Package: chkrootkit
Version: 0.54-1+b2
Tags: patch
Followup-For: Bug #630880
X-Debbugs-Cc: richard.lewis.deb...@googlemail.com

Dear Maintainer,

Please consider the attached patch, which fixes this bug.

The patch
- improves the filtering for /etc/cron.daily/chkrootkit
   by expanding the list of 'allowed' packet sniffers to include
         wpa_supplicant, dhcpcd, etc
- quotes more variables
- makes tabs consistent
- includes stderr in the output (just in case)

Thanks for considering

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii  binutils               2.35.2-2
ii  debconf [debconf-2.0]  1.5.77
ii  libc6                  2.31-13
ii  net-tools              1.60+git20181103.0eebece-1
ii  openssh-client         1:8.4p1-5
ii  procps                 2:3.3.17-5

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- Configuration Files:
/etc/cron.daily/chkrootkit changed [not included]

-- debconf information:
* chkrootkit/run_daily_opts: -q
* chkrootkit/diff_mode: true
* chkrootkit/run_daily: true
--- etc.cron.daily.chkrootkit.orig      2021-09-12 22:04:13.087114719 +0100
+++ etc.cron.daily.chkrootkit.new       2021-09-12 22:12:57.534539024 +0100
@@ -7,45 +7,74 @@
 LOG_DIR=/var/log/chkrootkit
 IGNORE_FILE=/dev/null
 
-if [ ! -x $CHKROOTKIT ]; then
-  exit 0
+if [ ! -x "$CHKROOTKIT" ]; then
+       exit 0
 fi
 
-if [ -f $CF ]; then
-    . $CF
+if [ -f "$CF" ]; then
+       . "$CF"
 fi
 
-if [ ! -r "${IGNORE_FILE}" ]; then
- IGNORE_FILE=/dev/null
+if [ ! -r "$IGNORE_FILE" ]; then
+       IGNORE_FILE=/dev/null
 fi
 
+if [ "${RUN_DAILY-false}" = "true" ]; then
+       if [ "${DIFF_MODE-false}" = "true" ]; then
+               case "${RUN_DAILY_OPTS-}" in
+                       # if '-q' is used then the first line is blank and the
+                       # second is a list of files containing a '.': we add 
back
+                       # the description and convert from a space-separated 
list
+                       # to a new-line separated one.  filter_with_sed is used 
below
+                       *q*)
+                               filter_with_sed(){
+                                       sed -r \
+                                               -e '1cThe following suspicious 
files and directories were found' \
+                                               -e '2s/ /\n/g' "$@"
+                               }
+                               ;;
+                       *)
+                               filter_with_sed(){
+                                       sed -r "$@"
+                               }
+                               ;;
+               esac
 
-if [ "$RUN_DAILY" = "true" ]; then
-    if [ "$DIFF_MODE" = "true" ]; then
-                               eval $CHKROOTKIT $RUN_DAILY_OPTS 2>&1 | egrep 
-v -f "${IGNORE_FILE}" > $LOG_DIR/log.today || true
-        if [ ! -f $LOG_DIR/log.expected ]; then
-                                               echo "ERROR: No file 
$LOG_DIR/log.expected"
-                                               echo "This file should contain 
expected output from chkrootkit"
-                                               echo
-                                               echo "Today's run produced the 
following output:"
-                                               echo "--- [ BEGIN: cat 
$LOG_DIR/log.today  ] ---"
-                                               cat $LOG_DIR/log.today
-                                               echo "--- [ END: cat 
$LOG_DIR/log.today ] ---"
-                                               echo
-                                               echo "To create this file 
containing all output from today's run, do (as root)"
-                                               echo "# cp -a 
$LOG_DIR/log.today $LOG_DIR/log.expected"
-                               elif ! diff -q $LOG_DIR/log.expected 
$LOG_DIR/log.today > /dev/null 2>&1; then
-                                               echo "ERROR: chkrootkit output 
was not as expected."
-                                               echo
-                                               echo "The difference is:"
-                                               echo "---[ BEGIN: diff -u 
$LOG_DIR/log.expected $LOG_DIR/log.today ] ---"
-                                               diff -u $LOG_DIR/log.expected 
$LOG_DIR/log.today || true
-                                               echo "---[ END: diff -u 
$LOG_DIR/log.expected $LOG_DIR/log.today ] ---"
-                                               echo
-                                               echo "To update the expected 
output, run (as root)"
-                                               echo "#  cp -a -f 
$LOG_DIR/log.today $LOG_DIR/log.expected"
-        fi
-    else
-        eval $CHKROOTKIT $RUN_DAILY_OPTS 2>&1 | (egrep -v -f "${IGNORE_FILE}") 
|| true
-    fi
+               eval "$CHKROOTKIT" "$RUN_DAILY_OPTS" > "$LOG_DIR/log.today.raw" 
2>&1
+
+               # make output more stable:
+               # 1) split message about dotfiles over multiple lines (only if 
RUN_DAILY_OPTS contains 'q')
+               # 2) stop message about systemd-networkd, dhclient, dhcpd, 
dhcpdN, wpa_supplicant changing if pid or interface name changes
+               # 3) stop list of running processes changing if pid changes
+               egrep -v -f "$IGNORE_FILE" "$LOG_DIR/log.today.raw" \
+                       | filter_with_sed -e 's![a-z0-9:]+: PACKET 
SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant))\[[0-9]+\](,
 )?)+\)!<interface>: PACKET 
SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant]{PID}\)!' \
+                               -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/' \
+                                       "$LOG_DIR/log.today.raw" > 
"$LOG_DIR/log.today" 2>&1 || true
+               if [ ! -f "$LOG_DIR/log.expected" ]; then
+                       echo "ERROR: No file $LOG_DIR/log.expected"
+                       echo "This file should contain expected output from 
chkrootkit"
+                       echo
+                       echo "Today's run produced the following output:"
+                       echo "--- [ BEGIN: cat $LOG_DIR/log.today  ] ---"
+                       cat "$LOG_DIR/log.today"
+                       echo "--- [ END: cat $LOG_DIR/log.today ] ---"
+                       echo
+                       echo "To create this file containing all output from 
today's run, do (as root)"
+                       echo "# cp -a $LOG_DIR/log.today $LOG_DIR/log.expected"
+                       echo "# (note that unedited output is in 
$LOG_DIR/log.today.raw)"
+               elif ! diff -q "$LOG_DIR/log.expected" "$LOG_DIR/log.today" > 
/dev/null 2>&1; then
+                       echo "ERROR: chkrootkit output was not as expected."
+                       echo
+                       echo "The difference is:"
+                       echo "---[ BEGIN: diff -u $LOG_DIR/log.expected 
$LOG_DIR/log.today ] ---"
+                       diff -u "$LOG_DIR/log.expected" "$LOG_DIR/log.today" || 
true
+                       echo "---[ END: diff -u $LOG_DIR/log.expected 
$LOG_DIR/log.today ] ---"
+                       echo
+                       echo "To update the expected output, run (as root)"
+                       echo "#  cp -a -f $LOG_DIR/log.today 
$LOG_DIR/log.expected"
+                       echo "# (note that unedited output is in 
$LOG_DIR/log.today.raw)"
+               fi
+       else
+               eval "$CHKROOTKIT" "$RUN_DAILY_OPTS" 2>&1 | (egrep -v -f 
"${IGNORE_FILE}" || true)
+       fi
 fi
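Review bot: In diff mode the IGNORE_FILE exclusions are never applied, because `filter_with_sed` receives `"$LOG_DIR/log.today.raw"` as a trailing operand (forwarded through `"$@"` to sed), so sed reads the raw file directly and discards the `egrep -v -f "$IGNORE_FILE"` output piped into it; every line the ignore file was meant to suppress lands in log.today and thus in the expected-output comparison. Dropping that operand fixes it, so the pipeline ends `-e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/' > "$LOG_DIR/log.today" 2>&1 || true`. Separately, the new `eval "$CHKROOTKIT" "$RUN_DAILY_OPTS" > "$LOG_DIR/log.today.raw" 2>&1` line no longer carries the `|| true` the replaced pipeline had; whether a non-zero chkrootkit exit now aborts the cron job depends on the script's `set` options, which are outside this hunk (it starts at file line 7), so worth confirming before merging.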
