Re: chkrootkit output

On 5/31/05, Stuart Lowe <stuart@xxxxxxxxxxxx> wrote:
> On Tue, May 31, 2005 at 12:44:30PM -0400, Matthew Miller wrote:
> > On Tue, May 31, 2005 at 05:42:00PM +0100, Andy Green wrote:
> > > | Checking `chkutmp'...  The tty of the following user process(es) were
> > > not found
> > > |  in /var/run/utmp !
> > > | ! RUID          PID TTY    CMD
> > > | ! root         4674 tty1   /sbin/mingetty tty1

This warning from chkrootkit can be ignored for getty-type
processes, such as /sbin/mingetty.  It is normal behavior for a
getty process to be attached to a tty device, yet not have an
audit entry recorded in the utmp file.  In fact, it is getty in
combination with login that creates those utmp entries.  But
while getty is sitting on a tty device waiting for a user to log in,
the state that chkutmp reports is normal.

It is proper, though, that chkrootkit detects this sort of
condition, because it could indicate a process trying to "hide".
However, it should have the getty processes as an explicit
exception to the rule.  But non-getty processes should be
reported.
-- 
Deron Meranda
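
The rule described in the message above (getty processes are an expected exception, everything else is reported) can be applied to chkutmp output as a triage step. This is an added example, not part of the original message and not chkrootkit's own code; the getty name list, the trusted directories and every sample row except the mingetty one are assumptions.

```python
import posixpath
import re

# Assumption: programs treated as "getty-type"; the message names only /sbin/mingetty.
GETTY_NAMES = {"mingetty", "agetty", "getty", "mgetty"}
# Assumption: directories a distribution installs getty binaries into.
TRUSTED_DIRS = {"/sbin", "/usr/sbin"}

# One chkutmp finding: "! RUID PID TTY CMD", optionally behind a "| " quote prefix.
ROW = re.compile(r"^\s*(?:\|\s*)?!\s+(\S+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")

def parse_chkutmp(text):
    """Return the findings as dicts; the column header is skipped (PID not numeric)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ruid, pid, tty, cmd = m.groups()
            rows.append({"ruid": ruid, "pid": int(pid), "tty": tty, "cmd": cmd})
    return rows

def is_getty(cmd):
    """True only for a known getty name located in a trusted directory."""
    exe = cmd.split()[0]
    return (posixpath.basename(exe) in GETTY_NAMES
            and posixpath.dirname(exe) in TRUSTED_DIRS)

def triage(text):
    """Split findings into (expected getty rows, rows that still need review)."""
    expected, report = [], []
    for row in parse_chkutmp(text):
        (expected if is_getty(row["cmd"]) else report).append(row)
    return expected, report

# Constructed sample: the mingetty row is from the thread, the other two are made up.
SAMPLE = """\
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         4674 tty1   /sbin/mingetty tty1
! root         5120 pts/3  /usr/local/bin/listener --port 9000
! nobody       5133 pts/4  /tmp/mingetty tty9
"""

if __name__ == "__main__":
    expected, report = triage(SAMPLE)
    for row in report:
        print("REPORT", row["ruid"], row["pid"], row["tty"], row["cmd"])
```

The CMD column is a string the process itself controls, so on a live system confirm a suppressed row by checking where `/proc/<pid>/exe` points before treating it as a real getty.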

