Kanjut SHELL
Server IP : 172.16.15.8  /  Your IP : 18.224.31.82
Web Server : Apache
System : Linux zeus.vwu.edu 4.18.0-553.27.1.el8_10.x86_64 #1 SMP Wed Nov 6 14:29:02 UTC 2024 x86_64
User : apache ( 48)
PHP Version : 7.2.24
Disable Function : NONE
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : ON
Directory (0555) :  /../dev/../proc/533/../29/../21/../519/../170/../520/../161/../508/../../../bin/

[  Home  ][  C0mmand  ][  Upload File  ]

Current File : //../dev/../proc/533/../29/../21/../519/../170/../520/../161/../508/../../../bin/rkhunter
#!/bin/sh

#
# rkhunter -- Scan the system for rootkits and other known security issues.
#
# Copyright (c) 2003-2017, Michael Boelen ( michael AT rootkit DOT nl )
#
#     This program is free software; you can redistribute it and/or modify
#     it under the terms of the GNU General Public License as published by
#     the Free Software Foundation; either version 2 of the License, or
#     (at your option) any later version.
#
#     This program is distributed in the hope that it will be useful,
#     but WITHOUT ANY WARRANTY; without even the implied warranty of
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#     GNU General Public License for more details.
#
#     You should have received a copy of the GNU General Public License
#     along with this program; if not, write to the Free Software
#     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111, USA.
#


#
# Unfortunately we must do some O/S checks at the very beginning,
# otherwise SunOS will complain about some of the ksh/bash syntax.
# By default the SunOS root account uses a simple Bourne shell,
# which does not work with RKH. So we exec to use the Bash shell
# if it is present, or the Korn shell which is usually installed
# by default on Solaris systems.
#

BSDOS=0
SUNOS=0
BUSYBOX=0

OPERATING_SYSTEM=`uname 2>/dev/null`

case "${OPERATING_SYSTEM}" in
*BSD|DragonFly)
	BSDOS=1
	unset CLICOLOR CLICOLOR_FORCE
	;;
SunOS)
	SUNOS=1
	unset CLICOLOR CLICOLOR_FORCE
	;;
esac

if [ $SUNOS -eq 1 ]; then
	# Simple SunOS test of RANDOM to see if we are now running bash or ksh.
	if [ -z "$RANDOM" ]; then
		# If the 'which' output contains a space, then it is probably an error.
		if [ -n "`which bash 2>/dev/null | grep -v ' '`" ]; then
			exec bash $0 $*
		elif [ -n "`which ksh 2>/dev/null | grep -v ' '`" ]; then
			exec ksh $0 $*
		else
			echo "Unable to find the bash or ksh shell to run rkhunter."
			exit 1
		fi

		exit 0
	fi
fi


#
# Check to see if we are using the '--debug' option. If so, then
# we exec to log everything to the debug file.
#

if [ -n "`echo \"$*\" | grep '\-\-debug'`" ]; then
	RKHDEBUGFILE=""
	RKHDEBUGBASE="/tmp/rkhunter-debug"

	#
	# Ensure we create a random file name.
	#

	if [ -n "`which mktemp 2>/dev/null | grep -v ' '`" ]; then
		RKHDEBUGFILE=`mktemp ${RKHDEBUGBASE}.XXXXXXXXXX`
	elif [ -n "$RANDOM" ]; then
		RKHDEBUGFILE="${RKHDEBUGBASE}.$RANDOM"
	elif [ -n "`date +%N%s 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
		RKHDEBUGFILE="${RKHDEBUGBASE}.`date +%N%s%N`"
	elif [ -n "`date +%Y%m%d%H%M%S 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
		RKHDEBUGFILE="${RKHDEBUGBASE}.`date +%Y%m%d%H%M%S`"
	else
		RKHDEBUGFILE="${RKHDEBUGBASE}.$$"
	fi

	if [ -e "${RKHDEBUGFILE}" ]; then
		if [ -f "${RKHDEBUGFILE}" -a ! -h "${RKHDEBUGFILE}" ]; then
			rm -f "${RKHDEBUGFILE}" >/dev/null 2>&1
		else
			echo "Cannot use '--debug' option. Debug file \"${RKHDEBUGFILE}\" already exists, but it is not a file."
			exit 1
		fi
	fi

	DEBUG_OPT=1

	exec 1>"${RKHDEBUGFILE}" 2>&1
	chmod 600 "${RKHDEBUGFILE}" >/dev/null 2>&1
	set -x
else
	DEBUG_OPT=0
fi


#
# Now we must determine if we are using the Korn shell or not. If so,
# then we alias the 'echo' command and set ECHOOPT. For other shells,
# we try and determine the real shell being used, and test to see if
# the 'echo -e' command is valid or not. We set ECHOOPT accordingly.
#

#
# Unfortunately *BSD doesn't seem to allow capturing of unknown commands.
# So we must alias 'print' to something valid, but which will fail.
#

test $BSDOS -eq 1 && alias print=false

if [ "`print "rkh-ksh-string-test" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
	alias echo='print'
	ECHOOPT="--"
	MYSHELL=ksh
elif [ $SUNOS -eq 1 ]; then
	# For Solaris, if we are not running ksh, then it must be bash.
	MYSHELL=bash
	ECHOOPT="-e"
else
	#
	# We want to get the actual shell used by this program, and
	# so we need to test /bin/sh.
	#

	MYSHELL=/bin/sh
	test -h ${MYSHELL} && MYSHELL=`readlink ${MYSHELL} 2>/dev/null`
	MYSHELL=`basename ${MYSHELL} 2>/dev/null`

	# Assume 'bash' if we have problems finding the real shell.
	test -z "${MYSHELL}" && MYSHELL=bash

	# Check if we are using BusyBox.
	test "${MYSHELL}" = "busybox" && BUSYBOX=1

	#
	# Now test the 'echo -e' command.
	#

	if [ "`echo -e \"rkh-ksh\tstring-test\" 2>/dev/null`" = "rkh-ksh	string-test" ]; then
		ECHOOPT="-e"
	else
		ECHOOPT=""
	fi
fi

#
# We now perform a similar test to see if 'echo -n', or "\c", is valid
# or not. Unfortunately on some systems both '-e' and '-n' are valid,
# but not together. The "\c" option works in these cases. So we set
# ECHON accordingly.
#

if [ "`echo -n -e \"rkh-ksh-string-test\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
	ECHON="-n"
elif [ "`echo -e \"rkh-ksh-string-test\c\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
	ECHON="c"
elif [ "`echo \"rkh-ksh-string-test\c\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
	ECHON="c"
else
	ECHON=""
fi


#
# We also need to run a test to see if POSIX grep is being
# used. If it is, then some typical grep tests will fail.
#

if [ "`echo \"rkh-grep-test\" | grep '^\+'`" = "rkh-grep-test" ]; then
	alias grep='grep -E'
fi


#
# It seems that the BusyBox 'readlink' command does have
# a '-f' option, but it does not show the true pathname.
# So we only use the option for everyone else.
#

test $BUSYBOX -eq 1 && READLINK_OPT="" || READLINK_OPT="-f"


#
# Finally, we need to test the 'head' and 'tail' commands
# to see if they understand the '-n' option or not.
#

if head -n 1 </dev/null >/dev/null 2>&1; then
	HEAD_OPT="-n "
else
	HEAD_OPT="-"
fi

if tail -n 1 </dev/null >/dev/null 2>&1; then
	TAIL_OPT="-n "
else
	TAIL_OPT="-"
fi


######################################################################
#
# Global function definitions
#
######################################################################


display() {

	#
	# This function is used to display text messages on to the
	# users screen, as well as in to the log file. The same
	# message is written to both. However, the screen may have
	# a coloured result (green for good, red for bad, etc), and
	# the log file will have the time prefixed to the message and,
	# optionally, additional information messages after the main
	# message. All the messages are indexed in the language file.
	#
	# Syntax: display --to <destination> --type <type>
	#		  [--screen-indent <n>] [--log-indent <n>]
	#		  [--nl [<n>]] [--nl-after] [--log-nl] [--screen-nl] [--nonl]
	#		  [--result <result> --color <colour>]
	#		  <message index> [optional message arguments]
	#
	# where the destination can be one of SCREEN, LOG or SCREEN+LOG.
	# The type can be one of PLAIN, INFO or WARNING.
	# The language file will have all the current values.
	#
	# The --screen-indent and --log-indent options are used to
	# forcibly indent a message.
	# The --nl option causes a blank-line to be output before the
	# message both on the screen and in the log file. A following
	# number can be used to indicate how many blank lines should
	# be displayed on the screen.
	# The --log-nl option outputs a blank line only in the log file.
	# The --screen-nl option outputs a blank line on the screen
	# regardless of whether SCREEN was specified or not.
	# The --nl-after option outputs a blank line on the screen after
	# the message.
	# The --nonl option is only to be used in special cases where we
	# want the output of more than one message to appear on the same
	# line. This is currently only used when trying to obtain the
	# lock file. It only applies to PLAIN messages, and may not be
	# supported on all systems (depending on whether 'echo -n' works
	# or not).
	#


	#
	# We first initialize some variables and then
	# process the switches used.
	#

	WARN_MSG=0; NL=0; NLAFTER=0; LOGINDENT=0; SCREENINDENT=0
	LOGNL=0; SCREENNL=0
	WRITETO=''; TYPE=''; RESULT=''; COLOR=''; MSG=''
	LINE1=''; LOGLINE1=''; SPACES=''; NONL=''

	#
	# The IFS environment variable could be set to a non-default value
	# when this function is called. However, we need it to be the default
	# value in order to dislay things correctly. So, we record the initial
	# value, and then set it to the default. We set it back to the initial
	# value whenever we return from this function.
	#

	ORIG_IFS=$IFS
	IFS=$RKHIFS

	DISPLAY_LINE="display $*"

	if [ $# -le 0 ]; then
		echo "Error: Invalid display call - no arguments given"
		IFS=$ORIG_IFS
		return
	fi

	while [ $# -ge 1 ]; do
		case "$1" in
		--to)
			case "$2" in
			SCREEN|LOG|SCREEN+LOG)
				WRITETO=$2
				;;
			*)
				echo "Error: Invalid display destination: $2   Display line: ${DISPLAY_LINE}"
				IFS=$ORIG_IFS
				return
				;;
			esac

			shift
			;;
		--type)
			TYPE=`eval echo "\\$MSG_TYPE_$2"`

			if [ -z "${TYPE}" -a "$2" != "PLAIN" ]; then
				if [ $RKHLANGUPDT -eq 0 ]; then
					echo "Error: Invalid display type: $2   Display line: ${DISPLAY_LINE}"
					IFS=$ORIG_IFS
					return
				fi
			fi

			test "$2" = "WARNING" && WARN_MSG=1

			shift
			;;
		--result)
			RESULT=`eval echo "\\$MSG_RESULT_$2"`

			if [ -z "${RESULT}" ]; then
				if [ $RKHLANGUPDT -eq 0 ]; then
					echo "Error: Invalid display result: $2   Display line: ${DISPLAY_LINE}"
					IFS=$ORIG_IFS
					return
				fi
			fi

			shift
			;;
		--color)
			if [ $COLORS -eq 1 ]; then
				test -n "$2" && COLOR=`eval "echo \\${$2}"`

				if [ -z "${COLOR}" ]; then
					echo "Error: Invalid display color: $2   Display line: ${DISPLAY_LINE}"
					IFS=$ORIG_IFS
					return
				fi
			fi

			shift
			;;
		--log-indent)
			LOGINDENT=$2

			if [ -z "${LOGINDENT}" ]; then
				echo "Error: No --log-indent value given.   Display line: ${DISPLAY_LINE}"
				IFS=$ORIG_IFS
				return
			elif [ -z "`echo ${LOGINDENT} | grep '^[0-9]*$'`" ]; then
				echo "Error: Invalid '--log-indent' value given: $2   Display line: ${DISPLAY_LINE}"
				IFS=$ORIG_IFS
				return
			fi

			shift
			;;
		--screen-indent)
			SCREENINDENT=$2

			if [ -z "${SCREENINDENT}" ]; then
				echo "Error: No --screen-indent value given.   Display line: ${DISPLAY_LINE}"
				IFS=$ORIG_IFS
				return
			elif [ -z "`echo ${SCREENINDENT} | grep '^[0-9]*$'`" ]; then
				echo "Error: Invalid '--screen-indent' value given: $2   Display line: ${DISPLAY_LINE}"
				IFS=$ORIG_IFS
				return
			fi

			shift
			;;
		--nl)
			NL=1

			case "$2" in
			[0-9])
				NL=$2
				shift
				;;
			esac
			;;
		--log-nl)
			LOGNL=1
			;;
		--screen-nl)
			SCREENNL=1
			;;
		--nl-after)
			NLAFTER=1
			;;
		--nonl)
			NONL=$ECHON
			;;
		-*)
			echo "Error: Invalid display option given: $1   Display line: ${DISPLAY_LINE}"
			IFS=$ORIG_IFS
			return
			;;
		*)
			MSG=$1
			shift
			break
			;;
		esac

		shift
	done


	#
	# Before anything we must record if this is a warning message.
	#

	test $WARN_MSG -eq 1 && WARNING_COUNT=`expr ${WARNING_COUNT} + 1`


	#
	# For simplicity we now set variables as to whether the output
	# goes to the screen and/or the log file. In some cases we do
	# not need to output anything, and so can just return.
	#

	if [ $NOLOG -eq 1 ]; then
		if [ "${WRITETO}" = "LOG" ]; then
			IFS=$ORIG_IFS
			return
		fi

		test "${WRITETO}" = "SCREEN+LOG" && WRITETO="SCREEN"
	fi

	if [ $NOTTY -eq 1 ]; then
		if [ "${WRITETO}" = "SCREEN" ]; then
			IFS=$ORIG_IFS
			return
		fi

		test "${WRITETO}" = "SCREEN+LOG" && WRITETO="LOG"
	fi


	test "${WRITETO}" = "SCREEN" -o "${WRITETO}" = "SCREEN+LOG" && WRITETOTTY=1 || WRITETOTTY=0

	test "${WRITETO}" = "LOG" -o "${WRITETO}" = "SCREEN+LOG" && WRITETOLOG=1 || WRITETOLOG=0


	#
	# Now check that the options we have been given make sense.
	#

	if [ $WRITETOTTY -eq 0 -a $WRITETOLOG -eq 0 ]; then
		echo "Error: Invalid display destination: Display line: ${DISPLAY_LINE}"
		IFS=$ORIG_IFS
		return
	elif [ $WRITETOTTY -eq 1 -a $COLORS -eq 1 -a -n "${RESULT}" -a -z "${COLOR}" ]; then
		echo "Error: Invalid display - no color given: Display line: ${DISPLAY_LINE}"
		IFS=$ORIG_IFS
		return
	fi

	#
	# We only allow no newline for PLAIN messages.
	#

	test -n "${TYPE}" && NONL=""


	#
	# If we want whitelisted results to be shown as white, or
	# black for colour set two users, then change the colour now.
	#

	if [ $WLIST_IS_WHITE -eq 1 -a $WRITETOTTY -eq 1 -a $COLORS -eq 1 -a "${RESULT}" = "${MSG_RESULT_WHITELISTED}" ]; then
		COLOR=$WHITE
	fi


	#
	# We set the variable LINE1 to contain the first line of the message.
	# For the log file we use the variable LOGLINE1. We also set
	# where the language file is located. If a message cannot be found
	# in the file, then we look in the English file. This will allow RKH
	# to still work even when the language files change.
	#

	LANG_FILE="${DB_PATH}/i18n/${LANGUAGE}"

	if [ -n "${MSG}" ]; then
		LINE1=`grep ${GREP_OPT} "^${MSG}:" "${LANG_FILE}" 2>/dev/null | head ${HEAD_OPT}1 | cut -d: -f2-`

		if [ $RKHCHKLOCALE -eq 1 ]; then
			LINE1=`echo "${LINE1}" | ${ICONV_CMD} -f UTF-8 -t ${RKHCHRMAP} 2>/dev/null`
			test $? -ne 0 && LINE1=""
		fi

		if [ -z "${LINE1}" ]; then
			LANG_FILE="${DB_PATH}/i18n/en"
			LINE1=`grep ${GREP_OPT} "^${MSG}:" "${LANG_FILE}" 2>/dev/null | head ${HEAD_OPT}1 | cut -d: -f2-`

			if [ -z "${LINE1}" ]; then
				echo "Error: Invalid display - keyword cannot be found: Display line: ${DISPLAY_LINE}"
				IFS=$ORIG_IFS
				return
			fi
		else
			LINE1=`echo "${LINE1}" | sed -e 's/\`/\\\\\`/g'`
		fi

		test -n "${LINE1}" && LINE1=`eval "echo \"${LINE1}\" | sed -e 's/;/\\;/g'"`
	fi


	#
	# At this point LINE1 is the text of the message. We have to
	# see if the message is to be indented, and must prefix the
	# time to log file messages. We must do the log file first
	# because it uses LINE1.
	#

	if [ $WRITETOLOG -eq 1 ]; then
		LOGLINE1=`date '+[%H:%M:%S]'`

		test $NL -gt 0 -o $LOGNL -eq 1 && echo "${LOGLINE1}" >>"${RKHLOGFILE}"

		if [ -n "${TYPE}" ]; then
			LOGLINE1="${LOGLINE1} ${TYPE}: ${LINE1}"
		else
			test $LOGINDENT -gt 0 && SPACES=`echo "${BLANK_LINE}" | cut -c1-$LOGINDENT`

			LOGLINE1="${LOGLINE1} ${SPACES}${LINE1}"
		fi
	fi

	if [ $WRITETOTTY -eq 1 -a $SCREENINDENT -gt 0 ]; then
		SPACES=`echo "${BLANK_LINE}" | cut -c1-$SCREENINDENT`
		LINE1="${SPACES}${LINE1}"
	fi


	#
	# We now check to see if a result is to be output. If it is,
	# then we need to space-out the line and color the result.
	#

	if [ -n "${RESULT}" ]; then
		if [ $WRITETOTTY -eq 1 ]; then
			LINE1_NUM=`echo "${LINE1}" | wc -c | tr -d ' '`
			NUM_SPACES=`expr 62 - ${LINE1_NUM}`
			test $NUM_SPACES -lt 1 && NUM_SPACES=1

			if [ $COLORS -eq 0 ]; then
				SPACES=`echo "${BLANK_LINE}" | cut -c1-$NUM_SPACES`
				LINE1="${LINE1}${SPACES}[ ${RESULT} ]"
			else
				LINE1="${LINE1}\033[${NUM_SPACES}C[ ${COLOR}${RESULT}${NORMAL} ]"
			fi
		fi

		if [ $WRITETOLOG -eq 1 ]; then
			LOGLINE1_NUM=`echo "${LOGLINE1}" | wc -c | tr -d ' '`
			NUM_SPACES=`expr 62 - ${LOGLINE1_NUM}`
			test $NUM_SPACES -lt 1 && NUM_SPACES=1
			SPACES=`echo "${BLANK_LINE}" | cut -c1-$NUM_SPACES`

			LOGLINE1="${LOGLINE1}${SPACES}[ ${RESULT} ]"
		fi
	elif [ $WRITETOTTY -eq 1 -a -n "${COLOR}" ]; then
		LINE1="${COLOR}${LINE1}${NORMAL}"
	fi


	#
	# We can now output the message. We start with any required blank
	# lines, and then the first line. If this is a warning message we
	# write to the log file any additional lines.
	#

	if [ $SCREENNL -eq 1 ]; then
		test $QUIET -eq 0 -a $SHOWWARNINGSONLY -eq 0 -a $NOTTY -eq 0 && echo ""
	fi

	if [ $WRITETOTTY -eq 1 ]; then
		NLLOOP=$NL
		while test $NLLOOP -gt 0; do
			echo ""
			NLLOOP=`expr ${NLLOOP} - 1`
		done

		if [ "${NONL}" = "c" ]; then
			echo $ECHOOPT "${LINE1}\c"
		else
			echo $NONL $ECHOOPT "${LINE1}"
		fi
	fi

	if [ $WRITETOLOG -eq 1 ]; then
		echo $ECHOOPT "${LOGLINE1}" >>"${RKHLOGFILE}"

		if [ $WARN_MSG -eq 1 ]; then
			test $SHOWWARNINGSONLY -eq 1 && echo $ECHOOPT "${LOGLINE1}" | cut -d' ' -f2-

			LINE1=1
			OLDIFS=$IFS
			IFS=$IFSNL

			for LOGLINE1 in `grep ${GREP_OPT} "^${MSG}:" "${LANG_FILE}" 2>/dev/null | cut -d: -f2-`; do
				if [ $LINE1 -eq 1 ]; then
					LINE1=0
					continue
				else
					test $SHOWWARNINGSONLY -eq 1 && echo $ECHOOPT "         ${LOGLINE1}"
					echo $ECHOOPT "           ${LOGLINE1}" >>"${RKHLOGFILE}"
				fi
			done

			IFS=$OLDIFS
		elif [ $SHOWWARNINGSONLY -eq 1 -a -n "`echo \"${LOGLINE1}\" | grep '^\[[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\]         '`" ]; then
			echo $ECHOOPT "${LOGLINE1}" | cut -d' ' -f2-
		fi
	fi

	#
	# Output a final blank line if requested to do so.
	#

	test $WRITETOTTY -eq 1 -a $NLAFTER -eq 1 && echo ""

	IFS=$ORIG_IFS

	return
}


name2text() {

	#
	# This function changes any spaces in a character string to '<SP>',
	# tabs to '<TAB>' and any control characters to '?'. This allows
	# pathnames to be seen more easily - especially if spaces or tabs
	# are used.
	#
	# Whilst it would be nice to perform this function in 'display', we do
	# not want the changes to occur for all messages. So we keep this a
	# separate function, and only use it where necessary.
	#
	# Note that we must ensure that the 'echo' command does not interpret
	# any part of the string.
	#

	echo $ECHOOPT "$*" | sed -e 's/ /<SP>/g; s/	/<TAB>/g' | tr -d '\n' | tr '[:cntrl:]' '?'

	return
}


keypresspause() {

	#
	# This function will display a prompt message to the user.
	#

	if [ $SKIP_KEY_PRESS -eq 0 -a $QUIET -eq 0 ]; then
		display --to SCREEN --type PLAIN --nl PRESSENTER
		read RKHTMPVAR

		test "${RKHTMPVAR}" = "s" -o "${RKHTMPVAR}" = "S" && SKIP_KEY_PRESS=1
	fi

	return
}


get_option() {

	#
	# This function is used to process configuration file options.
	#

	# Syntax: get_option (single | space-list | newline-list) <option name>
	#
	# The first parameter indicates if the option can occur on one
	# or more lines in the configuration files. A 'space-list' is a
	# space-separated list, and 'newline-list' is a newline-separated
	# list. These will both typically be multiline. The second parameter
	# is the configuration file option name.
	#
	# Single line options are typically numbers, a single word or pathname.
	# Multiline options are usually pathnames, and will be a space-separated
	# or newline-separated list. Space-separated lists are, obviously, not
	# expected to contain any special characters such as a space.
	#
	# The function will output the final, non-expanded, option value.
	# It will also return an error code. A code of zero indicates no
	# problem, but a code of one indicates an error.
	#

	OPTMULTI="$1"
	OPTNAME="$2"

	if [ -z "${OPTMULTI}" -o -z "${OPTNAME}" ]; then
		echo "Error: Missing arguments in get_option function: $*" >&2
		return 1
	fi


	#
	# First see if the option is in the configuration files.
	#

	RKHTMPVAR2=`grep -h "^${OPTNAME}=" ${CONFIGFILE} ${LOCALCONFIGFILE} ${LOCALCONFDIRFILES}`

	if [ -z "${RKHTMPVAR2}" ]; then
		echo ""
		return 0
	fi

	#
	# We have an option, so process it.
	#

	case "${OPTMULTI}" in
	single)
		OPTVAR=`echo "${RKHTMPVAR2}" | tail ${TAIL_OPT}1 | sed -e "s/${OPTNAME}=//"`

		# If the option is unset, then just return.
		if [ -z "${OPTVAR}" -o "${OPTVAR}" = '""' -o "${OPTVAR}" = "''" ]; then
			echo ""
			return 0
		fi

		#
		# We must handle any _CMD option specially because they may
		# contain quote characters, and we do not want to remove these.
		#

		case "${OPTNAME}" in
		*_CMD|WEBCMD|HASH_FUNC)
			;;
		*_OPTS)
			#
			# Rkhunter configuration options which are command options may
			# begin with a hyphen ('-'). This can cause problems for the
			# 'echo' command. To prevent this, the simplest solution is to
			# append a space to the option value.
			#

			OPTVAR=`echo "${OPTVAR} " | tr -d '" 	' | tr -d "'"`

			test -n "`echo \"${OPTVAR} \" | grep '^-'`" && OPTVAR="${OPTVAR} "
			;;
		*)
			OPTVAR=`echo "${OPTVAR}" | tr -d '" 	' | tr -d "'"`
			;;
		esac
		;;
	space-list|newline-list)
		#
		# We must test whether the last line is set to the null string because
		# a multiline option is reset by specifying the last setting as null.
		#

		RKHTMPVAR3=`echo "${RKHTMPVAR2}" | tail ${TAIL_OPT}1 | sed -e "s/${OPTNAME}=//"`

		# If the option is unset, then just return.
		if [ -z "${RKHTMPVAR3}" -o "${RKHTMPVAR3}" = '""' -o "${RKHTMPVAR3}" = "''" ]; then
			echo ""
			return 0
		fi

		OPTVAR=`echo "${RKHTMPVAR2}" | sed -e "s/${OPTNAME}=//"`

		#
		# If an option begins with a hyphen, then this will cause problems
		# for the 'echo' command. So to prevent the problem we simply add
		# a space to the option value. We must repeat this though if the
		# variable is set again.
		# 

		test -n "`echo \"${OPTVAR} \" | grep '^-'`" && OPTVAR="${OPTVAR} "

		#
		# Newline-separated list can contain virtually any character, so
		# we leave them alone. But for space-separated lists we can be nice
		# and compress spaces and remove quotes.
		#

		if [ "${OPTMULTI}" = "space-list" ]; then
			OPTVAR=`echo "${OPTVAR}" | tr -s ' 	' '  '`

			OPTVAR=`echo "${OPTVAR}" | sed -e 's/^ *"* *//; s/ *"* *$//' | sed -e "s/^ *'* *//; s/ *'* *$//"`
			test -n "`echo \"${OPTVAR} \" | grep '^-'`" && OPTVAR="${OPTVAR} "

			#
			# We only use the options given after the last blank line (if any).
			#

			if [ -n "${OPTVAR}" ]; then
				RKHLINES=`echo "${OPTVAR}" | wc -l | tr -d ' '`

				OPTVAR=`echo "${OPTVAR}" | ${AWK_CMD} -v l="$RKHLINES" '/./ { if (a) { a = a "\n" $0 } else a = $0 }; /^$/ { a = "" }; NR == l { print a }'`
				test -n "`echo \"${OPTVAR} \" | grep '^-'`" && OPTVAR="${OPTVAR} "
			fi
		else
			#
			# For newline-separated lists, which will be pathnames, we are
			# nice to the user and will strip off a leading single or double
			# quote character *if* it also ends in the same quote character.
			# Since these should be pathnames they should start with the
			# '/' character. A quote as the first character implies that the
			# user has quoted the pathname.
			#

			if [ -n "`echo \"${OPTVAR}\" | grep '^\".*\"$'`" ]; then
				OPTVAR=`echo "${OPTVAR}" | sed -e 's/^"\(.*\)"$/\1/'`
			elif [ -n "`echo \"${OPTVAR}\" | grep \"^'.*'$\"`" ]; then
				OPTVAR=`echo "${OPTVAR}" | sed -e "s/^'\(.*\)'$/\1/"`
			fi
		fi
		;;
	*)
		echo "Error: Invalid argument in get_option function: $*" >&2
		return 1
		;;
	esac


	echo "${OPTVAR}"

	return 0
}


check_paths() {

	#
	# This function will check a supplied list of pathnames to
	# ensure the files and directories exist. It will also
	# check that directories such as '/' (root) are not present,
	# nor are pathnames with unwanted characters.
	#
	# Syntax: check_paths <pathnames> <option_name> "[EXIST] [NOWILD] [NOBROKENLINK]"
	#
	# The function only checks the pathnames. It is not possible
	# to modify the list in any way. The variable ERRCODE will be
	# set to one if any pathname fails a check.
	#
	# The first parameter is the list of pathnames to check. The
	# second parameter is the option name to be used in the error
	# messages. The third parameter is a space-separated list
	# indicating how strict the checks need to be with respect to
	# the pathnames existence, whether wildcard characters are
	# allowed, and whether symbolic links are allowed. The
	# argument is a space-separated list of the words 'EXIST'
	# (meaning the pathname must exist), 'NOWILD' (meaning that
	# shell wildcard characters are not allowed), and 'NOBROKENLINK'
	# (meaning that the pathname must not be a broken link).
	# The words may be given in any order.
	#

	OPT_VALUE_OPT=$1
	OPT_NAME=$2
	STRICT=$3

	test -z "${OPT_NAME}" && OPT_NAME=${OPT_VALUE_OPT}

	OPT_VALUE=`eval echo \"\\$${OPT_VALUE_OPT}\"`

	ERRCODE=0
	MUSTEXIST=0
	NOWILD=0
	NOBROKENLINK=0

	for RKHTMPVAR in ${STRICT}; do
		case "${RKHTMPVAR}" in
		EXIST)
			MUSTEXIST=1
			;;
		NOWILD)
			NOWILD=1
			;;
		NOBROKENLINK)
			NOBROKENLINK=1
			;;
		*)
			echo "Error: Invalid argument in check_paths function: $*" >&2
			;;
		esac
	done


	#
	# If no option value was given then just return (generally this situation
	# should never happen). However, if the file was required to exist, then
	# return with an error.
	#

	if [ -z "${OPT_VALUE}" ]; then
		if [ $MUSTEXIST -eq 1 ]; then
			ERRCODE=1

			echo "Invalid ${OPT_NAME} configuration option: No filename given, but it must exist."
		fi

		return
	fi


	#
	# If a pathname begins with a hyphen, then this will cause problems
	# for the 'echo' command. Since we generally don't allow plain filenames,
	# as opposed to a pathname, and these won't begin with a hyphen, we can
	# test and reject these.
	#

	RKHTMPVAR=`echo "${OPT_VALUE} " | grep '^-'`

	if [ -n "${RKHTMPVAR}" ]; then
		ERRCODE=1

		# We need to get RKHTMPVAR into a single line now, but we can't use a
		# straight echo command here because that would expand any wildcards.

		RKHTMPVAR=`make_space_list "${RKHTMPVAR}"`

		echo "Invalid ${OPT_NAME} configuration option: Pathname begins with a hyphen: ${RKHTMPVAR}"
		return
	fi


	#
	# We must check the entry for wildcard characters first
	# because the following 'for' command will expand them.
	#

	if [ $NOWILD -eq 1 ]; then
		#
		# For the SHARED_LIB_WHITELIST option the pathname may contain
		# the '{}' characters (wrapped around variable names). So we do
		# not check for these characters for that particular option.
		#

		if [ "${OPT_NAME}" = "SHARED_LIB_WHITELIST" ]; then
			RKHTMPVAR=`echo "${OPT_VALUE}" | egrep '(^|[^\\])[][?*]'`
		else
			RKHTMPVAR=`echo "${OPT_VALUE}" | egrep '(^|[^\\])[][?*{}]'`
		fi

		if [ -n "${RKHTMPVAR}" ]; then
			ERRCODE=1

			# We need to get RKHTMPVAR into a single line now, but we can't use a
			# straight echo command here because that would expand the wildcards.

			RKHTMPVAR=`make_space_list "${RKHTMPVAR}"`

			echo "Invalid ${OPT_NAME} configuration option: Pathname contains wildcard characters: ${RKHTMPVAR}"
			return
		fi
	fi


	#
	# Now check each pathname in the option.
	#

	# If this is a newline list option then we need to read a line at a time.

	if [ -n "`echo \"${NEWLINE_LIST_OPTS}\" | grep \" ${OPT_NAME} \"`" ]; then
		IFS=$IFSNL
	fi

	for FNAME in ${OPT_VALUE}; do
		test -z "${FNAME}" && continue

		#
		# For some options we may have to remove the leading character.
		#

# TODO:
# This is no longer needed since we moved the check_paths for bindir paths.
# The code is left here since we may need something very similar for overloaded options.
#   overloaded options - ALLOWPROCDELFILE PORT_PATH_WHITELIST RTKT_FILE_WHITELIST
#		if [ "${OPT_NAME}" = "BINDIR" ]; then
#			if [ -n "`echo \"${FNAME}\" | grep '^\+'`" ]; then
#				FNAME=`echo "${FNAME}" | cut -c2-`
#			fi
#		fi


		#
		# First check for anything which contains just dots.
		# Also check that '/' has not been set.
		#

		if [ -n "`echo \"${FNAME}\" | egrep '(^[./]*$)|[;&]|/\.\./'`" ]; then
			ERRCODE=1

			echo "Invalid ${OPT_NAME} configuration option: Invalid pathname: ${FNAME}"
			continue
		fi

		#
		# Next we check to see if it is a relative pathname. However, for
		# the SHARED_LIB_WHITELIST option, the pathname may begin with a
		# variable ($ORIGIN, ${LIB} etc). We must ignore these entries.
		#

		if [ -n "`echo \"${FNAME}\" | grep '^[^/].*/'`" ]; then
			if [ "${OPT_NAME}" = "SHARED_LIB_WHITELIST" -a -n "`echo \"${FNAME}\" | grep '^\\$'`" ]; then
				continue
			else
				ERRCODE=1
				echo "Invalid ${OPT_NAME} configuration option: Relative pathname: ${FNAME}"
			fi
		elif [ -z "`echo \"${FNAME}\" | grep '^/'`" ]; then
			#
			# Now we check to see if it is a simple file name.
			#

			#
			# Simple file names are allowed for some options.
			#

			case "${OPT_NAME}" in
			USER_FILEPROP_FILES_DIRS|SHARED_LIB_WHITELIST|*_CMD)
				continue
				;;
			esac

			ERRCODE=1

			echo "Invalid ${OPT_NAME} configuration option: Simple filename: ${FNAME}"
		else
			#
			# It's an absolute pathname. This could be a file, a directory,
			# some other file type, or a non-existent name.
			#

			#
			# This is as far as we go for some options. These pathnames may,
			# or may not exist, or may be things other than just files and
			# directories.
			#

			case "${OPT_NAME}" in
			PKGMGR_NO_VRFY|EXISTWHITELIST|ALLOWDEVFILE)
				continue
				;;
			esac

			#
			# Now test for the different file types.
			#

			if [ -f "${FNAME}" ]; then
				case "${OPT_NAME}" in
				ALLOWHIDDENDIR|TMPDIR|DBDIR|BINDIR|SCRIPTDIR|SSH_CONFIG_DIR|SUSPSCAN_DIRS|SUSPSCAN_TEMP|RTKT_DIR_WHITELIST|LOCKDIR)
					ERRCODE=1

					echo "Invalid ${OPT_NAME} configuration option: Not a directory: ${FNAME}"
					;;
				esac
			elif [ -d "${FNAME}" ]; then
				#
				# For the ALLOWHIDDENFILE option we need to allow
				# a hidden symbolic link to a directory.
				#

				test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue


				case "${OPT_NAME}" in
				ALLOWHIDDENFILE|RTKT_FILE_WHITELIST|WRITEWHITELIST|IMMUTWHITELIST|SCRIPTWHITELIST|LOGFILE|SYSLOG_CONFIG_FILE|INETD_CONF_PATH|XINETD_CONF_PATH|PASSWORD_FILE|OS_VERSION_FILE|IGNORE_PRELINK_DEP_ERR|MISSING_LOGFILES|EMPTY_LOGFILES|PORT_PATH_WHITELIST|ALLOWIPCPROC|SHARED_LIB_WHITELIST|*_CMD)
					ERRCODE=1

					echo "Invalid ${OPT_NAME} configuration option: Not a file: ${FNAME}"
					;;
				esac
			elif [ -h "${FNAME}" ]; then
				#
				# Generally we will accept broken links since the code will
				# simply not be able to use them. However, for some paths
				# these are not allowed at all.
				#

				if [ $NOBROKENLINK -eq 1 ]; then
					ERRCODE=1

					echo "Invalid ${OPT_NAME} configuration option: Broken link found: ${FNAME}"
				fi
			elif [ -e "${FNAME}" ]; then
				#
				# This is as far as we go for the hidden files. A hidden
				# 'file' can actually be anything other than a directory.
				# Similarly, a rootkit 'file' could be something other than
				# a regular file. So we allow them.
				#

				test "${OPT_NAME}" = "ALLOWHIDDENFILE" -o "${OPT_NAME}" = "RTKT_FILE_WHITELIST" && continue

				ERRCODE=1

				case "${OPT_NAME}" in
				ALLOWHIDDENDIR|RTKT_DIR_WHITELIST|TMPDIR|DBDIR|BINDIR|SCRIPTDIR|SSH_CONFIG_DIR|SUSPSCAN_DIRS|SUSPSCAN_TEMP|LOCKDIR)
					RKHTMPVAR2="directory"
					;;
				LOGFILE|SYSLOG_CONFIG_FILE|INETD_CONF_PATH|XINETD_CONF_PATH|PASSWORD_FILE|OS_VERSION_FILE|IGNORE_PRELINK_DEP_ERR|MISSING_LOGFILES|EMPTY_LOGFILES|PORT_PATH_WHITELIST|ALLOWIPCPROC|SHARED_LIB_WHITELIST|*_CMD)
					RKHTMPVAR2="file"
					;;
				*)
					RKHTMPVAR2="file or directory"
					;;
				esac

				echo "Invalid ${OPT_NAME} configuration option: Not a ${RKHTMPVAR2}: ${FNAME}"
			else
				#
				# Some pathnames don't need to exist.
				#

				test $MUSTEXIST -eq 0 && continue

				#
				# For the SHARED_LIB_WHITELIST option, we cannot test these
				# if they contain a variable in the pathname.
				#

				if [ "${OPT_NAME}" = "SHARED_LIB_WHITELIST" ]; then
					if [ -n "`echo \"${FNAME}\" | egrep '\\$\\{?(ORIGIN|LIB|PLATFORM)\\}?'`" ]; then
						continue
					fi
				fi

				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

				if [ -z "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					ERRCODE=1

					echo "Invalid ${OPT_NAME} configuration option: Non-existent pathname: `name2text \"${FNAME}\"`"
				fi
			fi
		fi
	done

	IFS=$RKHIFS


	return
}


expand_paths() {

	#
	# This function will output an expanded list of pathnames.
	#
	# The first parameter is the variable name containing the
	# newline-separated list of pathnames.
	#

	PATH_LIST=`eval echo \"\\$${1}\"`

	test -z "${PATH_LIST}" && return


	LIST=""
	IFS=$IFSNL

	for FNAME in ${PATH_LIST}; do
		test -z "${FNAME}" && continue

		LIST="${LIST}
${FNAME}"
	done

	IFS=$RKHIFS

	echo "${LIST}" | sed -e '/^$/d'

	return
}


make_space_list() {

	#
	# This function simply converts its argument into a space-separated list.
	#

	if [ "${ECHON}" = "c" ]; then
		echo $ECHOOPT "${1}\c" | tr '\n' ' ' | tr -s '	 ' '  '
	else
		echo $ECHON $ECHOOPT "${1}" | tr '\n' ' ' | tr -s '	 ' '  '
	fi

	return
}


check_is_digit() {

	#
	# This function checks to see if an option is a valid
	# number or not. Typically it must be 0 or 1.
	#
	# The first parameter is the variable name to check. The
	# second parameter is the option name to be used in the error
	# messages. An optional third parameter may be given to specify
	# that other values are allowed. If this is set to 'ANY', then
	# any positive number is allowed. If it is set to 'ANY1', then
	# the number must be greater than zero.
	#

	OPT_VALUE=$1
	OPT_NAME=$2
	OTHERS=$3

	test -z "${OPT_NAME}" && OPT_NAME=${OPT_VALUE}
	test -z "${OTHERS}" && OTHERS=0

	RKHTMPVAR=`eval echo "\"\\$${OPT_VALUE}\""`

	ERRCODE=0

	test -z "${RKHTMPVAR}" && return


	#
	# If ANY1 is given, then 0 is not a valid number.
	#

	if [ "${RKHTMPVAR}" = "0" -a "${OTHERS}" = "ANY1" ]; then
		ERRCODE=1

		echo "Invalid ${OPT_NAME} configuration option: not a valid number: ${RKHTMPVAR}"
	elif [ "${RKHTMPVAR}" != "0" -a "${RKHTMPVAR}" != "1" ]; then
		#
		# Some options may allow a slightly different value.
		#

		if [ -n "${OTHERS}" ]; then
			if [ "${OTHERS}" = "ANY" -a -n "`echo \"${RKHTMPVAR}\" | grep '^[0-9][0-9]*$'`" ]; then
				return
			elif [ "${OTHERS}" = "ANY1" -a -n "`echo \"${RKHTMPVAR}\" | grep '^[1-9][0-9]*$'`" ]; then
				return
			elif [ "${RKHTMPVAR}" = "${OTHERS}" ]; then
				return
			fi
		fi

		ERRCODE=1

		echo "Invalid ${OPT_NAME} configuration option: not a valid number: ${RKHTMPVAR}"
	fi

	return
}


get_temp_file() {

	#
	# This function will find a unique pathname which can be
	# used as a temporary file.
	#
	# It takes one parameter which is the pathname for the file,
	# excluding the suffix. The function will return the pathname
	# in TEMPFILE. The pathname itself is not created.
	#

	TEMPFILE=""

	TEMPFILE_BASE=$1


	if [ -n "${MKTEMP_CMD}" ]; then
		TEMPFILE=`${MKTEMP_CMD} "${TEMPFILE_BASE}.XXXXXXXXXX"`
	elif [ -n "$RANDOM" ]; then
		TEMPFILE="${TEMPFILE_BASE}.$RANDOM"
	elif [ $BSDOS -eq 1 ]; then
		TEMPFILE="${TEMPFILE_BASE}.`date +%s`"
	elif [ -n "`date +%N%s 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
		TEMPFILE="${TEMPFILE_BASE}.`date +%N%s%N`"
	else
		TEMPFILE="${TEMPFILE_BASE}.`date +%Y%m%d%H%M%S`"
	fi


	#
	# Remove the file just in case it already exists!
	#

	rm -f "${TEMPFILE}" >/dev/null 2>&1

	return
}


suckit_extra_checks() {

	#
	# This function carries out some extra checks of the suckit rootkit.
	# There are 3 extra checks, but we only display the result after
	# all the checks have completed. As such we store the result of
	# each check in a variable, and display the final result based on
	# the value of those variables.
	#

	display --to LOG --type PLAIN --log-indent 2 --nl ROOTKIT_ADD_SUCKIT_LOG

	#
	# The first check tests the link count of the '/sbin/init' file.
	# We use the NLINKS variable to indicate the test result:
	#	-1 means that no 'stat' command was available
	#	 0 means that the 'stat' command gave an error
	#	 1 is okay
	#	>1 means that suckit may be installed
	#

	NLINKS=-1

	if [ -n "${STAT_CMD}" ]; then
		ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

		if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
			NLINKS=`${STAT_CMD} --nlink /sbin/init 2>/dev/null`
		else
			NLINKS=`${STAT_CMD} -c %h /sbin/init 2>/dev/null`
		fi

		test -z "${NLINKS}" && NLINKS=0

		if [ $NLINKS -eq 0 ]; then
			display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_LINK_COUNT '/sbin/init'
		elif [ $NLINKS -eq 1 ]; then
			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result OK --log-indent 4 ROOTKIT_LINK_COUNT '/sbin/init'
			fi
		else
			display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_LINK_COUNT '/sbin/init'
		fi
	else
		display --to LOG --type PLAIN --result SKIPPED --log-indent 4 ROOTKIT_LINK_COUNT '/sbin/init'

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' stat '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'stat'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'stat'
		fi
	fi


	#
	# The next test checks to see if certain files are being
	# hidden. These files have the '.xrk' or '.mem' suffix.
	# The HIDDEN variable will be used to indicate the result:
	#	<null> is okay
	#	'xrk' means that the 'xrk' suffix is hidden
	#	'mem' means that the 'mem' suffix is hidden
	#

	HIDDEN=""

	ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

	for EXT in xrk mem; do
		get_temp_file "${RKHTMPDIR}/suckitexttest"

		touch "${TEMPFILE}"
		rm -f "${TEMPFILE}.${EXT}" >/dev/null 2>&1
		mv "${TEMPFILE}" "${TEMPFILE}.${EXT}"

		if [ ! -f "${TEMPFILE}.${EXT}" ]; then
			if [ -n "${HIDDEN}" ]; then
				HIDDEN="${HIDDEN} and ${EXT}"
			else
				HIDDEN=${EXT}
			fi
		fi

		rm -f "${TEMPFILE}.${EXT}" >/dev/null 2>&1
	done

	if [ -z "${HIDDEN}" ]; then
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_ADD_SUCKIT_EXT
		fi
	else
		display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_ADD_SUCKIT_EXT
	fi


	#
	# Finally we perform a check using the skdet command, if it
	# is present. The SKDET variable will be used to indicate
	# the result:
	#	-1 means that skdet is not available
	#	 0 means that skdet found nothing
	#	 1 means that skdet found something
	#	 2 means that the version of skdet is unknown
	#
	# The variable SKDET_OUTPUT will contain any output from
	# the command.
	#

	SKDET=-1
	SKDET_OUTPUT=""
	SKDET_CMD=`find_cmd skdet`

	if [ -n "${SKDET_CMD}" ]; then
		ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO FOUND_CMD 'skdet' "${SKDET_CMD}"
		fi

		#
		# We need to check the skdet version first.
		#

		SKDET=0
		SKDETOPT=""
		SKDETVER=`${SKDET_CMD} -v 2>&1 | grep '^skdet.v' | ${AWK_CMD} -F'.' '{ print $1 }'`

		case "${SKDETVER}" in
		*v0)
			SKDETOPT="-a"
			;;
		*v1)
			SKDETOPT="-c"
			;;
		*)
			SKDET=2
			SKDET_OUTPUT=`${SKDET_CMD} -v 2>&1`
			;;
		esac

		if [ $SKDET -eq 0 ]; then
			SKDET_OUTPUT=`${SKDET_CMD} ${SKDETOPT} 2>&1 | tr -s ' ' | grep -i 'invis'`

			test -n "${SKDET_OUTPUT}" && SKDET=1
		fi

		if [ $SKDET -eq 0 ]; then
			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result OK --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
			fi
		else
			display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
		fi
	else
		display --to LOG --type PLAIN --result SKIPPED --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
		display --to LOG --type INFO NOT_FOUND_CMD 'skdet'
	fi


	#
	# Now we can display the results.
	#

	if [ \( $NLINKS -eq 1 -o $NLINKS -eq -1 \) -a -z "${HIDDEN}" -a $SKDET -le 0 ]; then
		display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_ADD_SUCKIT
	else
		ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
		ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}Suckit Rootkit (additional checks), "

		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_ADD_SUCKIT

		if [ $NLINKS -eq -1 ]; then
			if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' stat '`" ]; then
				display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_LINK_DISABLED
			else
				display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_LINK_NOCMD
			fi
		elif [ $NLINKS -eq 0 ]; then
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_LINK_COUNT_CMDERR "${STAT_CMD}" '/sbin/init'
		elif [ $NLINKS -gt 1 ]; then
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_LINK_FOUND "$NLINKS"
		fi

		if [ -n "${HIDDEN}" ]; then
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_EXT_FOUND "${HIDDEN}"
		fi

		if [ $SKDET -eq 1 ]; then
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_SKDET_FOUND "${SKDET_OUTPUT}"
		elif [ $SKDET -eq 2 ]; then
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_SKDET_VER "${SKDET_OUTPUT}"
		fi
	fi

	return
}


scanrootkit() {

	#
	# This function performs the actual check for a rootkit.
	# It uses the variables SCAN_ROOTKIT, SCAN_FILES, SCAN_DIRS
	# and SCAN_KSYMS. These will have been set before the
	# function is called.
	#

	SCAN_STATUS=0

	ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

	display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"


	#
	# First check to see if any of the known files exist.
	#

	FILE_FOUND=""

	for RKHTMPVAR2 in ${SCAN_FILES}; do
		RKHTMPVAR=`echo "${RKHTMPVAR2}" | tr '%' ' '`

		#
		# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
		# will search (on a per rootkit basis) for filenames in all of the directories (as defined
		# by the result of running 'find / -xdev'). While still not optimal, as it 
		# still searches for only file names as opposed to file contents, this is one step away
		# from the rigidity of searching in known (evidence) or default (installation) locations.
		#
		# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
		#
		# You should only activate this feature as part of a more thorough investigation which
		# should be based on relevant best practices and procedures. 
		# Apart from ameliorating the case with respect to functionality (e.g. reporting) this feature does not
		# concern itself with efficiency so asking for improvements like whitelisting, de-duping or false-positives is 
		# out of the question.
		#
		# Enabling this feature implies you have the knowledge to interpret the results properly.
		#

		case "${SCANROOTKITMODE}" in
		THOROUGH) # Search the whole filesystem
				test -n "${BASENAME_CMD}" && FNAME=`${BASENAME_CMD} "${RKHTMPVAR}"` || FNAME=`echo "${RKHTMPVAR}" | sed -e 's:^.*/::'`

				FILENAMES=`${FIND_CMD} / -xdev -name "${FNAME}"`

				if [ -z "${FILENAMES}" ]; then
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_FILE "`name2text \"${RKHTMPVAR}\"`"
					fi
				else
					FOUND=0

					IFS=$IFSNL

					for FNAME in ${FILENAMES}; do
						if [ \( -f "${FNAME}" -a -s "${FNAME}" \) -o -b "${FNAME}" -o -c "${FNAME}" -o -h "${FNAME}" -o -p "${FNAME}" -o -S "${FNAME}" ]; then
							FOUND=1
							SCAN_STATUS=1
							FILE_FOUND="${FILE_FOUND}
${FNAME}"
						fi
					done

					IFS=$RKHIFS

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						test $FOUND -eq 0 && FOUND="NOT_FOUND" || FOUND="FOUND"
						display --to LOG --type PLAIN --result ${FOUND} --log-indent 2 ROOTKIT_FILES_DIRS_FILE "`name2text \"${RKHTMPVAR}\"`"
					fi
				fi
				;;
			*) # Scan the old way
				if [ -f "${RKHTMPVAR}" ]; then
					#
					# We first check to see if the file is whitelisted. Note that we use
					# the un-translated file name. This allows us to check for filenames
					# with spaces, but without causing problems for our space-delimited test.
					#

					FNAMEGREP=`echo "${RKHTMPVAR2}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

					if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
						if [ $VERBOSE_LOGGING -eq 1 ]; then
							display --to LOG --type INFO FILE_PROP_WL "`name2text \"${RKHTMPVAR}\"`" 'known_rkts'
						fi
					else
						SCAN_STATUS=1
						FILE_FOUND="${FILE_FOUND}
${RKHTMPVAR}"
					fi

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_FILE "`name2text \"${RKHTMPVAR}\"`"
					fi
				elif [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_FILE "`name2text \"${RKHTMPVAR}\"`"
				fi
				;;
		esac
	done


	#
	# Next check to see if any of the directories exist.
	#

	DIR_FOUND=""

	for RKHTMPVAR2 in ${SCAN_DIRS}; do
		RKHTMPVAR=`echo "${RKHTMPVAR2}" | tr '%' ' '`

		if [ -d "${RKHTMPVAR}" ]; then
			#
			# We first check to see if the directory is whitelisted. Note that we use
			# the un-translated directory name. This allows us to check for directory
			# names with spaces, but without causing problems for our space-delimited test.
			#

			FNAMEGREP=`echo "${RKHTMPVAR2}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

			if [ -n "`echo \"${RTKT_DIR_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO FILE_PROP_WL_DIR "`name2text \"${RKHTMPVAR}\"`" 'known_rkts'
				fi
			else
				SCAN_STATUS=1
				DIR_FOUND="${DIR_FOUND}
${RKHTMPVAR}"
			fi

			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "`name2text \"${RKHTMPVAR}\"`"
			fi
		elif [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "`name2text \"${RKHTMPVAR}\"`"
		fi
	done


