CSF csf.pignore syntax for suspicious process

jazee

Well-Known Member
Jan 12, 2015
118
2
68
cPanel Access Level
Root Administrator
I know a lot of cPanel users are running CSF/LFD. I've searched and read many posts on this topic before, but I still don't find it clear what specific syntax to use in the csf.pignore file. This is the type of warning I'm trying to ignore.

lfd[5333]: *Suspicious Process* PID:3792 PPID:3788 User:username Uptime:121 secs EXE:/home/virtfs/elemcms/opt/cpanel/ea-php73/root/usr/bin/php CMD:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php

Right now I have:

pcmd:cron\.php$
cmd:cron\.php$

There are so many different options for what to specify in the file and its syntax that it leaves most users like myself on a sort of trial-and-error quest, and so far I'm unsuccessful.
 

cPanelJamesW

Linux Technical Analyst I
Staff member
Mar 13, 2018
24
1
78
Houston
cPanel Access Level
Root Administrator
Greetings!

The syntax for the 'csf.pignore' file is:
Code:
exe:/full/path/to/file
user:username
cmd:command line
so if you would like to whitelist the 'cron.php' file itself, you would need to use the full path, e.g.:
Code:
exe:/home/${cPuser}/path/to/cron.php
or alternatively, you may also try the entire command, e.g.:
Code:
cmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php
Please give that a try and let us know if it works for you.

Thanks!
 

jazee

Prior to your reply, I added all 4 of these:

cmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php
pcmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php
cmd:/opt/cpanel/.*/root/usr/bin/php -f cron.php
pcmd:/opt/cpanel/.*/root/usr/bin/php -f cron.php

One of them worked as I stopped getting the warning. When I get some time I'll use trial and error to find out. I'm guessing/hoping it's this one:

cmd:/opt/cpanel/.*/root/usr/bin/php -f cron.p

As the first two will no longer work if I upgrade to a PHP version newer than 7.3, and I will have to remember to go update the file.
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
438
107
343
cPanel Access Level
DataCenter Provider
You can't use wildcards in the cmd option. That's what pcmd is for. pcmd uses Perl regular expressions. If you look in /etc/csf/csf.pignore it gives examples near the top.
 

jazee

Then it is probably the pcmd:/opt/cpanel/.*/root/usr/bin/php -f cron.php that is working.

Thanks for the clarification. I for some reason misunderstood 'p' as referring to process instead of PERL.
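
The matching rules discussed in this thread, as an added example that is not part of any post and is not CSF's own code: it parses the quoted lfd line and reports which of the entries tried above would cover it. Assumptions: `cmd:` is an exact string comparison, `pcmd:` is a regular expression that must match the whole command line, and Python's `re` stands in for Perl regex; the function names and the last (tighter) entry are constructed for illustration.

```python
import re

# lfd report quoted in the thread.
LOG = ("lfd[5333]: *Suspicious Process* PID:3792 PPID:3788 User:username "
       "Uptime:121 secs EXE:/home/virtfs/elemcms/opt/cpanel/ea-php73/root/usr/bin/php "
       "CMD:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php")

# Entries tried in the thread, then one constructed, narrower pattern.
ENTRIES = [
    r"pcmd:cron\.php$",
    r"cmd:cron\.php$",
    "cmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php",
    "pcmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php",
    "cmd:/opt/cpanel/.*/root/usr/bin/php -f cron.php",
    "pcmd:/opt/cpanel/.*/root/usr/bin/php -f cron.php",
    r"pcmd:/opt/cpanel/ea-php\d+/root/usr/bin/php -f cron\.php",  # constructed
]

def parse_lfd(line):
    """Extract the User, EXE and CMD fields from a Suspicious Process line."""
    m = re.search(r"User:(?P<user>\S+) .*?EXE:(?P<exe>\S+) CMD:(?P<cmd>.*)$", line)
    return m.groupdict() if m else None

def entry_matches(entry, proc):
    """True if a single csf.pignore entry covers the parsed process."""
    kind, _, value = entry.partition(":")
    is_regex = kind in ("pexe", "puser", "pcmd")
    field = kind[1:] if is_regex else kind
    if field not in proc:
        return False
    if is_regex:
        # Assumption: the pattern has to match the entire field value.
        return re.fullmatch(value, proc[field]) is not None
    return value == proc[field]  # exe/user/cmd: literal comparison, no wildcards

def matching_entries(entries, line):
    """Return the entries that would cover the process in an lfd line."""
    proc = parse_lfd(line)
    return [e for e in entries if proc and entry_matches(e, proc)]

if __name__ == "__main__":
    proc = parse_lfd(LOG)
    for e in ENTRIES:
        print(f"{'MATCH   ' if entry_matches(e, proc) else 'no match'}  {e}")
```

Under these assumptions the `.*` entry covers any path between `/opt/cpanel/` and `/root/usr/bin/php`, while the constructed `ea-php\d+` entry still survives a PHP version change and covers less.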