Package: chkrootkit
Severity: wishlist
Tags: patch
Chkrootkit sometimes reports valid files as suspicious, such as /lib/init/rw/.ramfs and .mdadm, or reports a packet sniffer such as snort running on an interface. For these cases, I'd like to know when something changes in the chkrootkit output. However, the current diff mode of the chkrootkit cron script only sends a message about the changed output once. What I'd like is that it continually warns about the change until the sysadmin acknowledges the change.

Therefore, I have modified the cron script with an additional 'once' diff mode (attached). Contrary to the current diff mode, it creates the $LOG_DIR/log.old file but does not overwrite it if it already exists. Thus, if something changes and chkrootkit generates a different output, the cron script will continually warn about the change until the sysadmin deletes the $LOG_DIR/log.old file by hand. The next run of the cron script will then recreate it with the new chkrootkit output.
Attachment: chkrootkit.cron-daily (application/shellscript)
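The attached patch itself is not reproduced in this report, so the following is an added example, not the submitter's script or the Debian package's cron script, that reconstructs the 'once' diff mode as the report describes it. It assumes the cron script's LOG_DIR layout with log.today and log.old files (the /var/log/chkrootkit default is an assumption) and a CHKROOTKIT variable naming the command to run; both can be overridden from the environment.

```shell
#!/bin/sh
# Added example: reconstruction of the 'once' diff mode described in the
# report. Not the attached chkrootkit.cron-daily patch.
# Assumptions: LOG_DIR holds log.today/log.old (default path is assumed),
# CHKROOTKIT is the command whose output is being watched.

LOG_DIR="${LOG_DIR:-/var/log/chkrootkit}"
CHKROOTKIT="${CHKROOTKIT:-chkrootkit}"

# Capture the current chkrootkit output into $LOG_DIR/log.today.
run_chkrootkit() {
    mkdir -p "$LOG_DIR"
    $CHKROOTKIT > "$LOG_DIR/log.today" 2>&1
}

# 'once' diff mode.
# Exit status 0: nothing changed, or a baseline was just created.
# Exit status 1: output differs from the acknowledged baseline.
# Unlike the existing diff mode, log.old is never overwritten here; the
# sysadmin acknowledges a change by deleting it, and the next run
# recreates it from the then-current output.
diff_mode_once() {
    if [ ! -f "$LOG_DIR/log.old" ]; then
        cp "$LOG_DIR/log.today" "$LOG_DIR/log.old"
        return 0
    fi
    if diff -u "$LOG_DIR/log.old" "$LOG_DIR/log.today" > "$LOG_DIR/log.diff"; then
        rm -f "$LOG_DIR/log.diff"
        return 0
    fi
    # Output changed: print the diff so cron mails it; leave log.old alone.
    echo "chkrootkit output changed since $LOG_DIR/log.old was written;"
    echo "remove that file to acknowledge the change."
    cat "$LOG_DIR/log.diff"
    return 1
}

# What the daily cron job would do in 'once' mode.
cron_main() {
    run_chkrootkit
    diff_mode_once
}

# Run as: sh chkrootkit-once.sh run
case "${1:-}" in
    run) cron_main ;;
esac
```

Because the baseline file is only ever created, never replaced, every run after a change keeps producing output (and therefore cron mail) until someone removes log.old; a run that finds the file missing silently establishes the new baseline, which is the acknowledgement step the report asks for.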