Package: chkrootkit
Version: 0.50-4+b2
Severity: important

Dear Maintainer,

I have installed both fail2ban and chkrootkit on Debian Stretch. It is not the system I'm writing this report from. When running chkrootkit, it complains about hidden files from fail2ban:

===
$ sudo chkrootkit -q
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
===

When attempting to tell chkrootkit to exclude those files, chkrootkit errors with a weird error:

===
$ sudo chkrootkit -q -e '/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess'
The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! grelm/.htpasswd 0 l2ban/tests/files/config/apache-augrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
! wd 0 iles/config/apache-auth/digest_wrowd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
===

Just to assure you, those files do in fact exist and there doesn't seem to be any typo or special character in there, as ls finds those files just fine:

===
$ ls -lbh /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
-rw-r--r-- 1 root root 136 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
-rw-r--r-- 1 root root 47 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
-rw-r--r-- 1 root root 129 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
-rw-r--r-- 1 root root 47 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
-rw-r--r-- 1 root root 231 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
-rw-r--r-- 1 root root 117 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
-rw-r--r-- 1 root root 159 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
-rw-r--r-- 1 root root 62 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
-rw-r--r-- 1 root root 195 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
-rw-r--r-- 1 root root 62 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
-rw-r--r-- 1 root root 179 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
-rw-r--r-- 1 root root 62 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
-rw-r--r-- 1 root root 14 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
===

The issue seems to be that chkrootkit doesn't parse its arguments correctly or it has a limit on how long the -e argument can be. In fact, if you remove several file paths from either the beginning or the end of the -e argument, chkrootkit works as intended and lists just the removed file paths as false positives.

Ideally users should be able to specify any number of file paths to be excluded.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii  binutils               2.30-4
ii  debconf [debconf-2.0]  1.5.65
ii  libc6                  2.26-6
ii  net-tools              1.60+git20161116.90da8a0-1
ii  openssh-client         1:7.6p1-4
ii  procps                 2:3.3.12-4

chkrootkit recommends no packages.

chkrootkit suggests no packages.
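
An added example, not part of the report and not chkrootkit code: one way to silence known test files without passing them through -e is to post-filter the scan output against an allowlist pinned by SHA-256, so an allowlisted path is suppressed only while its content is unchanged. The function names, the allowlist format and the sample files are assumptions; findings are taken to be whitespace-separated absolute paths, so paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example: post-filter scanner findings against a hash-pinned allowlist.
# Allowlist format (assumption of this example): `sha256sum` output,
# "<sha256>  <absolute path>" per line.

# filter_findings ALLOWLIST < scanner-output
# Prints only what still needs review:
#   UNEXPECTED <path>  reported but not allowlisted
#   CHANGED <path>     allowlisted, but missing or no longer matching its pin
filter_findings() {
    allowlist=$1
    # Every whitespace-separated token starting with "/" is a reported path.
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    LC_ALL=C sort -u |
    while IFS= read -r path; do
        # Exact path match only: a new file beside an allowlisted one is
        # never covered by the neighbouring entry.
        pinned=$(P=$path awk '{ h = $1; sub(/^[^ ]+ +/, "")
                                if ($0 == ENVIRON["P"]) { print h; exit } }' "$allowlist")
        if [ -z "$pinned" ]; then
            printf 'UNEXPECTED %s\n' "$path"
        elif [ ! -f "$path" ] ||
             [ "$(sha256sum < "$path" | cut -d' ' -f1)" != "$pinned" ]; then
            printf 'CHANGED %s\n' "$path"
        fi
    done
}

# Constructed sample: three pinned test files, then one is modified and an
# unlisted dotfile appears before the (constructed) scan output is filtered.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/apache-auth/basic" "$d/apache-auth/digest"
    printf 'AuthType Basic\n'   > "$d/apache-auth/basic/.htaccess"
    printf 'user:placeholder\n' > "$d/apache-auth/basic/.htpasswd"
    printf 'AuthType Digest\n'  > "$d/apache-auth/digest/.htaccess"
    sha256sum "$d"/apache-auth/*/.ht* > "$d/allowlist"
    printf 'Require valid-user\n' >> "$d/apache-auth/digest/.htaccess"
    : > "$d/apache-auth/basic/.hidden"
    printf '%s ' "$d"/apache-auth/*/.h* | filter_findings "$d/allowlist" |
        sed "s|$d|<tmp>|"
    rm -rf "$d"
}

demo
```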