	#
	# Finally check the kernel symbols file.
	#

	KSYM_FOUND=""

	if [ -n "${SCAN_KSYMS}" ]; then
		for KS in ${SCAN_KSYMS}; do
			if [ -n "${KSYMS_FILE}" ]; then
				FNAMEGREP=`echo "${KS}" | sed -e 's/\./\\\./g'`

				if [ -n "`grep ${GREP_OPT} \"${FNAMEGREP}\" \"${KSYMS_FILE}\"`" ]; then
					SCAN_STATUS=1
					KSYM_FOUND="${KSYM_FOUND}
${KS}"

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
					fi
				elif [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
				fi
			else
				display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
			fi
		done
	fi


	#
	# Now display the results.
	#

	if [ $SCAN_STATUS -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
	else
		ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
		ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "

		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"


		#
		# Log any files, directories or kernel symbols found.
		#

		IFS=$IFSNL

		FILE_FOUND=`echo "${FILE_FOUND}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${FILE_FOUND}; do
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_FILE_FOUND "`name2text \"${RKHTMPVAR}\"`"
		done

		DIR_FOUND=`echo "${DIR_FOUND}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${DIR_FOUND}; do
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_DIR_FOUND "`name2text \"${RKHTMPVAR}\"`"
		done

		KSYM_FOUND=`echo "${KSYM_FOUND}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${KSYM_FOUND}; do
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_KSYM_FOUND "${RKHTMPVAR}"
		done

		IFS=$RKHIFS
	fi

	return
}


check_required_commands() {

	#
	# This function checks that the required commands are present
	# on the system. The function is called twice: initially to check
	# that we can at least start running rkhunter; and the second
	# time after we have processed BINDIR to ensure that all the
	# required commands are present. It takes one parameter used
	# to indicate which list of commands to check.
	#

	LEAVE=0

	if [ $1 -eq 1 ]; then
		CMDDIR="${RKHROOTPATH}"
		CMDNAMES="${ABSOLUTELY_REQUIRED_CMDS}"
	else
		CMDDIR="${BINPATHS}"
		CMDNAMES="${REQCMDS}"
	fi

	for CMD in ${CMDNAMES}; do
		SEEN=0

		for DIR in ${CMDDIR}; do
			if [ -f "${DIR}/${CMD}" -a -x "${DIR}/${CMD}" ]; then
				SEEN=1
				break
			fi
		done

		if [ $SEEN -eq 0 ]; then
			LEAVE=1
			echo "The command '${CMD}' must be present on the system in order to run rkhunter."
		fi
	done


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


check_commands() {

	#
	# We check for some commands used in the tests. If the command
	# is found then a variable including the command name is set.
	# These commands are not 'required', so nothing happens if the
	# command is not found. The commands can be defined in the
	# configuration file, and a value of 'DISABLED' will cause a
	# command to not exist. A value of 'BUILTIN' may be used for
	# the 'stat' and 'readlink' commands, to indicate that the
	# supplied scripts should be used. We have to handle the 'stat'
	# command in a special way so that the perl module does not get
	# used if the command is to be disabled.
	#

	LEAVE=0
	ERRCODE=0

	for CMD in ${CMDLIST}; do
		CMDNAME=`echo ${CMD} | tr '[:lower:]' '[:upper:]'`
		CMDNAME="${CMDNAME}_CMD"


		#
		# See if the user has defined the command in
		# the configuration file.
		#

		CFG_CMD=`get_option single "${CMDNAME}"` || exit $?

		if [ -n "${CFG_CMD}" ]; then
			if [ "${CFG_CMD}" = "DISABLED" -o "${CFG_CMD}" = "BUILTIN" ]; then
				eval ${CMDNAME}=\"${CFG_CMD}\"
			else
				MCMD=`echo "${CFG_CMD}" | cut -d' ' -f1`

				#
				# We must first check that the command name is valid.
				# The user may have included globbing characters, or
				# used multiple dots, and we do not allow that.
				#

				check_paths MCMD "${CMDNAME}" "EXIST NOWILD NOBROKENLINK"

				if [ $ERRCODE -eq 1 ]; then
					LEAVE=1
					continue
				fi

				#
				# Check that the command is executable.
				#

				if [ -n "`find_cmd ${MCMD}`" ]; then
					eval ${CMDNAME}=\"${CFG_CMD}\"
				else
					CFG_CMD=""
				fi
			fi
		fi


		#
		# If the command has not been predefined, or is not
		# executable, then go find the command to use.
		#

		test -z "${CFG_CMD}" && eval ${CMDNAME}=`find_cmd ${CMD}`
	done


	#
	# We can only go this far really if there has been an error.
	#

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
			return
		fi
	fi


	#
	# If we cannot find a 'stat' command, or the supplied script is to
	# be used, then we must check to see if perl is available. If it is,
	# then the supplied 'stat' script can be used.
	#

	if [ -n "${PERL_CMD}" -a "${PERL_CMD}" != "DISABLED" ]; then
		if [ -z "${STAT_CMD}" -o "${STAT_CMD}" = "BUILTIN" ]; then
			if [ -r "${SCRIPT_PATH}/check_modules.pl" ]; then
				MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" File::stat Getopt::Long 2>/dev/null | grep 'NOT installed'`
			else
				MOD_INSTALLED="module not found"
			fi

			if [ -z "${MOD_INSTALLED}" -a -r "${SCRIPT_PATH}/stat.pl" ]; then
				STAT_CMD="${PERL_CMD} ${SCRIPT_PATH}/stat.pl"
			else
				STAT_CMD=""
			fi
		fi
	elif [ "${STAT_CMD}" = "BUILTIN" ]; then
		STAT_CMD=""
	fi


	#
	# If the readlink command cannot be found, or it does not support
	# the '-f' option, then we must use the supplied shell script.
	#

	if [ "${READLINK_CMD}" != "DISABLED" ]; then
		if [ -z "${READLINK_CMD}" -o "${READLINK_CMD}" = "BUILTIN" ]; then
			test -x "${SCRIPT_PATH}/readlink.sh" && READLINK_CMD="${SCRIPT_PATH}/readlink.sh" || READLINK_CMD=""
		elif [ -n "`${READLINK_CMD} -f \"${SCRIPT_PATH}/readlink.sh\" 2>&1 >/dev/null`" ]; then
			test -x "${SCRIPT_PATH}/readlink.sh" && READLINK_CMD="${SCRIPT_PATH}/readlink.sh" || READLINK_CMD=""
		fi
	fi


	#
	# For Solaris systems we should use the 'gstrings' command
	# rather than 'strings', if it is available. Similarly we
	# should use 'gawk' or 'nawk' if it is available rather
	# than 'awk'.
	#

	if [ $SUNOS -eq 1 ]; then
		if [ "${STRINGS_CMD}" != "DISABLED" ]; then
			RKHTMPVAR=`find_cmd gstrings`
			test -n "${RKHTMPVAR}" && STRINGS_CMD="${RKHTMPVAR}"
		fi

		AWK_CMD=`find_cmd gawk`

		if [ -z "${AWK_CMD}" ]; then
			AWK_CMD=`find_cmd nawk`

			if [ -z "${AWK_CMD}" ]; then
				AWK_CMD=`find_cmd /usr/xpg4/bin/awk`

				if [ -z "${AWK_CMD}" ]; then
					AWK_CMD='awk'
				fi
			fi
		fi
	else
		AWK_CMD='awk'
	fi


	#
	# For OSX systems we should use the 'gnumfmt' command
	# rather than 'numfmt', if it is available.
	#

	if [ $MACOSX -eq 1 ]; then
		if [ "${NUMFMT_CMD}" != "DISABLED" ]; then
			RKHTMPVAR=`find_cmd gnumfmt`
			test -n "${RKHTMPVAR}" && NUMFMT_CMD="${RKHTMPVAR}"
		fi
	fi


	#
	# Now remove all the DISABLED commands.
	#

	for CMD in ${CMDLIST}; do
		RKHTMPVAR=`echo ${CMD} | tr '[:lower:]' '[:upper:]'`
		RKHTMPVAR="${RKHTMPVAR}_CMD"
		RKHTMPVAR2=`eval echo "\\$${RKHTMPVAR}"`

		if [ "${RKHTMPVAR2}" = "DISABLED" -o "${RKHTMPVAR2}" = "BUILTIN" ]; then
			eval ${RKHTMPVAR}=\"\"
			test "${RKHTMPVAR2}" = "DISABLED" && DISABLED_CMDS="${DISABLED_CMDS} ${CMD}"
		fi
	done

	test -n "${DISABLED_CMDS}" && DISABLED_CMDS=" ${DISABLED_CMDS} "


	#
	# Finally we can set some variables based on
	# whether the commands exist or not.
	#

	test -n "${NUMFMT_CMD}" && HAVE_NUMFMT=1
	test -n "${READLINK_CMD}" && HAVE_READLINK=1

	return
}


get_installdir_option() {

	#
	# This function obtains the RKH installation directory. It must
	# be set by the installer script, and has no default.
	#

	LEAVE=0
	ERRCODE=0

	RKHINSTALLDIR=`get_option single INSTALLDIR` || exit $?

	if [ -z "${RKHINSTALLDIR}" ]; then
		LEAVE=1
		echo "Invalid INSTALLDIR configuration option - no installation directory specified."
	elif [ ! -d "${RKHINSTALLDIR}" ]; then
		LEAVE=1
		echo "Installation directory does not exist: ${RKHINSTALLDIR}"
	elif [ ! -r "${RKHINSTALLDIR}" ]; then
		LEAVE=1
		echo "Installation directory is not readable: ${RKHINSTALLDIR}"
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_language_option() {

	#
	# First get the option from the command-line or the
	# configuration file, and do a simple check on whether
	# it is empty or a space.
	#

	LEAVE=0
	ERRCODE=0

	if [ -n "${LANGUAGE}" ]; then
		LANGUAGE=`echo "${LANGUAGE}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${LANGUAGE}" ]; then
			LEAVE=1
			echo "Invalid '--language' option - no language given."
		fi
	else
		LANGUAGE=`get_option single LANGUAGE` || exit $?
	fi

	#
	# If no language has been set, then use English.
	#

	test -z "${LANGUAGE}" && LANGUAGE="en"


	#
	# Now check that the language is available.
	#

	if [ ! -d "${DB_PATH}/i18n" ]; then
		LEAVE=1
		echo "The internationalisation directory does not exist: ${DB_PATH}/i18n"
	fi

	#
	# If we are using the '--update' option, then the language files
	# will be installed if they are missing. As such, we cannot check
	# them here.
	#

	if [ $LEAVE -eq 0 ]; then
		if [ ! -s "${DB_PATH}/i18n/${LANGUAGE}" -a "${LANGUAGE}" != "en" ]; then
			if [ $UPDATE_ONLY -eq 1 ]; then
				RKHLANGUPDT=1
			else
				LEAVE=1
				echo "The language specified is not available: ${LANGUAGE}"
				echo "Use the command 'rkhunter --lang en --list languages' to see the list of available languages."
			fi
		elif [ ! -s "${DB_PATH}/i18n/en" ]; then
			if [ $UPDATE_ONLY -eq 1 ]; then
				RKHLANGUPDT=1
			else
				LEAVE=1
				echo "The English language file must be present: ${DB_PATH}/i18n/en"
				echo "If it has been deleted, then you will need to run 'rkhunter --update' with no other options."
			fi
		fi
	fi

	#
	# Next sort out the locale used if the language is German.
	#

	if [ "${LANGUAGE}" = "de" ]; then
		ICONV_CMD=`find_cmd iconv`
		LOCALE_CMD=`find_cmd locale`

		if [ -n "${ICONV_CMD}" -a -n "${LOCALE_CMD}" ]; then
			RKHCHRMAP=`${LOCALE_CMD} charmap 2>/dev/null`
			test -n "${RKHCHRMAP}" && RKHCHKLOCALE=1
		fi
	fi

	#
	# Finally, find out what languages the user wants to be updated.
	# We add in the default language, and 'en', if they have not
	# been specified.
	#

	if [ $UPDATE -eq 1 ]; then
		UPDATE_LANG=`get_option space-list UPDATE_LANG` || exit $?

		if [ -n "${UPDATE_LANG}" ]; then
			UPDATE_LANG=`echo ${UPDATE_LANG}`

			if [ -z "`echo \" ${UPDATE_LANG} \" | grep \" ${LANGUAGE} \"`" ]; then
				UPDATE_LANG="${UPDATE_LANG} ${LANGUAGE}"
			fi

			if [ -z "`echo \" ${UPDATE_LANG} \" | grep ' en '`" ]; then
				UPDATE_LANG="${UPDATE_LANG} en"
			fi
		fi
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_logfile_option() {

	#
	# First get the option from the command-line or the
	# configuration file, and do a simple check on whether
	# it is empty or a space.
	#

	LEAVE=0
	ERRCODE=0

	if [ -n "${RKHLOGFILE}" ]; then
		RKHLOGFILE=`echo "${RKHLOGFILE}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${RKHLOGFILE}" ]; then
			LEAVE=1
			echo "Invalid '--logfile' option - no logfile name given."
		fi
	else
		RKHLOGFILE=`get_option single LOGFILE` || exit $?

		check_paths RKHLOGFILE LOGFILE "NOWILD NOBROKENLINK"

		if [ $ERRCODE -eq 0 ]; then
			if [ -z "${RKHLOGFILE}" ]; then
				RET_CODE=1
				RKHLOGFILE="${DFLT_LOGFILE}"
				echo "The default logfile will be used: ${RKHLOGFILE}"
			fi
		else
			LEAVE=1
		fi
	fi

	#
	# Now check that the given option is usable.
	#

	if [ $LEAVE -eq 1 ]; then
		:
	elif [ "${RKHLOGFILE}" = "/dev/null" ]; then
		APPEND_LOG=0
	else
		LOGDIR=`echo "${RKHLOGFILE}" | sed -e 's:/[^/][^/]*$::'`

		if [ -z "`echo \"${LOGDIR}\" | grep '/'`" ]; then
			LOGDIR="."
		fi

		if [ "${LOGDIR}" = "${RKHLOGFILE}" ]; then
			LEAVE=1
			echo "No log filename given: ${RKHLOGFILE}"
		elif [ ! -e "${LOGDIR}" ]; then
			LEAVE=1
			echo "Logfile directory does not exist: ${RKHLOGFILE}"
		elif [ ! -d "${LOGDIR}" ]; then
			LEAVE=1
			echo "Logfile directory is not a directory: ${RKHLOGFILE}"
		elif [ ! -w "${LOGDIR}" ]; then
			LEAVE=1
			echo "Logfile directory is not writable: ${RKHLOGFILE}"
		elif [ ! -r "${LOGDIR}" ]; then
			LEAVE=1
			echo "Logfile directory is not readable: ${RKHLOGFILE}"
		elif [ -h "${RKHLOGFILE}" ]; then
			LEAVE=1
			echo "Logfile is a symbolic link: ${RKHLOGFILE}"
			echo "This is a security problem. The link points to another file, and that file is about to be modified by rkhunter."
		elif [ -e "${RKHLOGFILE}" -a ! -f "${RKHLOGFILE}" ]; then
			LEAVE=1
			echo "Logfile already exists but it is not a file: ${RKHLOGFILE}"
		fi
	fi


	#
	# Now check whether we should append to the logfile
	# or overwrite it. We check the configuration file
	# option, if it is given, and ensure that it is valid.
	#

	if [ $APPEND_OPT -eq 0 ]; then
		ERRCODE=0

		APPEND_LOG=`get_option single APPEND_LOG` || exit $?

		if [ -n "${APPEND_LOG}" ]; then
			check_is_digit APPEND_LOG

			test $ERRCODE -eq 1 && LEAVE=1
		else
			APPEND_LOG=0
		fi
	fi


	#
	# Finally, check if the logfile should be copied if
	# there were any errors or warnings. Obviously no
	# copy is done if no logfile is used.
	#

	ERRCODE=0

	RKHTMPVAR=`get_option single COPY_LOG_ON_ERROR` || exit $?

	if [ -n "${RKHTMPVAR}" ]; then
		check_is_digit RKHTMPVAR COPY_LOG_ON_ERROR

		if [ $ERRCODE -eq 0 ]; then
			COPY_LOG_ON_ERROR=$RKHTMPVAR
		else
			LEAVE=1
		fi
	else
		COPY_LOG_ON_ERROR=0
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_tmpdir_option() {

	#
	# First get the option from the command-line or the
	# configuration file, and do a simple check on whether
	# it is empty or a space.
	#

	LEAVE=0
	ERRCODE=0

	if [ -n "${RKHTMPDIR}" ]; then
		RKHTMPDIR=`echo "${RKHTMPDIR}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${RKHTMPDIR}" ]; then
			LEAVE=1
			echo "Invalid '--tmpdir' option - no directory name given."
		fi
	else
		RKHTMPDIR=`get_option single TMPDIR` || exit $?

		check_paths RKHTMPDIR TMPDIR "NOWILD NOBROKENLINK EXIST"

		if [ $ERRCODE -eq 0 ]; then
			if [ -z "${RKHTMPDIR}" ]; then
				RET_CODE=1
				RKHTMPDIR="${RKHINSTALLDIR}/lib/rkhunter/tmp"
				echo "The default temporary directory will be used: ${RKHTMPDIR}"
			fi
		else
			LEAVE=1
		fi
	fi

	#
	# Now check that the given option is usable.
	#

	if [ $LEAVE -eq 1 ]; then
		:
	elif [ ! -e "${RKHTMPDIR}" ]; then
		LEAVE=1
		echo "Temporary directory does not exist: ${RKHTMPDIR}"
	elif [ ! -d "${RKHTMPDIR}" ]; then
		LEAVE=1
		echo "Temporary directory is not a directory: ${RKHTMPDIR}"
	elif [ ! -w "${RKHTMPDIR}" ]; then
		LEAVE=1
		echo "Temporary directory is not writable: ${RKHTMPDIR}"
	elif [ ! -r "${RKHTMPDIR}" ]; then
		LEAVE=1
		echo "Temporary directory is not readable: ${RKHTMPDIR}"
	elif [ "${RKHTMPDIR}" = "/tmp" -o "${RKHTMPDIR}" = "/var/tmp" ]; then
		LEAVE=1
		echo "Do not use ${RKHTMPDIR} as the temporary directory."
		echo "This directory will be used by rkhunter to contain system files, so the directory must be secure."
	elif [ "${RKHTMPDIR}" = "/etc" ]; then
		LEAVE=1
		echo "Do not use ${RKHTMPDIR} as the temporary directory."
		echo "This directory will be used by rkhunter to copy and delete certain system files."
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_dbdir_option() {

	#
	# First get the option from the command-line or the
	# configuration file, and do a simple check on whether
	# it is empty or a space.
	#

	LEAVE=0
	ERRCODE=0

	if [ -n "${DB_PATH}" ]; then
		DB_PATH=`echo "${DB_PATH}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${DB_PATH}" ]; then
			LEAVE=1
			echo "Invalid '--dbdir' option - no directory name given."
		fi
	else
		DB_PATH=`get_option single DBDIR` || exit $?

		check_paths DB_PATH DBDIR "NOWILD EXIST NOBROKENLINK"

		if [ $ERRCODE -eq 0 ]; then
			if [ -z "${DB_PATH}" ]; then
				RET_CODE=1
				DB_PATH="${RKHINSTALLDIR}/lib/rkhunter/db"
				echo "The default database directory will be used: ${DB_PATH}"
			fi
		else
			LEAVE=1
		fi
	fi

	#
	# Now check that the given option is usable.
	#

	if [ $LEAVE -eq 1 ]; then
		:
	elif [ ! -e "${DB_PATH}" ]; then
		LEAVE=1
		echo "Database directory does not exist: ${DB_PATH}"
	elif [ ! -d "${DB_PATH}" ]; then
		LEAVE=1
		echo "Database directory is not a directory: ${DB_PATH}"
	elif [ ! -r "${DB_PATH}" ]; then
		LEAVE=1
		echo "Database directory is not readable: ${DB_PATH}"
	elif [ $PROP_UPDATE -eq 1 -o $UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
		if [ ! -w "${DB_PATH}" ]; then
			LEAVE=1
			echo "Database directory is not writable: ${DB_PATH}"
		fi
	fi


	if [ $LEAVE -eq 0 ]; then
		RKHDAT_FILE="${DB_PATH}/rkhunter.dat"
		RKH_FILEPROP_LIST="${DB_PATH}/rkhunter_prop_list.dat"
	else
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


add_extra_dirs() {

	#
	# This functions takes care of any additional directories
	# that may exist on some systems. After the function is called
	# the value of EXTRA_DIRS must be added to whatever variable
	# is being used.
	#

	EXTRA_DIRS=""

	if [ $SUNOS -eq 1 ]; then
		#
		# Add in some other directories, and those which
		# contain the Solaris 'companion' software.
		#

		test -d /usr/gnu && EXTRA_DIRS="${EXTRA_DIRS} /usr/gnu/bin /usr/gnu/sbin /usr/gnu/libexec"
		test -d /usr/sfw && EXTRA_DIRS="${EXTRA_DIRS} /usr/sfw/bin /usr/sfw/sbin /usr/sfw/libexec"
		test -d /opt/sfw && EXTRA_DIRS="${EXTRA_DIRS} /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec"
		test -d /usr/xpg4/bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/xpg4/bin"
		test -d /usr/ccs/bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/ccs/bin"
		test -d /usr/5bin -a ! -h /usr/5bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/5bin"
		test -d /usr/ucb && EXTRA_DIRS="${EXTRA_DIRS} /usr/ucb"


		#
		# OpenSolaris distributions (e.g. BeleniX) may use
		# other directories.
		#

		test -d /usr/foss && EXTRA_DIRS="${EXTRA_DIRS} /usr/foss/bin /usr/foss/sbin /usr/foss/libexec"
	elif [ $BSDOS -eq 1 ]; then
		test -d /usr/pkg && EXTRA_DIRS="${EXTRA_DIRS} /usr/pkg/bin /usr/pkg/sbin /usr/pkg/libexec"
	elif [ $MACOSX -eq 1 ]; then
		#
		# Cater for Fink (Mac OS X) additional software.
		#

		test -d /sw && EXTRA_DIRS="${EXTRA_DIRS} /sw/bin /sw/sbin"
	elif [ $IRIXOS -eq 1 ]; then
		test -d /usr/ucb && EXTRA_DIRS="${EXTRA_DIRS} /usr/ucb"
		test -d /usr/freeware && EXTRA_DIRS="${EXTRA_DIRS} /usr/freeware/bin /usr/freeware/sbin"
		test -d /usr/xpg4/bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/xpg4/bin"
	elif [ -f "/etc/GoboLinuxVersion" ]; then
		#
		# We have no other easy way of detecting GoboLinux.
		# It has a peculiar filesystem layout, so we need to
		# add in this little bit of support to help it work
		# with RKH.
		#

		test -d "/System/Links/Executables" && EXTRA_DIRS="${EXTRA_DIRS} /System/Links/Executables"
	fi


	#
	# Finally check if there are any optional
	# bin and sbin directories present.
	#

	test -d /opt && EXTRA_DIRS="${EXTRA_DIRS} /opt/bin /opt/sbin"
	test -d /usr/opt && EXTRA_DIRS="${EXTRA_DIRS} /usr/opt/bin /usr/opt/sbin"

	return
}


get_bindir_option() {

	#
	# First get the option from the command-line or the
	# configuration file, and do a simple check on whether
	# it is empty or a space.
	#

	LEAVE=0
	ERRCODE=0

	if [ $BINDIR_OPT -eq 1 ]; then
		BINPATHS=`echo "${BINPATHS}" | tr -d '"' | tr -d "'" | tr -s '	 ' '  '`

		if [ "${BINPATHS}" = " " ]; then
			LEAVE=1
			echo "Invalid '--bindir' option - no directory names given."
		fi
	else
		BINPATHS=`get_option space-list BINDIR` || exit $?

		if [ -z "${BINPATHS}" ]; then
			BINPATHS="${DFLT_BINPATHS}"

			#
			# Under some OS's /bin is a link to /usr/bin, so
			# there is no need to look in it.
			#

			if [ $SUNOS -eq 1 -o $IRIXOS -eq 1 -o "${OPERATING_SYSTEM}" = "AIX" ]; then
				if [ -h "/bin" ]; then
					RKHTMPVAR=""

					for DIR in ${BINPATHS}; do
						test "${DIR}" != "/bin" && RKHTMPVAR="${RKHTMPVAR} ${DIR}"
					done

					BINPATHS=`echo ${RKHTMPVAR}`
				fi
			fi

			add_extra_dirs
			BINPATHS="${BINPATHS}${EXTRA_DIRS}"
		fi
	fi


	#
	# The BINPATHS list is prepended with the root PATH. However,
	# any specified BINDIR directories beginning with a '+' will
	# be prepended before the root PATH.
	#
	# Once that has been done, we check that each directory begins
	# with a '/'. We remove any non-existent directories, but we do
	# not flag this as an error. We also remove any duplicate directories.
	#

	if [ $LEAVE -eq 0 ]; then
		RKHTMPVAR=""
		PREPEND_PATHS=""

		for DIR in ${BINPATHS}; do
			if [ -n "`echo ${DIR} | grep '^\+'`" ]; then
				DIR=`echo ${DIR} | cut -c2-`
				PREPEND_PATHS="${PREPEND_PATHS} ${DIR}"
			fi
		done

		PREPEND_PATHS=`echo ${PREPEND_PATHS}`


		for DIR in ${PREPEND_PATHS} ${RKHROOTPATH} ${BINPATHS}; do
			if [ -n "`echo ${DIR} | grep '^\+'`" ]; then
				# These will already be in PREPEND_PATHS.
				continue
			elif [ -z "`echo ${DIR} | grep '^/'`" ]; then
				LEAVE=1
				test $BINDIR_OPT -eq 1 && RKHTMPVAR2="'--bindir'" || RKHTMPVAR2="BINDIR configuration"
				echo "Invalid ${RKHTMPVAR2} option: Invalid directory found: ${DIR}"
			elif [ -e "${DIR}" ]; then
				if [ -d "${DIR}" ]; then
					test -h "${DIR}" && BINISLINK=1

					DIR=`echo "${DIR}" | tr -s '/' | sed -e 's:/$::'`

					if [ -z "`echo \" ${RKHTMPVAR} \" | grep \" ${DIR} \"`" ]; then
						RKHTMPVAR="${RKHTMPVAR} ${DIR}"
					fi
				else
					LEAVE=1
					test $BINDIR_OPT -eq 1 && RKHTMPVAR2="'--bindir'" || RKHTMPVAR2="BINDIR configuration"
					echo "Invalid ${RKHTMPVAR2} option: Not a directory: ${DIR}"
				fi
			fi
		done

		if [ $LEAVE -eq 0 ]; then
			BINPATHS=`echo ${RKHTMPVAR}`

			test $BINDIR_OPT -eq 1 && RKHTMPVAR="--bindir" || RKHTMPVAR="BINDIR"

			check_paths BINPATHS "${RKHTMPVAR}" "NOWILD"

			test $ERRCODE -eq 1 && LEAVE=1
		else
			# We need to set something for the remaining checks.
			BINPATHS="${DFLT_BINPATHS}"
		fi
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_scriptdir_option() {

	#
	# Get the value from the configuration file, and do a simple
	# check on whether it is empty or a space.
	#
	# Note: The installer will set this option. As such there
	# is no default.
	#

	LEAVE=0
	ERRCODE=0

	SCRIPT_PATH=`get_option single SCRIPTDIR` || exit $?

	check_paths SCRIPT_PATH SCRIPTDIR "NOWILD EXIST NOBROKENLINK"

	if [ $ERRCODE -eq 0 ]; then
		if [ -z "${SCRIPT_PATH}" ]; then
			LEAVE=1
			echo "The SCRIPTDIR configuration option has not been set by the installer."
		fi
	else
		LEAVE=1
	fi

	#
	# Now check that the given option is usable.
	#

	if [ $LEAVE -eq 1 ]; then
		:
	elif [ ! -r "${SCRIPT_PATH}" ]; then
		LEAVE=1
		echo "Script directory is not readable: ${SCRIPT_PATH}"
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


find_cmd() {

	#
	# This function performs a search of the BINPATHS directories
	# looking for the requested command. The full pathname is
	# returned if the command is found.
	#
	# If a full pathname is provided then we simply check that
	# it is executable.
	#

	CMD=$1

	test -z "${CMD}" && return

	if [ -n "`echo ${CMD} | grep '/'`" ]; then
		test -f "${CMD}" -a -x "${CMD}" && echo "${CMD}"
	else
		for CMDDIR in ${BINPATHS}; do
			if [ -f "${CMDDIR}/${CMD}" -a -x "${CMDDIR}/${CMD}" ]; then
				echo "${CMDDIR}/${CMD}"
				return
			fi
		done
	fi

	return
}


get_rootdir_option() {

	RKHTMPVAR=`get_option single ROOTDIR` || exit $?

	if [ -n "${RKHTMPVAR}" ]; then
		echo "The ROOTDIR configuration option is now deprecated."
	fi

	return
}


get_existwl_option() {

	#
	# This function gets the configuration option used to whitelist
	# files and directories from existing on the system. That is, they
	# may or may not exist at the time of checking, but either way it
	# will not cause an error.
	#
	# This option must be processed before other options because it will
	# be used to whitelist some subsequent configuration option pathnames.
	#

	LEAVE=0
	ERRCODE=0

	EXISTWL_OPT=`get_option newline-list EXISTWHITELIST` || exit $?

	if [ -n "${EXISTWL_OPT}" ]; then
		EXISTWHITELIST=`expand_paths EXISTWL_OPT`

		check_paths EXISTWHITELIST EXISTWHITELIST

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_mailonwarn_option() {

	#
	# Get the option from the configuration file. If it is set,
	# then we get the MAIL_CMD option as well.
	#

	LEAVE=0
	ERRCODE=0

	MAILONWARNING=`get_option space-list MAIL-ON-WARNING` || exit $?

	if [ -n "${MAILONWARNING}" ]; then
		MAILONWARNING=`echo ${MAILONWARNING}`

		#
		# If an email address is configured, then we need
		# to check the email command option as well.
		#

		MAIL_CMD=`get_option single MAIL_CMD` || exit $?

		test -z "${MAIL_CMD}" && MAIL_CMD="mail -s \"[rkhunter] Warnings found for \${HOST_NAME}\""

		MCMD=`echo "${MAIL_CMD}" | cut -d' ' -f1`

		check_paths MCMD MAIL_CMD "NOWILD EXIST NOBROKENLINK"

		if [ $ERRCODE -eq 0 ]; then
			#
			# Check that the mail command is executable.
			#

			MC=`find_cmd ${MCMD}`

			if [ -n "${MC}" ]; then
				#
				# We rebuild the command to use the full pathname.
				#

				MCMD=`echo "${MAIL_CMD}" | cut -d' ' -f2-`

				if [ -z "${MCMD}" -o "${MCMD}" = "${MAIL_CMD}" ]; then
					MAIL_CMD=$MC
				else
					MAIL_CMD="${MC} ${MCMD}"
				fi
			else
				LEAVE=1
				echo "Invalid MAIL_CMD configuration option: command is non-existent or not executable: ${MCMD}"
			fi
		else
			LEAVE=1
		fi
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_webcmd_option() {

	#
	# Get the option from the configuration file. If it is set,
	# then we set the RKHWEBCMD_OPTS option as well if necessary.
	#
	# For backwards compatability we will also check for WEBCMD.
	#

	LEAVE=0
	ERRCODE=0

	RKHWEBCMD=`get_option single WEB_CMD` || exit $?

	if [ -z "${RKHWEBCMD}" ]; then
		RKHWEBCMD=`get_option single WEBCMD` || exit $?
	fi

	if [ -n "${RKHWEBCMD}" ]; then
		WCMD=`echo "${RKHWEBCMD}" | cut -d' ' -f1`

		check_paths WCMD WEB_CMD "EXIST NOWILD NOBROKENLINK"

		if [ $ERRCODE -eq 0 ]; then
			#
			# Check that the command is executable.
			#

			WC=`find_cmd ${WCMD}`

			if [ -n "${WC}" ]; then
				#
				# We find if there any command options, and set
				# the command to use the full pathname.
				#

				RKHWEBCMD_OPTS=`echo "${RKHWEBCMD}" | cut -d' ' -f2-`

				test "${RKHWEBCMD_OPTS}" = "${RKHWEBCMD}" && RKHWEBCMD_OPTS=""

				RKHWEBCMD="${WC}"
				test -n "${BASENAME_CMD}" && RKHWEBCMD_BASE=`${BASENAME_CMD} "${WC}"` || RKHWEBCMD_BASE=`echo "${WC}" | sed -e 's:^.*/::'`
			else
				LEAVE=1
				echo "Invalid WEB_CMD configuration option: command is non-existent or not executable: ${WCMD}"
			fi
		else
			LEAVE=1
		fi
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_syslog_option() {

	#
	# First see if we want to use syslog or not from the command-line
	# or configuration file.
	#

	LEAVE=0
	ERRCODE=0

	if [ -n "${USE_SYSLOG}" ]; then
		USE_SYSLOG=`echo "${USE_SYSLOG}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${USE_SYSLOG}" ]; then
			LEAVE=1
			echo "Invalid '--syslog' option - no facility/priority names given."
		fi
	else
		USE_SYSLOG=`get_option single USE_SYSLOG` || exit $?
	fi


	#
	# If we are to use syslog, then get the facility and priority levels.
	# Additionally, test that they are valid.
	#

	if [ $LEAVE -eq 0 ]; then
		if [ -n "${USE_SYSLOG}" ]; then
			USE_SYSLOG=`echo "${USE_SYSLOG}" | tr '[:upper:]' '[:lower:]'`

			if [ "${USE_SYSLOG}" = "none" ]; then
				# The value of 'none' will be processed later on.
				:
			elif [ -z "`echo \"${USE_SYSLOG}\" | grep '^[a-z][a-z0-7]*\.[a-z][a-z]*$'`" ]; then
				LEAVE=1
				echo "Invalid syslog facility/priority value: ${USE_SYSLOG}"
			fi

			if [ $LEAVE -eq 0 -a "${USE_SYSLOG}" != "none" ]; then
				FOUND=0

				SYSLOG_F=`echo "${USE_SYSLOG}" | cut -d. -f1`
				SYSLOG_P=`echo "${USE_SYSLOG}" | cut -d. -f2`

				for RKHTMPVAR in auth authpriv cron daemon kern user local0 local1 local2 local3 local4 local5 local6 local7; do
					if [ "${SYSLOG_F}" = "${RKHTMPVAR}" ]; then
						FOUND=1
						break
					fi
				done

				if [ $FOUND -eq 0 ]; then
					LEAVE=1
					echo "Invalid syslog facility name: ${SYSLOG_F}"
				fi

				FOUND=0

				for RKHTMPVAR in debug info notice warning err crit alert emerg; do
					if [ "${SYSLOG_P}" = "${RKHTMPVAR}" ]; then
						FOUND=1
						break
					fi
				done

				if [ $FOUND -eq 0 ]; then
					LEAVE=1
					echo "Invalid syslog priority name: ${SYSLOG_P}"
				fi
			fi
		fi
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_ssh_options() {

	#
	# We check some SSH options in this function. They can only
	# be set in the configuration file.
	#

	#
	# See if the ALLOW_SSH_ROOT_USER option is specified in the
	# configuration file. The value should match what has been set
	# in the SSH configuration file for the PermitRootLogin option.
	# As such it's value is not just zero or one.
	#

	LEAVE=0
	ERRCODE=0

	ALLOW_SSH_ROOT_USER=`get_option single ALLOW_SSH_ROOT_USER` || exit $?

	if [ -n "${ALLOW_SSH_ROOT_USER}" ]; then
		ALLOW_SSH_ROOT_USER=`echo "${ALLOW_SSH_ROOT_USER}" | tr '[:upper:]' '[:lower:]'`
	else
		#
		# By default SSH tends to allow root access. However, we
		# do not. By setting this option to 'no', the user will
		# receive a warning unless they set the options the same.
		#

		ALLOW_SSH_ROOT_USER="no"
	fi


	#
	# See if the ALLOW_SSH_PROT_V1 option is specified in the
	# configuration file.
	#

	ALLOW_SSH_PROT_V1=`get_option single ALLOW_SSH_PROT_V1` || exit $?

	if [ -n "${ALLOW_SSH_PROT_V1}" ]; then
		check_is_digit ALLOW_SSH_PROT_V1 ALLOW_SSH_PROT_V1 2

		test $ERRCODE -eq 1 && LEAVE=1
	else
		ALLOW_SSH_PROT_V1=0
	fi


	#
	# See if the directory of the SSH configuration file has been set.
	#

	SSH_CONFIG_DIR=`get_option single SSH_CONFIG_DIR` || exit $?

	if [ -n "${SSH_CONFIG_DIR}" ]; then
		check_paths SSH_CONFIG_DIR SSH_CONFIG_DIR "EXIST NOWILD NOBROKENLINK"

		if [ $ERRCODE -eq 0 ]; then
			if [ ! -r "${SSH_CONFIG_DIR}" ]; then
				LEAVE=1
				echo "The SSH configuration file directory is not readable: ${SSH_CONFIG_DIR}"
			fi
		else
			LEAVE=1
		fi
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_syslog_config_options() {

	#
	# We check some syslog configuration options in this function.
	# They can only be set in the configuration file.
	#

	#
	# See if the ALLOW_SYSLOG_REMOTE_LOGGING option is specified
	# in the configuration file.
	#

	LEAVE=0
	ERRCODE=0

	ALLOW_SYSLOG_REMOTE_LOGGING=`get_option single ALLOW_SYSLOG_REMOTE_LOGGING` || exit $?

	if [ -n "${ALLOW_SYSLOG_REMOTE_LOGGING}" ]; then
		check_is_digit ALLOW_SYSLOG_REMOTE_LOGGING

		test $ERRCODE -eq 1 && LEAVE=1
	else
		ALLOW_SYSLOG_REMOTE_LOGGING=0
	fi


	#
	# See if the pathname to the syslog configuration file has been set.
	#

	SYSLOG_CONFIG_FILE=`get_option space-list SYSLOG_CONFIG_FILE` || exit $?

	if [ -n "${SYSLOG_CONFIG_FILE}" ]; then
		if [ -n "`echo \"${SYSLOG_CONFIG_FILE}\" | grep -i '^none$'`" ]; then
			SYSLOG_CONFIG_FILE="NONE"
		else
			check_paths SYSLOG_CONFIG_FILE SYSLOG_CONFIG_FILE "EXIST NOWILD NOBROKENLINK"

			test $ERRCODE -eq 1 && LEAVE=1
		fi
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_auto_x_option() {

	#
	# For the second colour set we first see if the auto X detect option
	# has been set. If it is set, and X is in use, then the second colour
	# set is used. If X is not in use, or the auto detect option is not
	# set, then we only use the second colour set if the command-line
	# option is used or it is configured in the configuration file.
	#

	LEAVE=0
	ERRCODE=0

	if [ $AUTO_X_OPT -eq 0 ]; then
		AUTO_X_DTCT=`get_option single AUTO_X_DETECT` || exit $?

		if [ -n "${AUTO_X_DTCT}" ]; then
			check_is_digit AUTO_X_DTCT AUTO_X_DETECT

			test $ERRCODE -eq 1 && LEAVE=1
		else
			AUTO_X_DTCT=0
		fi
	fi


	if [ $AUTO_X_DTCT -eq 1 -a -n "$DISPLAY" ]; then
		CLRSET2=1
	fi


	if [ $CLRSET2 -eq 0 ]; then
		CLRSET2=`get_option single COLOR_SET2` || exit $?

		if [ -n "${CLRSET2}" ]; then
			check_is_digit CLRSET2 COLOR_SET2

			test $ERRCODE -eq 1 && LEAVE=1
		else
			CLRSET2=0
		fi
	fi


	#
	# Finally, we get the option to see if whitelisted
	# results are to be shown as white rather than green.
	#

	WLIST_IS_WHITE=`get_option single WHITELISTED_IS_WHITE` || exit $?

	if [ -n "${WLIST_IS_WHITE}" ]; then
		check_is_digit WLIST_IS_WHITE WHITELISTED_IS_WHITE

		test $ERRCODE -eq 1 && LEAVE=1
	else
		WLIST_IS_WHITE=0
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_locking_options() {

	#
	# This function gets the configuration options to see if locking
	# should be used when RKH is run. The mechanism for locking uses
	# a simple timer, and will display some basic messages while RKH
	# is trying to get the lock.
	#
	# All of these options can only be set in the configuration file.
	#

	LEAVE=0
	ERRCODE=0

	USE_LOCKING=`get_option single USE_LOCKING` || exit $?

	if [ -n "${USE_LOCKING}" ]; then
		check_is_digit USE_LOCKING

		test $ERRCODE -eq 1 && LEAVE=1
	else
		USE_LOCKING=0
	fi


	#
	# Now get the lock directory to use. If this is unset, then
	# we need to look for a suitable directory.
	#

	LOCKDIR=`get_option single LOCKDIR` || exit $?

	if [ -n "${LOCKDIR}" ]; then
		check_paths LOCKDIR LOCKDIR "NOWILD EXIST NOBROKENLINK"

		test $ERRCODE -eq 1 && LEAVE=1
	else
		PATHNAMES="/run/lock /var/lock /var/run/lock /run /var/run ${RKHTMPDIR}"

		for DIR in ${PATHNAMES}; do
			# Check for read/write capability before accepting a default directory.
			if [ -d "${DIR}" -a -w "${DIR}" -a -r "${DIR}" ]; then
				LOCKDIR="${DIR}"
				break
			fi
		done

		if [ -z "${LOCKDIR}" ]; then
			LEAVE=1
			echo "No suitable directory found for LOCKDIR configuration option."
			echo "Locking directories checked: ${PATHNAMES}"
		fi
	fi

	#
	# Check that the directory we have is usable.
	#

	if [ $LEAVE -eq 1 ]; then
		:
	elif [ ! -w "${LOCKDIR}" ]; then
		LEAVE=1
		echo "The LOCKDIR directory is not writable: `name2text \"${LOCKDIR}\"`"
	elif [ ! -r "${LOCKDIR}" ]; then
		LEAVE=1
		echo "The LOCKDIR directory is not readable: `name2text \"${LOCKDIR}\"`"
	fi


	#
	# Now get the lock timeout value. This must be a positive integer.
	# The default value is 300 seconds (5 minutes).
	#

	LOCK_TIMEOUT=`get_option single LOCK_TIMEOUT` || exit $?

	if [ -n "${LOCK_TIMEOUT}" ]; then
		check_is_digit LOCK_TIMEOUT LOCK_TIMEOUT ANY1

		test $ERRCODE -eq 1 && LEAVE=1
	else
		LOCK_TIMEOUT=300
	fi


	#
	# Finally, we get the option to see if any lock messages should
	# be shown or not. If the user has used the '--quiet' option,
	# then we cannot display the lock messages. Otherwise, these are
	# only shown on the screen, and not logged anywhere. The default
	# is to show the messages.
	#

	if [ $QUIET -eq 0 ]; then
		SHOW_LOCK_MSGS=`get_option single SHOW_LOCK_MSGS` || exit $?

		if [ -n "${SHOW_LOCK_MSGS}" ]; then
			check_is_digit SHOW_LOCK_MSGS

			test $ERRCODE -eq 1 && LEAVE=1
		else
			SHOW_LOCK_MSGS=1
		fi
	else
		SHOW_LOCK_MSGS=0
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_scanmode_option() {

	#
	# This function gets the SCANROOTKITMODE configuration option.
	#

	LEAVE=0
	ERRCODE=0

	SCANROOTKITMODE=`get_option single SCANROOTKITMODE` || exit $?

	if [ -n "${SCANROOTKITMODE}" ]; then
		SCANROOTKITMODE=`echo "${SCANROOTKITMODE}" | tr '[:lower:]' '[:upper:]'`

		if [ "${SCANROOTKITMODE}" != "THOROUGH" ]; then
			LEAVE=1

			echo "Invalid SCANROOTKITMODE configuration option: ${SCANROOTKITMODE}"
		fi
	else
		SCANROOTKITMODE=""
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_shell_options() {

	#
	# This function gets any specific shell configuration options.
	#

	LEAVE=0
	ERRCODE=0

	#
	# This option will set the shell's globstar option.
	#

	GLOBSTAR=`get_option single GLOBSTAR` || exit $?

	if [ -n "${GLOBSTAR}" ]; then
		check_is_digit GLOBSTAR

		test $ERRCODE -eq 1 && LEAVE=1
	else
		GLOBSTAR=0
	fi

	#
	# To ensure that any further options which may include wildcarded paths
	# are handled correctly, we need to set the 'globstar' option immediately.
	#

	if [ $GLOBSTAR -eq 1 ]; then
		if [ "${MYSHELL}" = "ksh" ]; then
			set -o globstar
		else
			shopt -s globstar
		fi
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


sort_test_lists() {

	#
	# This function is used to sort the list of test names for
	# enabled and disabled tests. The first parameter determines
	# which list is to be sorted:
	#
	#	1: enabled tests
	#	2: disabled tests
	#

	RKHTMPVAR=$1

	test $RKHTMPVAR -eq 1 && ENABLE_TESTS=`echo ${ENABLE_TESTS} | tr ' ' '\n' | sort | uniq`
	test $RKHTMPVAR -eq 2 && DISABLE_TESTS=`echo ${DISABLE_TESTS} | tr ' ' '\n' | sort | uniq`

	ENABLE_TESTS=`echo ${ENABLE_TESTS}`
	DISABLE_TESTS=`echo ${DISABLE_TESTS}`


	#
	# Finally, test to see if the current lists are the same.
	#

	if [ "${ENABLE_TESTS}" = "${DISABLE_TESTS}" ]; then
		test $ENDIS_OPT -eq 0 && RKHTMPVAR=" configured" || RKHTMPVAR=""
		echo "The${RKHTMPVAR} enabled and disabled tests are the same."

		if [ $ENDIS_OPT -eq 1 -o $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


check_test_options() {

	#
	# This function is called after we have obtained the enabled and
	# disabled test names. It will check that the test names are valid,
	# and remove any enabled test names from the disabled list.
	#

	#
	# First we loop through the enabled and disabled test names, and see
	# if the special names of 'all' or 'none' are used. If so, then these
	# will either override all the other test names in the list, or be an
	# error. We also look for any invalid test names.
	#

	SEEN=0
	LEAVE=0

	RKHTMPVAR=" `echo ${KNOWN_TESTS}` "

	for TEST_NAME in ${ENABLE_TESTS}; do
		if [ "${TEST_NAME}" = "all" ]; then
			SEEN=1
		elif [ "${TEST_NAME}" = "none" ]; then
			if [ $ENABLE_OPT -eq 1 ]; then
				LEAVE=1
				echo "'none' cannot be used in the enabled test list."
			else
				LEAVE=1
				echo "'none' cannot be used in the configured enabled test list."
			fi
		elif [ -z "`echo \"${RKHTMPVAR}\" | grep \" ${TEST_NAME} \"`" ]; then
			LEAVE=1
			echo "Unknown enabled test name given: ${TEST_NAME}"
		fi
	done

	test $SEEN -eq 1 && ENABLE_TESTS="all"


	#
	# For the disabled tests we need to loop through the
	# command-line and configuration file test names separately.
	#

	SEEN=0

	for TEST_NAME in ${CL_DISABLE_TESTS}; do
		if [ "${TEST_NAME}" = "none" ]; then
			SEEN=1
		elif [ "${TEST_NAME}" = "all" ]; then
			LEAVE=1
			echo "'all' cannot be used in the disabled test list."
		elif [ -z "`echo \"${RKHTMPVAR}\" | grep \" ${TEST_NAME} \"`" ]; then
			LEAVE=1
			echo "Unknown disabled test name given: ${TEST_NAME}"
		fi
	done

	if [ $USECF -eq 1 ]; then
		for TEST_NAME in ${CONFIG_DISABLE_TESTS}; do
			if [ "${TEST_NAME}" = "none" ]; then
				SEEN=1
			elif [ "${TEST_NAME}" = "all" ]; then
				LEAVE=1
				echo "'all' cannot be used in the configured disabled test list."
			elif [ -z "`echo \"${RKHTMPVAR}\" | grep \" ${TEST_NAME} \"`" ]; then
				LEAVE=1
				echo "Unknown disabled test name in the configuration file: ${TEST_NAME}"
			fi
		done
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
			return
		fi
	fi


	test $SEEN -eq 1 && DISABLE_TESTS="none"

	#
	# If we are to run all the tests, then we use whatever
	# disabled tests the user has given us.
	#

	test "${ENABLE_TESTS}" = "all" && return


	#
	# Now we can loop through the command-line enabled specific test names,
	# and remove them from the disabled list. We need to do this otherwise
	# the tests would not run. We don't bother to do this for the configuration
	# file enabled tests because we assume the user has already checked this.
	#

	if [ $ENABLE_OPT -eq 1 -a "${DISABLE_TESTS}" != "none" ]; then
		#
		# First get a list of just the group test names.
		#

		GROUP_TEST_NAMES=""

		for RKHTMPVAR in ${GROUPED_TESTS}; do
			GROUP_TEST_NAMES="${GROUP_TEST_NAMES} `echo "${RKHTMPVAR}" | cut -d: -f1`"
		done

		GROUP_TEST_NAMES=" `echo ${GROUP_TEST_NAMES}` "


		#
		# Now loop through the specific test names.
		#

		DISABLE_TESTS=" ${DISABLE_TESTS} "

		for TEST_NAME in ${ENABLE_TESTS}; do
			if [ -z "`echo \"${GROUP_TEST_NAMES}\" | grep \" ${TEST_NAME} \"`" ]; then
				if [ -n "`echo \"${DISABLE_TESTS}\" | grep \" ${TEST_NAME} \"`" ]; then
					DISABLE_TESTS=`echo "${DISABLE_TESTS}" | sed -e "s/ ${TEST_NAME} / /"`
				fi
			fi
		done

		DISABLE_TESTS=`echo ${DISABLE_TESTS}`

		if [ -z "${DISABLE_TESTS}" ]; then
			DISABLE_TESTS="none"
		else
			sort_test_lists 2
		fi
	fi


	#
	# Next we expand the enabled test group names. This will leave us
	# with a list of specific test names, and their associated group test
	# names. We also need to check if a given test name is part of a
	# group. If it is, then we must add the group name.
	#

	for TEST_NAME in ${ENABLE_TESTS}; do
		for RKHTMPVAR in ${GROUPED_TESTS}; do
			GROUP_NAME=`echo "${RKHTMPVAR}" | cut -d: -f1`

			if [ -n "`echo \"${RKHTMPVAR}\" | grep ':'`" ]; then
				GROUP_TESTS=`echo "${RKHTMPVAR}" | cut -d: -f2-`
			else
				GROUP_TESTS=""
			fi

			if [ "${TEST_NAME}" = "${GROUP_NAME}" ]; then
				ENABLE_TESTS="${ENABLE_TESTS} `echo \"${GROUP_TESTS}\" | tr ':' ' '`"
				break
			elif [ -z "${GROUP_TESTS}" ]; then
				continue
			elif [ -n "`echo \":${GROUP_TESTS}:\" | grep \":${TEST_NAME}:\"`" ]; then
				ENABLE_TESTS="${ENABLE_TESTS} ${GROUP_NAME}"
			fi
		done
	done

	ENABLE_TESTS=`echo ${ENABLE_TESTS}`

	sort_test_lists 1


	#
	# Finally, we temporarily expand the disabled test names and temporarily
	# remove any matching names from the enabled test list. Although these
	# tests would never run, we need to do this in order to see if the user
	# has given us an invalid list of tests.
	#

	if [ "${DISABLE_TESTS}" != "none" ]; then
		TEMP_EN_TESTS="${ENABLE_TESTS}"
		TEMP_DIS_TESTS="${DISABLE_TESTS}"

		for TEST_NAME in ${TEMP_DIS_TESTS}; do
			for RKHTMPVAR in ${GROUPED_TESTS}; do
				GROUP_NAME=`echo "${RKHTMPVAR}" | cut -d: -f1`

				if [ -n "`echo \"${RKHTMPVAR}\" | grep ':'`" ]; then
					GROUP_TESTS=`echo "${RKHTMPVAR}" | cut -d: -f2-`
				else
					GROUP_TESTS=""
				fi

				if [ "${TEST_NAME}" = "${GROUP_NAME}" ]; then
					TEMP_DIS_TESTS="${TEMP_DIS_TESTS} `echo \"${GROUP_TESTS}\" | tr ':' ' '`"
					break
				elif [ -z "${GROUP_TESTS}" ]; then
					continue
				elif [ -n "`echo \":${GROUP_TESTS}:\" | grep \":${TEST_NAME}:\"`" ]; then
					TEMP_DIS_TESTS="${TEMP_DIS_TESTS} ${GROUP_NAME}"
				fi
			done
		done

		TEMP_DIS_TESTS=" `echo ${TEMP_DIS_TESTS}` "


		#
		# Now loop through the enabled tests and remove any matches.
		#

		for TEST_NAME in ${TEMP_EN_TESTS}; do
			if [ -n "`echo \"${TEMP_DIS_TESTS}\" | grep \" ${TEST_NAME} \"`" ]; then
				TEMP_EN_TESTS=`echo " ${TEMP_EN_TESTS} " | sed -e "s/ ${TEST_NAME} / /"`
			fi
		done

		TEMP_EN_TESTS=`echo ${TEMP_EN_TESTS}`

		if [ -z "${TEMP_EN_TESTS}" ]; then
			LEAVE=0

			if [ $ENABLE_OPT -eq 1 ]; then
				LEAVE=1
				echo "Invalid enabled test list - no tests to run."
			else
				LEAVE=1
				echo "Invalid configured enabled test list - no tests to run."
			fi

			if [ $LEAVE -eq 1 ]; then
				if [ $CONFIG_CHECK -eq 0 ]; then
					exit 1
				else
					RET_CODE=1
				fi
			fi
		fi
	fi

	return
}


get_enable_option() {

	#
	# This function gets the enabled test names from the command-line
	# or the configuration file as required. The test names will be
	# checked later on. By default all tests are enabled.
	#

	#
	# Get the command-line test names. These override
	# the configuration file enabled test names.
	#

	LEAVE=0
	ERRCODE=0

	if [ $ENABLE_OPT -eq 1 ]; then
		ENABLE_TESTS=`make_space_list "${CL_ENABLE_TESTS}"`
		ENABLE_TESTS=`echo ${ENABLE_TESTS}`

		if [ -z "${ENABLE_TESTS}" ]; then
			LEAVE=1
			echo "Invalid '--enable' option - no test names given."
		fi


		#
		# We do a simple test here to see if just one test was enabled.
		# If it was then we skip the key press feature since it is most
		# likely that the user doesn't want that. The test name cannot be
		# 'all'.
		#

		if [ "${ENABLE_TESTS}" != "all" -a -z "`echo \"${ENABLE_TESTS}\" | grep ' '`" ]; then
			SKIP_KEY_PRESS=1
		fi
	else
		#
		# We get the configuration file entries by default.
		#

		ENABLE_TESTS=`get_option space-list ENABLE_TESTS` || exit $?

		if [ -n "${ENABLE_TESTS}" ]; then
			ENABLE_TESTS=`make_space_list "${ENABLE_TESTS}"`
			ENABLE_TESTS=`echo ${ENABLE_TESTS}`

			if [ -n "${ENABLE_TESTS}" ]; then
				ENABLE_TESTS=`echo "${ENABLE_TESTS}" | tr '[:upper:]' '[:lower:]'`
			else
				# The system default.
				ENABLE_TESTS="all"
			fi
		else
			# The system default.
			ENABLE_TESTS="all"
		fi
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_disable_option() {

	#
	# This function gets the disabled test names from the command-line
	# and the configuration file if required. The test names will be
	# checked later on. By default no tests are disabled.
	#
	# Note: disabled tests are always compared against the list
	# of enabled tests. Hence, if we used
	#      'rkhunter -c --enable system_commands --disable apps'
	# then only the system command tests are run. Any other test is
	# not run because it is not in the '--enable' list. As such
	# the '--disable' option in the example above is not necessary.
	#

	#
	# Get the command-line test names.
	#

	LEAVE=0

	if [ -n "${CL_DISABLE_TESTS}" ]; then
		CL_DISABLE_TESTS=`make_space_list "${CL_DISABLE_TESTS}"`
		CL_DISABLE_TESTS=`echo ${CL_DISABLE_TESTS}`

		if [ -z "${CL_DISABLE_TESTS}" ]; then
			LEAVE=1
			echo "Invalid '--disable' option - no test names given."
		fi
	fi

	#
	# Get the configuration file test names
	# unless specifically requested not to do so.
	#

	if [ $USECF -eq 1 ]; then
		CONFIG_DISABLE_TESTS=`get_option space-list DISABLE_TESTS` || exit $?

		if [ -n "${CONFIG_DISABLE_TESTS}" ]; then
			CONFIG_DISABLE_TESTS=`make_space_list "${CONFIG_DISABLE_TESTS}"`
			CONFIG_DISABLE_TESTS=`echo ${CONFIG_DISABLE_TESTS}`

			if [ -n "${CONFIG_DISABLE_TESTS}" ]; then
				CONFIG_DISABLE_TESTS=`echo ${CONFIG_DISABLE_TESTS} | tr '[:upper:]' '[:lower:]'`
			fi
		fi
	fi


	if [ $LEAVE -eq 0 ]; then
		DISABLE_TESTS="${CL_DISABLE_TESTS} ${CONFIG_DISABLE_TESTS}"
		DISABLE_TESTS=`echo ${DISABLE_TESTS}`

		if [ -z "${DISABLE_TESTS}" ]; then
			# The system default.
			DISABLE_TESTS="none"
		fi
	else
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_xinetd_option() {

	#
	# This function obtains the inetd and xinetd configuration
	# file pathnames from the config file. It also get the
	# whitelisted services.
	#

	LEAVE=0
	ERRCODE=0

	FNAME=`get_option single INETD_CONF_PATH` || exit $?

	if [ -n "${FNAME}" ]; then
		check_paths FNAME INETD_CONF_PATH "NOWILD EXIST NOBROKENLINK"

		if [ $ERRCODE -eq 0 ]; then
			INETD_CONF_PATH="${FNAME}"
		else
			LEAVE=1
		fi
	fi

	INETDALLOWEDSVCS=`get_option space-list INETD_ALLOWED_SVC` || exit $?


	#
	# Now do the same for xinetd.
	#

	FNAME=`get_option single XINETD_CONF_PATH` || exit $?

	if [ -n "${FNAME}" ]; then
		check_paths FNAME XINETD_CONF_PATH "EXIST NOWILD NOBROKENLINK"

		if [ $ERRCODE -eq 0 ]; then
			XINETD_CONF_PATH="${FNAME}"
		else
			LEAVE=1
		fi
	fi

	XINETDALLOWEDSVCS=`get_option space-list XINETD_ALLOWED_SVC` || exit $?


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_port_options() {

	#
	# This function will get the various PORT configuration options, and
	# build up PORT_WHITELIST as a newline-separated list.
	#
	# First get the PORT_WHITELIST option from the configuration file.
	#

	LEAVE=0
	ERRCODE=0

	PORT_WHITELIST=""

	RKHTMPVAR=`get_option space-list PORT_WHITELIST` || exit $?

	if [ -n "${RKHTMPVAR}" ]; then
		#
		# Loop through the list checking that it all looks okay.
		#

		for RKHTMPVAR2 in ${RKHTMPVAR}; do
			if [ -n "`echo \"${RKHTMPVAR2}\" | egrep -i '^(TCP|UDP):[1-9][0-9]*$'`" ]; then
				PROTO=`echo ${RKHTMPVAR2} | cut -d: -f1 | tr '[:lower:]' '[:upper:]'`
				PORT=`echo ${RKHTMPVAR2} | cut -d: -f2`

				if [ $PORT -gt 65535 ]; then
					LEAVE=1
					echo "Invalid PORT_WHITELIST configuration option - invalid port specified: `name2text \"${RKHTMPVAR2}\"`"
				fi

				PORT_WHITELIST="${PORT_WHITELIST}
${PROTO}:${PORT}"
			elif [ "${RKHTMPVAR2}" = "*" ]; then
				if [ -n "${LSOF_CMD}" ]; then
					PORT_WHITELIST_ALL_TRUSTED=1
				else
					LEAVE=1
					echo "Invalid PORT_WHITELIST configuration option - '*' requires the 'lsof' command."
				fi
			else
				LEAVE=1
				echo "Invalid entry specified in PORT_WHITELIST configuration option: `name2text \"${RKHTMPVAR2}\"`"
			fi
		done
	fi


	#
	# Now get the PORT_PATH_WHITELIST option from the configuration file.
	#

	RKHTMPVAR=`get_option newline-list PORT_PATH_WHITELIST` || exit $?

	if [ -z "${LSOF_CMD}" ]; then
		if [ -n "${RKHTMPVAR}" ]; then
			LEAVE=1
			echo "Invalid PORT_PATH_WHITELIST configuration option - the 'lsof' command is required."
		fi
	elif [ -n "${RKHTMPVAR}" ]; then
		#
		# Loop through the list checking that it all looks okay.
		#

		IFS=$IFSNL

		for RKHTMPVAR2 in ${RKHTMPVAR}; do
			if [ -n "`echo \"${RKHTMPVAR2}\" | grep '^/'`" ]; then
				PORT=0
				FNAME=""
				PROTO=""

				# Dig out the protocol and port number, if present.
				if [ -n "`echo \"${RKHTMPVAR2}\" | egrep -i '.:(TCP|UDP):[1-9][0-9]*$'`" ]; then
					PROTO=`echo "${RKHTMPVAR2}" | sed -e 's/^.*:\([a-zA-Z]*\):[1-9][0-9]*$/\1/'`
					PORT=`echo "${RKHTMPVAR2}" | sed -e 's/^.*:\([1-9][0-9]*\)$/\1/'`

					if [ $PORT -gt 65535 ]; then
						LEAVE=1
						echo "Invalid PORT_PATH_WHITELIST configuration option - invalid port specified: `name2text \"${RKHTMPVAR2}\"`"
					fi

					PROTO=`echo ${PROTO} | tr '[:lower:]' '[:upper:]'`
				fi

				# Dig out the pathname.
				if [ $PORT -gt 0 ]; then
					FNAME=`echo "${RKHTMPVAR2}" | sed -e 's/^\(.*\):[a-zA-Z]*:[1-9][0-9]*$/\1/'`
				else
					FNAME="${RKHTMPVAR2}"
				fi

				IFS=$RKHIFS
				check_paths FNAME PORT_PATH_WHITELIST "EXIST NOWILD NOBROKENLINK"
				IFS=$IFSNL

				if [ $ERRCODE -eq 1 ]; then
					LEAVE=1
				else
					if [ $PORT -gt 0 ]; then
						PORT_WHITELIST="${PORT_WHITELIST}
${FNAME}:${PROTO}:${PORT}"
					else
						PORT_WHITELIST="${PORT_WHITELIST}
${FNAME}"
					fi
				fi
			else
				LEAVE=1
				echo "Invalid entry specified in PORT_PATH_WHITELIST configuration option: `name2text \"${RKHTMPVAR2}\"`"
			fi
		done

		IFS=$RKHIFS
	fi

	if [ -n "${PORT_WHITELIST}" ]; then
		PORT_WHITELIST=`echo "${PORT_WHITELIST}" | sed -e '/^$/d'`
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_groups_accounts_options() {

	#
	# Get the location of the password/shadow file. We also cater
	# for cases such as BSD systems and users of TCB shadow files.
	# If the shadow file itself does not exist, then we look in
	# the password file itself to see if it contains the passwords.
	#

	LEAVE=0
	ERRCODE=0

	SHADOW_FILE=`get_option single PASSWORD_FILE` || exit $?

	if [ -n "${SHADOW_FILE}" ]; then
		check_paths SHADOW_FILE PASSWORD_FILE "EXIST NOWILD NOBROKENLINK"

		if [ $ERRCODE -eq 0 ]; then
			if [ -s "${SHADOW_FILE}" ]; then
				SHADOW_FILE="${SHADOW_FILE}"
			else
				SHADOW_FILE=""
			fi
		else
			LEAVE=1
		fi
	elif [ -s "/etc/shadow" ]; then
		SHADOW_FILE="/etc/shadow"
	elif [ \( $BSDOS -eq 1 -o $MACOSX -eq 1 \) -a -s "/etc/master.passwd" ]; then
		SHADOW_FILE="/etc/master.passwd"
	elif [ -f "/etc/tcb/root/shadow" ]; then
		HAVE_TCB_SHADOW=1
	elif [ -s "/etc/passwd" ]; then
		#
		# If the passwords are stored in the passwd file, then
		# it should contain at least 3 non-colon characters in the
		# second field. Checking for 3 characters allows for normal
		# shadow entries such as 'x', '!!' or '*'. It is assumed
		# that at least one account will have a password.
		#

		if [ -n "`grep '^[^:]*:[^:][^:][^:]' /etc/passwd`" ]; then
			SHADOW_FILE="/etc/passwd"
		fi
	fi


	#
	# Now get the passwordless account whitelist option.
	#

	PWD_WHITELIST=`get_option space-list PWDLESS_ACCOUNTS` || exit $?

	test -n "${PWD_WHITELIST}" && PWD_WHITELIST=" `echo ${PWD_WHITELIST}` "


	#
	# Next get any root-equivalent whitelisted account names.
	#

	UID0_WHITELIST=`get_option space-list UID0_ACCOUNTS` || exit $?

	# By default we allow the root account.
	UID0_WHITELIST=" root `echo ${UID0_WHITELIST}` "


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


test_epoch_cmd() {

	#
	# This function simply checks if the supplied command
	# can process epoch second times. We do this by using
	# the '%s' formatting option, and the 'seconds ago'
	# time format. If the command understands both of these
	# then we can use it for the epoch date.
	#

	RKHTMPVAR=$1

	if [ -n "`${RKHTMPVAR} --date '5 seconds ago' '+%s' 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
		EPOCH_DATE_CMD="${RKHTMPVAR}"
	fi

	return
}


get_epoch_date_cmd_option() {

	#
	# Get the option from the configuration file, or work out
	# if the 'date' command is suitable.
	#

	LEAVE=0
	ERRCODE=0

	EPOCH_DATE_CMD=`get_option single EPOCH_DATE_CMD` || exit $?

	#
	# Check the type of config file option we have. They user may have
	# specified a command to use or 'NONE', in which case we return.
	# If they specified 'PERL' then check we have a 'perl' command,
	# and then return.
	#

	if [ "${EPOCH_DATE_CMD}" = "PERL" ]; then
		EPOCH_DATE_CMD=""
		test -z "${PERL_CMD}" && EPOCH_DATE_CMD="NONE"
		return
	elif [ "${EPOCH_DATE_CMD}" = "NONE" ]; then
		return
	elif [ -n "${EPOCH_DATE_CMD}" ]; then
		RKHTMPVAR=`echo "${EPOCH_DATE_CMD}" | cut -d' ' -f1`

		check_paths RKHTMPVAR EPOCH_DATE_CMD "EXIST NOWILD NOBROKENLINK"

		#
		# Check that the command exists and is executable.
		#

		if [ $ERRCODE -eq 0 ]; then
			FNAME=`find_cmd ${RKHTMPVAR}`

			if [ -n "${FNAME}" ]; then
				RKHTMPVAR2=`echo "${EPOCH_DATE_CMD}" | cut -d' ' -f2-`

				if [ -z "${RKHTMPVAR2}" -o "${RKHTMPVAR2}" = "${EPOCH_DATE_CMD}" ]; then
					EPOCH_DATE_CMD="${FNAME}"
				else
					EPOCH_DATE_CMD="${FNAME} ${RKHTMPVAR2}"
				fi
			else
				EPOCH_DATE_CMD="NONE"
			fi
		else
			LEAVE=1
		fi
	fi


	if [ $LEAVE -eq 0 ]; then
		#
		# Now we test if the 'date' command supports processing epoch seconds.
		#

		test_epoch_cmd "date"

		test -n "${EPOCH_DATE_CMD}" && return


		#
		# For SunOS systems we need to check some other 'date' commands.
		#

		if [ $SUNOS -eq 1 ]; then
			for RKHTMPVAR2 in `find_cmd gdate` /opt/sfw/bin/date; do
				test_epoch_cmd "${RKHTMPVAR2}"
				test -n "${EPOCH_DATE_CMD}" && break
			done
		fi
	else
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_phalanx2_option() {

	#
	# This is a specific function to get the PHALANX2_DIRTEST
	# option. It must be a digit, and can only be tested for
	# on Linux systems.
	#

	test $LINUXOS -eq 0 && return

	LEAVE=0
	ERRCODE=0

	ROOTKIT_PHALANX2_DIRTESTVAL=`get_option single PHALANX2_DIRTEST` || exit $?

	if [ -n "${ROOTKIT_PHALANX2_DIRTESTVAL}" ]; then
		check_is_digit ROOTKIT_PHALANX2_DIRTESTVAL

		test $ERRCODE -eq 1 && LEAVE=1
	else
		ROOTKIT_PHALANX2_DIRTESTVAL=0
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_dev_options() {

	#
	# This function processes the ALLOWDEVFILE option which is
	# used to whitelist files allowed in the '/dev' directory.
	#

	LEAVE=0
	ERRCODE=0

	ALLOWDEVFILES=""

	ALLOWDEVFILE_OPT=`get_option newline-list ALLOWDEVFILE` || exit $?

	if [ -n "${ALLOWDEVFILE_OPT}" ]; then
		# Note that we do not get the expanded list of pathnames at
		# this point. That will be done when the test actually runs.

		ALLOWDEVFILES=${ALLOWDEVFILE_OPT}

		check_paths ALLOWDEVFILES ALLOWDEVFILE

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_hidden_options() {

	#
	# This function processes the ALLOWHIDDENFILE and ALLOWHIDDENDIR
	# options which are used to whitelist hidden files and directories.
	#

	LEAVE=0
	ERRCODE=0

	ALLOWHIDDENFILES=""

	ALLOWHIDDENFILE_OPT=`get_option newline-list ALLOWHIDDENFILE` || exit $?

	if [ -n "${ALLOWHIDDENFILE_OPT}" ]; then
		# Note that we do not get the expanded list of pathnames at
		# this point. That will be done when the test actually runs.

		ALLOWHIDDENFILES=${ALLOWHIDDENFILE_OPT}

		check_paths ALLOWHIDDENFILES ALLOWHIDDENFILE

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	ALLOWHIDDENDIRS=""

	ALLOWHIDDENDIR_OPT=`get_option newline-list ALLOWHIDDENDIR` || exit $?

	if [ -n "${ALLOWHIDDENDIR_OPT}" ]; then
		ALLOWHIDDENDIRS=${ALLOWHIDDENDIR_OPT}

		check_paths ALLOWHIDDENDIRS ALLOWHIDDENDIR

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_missing_file_options() {

	#
	# This function processes the options used to detect missing or
	# empty files. Note that we do not use the 'EXIST' option for
	# 'check_paths' despite the fact that the files should exist.
	# However, if they are missing then that is exactly what we want
	# the test to report.
	#

	LEAVE=0
	ERRCODE=0

	LOGFILE_MISSING=`get_option space-list MISSING_LOGFILES` || exit $?

	if [ -n "${LOGFILE_MISSING}" ]; then
		check_paths LOGFILE_MISSING MISSING_LOGFILES "NOWILD"

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	LOGFILE_EMPTY=`get_option space-list EMPTY_LOGFILES` || exit $?

	if [ -n "${LOGFILE_EMPTY}" ]; then
		check_paths LOGFILE_EMPTY EMPTY_LOGFILES "NOWILD"

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_unhide_options() {

	#
	# This function processes the configuration options used
	# by the unhide command in the 'hidden_procs' test.
	#

	LEAVE=0
	ERRCODE=0

	UNHIDE_TESTS=`get_option space-list UNHIDE_TESTS` || exit $?

	if [ -n "${UNHIDE_TESTS}" ]; then
		# We need to include a space to avoid the problem with hyphens.
		UNHIDE_TESTS=" `echo ${UNHIDE_TESTS}`"
	else
		UNHIDE_TESTS="sys"
	fi

	if [ -z "`echo \" ${UNHIDE_TESTS}\" | grep ' [a-zA-Z]'`" ]; then
		LEAVE=1
		echo "Invalid UNHIDE_TESTS configuration option - no tests specified: ${UNHIDE_TESTS}"
	fi


	UNHIDETCP_OPTS=""

	RKHTMPVAR=`get_option space-list UNHIDETCP_OPTS` || exit $?

	if [ -n "${RKHTMPVAR}" ]; then
		for RKHTMPVAR2 in ${RKHTMPVAR}; do
			#
			# For options we need to add a space to the variable
			# to avoid problems with the 'echo' command.
			#

			if [ -z "`echo \"${RKHTMPVAR2} \" | grep '^-'`" ]; then
				# Options must begin with a '-'.
				LEAVE=1
				echo "Invalid UNHIDETCP_OPTS configuration option - not a valid option: ${RKHTMPVAR}"
			elif [ "${RKHTMPVAR2}" = "-V" -o "${RKHTMPVAR2}" = "-h" ]; then
				# Ignore obvious invalid options.
				continue
			else
				UNHIDETCP_OPTS="${UNHIDETCP_OPTS} ${RKHTMPVAR2}"
			fi
		done

		# Add a space to avoid the 'echo' problem with options.
		UNHIDETCP_OPTS=`echo "${UNHIDETCP_OPTS} " | sed -e 's/^ *//'`
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_process_options() {

	#
	# Get any options used by checks on processes.
	#

	#
	# We do no testing of this option because if the user gets it wrong,
	# then the processes will show up as warnings. The user should (!)
	# then check the configuration file to make sure it is correct.
	#

	LEAVE=0
	ERRCODE=0

	ALLOWPROCDELFILES=`get_option newline-list ALLOWPROCDELFILE` || exit $?


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_suspscan_options() {

	#
	# This function processes all the options
	# required for the suspscan test.
	#

	LEAVE=0
	ERRCODE=0

	#
	# Get the directories to scan.
	#

	SUSPSCAN_DIRS=`get_option space-list SUSPSCAN_DIRS` || exit $?

	if [ -z "${SUSPSCAN_DIRS}" ]; then
		SUSPSCAN_DIRS="${SUSPSCAN_DFLT_DIRS}"
	fi

	check_paths SUSPSCAN_DIRS SUSPSCAN_DIRS "EXIST NOBROKENLINK NOWILD"

	if [ $ERRCODE -eq 0 ]; then
		SUSPSCAN_DIRS=`echo ${SUSPSCAN_DIRS}`
	else
		LEAVE=1
	fi


	#
	# Get the tempdir to use. It should be a /dev/shm type.
	#

	SUSPSCAN_TEMP=`get_option single SUSPSCAN_TEMP` || exit $?

	if [ -z "${SUSPSCAN_TEMP}" ]; then
		SUSPSCAN_TEMP="${SUSPSCAN_DFLT_TMP}"
	fi

	check_paths SUSPSCAN_TEMP SUSPSCAN_TEMP "EXIST NOBROKENLINK NOWILD"

	if [ $ERRCODE -eq 0 ]; then
		if [ ! -w "${SUSPSCAN_TEMP}" ]; then
			LEAVE=1
			echo "The suspscan temporary directory is not writable: ${SUSPSCAN_TEMP}"
		fi
	else
		LEAVE=1
	fi


	#
	# Get the maximum file size to handle.
	#

	SUSPSCAN_MAXSIZE=`get_option single SUSPSCAN_MAXSIZE` || exit $?

	if [ -n "${SUSPSCAN_MAXSIZE}" ]; then
		check_is_digit SUSPSCAN_MAXSIZE SUSPSCAN_MAXSIZE ANY1

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SUSPSCAN_MAXSIZE=$SUSPSCAN_DFLT_MAXSIZE
	fi


	#
	# Get the score threshold, 200 seems sensible.
	#

	SUSPSCAN_THRESH=`get_option single SUSPSCAN_THRESH` || exit $?

	if [ -n "${SUSPSCAN_THRESH}" ]; then
		check_is_digit SUSPSCAN_THRESH SUSPSCAN_THRESH ANY1

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SUSPSCAN_THRESH=$SUSPSCAN_DFLT_THRESH
	fi


	#
	# Get the line threshold. This exists purely for performance reasons. 3000 seems sensible as
	# Linux Kernel Modules don't exceed 2000 lines and for example most binaries in /bin don't exceed 3000 lines.
	# Note this configuration option will remain unlisted in both the documentation and configuration file.
	#

	SUSPSCAN_LINETHRESH=`get_option single SUSPSCAN_LINETHRESH` || exit $?

	if [ -n "${SUSPSCAN_LINETHRESH}" ]; then
		check_is_digit SUSPSCAN_LINETHRESH SUSPSCAN_LINETHRESH ANY1

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SUSPSCAN_LINETHRESH=3000
	fi


	#
	# Get the debug flag value (defaults to 0). Setting this to 1 will cause verbose messages to be displayed
	# which will result in more warnings than you will want. Changing the SUSPSCAN_DEBUG default value implies
	# that you know what you are doing and that you don't need help "fixing" things afterwards.
	#

	SUSPSCAN_DEBUG=`get_option single SUSPSCAN_DEBUG` || exit $?

	if [ -n "${SUSPSCAN_DEBUG}" ]; then
		check_is_digit SUSPSCAN_DEBUG

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SUSPSCAN_DEBUG=0
	fi


	#
	# Get any whitelisted file pathnames.
	#

	SUSPSCAN_WL_OPT=`get_option newline-list SUSPSCAN_WHITELIST` || exit $?


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_ipc_options() {

	#
	# This function processes the configuration options which
	# are used during the shared memory segments checks.
	#

	LEAVE=0
	ERRCODE=0

	ALLOWIPCPID=""
	ALLOWIPCPROC=""
	ALLOWIPCUSER=""

	#
	# First see if any segment PIDs have been whitelisted.
	#

	ALLOWIPCPID=`get_option space-list ALLOWIPCPID` || exit $?

	if [ -n "${ALLOWIPCPID}" ]; then
		for RKHTMPVAR in ${ALLOWIPCPID}; do
			check_is_digit RKHTMPVAR ALLOWIPCPID ANY1

			test $ERRCODE -eq 1 && LEAVE=1
		done

		ALLOWIPCPID=" `echo ${ALLOWIPCPID}` "
	fi


	#
	# Next we check for any whitelisted process names.
	#

	ALLOWIPCPROC_OPT=`get_option newline-list ALLOWIPCPROC` || exit $?

	if [ -n "${ALLOWIPCPROC_OPT}" ]; then
		# Note that we do not get the expanded list of pathnames at
		# this point. That will be done when the test actually runs.

		ALLOWIPCPROC=${ALLOWIPCPROC_OPT}

		check_paths ALLOWIPCPROC ALLOWIPCPROC

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	#
	# Now check if any usernames have been whitelisted.
	#

	ALLOWIPCUSER=`get_option space-list ALLOWIPCUSER` || exit $?

	if [ -n "${ALLOWIPCUSER}" ]; then
		ALLOWIPCUSER=" `echo ${ALLOWIPCUSER}` "
	fi


	#
	# Finally, we check for the configured minimum segment size.
	# Any segment above this size is considered to be suspicious.
	#

	IPC_SEG_SIZE=`get_option single IPC_SEG_SIZE` || exit $?

	if [ -n "${IPC_SEG_SIZE}" ]; then
		check_is_digit IPC_SEG_SIZE IPC_SEG_SIZE ANY1

		test $ERRCODE -eq 1 && LEAVE=1
	else
		IPC_SEG_SIZE=$DFLT_SEG_SIZE
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_if_prelinked() {

	#
	# A prelinked system is defined here as one which has a 'prelink'
	# command, and the '/etc/prelink.cache' file exists.
	#

	if [ -f "/etc/prelink.cache" ]; then
		#
		# Check that we have a 'prelink' command. If it
		# doesn't exist, then we cannot use prelinking.
		#

		PRELINK_CMD=`find_cmd prelink`

		test -z "${PRELINK_CMD}" && return


		#
		# We test (twice) for the existence of Libsafe since this seems to
		# riddle prelink test results with "dependency cycle" errors.
		# Don't test for existence of /lib/libsafe since it may be
		# installed elsewhere. If Libsafe is found, then we'll skip the
		# file properties hash test.
		#

		LIBSAFE_TEST1=""
		LIBSAFE_TEST2=""

		if [ -f "/etc/ld.so.preload" ]; then
			LIBSAFE_TEST1=`grep 'libsafe' /etc/ld.so.preload 2>&1`
		fi

		if [ -z "${LIBSAFE_TEST1}" ]; then
			LIBSAFE_TEST1=`echo "$LD_PRELOAD" | grep 'libsafe' 2>&1`
		fi

		if [ -n "${LDD_CMD}" ]; then
			if [ -f /lib/libdl.so.? ]; then
				LIBSAFE_TEST2=`${LDD_CMD} /lib/libdl.so.? | grep 'libsafe' 2>&1`
			fi

			if [ -z "${LIBSAFE_TEST2}" -a -f /lib64/libdl.so.? ]; then
				LIBSAFE_TEST2=`${LDD_CMD} /lib64/libdl.so.? | grep 'libsafe' 2>&1`
			fi
		fi

		if [ -z "${LIBSAFE_TEST1}" -a -z "${LIBSAFE_TEST2}" ]; then
			PRELINKED=1

			#
			# Only use 'runcon' if SELinux is enabled.
			#

			SESTATUS_CMD=`find_cmd sestatus`

			if [ -n "${SESTATUS_CMD}" ]; then
				if [ -n "`${SESTATUS_CMD} 2>/dev/null | grep ' status: *enabled$'`" ]; then
					SELINUX_ENABLED=1
					RUNCON_CMD=`find_cmd runcon`
					test -n "${RUNCON_CMD}" && USE_RUNCON=1
				fi
			fi
		elif [ -n "${LIBSAFE_TEST1}" -a -n "${LIBSAFE_TEST2}" ]; then
			SKIP_HASH_MSG=2
		fi
	fi

	return
}


get_md5_hash_function() {

	#
	# This is a short function to try and locate
	# an MD5 hash function command.
	#

	if [ $PRELINKED -eq 1 ]; then
		if [ $USE_RUNCON -eq 1 ]; then
			echo "${RUNCON_CMD} -u root -- ${PRELINK_CMD} --verify --md5"
		else
			echo "${PRELINK_CMD} --verify --md5"
		fi
	else
		HFUNC=`find_cmd md5sum`

		test -z "${HFUNC}" && HFUNC=`find_cmd md5`

		if [ -z "${HFUNC}" -a -n "${PERL_CMD}" ]; then
			MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Digest::MD5 2>/dev/null | grep 'Digest::MD5 installed'`

			test -n "${MOD_INSTALLED}" && echo "${PERL_CMD} ${SCRIPT_PATH}/filehashsha.pl Digest::MD5 0"
		else
			echo "${HFUNC}"
		fi
	fi

	return
}


get_sha_hash_function() {

	#
	# This is a short function to try and locate
	# a SHA hash function command.
	#
	# The function takes one argument which is the
	# SHA bit size.
	#

	SHA_SIZE=$1

	check_is_digit SHA_SIZE HASH_CMD ANY1

	if [ $ERRCODE -eq 1 ]; then
		echo "Error: Invalid argument to get_sha_hash_function function: $*" >&2
		return
	fi

	HFUNC=`find_cmd sha${SHA_SIZE}sum`

	if [ -z "${HFUNC}" ]; then
		HFUNC=`find_cmd sha${SHA_SIZE}`

		if [ -z "${HFUNC}" -a $MACOSX -eq 1 ]; then
			HFUNC=`find_cmd shasum`

			test -n "${HFUNC}" && HFUNC="${HFUNC} -a $SHA_SIZE"
		fi
	fi

	if [ -z "${HFUNC}" -a -n "${PERL_CMD}" ]; then
		MOD_INSTALLED=""

		if [ $SHA_SIZE -eq 1 ]; then
			MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Digest::SHA Digest::SHA1 Digest::SHA::PurePerl 2>/dev/null`
		elif [ $SHA_SIZE -eq 224 ]; then
			MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Digest::SHA Digest::SHA::PurePerl 2>/dev/null`
		else
			MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Digest::SHA Digest::SHA256 Digest::SHA::PurePerl 2>/dev/null`
		fi

		USE_MOD=`echo "${MOD_INSTALLED}" | grep -v 'NOT installed' 2>/dev/null | head ${HEAD_OPT}1 | cut -d' ' -f1`

		if [ -n "${USE_MOD}" ]; then
			HFUNC="${PERL_CMD} "${SCRIPT_PATH}/filehashsha.pl" ${USE_MOD} $SHA_SIZE"
		fi
	fi

	echo "${HFUNC}"

	return
}


get_hash_function() {

	#
	# Get the option from the configuration file, and do a simple
	# check on whether it is empty or a space.
	#

	LEAVE=0
	ERRCODE=0

	if [ $HASH_OPT -eq 1 ]; then
		HASH_FUNC=`echo "${HASH_FUNC}" | tr -d '"' | tr -d "'" | tr -s '	 ' '  '`

		HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f1`

		# Stop globbing from being expanded.
		if [ -z "`echo \"${HASH_CMD}\" | grep '[][*?{}]'`" ]; then
			HASH_FUNC=`echo ${HASH_FUNC}`
		else
			LEAVE=1
			HASH_FUNC="NONE"
			echo "Invalid '--hash' option: invalid pathname: ${HASH_CMD}"
		fi

		if [ -z "${HASH_FUNC}" ]; then
			LEAVE=1
			HASH_FUNC="NONE"
			echo "Invalid '--hash' option: no hash function given."
		fi
	else
		HASH_FUNC=`get_option single HASH_CMD` || exit $?

		if [ -z "${HASH_FUNC}" ]; then
			HASH_FUNC=`get_option single HASH_FUNC` || exit $?
		fi
	fi

	#
	# Test to ensure that globbing and other invalid
	# pathnames have not been given.
	#

	if [ -n "${HASH_FUNC}" ]; then
		HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f1`

		check_paths HASH_CMD HASH_CMD "EXIST NOWILD NOBROKENLINK"

		if [ $ERRCODE -eq 1 ]; then
			LEAVE=1
			HASH_FUNC="NONE"
		fi
	fi

	if [ -n "`echo \"${HASH_FUNC}\" | egrep -i '^(MD5|SHA1|SHA224|SHA256|SHA384|SHA512|RIPEMD160|WHIRLPOOL|NONE)$'`" ]; then
		HASH_FUNC=`echo "${HASH_FUNC}" | tr '[:lower:]' '[:upper:]'`
	fi


	#
	# At this point we have either been given a specific hash function
	# command, the reserved word 'NONE', one of the SHA or other functions,
	# or nothing. For the SHA and MD5 reserved words we must find the SHA
	# or MD5 command, or use the supplied perl scripts. For the RIPEMD160
	# and WHIRLPOOL reserved words, we only use the perl scripts.
	#

	SHA_SIZE=0

	if [ -z "${HASH_FUNC}" ]; then
		test $PRELINKED -eq 1 && HASH_FUNC="SHA1" || HASH_FUNC="SHA256"
	fi

	case "${HASH_FUNC}" in
	SHA1)	SHA_SIZE=1
		;;
	SHA224)	SHA_SIZE=224
		;;
	SHA256)	SHA_SIZE=256
		;;
	SHA384)	SHA_SIZE=384
		;;
	SHA512)	SHA_SIZE=512
		;;
	esac

	if [ $SHA_SIZE -eq 1 -a $PRELINKED -eq 1 ]; then
		PRELINK_HASH="SHA1"

		if [ $USE_RUNCON -eq 1 ]; then
			HASH_FUNC="${RUNCON_CMD} -u root -- ${PRELINK_CMD} --verify --sha"
		else
			HASH_FUNC="${PRELINK_CMD} --verify --sha"
		fi
	elif [ $SHA_SIZE -ge 1 ]; then
		HASH_FUNC=`get_sha_hash_function $SHA_SIZE`
	elif [ "${HASH_FUNC}" = "MD5" ]; then
		HF=`get_md5_hash_function`

		test -n "${HF}" && HASH_FUNC="${HF}"

		if [ $PRELINKED -eq 1 ]; then
			PRELINK_HASH="MD5"
		elif [ -z "`echo \"${HF}\" | grep '/filehashsha\.pl Digest::MD5'`" ]; then
			MD5_CMD="${HF}"
		fi
	elif [ "${HASH_FUNC}" = "RIPEMD160" ]; then
		MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Crypt::RIPEMD160 2>/dev/null`

		if [ -n "`echo \"${MOD_INSTALLED}\" | grep 'Crypt::RIPEMD160 installed'`" ]; then
			HASH_FUNC="${PERL_CMD} "${SCRIPT_PATH}/filehashsha.pl" Crypt::RIPEMD160 0"
		fi
	elif [ "${HASH_FUNC}" = "WHIRLPOOL" ]; then
		MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Digest::Whirlpool 2>/dev/null`

		if [ -n "`echo \"${MOD_INSTALLED}\" | grep 'Digest::Whirlpool installed'`" ]; then
			HASH_FUNC="${PERL_CMD} "${SCRIPT_PATH}/filehashsha.pl" Digest::Whirlpool 0"
		fi
	fi


	#
	# A final check that the command is actually executable.
	# This will ensure that the perl scripts have been installed
	# correctly, should they be needed.
	#

	if [ "${HASH_FUNC}" = "NONE" ]; then
		:
	elif [ "${HASH_FUNC}" = "MD5" ]; then
		LEAVE=1

		if [ $HASH_OPT -eq 1 ]; then
			echo "Invalid '--hash' option: no usable hash command or perl module for MD5 could be found."
		else
			echo "Invalid HASH_CMD configuration option: no usable hash command or perl module for MD5 could be found."
		fi
	elif [ "${HASH_FUNC}" = "RIPEMD160" -o "${HASH_FUNC}" = "WHIRLPOOL" ]; then
		LEAVE=1

		if [ $HASH_OPT -eq 1 ]; then
			echo "Invalid '--hash' option: no perl module for ${HASH_FUNC} could be found."
		else
			echo "Invalid HASH_CMD configuration option: no perl module for ${HASH_FUNC} could be found."
		fi
	elif [ -n "${HASH_FUNC}" ]; then
		HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f1`
		HF=`find_cmd ${HASH_CMD}`

		if [ -n "${HF}" ]; then
			#
			# We rebuild the command to use the full pathname.
			#

			HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f2-`

			if [ -z "${HASH_CMD}" -o "${HASH_CMD}" = "${HASH_FUNC}" ]; then
				HASH_FUNC=$HF
			else
				HASH_FUNC="${HF} ${HASH_CMD}"
			fi
		elif [ $HASH_OPT -eq 1 ]; then
			LEAVE=1
			echo "Invalid '--hash' option: command is non-existent or not executable: ${HASH_CMD}"
		else
			LEAVE=1
			echo "Invalid HASH_CMD configuration option: command is non-existent or not executable: ${HASH_CMD}"
		fi
	elif [ $HASH_OPT -eq 1 ]; then
		LEAVE=1
		echo "Invalid '--hash' option: no usable hash command or perl module could be found."
	elif [ $SHA_SIZE -ge 1 ]; then
		LEAVE=1
		echo "Invalid HASH_CMD configuration option: no usable hash command or perl module for SHA${SHA_SIZE} could be found."
	else
		LEAVE=1
		echo "Invalid HASH_CMD configuration option: no usable hash command or perl module could be found."
	fi


	#
	# Now we get the hash field index. We will assume a field value
	# of one, but this value must be configurable since we allow
	# the user to specify the hash function to use.
	#

	RKHTMPVAR=`get_option single HASH_FLD_IDX` || exit $?

	if [ -n "${RKHTMPVAR}" ]; then
		check_is_digit RKHTMPVAR HASH_FLD_IDX ANY1

		if [ $ERRCODE -eq 0 ]; then
			HASH_FLD_IDX=${RKHTMPVAR}
		else
			LEAVE=1
		fi
	fi


	#
	# Next we get the package manager to use for the file
	# properties hash check and update. If a file is not owned
	# as part of a package, the hash function defined above
	# will be used instead.
	#

	if [ -n "${PKGMGR}" ]; then
		PKGMGR=`echo "${PKGMGR}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${PKGMGR}" ]; then
			LEAVE=1
			echo "Invalid '--pkgmgr' option: no package manager given."
		fi
	else
		PKGMGR=`get_option single PKGMGR` || exit $?
	fi

	PKGMGR=`echo "${PKGMGR}" | tr '[:lower:]' '[:upper:]'`

	test "${PKGMGR}" = "NONE" && PKGMGR=""


	#
	# Now check that the package manager we have been given is valid.
	#

	case "${PKGMGR}" in
	"")
		;;
	RPM)
		RPM_CMD=`find_cmd rpm`

		if [ -z "${RPM_CMD}" ]; then
			LEAVE=1
			echo "Unable to find the 'rpm' command for package manager 'RPM'."
		fi
		;;
	DPKG)
		DPKG_CMD=`find_cmd dpkg-query`

		test -z "${DPKG_CMD}" && DPKG_CMD=`find_cmd dpkg`

		if [ -z "${DPKG_CMD}" ]; then
			LEAVE=1
			echo "Unable to find 'dpkg-query' or 'dpkg' commands for package manager 'DPKG'."
		elif [ ! -d "/var/lib/dpkg/info" ]; then
			LEAVE=1
			echo "Unable to find the package database directory (/var/lib/dpkg/info) for package manager 'DPKG'."
		fi

		if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
			PKGMGR_MD5_HASH=`get_md5_hash_function`

			if [ -z "${PKGMGR_MD5_HASH}" ]; then
				LEAVE=1
				echo "Unable to find an MD5 hash function command to assist package manager 'DPKG'."
			fi
		fi
		;;
	BSD)
		PKG_CMD=`find_cmd pkg_info`

		if [ -z "${PKG_CMD}" ]; then
			LEAVE=1
			echo "Unable to find the 'pkg_info' command for package manager 'BSD'."
		elif [ ! -d "/var/db/pkg" ]; then
			LEAVE=1
			echo "Unable to find the package database directory (/var/db/pkg) for package manager 'BSD'."
		fi

		if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
			PKGMGR_MD5_HASH=`get_md5_hash_function`

			if [ -z "${PKGMGR_MD5_HASH}" ]; then
				LEAVE=1
				echo "Unable to find an MD5 hash function command to assist package manager 'BSD'."
			fi
		fi
		;;
	BSDNG)
		PKG_CMD=`find_cmd pkg`

		if [ -z "${PKG_CMD}" ]; then
			LEAVE=1
			echo "Unable to find the 'pkg' command for package manager 'BSDng'."
		else
			${PKG_CMD} -N >/dev/null 2>&1
			ERRCODE=$?

			if [ $ERRCODE -ne 0 ]; then
				LEAVE=1
				echo "System not set up for use with package manager 'BSDng'."
			fi
		fi

		if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
			PKGMGR_SHA_HASH=`get_sha_hash_function 256`

			if [ -z "${PKGMGR_SHA_HASH}" ]; then
				LEAVE=1
				echo "Unable to find a SHA256 hash function command to assist package manager 'BSDng'."
			fi
		fi
		;;
	SOLARIS)
		#
		# For the Solaris package manager, see if we want
		# to use the stored 16-bit checksum or not.
		#

		USE_SUNSUM=`get_option single USE_SUNSUM` || exit $?

		if [ -n "${USE_SUNSUM}" ]; then
			check_is_digit USE_SUNSUM

			if [ $ERRCODE -eq 0 ]; then
				SUM_CMD=`find_cmd sum`

				if [ -z "${SUM_CMD}" ]; then
					LEAVE=1
					echo "Unable to find the 'sum' command for package manager 'SOLARIS'."
				fi
			else
				LEAVE=1
			fi
		else
			USE_SUNSUM=0
		fi

		if [ ! -f "/var/sadm/install/contents" ]; then
			LEAVE=1
			echo "Unable to find the package database file (/var/sadm/install/contents) for package manager 'SOLARIS'."
		fi
		;;
	*)
		LEAVE=1
		echo "Invalid package manager given: ${PKGMGR}"
		;;
	esac


	#
	# Finally we see if any files are to be exempt from the
	# package manager verification. These will go through the
	# usual commands to get the file info, so they will still
	# be tested.
	#

	PKGMGRNOVRFY=`get_option newline-list PKGMGR_NO_VRFY` || exit $?

	if [ -n "${PKGMGRNOVRFY}" ]; then
		check_paths PKGMGRNOVRFY PKGMGR_NO_VRFY "EXIST NOWILD NOBROKENLINK"

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_scan_mode_dev_option() {

	#
	# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
	# The two allowed values are "THOROUGH" or "LAZY". If the option
	# is commented out, the default, then we do a THOROUGH scan, which
	# will increase the runtime of rkhunter.
	#

	#
	# See if the option is specified in the configuration file.
	#

	LEAVE=0
	ERRCODE=0

	SCAN_MODE_DEV=`get_option single SCAN_MODE_DEV` || exit $?

	if [ -n "${SCAN_MODE_DEV}" ]; then
		SCAN_MODE_DEV=`echo "${SCAN_MODE_DEV}" | tr '[:lower:]' '[:upper:]'`

		case "${SCAN_MODE_DEV}" in
		THOROUGH|LAZY)
			;;
		*)	# Don't make this fatal.
			echo "Invalid SCAN_MODE_DEV configuration option: ${SCAN_MODE_DEV}"
			echo "Defaulting to THOROUGH mode."

			SCAN_MODE_DEV="THOROUGH"
			;;
		esac
	else
		SCAN_MODE_DEV="THOROUGH"
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_startup_paths_option() {

	#
	# This function gets the system startup files and directories
	# from the configuration file. There are no defaults.
	#

	LEAVE=0
	ERRCODE=0

	STARTUP_PATHS=`get_option space-list STARTUP_PATHS` || exit $?

	if [ -n "${STARTUP_PATHS}" ]; then
		#
		# First see if we have any startup files or not.
		#

		if [ -n "`echo \"${STARTUP_PATHS}\" | grep -i '^none$'`" ]; then
			STARTUP_PATHS="NONE"
		else
			#
			# Check that the given files and directories are usable.
			#

			check_paths STARTUP_PATHS STARTUP_PATHS "EXIST"

			if [ $ERRCODE -eq 0 ]; then
				for FNAME in ${STARTUP_PATHS}; do
					test -f "${FNAME}" && RKHTMPVAR="file" || RKHTMPVAR="directory"

					if [ -h "${FNAME}" ]; then
						LEAVE=1
						echo "Invalid STARTUP_PATHS configuration option: the ${RKHTMPVAR} is a link: ${FNAME}"
					elif [ ! -r "${FNAME}" ]; then
						LEAVE=1
						echo "Invalid STARTUP_PATHS configuration option: the ${RKHTMPVAR} is not readable: ${FNAME}"
					elif [ ! -s "${FNAME}" ]; then
						LEAVE=1
						echo "Invalid STARTUP_PATHS configuration option: the ${RKHTMPVAR} is empty: ${FNAME}"
					fi
				done
			else
				LEAVE=1
			fi
		fi
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_rtkt_whitelist_options() {

	#
	# This function gets any whitelisted rootkit files
	# and directories from the configuration file.
	# There are no defaults.
	#

	LEAVE=0
	ERRCODE=0

	RTKT_FILE_WHITELIST=`get_option newline-list RTKT_FILE_WHITELIST` || exit $?

	if [ -n "${RTKT_FILE_WHITELIST}" ]; then
		#
		# Check that the given files are usable. But we must
		# first strip off any trailing text from the end if
		# it is present.
		#

		IFS=$IFSNL
		RKHTMPVAR=""

		for RKHTMPVAR2 in ${RTKT_FILE_WHITELIST}; do
			FNAME=`echo "${RKHTMPVAR2}" | sed -e 's/^\(.*\):[^:]*$/\1/'`

			RKHTMPVAR="${RKHTMPVAR}
${FNAME}"
		done

		IFS=$RKHIFS

		RKHTMPVAR=`echo "${RKHTMPVAR}" | sed -e '/^$/d'`

		check_paths RKHTMPVAR RTKT_FILE_WHITELIST "EXIST NOWILD NOBROKENLINK"

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	RTKT_DIR_WHITELIST=`get_option newline-list RTKT_DIR_WHITELIST` || exit $?

	if [ -n "${RTKT_DIR_WHITELIST}" ]; then
		#
		# Check that the given directories are usable.
		#

		check_paths RTKT_DIR_WHITELIST RTKT_DIR_WHITELIST "EXIST NOWILD NOBROKENLINK"

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_shared_lib_whitelist_option() {

	#
	# This function gets any whitelisted shared library files
	# from the configuration file. There are no defaults.
	#

	LEAVE=0
	ERRCODE=0

	SHARED_LIB_WHITELIST=`get_option space-list SHARED_LIB_WHITELIST` || exit $?

	if [ -n "${SHARED_LIB_WHITELIST}" ]; then
		check_paths SHARED_LIB_WHITELIST SHARED_LIB_WHITELIST "EXIST NOWILD NOBROKENLINK"

		if [ $ERRCODE -eq 0 ]; then
			SHARED_LIB_WHITELIST=" `echo ${SHARED_LIB_WHITELIST}` "
		else
			LEAVE=1
		fi
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_mirror_options() {

	#
	# This function gets the mirrors file options.
	#

	#
	# First we see if the mirrors.dat file
	# should be rotated when it is used.
	#

	LEAVE=0
	ERRCODE=0

	ROTATE_MIRRORS=`get_option single ROTATE_MIRRORS` || exit $?

	if [ -n "${ROTATE_MIRRORS}" ]; then
		check_is_digit ROTATE_MIRRORS

		test $ERRCODE -eq 1 && LEAVE=1
	else
		ROTATE_MIRRORS=1
	fi

	#
	# Now check that the mirrors file is usable.
	#

	if [ -e "${DB_PATH}/mirrors.dat" -a \( ! -f "${DB_PATH}/mirrors.dat" -o -h "${DB_PATH}/mirrors.dat" \) ]; then
		LEAVE=1
		echo "The mirrors file is not a file: ${DB_PATH}/mirrors.dat"
	fi

	if [ $LEAVE -eq 0 -a $VERSIONCHECK -eq 1 ]; then
		if [ $ROTATE_MIRRORS -eq 0 ]; then
			# The mirrors file only needs to be readable.
			if [ ! -e "${DB_PATH}/mirrors.dat" -o ! -s "${DB_PATH}/mirrors.dat" ]; then
				LEAVE=1
				echo "The mirrors file does not exist or is empty: ${DB_PATH}/mirrors.dat"
				echo "Run 'rkhunter --update'" to restore the default mirrors file.
				echo "The default mirror will be used."
			fi
		else
			# The mirrors file needs to be writable.
			if [ ! -e "${DB_PATH}/mirrors.dat" -o ! -s "${DB_PATH}/mirrors.dat" ]; then
				LEAVE=1
				echo "The mirrors file does not exist or is empty: ${DB_PATH}/mirrors.dat"
				echo "Run 'rkhunter --update'" to restore the default mirrors file.
			elif [ ! -w "${DB_PATH}/mirrors.dat" ]; then
				LEAVE=1
				echo "The mirrors file is not writable: ${DB_PATH}/mirrors.dat"
			fi
		fi
	fi


	#
	# Next we see if the mirrors file is to be updated when
	# we use the '--update' option.
	#

	if [ $UPDATE -eq 1 ]; then
		UPDATE_MIRRORS=`get_option single UPDATE_MIRRORS` || exit $?

		if [ -n "${UPDATE_MIRRORS}" ]; then
			check_is_digit UPDATE_MIRRORS

			test $ERRCODE -eq 1 && LEAVE=1
		else
			UPDATE_MIRRORS=1
		fi
	fi


	#
	# Finally, we see which mirrors are to be used.
	#

	MIRRORS_MODE=`get_option single MIRRORS_MODE` || exit $?

	if [ -n "${MIRRORS_MODE}" ]; then
		check_is_digit MIRRORS_MODE MIRRORS_MODE 2

		test $ERRCODE -eq 1 && LEAVE=1
	else
		MIRRORS_MODE=0
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_os_info_options() {

	#
	# This function gets configuration options relating
	# to obtaining information about the O/S.
	#
	# The first part gets the 'release' file pathname
	# from the configuration file. There is no default.
	#

	LEAVE=0
	ERRCODE=0

	OS_VERSION_FILE=`get_option single OS_VERSION_FILE` || exit $?

	if [ -n "${OS_VERSION_FILE}" ]; then
		#
		# We must have a real pathname for this option. So, if it is a link,
		# then we get its real pathname before any further tests.
		#

		if [ $HAVE_READLINK -eq 1 -a -h "${OS_VERSION_FILE}" ]; then
			OS_VERSION_FILE=`${READLINK_CMD} ${READLINK_OPT} "${OS_VERSION_FILE}"`
		fi

		#
		# Check that the given file is usable.
		#

		check_paths OS_VERSION_FILE OS_VERSION_FILE "EXIST NOWILD NOBROKENLINK"

		if [ $ERRCODE -eq 0 ]; then
			if [ ! -r "${OS_VERSION_FILE}" ]; then
				LEAVE=1
				echo "Invalid OS_VERSION_FILE configuration option: File is not readable: ${OS_VERSION_FILE}"
			elif [ ! -s "${OS_VERSION_FILE}" ]; then
				LEAVE=1
				echo "Invalid OS_VERSION_FILE configuration option: File is empty: ${OS_VERSION_FILE}"
			fi
		else
			LEAVE=1
		fi
	fi


