Package: chkrootkit
Version: 0.54-1+b2
Tags: patch
Followup-For: Bug #630880
X-Debbugs-Cc: richard.lewis.deb...@googlemail.com

Dear Maintainer,

Please consider the attached patch that fixes this bug. The patch
- improves the filtering for /etc/cron.daily/chkrootkit by expanding the list of 'allowed' packet sniffers to include wpa_supplicant, dhcpcd, etc
- quotes more variables
- makes tabs consistent
- includes stderr in the output (just in case)

Thanks for considering

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii  binutils               2.35.2-2
ii  debconf [debconf-2.0]  1.5.77
ii  libc6                  2.31-13
ii  net-tools              1.60+git20181103.0eebece-1
ii  openssh-client         1:8.4p1-5
ii  procps                 2:3.3.17-5

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- Configuration Files:
/etc/cron.daily/chkrootkit changed [not included]

-- debconf information:
* chkrootkit/run_daily_opts: -q
* chkrootkit/diff_mode: true
* chkrootkit/run_daily: true
--- etc.cron.daily.chkrootkit.orig 2021-09-12 22:04:13.087114719 +0100 +++ etc.cron.daily.chkrootkit.new 2021-09-12 22:12:57.534539024 +0100 
@@ -7,45 +7,74 @@ LOG_DIR=/var/log/chkrootkit IGNORE_FILE=/dev/null -if [ ! -x $CHKROOTKIT ]; then - exit 0 +if [ ! -x "$CHKROOTKIT" ]; then + exit 0 fi -if [ -f $CF ]; then - . $CF +if [ -f "$CF" ]; then + . "$CF" fi -if [ ! -r "${IGNORE_FILE}" ]; then - IGNORE_FILE=/dev/null +if [ ! -r "$IGNORE_FILE" ]; then + IGNORE_FILE=/dev/null fi +if [ "${RUN_DAILY-false}" = "true" ]; then + if [ "${DIFF_MODE-false}" = "true" ]; then + case "${RUN_DAILY_OPTS-}" in + # if '-q' is used then the first line is blank and the + # second is a list of files containing a '.': we add back + # the description and convert from a space-separated list + # to a new-line separated one. filter_with_sed is used below + *q*) + filter_with_sed(){ + sed -r \ + -e '1cThe following suspicious files and directories were found' \ + -e '2s/ /\n/g' "$@" + } + ;; + *) + filter_with_sed(){ + sed -r "$@" + } + ;; + esac -if [ "$RUN_DAILY" = "true" ]; then - if [ "$DIFF_MODE" = "true" ]; then - eval $CHKROOTKIT $RUN_DAILY_OPTS 2>&1 | egrep -v -f "${IGNORE_FILE}" > $LOG_DIR/log.today || true - if [ ! -f $LOG_DIR/log.expected ]; then - echo "ERROR: No file $LOG_DIR/log.expected" - echo "This file should contain expected output from chkrootkit" - echo - echo "Today's run produced the following output:" - echo "--- [ BEGIN: cat $LOG_DIR/log.today ] ---" - cat $LOG_DIR/log.today - echo "--- [ END: cat $LOG_DIR/log.today ] ---" - echo - echo "To create this file containing all output from today's run, do (as root)" - echo "# cp -a $LOG_DIR/log.today $LOG_DIR/log.expected" - elif ! diff -q $LOG_DIR/log.expected $LOG_DIR/log.today > /dev/null 2>&1; then - echo "ERROR: chkrootkit output was not as expected." 
- echo - echo "The difference is:" - echo "---[ BEGIN: diff -u $LOG_DIR/log.expected $LOG_DIR/log.today ] ---" - diff -u $LOG_DIR/log.expected $LOG_DIR/log.today || true - echo "---[ END: diff -u $LOG_DIR/log.expected $LOG_DIR/log.today ] ---" - echo - echo "To update the expected output, run (as root)" - echo "# cp -a -f $LOG_DIR/log.today $LOG_DIR/log.expected" - fi - else - eval $CHKROOTKIT $RUN_DAILY_OPTS 2>&1 | (egrep -v -f "${IGNORE_FILE}") || true - fi + eval "$CHKROOTKIT" "$RUN_DAILY_OPTS" > "$LOG_DIR/log.today.raw" 2>&1 + + # make output more stable: + # 1) split message about dotfiles over multiple lines (only if RUN_DAILY_OPTS contains 'q') + # 2) stop message about systemd-networkd, dhclient, dhcpd, dhcpdN, wpa_supplicant changing if pid or interface name changes + # 3) stop list of running processes changing if pid changes + egrep -v -f "$IGNORE_FILE" "$LOG_DIR/log.today.raw" \ + | filter_with_sed -e 's![a-z0-9:]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant]{PID}\)!' \ + -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/' \ + "$LOG_DIR/log.today.raw" > "$LOG_DIR/log.today" 2>&1 || true + if [ ! -f "$LOG_DIR/log.expected" ]; then + echo "ERROR: No file $LOG_DIR/log.expected" + echo "This file should contain expected output from chkrootkit" + echo + echo "Today's run produced the following output:" + echo "--- [ BEGIN: cat $LOG_DIR/log.today ] ---" + cat "$LOG_DIR/log.today" + echo "--- [ END: cat $LOG_DIR/log.today ] ---" + echo + echo "To create this file containing all output from today's run, do (as root)" + echo "# cp -a $LOG_DIR/log.today $LOG_DIR/log.expected" + echo "# (note that unedited output is in $LOG_DIR/log.today.raw)" + elif ! diff -q "$LOG_DIR/log.expected" "$LOG_DIR/log.today" > /dev/null 2>&1; then + echo "ERROR: chkrootkit output was not as expected." 
+ echo + echo "The difference is:" + echo "---[ BEGIN: diff -u $LOG_DIR/log.expected $LOG_DIR/log.today ] ---" + diff -u "$LOG_DIR/log.expected" "$LOG_DIR/log.today" || true + echo "---[ END: diff -u $LOG_DIR/log.expected $LOG_DIR/log.today ] ---" + echo + echo "To update the expected output, run (as root)" + echo "# cp -a -f $LOG_DIR/log.today $LOG_DIR/log.expected" + echo "# (note that unedited output is in $LOG_DIR/log.today.raw)" + fi + else + eval "$CHKROOTKIT" "$RUN_DAILY_OPTS" 2>&1 | (egrep -v -f "${IGNORE_FILE}" || true) + fi fi
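Review bot: In the DIFF_MODE branch the ignore-file filtering is silently bypassed. `"$LOG_DIR/log.today.raw"` is passed as a trailing positional argument to `filter_with_sed`, whose body is `sed -r "$@"`, so sed reads the raw log as an input file and never looks at the stdin it is piped from `egrep -v -f "$IGNORE_FILE" "$LOG_DIR/log.today.raw"`; every line IGNORE_FILE was meant to suppress ends up in log.today, and the old behaviour on the removed `egrep -v -f "${IGNORE_FILE}" > $LOG_DIR/log.today` line is lost. Drop the file argument after the second `-e` expression so the pipeline reads `egrep ... | filter_with_sed -e '...' -e '...' > "$LOG_DIR/log.today"`. Three smaller points in the same region: the `*q*)` normaliser rewrites by line position (`1c` replaces whatever line 1 is, `2s/ /\n/g` only splits line 2), which is correct only while the blank line plus dot-file list is the first thing `-q` prints; if an INFECTED or PACKET SNIFFER line comes first it is overwritten by the fixed header text and the list that follows is not split, so either match on content (e.g. only `c` a line that is actually empty, and split the line that contains the dot-file list) or document the assumption next to the case. The `[[:alnum:]+-]+` class in `s/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/` does not cover process names containing `_`, `/`, `:` or `.` (wpa_supplicant itself, kernel threads), so their PIDs will keep producing diffs; `[^[:space:]]+` would be the simpler choice. Finally, the new `eval "$CHKROOTKIT" "$RUN_DAILY_OPTS" > "$LOG_DIR/log.today.raw" 2>&1` drops the `|| true` the replaced line had, so a non-zero chkrootkit exit now depends on whether errexit is set further up the script, which is outside this hunk; worth a comment or restoring `|| true` for consistency with the non-diff branch.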