
Bug#1025257: chkrootkit: Add possibility to skip large directory scans in find


Peter Gervai

Dec 1, 2022, 10:10:03 AM
Package: chkrootkit
Version: 0.55-4+b2
Severity: wishlist
Tags: patch upstream

Would be nice to skip extremely large directories which the admin chooses to skip in the scan.
Typical examples are /var/lib/backuppc or similar backup dirs, or various large mounts.
The following patch contains only a few changes in the find calls where it uses a complete root dir scan.
I hope I was successful doing it POSIX-safe, but please check.

(Sidenote: I see you commented out '-o' at the end of the $findargs, is it correct this way?)


--- chkrootkit.orig 2022-08-17 15:47:55.000000000 +0200
+++ chkrootkit 2022-12-01 15:38:30.214332133 +0100
@@ -417,7 +417,7 @@
[ -d ${ROOTDIR}/usr/lib/lib.so1.so ] && expertmode_output ${find} ${ROOTDIR}/usr/lib/lib.so1.so
### sniffer's logs
expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \
- ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \
+ ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} ${FIND_EXCLUDE_ARGS} -name tcp.log -o -name \
.linux-sniff -o -name sniff-l0g -o -name core_ -o -wholename ${ROOTDIR}usr/lib/in.httpd -o \
-wholename ${ROOTDIR}usr/lib/in.pop3d"
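Review bot: the expression here still has no explicit action, so once ${FIND_EXCLUDE_ARGS} expands to `-path DIR -prune -o` the implicit -print applies to the whole expression and every pruned directory is itself listed next to the sniffer-log hits; group the -name/-wholename tests in \( ... \) and end them with -print. Also note that ${FIND_EXCLUDE_ARGS} is expanded unquoted inside this command string, so a pattern containing `*` or a path containing a space is re-split and re-globbed by the shell at this point, whatever the later `set -f` loop did.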

@@ -707,7 +707,7 @@
if [ "${QUIET}" != "t" ]; then \
printn "Searching for sniffer's logs, it may take a while... "; fi
files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var \
- ${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \
+ ${findargs} ${FIND_EXCLUDE_ARGS} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \
2>/dev/null`
if [ "${files}" = "" ]
then
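Review bot: same missing action as in the first hunk: `${findargs} ${FIND_EXCLUDE_ARGS} \( -name "tcp.log" -o ... \)` with no -print means an excluded directory satisfies `-path DIR -prune`, the whole expression is true, and find prints the directory, so `files` is non-empty and the test reports a sniffer log for exactly the tree the admin excluded. Append -print after the closing \), and since this line is being touched anyway, move the backtick command substitution to $(...) as requested in the discussion.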
@@ -2943,6 +2943,9 @@

-e) shift
EXCLUDES="$1 $EXCLUDES";;
+
+ -E) shift
+ EXCLUDE_DIRS="$1 $EXCLUDE_DIRS";;

-s) shift
EXCLUDES_SNIF="$1";;
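Review bot: `-E` accumulates a space-separated list the same way `-e` does, so a directory whose name contains a space cannot be excluded; document that limitation with the option, and add the man page entry that this hunk does not include. Because repeated `-E` occurrences already accumulate via `EXCLUDE_DIRS="$1 $EXCLUDE_DIRS"`, recommending one pattern per `-E` keeps the usage simpler than the quoted multi-pattern form shown in the help text.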
@@ -2969,6 +2972,7 @@
-x expert mode
-e 'FILE1 FILE2' exclude files/dirs from results. Must be followed by a space-separated list of files/dirs.
Read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES first.
+ -E 'DIR1 DIR2' exclude dirs (actually 'find' path patterns) from scanning.
-s REGEXP filter results of sniffer test through 'grep -Ev REGEXP' to exclude expected
PACKET_SNIFFERs. Read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES first.
-r DIR use DIR as the root directory
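Review bot: the new help line should say what kind of pattern `-E` expects: `find -path` matches the whole pathname as find prints it, so `-E /var/lib/backuppc` prunes that tree while `-E backuppc` or a pattern with a trailing slash matches nothing. State too that the list is space-separated, as the `-e` line above does, and point to the man page once it documents the option.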
@@ -3002,6 +3006,14 @@
pth=`echo $PATH | sed -e "s/:/ /g"`
pth="$pth /sbin /usr/sbin /lib /usr/lib /usr/libexec ."

+### Excluded paths from find (split the string, POSIX style)
+set -f
+FIND_EXCLUDE_ARGS=""
+for p in $EXCLUDE_DIRS; do
+ FIND_EXCLUDE_ARGS="${FIND_EXCLUDE_ARGS} -path ${p} -prune -o "
+done
+set +f
+
### external command's PATH
if [ "${CHKRKPATH}" = "" ]; then
chkrkpth=${pth}
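Review bot: `set -f` only protects `$EXCLUDE_DIRS` from globbing while this loop runs; FIND_EXCLUDE_ARGS is a plain string that is later expanded unquoted in the find calls, where word splitting and globbing apply again, so a pattern with `*` is expanded by the shell before find sees it and a path with a space is split into two words. POSIX sh has no arrays, so the robust option is to build the clauses as positional parameters at the point where find is invoked (`set -- "$@" -path "$p" -prune -o`) and pass "$@" to find. The trailing ` -o ` also leaves the find expressions without an explicit action, which is why pruned directories get printed in the two earlier hunks.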



-- System Information:
Debian Release: bookworm/sid
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'unstable'), (500, 'oldstable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.0.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii libc6 2.36-4

Versions of packages chkrootkit recommends:
ii binutils 2.39-8
ii iproute2 6.0.0-1+b1
ii net-tools 1.60+git20181103.0eebece-1
ii procps 2:3.3.17-7+b1

chkrootkit suggests no packages.

-- Configuration Files:
/etc/cron.daily/chkrootkit changed [not included]

Richard Lewis

Dec 8, 2022, 7:20:04 AM
control: tags -1 - patch
thanks

On Thu, 1 Dec 2022, 15:06 Peter Gervai, <gr...@grin.hu> wrote:

Hi - 

> Would be nice to skip extremely large directories which the admin chooses to skip in the scan.
> Typical examples are /var/lib/backuppc or similar backup dirs, or various large mounts.


Not sure I would use this feature myself, but it doesn't seem unreasonable. Are there other use cases than large files?

(I think most people use chkrootkit via the daily cron job - how does this interact with that?)


Does the patch apply against the version of chkrootkit with the - many tens of - existing Debian patches?

Also, can you add autopkgtests for the new feature and add the option to the man page too (I didn't find what was written in the patch to the 'help' output very clear; if you could find a clearer explanation of what this is for, that would help too). If you do all that, I'll take a closer look.



> The following patch contains only a few changes in the find calls where it uses a complete root dir scan.
> I hope I was successful doing it POSIX-safe, but please check.

I haven't looked in detail, but I think there are some issues that need fixing:
`...` should be replaced by $(...).
And variables look like they need quoting.
You can use shellcheck to spot some of these issues.

...chkrootkit is itself full of issues like this, but we should be making it better with every patch.


> (Sidenote: I see you commented out '-o' at the end of the $findargs, is it correct this way?)

I don't know, but you should provide a recommendation as part of the patch. I wouldn't be surprised if it was an error - it wouldn't be the first bit of dubious code spotted in chkrootkit. But equally, why would it end in -o?
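As an added example (mine, not part of the bug report or of chkrootkit), here is the `-path PATTERN -prune -o` idiom from Peter's patch written the way Richard's quoting remarks call for: patterns are carried in "$@" so spaces and glob characters survive, and the explicit -print that the patch leaves out is shown beside the implicit-print form. `make_tree` and `scan` are names constructed for this demo, and the sample directory tree is built in a temporary directory.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): the find(1) "-path PATTERN -prune -o"
# idiom from the patch, assembled in "$@" so that exclusion patterns survive
# spaces and glob characters, with and without an explicit -print.

# Constructed sample tree: tcp.log inside two "backup" dirs and one outside.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/var/lib/backuppc/pc" "$root/var/my backups" "$root/var/log"
    : > "$root/var/lib/backuppc/pc/tcp.log"
    : > "$root/var/my backups/tcp.log"
    : > "$root/var/log/tcp.log"
    printf '%s\n' "$root"
}

# scan ROOT PRINT PATTERN...
#   Lists tcp.log files under ROOT/var, pruning every directory whose full
#   path (as find prints it) matches one of the PATTERNs.
#   PRINT non-empty: append an explicit -print (corrected form).
#   PRINT empty:     rely on find's implicit print (the form in the patch).
scan() {
    _root=$1; _print=$2; shift 2
    # POSIX sh has no arrays: rebuild "$@" as the find clauses. Each pattern
    # stays one word, so neither word splitting nor globbing touches it.
    n=$#
    while [ "$n" -gt 0 ]; do
        p=$1; shift
        set -- "$@" -path "$p" -prune -o
        n=$((n - 1))
    done
    # Precedence: -a binds tighter than -o, so this reads
    #   (-path P1 -a -prune) -o ... -o (-name tcp.log [-a -print])
    # Without -print the implicit print applies to the whole expression and
    # the pruned directory itself is listed as a hit.
    find "$_root/var" "$@" -name tcp.log ${_print:+-print} 2>/dev/null | LC_ALL=C sort
}

# Run with the argument "demo" to see both forms on the sample tree.
if [ "${1:-}" = demo ]; then
    r=$(make_tree)
    echo "corrected (explicit -print):"; scan "$r" yes "$r/var/lib/backuppc" "$r/var/my backups"
    echo "as patched (implicit print):"; scan "$r" "" "$r/var/lib/backuppc"
    rm -rf "$r"
fi
```

With the implicit-print form the excluded directory `.../var/lib/backuppc` appears in the output, which is what would make chkrootkit's `files` variable non-empty.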

