chkrootkit checking sniffer's log takes ages

Question

On my server chkrootkit hangs on

Searching for sniffer's logs, it may take a while...

After half an hour, I stopped this, so how can I find out what chkrootkit is trying to achieve in this step?

I looked at the code and it seems this is the part that takes so long:

files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var \
   ${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \
   2>/dev/null`

chkrootkit tries to find sniffer-logs in these places:

find /dev /tmp /lib /etc /var ( -name tcp.log -o -name .linux-sniff -o -name sniff-l0g -o -name core_ )

which could be huge, cause on my server I backup into /var/backups/rsnapshot/ which would be inside /var

What can I do to speedup chkrootkit?

Can I blacklist /var/backup or change that find code line so it doesn't search in that folder?

Make /var/backups a separate partition, then unmount it when you run chkrootkit? — CameronNemo, Sep 28 '14 at 20:23
feature request at https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/1397548 — rubo77, Nov 29 '14 at 15:46

k6bml743 · Accepted Answer · 2014-11-25T21:31:36.880

0

adjust find to your likings with the prune option. something like this:

find /var -type d -path /var/backups -prune -o -print

edit: simpler syntax,absolut path

edited Nov 25 '14 at 21:31

answered Nov 25 '14 at 21:15

k6bml743

24
2

But then I would have to re-patch this after each apt-get update of chkrootkit – rubo77 Nov 25 '14 at 21:16

chkrootkit checking sniffer's log takes ages

1 Answers1