Because every morning I receive an email from
"/etc/cron.daily/chkrootkit" that informs me of this.
Of course I can deactivate the check but I would not like to lose other
useful information for the security of the system.
On 27/03/23 19:41, Richard Lewis wrote:
control: tags -1 + moreinfo
overall this looks like the intended behaviour, based on the
information provided, rather than something that needs fixing. Or is
there another reason you considered this a bug?
On Mon, 27 Mar 2023, 07:51 antonio wrote:
It seems that chkrootkit returns a false positive... or not?
$ /usr/lib/chkrootkit/ifpromisc
lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1056])
eth2: PACKET SNIFFER(/usr/sbin/NetworkManager[1056])
If you run ifpromisc directly I'm not sure quite what output you
expected, but the above looks correct, based on the information provided.
Network manager can be reasonably classed as a 'packet sniffer' as it
has the ability to read network traffic.
If network manager was not started intentionally (standard for a
server) you would want to know about it.
If it was started by you because you are running a standard gnome
desktop then it is indeed a false positive
...but there is no way software can reliably tell which of these
circumstances apply.
See the document about false positives in /usr/share/doc/chkrootkit
for more information on how to filter out such messages from the daily
report.
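
The triage discussed in this thread, as an added example that is not part of the original messages or of chkrootkit: it reads ifpromisc-style lines and reports only sniffers whose full executable path is not on a local allowlist. The names `ALLOWED_SNIFFERS`, `sample_output` and `unexpected_sniffers`, the allowlist contents, the comma-separated form for several processes on one interface, and the last sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage ifpromisc output against a local allowlist.

# Hypothetical allowlist of full executable paths expected to hold packet
# sockets on this host. Full paths, so a look-alike binary elsewhere is flagged.
ALLOWED_SNIFFERS="/usr/sbin/NetworkManager"

# Constructed sample: the first three lines copy the format quoted in the
# thread; the last line and its path are invented for illustration.
sample_output() {
    cat <<'EOF'
lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1056])
eth2: PACKET SNIFFER(/usr/sbin/NetworkManager[1056])
eth2: PACKET SNIFFER(/tmp/constructed-sniffer[4242])
EOF
}

# Reads ifpromisc-style lines on stdin and prints "<iface> <path>[<pid>]" for
# every sniffer whose path is not allowlisted.
unexpected_sniffers() {
    awk -v allowed="$ALLOWED_SNIFFERS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /PACKET SNIFFER\(/ {
            iface = $1; sub(/:$/, "", iface)
            procs = $0
            sub(/^[^(]*\(/, "", procs)      # drop everything up to "("
            sub(/\)[^)]*$/, "", procs)      # drop the closing ")"
            # Assumption: several processes on one interface are comma-separated.
            m = split(procs, p, /, */)
            for (j = 1; j <= m; j++) {
                path = p[j]; sub(/\[[0-9]+\]$/, "", path)
                if (!(path in ok)) print iface, p[j]
            }
        }'
}

sample_output | unexpected_sniffers
```

Matching on the full path rather than the process name keeps a binary called NetworkManager in an unexpected directory in the report.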