Hi guys. On my system (Librem 15 v4, PureOS amber), rkhunter is complaining about /usr/sbin/dhclient listening on the network.
Now, I already had /sbin/dhclient whitelisted for this check. It appears that dhclient has moved to a different directory, under /usr/ . Is that normal, or should I be concerned?
Did you look what’s actually inside these directories? Maybe there is a soft link between them and the binary is only in one directory. Just guessing.
Also I wonder how long a DHCP client listens to the network. Shouldn’t it only wait for a response after itself send a request?
The two files do not appear to be linked. They do appear to be exact copies of each other though, as far as timestamp, file size, and sha256 checksum.
Good point about how long the DHCP client should listen to the network. I may need to do some further research.
OK, so I just discovered that the entire /sbin directory is actually a link to /usr/sbin.
That would explain it. 
I think it has to do with this:
https://wiki.debian.org/UsrMerge
https://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge/
Linux Mint also recommended doing it for the latest version upgrade.
Not really.
An IP address assigned by DHCP is only valid for X seconds (where X may be very short or very long or anything in between). So every DHCP client has a repeated need for communication on the network i.e. to renew the lease every X seconds (and in fact nearly all DHCP clients will start attempting to renew the lease substantially before the lease expires, in accordance with the DHCP RFC).
I do believe (someone correct me if I am wrong) that the exact behaviour is a relatively recent change (last few years).
bootp port).in either case as revealed by netstat
Perhaps there was some reason for the change but I don’t know what it was.