4

I want to "white-list" some of the false-positives of chkrootkit, therefor i would like to use the /etc/chkrootkit.conf as a "white-list".

But this does not work: RUN_DAILY_OPTS="-q -e '/sbin/init /sbin/dhclient'

And i still get the following false-positives:

Warning: /sbin/init INFECTED eth0: PACKET SNIFFER(/sbin/dhclient (deleted)[…])

I know its not a real white-list, but the false-positives should not send me emails every day. chkrootkit version 0.49

Alex W.
  • 43

1 Answers1

2

You could put those in a ... 

/etc/chkrootkit.filter

When you put this in ...

^eth0: PACKET SNIFFER\(/sbin/dhclient\[[0-9]*\])$

it will ignore dhclient on eth0. Add this file to /etc/cron.daily/chkrootkit. Find ...

$CHKROOTKIT $RUN_DAILY_OPTS

with your favorite editor and change it into ...

$CHKROOTKIT $RUN_DAILY_OPTS | grep -v -f $FILTER || true

and (somewhere at the beginning) add ...

FILTER=/etc/chkrootkit.filter

after ...

CF=/etc/chkrootkit.conf

Before your start do a ...

./chkrootkit

It should show the false positive reference to dhclient and after editing this in run it again. The reference to dhclient should be gone.

Mind though: anything you add to this that does get infected you will no longer be warned about. So be careful with this kind of filtering. Better would be to have 'them' update their definitions.

Rinzwind
  • 310,127
  • 1
    In recent versions of chkrootkit (>=0.52-1 on debian/ubuntu), this is now built-in, with a IGNORE variable in /etc/cron.daily/chkrootkit where you can give your filter/ignore file. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660998 – Mossroy Dec 12 '19 at 11:34
  • @Mossroy that sort of defeats its purpose as the 1st question that pops in my head is "Sooooo what happens if a malware maker target a file that is set to be ignored by chrootkit and it does get infected?" – Rinzwind Dec 12 '19 at 13:00
  • What has been implemented in recent chkrootkit debian/ubuntu packages is almost exactly the same as your accepted answer (except they called the variable IGNORE instead of FILTER). It filters/ignores output lines of chkrootkit, not files themselves. By default, it's safe as the variable points to /dev/null. I don't see how it defeats the purpose of chkrootkit : in all cases, it's the admin responsibility to choose the right ignore rules – Mossroy Dec 12 '19 at 13:33
  • To avoid error emails like find: '/proc/24157': No such file or directory, I also replaced both occurences of eval $CHKROOTKIT $RUN_DAILY_OPTS by eval $CHKROOTKIT $RUN_DAILY_OPTS 2>&1 in /etc/cron.daily/chkrootkit, and added ^[ \t]*find: '/proc/[0-9]+': No such file or directory[ \t]*$ in the ignore/filter file – Mossroy Jan 01 '20 at 10:05