Package: chkrootkit
Version: 0.57-2+b1
Severity: wishlist

Dear Maintainer,

when chkrootkit-daily runs (was with the old /etc/chkrootkit.conf, thus diff mode false and "-q -n" flags) I get reports for files owned by Debian packages and that are iso with their installation state:

WARNING: The following suspicious files and directories were found:
/usr/lib/debug/.build-id
/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
/usr/lib/python3/dist-packages/glances/outputs/static/.prettierrc.js
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.eslintrc.js
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierignore
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierrc
/usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep
/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/_static/.gitignore
/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/.gitignore
/usr/lib/python3/dist-packages/numpy/core/include/numpy/.doxyfile
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/f2cmap/.f2py_f2cmap
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscode
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.gitignore
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscodeignore
/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs/.document
/usr/lib/ruby/vendor_ruby/rubygems/optparse/.document
/usr/lib/ruby/vendor_ruby/rubygems/tsort/.document

Could chkrootkit check that these files are owned by an installed Debian package and unmodified, and at least lower the status from WARNING to INFO in the logged output (maybe we do not want them ignored altogether, in the case where a Debian package could be compromised and ship the dangerous file?), i.e. check the owner (a la "dpkg --search /usr/lib/ruby/vendor_ruby/rubygems/tsort/.document") and that the file is unchanged from its Debian package state (against /var/lib/dpkg/info/<pkg>.md5sums)?

I cooked such a script:

    #!/bin/sh
    # Each reported path is checked against the md5sums of every package dpkg says owns it.
    grep /usr/lib /var/log/chkrootkit/log.today | while read -r file; do
      [ -f "$file" ] || continue
      for pkg in $(dpkg -S "$file" 2>/dev/null | sed 's/: .*//' | tr ',' '\n'); do
        for md5pkgfile in /var/lib/dpkg/info/"$pkg".md5sums; do
          [ -f "$md5pkgfile" ] || continue
          # md5sums lines are "<32 hex digits>  <path without leading slash>": compare the
          # whole path field (column 35 onwards) rather than an unanchored grep regex, where
          # the dots in a dotfile name would match any character
          awk -v f="${file#/}" 'substr($0, 35) == f' "$md5pkgfile" | (
            if read -r md5filepkg filepkgpath &&
               [ "$md5filepkg" = "$(md5sum "/$filepkgpath" 2>/dev/null | cut -d' ' -f1)" ]; then
              echo "Debian unmodified $file"
            else
              echo "non Debian or modified $file"
            fi
          )
        done
      done
    done

gives:

    Debian unmodified /usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
    (...)

It does not handle directories like /usr/lib/debug/.build-id.

Maybe chkrootkit could check that none of the files in such a dot directory are non-Debian-package files, i.e. that all of them are unmodified and owned by still-installed packages?

Cheers,
Alban

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'oldstable-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii  libc6  2.36-9+deb12u3

Versions of packages chkrootkit recommends:
ii  binutils                        2.40-2
ii  bsd-mailx [mailx]               8.1.2-0.20220412cvs-1
ii  cron [cron-daemon]              3.0pl1-162
ii  iproute2                        6.1.0-3
ii  mailutils [mailx]               1:3.15-4
ii  net-tools                       2.10-0.1
ii  postfix [mail-transport-agent]  3.7.6-0+deb12u2
ii  procps                          2:4.0.2-3
ii  systemd-sysv                    252.17-1~deb12u1

chkrootkit suggests no packages.

-- no debconf information
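The check the report asks for, including the directory case it says the shell script does not handle, as an added example that is neither the reporter's script nor chkrootkit code. It assumes the dpkg layout (/var/lib/dpkg/info/<pkg>.md5sums with lines "<md5hex>  <path without leading slash>", and "dpkg -S" printing "pkg1, pkg2: /path"); a directory such as /usr/lib/debug/.build-id gets the worst verdict among the files below it, looked up owner by owner, because dpkg md5sums never list directories. `demo()` builds a constructed throwaway tree with hypothetical file contents so the logic can be exercised without dpkg.

```python
#!/usr/bin/env python3
# Added example, not code from the bug report or from chkrootkit.  It yields the
# verdict the report asks for ("Debian unmodified", "modified", "non Debian") and
# judges a directory such as /usr/lib/debug/.build-id by the worst verdict among
# the files below it, since dpkg md5sums never list directories.  Assumed layout:
# /var/lib/dpkg/info/<pkg>.md5sums lines "<md5hex>  <path without leading slash>"
# and "dpkg -S" output of the form "pkg1, pkg2: /path".
import hashlib
import os
import subprocess
import tempfile
from pathlib import Path

INFO_DIR = Path("/var/lib/dpkg/info")
RANK = {"Debian unmodified": 0, "modified": 1, "non Debian": 2}  # worst-of order


def parse_md5sums(text):
    """Parse <pkg>.md5sums content into {"/abs/path": md5hex}."""
    table = {}
    for line in text.splitlines():
        digest, sep, rel = line.partition("  ")
        if sep and rel:
            table["/" + rel] = digest.strip().lower()
    return table


def md5_of(path):
    return hashlib.md5(path.read_bytes()).hexdigest()


def dpkg_table_for(path):
    """md5sums of every package `dpkg -S` says owns `path` ({} if unowned or no dpkg).
    Multi-arch packages store theirs as <pkg>:<arch>.md5sums."""
    try:
        out = subprocess.run(["dpkg", "-S", path], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return {}
    table = {}
    for line in out.splitlines():
        owners, sep, _ = line.partition(": ")  # "pkg1, pkg2: /path"
        for pkg in (p.strip() for p in owners.split(",")) if sep else ():
            for cand in [INFO_DIR / f"{pkg}.md5sums", *INFO_DIR.glob(f"{pkg}:*.md5sums")]:
                if cand.is_file():
                    table.update(parse_md5sums(cand.read_text()))
    return table


def verdict_file(path, table, root):
    expected = table.get(path)
    if expected is None:
        return "non Debian"
    return "Debian unmodified" if md5_of(root / path.lstrip("/")) == expected else "modified"


def verdict(path, table_for=dpkg_table_for, root=Path("/")):
    """Verdict for a file, or the worst per-file verdict below a directory."""
    real = root / path.lstrip("/")
    if real.is_file():
        return verdict_file(path, table_for(path), root)
    if not real.is_dir():
        return "missing"
    worst = None
    for dirpath, _, files in os.walk(real):
        for name in files:
            rel = "/" + str((Path(dirpath) / name).relative_to(root))
            v = verdict_file(rel, table_for(rel), root)  # each file has its own owner
            if worst is None or RANK[v] > RANK[worst]:
                worst = v
    return worst or "empty directory"


def demo():
    # Constructed sample tree with hypothetical contents, standing in for a real host.
    root = Path(tempfile.mkdtemp())
    j = "/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo"
    jinfo = root / j.lstrip("/")
    build_id = root / "usr/lib/debug/.build-id/ab"
    jinfo.parent.mkdir(parents=True)
    build_id.mkdir(parents=True)
    jinfo.write_bytes(b"name=java-1.17.0-openjdk-amd64\n")
    (build_id / "cdef.debug").write_bytes(b"\x7fELF sample debug file\n")
    (build_id / "stray").write_bytes(b"not shipped by any package\n")  # unowned file
    table = parse_md5sums(f"{md5_of(jinfo)}  {j.lstrip('/')}\n"
                          f"{md5_of(build_id / 'cdef.debug')}  usr/lib/debug/.build-id/ab/cdef.debug\n")
    table_for = lambda _p: table  # one hypothetical package owns both listed files
    results = {p: verdict(p, table_for, root) for p in (j, "/usr/lib/debug/.build-id")}
    jinfo.write_bytes(b"tampered\n")  # a modified file must no longer pass
    results["tampered " + j] = verdict(j, table_for, root)
    return results


if __name__ == "__main__":
    log = Path("/var/log/chkrootkit/log.today")
    paths = [t for l in log.read_text().splitlines() for t in l.split()
             if t.startswith("/usr/lib")] if log.is_file() else []
    for p, v in ({p: verdict(p) for p in paths} or demo()).items():
        print(f"{v}: {p}")
```

Run as root on a Debian host it classifies every /usr/lib path in chkrootkit's daily log; elsewhere it runs the constructed demo. The md5sums live on the same filesystem a rootkit with root access can edit, so a match justifies demoting the entry from WARNING to INFO, as the report suggests, not dropping it.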