Bug 689056 - Review Request: lmd - Linux Malware Detecter
Review Request: lmd - Linux Malware Detecter
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Sergio Belkin
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks: FE-DEADREVIEW
  Show dependency treegraph
 
Reported: 2011-03-18 19:54 EDT by Mark McKinstry
Modified: 2013-02-19 10:53 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-19 10:53:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
sergiobelkin: fedora‑review?


Attachments (Terms of Use)

  None (edit)
Description Mark McKinstry 2011-03-18 19:54:28 EDT
Spec URL: http://mmckinst.fedorapeople.org/packages/lmd/lmd.spec
SRPM URL: http://mmckinst.fedorapeople.org/packages/lmd/lmd-1.3.9-1.fc14.src.rpm
Scratch URL: http://koji.fedoraproject.org/koji/taskinfo?taskID=2924434
Description: 
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU
GPLv2 license, that is designed around the threats faced in shared hosted
environments. It uses threat data from network edge intrusion detection systems
to extract malware that is actively being used in attacks and generates
signatures for detection. In addition, threat data is also derived from user
submissions with the LMD checkout feature and from malware community
resources. The signatures that LMD uses are MD5 file hashes and HEX pattern
matches, they are also easily exported to any number of detection tools such as
ClamAV.
Comment 1 Sergio Belkin 2011-03-20 18:36:06 EDT
Hi Mark,

Here is the review (this is my first "official" review) so I am open to comments from experienced packagers :)

1 Firstly, please add a line between each new entry of changelog, I mean:

* Fri Mar 18 2011 Mark McKinstry <mmckinst@nexcess.net> - 1.3.9-1
- whatever....

* Tue Nov 29 2010 Mark McKinstry <mmckinst@nexcess.net> - 1.3.7-1
- whatever...

2 - Why is included a tmp file in datadir...?

3 - What's wrong with md5sum? (See below) It's not a minor issue in a software that pretends to detect malware!

Because of that, the package is NOT approved YET.

Notes: +:ok, =:needs attention, -:needs fixing

MUST Items:
[] MUST: rpmlint must be run on every package.

rpmlint -i -v /var/lib/mock/fedora-rawhide-i386/root/builddir/build/RPMS/lmd-1.3.9-1.fc16.noarch.rpm lmd.noarch: I: checking
lmd.noarch: W: spelling-error Summary(en_US) malware -> metalware, malarkey, Mallarme
The value of this tag appears to be misspelled. Please double-check.

lmd.noarch: W: spelling-error %description -l en_US malware -> metalware, malarkey, Mallarme
The value of this tag appears to be misspelled. Please double-check.

lmd.noarch: I: checking-url http://www.rfxn.com/projects/linux-malware-detect/ (timeout 10 seconds)
lmd.noarch: E: executable-marked-as-config-file /etc/cron.daily/maldetect
Executables must not be marked as config files because that may prevent
upgrades from working correctly. If you need to be able to customize an
executable, make it for example read a config file in /etc/sysconfig.

lmd.noarch: E: zero-length /usr/share/maldetect/ignore_sigs
lmd.noarch: W: no-manual-page-for-binary maldet
Each executable in standard binary directories should have a man page.

1 packages and 0 specfiles checked; 2 errors, 3 warnings.

rpmlint -i -v ../SRPMS/lmd-1.3.9-1.fc14.src.rpm 
lmd.src: I: checking
lmd.src: W: spelling-error Summary(en_US) malware -> metalware, malarkey, Mallarme
The value of this tag appears to be misspelled. Please double-check.

lmd.src: W: spelling-error %description -l en_US malware -> metalware, malarkey, Mallarme
The value of this tag appears to be misspelled. Please double-check.

lmd.src: I: checking-url http://www.rfxn.com/projects/linux-malware-detect/ (timeout 10 seconds)
lmd.src: I: checking-url http://www.rfxn.com/downloads/maldetect-current.tar.gz (timeout 10 seconds)
1 packages and 0 specfiles checked; 0 errors, 2 warnings.



rpmlint -i -v lmd.spec
lmd.spec: I: checking-url http://www.rfxn.com/downloads/maldetect-current.tar.gz (timeout 10 seconds)
0 packages and 1 specfiles checked; 0 errors, 0 warnings.

