Bug#890635: chkrootkit: Errors when trying to exclude known false positives

Lorenzo "Palinuro" Faletra palinuro at parrotsec.org
Sun Feb 18 14:10:09 UTC 2018



On 02/17/2018 02:35 AM, Maxim Biro wrote:
> Package: chkrootkit
> Version: 0.50-4+b2
> Severity: important
> 
> Dear Maintainer,
> 
> I have installed both fail2ban and chkrootkit on Debian Stretch. It is not the
> system I'm writing this report from. When running chkrootkit, it complains
> about hidden files from fail2ban:
> 
> 
> The issue seems to be that chkrootkit doesn't parse its arguments correctly or
> it has a limit on how long the -e argument can be. In fact, if you remove
> several file paths from either the beginning or the end of the -e argument,
> chkrootkit works as intended and lists just the removed file paths as false
> positives. Ideally users should be able to specify any number of file paths to
> be excluded.

Hi, I don't think that chkrootkit should be fixed in a way to allow you
to manually remove the fail2ban false positives. I think instead that
chkrootkit should be fail2ban-aware and include a special case to
automatically detect your situation and remove the false positives by
default if the fail2ban package is installed.

IIRC the software already includes many switches in its core to disable
most of the warnings if special cases known to be false-positives are
detected.

And now I have a question for the other pkg-security contributors:
should we patch it in Debian or should we try to patch it directly in
upstream?

I can personally try to work on a patch between today and the rest of
this week. Does anyone else want to join me?


