Bug 1071547 - Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP
Summary: Error: Invalid display - keyword cannot be found: Display line: display --to ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-03-01 15:37 UTC by Harald Reindl
Modified: 2014-11-07 02:40 UTC (History)
2 users (show)

Fixed In Version: rkhunter-1.4.2-5.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-15 15:01:44 UTC
Type: Bug


Attachments (Terms of Use)

Description Harald Reindl 2014-03-01 15:37:49 UTC
this nonsense triggers daily alert mails starting a few days ago

[root@rh:~]$ rkhunter --check
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP

Comment 1 Kevin Fenzi 2014-03-01 17:46:05 UTC
Can you pinpoint what change caused it to start happening? 

Did you make any changes to rhunter.conf* ? 

What does 'rkhunter -C' output?

Did anything delete/tamper with your /var/lib/rkhunter/db/i18n files?

Comment 2 Harald Reindl 2014-03-01 18:10:43 UTC
> Can you pinpoint what change caused it to start happening? 

sorry no, i realized it too late because it was burried in expected alarms caused by updates and i don't keep that mails from my personal machines 

no changes in context rkhunter, only the typical fedora 
updates with no problems noticed

[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP
[root@srv-rhsoft:~]$

yes, a different machine, but both are mirrored 2011 and config / packages are identical (controlled by own scripts)
____________________________________________________________________

[root@srv-rhsoft:~]$ cat /etc/rkhunter.conf.local
MAIL-ON-WARNING=""

IP_CMD=DISABLED
ALLOWPROMISCIF="eth0 eth1 eth2 bond0"
PORT_WHITELIST="TCP:6666"

ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENDIR=/etc/.java

ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore

ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/md/md-device-map
ALLOWDEVFILE=/dev/shm/mono*
ALLOWDEVFILE=/dev/shm/sem.jack_sem.0_default_system
ALLOWDEVFILE=/dev/shm/jack-shm-registry
ALLOWDEVFILE=/dev/md/autorebuild.pid
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio_Launcher

ALLOW_SSH_ROOT_USER=without-password
ALLOW_SSH_PROT_V1=0

HASH_FUNC=sha1sum
____________________________________________________________________

[root@srv-rhsoft:~]$ stat /etc/rkhunter.conf.local
  Datei: „/etc/rkhunter.conf.local“
  Größe: 628            Blöcke: 8          EA Block: 4096   reguläre Datei
Gerät: 901h/2305d       Inode: 1178855     Verknüpfungen: 1
Zugriff: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (    0/    root)
Zugriff    : 2013-07-11 01:23:20.345312894 +0200
Modifiziert: 2013-08-14 00:46:57.514761712 +0200
Geändert   : 2013-08-14 00:46:57.514761712 +0200
 Geburt    : -

[root@srv-rhsoft:~]$ stat /etc/rkhunter.conf
  Datei: „/etc/rkhunter.conf“
  Größe: 39260          Blöcke: 80         EA Block: 4096   reguläre Datei
Gerät: 901h/2305d       Inode: 1182404     Verknüpfungen: 1
Zugriff: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (    0/    root)
Zugriff    : 2013-08-03 12:53:24.000000000 +0200
Modifiziert: 2013-08-03 12:53:24.000000000 +0200
Geändert   : 2014-01-02 02:26:47.995314136 +0100
 Geburt    : -

Comment 3 Kevin Fenzi 2014-03-01 18:18:16 UTC
Can you please provide the output of 'rkhunter -C' ?

Comment 4 Harald Reindl 2014-03-01 18:20:51 UTC
sorry, somehow i misse to copy&paste the non existing output of the command in my last reply that should have been before "yes, a different machine"

[root@srv-rhsoft:~]$ rkhunter -C
[root@srv-rhsoft:~]$

Comment 5 Kevin Fenzi 2014-03-02 21:25:57 UTC
Did anything change with your network config? 
ie, does 'ifconfig -a' show an interface in PROMISC with no ip?

