ports/132541: rkhunter 1.3.4 False positives fix

Lukasz Wasikowski lukasz at wasikowski.net
Wed Mar 11 13:20:03 UTC 2009 

>Number:         132541
>Category:       ports
>Synopsis:       rkhunter 1.3.4 False positives fix
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 11 13:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Lukasz Wasikowski
>Release:        FreeBSD 7.0-RELEASE-p1
>Organization:
>Environment:
FreeBSD bijou.wasikowski.net 7.0-RELEASE-p1 FreeBSD 7.0-RELEASE-p1 #0: Mon Apr 21 10:35:47 CEST 2008     root at bijou.wasikowski.net:/usr/obj/usr/src/sys/bijou  i386
>Description:
When rkhunter does FreeBSD's specific checks it compares output of sockstat and netstat and if there's a difference it reports warning. The problem is that sockstat command returns ports as numbers, and netstat command returns it as numbers with dot sign in front.
>How-To-Repeat:
Install rkhunter 1.3.4 from ports and run rkhunter --propupd -c --rwo

If some services are listening on some ports you'll get:

Warning: Differences found between sockstat and netstat output:
         Sockstat output: 110
22

         Netstat output: .110
.22

>Fix:
Patch attached.

Patch attached with submission follows:

diff -ruN rkhunter.old/files/patch-rkhunter rkhunter/files/patch-rkhunter
--- rkhunter.old/files/patch-rkhunter	2009-03-11 02:07:25.000000000 +0100
+++ rkhunter/files/patch-rkhunter	2009-03-11 13:58:09.000000000 +0100
@@ -7,7 +7,7 @@
 -		SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} -n | grep '\*[:.]\*' | cut -c1-55 | grep '\*[:.]' | cut -c39-47 | grep -v '\*' | tr -d ' ' | ${SORT_CMD} | ${UNIQ_CMD}`
 -		NETSTAT_OUTPUT=`${NETSTAT_CMD} -an | egrep -v 'TIME_WAIT|ESTABLISHED|SYN_SENT|CLOSE_WAIT|LAST_ACK|SYN_RECV|CLOSING' | cut -c1-44 | grep '\*\.' | cut -c24-32 | grep -v '\*' | tr -d ' ' | tr -d '\t' | ${SORT_CMD} | ${UNIQ_CMD}`
 +		SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} | grep '\*[:.]\*' | cut -c1-55 | grep '\*[:.]' | cut -c39-47 | grep -v '\*' | tr -d ' ' | ${SORT_CMD} | ${UNIQ_CMD}`
-+		NETSTAT_OUTPUT=`${NETSTAT_CMD} -an | egrep -v 'TIME_WAIT|ESTABLISHED|SYN_SENT|CLOSE_WAIT|LAST_ACK|SYN_RECV|CLOSING' | cut -c1-44 | grep '\*\.' | cut -c23-31 | grep -v '\*' | tr -d ' ' | tr -d '\t' | ${SORT_CMD} | ${UNIQ_CMD}`
++		NETSTAT_OUTPUT=`${NETSTAT_CMD} -an | egrep -v 'TIME_WAIT|ESTABLISHED|SYN_SENT|CLOSE_WAIT|LAST_ACK|SYN_RECV|CLOSING' | cut -c1-44 | grep '\*\.' | cut -c23-31 | grep -v '\*' | tr -d ' ' | tr -d '\t' | tr -d '.' | ${SORT_CMD} | ${UNIQ_CMD}`
  
  		if [ "${SOCKSTAT_OUTPUT}" = "${NETSTAT_OUTPUT}" ]; then
  			display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list