On Sun, 31 Dec 2023 at 17:30, Franck Richter <franck...@online.de> wrote:


> Currently chkrootkit-daily sends me emails even if I ignore all false
> positives using chkrootkit.ignore, because chkrootkit outputs empty lines
> that cannot be excluded via chkrootkit.ignore.

I haven't checked this, but I think you can exclude blank lines using
chkrootkit.ignore: just add "^$" in there?

> It can be solved by adding to the filter in /etc/chkrootkit/chkrootkit.conf
>   -e '/^$/d'
>
> ie replacing:
> FILTER="sed -re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"
> by
> FILTER="sed -e '/^$/d' -re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"
>
> Would it make sense to put that in the default chkrootkit.conf?

Hmm, I'm not sure it would! The blank line is there to separate output
from different tests; getting rid of it makes the output harder to
read, which doesn't seem like a good default. (There's of course
nothing wrong with you adding that to your systems, if you prefer it
--- but I'm not sure it's the best default for everyone.)

I'd instead look at using:
- DIFF_MODE - then (whatever your other settings) you'd only see the
report once, until something changes
- RUN_DAILY_OPTS
    a) including a -q, which should suppress the blank line entirely.
    b) you might be able to use the -e or -s options - these are used by
chkrootkit, and if all files are ignored that way, then no
'WARNING+list+blank line' would be produced at all, whereas the
chkrootkit.ignore and other filtering are only done at the end
- tbh I'd also investigate why these files are being shipped by Debian
at all; especially .gitignore looks like a mistake!
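To make the post-processing discussed in this thread concrete, here is an added stand-alone model of the three stages the reply refers to: the FILTER sed from chkrootkit.conf, then chkrootkit.ignore, then a DIFF_MODE-style comparison with the previous report. It is example code written for this page, not the Debian /etc/cron.daily/chkrootkit script, and it runs over constructed chkrootkit-like output rather than a real scan. The one assumption to verify on your own system is that chkrootkit.ignore is applied with "grep -v -f", i.e. that each line is a regular expression; the "^$" suggestion above only works under that assumption.

```shell
#!/bin/sh
# Added example, not the Debian chkrootkit cron script: a model of the
# FILTER -> chkrootkit.ignore -> DIFF_MODE post-processing discussed above.
# Assumption: chkrootkit.ignore is applied with "grep -v -f" (regex lines).

# Default FILTER from the thread, on a single line.
FILTER="sed -re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"

# Constructed chkrootkit-like output (not a real scan). The sniffer and
# "! user pid" lines mimic the formats the FILTER rewrites; the blank line
# after the file list is the one the thread is about.
sample_output() {
    cat <<'EOF'
Checking `sniffer'...
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1234])
Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
/usr/share/example/.gitignore

Checking `lkm'...
! root 4321 /usr/bin/example-daemon
EOF
}

# Constructed chkrootkit.ignore: "^$" drops blank lines (the suggestion in
# the reply); the second pattern drops one constructed false positive.
write_ignore_file() {
    printf '%s\n' '^$' '^/usr/share/example/\.gitignore$' > "$1"
}

# Stage 1: the FILTER, evaluated the way a cron job would run it.
apply_filter() {
    eval "$FILTER"
}

# Stage 2: chkrootkit.ignore. grep exits 1 when every line was ignored,
# which is not an error here; only status 2 (bad pattern/file) propagates.
apply_ignore() {
    grep -v -f "$1" || [ "$?" -eq 1 ]
}

# Stage 3: DIFF_MODE. Returns 0 (changed: a report would be mailed) when
# there is no previous report or it differs, 1 when unchanged. Saves new.
report_changed() {
    if [ -f "$1" ] && cmp -s "$1" "$2"; then
        return 1
    fi
    cp "$2" "$1"
    return 0
}

# Whole pipeline over the constructed sample; prints the final report.
filtered_report() {
    fr_ignore=$(mktemp)
    write_ignore_file "$fr_ignore"
    sample_output | apply_filter | apply_ignore "$fr_ignore"
    rm -f "$fr_ignore"
}

# What the pipeline should yield: interface and PIDs normalised, the blank
# line and the ignored path removed.
expected_report() {
    cat <<'EOF'
Checking `sniffer'...
<interface>: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
Checking `lkm'...
! root {PID} /usr/bin/example-daemon
EOF
}

# Demo: the same report twice, as two daily runs would see it.
demo() {
    d_dir=$(mktemp -d)
    filtered_report > "$d_dir/log.new"
    report_changed "$d_dir/log.old" "$d_dir/log.new" \
        && echo "run 1: report changed, mail would be sent"
    filtered_report > "$d_dir/log.new"
    report_changed "$d_dir/log.old" "$d_dir/log.new" \
        || echo "run 2: report unchanged, nothing to send"
    rm -rf "$d_dir"
}
demo
```

One pitfall worth knowing when editing chkrootkit.ignore under this "grep -v -f" model: an empty line in the ignore file is an empty pattern, and an empty pattern matches every line, so a stray blank line at the end of the file silently suppresses the whole report. That is a different thing from the "^$" pattern, which matches only lines that are themselves empty.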
