Hi Harry, thanks for the report - I don't think this is a bug per se, but it is a helpful reminder of knockd

While knockd is not a malicious packet sniffer, it does "sniff packets" (not the greatest term in any case), so chkrootkit is working as intended by flagging it. It's the classic case of a false positive which I see is already documented in /usr/share/doc/chkrootkit/README.FALSE-POSITIVES.gz.

It can't realistically be a goal of the Debian package to never produce a false positive - that's not possible or realistic given the variability of Debian systems (while we do ignore very common things like wpa_supplicant, I don't think knockd is in that class.)

Instead of an infallible oracle, we should treat chkrootkit as something that tells you about what is on your system and gives you the tools to suppress those warnings when you, as admin, are happy they are fine. The documentation already points to ways to do this - you might want to start by reading the file /usr/share/doc/chkrootkit/README.FALSE-POSITIVES.gz (which already mentions knockd) and following the suggested links to /etc/chkrootkit/chkrootkit.conf and the man-page for chkrootkit.

It may well be that the documentation can be improved - constructive suggestions welcome

Regards, and happy Christmas
Richard

On Fri, 24 Dec 2021 at 02:15, Harry Sintonen <debianb...@kyber.fi> wrote:
>
> Package: chkrootkit
> Version: 0.55-4
> Severity: normal
>
> Hello,
>
> chkrootkit gives a false positive "PACKET SNIFFER" warning for knockd
> package. This package should not be listed as a potential sniffer since
> it needs to listen to network traffic to perform its job in the first
> place.
>
>
> -- System Information:
> Debian Release: bookworm/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.15.0-2-amd64 (SMP w/12 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages chkrootkit depends on:
> ii  libc6  2.33-1
>
> Versions of packages chkrootkit recommends:
> ii  binutils   2.37-10
> ii  iproute2   5.15.0-1
> ii  net-tools  1.60+git20181103.0eebece-1
> ii  procps     2:3.3.17-5
>
> chkrootkit suggests no packages.
>
> -- Configuration Files:
> /etc/chkrootkit/chkrootkit.conf changed [not included]
> /etc/chkrootkit/chkrootkit.ignore changed [not included]
>
> -- no debconf information