app-forensics/chkrootkit-0.49 when used with the -n switch will still traverse nfs4 mounts because the logic only adds "! -fstype nfs" to the find arguments.

Reproducible: Always

Steps to Reproduce:
1. mount nfs4 filesystem (mine has millions of files)
2. run chkrootkit -n
3. wait forever

Actual Results: My NFS4 mount is a RAID storing millions of documents, and it takes hours for it to slog through all of it.

Expected Results: with -n, it should ignore these file systems.
This is the line that I'm having the most issue with inside of chkrootkit:

files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0`

And this one too:

expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ -size 0"

With a manual change to make nfs nfs4, this is what it renders out to:

find // ! -fstype nfs4 -name '.*history' -size 0

The problem with this is that while the -fstype nfs4 is filtering out files and directories from find, it's not actually causing find to stop traversing the NFS filesystem. Best way I've found to do that without using the -xdev command, which would keep find on one filesystem, is to modify the above to this:

find // -fstype nfs4 -prune -o -name '.*history' -size 0 -print

With both nfs and nfs4 it would look like this:

find // -fstype nfs -prune -o -fstype nfs4 -prune -o -name '.*history' -size 0 -print

The -print needs to be on there or else the NFS mount points will come up as results in find.

Note: I'm not a `find' guru, and there's probably other ways to do this.
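The -prune / -print behaviour described in the comment above, as an added example that is not part of the original report or of chkrootkit. It builds the prune chain from a list of filesystem types and shows, on a constructed directory tree, why the trailing -print matters; since no NFS mount is available here, the "mount point" is pruned by -path as a stand-in for -fstype, and build_findargs, make_tree and the count_* helpers are hypothetical names.

```shell
#!/bin/sh
# Added example, not chkrootkit code.

# build_findargs nfs nfs4 -> "-fstype nfs -prune -o -fstype nfs4 -prune -o "
# (the shape the patched chkrootkit puts into ${findargs})
build_findargs() {
    out=""
    for t in "$@"; do
        out="${out}-fstype ${t} -prune -o "
    done
    printf '%s' "$out"
}

# Same probe chkrootkit uses to learn whether this find understands -fstype.
find_supports_fstype() {
    find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1
}

# Constructed tree: "mnt" stands in for an NFS mount point. One empty history
# file lives outside it (must be reported), one inside it (must be skipped),
# and one non-empty history file outside it (must not match -size 0).
make_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/.ssh" "$d/mnt/deep/deeper"
    : > "$d/home/.bash_history"
    : > "$d/mnt/deep/deeper/.sh_history"
    printf 'x' > "$d/home/.zsh_history"
    printf '%s' "$d"
}

# No explicit action: find evaluates "( expr ) -print", and -prune returns
# true, so the pruned "mount point" itself shows up in the output.
count_without_print() {
    find "$1" -path "$1/mnt" -prune -o -name '.*history' -size 0 | wc -l
}

# -print attached only to the match branch: the pruned directory stays silent
# and its contents are never traversed.
count_with_print() {
    find "$1" -path "$1/mnt" -prune -o -name '.*history' -size 0 -print | wc -l
}
```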
I found it also useful to add `-fstype proc -prune -o' after ${findargs} on the four lines containing the .*history searches. This was because it seems that the -fstype parameter would cause file not found warnings to show inside of /proc.
Created attachment 304871: Modified chkrootkit script. This contains all changes I did to the chkrootkit script to make it work with nfs and nfs4 in a nice way.
Comment on attachment 304871 [details] Modified chkrootkit script --- chkrootkit 2012-03-13 11:14:30.429782949 +0100 +++ - 2012-03-13 11:15:22.216339696 +0100 @@ -593,10 +593,10 @@ ### shell history file check if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then - expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ - -size 0" - expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ - \( -links 2 -o -type l \)" + expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -fstype proc -prune -o -name .*history \ + -size 0 -print" + expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -fstype proc -prune -o -name .*history \ + \( -links 2 -o -type l \) -print" fi return 5 @@ -1161,10 +1161,10 @@ printn "Searching for anomalies in shell history files... "; fi files="" if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then - files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0` + files=`${find} ${ROOTDIR}${HOME} ${findargs} -fstype proc -prune -o -name '.*history' -size 0 -print` [ ! -z "${files}" ] && \ echo "Warning: \`${files}' file size is zero" - files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)` + files1=`${find} ${ROOTDIR}${HOME} ${findargs} -fstype proc -prune -o -name '.*history' \( -links 2 -o -type l \) -print` [ ! -z "${files1}" ] && \ echo "Warning: \`${files1}' is linked to another file" fi @@ -1244,10 +1244,10 @@ findargs="" if find /etc -maxdepth 0 >/dev/null 2>&1; then find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \ - findargs="! -fstype nfs " + findargs="-fstype nfs -prune -o -fstype nfs4 -prune -o " elif find /etc -prune > /dev/null 2>&1; then find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \ - findargs="! -fstype nfs " + findargs="-fstype nfs -prune -o -fstype nfs4 -prune -o " fi }
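Review bot: the two history hunks (around lines 593 and 1161) hard-code `-fstype proc -prune -o` outside of `${findargs}`, which sidesteps the probe in the `findargs` block that decides whether this `find` supports `-fstype` at all; on a platform where the probe fails and `findargs` stays empty, these commands now fail instead of degrading. Suggest adding proc to the list the detection block builds (e.g. `findargs="-fstype nfs -prune -o -fstype nfs4 -prune -o -fstype proc -prune -o "`) so the probe keeps guarding every use.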
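Review bot: the hunk around line 1244 changes the meaning of `${findargs}` from a filter (`! -fstype nfs `) to a prune chain ending in `-o`, but only the four history invocations in this patch gain the explicit `-print` that such a chain needs; any other `${find} ... ${findargs} ...` line in the script that has no action will now print the pruned mount points as results (find's implicit `( expr ) -print`). Either update every consumer of `${findargs}` with a trailing `-print`, or keep the old variable and introduce a second one for the prune form. The probe itself can keep testing `! -fstype nfs`, since it only checks `-fstype` support.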
Sounds like you also encounter Bug 509000?
Please retry with the 0.51 version.