	#
	# Next we get the option as to whether we should
	# issue a warning when the O/S info changes or not.
	#

	WARN_ON_OS_CHANGE=`get_option single WARN_ON_OS_CHANGE` || exit $?

	if [ -n "${WARN_ON_OS_CHANGE}" ]; then
		check_is_digit WARN_ON_OS_CHANGE

		test $ERRCODE -eq 1 && LEAVE=1
	else
		WARN_ON_OS_CHANGE=1
	fi


	#
	# Now get the option as to whether we should automatically run
	# a properties update ('--propupd') if the O/S has changed.
	#

	UPDT_ON_OS_CHANGE=`get_option single UPDT_ON_OS_CHANGE` || exit $?

	if [ -n "${UPDT_ON_OS_CHANGE}" ]; then
		check_is_digit UPDT_ON_OS_CHANGE

		test $ERRCODE -eq 1 && LEAVE=1
	else
		UPDT_ON_OS_CHANGE=0
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_user_fileprop_list() {

	#
	# This function gets any user supplied files and directories
	# for the file properties check and the properties file update.
	# It stores the different types of files and directories
	# found in different variables. Only basic syntax checking is
	# done here, further checking will be done later on.
	#
	# The configuration options can have three basic values:
	#
	#    1) A simple file (command) name - for example, 'top'
	#    2) A directory - for example, '/usr/local/sbin'
	#    3) A full file pathname - for example, '/usr/local/sbin/backup'
	#
	# The first two are simply added to the internal lists of files
	# and directories. These are then used to build the file properties
	# file list. The third type is added directly to the end of the file.
	#
	# The second and third types may be wildcarded. They may also be
	# excluded from the checks by including them in the
	# EXCLUDE_USER_FILEPROP_FILES_DIRS option. Only files and directories
	# matching user added ones can be excluded. This prevents users from
	# excluding anything in the internal list.
	# For example: USER_FILEPROP_FILES_DIRS=/opt/b*
	#              EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/backup
	#

	LEAVE=0
	ERRCODE=0

	for WHICH_OPT in USER_FILEPROP_FILES_DIRS EXCLUDE_USER_FILEPROP_FILES_DIRS; do
		FILENAMES=`get_option newline-list ${WHICH_OPT}` || exit $?

		test -z "${FILENAMES}" && continue


		#
		# We must first check to see if any of the names are
		# simple names but with wildcard characters included.
		#

		RKHTMPVAR=`echo "${FILENAMES}" | grep '^[^/]*[][?*{}]'`

		if [ -n "${RKHTMPVAR}" ]; then
			LEAVE=1

			# Make a space-separated list but without expanding the wildcards.
			RKHTMPVAR=`make_space_list "${RKHTMPVAR}"`

			echo "Invalid ${WHICH_OPT} configuration option: Invalid pathname(s): ${RKHTMPVAR}"
		fi

		#
		# Next check the pathnames to ensure they are basically valid.
		#

		check_paths FILENAMES ${WHICH_OPT} "EXIST"

		if [ $ERRCODE -eq 1 ]; then
			LEAVE=1
			continue
		fi

		#
		# Now expand any wildcards.
		#

		FNAMES=`expand_paths FILENAMES`

		#
		# Now we loop through the entries and check them again. They
		# are then added to the relevant variable used to build the
		# file properties file list.
		#

		IFS=$IFSNL

		for FNAME in ${FNAMES}; do
			#
			# First check for any files or directories to be excluded.
			# We ignore any real checks on the pathnames since it is
			# safer if they fail (the relevant files/directories will
			# then be included in the file properties checks).
			#

			if [ "${WHICH_OPT}" = "EXCLUDE_USER_FILEPROP_FILES_DIRS" ]; then
				test -z "${USER_EXCLUDE_PROP}" && USER_EXCLUDE_PROP="${FNAME}" || USER_EXCLUDE_PROP="${USER_EXCLUDE_PROP}
${FNAME}"

				continue
			fi


			#
			# Now check to see if it is a simple file name.
			#

			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

			if [ -z "`echo \"${FNAME}\" | grep '^/'`" ]; then
				# Check that the file name hasn't already been set. If it has, then we just ignore it.

				if [ -z "`echo \"${USER_SIMPLE_FILE_LIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					test -z "${USER_SIMPLE_FILE_LIST}" && USER_SIMPLE_FILE_LIST="${FNAME}" || USER_SIMPLE_FILE_LIST="${USER_SIMPLE_FILE_LIST}
${FNAME}"
				fi
			else
				# It's an absolute pathname. This could be a file or a directory.

				if [ -f "${FNAME}" -o -h "${FNAME}" ]; then
					# Check that it hasn't already been set. If it has, then we just ignore it.

					test -n "`echo \"${USER_FILE_LIST}\" | grep \"^${FNAMEGREP}$\"`" && continue

					if [ -h "${FNAME}" -a $HAVE_READLINK -eq 1 ]; then
						RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`

						if [ -n "${RKHTMPVAR}" ]; then
							FNAMEGREP=`echo "${RKHTMPVAR}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

							if [ -z "`echo \"${USER_FILE_LIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
								FNAME="${FNAME}
${RKHTMPVAR}"
							fi
						elif [ -z "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
							LEAVE=1
							echo "Invalid ${WHICH_OPT} configuration option: Broken link found: ${FNAME}"
							continue
						fi
					fi

					#
					# Now add the file name.
					#

					test -z "${USER_FILE_LIST}" && USER_FILE_LIST="${FNAME}" || USER_FILE_LIST="${USER_FILE_LIST}
${FNAME}"
				elif [ -d "${FNAME}" ]; then
					if [ -h "${FNAME}" -a $HAVE_READLINK -eq 1 ]; then
						RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`

						if [ -z "${RKHTMPVAR}" ]; then
							if [ -z "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
								LEAVE=1
								echo "Invalid ${WHICH_OPT} configuration option: Broken link found: `name2text \"${FNAME}\"`"
								continue
							fi
						elif [ "${RKHTMPVAR}" = "/" ]; then
							LEAVE=1
							echo "Invalid ${WHICH_OPT} configuration option: Invalid pathname: `name2text \"${FNAME}\"` -> /"
							continue
						fi

						FNAME="${RKHTMPVAR}"
					fi

					#
					# Check that the name hasn't already been set. If it has, then we just ignore it.
					#

					FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

					if [ -z "`echo \"${USER_DIR_LIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
						test -z "${USER_DIR_LIST}" && USER_DIR_LIST="${FNAME}" || USER_DIR_LIST="${USER_DIR_LIST}
${FNAME}"
					fi
				fi
			fi
		done

		IFS=$RKHIFS
	done


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_properties_options() {

	#
	# This function gets any configuration options required for
	# the file properties check and the properties file update.
	#
	# For options where filenames are specified, the existence
	# of the filename is checked.
	#

	check_test hashes && HASH_CHECK_ENABLED=1
	check_test attributes && HASH_CHECK_ENABLED=1


	LEAVE=0
	ERRCODE=0

	ATTRWHITELIST=""

	ATTRWL_OPT=`get_option newline-list ATTRWHITELIST` || exit $?

	if [ -n "${ATTRWL_OPT}" ]; then
		ATTRWHITELIST=`expand_paths ATTRWL_OPT`

		check_paths ATTRWHITELIST ATTRWHITELIST "EXIST"

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	WRITEWHITELIST=""

	WRITEWL_OPT=`get_option newline-list WRITEWHITELIST` || exit $?

	if [ -n "${WRITEWL_OPT}" ]; then
		WRITEWHITELIST=`expand_paths WRITEWL_OPT`

		check_paths WRITEWHITELIST WRITEWHITELIST "EXIST"

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	IMMUTWHITELIST=""

	IMMUTWL_OPT=`get_option newline-list IMMUTWHITELIST` || exit $?

	if [ -n "${IMMUTWL_OPT}" ]; then
		IMMUTWHITELIST=`expand_paths IMMUTWL_OPT`

		check_paths IMMUTWHITELIST IMMUTWHITELIST "EXIST"

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	IMMUTABLE_SET=`get_option single IMMUTABLE_SET` || exit $?

	if [ -n "${IMMUTABLE_SET}" ]; then
		check_is_digit IMMUTABLE_SET

		test $ERRCODE -eq 1 && LEAVE=1
	else
		IMMUTABLE_SET=0
	fi


	SCRIPTWHITELIST=""

	SCRIPTWL_OPT=`get_option newline-list SCRIPTWHITELIST` || exit $?

	if [ -n "${SCRIPTWL_OPT}" ]; then
		SCRIPTWHITELIST=`expand_paths SCRIPTWL_OPT`

		check_paths SCRIPTWHITELIST SCRIPTWHITELIST "EXIST"

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	SKIP_INODE_CHECK=`get_option single SKIP_INODE_CHECK` || exit $?

	if [ -n "${SKIP_INODE_CHECK}" ]; then
		check_is_digit SKIP_INODE_CHECK

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SKIP_INODE_CHECK=0
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_prelink_dep_option() {

	#
	# This function gets the prelink dependency error option.
	# This option is a workaround for any files which persistently
	# give a prelinking dependency error.
	#

	LEAVE=0
	ERRCODE=0

	RKHTMPVAR=`get_option space-list IGNORE_PRELINK_DEP_ERR` || exit $?

	if [ -n "${RKHTMPVAR}" ]; then
		RKHTMPVAR=`make_space_list "${RKHTMPVAR}"`

		check_paths RKHTMPVAR IGNORE_PRELINK_DEP_ERR "EXIST NOWILD NOBROKENLINK"

		if [ $ERRCODE -eq 0 ]; then
			PRELINK_DEP_ERR_CMDS=" ${RKHTMPVAR} "
		else
			LEAVE=1
		fi
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_summary_options() {

	#
	# Get the configuration options for the summary.
	#

	#
	# Get the option to see if we are to show the
	# actual number of warnings in the summary.
	#

	LEAVE=0
	ERRCODE=0

	SHOW_SUMMARY_WARNINGS_NUMBER=`get_option single SHOW_SUMMARY_WARNINGS_NUMBER` || exit $?

	if [ -n "${SHOW_SUMMARY_WARNINGS_NUMBER}" ]; then
		check_is_digit SHOW_SUMMARY_WARNINGS_NUMBER

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SHOW_SUMMARY_WARNINGS_NUMBER=0
	fi


	#
	# Get the option to see where, if at all,
	# we are to show the summary scan time.
	#

	SHOW_SUMMARY_TIME=`get_option single SHOW_SUMMARY_TIME` || exit $?

	if [ -n "${SHOW_SUMMARY_TIME}" ]; then
		check_is_digit SHOW_SUMMARY_TIME SHOW_SUMMARY_TIME ANY

		if [ $ERRCODE -eq 0 ]; then
			if [ $SHOW_SUMMARY_TIME -gt 3 ]; then
				LEAVE=1
				echo "Invalid SHOW_SUMMARY_TIME configuration option: not a valid number: ${SHOW_SUMMARY_TIME}"
			fi
		else
			LEAVE=1
		fi
	else
		SHOW_SUMMARY_TIME=3
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_network_options() {

	#
	# Get any options used for network tests.
	#

	LEAVE=0
	ERRCODE=0

	IFWLIST=`get_option space-list ALLOWPROMISCIF` || exit $?

	ALLOWPROCLIST_OPT=`get_option newline-list ALLOWPROCLISTEN` || exit $?


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_os_specific_options() {

	#
	# Get any O/S specific options.
	#

	LEAVE=0
	ERRCODE=0

	if [ $LINUXOS -eq 1 ]; then
		LKM_PATH=`get_option single MODULES_DIR` || exit $?

		if [ -z "${LKM_PATH}" ]; then
			LKM_PATH="/lib/modules/${UNAME_R}"
			test ! -d "${LKM_PATH}" && LKM_PATH="/lib/modules"
		fi

		check_paths LKM_PATH MODULES_DIR "NOBROKENLINK NOWILD"

		test $ERRCODE -eq 1 && LEAVE=1
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_app_options() {

	#
	# Get any options used for the application check.
	#

	LEAVE=0
	ERRCODE=0

	APP_WHITELIST=""

	RKHTMPVAR=`get_option space-list APP_WHITELIST` || exit $?

	if [ -n "${RKHTMPVAR}" ]; then
		RKHTMPVAR=`echo ${RKHTMPVAR}`
		APP_WHITELIST=`echo " ${RKHTMPVAR} " | tr '[:upper:]' '[:lower:]'`
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_configfile_options() {

	#
	# We call separate functions to process each option. The option
	# is checked first to see if it has been given on the command-line,
	# and, if not, then if it is specified in the configuration file.
	# Note that some of these functions are in a specific order. If you
	# change them around, then make sure the functions still work
	# correctly.
	#

	get_bindir_option

	get_scriptdir_option

	#
	# Now that we have processed BINDIR, we will recheck the required
	# commands.
	#
	# Before proceeding too far we also check that we have certain
	# commands available. Typically these are commands which might
	# not have been installed as part of the core system, but are
	# used by RKH. These commands are not 'required' though.
	#

	check_required_commands 2

	check_commands


	get_installdir_option

	get_rootdir_option

	get_logfile_option

	get_tmpdir_option

	get_dbdir_option

	get_language_option

	get_auto_x_option

	get_locking_options

	get_shell_options


	#
	# Some options are only required when checking the system.
	#

	if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
		#
		# See if we are only to perform specific tests.
		#

		get_enable_option
		get_disable_option

		check_test_options

		get_existwl_option
	fi

	if [ $CHECK -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
		get_scanmode_option

		get_syslog_option

		get_startup_paths_option

		get_rtkt_whitelist_options

		get_epoch_date_cmd_option

		get_phalanx2_option

		get_summary_options

		get_ipc_options

		test $NOMOW -eq 0 && get_mailonwarn_option

		if `check_test system_configs`; then
			get_ssh_options
			get_syslog_config_options
		fi

		if `check_test filesystem`; then
			get_scan_mode_dev_option
			get_missing_file_options
			get_hidden_options
			get_dev_options
		fi

		check_test trojans && get_xinetd_option

		check_test ports || check_test hidden_ports && get_port_options

		check_test group_accounts && get_groups_accounts_options

		check_test shared_libs && get_shared_lib_whitelist_option

		check_test hidden_procs || check_test hidden_ports && get_unhide_options

		check_test deleted_files && get_process_options

		check_test suspscan && get_suspscan_options

		check_test network && get_network_options

		check_test os_specific && get_os_specific_options

		check_test apps && get_app_options
	fi


	#
	# We only need the hash function option if we are going
	# to be checking the system or updating the file
	# properties database.
	#

	if `check_test properties` || test $PROP_UPDATE -eq 1 || test $CONFIG_CHECK -eq 1; then
		#
		# For the file properties check we need to find out if
		# we are a prelinked system, and if so, then find out
		# which hash function to use. Secondly, we need to find
		# the 'stat' command. Finally, we need to see if the
		# user has specified any files or directories for the
		# file properties check.
		#

		get_if_prelinked

		get_hash_function

		get_os_info_options

		get_user_fileprop_list

		get_properties_options
	fi

	#
	# If we are doing a file properties update, then we need to
	# see if we should be ignoring prelink errors for any files.
	#

	if [ $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
		get_prelink_dep_option
	fi

	#
	# Get any set options when doing an update or version check.
	#

	if [ $UPDATE -eq 1 -o $VERSIONCHECK -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
		get_mirror_options

		get_webcmd_option
	fi

	return
}


get_readable_date() {

	#
	# This function returns a given epoch second time as a
	# human-readable date and time. It sets the READABLE_DATE
	# variable.
	#

	EPOCH_SECS=$1

	READABLE_DATE=""

	if [ "${EPOCH_DATE_CMD}" = "NONE" ]; then
		:
	elif [ -n "${EPOCH_DATE_CMD}" ]; then
		EPOCH_NOW=`${EPOCH_DATE_CMD} '+%s'`
		EPOCH_SECS=`expr $EPOCH_NOW - $EPOCH_SECS`

		READABLE_DATE=`${EPOCH_DATE_CMD} --date "$EPOCH_SECS seconds ago" '+%d-%b-%Y %H:%M:%S' 2>/dev/null`
	elif [ -n "${PERL_CMD}" ]; then
		READABLE_DATE=`${PERL_CMD} -e "@a=split(' ',scalar(localtime($EPOCH_SECS))); printf \"%d-%s-%d %s\",\\$a[2],\\$a[1],\\$a[4],\\$a[3];" 2>/dev/null`
	fi

	return
}


rkh_dat_set_version() {

	#
	# This function calculates and writes out the 'Version:' value
	# for the rkhunter.dat file. It looks for an old value, and adds
	# one to it. If there is no value then simply start at zero.
	#
	# Note that the new temporary rkhunter.dat file is used.
	#

	TODAY=`date +%Y%m%d 2>/dev/null`

	OLDVER=`grep '^[Vv]ersion:' "${RKHDAT_FILE}" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f2`

	if [ -n "${OLDVER}" ]; then
		OLDDATE=`echo "${OLDVER}" | cut -c1-8`
		OLDVER=`echo "${OLDVER}" | cut -c9-10`

		if [ "${OLDVER}" = "99" -o "${OLDDATE}" != "${TODAY}" -o -z "${OLDVER}" -o -n "`echo \"${OLDVER}\" | grep '[^0-9]'`" ]; then
			NEWVER="00"
		else
			NEWVER=`expr ${OLDVER} + 1`
			test $NEWVER -lt 10 && NEWVER="0${NEWVER}"
		fi
	else
		NEWVER="00"
	fi

	echo "Version:${TODAY}${NEWVER}" >>"${RKHDAT_TMPFILE}"

	return
}


rkh_dat_get_os_info() {

	#
	# This function obtains information about the local computer
	# system. This is then written into the rkhunter.dat file
	# using a simple 'keyword:<value>' format. The OSNAME and
	# ARCH values are not important, but are simply used to check
	# whether they have changed since RKH was last run.
	#
	# Obtaining the OSNAME is somewhat tricky. There is no sure
	# way of finding the information, so we have to use some tricks
	# to locate the correct file. First we look for certain specific
	# O/S release files, and then at the /etc/release file, but not
	# if it is a link. Next we look for a generic /etc/*-release
	# file, again not as a link. This should find most O/S versions.
	# Overall this should also save users having to ask us to support
	# their O/S. In other cases, we will have to ask what file does
	# contain their O/S release information.
	#

	ARCH=""
	OSNAME=""
	RELEASE=""

	UNAME_S=`uname -s 2>/dev/null`
	UNAME_M=`uname -m 2>/dev/null`

	if [ -n "${OS_VERSION_FILE}" ]; then
		REL_FILES="${OS_VERSION_FILE}"
	else
		REL_FILES="/etc/system-release /etc/os-release /usr/lib/os-release /etc/lsb-release /etc/debian_version /etc/devuan_version /etc/slackware-version /var/ipcop/general-functions.pl /etc/lunar.release /etc/ROCK-VERSION /etc/GoboLinuxVersion /etc/kanotix-version /etc/sidux-version /etc/knoppix-version /etc/zenwalk-version /etc/release /etc/*-release"
	fi

	RKH_LSB_SEEN=0

	for FNAME in ${REL_FILES}; do
		test ! -f "${FNAME}" && continue

		if [ "${FNAME}" = "/etc/system-release" ]; then
			RKH_IN_LSB=0
			RELEASE=$FNAME
			OSNAME=`cat "${FNAME}"`
			break
		elif [ ! -h "${FNAME}" ]; then
			RELEASE=$FNAME

			RKH_IN_LSB=0

			case "${RELEASE}" in
			/etc/os-release|/usr/lib/os-release)
				OSNAME=`grep '^PRETTY_NAME=' "${RELEASE}" | sed -e 's/PRETTY_NAME=//' | tr -d '"'`

				if [ -z "${OSNAME}" ]; then
					RKHTMPVAR=`grep '^NAME=' "${RELEASE}" | sed -e 's/NAME=//'`;
					RKHTMPVAR2=`grep '^VERSION=' "${RELEASE}" | sed -e 's/VERSION=//' | tr -d '"'`;

					if [ -z "${RKHTMPVAR2}" ]; then
						RKHTMPVAR2=`grep '^VERSION_ID=' "${RELEASE}" | sed -e 's/VERSION_ID=//' | tr -d '"'`;
					fi

					OSNAME="${RKHTMPVAR} ${RKHTMPVAR2}"
				fi
				;;
			/etc/lsb-release)
				RKH_IN_LSB=1
				RKH_LSB_SEEN=1
				OSNAME=`grep '^DISTRIB_DESCRIPTION=' "${RELEASE}" | sed -e 's/DISTRIB_DESCRIPTION=//' | tr -d '"'`
				;;
			/etc/gentoo-release)
				if [ -h "/etc/make.profile" ]; then
					OSNAME="Gentoo `ls -l /etc/make.profile 2>/dev/null | sed -e 's;^.*/\([^/]*/[^/]*\)$;\1;' | tr '/' ' '`"
				else
					OSNAME="Gentoo"
				fi
				;;
			/var/ipcop/general-functions.pl)
				OSNAME=`grep 'version *=' "${RELEASE}" 2>/dev/null | head ${HEAD_OPT}1`
				;;
			/etc/debian_version)
				OSNAME="Debian `cat \"${RELEASE}\"`"
				;;
			/etc/devuan_version)
				OSNAME="Devuan `cat \"${RELEASE}\"`"
				;;
			/etc/GoboLinuxVersion)
				OSNAME="GoboLinux `cat \"${RELEASE}\"`"
				;;
			/etc/knoppix-version)
				OSNAME="Knoppix `cat \"${RELEASE}\"`"
				;;
			/etc/zenwalk-version)
				OSNAME="Zenwalk `cat \"${RELEASE}\"`"
				;;
			*)
				OSNAME=`${AWK_CMD} '/^[ 	]*[^ 	]/ { print $0 }' "${RELEASE}" 2>/dev/null | head ${HEAD_OPT}1`
				;;
			esac


			#
			# Strip out any leading blanks and tabs from the O/S version.
			#

			test -n "${OSNAME}" && OSNAME=`echo ${OSNAME}`


			#
			# If we have a release file but it seems to be blank,
			# and we are not looking at the LSB release file, then
			# we take a look for the first non-blank line. We
			# then, again, strip out any leading blanks and tabs.
			#

			if [ $RKH_IN_LSB -eq 0 -a -z "${OSNAME}" ]; then
				OSNAME=`${AWK_CMD} '/^[ 	]*[^ 	]/ { print $0 }' "${RELEASE}" 2>/dev/null | head ${HEAD_OPT}1`
				OSNAME=`echo ${OSNAME}`
			fi

			test -n "${OSNAME}" && break
		fi
	done


	if [ -z "${OSNAME}" ]; then
		RELEASE=""

		if [ -d "/var/smoothwall" ]; then
			OSNAME="Smoothwall Linux"
			RELEASE="/var/smoothwall"
		elif [ -n "`which sorcery 2>/dev/null | grep -v ' '`" -a -n "`which gaze 2>/dev/null | grep -v ' '`" ]; then
			OSNAME="Source Mage Linux"
		fi
	fi

	case "${OPERATING_SYSTEM}" in
	SunOS)
		ARCH=`uname -p 2>/dev/null`
		;;
	FreeBSD|DragonFly)
		ARCH=`sysctl -n hw.machine_arch 2>/dev/null`
		OSNAME=`uname -v 2>/dev/null | cut -d' ' -f1,2`
		;;
	OpenBSD)
		OSNAME="OpenBSD ${UNAME_R}"
		;;
	Darwin)
		OSNAME=`sw_vers 2>/dev/null | grep '^ProductName:' | sed -e 's/ProductName:[ 	]*//'`
		OSNAME="${OSNAME} `sw_vers 2>/dev/null | grep '^ProductVersion:' | sed -e 's/ProductVersion:[ 	]*//'`"
#		OSNAME="${OSNAME} `sysctl kern.version 2>/dev/null | sed -e 's/^kern.version = //' | cut -d: -f1`"

		if [ -n "`sysctl -a 2>/dev/null | egrep '^(hw\.optional\.x86_64|hw\.optional\.64bitops|hw\.cpu64bit_capable).*1$'`" ]; then
			OSNAME="${OSNAME} (64-bit capable)"
		fi
		;;
	AIX)
		ARCH=`uname -p 2>/dev/null`
		OSNAME="IBM AIX `oslevel 2>/dev/null`"
		;;
	IRIX*)
		OSNAME="${OPERATING_SYSTEM} ${UNAME_R}"
		;;
	esac

	#
	# If the O/S name seems to be a string of numbers, then forget we saw it.
	#

	test -n "`echo \"${OSNAME}\" | grep '^[0-9._-][0-9._-]*$'`" && OSNAME=""


	#
	# If we still have no O/S version information, then as a last
	# resort we will look to see if an 'issue' file exists or use
	# whatever is in the LSB release file. We test these last because
	# they are not necessarily reliable in providing the O/S version.
	#

	if [ -z "${OSNAME}" ]; then
		if [ -f "/etc/issue" ]; then
			OSNAME=`${AWK_CMD} '/^[ 	]*[^ 	\\\]/ { print $0 }' /etc/issue 2>/dev/null | head ${HEAD_OPT}1`

			#
			# Modify or remove the escape sequences seen in the file.
			#

			OSNAME=`echo "${OSNAME}" | sed -e "s/\\\\\s/${UNAME_S}/g; s/\\\\\r/${UNAME_R}/g; s/\\\\\m/${UNAME_M}/g"`
			OSNAME=`echo "${OSNAME}" | sed -e 's/ (*\\\[^ ]*//g'`
			OSNAME=`echo ${OSNAME}`

			test -n "${OSNAME}" && RELEASE="/etc/issue"
		fi

		if [ $RKH_LSB_SEEN -eq 1 -a -z "${OSNAME}" ]; then
			OSNAME=`${AWK_CMD} '/^[ 	]*[^ 	]/ { print $0 }' /etc/lsb-release 2>/dev/null | head ${HEAD_OPT}1`
			OSNAME=`echo ${OSNAME}`
			test -n "${OSNAME}" && RELEASE="/etc/lsb-release"
		fi
	fi


	#
	# If some things have still not been set, then set them now.
	#

	test -z "${ARCH}" && ARCH="${UNAME_M}"
	test -z "${OSNAME}" && OSNAME="`uname` ${UNAME_R}"


	return
}


rkh_dat_set_file_properties() {

	#
	# This function obtains various bits of information about the files to
	# be checked. The current format in the rkhunter.dat file is:
	#
	#     File:<colon count>:<pathname>:<hash value>:<inode>:<permissions>:
	#	   <uid>:<gid>:<file size>:<date/time modified>:<package name>:
	#	   <symbolic link colon count>:<symbolic link target>
	#
	# The format is actually governed by the stat.pl file, and the output
	# it produces. Changing the order of options does not change the order
	# of the output.
	#
	# To save time in the loops below, we determine the exact commands
	# required before using them.
	#

	NODATFILE=0
	NOHASH_COUNT=0
	BROKEN_LINK_COUNT=0
	PROP_FILE_LIST_COUNT=0
	PROP_FILE_PROPOPT_COUNT=0

	DIR_FILE_COUNT=""

	display --to LOG --type PLAIN SET_FILE_PROP_START


	if ! `check_test attributes` && test $ENDIS_OPT -eq 0; then
		SCMD=""
		INODECMD=""
	elif [ -z "${STAT_CMD}" ]; then
		SCMD=""
		INODECMD=""
	else
		if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
			if [ "${PKGMGR}" = "SOLARIS" ]; then
				SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --mtime"
			else
				SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --Mtime"
			fi

			INODECMD="${STAT_CMD} --modeoct --raw --ino"
		elif [ $BSDOS -eq 1 -o $MACOSX -eq 1 ]; then
			SCMD="${STAT_CMD} -f '%i %Mp%Lp %u %g %z %m:'"
			INODECMD="${STAT_CMD} -f '%i'"
		else
			SCMD="${STAT_CMD} -c '%i 0%a %u %g %s %Y:'"
			INODECMD="${STAT_CMD} -c '%i'"
		fi
	fi


	if ! `check_test hashes` && test $ENDIS_OPT -eq 0; then
		HASH_CMD=""
	elif [ -z "${PKGMGR}" -a "${HASH_FUNC}" = "NONE" ]; then
		HASH_CMD=""
	else
		HASH_CMD="${HASH_FUNC}"
	fi

	#
	# Next dig out the old file format version. We may need this if
	# we are only updating one file and the format has changed.
	#

	if [ -s "${RKHDAT_FILE}" ]; then
		OLD_FMTVERSION=`grep '^FormatVersion:' "${RKHDAT_FILE}" 2>/dev/null | cut -d: -f2`

		test -z "${OLD_FMTVERSION}" && OLD_FMTVERSION=0
	else
		NODATFILE=1
	fi


	#
	# Now loop through the pathnames looking for the files.
	#
	# We must set IFS around this loop, otherwise any names in the file
	# properties list containing whitespace will be separated out.
	# However, because IFS interacts with some commands, executed via
	# backticks, we must then reset IFS for the duration of the loop
	# and set it again at the end of the loop. It's messy, but it works.
	#

	IFS=$IFSNL

	for FNAME in `cat "${RKH_FILEPROP_LIST}"`; do
		test ! -f "${FNAME}" -a ! -h "${FNAME}" && continue

		FDATA=""
		SYSLNK=""
		SYSHASH=""
		PKGNAME=""
		FNAMEGREP=""
		RPM_QUERY_RESULT=""
		SYSLNK_CC=0
		NOVRFYFILE=0
		COLON_COUNT=0
		FILE_IS_PKGD=0
		DEPENDENCY_ERR=0

		IFS=$RKHIFS

		PROP_FILE_LIST_COUNT=`expr ${PROP_FILE_LIST_COUNT} + 1`


		#
		# Set up some variables here based on the file name. We will
		# need them later on.
		#

		COLON_COUNT=`echo "${FNAME}" | tr -c -d ':' | wc -c | tr -d ' '`

		FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`


		#
		# Test to see if we are looking for specific files or not.
		#

		if [ -n "${PROPUPD_OPT}" ]; then
			#
			# If we are looking for specific files, then just copy the
			# entries from the current rkhunter.dat file for the files
			# we aren't looking for. For the ones we do want, we fall
			# through and process them as before.
			#

			if [ $NODATFILE -eq 0 ]; then
				if [ -z "`echo \"${PROPUPD_OPT}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					if [ $OLD_FMTVERSION -eq 0 ]; then
						RKHTMPVAR=`grep "^File:${FNAMEGREP}:" "${RKHDAT_FILE}"`
					else
						RKHTMPVAR=`grep "^File:${COLON_COUNT}:${FNAMEGREP}:" "${RKHDAT_FILE}"`
					fi

					if [ -n "${RKHTMPVAR}" ]; then
						echo "${RKHTMPVAR}" >>"${RKHDAT_TMPFILE}"
						IFS=$IFSNL
						continue
					fi
				fi
			fi

			PROP_FILE_PROPOPT_COUNT=`expr ${PROP_FILE_PROPOPT_COUNT} + 1`
		fi


		#
		# Sort out the directory counters.
		#

		test -n "${DIRNAME_CMD}" && DIR=`${DIRNAME_CMD} "${FNAME}"` || DIR=`echo "${FNAME}" | sed -e 's:/[^/]*$::'`

		RKHTMPVAR2=`echo "${DIR}" | sed -e 's/\./\\\./g'`

		RKHTMPVAR=`echo "${DIR_FILE_COUNT}" | grep "^${RKHTMPVAR2}:"`

		if [ -z "${RKHTMPVAR}" ]; then
			DIR_FILE_COUNT="${DIR_FILE_COUNT}
${DIR}:1"
		else
			RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^.*:\([0-9]*\)$/\1/'`
			RKHTMPVAR=`expr ${RKHTMPVAR} + 1`

			DIR_FILE_COUNT=`echo "${DIR_FILE_COUNT}" | sed -e "s;^\(${DIR}:\).*;\1${RKHTMPVAR};"`
		fi


		#
		# See if the file is to be exempt from any package manager verification.
		#

		if [ -n "`echo \"${PKGMGRNOVRFY}\" | grep \"^${FNAMEGREP}$\"`" ]; then
			NOVRFYFILE=1
		fi


		#
		# Now start to get the file info by seeing if we are using a
		# package manager. If we are, then get the package name and
		# any other info we can except the hash value. That will be
		# dealt with afterwards.
		#

		case "${PKGMGR}" in
		RPM)
			#
			# First see if the file is exempt or belongs to a package.
			#

			if [ $NOVRFYFILE -eq 0 ]; then
				RKHTMPVAR=`${RPM_CMD} -qf "${FNAME}" --queryformat '%{NAME}\n' 2>/dev/null`
				ERRCODE=$?

				if [ $ERRCODE -eq 0 ]; then
					#
					# Okay we have a package name.
					#

					FILE_IS_PKGD=1
					PKGNAME=`echo "${RKHTMPVAR}" | tail ${TAIL_OPT}1`

					RPM_QUERY_RESULT_ARCH=`${RPM_CMD} -qf --queryformat '[%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{=ARCH}:%{FILELINKTOS}:%{FILENAMES}\n]' "${FNAME}" 2>/dev/null | grep ":${FNAMEGREP}\$"`
					ERRCODE=$?

					#
					# The error code actually refers to the 'grep' command above. If the
					# file is not found in the package, then this is probably due to the
					# 'bin' directory being a link. So we change the filename, and retest.
					#

					if [ $ERRCODE -eq 1 -a $BINISLINK -eq 1 ]; then
						if [ -n "`echo \"$FNAME\" | grep '^\/usr\/'`" ]; then
							RKHTMPVAR3=`echo "$FNAMEGREP" | sed -e 's:^/usr::'`
						else
							RKHTMPVAR3="/usr${FNAMEGREP}"
						fi

						RPM_QUERY_RESULT_ARCH=`${RPM_CMD} -qf --queryformat '[%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{=ARCH}:%{FILELINKTOS}:%{FILENAMES}\n]' "${FNAME}" 2>/dev/null | grep ":${RKHTMPVAR3}\$"`
						ERRCODE=$?
					fi

					if [ $ERRCODE -eq 0 ]; then
						#
						# If multiple packages claim the same file, we
						# use the last one in the list. However, if we
						# have 64-bit as well as 32-bit packages, then
						# we use the 64-bit package in preference (as
						# this is what RPM does).
						#

						RPM_QUERY_RESULT=`echo "${RPM_QUERY_RESULT_ARCH}" | egrep ':(x86_64|ia64):' 2>/dev/null | tail ${TAIL_OPT}1`

						test -z "${RPM_QUERY_RESULT}" && RPM_QUERY_RESULT=`echo "${RPM_QUERY_RESULT_ARCH}" | tail ${TAIL_OPT}1`

						FPERM="0`echo \"${RPM_QUERY_RESULT}\" | cut -d: -f1 | cut -c 3-`"
						FPERM=`echo "${FPERM}" | sed -e 's/^00/0/'`

						RKHUID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f2`
						RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`

						RKHGID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f3`
						RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`

						RKHSIZE=`echo "${RPM_QUERY_RESULT}" | cut -d: -f4`

						RKHDTM=`echo "${RPM_QUERY_RESULT}" | cut -d: -f5`

						if [ -h "${FNAME}" ]; then
							test -n "${DIRNAME_CMD}" && DIR=`${DIRNAME_CMD} "${FNAME}"` || DIR=`echo "${FNAME}" | sed -e 's:/[^/]*$::'`

							SYSLNK=`echo "${RPM_QUERY_RESULT}" | cut -d: -f8`
							SYSLNK="${DIR}/${SYSLNK}"

							# This ensures the link target has things like '..' removed.
							test $HAVE_READLINK -eq 1 && SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${SYSLNK}"`
						fi

						#
						# Now get the inode value directly from the disk,
						# but only if prelinking is not being used.
						#

						RKHTMPVAR2=""

						if [ $PRELINKED -eq 0 -a -n "${INODECMD}" ]; then
							RKHTMPVAR2=`eval ${INODECMD} "\"${FNAME}\"" 2>/dev/null | tr -d ' '`
						fi

						FDATA="${RKHTMPVAR2}:${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}"
					else
						NOHASH_COUNT=`expr $NOHASH_COUNT + 1`
						display --to LOG --type INFO CMD_ERROR "rpm -qf --queryformat... ${FNAME}" $ERRCODE
					fi
				fi
			fi
			;;
		DPKG)
			#
			# First see if the file is exempt or part of a known package.
			#

			if [ $NOVRFYFILE -eq 1 ]; then
				ERRCODE=1
			else
				RKHTMPVAR=`${DPKG_CMD} --search "${FNAME}" 2>/dev/null`
				ERRCODE=$?
			fi

			if [ $ERRCODE -eq 0 ]; then
				#
				# Now we sort out the base part of the package name.
				#

				PKGNAME=`echo "${RKHTMPVAR}" | tail ${TAIL_OPT}1 | cut -d: -f1`
			fi
			;;
		BSD)
			#
			# First see if the file is exempt or part of a known package.
			#

			PKGNAME=""

			if [ $NOVRFYFILE -eq 0 ]; then
				RKHTMPVAR=`${PKG_CMD} -F -e "${FNAME}" 2>/dev/null`
				ERRCODE=$?

				if [ $ERRCODE -ne 0 ]; then
					#
					# It may be that we need to use the '-W' option instead.
					#

					RKHTMPVAR=`${PKG_CMD} -q -W "${FNAME}" 2>/dev/null`
					ERRCODE=$?
				fi

				if [ $ERRCODE -eq 0 -a -n "${RKHTMPVAR}" ]; then
					PKGNAME=`echo "${RKHTMPVAR}" | tail ${TAIL_OPT}1`
				fi
			fi
			;;
		BSDNG)
			#
			# First see if the file is exempt or part of a known package.
			#

			if [ $NOVRFYFILE -eq 1 ]; then
				ERRCODE=1
			else
				RKHTMPVAR=`${PKG_CMD} which -q "${FNAME}" 2>/dev/null`
				ERRCODE=$?
			fi

			test $ERRCODE -eq 0 && PKGNAME="${RKHTMPVAR}" || PKGNAME=""
			;;
		SOLARIS)
			#
			# First see if the file is exempt or belongs to a package.
			#

			if [ $NOVRFYFILE -eq 1 ]; then
				ERRCODE=1
			else
				RKHTMPVAR=`grep "^${FNAMEGREP} " /var/sadm/install/contents 2>/dev/null`
				test -n "${RKHTMPVAR}" && ERRCODE=0 || ERRCODE=1
			fi

			if [ $ERRCODE -eq 0 ]; then
				#
				# Okay we have a package name.
				#

				PKGNAME=`echo "${RKHTMPVAR}" | cut -d' ' -f10-`

				FPERM=`echo "${RKHTMPVAR}" | cut -d' ' -f4`

				RKHUID=`echo "${RKHTMPVAR}" | cut -d' ' -f5`
				RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`

				RKHGID=`echo "${RKHTMPVAR}" | cut -d' ' -f6`
				RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`

				RKHSIZE=`echo "${RKHTMPVAR}" | cut -d' ' -f7`

				if [ $USE_SUNSUM -eq 1 ]; then
					# Treat this as a fully packaged file.
					FILE_IS_PKGD=1
					SYSHASH=`echo "${RKHTMPVAR}" | cut -d' ' -f8`
				fi

				RKHDTM=`echo "${RKHTMPVAR}" | cut -d' ' -f9`

				#
				# Now get the inode value.
				#

				RKHTMPVAR2=""

				test -n "${INODECMD}" && RKHTMPVAR2=`eval ${INODECMD} "\"${FNAME}\"" 2>/dev/null | tr -d ' '`

				FDATA="${RKHTMPVAR2}:${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}"
			fi
			;;
		esac


		if [ -n "${HASH_CMD}" ]; then
			if [ -n "`echo \"${PRELINK_DEP_ERR_CMDS}\" | grep \" ${FNAMEGREP} \"`" ]; then
				FILE_IS_PKGD=1
				SYSHASH="ignore-prelink-dep-err"
				display --to LOG --type INFO FILE_PROP_IGNORE_PRELINK_DEP_ERR "`name2text \"${FNAME}\"`"
			else
				case "${PKGMGR}" in
				RPM)
					test $FILE_IS_PKGD -eq 1 && SYSHASH=`echo "${RPM_QUERY_RESULT}" | cut -d: -f6`
					;;
				DPKG)
					#
					# If we have a package name, then strip off the leading
					# '/' from the pathname, and then get the hash value.
					#

					if [ -n "${PKGNAME}" ]; then
						if [ -f "/var/lib/dpkg/info/${PKGNAME}.md5sums" ]; then
							FILNAM=`echo "${FNAME}" | sed -e 's:^/::; s:\.:\\\.:g'`
							SYSHASH=`egrep "( |\./)${FILNAM}\$" "/var/lib/dpkg/info/${PKGNAME}.md5sums" 2>/dev/null | cut -d' ' -f1`
							test -n "${SYSHASH}" && FILE_IS_PKGD=1
						fi
					fi
					;;
				BSD)
					#
					# If we have a package name, then strip off the leading '/usr/pkg/' or
					# '/usr/local/' from the pathname, and then get the hash value.
					#

					if [ -n "${PKGNAME}" ]; then
						FILNAM=`echo "${FNAME}" | sed -e 's:^/usr/pkg/::; s:^/usr/local/::; s:\.:\\\.:g'`
						SYSHASH=`${PKG_CMD} -v -L "${PKGNAME}" 2>/dev/null | grep -A 1 "File: ${FILNAM}\$" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f3`
						test -n "${SYSHASH}" && FILE_IS_PKGD=1
					fi
					;;
				BSDNG)
					#
					# If we have a package name, then get the hash value.
					#

					if [ -n "${PKGNAME}" ]; then
						SYSHASH=`${PKG_CMD} query '%Fp: %Fs' ${PKGNAME} 2>/dev/null | grep "^${FNAME}: " 2>/dev/null | sed -r -e 's/^.*: (1\\$)?([A-Fa-f0-9]+)$/\2/'`
						test -n "${SYSHASH}" && FILE_IS_PKGD=1
					fi
					;;
				SOLARIS)
					#
					# If we are to use the stored 16-bit checksum, then
					# SYSHASH will already have been set above. Otherwise,
					# just calculate the hash as for non-packaged files.
					#
					;;
				esac
			fi

			if [ $FILE_IS_PKGD -eq 0 ]; then
				if [ "${HASH_CMD}" != "NONE" ]; then
					SYSHASH=""
					RKHTMPVAR=`${HASH_CMD} "${FNAME}" 2>&1`

					if [ -n "`echo \"${RKHTMPVAR}\" | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
						DEPENDENCY_ERR=1
						RKHTMPVAR=`echo "${RKHTMPVAR}" | tr '\n' ':' | sed -e 's/:$//'`
					else
						SYSHASH=`echo "${RKHTMPVAR}" | cut -d' ' -f $HASH_FLD_IDX | grep '^[0-9a-fA-F]*$'`
					fi
				fi

				if [ -z "${SYSHASH}" ]; then
					if [ "${HASH_CMD}" = "NONE" ]; then
						if [ $VERBOSE_LOGGING -eq 1 ]; then
							display --to LOG --type INFO FILE_PROP_NO_PKGMGR_FILE "`name2text \"${FNAME}\"`"
						fi
					elif [ -h "${FNAME}" -a ! -e "${FNAME}" ]; then
						if [ $HAVE_READLINK -eq 1 ]; then
							SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`

							RKHTMPVAR="${SYSLNK}"
							RKHTMPVAR2=`echo "${SYSLNK}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
						else
							RKHTMPVAR=""
						fi

						# Check the link target to see if it is whitelisted.
						if [ $HAVE_READLINK -eq 1 -a -n "`echo \"${EXISTWHITELIST}\" | grep \"^${RKHTMPVAR2}$\"`" ]; then
							if [ $VERBOSE_LOGGING -eq 1 ]; then
								display --to LOG --type INFO FILE_PROP_BROKEN_LINK_WL_TGT "`name2text \"${FNAME}\"`" "`name2text \"${RKHTMPVAR}\"`"
							fi
						else
							# Treat a broken link simply as a file with no hash.
							BROKEN_LINK_COUNT=`expr ${BROKEN_LINK_COUNT} + 1`

							display --to LOG --type WARNING FILE_PROP_NO_SYSHASH "`name2text \"${FNAME}\"`"

							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_BL "`name2text \"${FNAME}\"`" "`name2text \"${RKHTMPVAR}\"`"
						fi
					else
						NOHASH_COUNT=`expr ${NOHASH_COUNT} + 1`

						display --to LOG --type WARNING FILE_PROP_NO_SYSHASH "`name2text \"${FNAME}\"`"

						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_CMD "${RKHTMPVAR}"

						if [ $DEPENDENCY_ERR -eq 1 ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_DEPENDENCY "`name2text \"${FNAME}\"`"
						fi
					fi
				fi
			fi
		fi


		if [ -h "${FNAME}" -a -z "${SYSLNK}" ]; then
			test $HAVE_READLINK -eq 1 && SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
		fi


		if [ -z "${SCMD}" ]; then
			FDATA=":::::"
		else
			if [ -z "${FDATA}" ]; then
				FDATA=`eval ${SCMD} "\"${FNAME}\"" 2>/dev/null | tr ' ' ':' | sed -e 's/:$//'`

				if [ -z "${FDATA}" ]; then
					FDATA=":::::"
				elif [ -n "`echo ${FDATA} | grep '^[^:]*:0[0-9][0-9][0-9][0-9]:'`" ]; then
					# Ensure the file permissions consist of only 4 digits.
					FDATA=`echo $FDATA | sed -e 's/^\([^:]*:\)0\(.*\)$/\1\2/'`
				fi
			fi
		fi

		# Check if the symbolic link has any colon characters in it.
		SYSLNK_CC=`echo "${SYSLNK}" | tr -c -d ':' | wc -c | tr -d ' '`

		echo "File:${COLON_COUNT}:${FNAME}:${SYSHASH}:${FDATA}:${PKGNAME}:${SYSLNK_CC}:${SYSLNK}:" >>"${RKHDAT_TMPFILE}"

		IFS=$IFSNL
	done

	IFS=$RKHIFS


	#
	# Display the number of files found in the directories.
	#

	for DIR in ${DIR_FILE_COUNT}; do
		test -z "${DIR}" && continue

		RKHTMPVAR=`echo $DIR | cut -d: -f1`
		RKHTMPVAR2=`echo $DIR | cut -d: -f2`

		display --to LOG --type INFO SET_FILE_PROP_DIR_FILE_COUNT $RKHTMPVAR2 "${RKHTMPVAR}"
	done


	#
	# Finally put the new file in place.
	#

	if [ -f "${RKHDAT_FILE}" ]; then
		RKHTMPVAR="updated"
	else
		RKHTMPVAR="created"
	fi

	test $NOHASH_COUNT -gt 0 -o $BROKEN_LINK_COUNT -gt 0 && RET_CODE=1

	# Don't display messages if this is an automatic update.
	if [ $OS_CHANGED -eq 1 -a $UPDT_ON_OS_CHANGE -eq 1 ]; then
		:
	else
		if [ $NOHASH_COUNT -eq 0 ]; then
			if [ $BROKEN_LINK_COUNT -eq 0 ]; then
				if [ -n "${PROPUPD_OPT}" ]; then
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_PROPOPT "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT
				else
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT
				fi
			else
				if [ -n "${PROPUPD_OPT}" ]; then
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_PROPOPT_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT $BROKEN_LINK_COUNT
				else
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT $BROKEN_LINK_COUNT
				fi
			fi
		else
			if [ $BROKEN_LINK_COUNT -eq 0 ]; then
				if [ -n "${PROPUPD_OPT}" ]; then
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH_PROPOPT "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT $NOHASH_COUNT
				else
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT $NOHASH_COUNT
				fi
			else
				if [ -n "${PROPUPD_OPT}" ]; then
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH_PROPOPT_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT $NOHASH_COUNT $BROKEN_LINK_COUNT
				else
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT $NOHASH_COUNT $BROKEN_LINK_COUNT
				fi
			fi
		fi
	fi

	return
}


create_rkh_file_prop_list() {

	#
	# This function creates the file of pathnames
	# used for the file properties check.
	#

	get_temp_file "${RKHTMPDIR}/rkh_prop_list.new"
	touch "${TEMPFILE}"

	IFS=$IFSNL

	for DIR in ${PROP_DIR_LIST}; do
		for FNAME in ${PROP_FILE_LIST}; do
			echo "${DIR}/${FNAME}" >>"${TEMPFILE}"
		done
	done


	#
	# Now we add any user specified absolute
	# pathnames to be included in the list.
	#

	if [ -n "${USER_FILE_LIST}" ]; then
		for FNAME in ${USER_FILE_LIST}; do
			#
			# We must exclude any user requested files or directories.
			#

			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

			if [ -n "${USER_EXCLUDE_PROP}" ]; then
				test -n "`echo \"${USER_EXCLUDE_PROP}\" | grep \"^${FNAMEGREP}$\"`" && continue
			fi

			test -z "`grep \"^${FNAMEGREP}$\" "${TEMPFILE}" 2>/dev/null`" && echo "${FNAME}" >>"${TEMPFILE}"
		done
	fi

	IFS=$RKHIFS


	cp -f "${TEMPFILE}" "${RKH_FILEPROP_LIST}" >/dev/null 2>&1
	chmod 600 "${RKH_FILEPROP_LIST}" >/dev/null 2>&1

	rm -f "${TEMPFILE}" >/dev/null 2>&1

	return
}


get_old_prop_attrs() {

	#
	# This function simply determines some of the attributes
	# used when the file properties database was created.
	#

	FNAME=$1

	test -z "${FNAME}" -o ! -f "${FNAME}" && return

	if [ -s "${FNAME}" ]; then
		OLD_HASH_FUNC=`grep '^Hash:' "${FNAME}" | cut -d: -f2-`

		OLD_PKGMGR=`grep '^Pkgmgr:' "${FNAME}" | cut -d: -f2`

		OLD_ATTRUPD=`grep '^Attributes:' "${FNAME}" | cut -d: -f2`
	fi

	return
}


do_prop_update() {

	#
	# This function updates the local hosts rkhunter.dat file
	# with O/S information and file properties.
	#

	display --to LOG --type INFO --nl PROPUPD_START

	#
	# First we need to get a temporary file name to use.
	#

	get_temp_file "${RKHTMPDIR}/rkhunter.dat"
	RKHDAT_TMPFILE="${TEMPFILE}"
	touch "${RKHDAT_TMPFILE}"

	display --to LOG --type INFO CREATED_TEMP_FILE "${RKHDAT_TMPFILE}"


	#
	# We now start to write out information about this system
	# to the file. Some information we already have available,
	# but for others we call functions to obtain what is wanted.
	#

	rkh_dat_set_version

	display --to LOG --type PLAIN PROPUPD_OSINFO_START

	rkh_dat_get_os_info

	echo "Host:${HOST_NAME}" >>"${RKHDAT_TMPFILE}"

	if [ -n "${ARCH}" ]; then
		echo "Arch:${ARCH}" >>"${RKHDAT_TMPFILE}"
		display --to LOG --type INFO PROPUPD_ARCH_FOUND "${ARCH}"
	fi

	if [ -n "${RELEASE}" ]; then
		display --to LOG --type INFO PROPUPD_REL_FILE "${RELEASE}"
	else
		RKHTMPVAR=`ls -ld /etc/*release* /etc/*version* 2>/dev/null | tr '\n' ' '`

		if [ -n "${RKHTMPVAR}" ]; then
			display --to LOG --type INFO PROPUPD_NO_REL_FILE
			display --to LOG --type PLAIN NAME "      ${RKHTMPVAR}"
		else
			display --to LOG --type INFO PROPUPD_NO_REL_FILE_NO_OUTPUT
		fi
	fi

	if [ -n "${OSNAME}" ]; then
		echo "OS:${OSNAME}" >>"${RKHDAT_TMPFILE}"
		display --to LOG --type INFO PROPUPD_OSNAME_FOUND "${OSNAME}"
	fi

	if [ $PRELINKED -eq 0 ]; then
		echo "Prelinked:No" >>"${RKHDAT_TMPFILE}"
	else
		echo "Prelinked:Yes" >>"${RKHDAT_TMPFILE}"
	fi

