Warning messages since grep has been upgraded to 3.8
rkhunter prints tens of warning messages on my system since grep has been updated to version 3.8
grep: warning: stray \ before +
egrep: warning: egrep is obsolescent; using grep -E
$ rkhunter --version
grep: warning: stray \ before -
grep: warning: stray \ before +
Rootkit Hunter 1.4.6
$ grep --version
grep (GNU grep) 3.8
I am running Mageia Cauldron (dev branch)
Regards
Additional info may be found here:
https://www.phoronix.com/news/GNU-Grep-3.8-Stop-egrep-fgrep
I tried to cope with those warnings. It seems to work for me.
Feel free to use.
Same problem here, with exact same versions of rkhunter and grep on Arch.
I gave a quick look to GGGG's file, and it looks like he's done a good job, replacing "egrep" with "grep -E" wherever necessary, and removing the superfluous backslashes. He also removed "egrep" from ABSOLUTELY_REQUIRED_CMDS, so that the script won't fail when "egrep" gets retired.
On my system, it runs OK, with the following exception:
I understand the issue is the error line. If I understand it, right or wrong, it says it is looking for SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL in /var/lib/rkhunter/db/i18n/* and can't find it.
I can't see how the modifications I made have led to this error.
$ grep -i -h display /usr/sbin/rkhunter /usr/sbin/rkhunter-bak | grep -- "-to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL"
display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL
display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL
$ grep SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL: /var/lib/rkhunter/db/i18n/*
/var/lib/rkhunter/db/i18n/en:SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL:Checking for running systemd journal daemon
Could you
- share your command line
- share the output of grep SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL: /var/lib/rkhunter/db/i18n/* on your system
- give a try with export LC_MESSAGES=C; rkhunter...
- try to revert the patch and downgrade grep to check if the issue was already there?
Regards
Hi GGGG,
The offending code seems to be this block at line 17529:
Removing the above solves the issue.
The code appears to be doing some sort of systemd/journald detection, and of course isn't related to the egrep bug. It's not part of stock rkhunter 1.4.6. In fact, your version seems to include a couple more extra bits of code related to systemd, which also aren't part of stock. (I'm attaching the diff; look towards the end.)
Perhaps you modified a development version of rkhunter, rather than the 1.4.6 release? Or one of the Git branches? If that's the case, then this is definitely not your fault. :-)
Last edit: Pantelis Panayiotou 2022-09-12
Well this patch was part of my distro. As you pointed out, it is related to systemd-journal.
So, it should be reverted from mine to get something which should better work on other distros.
Regards
Last edit: GGGG 2022-09-12
OK, I think I've done it.
The attached should contain all of GGGG's fixes, and be identical to stock 1.4.6 otherwise.
It appears to work fine, for me at least. Let's hope the developers will find it useful, and manage to issue an official patch for this bug as soon as possible.
Here is the same thing formatted as an easier to use and more robust unidiff patch and isolated from any distribution-specific patches. It should be easier to combine this with other distribution-specific patches/etc. (For example, on Gentoo, this patch could be applied by simply depositing it at /etc/portage/patches/app-forensics/rkhunter-1.4.6-r1/rkhunter-GNUgrep3.8.patch and re-emerging rkhunter, until a newer version incorporates something like it directly.)
I don't know enough about the subtle nuances of grep portability to say whether this might break something on other systems using something other than GNU grep, but I kind of suspect if it does break something, it would be on an OS so old that it should have been completely disconnected from the internet decades ago.
However, I will note that it might be worth revisiting or removing the special logic to conditionally define an alias for grep near line 185. Or maybe the patch could be shrunk by conditionally defining an alias or shell function for "egrep", instead of just replacing all such instances.
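As an added example (not code from rkhunter or from any poster in this thread), a small POSIX shell audit for the two grep 3.8 warning triggers discussed above: it rewrites egrep/fgrep invocations to grep -E / grep -F and lists the lines with a backslash before '-' or '+' for manual review, since dropping the backslash is only always safe for '\-'. The sample script text is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: audit a shell script for the two
# things GNU grep 3.8 warns about (egrep/fgrep calls and stray backslashes).

# Rewrite a standalone egrep/fgrep token in command position (start of line,
# or after whitespace, '|', '(', backtick or ';') to grep -E / grep -F.
# A token glued to other characters, e.g. "egrep(1)" in a message, is untouched.
rewrite_egrep() {
    sed -E \
        -e 's/(^|[[:space:]|(`;])egrep([[:space:]]|$)/\1grep -E\2/g' \
        -e 's/(^|[[:space:]|(`;])fgrep([[:space:]]|$)/\1grep -F\2/g' \
        "$1"
}

# Count lines that still carry an egrep/fgrep invocation; 0 means done.
count_egrep() {
    grep -c -E '(^|[[:space:]|(`;])[ef]grep([[:space:]]|$)' "$1" || true
}

# List lines with a backslash before '-' or '+'. '\-' can simply be dropped
# (it matches a literal '-' either way), but '\+' needs a human decision:
# in a basic regex GNU grep reads it as "one or more", in an extended regex
# it used to mean a literal '+', so dropping it silently changes the match.
find_stray_backslashes() {
    grep -n -F -e '\-' -e '\+' "$1" || true
}

# Constructed sample script exercising both warning triggers.
write_sample() {
    printf '%s\n' '#!/bin/sh
FOUND=$(egrep -c "^(root|admin):" /etc/passwd)
ps ax | egrep -v grep | fgrep "sshd"
echo "see egrep(1)"
grep "^[a-z]\+\-[0-9]" "$FILE"' > "$1"
}

# Stand-alone demonstration: rewrite, then report what is left to review.
if [ -z "${AUDIT_NO_DEMO:-}" ]; then
    SAMPLE=$(mktemp) && write_sample "$SAMPLE"
    rewrite_egrep "$SAMPLE"
    echo "lines still calling egrep/fgrep: $(rewrite_egrep "$SAMPLE" | { cat > "$SAMPLE.fixed"; count_egrep "$SAMPLE.fixed"; })"
    echo "lines with a stray backslash to review:"
    find_stray_backslashes "$SAMPLE"
    rm -f "$SAMPLE" "$SAMPLE.fixed"
fi
```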