You are here: Foswiki>Sysadmin Web>DebianChkRootkit (30 Apr 2006, IntRigeri)Edit Attach

DebianChkRootkit

DebianChkRootkit
- How to get rid of annoying false positivies in Debians' daily chkrootkit cron runs
  - DIFF_MODE
  - Patch

How to get rid of annoying false positivies in Debians' daily chkrootkit cron runs

There are at least two methods...

DIFF_MODE

Debian etch chkrootkit (version 0.46 and newer) has a DIFF_MODE option that makes chkrootkit only report the alerts that are different from yesterday's ones. Use sudo dpkg-reconfigure chkrootkit in order to enable this operation mode.

Debian sarge's chkrootkit does not have this option, but there is a backport available on http://backports.org.

-- IntRigeri - 30 Apr 2006

Patch

Note: This was tested against the Debian package chkrootkit-0.46a-3. It may not work against other versions.

Make sure the chkrootkit package is setup to do the daily crons via debconf:

dpkg-reconfigure -plow chkrootkit

Apply the patch found below to /etc/cron.daily/chkrootkit. It's in (unified) diff -Naur format.

Now edit /etc/chkrootkit.conf and add the following to the end:

# Regular expression defining messages to ignore
# in daily cron runs only.
#IGNORE="^INFECTED (PORTS:  465)$"

Change the IGNORE Regular Expression to suppress any messages generated by the daily cron runs and remove the leading dash on the IGNORE line to uncomment it. The above IGNORE rule is an example only.

-- AlsteR - 22 Mar 2006

Topic attachments
I	Attachment	Action	Size	Date	Who	Comment
diff	chkrootkit.diff	manage	1 K	31 Mar 2006 - 02:05	UnknownUser	chkrootkit patch for Debian allowing for suppressing false positives on cron'd runs

Topic revision: r4 - 30 Apr 2006, IntRigeri

Sysadmin

Home

All sections
Global network
Local IMCs
Tech
Sandbox

Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback