Bug#1070152: chkrootkit: duplicate line from ifpromisc

2024-05-02 Thread Vincent Lefevre
On 2024-05-02 08:57:10 +0100, Richard Lewis wrote:
> On Thu, 2 May 2024, 03:45 Vincent Lefevre,  wrote:
> 
> > On 2024-05-01 19:05:06 +0100, Richard Lewis wrote:
> > > I agree that you should be able to filter out duplicate lines. And I think
> > > this is possible with a custom filter.
> >
> > Yes, but "sed" may not be the best tool for that. With sed, removing
> > lines containing only the usual network managers is easier.
> 
> you don't have to use sed, you can set anything. I'd use awk or sort.

Using sort is not possible here, as the whole file would be sorted.

> but then you dont know if things have disappeared.

which can already happen with the default filter, because the actual
list is replaced by
  systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager

The default filter is either doing too little or doing too much.

> > > I don't think it should be the default - most chkrootkit users have a more
> > > static network setup,
> >
> > If they have a static network setup, why hide the interface name?
> 
> I believe this was because if you have multiple interfaces they may not
> have static names (in the days when these were eth0 vs eth1) and because
> e.g. dhcpcd was set up to listen on eth0 and wlan0 even if eth0 wasn't used.
> maybe some of these assumptions are out of date?

AFAIK, systemd uses more complex names for predictability/stability.
For instance, on one of my machines, I have "enp0s25". See

https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/

Alternatively, users can define "persistent net" udev rules, such as
giving the interface name based on the MAC address of the interface:

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="", 
ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

> > But are lines containing *only* the usual network managers suspicious?
> 
> no, but it is suspicious if anything changed.

With the default filter, it will not detect all changes.

IMHO, either only the PID should be hidden (this is typically the
only thing that changes in static network setups) or the usual
network managers should entirely be ignored, such as with...

> Please also see the manpage which tells you how to use -s to remove these
> lines. The config file can easily be used to use -s each time.

Yes, I think that -s is the best solution for a laptop, but there
are issues in the man page. I've just reported bug 1070231.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
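Added example, not part of the thread and not the actual FILTER from /etc/chkrootkit/chkrootkit.conf: three small shell filters for ifpromisc output, one hiding only the PID (the first option proposed above), one dropping lines whose sniffers are all in the known-manager list used by the default filter (the second option), and an awk de-duplication that, unlike sort, keeps the log in its original order. The sample input is constructed from the unfiltered output quoted in the thread; the {PID} placeholder and the function names are my own.

```shell
#!/bin/sh
# Added example: filters for ifpromisc output. Not chkrootkit's own FILTER.

# The network managers named by the default filter's placeholder.
KNOWN='systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager'

# Constructed sample, taken from the unfiltered output quoted in the thread.
SAMPLE='lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1261])
wlp0s20f3: PACKET SNIFFER(/usr/sbin/NetworkManager[1261], /usr/sbin/wpa_supplicant[1263])'

# Option 1: hide only the PID. Interface names stay visible, so a replaced
# interface still shows up as a difference against log.expected.
hide_pid() {
    sed -E 's/\[[0-9]+\]/{PID}/g'
}

# Option 2: drop PACKET SNIFFER lines whose processes are *all* known
# network managers; a line with any other sniffer is kept verbatim.
drop_known_sniffers() {
    awk -v known="$KNOWN" '
        BEGIN { re = "^(" known ")$" }
        /: PACKET SNIFFER\(/ {
            inner = $0
            sub(/^[^(]*\(/, "", inner)        # keep what is inside (...)
            sub(/\)$/, "", inner)
            n = split(inner, procs, /, */)
            allknown = 1
            for (i = 1; i <= n; i++) {
                p = procs[i]
                sub(/\[[0-9]+\]$/, "", p)      # strip the [PID] suffix
                sub(/.*\//, "", p)             # keep only the basename
                if (p !~ re) allknown = 0
            }
            if (allknown) next
        }
        { print }'
}

# Duplicate removal that keeps the first occurrence and the file order,
# unlike sort | uniq, which would reorder the whole log.
dedup() {
    awk '!seen[$0]++'
}

printf '%s\n' "$SAMPLE" | hide_pid
printf '%s\n' "$SAMPLE" | drop_known_sniffers
```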



Bug#1070152: chkrootkit: duplicate line from ifpromisc

2024-05-02 Thread Richard Lewis
On Thu, 2 May 2024, 03:45 Vincent Lefevre,  wrote:

> On 2024-05-01 19:05:06 +0100, Richard Lewis wrote:
> > I agree that you should be able to filter out duplicate lines. And I think
> > this is possible with a custom filter.
>
> Yes, but "sed" may not be the best tool for that. With sed, removing
> lines containing only the usual network managers is easier.
>

you don't have to use sed, you can set anything. I'd use awk or sort.
but then you don't know if things have disappeared.



> > I don't think it should be the default - most chkrootkit users have a more
> > static network setup,
>
> If they have a static network setup, why hide the interface name?
>

I believe this was because if you have multiple interfaces they may not
have static names (in the days when these were eth0 vs eth1) and because
e.g. dhcpcd was set up to listen on eth0 and wlan0 even if eth0 wasn't used.
maybe some of these assumptions are out of date?

> Doing that makes the output more confusing, and the replacement of
> an interface by another one would not be detected.
>
> > and the alert shows something has changed. For laptops where
> > networking is more dynamic it's hard to design something that works
> > for everyone without also hiding information for other people.
>
> But are lines containing *only* the usual network managers suspicious?


no, but it is suspicious if anything changed.

Please also see the manpage which tells you how to use -s to remove these
lines. The config file can easily be used to use -s each time.


Bug#1070152: chkrootkit: duplicate line from ifpromisc

2024-05-01 Thread Vincent Lefevre
On 2024-05-01 19:05:06 +0100, Richard Lewis wrote:
> I agree that you should be able to filter out duplicate lines. And I think
> this is possible with a custom filter.

Yes, but "sed" may not be the best tool for that. With sed, removing
lines containing only the usual network managers is easier.

> I don't think it should be the default - most chkrootkit users have a more
> static network setup,

If they have a static network setup, why hide the interface name?
Doing that makes the output more confusing, and the replacement of
an interface by another one would not be detected.

> and the alert shows something has changed. For laptops where
> networking is more dynamic it's hard to design something that works
> for everyone without also hiding information for other people.

But are lines containing *only* the usual network managers suspicious?




Bug#1070152: chkrootkit: duplicate line from ifpromisc

2024-05-01 Thread Richard Lewis
On Wed, 1 May 2024, 00:57 Vincent Lefevre,  wrote:

> On 2024-05-01 01:29:10 +0200, Vincent Lefevre wrote:
> > For instance, /var/log/chkrootkit/log.expected contains
> >
> > WARNING: Output from ifpromisc:
> > lo: not promisc and no packet sniffer sockets
> > : PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> >
> > But /var/log/chkrootkit/log.today currently has a duplicate line:
> >
> > WARNING: Output from ifpromisc:
> > lo: not promisc and no packet sniffer sockets
> > : PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> > : PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> >
> > which has the effect of generating an alert.
>
> This is actually due to the filter in /etc/chkrootkit/chkrootkit.conf,
> which obfuscates the output.
>
> The unfiltered output:
>
> lo: not promisc and no packet sniffer sockets
> eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1261])
> wlp0s20f3: PACKET SNIFFER(/usr/sbin/NetworkManager[1261], /usr/sbin/wpa_supplicant[1263])
>
> But for a laptop, there is not always an Ethernet cable plugged in.
>
> IMHO, known packet sniffers should be filtered out.
>

I agree that you should be able to filter out duplicate lines. And I think
this is possible with a custom filter.


I don't think it should be the default - most chkrootkit users have a more
static network setup, and the alert shows something has changed. For
laptops where networking is more dynamic it's hard to design something that
works for everyone without also hiding information for other people.

I think the defaults need to be conservative, while allowing people to hide
what they want.

Maybe the best solution is to provide more docs/examples about how to hide
duplicate lines.


Bug#1070152: chkrootkit: duplicate line from ifpromisc

2024-04-30 Thread Vincent Lefevre
On 2024-05-01 01:29:10 +0200, Vincent Lefevre wrote:
> For instance, /var/log/chkrootkit/log.expected contains
> 
> WARNING: Output from ifpromisc:
> lo: not promisc and no packet sniffer sockets
> : PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> 
> But /var/log/chkrootkit/log.today currently has a duplicate line:
> 
> WARNING: Output from ifpromisc:
> lo: not promisc and no packet sniffer sockets
> : PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> : PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> 
> which has the effect of generating an alert.

This is actually due to the filter in /etc/chkrootkit/chkrootkit.conf,
which obfuscates the output.

The unfiltered output:

lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1261])
wlp0s20f3: PACKET SNIFFER(/usr/sbin/NetworkManager[1261], /usr/sbin/wpa_supplicant[1263])

But for a laptop, there is not always an Ethernet cable plugged in.

IMHO, known packet sniffers should be filtered out.




Bug#1070152: chkrootkit: duplicate line from ifpromisc

2024-04-30 Thread Vincent Lefevre
Package: chkrootkit
Version: 0.58b-1+b2
Severity: normal

In the generated log, I sometimes get a duplicate line from ifpromisc.

For instance, /var/log/chkrootkit/log.expected contains

WARNING: Output from ifpromisc:
lo: not promisc and no packet sniffer sockets
: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})

But /var/log/chkrootkit/log.today currently has a duplicate line:

WARNING: Output from ifpromisc:
lo: not promisc and no packet sniffer sockets
: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
: PACKET SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})

which has the effect of generating an alert.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.15-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii  libc6  2.37-19

Versions of packages chkrootkit recommends:
ii  anacron                         2.3-40
ii  binutils                        2.42-4
ii  cron [cron-daemon]              3.0pl1-189
ii  iproute2                        6.8.0-1
ii  mailutils [mailx]               1:3.17-1.1+b2
ii  net-tools                       2.10-1.1
ii  postfix [mail-transport-agent]  3.9.0-2
ii  procps                          2:4.0.4-4
ii  systemd-sysv                    255.4-1+b1

chkrootkit suggests no packages.

-- no debconf information