Comment 6 Harald Reindl 2014-03-02 21:29:51 UTC
not recently, the network config is untouched for at least 6 months

[root@srv-rhsoft:~]$ ifconfig -a
br0: flags=4675<UP,BROADCAST,RUNNING,ALLMULTI,MULTICAST>  mtu 1500
        inet 192.168.x.x  netmask 255.255.255.0  broadcast 192.168.2.255
        ether 24:be:05:1a:c0:27  txqueuelen 0  (Ethernet)
        RX packets 287271  bytes 51650364 (49.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 390128  bytes 235700698 (224.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.x.x  netmask 255.255.255.0  broadcast 192.168.10.255
        ether 0a:00:68:68:6a:be  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 62580  bytes 11192044 (10.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        ether 24:be:05:1a:c0:27  txqueuelen 500  (Ethernet)
        RX packets 187636  bytes 43638865 (41.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 263224  bytes 65153847 (62.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7e00000-f7e20000  

eth1: flags=67<UP,BROADCAST,RUNNING>  mtu 1500
        inet 62.178.x.x  netmask 255.255.255.0  broadcast 255.255.255.255
        ether 00:50:8d:b5:cc:de  txqueuelen 500  (Ethernet)
        RX packets 73880328  bytes 40979671833 (38.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 64306696  bytes 37592237028 (35.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xf7cc0000-f7ce0000  

eth2: flags=4355<UP,BROADCAST,PROMISC,MULTICAST>  mtu 1500
        ether 0a:00:68:68:6a:be  txqueuelen 500  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Lokale Schleife)
        RX packets 1908098  bytes 375880932 (358.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1908098  bytes 375880932 (358.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1472
        inet 10.x.x.x  netmask 255.255.255.0  broadcast 10.0.0.255
        ether 96:06:55:09:62:4f  txqueuelen 100  (Ethernet)
        RX packets 1438366  bytes 1038973302 (990.8 MiB)
        RX errors 0  dropped 24173  overruns 0  frame 0
        TX packets 1064882  bytes 111660824 (106.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vmnet8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.x.x  netmask 255.255.255.0  broadcast 192.168.196.255
        ether 00:50:56:c0:00:08  txqueuelen 1000  (Ethernet)
        RX packets 288861  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 378676  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 28:10:7b:ca:be:51  txqueuelen 1000  (Ethernet)
        RX packets 99618  bytes 12784267 (12.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 271348  bytes 198533592 (189.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 28:10:7b:ca:be:52  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 62580  bytes 12318484 (11.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Comment 7 Kevin Fenzi 2014-03-06 00:45:28 UTC
Looks like this is due to upstream releasing a new version (1.4.2) and changing the update db setup to handle it, but not still be compatible with the older 1.4.0 version. ;( 

I'm going to push a 1.4.2 update out very soon... not sure if upstream is also able to fix this for 1.4.0 in the mean time... 

If you want to test, here's a f20 scratch build I am testing here now: 
http://koji.fedoraproject.org/koji/taskinfo?taskID=6603634
It seems to work, but is very slow. ;(

Comment 8 Harald Reindl 2014-03-06 09:25:29 UTC
hm - that comes up with a different problem

rkhunter.noarch 0:1.4.2-1.fc20                                                                                                
[root@rh:/downloads]$ rkhunter --propupd
[root@rh:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF

[root@rh:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF="eth0 eth1 bond0"

[root@rh:/downloads]$ nano /etc/rkhunter.conf.local

[root@rh:/downloads]$ rkhunter --check
Warning: Possible promiscuous interfaces:
         'ifconfig' command output:
             bond0: flags=5443<UP,BROADCAST,RUNNING,PROMISC,MASTER,MULTICAST>  mtu 1472

[root@rh:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
[root@rh:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF="eth0,eth1,bond0"

Comment 9 Kevin Fenzi 2014-03-06 21:40:44 UTC
Can you try please: 

ALLOWPROMISCIF=eth0 eth1 bond0

(ie, spaces but no "s)

Comment 10 Harald Reindl 2014-03-06 21:55:21 UTC
i tried "ALLOWPROMISCIF=eth0 eth1 bond0" already before me last reply here, the same result

Comment 11 Kevin Fenzi 2014-03-07 22:40:40 UTC
ok. We may have to take this to upstream... some last things to check: 

* does 'rpm -V rkhunter' show that only /etc/rkhunter.conf is changed?

