How to get rid of annoying false positives in Debian's daily chkrootkit cron runs
There are at least two methods...
Debian etch's chkrootkit (version 0.46 and newer) has an option that makes chkrootkit report only the alerts that differ from the previous day's run. Run
sudo dpkg-reconfigure chkrootkit
to enable this mode of operation.
Debian sarge's chkrootkit does not have this option, but a backport is available from http://backports.org.
- 30 Apr 2006
This was tested against the Debian package chkrootkit-0.46a-3. It may not work against other versions.
Make sure the chkrootkit package is set up to run the daily cron job via debconf:
dpkg-reconfigure -plow chkrootkit
Apply the patch found below to /etc/cron.daily/chkrootkit. It's in (unified) diff -Naur format.
Now edit /etc/chkrootkit.conf and add the following to the end:
# Regular expression defining messages to ignore
# in daily cron runs only.
#IGNORE="^INFECTED (PORTS: 465)$"
Edit the IGNORE regular expression so that it matches the messages from the daily cron runs that you want suppressed, and remove the leading # to uncomment the line. The rule above is an example only.
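To make both suppression strategies concrete, here is an added illustration in POSIX sh. It is not the Debian package's cron script and not the patch this page refers to; the function names filter_chkrootkit and daily_run, the state file argument, and the sample alert lines are all constructed for the example. The IGNORE value is applied with plain grep -v, i.e. as a basic regular expression, so the page's sample rule matches literally; with grep -E the parentheses would have to be escaped. Note also that the "report only what is new" mode means a finding that is already in yesterday's output is silently carried forward, so the first report of any alert is the one that must be investigated.

```sh
#!/bin/sh
# Added example: filtering chkrootkit alert output the two ways the page describes.
# Not the Debian cron.daily script and not the page's patch; names are assumptions.

# filter_chkrootkit TODAY IGNORE_REGEX [YESTERDAY]
#   TODAY        file with today's chkrootkit alert lines
#   IGNORE_REGEX basic regular expression (as for grep -v); matching lines are
#                dropped. Empty string disables this step.
#   YESTERDAY    optional file with the previous run's lines; lines already
#                present there are dropped so only new alerts are reported.
# Always returns 0 so it can be used inside $(...) under set -e.
filter_chkrootkit() {
    today=$1; ignore=$2; yesterday=$3
    {
        if [ -n "$ignore" ]; then
            # -e keeps a pattern beginning with '-' from being read as an option.
            grep -v -e "$ignore" "$today" || true
        else
            cat "$today"
        fi
    } | {
        if [ -n "$yesterday" ] && [ -s "$yesterday" ]; then
            # Fixed-string, whole-line match against every line of yesterday's output.
            grep -F -v -x -f "$yesterday" || true
        else
            cat
        fi
    }
    return 0
}

# daily_run TODAY IGNORE_REGEX STATE_FILE
#   Mimics one daily run: print what is new relative to the saved previous
#   output, then save today's output as the baseline for tomorrow.
#   STATE_FILE is a path chosen by the caller (an assumption of this example).
daily_run() {
    today=$1; ignore=$2; state=$3
    filter_chkrootkit "$today" "$ignore" "$state"
    cp "$today" "$state"
    return 0
}
```

Used from a cron job, daily_run would be given the file holding the current chkrootkit output, the IGNORE value read from /etc/chkrootkit.conf, and a writable state file kept between runs; with an empty IGNORE it behaves like the "only report differences" mode alone, and with no state file it reduces to the IGNORE filter alone.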
- 22 Mar 2006