rpms/chkrootkit/devel README.false_positives, NONE, 1.1 chkrootkit-0.47-libgcj-false-positive.patch, NONE, 1.1 .cvsignore, 1.6, 1.7 chkrootkit.spec, 1.17, 1.18 sources, 1.6, 1.7
Michael Schwendt (mschwendt)
fedora-extras-commits at redhat.com
Tue Jan 30 20:06:46 UTC 2007
Author: mschwendt
Update of /cvs/extras/rpms/chkrootkit/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18856
Modified Files:
.cvsignore chkrootkit.spec sources
Added Files:
README.false_positives
chkrootkit-0.47-libgcj-false-positive.patch
Log Message:
* Tue Jan 30 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.47-3
- Patch OpenBSD rootkit check to not report libgcj file
/usr/lib/security/classpath.security
- Add README.false_positives
--- NEW FILE README.false_positives ---
This is an additional document added to the Fedora RPM package of
chkrootkit.
-----
It is in the nature of some of chkrootkit's checks that they produce false
positives among the reported findings. The chkrootkit user is advised to
examine such files more closely (display them, query the RPM database
about them, compare them with backups on read-only media) and to use an
additional layer of protection (such as an intrusion detection tool).
For example, when chkrootkit searches /usr/lib for hidden files (names
beginning with a dot), it may report files that belong to valid RPM
packages, or that were created at run time by some software, and which
are harmless. The output could look like this (the lines have been
wrapped for readability):
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox-1.5.0.3/.autoreg
/usr/lib/firefox-1.5.0.2/.autoreg
/usr/lib/firefox-1.5.0.8/.autoreg
/usr/lib/firefox-1.5.0.1/.autoreg
/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/firefox-1.5/.autoreg
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/firefox-1.5.0.4/.autoreg
In this example, the files are legitimate files from Firefox (previous and
current versions), Perl and the Qt GUI toolkit, but only the ".packlist"
file is owned by an RPM package (the main "perl" package); the others were
created at run time and are not owned by any package, so the RPM database
cannot vouch for them and they have to be judged by their contents and by
the software that creates them. Creating and maintaining a simple
white-list inside chkrootkit would carry the risk that a new rootkit uses
the knowledge of white-listed file locations to store its malicious files.
Another example is a check that looks for files in a location which is
nowadays used by a valid package. The output looks like:
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Both entries (the directory and the file) belong to the "libgcj" package,
as a query of the RPM database shows:
$ rpm --query --file /usr/lib/security/classpath.security
libgcj-4.1.1-51.fc6
and the package verifies cleanly (no output from "rpm --verify" means that
size, checksum, permissions, owner and timestamp of every file in the
package still match what the RPM database recorded), so they are false
positives,
$ rpm --verify libgcj
$
unless something has already manipulated the system in a way that simple
checks like these, which rely on the RPM database and on the rpm binary
itself, can no longer be trusted.
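Both examples above end in the same manual triage: look up the owner of each
reported path in the RPM database and verify that package. The following
script automates that triage for a saved chkrootkit report. It is an added
example, not part of chkrootkit or of its Fedora package; it assumes that the
rpm command is on PATH and has not itself been tampered with (the caveat the
README closes with), and that reported paths contain no whitespace.

```shell
#!/bin/sh
# triage_findings.sh: sort the paths in a chkrootkit report into "unowned",
# "clean" and "modified" using the RPM database, i.e. the manual procedure
# (rpm --query --file, rpm --verify) described above, run for every path.
# Added example; not part of chkrootkit or the Fedora package.
# Assumption: rpm is on PATH and trustworthy; paths contain no whitespace.

# classify_path PATH
# Prints one line: "<verdict> <path> <owner information>" where verdict is
#   unowned  : no package owns the path (created at run time, or planted)
#   clean    : owned, and rpm --verify reports no difference for the path
#   modified : owned, but rpm --verify flags a change (size, digest, mode, ...)
classify_path() {
    _path=$1
    # rpm --query --file exits non-zero for a path no package owns
    if ! _pkgs=$(rpm --query --file "$_path" 2>/dev/null); then
        echo "unowned $_path -"
        return 0
    fi
    _owners=
    _flags=
    # A directory such as /usr/lib/security may be owned by several packages,
    # so every owner is verified.
    for _pkg in $_pkgs; do
        _owners="$_owners,$_pkg"
        # rpm --verify prints one line per differing file: the attribute
        # flags (e.g. S.5....T.) first, the path as the last field. No line
        # for our path means it still matches the database.
        _f=$(rpm --verify "$_pkg" 2>/dev/null | awk -v p="$_path" '$NF == p { print $1; exit }')
        if [ -n "$_f" ]; then
            _flags="$_flags $_pkg:$_f"
        fi
    done
    if [ -z "$_flags" ]; then
        echo "clean $_path ${_owners#,}"
    else
        echo "modified $_path$_flags"
    fi
}

# triage_findings FILE
# Extracts every absolute path from a saved chkrootkit report (progress
# lines such as "Searching for ..." carry no path and are skipped), runs
# classify_path on each, and returns 1 if any path is not "clean" so the
# script can be chained after a cron run of chkrootkit.
triage_findings() {
    _bad=0
    for _p in $(awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' "$1" | sort -u); do
        _line=$(classify_path "$_p")
        echo "$_line"
        case $_line in
            clean\ *) ;;
            *) _bad=1 ;;
        esac
    done
    return $_bad
}

# Usage: sh triage_findings.sh chkrootkit.out
# Without an argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    triage_findings "$1"
fi
```

A "clean" verdict only means "consistent with the RPM database"; for the
reason given above, a rootkit that has replaced rpm or edited the database
passes this check too, which is why the README recommends an independent
integrity or intrusion detection tool as a second layer.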
chkrootkit-0.47-libgcj-false-positive.patch:
--- NEW FILE chkrootkit-0.47-libgcj-false-positive.patch ---
diff -Nur chkrootkit-0.47-orig/chkrootkit chkrootkit-0.47/chkrootkit
--- chkrootkit-0.47-orig/chkrootkit 2006-10-09 21:20:54.000000000 +0200
+++ chkrootkit-0.47/chkrootkit 2007-01-30 21:09:49.000000000 +0100
@@ -900,7 +900,11 @@
if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
- echo "${files}"
+ echo
+ for f in ${files}; do
+ cmd="rpm --query --file ${f}"
+ echo $cmd && eval $cmd
+ done
fi
fi
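Review bot: the loop still reports every path, so the changelog wording "not report libgcj file" does not match this hunk; the bare `echo "${files}"` is replaced by one `rpm --query --file` line per path, which prints the owning package (or "file ... is not owned by any package") but does not filter anything. Either reword the changelog or drop paths whose owning package verifies cleanly. Separately, `cmd="rpm --query --file ${f}"` followed by `eval $cmd` re-parses the path as shell input and `for f in ${files}` word-splits it; calling `rpm --query --file "$f"` directly with the path quoted does the same job without the eval.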
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/chkrootkit/devel/.cvsignore,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- .cvsignore 20 Oct 2006 12:47:12 -0000 1.6
+++ .cvsignore 30 Jan 2007 20:06:16 -0000 1.7
@@ -1,2 +1 @@
chkrootkit-0.47.tar.gz
-chkrootkit-0.47.tar.gz.sig
Index: chkrootkit.spec
===================================================================
RCS file: /cvs/extras/rpms/chkrootkit/devel/chkrootkit.spec,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- chkrootkit.spec 4 Jan 2007 10:44:51 -0000 1.17
+++ chkrootkit.spec 30 Jan 2007 20:06:16 -0000 1.18
@@ -1,6 +1,6 @@
Name: chkrootkit
Version: 0.47
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Tool to locally check for signs of a rootkit
Group: Applications/System
License: BSD-like
@@ -11,10 +11,12 @@
Source3: chkrootkit.desktop
Source4: chkrootkit.console
Source5: chkrootkit.pam
+Source6: README.false_positives
Patch1: chkrootkit-0.44-getCMD.patch
Patch2: chkrootkit-0.44-inetd.patch
Patch3: chkrootkit-0.45-includes.patch
Patch4: chkrootkit-0.47-warnings.patch
+Patch5: chkrootkit-0.47-libgcj-false-positive.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: desktop-file-utils
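Review bot: Patch5 makes the chkrootkit script shell out to `rpm` at run time in the OBSD check, which ties that check to RPM-based systems and to the integrity of the rpm binary; nothing in this hunk records that dependency. That is acceptable for a Fedora-only patch, but a comment next to the Patch5 line saying the check now relies on rpm would help the next maintainer (and README.false_positives already spells out why a compromised rpm makes the result untrustworthy).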
@@ -42,6 +44,7 @@
%patch2 -p1 -b .inetd
%patch3 -p1 -b .includes
%patch4 -p1 -b .warnings
+%patch5 -p1 -b .libgcj-false-positive
sed -i -e 's!\s\+ at strip.*!!g' Makefile
@@ -89,6 +92,8 @@
--add-category X-Fedora \
%{SOURCE3}
+install -p %{SOURCE6} .
+
%clean
rm -rf ${RPM_BUILD_ROOT}
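Review bot: `install -p %{SOURCE6} .` copies the README with install's default mode 0755, and %doc preserves that mode under `%defattr(-,root,root,-)`, so README.false_positives ends up executable in the package. Use `install -p -m 0644 %{SOURCE6} .` or plain `cp -p %{SOURCE6} .`; doing the copy in %prep instead of %install would also keep the documentation in place before the build rather than after it.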
@@ -96,7 +101,7 @@
%files
%defattr(-,root,root,-)
-%doc ACKNOWLEDGMENTS COPYRIGHT README README.chklastlog README.chkwtmp chkrootkit.lsm
+%doc ACKNOWLEDGMENTS COPYRIGHT README README.chklastlog README.chkwtmp chkrootkit.lsm README.false_positives
%{_sbindir}/chkrootkit
%{_bindir}/chkrootkit
%{_bindir}/chkrootkitX
@@ -108,6 +113,11 @@
%changelog
+* Tue Jan 30 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.47-3
+- Patch OpenBSD rootkit check to not report libgcj file
+ /usr/lib/security/classpath.security
+- Add README.false_positives
+
* Thu Jan 04 2007 Michael Schwendt <mschwendt[AT]users.sf.net>
- rebuilt
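Review bot: the changelog entry omits the removal of chkrootkit-0.47.tar.gz.sig from `sources` and `.cvsignore` in the same commit; add a line for it so the loss of the upstream signature file is recorded alongside the patch and the new README.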
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/chkrootkit/devel/sources,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- sources 20 Oct 2006 12:47:12 -0000 1.6
+++ sources 30 Jan 2007 20:06:16 -0000 1.7
@@ -1,2 +1 @@
4c6455d202cef35395a673386e4bf01a chkrootkit-0.47.tar.gz
-39d898c13e094d884237f7ad9f343895 chkrootkit-0.47.tar.gz.sig
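Review bot: dropping the detached signature from `sources` leaves the md5 recorded here as the only integrity check on the upstream tarball, and md5 is not collision-resistant. If upstream still publishes the .sig, keep it in `sources` (and in `.cvsignore`) so the tarball can be checked against the upstream key at build or review time; otherwise say in the changelog why it was removed.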