Package: chkrootkit
Version: 0.49-4
Severity: normal

/etc/cron.d/chkrootkit has a hard coded check for only dhclient and dhcpd (or dhclient3/dhcpd3) as allowed packet sniffers, and only on eth0/eth1.
The former assumption may not be correct, for instance the argus network monitor runs as a packet sniffer, causing false positives. One is quite likely to want to run chkrootkit on an internet facing argus monitor and argus shouldn't be regarded as suspicious. In addition, the regex used means that even dhcpd will FP when another sniffer is running on the same interface, as it expects that dhcp will be the only one. It might be nice to allow specifying which sniffers to expect and to elide the PIDs from, but if not then it would, I think, be safe to just remove all PIDs in a PACKET SNIFFER line and rely on the diff to pick up unauthorised ones.

The device names assumption is not always true even now (my eth1 and eth2 are bridged together as br0, which is where dhcpd sniffs), and will certainly be untrue when biosdevname is in use with udev ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=617820 , http://lists.debian.org/debian-devel/2010/11/msg00108.html ).

As a result of the above, I get the following chkrootkit FP every day, and even if I copy .today to .expected, it will start FP'ing again every time one of the daemons is restarted.

------------------------------------------------------------
/etc/cron.daily/chkrootkit: ERROR: chkrootkit output was not as expected.

The difference is:
---[ BEGIN: diff -u /var/log/chkrootkit/log.expected /var/log/chkrootkit/log.today ] ---
--- /var/log/chkrootkit/log.expected 2011-06-03 07:05:53.000000000 +0100
+++ /var/log/chkrootkit/log.today 2011-06-18 07:05:25.000000000 +0100
@@ -34,8 +34,8 @@ warning, got bogus unix line. warning, got bogus unix line. warning, got bogus unix line. -eth2: PACKET SNIFFER(/usr/sbin/argus_linux[1956]) -br0: PACKET SNIFFER(/usr/sbin/argus_linux[1956], /usr/sbin/dhcpd[2579]) +eth2: PACKET SNIFFER(/usr/sbin/argus_linux[1966]) +br0: PACKET SNIFFER(/usr/sbin/argus_linux[1966], /usr/sbin/dhcpd[2588]) unable to open wtmp-file wtmp warning, got bogus unix line. warning, got bogus unix line.
---[ END: diff -u /var/log/chkrootkit/log.expected /var/log/chkrootkit/log.today ] ---
------------------------------------------------------------

Thanks,
Nick

-- debconf information:
* chkrootkit/run_daily: true
* chkrootkit/run_daily_opts: -q -n
* chkrootkit/diff_mode: true
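The PID-eliding approach the reporter suggests, as an added example that is not part of the bug report and is not the package's /etc/cron.daily/chkrootkit script: every `[pid]` inside a PACKET SNIFFER line is replaced with the literal `[PID]` before the expected and today logs are compared, regardless of interface name or which program is sniffing, so only a change in the set of sniffing programs (or their interfaces) shows up in the diff. The function names, the use of temporary files and the sample log lines are this example's own assumptions; the sample lines are constructed from the report's diff.

```sh
#!/bin/sh
# Added example (not Debian's /etc/cron.daily/chkrootkit): normalise the
# "PACKET SNIFFER" lines of chkrootkit output so that the interface and the
# sniffing programs are compared but their PIDs are not.

# Rewrite "<iface>: PACKET SNIFFER(/path/prog[1234], /path/other[5678])" to
# "<iface>: PACKET SNIFFER(/path/prog[PID], /path/other[PID])".
# Only lines containing ": PACKET SNIFFER(" are touched; every other line
# passes through unchanged, so the diff still catches new output elsewhere.
elide_sniffer_pids() {
    sed -e '/: PACKET SNIFFER(/ s/\[[0-9][0-9]*\]/[PID]/g'
}

# Compare an "expected" and a "today" log after normalising both.
# Prints the unified diff and returns diff's exit status
# (0 = no difference, 1 = differences, 2 = trouble).
compare_logs() {
    expected="$1"
    today="$2"
    tmp_e=$(mktemp) || return 2
    tmp_t=$(mktemp) || { rm -f "$tmp_e"; return 2; }
    elide_sniffer_pids < "$expected" > "$tmp_e"
    elide_sniffer_pids < "$today" > "$tmp_t"
    diff -u "$tmp_e" "$tmp_t"
    rc=$?
    rm -f "$tmp_e" "$tmp_t"
    return $rc
}

# Demo on constructed logs (hypothetical, modelled on the report's diff):
# the same daemons with new PIDs after a restart must not trip the diff,
# but an extra sniffer on an interface must.
demo_expected=$(mktemp)
demo_restart=$(mktemp)
demo_extra=$(mktemp)
printf '%s\n' \
    'eth2: PACKET SNIFFER(/usr/sbin/argus_linux[1956])' \
    'br0: PACKET SNIFFER(/usr/sbin/argus_linux[1956], /usr/sbin/dhcpd[2579])' \
    > "$demo_expected"
printf '%s\n' \
    'eth2: PACKET SNIFFER(/usr/sbin/argus_linux[1966])' \
    'br0: PACKET SNIFFER(/usr/sbin/argus_linux[1966], /usr/sbin/dhcpd[2588])' \
    > "$demo_restart"
printf '%s\n' \
    'eth2: PACKET SNIFFER(/usr/sbin/argus_linux[1966])' \
    'br0: PACKET SNIFFER(/usr/sbin/argus_linux[1966], /usr/sbin/dhcpd[2588], /usr/sbin/tcpdump[3001])' \
    > "$demo_extra"

if compare_logs "$demo_expected" "$demo_restart" > /dev/null; then
    echo "restart only: no change reported (as intended)"
else
    echo "restart only: change reported (unexpected)"
fi
if compare_logs "$demo_expected" "$demo_extra"; then
    echo "extra sniffer: no change reported (unexpected)"
else
    echo "extra sniffer: change reported (as intended)"
fi
rm -f "$demo_expected" "$demo_restart" "$demo_extra"
```

To use it in place of a hard-coded interface/program regex, run chkrootkit into a raw file, pipe that through elide_sniffer_pids to produce log.today, and diff against a log.expected that was produced the same way; an expected file captured before normalisation still contains PIDs and will differ once.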