Package: chkrootkit
Version: 0.57-2+b1
Severity: wishlist
Tags: patch

Dear Maintainer,

Currently chkrootkit-daily sends me emails even if I ignore all false positives 
using chkrootkit.ignore.
This is because chkrootkit outputs empty lines that cannot be excluded via 
chkrootkit.ignore.

It can be solved by adding to the filter in /etc/chkrootkit/chkrootkit.conf
  -e '/^$/d'

i.e. replacing:
FILTER="sed -re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"
by
FILTER="sed -e '/^$/d' -re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"

Would it make sense to put that in the default chkrootkit.conf?

Examples on bookworm:
1-chkrootkit-daily.log-no_ignore-no_empty_line_filtering.txt
2-using_this_chkrootkit.ignore.txt
3-chkrootkit-daily.log-with_ignore-no_empty_line_filtering.txt
As one can see, 3- contains only 2 empty lines made of line feeds.
Using the above filter, chkrootkit-daily.log becomes empty and no alert email is 
sent.

Kind regards,
Franck Richter


-- System Information:
Debian Release: 12.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-16-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii  libc6  2.36-9+deb12u3

Versions of packages chkrootkit recommends:
ii  anacron                                    2.3-36
ii  binutils                                   2.40-2
ii  bsd-mailx [mailx]                          8.1.2-0.20220412cvs-1
ii  cron [cron-daemon]                         3.0pl1-162
ii  exim4-daemon-light [mail-transport-agent]  4.96-15+deb12u3
ii  iproute2                                   6.1.0-3
ii  mailutils [mailx]                          1:3.15-4
ii  net-tools                                  2.10-0.1
ii  procps                                     2:4.0.2-3
ii  systemd-sysv                               252.19-1~deb12u1

chkrootkit suggests no packages.

-- Configuration Files:
/etc/chkrootkit/chkrootkit.conf changed [not included]
/etc/chkrootkit/chkrootkit.ignore changed [not included]

-- no debconf information

WARNING: The following suspicious files and directories were found:
/usr/lib/libreoffice/share/.registry
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/assumed_shape/.f2py_f2cmap
/usr/lib/python3/dist-packages/numpy/f2py/tests/src/f2cmap/.f2py_f2cmap
/usr/lib/python3/dist-packages/numpy/core/include/numpy/.doxyfile
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierrc
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierignore
/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.eslintrc.js
/usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep
/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/_static/.gitignore
/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/.gitignore
/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs/.document
/usr/lib/ruby/vendor_ruby/rubygems/tsort/.document
/usr/lib/ruby/vendor_ruby/rubygems/optparse/.document
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscode
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.vscodeignore
/usr/lib/ruby/gems/3.1.0/gems/typeprof-0.21.2/vscode/.gitignore
/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo

WARNING: Output from ifpromisc:
<interface>: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})

WARNING: The following suspicious files and directories were found:
\/usr\/lib\/libreoffice\/share\/.registry
\/usr\/lib\/python3\/dist-packages\/numpy\/f2py\/tests\/src\/assumed_shape\/.f2py_f2cmap
\/usr\/lib\/python3\/dist-packages\/numpy\/f2py\/tests\/src\/f2cmap\/.f2py_f2cmap
\/usr\/lib\/python3\/dist-packages\/numpy\/core\/include\/numpy\/.doxyfile
\/usr\/lib\/python3\/dist-packages\/matplotlib\/backends\/web_backend\/.prettierrc
\/usr\/lib\/python3\/dist-packages\/matplotlib\/backends\/web_backend\/.prettierignore
\/usr\/lib\/python3\/dist-packages\/matplotlib\/backends\/web_backend\/.eslintrc.js
\/usr\/lib\/python3\/dist-packages\/matplotlib\/tests\/baseline_images\/.keep
\/usr\/lib\/python3\/dist-packages\/matplotlib\/tests\/tinypages\/_static\/.gitignore
\/usr\/lib\/python3\/dist-packages\/matplotlib\/tests\/tinypages\/.gitignore
\/usr\/lib\/ruby\/vendor_ruby\/rubygems\/ssl_certs\/.document
\/usr\/lib\/ruby\/vendor_ruby\/rubygems\/tsort\/.document
\/usr\/lib\/ruby\/vendor_ruby\/rubygems\/optparse\/.document
\/usr\/lib\/ruby\/gems\/3.1.0\/gems\/typeprof-0.21.2\/vscode\/.vscode
\/usr\/lib\/ruby\/gems\/3.1.0\/gems\/typeprof-0.21.2\/vscode\/.vscodeignore
\/usr\/lib\/ruby\/gems\/3.1.0\/gems\/typeprof-0.21.2\/vscode\/.gitignore
\/usr\/lib\/jvm\/.java-1.17.0-openjdk-amd64.jinfo
WARNING: Output from ifpromisc:
<interface>: PACKET SNIFFER\(\[systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager\]\{PID\}\)
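A runnable replay of the FILTER change proposed in this report, added here as an example and not taken from chkrootkit or Debian's cron script: it runs the stock FILTER and the proposed one over constructed chkrootkit output and counts what survives a whole-line ignore step. The `residual_count`, `RAW_OUTPUT` and `IGNORE_LINES` names, the sample output lines, and the `grep -v -x -F -f` modelling of chkrootkit.ignore are assumptions of this example (the real ignore file holds regexes, as the escaped attachment above shows).

```shell
#!/bin/sh
# Added example (not chkrootkit's or Debian's own code): replays the report's
# FILTER over constructed chkrootkit output to show why the blank separator
# lines survive the ignore step unless -e '/^$/d' strips them first.

# Constructed sample of raw chkrootkit output (not a real scan): two warning
# blocks, a host-specific ifpromisc line and two blank separator lines.
RAW_OUTPUT='WARNING: The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo

WARNING: Output from ifpromisc:
eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234], /usr/sbin/NetworkManager[567])

'

# The two sed expressions of the stock FILTER: rewrite interface names and PIDs
# into placeholders so one chkrootkit.ignore entry matches on any host.
NORMALIZE="-re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"
FILTER_DEFAULT="sed $NORMALIZE"             # as shipped in chkrootkit.conf
FILTER_FIXED="sed -e '/^\$/d' $NORMALIZE"   # report's proposal: drop blank lines first

# Constructed ignore list holding the normalized lines. The real chkrootkit.ignore
# holds regexes; whole-line fixed-string matching is a simplification here.
IGNORE_LINES='WARNING: The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
WARNING: Output from ifpromisc:
<interface>: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})'

# residual_count FILTER: lines left after filtering and ignoring. chkrootkit-daily
# mails whatever is left, so 0 means no alert email.
residual_count() {
    ign=$(mktemp)
    printf '%s\n' "$IGNORE_LINES" > "$ign"
    n=$(printf '%s' "$RAW_OUTPUT" | eval "$1" | grep -v -x -F -f "$ign" | wc -l)
    rm -f "$ign"
    echo "$n" | tr -d ' '
}

echo "left over with stock FILTER:    $(residual_count "$FILTER_DEFAULT")"  # 2 blank lines
echo "left over with proposed FILTER: $(residual_count "$FILTER_FIXED")"    # 0, no email
```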
