Re: [RFR] templates://chkrootkit/{templates}
> Your review should be sent as an answer to this mail.
> Template: chkrootkit/run_daily_opts
[...]
> + -r <root>: specifies an alternate root directory;
> + -n : do not attempt to analyze nfs mounted files;
> + -q : run in quiet mode [highly recommended].
Slightly improved parallel construction, and capitalised acronym:
-r <root>: use an alternate root directory;
-n : do not attempt to analyze NFS-mounted files;
-q : run in quiet mode [highly recommended].
> Package: chkrootkit
[...]
>
> + The chkrootkit program identifies whether the target computer is infected
> + with a 'rootkit'. Rootkits are set of programs and hacks designed to
> + take control of a target machine by using known security flaws.
We've taken out the phrase "local system", so it would be better to
avoid referring to "the target computer" as if it was possible to
run "chkrootkit example.org". I like your definition, though.
The chkrootkit security scanner searches the local system for signs
that it is infected with a 'rootkit'. Rootkits are set of programs and
hacks designed to take control of a target machine by using known
security flaws.
.
Types that chkrootkit can identify include:
> + One should note that chkrootkit not detecting intrusions does not
> + necessarily mean the target computer was not attacked or compromised.
> + In addition to running chkrootkit, more specific tests should be performed.
Not so good.
Please note that where chkrootkit detects no intrusions, this does not
guarantee that the system is uncompromised. In addition to running
chkrootkit, more specific tests should always be performed.
> I'm frankly not enthusiastic about the long enumeration. I suppose that
> chkrootkit detected kits vary over time. So the alternative I propose
> is just dropping the list. At least, it should use the now established
> standard for enumerations.
It does at least seem to be a list from this decade. There are
current lists at http://www.chkrootkit.org/ - it wants a Homepage
header.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
--- ../chkrootkit.old/debian/templates 2008-02-07 11:28:32.000000000 +0000
+++ debian/templates 2008-02-08 00:34:54.000000000 +0000
@@ -1,25 +1,26 @@
Template: chkrootkit/run_daily
Type: boolean
Default: false
-_Description: Would you like to run chkrootkit automatically every day?
- chkrootkit can be run automatically via cron.daily if you like. If you
- answer yes to this question, you'll also be given the opportunity to
+_Description: Should chkrootkit be run automatically every day?
+ The chkrootkit program can be run automatically via a daily cron job. If you
+ choose this option, you'll also be given the opportunity to
specify options for the daily run.
Template: chkrootkit/run_daily_opts
Type: string
-_Default: -q
-_Description: What arguments would you like to pass to the daily chkrootkit run?
+Default: -q
+_Description: Arguments to use with chkrootkit in the daily run:
The following are useful arguments to pass to chkrookit:
- * -r <root> specifies an alternate root directory
- * -n do not attempt to analyze nfs mounted files
- * -q run in quiet mode [highly recommended]
+ -r <root>: use an alternate root directory;
+ -n : do not attempt to analyze NFS-mounted files;
+ -q : run in quiet mode [highly recommended].
Template: chkrootkit/diff_mode
Type: boolean
Default: false
-_Description: Only report problems if they differ from yesterday's problems?
- Choosing yes here instructs the cron.daily call of chkrootkit to
- only report problems if they differ from the previous day's run.
+_Description: Only report problems if they differ from previous day's problems?
+ If you choose this option, chkrootkit will
+ only report problems when they differ from the previous day's run.
.
- Use this option with care.
+ Using this option is not recommended as it is likely to hide existing
+ security problems.
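Review bot: the unchanged context line "The following are useful arguments to pass to chkrookit:" in chkrootkit/run_daily_opts still misspells the program name; since the surrounding strings are changing and will need retranslation anyway, correct it to "chkrootkit" in the same patch. The new diff_mode synopsis "differ from previous day's problems?" also drops the article that the body text keeps ("the previous day's run").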
--- ../chkrootkit.old/debian/control 2008-02-07 11:28:32.000000000 +0000
+++ debian/control 2008-02-08 00:39:46.000000000 +0000
@@ -1,6 +1,7 @@
Source: chkrootkit
Section: misc
Priority: optional
+Homepage: http://www.chkrootkit.org/
Maintainer: lantz moore <lmoore@debian.org>
Standards-Version: 3.6.2
Build-Depends: debhelper (>> 4.0.0), libc6.1-dev [ia64], po-debconf
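Review bot: Standards-Version stays at 3.6.2 in the context lines while a Homepage field is added to the source stanza; check that the declared policy version recognises this field, and bump Standards-Version in the same upload if it does not.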
@@ -8,21 +9,27 @@
Package: chkrootkit
Architecture: any
Depends: ${shlibs:Depends}, binutils, net-tools, debconf | debconf-2.0, procps
-Description: Checks for signs of rootkits on the local system
- chkrootkit identifies whether the target computer is infected with a rootkit.
- Some of the rootkits that chkrootkit identifies are:
- 1. lrk3, lrk4, lrk5, lrk6 (and some variants);
- 2. Solaris rootkit;
- 3. FreeBSD rootkit;
- 4. t0rn (including latest variant);
- 5. Ambient's Rootkit for Linux (ARK);
- 6. Ramen Worm;
- 7. rh[67]-shaper;
- 8. RSHA;
- 9. Romanian rootkit;
- 10. RK17;
- 11. Lion Worm;
- 12. Adore Worm.
- Please note that this is not a definitive test, it does not ensure that the
- target has not been cracked. In addition to running chkrootkit, one should
- perform more specific tests.
+Description: rootkit detection software
+ The chkrootkit security scanner searches the local system for signs
+ that it is infected with a 'rootkit'. Rootkits are set of programs and
+ hacks designed to take control of a target machine by using known
+ security flaws.
+ .
+ Types that chkrootkit can identify include:
+ .
+ - lrk3, lrk4, lrk5, lrk6 (and some variants);
+ - Solaris rootkit;
+ - FreeBSD rootkit;
+ - t0rn (including latest variant);
+ - Ambient's Rootkit for Linux (ARK);
+ - Ramen Worm;
+ - rh[67]-shaper;
+ - RSHA;
+ - Romanian rootkit;
+ - RK17;
+ - Lion Worm;
+ - Adore Worm.
+ .
+ Please note that where chkrootkit detects no intrusions, this does not
+ guarantee that the system is uncompromised. In addition to running
+ chkrootkit, more specific tests should always be performed.
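Review bot: the added line "that it is infected with a 'rootkit'. Rootkits are set of programs and" is missing an article and should read "Rootkits are a set of programs". The twelve-item enumeration is carried over with only its markers changed, so it will still go stale as the set of detected rootkits changes; with the Homepage field now present, a shorter list plus a pointer to the upstream site for the current one would age better.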
Template: chkrootkit/run_daily
Type: boolean
Default: false
_Description: Should chkrootkit be run automatically every day?
The chkrootkit program can be run automatically via a daily cron job. If you
choose this option, you'll also be given the opportunity to
specify options for the daily run.
Template: chkrootkit/run_daily_opts
Type: string
Default: -q
_Description: Arguments to use with chkrootkit in the daily run:
The following are useful arguments to pass to chkrookit:
-r <root>: use an alternate root directory;
-n : do not attempt to analyze NFS-mounted files;
-q : run in quiet mode [highly recommended].
Template: chkrootkit/diff_mode
Type: boolean
Default: false
_Description: Only report problems if they differ from previous day's problems?
If you choose this option, chkrootkit will
only report problems when they differ from the previous day's run.
.
Using this option is not recommended as it is likely to hide existing
security problems.
Source: chkrootkit
Section: misc
Priority: optional
Homepage: http://www.chkrootkit.org/
Maintainer: lantz moore <lmoore@debian.org>
Standards-Version: 3.6.2
Build-Depends: debhelper (>> 4.0.0), libc6.1-dev [ia64], po-debconf
Package: chkrootkit
Architecture: any
Depends: ${shlibs:Depends}, binutils, net-tools, debconf | debconf-2.0, procps
Description: rootkit detection software
The chkrootkit security scanner searches the local system for signs
that it is infected with a 'rootkit'. Rootkits are set of programs and
hacks designed to take control of a target machine by using known
security flaws.
.
Types that chkrootkit can identify include:
.
- lrk3, lrk4, lrk5, lrk6 (and some variants);
- Solaris rootkit;
- FreeBSD rootkit;
- t0rn (including latest variant);
- Ambient's Rootkit for Linux (ARK);
- Ramen Worm;
- rh[67]-shaper;
- RSHA;
- Romanian rootkit;
- RK17;
- Lion Worm;
- Adore Worm.
.
Please note that where chkrootkit detects no intrusions, this does not
guarantee that the system is uncompromised. In addition to running
chkrootkit, more specific tests should always be performed.