Bug 12897 - rkhunter Error: Invalid display keyword --to SCREEN+LOG
Summary: rkhunter Error: Invalid display keyword --to SCREEN+LOG
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: Cauldron
Hardware: x86_64 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Remco Rijnders
QA Contact:
URL:
Whiteboard: MGA5TOO MGA4TOO
Keywords: 6sta2, Triaged
Depends on:
Blocks:
 
Reported: 2014-02-27 15:22 CET by Bit Twister
Modified: 2022-06-19 13:37 CEST (History)
2 users (show)

See Also:
Source RPM: rkhunter-1.4.0-9.mga6.src.rpm
CVE:
Status comment:

Attachments
/etc/rkhunter.d/mageia.conf (1.07 KB, text/plain)
2014-03-15 22:32 CET, Bit Twister 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Bit Twister 2014-02-27 15:22:17 CET 
Description of problem:

Error: Invalid display - keyword cannot be found: Display line:
 display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL

Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:
1. /etc/cron.daily/rkhunter
2.
3.


Reproducible: 

Steps to Reproduce:
Manuel Hiebel 2014-02-27 17:04:49 CET

Assignee: bugsquad => remco
Keywords: (none) => Triaged

Comment 1 James Kerr 2014-02-27 18:54:49 CET 
I also see this. It started after the recent updates to the file and lib64magic1 packages:

file-5.16-1.1.mga4.x86_64                    
lib64magic1-5.16-1.1.mga4.x86_64   

Those were updated on my system on Feb 23

On Feb 24, rkhunter, as expected, issued a warning about the change in inode for /usr/bin/file

On Feb 25, rkhunter repeated the identical warning about the change in inode, and reported the error message quoted above

On subsequent days it has repeated that error message.
Comment 2 Bit Twister 2014-03-15 20:23:52 CET 
James, you may want to rebuild/update the database for some of your errors.
rkhunter --propupd

PS:
rkhunter-1.4.2.tar.gz has been released with several fixes.
http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG

I suggest using the new rkhunter.d feature and create /etc/rkhunter.d/mageia.conf with all the Mageia changes that were done to /etc/rkhunter.conf
Comment 3 Bit Twister 2014-03-15 22:30:48 CET 
I did a mkdir /etc/rkhunter.d/, pulled the Mageia changes from /etc/rkhunter.conf
into /etc/rkhunter.d/mageia.conf, urpme rkhunter, untared rkhunter-1.4.2.tar.gz
ran ./installer.sh --layout /usr --install
ran rkhunter --propupd ; rkhunter --skip-keypress -C
then ran a copy of /etc/cron.daily/rkunter and it ran without the display error.

packager will need to decide where the SCRIPTDIR should point since the tar file is arch dependent or do what I did, and removed the SCRIPTDIR from the mageia.conf file. See attachment.
Comment 4 Bit Twister 2014-03-15 22:32:13 CET 
Created attachment 5057 [details]
/etc/rkhunter.d/mageia.conf
Comment 5 Bit Twister 2014-03-15 22:39:04 CET 
Oops, forgot
/etc/cron.daily/rkunter might/will need modification to /usr/bin/rkhunter unless package manager wants to override default install location.
Comment 6 Giuseppe Merigo 2015-02-24 18:16:23 CET 
Will 1.4.2 be packaged for mga4?

CC: (none) => g.merigo

Comment 7 Bit Twister 2015-07-01 10:58:08 CEST 
Verified the original bug does not exists in release rkhunter-1.4.2 which needs to be updated in core release.
Samuel Verschelde 2015-07-01 12:25:38 CEST

Summary: 4: rkhunter Error: Invalid display keyword --to SCREEN+LOG => rkhunter Error: Invalid display keyword --to SCREEN+LOG
Whiteboard: (none) => MGA5TOO MGA4TOO
Version: 4 => Cauldron

Comment 8 Giuseppe Merigo 2015-08-19 12:40:28 CEST 
I updated my home server system to MGA5, and rkhunter is still at version 1.4.0, so the error is still current.

Any idea if rkhunter will be upgraded to 1.4.2?
Comment 9 Bit Twister 2015-08-19 15:00:35 CEST 
My workaround is downloading the tar archive into my download directory, remove rkhunter rpm, add conf change files, and install rkhunter.


