Re: [cobalt-security] chkrootkit keeps complaining about hidden processes
- Subject: Re: [cobalt-security] chkrootkit keeps complaining about hidden processes
- From: "Jelmer Jellema" <cobalt@xxxxxxxxxxxxxxx>
- Date: Tue, 5 Mar 2002 08:58:53 +0100
- Organization: Spin in het Web (www.spininhetweb.nl)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
From: "Michael Stauber" <cobalt@xxxxxxxxxxxxxx>
> Chkrootkit compares the processes in the /proc/ directory with those shown
> by the command "ps". If both outputs don't match, then it'll give an alert.
> However, the comparison takes a few moments and if a process ends (or a new
> one is started) during the comparison, then that will cause a false alarm.
Thanks Michael,
I was thinking of some solution to these false alarms. This would require
rewriting chkrootkit, so I can only suggest things. Maybe something like
doing it process by process (recompare all the time).
Is this test really useful? False alarms are quite dangerous because people
don't watch them anymore. So if there has never been any incident with
hidden /proc entries, the test better be turned off????
Jelmer
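
The recheck idea from the message above, as an added example (not part of the original post and not chkrootkit's own code): only PIDs that stay visible in /proc and missing from "ps" across several fresh comparisons are reported, so a process that starts or exits mid-comparison drops out. The function names, the `rechecks` and `delay` parameters and the `ps -e -o pid=` invocation are assumptions made for this sketch.

```python
import os
import subprocess
import time


def proc_pids():
    """PIDs visible as numeric directory names under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs reported by ps (POSIX options: every process, PID column only)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def confirmed_hidden(list_proc=proc_pids, list_ps=ps_pids, rechecks=3, delay=0.2):
    """Return PIDs present in /proc but absent from ps on every comparison.

    list_proc and list_ps are callables returning a set of PIDs; they are
    parameters (an assumption of this sketch) so the logic can be exercised
    with constructed snapshots instead of a live system.
    """
    # First pass: the single comparison that produces the false alarms.
    suspects = list_proc() - list_ps()
    for _ in range(rechecks):
        if not suspects:
            break  # every mismatch was transient
        time.sleep(delay)
        # Fresh snapshots of both views. A process that exited is gone from
        # /proc, one that had just started now shows up in ps; either way it
        # falls out of the intersection.
        suspects &= list_proc() - list_ps()
    return suspects


if __name__ == "__main__":
    hidden = confirmed_hidden()
    if hidden:
        print("PIDs in /proc but never listed by ps:", sorted(hidden))
    else:
        print("no persistent /proc vs ps mismatch")
```
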