On Sun, 9 Mar 2025, 07:51 Peter Marschall, <peter@adpm.de> wrote:
when running chkrootkit using `chkrootkit-daily` in diff mode, ifpromisc sometimes raised an alert because its output appears in a different order.
this is why we have the diff mode and the filtering mechanism, to avoid
this kind of thing.
To avoid those false alerts, it would be good if the output of `ifpromisc`
would be sorted - at least for the non-EXPERT case.
If I saw it correctly in Debian's git repo, this should be a simple change in 'debian/patches/chkrootkit-sniffer.patch':
--- a/debian/patches/chkrootkit-sniffer.patch
+++ b/debian/patches/chkrootkit-sniffer.patch
@@ -48,10 +48,10 @@ index d1d84e4..9f2d0b4 100755
- [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q
+ status=0
+ if [ "${QUIET}" != "t" ]; then
-+ outmsg=$(./ifpromisc -v 2>&1)
++ outmsg=$(./ifpromisc 2>&1 | sort)
+ status=$?
+ else
-+ outmsg=$(./ifpromisc -q 2>&1)
++ outmsg=$(./ifpromisc -q 2>&1 | sort)
+ status=$?
+ fi
+ if [ "$status" = 0 ]; then
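Review bot: with `2>&1 | sort` in the two `++ outmsg=` lines, the `status=$?` that follows captures sort's exit status rather than ifpromisc's, so `status` is 0 whenever sort succeeds and the `if [ "$status" = 0 ]; then` at the end of the hunk no longer reflects what ifpromisc found. Capture first and sort afterwards, e.g. `outmsg=$(./ifpromisc -v 2>&1)`, `status=$?`, `outmsg=$(printf '%s\n' "$outmsg" | sort)`, or use `set -o pipefail` where the shell running chkrootkit is known to support it. Two further points in the same lines: stderr is merged into stdout before sorting, so any diagnostic line ends up interleaved with the interface lines, and the non-quiet branch silently drops `-v`; both should be intentional and stated in the patch description.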
i am not sure if this is a good idea.
it's adding "hardcoded" logic that can't be controlled by the user: and if
there is anything on stderr from ifpromisc then it will likely be moved
to the wrong place by sorting, which is not helpful (i think this does
happen if running as non-root, or in an unprivileged container that "sees"
host interfaces, and potentially if some dubious process is doing bad
things).
And by default the output *should* be stable anyway: can you give an
example of the output you are getting?
i think you are right about the -v. but i assume this is present upstream
and seems harmless (i'm not sure -x is ever useful tbh)
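The exit-status and stderr problems discussed above, shown in a runnable sketch. This is an added example, not chkrootkit's or Debian's code: `fake_ifpromisc` is a constructed stand-in for `./ifpromisc` (its lines and exit codes are made up), `naive_sorted` mirrors the proposed `2>&1 | sort` pattern, and `run_sorted` sorts only stdout while keeping stderr and the real exit status.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code. fake_ifpromisc is a constructed
# stand-in for ./ifpromisc: stdout order varies between runs, a diagnostic
# goes to stderr, and the exit status is 1 when a sniffer was "found".
fake_ifpromisc() {
    if [ "${1:-}" = "reverse" ]; then
        printf 'eth0: PACKET SNIFFER(/usr/sbin/tcpdump[1234])\n'
        printf 'lo: not promisc and no packet sniffer sockets\n'
    else
        printf 'lo: not promisc and no packet sniffer sockets\n'
        printf 'eth0: PACKET SNIFFER(/usr/sbin/tcpdump[1234])\n'
    fi
    printf 'ifpromisc: cannot open /proc/net/packet\n' >&2
    return 1
}

# The proposed pattern: $? after the pipeline is sort's exit status, not the
# command's, and the stderr line is merged into the sorted output.
naive_sorted() {
    outmsg=$("$@" 2>&1 | sort)
    status=$?
    return "$status"
}

# Capture stdout and stderr separately, then sort stdout only. The command's
# real exit status is preserved in $status and its stderr lines in $errmsg,
# so diff mode compares a stable listing and diagnostics stay recognisable.
run_sorted() {
    tmp_out=$(mktemp) || return 2
    tmp_err=$(mktemp) || { rm -f "$tmp_out"; return 2; }
    "$@" >"$tmp_out" 2>"$tmp_err"
    status=$?
    outmsg=$(sort "$tmp_out")
    errmsg=$(cat "$tmp_err")
    rm -f "$tmp_out" "$tmp_err"
    return "$status"
}
```

Running `run_sorted fake_ifpromisc` and `run_sorted fake_ifpromisc reverse` yields the same `$outmsg` and exit status 1, whereas `naive_sorted` returns 0 and folds the stderr line into the listing.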