	#
	# We do not want to bother storing the file hashes or other attibutes
	# if the user has disabled these tests permanently. However, to do
	# this we must check whether the relevant test is enabled or not, and
	# that the --enable/--disable command-line options have not been used.
	#

	if ! `check_test hashes` && test $ENDIS_OPT -eq 0; then
		echo "Hash:Disabled" >>"${RKHDAT_TMPFILE}"
	elif [ -n "${PRELINK_HASH}" ]; then
		echo "Hash:${PRELINK_HASH}" >>"${RKHDAT_TMPFILE}"
	else
		echo "Hash:${HASH_FUNC}" >>"${RKHDAT_TMPFILE}"
	fi

	echo "Pkgmgr:${PKGMGR}" >>"${RKHDAT_TMPFILE}"

	if ! `check_test attributes` && test $ENDIS_OPT -eq 0; then
		echo "Attributes:Disabled" >>"${RKHDAT_TMPFILE}"
	elif [ -z "${STAT_CMD}" ]; then
		echo "Attributes:Nostatcmd" >>"${RKHDAT_TMPFILE}"
	else
		echo "Attributes:Stored" >>"${RKHDAT_TMPFILE}"
	fi

	echo "FormatVersion:1" >>"${RKHDAT_TMPFILE}"


	#
	# Before we get the actual file properties we need
	# to write out the current list of pathnames.
	#

	create_rkh_file_prop_list


	#
	# Next get the file properties.
	#

	rkh_dat_set_file_properties


	#
	# We now need to record the hash function and
	# package manager as if they were the old values.
	#

	get_old_prop_attrs "${RKHDAT_TMPFILE}"


	#
	# Now put the new rkhunter.dat file in place.
	#

	cp -f -p "${RKHDAT_FILE}" "${RKHDAT_FILE}.old" >/dev/null 2>&1
	cp -f "${RKHDAT_TMPFILE}" "${RKHDAT_FILE}" >/dev/null 2>&1
	ERRCODE=$?

	if [ $ERRCODE -ne 0 ]; then
		RET_CODE=1
		display --to LOG --type INFO CMD_ERROR "cp ${RKHDAT_TMPFILE} ${RKHDAT_FILE}" $ERRCODE
		display --to SCREEN+LOG --type WARNING PROPUPD_ERROR $ERRCODE
	else
		display --to LOG --type INFO PROPUPD_NEW_DAT_FILE "${DB_PATH}"
	fi

	chmod 600 "${RKHDAT_FILE}" >/dev/null 2>&1

	rm -f "${RKHDAT_TMPFILE}" >/dev/null 2>&1

	return
}


get_next_mirror() {

	#
	# This function will obtain the next mirror in the mirrors file
	# if no mirror is currently being used. It then optionally
	# rotates the mirrors in the file.
	#


	#
	# Return if there is no mirrors file.
	#

	if [ ! -f "${DB_PATH}/mirrors.dat" ]; then
		display --to LOG --type INFO MIRRORS_NO_FILE "${DB_PATH}/mirrors.dat"
		return
	fi


	#
	# Return if there are no defined mirrors.
	#

	case $MIRRORS_MODE in
	0)
		MIRROR=`egrep -i '^(local|remote|mirror)=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}1`
		;;
	1)
		MIRROR=`egrep -i '^local=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}1`
		;;
	2)
		MIRROR=`egrep -i '^remote=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}1`
		;;
	esac

	if [ -z "${MIRROR}" ]; then
		display --to LOG --type INFO MIRRORS_NO_MIRRORS "${DB_PATH}/mirrors.dat"
		return
	fi


	#
	# If we are not rotating the mirrors, then we need to calculate
	# which one to use next in the list. Return when we have done that.
	#

	if [ $ROTATE_MIRRORS -eq 0 ]; then
		N=`expr $TOTAL_MIRRORS - $MIRROR_COUNT`

		case $MIRRORS_MODE in
		0)
			MIRROR=`egrep -i '^(local|remote|mirror)=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}$N | tail ${TAIL_OPT}1 | cut -d= -f2-`
			;;
		1)
			MIRROR=`egrep -i '^local=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}$N | tail ${TAIL_OPT}1 | cut -d= -f2-`
			;;
		2)
			MIRROR=`egrep -i '^remote=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}$N | tail ${TAIL_OPT}1 | cut -d= -f2-`
			;;
		esac

		return
	fi


	#
	# Now get the version number of the mirrors file. If the version
	# does not exist or is corrupt, then we reset it to zero. This
	# then allows the file to be updated next time the '--update'
	# option is used.
	#

	MIRRORSVERSION=`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | tail ${TAIL_OPT}1`

	if [ -z "${MIRRORSVERSION}" ]; then
		display --to LOG --type INFO MIRRORS_NO_VERSION "${DB_PATH}/mirrors.dat"
		MIRRORSVERSION="Version:0000000000"
	fi


	#
	# Next get the remaining mirrors.
	#

	OTHERMIRRORS=`egrep -i '^(local|remote|mirror)=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" | grep -v "^${MIRROR}\$"`


	#
	# We need to get a temporary file name to use.
	#

	get_temp_file "${RKHTMPDIR}/mirrors.dat"
	MIRRORS_FILE="${TEMPFILE}"
	touch "${MIRRORS_FILE}"

	display --to LOG --type INFO CREATED_TEMP_FILE "${MIRRORS_FILE}"


	#
	# Output to the temporary file the mirrors version, the other
	# mirrors, and finally the mirror we are about to use.
	#

	echo "${MIRRORSVERSION}" >"${MIRRORS_FILE}"

	for RKHM in ${OTHERMIRRORS}; do
		echo "${RKHM}" >>"${MIRRORS_FILE}"
	done;

	echo "${MIRROR}" >>"${MIRRORS_FILE}"

	MIRROR=`echo "${MIRROR}" | cut -d= -f2-`


	#
	# Move the new file into place, and delete the temporary file.
	#

	cat "${MIRRORS_FILE}" >"${DB_PATH}/mirrors.dat"

	rm -f "${MIRRORS_FILE}" >/dev/null 2>&1

	display --to LOG --type INFO MIRRORS_ROTATED "${DB_PATH}/mirrors.dat"

	return
}


download_file() {

	#
	# This function downloads a specified file. It takes three parameters:
	#     1=mirror, 2=url, 3=output file
	#
	# The URL is just the filename portion. The user will supply the
	# full URL, less the filename, to where the files are stored on
	# the local or remote server. For the SourceForge mirrors we will
	# provide the URL.
	#
	# The function sets a return code (DNLOADERR).
	#

	#
	# We loop round through the mirrors until the file is downloaded.
	# We do this by first seeing how many mirrors are available. Then
	# we call a function to get the next mirror, which also rotates
	# the mirror file. If a mirror has already been set, then that
	# mirror is used. That way, in effect, once we find a good mirror
	# then it will be used for all the downloads.
	#

	MIRROR=$1
	URL=$2
	OUTPUT_FILE=$3

	DNLOADERR=0
	MIRROR_COUNT=0
	TOTAL_MIRRORS=0

	if [ -n "`echo \"${URL}\" | grep '/rkhunter_latest\.dat$'`" ]; then
		DOING_VERS_CHK=1
	else
		DOING_VERS_CHK=0
	fi

	if [ -f "${DB_PATH}/mirrors.dat" ]; then
		#
		# The version check will use both the
		# SF mirrors and remote mirrors.
		#

		case $MIRRORS_MODE in
		0)
			MIRROR_COUNT=`egrep -i '^(local|remote|mirror)=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" | wc -l | tr -d ' '`
			;;
		1)
			MIRROR_COUNT=`egrep -i '^local=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" | wc -l | tr -d ' '`
			;;
		2)
			MIRROR_COUNT=`egrep -i '^remote=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" | wc -l | tr -d ' '`
			;;
		esac

		test -z "${MIRROR_COUNT}" && MIRROR_COUNT=0
	fi

	test $MIRROR_COUNT -eq 0 && MIRROR_COUNT=1

	TOTAL_MIRRORS=$MIRROR_COUNT


	while test $MIRROR_COUNT -gt 0; do
		MIRROR_COUNT=`expr $MIRROR_COUNT - 1`

		if [ -z "${MIRROR}" ]; then
			get_next_mirror

			if [ -z "${MIRROR}" ]; then
				if [ $MIRRORS_MODE -eq 0 ]; then
					MIRROR="http://rkhunter.sourceforge.net"
					display --to LOG --type INFO MIRRORS_SF_DEFAULT "${MIRROR}"
				else
					DNLOADERR=1
					break
				fi
			fi


			#
			# For the SF mirrors add on the final part of the
			# mirror URL, unless we are doing a version check.
			#

			if [ $DOING_VERS_CHK -eq 0 -a "${MIRROR}" = "http://rkhunter.sourceforge.net" ]; then
				MIRROR="${MIRROR}/${RKH_VER_MAJ}.${RKH_VER_MIN}"
			fi
		fi


		#
		# Now we can download the data into the temporary file.
		#

		# uns - WGET_CMD (cmd, version tested, comments):
		#       wget, *, none.
		#       bget, 1.2, appends output.
		#       curl, 7.15.3: none.
		#       links/elinks, 0.4.2, decompresses output.
		#       lynx, 2.8.5dev.7, decompresses output.

		CMD=""
		DNLOADERR=0

		rm -f "${OUTPUT_FILE}" >/dev/null 2>&1

		case "${RKHWEBCMD_BASE}" in
		wget)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} -q -O \"${OUTPUT_FILE}\" ${MIRROR}${URL} 2>/dev/null"
			;;
		curl)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} --fail --output \"${OUTPUT_FILE}\" ${MIRROR}${URL} 2>/dev/null"
			;;
		bget)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} --out \"${OUTPUT_FILE}\" ${MIRROR}${URL} 2>/dev/null"
			;;
		links|elinks)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} -no-home 1 -source ${MIRROR}${URL} >\"${OUTPUT_FILE}\" 2>/dev/null"
			;;
		lynx)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} -source ${MIRROR}${URL} >\"${OUTPUT_FILE}\" 2>/dev/null"
			;;
		GET)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} ${MIRROR}${URL} >\"${OUTPUT_FILE}\" 2>/dev/null"
			;;
		*)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} ${MIRROR}${URL} >\"${OUTPUT_FILE}\" 2>/dev/null"
			;;
		esac

		display --to LOG --type INFO DOWNLOAD_CMD "${CMD}"

		eval ${CMD}
		DNLOADERR=$?

		test $DNLOADERR -gt 1 && DNLOADERR=1


		#
		# Some of these commands do not set the return code. As such we
		# need to look in the output file to see if an error occurred.
		#

		if [ $DNLOADERR -eq 0 ]; then
			if [ -n "`echo \"${URL}\" | grep '/i18n\.ver$'`" ]; then
				#
				# The i18n.ver file is of a different
				# format from the other files.
				#

				:
			elif [ $DOING_VERS_CHK -eq 1 ]; then
				#
				# The versioncheck file should just be a version number.
				#

				if [ -z "`grep '^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' \"${OUTPUT_FILE}\"`" ]; then
					DNLOADERR=1
				fi
			else
				#
				# All other files should have a normal
				# version number as the first line in them.
				#

				if [ -z "`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' \"${OUTPUT_FILE}\"`" ]; then
					DNLOADERR=1
				fi
			fi
		fi

		test ! -s "${OUTPUT_FILE}" && DNLOADERR=1

		if [ $DNLOADERR -eq 0 ]; then
			break
		elif [ $MIRROR_COUNT -gt 0 ]; then
			MIRROR=""
			display --to LOG --type INFO DOWNLOAD_FAIL $MIRROR_COUNT
		fi
	done

	return $DNLOADERR
}


do_i18n_update() {

	#
	# This function updates the i18n language files.
	#
	# We do not know which i18n files should be checked until we
	# have downloaded the i18n/i18n.ver file. This file will tell
	# us which i18n files are available, and their latest version
	# number. We loop through the files, and check each version
	# number against the installed file.
	#

	download_file "${MIRROR}" "/i18n/${PROGRAM_version}/i18n.ver" "${RKHUPD_FILE}"
	ERRCODE=$?

	if [ $ERRCODE -eq 0 ]; then
		#
		# Check that we have some version numbers. There
		# should always be at least one, for the English
		# language! Once we have the list of files, we can
		# remove the temporary file and re-use it when
		# downloading the language files.
		#

		FOUNDFILES=`grep '^[a-zA-Z][a-zA-Z0-9._-]*:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' "${RKHUPD_FILE}"`

		rm -f "${RKHUPD_FILE}" >/dev/null 2>&1

		if [ -z "${FOUNDFILES}" ]; then
			RET_CODE=1
			UPD_ERROR=1

			display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE 'i18n versions'

			display --to LOG --type WARNING UPDATE_I18N_NO_VERS

			return
		fi


		#
		# Now loop through the language files checking their
		# version numbers.
		#

		for FNAME in ${FOUNDFILES}; do
			LANGFILE=`echo "${FNAME}" | cut -d: -f1`
			LATEST_VERS=`echo "${FNAME}" | cut -d: -f2`

			#
			# Only update the language files the user has asked for.
			#

			if [ -n "${UPDATE_LANG}" ]; then
				if [ -z "`echo \" ${UPDATE_LANG} \" | grep \" ${LANGFILE} \"`" ]; then
					display --to LOG --type INFO UPDATE_SKIPPED
					display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color YELLOW --result SKIPPED UPDATE_CHECKING_FILE "i18n/${LANGFILE}"

					continue
				fi
			fi

			if [ -s "${DB_PATH}/i18n/${LANGFILE}" ]; then
				PROG_VERS=`grep ${GREP_OPT} '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' "${DB_PATH}/i18n/${LANGFILE}" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f2`

				if [ -z "${PROG_VERS}" ]; then
					PROG_VERS=0
					display --to LOG --type INFO UPDATE_FILE_NO_VERS "${DB_PATH}/i18n/${LANGFILE}"
				fi
			else
				PROG_VERS=0

				touch "${DB_PATH}/i18n/${LANGFILE}" >/dev/null 2>&1
				chmod 600 "${DB_PATH}/i18n/${LANGFILE}" >/dev/null 2>&1

				display --to LOG --type INFO UPDATE_FILE_MISSING "${DB_PATH}/i18n/${LANGFILE}"
			fi


			display --to LOG --type INFO VERSIONCHECK_CURRENT "${PROG_VERS}"
			display --to LOG --type INFO VERSIONCHECK_LATEST "${LATEST_VERS}"


			if [ $PROG_VERS -lt $LATEST_VERS ]; then
				download_file "${MIRROR}" "/i18n/${PROGRAM_version}/${LANGFILE}" "${RKHUPD_FILE}"
				ERRCODE=$?

				if [ $ERRCODE -eq 0 ]; then
					test $RET_CODE -eq 0 && RET_CODE=2

					cat "${RKHUPD_FILE}" >"${DB_PATH}/i18n/${LANGFILE}"

					display --to LOG --type INFO VERSIONCHECK_UPDT_AVAIL
					display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result UPD UPDATE_CHECKING_FILE "i18n/${LANGFILE}"
				else
					RET_CODE=1
					UPD_ERROR=1

					display --to LOG --type WARNING UPDATE_DOWNLOAD_FAIL "i18n/${LANGFILE}"
					display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE "i18n/${LANGFILE}"
				fi

				rm -f "${RKHUPD_FILE}" >/dev/null 2>&1
			else
				display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result NO_UPD UPDATE_CHECKING_FILE "i18n/${LANGFILE}"
			fi
		done
	else
		RET_CODE=1
		UPD_ERROR=1

		display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE 'i18n versions'

		display --to LOG --type WARNING UPDATE_DOWNLOAD_FAIL 'i18n.ver'
	fi


	rm -f "${RKHUPD_FILE}" >/dev/null 2>&1

	return
}


do_update() {

	#
	# This function checks to see if any of the supplied RKH
	# *.dat and i18n files needs updating. If it does, then the
	# file is overwritten with the new version.
	#

	display --to SCREEN+LOG --type PLAIN --color YELLOW --nl UPDATE_START


	#
	# First we need to get a temporary file name to use.
	#

	get_temp_file "${RKHTMPDIR}/rkhunter.upd"
	RKHUPD_FILE="${TEMPFILE}"
	touch "${RKHUPD_FILE}"

	display --to LOG --type INFO CREATED_TEMP_FILE "${RKHUPD_FILE}"


	#
	# Now we loop round through the files we need to check. Each file
	# will use the first mirror, and if necessary loop through the
	# remaining mirrors until the file is downloaded. In theory this
	# could take some time if the mirror sites are all experiencing
	# problems and this is affecting all the files.
	#
	# For each file we look at the current version number. If there
	# is a problem doing this, then we just try and download a new
	# copy of the file. If the version number is okay, then we
	# download the file to find the latest version number. If
	# that is successful, we then update the file if necessary.
	#

	UPD_ERROR=0
	MIRROR=""

	for UPDFILE in mirrors.dat programs_bad.dat backdoorports.dat suspscan.dat; do
		if [ $UPDATE_MIRRORS -eq 0 -a "${UPDFILE}" = "mirrors.dat" ]; then
			display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result SKIPPED UPDATE_CHECKING_FILE "${UPDFILE}"
			continue
		fi


		LATEST_VERS=0

		if [ -s "${DB_PATH}/${UPDFILE}" ]; then
			PROG_VERS=`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' "${DB_PATH}/${UPDFILE}" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f2`

			if [ -z "${PROG_VERS}" ]; then
				PROG_VERS=0
				display --to LOG --type INFO UPDATE_FILE_NO_VERS "${UPDFILE}"
			fi
		else
			PROG_VERS=0

			touch "${DB_PATH}/${UPDFILE}" >/dev/null 2>&1
			chmod 600 "${DB_PATH}/${UPDFILE}" >/dev/null 2>&1

			display --to LOG --type INFO UPDATE_FILE_MISSING "${UPDFILE}"
		fi


		#
		# Now download the file.
		#
		# Note: To avoid any backward incompatability we
		# get the files from a specific directory which
		# previous versions do not use.
		#

		download_file "${MIRROR}" "/${UPDFILE}" "${RKHUPD_FILE}"
		ERRCODE=$?


		#
		# Next we compare the current and downloaded
		# file version numbers.
		#

		if [ $ERRCODE -eq 0 ]; then
			LATEST_VERS=`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' "${RKHUPD_FILE}" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f2`

			if [ -z "${LATEST_VERS}" ]; then
				LATEST_VERS=0
			elif [ -z "`echo \"${LATEST_VERS}\" | grep '^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$'`" ]; then
				LATEST_VERS=0
			fi


			display --to LOG --type INFO VERSIONCHECK_CURRENT "${PROG_VERS}"
			display --to LOG --type INFO VERSIONCHECK_LATEST "${LATEST_VERS}"

			if [ $LATEST_VERS -eq 0 ]; then
				RET_CODE=1
				UPD_ERROR=1

				display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result VCHK_FAILED UPDATE_CHECKING_FILE "${UPDFILE}"

				LATEST_VERS=`head ${HEAD_OPT}1 ${RKHUPD_FILE}`

				display --to LOG --type WARNING VERSIONCHECK_CONV_FAIL "${PROG_VERS}" "${LATEST_VERS}"
			elif [ $PROG_VERS -lt $LATEST_VERS ]; then
				test $RET_CODE -eq 0 && RET_CODE=2

				display --to LOG --type INFO VERSIONCHECK_UPDT_AVAIL

				cat "${RKHUPD_FILE}" >"${DB_PATH}/${UPDFILE}"

				display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result UPD UPDATE_CHECKING_FILE "${UPDFILE}"
			else
				display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result NO_UPD UPDATE_CHECKING_FILE "${UPDFILE}"
			fi
		else
			RET_CODE=1
			UPD_ERROR=1

			display --to LOG --type WARNING UPDATE_DOWNLOAD_FAIL "${UPDFILE}"
			display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE "${UPDFILE}"
		fi

		rm -f "${RKHUPD_FILE}" >/dev/null 2>&1
	done


	#
	# We now need to update the i18n files. Since this is a little
	# more complicated, it is handled in a separate function.
	#

	do_i18n_update


	if [ $UPD_ERROR -eq 1 ]; then
		if [ $NOLOG -eq 1 ]; then
			display --to SCREEN --type PLAIN --nl --nl-after CHECK_WARNINGS_FOUND_RERUN
		else
			display --to SCREEN --type PLAIN --nl --nl-after CHECK_WARNINGS_FOUND_CHK_LOG "${RKHLOGFILE}"
		fi
	fi

	return
}


do_versioncheck() {

	#
	# This function performs a program version check.
	#
	# It will set the return code in some instances:
	#       0 - (implied) no error, no new version available
	#	1 - a download (of the version number) error occurred
	#	2 - no error occurred, but a new version is available
	#

	MIRROR=""
	LATESTVERSION=""

	display --to SCREEN+LOG --type PLAIN --color YELLOW --nl VERSIONCHECK_START


	#
	# First we need to get a temporary file name to use.
	#

	get_temp_file "${RKHTMPDIR}/rkhunter.vc"
	RKHVC_FILE="${TEMPFILE}"
	touch "${RKHVC_FILE}"

	display --to LOG --type INFO CREATED_TEMP_FILE "${RKHVC_FILE}"


	#
	# Next we get the current program version number.
	#

	PROG_VERS=`echo "${PROGRAM_version}" | cut -d. -f1-3 | sed -e 's/\.\([0-9]\)\./.0\1./' | sed -e 's/\.\([0-9]\)$/.0\1/' | tr -d '.'`

	test -z "${PROG_VERS}" && PROG_VERS=0

	display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_CURRENT "${PROGRAM_version}"


	#
	# Download the file, and then compare the current value
	# with the downloaded one.
	#

	download_file "${MIRROR}" "/rkhunter_latest.dat" "${RKHVC_FILE}"
	ERRCODE=$?

	if [ $ERRCODE -eq 0 ]; then
		LATESTVERSION=`cat "${RKHVC_FILE}" 2>/dev/null`

		#
		# Convert the version string to zero-spaced numbers.
		# This allows us to numerically compare the versions,
		# even when the numbers go above ten.
		#
		# E.g. '1.2.10' => 10210,   '1.3.2' => 10302.
		#

		LATEST_VERS=`echo "${LATESTVERSION}" | cut -d. -f1-3 | sed -e 's/\.\([0-9]\)\./.0\1./' | sed -e 's/\.\([0-9]\)$/.0\1/' | tr -d '.'`

		test -z "${LATEST_VERS}" && LATEST_VERS=0

		display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_LATEST "${LATESTVERSION}"

		if [ $LATEST_VERS -eq 0 ]; then
			RET_CODE=1
			display --to SCREEN+LOG --type WARNING --screen-indent 2 VERSIONCHECK_CONV_FAIL "${PROGRAM_version}" "${LATESTVERSION}"
		elif [ $PROG_VERS -lt $LATEST_VERS ]; then
			test $RET_CODE -eq 0 && RET_CODE=2
			display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_UPDT_AVAIL
		fi
	else
		RET_CODE=1

		display --to LOG --type WARNING VERSIONCHECK_FAIL_ALL
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_LATEST_FAIL
	fi

	rm -f "${RKHVC_FILE}" >/dev/null 2>&1

	return
}


do_config_file_check() {

	#
	# This function performs a basic configuration file check. Use of
	# the configuration check command-line option will cause the known
	# configured options to be checked as usual. So all we need to do
	# here is look for any configuration options which are unknown.
	#

	#
	# First we define the list of valid configuration options.
	#

	#
	# All the following specified options should be single
	# value options (that is, not any sort of list).
	#

	VALIDOPTS="${SPACE_LIST_OPTS} ${NEWLINE_LIST_OPTS}
		   ALLOW_SSH_PROT_V1 ALLOW_SSH_ROOT_USER ALLOW_SYSLOG_REMOTE_LOGGING APPEND_LOG
		   AUTO_X_DETECT COLOR_SET2 COPY_LOG_ON_ERROR DBDIR EPOCH_DATE_CMD GLOBSTAR
		   HASH_FLD_IDX HASH_FUNC HASH_CMD IMMUTABLE_SET INETD_CONF_PATH INSTALLDIR
		   IPC_SEG_SIZE LANGUAGE LOCKDIR LOCK_TIMEOUT LOGFILE MAIL_CMD MIRRORS_MODE MODULES_DIR
		   OS_VERSION_FILE PASSWORD_FILE PHALANX2_DIRTEST PKGMGR ROOTDIR ROTATE_MIRRORS
		   SCAN_MODE_DEV SCANROOTKITMODE SCRIPTDIR SHOW_LOCK_MSGS SHOW_SUMMARY_TIME SHOW_SUMMARY_WARNINGS_NUMBER
		   SKIP_INODE_CHECK SSH_CONFIG_DIR SUSPSCAN_DEBUG SUSPSCAN_LINETHRESH SUSPSCAN_MAXSIZE SUSPSCAN_TEMP
		   SUSPSCAN_THRESH TMPDIR UPDATE_MIRRORS UPDT_ON_OS_CHANGE USE_SUNSUM USE_LOCKING
		   USE_SYSLOG WARN_ON_OS_CHANGE WEBCMD WEB_CMD WHITELISTED_IS_WHITE
		   XINETD_CONF_PATH"

	VALIDOPTS=" `echo ${VALIDOPTS}` "


	#
	# Now check to see if any unknown options have been configured.
	#

	RKHTMPVAR=`egrep -h -v '^[ 	]*(#|$)' ${CONFIGFILE} ${LOCALCONFIGFILE} ${LOCALCONFDIRFILES}`

	IFS=$IFSNL

	for CONFIGOPT in ${RKHTMPVAR}; do
		CONFIGCMD=`echo ${CONFIGOPT} | cut -d= -f1`

		#
		# We have to handle the *_CMD entries specially because
		# only certain commands are allowed to be replaced by
		# a configuration option.
		#

		if [ -n "`echo ${CONFIGCMD} | grep '_CMD$'`" ]; then
			case "${CONFIGCMD}" in
			EPOCH_DATE_CMD|MAIL_CMD|WEB_CMD|HASH_CMD)
				# We know about these ones.
				;;
			*)
				# Dig out the actual command name used.
				CFG_CMD=`echo ${CONFIGCMD} | sed -e 's/_CMD$//'`

				# Check to see if the command is one we now about.
				if [ -z "`echo \" ${CMDLIST} \" | grep -i \" ${CFG_CMD} \"`" ]; then
					RET_CODE=1
					echo "Unknown configuration file option: ${CONFIGOPT}"
				fi
				;;
			esac

			continue
		fi

		if [ -z "`echo \"${VALIDOPTS}\" | grep \" ${CONFIGCMD} \"`" ]; then
			RET_CODE=1
			echo "Unknown configuration file option: ${CONFIGOPT}"
		fi
	done

	IFS=$RKHIFS

	return
}


do_system_check_initialisation() {

	#
	# This function simply initialises the default rootkit
	# files and directories.
	#


	# 55808 Variant A
	W55808A_FILES="/tmp/.../r
		       /tmp/.../a"
	W55808A_DIRS=
	W55808A_KSYMS=


	# Adore Rootkit. OK, nobody calls it that but basically it uses Adore.
	# In one commercial AV vendors naming scheme it's called Dextenea.
	AKIT_FILES="/usr/secure
		    /usr/doc/sys/qrt
		    /usr/doc/sys/run
		    /usr/doc/sys/crond
		    /usr/sbin/kfd
		    /usr/doc/kern/var
		    /usr/doc/kern/string.o
		    /usr/doc/kern/ava
		    /usr/doc/kern/adore.o
		    /var/log/ssh/old"
	AKIT_DIRS="/lib/security/.config/ssh
		   /usr/doc/kern
		   /usr/doc/backup
		   /usr/doc/backup/txt
		   /lib/backup
		   /lib/backup/txt
		   /usr/doc/work
		   /usr/doc/sys
		   /var/log/ssh
		   /usr/doc/.spool
		   /usr/lib/kterm"
	AKIT_KSYMS=


	# AjaKit Rootkit
	AJAKIT_FILES="/dev/tux/.addr
		      /dev/tux/.proc
		      /dev/tux/.file
		      /lib/.libgh-gh/cleaner
		      /lib/.libgh-gh/Patch/patch
		      /lib/.libgh-gh/sb0k"
	AJAKIT_DIRS="/dev/tux
		     /lib/.libgh-gh"
	AJAKIT_KSYMS=


	# aPa Kit Rootkit
	APAKIT_FILES="/usr/share/.aPa"
	APAKIT_DIRS=
	APAKIT_KSYMS=


	# Apache Worm
	APACHEWORM_FILES="/bin/.log"
	APACHEWORM_DIRS=
	APACHEWORM_KSYMS=


	# Ambient (ark) Rootkit
	ARK_FILES="/usr/lib/.ark?
		   /dev/ptyxx/.log
		   /dev/ptyxx/.file
		   /dev/ptyxx/.proc
		   /dev/ptyxx/.addr"
	ARK_DIRS="/dev/ptyxx"
	ARK_KSYMS=


	# Balaur Rootkit 2.0 (LRK5 based)
	BALAUR_FILES="/usr/lib/liblog.o"
	BALAUR_DIRS="/usr/lib/.kinetic
		     /usr/lib/.egcs
		     /usr/lib/.wormie"
	BALAUR_KSYMS=


	# Beastkit Rootkit
	BEASTKIT_FILES="/usr/sbin/arobia
			/usr/sbin/idrun
			/usr/lib/elm/arobia/elm
			/usr/lib/elm/arobia/elm/hk
			/usr/lib/elm/arobia/elm/hk.pub
			/usr/lib/elm/arobia/elm/sc
			/usr/lib/elm/arobia/elm/sd.pp
			/usr/lib/elm/arobia/elm/sdco
			/usr/lib/elm/arobia/elm/srsd"
	BEASTKIT_DIRS="/lib/ldd.so/bktools"
	BEASTKIT_KSYMS=


	# beX2 Rootkit
	BEX_FILES="/usr/info/termcap.info-5.gz
		   /usr/bin/sshd2"
	BEX_DIRS="/usr/include/bex"
	BEX_KSYMS=


	# BOBkit Rootkit
	BOBKIT_FILES="/usr/sbin/ntpsx
		      /usr/sbin/.../bkit-ava
		      /usr/sbin/.../bkit-d
		      /usr/sbin/.../bkit-shd
		      /usr/sbin/.../bkit-f
		      /usr/include/.../proc.h
		      /usr/include/.../.bash_history
		      /usr/include/.../bkit-get
		      /usr/include/.../bkit-dl
		      /usr/include/.../bkit-screen
		      /usr/include/.../bkit-sleep
		      /usr/lib/.../bkit-adore.o
		      /usr/lib/.../ls
		      /usr/lib/.../netstat
		      /usr/lib/.../lsof
		      /usr/lib/.../bkit-ssh/bkit-shdcfg
		      /usr/lib/.../bkit-ssh/bkit-shhk
		      /usr/lib/.../bkit-ssh/bkit-pw
		      /usr/lib/.../bkit-ssh/bkit-shrs
		      /usr/lib/.../bkit-ssh/bkit-mots
		      /usr/lib/.../uconf.inv
		      /usr/lib/.../psr
		      /usr/lib/.../find
		      /usr/lib/.../pstree
		      /usr/lib/.../slocate
		      /usr/lib/.../du
		      /usr/lib/.../top"
	BOBKIT_DIRS="/usr/sbin/...
		     /usr/include/...
		     /usr/include/.../.tmp
		     /usr/lib/...
		     /usr/lib/.../.ssh
		     /usr/lib/.../bkit-ssh
		     /usr/lib/.bkit-
		     /tmp/.bkp"
	BOBKIT_KSYMS=


	# OSX Boonana-A Trojan (aka Koobface.A)
	BOONANA_FILES="/Library/StartupItems/OSXDriverUpdates/OSXDriverUpdates
		       /Library/StartupItems/OSXDriverUpdates/StartupParameters.plist"
	BOONANA_DIRS="/var/root/.jnana"
	BOONANA_KSYMS=


	# cb Rootkit (w00tkit by ZeeN) 
	# The '%' character represents a space.
	# xC.o = Adore LKM
	CB_FILES="/dev/srd0
		  /lib/libproc.so.2.0.6
		  /dev/mounnt
		  /etc/rc.d/init.d/init
		  /usr/bin/.zeen/..%/cl
		  /usr/bin/.zeen/..%/.x.tgz
		  /usr/bin/.zeen/..%/statdx
		  /usr/bin/.zeen/..%/wted
		  /usr/bin/.zeen/..%/write
		  /usr/bin/.zeen/..%/scan
		  /usr/bin/.zeen/..%/sc
		  /usr/bin/.zeen/..%/sl2
		  /usr/bin/.zeen/..%/wroot
		  /usr/bin/.zeen/..%/wscan
		  /usr/bin/.zeen/..%/wu
		  /usr/bin/.zeen/..%/v
		  /usr/bin/.zeen/..%/read
		  /usr/lib/sshrc
		  /usr/lib/ssh_host_key
		  /usr/lib/ssh_host_key.pub
		  /usr/lib/ssh_random_seed
		  /usr/lib/sshd_config
		  /usr/lib/shosts.equiv
		  /usr/lib/ssh_known_hosts
		  /u/zappa/.ssh/pid
		  /usr/bin/.system/..%/tcp.log
		  /usr/bin/.zeen/..%/curatare/attrib
		  /usr/bin/.zeen/..%/curatare/chattr
		  /usr/bin/.zeen/..%/curatare/ps
		  /usr/bin/.zeen/..%/curatare/pstree
		  /usr/bin/.system/..%/.x/xC.o"
	CB_DIRS="/usr/bin/.zeen
		 /usr/bin/.zeen/..%/curatare
		 /usr/bin/.zeen/..%/scan
		 /usr/bin/.system/..%"
	CB_KSYMS=


	# CiNIK Worm (Slapper.B variant)
	CINIK_FILES="/tmp/.cinik"
	CINIK_DIRS="/tmp/.font-unix/.cinik"
	CINIK_KSYMS=


	# CX Rootkit
	CXKIT_FILES="/usr/lib/ldlibso
		     /usr/lib/configlibso
		     /usr/lib/shklibso
		     /usr/lib/randomlibso
		     /usr/lib/ldlibstrings.so
		     /usr/lib/ldlibdu.so
		     /usr/lib/ldlibns.so
		     /usr/include/db"
	CXKIT_DIRS="/usr/include/cxk"
	CXKIT_KSYMS=


	# Danny-Boy's Abuse Kit
	DANNYBOYS_FILES="/dev/mdev
			 /usr/lib/libX.a"
	DANNYBOYS_DIRS=
	DANNYBOYS_KSYMS=


	# Devil Rootkit
	DEVIL_FILES="/var/lib/games/.src
		     /dev/dsx
		     /dev/caca
		     /dev/pro
		     /bin/bye
		     /bin/homedir
		     /usr/bin/xfss
		     /usr/sbin/tzava
		     /usr/doc/tar/.../.dracusor/stuff/holber
		     /usr/doc/tar/.../.dracusor/stuff/sense
		     /usr/doc/tar/.../.dracusor/stuff/clear
		     /usr/doc/tar/.../.dracusor/stuff/tzava
		     /usr/doc/tar/.../.dracusor/stuff/citeste
		     /usr/doc/tar/.../.dracusor/stuff/killrk
		     /usr/doc/tar/.../.dracusor/stuff/searchlog
		     /usr/doc/tar/.../.dracusor/stuff/gaoaza
		     /usr/doc/tar/.../.dracusor/stuff/cleaner
		     /usr/doc/tar/.../.dracusor/stuff/shk
		     /usr/doc/tar/.../.dracusor/stuff/srs
		     /usr/doc/tar/.../.dracusor/utile.tgz
		     /usr/doc/tar/.../.dracusor/webpage
		     /usr/doc/tar/.../.dracusor/getpsy
		     /usr/doc/tar/.../.dracusor/getbnc
		     /usr/doc/tar/.../.dracusor/getemech
		     /usr/doc/tar/.../.dracusor/localroot.sh
		     /usr/doc/tar/.../.dracusor/stuff/old/sense"
	DEVIL_DIRS="/usr/doc/tar/.../.dracusor"
	DEVIL_KSYMS=


	# Diamorphine LKM
	DIAMORPHINE_FILES=
	DIAMORPHINE_DIRS=
	DIAMORPHINE_KSYMS="diamorphine
			   module_hide
			   module_hidden
			   is_invisible
			   hacked_getdents
			   hacked_kill"


	# Dica-Kit (T0rn variant) Rootkit
	DICA_FILES="/lib/.sso
		    /lib/.so
		    /var/run/...dica/clean
		    /var/run/...dica/dxr
		    /var/run/...dica/read
		    /var/run/...dica/write
		    /var/run/...dica/lf
		    /var/run/...dica/xl
		    /var/run/...dica/xdr
		    /var/run/...dica/psg
		    /var/run/...dica/secure
		    /var/run/...dica/rdx
		    /var/run/...dica/va
		    /var/run/...dica/cl.sh
		    /var/run/...dica/last.log
		    /usr/bin/.etc
		    /etc/sshd_config
		    /etc/ssh_host_key
		    /etc/ssh_random_seed"
	DICA_DIRS="/var/run/...dica
		   /var/run/...dica/mh
		   /var/run/...dica/scan"
	DICA_KSYMS=


	# Dreams Rootkit
	DREAMS_FILES="/dev/ttyoa
		      /dev/ttyof
		      /dev/ttyop
		      /usr/bin/sense
		      /usr/bin/sl2
		      /usr/bin/logclear
		      /usr/bin/(swapd)
		      /usr/bin/initrd
		      /usr/bin/crontabs
		      /usr/bin/snfs
		      /usr/lib/libsss
		      /usr/lib/libsnf.log
		      /usr/lib/libshtift/top
		      /usr/lib/libshtift/ps
		      /usr/lib/libshtift/netstat
		      /usr/lib/libshtift/ls
		      /usr/lib/libshtift/ifconfig
		      /usr/include/linseed.h
		      /usr/include/linpid.h
		      /usr/include/linkey.h
		      /usr/include/linconf.h
		      /usr/include/iceseed.h
		      /usr/include/icepid.h
		      /usr/include/icekey.h
		      /usr/include/iceconf.h" 
	DREAMS_DIRS="/dev/ida/.hpd
		     /usr/lib/libshtift"
	DREAMS_KSYMS=


	# Duarawkz Rootkit
	DUARAWKZ_FILES="/usr/bin/duarawkz/loginpass"
	DUARAWKZ_DIRS="/usr/bin/duarawkz"
	DUARAWKZ_KSYMS=


	# Ebury sshd backdoor
	EBURY_FILES="/lib/libns2.so
		     /lib64/libns2.so
		     /lib/libns5.so
		     /lib64/libns5.so
		     /lib/libpw3.so
		     /lib64/libpw3.so
		     /lib/libpw5.so
		     /lib64/libpw5.so
		     /lib/libsbr.so
		     /lib64/libsbr.so
		     /lib/libslr.so
		     /lib64/libslr.so"
	EBURY_DIRS=
	EBURY_KSYMS=


	# ENYE LKM v1.1, v1.2
	# Installer default.
	ENYELKM_FILES="/etc/.enyelkmHIDE^IT.ko
		       /etc/.enyelkmOCULTAR.ko"
	ENYELKM_DIRS=
	ENYELKM_KSYMS=


	# Flea Linux Rootkit
	FLEA_FILES="/etc/ld.so.hash
		    /lib/security/.config/ssh/sshd_config
		    /lib/security/.config/ssh/ssh_host_key
		    /lib/security/.config/ssh/ssh_host_key.pub
		    /lib/security/.config/ssh/ssh_random_seed
		    /usr/bin/ssh2d
		    /usr/lib/ldlibns.so
		    /usr/lib/ldlibps.so
		    /usr/lib/ldlibpst.so
		    /usr/lib/ldlibdu.so
		    /usr/lib/ldlibct.so"
	FLEA_DIRS="/lib/security/.config/ssh
		   /dev/..0
		   /dev/..0/backup"
	FLEA_KSYMS=


	# FreeBSD Rootkit (FBRK) catering to versions and compile-time defaults used by: 
	# 1.0 (1997, Method), 1.2 (1997, Method), "ImperialS-FBRK 1.0" (2001, Nyo)
	FREEBSD_RK_FILES="/dev/ptyp
			  /dev/ptyq
			  /dev/ptyr
			  /dev/ptys
			  /dev/ptyt
			  /dev/fd/.88/freshb-bsd
			  /dev/fd/.88/fresht
			  /dev/fd/.88/zxsniff
			  /dev/fd/.88/zxsniff.log
			  /dev/fd/.99/.ttyf00
			  /dev/fd/.99/.ttyp00
			  /dev/fd/.99/.ttyq00
			  /dev/fd/.99/.ttys00
			  /dev/fd/.99/.pwsx00
			  /etc/.acid
			  /usr/lib/.fx/sched_host.2
			  /usr/lib/.fx/random_d.2
			  /usr/lib/.fx/set_pid.2
			  /usr/lib/.fx/setrgrp.2
			  /usr/lib/.fx/TOHIDE
			  /usr/lib/.fx/cons.saver
			  /usr/lib/.fx/adore/ava/ava
			  /usr/lib/.fx/adore/adore/adore.ko
			  /bin/sysback
			  /usr/local/bin/sysback"
	FREEBSD_RK_DIRS="/dev/fd/.88
			 /dev/fd/.99
			 /usr/lib/.fx
			 /usr/lib/.fx/adore"
	FREEBSD_RK_KSYMS=


	# Fu Rootkit
	FU_FILES="/sbin/xc
		  /usr/include/ivtype.h
		  /bin/.lib"
	FU_DIRS=
	FU_KSYMS=


	# Fuckit Rootkit
	FUCKIT_FILES="/lib/libproc.so.2.0.7
		      /dev/proc/.bash_profile
		      /dev/proc/.bashrc
		      /dev/proc/.cshrc
		      /dev/proc/fuckit/hax0r
		      /dev/proc/fuckit/hax0rshell
		      /dev/proc/fuckit/config/lports
		      /dev/proc/fuckit/config/rports
		      /dev/proc/fuckit/config/rkconf
		      /dev/proc/fuckit/config/password
		      /dev/proc/fuckit/config/progs
		      /dev/proc/fuckit/system-bins/init
		      /usr/lib/libcps.a
		      /usr/lib/libtty.a"
	FUCKIT_DIRS="/dev/proc
		     /dev/proc/fuckit
		     /dev/proc/fuckit/system-bins
		     /dev/proc/toolz"
	FUCKIT_KSYMS=


	# GasKit Rootkit
	GASKIT_FILES="/dev/dev/gaskit/sshd/sshdd"
	GASKIT_DIRS="/dev/dev
		     /dev/dev/gaskit
		     /dev/dev/gaskit/sshd"
	GASKIT_KSYMS=


	# Heroin LKM
	HEROIN_FILES=
	HEROIN_DIRS=
	HEROIN_KSYMS="heroin"


	# HjC Kit Rootkit
	HJCKIT_FILES=
	HJCKIT_DIRS="/dev/.hijackerz"
	HJCKIT_KSYMS=


	# ignoKit Rootkit
	IGNOKIT_FILES="/lib/defs/p
		       /lib/defs/q
		       /lib/defs/r
		       /lib/defs/s
		       /lib/defs/t
		       /usr/lib/defs/p
		       /usr/lib/defs/q
		       /usr/lib/defs/r
		       /usr/lib/defs/s
		       /usr/lib/defs/t
		       /usr/lib/.libigno/pkunsec
		       /usr/lib/.libigno/.igno/psybnc/psybnc"
	IGNOKIT_DIRS="/usr/lib/.libigno
		      /usr/lib/.libigno/.igno"
	IGNOKIT_KSYMS=


	# iLLogiC Rootkit (SunOS Rootkit variant)
	ILLOGIC_FILES="/dev/kmod
		       /dev/dos
		       /usr/lib/crth.o
		       /usr/lib/crtz.o
		       /etc/ld.so.hash
		       /usr/bin/sia
		       /usr/bin/ssh2d
		       /lib/security/.config/sn
		       /lib/security/.config/iver
		       /lib/security/.config/uconf.inv
		       /lib/security/.config/ssh/ssh_host_key
		       /lib/security/.config/ssh/ssh_host_key.pub
		       /lib/security/.config/ssh/sshport
		       /lib/security/.config/ssh/ssh_random_seed
		       /lib/security/.config/ava
		       /lib/security/.config/cleaner
		       /lib/security/.config/lpsched
		       /lib/security/.config/sz
		       /lib/security/.config/rcp
		       /lib/security/.config/patcher
		       /lib/security/.config/pg
		       /lib/security/.config/crypt
		       /lib/security/.config/utime
		       /lib/security/.config/wget
		       /lib/security/.config/instmod
		       /lib/security/.config/bin/find
		       /lib/security/.config/bin/du
		       /lib/security/.config/bin/ls
		       /lib/security/.config/bin/psr
		       /lib/security/.config/bin/netstat
		       /lib/security/.config/bin/su
		       /lib/security/.config/bin/ping
		       /lib/security/.config/bin/passwd"
	ILLOGIC_DIRS="/lib/security/.config
		      /lib/security/.config/ssh
		      /lib/security/.config/bin
		      /lib/security/.config/backup
		      /root/%%%/.dir
		      /root/%%%/.dir/mass-scan
		      /root/%%%/.dir/flood"
	ILLOGIC_KSYMS=


	# OSX Inqtana (Variant A)
	INQTANAA_FILES="/Users/w0rm-support.tgz
			/Users/InqTest.class
			/Users/com.openbundle.plist
			/Users/com.pwned.plist
			/Users/libavetanaBT.jnilib"
	INQTANAA_DIRS="/Users/de
		       /Users/javax"
	INQTANAA_KSYMS=


	# OSX Inqtana (Variant B)
	INQTANAB_FILES="/Users/w0rms.love.apples.tgz
			/Users/InqTest.class
			/Users/InqTest.java
			/Users/libavetanaBT.jnilib
			/Users/InqTanaHandler
			/Users/InqTanaHandler.bundle"
	INQTANAB_DIRS="/Users/de
		       /Users/javax"
	INQTANAB_KSYMS=


	# OSX Inqtana (Variant C)
	INQTANAC_FILES="/Users/applec0re.tgz
			/Users/InqTest.class
			/Users/InqTest.java
			/Users/libavetanaBT.jnilib
			/Users/environment.plist
			/Users/pwned.c
			/Users/pwned.dylib"
	INQTANAC_DIRS="/Users/de
		       /Users/javax"
	INQTANAC_KSYMS=


	# IntoXonia-NG Rootkit
	INTOXONIA_FILES=
	INTOXONIA_DIRS=
	INTOXONIA_KSYMS="funces
			ixinit
			tricks
			kernel_unlink
			rootme
			hide_module
			find_sys_call_tbl"


	# Irix Rootkit (for Irix 6.x)
	IRIXRK_FILES=
	IRIXRK_DIRS="/dev/pts/01
		     /dev/pts/01/backup
		     /dev/pts/01/etc
		     /dev/pts/01/tmp"
	IRIXRK_KSYMS=


	# Jynx Rootkit 
	JYNX_FILES="/xochikit/bc
		    /xochikit/ld_poison.so
		    /omgxochi/bc
		    /omgxochi/ld_poison.so
		    /var/local/^^/bc
		    /var/local/^^/ld_poison.so"
	JYNX_DIRS="/xochikit
		   /omgxochi
		   /var/local/^^"
	JYNX_KSYMS=


	# Jynx2 Rootkit 
	JYNX2_FILES="/XxJynx/reality.so"
	JYNX2_DIRS="/XxJynx"
	JYNX2_KSYMS=


	# KBeast (Kernel Beast) Rootkit
	KBEAST_FILES="/usr/_h4x_/ipsecs-kbeast-v1.ko
		      /usr/_h4x_/_h4x_bd
		      /usr/_h4x_/acctlog"
	KBEAST_DIRS="/usr/_h4x_"
	KBEAST_KSYMS="h4x_delete_module
		     h4x_getdents64
		     h4x_kill
		     h4x_open
		     h4x_read
		     h4x_rename
		     h4x_rmdir
		     h4x_tcp4_seq_show
		     h4x_write"


	# OSX Keydnap backdoor
	# The '%' character represents a space.
	KEYDNAP_FILES="/Applications/Transmission.app/Contents/Resources/License.rtf
		       /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
		       /Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
		       /Library/LaunchAgents/com.geticloud.icloud.photo.plist"
	KEYDNAP_DIRS="/Library/Application%Support/com.apple.iCloud.sync.daemon/"
	KEYDNAP_KSYMS=


	# Kitko Rootkit
	KITKO_FILES=
	KITKO_DIRS="/usr/src/redhat/SRPMS/..."
	KITKO_KSYMS=


	# Knark Rootkit
	KNARK_FILES="/proc/knark/pids"
	KNARK_DIRS="/proc/knark"
	KNARK_KSYMS=


	# OSX Komplex Trojan
	KOMPLEX_FILES="/Users/Shared/.local/kextd
		       /Users/Shared/com.apple.updates.plist
		       /Users/Shared/start.sh"
	KOMPLEX_DIRS=
	KOMPLEX_KSYMS=


	# ld-linuxv.so (LD_PRELOAD shared library rootkit)
	LINUXV_FILES="/lib/ld-linuxv.so.1"
	LINUXV_DIRS="/var/opt/_so_cache
		     /var/opt/_so_cache/ld
		     /var/opt/_so_cache/lc"
	LINUXV_KSYMS=


	# Lion Worm
	LION_FILES="/bin/in.telnetd
		    /bin/mjy
		    /usr/man/man1/man1/lib/.lib/mjy
		    /usr/man/man1/man1/lib/.lib/in.telnetd
		    /usr/man/man1/man1/lib/.lib/.x
		    /dev/.lib/lib/scan/1i0n.sh
		    /dev/.lib/lib/scan/hack.sh
		    /dev/.lib/lib/scan/bind
		    /dev/.lib/lib/scan/randb
		    /dev/.lib/lib/scan/scan.sh
		    /dev/.lib/lib/scan/pscan
		    /dev/.lib/lib/scan/star.sh
		    /dev/.lib/lib/scan/bindx.sh
		    /dev/.lib/lib/scan/bindname.log
		    /dev/.lib/lib/1i0n.sh
		    /dev/.lib/lib/lib/netstat
		    /dev/.lib/lib/lib/dev/.1addr
		    /dev/.lib/lib/lib/dev/.1logz
		    /dev/.lib/lib/lib/dev/.1proc
		    /dev/.lib/lib/lib/dev/.1file"
	LION_DIRS=
	LION_KSYMS=


	# Lockit Rootkit (aka LJK2)
	LOCKIT_FILES="/usr/lib/libmen.oo/.LJK2/ssh_config
		      /usr/lib/libmen.oo/.LJK2/ssh_host_key
		      /usr/lib/libmen.oo/.LJK2/ssh_host_key.pub
		      /usr/lib/libmen.oo/.LJK2/ssh_random_seed*
		      /usr/lib/libmen.oo/.LJK2/sshd_config
		      /usr/lib/libmen.oo/.LJK2/backdoor/RK1bd
		      /usr/lib/libmen.oo/.LJK2/backup/du
		      /usr/lib/libmen.oo/.LJK2/backup/ifconfig
		      /usr/lib/libmen.oo/.LJK2/backup/inetd.conf
		      /usr/lib/libmen.oo/.LJK2/backup/locate
		      /usr/lib/libmen.oo/.LJK2/backup/login
		      /usr/lib/libmen.oo/.LJK2/backup/ls
		      /usr/lib/libmen.oo/.LJK2/backup/netstat
		      /usr/lib/libmen.oo/.LJK2/backup/ps
		      /usr/lib/libmen.oo/.LJK2/backup/pstree
		      /usr/lib/libmen.oo/.LJK2/backup/rc.sysinit
		      /usr/lib/libmen.oo/.LJK2/backup/syslogd
		      /usr/lib/libmen.oo/.LJK2/backup/tcpd
		      /usr/lib/libmen.oo/.LJK2/backup/top
		      /usr/lib/libmen.oo/.LJK2/clean/RK1sauber
		      /usr/lib/libmen.oo/.LJK2/clean/RK1wted
		      /usr/lib/libmen.oo/.LJK2/hack/RK1parse
		      /usr/lib/libmen.oo/.LJK2/hack/RK1sniff
		      /usr/lib/libmen.oo/.LJK2/hide/.RK1addr
		      /usr/lib/libmen.oo/.LJK2/hide/.RK1dir
		      /usr/lib/libmen.oo/.LJK2/hide/.RK1log
		      /usr/lib/libmen.oo/.LJK2/hide/.RK1proc
		      /usr/lib/libmen.oo/.LJK2/hide/RK1phidemod.c
		      /usr/lib/libmen.oo/.LJK2/modules/README.modules
		      /usr/lib/libmen.oo/.LJK2/modules/RK1hidem.c
		      /usr/lib/libmen.oo/.LJK2/modules/RK1phide
		      /usr/lib/libmen.oo/.LJK2/sshconfig/RK1ssh"
	LOCKIT_DIRS="/usr/lib/libmen.oo/.LJK2"
	LOCKIT_KSYMS=


