Package: rkhunter
Version: 1.3.6-4
Severity: wishlist
Tags: patch

If the option to check hidden processes is enabled, rkhunter will output
'Found HIDDEN PID ...' messages in its report. However, no other info is
provided, and the report itself may be read quite some time after the
processes were checked. Since many of these messages result from false
positives, the report is usually over-alerting and also not of much
help; all pids must be checked manually, and since this is done quite
some time after the incident, one can never be sure.

The proposed patch inspects the processes found immediately afterwards: if the
/proc/pid directory exists, it prints a report about the process in the
job's message (in the other case, as the rkhunter documentation states,
it is probably a process caught while shutting down); otherwise it reports
the pid as probably safe.

regards
George Zarkadas

===============================PATCH-STARTS==============
--- debian/cron.daily
+++ debian/cron.daily.new
@@ -11,11 +11,59 @@
     NICE=0
 fi
 
+# Pretty-print a header ($1) and a command output ($2).
+# Add a final newline if $3 is supplied and not an empty string
+#
+print_pid_item ()
+{
+    printf "## %s :\n%s\n" "${1}" '##############'
+    eval "${2}"
+    if [ "X${3}" != "X" ]; then
+        printf "\n"
+    fi
+}
+
+# We have pid as $1 and we are in /proc/$1 (cd'ed by caller)
+#
+fullreport_hidden_pid ()
+{
+    echo '################################################################'
+    print_pid_item '/proc/PID' 'pwd'
+    print_pid_item 'cmdline  ' 'cat cmdline' 1
+    print_pid_item 'exe      ' 'ls -lA exe'
+    print_pid_item 'cwd      ' 'ls -lA cwd'
+    print_pid_item 'loginuid ' 'cat loginuid' 1
+    print_pid_item 'attr     ' 'ls attr'
+    print_pid_item 'fd       ' 'ls -lA fd'
+    print_pid_item 'environ  ' 'cat environ | tr "\0" "\n"'
+    print_pid_item 'status   ' 'cat status'
+    print_pid_item 'maps     ' 'cat maps'
+    print_pid_item 'ps io    ' 'cat io'
+    echo '################################################################'
+    echo
+}
+
 case "$CRON_DAILY_RUN" in
      [Yy]*)
                OUTFILE=`mktemp` || exit 1
         /usr/bin/nice -n $NICE $RKHUNTER --cronjob --report-warnings-only 
--appendlog > $OUTFILE
         if [ -s "$OUTFILE" ]; then
+
+         # Seek more info for hidden pids now; later it may 
+         # be impossible to do so.
+
+         for pid in `<$OUTFILE awk '/Found HIDDEN PID:/ {print $NF}'`
+           do
+               echo "   Quering Hidden Pid Status, PID: ${pid}" >> $OUTFILE
+               cd /proc/${pid}
+               if [ "`pwd`" = "/proc/${pid}" ]
+               then
+                 echo "      HIDDEN PROCESS IS RUNNING (SECURITY ALERT):" >> 
$OUTFILE
+                 fullreport_hidden_pid ${pid} >> $OUTFILE
+               else
+                 echo "      Appears to be a transient process (probably 
should be ignored)" >> $OUTFILE
+               fi
+           done
           (
             echo "Subject: [rkhunter] $(hostname -f) - Daily report"
             echo "To: $REPORT_EMAIL"
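Review bot: the loop relies on a bare `cd /proc/${pid}` with no status check, so a failed cd prints an error to stderr and leaves the job wherever it was, while a successful cd is never undone and the rest of the cron job (including the mail block that follows) runs from /proc/<pid>. Test the directory instead and keep the cd inside a subshell, e.g. `if [ -d "/proc/${pid}" ]` and `fullreport_hidden_pid () ( cd "/proc/$1" || exit 1; ... )`, which also makes the pid argument that the function documents but never uses meaningful. Two smaller points: `cat cmdline` prints the NUL-separated arguments run together (pipe it through `tr '\0' ' '` as the environ line already does), and `cat maps` can make the mailed report very large for a big process. Since the pid comes straight from the report text, it is worth restricting the awk match to numeric tokens (`$NF ~ /^[0-9]+$/`) before interpolating it into a path; "Quering" in the echo string should read "Querying".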
===============================PATCH-ENDS================
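The triage described in the message, written here as an added example rather than the patch itself: it extracts the hidden PIDs from a constructed report, checks /proc without changing the cron job's working directory, and emits a bounded, read-only summary that tolerates the process exiting mid-way. The sample report and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Constructed sample report; the current shell's own pid stands in for a
# hidden process that is still running, the second pid exceeds pid_max.
SAMPLE_REPORT="Warning: Hidden processes check
Found HIDDEN PID: $$
Found HIDDEN PID: 99999999"

# Pull PIDs out of the report, accepting only purely numeric tokens so the
# value is safe to interpolate into a /proc path.
hidden_pids() {
    printf '%s\n' "$1" | awk '/Found HIDDEN PID:/ && $NF ~ /^[0-9]+$/ {print $NF}'
}

# "running" if /proc/PID still exists, "transient" otherwise. Testing the
# directory instead of cd-ing into it leaves the caller's cwd untouched.
classify_pid() {
    if [ -d "/proc/$1" ]; then echo running; else echo transient; fi
}

# Short summary of a live process. The body is a subshell, so the cd never
# leaks; every read is read-only and silently tolerates the process vanishing.
report_pid() (
    cd "/proc/$1" 2>/dev/null || { echo "PID $1: vanished before inspection"; exit 1; }
    echo "## PID $1"
    printf 'cmdline : '; tr '\0' ' ' < cmdline 2>/dev/null; echo
    printf 'exe     : '; readlink exe 2>/dev/null || echo '(unreadable)'
    printf 'cwd     : '; readlink cwd 2>/dev/null || echo '(unreadable)'
    grep -E '^(Name|State|PPid|Uid|Gid):' status 2>/dev/null
    echo "open fds: $(ls fd 2>/dev/null | wc -l)"
)

# Classify every hidden PID in a report and summarise the ones still alive.
triage_report() {
    for pid in $(hidden_pids "$1"); do
        case "$(classify_pid "$pid")" in
            running)   echo "PID $pid: HIDDEN PROCESS IS RUNNING"; report_pid "$pid" ;;
            transient) echo "PID $pid: transient, probably safe to ignore" ;;
        esac
    done
}

triage_report "$SAMPLE_REPORT"
```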
