DebianChkRootkit

How to get rid of annoying false positives in Debian's daily chkrootkit cron runs

There are at least two methods...

DIFF_MODE

Debian etch's chkrootkit (version 0.46 and newer) has a DIFF_MODE option that makes the daily cron run report only the alerts that differ from the previous run's. Run sudo dpkg-reconfigure chkrootkit to enable this operation mode.

Debian sarge's chkrootkit does not have this option, but a backport is available from http://backports.org.

-- IntRigeri - 30 Apr 2006

Patch

Note: This was tested against the Debian package chkrootkit-0.46a-3. It may not work with other versions.

Make sure the chkrootkit package is set up to run the daily cron job via debconf:
dpkg-reconfigure -plow chkrootkit

Apply the patch found below (attached as chkrootkit.diff) to /etc/cron.daily/chkrootkit. It is in unified diff (diff -Naur) format.

Now edit /etc/chkrootkit.conf and add the following to the end:
# Regular expression defining messages to ignore
# in daily cron runs only.
#IGNORE="^INFECTED (PORTS:  465)$"

Change the IGNORE regular expression to suppress whatever messages the daily cron runs generate, and remove the leading # on the IGNORE line to uncomment it. The IGNORE rule above is only an example.

-- AlsteR - 22 Mar 2006
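The IGNORE filtering and the DIFF_MODE-style comparison described above, as an added shell example that is neither the page's patch nor Debian's cron script. It assumes the daily run uses chkrootkit -q (one alert per line) and plain grep -v with a basic regex, so the parentheses in the page's IGNORE example are literal; the alert lines are constructed samples.

```shell
#!/bin/sh
# Added example, not the page's patch or Debian's cron script. Assumes the
# daily run uses chkrootkit -q (one alert per line) and plain grep -v, i.e. a
# basic regex where the parentheses in the page's IGNORE example are literal.

# Filter the cron run's output through IGNORE. An empty IGNORE passes every
# line through unchanged: 'grep -v ""' would silently drop all alerts.
filter_alerts() {
    ignore="$1"
    if [ -z "$ignore" ]; then
        cat
    else
        grep -v -e "$ignore" || true   # grep exits 1 when nothing survives
    fi
}

# DIFF_MODE-style comparison: print only alert lines absent from the previous
# run's saved output ($1). A line must match exactly (-x) and literally (-F).
new_alerts() {
    previous="$1"
    if [ -s "$previous" ]; then
        grep -vxF -f "$previous" || true
    else
        cat
    fi
}

# Constructed sample of chkrootkit -q output for a demonstration run.
sample_run() {
    printf '%s\n' \
        'INFECTED (PORTS:  465)' \
        '/usr/lib/jvm/.java /usr/lib/jvm/.java/.systemPrefs' \
        'eth0: PACKET SNIFFER(/usr/sbin/dhcpd[1234])'
}

# The page's example IGNORE rule suppresses the port-465 alert only.
IGNORE='^INFECTED (PORTS:  465)$'

demo() {
    prev=$(mktemp)
    sample_run | filter_alerts "$IGNORE" > "$prev"   # "yesterday": 2 lines
    # Today one constructed alert is new; only that line should be reported.
    { sample_run; echo 'Warning: /sbin/init INFECTED'; } \
        | filter_alerts "$IGNORE" | new_alerts "$prev"
    rm -f "$prev"
}

demo
```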

Topic attachments
chkrootkit.diff (1 K, 31 Mar 2006) - chkrootkit patch for Debian allowing for suppressing false positives on cron'd runs
Topic revision: 30 Apr 2006, IntRigeri