[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] chkrootkit keeps complaining about hidden processes

Subject: Re: [cobalt-security] chkrootkit keeps complaining about hidden processes
From: "Jelmer Jellema" <cobalt@xxxxxxxxxxxxxxx>
Date: Tue, 5 Mar 2002 08:58:53 +0100
Organization: Spin in het Web (www.spininhetweb.nl)
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

From: "Michael Stauber" <cobalt@xxxxxxxxxxxxxx>

> Chkrootkit compares the processes in the /proc/  directory with those
shown
> by the command "ps". If both outputs don't match, then it'll give alert.
> However, the comparision takes a few moments and if a  process ends (or a
new
> one is started) during the comparision, then that will cause an false
alarm.

Thanks Michael,

I was thinking of some solution to these false alarms. This would require
rewriting chkrootkit, so I can only suggest things. Maybe something like
doing it process by process (recompare all the time).

Is this test really useful? False alarms are quite dangerous because people
don't watch them anymore. So if there has never been any incident with
hidden /proc entries, the test better be turned off????

Jelmer

Follow-Ups:
- Re: [cobalt-security] chkrootkit keeps complaining about hidden processes
  - From: Michael Stauber

References:
- [cobalt-security] chkrootkit keeps complaining about hidden processes
  - From: Jelmer Jellema
- Re: [cobalt-security] chkrootkit keeps complaining about hidden processes
  - From: Michael Stauber

Prev by Date: Re: [cobalt-security] pro's and cons of not letting GUI change ro ot password
Next by Date: Re: [cobalt-security] chkrootkit keeps complaining about hidden processes
Previous by thread: Re: [cobalt-security] chkrootkit keeps complaining about hidden processes
Next by thread: Re: [cobalt-security] chkrootkit keeps complaining about hidden processes

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index