Bug 225322
Summary: | chkrootkit falsely flags files owned by valid packages | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Steve Friedman <steve> |
Component: | chkrootkit | Assignee: | Michael Schwendt <bugs.michael> |
Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-01-30 21:44:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Steve Friedman
2007-01-29 21:53:12 UTC
> /usr/lib/perl5/5.8.8/i386-linux-thead-multi/.packlist It is in the nature of chkrootkit's check for suspicious files and dirs that such files are reported. With different packages installed, you can get output like: /usr/lib/firefox-1.5.0.3/.autoreg /usr/lib/firefox-1.5.0.2/.autoreg /usr/lib/firefox-1.5.0.8/.autoreg /usr/lib/firefox-1.5.0.1/.autoreg /usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock /usr/lib/qt-3.3/etc/settings/.qtrc.lock /usr/lib/firefox-1.5/.autoreg /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist /usr/lib/firefox-1.5.0.4/.autoreg These are valid files, too, but chkrootkit cannot know that. Maintaining a white-list is beyond the scope of packaging. Making chkrootkit aware of RPM is a feature that should be request upstream. [...] > /usr/lib/security/classpath.security flagged as suspicious I get different results. Here it is marked as a false positive like this, Searching for OBSD rk v1... /usr/lib/security /usr/lib/security/classpath.security where the check seems to inaccurate. I agree with what you've written. Do you want to open it upstream, or shall I? I've mailed upstream and have added a small README to the package doc files, which covers these issues. The "false positives" (suspicious files) are covered by the FAQ, too: http://www.chkrootkit.org/faq/#8 Using "rpm" to check the validity of suspicious files would create an additional dependency on an external tool. Simply filtering out the libgcj files from the check would result in the same answer than in FAQ #8, so in general, not a good idea without an accurate check. |