On Sun, 9 Mar 2025, 07:51 Peter Marschall, <pe...@adpm.de> wrote:

> when running chkrootkit using `chkrootkit-daily` in diff mode, ifpromisc
> sometimes raised an alert because its output appears in a different
> order.

this is why we have the diff mode and the filtering mechanism, to avoid this kind of thing.

> To avoid those false alerts, it would be good if the output of `ifpromisc`
> would be sorted - at least for the non-EXPERT case.
>
> If I saw it correctly in Debian's git repo, this should be a simple change
> in
> 'debian/patches/chkrootkit-sniffer.patch':
>
> --- a/debian/patches/chkrootkit-sniffer.patch > +++ b/debian/patches/chkrootkit-sniffer.patch > @@ -48,10 +48,10 @@ index d1d84e4..9f2d0b4 100755 > - [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q > + status=0 > + if [ "${QUIET}" != "t" ]; then > -+ outmsg=$(./ifpromisc -v 2>&1) > ++ outmsg=$(./ifpromisc 2>&1 | sort) > + status=$? > + else > -+ outmsg=$(./ifpromisc -q 2>&1) > ++ outmsg=$(./ifpromisc -q 2>&1 | sort) > + status=$? > + fi > + if [ "$status" = 0 ]; then >

i am not sure if this is a good idea. it's adding "hardcoded" logic that can't be controlled by the user: and if there is anything on stderr from ifpromisc then it will likely be moved to the wrong place by sorting which is not helpful (i think this does happen if running as non-root, or in an unprivileged container that "sees" host interfaces, and potentially if some dubious process is doing bad things).

And by default the output *should* be stable anyway: can you give an example of the output you are getting?

i think you are right about the -v. but i assume this is present upstream and seems harmless (i am not sure -x is ever useful tbh)
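
Review bot: In both changed `outmsg=$(... | sort)` lines, the `status=$?` that follows now records the exit status of `sort`, not of `ifpromisc`, because a pipeline's status is that of its last command unless `pipefail` is in effect (the visible lines do not set it). The later `if [ "$status" = 0 ]` test would therefore treat a failing `ifpromisc` run as a success, which silently changes what the check reports. If sorting is wanted, capture the output and status first and sort the captured text afterwards, for example `outmsg=$(./ifpromisc -q 2>&1)`, `status=$?`, then `outmsg=$(printf '%s\n' "$outmsg" | sort)`. Two smaller points on the same lines: the non-quiet branch also drops `-v`, which the description of the change does not mention, and since `2>&1` precedes the pipe, any stderr lines are sorted in among the interface lines and lose their position.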