Package: chkrootkit
Version: 0.49-4
Severity: normal
Tags: patch
It is publicly known that chkrootkit generates a lot of false positives, and
it is a pain to receive an e-mail with them every day, which makes people
simply ignore those mails most of the time.
Here is a nice post describing an easy way to add an ignore list by
grepping the output:
http://www.electricmonk.nl/log/2007/11/29/chkrootkit-false-positives-filtering/
Attached is an updated patch for /etc/cron.daily/chkrootkit.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable'), (50, 'unstable'), (20, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages chkrootkit depends on:
ii binutils 2.21.90.20111004-2
ii debconf [debconf-2.0] 1.5.40
ii libc6 2.13-21
ii net-tools 1.60-24.1
ii procps 1:3.2.8-11
chkrootkit recommends no packages.
chkrootkit suggests no packages.
-- debconf information:
* chkrootkit/run_daily_opts: -q -n
* chkrootkit/run_daily: true
* chkrootkit/diff_mode: false
diff --git a/cron.daily/chkrootkit b/cron.daily/chkrootkit
index 7a6b7b9..152d503 100755
--- a/cron.daily/chkrootkit
+++ b/cron.daily/chkrootkit
@@ -4,6 +4,7 @@ set -e
CHKROOTKIT=/usr/sbin/chkrootkit
CF=/etc/chkrootkit.conf
+IGNOREF=/etc/chkrootkit.ignore
LOG_DIR=/var/log/chkrootkit
if [ ! -x $CHKROOTKIT ]; then
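Review bot: IGNOREF is a hardcoded path with no existence check, even though the patch ships no /etc/chkrootkit.ignore and the next line already tests `[ ! -x $CHKROOTKIT ]` for the binary; on any host without the file, the `egrep -v -f $IGNOREF` added in the later hunks fails and the script's `set -e` (visible in the hunk header) aborts the daily run. Guard it next to the CHKROOTKIT test, e.g. `[ -r "$IGNOREF" ] || IGNOREF=/dev/null`, or ship a default (possibly empty) file with the package, and consider making the path a setting in $CF (/etc/chkrootkit.conf) rather than a constant in the cron script.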
@@ -16,7 +17,7 @@ fi
if [ "$RUN_DAILY" = "true" ]; then
if [ "$DIFF_MODE" = "true" ]; then
- eval $CHKROOTKIT $RUN_DAILY_OPTS > $LOG_DIR/log.today.raw 2>&1
+ eval $CHKROOTKIT $RUN_DAILY_OPTS | egrep -v -f $IGNOREF > $LOG_DIR/log.today.raw 2>&1
# the sed expression replaces the messages about /sbin/dhclient3 /usr/sbin/dhcpd3
# with a message that is the same whatever order eth0 and eth1 were scanned
sed -r -e 's,eth(0|1)(:[0-9])?: PACKET SNIFFER\((/sbin/dhclient3|/usr/sbin/dhcpd3)\[[0-9]+\]\),eth\[0|1\]: PACKET SNIFFER\([dhclient3|dhcpd3]{PID}\),' \
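Review bot: the DIFF_MODE pipeline has no `|| true`, unlike the non-diff branch below, so on a clean run with `-q` (the debconf section shows run_daily_opts: -q -n) or when every line is ignored, `egrep -v` prints nothing, exits 1, and `set -e` kills the script before the sed/diff step runs. Two side effects of moving the filter into this line: `2>&1` now redirects only egrep's stderr, so chkrootkit's own stderr bypasses the log and lands in cron mail; and log.today.raw no longer holds unedited output, although the echo at the end of the file still says it does. Capture first and filter second: keep `eval $CHKROOTKIT $RUN_DAILY_OPTS > $LOG_DIR/log.today.raw 2>&1` unchanged and apply `egrep -v -f $IGNOREF` when producing the edited log (for example feeding the sed expression), with `|| [ $? -eq 1 ]` so an empty result is not treated as a failure.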
@@ -46,6 +47,6 @@ if [ "$RUN_DAILY" = "true" ]; then
echo "# (note that unedited output is in $LOG_DIR/log.today.raw)"
fi
else
- eval $CHKROOTKIT $RUN_DAILY_OPTS
+ eval $CHKROOTKIT $RUN_DAILY_OPTS | egrep -v -f $IGNOREF || true
fi
fi
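Review bot: `|| true` hides two different conditions: egrep exiting 1 because nothing survived the filter (harmless) and any failure of chkrootkit itself, whose exit status the pipeline now discards since only egrep's status is returned; before the patch a chkrootkit failure stopped the script under `set -e`. `|| [ $? -eq 1 ]` tolerates only the empty-result case. Separately, the entries in $IGNOREF are unanchored extended regexes matched against every output line, so a pattern written for one false positive (a path, a process name) will also suppress a later genuine finding that contains the same substring, and a blank line in the file matches every line and silences the whole report; the file format and the need for anchored (`^...$`) patterns should be documented, ideally in a shipped /etc/chkrootkit.ignore.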
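The ignore-list approach the linked post describes (grep the scanner output against a file of patterns) is easy to get subtly wrong in a cron script that runs under `set -e`. The following is an added example, not code from the chkrootkit package, from the bug reporter or from the linked post: a /bin/sh (dash-compatible) filter that passes everything through when the ignore file is missing or contains only blank lines, does not treat grep's "nothing left" exit status as a failure, keeps the unfiltered output on disk, and returns the scanner's own exit status instead of grep's. The scanner stand-in `fake_chkrootkit`, the ignore patterns and the report lines are constructed for the demonstration and are not real chkrootkit output; `mktemp` and GNU grep are assumed to be available.

```shell
#!/bin/sh
# Added example, not code from the chkrootkit package or from the bug report:
# an ignore-list filter for a chkrootkit cron wrapper that runs under `set -e`.
# It handles the cases a bare `egrep -v -f FILE` in the pipeline does not:
# a missing or blank ignore file, grep's exit status 1 when nothing survives
# the filter, and preserving the scanner's own exit status.
set -e

# filter_output IGNOREFILE < INPUT
# Print the lines of INPUT not matched by any extended regex in IGNOREFILE.
# Exit status 0 even when every line was filtered out; only a genuine grep
# error (status 2, e.g. a malformed regex) is propagated.
filter_output() {
    ignoref=$1
    if [ ! -s "$ignoref" ]; then
        cat             # no ignore list: pass everything through unchanged
        return 0
    fi
    # A blank line in the pattern file matches every line, so `grep -v -f`
    # would silence the whole report. Strip blank lines into a temp copy first.
    patterns=$(mktemp "${TMPDIR:-/tmp}/chkrootkit-ignore.XXXXXX")
    grep -v '^[[:space:]]*$' "$ignoref" > "$patterns" || true
    rc=0
    grep -E -v -f "$patterns" || rc=$?
    rm -f "$patterns"
    [ "$rc" -le 1 ]     # 1 only means "nothing left to print"
}

# run_scan SCANNER IGNOREFILE RAWLOG
# Run SCANNER (a command or shell function) with stdout and stderr captured
# unfiltered in RAWLOG, print the filtered view on stdout, and return the
# scanner's own exit status rather than grep's.
run_scan() {
    scanner=$1; ignoref=$2; rawlog=$3
    scan_rc=0
    "$scanner" > "$rawlog" 2>&1 || scan_rc=$?
    filter_output "$ignoref" < "$rawlog"
    return "$scan_rc"
}

# count_lines FILE: number of lines in FILE, without padding from wc.
count_lines() { wc -l < "$1" | tr -d ' '; }

# --- Constructed demonstration data (not real chkrootkit output) ----------
# Stand-in for chkrootkit: three report-style lines of the kind an admin
# would put on an ignore list, one line that should never be ignored, and
# exit status 1 to stand in for a scanner that reported something.
fake_chkrootkit() {
    printf '%s\n' \
        'eth0: PACKET SNIFFER(/sbin/dhclient3[1234])' \
        'chkutmp: nothing deleted' \
        '/usr/lib/pymodules/python2.7/.path' \
        'INFECTED (PORTS:  465)'
    return 1
}

# write_ignore_file FILE: constructed ignore list. Every pattern is anchored
# with ^ and $ so an entry for one false positive cannot also swallow a real
# finding that merely contains the same substring. The blank line in the
# middle is deliberate: it shows that filter_output neutralises it.
write_ignore_file() {
    cat > "$1" <<'EOF'
^eth[0-9]+(:[0-9]+)?: PACKET SNIFFER\(/sbin/dhclient3\[[0-9]+\]\)$
^chkutmp: nothing deleted$

^/usr/lib/pymodules/python2\.7/\.path$
EOF
}

# demo: run the stand-in scanner through the filter and report what survived.
demo() {
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/chkrootkit-demo.XXXXXX")
    write_ignore_file "$workdir/ignore"
    rc=0
    run_scan fake_chkrootkit "$workdir/ignore" "$workdir/log.today.raw" \
        > "$workdir/log.today" || rc=$?
    echo "filtered report ($(count_lines "$workdir/log.today") line(s)):"
    cat "$workdir/log.today"
    echo "unfiltered lines kept in log.today.raw: $(count_lines "$workdir/log.today.raw")"
    echo "scanner exit status: $rc"
    rm -rf "$workdir"
}

demo
```

Keeping the capture (`> log.today.raw 2>&1`) separate from the filtering is what keeps the raw log honest and the scanner's stderr out of cron mail; the `[ "$rc" -le 1 ]` at the end of `filter_output` is the narrow replacement for a blanket `|| true`.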