Warnings are harmless

<<output if not already posted>>
[:=] MUST: The package must be named according to the Package Naming Guidelines.
[+] MUST: The spec file name must match the base package %{name}
[:=] MUST: The package must meet the Packaging Guidelines. [FIXME?: covers this list and more]
[+] MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines.
[-] MUST: The License field in the package spec file must match the actual license.
File tlog is licensed under GPLv2+, so License must be: GPLv2 + GPLv2+

[+] MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.
[:=] MUST: The spec file must be written in American English.
[+] MUST: The spec file for the package MUST be legible.
[-] MUST: The sources used to build the package must match the upstream source, as provided in the spec URL.
md5sum checksum tarball from SRPM:fdaf465ad43ffe90bb47adf6d2a39918
md5sum checksum upstream: e805672f97e990907fa910029b52a7dd

Ooops! What's wrong??

[+] MUST: The package must successfully compile and build into binary rpms on at least one supported architecture.
[+] MUST: All build dependencies must be listed in BuildRequires



[] MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro.
[+] MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory.
[+] MUST: A package must not contain any duplicate files in the %files listing.
[+] MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line.
[+] MUST: Each package must consistently use macros, as described in the macros section of Packaging Guidelines.
[+] MUST: The package must contain code, or permissible content. This is described in detail in the code vs. content section of Packaging Guidelines.
[+] MUST: If a package includes something as %doc, it must not affect the runtime of the application.
[+] MUST: Packages must not own files or directories already owned by other packages.
[+] MUST: All filenames in rpm packages must be valid UTF-8.

SHOULD Items:
[:=] SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[+] SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available.
[+] SHOULD: The reviewer should test that the package builds in mock.
[:=] SHOULD: The reviewer should test that the package functions as described.
[+] SHOULD: Packages should try to preserve timestamps of original installed files.
[:=] It has not a manpage for executable file, could it possible? contact to the upstream if you can.
Comment 2 Martin Gieseking 2011-03-22 06:38:10 EDT
(In reply to comment #1)
> File tlog is licensed under GPLv2+, so License must be: GPLv2 + GPLv2+

It would be "GPLv2 and GPLv2+". However, I'd prefer a consistent licensing scenario for the whole package. Mark, please ask upstream whether tlog is actually intended to be licensed under GPLv2+ while all other scripts are GPLv2 only.


Here are some additional comments:

- "lmd" seems to be the abbreviation of the project name. However, upstream 
   uses "maldetect" for the tarball and all related files/folders. Therefore, 
   I personally would tend to name the package "maldetect" as well.

- You should drop Requires: perl as this dependency is detected automatically.

- Please use plain rm, cp, and sed instead of the corresponding macros. See 
  also: http://fedoraproject.org/wiki/Packaging/Guidelines#Macros

- The package currently doesn't own the folders %{_datadir}/maldetect, 
  %{_var}/lib/maldetect, and %{_libexecdir}/maldetect but only their contents. 
  Just remove the asterisks in the %file section to get it right.
Comment 3 Mark McKinstry 2011-08-04 11:41:58 EDT
Sergio,

Thank you for the review.

> 1 - Firstly, please add a line between each new entry of changelog, I mean:

Done.

> 2 - Why is included a tmp file in datadir...?

I'll make a request to the author to make the location of tmp tunable.

> 3 - What's wrong with md5sum? (See below) It's not a minor issue in a software that pretends to detect malware!

Thank you for finding this. The tarball is continually updated with new signatures of malware which is why the md5sum differs. I've included a comment in the spec file on how to delete the signatures and verify the integrity of the rest of the tarball.



Martin,

> - "lmd" seems to be the abbreviation of the project name. However, upstream 
>    uses "maldetect" for the tarball and all related files/folders. Therefore, 
>    I personally would tend to name the package "maldetect" as well.


I agreee. The package name is now maldetect.

> - You should drop Requires: perl as this dependency is detected automatically.

Done.

> - Please use plain rm, cp, and sed instead of the corresponding macros. See 
>   also: http://fedoraproject.org/wiki/Packaging/Guidelines#Macros

Done

> - The package currently doesn't own the folders %{_datadir}/maldetect, 
>   %{_var}/lib/maldetect, and %{_libexecdir}/maldetect but only their contents. 
>   Just remove the asterisks in the %file section to get it right.

