In #406493, the original submitter is concerned about a false positive dot
file being reported (/lib/init/rw/.ramfs). The discussion that followed
focused on solving these false positives on a case by case basis.
I'd also like to note that upstream says the following in FAQ #8
( http://www.chkrootkit.org/faq/#8 ):
Q.) chkrootkit is reporting some files and dirs as suspicious:
`.packlist', `.cvsignore', etc. These are clearly false positives.
Can't you ignore these?
A.) Ignoring some files and dirs could impair chkrootkit's accuracy.
An attacker might use this, since he knows that chkrootkit will
ignore certain files and dirs.
I have written a patch that allows chkrootkit to exclude false positives
from the list of reported dot files, and added a warning to the README of
when you would want to use this feature and why it is sometimes needed to
result in a more secure system. I think that it should hopefully be
acceptable to upstream.
Attached are two patches, one against Debian 0.47-1.1 and one against
upstream 0.48. Please consider applying and/or forwarding upstream.
Thanks,
--
Matt Taggart
[EMAIL PROTECTED]
diff -ur chkrootkit-0.48.orig/chkrootkit chkrootkit-0.48/chkrootkit
--- chkrootkit-0.48.orig/chkrootkit 2007-12-17 10:54:42.000000000 -0800
+++ chkrootkit-0.48/chkrootkit 2008-03-16 18:07:37.000000000 -0700
@@ -721,8 +721,24 @@
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
echo
- echo ${files}
- echo ${dirs}
+
+ if [ -n "${EXCLUDES}" ]; then
+ for name in $files; do
+ for exclude in $EXCLUDES; do
+ if [ $name = $exclude ]; then continue 2; fi
+ done
+ echo $name
+ done
+ for name in $dirs; do
+ for exclude in $EXCLUDES; do
+ if [ $name = $exclude ]; then continue 2; fi
+ done
+ echo $name
+ done
+ else
+ echo ${files}
+ echo ${dirs}
+ fi
fi
### LPD Worm
@@ -2515,6 +2531,9 @@
-x) EXPERT=t;;
+ -e) shift
+ EXCLUDES=$1;;
+
-q) QUIET=t;;
-V) echo >&2 "chkrootkit version ${CHKROOTKIT_VERSION}"
@@ -2533,6 +2552,8 @@
-d debug
-q quiet mode
-x expert mode
+ -e exclude known false positive files/dirs, quoted,
+ space separated, READ WARNING IN README
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs"
diff -ur chkrootkit-0.48.orig/README chkrootkit-0.48/README
--- chkrootkit-0.48.orig/README 2007-12-17 10:50:42.000000000 -0800
+++ chkrootkit-0.48/README 2008-03-16 18:09:51.000000000 -0700
@@ -123,6 +123,8 @@
-d debug
-q quiet mode
-x expert mode
+ -e exclude known false positive files/dirs, quoted,
+ space separated, READ WARNING IN README
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
@@ -181,6 +183,31 @@
# ./chkrootkit -r /mnt
+ Sometimes the test for dot files in system directories will report
+ false positives for legitimate files. It has been argued that while
+ chkrootkit could be made to ignore these false positives, that might
+ result in attackers deliberately using those names in order to avoid
+ detection. For that reason chkrootkit does not exclude any false
+ positives by default. However, many people use chkrootkit as a
+ daily cron job, and having these false positives means that the
+ administrator gets daily emails reporting these files. This probably
+ would result in the administrator:
+ A) not checking those files each time they were reported, which
+ means than an attacker could still use those names to avoid
+ detection
+ B) getting into the habit of deleting the reports without looking
+ closely at them, which means they are more likely to miss a real
+ problem
+ Because the above would result in less security, there is support for
+ excluding files, using the -e flag, for example:
+
+ # ./chkrootkit -e '/lib/init/rw/.mdadm /lib/init/rw/.ramfs'
+
+ WARNING: by using this option you are giving attackers a way to avoid
+ detection! Make absolutely sure that these are truly false positives
+ and do a periodic check of any excluded files to make sure they are
+ still the legitimate files you think they are.
+
7. Output Messages
------------------diff -ur orig/chkrootkit chkrootkit-0.47/chkrootkit
--- orig/chkrootkit 2008-03-16 14:37:24.000000000 -0700
+++ chkrootkit-0.47/chkrootkit 2008-03-16 17:58:28.000000000 -0700
@@ -714,9 +714,26 @@
if [ "${QUIET}" = "t" ]; then
printn "The following suspicious files and directories were found:"
fi
+
echo
- echo "${files}"
- echo "${dirs}"
+
+ if [ -n "${EXCLUDES}" ]; then
+ for name in $files; do
+ for exclude in $EXCLUDES; do
+ if [ $name = $exclude ]; then continue 2; fi
+ done
+ echo $name
+ done
+ for name in $dirs; do
+ for exclude in $EXCLUDES; do
+ if [ $name = $exclude ]; then continue 2; fi
+ done
+ echo $name
+ done
+ else
+ echo "${files}"
+ echo "${dirs}"
+ fi
fi
### LPD Worm
@@ -2486,6 +2503,9 @@
-x) EXPERT=t;;
+ -e) shift
+ EXCLUDES=$1;;
+
-q) QUIET=t
QUIET_ARG="-q"
;;
@@ -2506,6 +2526,8 @@
-d debug
-q quiet mode
-x expert mode
+ -e exclude known false positive files/dirs, quoted,
+ space separated, READ WARNING IN README
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs"
diff -ur orig/README chkrootkit-0.47/README
--- orig/README 2008-03-16 17:27:43.000000000 -0700
+++ chkrootkit-0.47/README 2008-03-16 17:59:22.000000000 -0700
@@ -122,6 +122,8 @@
-d debug
-q quiet mode
-x expert mode
+ -e exclude know false positive files/dirs, quoted,
+ space separated, READ WARNING IN README
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
@@ -180,6 +182,31 @@
# ./chkrootkit -r /mnt
+ Sometimes the test for dot files in system directories will report
+ false positives for legitimate files. It has been argued that while
+ chkrootkit could be made to ignore these false positives, that might
+ result in attackers deliberately using those names in order to avoid
+ detection. For that reason chkrootkit does not exclude any false
+ positives by default. However, many people use chkrootkit as a
+ daily cron job, and having these false positives means that the
+ administrator gets daily emails reporting these files. This probably
+ would result in the administrator:
+ A) not checking those files each time they were reported, which
+ means than an attacker could still use those names to avoid
+ detection
+ B) getting into the habit of deleting the reports without looking
+ closely at them, which means they are more likely to miss a real
+ problem
+ Because the above would result in less security, there is support for
+ excluding files, using the -e flag, for example:
+
+ # ./chkrootkit -e '/lib/init/rw/.mdadm /lib/init/rw/.ramfs'
+
+ WARNING: by using this option you are giving attackers a way to avoid
+ detection! Make absolutely sure that these are truly false positives
+ and do a periodic check of any excluded files to make sure they are
+ still the legitimate files you think they are.
+
7. Output Messages
------------------