	# Mokes backdoor
	MOKES_FILES="/tmp/ss0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].sst
		     /tmp/aa0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].aat
		     /tmp/kk0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].kkt
		     /tmp/dd0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].ddt"
	MOKES_DIRS=
	MOKES_KSYMS=


	# MRK (MiCrobul?) RootKit (based on Devil RootKit, also see Xzibit)
	MRK_FILES="/dev/ida/.inet/pid
		   /dev/ida/.inet/ssh_host_key
		   /dev/ida/.inet/ssh_random_seed
		   /dev/ida/.inet/tcp.log"
	MRK_DIRS="/dev/ida/.inet
		  /var/spool/cron/.sh"
	MRK_KSYMS=


	# Mood-NT Rootkit
	# Binary is by default called "mood-nt" but can be anywhere.
	# Here we look for collaterals, from include/prefs.h defaults
	# until sig-based dirscan() is added.
	MOODNT_FILES="/sbin/init__mood-nt-_-_cthulhu
		      /_cthulhu/mood-nt.init
		      /_cthulhu/mood-nt.conf
		      /_cthulhu/mood-nt.sniff"
	MOODNT_DIRS="/_cthulhu"
	MOODNT_KSYMS=


	# Ni0 Rootkit
	NIO_FILES="/var/lock/subsys/...datafile.../...net...
		   /var/lock/subsys/...datafile.../...port...
		   /var/lock/subsys/...datafile.../...ps...
		   /var/lock/subsys/...datafile.../...file..."
	NIO_DIRS="/tmp/waza
		  /var/lock/subsys/...datafile...
		  /usr/sbin/es"
	NIO_KSYMS=


	# Ohhara Rootkit
	OHHARA_FILES="/var/lock/subsys/...datafile.../...datafile.../in.smbd.log"
	OHHARA_DIRS="/var/lock/subsys/...datafile...
		     /var/lock/subsys/...datafile.../...datafile...
		     /var/lock/subsys/...datafile.../...datafile.../bin
		     /var/lock/subsys/...datafile.../...datafile.../usr/bin
		     /var/lock/subsys/...datafile.../...datafile.../usr/sbin
		     /var/lock/subsys/...datafile.../...datafile.../lib/security"
	OHHARA_KSYMS=


	# Optic Kit (Tux variant) Rootkit
	OPTICKIT_FILES=
	OPTICKIT_DIRS="/dev/tux
		       /usr/bin/xchk
		       /usr/bin/xsf
		       /usr/bin/ssh2d"
	OPTICKIT_KSYMS=


	# OSX Rootkit 0.2.1 (OSXRK)
	OSXRK_FILES="/dev/.rk/nc
		     /dev/.rk/diepu
		     /dev/.rk/backd
		     /Library/StartupItems/opener
		     /Library/StartupItems/opener.sh
		     /System/Library/StartupItems/opener
		     /System/Library/StartupItems/opener.sh"
	OSXRK_DIRS="/dev/.rk
		    /Users/LDAP-daemon
		    /tmp/.work"
	OSXRK_KSYMS=


	# Oz Rootkit
	OZ_FILES="/dev/.oz/.nap/rkit/terror"
	OZ_DIRS="/dev/.oz"
	OZ_KSYMS=


	# Phalanx Rootkit
	PHALANX_FILES="/uNFuNF
		       /etc/host.ph1
		       /bin/host.ph1
		       /usr/share/.home.ph1/phalanx
		       /usr/share/.home.ph1/cb
		       /usr/share/.home.ph1/kebab"
	PHALANX_DIRS="/usr/share/.home.ph1
		      /usr/share/.home.ph1/tty"
	PHALANX_KSYMS=


	# Phalanx2 Rootkit
	PHALANX2_FILES="/etc/khubd.p2/.p2rc
		        /etc/khubd.p2/.phalanx2
		        /etc/khubd.p2/.sniff
		        /etc/khubd.p2/sshgrab.py
		        /etc/lolzz.p2/.p2rc
		        /etc/lolzz.p2/.phalanx2
		        /etc/lolzz.p2/.sniff
		        /etc/lolzz.p2/sshgrab.py
			/etc/cron.d/zupzzplaceholder
			/usr/lib/zupzz.p2/.p-2.3d
			/usr/lib/zupzz.p2/.p2rc"
	PHALANX2_DIRS="/etc/khubd.p2
		       /etc/lolzz.p2
		       /usr/lib/zupzz.p2"
	PHALANX2_KSYMS=


	# Portacelo Rootkit
	PORTACELO_FILES="/var/lib/.../.ak
			 /var/lib/.../.hk
			 /var/lib/.../.rs
			 /var/lib/.../.p
			 /var/lib/.../getty
			 /var/lib/.../lkt.o
			 /var/lib/.../show
			 /var/lib/.../nlkt.o
			 /var/lib/.../ssshrc
			 /var/lib/.../sssh_equiv
			 /var/lib/.../sssh_known_hosts
			 /var/lib/.../sssh_pid ~/.sssh/known_hosts"
	PORTACELO_DIRS=
	PORTACELO_KSYMS=


	# OSX Proton backdoor
	PROTON_FILES="/Library/LaunchAgents/com.apple.xpcd.plist
		      /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
		      /Library/.rand/updateragent.app
		      /tmp/Updater.app"
	PROTON_DIRS="/Library/.rand
		     /Library/.cachedir
		     /Library/.random"
	PROTON_KSYMS=


	# R3dstorm Toolkit
	REDSTORM_FILES="/var/log/tk02/see_all
			/var/log/tk02/.scris
			/bin/.../sshd/sbin/sshd1
			/bin/.../hate/sk
			/bin/.../see_all"
	REDSTORM_DIRS="/var/log/tk02
		       /var/log/tk02/old
		       /bin/..."
	REDSTORM_KSYMS=


	# RH-Sharpe's Rootkit
	RHSHARPES_FILES="/bin/lps
			 /usr/bin/lpstree
			 /usr/bin/ltop
			 /usr/bin/lkillall
			 /usr/bin/ldu
			 /usr/bin/lnetstat
			 /usr/bin/wp
			 /usr/bin/shad
			 /usr/bin/vadim
			 /usr/bin/slice
			 /usr/bin/cleaner
			 /usr/include/rpcsvc/du"
	RHSHARPES_DIRS=
	RHSHARPES_KSYMS=


	# RSHA's Rootkit
	RSHA_FILES="/bin/kr4p
		    /usr/bin/n3tstat
		    /usr/bin/chsh2
		    /usr/bin/slice2
		    /usr/src/linux/arch/alpha/lib/.lib/.1proc
		    /etc/rc.d/arch/alpha/lib/.lib/.1addr"
	RSHA_DIRS="/etc/rc.d/rsha
		   /etc/rc.d/arch/alpha/lib/.lib"
	RSHA_KSYMS=


	# Shutdown Rootkit
	# The '%' character represents a space.
	SHUTDOWN_FILES="/usr/man/man5/..%/.dir/scannah/asus
			/usr/man/man5/..%/.dir/see
			/usr/man/man5/..%/.dir/nscd
			/usr/man/man5/..%/.dir/alpd
			/etc/rc.d/rc.local%"
	SHUTDOWN_DIRS="/usr/man/man5/..%/.dir
		       /usr/man/man5/..%/.dir/scannah
		       /etc/rc.d/rc0.d/..%/.dir"
	SHUTDOWN_KSYMS=


	# Scalper (FreeBSD.Scalper.Worm) Worm
	SCALPER_FILES="/tmp/.a
		       /tmp/.uua"
	SCALPER_DIRS=
	SCALPER_KSYMS=


	# SHV4 Rootkit
	SHV4_FILES="/etc/ld.so.hash
		    /lib/libext-2.so.7
		    /lib/lidps1.so
		    /lib/libproc.a
		    /lib/libproc.so.2.0.6
		    /lib/ldd.so/tks
		    /lib/ldd.so/tkp
		    /lib/ldd.so/tksb
		    /lib/security/.config/sshd
		    /lib/security/.config/ssh/ssh_host_key
		    /lib/security/.config/ssh/ssh_host_key.pub
		    /lib/security/.config/ssh/ssh_random_seed
		    /usr/include/file.h
		    /usr/include/hosts.h
		    /usr/include/lidps1.so
		    /usr/include/log.h
		    /usr/include/proc.h
		    /usr/sbin/xntps
		    /dev/srd0"
	SHV4_DIRS="/lib/ldd.so
		   /lib/security/.config
		   /lib/security/.config/ssh"
	SHV4_KSYMS=


	# SHV5 Rootkit
	SHV5_FILES="/etc/sh.conf
		    /lib/libproc.a
		    /lib/libproc.so.2.0.6
		    /lib/lidps1.so
		    /lib/libsh.so/bash
		    /usr/include/file.h
		    /usr/include/hosts.h
		    /usr/include/log.h
		    /usr/include/proc.h
		    /lib/libsh.so/shdcf2
		    /lib/libsh.so/shhk
		    /lib/libsh.so/shhk.pub
		    /lib/libsh.so/shrs
		    /usr/lib/libsh/.bashrc
		    /usr/lib/libsh/shsb
		    /usr/lib/libsh/hide
		    /usr/lib/libsh/.sniff/shsniff
		    /usr/lib/libsh/.sniff/shp
		    /dev/srd0"
	SHV5_DIRS="/lib/libsh.so
		   /usr/lib/libsh
		   /usr/lib/libsh/utilz
		   /usr/lib/libsh/.backup"
	SHV5_KSYMS=


	# Sin Rootkit
	SINROOTKIT_FILES="/dev/.haos/haos1/.f/Denyed
			  /dev/ttyoa
			  /dev/ttyof
			  /dev/ttyop
			  /dev/ttyos
			  /usr/lib/.lib
			  /usr/lib/sn/.X
			  /usr/lib/sn/.sys
			  /usr/lib/ld/.X
			  /usr/man/man1/...
			  /usr/man/man1/.../.m
			  /usr/man/man1/.../.w"
	SINROOTKIT_DIRS="/usr/lib/sn
			 /usr/lib/man1/...
			 /dev/.haos"
	SINROOTKIT_KSYMS=


	# Slapper Worm
	SLAPPER_FILES="/tmp/.bugtraq
		       /tmp/.uubugtraq
		       /tmp/.bugtraq.c
		       /tmp/httpd
		       /tmp/.unlock
		       /tmp/update
		       /tmp/.cinik
		       /tmp/.b"
	SLAPPER_DIRS=
	SLAPPER_KSYMS=


	# Sneakin Rootkit
	SNEAKIN_FILES=
	SNEAKIN_DIRS="/tmp/.X11-unix/.../rk"
	SNEAKIN_KSYMS=


	# Solaris Wanuk backdoor
	WANUKDOOR_FILES="/var/adm/sa/.adm/.lp-door.i86pc
			 /var/adm/sa/.adm/.lp-door.sun4
			 /var/spool/lp/admins/.lp-door.i86pc
			 /var/spool/lp/admins/.lp-door.sun4
			 /var/spool/lp/admins/lpshut
			 /var/spool/lp/admins/lpsystem
			 /var/spool/lp/admins/lpadmin
			 /var/spool/lp/admins/lpmove
			 /var/spool/lp/admins/lpusers
			 /var/spool/lp/admins/lpfilter
			 /var/spool/lp/admins/lpstat
			 /var/spool/lp/admins/lpd
			 /var/spool/lp/admins/lpsched
			 /var/spool/lp/admins/lpc"
	WANUKDOOR_DIRS="/var/adm/sa/.adm"
	WANUKDOOR_KSYMS=


	# Solaris Wanuk Worm (ELF_WANUK.A)
	WANUKWORM_FILES="/var/adm/.adm
			 /var/adm/.i86pc
			 /var/adm/.sun4
			 /var/adm/sa/.adm
			 /var/adm/sa/.adm/.i86pc
			 /var/adm/sa/.adm/.sun4
			 /var/adm/sa/.adm/.crontab
			 /var/adm/sa/.adm/devfsadmd
			 /var/adm/sa/.adm/svcadm
			 /var/adm/sa/.adm/cfgadm
			 /var/adm/sa/.adm/kadmind
			 /var/adm/sa/.adm/zoneadmd
			 /var/adm/sa/.adm/sadm
			 /var/adm/sa/.adm/sysadm
			 /var/adm/sa/.adm/dladm
			 /var/adm/sa/.adm/bootadm
			 /var/adm/sa/.adm/routeadm
			 /var/adm/sa/.adm/uadmin
			 /var/adm/sa/.adm/acctadm
			 /var/adm/sa/.adm/cryptoadm
			 /var/adm/sa/.adm/inetadm
			 /var/adm/sa/.adm/logadm
			 /var/adm/sa/.adm/nlsadmin
			 /var/adm/sa/.adm/sacadm
			 /var/adm/sa/.adm/syseventadmd
			 /var/adm/sa/.adm/ttyadmd
			 /var/adm/sa/.adm/consadmd
			 /var/adm/sa/.adm/metadevadm
			 /var/adm/sa/.i86pc
			 /var/adm/sa/.sun4
			 /var/adm/sa/acctadm
			 /var/adm/sa/bootadm
			 /var/adm/sa/cfgadm
			 /var/adm/sa/consadmd
			 /var/adm/sa/cryptoadm
			 /var/adm/sa/devfsadmd
			 /var/adm/sa/dladm
			 /var/adm/sa/inetadm
			 /var/adm/sa/kadmind
			 /var/adm/sa/logadm
			 /var/adm/sa/metadevadm
			 /var/adm/sa/nlsadmin
			 /var/adm/sa/routeadm
			 /var/adm/sa/sacadm
			 /var/adm/sa/sadm
			 /var/adm/sa/svcadm
			 /var/adm/sa/sysadm
			 /var/adm/sa/syseventadmd
			 /var/adm/sa/ttyadmd
			 /var/adm/sa/uadmin
			 /var/adm/sa/zoneadmd
			 /var/spool/lp/admins/.lp/.crontab
			 /var/spool/lp/admins/.lp/lpshut
			 /var/spool/lp/admins/.lp/lpsystem
			 /var/spool/lp/admins/.lp/lpadmin
			 /var/spool/lp/admins/.lp/lpmove
			 /var/spool/lp/admins/.lp/lpusers
			 /var/spool/lp/admins/.lp/lpfilter
			 /var/spool/lp/admins/.lp/lpstat
			 /var/spool/lp/admins/.lp/lpd
			 /var/spool/lp/admins/.lp/lpsched
			 /var/spool/lp/admins/.lp/lpc"
	WANUKWORM_DIRS="/var/adm/sa/.adm
			/var/spool/lp/admins/.lp"
	WANUKWORM_KSYMS=


	# 'Spanish' Rootkit
	SPANISH_FILES="/dev/ptyq
		       /bin/ad
		       /bin/ava
		       /bin/server
		       /usr/sbin/rescue
		       /usr/share/.../chrps
		       /usr/share/.../chrifconfig
		       /usr/share/.../netstat
		       /usr/share/.../linsniffer
		       /usr/share/.../charbd
		       /usr/share/.../charbd2
		       /usr/share/.../charbd3
		       /usr/share/.../charbd4
		       /usr/man/tmp/update.tgz
		       /var/lib/rpm/db.rpm
		       /var/cache/man/.cat
		       /var/spool/lpd/remote/.lpq"
	SPANISH_DIRS="/usr/share/..."
	SPANISH_KSYMS= 


	# Suckit Rootkit
	SUCKIT_FILES="/sbin/initsk12
		      /sbin/initxrk
		      /usr/bin/null
		      /usr/share/locale/sk/.sk12/sk
		      /etc/rc.d/rc0.d/S23kmdac
		      /etc/rc.d/rc1.d/S23kmdac
		      /etc/rc.d/rc2.d/S23kmdac
		      /etc/rc.d/rc3.d/S23kmdac
		      /etc/rc.d/rc4.d/S23kmdac
		      /etc/rc.d/rc5.d/S23kmdac
		      /etc/rc.d/rc6.d/S23kmdac"
	SUCKIT_DIRS="/dev/sdhu0/tehdrakg
		     /etc/.MG
		     /usr/share/locale/sk/.sk12
		     /usr/lib/perl5/site_perl/i386-linux/auto/TimeDate/.packlist"
	SUCKIT_KSYMS=


	# SunOS / NSDAP Rootkit
	NSDAP_FILES="/dev/pts/01/55su
		     /dev/pts/01/55ps
		     /dev/pts/01/55ping
		     /dev/pts/01/55login
		     /dev/pts/01/PATCHER_COMPLETED
		     /dev/prom/sn.l
		     /dev/prom/dos
		     /usr/lib/vold/nsdap/.kit
		     /usr/lib/vold/nsdap/defines
		     /usr/lib/vold/nsdap/patcher
		     /usr/lib/vold/nsdap/pg
		     /usr/lib/vold/nsdap/cleaner
		     /usr/lib/vold/nsdap/utime
		     /usr/lib/vold/nsdap/crypt
		     /usr/lib/vold/nsdap/findkit
		     /usr/lib/vold/nsdap/sn2
		     /usr/lib/vold/nsdap/sniffload
		     /usr/lib/vold/nsdap/runsniff
		     /usr/lib/lpset
		     /usr/lib/lpstart
		     /usr/bin/mc68000
		     /usr/bin/mc68010
		     /usr/bin/mc68020
		     /usr/ucb/bin/ps
		     /usr/bin/m68k
		     /usr/bin/sun2
		     /usr/bin/mc68030
		     /usr/bin/mc68040
		     /usr/bin/sun3
		     /usr/bin/sun3x
		     /usr/bin/lso
		     /usr/bin/u370"
	NSDAP_DIRS="/dev/pts/01
		    /dev/prom
		    /usr/lib/vold/nsdap
		    /.pat"
	NSDAP_KSYMS=


	# SunOS Rootkit
	SUNOSROOTKIT_FILES="/etc/ld.so.hash
			    /lib/libext-2.so.7
			    /usr/bin/ssh2d
			    /bin/xlogin
			    /usr/lib/crth.o
			    /usr/lib/crtz.o
			    /sbin/login
			    /lib/security/.config/sn
			    /lib/security/.config/lpsched
			    /dev/kmod
			    /dev/dos"
	SUNOSROOTKIT_DIRS=
	SUNOSROOTKIT_KSYMS=


	# Superkit Rootkit (Suckit 1.3b-based)
	SUPERKIT_FILES="/usr/man/.sman/sk/backsh
			/usr/man/.sman/sk/izbtrag
			/usr/man/.sman/sk/sksniff
			/var/www/cgi-bin/cgiback.cgi"
	SUPERKIT_DIRS="/usr/man/.sman/sk"
	SUPERKIT_KSYMS=


	# Telnet Backdoor
	TBD_FILES="/usr/lib/.tbd"
	TBD_DIRS=
	TBD_KSYMS=


	# TeLeKiT Rootkit
	TELEKIT_FILES="/usr/man/man3/.../TeLeKiT/bin/sniff
		       /usr/man/man3/.../TeLeKiT/bin/telnetd
		       /usr/man/man3/.../TeLeKiT/bin/teleulo
		       /usr/man/man3/.../cl
		       /dev/ptyr
		       /dev/ptyp
		       /dev/ptyq
		       /dev/hda06
		       /usr/info/libc1.so"
	TELEKIT_DIRS="/usr/man/man3/...
		      /usr/man/man3/.../lsniff
		      /usr/man/man3/.../TeLeKiT"
	TELEKIT_KSYMS=


	# OSX Togroot Rootkit
	TOGROOT_FILES="/System/Library/Extensions/Togroot.kext/Contents/Info.plist
		       /System/Library/Extensions/Togroot.kext/Contents/pbdevelopment.plist
		       /System/Library/Extensions/Togroot.kext/Contents/MacOS/togrootkext"
	TOGROOT_DIRS="/System/Library/Extensions/Togroot.kext
		      /System/Library/Extensions/Togroot.kext/Contents
		      /System/Library/Extensions/Togroot.kext/Contents/MacOS"
	TOGROOT_KSYMS=


	# T0rn (and misc) Rootkit
	TORN_FILES="/dev/.lib/lib/lib/t0rns
		    /dev/.lib/lib/lib/du
		    /dev/.lib/lib/lib/ls
		    /dev/.lib/lib/lib/t0rnsb
		    /dev/.lib/lib/lib/ps
		    /dev/.lib/lib/lib/t0rnp
		    /dev/.lib/lib/lib/find
		    /dev/.lib/lib/lib/ifconfig
		    /dev/.lib/lib/lib/pg
		    /dev/.lib/lib/lib/ssh.tgz
		    /dev/.lib/lib/lib/top
		    /dev/.lib/lib/lib/sz
		    /dev/.lib/lib/lib/login
		    /dev/.lib/lib/lib/in.fingerd
		    /dev/.lib/lib/lib/1i0n.sh
		    /dev/.lib/lib/lib/pstree
		    /dev/.lib/lib/lib/in.telnetd
		    /dev/.lib/lib/lib/mjy
		    /dev/.lib/lib/lib/sush
		    /dev/.lib/lib/lib/tfn
		    /dev/.lib/lib/lib/name
		    /dev/.lib/lib/lib/getip.sh
		    /usr/info/.torn/sh*
		    /usr/src/.puta/.1addr
		    /usr/src/.puta/.1file
		    /usr/src/.puta/.1proc
		    /usr/src/.puta/.1logz
		    /usr/info/.t0rn"
	TORN_DIRS="/dev/.lib
		   /dev/.lib/lib
		   /dev/.lib/lib/lib
		   /dev/.lib/lib/lib/dev
		   /dev/.lib/lib/scan
		   /usr/src/.puta
		   /usr/man/man1/man1
		   /usr/man/man1/man1/lib
		   /usr/man/man1/man1/lib/.lib
		   /usr/man/man1/man1/lib/.lib/.backup"
	TORN_KSYMS=


	# trNkit Rootkit
	TRNKIT_FILES="/usr/lib/libbins.la
		      /usr/lib/libtcs.so
		      /dev/.ttpy/ulogin.sh
		      /dev/.ttpy/tcpshell.sh
		      /dev/.ttpy/bupdu
		      /dev/.ttpy/buloc
		      /dev/.ttpy/buloc1
		      /dev/.ttpy/buloc2
		      /dev/.ttpy/stat
		      /dev/.ttpy/backps
		      /dev/.ttpy/tree
		      /dev/.ttpy/topk
		      /dev/.ttpy/wold
		      /dev/.ttpy/whoold
		      /dev/.ttpy/backdoors"
	TRNKIT_DIRS=
	TRNKIT_KSYMS=


	# Trojanit Kit Rootkit
	TROJANIT_FILES="/bin/.ls
			/bin/.ps
			/bin/.netstat
			/usr/bin/.nop
			/usr/bin/.who"
	TROJANIT_DIRS=
	TROJANIT_KSYMS=


	# Turtle / Turtle2 Rootkit
	TURTLE_FILES="/dev/turtle2dev"
	TURTLE_DIRS=
	TURTLE_KSYMS=


	# Tuxtendo (Tuxkit) Rootkit
	TUXTENDO_FILES="/lib/libproc.so.2.0.7
			/usr/bin/xchk
			/usr/bin/xsf
			/dev/tux/suidsh
			/dev/tux/.addr
			/dev/tux/.cron
			/dev/tux/.file
			/dev/tux/.log
			/dev/tux/.proc
			/dev/tux/.iface
			/dev/tux/.pw
			/dev/tux/.df
			/dev/tux/.ssh
			/dev/tux/.tux
			/dev/tux/ssh2/sshd2_config
			/dev/tux/ssh2/hostkey
			/dev/tux/ssh2/hostkey.pub
			/dev/tux/ssh2/logo
			/dev/tux/ssh2/random_seed
			/dev/tux/backup/crontab
			/dev/tux/backup/df
			/dev/tux/backup/dir
			/dev/tux/backup/find
			/dev/tux/backup/ifconfig
			/dev/tux/backup/locate
			/dev/tux/backup/netstat
			/dev/tux/backup/ps
			/dev/tux/backup/pstree
			/dev/tux/backup/syslogd
			/dev/tux/backup/tcpd
			/dev/tux/backup/top
			/dev/tux/backup/updatedb
			/dev/tux/backup/vdir"
	TUXTENDO_DIRS="/dev/tux
		       /dev/tux/ssh2
		       /dev/tux/backup"
	TUXTENDO_KSYMS=


	# Universal Rootkit by K2 (URK) Release 0.9.8
	URK_FILES="/dev/prom/sn.l
		   /usr/lib/ldlibps.so
		   /usr/lib/ldlibnet.so
		   /dev/pts/01/uconf.inv
		   /dev/pts/01/cleaner
		   /dev/pts/01/bin/psniff
		   /dev/pts/01/bin/du
		   /dev/pts/01/bin/ls
		   /dev/pts/01/bin/passwd
		   /dev/pts/01/bin/ps
		   /dev/pts/01/bin/psr
		   /dev/pts/01/bin/su
		   /dev/pts/01/bin/find
		   /dev/pts/01/bin/netstat
		   /dev/pts/01/bin/ping
		   /dev/pts/01/bin/strings
		   /dev/pts/01/bin/bash
		   /usr/man/man1/xxxxxxbin/du
		   /usr/man/man1/xxxxxxbin/ls
		   /usr/man/man1/xxxxxxbin/passwd
		   /usr/man/man1/xxxxxxbin/ps
		   /usr/man/man1/xxxxxxbin/psr
		   /usr/man/man1/xxxxxxbin/su
		   /usr/man/man1/xxxxxxbin/find
		   /usr/man/man1/xxxxxxbin/netstat
		   /usr/man/man1/xxxxxxbin/ping
		   /usr/man/man1/xxxxxxbin/strings
		   /usr/man/man1/xxxxxxbin/bash
		   /tmp/conf.inv"
	URK_DIRS="/dev/prom
		  /dev/pts/01
		  /dev/pts/01/bin
		  /usr/man/man1/xxxxxxbin"
	URK_KSYMS=
	# Also-see: /usr/lib/lpset (esniff), /var/lp/lpacct/ (files), /usr/lib/bnclp, /usr/lib/lpsys (identd),
	# Also-see: /usr/lib/lptd (backdoor?), /sbin/rc2 and /sbin/rc3 containing string "/usr/lib/lpstart",
	# Also-see: dos, psbnc, lpacct, USER, lp,
	# Also see: /etc/lpconfig vs /etc/ttyhash, uconv.inv vs urk.conf.


	# VcKit Rootkit
	VCKIT_FILES=
	VCKIT_DIRS="/usr/include/linux/modules/lib.so
		    /usr/include/linux/modules/lib.so/bin"
	VCKIT_KSYMS=


	# Vampire Rootkit
	VAMPIRE_FILES=
	VAMPIRE_DIRS=
	VAMPIRE_KSYMS="new_getdents
			old_getdents
			should_hide_file_name
			should_hide_task_name"	


	# Volc Rootkit
	# Omit listing system binaries that should be picked up by changed hashes.
	VOLC_FILES="/usr/bin/volc
		    /usr/lib/volc/backdoor/divine
		    /usr/lib/volc/linsniff
		    /etc/rc.d/rc1.d/S25sysconf
		    /etc/rc.d/rc2.d/S25sysconf
		    /etc/rc.d/rc3.d/S25sysconf
		    /etc/rc.d/rc4.d/S25sysconf
		    /etc/rc.d/rc5.d/S25sysconf"
	VOLC_DIRS="/var/spool/.recent
		   /var/spool/.recent/.files
		   /usr/lib/volc
		   /usr/lib/volc/backup"
	VOLC_KSYMS=


	# weaponX 0.1
	WEAPONX_FILES="/System/Library/Extensions/WeaponX.kext"
	WEAPONX_DIRS="/tmp/..."
	WEAPONX_KSYMS=


	# WMKR26 2.0, WindEX, XND Crew, LKM for kernel 2.6
	# (2.6.12 -  2.6.19.2, i[456]86 and x86_64)
	# These files don't exist and can't be seen:
	# /proc/qwerty
	# /proc/givemeroot
	# /proc/hide+[PID]
	# /proc/hide-[PID]
	# /proc/active-
	# /proc/module_hide+
	# /proc/module_hide-
	# /proc/givemeinfo


	# Xzibit Rootkit (also see MRK (MiCrobul?) RootKit)
	XZIBIT_FILES="/dev/dsx
		      /dev/caca
		      /dev/ida/.inet/linsniffer
		      /dev/ida/.inet/logclear
		      /dev/ida/.inet/sense
		      /dev/ida/.inet/sl2
		      /dev/ida/.inet/sshdu
		      /dev/ida/.inet/s
		      /dev/ida/.inet/ssh_host_key
		      /dev/ida/.inet/ssh_random_seed
		      /dev/ida/.inet/sl2new.c
		      /dev/ida/.inet/tcp.log
		      /home/httpd/cgi-bin/becys.cgi
		      /usr/local/httpd/cgi-bin/becys.cgi
		      /usr/local/apache/cgi-bin/becys.cgi
		      /www/httpd/cgi-bin/becys.cgi
		      /www/cgi-bin/becys.cgi"
	XZIBIT_DIRS="/dev/ida/.inet"
	XZIBIT_KSYMS=


	# X-Org SunOS Rootkit
	XORGSUNOS_FILES="/usr/lib/libX.a/bin/tmpfl
			 /usr/lib/libX.a/bin/rps
			 /usr/bin/srload
			 /usr/lib/libX.a/bin/sparcv7/rps
			 /usr/sbin/modcheck"
	XORGSUNOS_DIRS="/usr/lib/libX.a
			/usr/lib/libX.a/bin
			/usr/lib/libX.a/bin/sparcv7
			/usr/share/man..."
	XORGSUNOS_KSYMS=


	# zaRwT.KiT Rootkit
	ZARWT_FILES="/dev/rd/s/sendmeil
		     /dev/ttyf
		     /dev/ttyp
		     /dev/ttyn
		     /rk/tulz"
	ZARWT_DIRS="/rk
		    /dev/rd/s"
	ZARWT_KSYMS=


	# ZK Rootkit
	ZK_FILES="/usr/share/.zk/zk
		  /usr/X11R6/.zk/xfs
		  /usr/X11R6/.zk/echo
		  /etc/1ssue.net
		  /etc/sysconfig/console/load.zk"
	ZK_DIRS="/usr/share/.zk
		 /usr/X11R6/.zk"
	ZK_KSYMS=


	# Miscellaneous login backdoors
	LOGIN_BACKDOOR_FILES="/bin/.login
			      /sbin/.login"


	# Suspicious directories
	SUSPICIOUS_DIRS="/usr/X11R6/bin/.,/copy
			 /dev/rd/cdb"


	# Evil strings
	STRINGSCAN="crond:LOGNAME=root:Illogic Rootkit
		    hostname:phalanx:Phalanx Rootkit
		    init:/dev/proc/fuckit:Fuckit Rootkit
		    init:FUCK:Suckit Rootkit
		    init:backdoor:Suckit Rootkit (backdoored init file)
		    init:/usr/bin/rcpc:Portacelo Rootkit
		    init:/usr/sbin/login:trNkit Rootkit ulogin
		    killall:/dev/ptyxx/.proc:Ambient (ark) Rootkit
		    login:vt200:Linux Rootkit (LRK4)
		    login:/usr/bin/xstat:Linux Rootkit (LRK4)
		    login:/bin/envpc:Linux Rootkit (LRK4)
		    login:L4m3r0x:Linux Rootkit (LRK4)
		    login:/lib/libext:SHV4 Rootkit
		    login:/usr/sbin/login:Flea Linux Rootkit
		    login:/usr/lib/.tbd:TBD Rootkit
		    login:sendmail:Ambient (ark) Rootkit
		    login:cocacola:cb Rootkit
		    login:joao:Spanish Rootkit
		    ls:/dev/ptyxx/.file:Dica-Kit Rootkit
		    ls:/dev/ptyxx/.file:Ambient (ark) Rootkit
		    ls:/dev/sgk:Linux Rootkit (LRK4)
		    ls:/var/lock/subsys/...datafile...:Ohhara Rootkit
		    ls:/usr/lib/.tbd:TBD Rootkit
		    netstat:/dev/proc/fuckit:Fuckit Rootkit
		    netstat:/lib/.sso:Dica-Kit Rootkit
		    netstat:/var/lock/subsys/...datafile...:Ohhara Rootkit
		    netstat:/dev/caca:MRK Rootkit
		    netstat:/dev/ttyoa:Sin Rootkit
		    netstat:/usr/lib/ldlibns.so:Flea Linux Rootkit
		    netstat:/dev/ptyxx/.addr:Ambient (ark) Rootkit
		    netstat:syg:Trojaned netstat
		    nscd:sshd_config:Backdoor shell installed (SSH)
                    ps:/var/lock/subsys/...datafile...:Ohhara Rootkit or Ni0 Rootkit
		    ps:/dev/pts/01:Universal Rootkit (URK)
		    ps:tw33dl3:SunOS Rootkit
		    ps:psniff:SunOS Rootkit
		    ps:uconf.inv:Universal Rootkit (URK)
		    ps:lib/ldlibps.so:Flea Linux Rootkit or Universal Rootkit (URK)
		    pstree:/usr/lib/ldlibpst.so:Flea Linux Rootkit
		    ps:libproc.so.2.0.7:Fuckit Rootkit
		    ps:/dev/ptyxx/.proc:Ambient (ark) Rootkit
		    pstree:/dev/ptyxx/.proc:Ambient (ark) Rootkit
		    pgrep:libproc.so.2.0.7:Fuckit Rootkit
		    pkill:libproc.so.2.0.7:Fuckit Rootkit
		    ping:/bin/bash:Ping Rootkit or other backdoor
		    rpc.nfsd:cant open log:Sniffer installed
		    rpc.nfsd:sniff.pid:Sniffer installed
		    rpc.nfsd:tcp.log:Sniffer installed
		    sshd:/dev/ptyxx:OpenBSD Rootkit
		    sshd:/.config:SHV4 Rootkit
		    sshd:+\\$.*\\$\!.*\!\!\\$:Backdoored SSH daemon installed
		    sshd:backdoor.h:Trojaned SSH daemon
		    sshd:backdoor_active:Trojaned SSH daemon
		    sshd:magic_pass_active:Trojaned SSH daemon
		    sshd:/usr/include/gpm2.h:Trojaned SSH daemon
		    sshd:/usr/include/openssl:Trojaned SSH daemon
		    sshd:aion:Trojaned SSH daemon
		    sshd:pcszPass:Trojaned SSH daemon
		    sshd:LogPass:Trojaned SSH daemon
		    sshd:Login_Check:Trojaned SSH daemon
		    sshd:includes.h:Trojaned SSH daemon
		    sshd:DecodeString:Trojaned SSH daemon
		    sshd:EncodeString:Trojaned SSH daemon
		    sshd:libns2.so:Ebury sshd backdoor
		    sshd:libns5.so:Ebury sshd backdoor
		    sshd:libpw3.so:Ebury sshd backdoor
		    sshd:libpw5.so:Ebury sshd backdoor
		    sshd:libsbr.so:Ebury sshd backdoor
		    sshd:libslr.so:Ebury sshd backdoor
		    xntps:/.config:SHV4 Rootkit
		    syslogd:promiscuous:Sniffer installed
		    syslogd:/usr/lib/.tbd:TBD Rootkit
		    syslogd:/dev/ptyxx/.log:Ambient (ark) Rootkit
		    syslogd:/usr/share/pci.r:Trojaned Syslog daemon
		    tcpd:/dev/xdta:Dica-Kit Rootkit
		    top:/usr/lib/.tbd:TBD Rootkit
		    top:/dev/ptyxx/.proc:Ambient (ark) Rootkit
		    xtty:/bin/sh:Backdoor shell
		    ttymon:fucknut:SHV5 Rootkit
		    ttymon:lamersucks:SHV5 Rootkit
		    ttymon:skillz:SHV5 Rootkit
		    ttyload:/sbin/ttyload:SHV5 Rootkit
		    ttyload:/sbin/ttymon:SHV5 Rootkit
		    ttyload:propert of SH:SHV5 Rootkit
		    rcfile:in.inetd:SHV4 Rootkit
		    rcfile:+#<HIDE_.*>:Enye LKM
		    rcfile:bin/xchk:Optic Kit (Tux) Worm
		    rcfile:bin/xsf:Optic Kit (Tux) Worm
		    rcfile:/usr/bin/ssh2d:Flea Linux Rootkit or Optic Kit (Tux variant) Rootkit or SunOS Rootkit 
		    rcfile:/usr/sbin/xntps:SHV4 Rootkit
		    rcfile:ttyload:SHV5 Rootkit
		    rcfile:/etc/rc.d/init.d/init:cb Rootkit or w00tkit Rootkit
		    rcfile:usr/bin/xfss:Devil Rootkit
		    rcfile:/usr/sbin/rpc.netinet:FreeBSD (FBRK) Rootkit
		    rcfile:/usr/lib/.fx/cons.saver:FreeBSD (FBRK) Rootkit
		    rcfile:/usr/lib/.fx/xs:FreeBSD (FBRK) Rootkit
		    rcfile:/ssh2d:Illogic Rootkit or SunOS Rootkit
		    rcfile:/dev/kmod:Illogic Rootkit or SunOS Rootkit
		    rcfile:/crth.o:Illogic Rootkit or SunOS Rootkit
		    rcfile:/crtz.o:Illogic Rootkit or SunOS Rootkit
		    rcfile:/dev/dos:Illogic Rootkit or SunOS Rootkit
		    rcfile:/lpq:Illogic Rootkit or SunOS Rootkit
		    rcfile:/usr/sbin/rescue:Spanish Rootkit
		    rcfile:/usr/lib/lpstart:SunOS NSDAP Rootkit or Universal Rootkit (URK)
		    rcfile:/volc:Volc Rootkit
		    rcfile:sourcemask:Rootkit component
		    rcfile:/bin/vobiscum:Rootkit component
		    rcfile:/usr/sbin/in.telnet:Rootkit component
		    rcfile:/usr/bin/hdparm?-t1?-X53?-p:Xzibit Rootkit
		    rcfile:/lib/.xsyslog:Flooder (Linux/Bckdr-RKC) component
		    rcfile:/etc/.xsyslog:Flooder (Linux/Bckdr-RKC) component
		    rcfile:/lib/.ssyslog:Flooder (Linux/Bckdr-RKC) component
		    rcfile:/tmp/.sendmail:Flooder (Linux/Bckdr-RKC) component
		    rcfile:IptabLex:malware component
		    rcfile:IptabLes:malware component
		    ssh:/lib/ldd.so/tkps:SHV4 Rootkit
		    ssh1:/lib/ldd.so/tkps:SHV4 Rootkit
		    ssh:t0rnkit:T0rn Rootkit
		    ssh:/dev/proc/fuckit:Fuckit Rootkit
		    ssh:backdoor.h:Trojaned SSH daemon
		    ssh:backdoor_active:Trojaned SSH daemon
		    ssh:magic_pass_active:Trojaned SSH daemon
		    ssh:/usr/include/gpm2.h:Trojaned SSH daemon
		    skill:libproc.so.2.0.7:Fuckit Rootkit
		    snice:libproc.so.2.0.7:Fuckit Rootkit
		    top:libproc.so.2.0.7:Fuckit Rootkit
		    slocate:/usr/lib/ldlibct.so:Flea Linux Rootkit
		    locate:/usr/lib/ldlibct.so:Flea Linux Rootkit
		    du:/usr/lib/ldlibdu.so:Flea Linux Rootkit
		    du:/dev/ptyxx/.file:Ambient (ark) Rootkit
		    w:libproc.so.2.0.7:Fuckit Rootkit
		    xlogin:/lib/libext:SHV4 Rootkit
		    hdparm:/dev/ida/.inet:Xzibit Rootkit
		    pgrep:/usr/include/mysql/mysql.hh1:Rootkit component
		    pkill:/usr/include/mysql/mysql.hh1:Rootkit component
		    pmap:/usr/include/mysql/mysql.hh1:Rootkit component
		    ps:/usr/include/mysql/mysql.hh1:Rootkit component
		    w:/usr/include/mysql/mysql.hh1:Rootkit component
		    top:/usr/include/mysql/mysql.hh1:Rootkit component
		    bc:backconnect:Jynx Rootkit
		    bc:magic?packet?received:Jynx Rootkit"


	# Possible rootkit files and directories
	# The '%' character represents a space.
	FILESCAN="file:/dev/sdr0:T0rn Rootkit MD5 hash database
		  file:/dev/pisu:Rootkit component
		  file:/dev/xdta:Dica-Kit Rootkit
		  file:/dev/saux:Trojaned SSH daemon sniffer log
		  file:/dev/hdx:Linux.RST.B infection
		  file:/dev/hdx1:Linux.RST.B infection
		  file:/dev/hdx2:Linux.RST.B infection
		  file:/dev/ptyy:Rootkit component
		  file:/dev/ptyu:Rootkit component
		  file:/dev/ptyv:Rootkit component
		  file:/dev/hdbb:Rootkit component
		  file:/tmp/.syshackfile:Trojaned syslog daemon
		  file:/tmp/.bash_history:Lite5-r Rootkit
		  file:/usr/info/.clib:Backdoor component
		  file:/usr/sbin/tcp.log:Sniffer log
		  file:/usr/bin/take/pid:Trojaned SSH daemon
		  file:/sbin/create:MzOzD Local backdoor
		  file:/dev/ttypz:spwn login backdoor
		  file:/var/log/tcp.log:beX2 Rootkit
		  file:/usr/include/audit.h:beX2 Rootkit
		  file:/usr/bin/sourcemask:Rootkit component
		  file:/usr/bin/ras2xm:Rootkit component
		  file:/dev/xmx:Dica-Kit Rootkit
		  file:/usr/sbin/gpm.root:Rootkit component
		  file:/bin/vobiscum:Rootkit component
		  file:/bin/psr:Rootkit component
		  file:/dev/kdx:Rootkit component
		  file:/dev/dkx:Rootkit component
		  file:/usr/sbin/sshd3:Rootkit component
		  file:/usr/sbin/jcd:Rootkit component
		  file:/usr/sbin/atd2:Rootkit component
		  file:/home/httpd/cgi-bin/linux.cgi:Dica-Kit Rootkit
		  file:/home/httpd/cgi-bin/psid:Dica-Kit Rootkit
		  file:/home/httpd/cgi-bin/void.cgi:Dica-Kit Rootkit
		  file:/etc/rc.d/init.d/system:Rootkit component
		  file:/etc/rc.d/rc3.d/S93users:Rootkit component
		  file:/tmp/.ush:Dica-Kit Rootkit
		  file:/usr/lib/libhidefile.so:HIDEFILE envvar file-hiding library
		  file:/etc/cron.d/kmod:Illogic Rootkit
		  file:/usr/lib/dmis/dmisd:Trojaned SSH daemon
		  file:/lib/secure/libhij.so:Solaris Trojaned SSH daemon
		  file:/usr/sbin/sshd3:Rootkit component
		  file:/etc/rc.d/init.d/crontab:Rootkit component
		  file:/etc/rc.d/init.d/jcd:Rootkit component
		  file:/usr/sbin/atd2:Rootkit component
		  file:/etc/rc.d/rc5.d/S93users:Rootkit component
		  file:/usr/include/mysql/mysql.hh1:Rootkit component
		  file:/etc/init.d/xfs3:Rootkit component
		  file:/usr/sbin/t.txt:Opyum kit component
		  file:/usr/sbin/change:Opyum kit component
		  file:/usr/sbin/s:Opyum kit component
		  file:/bin/f:Opyum kit component
		  file:/bin/i:Opyum kit component
		  file:/lib/libncom.so.4.0.1:ncom rootkit library
		  file:/sbin/zinit:Rootkit component
		  file:/tmp/pass_ssh.log:Trojaned SSH daemon
		  file:/usr/include/gpm2.h:Trojaned SSH daemon
		  file:/etc/ssh/.sshd_auth:Trojaned SSH daemon (logins)
		  file:/usr/lib/.sshd.h:Trojaned SSH daemon (logins)
		  file:/var/run/.defunct:Trojaned SSH daemon
		  file:/etc/httpd/run/.defunct:Trojaned SSH daemon
		  file:/usr/share/pci.r:Trojaned Syslog daemon
		  file:/etc/cron.daily/dnsquery:Sniffer
		  file:/usr/lib/libutil1.2.1.2.so:Trojaned SSH daemon component (hwclock binary)
		  file:/usr/lib/libppopen.so:Trojaned SSH daemon component
		  file:/usr/include/libutil2.1.h:Trojaned SSH daemon component
		  file:/usr/bin/munchhausen:Trojaned SSH daemon component
		  file:/bin/ceva:Trojaned SSH daemon (client binary)
		  file:/sbin/syslogd%:Trojaned SSH daemon (sebd)
		  file:/usr/include/shup.h:Trojaned SSH daemon (client binary)
		  file:/etc/rpm/sshdOLD:Trojaned SSH daemon (original sshd binary)
		  file:/etc/rpm/sshOLD:Trojaned SSH daemon (original ssh binary)
		  file:/usr/share/passwd.h:Trojaned SSH daemon (default configuration)
		  file:/lib/.xsyslog:Flooder (Linux/Bckdr-RKC) component
		  file:/etc/.xsyslog:Flooder (Linux/Bckdr-RKC) component
		  file:/lib/.ssyslog:Flooder (Linux/Bckdr-RKC) component
		  file:/tmp/.sendmail:Flooder (Linux/Bckdr-RKC) component
		  file:/usr/share/sshd.sync:Trojaned SSH daemon
		  file:/bin/zcut:Trojaned SSH daemon
		  file:/usr/bin/zmuie:Trojaned SSH daemon
		  file:/IptabLes:malware component
		  file:/.IptabLex:malware component
		  file:/boot/.IptabLex:malware component
		  file:/boot/.IptabLes:malware component
		  file:/boot/IptabLes:malware component
		  file:/tmp/IptabLes:malware component
		  file:/etc/rc.d/init.d/IptabLex:malware component
		  file:/etc/rc.d/init.d/IptabLes:malware component
		  file:/etc/rc.d/rc0.d/S55IptabLex:malware component
		  file:/etc/rc.d/rc1.d/S55IptabLex:malware component
		  file:/etc/rc.d/rc2.d/S55IptabLex:malware component
		  file:/etc/rc.d/rc3.d/S55IptabLex:malware component
		  file:/etc/rc.d/rc4.d/S55IptabLex:malware component
		  file:/etc/rc.d/rc5.d/S55IptabLex:malware component
		  file:/etc/rc.d/rc6.d/S55IptabLex:malware component
		  file:/var/lib/update-rc.d/IptabLex:malware component
		  file:/delallmykkk:malware component
		  file:/usr/.IptabLes:malware component
		  file:/usr/IptabLes:malware component
		  file:/tmp/.flush:malware component
		  file:/var/log/.flush:malware component
		  file:/usr/.flush:malware component
		  file:/etc/init.d/bluetoothdaemon:malware component
		  file:/usr/bin/btdaemon:malware component
		  file:/etc/rc1.d/S90bluetooth:malware component
		  file:/etc/rc2.d/S90bluetooth:malware component
		  file:/etc/rc3.d/S90bluetooth:malware component
		  file:/etc/rc4.d/S90bluetooth:malware component
		  file:/etc/rc5.d/S90bluetooth:malware component
		  file:/etc/rc6.d/S90bluetooth:malware component
		  file:/boot/pro:BillGates botnet component
		  file:/boot/proh:BillGates botnet component
		  file:/etc/atdd:BillGates botnet component
		  file:/etc/atddd:BillGates botnet component
		  file:/etc/cupsdd:BillGates botnet component
		  file:/etc/cupsddd:BillGates botnet component
		  file:/etc/cupsddh:BillGates botnet component
		  file:/etc/dsfrefr:BillGates botnet component
		  file:/etc/fdsfsfvff:BillGates botnet component
		  file:/etc/ferwfrre:BillGates botnet component
		  file:/etc/fwke.cfg:BillGates botnet component
		  file:/etc/gdmorpen:BillGates botnet component
		  file:/etc/gfhddsfew:BillGates botnet component
		  file:/etc/gfhjrtfyhuf:BillGates botnet component
		  file:/etc/ksapd:BillGates botnet component
		  file:/etc/ksapdd:BillGates botnet component
		  file:/etc/kysapd:BillGates botnet component
		  file:/etc/kysapdd:BillGates botnet component
		  file:/etc/rewgtf3er4t:BillGates botnet component
		  file:/etc/sdmfdsfhjfe:BillGates botnet component
		  file:/etc/sfewfesfs:BillGates botnet component
		  file:/etc/sfewfesfsh:BillGates botnet component
		  file:/etc/sksapd:BillGates botnet component
		  file:/etc/sksapdd:BillGates botnet component
		  file:/etc/skysapd:BillGates botnet component
		  file:/etc/skysapdd:BillGates botnet component
		  file:/etc/smarvtd:BillGates botnet component
		  file:/etc/whitptabil:BillGates botnet component
		  file:/etc/xfsdx:BillGates botnet component
		  file:/etc/xfsdxd:BillGates botnet component		  
		  file:/tmp/bill.lock:BillGates botnet component
		  file:/tmp/gates.lock:BillGates botnet component
		  file:/tmp/gates.lod:BillGates botnet component
		  file:/tmp/moni.lock:BillGates botnet component
		  file:/tmp/moni.lod:BillGates botnet component
		  file:/tmp/notify.file:BillGates botnet component
		  file:/usr/bin/.sshd:BillGates botnet component
		  file:/usr/bin/bsd-port/getty:BillGates botnet component
		  file:/usr/bin/bsd-port/getty.lock:BillGates botnet component
		  file:/usr/bin/bsd-port/udevd.lock:BillGates botnet component
		  file:/usr/bin/pojie:BillGates botnet component
		  file:/usr/lib/libamplify.so:BillGates botnet component
		  file:/etc/init.d/DbSecuritySpt:BillGates botnet component
		  file:/etc/rc.d/init.d/DbSecuritySpt:BillGates botnet component
		  file:/etc/cron.hourly/gcc.sh:BillGates botnet component
		  file:/root/2016ttfacai:BillGates botnet component
		  file:/proc/rs_dev:xorddos component
		  file:/var/run/sftp.pid:xorddos component
		  file:/var/run/udev.pid:xorddos component
		  file:/var/run/mount.pid:xorddos component
		  file:/etc/cron.hourly/cron.sh:xorddos component
		  file:/etc/cron.hourly/udev.sh:xorddos component
		  file:/etc/cron.hourly/udev.sh:xorddos component
		  file:/lib/libgcc.so:xorddos component
		  file:/lib/libgcc.so.bak:xorddos component
		  file:/lib/libgcc4.so:xorddos component
		  file:/lib/libgcc4.4.so:xorddos component
		  file:/lib/udev/udev:xorddos component
		  file:/lib/udev/debug:xorddos component
		  dir:/dev/ptyas:Langsuir installation directory
		  dir:/usr/bin/take:Trojaned SSH daemon
		  dir:/usr/src/.lib:Rootkit component
		  dir:/usr/share/man/man1/.1c:Eggdrop (IRC bot)
		  dir:/lib/lblip.tk:T0rn Rootkit directory with backdoored SSH-configuration
		  dir:/usr/sbin/...:Rootkit component
		  dir:/usr/share/.gun:Rootkit component
		  dir:/unde/vrei/tu/sa/te/ascunzi/in/server:Unknown rootkit
		  dir:/usr/man/man1/..%%/.dir:Unknown rootkit
		  dir:/usr/X11R6/include/X11/...:Unknown rootkit
		  dir:/usr/X11R6/lib/X11/.fonts/misc/...:Unknown rootkit
		  dir:/tmp/.sys:Rootkit component
		  dir:/tmp/':Rootkit component
		  dir:/tmp/.,:Rootkit component
		  dir:/tmp/,.,:Rootkit component
		  dir:/dev/shm/emilien:Rootkit component
		  dir:/var/tmp/.log:Rootkit component
		  dir:/tmp/zmeu/...%:Rootkit component
		  dir:/var/log/ssh:Rootkit component
		  dir:/dev/ida:Rootkit component
		  dir:/var/lib/games/.src/ssk/shit:Rootkit component
		  dir:/usr/lib/libshtift:Rootkit component
		  dir:/usr/src/.poop:Ramen worm
		  dir:/dev/wd4:IRC bot
		  dir:/var/run/.tmp:Rootkit component
		  dir:/usr/man/man1/lib/.lib:Rootkit component
		  dir:/dev/portd:Rootkit component
		  dir:/dev/...:Rootkit component
		  dir:/usr/share/man/mansps:Rootkit component
		  dir:/lib/.so:Rootkit component
		  dir:/lib/.sso:Rootkit component
		  dir:/usr/include/sslv3:Rootkit component
		  dir:/dev/shm/sshd:Trojaned SSH daemon
		  dir:/usr/share/locale/mk/.dev/sk:Sniffer
		  dir:/usr/share/locale/mk/.dev:Sniffer
		  dir:/usr/include/netda.h:Trojaned SSH daemon
		  dir:/usr/include/.ssh:Trojaned SSH daemon
		  dir:/usr/share/locale/jp/.%:IRC bot
		  dir:/usr/share/.sqe:IRC bot"


