
I want to "white-list" some of the false positives of chkrootkit, therefore I would like to use /etc/chkrootkit.conf as a "white-list".

But this does not work: RUN_DAILY_OPTS="-q -e '/sbin/init /sbin/dhclient'"

And I still get the following false positives:

Warning: /sbin/init INFECTED eth0: PACKET SNIFFER(/sbin/dhclient (deleted)[…])

I know it's not a real white-list, but the false positives should not send me emails every day. chkrootkit version 0.49.

Alex W.

1 Answer


You could put those in a ...

/etc/chkrootkit.filter

When you put this in ...

^eth0: PACKET SNIFFER(/sbin/dhclient\[[0-9]*\])$

it will ignore dhclient on eth0. Add this file to /etc/cron.daily/chkrootkit. Find ...

$CHKROOTKIT $RUN_DAILY_OPTS

with your favorite editor and change it into ...

$CHKROOTKIT $RUN_DAILY_OPTS | grep -v -f $FILTER || true

and (somewhere at the beginning) add ...

FILTER=/etc/chkrootkit.filter

after ...

CF=/etc/chkrootkit.conf

Before you start do a ...

./chkrootkit

It should show the false positive reference to dhclient, and after editing this in, run it again. The reference to dhclient should be gone.

Mind though: anything you add to this that does get infected you will no longer be warned about. So be careful with this kind of filtering. Better would be to have 'them' update their definitions.

Rinzwind
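The filtering step the answer describes, as an added example that is not part of the original answer: it writes the white-list pattern to a temporary file standing in for /etc/chkrootkit.filter, runs constructed chkrootkit-style output through the same `grep -v -f $FILTER || true` pipeline the cron script would use, and shows that only the dhclient line on eth0 is dropped. The sample lines (a tcpdump sniffer on eth1 and an LKM warning) are constructed input for the demonstration, not real chkrootkit output, so you can check a pattern does what you intend before editing /etc/cron.daily/chkrootkit.

```shell
#!/bin/sh
# Added example, not code from the original post. Exercises the
# grep -v -f filter from the answer against constructed sample output.

# Constructed sample of what "chkrootkit -q" might report: one known
# false positive (dhclient on eth0) and two lines that must survive.
SAMPLE_OUTPUT="eth0: PACKET SNIFFER(/sbin/dhclient[1234])
eth1: PACKET SNIFFER(/usr/sbin/tcpdump[4321])
Warning: Possible LKM Trojan installed"

# Writes the white-list pattern to the file named in $1 (the role that
# /etc/chkrootkit.filter plays). grep -f reads basic regular expressions:
# "(" and ")" are literal, "\[" and "\]" are literal brackets, and
# [0-9]* absorbs the PID so the pattern matches on every run.
write_filter() {
    printf '%s\n' '^eth0: PACKET SNIFFER(/sbin/dhclient\[[0-9]*\])$' > "$1"
}

# Reads chkrootkit output on stdin and drops every line matching a pattern
# in the filter file $1. grep -v exits 1 when nothing is left to print;
# "|| true" keeps the cron job from treating that (desired) case as an error.
filter_chkrootkit() {
    grep -v -f "$1" || true
}

# Runs the sample through the filter and prints the surviving lines.
demo() {
    tmp=$(mktemp)
    write_filter "$tmp"
    printf '%s\n' "$SAMPLE_OUTPUT" | filter_chkrootkit "$tmp"
    rm -f "$tmp"
}

# Count of lines the filter lets through, for a quick sanity check.
kept_count() {
    demo | wc -l | tr -d ' '
}

demo
```

Two of the three sample lines survive; the eth1 sniffer and the LKM warning are still reported, which is the property worth confirming before trusting a filter, since anything the pattern matches will never reach you by mail again.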