Fixed.


spec: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect.spec
SRPM: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect-1.4.0-1.fc14.src.rpm
scratch: http://koji.fedoraproject.org/koji/taskinfo?taskID=3252300
Comment 4 Sergio Belkin 2011-08-08 06:14:31 EDT
Mark, I'll take a look the package this week. I didn't forget you :)
Comment 5 Sergio Belkin 2011-08-20 20:20:20 EDT
Hi Mark

[ rpmlint spec file ]

rpmlint -i -v maldetect.spec 
maldetect.spec:16: W: mixed-use-of-spaces-and-tabs (spaces: line 16, tab: line 1)
The specfile mixes use of spaces and tabs for indentation, which is a cosmetic
annoyance.  Use either spaces or tabs for indentation, not both.

maldetect.spec: I: checking-url http://www.rfxn.com/downloads/maldetect-current.tar.gz (timeout 10 seconds)
0 packages and 1 specfiles checked; 0 errors, 1 warnings.

[A]: Fix it ;)

[ rpmlint SRPM file ]

rpmlint -i  -v /home/sergio/rpmbuild/SRPMS/maldetect-1.4.0-1.fc15.src.rpm 
maldetect.src: I: checking
maldetect.src: W: spelling-error Summary(en_US) malware -> Waldemar
The value of this tag appears to be misspelled. Please double-check.

maldetect.src: W: spelling-error %description -l en_US malware -> Waldemar
The value of this tag appears to be misspelled. Please double-check.

maldetect.src: I: checking-url http://www.rfxn.com/projects/linux-malware-detect/ (timeout 10 seconds)
maldetect.src:16: W: mixed-use-of-spaces-and-tabs (spaces: line 16, tab: line 1)
The specfile mixes use of spaces and tabs for indentation, which is a cosmetic
annoyance.  Use either spaces or tabs for indentation, not both.

maldetect.src: I: checking-url http://www.rfxn.com/downloads/maldetect-current.tar.gz (timeout 10 seconds)
maldetect.src: W: file-size-mismatch maldetect-current.tar.gz = 758891, http://www.rfxn.com/downloads/maldetect-current.tar.gz = 762399
The size of the file in the package does not match the size indicated by
peeking at its URL.  Verify that the file in the package has the intended
contents.

1 packages and 0 specfiles checked; 0 errors, 4 warnings.

[B]: Fix indentation issue

[ rpmlint rpm files ]

maldetect.noarch: I: checking
maldetect.noarch: W: spelling-error Summary(en_US) malware -> Waldemar
The value of this tag appears to be misspelled. Please double-check.

maldetect.noarch: W: spelling-error %description -l en_US malware -> Waldemar
The value of this tag appears to be misspelled. Please double-check.

maldetect.noarch: I: checking-url http://www.rfxn.com/projects/linux-malware-detect/ (timeout 10 seconds)
maldetect.noarch: E: executable-marked-as-config-file /etc/cron.daily/maldetect
Executables must not be marked as config files because that may prevent
upgrades from working correctly. If you need to be able to customize an
executable, make it for example read a config file in /etc/sysconfig.

maldetect.noarch: E: incorrect-fsf-address /usr/share/doc/maldetect-1.4.0/COPYING.GPL
The Free Software Foundation address in this file seems to be outdated or
misspelled.  Ask upstream to update the address, or if this is a license file,
possibly the entire file with a new copy available from the FSF.

maldetect.noarch: E: zero-length /usr/share/maldetect/ignore_sigs
maldetect.noarch: E: incorrect-fsf-address /var/lib/maldetect/inotify/tlog
The Free Software Foundation address in this file seems to be outdated or
misspelled.  Ask upstream to update the address, or if this is a license file,
possibly the entire file with a new copy available from the FSF.

maldetect.noarch: W: no-manual-page-for-binary maldet
Each executable in standard binary directories should have a man page.

[C]: Fix FSF address take a look at http://www.fsf.org/about/contact/ and eg /usr/share/doc/kdeaccessibility-4.6.5/COPYING


[:=] MUST: The package must be named according to the Package Naming
Guidelines.
[+] MUST: The spec file name must match the base package %{name}
[:=] MUST: The package must meet the Packaging Guidelines. [FIXME?: covers this
list and more]
[+] MUST: The package must be licensed with a Fedora approved license and meet
the Licensing Guidelines.
[+] MUST: The License field in the package spec file must match the actual
license.


