File: README.patch

chkrootkit 0.58b-5
  • area: main
  • in suites: trixie
From: "francois@debian.org" <francois@debian.org>
Date: Sun, 9 Jul 2017 18:42:55 +0200
Subject: README

Update README to mention -e and attitude to false positives

Forwarded: yes
(Forwarded by email: 21 Dec 2024)
---
 README | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/README b/README
index f19c3d8..cc9d3d8 100644
--- a/README
+++ b/README
@@ -123,6 +123,8 @@
          -d                debug
          -q                quiet mode
          -x                expert mode
+         -e                exclude known false positive files/dirs, quoted,
+                           space separated, READ WARNING IN README
          -r dir            use dir as the root directory
          -p dir1:dir2:dirN path for the external commands used by chkrootkit
          -n                skip NFS mounted dirs
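Review bot: the new usage line for `-e` refers the reader to "READ WARNING IN README", but this text is itself the README, so the pointer is circular; name the section instead (the warning lands in the section immediately before "7. Output Messages"). The line also describes the argument only in words ("quoted, space separated") without showing its shape; the other options list their argument form (`-r dir`, `-p dir1:dir2:dirN`), so `-e 'file1 dir2'` in the same column would be consistent and clearer. The all-caps phrase is out of register with the rest of the option table.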
@@ -181,6 +183,31 @@
 
    # ./chkrootkit -r /mnt
 
+ Sometimes the test for dot files in system directories will report
+ false positives for legitimate files. It has been argued that while
+ chkrootkit could be made to ignore these false positives, that might
+ result in attackers deliberately using those names in order to avoid
+ detection. For that reason chkrootkit does not exclude any false
+ positives by default. However, many people use chkrootkit as a
+ daily cron job, and having these false positives means that the
+ administrator gets daily emails reporting these files. This probably
+ would result in the administrator:
+   A) not checking those files each time they were reported, which
+      means than an attacker could still use those names to avoid
+      detection
+   B) getting into the habit of deleting the reports without looking
+      closely at them, which means they are more likely to miss a real
+      problem
+ Because the above would result in less security, there is support for
+ excluding files, using the -e flag, for example:
+
+   # ./chkrootkit -e '/run/.ramfs'
+
+ WARNING: by using this option you are giving attackers a way to avoid
+ detection! Make absolutely sure that these are truly false positives
+ and do a periodic check of any excluded files to make sure they are
+ still the legitimate files you think they are.
+
 
  7. Output Messages
  ------------------
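Review bot: typo in item A), "which means than an attacker could still use those names" should read "which means that an attacker could still use those names". The example `# ./chkrootkit -e '/run/.ramfs'` shows a single entry although the option is documented as a quoted, space-separated list; an example with two entries, e.g. `# ./chkrootkit -e '/run/.ramfs /path/.other'`, would show the quoting that the list form requires. The closing advice to "do a periodic check of any excluded files" is left unspecified; stating what to compare (owner, permissions, size or a recorded checksum of each excluded path against a baseline taken when it was first excluded) would make the warning actionable for the cron-job use case the paragraph describes.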