Package: chkrootkit
Version: 0.52-3+b10
Severity: normal
Tags: patch
In stretch, using diff_mode redirected stderr from chkrootkit into the
log.today file. In buster, this is no longer the case: a pipe was
inserted that greps an IGNORE_FILE, and the stderr of this grep is
redirected into the file rather than stderr of chkrootkit. I suspect
this was a simple oversight... I suspect that any errors from grep
indicate a problem, and it was intended to redirect chkrootkit instead.
OpenVPN creates zombie processes that stay around for the duration of
the VPN. Since upgrading to buster, I get daily reminders, whereas with
stretch, I could just have these zombies in log.expected and have them
silenced.
The behaviour pre-patch:
--8<---------------cut here---------------start------------->8---
# ps fax|grep [o]penvpn
[...]
2071 ? Ss 0:00 /usr/sbin/openvpn --daemon ovpn-lucas-0 --status /run/openvpn/lucas-0.status 10 --cd /etc/openvpn --config /etc/openvpn/lucas-0.conf --writepid /run/openvpn/lucas-0.pid
2156 ? Z 0:00 \_ [openvpn] <defunct>
[...]
2161 ? Ss 0:00 /usr/sbin/openvpn --daemon ovpn-lucas-0 --status /run/openvpn/lucas-0.status 10 --cd /etc/openvpn --config /etc/openvpn/lucas-0.conf --writepid /run/openvpn/lucas-0.pid
[...]
# /etc/cron.daily/chkrootkit
find: ‘/proc/2121/task/2121/net’: Invalid argument
find: ‘/proc/2121/net’: Invalid argument
find: ‘/proc/2130/task/2130/net’: Invalid argument
find: ‘/proc/2130/net’: Invalid argument
find: ‘/proc/2133/task/2133/net’: Invalid argument
find: ‘/proc/2133/net’: Invalid argument
find: ‘/proc/2152/task/2152/net’: Invalid argument
find: ‘/proc/2152/net’: Invalid argument
find: ‘/proc/2154/task/2154/net’: Invalid argument
find: ‘/proc/2154/net’: Invalid argument
find: ‘/proc/2156/task/2156/net’: Invalid argument
find: ‘/proc/2156/net’: Invalid argument
--8<---------------cut here---------------end--------------->8---
I removed all but one VPN from the process list for brevity; all
reported PIDs are OpenVPN zombies.
The behaviour after the patch:
--8<---------------cut here---------------start------------->8---
# /etc/cron.daily/chkrootkit
ERROR: chkrootkit output was not as expected.
The difference is:
---[ BEGIN: diff -u /var/log/chkrootkit/log.expected /var/log/chkrootkit/log.today ] ---
--- /var/log/chkrootkit/log.expected 2019-08-11 14:22:49.808457154 +0200
+++ /var/log/chkrootkit/log.today 2019-08-11 15:09:05.962225005 +0200
@@ -2,6 +2,18 @@
/usr/lib/debug/.build-id
/usr/lib/debug/.build-id
INFECTED PORTS: ( 465)
+find: ‘/proc/2121/task/2121/net’: Invalid argument
+find: ‘/proc/2121/net’: Invalid argument
+find: ‘/proc/2130/task/2130/net’: Invalid argument
+find: ‘/proc/2130/net’: Invalid argument
+find: ‘/proc/2133/task/2133/net’: Invalid argument
+find: ‘/proc/2133/net’: Invalid argument
+find: ‘/proc/2152/task/2152/net’: Invalid argument
+find: ‘/proc/2152/net’: Invalid argument
+find: ‘/proc/2154/task/2154/net’: Invalid argument
+find: ‘/proc/2154/net’: Invalid argument
+find: ‘/proc/2156/task/2156/net’: Invalid argument
+find: ‘/proc/2156/net’: Invalid argument
enp2s8: PACKET SNIFFER(/usr/sbin/dhcpd[2312])
vlan4: PACKET SNIFFER(/usr/sbin/dhclient[1009])
vlan5: PACKET SNIFFER(/usr/sbin/dhcpd[2312])
---[ END: diff -u /var/log/chkrootkit/log.expected /var/log/chkrootkit/log.today ] ---
To update the expected output, run (as root)
# cp -a -f /var/log/chkrootkit/log.today /var/log/chkrootkit/log.expected
# (note that unedited output is in /var/log/chkrootkit/log.today.raw)
[... inserted vertical space for readability ...]
# cp -a -f /var/log/chkrootkit/log.today /var/log/chkrootkit/log.expected
# /etc/cron.daily/chkrootkit
#
--8<---------------cut here---------------end--------------->8---
(The last two lines show it executed without any output. I had to edit
the output a bit to keep it understandable.)
Have a nice day,
Peter.
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 4.19.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages chkrootkit depends on:
ii binutils 2.31.1-16
ii debconf [debconf-2.0] 1.5.71
ii libc6 2.28-10
ii net-tools 1.60+git20180626.aebd88e-1
ii openssh-client 1:7.9p1-10
ii procps 2:3.3.15-2
chkrootkit recommends no packages.
chkrootkit suggests no packages.
-- Configuration Files:
/etc/cron.daily/chkrootkit changed [not included]
-- debconf information:
chkrootkit/run_daily: true
chkrootkit/run_daily_opts: -q
chkrootkit/diff_mode: true
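As an added illustration of the redirection point in the report above (example code written for this page, not part of the chkrootkit package or its cron.daily script): `fake_chkrootkit` is a constructed stand-in for chkrootkit that prints one finding on stdout and one find(1)-style error on stderr; `run_prepatch` and `run_patched` are the two pipeline shapes from the cron job, with `grep -E` in place of `egrep`. The helper functions show that only the patched shape lets the IGNORE_FILE filter see the stderr lines, and therefore lets a pattern in that file silence them.

```shell
#!/bin/sh
# Added example, not from the chkrootkit package. Demonstrates where the
# stderr of the first command in a pipeline ends up, depending on whether
# 2>&1 is attached to the last command (after its > redirect) or to the
# first command (before the pipe).

# Constructed stand-in for chkrootkit: one finding on stdout, one
# find(1)-style error on stderr, like the /proc noise in the bug report.
fake_chkrootkit() {
    echo 'INFECTED PORTS: ( 465)'
    echo 'find: /proc/2156/net: Invalid argument' >&2
}

# Pre-patch shape: "2>&1" belongs to grep, so only grep's stderr is
# captured. fake_chkrootkit's stderr bypasses the filter and the log
# (under cron it would be mailed instead).
run_prepatch() {
    ignore=$1; log=$2
    fake_chkrootkit | grep -E -v -f "$ignore" > "$log" 2>&1
}

# Patched shape: "2>&1" is on the first command, before the pipe, so its
# stderr flows through the IGNORE_FILE filter and into the log.
run_patched() {
    ignore=$1; log=$2
    fake_chkrootkit 2>&1 | grep -E -v -f "$ignore" > "$log"
}

# Run one variant with an IGNORE_FILE that matches nothing.
# Returns 0 if the find error reached the log, 1 otherwise.
log_has_find_error() {
    variant=$1
    tmp=$(mktemp -d)
    echo '^nothing-to-ignore$' > "$tmp/ignore"
    # Discard whatever escapes to our own stderr so the demo stays quiet.
    "$variant" "$tmp/ignore" "$tmp/log.today.raw" 2>/dev/null
    if grep -q '^find: ' "$tmp/log.today.raw"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# With the patched shape, an IGNORE_FILE pattern can silence the find
# noise (the reporter's use case). Returns 0 if the log is free of it.
patched_ignores_find_noise() {
    tmp=$(mktemp -d)
    echo '^find: /proc/[0-9]+/.*: Invalid argument$' > "$tmp/ignore"
    run_patched "$tmp/ignore" "$tmp/log.today.raw" 2>/dev/null
    if grep -q '^find: ' "$tmp/log.today.raw"; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone run: report both shapes.
for v in run_prepatch run_patched; do
    if log_has_find_error "$v"; then
        echo "$v: find error captured in log.today.raw"
    else
        echo "$v: find error NOT in log.today.raw (escaped to stderr)"
    fi
done
```

Note that in the patched shape the pipeline's exit status is grep's, which is 1 when every line has been filtered out; a script that tests `$?` after such a pipeline should account for that.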
--- chkrootkit-0.52.orig/debian/cron.daily 2019-03-01 01:23:34.000000000
+0100
+++ chkrootkit-0.52/debian/cron.daily 2019-08-11 15:04:23.047885245 +0200
@@ -22,7 +22,7 @@
if [ "$RUN_DAILY" = "true" ]; then
if [ "$DIFF_MODE" = "true" ]; then
- eval $CHKROOTKIT $RUN_DAILY_OPTS | egrep -v -f
"${IGNORE_FILE}" > $LOG_DIR/log.today.raw 2>&1
+ eval $CHKROOTKIT $RUN_DAILY_OPTS 2>&1 | egrep
-v -f "${IGNORE_FILE}" > $LOG_DIR/log.today.raw
# the sed expression replaces the messages
about /sbin/dhclient3 /usr/sbin/dhcpd3
# with a message that is the same whatever
order eth0 and eth1 were scanned
sed -r -e 's,eth(0|1)(:[0-9])?: PACKET
SNIFFER\((/sbin/dhclient|/usr/sbin/dhcpd)\[[0-9]+\]\),eth\[0|1\]: PACKET
SNIFFER\([dhclient|dhcpd]{PID}\),' \
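Review bot: Moving `2>&1` in front of the pipe is the right fix for the line shown: in the `-` version the redirection is attached to `egrep`, so only egrep's stderr reached log.today.raw while chkrootkit's stderr (the find(1) noise from /proc) skipped both the IGNORE_FILE filter and the log, which is exactly why it could not be silenced through log.expected. Two things to check before merging: first, after this change egrep's own stderr (for instance an unreadable `${IGNORE_FILE}`) is no longer captured in the log and will surface through cron instead, which is arguably the better behaviour but should be stated in the changelog; second, with stderr now going through `egrep -v`, the pipeline's status is egrep's, which is 1 when every line is filtered out, so anything below this hunk that tests the pipeline's exit status would misread an all-ignored run as a failure. Minor style point: `egrep` is a deprecated alias for `grep -E`. Also note that the hunk as quoted here has been re-wrapped by the mail client (the `-` and `+` lines are each split across two lines and the context lines have lost their indentation), so apply it from the attachment rather than from this copy.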