[Pkg-sysvinit-devel] Bug#403863: chkrootkit and false positive dot-files

Kenny kenny at romhat.net
Sun Jan 25 20:57:40 UTC 2009


I am clearly late to the party, but this issue is still unresolved in
Debian stable (presently etch).  More than two years in the waiting.
Ouch.

> I don't see how an empty dot-file could be a useful part of a rootkit,
> and neither an empty directory or one that contains nothing more than
> other empty files.

An empty file can store a wealth of information in the filename,
timestamp, mode bits, attributes (chattr/lsattr), acl (setfacl,
getfacl), and so on.  Verifying that these dot-files are harmless is far
from trivial.

The same could be said about any number of other files, but these in
particular are encouraging people to ignore false positives or add
dangerous excludes to their security systems.  Both of which are likely
to result in missed compromises.  That's not good for any of us.

What is using this file, anyway?  My google codesearch skills are
apparently lacking because aside from /etc/init.d/mountkernfs.sh
touching /lib/init/rw/.ramfs, I don't see anything that stats .ramfs.
Can anyone point me to an example of code that will need to be altered
before we can safely remove this dot-file?

Thanks.
-- 
Kenny
-+---+++-++-++++--+------+-+-++--++--+-+-++--+++-++----+-++-+++---+----+--+----+
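A defender-side check of the kind the message asks for, added here as an example (it is not part of the bug report or of the sysvinit package): it walks the metadata the message lists for a flagged dot-file such as /lib/init/rw/.ramfs before anyone writes an exclude for it. It assumes GNU ls (for the trailing `+` ACL marker); lsattr is used only if present.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a dot-file that chkrootkit
# flagged before excluding it. An "empty" file still carries data in its
# name, size, mode bits, owner, timestamps, chattr attributes and ACLs.
# Usage: audit_dotfile PATH [EXPECTED_OWNER]   (owner defaults to root)
# Returns 0 if the file looks like a plain empty marker, 1 otherwise.
audit_dotfile() {
    f=$1
    want_owner=${2:-root}
    rc=0
    [ -e "$f" ] || { echo "missing: $f"; return 1; }

    # Long listing: type, mode, ACL marker, owner, size, mtime and the name.
    line=$(ls -ld "$f")
    echo "$line"
    perms=$(printf '%s\n' "$line" | cut -c1-11)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')

    # Must be a regular file (first column '-'), not a symlink or device.
    case $perms in
        -*) ;;
        *) echo "  not a regular file"; rc=1 ;;
    esac
    # Group- or world-writable: any local user could repurpose the marker.
    case $perms in
        ?????w*|????????w*) echo "  group/world writable: $perms"; rc=1 ;;
    esac
    # GNU ls appends '+' (column 11) when extended ACL entries exist.
    case $perms in
        ??????????+) echo "  has extended ACL entries (see getfacl)"; rc=1 ;;
    esac
    [ "$owner" = "$want_owner" ] || { echo "  owner $owner, expected $want_owner"; rc=1; }
    # An "empty" marker that has contents deserves a look.
    [ -s "$f" ] && { echo "  not empty: $(wc -c < "$f") bytes"; rc=1; }

    # ext2/3/4 attributes set with chattr: the listing is printed for the
    # reader; immutable (i) or append-only (a) on a marker file is flagged.
    if command -v lsattr >/dev/null 2>&1; then
        attrs=$(lsattr -d "$f" 2>/dev/null | awk '{print $1}')
        [ -z "$attrs" ] || echo "  lsattr: $attrs"
        case $attrs in
            *[ia]*) echo "  immutable/append-only attribute set"; rc=1 ;;
        esac
    fi
    return $rc
}
```

Run it as `audit_dotfile /lib/init/rw/.ramfs` and read the printed listing as well as the exit status; the script only spots the cheap red flags, it does not prove the file harmless.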