#! /bin/sh /usr/share/dpatch/dpatch-run
## excludes.dpatch by Francois Marier <francois@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: add the ability to exclude specific files/directories from the checks
@DPATCH@
--- chkrootkit-0.48.orig/README
+++ chkrootkit-0.48/README
@@ -123,6 +123,8 @@
-d debug
-q quiet mode
-x expert mode
+ -e exclude known false positive files/dirs, quoted,
+ space separated, READ WARNING IN README
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
@@ -181,6 +183,31 @@
# ./chkrootkit -r /mnt
+ Sometimes the test for dot files in system directories will report
+ false positives for legitimate files. It has been argued that while
+ chkrootkit could be made to ignore these false positives, that might
+ result in attackers deliberately using those names in order to avoid
+ detection. For that reason chkrootkit does not exclude any false
+ positives by default. However, many people use chkrootkit as a
+ daily cron job, and having these false positives means that the
+ administrator gets daily emails reporting these files. This probably
+ would result in the administrator:
+ A) not checking those files each time they were reported, which
+ means than an attacker could still use those names to avoid
+ detection
+ B) getting into the habit of deleting the reports without looking
+ closely at them, which means they are more likely to miss a real
+ problem
+ Because the above would result in less security, there is support for
+ excluding files, using the -e flag, for example:
+
+ # ./chkrootkit -e '/lib/init/rw/.mdadm /lib/init/rw/.ramfs'
+
+ WARNING: by using this option you are giving attackers a way to avoid
+ detection! Make absolutely sure that these are truly false positives
+ and do a periodic check of any excluded files to make sure they are
+ still the legitimate files you think they are.
+
7. Output Messages
------------------
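Review bot: the new README text never says how an entry in the -e list is matched. The script hunk compares each reported name against each exclude with `[ $name = $exclude ]`, which is an exact string comparison: no globbing, no prefix matching, and a trailing slash or a different root prefix (as set by -r) will make the entry silently fail to match. State that here next to the example, e.g. "each entry must be the exact path as chkrootkit prints it", so users do not write patterns that never exclude anything and then assume the report is clean.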
--- chkrootkit-0.48.orig/chkrootkit
+++ chkrootkit-0.48/chkrootkit
@@ -720,8 +737,24 @@
printn "The following suspicious files and directories were found:"
fi
echo
+
+ if [ -n "${EXCLUDES}" ]; then
+ for name in $files; do
+ for exclude in $EXCLUDES; do
+ if [ $name = $exclude ]; then continue 2; fi
+ done
+ echo $name
+ done
+ for name in $dirs; do
+ for exclude in $EXCLUDES; do
+ if [ $name = $exclude ]; then continue 2; fi
+ done
+ echo $name
+ done
+ else
+ echo ${files}
+ echo ${dirs}
+ fi
- echo ${files}
- echo ${dirs}
fi
### LPD Worm
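Review bot: the header `printn "The following suspicious files and directories were found:"` and the following `echo` are still emitted before the new exclusion loops run, so a run in which every hit is in EXCLUDES prints the header followed by an empty listing, which is exactly the daily-cron noise the README change is trying to remove. Filter `$files` and `$dirs` into new variables first and only print the header when something survives. Also quote the test operands, `if [ "$name" = "$exclude" ]; then continue 2; fi`, so an empty or otherwise odd word cannot turn into a `[` syntax error; the same applies to `echo $name`.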
@@ -2515,6 +2638,9 @@
-x) EXPERT=t;;
+ -e) shift
+ EXCLUDES="$1 $EXCLUDES";;
+
-q) QUIET=t
QUIET_ARG="-q"
;;
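Review bot: `-e) shift` takes the next word unconditionally. If `-e` is the last argument, `$1` is empty after the shift and EXCLUDES becomes whitespace; if another option follows, e.g. `-e -q`, the `-q` is swallowed into the exclude list and never parsed, so the user gets a non-quiet run with nothing excluded and no error. Check that an argument is present (and does not start with `-`) before the shift, and fall through to the usage message otherwise.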
@@ -2533,6 +2661,8 @@
-d debug
-q quiet mode
-x expert mode
+ -e exclude known false positive files/dirs, quoted,
+ space separated, READ WARNING IN README
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs"
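Review bot: this is the same help text as the README usage hunk above, maintained in two places; if the wording of the -e line changes later (for instance to say that entries are matched exactly), both copies need to change. A short note in the README pointing to the script's usage text, or vice versa, would keep them from drifting.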