grub-btrfs automount issue with chkrootkit (Kali default)
┌──(utu㉿siem)-[~]
└─$ sensors
coretemp-isa-0000
Adapter: ISA adapter
Package id 0: +96.0°C (high = +86.0°C, crit = +100.0°C)
Core 0: +91.0°C (high = +86.0°C, crit = +100.0°C)
Core 1: +96.0°C (high = +86.0°C, crit = +100.0°C)
acpitz-acpi-0
Adapter: ACPI interface
temp1: +95.0°C
thinkpad-isa-0000
Adapter: ISA adapter
fan1: 4394 RPM
pwm1: 128%
BAT0-acpi-0
Adapter: ACPI interface
in0: 12.35 V
power1: 0.00 W
┌──(utu㉿siem)-[~]
└─$ ps H -eo pid,user,cmd --sort=-%cpu | head -n 25
PID USER CMD
23578 root /usr/bin/dpkg-query --search -- /tmp/grub-btrfs.UWTpTukADN/@.snapshots/6/snapshot/usr/share/exploitdb/exploits/hardware/webapps/35751.pl
1 root /usr/lib/systemd/systemd --system --deserialize=66 splash
9996 root /usr/bin/find /tmp/ -executable -type f -print0
643 root /usr/lib/systemd/systemd-logind
263 root [kworker/u16:5-btrfs-endio]
42 root [kworker/u16:3-btrfs-endio-write]
66 root [kswapd0]
336 root [btrfs-transaction]
12 root [kworker/u16:0-btrfs-endio-write]
41 root [kworker/u16:2-btrfs-flush_delalloc]
265 root [kworker/u16:7-btrfs-endio]
2866 utu -zsh
640 message+ /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
52 root [kcompactd0]
6257 root [kworker/u16:12-btrfs-flush_delalloc]
196 root [kworker/3:1H-kblockd]
266 root [kworker/u16:8-btrfs-endio-write]
15 root [rcu_preempt]
9997 root /usr/bin/xargs -0 -I@ ./check_if_debian @ /usr/bin/dpkg-query
4611 root [kworker/u16:10-btrfs-endio-write]
36 root [ksoftirqd/3]
2775 utu sshd-session: utu@pts/0
2865 utu sshd-session: utu@pts/2
14 root [ksoftirqd/0]
┌──(utu㉿siem)-[~]
└─$ sudo pkill -f chkrootkit
┌──(utu㉿siem)-[~]
└─$ sudo umount /tmp/grub-btrfs.UWTpTukADN
I have installed snapper, grub-btrfs and btrfs-progs. The platform is an old laptop and I've noticed very high temperatures and a laggy UI. When debugging the issues, I noticed that there's always a mountpoint under /tmp named grub-btrfs.
AI (ChatGPT) suggested adding the line "GRUB_BTRFS_AUTO_MOUNT=false" to /etc/default/grub-btrfs/config, which does nothing.
Is it possible to disable automounting entirely? I've tested snapper rollback, which creates an RW copy of an RO snapshot and allows booting into that snapshot. I'm pretty sure that I'm nowadays running the live filesystem without specific branching, and snapper timeline snapshots are working well. Also this grub-btrfs.
Meanwhile, after the last copy-paste, I noticed that there's a new grub-btrfs mountpoint:
┌──(utu㉿siem)-[~]
└─$ mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=5957376k,nr_inodes=1489344,mode=755,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=600,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=1212868k,mode=755,inode64)
/dev/sda4 on / type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=333,subvol=/@)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
none on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=41,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=8272)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,pagesize=2M)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
/dev/sda4 on /.snapshots type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=257,subvol=/@.snapshots)
/dev/sda4 on /root type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=259,subvol=/@root)
/dev/sda4 on /home type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=258,subvol=/@home)
/dev/sda4 on /srv type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=260,subvol=/@srv)
/dev/sda4 on /var/log type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=263,subvol=/@var@log)
/dev/sda4 on /usr/local type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=262,subvol=/@usr@local)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,inode64)
/dev/sda3 on /boot type ext4 (rw,relatime)
/dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
sunrpc on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/credentials/[email protected] type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=1212864k,nr_inodes=303216,mode=700,uid=1000,gid=1000,inode64)
none on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
none on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
/dev/sda4 on /tmp/grub-btrfs.aUsx8nshS5 type btrfs (ro,relatime,ssd,discard=async,space_cache=v2,subvolid=5,subvol=/)
Actually, it looks like after "apt full-upgrade" and a reboot, the unmount happens as intended and the problem no longer exists.
Aaaand yet again.....
┌──(utu㉿siem)-[~]
└─$ journalctl -xeu grub-btrfs.service
Dec 03 00:00:31 siem bash[111005]: Found snapshot: 2025-10-31 09:52:04 | @.snapshots/605/snapshot >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-31 09:51:41 | @.snapshots/604/snapshot >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-31 09:26:12 | @.snapshots/603/snapshot >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-31 00:00:03 | @.snapshots/593/snapshot >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-30 00:00:03 | @.snapshots/569/snapshot >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-29 00:00:04 | @.snapshots/545/snapshot >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-23 12:00:57 | @.snapshots/413/snapshot >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-23 12:00:47 | @.snapshots/412/snapshot >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-23 08:23:56 | @.snapshots/407/snapshot >
Dec 03 00:00:32 siem bash[111005]: Found 50 snapshot(s)
Dec 03 00:00:32 siem bash[112581]: submenu 'Kali GNU/Linux snapshots' {
Dec 03 00:00:32 siem bash[112581]: configfile "${prefix}/grub-btrfs.cfg"
Dec 03 00:00:32 siem bash[112581]: }
Dec 03 00:00:50 siem bash[111005]: Unmount /tmp/grub-btrfs.XH5N5bmuoH ...........
Dec 03 00:00:50 siem bash[111005]: Warning: Unable to unmount /dev/sda4 in /tmp/grub-btrfs.XH5N5bmuoH
Dec 03 00:00:50 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit grub-btrfs.service has successfully entered the 'dead' state.
Dec 03 00:00:50 siem systemd[1]: Finished grub-btrfs.service - Regenerate grub-btrfs.cfg.
░░ Subject: A start job for unit grub-btrfs.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit grub-btrfs.service has finished successfully.
░░
░░ The job identifier is 9536.
Dec 03 00:00:50 siem systemd[1]: grub-btrfs.service: Consumed 2.071s CPU time over 20.006s wall clock time, 6.2M me>
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit grub-btrfs.service completed and consumed the indicated resources.
I have no idea how I should configure things correctly using Kali. There's seemingly a combination of systemd-scheduled snapper, cron-scheduled chkrootkit and grub-btrfs running update-grub at the same time as chkrootkit is starting to scan the filesystem. I kinda want to keep chkrootkit running if I'm planning to run siem on the old laptop. It's most likely that I'm going to uninstall grub-btrfs if I cannot generate an exclude rule for chkrootkit for its RO /tmp mount during update-grub.
┌──(utu㉿siem)-[~]
└─$ ps H -eo pid,user,cmd --sort=-%cpu | head -n 25
PID USER CMD
174363 root /bin/dpkg-query --search -- /tmp/grub-btrfs.XH5N5bmuoH/@.snapshots/6/snapshot/usr/share/exploitdb/exploits/linux/webapps/17941.rb
174318 root /usr/bin/dpkg-query --search -- /tmp/grub-btrfs.XH5N5bmuoH/@.snapshots/6/snapshot/usr/share/exploitdb/exploits/linux/dos/24951.pl
126078 root /bin/sh /usr/sbin/lynis audit system --cronjob
13473 xrdp /usr/sbin/xrdp
13685 utu x-terminal-emulator
13803 utu top
13479 utu /usr/lib/xorg/Xorg :10 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log
115337 root /bin/find /tmp/ -executable -type f -print0
13553 utu i3bar --bar_id=bar-0 --socket=/run/user/1000/i3/ipc-socket.13478
107249 root [kworker/u16:1-btrfs-endio-write]
118094 root /usr/bin/find /tmp/ -executable -type f -print0
107251 root [kworker/u16:5-btrfs-endio-write]
15322 utu x-terminal-emulator
13561 utu i3blocks
115338 root /bin/xargs -0 -I@ ./check_if_debian @ /bin/dpkg-query
118095 root /usr/bin/xargs -0 -I@ ./check_if_debian @ /usr/bin/dpkg-query
97880 root [kworker/u16:6-events_unbound]
92946 root [kworker/3:2-events]
1 root /usr/lib/systemd/systemd --system --deserialize=63 splash
15325 utu /usr/bin/zsh
15 root [rcu_preempt]
13622 utu x-terminal-emulator
336 root [btrfs-transaction]
109969 root /bin/sh /sbin/chkrootkit -q
sensors:
coretemp-isa-0000
Adapter: ISA adapter
Package id 0: +97.0°C (high = +86.0°C, crit = +100.0°C)
Core 0: +97.0°C (high = +86.0°C, crit = +100.0°C)
Core 1: +95.0°C (high = +86.0°C, crit = +100.0°C)
acpitz-acpi-0
Adapter: ACPI interface
temp1: +96.0°C
thinkpad-isa-0000
Adapter: ISA adapter
fan1: 4389 RPM
pwm1: 128%
BAT0-acpi-0
Adapter: ACPI interface
in0: 12.35 V
power1: 0.00 W
It looks to me like chkrootkit is occasionally scanning the filesystem at the same moment that grub-btrfs is generating grub.cfg. Is it possible to somehow mount snapshots into /tmp with the mount option noexec?
I think that way chkrootkit could skip the mountpoint entirely.
┌──(utu㉿siem)-[~]
└─$ journalctl -u grub-btrfs.service --since "3 days ago" | grep -A1 Unmount
Dec 02 15:35:04 siem bash[1049]: Unmount /tmp/grub-btrfs.UWTpTukADN ...........
Dec 02 15:35:04 siem bash[1049]: Warning: Unable to unmount /dev/sda4 in /tmp/grub-btrfs.UWTpTukADN
--
Dec 02 15:37:33 siem bash[2981]: Unmount /tmp/grub-btrfs.lIvHQODeOM .. Success
Dec 02 15:37:33 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 15:47:15 siem bash[21280]: Unmount /tmp/grub-btrfs.qXxFNQLwcX .. Success
Dec 02 15:47:15 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 16:00:21 siem bash[24380]: Unmount /tmp/grub-btrfs.aUsx8nshS5 ...........
Dec 02 16:00:21 siem bash[24380]: Warning: Unable to unmount /dev/sda4 in /tmp/grub-btrfs.aUsx8nshS5
--
Dec 02 16:19:50 siem bash[820]: Unmount /tmp/grub-btrfs.baoGEuWmno .. Success
Dec 02 16:19:50 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 16:29:50 siem bash[4991]: Unmount /tmp/grub-btrfs.QkGkCHCODp .. Success
Dec 02 16:29:50 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 17:00:10 siem bash[6496]: Unmount /tmp/grub-btrfs.CYG8R8tIO1 .. Success
Dec 02 17:00:10 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 18:00:10 siem bash[10190]: Unmount /tmp/grub-btrfs.BetBki3ANa .. Success
Dec 02 18:00:10 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 19:00:10 siem bash[11713]: Unmount /tmp/grub-btrfs.yKhOssW4Pu .. Success
Dec 02 19:00:10 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 20:00:32 siem bash[28353]: Unmount /tmp/grub-btrfs.dp3g4MTLwF .. Success
Dec 02 20:00:32 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 21:00:10 siem bash[48367]: Unmount /tmp/grub-btrfs.joQ4J1pLSE .. Success
Dec 02 21:00:10 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 22:00:32 siem bash[68653]: Unmount /tmp/grub-btrfs.hqtkpp7kqT .. Success
Dec 02 22:00:32 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 23:00:20 siem bash[88720]: Unmount /tmp/grub-btrfs.u949EPEvut .. Success
Dec 02 23:00:20 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 03 00:00:50 siem bash[111005]: Unmount /tmp/grub-btrfs.XH5N5bmuoH ...........
Dec 03 00:00:50 siem bash[111005]: Warning: Unable to unmount /dev/sda4 in /tmp/grub-btrfs.XH5N5bmuoH
--
Dec 03 11:31:24 siem bash[895]: Unmount /tmp/grub-btrfs.DRxYiRxmpB .. Success
Dec 03 11:31:24 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 03 11:41:19 siem bash[2501]: Unmount /tmp/grub-btrfs.WZFHen3lTl .. Success
Dec 03 11:41:19 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 03 12:00:07 siem bash[4117]: Unmount /tmp/grub-btrfs.pdf0xkF8wh .. Success
Dec 03 12:00:07 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 03 13:00:03 siem bash[7915]: Unmount /tmp/grub-btrfs.hbGQCTHmkp .. Success
Dec 03 13:00:03 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
I patched the 41_snapshots-btrfs script to mount snapshots with the noexec flag and created a pull request. Then I noticed that the same chkrootkit is also checking php files, which led me to their upstream to try to continue debugging with their developers. The issue could be rooted in the defectdojo software, which comes with Kali Linux by default.
I think that my patch is still valid.
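As an added check for the two points raised in this thread (a grub-btrfs snapshot mount sitting under /tmp without noexec, where chkrootkit's `find /tmp/ -executable` sweep from the ps listings will descend into it, and the recurring "Unable to unmount" warnings in the journal), here is a small POSIX shell script. It is an added example, not code from this thread or from the grub-btrfs or chkrootkit projects. It parses mount(8)-style output for grub-btrfs mountpoints under /tmp and reports whether each is mounted noexec, and counts failed-unmount warnings in grub-btrfs journal lines. The sample mount and journal lines are constructed from the ones pasted above; the mountpoint grub-btrfs.EXAMPLE01 is made up to show the noexec case.

```shell
#!/bin/sh
# Added example (not from the issue thread or from grub-btrfs): find grub-btrfs
# snapshot mounts under /tmp that lack noexec, and count failed unmounts in the
# grub-btrfs.service journal. Pipe real `mount` / `journalctl` output into the
# functions on a live host; the samples below are constructed for offline use.

# Constructed sample of `mount` output, modelled on the listing in the thread.
# The EXAMPLE01 mountpoint is made up to show a noexec mount.
SAMPLE_MOUNT='tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,inode64)
/dev/sda4 on /tmp/grub-btrfs.aUsx8nshS5 type btrfs (ro,relatime,ssd,discard=async,space_cache=v2,subvolid=5,subvol=/)
/dev/sda4 on /tmp/grub-btrfs.EXAMPLE01 type btrfs (ro,noexec,relatime,ssd,subvolid=5,subvol=/)'

# Constructed sample of grub-btrfs.service journal lines, same shape as above.
SAMPLE_JOURNAL='Dec 02 15:35:04 siem bash[1049]: Unmount /tmp/grub-btrfs.UWTpTukADN ...........
Dec 02 15:35:04 siem bash[1049]: Warning: Unable to unmount /dev/sda4 in /tmp/grub-btrfs.UWTpTukADN
Dec 02 15:37:33 siem bash[2981]: Unmount /tmp/grub-btrfs.lIvHQODeOM .. Success
Dec 03 00:00:50 siem bash[111005]: Warning: Unable to unmount /dev/sda4 in /tmp/grub-btrfs.XH5N5bmuoH'

# list_grub_btrfs_mounts: read mount(8) lines on stdin, print
# "<mountpoint> exec|noexec" for every btrfs mount at /tmp/grub-btrfs.*
# Field layout of a mount line: <src> on <mountpoint> type <fstype> (<opts>)
list_grub_btrfs_mounts() {
    awk '$3 ~ /^\/tmp\/grub-btrfs\./ && $5 == "btrfs" {
        opts = $6
        gsub(/[()]/, "", opts)            # strip the surrounding parentheses
        n = split(opts, a, ",")
        flag = "exec"
        for (i = 1; i <= n; i++) if (a[i] == "noexec") flag = "noexec"
        print $3, flag
    }'
}

# count_exec_mounts: number of grub-btrfs snapshot mounts (stdin = mount output)
# that are NOT noexec, i.e. mounts a "-executable" file sweep will descend into.
count_exec_mounts() {
    list_grub_btrfs_mounts | awk '$2 == "exec"' | wc -l | tr -d ' '
}

# count_failed_unmounts: number of "Unable to unmount" warnings in grub-btrfs
# journal lines read from stdin. grep -c exits 1 on zero matches, hence || true.
count_failed_unmounts() {
    grep -c 'Unable to unmount' || true
}

# Demo on the constructed samples. On a real host use, for example:
#   mount | list_grub_btrfs_mounts
#   journalctl -u grub-btrfs.service | count_failed_unmounts
printf '%s\n' "$SAMPLE_MOUNT" | list_grub_btrfs_mounts
printf 'grub-btrfs mounts without noexec: %s\n' \
    "$(printf '%s\n' "$SAMPLE_MOUNT" | count_exec_mounts)"
printf 'failed unmounts in journal: %s\n' \
    "$(printf '%s\n' "$SAMPLE_JOURNAL" | count_failed_unmounts)"
```

A non-zero result from count_exec_mounts means a full read-only copy of the root subvolume is reachable under /tmp without noexec, which is exactly the tree the `find /tmp/ -executable -type f` and per-file `dpkg-query --search` processes in the ps listings were walking. A non-zero count_failed_unmounts over the service's journal shows how often the mount outlived the grub-btrfs run, which is when those two jobs overlap.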