I upgraded one of my systems to FreeBSD 8.2-PRERELEASE the other day. Next, I upgraded rkhunter to 1.3.8 on the same system. The output of the sockstat command sometimes contains more information than rkhunter is prepared to handle, so the list of local ports rkhunter extracts from sockstat no longer matches the list it extracts from netstat. rkhunter treats this mismatch as a sign of infection. Maybe it is. But I have my doubts.

Here’s an abridged sample from sockstat on said system:

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      94221 4  tcp4 6 *:80                  *:*
www      httpd      94221 5  tcp4   *:*                   *:*

The fifth column sometimes contains a single word, such as tcp4, and at other times the same column might contain two words, like tcp4 6.
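
As an added example, not code from this post or from rkhunter, here is a small POSIX sh script that reproduces the port extraction on constructed sockstat and netstat samples (modelled on the lines above, with a few extra sockets added) and contrasts reading a fixed column with reading the second-to-last field, which copes with a PROTO column of any width:

```sh
#!/bin/sh
# Added example, not code from the post or from rkhunter: reproduce the port
# extraction that rkhunter performs on sockstat/netstat output and compare
# a fixed-column read ($6) with reading the second-to-last field.
# Both samples below are constructed for this example (modelled on the
# sockstat lines in the post, plus a few extra sockets); they are not
# captured from a real system.

SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      94221 4  tcp4 6 *:80                  *:*
www      httpd      94221 5  tcp4   *:*                   *:*
root     sshd       1234  3  tcp6   *:22                  *:*
root     sshd       5555  4  tcp4   192.0.2.10:22         198.51.100.7:50231
root     syslogd    987   5  udp4   *:514                 *:*
root     ntpd       777   20 udp4   127.0.0.1:123         *:*
root     syslogd    987   4  dgram  /var/run/log'

NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.22          198.51.100.7.50231     ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
udp4       0      0 *.514                  *.*
udp4       0      0 127.0.0.1.123          *.*
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
fffff800 dgram       0      0        0 fffff800        0        0 /var/run/log'

# Reduce a stream of address tokens to a sorted, de-duplicated, space-separated
# list of port numbers. Same grep/sed as rkhunter: keep only tokens ending in
# ":port" or ".port" (netstat separates host and port with a dot), then strip
# everything but the port.
ports_from_addresses() {
    grep '[:.][0-9][0-9]*$' \
        | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' \
        | sort -n | uniq \
        | tr '\n' ' ' | sed -e 's/ $//'
}

# rkhunter 1.3.8 behaviour: the local address is assumed to be field 6.
# On the "tcp4 6" line that field is the stray "6", so port 80 is lost.
naive_sockstat_ports() {
    printf '%s\n' "$SOCKSTAT_SAMPLE" | awk '{ print $6 }' | ports_from_addresses
}

# Robust variant: LOCAL ADDRESS is the second-to-last field whether PROTO was
# printed as one token ("tcp4") or two ("tcp4 6"). The header and UNIX-socket
# lines are dropped by the grep, since their second-to-last field has no port.
sockstat_ports() {
    printf '%s\n' "$SOCKSTAT_SAMPLE" | awk 'NF >= 2 { print $(NF-1) }' | ports_from_addresses
}

# netstat -an: Local Address is field 4 on every inet line; the headers and
# the UNIX-socket section never yield a "something.digits" token there.
netstat_ports() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '{ print $4 }' | ports_from_addresses
}

# rkhunter's decision rule: identical port lists are OK, anything else warns.
compare_ports() {
    if [ "$(sockstat_ports)" = "$(netstat_ports)" ]; then
        echo OK
    else
        echo WARNING
    fi
}

echo "sockstat, field 6 (rkhunter 1.3.8):  $(naive_sockstat_ports)"
echo "sockstat, second-to-last field:      $(sockstat_ports)"
echo "netstat, field 4:                    $(netstat_ports)"
echo "verdict:                             $(compare_ports)"
```

Run as-is: the field-6 read drops port 80 (the httpd line whose PROTO column is "tcp4 6") and would make rkhunter warn, while the second-to-last-field read yields the same list as netstat. Reading `$(NF-1)` generalises beyond the single "6" token seen here, which is why it is preferable to testing for one literal value.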

This annoyance made me come up with this patch:

--- rkhunter.orig	2012-04-25 16:55:53.733244657 +0200
+++ rkhunter	2012-04-25 17:39:35.423329292 +0200
@@ -12925,8 +12925,8 @@
 	if [ -n "${SOCKSTAT_CMD}" -a -n "${NETSTAT_CMD}" ]; then
 		test "${OPERATING_SYSTEM}" = "NetBSD" && RKHTMPVAR="-n" || RKHTMPVAR=""
 
-		SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} ${RKHTMPVAR} | awk '{ print $6 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`
-		NETSTAT_OUTPUT=`${NETSTAT_CMD} -an |  awk '{ print $4 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`
+		SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} ${RKHTMPVAR} | awk '{ if ($6 == "6") print $7; else print $6; }' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort -n | uniq`
+		NETSTAT_OUTPUT=`${NETSTAT_CMD} -an | awk '{ print $4 }' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort -n | uniq`
 
 		if [ "${SOCKSTAT_OUTPUT}" = "${NETSTAT_OUTPUT}" ]; then
 			display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET
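Review bot: the new awk test `$6 == "6"` in the SOCKSTAT_OUTPUT line hard-codes the one extra token seen in the sample ("tcp4 6"); in the sockstat output shown, the local address is always the second-to-last field, so `awk '{ print $(NF-1) }'` would cope with a PROTO column of any width without special-casing a literal. The switch to `sort -n` is applied to both SOCKSTAT_OUTPUT and NETSTAT_OUTPUT, so the string comparison in the `if` below stays consistent, though `sort -un` would do the same in one step.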

The above patch was also sent to the maintainer of rkhunter, and hopefully everyone else will benefit shortly.

If you’re using LDAP lookups, you might as well disable the call to bsd_specific_checks() altogether. Note that this skips the whole function, not just the sockstat/netstat comparison, so check what else it does on your system before trading that coverage for a quiet run.

--- rkhunter.orig	2012-04-25 16:55:53.733244657 +0200
+++ rkhunter	2012-04-25 17:39:35.423329292 +0200
@@ -13225,7 +13225,7 @@
 	FreeBSD|NetBSD|DragonFly)
 		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_OS_START "${OPERATING_SYSTEM}"
 
-		bsd_specific_checks
+#		bsd_specific_checks
 
 		test "${OPERATING_SYSTEM}" = "FreeBSD" -o "${OPERATING_SYSTEM}" = "DragonFly" && freebsd_specific_checks
 		;;
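Review bot: commenting out the `bsd_specific_checks` call disables every check in that function for FreeBSD, NetBSD and DragonFly, not only the sockstat/netstat comparison that misfires, and the skip is silent because nothing is logged in its place. If the parsing fix from the first hunk is applied, this hunk should not be needed; if it is kept, add a comment next to the commented-out line saying why the call is disabled, and expect to reapply the edit after each rkhunter upgrade.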

Here are both patches combined into a single diff file:

--- rkhunter.orig	2012-04-25 16:55:53.733244657 +0200
+++ rkhunter	2012-04-25 17:39:35.423329292 +0200
@@ -12925,8 +12925,8 @@
 	if [ -n "${SOCKSTAT_CMD}" -a -n "${NETSTAT_CMD}" ]; then
 		test "${OPERATING_SYSTEM}" = "NetBSD" && RKHTMPVAR="-n" || RKHTMPVAR=""
 
-		SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} ${RKHTMPVAR} | awk '{ print $6 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`
-		NETSTAT_OUTPUT=`${NETSTAT_CMD} -an |  awk '{ print $4 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`
+		SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} ${RKHTMPVAR} | awk '{ if ($6 == "6") print $7; else print $6; }' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort -n | uniq`
+		NETSTAT_OUTPUT=`${NETSTAT_CMD} -an | awk '{ print $4 }' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort -n | uniq`
 
 		if [ "${SOCKSTAT_OUTPUT}" = "${NETSTAT_OUTPUT}" ]; then
 			display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET
@@ -13225,7 +13225,7 @@
 	FreeBSD|NetBSD|DragonFly)
 		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_OS_START "${OPERATING_SYSTEM}"
 
-		bsd_specific_checks
+#		bsd_specific_checks
 
 		test "${OPERATING_SYSTEM}" = "FreeBSD" -o "${OPERATING_SYSTEM}" = "DragonFly" && freebsd_specific_checks
 		;;
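Review bot: applied together, the two hunks work against each other: the second hunk (@@ -13225) comments out the `bsd_specific_checks` call, and the post identifies that function as the one running the sockstat/netstat comparison fixed in the first hunk (@@ -12925), so the parsing fix becomes dead code. Ship one or the other, or make the disablement conditional rather than unconditional.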