control: clone -1 -2
control: retitle -2 spurious warnings if no sniffers (ifpromisc needs a
proper exit status to fix this)
thanks

On Sun, 30 Apr 2023, 11:33 Red Omen, <redo...@nwi.net> wrote:

> Package: chkrootkit
> Version: 0.57-2+b1
> Followup-For: Bug #1033538
>

Thanks - this should be in a separate bug report though!

> Checking `sniffer'...                                       WARNING
>
> WARNING: Output from ifpromisc:
> lo: not promisc and no packet sniffer sockets
> eth0: not promisc and no packet sniffer sockets
>
>
> If this is working correctly and there is no issue should it still be
> sending an alert mail?
>

Technically it should, because you are not using diff mode (and are not
asking for 'quiet' output): ifpromisc then reports on every interface. The
test (even before Debian's many patches) just gives the output of ifpromisc.

It is very unusual these days not to have any dhcp or some network manager
running anywhere!

There are several ways you can work round this:
1. I would recommend you edit /etc/chkrootkit/chkrootkit.conf and set
DIFF_MODE to true - then you will get one email with instructions on how
to suppress repeat mails.

2. Alternatively, in the same file is RUN_DAILY_OPTS -- and in that you can
set chkrootkit options including
a) -q (affects all tests, including this one) - it is passed through to
ifpromisc which will then give you no output.
b) -s to filter the output of ifpromisc (doesn't affect any other tests)
e.g. RUN_DAILY_OPTS="-s 'no packet sniffer'" should work (the arg for -s is
passed to 'grep -Ev')

Both 2a and 2b can be used with or without diff_mode of course.

--------

Having said all that there is a minor bug here:
It is a minor inaccuracy to have a 'warning' in the output when the only
output is no promisc interfaces at all - the best way to fix this would be
if ifpromisc set an exit status of 1 if anything was found - patches for
that welcome!

(chkrootkit could then use that status to suppress the 'WARNING' bit )
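
An added example, not part of the original message and not chkrootkit's own code: a small shell model of the `-s` filter from option 2b, showing that `grep -Ev 'no packet sniffer'` silences the idle-interface lines but keeps a real finding. The function names, the `clean` label and the `PACKET SNIFFER` sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Model of the sniffer test's reporting; not chkrootkit's own code.

# Constructed sample: the two lines quoted in the bug report.
IDLE_OUTPUT='lo: not promisc and no packet sniffer sockets
eth0: not promisc and no packet sniffer sockets'

# Constructed sample: one interface with a packet socket open
# (the exact wording of this line is an assumption).
BUSY_OUTPUT='lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient[1234])'

# filter_findings OUTPUT PATTERN
# Drops every line matching PATTERN, the way the argument of -s is
# described as being handed to 'grep -Ev'. An empty PATTERN means
# "no filter": with grep -Ev '' every line would match and be dropped,
# so that case is passed through unchanged instead.
filter_findings() {
    if [ -z "$2" ]; then
        printf '%s\n' "$1"
        return 0
    fi
    # grep exits 1 when nothing is left; that is not an error here.
    printf '%s\n' "$1" | grep -Ev -e "$2" || true
}

# sniffer_verdict OUTPUT PATTERN
# Prints WARNING if any line survives the filter, otherwise "clean"
# (hypothetical label). Any surviving output counts as a warning,
# which is the behaviour the report describes.
sniffer_verdict() {
    remaining=$(filter_findings "$1" "$2")
    if [ -n "$remaining" ]; then
        echo WARNING
    else
        echo clean
    fi
}

echo "idle, unfiltered: $(sniffer_verdict "$IDLE_OUTPUT" '')"
echo "idle, filtered:   $(sniffer_verdict "$IDLE_OUTPUT" 'no packet sniffer')"
echo "busy, filtered:   $(sniffer_verdict "$BUSY_OUTPUT" 'no packet sniffer')"
```

Keep the pattern as narrow as the one suggested: a broader expression such as `sniffer` would also discard the line that reports an actual packet socket.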