	# Evil strings for FreeBSD KLD (Dynamic Kernel Linker modules)
	KLDSTATKEYWORDS="backd00r backdoor darkside nekit rpldev rpldev_mod spapem_core spapem_genr00t hide_process turtle"


	# Suspicious startup file strings
	RCLOCAL_STRINGS="/usr/bin/rpc.wall:Linux Rootkit (LRK4)
			 sshdd:GasKit Rootkit
			 hidef:Knark Rootkit
			 /usr/bin/.etc:Dica-Kit Rootkit"


	# Suspicious open files
	# If the file information field starts with 'OSX ' then
	# it will only be tested for on OSX systems.
	SUSP_FILES_INFO="backdoor:Generic backdoor
			 adore.o:Adore kernel module
			 mod_rootme.so:Apache mod_rootme backdoor
			 phide_mod.o:Process hiding kernel module
			 lbk.ko:LBK FreeBSD kernel module
			 vlogger.o:THC-Vlogger kernel module
			 cleaner.o:Adore kernel module
			 cleaner:Adore Rootkit
			 ava:Adore Rootkit
			 tzava:Adore Rootkit
			 mod_klgr.o:klgr, keyboard logger (kernel module)
			 hydra:THC-Hydra (password capture)
			 hydra.restore:THC-Hydra (password capture)
			 ras2xm:Unknown rootkit
			 vobiscum:Unknown rootkit
			 sshd3:Unknown rootkit
			 system:Unknown rootkit
			 t0rnsb:T0rn Rootkit
			 t0rns:T0rn Rootkit
			 t0rnp:T0rn Rootkit
			 rx4u:Unknown rootkit
			 rx2me:Unknown rootkit
			 sshdu:Unknown rootkit
			 glotzer:Unknown rootkit
			 holber:Devil Rootkit
			 xhide:Process hiding software
			 xh:Process hiding software (alternative of XHide)
			 emech:IRC bot
			 psybnc:IRC bot
			 mech:IRC bot
			 httpd.bin:IRC bot
			 mh:Dica-Kit Rootkit IRC bot
			 xl:Dica-Kit Rootkit
			 write:Dica-Kit Rootkit
			 Phantasmagoria.o:Process hiding Linux kernel module
			 lkt.o:Portacelo Rootkit
			 nlkt.o:Portacelo Rootkit
			 ld_poison.so:Jynx Rootkit
			 .xsyslog:Flooder (Linux/Bckdr-RKC) component
			 .ssyslog:Flooder (Linux/Bckdr-RKC) component
			 pscan2:Port scanner
			 scanssh:Port scanner
			 sshf:Possible port scanner
			 ssh-scan:Port scanner
			 atac:Port scanner component
			 \[pdflush\]:IRC bot
			 .IptabLex:malware component
			 .IptabLes:malware component
			 .flush:malware component
			 \[bluetooth\]:malware component
			 \[flush:malware component
			 jynx2.so:Jynx2 Rootkit
			 reality.so:Jynx2 Rootkit
			 kernel_service:OSX KeRanger ransomware
			 icloudsyncd:OSX Keydnap backdoor
			 icloudproc:OSX Keydnap backdoor
			 dbd:OSX Eleanor backdoor
			 check_hostname:OSX Eleanor backdoor
			 profiled:Mokes backdoor
			 DropboxCache:Mokes backdoor
			 storeuserd:OSX Mokes backdoor
			 updateragent:OSX Proton backdoor"


	# System startup file pathnames
	RCLOCATIONS="/etc/rc.d
		     /etc/rc.local
		     /usr/local/etc/rc.d
		     /usr/local/etc/rc.local
		     /etc/conf.d/local.start
		     /etc/init.d
		     /etc/inittab
		     /etc/systemd/system"


	# Integrity tests
	STRINGS_INTEGRITY="${BOBKIT_FILES} ${BOBKIT_DIRS} ${CINIK_FILES}
			   ${CINIK_DIRS} ${DICA_FILES} ${FREEBSD_RK_FILES}
			   ${TBD_FILES} ${TORN_FILES} ${TORN_DIRS}"


	SNIFFER_FILES="/usr/lib/libice.log
		       /dev/prom/sn.l
		       /dev/fd/.88/zxsniff.log"


	# Known bad Linux kernel modules
	LKM_BADNAMES="adore.o
		      bkit-adore.o
		      cleaner.o
		      flkm.o
		      knark.o
		      modhide.o
		      mod_klgr.o
		      phide_mod.o
		      vlogger.o
		      p2.ko
		      rpldev.o
		      xC.o
		      strings.o
		      wkmr26.ko
		      diamorphine.ko"

	return
}


strings_check() {

	#
	# This function carries out the 'strings' command check.
	# It passes specific strings through the strings command to
	# see if they are missing. If so, then it can indicate that
	# the command has been modified to hide information.
	#

	if `check_test strings`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST strings
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 STRINGS_CHECK_START
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST strings
		fi

		return
	fi


	#
	# First check to see if we have a 'strings' command.
	#

	if [ -z "${STRINGS_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 STRINGS_CHECK

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' strings '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'strings'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'strings'
		fi

		return
	fi


	STRINGSFAILED=0

	for STRING in ${STRINGS_INTEGRITY}; do
		STRINGNAME=`echo "${STRING}" | sed -e 's/\./\\\./g'`
		STRING_SEEN=`echo "${STRING}" | ${STRINGS_CMD} -a | grep "${STRINGNAME}" | tr -d ' '`

		if [ -z "${STRING_SEEN}" ]; then
			STRINGSFAILED=1
			display --to LOG --type WARNING --result WARNING --log-indent 2 STRINGS_SCANNING_BAD "${STRING}"
		elif [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --result OK --log-indent 2 STRINGS_SCANNING_OK "${STRING}"
		fi
	done


	if [ $STRINGSFAILED -eq 0 ]; then
		RKHTMPVAR="SCREEN"
		test $VERBOSE_LOGGING -eq 0 && RKHTMPVAR="SCREEN+LOG"

		display --to "${RKHTMPVAR}" --type PLAIN --result OK --color GREEN --screen-indent 4 STRINGS_CHECK
	else
		display --to SCREEN --type PLAIN --result WARNING --color RED --screen-indent 4 STRINGS_CHECK
	fi

	return
}


shared_libs_check() {

	#
	# This function checks shared library loading problems.
	# It is part of do_system_commands_checks and should precede or run
	# just after strings_check if enabled.
	#

	#
	# Remarks:
	# Oracle-10.1.0.3 on RHEL3 needs /etc/libcwait.so,
	# F-PROT Antivirus for GNU/Linux needs f-prot.so,
	# AVAYA Labs "stack overflow protection" uses libsafe.
	#

	if `check_test shared_libs`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST shared_libs
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 SHARED_LIBS_START
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST shared_libs
		fi

		return
	fi


	#
	# First check for preloading exported variables.
	#

	VARFOUND=""

	for VARNAME in LD_PRELOAD LD_AOUT_PRELOAD LD_ELF_PRELOAD; do
		VARNAME_VALUE_ORIG=`eval echo "\\$${VARNAME}"`
		VARNAME_VALUE=`echo "${VARNAME_VALUE_ORIG}" | tr ':' ' '`

		FOUND=0

		for FNAME in ${VARNAME_VALUE}; do
			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

			if [ -z "`echo \"${SHARED_LIB_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
				FOUND=1
			else
				display --to LOG --type INFO SHARED_LIBS_PRELOAD_LIB_WLIST "${FNAME}"
			fi
		done

		if [ $FOUND -eq 1 ]; then
			VARFOUND="${VARFOUND}
${VARNAME}=\"${VARNAME_VALUE_ORIG}\""
		fi
	done


	VARFOUND=`echo "${VARFOUND}" | sed -e '/^$/d'`

	if [ -z "${VARFOUND}" ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_VAR
	else
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_VAR

		IFS=$IFSNL

		for FNAME in ${VARFOUND}; do
			display --to LOG --type WARNING SHARED_LIBS_PRELOAD_VAR_FOUND "${FNAME}"
		done

		IFS=$RKHIFS
	fi


	#
	# Next check for a preload file.
	#

	FOUND=0
	PRELOAD_FILE="/etc/ld.so.preload"

	if [ -s "${PRELOAD_FILE}" ]; then
		RKHLIBLIST=""

		display --to LOG --type INFO SHARED_LIBS_PRELOAD_FILE_FOUND "${PRELOAD_FILE}"

		for FNAME in `grep -v '^#' "${PRELOAD_FILE}"`; do
			FOUND=1

			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

			if [ -z "`echo \"${SHARED_LIB_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
				RKHLIBLIST="${RKHLIBLIST} ${FNAME}"
			else
				display --to LOG --type INFO SHARED_LIBS_PRELOAD_LIB_WLIST "${FNAME}"
			fi
		done

		if [ -n "${RKHLIBLIST}" ]; then
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_FILE

			for FNAME in ${RKHLIBLIST}; do
				display --to LOG --type WARNING SHARED_LIBS_PRELOAD_LIB_FOUND "${FNAME}"
			done
		elif [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_FILE
		else
			display --to SCREEN+LOG --type PLAIN --result WHITELISTED --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_FILE
		fi
	else
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_FILE
	fi


	#
	# Finally we check the LD_LIBRARY_PATH. This check may be
	# disabled by the user if the 'ldd' command is not available.
	#

	if `check_test shared_libs_path`; then
		display --to LOG --type INFO --log-nl STARTING_TEST shared_libs_path

		if [ -n "${LDD_CMD}" ]; then
			if [ -n "${LD_LIBRARY_PATH}" ]; then
				LD_LIBR_FAILED=0
				RKHTMPVAR_BIN=""
				LD_LIBRARY_PATH_SAVED="${LD_LIBRARY_PATH}"

				if [ -z "${MD5_CMD}" ]; then
					MD5_CMD=`find_cmd md5sum`
					test -z "${MD5_CMD}" && MD5_CMD=`find_cmd md5`
				fi

				LS_CMD=`find_cmd ls`

				for RKHTMPVAR in FIND PS STRINGS MD5 LS STAT; do
					RKHTMPVAR=`eval echo "\\$${RKHTMPVAR}_CMD"`
					RKHTMPVAR=`echo "${RKHTMPVAR}" | cut -d' ' -f1`

					RKHTMPVAR_BIN="${RKHTMPVAR_BIN} ${RKHTMPVAR}"
				done

				for RKHTMPVAR in ${RKHTMPVAR_BIN}; do
					LD_LIBRARY_PATH="${LD_LIBRARY_PATH_SAVED}"
					export LD_LIBRARY_PATH
					RKHTMPVAR_WITH=`${LDD_CMD} ${RKHTMPVAR} | sed -e 's/(0x[0-9a-f]*)/0xHEX/' 2>&1`

					unset LD_LIBRARY_PATH
					RKHTMPVAR_WITHOUT=`${LDD_CMD} ${RKHTMPVAR} | sed -e 's/(0x[0-9a-f]*)/0xHEX/' 2>&1`

					if [ "${RKHTMPVAR_WITH}" != "${RKHTMPVAR_WITHOUT}" ]; then
						#
						# Testing one command should be "evidence" enough.
						#

						LD_LIBR_FAILED=1
						break
					fi
				done


				#
				# Reset things to the way they were before.
				#

				LD_LIBRARY_PATH="${LD_LIBRARY_PATH_SAVED}"
				export LD_LIBRARY_PATH

				if [ $LD_LIBR_FAILED -eq 0 ]; then
					display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH
				else
					display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH
					display --to LOG --type WARNING SHARED_LIBS_PATH_BAD "${LD_LIBRARY_PATH}"
				fi
			else
				display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH

			if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ldd '`" ]; then
				display --to LOG --type INFO DISABLED_CMD 'ldd'
			else
				display --to LOG --type INFO NOT_FOUND_CMD 'ldd'
			fi
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST shared_libs_path
	fi

	return
}


updt_rkhdat() {

	#
	# This function is part of the file properties check. It is
	# used to add and remove entries from the rkhunter.dat file.
	#

	get_temp_file "${RKHTMPDIR}/rkhunter.dat"
	RKHDAT_TMPFILE="${TEMPFILE}"

	get_temp_file "${RKHTMPDIR}/rkhunter.dat2"
	RKHDAT_TMPFILE2="${TEMPFILE}"

	touch "${RKHDAT_TMPFILE}" "${RKHDAT_TMPFILE2}"

	display --to LOG --type INFO CREATED_TEMP_FILE "${RKHDAT_TMPFILE}"
	display --to LOG --type INFO CREATED_TEMP_FILE "${RKHDAT_TMPFILE2}"

	cp -f -p "${RKHDAT_FILE}" "${RKHDAT_TMPFILE}"


	IFS=$IFSNL

	OLDRKHENTRIES=`echo "${OLDRKHENTRIES}" | sed -e '/^$/d'`

	for FNAME in ${OLDRKHENTRIES}; do
		if [ $FMTVERSION -eq 0 ]; then
			FILENAME=`echo "${FNAME}" | cut -d: -f2`
		else
			RKH_CC=`echo "${FNAME}" | cut -d: -f2`
			RKH_CC2=`expr 3 + $RKH_CC`

			FILENAME=`echo "${FNAME}" | cut -d: -f3-$RKH_CC2`
		fi

		display --to LOG --type INFO RKHDAT_DEL_OLD_ENTRY "`name2text \"${FILENAME}\"`"

		FNAMEGREP=`echo "${FNAME}" | sed -e 's:/:\\\/:g'`

		sed -e "/^${FNAMEGREP}$/d" "${RKHDAT_TMPFILE}" >"${RKHDAT_TMPFILE2}"

		cp -f "${RKHDAT_TMPFILE2}" "${RKHDAT_TMPFILE}"
	done


	NEWRKHENTRIES=`echo "${NEWRKHENTRIES}" | sed -e '/^$/d'`

	for FNAME in ${NEWRKHENTRIES}; do
		if [ $FMTVERSION -eq 0 ]; then
			FILENAME=`echo "${FNAME}" | cut -d: -f2`
		else
			RKH_CC=`echo "${FNAME}" | cut -d: -f2`
			RKH_CC2=`expr 3 + $RKH_CC`

			FILENAME=`echo "${FNAME}" | cut -d: -f3-$RKH_CC2`
		fi

		display --to LOG --type INFO RKHDAT_ADD_NEW_ENTRY "`name2text \"${FILENAME}\"`"

		echo "${FNAME}" >>"${RKHDAT_TMPFILE}"
	done

	IFS=$RKHIFS


	#
	# Now put the new rkhunter.dat file in place.
	#

	cp -f -p "${RKHDAT_FILE}" "${RKHDAT_FILE}.old" >/dev/null 2>&1
	cp -f "${RKHDAT_TMPFILE}" "${RKHDAT_FILE}" >/dev/null 2>&1
	ERRCODE=$?

	if [ $ERRCODE -ne 0 ]; then
		RET_CODE=1
		display --to LOG --type INFO CMD_ERROR "cp ${RKHDAT_TMPFILE} ${RKHDAT_FILE}" $ERRCODE
		display --to SCREEN+LOG --type WARNING PROPUPD_ERROR $ERRCODE
	else
		display --to LOG --type INFO PROPUPD_NEW_DAT_FILE "${DB_PATH}"
	fi

	chmod 600 "${RKHDAT_FILE}" >/dev/null 2>&1

	rm -f "${RKHDAT_TMPFILE}" "${RKHDAT_TMPFILE2}" >/dev/null 2>&1


	return
}


file_properties_check() {

	#
	# This function carries out a check of system command property
	# values checked against their previous value, which is stored
	# in the rkhunter.dat file. Other checks work on the current
	# file, and do not use any previously stored value (for example,
	# the immutable-bit check).
	#

	#
	# Each test will set the variable TEST_RESULT, and use it to
	# display the actual result. Typically a null string indicates
	# 'OK', and anything else is a 'Warning'.
	#

	TEST_RESULT=""
	NEWRKHENTRIES=""
	OLDRKHENTRIES=""
	WHITELIST_RESULT=""
	SKIP_ATTR=0; SKIP_HASH=0; SKIP_IMMUT=0; SKIP_SCRIPT=0
	USE_DAT_FILE=1
	SKIP_IMMUT_OS=0
	PROP_FILE_LIST_COUNT=0
	ADDNEWENTRY=0

	#
	# In order to disable the whole test we have to check if
	# each specific test has been disabled.
	#

	for RKHTMPVAR in attributes hashes immutable scripts; do
		if ! `check_test ${RKHTMPVAR}`; then
			case "${RKHTMPVAR}" in
			attributes)
				SKIP_ATTR=1
				;;
			hashes)
				SKIP_HASH=1
				;;
			immutable)
				SKIP_IMMUT=1
				;;
			scripts)
				SKIP_SCRIPT=1
				;;
			esac
		fi
	done

	#
	# The immutable-bit test is only applicable to Linux and
	# BSD systems. We need to disable the test, but not have
	# it logged as if the user had disabled it (that would be
	# confusing).
	#

	if [ $BSDOS -eq 0 -a $LINUXOS -eq 0 ]; then
		if [ $SKIP_IMMUT -eq 0 ]; then
			SKIP_IMMUT=1
			SKIP_IMMUT_OS=1
		fi
	fi

	if ! `check_test properties`; then
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST properties
		fi

		return
	elif [ $SKIP_ATTR -eq 1 -a $SKIP_HASH -eq 1 -a $SKIP_IMMUT -eq 1 -a $SKIP_SCRIPT -eq 1 ]; then
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST properties
		fi

		return
	else
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST properties
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 FILE_PROP_START
	fi


	#
	# If the user wants to skip a test then log it.
	#

	for RKHTMPVAR in attributes hashes immutable scripts; do
		case "${RKHTMPVAR}" in
		attributes)
			TEST_NAME=$SKIP_ATTR
			;;
		hashes)
			TEST_NAME=$SKIP_HASH
			;;
		scripts)
			TEST_NAME=$SKIP_SCRIPT
			;;
		immutable)
			TEST_NAME=0
			test $SKIP_IMMUT_OS -eq 0 && TEST_NAME=$SKIP_IMMUT
			;;
		esac

		if [ $TEST_NAME -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO USER_DISABLED_TEST ${RKHTMPVAR}
		fi
	done


	#
	# The first test we do is on the commands needed to
	# perform all the file checks. If the user has not
	# disabled any test, and a command is missing, then
	# we must let them know that without marking each file
	# test as a 'Warning' (because that could hide a real
	# problem). We include checks on the rkhunter.dat file
	# as well.
	#

	RKHTMPVAR=""

	if [ $SKIP_ATTR -eq 0 -a -z "${STAT_CMD}" ]; then
		SKIP_ATTR=1
		RKHTMPVAR="${RKHTMPVAR} attr"
	fi

	if [ $SKIP_HASH -eq 0 ]; then
		# Not sure about this one...!
		if [ -z "${OLD_PKGMGR}" -a -s ${RKHDAT_FILE} -a "${HASH_FUNC}" != "NONE" -a \( "${OLD_HASH_FUNC}" = "NONE" -o "${OLD_HASH_FUNC}" = "Disabled" -o -z "${OLD_HASH_FUNC}" \) ]; then
			SKIP_HASH=1
			RKHTMPVAR="${RKHTMPVAR} hash"

			if [ -n "${PRELINK_HASH}" ]; then
				HASH_FUNC_ERR="prelink with ${PRELINK_HASH}"
			else
				HASH_FUNC_ERR="${HASH_FUNC}"
			fi

			if [ -z "${OLD_HASH_FUNC}" ]; then
				OLD_HASH_FUNC_ERR="Unset"
			elif [ "${OLD_HASH_FUNC}" = "MD5" -o "${OLD_HASH_FUNC}" = "SHA1" ]; then
				# Oops! This can't be reached.
				OLD_HASH_FUNC_ERR="prelink with ${OLD_HASH_FUNC}"
			else
				OLD_HASH_FUNC_ERR="${OLD_HASH_FUNC}"
			fi

			if [ -z "${PKGMGR}" ]; then
				PKGMGR_ERR="Unset"
			else
				PKGMGR_ERR="${PKGMGR}"
			fi

			if [ -z "${OLD_PKGMGR}" ]; then
				OLD_PKGMGR_ERR="Unset"
			else
				OLD_PKGMGR_ERR="${OLD_PKGMGR}"
			fi
		fi


		if [ $SKIP_HASH_MSG -eq 1 ]; then
			SKIP_HASH=1
			RKHTMPVAR="${RKHTMPVAR} sha1"
		elif [ $SKIP_HASH_MSG -eq 2 ]; then
			SKIP_HASH=1
			RKHTMPVAR="${RKHTMPVAR} libsafe"
		fi
	fi

	if [ $SKIP_IMMUT -eq 0 ]; then
		if [ $BSDOS -eq 1 ]; then
			for FNAME in ${CONFIGFILE} ${LOCALCONFIGFILE} ${LOCALCONFDIRFILES} ${DB_PATH}/*.dat ${DB_PATH}/i18n/*; do
				test -f "${FNAME}" -a ! -h "${FNAME}" && break
			done

			if [ -z "`ls -lno \"${FNAME}\" 2>/dev/null`" ]; then
				SKIP_IMMUT=1
				RKHTMPVAR="${RKHTMPVAR} immutable-bsd"
			fi
		else
			if [ -z "${LSATTR_CMD}" ]; then
				SKIP_IMMUT=1
				RKHTMPVAR="${RKHTMPVAR} immutable"
			else
				for FNAME in ${CONFIGFILE} ${LOCALCONFIGFILE} ${LOCALCONFDIRFILES} ${DB_PATH}/*.dat ${DB_PATH}/i18n/*; do
					test -f "${FNAME}" -a ! -h "${FNAME}" && break
				done

				if [ -z "`${LSATTR_CMD} \"${FNAME}\" 2>/dev/null`" ]; then
					SKIP_IMMUT=1
					RKHTMPVAR="${RKHTMPVAR} immutable-cmd"
				fi
			fi
		fi
	fi

	if [ $SKIP_SCRIPT -eq 0 ]; then
		if [ -z "${FILE_CMD}" ]; then
			SKIP_SCRIPT=1
			RKHTMPVAR="${RKHTMPVAR} script"
		elif [ -z "`${FILE_CMD} \"${CONFIGFILE}\" 2>/dev/null`" ]; then
			SKIP_SCRIPT=1
			RKHTMPVAR="${RKHTMPVAR} script-cmd"
		fi
	fi

	if [ $SKIP_ATTR -eq 0 -o $SKIP_HASH -eq 0 ]; then
		if [ ! -f "${RKHDAT_FILE}" ]; then
			SKIP_HASH=1
			SKIP_ATTR=1
			USE_DAT_FILE=0
			RKHTMPVAR="${RKHTMPVAR} missing"
		fi

		if [ $USE_DAT_FILE -eq 1 -a ! -s ${RKHDAT_FILE} ]; then
			SKIP_HASH=1
			SKIP_ATTR=1
			USE_DAT_FILE=0
			RKHTMPVAR="${RKHTMPVAR} empty"
		fi
	else
		#
		# If we are not checking the file attributes or
		# the hash value, then we don't need to look at
		# the rkhunter.dat file. The other tests can be
		# done without the file.
		#

		USE_DAT_FILE=0
	fi

	#
	# If the O/S has changed in some way, and we are not just reporting warnings,
	# and O/S warnings are enabled, then show a warning in the prerequisites test.
	#

	if [ $OS_CHANGED -eq 1 -a $SHOWWARNINGSONLY -eq 0 -a $WARN_ON_OS_CHANGE -eq 1 ]; then
		RKHTMPVAR="${RKHTMPVAR} os_changed"
	fi

	#
	# If all the previous checks have disabled all the tests,
	# then we tell the user and then return.
	#

	if [ $SKIP_ATTR -eq 1 -a $SKIP_HASH -eq 1 -a $SKIP_IMMUT -eq 1 -a $SKIP_SCRIPT -eq 1 ]; then
		RKHTMPVAR="${RKHTMPVAR} notests"
	fi


	#
	# Display the results.
	#

	if [ $SKIP_IMMUT_OS -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO FILE_PROP_IMMUT_OS
	fi

	if [ $IMMUTABLE_SET -eq 1 ]; then
		display --to LOG --type INFO FILE_PROP_IMMUT_SET
	fi

	if [ $SKIP_INODE_CHECK -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO FILE_PROP_SKIP_INODE
	fi

	if [ -z "${RKHTMPVAR}" ]; then
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result OK --color GREEN FILE_PROP_CMDS
	else
		SUMMARY_PROP_REQCMDS=1

		display --to SCREEN+LOG --type WARNING --screen-indent 4 --log-indent 2 --result WARNING --color RED FILE_PROP_CMDS


		RKHTMPVAR2=0

		for TEST_RESULT in ${RKHTMPVAR}; do
			case "${TEST_RESULT}" in
			attr)
				if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' stat '`" ]; then
					display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_ATTR_DISABLED
				else
					display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_ATTR
				fi
				;;
			hash|prelink|sha1|libsafe)
				if [ $RKHTMPVAR2 -eq 0 ]; then
					RKHTMPVAR2=1
					display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_HASH
				fi

				case "${TEST_RESULT}" in
				hash)
					display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_FUNC "${HASH_FUNC_ERR}" "${PKGMGR_ERR}" "${OLD_HASH_FUNC_ERR}" "${OLD_PKGMGR_ERR}"
					;;
				prelink)
					display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_PRELINK
					;;
				sha1)
					display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_SHA1
					;;
				libsafe)
					display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_LIBSAFE
					;;
				esac
				;;
			immutable)
				if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' lsattr '`" ]; then
					display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_IMMUT_DISABLED
				else
					display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_IMMUT
				fi
				;;
			immutable-bsd)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_IMMUT_CMD 'ls -lno'
				;;
			immutable-cmd)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_IMMUT_CMD 'lsattr'
				;;
			script)
				if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' file '`" ]; then
					display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_SCRIPT_DISABLED
				else
					display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_SCRIPT
				fi
				;;
			script-cmd)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_FILE_CMD
				;;
			os_changed)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_OS_CHANGED
				;;
			missing)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_DAT_MISSING
				display --to LOG --type INFO FILE_PROP_DAT_MISSING_INFO
				;;
			empty)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_DAT_EMPTY
				display --to LOG --type INFO FILE_PROP_DAT_MISSING_INFO
				;;
			esac
		done


		if [ -n "`echo \"${RKHTMPVAR}\" | egrep 'libsafe|missing|empty'`" ]; then
			display --to LOG --type WARNING --nl PROPUPD_WARN
		fi

		if [ -n "`echo \"${RKHTMPVAR}\" | grep 'notests'`" ]; then
			display --to LOG --type WARNING --nl FILE_PROP_SKIP_ALL
			return
		fi
	fi


	#
	# Set up some local variables depending on what
	# commands we have available.
	#

	if [ $SKIP_ATTR -eq 1 ]; then
		SCMD=""
		INODECMD=""
	else
		if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
			if [ "${PKGMGR}" = "SOLARIS" ]; then
				SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --mtime"
			else
				SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --Mtime"
			fi

			INODECMD="${STAT_CMD} --modeoct --raw --ino"
		elif [ $BSDOS -eq 1 -o $MACOSX -eq 1 ]; then
			SCMD="${STAT_CMD} -f '%i %Mp%Lp %u %g %z %m:'"
			INODECMD="${STAT_CMD} -f '%i'"
		else
			SCMD="${STAT_CMD} -c '%i 0%a %u %g %s %Y:'"
			INODECMD="${STAT_CMD} -c '%i'"
		fi
	fi

	if [ $SKIP_HASH -eq 1 ]; then
		SYSHASH=""
		HASH_CMD=""
	else
		HASH_CMD="${HASH_FUNC}"
	fi


	#
	# Next we have to recreate the list of pathnames for the
	# file properties checks. We need to recreate it because
	# the root PATH may have changed, and so there may be more
	# directories to be checked. However, if we have just run
	# the '--propupd' option, then we can skip this.
	#

	test $PROP_UPDATE -eq 0 && create_rkh_file_prop_list


	#
	# We need the current 'rkhunter.dat' file format.
	#

	if [ $USE_DAT_FILE -eq 1 ]; then
		FMTVERSION=`grep '^FormatVersion:' "${RKHDAT_FILE}" | cut -d: -f2`

		test -z "${FMTVERSION}" && FMTVERSION=0
	else
		FMTVERSION=0
	fi


	#
	# Now loop through each of the files and perform the tests on each one.
	#
	# We must set IFS around this loop, otherwise any names in the file
	# properties list containing whitespace will be separated out.
	# However, because IFS interacts with some commands, executed via
	# backticks, we must then reset IFS for the duration of the loop
	# and set it again at the end of the loop. It's messy, but it works.
	#

	IFS=$IFSNL

	VERIFIED_PKG_LIST=""

	for FNAME in `cat "${RKH_FILEPROP_LIST}"`; do
		SYSLNK=""
		FILENAME=""
		FNAMEGREP=""
		TEST_RESULT=""
		WHITELIST_RESULT=""

		RKH_CC=0
		SYSLNK_CC=0
		NOVRFYFILE=0
		ADDNEWENTRY=0
		COLON_COUNT=0
		FILE_IS_PKGD=0
		DEPENDENCY_ERR=0
		HASH_TEST_PASSED=0
		SIZE_TEST_PASSED=0

		IFS=$RKHIFS


		#
		# We first need to test if the file exists or not,
		# and if the file is listed in the rkhunter.dat
		# file or not. This can indicate files that have
		# appeared on or disappeared from the system.
		#

		FNAME=`echo "${FNAME}" | sed -e 's/^"\(.*\)"$/\1/'`

		if [ -f "${FNAME}" -o -h "${FNAME}" ]; then
			FILE_EXISTS=1
			PROP_FILE_LIST_COUNT=`expr ${PROP_FILE_LIST_COUNT} + 1`
		else
			FILE_EXISTS=0
		fi

		if [ $USE_DAT_FILE -eq 1 ]; then
			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

			if [ $FMTVERSION -eq 0 ]; then
				RKHLINE=`grep "^File:${FNAMEGREP}:" "${RKHDAT_FILE}"`
			else
				COLON_COUNT=`echo "${FNAME}" | tr -c -d ':' | wc -c | tr -d ' '`

				RKHLINE=`grep "^File:${COLON_COUNT}:${FNAMEGREP}:" "${RKHDAT_FILE}"`
			fi

			if [ $FILE_EXISTS -eq 1 -a -z "${RKHLINE}" ]; then
				if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					#
					# We need to add the file to the rkhunter.dat file.
					# We add a dummy entry to start with, but it must contain values.
					#

					ADDNEWENTRY=1

					if [ -h "${FNAME}" -a $HAVE_READLINK -eq 1 ]; then
						SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
					fi

					if [ $FMTVERSION -eq 0 ]; then
						RKHLINE="File:${FNAME}:1:1:1:1:1:1:1::${SYSLNK}:"
					else
						SYSLNK_CC=`echo "${SYSLNK}" | tr -c -d ':' | wc -c | tr -d ' '`

						RKHLINE="File:${COLON_COUNT}:${FNAME}:1:1:1:1:1:1:1::${SYSLNK_CC}:${SYSLNK}:"
					fi
				else
					TEST_RESULT="${TEST_RESULT} norkhline"
				fi
			elif [ $FILE_EXISTS -eq 0 ]; then
				if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					if [ -n "${RKHLINE}" ]; then
						#
						# We need to remove the file from the rkhunter.dat file.
						#

						OLDRKHENTRIES="${OLDRKHENTRIES}
${RKHLINE}"
					fi
				elif [ -n "${RKHLINE}" ]; then
					PROP_FAILED_COUNT=`expr ${PROP_FAILED_COUNT} + 1`

					display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result WARNING --color RED NAME "`name2text \"${FNAME}\"`"
					display --to LOG --type WARNING FILE_PROP_FILE_NOT_EXIST "`name2text \"${FNAME}\"`"
				fi

				IFS=$IFSNL

				continue
			fi
		elif [ $FILE_EXISTS -eq 1 ]; then
			RKHLINE=""
			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
		else
			IFS=$IFSNL
			continue
		fi


		#
		# Start the tests.
		#

		SYSUID=0
		SYSGID=0
		SYSDTM=0
		SYSSIZE=0
		SYSPERM=0
		SYSINODE=0

		RKHLNK=""
		SYSHASH=""

		if [ $USE_DAT_FILE -eq 1 -a -n "${RKHLINE}" ]; then
			FDATA=""
			RPM_QUERY_RESULT=""
			PKGMGR_VERIFY_RESULT=""

			#
			# We need to calculate if the filename (in the file) has any colons in it.
			# We then set RKH_CC to point to the field after the filename (the hash field).
			#

			if [ $FMTVERSION -eq 0 ]; then
				RKH_CC=3
			else
				RKH_CC=`echo "${RKHLINE}" | cut -d: -f2`
				RKH_CC=`expr 4 + $RKH_CC`
			fi

			#
			# See if the file is to be exempt from any package manager verification.
			#

			if [ -n "`echo \"${PKGMGRNOVRFY}\" | grep \"^${FNAMEGREP}$\"`" ]; then
				NOVRFYFILE=1
			fi


			#
			# Because the RPM package manager can verify most of the tests we are
			# doing, we obtain the verified data now. The Solaris package manager
			# provides some data, but does not verify it against the values on disk.
			# With all the package managers we have to obtain unverified data by
			# using commands. The other package managers, at present, only provide
			# the MD5 checksum. As such we simply handle them within the hash test.
			#

			if [ "${PKGMGR}" = "RPM" ]; then
				#
				# First we see if the file is exempt or part of a package.
				#

				if [ $NOVRFYFILE -eq 0 ]; then
					PKGNAME_ARCH=`${RPM_CMD} -qf "${FNAME}" --queryformat '%{N}-%{V}-%{R}.%{ARCH}\n' 2>/dev/null`
					ERRCODE=$?

					if [ $ERRCODE -eq 0 ]; then
						#
						# Okay we have a package name. Is it in the list
						# of packages we have already tested as verified?
						#
						# If multiple packages claim the same file, we use
						# 64-bit over 32-bit, or simply the last one.
						#

						FILE_IS_PKGD=1

						PKGNAME=`echo "${PKGNAME_ARCH}" | egrep '\.(x86_64|ia64)$' 2>/dev/null | tail ${TAIL_OPT}1`

						test -z "${PKGNAME}" && PKGNAME=`echo "${PKGNAME_ARCH}" | tail ${TAIL_OPT}1`

						RKHTMPVAR=`echo "${PKGNAME}" | sed -e 's/\./\\\./g'`

						if [ -z "`echo \"${VERIFIED_PKG_LIST}\" | grep \" ${RKHTMPVAR} \"`" ]; then
							#
							# No, it isn't in the list. So we verify the package
							# and either add it to the list if it verifies okay,
							# or get the verification result for the file.
							#

							PKGMGR_VERIFY_RESULT=`${RPM_CMD} -V "${PKGNAME}" 2>&1`

							if [ -z "${PKGMGR_VERIFY_RESULT}" ]; then
								VERIFIED_PKG_LIST="${VERIFIED_PKG_LIST} ${PKGNAME} "
							else
								if [ -n "`echo \"${PKGMGR_VERIFY_RESULT}\" | grep \"prelink.* ${FNAME}.* dependenc\"`" ]; then
									DEPENDENCY_ERR=1
								fi

								PKGMGR_VERIFY_RESULT=`echo "${PKGMGR_VERIFY_RESULT}" | grep " ${FNAMEGREP}\$" | cut -d' ' -f1`
							fi
						fi


						#
						# The package manager check does not verify all the items
						# we check. So we still need to dig out the rest of the
						# information about this file from the package manager database.
						# Note that the filenames are displayed at the end of the rpm output.
						# This means that any filename containing a colon will not cause
						# a problem.
						#

						RPM_QUERY_RESULT=`${RPM_CMD} -q --queryformat '[%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{FILELINKTOS}:%{FILENAMES}\n]' "${PKGNAME}" 2>/dev/null | grep ":${FNAMEGREP}\$"`
						ERRCODE=$?

						#
						# The error code actually refers to the 'grep' command above. If the
						# file is not found in the package, then this is probably due to the
						# 'bin' directory being a link. So we change the filename, and retest.
						#

						if [ $ERRCODE -eq 1 -a $BINISLINK -eq 1 ]; then
							if [ -n "`echo \"${FNAME}\" | grep '^\/usr\/'`" ]; then
								RKHTMPVAR3=`echo "${FNAMEGREP}" | sed -e 's:^/usr::'`
							else
								RKHTMPVAR3="/usr${FNAMEGREP}"
							fi

							RPM_QUERY_RESULT=`${RPM_CMD} -q --queryformat '[%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{FILELINKTOS}:%{FILENAMES}\n]' "${PKGNAME}" 2>/dev/null | grep ":${RKHTMPVAR3}\$"`
							ERRCODE=$?
						fi

						if [ $ERRCODE -eq 0 ]; then
							RPM_QUERY_RESULT=`echo "${RPM_QUERY_RESULT}" | tail ${TAIL_OPT}1`

							FPERM="0`echo \"${RPM_QUERY_RESULT}\" | cut -d: -f1 | cut -c 3-`"
							FPERM=`echo "${FPERM}" | sed -e 's/^00/0/'`

							RKHUID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f2`
							RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`

							RKHGID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f3`
							RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`

							RKHSIZE=`echo "${RPM_QUERY_RESULT}" | cut -d: -f4`

							RKHDTM=`echo "${RPM_QUERY_RESULT}" | cut -d: -f5`

							if [ -h "${FNAME}" ]; then
								RKHLNK=`echo "${RPM_QUERY_RESULT}" | cut -d: -f7`

								if [ -z "`echo \"${RKHLNK}\" | grep '^/'`" ]; then
									test -n "${DIRNAME_CMD}" && DIR=`${DIRNAME_CMD} "${FNAME}"` || DIR=`echo "${FNAME}" | sed -e 's:/[^/]*$::'`

									RKHLNK="${DIR}/${RKHLNK}"
								fi

								# This ensures the link target has things like '..' removed.
								test $HAVE_READLINK -eq 1 && RKHLNK=`${READLINK_CMD} ${READLINK_OPT} "${RKHLNK}"`
							fi

							FDATA="${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}:"
						else
							#
							# If, for some reason, we cannot get the package information,
							# then treat it as if it returned all null values.
							#

							FDATA=":::::"
							display --to LOG --type INFO CMD_ERROR "rpm -qf --queryformat... \"${FNAME}\" (${PKGNAME})" $ERRCODE
						fi

						#
						# Now get the inode value directly from the disk,
						# but only if prelinking is not being used.
						#

						RKHTMPVAR=""

						if [ $PRELINKED -eq 0 -a -n "${INODECMD}" ]; then
							RKHTMPVAR=`eval ${INODECMD} "\"${FNAME}\"" 2>/dev/null | tr -d ' '`
						fi

						FDATA="${RKHTMPVAR}:${FDATA}"
					fi
				fi
			elif [ "${PKGMGR}" = "SOLARIS" ]; then
				#
				# First we see if the file is exempt or part of a package.
				#

				if [ $NOVRFYFILE -eq 1 ]; then
					ERRCODE=1
				else
					RKHTMPVAR=`grep "^${FNAMEGREP} " /var/sadm/install/contents 2>/dev/null`
					test -n "${RKHTMPVAR}" && ERRCODE=0 || ERRCODE=1
				fi

				if [ $ERRCODE -eq 0 ]; then
					#
					# We will rebuild the RKHLINE value with the values from
					# the package manager database. We can then verify it just
					# as if it had been read from the RKH database.
					#

					FPERM=`echo "${RKHTMPVAR}" | cut -d' ' -f4`

					RKHUID=`echo "${RKHTMPVAR}" | cut -d' ' -f5`
					RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`

					RKHGID=`echo "${RKHTMPVAR}" | cut -d' ' -f6`
					RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`

					RKHSIZE=`echo "${RKHTMPVAR}" | cut -d' ' -f7`

					if [ $USE_SUNSUM -eq 1 ]; then
						# Treat this as a fully packaged file.
						FILE_IS_PKGD=1
						RKHHASH=`echo "${RKHTMPVAR}" | cut -d' ' -f8`
					else
						RKHHASH=`echo "${RKHLINE}" | cut -d: -f$RKH_CC`
					fi

					RKHDTM=`echo "${RKHTMPVAR}" | cut -d' ' -f9`

					#
					# Now get the inode value.
					#

					RKHTMPVAR=""

					test -n "${INODECMD}" && RKHTMPVAR=`eval ${INODECMD} "\"${FNAME}\"" 2>/dev/null | tr -d ' '`

					#
					# Finally, get the file name. To do this we adjust RKH_CC back one field.
					#

					RKH_CC2=`expr $RKH_CC - 1`
					RKHTMPVAR2=`echo "${RKHLINE}" | cut -d: -f1-$RKH_CC2`

					#
					# Now put it all together.
					#

					RKHLINE="${RKHTMPVAR2}:${RKHHASH}:${RKHTMPVAR}:${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}"
				fi
			fi


			#
			# Do the file hash value check.
			#

			if [ $SKIP_HASH -eq 0 ]; then
				#
				# First we get all the package manager results.
				#

				case "${PKGMGR}" in
				RPM)
					;;
				DPKG)
					#
					# First see if the file is exempt or part of a known package.
					#

					if [ $NOVRFYFILE -eq 1 ]; then
						PKGNAME=""
					else
						PKGNAME=`${DPKG_CMD} --search "${FNAME}" 2>/dev/null | cut -d: -f1`
					fi

					if [ -n "${PKGNAME}" -a -f "/var/lib/dpkg/info/${PKGNAME}.md5sums" ]; then
						FNGREP=`echo "${FNAMEGREP}" | sed -e 's:^/::'`

						SYSHASH=`egrep "( |\./)${FNGREP}\$" "/var/lib/dpkg/info/${PKGNAME}.md5sums" | cut -d' ' -f1`

						if [ -n "${SYSHASH}" ]; then
							FILE_IS_PKGD=1
							RKHTMPVAR=`${PKGMGR_MD5_HASH} "${FNAME}" 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`

							if [ "${RKHTMPVAR}" != "${SYSHASH}" ]; then
								PKGMGR_VERIFY_RESULT="5"

								if [ -n "`${PKGMGR_MD5_HASH} "${FNAME}" 2>&1 | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
									DEPENDENCY_ERR=1
								fi
							fi
						fi
					fi
					;;
				BSD)
					#
					# First see if the file is exempt or part of a known package.
					#

					PKGNAME=""

					if [ $NOVRFYFILE -eq 0 ]; then
						RKHTMPVAR=`${PKG_CMD} -F -e "${FNAME}" 2>/dev/null`
						ERRCODE=$?

						if [ $ERRCODE -ne 0 ]; then
							#
							# It may be that we need to use the '-W' option instead.
							#

							RKHTMPVAR=`${PKG_CMD} -q -W "${FNAME}" 2>/dev/null`
							ERRCODE=$?
						fi

						if [ $ERRCODE -eq 0 -a -n "${RKHTMPVAR}" ]; then
							PKGNAME=`echo "${RKHTMPVAR}" | tail ${TAIL_OPT}1`
						fi
					fi

					if [ -n "${PKGNAME}" ]; then
						#
						# Next strip off the '/usr/pkg/' or '/usr/local/' from the
						# pathname, and then get the hash value.
						#

						FNGREP=`echo "${FNAMEGREP}" | sed -e 's:^/usr/pkg/::; s:^/usr/local/::'`

						SYSHASH=`${PKG_CMD} -v -L "${PKGNAME}" 2>/dev/null | grep -A 1 "File: ${FNGREP}\$" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f3`

						if [ -n "${SYSHASH}" ]; then
							FILE_IS_PKGD=1
							RKHTMPVAR=`${PKGMGR_MD5_HASH} "${FNAME}" 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`

							if [ "${RKHTMPVAR}" != "${SYSHASH}" ]; then
								PKGMGR_VERIFY_RESULT="5"

								if [ -n "`${PKGMGR_MD5_HASH} "${FNAME}" 2>&1 | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
									DEPENDENCY_ERR=1
								fi
							fi
						fi
					fi
					;;
				BSDNG)
					#
					# First see if the file is exempt or part of a known package.
					#

					if [ $NOVRFYFILE -eq 1 ]; then
						PKGNAME=""
					else
						RKHTMPVAR=`${PKG_CMD} which -q "${FNAME}" 2>/dev/null`
						ERRCODE=$?

						test $ERRCODE -eq 0 && PKGNAME="${RKHTMPVAR}" || PKGNAME=""
					fi

					if [ -n "${PKGNAME}" ]; then
						SYSHASH=`${PKG_CMD} query '%Fp: %Fs' ${PKGNAME} 2>/dev/null | grep "^${FNAME}: " 2>/dev/null | sed -r -e 's/^.*: (1\\$)?([A-Fa-f0-9]+)$/\2/'`

						if [ -n "${SYSHASH}" ]; then
							FILE_IS_PKGD=1
							RKHTMPVAR=`${PKGMGR_SHA_HASH} "${FNAME}" 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`

							if [ "${RKHTMPVAR}" != "${SYSHASH}" ]; then
								PKGMGR_VERIFY_RESULT="5"

								if [ -n "`${PKGMGR_SHA_HASH} "${FNAME}" 2>&1 | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
									DEPENDENCY_ERR=1
								fi
							fi
						fi
					fi
					;;
				SOLARIS)
					#
					# We only use the Solaris package manager
					# hash value if we have been told to do so.
					#

					if [ $NOVRFYFILE -eq 0 -a $USE_SUNSUM -eq 1 ]; then
						SYSHASH="${RKHHASH}"

						RKHTMPVAR=`${SUM_CMD} "${FNAME}" 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`

						if [ "${RKHTMPVAR}" != "${SYSHASH}" ]; then
							PKGMGR_VERIFY_RESULT="5"
						fi
					fi
					;;
				esac


				#
				# Now see if we need to work out the hash value or not.
				#

				RKHHASH=`echo "${RKHLINE}" | cut -d: -f$RKH_CC`

				if [ $FILE_IS_PKGD -eq 1 ]; then
					if [ "${RKHHASH}" = "ignore-prelink-dep-err" ]; then
						if [ $DEPENDENCY_ERR -eq 1 ]; then
							DEPENDENCY_ERR=0
							PKGMGR_VERIFY_RESULT=""
							display --to LOG --type INFO FILE_PROP_IGNORE_PRELINK_DEP_ERR "`name2text \"${FNAME}\"`"
						else
							PKGMGR_VERIFY_RESULT="5"
						fi
					fi

					if [ -z "`echo \"${PKGMGR_VERIFY_RESULT}\" | egrep '5|(^..\?)'`" ]; then
						HASH_TEST_PASSED=1
					else
						TEST_RESULT="${TEST_RESULT} verify:hashchanged"
					fi
				else
					#
					# The file is not part of a package. So we need
					# to compare the on-disk hash value against the
					# value in the rkhunter.dat file.
					#
					# First see if we have a stored hash value.
					#

					RKHTMPVAR=0

					if [ -z "${RKHHASH}" ]; then
						if [ "${HASH_CMD}" = "NONE" ]; then
							:
						else
							#
							# Broken links may not give a hash value, so we must check to see if the link is whitelisted.
							#

							if [ -h "${FNAME}" -a $HAVE_READLINK -eq 1 ]; then
								# Check the link target to see if it is whitelisted.

								if [ -z "${SYSLNK}" ]; then
									SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
								fi

								FNGREP=`echo "${SYSLNK}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

								if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNGREP}$\"`" ]; then
									RKHTMPVAR=1

									if [ ! -e "${FNAME}" -a $VERBOSE_LOGGING -eq 1 ]; then
										# Only log this if it is a broken link.
										display --to LOG --type INFO FILE_PROP_BROKEN_LINK_WL_TGT "`name2text \"${FNAME}\"`" "`name2text \"${SYSLNK}\"`"
									fi
								fi
							fi

							test $RKHTMPVAR -eq 0 && TEST_RESULT="${TEST_RESULT} norkhhash"
						fi
					fi

					if [ $RKHTMPVAR -eq 0 -a -z "${TEST_RESULT}" ]; then
						if [ "${HASH_CMD}" = "NONE" ]; then
							SYSHASH=""
						else
							SYSHASH=`${HASH_CMD} "${FNAME}" 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`

							if [ -z "${SYSHASH}" ]; then
								if [ -n "`${HASH_CMD} "${FNAME}" 2>&1 | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
									if [ "${RKHHASH}" = "ignore-prelink-dep-err" ]; then
										SYSHASH="${RKHHASH}"
										display --to LOG --type INFO FILE_PROP_IGNORE_PRELINK_DEP_ERR "`name2text \"${FNAME}\"`"
									else
										DEPENDENCY_ERR=1
									fi
								fi
							fi
						fi

						if [ "${RKHHASH}" != "${SYSHASH}" ]; then
							#
							# We must test for cases where a symbolic link becomes broken. In those
							# cases the link would have had a hash value, but will now have none.
							# If it was whitelisted, then we should not give a warning.
							#

							if [ -h "${FNAME}" -a ! -e "${FNAME}" ]; then
								if [ $HAVE_READLINK -eq 1 ]; then
									# Check the link target to see if it is whitelisted.

									if [ -z "${SYSLNK}" ]; then
										SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
									fi

									FNGREP=`echo "${SYSLNK}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

									if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNGREP}$\"`" ]; then
										if [ $VERBOSE_LOGGING -eq 1 ]; then
											display --to LOG --type INFO FILE_PROP_BROKEN_LINK_WL_TGT "`name2text \"${FNAME}\"`" "`name2text \"${SYSLNK}\"`"
										fi
									else
										TEST_RESULT="${TEST_RESULT} hashchanged"
									fi
								else
									TEST_RESULT="${TEST_RESULT} hashchanged"
								fi
							else
								TEST_RESULT="${TEST_RESULT} hashchanged"
							fi
						fi
					fi
				fi


				#
				# Because the BSD and DPKG package managers only provide the MD5
				# checksum, and the Solaris package manager does not provide verified
				# data, we can assume that any file which is part of a package after
				# this test must be an RPM file.
				#

				test "${PKGMGR}" != "RPM" && FILE_IS_PKGD=0
			fi


			#
			# Do the file attributes checks.
			#
			# This checks the files permissions, and the uid/gid.
			# The file permissions are also checked to see if 'w'
			# has been allowed for all users. If prelinking is not
			# in use then the inode, file size, and modification
			# date-time are checked as well.
			#

			if [ $SKIP_ATTR -eq 0 ]; then
				#
				# First check to see if the file is whitelisted here,
				# just the once. It is better than checking after
				# each individual attribute test.
				#

				WL_FILE=""

				if [ -n "`echo \"${ATTRWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					WL_FILE="whitelisted"
					WHITELIST_RESULT="${WHITELIST_RESULT} attr"
				fi

				if [ -z "${FDATA}" ]; then
					FDATA=`eval ${SCMD} "\"${FNAME}\"" 2>/dev/null | tr ' ' ':'`

					# Ensure the file permissions consist of only 4 digits.
					if [ -n "`echo ${FDATA} | grep '^[^:]*:0[0-9][0-9][0-9][0-9]:'`" ]; then
						FDATA=`echo $FDATA | sed -e 's/^\([^:]*:\)0\(.*\)$/\1\2/'`
					fi
				fi

				if [ -z "${WL_FILE}" -a -n "${FDATA}" ]; then
					#
					# Check the file permissions.
					#

					if [ $FILE_IS_PKGD -eq 1 ]; then
						echo "${PKGMGR_VERIFY_RESULT}" | egrep 'M|(^.\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:permchanged"
					else
						RKH_CC2=`expr $RKH_CC + 2`

						RKHPERM=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
						SYSPERM=`echo ${FDATA} | cut -d: -f2`

						if [ -n "${RKHPERM}" ]; then
							test "${RKHPERM}" != "${SYSPERM}" && TEST_RESULT="${TEST_RESULT} permchanged"
						else
							TEST_RESULT="${TEST_RESULT} norkhperm"
						fi
					fi


					#
					# Check the file user-id.
					#

					if [ $FILE_IS_PKGD -eq 1 ]; then
						echo "${PKGMGR_VERIFY_RESULT}" | egrep 'U|(^.....\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:uidchanged"
					else
						RKH_CC2=`expr $RKH_CC + 3`

						RKHUID=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
						SYSUID=`echo ${FDATA} | cut -d: -f3`

						if [ -n "${RKHUID}" ]; then
							test "${RKHUID}" != "${SYSUID}" && TEST_RESULT="${TEST_RESULT} uidchanged"
						else
							TEST_RESULT="${TEST_RESULT} norkhuid"
						fi
					fi


