Summary: | app-forensics/chkrootkit-0.50 -n option does not recognize nfs4 mounts | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | Adam Randall <randalla>
Component: | Current packages | Assignee: | No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: | RESOLVED TEST-REQUEST | |
Severity: | normal | CC: | randalla
Priority: | Normal | Keywords: | PATCH
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Attachments: | Modified chkrootkit script | |
Description
Adam Randall
2012-03-10 22:10:48 UTC
This is the line that I'm having the most issue with inside of chkrootkit:

    files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0`

And this one too:

    expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
    -size 0"

With a manual change to make nfs nfs4, this is what it renders out to:

    find // ! -fstype nfs4 -name '.*history' -size 0

The problem with this is that while the -fstype nfs4 is filtering out files and directories from find, it's not actually causing find to stop traversing the NFS filesystem. The best way I've found to do that without using the -xdev command, which would keep find on one filesystem, is to modify the above to this:

    find // -fstype nfs4 -prune -o -name '.*history' -size 0 -print

With both nfs and nfs4 it would look like this:

    find // -fstype nfs -prune -o -fstype nfs4 -prune -o -name '.*history' -size 0 -print

The -print needs to be on there or else the NFS mount points will come up as results in find.

Note: I'm not a `find' guru, and there are probably other ways to do this.

I found it also useful to add `-fstype proc -prune -o' after ${findargs} on the four lines containing the .*history searches. This was because it seems that the -fstype parameter would cause file not found warnings to show inside of /proc.

Created attachment 304871 [details]
Modified chkrootkit script

This contains all changes I did to the chkrootkit script to make it work with nfs and nfs4 in a nice way.
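The difference the description draws between a negated `-fstype` test and `-prune -o ... -print`, as an added shell example that is neither part of the report nor chkrootkit's own code: a directory named `nfsmount` stands in for the NFS mount and `-path` stands in for `-fstype` (both assumptions, since a single filesystem cannot exercise `-fstype`), over a constructed tree with an empty history file above and below the stand-in mount.

```shell
#!/bin/sh
# Added example, not chkrootkit code: a negated test such as "! -fstype nfs"
# only hides matches, find still walks the whole mount, whereas
# "-fstype nfs -prune -o ... -print" stops at the mount point. A directory
# named "nfsmount" stands in for the mount and "-path" for "-fstype"
# (assumptions of this demo, since one filesystem cannot exercise -fstype).

# Constructed tree: an empty history file above and below the stand-in mount.
setup_tree() {
    root=$(mktemp -d)
    touch "$root/.bash_history"
    mkdir -p "$root/nfsmount/home"
    touch "$root/nfsmount/home/.bash_history"
    printf '%s\n' "$root"
}

# Number of entries find reports for the expression passed as arguments.
reported() {
    dir=$1; shift
    echo $(( $(find "$dir" "$@" | wc -l) ))
}

# Number of entries find actually visits for the same expression: an -exec
# trace is ANDed in front of it and always succeeds, so it changes nothing
# about which entries match. (-exec suppresses the implicit -print, which is
# why reported() is a separate, trace-free run.)
visited() {
    dir=$1; shift
    log=$(mktemp)
    find "$dir" -exec sh -c 'echo "$1" >>"$2"' _ {} "$log" \; "$@" >/dev/null
    n=$(( $(wc -l <"$log") ))
    rm -f "$log"
    echo "$n"
}

# chkrootkit 0.50 form: the mount's contents are hidden from the output, but
# every entry beneath the mount point is still visited (5 here, 1 reported).
negated_reported() { reported "$1" ! -path "$1/nfsmount*" -name '.*history' -size 0; }
negated_visited()  { visited  "$1" ! -path "$1/nfsmount*" -name '.*history' -size 0; }

# Reporter's form: -prune stops the walk at the mount point (3 visited, 1
# reported); the explicit -print keeps the pruned directory out of the output.
pruned_reported() { reported "$1" -path "$1/nfsmount" -prune -o -name '.*history' -size 0 -print; }
pruned_visited()  { visited  "$1" -path "$1/nfsmount" -prune -o -name '.*history' -size 0 -print; }

# Without -print the default action applies to the whole expression, so the
# pruned mount point itself is reported as a zero-size "history" hit (2).
pruned_noprint_reported() { reported "$1" -path "$1/nfsmount" -prune -o -name '.*history' -size 0; }
```

On a real NFS mount the visited count is what makes chkrootkit slow or hang; the reported count is what the missing `-print` corrupts.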
Comment on attachment 304871 [details]
Modified chkrootkit script
--- chkrootkit 2012-03-13 11:14:30.429782949 +0100
+++ - 2012-03-13 11:15:22.216339696 +0100
@@ -593,10 +593,10 @@
### shell history file check
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
- expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
- -size 0"
- expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
- \( -links 2 -o -type l \)"
+ expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -fstype proc -prune -o -name .*history \
+ -size 0 -print"
+ expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -fstype proc -prune -o -name .*history \
+ \( -links 2 -o -type l \) -print"
fi
return 5
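Review bot: the `-fstype proc -prune -o` clause hardcoded into both expertmode_output strings (the two `+` lines) duplicates what the real search does in the next hunk, so the expert-mode text and the actual `find` invocation can drift apart; folding that clause into `findargs` where it is computed would keep a single definition. The strings also only parse because `${findargs}` is either empty or ends in `-o`; that invariant deserves a comment at the assignment.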
@@ -1161,10 +1161,10 @@
printn "Searching for anomalies in shell history files... "; fi
files=""
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
- files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0`
+ files=`${find} ${ROOTDIR}${HOME} ${findargs} -fstype proc -prune -o -name '.*history' -size 0 -print`
[ ! -z "${files}" ] && \
echo "Warning: \`${files}' file size is zero"
- files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)`
+ files1=`${find} ${ROOTDIR}${HOME} ${findargs} -fstype proc -prune -o -name '.*history' \( -links 2 -o -type l \) -print`
[ ! -z "${files1}" ] && \
echo "Warning: \`${files1}' is linked to another file"
fi
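Review bot: the trailing `-print` on both `+` lines is required, because without it the pruned mount points themselves would be returned and flagged as zero-size history files; but the `-fstype proc -prune -o` clause only matters when `${ROOTDIR}${HOME}` resolves to `/` (the `find //` case in the description), so it would be cleaner to add it once to `findargs` than to repeat it in four places.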
@@ -1244,10 +1244,10 @@
findargs=""
if find /etc -maxdepth 0 >/dev/null 2>&1; then
find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \
- findargs="! -fstype nfs "
+ findargs="-fstype nfs -prune -o -fstype nfs4 -prune -o "
elif find /etc -prune > /dev/null 2>&1; then
find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \
- findargs="! -fstype nfs "
+ findargs="-fstype nfs -prune -o -fstype nfs4 -prune -o "
fi
}
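Review bot: both probes still test `! -fstype nfs` while the value assigned is `-fstype nfs -prune -o -fstype nfs4 -prune -o`, so neither probe exercises `-prune` or the nfs4 type before the real runs; probe with the same `-prune -o` expression that is assigned. Also, because `findargs` now ends in `-o`, every consumer of `${findargs}` must terminate its expression with an explicit `-print`; the two earlier hunks do, but any other use of `${findargs}` in the script that is not touched by this diff would now print the pruned mount points as matches.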
Sounds like you also encountered Bug 509000? Please retry with the 0.51 version.