Created the suggested /etc/rkhunter.d/mageia.conf file from my attachment,
  https://bugs.mageia.org/attachment.cgi?id=5057
then installed my changes to /etc/rkhunter.d/my__rkhunter.conf


Code snippet from my install_rkhunter script follows:

    function install_tar_file ()
    {
      _tar_fn=$(ls $_dl_dir/*rkhunter* 2> /dev/null | sort -V |  tail -1)
      cd /root/tmp
      cp $_tar_fn .
      tar xvfz rkhunter*.tar.gz
      cd rkhunter*
      ./installer.sh --layout /usr --install
    } # end install_tar_file
Comment 10 Giuseppe Merigo 2015-08-19 15:04:37 CEST 
Nice hack but already know how to operate rkhunter from "source" (it's a shell script), but it beats the whole purpose of having an rpm ready to install on every mageia box.

Maybe if I have time I'll try to package it by myself but not having that much time it will take a long time...
Javier Díaz 2016-08-26 19:48:06 CEST

CC: (none) => javier_diaz

Comment 11 Javier Díaz 2016-08-26 19:49:59 CEST 
In mageia 5 it also fails, rpm version: rkhunter-1.4.0-7.mga5
Comment 12 Giuseppe Merigo 2016-08-26 20:39:17 CEST 
Javier, I know, see comment #8.
Comment 13 Bit Twister 2017-02-01 00:08:59 CET 
Although the "Invalid display - keyword cannot be found" has been fixed, I am leaving this bug open so that a suggested mageia.conf will be created for release 1.4.2 

See  /etc/rkhunter.d/mageia.conf attachment.

Source RPM: rkhunter-1.4.0-5.mga4.src.rpm => rkhunter-1.4.0-9.mga6.src.rpm
Keywords: (none) => 6sta2

Comment 14 Bit Twister 2017-02-01 01:27:40 CET 
another bug report has mageia.conf attachment.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 15 Javier Díaz 2017-08-22 20:45:23 CEST 
Hello, I have just upgraded to mageia 6 and it still fails, rpm 'rkhunter-1.4.0-10.mga6':

/etc/cron.daily/rkhunter:
Error: Invalid display - keyword cannot be found: Display line: display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL


Is it necessary to make any configuration change to correct it? There is no /etc/rkhunter.d/mageia.conf file, only /etc/rkhunter.conf
Comment 16 Giuseppe Merigo 2017-08-23 08:31:23 CEST 
I tried to use the proposed mageia.conf file but when I run rkhunter the same way the cronjob I get the same message:

# /usr/sbin/rkhunter --update --rwo --tmpdir /var/lib/rkhunter/tmp --dbdir /var/lib/rkhunter/db --cronjob --logfile /var/log/rkhunter-cronjob.log --appendlog
Error: Invalid display - keyword cannot be found: Display line: display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL
Warning: Suspicious file types found in /dev:
         /dev/shm/squid-cf__readers.shm: data
         /dev/shm/squid-cf__queues.shm: data
         /dev/shm/squid-cf__metadata.shm: data

Note: I'm not on mga6 but I see the rkhunter version is still the same.
So proposed solution won't work. I don't know why this bug is marked as FIXED.
Comment 17 Giuseppe Merigo 2017-08-23 08:32:48 CEST 
Addendum: of course the squid files are another kind of configuration error entirely, I'm just speaking about the Invalid display error.
Comment 18 Javier Díaz 2017-08-24 19:11:49 CEST 
If it doesn't work, I think this bug should be reopened
Comment 19 Javier Díaz 2017-12-06 23:09:07 CET 
Hello, I reopen this bug: it is still failing

Status: RESOLVED => UNCONFIRMED
Ever confirmed: 1 => 0
Resolution: FIXED => (none)

Comment 20 sturmvogel 2022-06-19 13:37:31 CEST 
We have now rkhunter-1.4.6-3.mga8. According comment 7 the problem was fixed in rkhunter-1.4.2

Closing as FIXED.

Resolution: (none) => FIXED
Status: UNCONFIRMED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.