On 2024-05-02 08:57:10 +0100, Richard Lewis wrote:
> On Thu, 2 May 2024, 03:45 Vincent Lefevre, <vinc...@vinc17.net> wrote:
> 
> > On 2024-05-01 19:05:06 +0100, Richard Lewis wrote:
> > > I agree that you should be able to filter out duplicate lines. And I
> > > think this is possible with a custom filter.
> >
> > Yes, but "sed" may not be the best tool for that. With sed, removing
> > lines containing only the usual network managers is easier.
> 
> You don't have to use sed, you can set anything. I'd use awk or sort.

Using sort is not possible here, as the whole file would be sorted.

> But then you don't know if things have disappeared.

Which can already happen with the default filter, because the actual
list is replaced by

  systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager

The default filter is either doing too little or doing too much.

> > > I don't think it should be the default - most chkrootkit users have a more
> > > static network setup,
> >
> > If they have a static network setup, why hide the interface name?
> 
> I believe this was because if you have multiple interfaces they may not
> have static names (in the days where these were eth0 vs eth1) and because
> e.g. dhcpcd was set up to listen on eth0 and wlan0 even if eth0 wasn't used.
> Maybe some of these assumptions are out of date?

AFAIK, systemd uses more complex names for predictability/stability.
For instance, on one of my machines, I have "enp0s25". See

  https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/

Alternatively, users can define "persistent net" udev rules, such as
giving the interface name based on the MAC address of the interface:

  SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="<MAC address>", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

> > But are lines containing *only* the usual network managers suspicious?
> 
> No, but it is suspicious if anything changed.

With the default filter, it will not detect all changes.

IMHO, either only the PID should be hidden (this is typically the
only thing that changes in static network setups) or the usual
network managers should entirely be ignored, such as with...

> Please also see the manpage which tells you how to use -s to remove these
> lines. The config file can easily be used to use -s each time.

Yes, I think that -s is the best solution for a laptop, but there
are issues in the man page. I've just reported bug 1070231.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
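As an added illustration of the filtering strategy argued for above (not code from the thread or from chkrootkit): a custom filter that hides only the PID in each "[NNNN]" suffix and then removes duplicate lines while keeping the original order, which plain sort cannot do. The sample lines are constructed for this example and are not real chkrootkit output.

```shell
# Constructed sample of sniffer-style report lines (not real chkrootkit
# output): the same daemon reported twice, plus an unexpected binary that
# a filter must not hide.
SAMPLE_OUTPUT='eth0: PACKET SNIFFER(/usr/sbin/dhcpcd[1234])
wlan0: PACKET SNIFFER(/usr/sbin/wpa_supplicant[1240])
eth0: PACKET SNIFFER(/usr/sbin/dhcpcd[1234])
eth0: PACKET SNIFFER(/opt/unknown/daemon[4242])'

# Hide only the PID: replace the numeric part of "[NNNN]" with the literal
# token "[PID]" so that interface and program path stay visible.
mask_pids() {
    sed -E 's/\[[0-9]+\]/[PID]/g'
}

# Order-preserving duplicate removal: awk keeps the first occurrence of
# each line and drops later repeats, without sorting the whole file.
dedup_keep_order() {
    awk '!seen[$0]++'
}

# Complete filter: mask PIDs first so that a restarted daemon with a new
# PID does not show up as a "change", then drop the duplicates.
filter_sniffer_lines() {
    mask_pids | dedup_keep_order
}

# Run the filter over the constructed sample.
filtered_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | filter_sniffer_lines
}

filtered_sample
```

The unexpected entry on the last sample line survives the filter, which is the point of hiding the PID rather than the whole list of network managers.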