Bug 19079

Summary: msec chkrootkit result is always "failed"
Product: Mageia Reporter: Yann Ciret <mageia>
Component: RPM Packages Assignee: Shlomi Fish <shlomif>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: mageia, marja11, yvesbrungard
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: msec-2.1-1.mga6.src.rpm CVE:
Status comment:
Attachments: Patch against chkrootkit to hopefully fix the problem.
test result
bash -x result

Description Yann Ciret 2016-07-28 21:51:24 CEST
Description of problem:
msec always returns that chkrootkit check failed.
But if you analyse all individual chkrootkit check results, you can see only "not found", "not infected", "not tested", "no suspect files"… So all tests are good and the global status should be "passed".

I do not know if the problem comes from msec or chkrootkit. So I arbitrarily chose msec (/usr/share/msec/scripts/04_rootkit.sh).

Version-Release number of selected component (if applicable):
Valid on Mageia 5 and Cauldron

How reproducible:


Steps to Reproduce:
1. Configure msec at "secure" level
2. Launch msec
3. Check the result in "/var/log/security/mail.daily.today". You can find the string "Chkrootkit check: failed" in the summary at the beginning.
Yann Ciret 2016-07-28 21:51:37 CEST

CC: (none) => mageia

Yann Ciret 2016-07-29 10:56:16 CEST

Summary: msec chkrootkit result is always => msec chkrootkit result is always "failed"

Comment 1 Marja Van Waes 2016-07-30 20:07:08 CEST
Well, chkrootkit has a registered maintainer, and msec doesn't....

Shlomi, I'm assigning this one to you, but please feel free to reassign to pkg-bugs@ml ;-)

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2016-07-31 14:13:09 CEST
Hi all!

Here is what I found so far: it appears that the chkrootkit invocation returns a non-zero (and false) exit value which causes the bash wrapper ( /usr/share/msec/scripts/04_rootkit.sh ) to report failure:

root@telaviv1:~$ /usr/sbin/chkrootkit -n > ~/chkroot.out && echo passed || echo failed
failed

-n is a flag that tells chkrootkit to ignore NFS mounts. Next I'll try to run chkrootkit under sh -x and see where it fails but first I need to reboot for the new mageia v6 kernel. Stay tuned.
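
The exit-status behaviour described in comment 2, as an added example that is not part of the original thread and is not msec or chkrootkit code: it contrasts a verdict taken from the exit status alone with one that also reads the result lines. `fake_scan` is a hypothetical stand-in for `/usr/sbin/chkrootkit -n` with constructed output, and the benign statuses are the four quoted in the bug description.

```shell
#!/bin/sh
# Added example; not msec or chkrootkit code.
# fake_scan: hypothetical stand-in for `/usr/sbin/chkrootkit -n`.
# Usage: fake_scan EXIT_STATUS [EXTRA_STATUS_TEXT]
# Prints constructed result lines, then returns EXIT_STATUS.
fake_scan() {
    cat <<'EOF'
Checking `amd'... not found
Checking `ls'... not infected
Checking `aliens'... no suspect files
Checking `scalper'... not tested
EOF
    if [ -n "${2:-}" ]; then
        printf "Checking \`bindshell'... %s\n" "$2"
    fi
    return "$1"
}

# Pattern from comment 2: the verdict depends on the exit status only.
exit_only_verdict() {
    "$@" >/dev/null 2>&1 && echo passed || echo failed
}

# Triage: keep exit status and output apart, so a scanner that exits
# non-zero with only benign result lines is not reported as a finding.
triage() {
    if out=$("$@" 2>&1); then status=0; else status=$?; fi
    # Any "Checking" line whose status is not one of the benign ones.
    suspicious=$(printf '%s\n' "$out" | grep '^Checking ' |
        grep -Ev '\.\.\. (not found|not infected|not tested|no suspect files)$' || true)
    if [ -n "$suspicious" ]; then
        echo "findings"
    elif [ "$status" -ne 0 ]; then
        echo "exit-status-only:$status"
    else
        echo "clean"
    fi
}

echo "exit status only: $(exit_only_verdict fake_scan 1)"
echo "triage:           $(triage fake_scan 1)"
```

The "exit-status-only" result is the case this bug describes: every check line is benign, yet the run is reported as failed.
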
Comment 3 Shlomi Fish 2016-07-31 15:01:19 CEST
Created attachment 8291 [details]
Patch against chkrootkit to hopefully fix the problem.

This patch fixes the error code of chkrootkit. Original reporter: can you please apply it and test if it fixes the problem for you? My chkrootkit seems to misbehave here.
Comment 4 Yann Ciret 2016-08-01 09:29:01 CEST
Created attachment 8296 [details]
test result

Hi Slomi,

It does not look good here after patching.
In msec result: Chkrootkit check: failed

I attach my chkrootkit result file.
Comment 5 Shlomi Fish 2016-08-01 13:39:48 CEST
(In reply to Yann Ciret from comment #4)
> Created attachment 8296 [details]
> test result
> 
> Hi Slomi,
> 
> It does not look good here after patching.
> In msec result: Chkrootkit check: failed
> 
> I attach my chkrootkit result file.

Hi Yann!

Please try running chkrootkit using "bash -x" and attach the result after compressing with xz or whatever. Thanks!

P.S: my name is "Shlomi" - not "Slomi".
Comment 6 Yann Ciret 2016-08-01 16:27:41 CEST
Created attachment 8298 [details]
bash -x result

Sorry for my mistake on your name. I will pay attention in the future.

Here is the requested file.
Comment 7 Yann Ciret 2016-12-30 08:51:29 CET
Hi Shlomi,

any update on this bug?
Comment 8 papoteur 2022-04-16 18:58:03 CEST
Hello,
I know this is old, but is this bug still valid?

CC: (none) => yves.brungard_mageia

Comment 9 Yann Ciret 2022-05-12 16:15:41 CEST
Hello papoteur,

I just checked on my Cauldron VM and the issue seems to have gone away.

Now the result is « Chkrootkit check: passed ».

This bug can be closed.

Regards
Yann

Status: NEW => RESOLVED
Resolution: (none) => FIXED