Bug#1059769: chkrootkit-daily : filtering out empty lines to prevent unnecessary empty alert emails.


Franck Richter

Dec 31, 2023, 12:40:05 PM
Package: chkrootkit
Version: 0.57-2+b1
Severity: wishlist
Tags: patch

Dear Maintainer,

Currently chkrootkit-daily sends me emails even if I ignore all false positives using chkrootkit.ignore, because chkrootkit outputs empty lines that cannot be excluded via chkrootkit.ignore.

It can be solved by adding the following to the filter in /etc/chkrootkit/chkrootkit.conf:
-e '/^$/d'

i.e. replacing:
FILTER="sed -re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"
by
FILTER="sed -e '/^$/d' -re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"

Would it make sense to put that in the default chkrootkit.conf?

Examples on bookworm:
1-chkrootkit-daily.log-no_ignore-no_empty_line_filtering.txt
2-using_this_chkrootkit.ignore.txt
3-chkrootkit-daily.log-with_ignore-no_empty_line_filtering.txt
As one can see, 3- contains only 2 empty lines made of line feeds.
Using the above filter, chkrootkit-daily.log becomes empty and no alert email is sent.

Kind regards,
Franck Richter


-- System Information:
Debian Release: 12.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-16-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii libc6 2.36-9+deb12u3

Versions of packages chkrootkit recommends:
ii anacron 2.3-36
ii binutils 2.40-2
ii bsd-mailx [mailx] 8.1.2-0.20220412cvs-1
ii cron [cron-daemon] 3.0pl1-162
ii exim4-daemon-light [mail-transport-agent] 4.96-15+deb12u3
ii iproute2 6.1.0-3
ii mailutils [mailx] 1:3.15-4
ii net-tools 2.10-0.1
ii procps 2:4.0.2-3
ii systemd-sysv 252.19-1~deb12u1

chkrootkit suggests no packages.

-- Configuration Files:
/etc/chkrootkit/chkrootkit.conf changed [not included]
/etc/chkrootkit/chkrootkit.ignore changed [not included]

-- no debconf information

Richard Lewis

Dec 31, 2023, 1:10:05 PM
On Sun, 31 Dec 2023 at 17:30, Franck Richter <fran...@online.de> wrote:


> Currently chkrootkit-daily sends me emails even if I ignore all false positives using chkrootkit.ignore, because chkrootkit outputs empty lines that cannot be excluded via chkrootkit.ignore.

I haven't checked this, but I think you can exclude blank lines using
chkrootkit.ignore - just add "^$" in there?

> It can be solved by adding the following to the filter in /etc/chkrootkit/chkrootkit.conf:
> -e '/^$/d'
>
> i.e. replacing:
> FILTER="sed -re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"
> by
> FILTER="sed -e '/^$/d' -re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"
>
> Would it make sense to put that in the default chkrootkit.conf?

Hmm, I'm not sure it would! The blank line there is to separate output
from different tests; getting rid of it makes the output harder to
read, which doesn't seem like a good default. (There's of course
nothing wrong with you adding that to your systems, if you prefer it
--- but I'm not sure it's the best as a default for everyone.)

I'd instead look at using:
- DIFF_MODE - then (whatever your other settings) you'd only see the report once, until something changes
- RUN_DAILY_OPTS
  a) including a -q, which should suppress the blank line entirely.
  b) you might be able to use the -e or -s options - these are used by chkrootkit itself, and if all files are ignored that way, then no 'WARNING+list+blank line' would be produced at all, whereas chkrootkit.ignore and the other filtering are only done at the end
- tbh I'd also investigate why these files are being shipped by Debian at all, especially .gitignore looks like a mistake!
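A shell model of the daily pipeline both posts discuss, added here as an example and not code from the bug report or from the Debian chkrootkit package. It assumes the cron job runs chkrootkit output through FILTER, then drops lines matching chkrootkit.ignore, and mails whenever any bytes are left in the log, which is the rule the reporter's empty-log observation implies; the sample output and ignore lists are constructed.

```shell
#!/bin/sh
# Added example: models FILTER -> chkrootkit.ignore -> "mail if anything is left".
# The "anything is left" rule is an assumption about the cron job, taken from the
# report's observation that an empty chkrootkit-daily.log sends no mail.

WORK=$(mktemp -d)

# Constructed chkrootkit output: a WARNING block, the blank separator line
# between two tests, then a sniffer line (the shape the attached logs describe).
printf '%s\n' \
  'WARNING: The following suspicious files and directories were found:' \
  '/usr/lib/debug/.build-id' \
  '' \
  'eth0: PACKET SNIFFER(/sbin/dhclient[1234])' > "$WORK/raw.log"

# Constructed ignore lists, one regex per line as chkrootkit.ignore expects.
# ignore.plain covers every real line; ignore.blank adds the "^$" from the reply.
printf '%s\n' \
  '^WARNING: The following suspicious files' \
  '^/usr/lib/debug/\.build-id$' \
  '^eth0: PACKET SNIFFER' > "$WORK/ignore.plain"
{ cat "$WORK/ignore.plain"; echo '^$'; } > "$WORK/ignore.blank"

# Two FILTER variants: the package default never touches blank lines (stand-in
# here is cat); the reporter's variant prepends -e '/^$/d' to drop them.
filter_default() { cat; }
filter_noblank() { sed -e '/^$/d'; }

# leftover_bytes FILTER_FN IGNORE_FILE: bytes left in the log after both passes.
# wc is last in the pipeline so a grep that matches nothing does not fail the call.
leftover_bytes() {
    "$1" < "$WORK/raw.log" | grep -v -f "$2" | wc -c | tr -d ' '
}

# alert_needed FILTER_FN IGNORE_FILE: prints yes when a mail would go out.
alert_needed() {
    [ "$(leftover_bytes "$1" "$2")" -gt 0 ] && echo yes || echo no
}

alert_needed filter_default "$WORK/ignore.plain"  # yes: one bare newline survives
alert_needed filter_noblank "$WORK/ignore.plain"  # no: FILTER removed the blank line
alert_needed filter_default "$WORK/ignore.blank"  # no: "^$" in the ignore file works too
```

The first case is the reporter's symptom: every real line is ignored, yet the separator line alone keeps the log non-empty and triggers the mail.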

Franck Richter

Dec 31, 2023, 4:10:04 PM
> I haven't checked this, but I think you can exclude blank lines using
> chkrootkit.ignore - just add "^$" in there?
Ah yes, you are right, that's easier.
I'll use this instead of also changing chkrootkit.conf.
Thanks for your comments & Happy New Year,
Franck