* There's not a /etc/rkhunter.conf.rpm* file is there?

* Does 'rkhunter --update' change anything?

I'll try and also duplicate this here on a test machine this weekend if possible...

Comment 12 Harald Reindl 2014-03-07 22:51:55 UTC
_____________________________________________________________

[root@srv-rhsoft:~]$ LANG=C
[root@srv-rhsoft:~]$ rpm -V rkhunter
..5....T.  c /etc/sysconfig/rkhunter
S.5....T.    /var/lib/rkhunter/db/i18n/en
[root@srv-rhsoft:~]$ ls /etc/rkhunter.conf*
-rw-r----- 1 root root 39K 2013-08-03 12:53 /etc/rkhunter.conf
-rw-r----- 1 root root 628 2013-08-14 00:46 /etc/rkhunter.conf.local
-rw-r----- 1 root root 628 2013-08-13 01:24 /etc/rkhunter.conf.local.save
[root@srv-rhsoft:~]$ rkhunter --update
[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP
[root@srv-rhsoft:~]$ rpm -q rkhunter 
rkhunter-1.4.0-9.fc20.noarch
_____________________________________________________________

what is interesting is that in the scract-build above "ALLOWPROMISCIF" whines and in the current fedora-version "INFO NETWORK_PROMISC_NO_IP" is part of the message - wild guess: that is somehow related

Comment 13 Kevin Fenzi 2014-03-10 18:07:21 UTC
Can you upgrade to the scratch build and do a 'rkhunter --update' then 'rkhunter --check' ? Does that still give the same error?

Comment 14 Harald Reindl 2014-03-10 18:14:25 UTC
surely, it's my job as reporter :-)

below complete outputs scratch-build and after downgrade again
___________________________________

[root@srv-rhsoft:~]$ rpm -q rkhunter
rkhunter-1.4.2-1.fc20.noarch
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --update
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
___________________________________

[root@srv-rhsoft:~]$ rpm -q rkhunter
rkhunter-1.4.0-9.fc20.noarch
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --update
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP

Comment 15 Kevin Fenzi 2014-03-10 18:21:07 UTC
Thanks. 

asking upstream what could be going on here...

Comment 16 Kevin Fenzi 2014-03-10 18:54:37 UTC
If you change: 

ALLOWPROMISCIF=eth0 eth1 bond0

to: 

ALLOWPROMISCIF=eth0
ALLOWPROMISCIF=eth0
ALLOWPROMISCIF=bond0

With the new 1.4.2 one does it stop complaining?

Comment 17 Kevin Fenzi 2014-03-10 18:56:15 UTC
(I of course meant eth1 on the second line there)

Comment 18 Harald Reindl 2014-03-10 19:12:27 UTC
no, with our without quotes makes no difference

[root@srv-rhsoft:/downloads]$ rkhunter --update
[root@srv-rhsoft:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
[root@srv-rhsoft:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF="eth0"
ALLOWPROMISCIF="eth1"
ALLOWPROMISCIF="eth2"
ALLOWPROMISCIF="bond0"
[root@srv-rhsoft:/downloads]$ nano /etc/rkhunter.conf.local
[root@srv-rhsoft:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
[root@srv-rhsoft:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF=eth0
ALLOWPROMISCIF=eth1
ALLOWPROMISCIF=eth2
ALLOWPROMISCIF=bond0

Comment 19 Kevin Fenzi 2014-03-11 14:37:57 UTC
ok, make sure 1.4.2 is installed then edit /usr/bin/rkhunter and change the 'space_list' on line 5757 to 'space-list' 

Does it then operate as expected? 

I'm asking upstream if they plan a new release to fix this, or if I will just patch it locally.