[+] MUST: If (and only if) the source package includes the text of the
license(s) in its own file, then that file, containing the text of the
license(s) for the package must be included in %doc.
[:=] MUST: The spec file must be written in American English.
[+] MUST: The spec file for the package MUST be legible.
[:=] MUST: The sources used to build the package must match the upstream source,


[+] MUST: The package must successfully compile and build into binary rpms on
at least one supported architecture.
[+] MUST: All build dependencies must be listed in BuildRequires



[] MUST: The spec file MUST handle locales properly. This is done by using the
%find_lang macro.
[+] MUST: A package must own all directories that it creates. If it does not
create a directory that it uses, then it should require a package which does
create that directory.
[+] MUST: A package must not contain any duplicate files in the %files listing.
[+] MUST: Permissions on files must be set properly. Executables should be set
with executable permissions, for example. Every %files section must include a
%defattr(...) line.
[+] MUST: Each package must consistently use macros, as described in the macros
section of Packaging Guidelines.
[+] MUST: The package must contain code, or permissible content. This is
described in detail in the code vs. content section of Packaging Guidelines.
[+] MUST: If a package includes something as %doc, it must not affect the
runtime of the application.
[+] MUST: Packages must not own files or directories already owned by other
packages.
[+] MUST: All filenames in rpm packages must be valid UTF-8.

SHOULD Items:
[:=] SHOULD: If the source package does not include license text(s) as a
separate file from upstream, the packager SHOULD query upstream to include it.
[:=] SHOULD: The description and summary sections in the package spec file
should contain translations for supported Non-English languages, if available.
[+] SHOULD: The reviewer should test that the package builds in mock.
[+] SHOULD: The reviewer should test that the package functions as described.
[+] SHOULD: Packages should try to preserve timestamps of original installed
files.
[:=] It has not a manpage for executable file, could it possible? contact to
the upstream if you can.

[D] Please coud you contact to upstream to determine what kind of license should be applied to the entire package as Martin Gieseking  suggested? If upstream doesn't answer so let license be GPLv2 + GPLv2+

[E]: The comment in the specfile:

It's a bit bad-written :) and also I think that "hardcoding" the current md5sum is not a good idea.

# The author does not provide a way of download a specifc version.
# The md5sum of the tarball in this SRPM will differ becasue the signatures
# included are constantly updated. To confirm this tarball is the same as the
# one you just donwloaded, the line below  delete the signatures and generate 
# the md5sum. The md5sum should be b7a28e4121e4ba0655de143a38aa3ed4

You may add something like this instead:

# The author does not provide a way of download a specifc version.
# The md5sum of the tarball in this SRPM will differ becasue the signatures
# included are constantly updated. In order to confirm this tarball is the same # as the one you just donwloaded from Source0, run the line below which deletes # the signatures and generates the md5sum. You should do it the same for #tarball of SRPM package. Both md5sums should be equal.

Please fix each issue labeled with letters and then come back and maldetect will be approved :)

But there are a serious issue unless I didn't understand well how this program works, look at this:


My /etc/fstab looks as follows:

#
# /etc/fstab
# Created by anaconda on Tue Jul 12 19:45:18 2011
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_sebelk-root /                       ext4    defaults        1 1
#UUID=1cfa489a-8252-4b54-b740-2b0344474e2e /boot                   ext4    defaults        1 2
/dev/sda3 /boot                   ext4    defaults        1 2
/dev/mapper/vg_sebelk-LogVol02 /home                   ext4    defaults        1 2
/dev/mapper/vg_sebelk-LogVol01 swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0



maldet -a /etc/fstab
Linux Malware Detect v1.4.0
            (C) 2002-2011, R-fx Networks <proj@r-fx.org>
            (C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(2809): {scan} signatures loaded: 8114 (6257 MD5 / 1857 HEX)
maldet(2809): {scan} building file list for /etc/fstab, this might take awhile...
maldet(2809): {scan} file list completed, found 1 files...
maldet(2809): {scan} 1/1 files scanned: 0 hits 0 cleaned
maldet(2809): {scan} scan completed on /etc/fstab: files 1, malware hits 1, cleaned hits 0

[NOTE FROM MYSELF: WHAT????]

maldet(2809): {scan} scan report saved 'maldet --report 082011-2109.2809'

I've edited /etc/maldetect.conf and set

quar_hits to 1

And guess what? 

maldetect put my innocent fstab under qurantine!!!

I've tested with a lot of other innocent files and did it the same.

Please tell me if we should let come in this package in Fedora... Did I miss something?

Take care.
Comment 6 Mark McKinstry 2011-09-08 20:10:37 EDT
> [A]: Fix it ;)
> [B]: Fix indentation issue

Fixed. 

> [C]: Fix FSF address take a look at http://www.fsf.org/about/contact/ and eg
> /usr/share/doc/kdeaccessibility-4.6.5/COPYING

I emailed the author. 

