Bug#660998: chkrootkit: Add ignore list to avoid false positives

2015-05-03 Thread Daniel Hornung
Any news on this?  The proposed patch seems to work fine.




Bug#660998: chkrootkit: Add ignore list to avoid false positives

2014-08-25 Thread IOhannes m zmoelnig
Package: chkrootkit
Version: 0.49-5
Followup-For: Bug #660998

pretty please add this feature.

the more noise an administrator gets about false positives, the more likely they
are to miss/ignore the really important warnings.

attached is an updated fix for the script that also provides a fallback when no
ignore file is present.


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.14-1-686-pae (SMP w/4 CPU cores)
Locale: LANG=de_AT.utf8, LC_CTYPE=de_AT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages chkrootkit depends on:
ii  binutils   2.24.51.20140709-1
ii  debconf [debconf-2.0]  1.5.53
ii  libc6  2.19-7
ii  net-tools  1.60-26
ii  procps 1:3.3.9-7

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- debconf information excluded
From 40cb03d3a8c4d784e0969d610eb9381a02e2ab46 Mon Sep 17 00:00:00 2001
From: IOhannes m zmölnig zmoel...@iem.at
Date: Mon, 25 Aug 2014 09:53:37 +0200
Subject: [PATCH] use IGNORE_FILE to filter out false-positives

if the user defines an IGNORE_FILE in /etc/chkrootkit.conf
and this file is readable, this file will be used to filter out
false-positives (and other lines, depending on the regular expressions
in the file), in the cron-script.

TODO:
- exit-code of the cron-script (cf. 19ce77e7)
 - it probably should bail out if there is an un-filtered error
 - it probably should bail out if there is a filter-rule that had no match
- the value of IGNORE_FILE is currently not handled by debconf.
---
 debian/cron.daily | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/debian/cron.daily b/debian/cron.daily
index 7a6b7b9..6566d3c 100755
--- a/debian/cron.daily
+++ b/debian/cron.daily
@@ -5,6 +5,7 @@ set -e
 CHKROOTKIT=/usr/sbin/chkrootkit
 CF=/etc/chkrootkit.conf
 LOG_DIR=/var/log/chkrootkit
+IGNORE_FILE=/dev/null
 
 if [ ! -x $CHKROOTKIT ]; then
   exit 0
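Review bot: setting `IGNORE_FILE=/dev/null` before `. $CF` is the right order, since /etc/chkrootkit.conf can then override it, but nothing tells the administrator that the variable exists; add a comment next to the default (or a line in the conf template) naming it, since, as the commit message says, debconf does not handle it.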
@@ -14,9 +15,13 @@ if [ -f $CF ]; then
 . $CF
 fi
 
+if [ ! -r ${IGNORE_FILE} ]; then
+ IGNORE_FILE=/dev/null
+fi
+
 if [ $RUN_DAILY = true ]; then
 if [ $DIFF_MODE = true ]; then
-eval $CHKROOTKIT $RUN_DAILY_OPTS  $LOG_DIR/log.today.raw 21
+eval $CHKROOTKIT $RUN_DAILY_OPTS | egrep -v -f ${IGNORE_FILE}  $LOG_DIR/log.today.raw 21
 # the sed expression replaces the messages about /sbin/dhclient3 /usr/sbin/dhcpd3
 # with a message that is the same whatever order eth0 and eth1 were scanned
 sed -r -e 's,eth(0|1)(:[0-9])?: PACKET SNIFFER\((/sbin/dhclient3|/usr/sbin/dhcpd3)\[[0-9]+\]\),eth\[0|1\]: PACKET SNIFFER\([dhclient3|dhcpd3]{PID}\),' \
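Review bot: the diff-mode pipeline `+eval $CHKROOTKIT $RUN_DAILY_OPTS | egrep -v -f ${IGNORE_FILE} ...` has no `|| true`, unlike the non-diff branch in the next hunk, so under `set -e` a run in which every line is filtered (or a `-q` run with nothing to report) makes `egrep -v` exit 1 and aborts the job before the sed and diff steps; the same guard is needed here. The trailing redirection (shown as `21` in this copy, presumably `2>&1`) now applies to egrep rather than to chkrootkit, so chkrootkit's stderr no longer lands in log.today.raw; put the redirection inside the eval or around a subshell. Without pipefail the pipeline also hides chkrootkit's own exit status, which is the exit-code TODO from the commit message.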
@@ -46,6 +51,6 @@ if [ $RUN_DAILY = true ]; then
 		echo # (note that unedited output is in $LOG_DIR/log.today.raw)
 fi
 else
-eval $CHKROOTKIT $RUN_DAILY_OPTS
+eval $CHKROOTKIT $RUN_DAILY_OPTS | (egrep -v -f ${IGNORE_FILE} || true)
 fi
 fi
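Review bot: `(egrep -v -f ${IGNORE_FILE} || true)` also swallows exit status 2, so a malformed regular expression in the ignore file yields an empty report with only an egrep error on stderr; tolerating just the "no lines selected" status, e.g. `egrep -v -f ${IGNORE_FILE} || [ $? -eq 1 ]`, keeps real errors fatal under `set -e`. Related: a blank line in IGNORE_FILE is a pattern that matches every line, so strip empty lines (e.g. with `grep -v '^$'`) before handing the file to `egrep -f`, otherwise the whole report disappears.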
-- 
2.0.1



Bug#660998: chkrootkit: Add ignore list to avoid false positives

2012-02-23 Thread Leandro Lucarella
Package: chkrootkit
Version: 0.49-4
Severity: normal
Tags: patch

It is publicly known that chkrootkit generates a lot of false positives, and
it is a pain to receive an e-mail with them every day, making people
simply ignore those mails most of the time.

Here is a nice post describing an easy way to add an ignore list by
grepping the output:
http://www.electricmonk.nl/log/2007/11/29/chkrootkit-false-positives-filtering/

Attached is an updated patch for /etc/cron.daily/chkrootkit.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (50, 'unstable'), (20, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages chkrootkit depends on:
ii  binutils   2.21.90.20111004-2
ii  debconf [debconf-2.0]  1.5.40
ii  libc6  2.13-21   
ii  net-tools  1.60-24.1 
ii  procps 1:3.2.8-11

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- debconf information:
* chkrootkit/run_daily_opts: -q -n
* chkrootkit/run_daily: true
* chkrootkit/diff_mode: false
diff --git a/cron.daily/chkrootkit b/cron.daily/chkrootkit
index 7a6b7b9..152d503 100755
--- a/cron.daily/chkrootkit
+++ b/cron.daily/chkrootkit
@@ -4,6 +4,7 @@ set -e
 
 CHKROOTKIT=/usr/sbin/chkrootkit
 CF=/etc/chkrootkit.conf
+IGNOREF=/etc/chkrootkit.ignore
 LOG_DIR=/var/log/chkrootkit
 
 if [ ! -x $CHKROOTKIT ]; then
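Review bot: `IGNOREF=/etc/chkrootkit.ignore` is used unconditionally, but nothing in the patch creates that file; on a host without it `egrep -f` prints an error and exits 2, which under `set -e` kills the diff-mode run. Either ship an empty /etc/chkrootkit.ignore with the package or guard the use with `[ -r $IGNOREF ] || IGNOREF=/dev/null`.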
@@ -16,7 +17,7 @@ fi
 
 if [ $RUN_DAILY = true ]; then
 if [ $DIFF_MODE = true ]; then
-eval $CHKROOTKIT $RUN_DAILY_OPTS  $LOG_DIR/log.today.raw 21
+eval $CHKROOTKIT $RUN_DAILY_OPTS  | egrep -v -f $IGNOREF  $LOG_DIR/log.today.raw 21
 # the sed expression replaces the messages about /sbin/dhclient3 /usr/sbin/dhcpd3
 # with a message that is the same whatever order eth0 and eth1 were scanned
 sed -r -e 's,eth(0|1)(:[0-9])?: PACKET SNIFFER\((/sbin/dhclient3|/usr/sbin/dhcpd3)\[[0-9]+\]\),eth\[0|1\]: PACKET SNIFFER\([dhclient3|dhcpd3]{PID}\),' \
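Review bot: the diff-mode line `+eval $CHKROOTKIT $RUN_DAILY_OPTS  | egrep -v -f $IGNOREF ...` lacks the `|| true` that the non-diff branch gets, so once the ignore list is tuned and every line is filtered, `egrep -v` exits 1 and `set -e` aborts the script before the sed/diff comparison. The trailing redirection now belongs to egrep rather than to chkrootkit, so chkrootkit's stderr is no longer captured in log.today.raw; note also that eval's argument list ends at the `|`, so the pipe sits outside the eval, which works here but deserves a comment.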
@@ -46,6 +47,6 @@ if [ $RUN_DAILY = true ]; then
 		echo # (note that unedited output is in $LOG_DIR/log.today.raw)
 fi
 else
-eval $CHKROOTKIT $RUN_DAILY_OPTS
+eval $CHKROOTKIT $RUN_DAILY_OPTS | egrep -v -f $IGNOREF || true
 fi
 fi
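Review bot: `|| true` on the whole pipeline is needed because `egrep -v` exits 1 when it prints nothing, but it also hides status 2 (missing ignore file, invalid regex), leaving an empty report plus an egrep error line in the cron mail; `|| [ $? -eq 1 ]` tolerates only the "nothing left" case. It is also worth documenting that a blank line in /etc/chkrootkit.ignore matches every line of output.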
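The ignore-list filtering discussed in this thread (`egrep -v -f` over the cron script's chkrootkit output), as an added example that is neither of the two patches nor the package's cron.daily: a filter function that handles the cases the two patches differ on (missing ignore file, blank pattern lines, a run where every line is filtered under `set -e`), plus a check for ignore rules that matched nothing, which is the commit message's second TODO. The function names, file names and the sample chkrootkit lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not the package's cron.daily nor either patch in this bug.
set -e

# Filter chkrootkit output (stdin) through an ignore file of extended regexes.
# Unreadable file: fall back to /dev/null (GNU grep treats an empty pattern
# file as "match nothing", so -v passes every line). Blank lines are dropped,
# because an empty pattern matches every line and would discard the report.
# grep -v exits 1 when nothing is left to print, which would abort a `set -e`
# script, so 1 is treated as success; grep's own errors (2) are passed on.
filter_scan_output() {
    ignore_file=$1
    if [ ! -r "$ignore_file" ]; then
        ignore_file=/dev/null
    fi
    cleaned=$(mktemp)
    grep -v '^[[:space:]]*$' "$ignore_file" > "$cleaned" || true
    if grep -E -v -f "$cleaned"; then status=0; else status=$?; fi
    rm -f "$cleaned"
    if [ "$status" -le 1 ]; then return 0; fi
    return "$status"
}

# List ignore patterns that match nothing in a saved scan (the commit
# message's second TODO): a rule that no longer matches is stale or mistyped.
unmatched_patterns() {
    grep -v '^[[:space:]]*$' "$1" | while IFS= read -r pat; do
        grep -E -q -- "$pat" "$2" || printf '%s\n' "$pat"
    done
}

# Constructed sample files imitating chkrootkit's output format; the lines
# are illustrative, not findings from a real host. Prints the directory.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/scan" <<'EOF'
eth0: PACKET SNIFFER(/sbin/dhclient3[1234])
Checking bindshell... INFECTED (PORTS:  465)
Checking lkm... You have 1 process hidden from readdir command
EOF
    cat > "$dir/ignore" <<'EOF'
^eth[01]: PACKET SNIFFER\(/sbin/dhclient3\[[0-9]+\]\)$

^Checking bindshell\.\.\. INFECTED \(PORTS:  465\)$
^Checking sniffer
EOF
    printf '%s\n' "$dir"
}
```

Run `dir=$(make_sample); filter_scan_output "$dir/ignore" < "$dir/scan"` to see only the unfiltered lkm line, and `unmatched_patterns "$dir/ignore" "$dir/scan"` to see the stale `^Checking sniffer` rule.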