Open Rebits opened 1 year ago
It was found that the `is_file()` function is not working as expected, returning true (1) when testing a non-existent file.
- `/etc/sysconfig/` dir
- `/etc/sysconfig/console`
- `rootkit_files.txt`
This is the case of `/etc/sysconfig/console/load.zk`; the debugger shows what the comments say:
```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
/* mterror() and ARGV0 come from the project's own headers (not shown here) */

int is_file(char *file_name)
{
    struct stat statbuf;
    int ret = 0;
    FILE *fp = NULL;
    DIR *dp = NULL;

    if (!file_name) { // file_name exists, continue
        mterror(ARGV0, "RK: Invalid file name: %s!", file_name);
        return ret;
    }

    dp = opendir(file_name);
    if (dp) {
        closedir(dp);
        ret = 1;
#ifndef WIN32
    } else if (errno == ENOTDIR) {
        ret = 1; // Code enters here, since file_name is not a dir. But why is errno not set to `ENOENT`?
#endif
    }

    /* Trying other calls */
    if ((stat(file_name, &statbuf) < 0) &&
#ifndef WIN32
        (access(file_name, F_OK) < 0) &&
#endif
        ((fp = fopen(file_name, "r")) == NULL)) {
        return ret; // Code returns here (ret is still 1), since `file_name` cannot be stat'ed, accessed or opened
    }

    if (fp) {
        ret = 1;
        fclose(fp);
    }

    return ret;
}
```
This may or may not be a false positive; it does not matter, because the function it relies on is not working as expected.
On openSUSE 15.5 the false positive still exists. I think the problem occurs if a parent folder of `file_name` exists as a file.

For example, when testing `/etc/sysconfig/console/load.zk` the function is assuming `/etc/sysconfig/console` is a directory or does not exist. At least in openSUSE there is a file `/etc/sysconfig/console`.

`errno` will be `ENOTDIR` then, as can be verified with `cat`:

```
ls -l /etc/sysconfig/console
-rw-r--r-- 1 root root 1544 Jul 21 2023 /etc/sysconfig/console
cat /etc/sysconfig/console2/load.zk
cat: /etc/sysconfig/console2/load.zk: No such file or directory
```

You could try to open the containing folder as well and only return 1 if that folder exists too.
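To make the failure mode above concrete, here is an added example (not Wazuh's code) that reproduces the `ENOTDIR` false positive in a temporary directory and puts a hardened variant beside it: the hardened `is_file_fixed()` treats only a successful `lstat()` as "exists", so a regular file sitting where a parent directory should be no longer counts as a hit. The temp-dir layout, the `is_file_buggy()`/`is_file_fixed()`/`reproduce()` names and the `console` stand-in file are all constructed for this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Faulty ENOTDIR branch, reduced from the is_file() quoted above:
 * "not a directory" is taken to mean "a file exists". */
int is_file_buggy(const char *path)
{
    struct stat sb;
    DIR *dp = opendir(path);
    if (dp) { closedir(dp); return 1; }
    if (errno == ENOTDIR) return 1;      /* false positive when a parent is a file */
    return stat(path, &sb) == 0;
}

/* Hardened variant (constructed, not Wazuh's code): only a successful
 * lstat() counts as "exists". ENOTDIR from any call means a path
 * component is a regular file, so the probed path cannot exist. */
int is_file_fixed(const char *path)
{
    struct stat sb;
    if (!path) return 0;
    return lstat(path, &sb) == 0;        /* lstat also reports dangling symlinks */
}

/* Rebuilds the openSUSE layout in a temp dir: a regular file "console",
 * then probes "console/load.zk" beneath it.
 * Returns buggy*10 + fixed, so 10 = buggy fires, fixed does not. */
int reproduce(void)
{
    char dir[] = "/tmp/isfileXXXXXX";
    char parent[256], probe[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(parent, sizeof parent, "%s/console", dir);
    snprintf(probe, sizeof probe, "%s/console/load.zk", dir);
    FILE *fp = fopen(parent, "w");       /* constructed stand-in for /etc/sysconfig/console */
    if (!fp) return -1;
    fclose(fp);
    int result = is_file_buggy(probe) * 10 + is_file_fixed(probe);
    unlink(parent);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("buggy*10 + fixed = %d\n", reproduce());   /* prints 10 */
    return 0;
}
```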
Description

Rootcheck produces false positives.

Regarding the SUSE Linux Enterprise 15 SCA Policy duplicated check ids 7521 and 7522, possible false positives were detected on an Open Suse Enterprise EC2 host. @wazuh/threat-intel.

In this case, some alerts were triggered in a new environment:

Those rules are related to the ZK rootcheck rules (`ruleset/rootcheck/db/rootkit_trojans.txt`). It is required to refactor the rootcheck database to avoid false positives.