Re: chkrootkit output
- From: Deron Meranda <deron meranda gmail com>
- To: For users of Fedora Core releases <fedora-list redhat com>
- Subject: Re: chkrootkit output
- Date: Tue, 31 May 2005 13:09:43 -0400
On 5/31/05, Stuart Lowe <stuart teksavvy com> wrote:
> On Tue, May 31, 2005 at 12:44:30PM -0400, Matthew Miller wrote:
> > On Tue, May 31, 2005 at 05:42:00PM +0100, Andy Green wrote:
> > > | Checking `chkutmp'... The tty of the following user process(es) were
> > > not found
> > > | in /var/run/utmp !
> > > | ! RUID PID TTY CMD
> > > | ! root 4674 tty1 /sbin/mingetty tty1

This warning from chkrootkit can be ignored for getty-type
processes, such as /sbin/mingetty. It is normal behavior for a
getty process to be attached to a tty device, yet not have an
audit entry recorded in the utmp file. In fact, it is getty in
combination with login that creates those utmp entries. But
while getty is sitting on a tty device waiting for a user to log in,
the state that chkutmp reports is normal.

It is proper, though, that chkrootkit detects this sort of
condition, because it could indicate a process trying to "hide".
However it should have the getty processes as an explicit
exception to the rule. But non-getty processes should be
reported.

--
Deron Meranda
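
The triage rule described in the message above, sketched as an added example (not part of the original post and not chkrootkit's own code): it parses the `! RUID PID TTY CMD` rows of a chkutmp report, sets aside getty-type processes waiting on their own tty, and keeps everything else for review. The getty name list beyond `mingetty` and every sample row except PID 4674 are assumptions constructed for illustration.

```python
import re

# Assumption: programs treated as getty-type; only /sbin/mingetty appears in the thread.
GETTY_NAMES = {"mingetty", "agetty", "getty", "mgetty"}

# Row layout from the quoted report ("! RUID PID TTY CMD"); mail-quote prefixes tolerated.
ROW = re.compile(r"^[>|\s]*!\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S.*?)\s*$")

# Constructed sample: the PID 4674 row is from the thread, the other rows are made up.
SAMPLE = """\
Checking `chkutmp'... The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID PID TTY CMD
! root 4674 tty1 /sbin/mingetty tty1
! root 4675 tty2 /sbin/mingetty tty2
! bob 5120 pts/3 /usr/bin/python worker.py
! root 5201 tty3 /sbin/mingetty tty1
"""

def parse_rows(report):
    """Yield (ruid, pid, tty, cmd) for each process row in chkutmp output."""
    for line in report.splitlines():
        m = ROW.match(line)
        if m:  # the header row fails to match because "PID" is not numeric
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)

def is_expected_getty(tty, cmd):
    """True when cmd is a getty-type program waiting on the tty it is attached to."""
    argv = cmd.split()
    name = argv[0].rsplit("/", 1)[-1]
    if name not in GETTY_NAMES:
        return False
    # The getty must name the tty it holds; the argument may be "tty1" or "/dev/tty1".
    return any(a.rsplit("/dev/", 1)[-1] == tty for a in argv[1:])

def triage(report):
    """Split rows into (expected getty rows, rows that still need review)."""
    expected, review = [], []
    for row in parse_rows(report):
        (expected if is_expected_getty(row[2], row[3]) else review).append(row)
    return expected, review

if __name__ == "__main__":
    ok, review = triage(SAMPLE)
    for r in ok: print("expected getty:", r)
    for r in review: print("REVIEW:", r)
```

The CMD column is whatever the process reports about itself, so a match only lowers a row's priority; comparing `/proc/<pid>/exe` against the installed getty binary confirms it.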