Comment 20 Harald Reindl 2014-03-11 15:03:53 UTC
good catch - that looks better - needed "rpl" because all my editors are convertig tabs to spaces and killing the rkhunter-binary that way...
__________________________________

[root@srv-rhsoft:/downloads]$ rpl "space_list ALLOWPROMISCIF" "space-list ALLOWPROMISCIF" /usr/bin/rkhunter
Replacing "space_list ALLOWPROMISCIF" with "space-list ALLOWPROMISCIF" (case sensitive) (partial words matched)
.
A Total of 1 matches replaced in 1 file searched.
__________________________________

[root@srv-rhsoft:/downloads]$ rkhunter --propupd; rkhunter --update; rkhunter --propupd; rkhunter --check
Warning: Package manager verification has failed:
         File: /usr/bin/rkhunter
         The file hash value has changed
         The file modification time has changed
Warning: Suspicious file types found in /dev:
         /dev/shm/sem.SWT_Window_Zend<SP>Studio: data
__________________________________

Comment 21 Kevin Fenzi 2014-03-13 19:47:53 UTC
Upstream anoyingly 're-released' 1.4.2 with this fix as well as a few others. 

Look for an update in a bit here....

Comment 22 Kevin Fenzi 2014-03-13 19:53:56 UTC
Can you test this scratch build: 

http://koji.fedoraproject.org/koji/taskinfo?taskID=6630812

Comment 23 Harald Reindl 2014-03-13 20:00:03 UTC
bingo - that solves it :-)
thank you!

[root@srv-rhsoft:/downloads]$ rpm -Uvh --force rkhunter-1.4.2-1.fc20.noarch.rpm
Vorbereiten...                        ################################# [100%]
Aktualisierung/ Installation...

   1:rkhunter-1.4.2-1.fc20            ################################# [100%]
[root@srv-rhsoft:/downloads]$ rkhunter --update; rkhunter --propupd
[root@srv-rhsoft:/downloads]$ rkhunter --check
[root@srv-rhsoft:/downloads]$

Comment 24 Harald Reindl 2014-03-13 21:24:43 UTC
*argh* on servers "man-db" and it's dependency-chain is not installed

[root@testserver:~]$ rkhunter --propupd
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/whatis

[root@testserver:~]$ rkhunter --check
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/whatis
_______________________________________________________

[harry@srv-rhsoft:~]$ rpm -q --file /usr/bin/whatis
man-db-2.6.5-2.fc20.x86_64

"srv-rhsoft" is a hybrid workstation/homeserver
"testserver" is a stripped down setup likely our production

Comment 25 Kevin Fenzi 2014-03-13 22:41:02 UTC
Does adding: 

EXISTWHITELIST=/usr/bin/whatis

then --propupd and re-run fix that?

Comment 26 Harald Reindl 2014-03-13 23:41:03 UTC
confirmed

[root@testserver:~]$ sync
[root@testserver:~]$ nano /etc/rkhunter.conf.local 
[root@testserver:~]$ cat /etc/rkhunter.conf.local | grep EXISTWHITELIST
EXISTWHITELIST=/usr/bin/whatis
[root@testserver:~]$ rkhunter --propupd
[root@testserver:~]$ rkhunter --check
[root@testserver:~]$

Comment 27 Fedora Update System 2014-03-14 16:41:18 UTC
rkhunter-1.4.2-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.fc20

Comment 28 Fedora Update System 2014-03-14 16:43:55 UTC
rkhunter-1.4.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.fc19

Comment 29 Fedora Update System 2014-03-14 16:53:04 UTC
rkhunter-1.4.2-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.el6

Comment 30 Fedora Update System 2014-03-15 15:01:44 UTC
rkhunter-1.4.2-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2014-03-30 18:47:26 UTC
rkhunter-1.4.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2014-10-27 15:57:52 UTC
rkhunter-1.4.2-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-5.fc19

Comment 33 Fedora Update System 2014-11-07 02:40:03 UTC
rkhunter-1.4.2-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.