Package: chkrootkit
Version: 0.48-8
Severity: important
Tags: patch


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30.3service
Locale: lang=it...@euro, lc_ctype=it...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages chkrootkit depends on:
ii  binutils            2.18.1~cvs20080103-7 The GNU assembler, linker and bina
ii  debconf [debconf-2. 1.5.24               Debian configuration management sy
ii  libc6               2.7-18lenny2         GNU C Library: Shared libraries
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  procps              1:3.2.7-11           /proc file system utilities

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- debconf information:
* chkrootkit/run_daily: true
* chkrootkit/run_daily_opts: -q -n
* chkrootkit/diff_mode: false


Hi Giuseppe,

Two problems:

1) With some NFS mounts, every day chkrootkit sends a message with the
mounted directory. Also, putting this dir in -e doesn't work.

2) Every day chkrootkit sends me a message with some legacy sniffers, and
in the current version I can't exclude these daemons (e.g. dhcpd3, ntop,
snort, etc.). For this problem I've created a new exclusion switch (-s for
"sniffer"), and I think this is the best syntax to put in RUN_DAILY_OPTS.
Sample with one sniffer to exclude:
-s '(\/usr\/sbin\/ntop\[[:0-9]+\])'
Sample with two sniffers to exclude:
-s '(\/usr\/sbin\/ntop\[[:0-9]+\], \/usr\/sbin\/snort\[[:0-9]+\])'
I suggest capturing the last report from chkrootkit for setting up your
rules.

I've solved the two problems with the attached patch.

Bye
--- chkrootkit.ori      2008-11-27 08:10:54.000000000 +0100
+++ chkrootkit  2010-05-06 12:07:27.000000000 +0200
@@ -177,7 +177,15 @@
       echo "not tested: can't exec ./ifpromisc"
       return ${NOT_TESTED}
     else
-      [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q
+#      [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q
+      outmsg=`[ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q`
+      [ "$EXCLUDES_SNIF" ] && {
+         for exclude in $EXCLUDES_SNIF
+            do
+                    outmsg=`echo $outmsg | egrep -v $exclude`
+            done
+     }
+      echo $outmsg
     fi
 }
 
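Review bot: the filter at `outmsg=\`echo $outmsg | egrep -v $exclude\`` does not work line by line: `$outmsg` is unquoted, so echo joins every interface's line into one line, and `egrep -v` then throws away all of it (including an interface carrying an unexpected sniffer) as soon as any one excluded pattern matches anywhere. The closing `echo $outmsg` flattens whitespace the same way and prints an empty line even when nothing is left, which in quiet mode is new output where there previously was none, and the function's exit status becomes that of echo instead of ifpromisc. Suggested shape: `outmsg=$(printf '%s\n' "$outmsg" | egrep -v -- "$exclude")` inside the loop and `[ -n "$outmsg" ] && printf '%s\n' "$outmsg"` at the end; also delete the commented-out old line instead of leaving it in the script. Note too that `$EXCLUDES_SNIF` is word-split here, so one -s pattern containing a space (as in the two-sniffer sample in the report) arrives as two fragments, each an unbalanced regex.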
@@ -734,28 +742,26 @@
       then
       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
    else
-      if [ "${QUIET}" = "t" ]; then
-          printn "The following suspicious files and directories were found:"
-      fi
-      echo
-
+       outmsg=""
        if [ -n "${EXCLUDES}" ]; then
            for name in $files; do
              for exclude in $EXCLUDES; do
                    if [ $name = $exclude ]; then continue 2; fi
                done
-               echo $name
+               outmsg="$outmsg$name\n"
            done
            for name in $dirs; do
              for exclude in $EXCLUDES; do
                    if [ $name = $exclude ]; then continue 2; fi
                done
-               echo $name
+               outmsg="$outmsg$name\n"
            done
        else
-           echo ${files}
-           echo ${dirs}
+          outmsg="${files}\n${dirs}"
        fi
+      if [ "${QUIET}" = "t" -a "$outmsg" ]; then
+          echo -e "The following suspicious files and directories were 
found:\n\n $outmsg"
+      fi
    fi
 
    ### LPD Worm
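Review bot: the names collected into `$outmsg` are now printed only under `[ "${QUIET}" = "t" -a "$outmsg" ]`, so in a normal (non -q) run the suspicious files and dirs are never shown, whereas the removed `echo $name` / `echo ${files}` lines printed them in both modes. Keep the listing unconditional and let only the header depend on QUIET. Two smaller points in the same hunk: `outmsg="${files}\n${dirs}"` in the else branch is never empty because of the literal `\n`, so the `-a "$outmsg"` test only has an effect on the EXCLUDES path; and `echo -e` is not portable if the script runs under /bin/sh as dash (it prints the `-e`), so build the list with real newlines, e.g. `outmsg="${outmsg}${name}
"` or `printf '%s\n'`, and test it with `[ -n "$outmsg" ]`.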
@@ -1227,10 +1233,12 @@
    findargs=""
    if find /etc -maxdepth 0 >/dev/null 2>&1; then
         find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \
-           findargs=" -fstype nfs -prune -o "
+           findargs=" -fstype nfs -prune "
+#           findargs=" -fstype nfs -prune -o "
    elif find /etc -prune > /dev/null 2>&1; then
         find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \
-           findargs=" -fstype nfs -prune -o "
+           findargs=" -fstype nfs -prune "
+#           findargs=" -fstype nfs -prune -o "
    fi
 }
 
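Review bot: dropping the `-o` from `findargs=" -fstype nfs -prune "` changes the meaning of every find expression this string is inserted into: `-fstype nfs -prune -o <tests> -print` prunes NFS subtrees and prints everything else, while `-fstype nfs -prune <tests> -print` is an implicit AND, so any path that is not on NFS fails `-fstype nfs` and is never printed, which hides local suspicious files rather than the NFS noise. Keep the `-prune -o` form. If the NFS directories still show up with it, check what find thinks their filesystem type is (`find /path -maxdepth 0 -printf '%F\n'`), since GNU find reports NFSv4 mounts as `nfs4`, which `-fstype nfs` does not match. The commented-out duplicate lines should be deleted as well.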
@@ -2647,6 +2655,9 @@
         -e)     shift
                 EXCLUDES="$1 $EXCLUDES";;
 
+        -s)     shift
+                EXCLUDES_SNIF="$1 $EXCLUDES_SNIF";;
+
         -q)     QUIET=t
                 QUIET_ARG="-q"
                 ;;
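Review bot: `EXCLUDES_SNIF="$1 $EXCLUDES_SNIF"` stores the patterns as one space-separated string that is later iterated with `for exclude in $EXCLUDES_SNIF`, so a pattern with whitespace inside it is split into fragments; a regex like `(a\[[0-9]+\], b\[[0-9]+\])` cannot be passed this way. Either document that each -s value is a single egrep ERE without spaces (several sniffers via repeated -s or an alternation such as `ntop|snort`), or store them one per line and loop with IFS set to newline. As with -e, a trailing `-s` with no value silently sets an empty pattern after the `shift`, and `egrep -v ''` then removes every line of the ifpromisc output.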
@@ -2669,6 +2680,8 @@
         -x                expert mode
         -e                exclude known false positive files/dirs, quoted,
                           space separated, READ WARNING IN README
+        -s                exclude known false positive sniffer (dhcpd, ntop 
etc)
+                         quoted, space separated
         -r dir            use dir as the root directory
         -p dir1:dir2:dirN path for the external commands used by chkrootkit
         -n                skip NFS mounted dirs"
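Review bot: the help text for -s should say what the values are, since -e takes exact file/dir names while -s takes egrep regular expressions matched against the ifpromisc output; "space separated" is also misleading when a single pattern may not contain spaces. Suggested wording: `-s  exclude known sniffers from the ifpromisc report: quoted, space separated egrep patterns (e.g. '/usr/sbin/ntop\[[0-9]+\]')`. The patch touches only the chkrootkit script; the man page and README, which the -e line refers to, should document the new switch too.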

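For comparison, here is a line-wise version of the sniffer exclusion that the report's -s switch is after. This is an added example, not code from the bug report, from the attached patch or from chkrootkit itself. Instead of discarding whole lines that match an excluded pattern, it removes the known `path[pid]` entries from each `PACKET SNIFFER(...)` line and reports only interfaces that still name an unexpected process, so a known daemon on the same interface cannot mask an unknown one. The sample input is constructed to imitate `ifpromisc -v` output and may differ in detail from the real tool; `KNOWN_SNIFFERS`, `filter_sniffers` and `unexpected_sniffers` are names chosen for the example.

```shell
#!/bin/sh
# Added example (not part of the bug report or of the chkrootkit patch):
# a line-wise sniffer exclusion filter for ifpromisc-style output.

# Constructed sample standing in for `ifpromisc -v`: eth0 carries two known
# sniffers plus an unknown one, eth1 only a known sniffer, lo is clean.
sample_output() {
    printf '%s\n' \
        'eth0: PACKET SNIFFER(/usr/sbin/ntop[1234], /usr/bin/evil[9999], /usr/sbin/snort[5678])' \
        'eth1: PACKET SNIFFER(/usr/sbin/ntop[1235])' \
        'lo: not promisc and no packet sniffer sockets'
}

# Exclusion patterns in the report's -s style: one egrep/sed ERE per entry,
# space separated, no whitespace inside a single pattern (hypothetical list).
KNOWN_SNIFFERS='\/usr\/sbin\/ntop\[[0-9]+\] \/usr\/sbin\/snort\[[0-9]+\]'

# filter_sniffers PATTERNS: reads ifpromisc-style lines on stdin.
# For every pattern it deletes that entry (plus the ", " after it) from the
# line, then drops lines whose SNIFFER(...) list ended up empty. Lines that
# never mentioned a sniffer pass through untouched.
filter_sniffers() {
    patterns=$1
    script=''
    set -f      # no pathname expansion of the [...] inside the patterns
    for pat in $patterns; do
        script="${script}s/${pat}(, )?//g;"
    done
    set +f
    # a known entry at the end of the list leaves ", )" behind
    script="${script}s/, \)/)/;"
    # an empty list means everything on that interface was expected
    script="${script}/PACKET SNIFFER\(\)/d"
    sed -E "$script"
}

# Lines still worth mailing to the admin after the known daemons are removed.
unexpected_sniffers() {
    sample_output | filter_sniffers "$KNOWN_SNIFFERS"
}

unexpected_sniffers
```

On the constructed sample only the eth0 line survives, reduced to the unknown `/usr/bin/evil[9999]` entry, plus the untouched lo line; the eth1 line disappears because ntop was its only sniffer. The patterns are passed as a single argument and split inside the function on purpose, which is why they must not contain spaces: the same constraint the patch's `for exclude in $EXCLUDES_SNIF` loop imposes.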