Package: chkrootkit Version: 0.55-4+b2 Severity: wishlist Tags: patch upstream
It would be nice to skip extremely large directories which the admin chooses to skip in the scan. Typical examples are /var/lib/backuppc or similar backup dirs, or various large mounts. The following patch contains only a few changes in the find calls where it uses a complete root dir scan. I hope I was successful in doing it POSIX-safe, but please check. (Sidenote: I see you commented out '-o' at the end of the $findargs; is it correct this way?)
--- chkrootkit.orig 2022-08-17 15:47:55.000000000 +0200 +++ chkrootkit 2022-12-01 15:38:30.214332133 +0100 @@ -417,7 +417,7 @@ [ -d ${ROOTDIR}/usr/lib/lib.so1.so ] && expertmode_output ${find} ${ROOTDIR}/usr/lib/lib.so1.so ### sniffer's logs expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \ - ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \ + ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} ${FIND_EXCLUDE_ARGS} -name tcp.log -o -name \ .linux-sniff -o -name sniff-l0g -o -name core_ -o -wholename ${ROOTDIR}usr/lib/in.httpd -o \ -wholename ${ROOTDIR}usr/lib/in.pop3d" @@ -707,7 +707,7 @@ if [ "${QUIET}" != "t" ]; then \ printn "Searching for sniffer's logs, it may take a while... "; fi files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var \ - ${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \ + ${findargs} ${FIND_EXCLUDE_ARGS} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \ 2>/dev/null` if [ "${files}" = "" ] then @@ -2943,6 +2943,9 @@ -e) shift EXCLUDES="$1 $EXCLUDES";; + + -E) shift + EXCLUDE_DIRS="$1 $EXCLUDE_DIRS";; -s) shift EXCLUDES_SNIF="$1";; 
@@ -2969,6 +2972,7 @@ -x expert mode -e 'FILE1 FILE2' exclude files/dirs from results. Must be followed by a space-separated list of files/dirs. Read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES first. + -E 'DIR1 DIR2' exclude dirs (actually 'find' path patterns) from scanning. -s REGEXP filter results of sniffer test through 'grep -Ev REGEXP' to exclude expected PACKET_SNIFFERs. Read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES first. -r DIR use DIR as the root directory @@ -3002,6 +3006,14 @@ pth=`echo $PATH | sed -e "s/:/ /g"` pth="$pth /sbin /usr/sbin /lib /usr/lib /usr/libexec ." +### Excluded paths from find (split the string, POSIX style) +set -f +FIND_EXCLUDE_ARGS="" +for p in $EXCLUDE_DIRS; do + FIND_EXCLUDE_ARGS="${FIND_EXCLUDE_ARGS} -path ${p} -prune -o " +done +set +f + ### external command's PATH if [ "${CHKRKPATH}" = "" ]; then chkrkpth=${pth} -- System Information: Debian Release: bookworm/sid APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'unstable'), (500, 'oldstable'), (1, 'experimental') merged-usr: no Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.0.0-4-amd64 (SMP w/8 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) LSM: AppArmor: enabled Versions of packages chkrootkit depends on: ii libc6 2.36-4 Versions of packages chkrootkit recommends: ii binutils 2.39-8 ii iproute2 6.0.0-1+b1 ii net-tools 1.60+git20181103.0eebece-1 ii procps 2:3.3.17-7+b1 chkrootkit suggests no packages. -- Configuration Files: /etc/cron.daily/chkrootkit changed [not included]
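Review bot: missing explicit -print in the expert-mode find at @@ -417. Once `${FIND_EXCLUDE_ARGS}` expands to `-path P -prune -o`, the expression `-path P -prune -o -name tcp.log -o -name ...` contains no action, so find applies its default -print to the whole expression, and the pruned directory P itself (for which `-path P -prune` evaluates true) is listed next to the real matches. Group the name tests and give that branch its own action, e.g. `${FIND_EXCLUDE_ARGS} \( -name tcp.log -o -name ... -o -wholename ${ROOTDIR}usr/lib/in.pop3d \) -print`; as posted, every directory given with -E shows up in expert-mode output.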
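Review bot: the same missing -print at @@ -707 is a functional bug rather than just noise. `files=` receives the excluded directory path whenever `-path P -prune` matches, so the `[ "${files}" = "" ]` test fails and the excluded directory is reported as a possible sniffer's log, which is the opposite of what -E is meant to do. Append `-print` to the grouped tests: `\( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) -print \`. That keeps the expression POSIX and leaves the rest of the command unchanged.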
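Review bot: the new usage line at @@ -2969 should say how a pattern is matched, because the patch hands it to `find -path` unchanged. It is compared against the full pathname as find builds it from the starting points (`${ROOTDIR}dev`, `${ROOTDIR}var`, ...), so under `-r DIR` the pattern must carry the DIR prefix, a trailing slash (`/var/lib/backuppc/`) never matches, and, as with `-e`, a path containing spaces cannot be given because the list is split on whitespace. The text should also say that -E only affects the sniffer's-log search (the two find calls changed above, not the other tests) and that the excluded directories are not inspected for those files at all; that loss of coverage is the trade-off the admin is accepting, and it belongs in the same README.FALSE-POSITIVES pointer the neighbouring options carry.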
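Review bot: `set -f` around the loop at @@ -3002 protects only the loop; `${FIND_EXCLUDE_ARGS}` is expanded unquoted inside the two find calls after `set +f`, so any wildcard in a pattern (which the help text explicitly invites) is globbed by the shell at that point. A pattern such as `/var/lib/*/cache` that matches two existing directories turns into `-path /var/lib/a/cache /var/lib/b/cache -prune -o`, and find rejects the stray operand; a pattern matching nothing only survives because the shell passes unmatched globs through literally. Either keep globbing disabled until after the find calls or avoid the unquoted expansion altogether. Minor style point: the comment says "split the string", but `set -f` does not influence field splitting, only pathname expansion.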
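The prune/-print behaviour the review comments above rely on, as an added example that is not part of chkrootkit or of the submitted patch. It rebuilds the same `-path P -prune -o` words the patch puts into FIND_EXCLUDE_ARGS, runs them against a constructed directory tree holding a decoy tcp.log inside and outside the excluded directory, and compares the patch's form (no action, so find's implicit -print covers the pruned branch) with the form that attaches -print to the test branch only. A third run shows that a pattern with a trailing slash prunes nothing. The function names and the sample tree are the example's own.

```shell
#!/bin/sh
# Added example, not part of chkrootkit or of the patch under review.
# Reproduces the "-path P -prune -o TESTS" expression the patch builds and
# shows why the tests need an explicit -print. Tree and names are constructed.

# build_tree ROOT: constructed sample tree. The "excluded" backup directory
# holds a decoy sniffer log; a second decoy sits outside it.
build_tree() {
  mkdir -p "$1/var/lib/backuppc/pc" "$1/var/log"
  : > "$1/var/lib/backuppc/pc/tcp.log"   # inside the excluded dir: must not be reported
  : > "$1/var/log/tcp.log"               # outside it: must be reported
}

# exclude_args PATTERN...: the same words the patch puts into FIND_EXCLUDE_ARGS
exclude_args() {
  args=""
  for p in "$@"; do
    args="${args} -path ${p} -prune -o "
  done
  printf '%s' "$args"
}

# scan_implicit ROOT PATTERN: the patch's form. No action follows the tests, so
# find wraps the WHOLE expression in an implicit -print, including the
# "-path P -prune" branch, and the excluded directory itself is listed.
scan_implicit() {
  set -f   # globbing off while the unquoted expansion below is word-split
  # shellcheck disable=SC2046  (unquoted on purpose: words become find operands)
  find "$1/var" $(exclude_args "$2") \( -name tcp.log -o -name .linux-sniff \) \
    2>/dev/null | LC_ALL=C sort
  set +f
}

# scan_explicit ROOT PATTERN: -print attached to the test branch only, so a
# pruned directory is skipped silently and only real matches are reported.
scan_explicit() {
  set -f
  # shellcheck disable=SC2046
  find "$1/var" $(exclude_args "$2") \( -name tcp.log -o -name .linux-sniff \) -print \
    2>/dev/null | LC_ALL=C sort
  set +f
}

# demo: stand-alone run printing the three outcomes.
demo() {
  root=$(mktemp -d) || return 1
  build_tree "$root"
  echo "== implicit -print (patch as posted): the excluded dir is listed as a hit"
  scan_implicit "$root" "$root/var/lib/backuppc"
  echo "== explicit -print on the test branch: only the real match"
  scan_explicit "$root" "$root/var/lib/backuppc"
  echo "== trailing slash in the pattern: nothing is pruned, the decoy inside is found"
  scan_explicit "$root" "$root/var/lib/backuppc/"
  rm -rf "$root"
}

demo
```

Run it with a POSIX sh; the second and third runs are what the `-print` fix and the usage-text caveat in the review comments refer to. Because the pattern is compared by `find -path` against the pathname it builds from the starting point, the pattern passed here carries the full temporary root prefix, exactly as a chkrootkit user would have to include the `-r DIR` prefix.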