Package: chkrootkit
Version: 0.47-1.1
Followup-For: Bug #286735
I've also done something similar, but I have used sed to change output rather than just deleting it.

In any case, I suggest keeping the "raw" output from chkrootkit in, say, $LOG_DIR/log.today.raw and putting post-filtering results in $LOG_DIR/log.today; the diff is then

diff -u $LOG_DIR/log.today $LOG_DIR/log.expected

(the attached patch hardcodes the sed thing, but following the approach of using a variable seems better)
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.29-xen
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Versions of packages chkrootkit depends on:
ii binutils 2.17-3 The GNU assembler, linker and bina
ii debconf [debconf-2.0] 1.5.11etch1 Debian configuration management sy
ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii net-tools 1.60-17 The NET-3 networking toolkit
ii procps 1:3.2.7-3 /proc file system utilities
chkrootkit recommends no packages.
-- debconf information:
* chkrootkit/run_daily: true
* chkrootkit/diff_mode: false
* chkrootkit/run_daily_opts: -q
--- /root/keep/etc-_-cron.daily-_-chkrootkit.orig 2006-03-19
23:31:06.000000000 +0000
+++ /etc/cron.daily/chkrootkit 2008-06-07 12:34:41.000000000 +0100
@@ -20,6 +20,35 @@
cat $LOG_DIR/log.new
fi
mv $LOG_DIR/log.new $LOG_DIR/log.old
+ elif [ "$DIFF_MODE" = "filtered" ]; then
+ $CHKROOTKIT $RUN_DAILY_OPTS >
$LOG_DIR/log.today.raw 2>&1
+ # the sed expression replaces the messages
about /sbin/dhclient3 /usr/sbin/dhcpd3
+ # with a message that is the same whatever
order eth0 and eth1 were scanned
+ sed -r 's,eth(0|1): PACKET
SNIFFER\((/sbin/dhclient3|/usr/sbin/dhcpd3)\[[0-9]+\]\),eth\[0|1\]: PACKET
SNIFFER\([dhclient3|dhcpd3]{PID}\),' $LOG_DIR/log.today.raw > $LOG_DIR/log.today
+ if [ ! -f $LOG_DIR/log.expected ]; then
+ echo "ERROR: No file
$LOG_DIR/log.expected"
+ echo "This file should contain
expected output from chkrootkit"
+ echo
+ echo "Today's run produced the
following output:"
+ echo "--- [ BEGIN: cat
$LOG_DIR/log.today ] ---"
+ cat $LOG_DIR/log.today
+ echo "--- [ END: cat
$LOG_DIR/log.today ] ---"
+ echo
+ echo "To create this file
containing all output from today's run, do (as root)"
+ echo "# cp -a
$LOG_DIR/log.today $LOG_DIR/log.expected"
+ echo "# (note that unedited
output is in $LOG_DIR/log.today.raw)"
+ elif ! diff -q $LOG_DIR/log.expected
$LOG_DIR/log.today > /dev/null 2>&1; then
+ echo "ERROR: chkrootkit output
was not as expected."
+ echo
+ echo "The difference is:"
+ echo "---[ BEGIN: diff -u
$LOG_DIR/log.expected $LOG_DIR/log.today ] ---"
+ diff -u $LOG_DIR/log.expected
$LOG_DIR/log.today || true
+ echo "---[ END: diff -u
$LOG_DIR/log.expected $LOG_DIR/log.today ] ---"
+ echo
+ echo "To update the expected
output, run (as root)"
+ echo "# cp -a -f
$LOG_DIR/log.today $LOG_DIR/log.expected"
+ echo "# (note that unedited
output is in $LOG_DIR/log.today.raw)"
+ fi
else
$CHKROOTKIT $RUN_DAILY_OPTS
fi
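Review bot: the new `elif [ "$DIFF_MODE" = "filtered" ]` branch cannot be reached through the package's configuration as shipped, because chkrootkit/diff_mode is a boolean debconf question (see the "debconf information" above, where it is `false`), so a third value would need either a new debconf select template or, as the text suggests, a separate variable such as the sed expression itself; without that the branch is dead code for anyone who does not hand-edit the cron script. Two smaller points in the same hunk: the sed pattern hardcodes `eth(0|1)` and the two daemon paths, so on a host whose sniffer runs on any other interface name the line is left unnormalised and every run after a reboot will be reported as a difference (a comment or the variable approach should say that the list is site-specific), and `$LOG_DIR` is used unquoted in `[ ! -f $LOG_DIR/log.expected ]` and in the `diff -q` test, which breaks if the log directory path ever contains whitespace; quoting it is cheap. The expected-output file is compared after filtering but the raw output is also kept, which is the right choice, since an analyst can always go back to log.today.raw to see exactly what chkrootkit printed.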