
[Howto] Responding to false positives


What is a false positive?
A false positive is a warning that indicates a problem where there is none. Example: a Linux distribution ships updated versions of a few commonly used binaries such as `ls` and `ps`. You (as a good sysadmin) install the new packages and, of course, run your daily Rootkit Hunter scan. Rootkit Hunter is not yet aware of these new files, so while scanning it reports them as "bad" files. That is a false positive: the binaries are legitimate, but their hashes no longer match the ones in the database.




False positives: MD5

Check the logfile for details about which files produced wrong MD5 hashes. If you recently updated system packages, find out which binaries the update replaced, and confirm that each reported binary is the one its package shipped (your package manager's own integrity check, for example `rpm -V` or Debian's `debsums`, verifies a file against the checksum recorded for the installed package). A mismatch that no package update explains deserves a closer look. If you are in doubt about an update, fill in the contact form.
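The check described above, written out as an added example (this is not Rootkit Hunter's own code): take an MD5 baseline of a few binaries, detect which ones changed, and then separate changes that a package update explains (the new hash matches the checksum the package manager recorded for the installed package, such as the /var/lib/dpkg/info/*.md5sums files on Debian or the RPM database that `rpm -V` consults) from changes that nothing explains. The binaries, the baseline and the package checksum list are all constructed inline in a temporary directory so the script runs offline; `vendor_hashes` is a stand-in for whatever your package manager provides.

```python
import hashlib
import os
import tempfile


def md5_file(path, chunk_size=65536):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, names):
    """Record the current MD5 of each named binary under root."""
    return {name: md5_file(os.path.join(root, name)) for name in names}


def compare_to_baseline(baseline, root):
    """Return (changed, missing): names whose MD5 differs from the baseline,
    and names that no longer exist. This is the 'bad file' list a scanner
    would report, sorted by name."""
    changed, missing = [], []
    for name, expected in sorted(baseline.items()):
        path = os.path.join(root, name)
        if not os.path.exists(path):
            missing.append(name)
        elif md5_file(path) != expected:
            changed.append(name)
    return changed, missing


def triage(changed, root, vendor_hashes):
    """Split changed binaries into those whose new MD5 matches the hash the
    package manager recorded for the installed package (explained by an
    update) and those with no such record (suspect: investigate further)."""
    explained, suspect = [], []
    for name in changed:
        if vendor_hashes.get(name) == md5_file(os.path.join(root, name)):
            explained.append(name)
        else:
            suspect.append(name)
    return explained, suspect


def write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a package update replaces ls, and something
    else alters ps without any package record of the new hash."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "ps", "netstat"):
            write(root, name, b"original build of " + name.encode())
        baseline = build_baseline(root, ["ls", "ps", "netstat"])

        # Legitimate package update: new ls, and the package's checksum
        # list (constructed here) records the new binary's MD5.
        new_ls = b"updated build of ls"
        write(root, "ls", new_ls)
        vendor_hashes = {"ls": hashlib.md5(new_ls).hexdigest()}

        # Unexplained change: ps is modified; no package knows this hash.
        write(root, "ps", b"trojaned ps")

        changed, missing = compare_to_baseline(baseline, root)
        explained, suspect = triage(changed, root, vendor_hashes)
        return {"changed": changed, "missing": missing,
                "explained": explained, "suspect": suspect}


if __name__ == "__main__":
    result = demo()
    print("changed since baseline :", result["changed"])
    print("explained by an update :", result["explained"])
    print("suspect, investigate   :", result["suspect"])
```

On a real system the baseline would be taken right after installation or after a verified update, and `vendor_hashes` filled from the package manager; only the "suspect" list needs a human, the "explained" list is the false positive the article describes.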




False positives: Hidden directories/files

Most system directories contain no hidden directories or files, but there are a few special exceptions.

Some known false positives:
- /dev/lcd
- /dev/watchdog
- /etc/.aumixrc
- /etc/.java
- /usr/.Trash-root
- /etc/.whostmgrft

If you are 100 percent sure that a hidden directory or file is valid for your system, add it to the whitelist. See the configuration file for the whitelist options and their syntax.
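A scanner for the hidden-entry check, added here as an example rather than Rootkit Hunter's own code. It walks a few system directories, reports dot-named entries, and marks which of them an exact-path whitelist explains. Two entries in the list above, /dev/lcd and /dev/watchdog, are not dot-names; a device directory normally holds only device nodes, so the scanner also reports regular files under dev/ (an added generalization, assumed here to be why such entries end up on a false-positive list). The whitelist parser accepts `ALLOWHIDDENDIR=` and `ALLOWHIDDENFILE=` lines, the form used in later rkhunter.conf releases; check the option names in your own version's configuration file. The directory tree is constructed inline in a temporary directory so the script runs offline.

```python
import os
import stat
import tempfile

# Whitelist built from the known false positives listed in the article.
ARTICLE_WHITELIST = frozenset({
    "/dev/lcd", "/dev/watchdog", "/etc/.aumixrc",
    "/etc/.java", "/usr/.Trash-root", "/etc/.whostmgrft",
})


def parse_whitelist(config_text):
    """Collect paths from ALLOWHIDDENDIR= / ALLOWHIDDENFILE= lines of a
    config file; comments and unrelated options are ignored."""
    allowed = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in ("ALLOWHIDDENDIR", "ALLOWHIDDENFILE") and value.strip():
            allowed.add(value.strip())
    return allowed


def is_device_node(path):
    mode = os.lstat(path).st_mode
    return stat.S_ISCHR(mode) or stat.S_ISBLK(mode)


def scan_hidden(root, dirs=("etc", "usr", "dev"), whitelist=frozenset()):
    """Return a sorted list of (path, whitelisted) for every suspicious
    entry: dot-named files or directories anywhere under dirs, plus, under
    dev/, any non-directory that is neither a symlink nor a device node."""
    findings = []
    for top in dirs:
        base = os.path.join(root, top)
        if not os.path.isdir(base):
            continue
        for dirpath, dirnames, filenames in os.walk(base):
            for name in dirnames + filenames:
                full = os.path.join(dirpath, name)
                rel = "/" + os.path.relpath(full, root)
                suspicious = name.startswith(".")
                if (top == "dev" and name in filenames
                        and not os.path.islink(full) and not is_device_node(full)):
                    suspicious = True
                if suspicious:
                    findings.append((rel, rel in whitelist))
    return sorted(findings)


def demo():
    """Constructed tree: two whitelisted hidden entries in etc/, one
    unexplained one, a regular file in dev/ that the whitelist covers and
    one it does not, plus an ordinary binary that must not be reported."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", ".java"))
        os.makedirs(os.path.join(root, "usr", "bin"))
        os.makedirs(os.path.join(root, "dev"))
        for rel in ("etc/.aumixrc", "etc/.hidden_backdoor",
                    "dev/watchdog", "dev/.x", "usr/bin/ls"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed\n")
        findings = scan_hidden(root, whitelist=ARTICLE_WHITELIST)
        return {
            "whitelisted": [p for p, ok in findings if ok],
            "unexplained": [p for p, ok in findings if not ok],
        }


if __name__ == "__main__":
    result = demo()
    print("explained by whitelist :", result["whitelisted"])
    print("investigate            :", result["unexplained"])
```

Run it against a real system with `root="/"`; anything in the "investigate" list should be traced to the package or process that created it before it is added to the whitelist, since an exact-path whitelist hides the entry from every future scan.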




Contact form

In most cases a false positive can be eliminated easily by filling in the contact form, so that the database can be updated for everyone.



Last updated by Michael at 19 March 2005










Copyright 2003-2017 Rootkit.nl and Michael Boelen, supported by CISOfy
All rights reserved