> [D] Please coud you contact to upstream to determine what kind of license
> should be applied to the entire package as Martin Gieseking  suggested? If
> upstream doesn't answer so let license be GPLv2 + GPLv2+

I emailed the author. 

> [E]: The comment in the specfile:

I've updated the comment.

> maldetect put my innocent fstab under qurantine!!!
> 
> I've tested with a lot of other innocent files and did it the same.
> 
> Please tell me if we should let come in this package in Fedora... Did I miss
> something?

I think I may have introduced a bug when it was upgraded to 1.4.0. Try scanning again using the new RPM. You generally don't want to tell it to quarantine results unless you're sure all the stuff it has found is valid. 

It may still come up with false positives, it is meant for scanning web sites to find things like remote shells, irc bots, spamming scripts, etc. It is not meant to be an antivirus program like Windows has, that will scan all files on your computer.

If you'd like a better test of its abilities, google for terms like 'r57 shell' or 'c99 shell' and try scanning those files.

I contacted the author this afternoon to see if he can clarify the licensing. I'll give it a week or two before contacting him again. In the mean time, here's and updated SPEC and SRPM:

Spec: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect.spec
SRPM: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect-1.4.0-2.fc14.src.rpm
Comment 7 Mark McKinstry 2011-10-12 21:05:26 EDT
I heard back from the author and the license on tlog has been updated to GPLv2 only (no longer GPLv2+) so the entire program is GPLv2 now. The address for the FSF has also been updated to the most recent address.

I introduced a bug with one of my patches which lead to the problems scanning files you were having. To better test it, google for 'r57 shell' or 'c99 shell' and try scanning them. If you have a website, you could try scanning the files for it as well since scanning web files malware/shells/spamming scripts/suspicious files is what it was designed for.

Spec: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect.spec
SRPM: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect-1.4.0-3.fc14.src.rpm
Comment 8 Mark McKinstry 2011-11-14 20:35:26 EST
ping?
Comment 9 Sergio Belkin 2011-11-18 17:33:32 EST
Hi Mark,

Are you in a hurry? :)

Please consider that package you have submitted has been little-friendly for reviewing. Also, I was a bit busy. So please, be patient. I will review as as soon I have the time to one more time to take the task seriously of review this package. Especially when the software doesn't give a lot of false positives only in certain cases...


Regards
Comment 10 Sergio Belkin 2011-11-18 17:44:48 EST
(In reply to comment #7)
> I heard back from the author and the license on tlog has been updated to GPLv2
> only (no longer GPLv2+) so the entire program is GPLv2 now. The address for the
> FSF has also been updated to the most recent address.
> 
> I introduced a bug with one of my patches which lead to the problems scanning
> files you were having. To better test it, google for 'r57 shell' or 'c99 shell'
> and try scanning them. If you have a website, you could try scanning the files
> for it as well since scanning web files malware/shells/spamming
> scripts/suspicious files is what it was designed for.

You are saying that is not a rootkit scanner, aren't you? So, make it clear on the Description and (this is not mandatory) suggest the same to upstream if you wish

> Spec: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect.spec
> SRPM:
> http://mmckinst.fedorapeople.org/packages/maldetect/maldetect-1.4.0-3.fc14.src.rpm

Make these things if you are so interested to include such a package in Fedora
Comment 11 Miroslav Suchý 2012-12-17 14:43:24 EST
Ping? Any progress here? Or we can close this review?
Comment 12 Miroslav Suchý 2013-02-19 05:44:32 EST
Stalled Review. Closing per:
https://fedoraproject.org/wiki/Policy_for_stalled_package_reviews
If you ever want to continue in this review, please reopen or
submit new review.
Comment 13 Miroslav Suchý 2013-02-19 10:41:33 EST
This package did not pass review. Therefore reseting fedora-review flag.
This package is not included in Fedora. Therefore closing as NOTABUG.
Comment 14 Sergio Belkin 2013-02-19 10:50:33 EST
Still waiting for this be fixed:

maldetect.noarch: E: executable-marked-as-config-file /etc/cron.daily/maldetect


Executables must not be marked as config files because that may prevent
upgrades from working correctly. If you need to be able to customize an
executable, make it for example read a config file in /etc/sysconfig.
Comment 15 Sergio Belkin 2013-02-19 10:53:02 EST
Sorry I've approved earlier by mistake, as I've said we are waiting for some errors to be fixed

Note You need to log in before you can comment on or make changes to this bug.