
Bug#1033538: chkrootkit: Chkrootkit reports a false positive?


antonio

Mar 27, 2023, 3:00:05 AM
Package: chkrootkit
Version: 0.57-2
Severity: normal
X-Debbugs-Cc: antd...@gmail.com

Dear Maintainer,
It seems that chkrootkit returns a false positive... or not?

Thanks,
Antonio

---

$ /usr/lib/chkrootkit/ifpromisc
lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1056])
eth2: PACKET SNIFFER(/usr/sbin/NetworkManager[1056])

---

$ ip -d link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 allmulti 0 minmtu 0 maxmtu 0 addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 tso_max_size 524280 tso_max_segs 65535 gro_max_size 65536
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff promiscuity 0 allmulti 0 minmtu 68 maxmtu 9000 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 tso_max_size 65536 tso_max_segs 65535 gro_max_size 65536 parentbus pci parentdev 0000:00:19.0


-- System Information:
Debian Release: 12.0
APT prefers unstable
APT policy: (700, 'unstable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.2.8-2-liquorix-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to it_IT.UTF-8), LANGUAGE=it
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chkrootkit depends on:
ii libc6 2.36-8

Versions of packages chkrootkit recommends:
ii anacron 2.3-36
ii binutils 2.40-2
ii cron [cron-daemon] 3.0pl1-162
pn default-mta | mail-transport-agent <none>
ii iproute2 6.1.0-2
ii mailutils [mailx] 1:3.15-4
ii net-tools 2.10-0.1
ii procps 2:4.0.3-1
ii systemd-sysv 252.6-1

chkrootkit suggests no packages.

-- no debconf information

Richard Lewis

Mar 27, 2023, 1:50:04 PM
control: tags -1 + moreinfo

Overall this looks like the intended behaviour, based on the information provided, rather than something that needs fixing. Or is there another reason you considered this a bug?


On Mon, 27 Mar 2023, 07:51 antonio wrote:

> It seems that chkrootkit returns a false positive... or not?
> $ /usr/lib/chkrootkit/ifpromisc
> lo: not promisc and no packet sniffer sockets
> eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1056])
> eth2: PACKET SNIFFER(/usr/sbin/NetworkManager[1056])

If you run ifpromisc directly I'm not sure quite what output you expected, but the above looks correct, based on the information provided.

NetworkManager can be reasonably classed as a 'packet sniffer' as it has the ability to read network traffic.

If network manager was not started intentionally (standard for a server) you would want to know about it.

If it was started by you because you are running a standard gnome desktop then it is indeed a false positive

...but there is no way software can reliably tell which of these circumstances apply.

See the document about false positives in /usr/share/doc/chkrootkit for more information on how to filter out such messages from the daily report.
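The classification in the reply above (a process holding a raw AF_PACKET socket on the interface counts as a sniffer, independently of the PROMISC flag) is easiest to see by reproducing the check. The following is an added example written for this page, not chkrootkit's own ifpromisc.c. It uses the same inputs the Linux ifpromisc works from, namely /proc/net/packet, the socket:[inode] links under /proc/<pid>/fd and the interface flags, but the function names, the constructed sample tables, the wording of the PROMISC lines and the choice to report an unbound socket (ifindex 0) on every interface are this example's own assumptions.

```python
"""Emulation of the check behind ifpromisc's "PACKET SNIFFER" line.

Added example for this page, not code from chkrootkit. On Linux, ifpromisc
reads /proc/net/packet (one row per AF_PACKET socket, with the bound
interface index and the socket inode), finds the owning process by looking
for socket:[inode] among the /proc/<pid>/fd links, and separately tests each
interface's IFF_PROMISC flag. Function names, the sample data and the
treatment of ifindex 0 (unbound socket, reported on every interface) are
this example's own assumptions.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

IFF_PROMISC = 0x100  # <linux/if.h>

# Constructed sample of /proc/net/packet: two AF_PACKET sockets bound to
# ifindex 3 (eth0) and 4 (eth2); the inode is the last column.
SAMPLE_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c4a1b2c3d00 3      3    0003   3     1 0      0      31337
ffff9c4a1b2c3d80 3      3    0003   4     1 0      0      31338
"""
# Constructed /proc/<pid>/fd link targets and /proc/<pid>/exe targets.
SAMPLE_FDS = {1056: ["/dev/null", "socket:[31337]", "socket:[31338]"],
              742: ["/dev/null", "socket:[2048]"]}
SAMPLE_EXE = {1056: "/usr/sbin/NetworkManager", 742: "/usr/sbin/sshd"}
# Constructed /sys/class/net/<if>/ifindex and /sys/class/net/<if>/flags.
SAMPLE_IFINDEX = {"lo": 1, "eth0": 3, "eth2": 4}
SAMPLE_FLAGS = {"lo": 0x9, "eth0": 0x1003, "eth2": 0x1003}  # no IFF_PROMISC set


def parse_packet_table(text: str) -> List[Tuple[int, int]]:
    """(ifindex, inode) for every data row of /proc/net/packet."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) >= 9:
            rows.append((int(cols[4]), int(cols[8])))
    return rows


def socket_owners(inodes: Iterable[int], fds: Dict[int, List[str]],
                  exe: Dict[int, str]) -> Dict[int, List[str]]:
    """inode -> ["/path/to/exe[pid]", ...] for the sockets we care about."""
    wanted = set(inodes)
    owners: Dict[int, List[str]] = {}
    for pid, targets in fds.items():
        for t in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", t)
            if m and int(m.group(1)) in wanted:
                owners.setdefault(int(m.group(1)), []).append(f"{exe.get(pid, '?')}[{pid}]")
    return owners


def ifpromisc_report(ifindex, flags, packet_text, fds, exe) -> List[str]:
    """One line per interface, worded like the ifpromisc output in the report."""
    rows = parse_packet_table(packet_text)
    owners = socket_owners((ino for _, ino in rows), fds, exe)
    lines = []
    for name, idx in sorted(ifindex.items(), key=lambda kv: kv[1]):
        promisc = bool(flags[name] & IFF_PROMISC)
        # a socket bound to ifindex 0 receives from every interface (assumption)
        sniffers = [o for bound, ino in rows if bound in (idx, 0)
                    for o in owners.get(ino, [])]
        if promisc and sniffers:
            lines.append(f"{name}: PROMISC AND PACKET SNIFFER({', '.join(sniffers)})")
        elif promisc:
            lines.append(f"{name}: PROMISC")
        elif sniffers:
            lines.append(f"{name}: PACKET SNIFFER({', '.join(sniffers)})")
        else:
            lines.append(f"{name}: not promisc and no packet sniffer sockets")
    return lines


def live_inputs():
    """Read the real /sys and /proc (Linux; root needed to see other users' fds)."""
    ifindex, flags = {}, {}
    for n in os.listdir("/sys/class/net"):
        with open(f"/sys/class/net/{n}/ifindex") as f:
            ifindex[n] = int(f.read())
        with open(f"/sys/class/net/{n}/flags") as f:
            flags[n] = int(f.read(), 16)
    with open("/proc/net/packet") as f:
        packet_text = f.read()
    fds, exe = {}, {}
    for pid in (int(p) for p in os.listdir("/proc") if p.isdigit()):
        try:
            fds[pid] = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
            exe[pid] = os.readlink(f"/proc/{pid}/exe")
        except OSError:          # process exited, kernel thread, or not ours
            continue
    return ifindex, flags, packet_text, fds, exe


if __name__ == "__main__":
    print("\n".join(ifpromisc_report(SAMPLE_IFINDEX, SAMPLE_FLAGS, SAMPLE_PACKET, SAMPLE_FDS, SAMPLE_EXE)))
    if os.path.exists("/proc/net/packet"):
        print("\n".join(ifpromisc_report(*live_inputs())))
```

On the constructed sample this reproduces the three lines from the report: NetworkManager is named as the owner of the packet sockets on eth0 and eth2 while promiscuity stays 0, which is exactly the combination the thread is about. Against the live system, run it as root, otherwise /proc/<pid>/fd of other users' processes is unreadable and the owner of a socket cannot be resolved.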


Antonio

Mar 27, 2023, 2:00:05 PM

Because every morning I receive an email from "/etc/cron.daily/chkrootkit" that informs me of this.

Of course I can deactivate the check but I would not like to lose other useful information for the security of the system.

On 27/03/23 19:41, Richard Lewis wrote:

Richard Lewis

Mar 27, 2023, 4:30:05 PM
On Mon, 27 Mar 2023, 18:55 Antonio, <antd...@gmail.com> wrote:

> Because every morning I receive an email from "/etc/cron.daily/chkrootkit" that informs me of this.
>
> Of course I can deactivate the check but I would not like to lose other useful information for the security of the system.


And if you read /etc/chkrootkit/chkrootkit.conf you will find there are various ways to stop that happening (without deactivating anything). Look for the bit about diff mode.

Antonio

Mar 28, 2023, 2:10:04 AM

Thanks Richard,
I will do some tests with the diff mode.

For now, I changed /etc/chkrootkit/chkrootkit.conf:

        MAILTO="journal"

and added this to "/usr/sbin/chkrootkit-daily":

                # MAILTO=journal: write the report to the system journal instead of mailing it
                if [ "$MAILTO" = "journal" ]; then
                    logger --file "$FILE"
                else
                    mail -s "$SUBJECT" "$MAILTO" < "$FILE"
                fi

to send the output to the journal.


On 27/03/23 22:19, Richard Lewis wrote:

Red Omen

Apr 30, 2023, 6:40:05 AM
Package: chkrootkit
Version: 0.57-2+b1
Followup-For: Bug #1033538

Hi, I also seem to be getting a false positive but without any process details:

Checking `sniffer'... WARNING

WARNING: Output from ifpromisc:
lo: not promisc and no packet sniffer sockets
eth0: not promisc and no packet sniffer sockets


If this is working correctly and there is no issue should it still be sending an alert mail?

-- System Information:
Debian Release: 12.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.12a (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chkrootkit depends on:
ii libc6 2.36-9

Versions of packages chkrootkit recommends:
ii binutils 2.40-2
ii bsd-mailx [mailx] 8.1.2-0.20220412cvs-1
ii cron [cron-daemon] 3.0pl1-162
ii exim4-daemon-light [mail-transport-agent] 4.96-14
ii iproute2 6.1.0-2
ii net-tools 2.10-0.1
ii procps 2:4.0.2-3

Richard Lewis

Apr 30, 2023, 8:50:04 AM
control: clone -1 -2
control: retitle -2 spurious warnings if no sniffers (ifpromisc needs a proper exit status to fix this)
thanks

On Sun, 30 Apr 2023, 11:33 Red Omen, <red...@nwi.net> wrote:
> Package: chkrootkit
> Version: 0.57-2+b1
> Followup-For: Bug #1033538

Thanks - this should be in a separate bug report though!

> Checking `sniffer'...                                       WARNING
>
> WARNING: Output from ifpromisc:
> lo: not promisc and no packet sniffer sockets
> eth0: not promisc and no packet sniffer sockets
>
>
> If this is working correctly and there is no issue should it still be sending an alert mail?

Technically it should, because you are not using diff mode (and are not asking for 'quiet' output): ifpromisc then reports on every interface. The test (even before Debian's many patches) just gives the output of ifpromisc.

It is very unusual these days not to have any dhcp or some network manager running anywhere!

There are several ways you can work round this:
1. I would recommend you edit /etc/chkrootkit/chkrootkit.conf and set DIFF_MODE to true - then you will get one email with instructions on how to suppress repeat mails.

2. Alternatively, in the same file is RUN_DAILY_OPTS -- and in that you can set chkrootkit options including
a) -q (affects all tests, including this one) - it is passed through to ifpromisc which will then give you no output.
b) -s to filter the output of ifpromisc (doesn't affect any other tests) eg RUN_DAILY_OPTS="-s 'no packet sniffer'" should work (the arg for -s is passed to 'grep -Ev')

Both 2a and 2b can be used with or without diff_mode of course.

--------

Having said all that there is a minor bug here:
It is a minor inaccuracy to have a 'warning' in the output when the only output is no promisc interfaces at all - the best way to fix this would be if ifpromisc set an exit status of 1 if anything was found - patches for that welcome!

(chkrootkit could then use that status to suppress the 'WARNING' bit)
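To show how the options in points 1 and 2 above interact with the 'WARNING' verdict, and what the proposed exit-status fix would change, here is an added example written for this page; it is not the Debian chkrootkit-daily script or ifpromisc itself. It assumes, as the post states, that the -s argument is applied as grep -Ev, that -q makes ifpromisc omit the 'no packet sniffer sockets' lines, and that DIFF_MODE mails only when the report differs from the previous run. Function names, keyword arguments and the sample output lines are this example's own constructions.

```python
"""Model of the daily "sniffer" decision and the workarounds from the post.

Added example for this page, not the package's own script. Assumed from the
post: "-s PATTERN" drops ifpromisc lines the way `grep -Ev PATTERN` would,
"-q" makes ifpromisc omit interfaces with nothing to report, DIFF_MODE sends
mail only when the report differs from the previous run, and the current
test says WARNING whenever any output remains. The exit-status variant is the
fix proposed in the thread. Names and sample lines are constructed.
"""
import re
from typing import List, Optional, Tuple

# Constructed ifpromisc output in the shape shown in the two reports above.
OUTPUT_NOTHING = ["lo: not promisc and no packet sniffer sockets",
                  "eth0: not promisc and no packet sniffer sockets"]
OUTPUT_NM = ["lo: not promisc and no packet sniffer sockets",
             "eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1056])",
             "eth2: PACKET SNIFFER(/usr/sbin/NetworkManager[1056])"]

CLEAN_LINE = re.compile(r": not promisc and no packet sniffer sockets$")


def ifpromisc_output(raw: List[str], quiet: bool) -> List[str]:
    """-q: keep only interfaces that are PROMISC or have a sniffer socket."""
    return [l for l in raw if not CLEAN_LINE.search(l)] if quiet else list(raw)


def s_filter(lines: List[str], pattern: Optional[str]) -> List[str]:
    """-s PATTERN goes to grep -Ev: lines matching the ERE are dropped."""
    if not pattern:
        return list(lines)
    rx = re.compile(pattern)
    return [l for l in lines if not rx.search(l)]


def ifpromisc_exit_status(lines: List[str]) -> int:
    """Proposed fix: exit 1 only if some remaining line is an actual finding."""
    return 1 if any(not CLEAN_LINE.search(l) for l in lines) else 0


def sniffer_test(raw: List[str], quiet: bool = False, exclude: Optional[str] = None,
                 use_exit_status: bool = False) -> Tuple[str, List[str]]:
    """Return (verdict, lines shown in the report).

    Current behaviour: WARNING if anything survives -q and -s, even if it is
    only 'not promisc' lines. With use_exit_status the verdict follows the
    proposed exit status instead.
    """
    shown = s_filter(ifpromisc_output(raw, quiet), exclude)
    warn = ifpromisc_exit_status(shown) == 1 if use_exit_status else bool(shown)
    return ("WARNING" if warn else "not found"), shown


def should_mail(report: List[str], previous: Optional[List[str]], diff_mode: bool) -> bool:
    """DIFF_MODE=true: mail only when the report changed since the last run;
    otherwise mail every day the test produced output."""
    if not report:
        return False
    if diff_mode:
        return previous is None or report != previous
    return True


if __name__ == "__main__":
    for label, raw in (("no findings", OUTPUT_NOTHING), ("NetworkManager", OUTPUT_NM)):
        print(label, "default:", sniffer_test(raw)[0],
              "| -q:", sniffer_test(raw, quiet=True)[0],
              "| -s 'no packet sniffer':", sniffer_test(raw, exclude="no packet sniffer")[0],
              "| exit-status fix:", sniffer_test(raw, use_exit_status=True)[0])
```

The interesting case is the combination the second reporter hit: with neither -q nor -s, two 'not promisc' lines are still output, so the current logic says WARNING while the exit-status variant says 'not found'. Excluding NetworkManager with -s, as the first reporter might, leaves only the lo line and therefore still warns under the current logic; with DIFF_MODE on top the mail stops after the first run as long as the report is unchanged.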