Bug#890635: chkrootkit: Errors when trying to exclude known false positives
Package: chkrootkit
Version: 0.50-4+b2
Severity: important
Dear Maintainer,
I have installed both fail2ban and chkrootkit on Debian Stretch. It is not the
system I'm writing this report from. When running chkrootkit, it complains
about hidden files from fail2ban:
===
$ sudo chkrootkit -q
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
===
When attempting to tell chkrootkit to exclude those files, chkrootkit errors
with a weird error:
===
$ sudo chkrootkit -q -e '/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess'
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! grelm/.htpasswd 0 l2ban/tests/files/config/apache-augrelm/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-
auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-
packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
! wd 0 iles/config/apache-auth/digest_wrowd /usr/lib/python3/dist-
packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-
auth/noentry/.htaccess
===
Just to assure you, those files do in fact exist and there doesn't seem to be
any typo or special character in there, as ls finds those files just fine:
===
$ ls -lbh /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
-rw-r--r-- 1 root root 136 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
-rw-r--r-- 1 root root 47 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
-rw-r--r-- 1 root root 129 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
-rw-r--r-- 1 root root 47 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
-rw-r--r-- 1 root root 231 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
-rw-r--r-- 1 root root 117 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
-rw-r--r-- 1 root root 159 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
-rw-r--r-- 1 root root 62 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
-rw-r--r-- 1 root root 195 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
-rw-r--r-- 1 root root 62 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
-rw-r--r-- 1 root root 179 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
-rw-r--r-- 1 root root 62 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
-rw-r--r-- 1 root root 14 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
===
The issue seems to be that chkrootkit doesn't parse its arguments correctly or
it has a limit on how long the -e argument can be. In fact, if you remove
several file paths from either the beginning or the end of the -e argument,
chkrootkit works as intended and lists just the removed file paths as false
positives. Ideally users should be able to specify any number of file paths to
be excluded.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages chkrootkit depends on:
ii binutils 2.30-4
ii debconf [debconf-2.0] 1.5.65
ii libc6 2.26-6
ii net-tools 1.60+git20161116.90da8a0-1
ii openssh-client 1:7.6p1-4
ii procps 2:3.3.12-4
chkrootkit recommends no packages.
chkrootkit suggests no packages.
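
Added example, not part of the original report and not chkrootkit's own code: one way to suppress the known false positives without a long -e argument is to post-filter the output of chkrootkit -q against an allowlist file. The names filter_known, filter_known_demo and FP_ALLOWLIST and the path /tmp/.constructed-hidden are hypothetical; paths are assumed to contain no whitespace, since the output shown in the report separates them with spaces.

```shell
#!/bin/sh
# Added example: post-filter chkrootkit output against an allowlist file
# instead of passing every path through one long -e argument.

# filter_known ALLOWLIST
#   stdin:  chkrootkit -q output; suspicious files arrive as absolute paths
#           separated by spaces, as in the report above.
#   stdout: paths not listed in ALLOWLIST (one exact path per line), printed
#           one per line. A line that is not purely a list of absolute paths
#           is passed through unchanged, so other findings are never hidden.
#   A missing or empty ALLOWLIST suppresses nothing.
filter_known() {
    FP_ALLOWLIST=$1 awk '
        BEGIN {
            list = ENVIRON["FP_ALLOWLIST"]
            while ((getline p < list) > 0)
                if (p != "") known[p] = 1
        }
        {
            # Any token that is not an absolute path: keep the whole line.
            for (i = 1; i <= NF; i++)
                if ($i !~ /^\//) { print; next }
            # Pure path list: drop exact allowlist matches only.
            for (i = 1; i <= NF; i++)
                if (!($i in known)) print $i
        }'
}

# Constructed sample: two fail2ban test files from the report are allowlisted,
# one made-up hidden file and one non-path warning line must survive.
filter_known_demo() {
    d=/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth
    list=$(mktemp)
    printf '%s\n' "$d/noentry/.htaccess" "$d/digest/.htpasswd" > "$list"
    printf '%s\n' \
        "$d/digest/.htpasswd /tmp/.constructed-hidden $d/noentry/.htaccess" \
        '! RUID PID TTY CMD' | filter_known "$list"
    rm -f "$list"
}
```

The allowlist matches on path only, so it says nothing about file contents; dpkg --verify fail2ban can be used to check that the allowlisted files are still the ones the package shipped.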