[SGVLUG] chkrootkit question
Claude Felizardo
cafelizardo at gmail.com
Wed Sep 27 10:37:07 PDT 2006
Does anyone on the list use chkrootkit?
I have two Linux boxes running Mandrake's msec suite of security tools
scheduled to run at 4 am. The machine at work is a P4 2.8 GHz box
with SATA and it would usually complete its scans within the hour. My
file server at home is a P3/450 with 3 IDE drives in a RAID-5
configuration and the scan generally took well over 12 hours but since
it usually completes by the time I get home and I don't often log into
the machine it wasn't a big deal. I figured it was the amount of data
it had to scan and the software RAID. One of the tools msec will use
is chkrootkit and I discovered that while it's installed at home, it
was never installed on my desktop at work.
This morning I find that it's still running at work with a load avg of
2.5 while my server at home is at it's normal 1.2 during the scan. So
I started looking around and
crap, i just noticed that it's been scanning the home directories of
everyone at work. Well it managed to generate about 145KB of
Permission denied messages before I managed to kill it.
Looks like there's a -n option I can use to tell it to skip NFS
mounted directories but what I'd really want to do is have it ignore
my backup directories as well. msec has some config options to
exclude directories but I don't think its used by chkrootkit.
I'm running chkrootkit 0.45 and from their website, i see that the
latest is 0.46a. According to some of the posts to their mailing
list, some people had complained that the -n option didn't support
skipping AFS file systems and was causing a similar problem, not clear
on what version this was.
Any suggestions?
claude
More information about the SGVLUG
mailing list