Bug 1071547
| Summary: | Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Harald Reindl <h.reindl> |
| Component: | rkhunter | Assignee: | Kevin Fenzi <kevin> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 20 | CC: | kevin, nonamedotc |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | rkhunter-1.4.2-5.fc19 | Doc Type: | Bug Fix |
| Last Closed: | 2014-03-15 15:01:44 UTC | Type: | Bug |
Description
Harald Reindl
2014-03-01 15:37:49 UTC
Can you pinpoint what change caused it to start happening?
Did you make any changes to rkhunter.conf* ?
What does 'rkhunter -C' output?
Did anything delete/tamper with your /var/lib/rkhunter/db/i18n files?

> Can you pinpoint what change caused it to start happening?

sorry no, i realized it too late because it was buried in expected alarms caused by updates and i don't keep that mails from my personal machines
no changes in context rkhunter, only the typical fedora
updates with no problems noticed
[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP
[root@srv-rhsoft:~]$
yes, a different machine, but both are mirrored 2011 and config / packages are identical (controlled by own scripts)
____________________________________________________________________
[root@srv-rhsoft:~]$ cat /etc/rkhunter.conf.local
MAIL-ON-WARNING=""
IP_CMD=DISABLED
ALLOWPROMISCIF="eth0 eth1 eth2 bond0"
PORT_WHITELIST="TCP:6666"
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/md/md-device-map
ALLOWDEVFILE=/dev/shm/mono*
ALLOWDEVFILE=/dev/shm/sem.jack_sem.0_default_system
ALLOWDEVFILE=/dev/shm/jack-shm-registry
ALLOWDEVFILE=/dev/md/autorebuild.pid
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio_Launcher
ALLOW_SSH_ROOT_USER=without-password
ALLOW_SSH_PROT_V1=0
HASH_FUNC=sha1sum
____________________________________________________________________
[root@srv-rhsoft:~]$ stat /etc/rkhunter.conf.local
Datei: „/etc/rkhunter.conf.local“
Größe: 628 Blöcke: 8 EA Block: 4096 reguläre Datei
Gerät: 901h/2305d Inode: 1178855 Verknüpfungen: 1
Zugriff: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 0/ root)
Zugriff : 2013-07-11 01:23:20.345312894 +0200
Modifiziert: 2013-08-14 00:46:57.514761712 +0200
Geändert : 2013-08-14 00:46:57.514761712 +0200
Geburt : -
[root@srv-rhsoft:~]$ stat /etc/rkhunter.conf
Datei: „/etc/rkhunter.conf“
Größe: 39260 Blöcke: 80 EA Block: 4096 reguläre Datei
Gerät: 901h/2305d Inode: 1182404 Verknüpfungen: 1
Zugriff: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 0/ root)
Zugriff : 2013-08-03 12:53:24.000000000 +0200
Modifiziert: 2013-08-03 12:53:24.000000000 +0200
Geändert : 2014-01-02 02:26:47.995314136 +0100
Geburt : -

Can you please provide the output of 'rkhunter -C' ?

sorry, somehow i missed to copy&paste the non existing output of the command in my last reply that should have been before "yes, a different machine"

[root@srv-rhsoft:~]$ rkhunter -C
[root@srv-rhsoft:~]$

Did anything change with your network config? ie, does 'ifconfig -a' show an interface in PROMISC with no ip?

not recently, the network config is untouched for at least 6 months
[root@srv-rhsoft:~]$ ifconfig -a
br0: flags=4675<UP,BROADCAST,RUNNING,ALLMULTI,MULTICAST> mtu 1500
inet 192.168.x.x netmask 255.255.255.0 broadcast 192.168.2.255
ether 24:be:05:1a:c0:27 txqueuelen 0 (Ethernet)
RX packets 287271 bytes 51650364 (49.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 390128 bytes 235700698 (224.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.x.x netmask 255.255.255.0 broadcast 192.168.10.255
ether 0a:00:68:68:6a:be txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 62580 bytes 11192044 (10.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
ether 24:be:05:1a:c0:27 txqueuelen 500 (Ethernet)
RX packets 187636 bytes 43638865 (41.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 263224 bytes 65153847 (62.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf7e00000-f7e20000
eth1: flags=67<UP,BROADCAST,RUNNING> mtu 1500
inet 62.178.x.x netmask 255.255.255.0 broadcast 255.255.255.255
ether 00:50:8d:b5:cc:de txqueuelen 500 (Ethernet)
RX packets 73880328 bytes 40979671833 (38.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 64306696 bytes 37592237028 (35.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16 memory 0xf7cc0000-f7ce0000
eth2: flags=4355<UP,BROADCAST,PROMISC,MULTICAST> mtu 1500
ether 0a:00:68:68:6a:be txqueuelen 500 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 0 (Lokale Schleife)
RX packets 1908098 bytes 375880932 (358.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1908098 bytes 375880932 (358.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1472
inet 10.x.x.x netmask 255.255.255.0 broadcast 10.0.0.255
ether 96:06:55:09:62:4f txqueuelen 100 (Ethernet)
RX packets 1438366 bytes 1038973302 (990.8 MiB)
RX errors 0 dropped 24173 overruns 0 frame 0
TX packets 1064882 bytes 111660824 (106.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vmnet8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.x.x netmask 255.255.255.0 broadcast 192.168.196.255
ether 00:50:56:c0:00:08 txqueuelen 1000 (Ethernet)
RX packets 288861 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 378676 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 28:10:7b:ca:be:51 txqueuelen 1000 (Ethernet)
RX packets 99618 bytes 12784267 (12.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 271348 bytes 198533592 (189.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 28:10:7b:ca:be:52 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 62580 bytes 12318484 (11.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
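
Added example (not part of the bug report and not rkhunter's own code): a shell check that lists the interfaces flagged PROMISC in 'ifconfig -a' output, marks those without an inet line, and compares them with an allowlist such as the ALLOWPROMISCIF value above. The sample input is constructed from the flags lines in this report plus a hypothetical veth9; treating "no inet line" as "no IP" is an assumption about what NETWORK_PROMISC_NO_IP refers to.

```shell
#!/bin/sh
# Constructed sample: flags/inet lines abridged from the report; veth9 is hypothetical.
sample_ifconfig() {
cat <<'EOF'
br0: flags=4675<UP,BROADCAST,RUNNING,ALLMULTI,MULTICAST> mtu 1500
        inet 192.168.x.x netmask 255.255.255.0 broadcast 192.168.2.255
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
        ether 24:be:05:1a:c0:27 txqueuelen 500 (Ethernet)
eth1: flags=67<UP,BROADCAST,RUNNING> mtu 1500
        inet 62.178.x.x netmask 255.255.255.0 broadcast 255.255.255.255
eth2: flags=4355<UP,BROADCAST,PROMISC,MULTICAST> mtu 1500
        ether 0a:00:68:68:6a:be txqueuelen 500 (Ethernet)
veth9: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
        inet 192.0.2.9 netmask 255.255.255.0 broadcast 192.0.2.255
EOF
}

# promisc_report ALLOWLIST   (reads ifconfig output on stdin)
# Prints one line per PROMISC interface: <name> <ip|no-ip> <allowed|unexpected>
promisc_report() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, "[ ,]+"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        function emit() {
            if (name != "" && promisc)
                print name, (hasip ? "ip" : "no-ip"), ((name in ok) ? "allowed" : "unexpected")
        }
        /^[^ \t]+: flags=/ {          # start of a new interface stanza
            emit()
            name = $1; sub(/:$/, "", name)
            hasip = 0
            promisc = ($0 ~ /[<,]PROMISC[,>]/)
            next
        }
        /^[ \t]*inet / { hasip = 1 }  # IPv4 address line (does not match inet6)
        END { emit() }
    '
}

# Succeeds only when every PROMISC interface is on the allowlist.
promisc_check() {
    ! promisc_report "$1" | grep -q ' unexpected$'
}

# Allowlist copied from the reporter's ALLOWPROMISCIF setting.
sample_ifconfig | promisc_report "eth0 eth1 eth2 bond0"
```

On a live system the input would be 'ifconfig -a | promisc_report "..."' instead of the constructed sample.
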

Looks like this is due to upstream releasing a new version (1.4.2) and changing the update db setup to handle it, but not still be compatible with the older 1.4.0 version. ;(

I'm going to push a 1.4.2 update out very soon... not sure if upstream is also able to fix this for 1.4.0 in the mean time...

If you want to test, here's a f20 scratch build I am testing here now:
http://koji.fedoraproject.org/koji/taskinfo?taskID=6603634

It seems to work, but is very slow. ;(

hm - that comes up with a different problem
rkhunter.noarch 0:1.4.2-1.fc20
[root@rh:/downloads]$ rkhunter --propupd
[root@rh:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
[root@rh:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF="eth0 eth1 bond0"
[root@rh:/downloads]$ nano /etc/rkhunter.conf.local
[root@rh:/downloads]$ rkhunter --check
Warning: Possible promiscuous interfaces:
'ifconfig' command output:
bond0: flags=5443<UP,BROADCAST,RUNNING,PROMISC,MASTER,MULTICAST> mtu 1472
[root@rh:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
[root@rh:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF="eth0,eth1,bond0"

Can you try please:

ALLOWPROMISCIF=eth0 eth1 bond0

(ie, spaces but no "s)

i tried "ALLOWPROMISCIF=eth0 eth1 bond0" already before my last reply here, the same result

ok. We may have to take this to upstream... some last things to check:

* does 'rpm -V rkhunter' show that only /etc/rkhunter.conf is changed?
* There's not a /etc/rkhunter.conf.rpm* file is there?
* Does 'rkhunter --update' change anything?

I'll try and also duplicate this here on a test machine this weekend if possible...

_____________________________________________________________
[root@srv-rhsoft:~]$ LANG=C
[root@srv-rhsoft:~]$ rpm -V rkhunter
..5....T. c /etc/sysconfig/rkhunter
S.5....T. /var/lib/rkhunter/db/i18n/en
[root@srv-rhsoft:~]$ ls /etc/rkhunter.conf*
-rw-r----- 1 root root 39K 2013-08-03 12:53 /etc/rkhunter.conf
-rw-r----- 1 root root 628 2013-08-14 00:46 /etc/rkhunter.conf.local
-rw-r----- 1 root root 628 2013-08-13 01:24 /etc/rkhunter.conf.local.save
[root@srv-rhsoft:~]$ rkhunter --update
[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP
[root@srv-rhsoft:~]$ rpm -q rkhunter
rkhunter-1.4.0-9.fc20.noarch
_____________________________________________________________

what is interesting is that in the scratch-build above "ALLOWPROMISCIF" whines and in the current fedora-version "INFO NETWORK_PROMISC_NO_IP" is part of the message - wild guess: that is somehow related

Can you upgrade to the scratch build and do a 'rkhunter --update' then 'rkhunter --check' ? Does that still give the same error?

surely, it's my job as reporter :-) below complete outputs scratch-build and after downgrade again
___________________________________
[root@srv-rhsoft:~]$ rpm -q rkhunter
rkhunter-1.4.2-1.fc20.noarch
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --update
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
___________________________________
[root@srv-rhsoft:~]$ rpm -q rkhunter
rkhunter-1.4.0-9.fc20.noarch
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --update
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP

Thanks. asking upstream what could be going on here...

If you change:

ALLOWPROMISCIF=eth0 eth1 bond0

to:

ALLOWPROMISCIF=eth0
ALLOWPROMISCIF=eth0
ALLOWPROMISCIF=bond0

With the new 1.4.2 one does it stop complaining?

(I of course meant eth1 on the second line there)

no, with or without quotes makes no difference

[root@srv-rhsoft:/downloads]$ rkhunter --update
[root@srv-rhsoft:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
[root@srv-rhsoft:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF="eth0"
ALLOWPROMISCIF="eth1"
ALLOWPROMISCIF="eth2"
ALLOWPROMISCIF="bond0"
[root@srv-rhsoft:/downloads]$ nano /etc/rkhunter.conf.local
[root@srv-rhsoft:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
[root@srv-rhsoft:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF=eth0
ALLOWPROMISCIF=eth1
ALLOWPROMISCIF=eth2
ALLOWPROMISCIF=bond0

ok, make sure 1.4.2 is installed then edit /usr/bin/rkhunter and change the 'space_list' on line 5757 to 'space-list'

Does it then operate as expected?

I'm asking upstream if they plan a new release to fix this, or if I will just patch it locally.

good catch - that looks better - needed "rpl" because all my editors are converting tabs to spaces and killing the rkhunter-binary that way...
__________________________________
[root@srv-rhsoft:/downloads]$ rpl "space_list ALLOWPROMISCIF" "space-list ALLOWPROMISCIF" /usr/bin/rkhunter
Replacing "space_list ALLOWPROMISCIF" with "space-list ALLOWPROMISCIF" (case sensitive) (partial words matched)
.
A Total of 1 matches replaced in 1 file searched.
__________________________________
[root@srv-rhsoft:/downloads]$ rkhunter --propupd; rkhunter --update; rkhunter --propupd; rkhunter --check
Warning: Package manager verification has failed:
File: /usr/bin/rkhunter
The file hash value has changed
The file modification time has changed
Warning: Suspicious file types found in /dev:
/dev/shm/sem.SWT_Window_Zend<SP>Studio: data
__________________________________

Upstream annoyingly 're-released' 1.4.2 with this fix as well as a few others. Look for an update in a bit here....

Can you test this scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=6630812

bingo - that solves it :-) thank you!

[root@srv-rhsoft:/downloads]$ rpm -Uvh --force rkhunter-1.4.2-1.fc20.noarch.rpm
Vorbereiten... ################################# [100%]
Aktualisierung/ Installation...
1:rkhunter-1.4.2-1.fc20 ################################# [100%]
[root@srv-rhsoft:/downloads]$ rkhunter --update; rkhunter --propupd
[root@srv-rhsoft:/downloads]$ rkhunter --check
[root@srv-rhsoft:/downloads]$

*argh* on servers "man-db" and its dependency-chain is not installed

[root@testserver:~]$ rkhunter --propupd
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/whatis
[root@testserver:~]$ rkhunter --check
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/whatis
_______________________________________________________
[harry@srv-rhsoft:~]$ rpm -q --file /usr/bin/whatis
man-db-2.6.5-2.fc20.x86_64

"srv-rhsoft" is a hybrid workstation/homeserver
"testserver" is a stripped down setup likely our production

Does adding:

EXISTWHITELIST=/usr/bin/whatis

then --propupd and re-run fix that?

confirmed

[root@testserver:~]$ sync
[root@testserver:~]$ nano /etc/rkhunter.conf.local
[root@testserver:~]$ cat /etc/rkhunter.conf.local | grep EXISTWHITELIST
EXISTWHITELIST=/usr/bin/whatis
[root@testserver:~]$ rkhunter --propupd
[root@testserver:~]$ rkhunter --check
[root@testserver:~]$

rkhunter-1.4.2-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.fc20

rkhunter-1.4.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.fc19

rkhunter-1.4.2-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.el6

rkhunter-1.4.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

rkhunter-1.4.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

rkhunter-1.4.2-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-5.fc19

rkhunter-1.4.2-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.