Red Hat Bugzilla – Bug 225322
chkrootkit falsely flags files owned by valid packages
Last modified: 2007-11-30 17:11:54 EST
Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install above packages
2. run 'chkrootkit'
/usr/lib/perl5/5.8.8/i386-linux-thead-multi/.packlist flagged as suspicious
/usr/lib/security/classpath.security flagged as suspicious
These two files are valid and warnings should not be generated on their presence.
It is in the nature of chkrootkit's check for suspicious files and
dirs that such files are reported. With different packages installed,
you can get output like:
These are valid files, too, but chkrootkit cannot know that.
Maintaining a white-list is beyond the scope of packaging.
Making chkrootkit aware of RPM is a feature that should be
> /usr/lib/security/classpath.security flagged as suspicious
I get different results. Here it is marked as a false positive like
Searching for OBSD rk v1... /usr/lib/security
where the check seems to be inaccurate.
I agree with what you've written. Do you want to open it upstream, or shall I?
I've mailed upstream and have added a small README to the package
doc files, which covers these issues.
The "false positives" (suspicious files) are covered by the FAQ,
Using "rpm" to check the validity of suspicious files would create
an additional dependency on an external tool. Simply filtering out
the libgcj files from the check would result in the same answer
as in FAQ #8, so in general, not a good idea without an accurate
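Checking each flagged path against the RPM database, as the comment above discusses, as an added example that is not part of the report, of chkrootkit or of the package; the function names and the sample chkrootkit output are constructed, and the script assumes an RPM-based system with `rpm` on the PATH:

```python
"""Triage chkrootkit "suspicious files" hits against the RPM database.
Added example for this report, not chkrootkit or package code; names and
sample output are constructed."""
import re
import subprocess

FLAGGED = re.compile(r"^(\S+) flagged as suspicious\s*$")

# Constructed sample, modelled on the paths quoted in the report.
SAMPLE_OUTPUT = """\
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist flagged as suspicious
/usr/lib/security/classpath.security flagged as suspicious
/tmp/.hidden flagged as suspicious
"""


def parse_suspicious(output):
    """Return the flagged paths in the order chkrootkit printed them."""
    return [m.group(1) for m in map(FLAGGED.match, output.splitlines()) if m]


def rpm_owner(path):
    """Owning package for `path` and whether the file still verifies; None if unowned.

    Trusts the local rpm binary and database, which a rootkit may also have
    altered, so treat this as triage input rather than a verdict."""
    q = subprocess.run(["rpm", "-qf", "--qf", "%{NAME}", path],
                       capture_output=True, text=True)
    if q.returncode != 0:
        return None
    pkg = q.stdout.strip()
    # rpm -V lists each file whose size/digest/mode/etc. differ from the package.
    v = subprocess.run(["rpm", "-V", pkg], capture_output=True, text=True)
    modified = any(path in line.split() for line in v.stdout.splitlines())
    return {"package": pkg, "modified": modified}


def classify(paths, owner_lookup=rpm_owner):
    """Bucket paths: owned and verifying (plain false positive), owned but modified, unowned."""
    report = {"intact": {}, "modified": {}, "unowned": []}
    for path in paths:
        info = owner_lookup(path)
        if info is None:
            report["unowned"].append(path)
        elif info["modified"]:
            report["modified"][path] = info["package"]
        else:
            report["intact"][path] = info["package"]
    return report
```

Only the "intact" bucket is the kind of false positive the report describes; an owned file that fails `rpm -V`, or a path no package claims, still needs a look.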