rpms/chkrootkit/FC-6 README.false_positives, NONE, 1.1 chkrootkit.spec, 1.16, 1.17

Michael Schwendt (mschwendt) fedora-extras-commits at redhat.com
Wed Jan 31 18:35:23 UTC 2007


Author: mschwendt

Update of /cvs/extras/rpms/chkrootkit/FC-6
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9087/FC-6

Modified Files:
	chkrootkit.spec 
Added Files:
	README.false_positives 
Log Message:
* Wed Jan 31 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.47-2
- Upstream wants to disable the OBSD rk v1 check on Linux with
  next release.



--- NEW FILE README.false_positives ---
This is an additional document added to the Fedora RPM package of
chkrootkit.
-----

It is in the nature of some of chkrootkit's checks that there may be some
false positives among the reported findings. The chkrootkit user is
advised to examine such files more closely (display them, query the RPM
database about them, compare with backups on read-only media) and use
another layer of protection (such as an intrusion detection tool).


For example, when chkrootkit searches for hidden files below /usr/lib
(files whose names begin with a dot), it may report files which belong to
valid RPM packages, or which have been created at run-time by some
software, and which are innocent. The output could look like this (the
lines have been wrapped for readability):

Searching for suspicious files and dirs, it may take a while... 
/usr/lib/firefox-1.5.0.3/.autoreg
/usr/lib/firefox-1.5.0.2/.autoreg
/usr/lib/firefox-1.5.0.8/.autoreg
/usr/lib/firefox-1.5.0.1/.autoreg
/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/firefox-1.5/.autoreg
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/firefox-1.5.0.4/.autoreg

In this example, the files are valid files from Firefox (previous and
current versions), Perl and the Qt GUI toolkit, but only the ".packlist"
file is included in the main "perl" package. Creating and maintaining a
simple white-list inside chkrootkit would bear the risk that a new rootkit
uses the knowledge about white-listed file locations to store its
malicious files.

Also see:  http://www.chkrootkit.org/faq/
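The README above advises checking reported files against the RPM database. The following script is an added example (not part of the chkrootkit package or this commit) that reproduces the dotfile check, parses a chkrootkit report and sorts the findings by package ownership. The `rpm -qf --queryformat` call is a real rpm command; SAMPLE_OUTPUT is constructed in the shape of the output quoted above, and the function names are this example's own.

```python
import os
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: lines in the shape of the chkrootkit output quoted in
# README.false_positives (not captured from a real run).
SAMPLE_OUTPUT = """\
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox-1.5.0.3/.autoreg
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
"""


def find_hidden(root: str) -> List[str]:
    """Reproduce the heuristic itself: every file or directory below `root`
    whose name begins with a dot. Because it keys on the name alone, it is
    expected to hit benign dotfiles as well as anything a rootkit hides."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.startswith("."):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def parse_findings(output: str) -> List[str]:
    """Extract the absolute paths from a chkrootkit 'suspicious files' report;
    the banner line and anything else that is not a path is ignored."""
    return [line.strip() for line in output.splitlines() if line.startswith("/")]


def rpm_owner(path: str) -> Optional[str]:
    """Ask the RPM database which package owns `path`; None when no package
    claims it (rpm -qf exits non-zero for unowned files)."""
    try:
        proc = subprocess.run(
            ["rpm", "-qf", "--queryformat", "%{NAME}\n", path],
            capture_output=True, text=True,
        )
    except FileNotFoundError:
        raise RuntimeError("rpm not found; run this on an RPM-based system")
    if proc.returncode != 0:
        return None
    return proc.stdout.strip() or None


def triage(findings: List[str],
           owner_lookup: Callable[[str], Optional[str]] = rpm_owner,
           ) -> Tuple[Dict[str, str], List[str]]:
    """Split findings into package-owned (path -> package) and unowned.
    Ownership is not proof of innocence (an owned file can still have been
    modified; `rpm -V <package>` checks that), but an unowned dotfile under
    /usr/lib is either run-time state, like the .autoreg and .lock files in
    the README, or something that does not belong there, and it deserves the
    closer examination the README asks for."""
    owned: Dict[str, str] = {}
    unowned: List[str] = []
    for path in findings:
        pkg = owner_lookup(path)
        if pkg:
            owned[path] = pkg
        else:
            unowned.append(path)
    return owned, unowned


if __name__ == "__main__":
    owned, unowned = triage(parse_findings(SAMPLE_OUTPUT))
    for path, pkg in owned.items():
        print(f"owned by package {pkg}: {path}")
    for path in unowned:
        print(f"NOT owned by any package, examine: {path}")
```

The lookup is injectable so the classification logic can be exercised with a constructed ownership table on a machine without rpm; on a Fedora host the default uses the real database.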


Index: chkrootkit.spec
===================================================================
RCS file: /cvs/extras/rpms/chkrootkit/FC-6/chkrootkit.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- chkrootkit.spec	20 Oct 2006 12:47:12 -0000	1.16
+++ chkrootkit.spec	31 Jan 2007 18:34:53 -0000	1.17
@@ -1,6 +1,6 @@
 Name:           chkrootkit
 Version:        0.47
-Release: 1%{?dist}
+Release:        2%{?dist}
 Summary:        Tool to locally check for signs of a rootkit
 Group:          Applications/System
 License:        BSD-like
@@ -11,10 +11,12 @@
 Source3:        chkrootkit.desktop
 Source4:        chkrootkit.console
 Source5:        chkrootkit.pam
+Source6:        README.false_positives
 Patch1:         chkrootkit-0.44-getCMD.patch
 Patch2:         chkrootkit-0.44-inetd.patch
 Patch3:         chkrootkit-0.45-includes.patch
 Patch4:         chkrootkit-0.47-warnings.patch
+Patch5:         chkrootkit-0.47-no-openbsd.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:  desktop-file-utils
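Review bot: the new `Patch5: chkrootkit-0.47-no-openbsd.patch` line names a file that is not listed under "Added Files" in this commit (only README.false_positives is), so unless it was checked in separately, `%patch5` will fail at %prep; please confirm the patch file is committed alongside the spec, and consider a one-line comment above `Patch5:` saying which check it disables (the OBSD rk v1 check mentioned in the changelog) and that upstream intends the same change.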
@@ -42,6 +44,7 @@
 %patch2 -p1 -b .inetd
 %patch3 -p1 -b .includes
 %patch4 -p1 -b .warnings
+%patch5 -p1 -b .no-openbsd
 sed -i -e 's!\s\+ at strip.*!!g' Makefile
 
 
@@ -89,6 +92,8 @@
   --add-category X-Fedora                              \
   %{SOURCE3}
 
+install -p %{SOURCE6} .
+
 
 %clean
 rm -rf ${RPM_BUILD_ROOT}
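Review bot: `install -p %{SOURCE6} .` copies README.false_positives with install's default mode 0755, so the document is packaged executable by `%doc`; use `install -p -m 644 %{SOURCE6} .` or `cp -p %{SOURCE6} .` so it is shipped as a plain 0644 file.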
@@ -96,7 +101,7 @@
 
 %files
 %defattr(-,root,root,-)
-%doc ACKNOWLEDGMENTS COPYRIGHT README README.chklastlog README.chkwtmp chkrootkit.lsm
+%doc ACKNOWLEDGMENTS COPYRIGHT README README.chklastlog README.chkwtmp chkrootkit.lsm README.false_positives
 %{_sbindir}/chkrootkit
 %{_bindir}/chkrootkit
 %{_bindir}/chkrootkitX
@@ -108,13 +113,14 @@
 
 
 %changelog
+* Wed Jan 31 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.47-2
+- Upstream wants to disable the OBSD rk v1 check on Linux with
+  next release.
+
 * Fri Oct 20 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.47-1
 - Update to 0.47.
 - mark PAM and consolehelper files in /etc as config
 
-* Mon Aug 28 2006 Michael Schwendt <mschwendt[AT]users.sf.net>
-- rebuilt
-
 * Sat Feb 25 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.46a-2
 - rebuilt for FC5
 
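Review bot: the new changelog entry records only upstream's intent regarding the OBSD rk v1 check; it should state what this release actually changes, i.e. that Patch5 (chkrootkit-0.47-no-openbsd.patch) disables that check on Linux and that README.false_positives is added to %doc. Separately, this hunk deletes the "Mon Aug 28 2006 ... rebuilt" entry; changelog history is normally kept, so either restore it or note why it is dropped.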
More information about the scm-commits mailing list