chkrootkit false positives filtering
Thursday, November 29th, 2007
Chkrootkit is a tool that searches for rootkits, trojans and other signs of break-ins on your system. Like most security scanners, it sometimes generates false positives. Chkrootkit doesn’t have a native way to filter those out. From the FAQ:
[Q:] chkrootkit is reporting some files and dirs as suspicious: `.packlist’, `.cvsignore’, etc. These are clearly false positives. Can’t you ignore these?
[A:] Ignoring some files and dirs could impair chkrootkit’s accuracy. An attacker might use this, since he knows that chkrootkit will ignore certain files and dirs.
This is true, but getting an email every day is simply too annoying, and makes me skip chkrootkit generated emails on occasion because “It’s probably a false positive anyway”. So here’s a small guide for setting up a filtering of chkrootkit’s output.
First, we create a file /etc/chkrootkit.ignore which will hold a bunch of regular expressions that will match everything we don’t want to be warned about. For instance, I’ve got a machine that needs to have a dhcp client installed. Chkrootkit keeps on generating emails with these lines:
eth0: PACKET SNIFFER(/sbin/dhclient[346]) eth1: PACKET SNIFFER(/usr/sbin/dhcpd3[1008])
So what we do is create the file /etc/chkrootkit.ignore and put the following in it:
/etc/chkrootkit.ignore
^eth0: PACKET SNIFFER\(/sbin/dhclient\[[0-9]*\])$ ^eth1: PACKET SNIFFER\(/usr/sbin/dhcpd3\[[0-9]*\]\)$
In order to test if the rules we created are correct, we put the two lines with false positives in a separate file (/tmp/chkrk-fp.txt) and run the following:
test:
[root@sharky]/etc# cat /tmp/chkrk-fp.txt | grep -f /etc/chkrootkit.ignore
eth0: PACKET SNIFFER(/sbin/dhclient[346])
eth1: PACKET SNIFFER(/usr/sbin/dhcpd3[1008])
The lines that should be filtered out of the chkrootkit output should appear here. If nothing appears, or if not all of the lines that you want to filter appear, there’s a problem. Refine your regular expressions in /etc/chkrootkit.filter until it works.
Now we need to modify the chkrootkit cronjob so that the false positives are filtered. To do this, we edit /etc/cron.daily/chkrootkit. Below is a patch that shows what should be changed. You can apply the patch with the ‘patch‘ command, or you can manually add the lines that start with a ‘+’, replacing the lines with a ‘-‘.
--- /home/root/foo 2007-11-21 11:53:58.532769984 +0100 +++ /etc/cron.daily/chkrootkit 2007-11-21 11:54:00.689442120 +0100 @@ -1,27 +1,28 @@ #!/bin/sh -e CHKROOTKIT=/usr/sbin/chkrootkit CF=/etc/chkrootkit.conf +IGNOREF=/etc/chkrootkit.ignore LOG_DIR=/var/cache/chkrootkit if [ ! -x $CHKROOTKIT ]; then exit 0 fi if [ -f $CF ]; then . $CF fi if [ "$RUN_DAILY" = "true" ]; then if [ "$DIFF_MODE" = "true" ]; then - $CHKROOTKIT $RUN_DAILY_OPTS > $LOG_DIR/log.new 2>&1 + $CHKROOTKIT $RUN_DAILY_OPTS | grep -v -f $IGNOREF > $LOG_DIR/log.new 2>&1 || true if [ ! -f $LOG_DIR/log.old ] \ || ! diff -q $LOG_DIR/log.old $LOG_DIR/log.new > /dev/null 2>&1; then cat $LOG_DIR/log.new fi mv $LOG_DIR/log.new $LOG_DIR/log.old else - $CHKROOTKIT $RUN_DAILY_OPTS + $CHKROOTKIT $RUN_DAILY_OPTS | grep -v -f $IGNOREF || true fi fi
Next, we try running chkrootkit, to see if anything shows up:
[root@sharky]/etc/cron.daily# ./chkrootkit [root@sharky]/etc/cron.daily#
There is no output, so our false positives are now being ignored.