rpms/chkrootkit/devel README.false_positives, NONE, 1.1 chkrootkit-0.47-libgcj-false-positive.patch, NONE, 1.1 .cvsignore, 1.6, 1.7 chkrootkit.spec, 1.17, 1.18 sources, 1.6, 1.7

Michael Schwendt (mschwendt) fedora-extras-commits at redhat.com
Tue Jan 30 20:06:46 UTC 2007


Author: mschwendt

Update of /cvs/extras/rpms/chkrootkit/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18856

Modified Files:
	.cvsignore chkrootkit.spec sources 
Added Files:
	README.false_positives 
	chkrootkit-0.47-libgcj-false-positive.patch 
Log Message:
* Tue Jan 30 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.47-3
- Patch OpenBSD rootkit check to not report libgcj file
  /usr/lib/security/classpath.security
- Add README.false_positives



--- NEW FILE README.false_positives ---
This is an additional document added to the Fedora RPM package of
chkrootkit.
-----

It is in the nature of some of chkrootkit's checks that their findings may
include false positives. Users are advised to examine reported files more
closely (display them, query the RPM database about them, compare them with
backups on read-only media) and to rely on an additional layer of protection
(such as an intrusion detection tool).


For example, where chkrootkit searches for hidden files below /usr/lib (file
names beginning with a dot), it may report files which belong to valid RPM
packages, or which have been created at run-time by some software, and
which are innocent. The output could look like this (the lines have been
wrapped for readability):

Searching for suspicious files and dirs, it may take a while... 
/usr/lib/firefox-1.5.0.3/.autoreg
/usr/lib/firefox-1.5.0.2/.autoreg
/usr/lib/firefox-1.5.0.8/.autoreg
/usr/lib/firefox-1.5.0.1/.autoreg
/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/firefox-1.5/.autoreg
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/firefox-1.5.0.4/.autoreg

In this example, the files are valid files from Firefox (previous and
current versions), Perl and the Qt GUI toolkit, but only the ".packlist"
file is included in the main "perl" package. Creating and maintaining a
simple white-list inside chkrootkit would carry the risk that a new rootkit
uses the knowledge about white-listed file locations to store its
malicious files.


Another example is a check that looks for files in a location which is
nowadays used by a valid package. The output looks like:

Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security

Both files are included in the "libgcj" package, however:

  $ rpm --query --file /usr/lib/security/classpath.security
  libgcj-4.1.1-51.fc6

and are false positives:

  $ rpm --verify libgcj
  $

unless something has managed to manipulate the system in a way that simple
checks like the above can no longer be trusted.
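The triage procedure described above for both examples (query the RPM database for the owner of a reported path, then verify that package) can be made repeatable for a whole chkrootkit run. The following script is an added example; it is not part of chkrootkit or of the Fedora package. It parses chkrootkit's output, including the first finding that chkrootkit prints on the same line as the check's label (as in the "OBSD rk v1" case above), and classifies each path as owned and verifying cleanly, owned but modified, or not owned by any package. The sample output, the RPM variable (which lets the rpm command be substituted) and the function names are constructed for this example. Paths are handed to rpm as single arguments rather than through eval, so an unusual file name is never interpreted by the shell.

```shell
#!/bin/sh
# Added example (not part of chkrootkit or the Fedora package): triage the
# paths that chkrootkit reports by asking the RPM database who owns them and
# whether that package still verifies.  Function names are hypothetical.

# The rpm command can be overridden (e.g. with a wrapper) for testing.
RPM="${RPM:-rpm}"

# Constructed sample of chkrootkit output.  The first finding of a check is
# printed on the same line as the check's label; later ones get their own line.
SAMPLE_OUTPUT='Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox-1.5/.autoreg
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Searching for Suckit rootkit... nothing found'

# Read chkrootkit output on stdin and print one absolute path per line:
# strip the "Searching for ... " label, then keep only lines starting with "/"
# (this drops "nothing found" and similar non-path results).
extract_paths() {
    sed -n 's/^Searching for .*\.\.\. *//; /^\//p'
}

# Classify one reported path:
#   OWNED-OK        a package owns it and "rpm --verify" of that package is clean
#   OWNED-MODIFIED  a package owns it but the package no longer verifies
#   UNOWNED         no package claims the file (look at it by hand)
# The path is passed as a single argument after "--", never through eval.
triage_path() {
    f=$1
    owners=$("$RPM" --query --file -- "$f" 2>/dev/null </dev/null) || {
        echo "UNOWNED $f"
        return 0
    }
    status=OWNED-OK
    # A file may be owned by several packages; package names contain no spaces.
    for pkg in $owners; do
        "$RPM" --verify "$pkg" >/dev/null 2>&1 </dev/null || status=OWNED-MODIFIED
    done
    echo "$status" "$f" $owners
}

# Triage every path found in chkrootkit output fed on stdin.
triage_report() {
    extract_paths | while IFS= read -r p; do
        triage_path "$p"
    done
}

# "--demo" runs the triage on the constructed sample; "-" reads chkrootkit
# output from stdin (e.g. "chkrootkit | sh triage.sh -").  Both need a real rpm.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_OUTPUT" | triage_report ;;
    -)      triage_report ;;
esac
```

The classification mirrors the two commands in the text: `rpm --query --file` answers "who owns this", and `rpm --verify` answers "has that package been tampered with". As the text notes, both answers depend on the RPM database and rpm binary themselves being intact, so an OWNED-OK result reduces suspicion but does not replace an independent check such as comparing against read-only media.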

chkrootkit-0.47-libgcj-false-positive.patch:

--- NEW FILE chkrootkit-0.47-libgcj-false-positive.patch ---
diff -Nur chkrootkit-0.47-orig/chkrootkit chkrootkit-0.47/chkrootkit
--- chkrootkit-0.47-orig/chkrootkit	2006-10-09 21:20:54.000000000 +0200
+++ chkrootkit-0.47/chkrootkit	2007-01-30 21:09:49.000000000 +0100
@@ -900,7 +900,11 @@
       if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then
          if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
       else
-        echo "${files}"
+         echo
+         for f in ${files}; do
+            cmd="rpm --query --file ${f}"
+            echo $cmd && eval $cmd
+         done
       fi
    fi
 
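Review bot: the added loop builds a command string and runs it through `eval`, so a reported path containing spaces or shell metacharacters is re-split and re-interpreted, and those paths come from the very filesystem the script is checking for a rootkit. Pass the path as a single argument instead, `rpm --query --file "$f"`, and print it with `printf '%s\n'` rather than `echo $cmd`; `for f in ${files}` has the same word-splitting problem, which `echo "${files}" | while read -r f` avoids. Note also that the changelog says the check no longer reports the libgcj file, while this hunk still prints every path and merely adds the owning package next to it (the "nothing found" branch is untouched); one of the two should be adjusted so they agree. Finally, the hunk assumes `rpm` exists, which is fine for a Fedora-only patch but deserves a comment, since the surrounding `"${SYSTEM}" = "HP-UX"` test shows the upstream script targets other systems too.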


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/chkrootkit/devel/.cvsignore,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- .cvsignore	20 Oct 2006 12:47:12 -0000	1.6
+++ .cvsignore	30 Jan 2007 20:06:16 -0000	1.7
@@ -1,2 +1 @@
 chkrootkit-0.47.tar.gz
-chkrootkit-0.47.tar.gz.sig


Index: chkrootkit.spec
===================================================================
RCS file: /cvs/extras/rpms/chkrootkit/devel/chkrootkit.spec,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- chkrootkit.spec	4 Jan 2007 10:44:51 -0000	1.17
+++ chkrootkit.spec	30 Jan 2007 20:06:16 -0000	1.18
@@ -1,6 +1,6 @@
 Name:           chkrootkit
 Version:        0.47
-Release: 2%{?dist}
+Release:        3%{?dist}
 Summary:        Tool to locally check for signs of a rootkit
 Group:          Applications/System
 License:        BSD-like
@@ -11,10 +11,12 @@
 Source3:        chkrootkit.desktop
 Source4:        chkrootkit.console
 Source5:        chkrootkit.pam
+Source6:        README.false_positives
 Patch1:         chkrootkit-0.44-getCMD.patch
 Patch2:         chkrootkit-0.44-inetd.patch
 Patch3:         chkrootkit-0.45-includes.patch
 Patch4:         chkrootkit-0.47-warnings.patch
+Patch5:         chkrootkit-0.47-libgcj-false-positive.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:  desktop-file-utils
@@ -42,6 +44,7 @@
 %patch2 -p1 -b .inetd
 %patch3 -p1 -b .includes
 %patch4 -p1 -b .warnings
+%patch5 -p1 -b .libgcj-false-positive
 sed -i -e 's!\s\+ at strip.*!!g' Makefile
 
 
@@ -89,6 +92,8 @@
   --add-category X-Fedora                              \
   %{SOURCE3}
 
+install -p %{SOURCE6} .
+
 
 %clean
 rm -rf ${RPM_BUILD_ROOT}
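Review bot: `install -p %{SOURCE6} .` in %install only works because %doc is resolved relative to the build directory, and `install` creates the copy with its default mode 0755, so README.false_positives ends up packaged as an executable file. Use `install -p -m 644 %{SOURCE6} .` (or `cp -p`), and consider doing the copy in %prep next to the `%patch5` line so all package inputs are staged in one section.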
@@ -96,7 +101,7 @@
 
 %files
 %defattr(-,root,root,-)
-%doc ACKNOWLEDGMENTS COPYRIGHT README README.chklastlog README.chkwtmp chkrootkit.lsm
+%doc ACKNOWLEDGMENTS COPYRIGHT README README.chklastlog README.chkwtmp chkrootkit.lsm README.false_positives
 %{_sbindir}/chkrootkit
 %{_bindir}/chkrootkit
 %{_bindir}/chkrootkitX
@@ -108,6 +113,11 @@
 
 
 %changelog
+* Tue Jan 30 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.47-3
+- Patch OpenBSD rootkit check to not report libgcj file
+  /usr/lib/security/classpath.security
+- Add README.false_positives
+
 * Thu Jan 04 2007 Michael Schwendt <mschwendt[AT]users.sf.net>
 - rebuilt
 


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/chkrootkit/devel/sources,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- sources	20 Oct 2006 12:47:12 -0000	1.6
+++ sources	30 Jan 2007 20:06:16 -0000	1.7
@@ -1,2 +1 @@
 4c6455d202cef35395a673386e4bf01a  chkrootkit-0.47.tar.gz
-39d898c13e094d884237f7ad9f343895  chkrootkit-0.47.tar.gz.sig
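Review bot: dropping the `.sig` entry here (and from .cvsignore above) means the upstream detached signature no longer travels with the package sources, leaving the tarball pinned only by the MD5 in this file. That can be fine, but neither the commit message nor the changelog says why the signature was removed or whether the tarball was checked against upstream's key before the change; a line in the changelog would make that auditable later.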



