this nonsense triggers daily alert mails starting a few days ago

[root@rh:~]$ rkhunter --check
Error: Invalid display - keyword cannot be found:
Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP
Can you pinpoint what change caused it to start happening? Did you make any changes to rkhunter.conf*? What does 'rkhunter -C' output? Did anything delete/tamper with your /var/lib/rkhunter/db/i18n files?
> Can you pinpoint what change caused it to start happening?

sorry no, i realized it too late because it was buried in expected alarms caused by updates and i don't keep those mails from my personal machines

no changes in the context of rkhunter, only the typical fedora updates with no problems noticed

[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid display - keyword cannot be found:
Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP
[root@srv-rhsoft:~]$

yes, a different machine, but both are mirrored 2011 and config / packages are identical (controlled by own scripts)

____________________________________________________________________
[root@srv-rhsoft:~]$ cat /etc/rkhunter.conf.local
MAIL-ON-WARNING=""
IP_CMD=DISABLED
ALLOWPROMISCIF="eth0 eth1 eth2 bond0"
PORT_WHITELIST="TCP:6666"
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/md/md-device-map
ALLOWDEVFILE=/dev/shm/mono*
ALLOWDEVFILE=/dev/shm/sem.jack_sem.0_default_system
ALLOWDEVFILE=/dev/shm/jack-shm-registry
ALLOWDEVFILE=/dev/md/autorebuild.pid
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio_Launcher
ALLOW_SSH_ROOT_USER=without-password
ALLOW_SSH_PROT_V1=0
HASH_FUNC=sha1sum
____________________________________________________________________
[root@srv-rhsoft:~]$ stat /etc/rkhunter.conf.local
  Datei: „/etc/rkhunter.conf.local“
  Größe: 628         Blöcke: 8          EA Block: 4096   reguläre Datei
Gerät: 901h/2305d   Inode: 1178855     Verknüpfungen: 1
Zugriff: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (    0/    root)
Zugriff    : 2013-07-11 01:23:20.345312894 +0200
Modifiziert: 2013-08-14 00:46:57.514761712 +0200
Geändert   : 2013-08-14 00:46:57.514761712 +0200
 Geburt    : -
[root@srv-rhsoft:~]$ stat /etc/rkhunter.conf
  Datei: „/etc/rkhunter.conf“
  Größe: 39260       Blöcke: 80         EA Block: 4096   reguläre Datei
Gerät: 901h/2305d   Inode: 1182404     Verknüpfungen: 1
Zugriff: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (    0/    root)
Zugriff    : 2013-08-03 12:53:24.000000000 +0200
Modifiziert: 2013-08-03 12:53:24.000000000 +0200
Geändert   : 2014-01-02 02:26:47.995314136 +0100
 Geburt    : -
Can you please provide the output of 'rkhunter -C'?
sorry, somehow i missed copying & pasting the non-existent output of the command in my last reply; it should have been before "yes, a different machine"

[root@srv-rhsoft:~]$ rkhunter -C
[root@srv-rhsoft:~]$
Did anything change with your network config? i.e., does 'ifconfig -a' show an interface in PROMISC with no IP?
not recently, the network config is untouched for at least 6 months

[root@srv-rhsoft:~]$ ifconfig -a
br0: flags=4675<UP,BROADCAST,RUNNING,ALLMULTI,MULTICAST>  mtu 1500
        inet 192.168.x.x  netmask 255.255.255.0  broadcast 192.168.2.255
        ether 24:be:05:1a:c0:27  txqueuelen 0  (Ethernet)
        RX packets 287271  bytes 51650364 (49.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 390128  bytes 235700698 (224.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.x.x  netmask 255.255.255.0  broadcast 192.168.10.255
        ether 0a:00:68:68:6a:be  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 62580  bytes 11192044 (10.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        ether 24:be:05:1a:c0:27  txqueuelen 500  (Ethernet)
        RX packets 187636  bytes 43638865 (41.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 263224  bytes 65153847 (62.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7e00000-f7e20000

eth1: flags=67<UP,BROADCAST,RUNNING>  mtu 1500
        inet 62.178.x.x  netmask 255.255.255.0  broadcast 255.255.255.255
        ether 00:50:8d:b5:cc:de  txqueuelen 500  (Ethernet)
        RX packets 73880328  bytes 40979671833 (38.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 64306696  bytes 37592237028 (35.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xf7cc0000-f7ce0000

eth2: flags=4355<UP,BROADCAST,PROMISC,MULTICAST>  mtu 1500
        ether 0a:00:68:68:6a:be  txqueuelen 500  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Lokale Schleife)
        RX packets 1908098  bytes 375880932 (358.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1908098  bytes 375880932 (358.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1472
        inet 10.x.x.x  netmask 255.255.255.0  broadcast 10.0.0.255
        ether 96:06:55:09:62:4f  txqueuelen 100  (Ethernet)
        RX packets 1438366  bytes 1038973302 (990.8 MiB)
        RX errors 0  dropped 24173  overruns 0  frame 0
        TX packets 1064882  bytes 111660824 (106.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vmnet8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.x.x  netmask 255.255.255.0  broadcast 192.168.196.255
        ether 00:50:56:c0:00:08  txqueuelen 1000  (Ethernet)
        RX packets 288861  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 378676  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 28:10:7b:ca:be:51  txqueuelen 1000  (Ethernet)
        RX packets 99618  bytes 12784267 (12.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 271348  bytes 198533592 (189.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 28:10:7b:ca:be:52  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 62580  bytes 12318484 (11.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Looks like this is due to upstream releasing a new version (1.4.2) and changing the update db setup to handle it, without staying compatible with the older 1.4.0 version. ;( I'm going to push a 1.4.2 update out very soon... not sure if upstream is also able to fix this for 1.4.0 in the meantime... If you want to test, here's an f20 scratch build I am testing here now: http://koji.fedoraproject.org/koji/taskinfo?taskID=6603634 It seems to work, but is very slow. ;(
hm - that comes up with a different problem

rkhunter.noarch 0:1.4.2-1.fc20

[root@rh:/downloads]$ rkhunter --propupd
[root@rh:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
[root@rh:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF="eth0 eth1 bond0"
[root@rh:/downloads]$ nano /etc/rkhunter.conf.local
[root@rh:/downloads]$ rkhunter --check
Warning: Possible promiscuous interfaces:
         'ifconfig' command output: bond0: flags=5443<UP,BROADCAST,RUNNING,PROMISC,MASTER,MULTICAST>  mtu 1472
[root@rh:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
[root@rh:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF="eth0,eth1,bond0"
Can you try please:

ALLOWPROMISCIF=eth0 eth1 bond0

(i.e., spaces but no "s)
i tried "ALLOWPROMISCIF=eth0 eth1 bond0" already before my last reply here, with the same result
ok. We may have to take this to upstream... some last things to check:

* does 'rpm -V rkhunter' show that only /etc/rkhunter.conf is changed?
* There's not a /etc/rkhunter.conf.rpm* file is there?
* Does 'rkhunter --update' change anything?

I'll try and also duplicate this here on a test machine this weekend if possible...
_____________________________________________________________
[root@srv-rhsoft:~]$ LANG=C
[root@srv-rhsoft:~]$ rpm -V rkhunter
..5....T.  c /etc/sysconfig/rkhunter
S.5....T.    /var/lib/rkhunter/db/i18n/en
[root@srv-rhsoft:~]$ ls /etc/rkhunter.conf*
-rw-r----- 1 root root 39K 2013-08-03 12:53 /etc/rkhunter.conf
-rw-r----- 1 root root 628 2013-08-14 00:46 /etc/rkhunter.conf.local
-rw-r----- 1 root root 628 2013-08-13 01:24 /etc/rkhunter.conf.local.save
[root@srv-rhsoft:~]$ rkhunter --update
[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid display - keyword cannot be found:
Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP
[root@srv-rhsoft:~]$ rpm -q rkhunter
rkhunter-1.4.0-9.fc20.noarch
_____________________________________________________________

what is interesting is that in the scratch build above "ALLOWPROMISCIF" whines and in the current fedora version "INFO NETWORK_PROMISC_NO_IP" is part of the message - wild guess: that is somehow related
Can you upgrade to the scratch build and do a 'rkhunter --update' then 'rkhunter --check'? Does that still give the same error?
surely, it's my job as reporter :-) below are the complete outputs with the scratch build and after downgrading again
___________________________________
[root@srv-rhsoft:~]$ rpm -q rkhunter
rkhunter-1.4.2-1.fc20.noarch
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --update
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
___________________________________
[root@srv-rhsoft:~]$ rpm -q rkhunter
rkhunter-1.4.0-9.fc20.noarch
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --update
[root@srv-rhsoft:~]$ rkhunter --propupd
[root@srv-rhsoft:~]$ rkhunter --check
Error: Invalid display - keyword cannot be found:
Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP
Thanks. Asking upstream what could be going on here...
If you change:

ALLOWPROMISCIF=eth0 eth1 bond0

to:

ALLOWPROMISCIF=eth0
ALLOWPROMISCIF=eth0
ALLOWPROMISCIF=bond0

With the new 1.4.2 one does it stop complaining?
(I of course meant eth1 on the second line there)
no, with or without quotes makes no difference

[root@srv-rhsoft:/downloads]$ rkhunter --update
[root@srv-rhsoft:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
[root@srv-rhsoft:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF="eth0"
ALLOWPROMISCIF="eth1"
ALLOWPROMISCIF="eth2"
ALLOWPROMISCIF="bond0"
[root@srv-rhsoft:/downloads]$ nano /etc/rkhunter.conf.local
[root@srv-rhsoft:/downloads]$ rkhunter --check
Error: Invalid argument in get_option function: space_list ALLOWPROMISCIF
[root@srv-rhsoft:/downloads]$ cat /etc/rkhunter.conf.local | grep PROM
ALLOWPROMISCIF=eth0
ALLOWPROMISCIF=eth1
ALLOWPROMISCIF=eth2
ALLOWPROMISCIF=bond0
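As an added example (not rkhunter's code and not anything posted in this report): a POSIX shell re-implementation of the check behind the promiscuous-interface warnings discussed above, run on constructed samples of ALLOWPROMISCIF in all three spellings tried in this thread and an 'ifconfig -a' excerpt modelled on the one posted earlier. The interface names and addresses are made up, and the permissive whitelist parsing is this example's own reading of the option, not rkhunter's parser.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: reproduce the promiscuous-interface
# check from the report on constructed samples. allowed_ifaces() accepts every
# ALLOWPROMISCIF spelling tried in the thread (quoted, unquoted, repeated).

# Constructed rkhunter.conf.local fragment using all three spellings at once.
CONF_SAMPLE='ALLOWPROMISCIF="eth0 bond0"
ALLOWPROMISCIF=eth1 eth5
ALLOWPROMISCIF="eth9"'

# Constructed 'ifconfig -a' excerpt modelled on the one in the report
# (names and addresses are made up for the example).
IFCONFIG_SAMPLE='eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        ether 24:be:05:1a:c0:27  txqueuelen 500  (Ethernet)
eth1: flags=67<UP,BROADCAST,RUNNING>  mtu 1500
        inet 62.178.0.1  netmask 255.255.255.0
eth2: flags=4355<UP,BROADCAST,PROMISC,MULTICAST>  mtu 1500
        ether 0a:00:68:68:6a:be  txqueuelen 500  (Ethernet)
br0: flags=4675<UP,BROADCAST,RUNNING,ALLMULTI,MULTICAST>  mtu 1500
        inet 192.168.2.1  netmask 255.255.255.0
bond0: flags=5443<UP,BROADCAST,RUNNING,PROMISC,MASTER,MULTICAST>  mtu 1472
        inet 10.0.0.1  netmask 255.255.255.0'

# allowed_ifaces CONF: print the whitelisted names as one space-separated line.
allowed_ifaces() {
    printf '%s\n' "$1" | sed -n 's/^ALLOWPROMISCIF=//p' | tr -d '"' \
        | tr '\n' ' ' | sed 's/ *$//'
}

# promisc_no_ip IFCONFIG: one name per line for each interface block whose
# flags contain PROMISC and which has no "inet" line (NETWORK_PROMISC_NO_IP).
promisc_no_ip() {
    printf '%s\n' "$1" | awk '
        function flush() { if (name != "" && promisc && !hasip) print name; name = "" }
        /^[^ \t]/      { flush(); name = $1; sub(/:$/, "", name)
                         promisc = ($0 ~ /PROMISC/); hasip = 0 }
        /^[ \t]+inet / { hasip = 1 }
        END            { flush() }'
}

# unexpected_promisc CONF IFCONFIG: the interfaces that would become a warning,
# i.e. promiscuous and IP-less but absent from ALLOWPROMISCIF.
unexpected_promisc() {
    allowed=" $(allowed_ifaces "$1") "
    for i in $(promisc_no_ip "$2"); do
        case "$allowed" in *" $i "*) ;; *) printf '%s\n' "$i" ;; esac
    done
}

unexpected_promisc "$CONF_SAMPLE" "$IFCONFIG_SAMPLE"   # prints: eth2
```

Against the real config, replace the two sample strings with `$(cat /etc/rkhunter.conf.local)` and `$(ifconfig -a)`; bond0 is skipped here because it carries an address, which is exactly why the report's bond0 case only surfaced as a warning once the whitelist line was unparseable.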
ok, make sure 1.4.2 is installed then edit /usr/bin/rkhunter and change the 'space_list' on line 5757 to 'space-list'

Does it then operate as expected? I'm asking upstream if they plan a new release to fix this, or if I will just patch it locally.
good catch - that looks better - needed "rpl" because all my editors are converting tabs to spaces and killing the rkhunter binary that way...
__________________________________
[root@srv-rhsoft:/downloads]$ rpl "space_list ALLOWPROMISCIF" "space-list ALLOWPROMISCIF" /usr/bin/rkhunter
Replacing "space_list ALLOWPROMISCIF" with "space-list ALLOWPROMISCIF" (case sensitive) (partial words matched)
.
A Total of 1 matches replaced in 1 file searched.
__________________________________
[root@srv-rhsoft:/downloads]$ rkhunter --propupd; rkhunter --update; rkhunter --propupd; rkhunter --check
Warning: Package manager verification has failed:
         File: /usr/bin/rkhunter
         The file hash value has changed
         The file modification time has changed
Warning: Suspicious file types found in /dev:
         /dev/shm/sem.SWT_Window_Zend<SP>Studio: data
__________________________________
Upstream annoyingly 're-released' 1.4.2 with this fix as well as a few others. Look for an update in a bit here....
Can you test this scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=6630812
bingo - that solves it :-) thank you!

[root@srv-rhsoft:/downloads]$ rpm -Uvh --force rkhunter-1.4.2-1.fc20.noarch.rpm
Vorbereiten...                    ################################# [100%]
Aktualisierung/ Installation...
   1:rkhunter-1.4.2-1.fc20         ################################# [100%]
[root@srv-rhsoft:/downloads]$ rkhunter --update; rkhunter --propupd
[root@srv-rhsoft:/downloads]$ rkhunter --check
[root@srv-rhsoft:/downloads]$
*argh* on servers "man-db" and its dependency chain is not installed

[root@testserver:~]$ rkhunter --propupd
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/whatis
[root@testserver:~]$ rkhunter --check
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/whatis
_______________________________________________________
[harry@srv-rhsoft:~]$ rpm -q --file /usr/bin/whatis
man-db-2.6.5-2.fc20.x86_64

"srv-rhsoft" is a hybrid workstation/homeserver, "testserver" is a stripped down setup like our production
Does adding:

EXISTWHITELIST=/usr/bin/whatis

then --propupd and re-run fix that?
confirmed

[root@testserver:~]$ sync
[root@testserver:~]$ nano /etc/rkhunter.conf.local
[root@testserver:~]$ cat /etc/rkhunter.conf.local | grep EXISTWHITELIST
EXISTWHITELIST=/usr/bin/whatis
[root@testserver:~]$ rkhunter --propupd
[root@testserver:~]$ rkhunter --check
[root@testserver:~]$
rkhunter-1.4.2-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.fc20
rkhunter-1.4.2-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.fc19
rkhunter-1.4.2-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.el6
rkhunter-1.4.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.4.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.4.2-5.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/rkhunter-1.4.2-5.fc19
rkhunter-1.4.2-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.