					#
					# Check the file group-id.
					#

					if [ $FILE_IS_PKGD -eq 1 ]; then
						echo "${PKGMGR_VERIFY_RESULT}" | egrep 'G|(^......\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:gidchanged"
					else
						RKH_CC2=`expr $RKH_CC + 4`

						RKHGID=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
						SYSGID=`echo ${FDATA} | cut -d: -f4`

						if [ -n "${RKHGID}" ]; then
							test "${RKHGID}" != "${SYSGID}" && TEST_RESULT="${TEST_RESULT} gidchanged"
						else
							TEST_RESULT="${TEST_RESULT} norkhgid"
						fi
					fi


					#
					# Check the file inode number.
					#

					if [ $PRELINKED -eq 0 ]; then
						RKH_CC2=`expr $RKH_CC + 1`

						RKHINODE=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
						SYSINODE=`echo ${FDATA} | cut -d: -f1`

						if [ $SKIP_INODE_CHECK -eq 0 ]; then
							if [ -n "${RKHINODE}" ]; then
								test "${RKHINODE}" != "${SYSINODE}" && TEST_RESULT="${TEST_RESULT} inodechanged"
							else
								TEST_RESULT="${TEST_RESULT} norkhinode"
							fi
						fi
					fi


					#
					# Check the file size.
					#

					if [ $FILE_IS_PKGD -eq 1 ]; then
						if [ -z "`echo \"${PKGMGR_VERIFY_RESULT}\" | egrep 'S|(^\?)'`" ]; then
							SIZE_TEST_PASSED=1
						else
							TEST_RESULT="${TEST_RESULT} verify:sizechanged"
						fi
					elif [ $PRELINKED -eq 0 -o $FILE_IS_PKGD -eq 0 ]; then
						RKH_CC2=`expr $RKH_CC + 5`

						RKHSIZE=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
						SYSSIZE=`echo ${FDATA} | cut -d: -f5`

						if [ -n "${RKHSIZE}" ]; then
							if [ "${RKHSIZE}" = "${SYSSIZE}" ]; then
								SIZE_TEST_PASSED=1
							else
								TEST_RESULT="${TEST_RESULT} sizechanged"
							fi
						else
							TEST_RESULT="${TEST_RESULT} norkhsize"
						fi
					fi


					#
					# Check the file modification date-time.
					#

					if [ $FILE_IS_PKGD -eq 1 ]; then
						echo "${PKGMGR_VERIFY_RESULT}" | egrep 'T|(^.......\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:dtmchanged"
					elif [ $PRELINKED -eq 0 -o $FILE_IS_PKGD -eq 0 ]; then
						RKH_CC2=`expr $RKH_CC + 6`

						RKHDTM=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
						SYSDTM=`echo ${FDATA} | cut -d: -f6`

						if [ -n "${RKHDTM}" ]; then
							test "${RKHDTM}" != "${SYSDTM}" && TEST_RESULT="${TEST_RESULT} dtmchanged"
						else
							TEST_RESULT="${TEST_RESULT} norkhdtm"
						fi
					fi


					#
					# If the file is a link, then check that the target has not changed.
					#

					if [ -h "${FNAME}" ]; then
						if [ $FILE_IS_PKGD -eq 1 ]; then
							if [ -n "`echo \"${PKGMGR_VERIFY_RESULT}\" | egrep 'L|(^....\?)'`" ]; then
								if [ $HAVE_READLINK -eq 1 ]; then
									# Check the link target to see if it is whitelisted.

									if [ -z "${SYSLNK}" ]; then
										SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
									fi

									FNGREP=`echo "${SYSLNK}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

									if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNGREP}$\"`" ]; then
										if [ $VERBOSE_LOGGING -eq 1 ]; then
											test -z "${SYSLNK}" && RKHTMPVAR="Unavailable" || RKHTMPVAR=${SYSLNK}
											display --to LOG --type INFO FILE_PROP_LINK_WL "`name2text \"${FNAME}\"`" "`name2text \"${RKHTMPVAR}\"`"
										fi
									else
										TEST_RESULT="${TEST_RESULT} verify:linkchanged"
									fi
								else
									TEST_RESULT="${TEST_RESULT} verify:linkchanged"
								fi
							fi
						else
							RKH_CC2=`expr $RKH_CC + 8`
							SYSLNK_CC=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`

							RKH_CC2=`expr $RKH_CC + 9`
							SYSLNK_CC=`expr $RKH_CC2 + $SYSLNK_CC`

							RKHLNK=`echo ${RKHLINE} | cut -d: -f${RKH_CC2}-${SYSLNK_CC}`

							if [ $HAVE_READLINK -eq 1 -a -z "${SYSLNK}" ]; then
								SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
							fi

							if [ -n "${RKHLNK}" ]; then
								if [ "${RKHLNK}" != "${SYSLNK}" ]; then
									FNGREP=`echo "${SYSLNK}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

									if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNGREP}$\"`" ]; then
										if [ $VERBOSE_LOGGING -eq 1 ]; then
											test -z "${SYSLNK}" && RKHTMPVAR="Unavailable" || RKHTMPVAR="${SYSLNK}"
											display --to LOG --type INFO FILE_PROP_LINK_WL "`name2text \"${FNAME}\"`" "`name2text \"${RKHTMPVAR}\"`"
										fi
									else
										TEST_RESULT="${TEST_RESULT} linkchanged"
									fi
								fi
							else
								TEST_RESULT="${TEST_RESULT} norkhlnk"
							fi
						fi
					fi
				elif [ -z "${WL_FILE}" ]; then
					TEST_RESULT="${TEST_RESULT} sysattrunavail"
				fi


				#
				# Check the file permissions here to see if the 'other' permission
				# contains a 'w'. The check is against the octal value. Symbolic
				# links are ignored.
				#

				if [ ! -h "${FNAME}" -a $FILE_IS_PKGD -eq 0 ]; then
					WL_FILE=""

					if [ -n "`echo \"${WRITEWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
						WL_FILE="whitelisted"
						WHITELIST_RESULT="${WHITELIST_RESULT} write"
					fi

					if [ -z "${WL_FILE}" ]; then
						SYSPERM=`echo ${FDATA} | cut -d: -f2`

						if [ -n "`echo ${SYSPERM} | grep '[2367]\$'`" ]; then
							TEST_RESULT="${TEST_RESULT} write"
						elif [ -z "${SYSPERM}" ]; then
							TEST_RESULT="${TEST_RESULT} syspermunavail"
						fi
					fi
				fi
			fi


			#
			# If we are adding this file to the rkhunter.dat file, then we
			# need to remove any failed test results caused by the file
			# currently being missing. We then add the file to the list of
			# files to be added, and include the detected system attributes
			# of the file.
			#

			if [ $ADDNEWENTRY -eq 1 ]; then
				if [ -n "${TEST_RESULT}" ]; then
					for RKHTMPVAR in ${TEST_RESULT}; do
						case "${RKHTMPVAR}" in 
						hashchanged|permchanged|uidchanged|gidchanged|inodechanged|sizechanged|dtmchanged|linkchanged)
							TEST_RESULT=`echo "${TEST_RESULT}" | sed -e "s/ ${RKHTMPVAR}//"`
							;;
						esac
					done
				fi

				if [ $FMTVERSION -eq 0 ]; then
					NEWRKHENTRIES="${NEWRKHENTRIES}
File:${FNAME}:${SYSHASH}:${SYSINODE}:${SYSPERM}:${SYSUID}:${SYSGID}:${SYSSIZE}:${SYSDTM}::${SYSLNK}:"
				else
					RKH_CC=`echo "${FNAME}" | tr -c -d ':' | wc -c | tr -d ' '`
					SYSLNK_CC=`echo "${SYSLNK}" | tr -c -d ':' | wc -c | tr -d ' '`

					NEWRKHENTRIES="${NEWRKHENTRIES}
File:${RKH_CC}:${FNAME}:${SYSHASH}:${SYSINODE}:${SYSPERM}:${SYSUID}:${SYSGID}:${SYSSIZE}:${SYSDTM}::${SYSLNK_CC}:${SYSLNK}:"
				fi
			fi
		fi


		#
		# We can now carry out the tests which do not
		# require the rkhunter.dat file.
		#

		#
		# Do the file immutable-bit check.
		#

		if [ $SKIP_IMMUT -eq 0 ]; then
			#
			# Test if the file is whitelisted.
			#

			WL_FILE=""
			RKHTMPVAR=""

			if [ -n "`echo \"${IMMUTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
				WL_FILE="whitelisted"
				WHITELIST_RESULT="${WHITELIST_RESULT} immutable"
			fi

			if [ -z "${WL_FILE}" ]; then
				if [ $BSDOS -eq 0 ]; then
					if [ ! -h "${FNAME}" ]; then
						RKHTMPVAR=`${LSATTR_CMD} "${FNAME}" 2>&1 | cut -d' ' -f1 | grep 'i'`
					fi
				else
					RKHTMPVAR=`ls -lno "${FNAME}" 2>&1 | ${AWK_CMD} '{ print $5 }' | egrep 'uchg|schg|sappnd|uappnd|sunlnk|sunlink|schange|simmutable|sappend|uappend|uchange|uimmutable'`
				fi

				#
				# Reverse the test result if the immutable bit is always set.
				#

				if [ $IMMUTABLE_SET -eq 1 ]; then
					test -n "${RKHTMPVAR}" && RKHTMPVAR="" || RKHTMPVAR="set"
				fi

				test -n "${RKHTMPVAR}" && TEST_RESULT="${TEST_RESULT} immutable"
			fi
		fi


		#
		# Do the file script replacement check.
		#

		if [ $SKIP_SCRIPT -eq 0 ]; then
			#
			# If we are using a package manager, and both the hash test
			# and the file size test have passed, then we skip the script
			# replacement check. The assumption is that to change a file
			# with one value remaining the same is possible, but to change
			# it such that both are the same is improbable. It would also
			# require the package manager database having being corrupted
			# as well.
			#

			if [ $HASH_TEST_PASSED -eq 0 -o $SIZE_TEST_PASSED -eq 0 ]; then
				#
				# See if the file is whitelisted.
				#

				WL_FILE=""
				SYSSCRIPT=""

				if [ -n "`echo \"${SCRIPTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					WL_FILE="whitelisted"
					WHITELIST_RESULT="${WHITELIST_RESULT} script"
				fi

				if [ -z "${WL_FILE}" ]; then
					test -n "${BASENAME_CMD}" && RKHTMPVAR=`${BASENAME_CMD} "${FNAME}"` || RKHTMPVAR=`echo "${FNAME}" | sed -e 's:^.*/::'`

					if [ "${RKHTMPVAR}" = "rkhunter" ]; then
						SYSSCRIPT=`${FILE_CMD} "${FNAME}" 2>&1 | tr -d '\n' | tr '[:cntrl:]' '?' | egrep -i -v '(shell|/bin/sh) script( |,|$)'`
					else
						SYSSCRIPT=`${FILE_CMD} "${FNAME}" 2>&1 | tr -d '\n' | tr '[:cntrl:]' '?' | egrep -i ' script( |,|$)'`
					fi

					test -n "${SYSSCRIPT}" && TEST_RESULT="${TEST_RESULT} script"
				fi
			fi
		fi


		#
		# Now output the results.
		#

		if [ -z "${TEST_RESULT}" ]; then
			display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result OK --color GREEN NAME "`name2text \"${FNAME}\"`"
		else
			display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result WARNING --color RED NAME "`name2text \"${FNAME}\"`"

			PROP_FAILED_COUNT=`expr ${PROP_FAILED_COUNT} + 1`

			RKHTMPVAR2=0
			RKHTMPVAR3=0
			for RKHTMPVAR in ${TEST_RESULT}; do
				case "${RKHTMPVAR}" in
				hashchanged|permchanged|uidchanged|gidchanged|inodechanged|sizechanged|dtmchanged|linkchanged)
					if [ $RKHTMPVAR2 -eq 0 ]; then
						RKHTMPVAR2=1
						display --to LOG --type WARNING FILE_PROP_CHANGED
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_CHANGED2 "`name2text \"${FNAME}\"`"
					fi

					case "${RKHTMPVAR}" in
					hashchanged)
						if [ -z "${SYSHASH}" ]; then
							if [ -h "${FNAME}" ]; then
								display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSHASH_UNAVAIL_BL
							else
								display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSHASH_UNAVAIL
							fi
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSHASH "${SYSHASH}"
						fi

						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_RKHHASH "${RKHHASH}"

						test $DEPENDENCY_ERR -eq 1 && display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_DEPENDENCY "`name2text \"${FNAME}\"`"
						;;
					permchanged)
						if [ -z "${SYSPERM}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_PERM_UNAVAIL "${RKHPERM}"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_PERM "${SYSPERM}" "${RKHPERM}"
						fi
						;;
					uidchanged)
						if [ -z "${SYSUID}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_UID_UNAVAIL "${RKHUID}"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_UID "${SYSUID}" "${RKHUID}"
						fi
						;;
					gidchanged)
						if [ -z "${SYSGID}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_GID_UNAVAIL "${RKHGID}"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_GID "${SYSGID}" "${RKHGID}"
						fi
						;;
					inodechanged)
						if [ -z "${SYSINODE}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_INODE_UNAVAIL "${RKHINODE}"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_INODE "${SYSINODE}" "${RKHINODE}"
						fi
						;;
					sizechanged)
						if [ -z "${SYSSIZE}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SIZE_UNAVAIL "${RKHSIZE}"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SIZE "${SYSSIZE}" "${RKHSIZE}"
						fi
						;;
					dtmchanged)
						if [ -z "${SYSDTM}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSDTM_UNAVAIL
						else
							get_readable_date ${SYSDTM}

							if [ -n "${READABLE_DATE}" ]; then
								display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSDTM "${SYSDTM} (${READABLE_DATE})"
							else
								display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSDTM "${SYSDTM}"
							fi
						fi

						get_readable_date ${RKHDTM}

						if [ -n "${READABLE_DATE}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_RKHDTM "${RKHDTM} (${READABLE_DATE})"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_RKHDTM "${RKHDTM}"
						fi
						;;
					linkchanged)
						test -z "${RKHLNK}" && RKHLNK="Unavailable"
						test -z "${SYSLNK}" && SYSLNK="Unavailable"

						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSLNK "`name2text \"${FNAME}\"`" "`name2text \"${SYSLNK}\"`"
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_RKHLNK "`name2text \"${FNAME}\"`" "`name2text \"${RKHLNK}\"`"
						;;
					esac
					;;
				verify:hashchanged|verify:permchanged|verify:uidchanged|verify:gidchanged|verify:sizechanged|verify:dtmchanged|verify:linkchanged)
					if [ $RKHTMPVAR3 -eq 0 ]; then
						RKHTMPVAR3=1
						display --to LOG --type WARNING FILE_PROP_VRFY
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_CHANGED2 "`name2text \"${FNAME}\"`"

						test $DEPENDENCY_ERR -eq 1 && display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_DEPENDENCY "`name2text \"${FNAME}\"`"
					fi

					case "${RKHTMPVAR}" in
					verify:hashchanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_HASH

						if [ "${RKHHASH}" = "ignore-prelink-dep-err" ]; then
							display --to LOG --type INFO --log-indent 9 FILE_PROP_IGNORE_PRELINK_DEP_ERR "`name2text \"${FNAME}\"`"
						fi
						;;
					verify:permchanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_PERM
						;;
					verify:uidchanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_UID
						;;
					verify:gidchanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_GID
						;;
					verify:sizechanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_SIZE
						;;
					verify:dtmchanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_DTM
						;;
					verify:linkchanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_LNK
						;;
					esac
					;;
				norkhline)
					display --to LOG --type WARNING FILE_PROP_NO_RKH_REC "`name2text \"${FNAME}\"`"
					;;
				norkhhash)
					display --to LOG --type WARNING FILE_PROP_NO_RKHHASH "`name2text \"${FNAME}\"`"
					;;
				norkhperm)
					display --to LOG --type WARNING FILE_PROP_NO_RKHPERM "`name2text \"${FNAME}\"`"
					;;
				norkhuid)
					display --to LOG --type WARNING FILE_PROP_NO_RKHUID "`name2text \"${FNAME}\"`"
					;;
				norkhgid)
					display --to LOG --type WARNING FILE_PROP_NO_RKHGID "`name2text \"${FNAME}\"`"
					;;
				norkhinode)
					display --to LOG --type WARNING FILE_PROP_NO_RKHINODE "`name2text \"${FNAME}\"`"
					;;
				norkhsize)
					display --to LOG --type WARNING FILE_PROP_NO_RKHSIZE "`name2text \"${FNAME}\"`"
					;;
				norkhdtm)
					display --to LOG --type WARNING FILE_PROP_NO_RKHDTM "`name2text \"${FNAME}\"`"
					;;
				norkhlnk)
					display --to LOG --type WARNING FILE_PROP_NO_RKHLNK "`name2text \"${FNAME}\"`"
					;;
				sysattrunavail)
					display --to LOG --type WARNING FILE_PROP_NO_SYSATTR "`name2text \"${FNAME}\"`"
					;;
				write)
					display --to LOG --type WARNING FILE_PROP_WRITE "`name2text \"${FNAME}\"`"
					;;
				syspermunavail)
					display --to LOG --type WARNING FILE_PROP_SYSPERM_UNAVAIL "`name2text \"${FNAME}\"`"
					;;
				immutable)
					if [ $IMMUTABLE_SET -eq 0 ]; then
						display --to LOG --type WARNING FILE_PROP_IMMUT "`name2text \"${FNAME}\"`"
					else
						display --to LOG --type WARNING FILE_PROP_IMMUT_NOT_SET "`name2text \"${FNAME}\"`"
					fi
					;;
				script)
					test -n "${BASENAME_CMD}" && RKHTMPVAR4=`${BASENAME_CMD} "${FNAME}"` || RKHTMPVAR4=`echo "${FNAME}" | sed -e 's:^.*/::'`

					if [ "${RKHTMPVAR4}" = "rkhunter" ]; then
						display --to LOG --type WARNING FILE_PROP_SCRIPT_RKH "`name2text \"${FNAME}\"`" "${SYSSCRIPT}"
					else
						display --to LOG --type WARNING FILE_PROP_SCRIPT "`name2text \"${FNAME}\"`" "${SYSSCRIPT}"
					fi
					;;
				esac
			done
		fi

		if [ -n "${WHITELIST_RESULT}" -a $VERBOSE_LOGGING -eq 1 ]; then
			for WL_FILE in ${WHITELIST_RESULT}; do
				case "${WL_FILE}" in
				hash)
					RKHTMPVAR="file hash"
					;;
				attr)
					RKHTMPVAR="file attributes"
					;;
				write)
					RKHTMPVAR="file write permission"
					;;
				immutable)
					RKHTMPVAR="file immutable-bit"
					;;
				script)
					RKHTMPVAR="script replacement"
					;;
				esac

				display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" "${RKHTMPVAR}"
			done
		fi

		IFS=$IFSNL
	done

	IFS=$RKHIFS


	#
	# We must now loop through the rkhunter.dat file and see if any filenames
	# are missing from the rkhunter_prop_list.dat file. If so, then this
	# indicates a (probably wildcarded) file has been removed from the system.
	#

	if [ $USE_DAT_FILE -eq 1 ]; then
		IFS=$IFSNL

		for RKHTMPVAR in `grep '^File:' "${RKHDAT_FILE}"`; do
			if [ $FMTVERSION -eq 0 ]; then
				FNAME=`echo "${RKHTMPVAR}" | cut -d: -f2`
			else
				RKH_CC=`echo "${RKHTMPVAR}" | cut -d: -f2`
				RKH_CC2=`expr 3 + $RKH_CC`

				FNAME=`echo "${RKHTMPVAR}" | cut -d: -f3-$RKH_CC2`
			fi

			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

			if [ -z "`grep \"^${FNAMEGREP}$\" \"${RKH_FILEPROP_LIST}\"`" ]; then
				if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					#
					# Remove the entry from the rkhunter.dat file.
					#

					if [ $FMTVERSION -eq 0 ]; then
						OLDRKHENTRIES="${OLDRKHENTRIES}
File:${FNAME}:.*"
					else
						OLDRKHENTRIES="${OLDRKHENTRIES}
File:${RKH_CC}:${FNAME}:.*"
					fi
				elif [ ! -e "${FNAME}" ]; then
					PROP_FAILED_COUNT=`expr ${PROP_FAILED_COUNT} + 1`
					PROP_FILE_LIST_COUNT=`expr ${PROP_FILE_LIST_COUNT} + 1`

					display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result WARNING --color RED NAME "`name2text \"${FNAME}\"`"
					display --to LOG --type WARNING FILE_PROP_FILE_NOT_EXIST "`name2text \"${FNAME}\"`"
				fi
			fi
		done

		IFS=$RKHIFS
	fi


	#
	# Finally, add or remove any specified entries to/from the rkhunter.dat file.
	#

	test -n "${OLDRKHENTRIES}" -o -n "${NEWRKHENTRIES}" && updt_rkhdat


	return
}


suspscan() {

	#
	# Suspscan content scan using fixed strings.
	#
	# Suspscan is a CPU hog and only useful to some limit.
	# Suspscan should NEVER be enabled by default.
	#

	if `check_test suspscan`; then
		display --to LOG --type INFO --nl STARTING_TEST suspscan
		display --to LOG --type PLAIN --log-indent 2 SUSPSCAN_START
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST suspscan
		fi

		return
	fi


	#
	# First check that we have the commands we need.
	#

	if [ -z "${FILE_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 SUSPSCAN_CHECK

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' file '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'file'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'file'
		fi

		return
	elif [ -z "${STRINGS_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 SUSPSCAN_CHECK

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' strings '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'strings'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'strings'
		fi

		return
	fi

	#
	# Now check that the suspscan data file is usable.
	#

	if [ ! -e "${DB_PATH}/suspscan.dat" -o ! -s "${DB_PATH}/suspscan.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 SUSPSCAN_CHECK
		display --to LOG --type WARNING --log-indent 9 SUSPSCAN_DAT_MISSING "${DB_PATH}/suspscan.dat"
		return
	elif [ ! -f "${DB_PATH}/suspscan.dat" -o -h "${DB_PATH}/suspscan.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 SUSPSCAN_CHECK
		display --to LOG --type WARNING --log-indent 9 SUSPSCAN_DAT_NOTAFILE "${DB_PATH}/suspscan.dat"
		return
	fi

	#
	# Next log our configuration settings.
	#

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO SUSPSCAN_DIRS "${SUSPSCAN_DIRS}"
		display --to LOG --type INFO SUSPSCAN_TEMP "${SUSPSCAN_TEMP}"
		display --to LOG --type INFO SUSPSCAN_SIZE "${SUSPSCAN_MAXSIZE}"
		display --to LOG --type INFO SUSPSCAN_THRESH "${SUSPSCAN_THRESH}"
	fi

	#
	# Finally start the test.
	#

	FOUND=0
	FOUNDDIRS=""
	FILENAME="${SUSPSCAN_TEMP}/suspscan.$$.strings"

	ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`

	rm -f ${SUSPSCAN_TEMP}/suspscan.*.strings >/dev/null 2>&1

	#
	# Get a temporary file used to log the scan results.
	#

	get_temp_file "${RKHTMPDIR}/suspscan.tmp"
	SUSPSCAN_TMPFILE="${TEMPFILE}"
	touch "${SUSPSCAN_TMPFILE}"

	#
	# We expand the whitelist option here to ensure
	# that any wildcard entries are the most recent.
	#

	if [ -n "${SUSPSCAN_WL_OPT}" ]; then
		SUSPSCAN_WHITELIST=`expand_paths SUSPSCAN_WL_OPT`
	else
		SUSPSCAN_WHITELIST=""
	fi

	for SUSPSCAN_DIR in ${SUSPSCAN_DIRS}; do
		if [ -d "${SUSPSCAN_DIR}" ]; then
			FOUND=0

			if [ $SUSPSCAN_DEBUG -eq 1 ]; then
				echo "4 SUSPSCAN_DIR_CHECK "${SUSPSCAN_DIR}"" >>"${SUSPSCAN_TMPFILE}"
			fi

			$FIND_CMD "${SUSPSCAN_DIR}" -type f -o -type l 2>/dev/null | while read SUSPSCAN_ITEM; do
				#
				# Skip the debug file which may well be in one of the default suspscan directories.
				#

				test $DEBUG_OPT -eq 1 -a "${SUSPSCAN_ITEM}" = "${RKHDEBUGFILE}" && continue

				#
				# If the file is a link, then find what it points to.
				#

				if [ -h "${SUSPSCAN_ITEM}" ]; then
					if [ $HAVE_READLINK -eq 1 ]; then
						RKHTMPVAR="${SUSPSCAN_ITEM}"

						SUSPSCAN_ITEM=`${READLINK_CMD} ${READLINK_OPT} "${RKHTMPVAR}" 2>/dev/null`

						if [ -z "${SUSPSCAN_ITEM}" ]; then
							continue
						elif [ $SUSPSCAN_DEBUG -eq 1 ]; then
							echo "6 SUSPSCAN_FILE_LINK_CHANGE "${RKHTMPVAR}" "${SUSPSCAN_ITEM}"" >>"${SUSPSCAN_TMPFILE}"
						fi
					else
						if [ $SUSPSCAN_DEBUG -eq 1 ]; then
							echo "6 SUSPSCAN_FILE_SKIPPED_LINK "${SUSPSCAN_ITEM}"" >>"${SUSPSCAN_TMPFILE}"
						fi

						continue
					fi
				fi

				#
				# Ignore any whitelisted files.
				#

				FNAMEGREP=`echo "${SUSPSCAN_ITEM}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

				if [ -n "`echo \"${SUSPSCAN_WHITELIST}\" | grep \"^${SUSPSCAN_ITEM}$\"`" ]; then
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO SUSPSCAN_WL "${SUSPSCAN_ITEM}"
					fi

					continue
				fi

				#
				# Next check the size of the file.
				#

				if [ ! -s "${SUSPSCAN_ITEM}" ]; then
					if [ $SUSPSCAN_DEBUG -eq 1 ]; then
						echo "6 SUSPSCAN_FILE_SKIPPED_EMPTY "${SUSPSCAN_ITEM}"" >>"${SUSPSCAN_TMPFILE}"
					fi

					continue
				elif [ -z "`${FIND_CMD} "${SUSPSCAN_ITEM}" -size -${SUSPSCAN_MAXSIZE}c 2>/dev/null`" ]; then
					if [ $SUSPSCAN_DEBUG -eq 1 ]; then
						echo "6 SUSPSCAN_FILE_SKIPPED_SIZE "${SUSPSCAN_ITEM}"" >>"${SUSPSCAN_TMPFILE}"
					fi

					continue
				fi


				#
				# Finally, test the file type.
				#

				FTYPE=`${FILE_CMD} "${SUSPSCAN_ITEM}" 2>&1 | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`

				#
				# We need to check errors from the file command, but not
				# if they are caused by the file disappearing beneath us.
				#

				test ! -e "${SUSPSCAN_ITEM}" && continue

				#
				# Adding "text" to the egrep below widens scope at the expense of more false-positives and extending running time.
				#

				if [ -n "`echo \"${FTYPE}\" | grep -v -i 'compres' | egrep -i 'execu|reloc|shell|libr|data|obj|text'`" ]; then
					FOUND=1
					SUSPSCAN_NUM=1; SUSPSCAN_SCORE=0; SUSPSCAN_HITCOUNT=0
					SUSPSCAN_STRINGS=""

					$STRINGS_CMD -n 4 -a "${SUSPSCAN_ITEM}" 2>/dev/null | head ${HEAD_OPT}$SUSPSCAN_LINETHRESH >"${FILENAME}" 2>&1

					for SUSPSCAN_STRING in `grep -v '^Version' "${DB_PATH}/suspscan.dat" 2>/dev/null | tail ${TAIL_OPT}1` ; do
						#
						# Break off if the score already exceeds the threshold.
						#

						if [ $SUSPSCAN_SCORE -ge $SUSPSCAN_THRESH ]; then
							break
						fi

						SUSPSCAN_TERM="${SUSPSCAN_STRING}"

						#
						# Searchterm with class.
						#

						case "${SUSPSCAN_STRING}" in
						[a-z]:*) 
								SUSPSCAN_CLASS=`echo "${SUSPSCAN_STRING}" | cut -d: -f1`
								SUSPSCAN_TERM=`echo "${SUSPSCAN_STRING}" | cut -d: -f2-`
							 	;;
						esac

						#
						# Searchterm with multiplier.
						#

						case "${SUSPSCAN_STRING}" in
						*+[0-9][0-9]*) 
							SUSPSCAN_TERM=`echo "${SUSPSCAN_TERM}" | cut -d'+' -f1`
							SUSPSCAN_MULTIPLIER=`echo "${SUSPSCAN_STRING}" | cut -d'+' -f2`
							;;
						esac

						grep -i ${SUSPSCAN_TERM} "${FILENAME}" >/dev/null 2>&1
						ERRCODE=$?

						if [ $ERRCODE -eq 0 ]; then

							if [ "$SUSPSCAN_CLASS" = "$SUSPSCAN_CLASS_PREV" ]; then
								SUSPSCAN_SCORE=`expr ${SUSPSCAN_SCORE} + 10`
							fi

							SUSPSCAN_HITS="$SUSPSCAN_NUM ${SUSPSCAN_HITS}"

							if [ -n "$SUSPSCAN_MULTIPLIER" ]; then
								SUSPSCAN_SCORE=`expr ${SUSPSCAN_SCORE} + ${SUSPSCAN_MULTIPLIER}` 
								unset SUSPSCAN_MULTIPLIER
							else
								SUSPSCAN_SCORE=`expr ${SUSPSCAN_SCORE} + 1`
							fi

							SUSPSCAN_HITCOUNT=`expr $SUSPSCAN_HITCOUNT + 1`

							SUSPSCAN_STRINGS="${SUSPSCAN_STRINGS} ${SUSPSCAN_TERM}"

							SUSPSCAN_CLASS_PREV="$SUSPSCAN_CLASS"
						fi

						SUSPSCAN_NUM=`expr ${SUSPSCAN_NUM} + 1`
					done

					if [ $SUSPSCAN_DEBUG -eq 1 ]; then
						echo "6 SUSPSCAN_FILE_CHECK_DEBUG "${SUSPSCAN_ITEM}" "$SUSPSCAN_SCORE" "$SUSPSCAN_HITCOUNT" "${SUSPSCAN_STRINGS}"" >>"${SUSPSCAN_TMPFILE}"
					fi

					if [ $SUSPSCAN_SCORE -ge $SUSPSCAN_THRESH ]; then
						echo "6 SUSPSCAN_FILE_CHECK "${SUSPSCAN_ITEM}" "$SUSPSCAN_SCORE"" >>"${SUSPSCAN_TMPFILE}"
						echo "SUSPSCAN_INSPECT "${SUSPSCAN_ITEM}" "$SUSPSCAN_SCORE"" >>"${SUSPSCAN_TMPFILE}"
					fi

					unset SUSPSCAN_TERM

				#
				# Compressed or obfuscated.
				#

				elif [ -n "`echo \"${FTYPE}\" | grep 'corrupted section header size'`" ]; then
					if [ $SUSPSCAN_DEBUG -eq 1 ]; then
						echo "6 SUSPSCAN_FILE_SKIPPED_TYPE "${SUSPSCAN_ITEM}" "Possible UPX-compressed or Dexter01s obfuscated binary"" >>"${SUSPSCAN_TMPFILE}"
					fi

				#
				# ELF ultimate compression kit (ELFuck).
				#

				elif [ -n "`echo \"${FTYPE}\" | grep 'invalid class invalid byte order'`" ]; then
					if [ $SUSPSCAN_DEBUG -eq 1 ]; then
						echo "6 SUSPSCAN_FILE_SKIPPED_TYPE "${SUSPSCAN_ITEM}" "Possible ELFuck obfuscated binary"" >>"${SUSPSCAN_TMPFILE}"
					fi
				elif [ $SUSPSCAN_DEBUG -eq 1 ]; then
					echo "6 SUSPSCAN_FILE_SKIPPED_TYPE "${SUSPSCAN_ITEM}" "${FTYPE}"" >>"${SUSPSCAN_TMPFILE}"
				fi
			done

		else
			echo "4 SUSPSCAN_DIR_NOT_EXIST "${SUSPSCAN_DIR}"" >>"${SUSPSCAN_TMPFILE}"
		fi
	done

	rm -f ${SUSPSCAN_TEMP}/suspscan.*.strings >/dev/null 2>&1


	#
	# Now display the results.
	#
	
	cat "${SUSPSCAN_TMPFILE}" | while read LINE; do
		LOGCHAR=`echo "$LINE" | cut -c 1`
		case "$LOGCHAR" in
			4|6)	LOGTYPE=`echo "$LINE" | cut -d ' ' -f 2`
				case "$LOGTYPE" in
					SUSPSCAN_FILE_SKIPPED_TYPE)
						SUSP_SKIP_ITEM=`echo "$LINE" | cut -d ' ' -f 3`
						SUSP_SKIP_MSG=`echo "$LINE" | cut -d ' ' -f 4-`
						if [ $SUSPSCAN_DEBUG -eq 1 ]; then
							display --to LOG --type PLAIN --log-indent $LOGCHAR $LOGTYPE "${SUSP_SKIP_ITEM}" "${SUSP_SKIP_MSG}"
						fi
					;;
					*)
						display --to LOG --type PLAIN --log-indent $LINE
					;;
				esac
			;;
			S)	
				display --to LOG --type WARNING $LINE
			;;
		esac
	done

	FOUNDDIRS=`grep '^6 SUSPSCAN_FILE_CHECK' "${SUSPSCAN_TMPFILE}" 2>/dev/null | head ${HEAD_OPT}1`

	if [ -z "${FOUNDDIRS}" ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 SUSPSCAN_CHECK
	else
		ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`

		# The 'type' here should be PLAIN, but the loop prevents RKH from seeing that a warning has occurred.
		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 SUSPSCAN_CHECK
	fi

	rm -f "${SUSPSCAN_TMPFILE}" >/dev/null 2>&1

	return
}


do_system_commands_checks() {

	#
	# This function carries out a sequence of tests on
	# system commands. These consist of the 'strings' command
	# check, library checks and the file properties checks.
	#

	if `check_test system_commands`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST system_commands
		display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_SYS_COMMANDS
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST system_commands
		fi

		return
	fi


	strings_check

	shared_libs_check

	file_properties_check

	keypresspause

	return
}


rootkit_file_dir_checks() {

	#
	# This function performs the check for known rootkit
	# files and directories.
	#

	if `check_test known_rkts`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST known_rkts
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_FILES_DIRS_START
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST known_rkts
		fi

		return
	fi


	# 55808 Trojan - Variant A

	SCAN_ROOTKIT="55808 Trojan - Variant A"
	SCAN_FILES=${W55808A_FILES}
	SCAN_DIRS=${W55808A_DIRS}
	SCAN_KSYMS=${W55808A_KSYMS}
	scanrootkit

	# ADM Worm

	SCAN_ROOTKIT="ADM Worm"

	ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

	display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"

	if [ -f "/etc/passwd" ]; then
		RKHTMPVAR=`grep 'w0rm' /etc/passwd`

		if [ -z "${RKHTMPVAR}" ]; then
			display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_STR 'w0rm'
			display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
		else
			ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
			ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "

			display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_STR 'w0rm'

			display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_STR_FOUND 'w0rm' '/etc/passwd'
		fi
	else
		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
		display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_NOFILE '/etc/passwd'
	fi

	# AjaKit Rootkit

	SCAN_ROOTKIT="AjaKit Rootkit"
	SCAN_FILES=${AJAKIT_FILES}
	SCAN_DIRS=${AJAKIT_DIRS}
	SCAN_KSYMS=${AJAKIT_KSYMS}
	scanrootkit

	# "Adore" Rootkit

	SCAN_ROOTKIT="Adore Rootkit"
	SCAN_FILES=${AKIT_FILES}
	SCAN_DIRS=${AKIT_DIRS}
	SCAN_KSYMS=${AKIT_KSYMS}
	scanrootkit

	# aPa Kit

	SCAN_ROOTKIT="aPa Kit"
	SCAN_FILES=${APAKIT_FILES}
	SCAN_DIRS=${APAKIT_DIRS}
	SCAN_KSYMS=${APAKIT_KSYMS}
	scanrootkit

	# Apache worm

	SCAN_ROOTKIT="Apache Worm"
	SCAN_FILES=${APACHEWORM_FILES}
	SCAN_DIRS=${APACHEWORM_DIRS}
	SCAN_KSYMS=${APACHEWORM_KSYMS}
	scanrootkit

	# Ambient (ark) Rootkit

	SCAN_ROOTKIT="Ambient (ark) Rootkit"
	SCAN_FILES=${ARK_FILES}
	SCAN_DIRS=${ARK_DIRS}
	SCAN_KSYMS=${ARK_KSYMS}
	scanrootkit

	# Balaur Rootkit

	SCAN_ROOTKIT="Balaur Rootkit"
	SCAN_FILES=${BALAUR_FILES}
	SCAN_DIRS=${BALAUR_DIRS}
	SCAN_KSYMS=${BALAUR_KSYMS}
	scanrootkit

	# BeastKit Rootkit

	SCAN_ROOTKIT="BeastKit Rootkit"
	SCAN_FILES=${BEASTKIT_FILES}
	SCAN_DIRS=${BEASTKIT_DIRS}
	SCAN_KSYMS=${BEASTKIT_KSYMS}
	scanrootkit

	# beX2 Rootkit

	SCAN_ROOTKIT="beX2 Rootkit"
	SCAN_FILES=${BEX_FILES}
	SCAN_DIRS=${BEX_DIRS}
	SCAN_KSYMS=${BEX_KSYMS}
	scanrootkit

	# BOBKit Rootkit

	SCAN_ROOTKIT="BOBKit Rootkit"
	SCAN_FILES=${BOBKIT_FILES}
	SCAN_DIRS=${BOBKIT_DIRS}
	SCAN_KSYMS=${BOBKIT_KSYMS}
	scanrootkit

	# OSX Boonana Trojan
	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Boonana Trojan"
		SCAN_FILES=${BOONANA_FILES}
		SCAN_DIRS=${BOONANA_DIRS}
		SCAN_KSYMS=${BOONANA_KSYMS}
		scanrootkit
	fi

	# cb Rootkit
	SCAN_ROOTKIT="cb Rootkit"
	SCAN_FILES=${CB_FILES}
	SCAN_DIRS=${CB_DIRS}
	SCAN_KSYMS=${CB_KSYMS}
	scanrootkit

	# CiNIK Worm (Slapper.B variant)

	SCAN_ROOTKIT="CiNIK Worm (Slapper.B variant)"
	SCAN_FILES=${CINIK_FILES}
	SCAN_DIRS=${CINIK_DIRS}
	SCAN_KSYMS=${CINIK_KSYMS}
	scanrootkit

	# CX Rootkit

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="CX Rootkit"
		SCAN_FILES=${CXKIT_FILES}
		SCAN_DIRS=${CXKIT_DIRS}
		SCAN_KSYMS=${CXKIT_KSYMS}
		scanrootkit
	fi

	# Danny-Boy's Abuse Kit

	SCAN_ROOTKIT="Danny-Boy's Abuse Kit"
	SCAN_FILES=${DANNYBOYS_FILES}
	SCAN_DIRS=${DANNYBOYS_DIRS}
	SCAN_KSYMS=${DANNYBOYS_KSYMS}
	scanrootkit

	# Devil RootKit

	SCAN_ROOTKIT="Devil RootKit"
	SCAN_FILES=${DEVIL_FILES}
	SCAN_DIRS=${DEVIL_DIRS}
	SCAN_KSYMS=${DEVIL_KSYMS}
	scanrootkit

	# Diamorphine LKM

	SCAN_ROOTKIT="Diamorphine LKM"
	SCAN_FILES=${DIAMORPHINE_FILES}
	SCAN_DIRS=${DIAMORPHINE_DIRS}
	SCAN_KSYMS=${DIAMORPHINE_KSYMS}
	scanrootkit

	# Dica-Kit Rootkit

	SCAN_ROOTKIT="Dica-Kit Rootkit"
	SCAN_FILES=${DICA_FILES}
	SCAN_DIRS=${DICA_DIRS}
	SCAN_KSYMS=${DICA_KSYMS}
	scanrootkit

	# Dreams RootKit

	SCAN_ROOTKIT="Dreams Rootkit"
	SCAN_FILES=${DREAMS_FILES}
	SCAN_DIRS=${DREAMS_DIRS}
	SCAN_KSYMS=${DREAMS_KSYMS}
	scanrootkit

	# Duarawkz Rootkit

	SCAN_ROOTKIT="Duarawkz Rootkit"
	SCAN_FILES=${DUARAWKZ_FILES}
	SCAN_DIRS=${DUARAWKZ_DIRS}
	SCAN_KSYMS=${DUARAWKZ_KSYMS}
	scanrootkit

	# Ebury sshd backdoor

	SCAN_ROOTKIT="Ebury backdoor"
	SCAN_FILES=${EBURY_FILES}
	SCAN_DIRS=${EBURY_DIRS}
	SCAN_KSYMS=${EBURY_KSYMS}
	scanrootkit

	# Enye LKM

	SCAN_ROOTKIT="Enye LKM"
	SCAN_FILES=${ENYELKM_FILES}
	SCAN_DIRS=${ENYELKM_DIRS}
	SCAN_KSYMS=${ENYELKM_KSYMS}
	scanrootkit

	# Flea Linux Rootkit

	SCAN_ROOTKIT="Flea Linux Rootkit"
	SCAN_FILES=${FLEA_FILES}
	SCAN_DIRS=${FLEA_DIRS}
	SCAN_KSYMS=${FLEA_KSYMS}
	scanrootkit

	# FreeBSD Rootkit

	if [ $BSDOS -eq 1 ]; then
		SCAN_ROOTKIT="FreeBSD Rootkit"
		SCAN_FILES=${FREEBSD_RK_FILES}
		SCAN_DIRS=${FREEBSD_RK_DIRS}
		SCAN_KSYMS=${FREEBSD_RK_KSYMS}
		scanrootkit
	fi

	# Fu Rootkit

	SCAN_ROOTKIT="Fu Rootkit"
	SCAN_FILES=${FU_FILES}
	SCAN_DIRS=${FU_DIRS}
	SCAN_KSYMS=${FU_KSYMS}
	scanrootkit

	# Fuck`it Rootkit

	SCAN_ROOTKIT="Fuck\`it Rootkit"
	SCAN_FILES=${FUCKIT_FILES}
	SCAN_DIRS=${FUCKIT_DIRS}
	SCAN_KSYMS=${FUCKIT_KSYMS}
	scanrootkit

	# GasKit Rootkit

	SCAN_ROOTKIT="GasKit Rootkit"
	SCAN_FILES=${GASKIT_FILES}
	SCAN_DIRS=${GASKIT_DIRS}
	SCAN_KSYMS=${GASKIT_KSYMS}
	scanrootkit

	# Heroin LKM

	SCAN_ROOTKIT="Heroin LKM"
	SCAN_FILES=${HEROIN_FILES}
	SCAN_DIRS=${HEROIN_DIRS}
	SCAN_KSYMS=${HEROIN_KSYMS}
	scanrootkit

	# HjC Kit

	SCAN_ROOTKIT="HjC Kit"
	SCAN_FILES=${HJCKIT_FILES}
	SCAN_DIRS=${HJCKIT_DIRS}
	SCAN_KSYMS=${HJCKIT_KSYMS}
	scanrootkit

	# ignoKit Rootkit

	SCAN_ROOTKIT="ignoKit Rootkit"
	SCAN_FILES=${IGNOKIT_FILES}
	SCAN_DIRS=${IGNOKIT_DIRS}
	SCAN_KSYMS=${IGNOKIT_KSYMS}
	scanrootkit

	# iLLogiC Rootkit (SunOS Rootkit variant)

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="iLLogiC Rootkit"
		SCAN_FILES=${ILLOGIC_FILES}
		SCAN_DIRS=${ILLOGIC_DIRS}
		SCAN_KSYMS=${ILLOGIC_KSYMS}
		scanrootkit
	fi

	# OSX Inqtana (Variant A)

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Inqtana Worm (Variant A)"
		SCAN_FILES=${INQTANAA_FILES}
		SCAN_DIRS=${INQTANAA_DIRS}
		SCAN_KSYMS=${INQTANAA_KSYMS}
		scanrootkit
	fi

	# OSX Inqtana (Variant B)

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Inqtana Worm (Variant B)"
		SCAN_FILES=${INQTANAB_FILES}
		SCAN_DIRS=${INQTANAB_DIRS}
		SCAN_KSYMS=${INQTANAB_KSYMS}
		scanrootkit
	fi

	# OSX Inqtana (Variant C)

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Inqtana Worm (Variant C)"
		SCAN_FILES=${INQTANAC_FILES}
		SCAN_DIRS=${INQTANAC_DIRS}
		SCAN_KSYMS=${INQTANAC_KSYMS}
		scanrootkit
	fi

	# IntoXonia-NG Rootkit

	SCAN_ROOTKIT="IntoXonia-NG Rootkit"
	SCAN_FILES=${INTOXONIA_FILES}
	SCAN_DIRS=${INTOXONIA_DIRS}
	SCAN_KSYMS=${INTOXONIA_KSYMS}
	scanrootkit

	# Irix Rootkit

	SCAN_ROOTKIT="Irix Rootkit"
	SCAN_FILES=${IRIXRK_FILES}
	SCAN_DIRS=${IRIXRK_DIRS}
	SCAN_KSYMS=${IRIXRK_KSYMS}
	scanrootkit

	# Jynx Rootkit

	SCAN_ROOTKIT="Jynx Rootkit"
	SCAN_FILES=${JYNX_FILES}
	SCAN_DIRS=${JYNX_DIRS}
	SCAN_KSYMS=${JYNX_KSYMS}
	scanrootkit

	# Jynx2 Rootkit

	SCAN_ROOTKIT="Jynx2 Rootkit"
	SCAN_FILES=${JYNX2_FILES}
	SCAN_DIRS=${JYNX2_DIRS}
	SCAN_KSYMS=${JYNX2_KSYMS}
	scanrootkit

	# KBeast Rootkit

	SCAN_ROOTKIT="KBeast Rootkit"
	SCAN_FILES=${KBEAST_FILES}
	SCAN_DIRS=${KBEAST_DIRS}
	SCAN_KSYMS=${KBEAST_KSYMS}
	scanrootkit

	# OSX Keydnap backdoor

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Keydnap backdoor"
		SCAN_FILES=${KEYDNAP_FILES}
		SCAN_DIRS=${KEYDNAP_DIRS}
		SCAN_KSYMS=${KEYDNAP_KSYMS}
		scanrootkit
	fi

	# Kitko Rootkit

	SCAN_ROOTKIT="Kitko Rootkit"
	SCAN_FILES=${KITKO_FILES}
	SCAN_DIRS=${KITKO_DIRS}
	SCAN_KSYMS=${KITKO_KSYMS}
	scanrootkit

	# Knark Rootkit

	SCAN_ROOTKIT="Knark Rootkit"
	SCAN_FILES=${KNARK_FILES}
	SCAN_DIRS=${KNARK_DIRS}
	SCAN_KSYMS=${KNARK_KSYMS}
	scanrootkit

	# OSX Komplex Trojan

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Komplex Trojan"
		SCAN_FILES=${KOMPLEX_FILES}
		SCAN_DIRS=${KOMPLEX_DIRS}
		SCAN_KSYMS=${KOMPLEX_KSYMS}
		scanrootkit
	fi

	# ld-linuxv.so (LD_PRELOAD shared library rootkit)

	SCAN_ROOTKIT="ld-linuxv.so Rootkit"
	SCAN_FILES=${LINUXV_FILES}
	SCAN_DIRS=${LINUXV_DIRS}
	SCAN_KSYMS=${LINUXV_KSYMS}
	scanrootkit

	# Li0n Worm

	SCAN_ROOTKIT="Li0n Worm"
	SCAN_FILES=${LION_FILES}
	SCAN_DIRS=${LION_DIRS}
	SCAN_KSYMS=${LION_KSYMS}
	scanrootkit

	# Lockit / LJK2 Rootkit

	SCAN_ROOTKIT="Lockit / LJK2 Rootkit"
	SCAN_FILES=${LOCKIT_FILES}
	SCAN_DIRS=${LOCKIT_DIRS}
	SCAN_KSYMS=${LOCKIT_KSYMS}
	scanrootkit

	# Mokes backdoor

	SCAN_ROOTKIT="Mokes backdoor"
	SCAN_FILES=${MOKES_FILES}
	SCAN_DIRS=${MOKES_DIRS}
	SCAN_KSYMS=${MOKES_KSYMS}
	scanrootkit

	# Mood-NT Rootkit

	SCAN_ROOTKIT="Mood-NT Rootkit"
	SCAN_FILES=${MOODNT_FILES}
	SCAN_DIRS=${MOODNT_DIRS}
	SCAN_KSYMS=${MOODNT_KSYMS}
	scanrootkit

	# MRK (MiCrobul?) RootKit

	SCAN_ROOTKIT="MRK Rootkit"
	SCAN_FILES=${MRK_FILES}
	SCAN_DIRS=${MRK_DIRS}
	SCAN_KSYMS=${MRK_KSYMS}
	scanrootkit

	# Ni0 Rootkit

	SCAN_ROOTKIT="Ni0 Rootkit"
	SCAN_FILES=${NIO_FILES}
	SCAN_DIRS=${NIO_DIRS}
	SCAN_KSYMS=${NIO_KSYMS}
	scanrootkit

	# Ohhara Rootkit

	SCAN_ROOTKIT="Ohhara Rootkit"
	SCAN_FILES=${OHHARA_FILES}
	SCAN_DIRS=${OHHARA_DIRS}
	SCAN_KSYMS=${OHHARA_KSYMS}
	scanrootkit

	# Optic Kit Worm

	SCAN_ROOTKIT="Optic Kit (Tux) Worm"
	SCAN_FILES=${OPTICKIT_FILES}
	SCAN_DIRS=${OPTICKIT_DIRS}
	SCAN_KSYMS=${OPTICKIT_KSYMS}
	scanrootkit

	# OSX Rootkit 0.2.1

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="OS X Rootkit"
		SCAN_FILES="${OSXRK_FILES}"
		SCAN_DIRS="${OSXRK_DIRS}"
		SCAN_KSYMS=${OSXRK_KSYMS}
		scanrootkit
	fi

	# Oz Rootkit

	SCAN_ROOTKIT="Oz Rootkit"
	SCAN_FILES=${OZ_FILES}
	SCAN_DIRS=${OZ_DIRS}
	SCAN_KSYMS=${OZ_KSYMS}
	scanrootkit

	# Phalanx Rootkit

	SCAN_ROOTKIT="Phalanx Rootkit"
	SCAN_FILES=${PHALANX_FILES}
	SCAN_DIRS=${PHALANX_DIRS}
	SCAN_KSYMS=${PHALANX_KSYMS}
	scanrootkit

	# Phalanx2 Rootkit (dirs and files)

	SCAN_ROOTKIT="Phalanx2 Rootkit"
	SCAN_FILES=${PHALANX2_FILES}
	SCAN_DIRS=${PHALANX2_DIRS}
	SCAN_KSYMS=${PHALANX2_KSYMS}
	scanrootkit


	# Phalanx2 Rootkit (extended tests)

	if [ $LINUXOS -eq 1 ]; then
		SCAN_ROOTKIT="Phalanx2 Rootkit (extended tests)"

		ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

		ROOTKIT_PHALANX2_TEST=0

		display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"

		if [ $ROOTKIT_PHALANX2_DIRTESTVAL -eq 1 ]; then
			ROOTKIT_PHALANX2_DIRNAMES=`${FIND_CMD} /etc /usr -type d -iname "*.p2"`
		else
			ROOTKIT_PHALANX2_DIRNAMES="/etc/khubd.p2 /etc/lolzz.p2 /usr/lib/zupzz.p2"
		fi

		if [ -n "${ROOTKIT_PHALANX2_DIRNAMES}" ]; then
			for ROOTKIT_PHALANX2_DIRNAME in ${ROOTKIT_PHALANX2_DIRNAMES}; do
				if `cd ${ROOTKIT_PHALANX2_DIRNAME} >/dev/null 2>&1`; then
					ROOTKIT_PHALANX2_TEST=1

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "${ROOTKIT_PHALANX2_DIRNAME}"

						display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
						display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_DIR_FOUND "${ROOTKIT_PHALANX2_DIRNAME}"
					fi
				elif [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "${ROOTKIT_PHALANX2_DIRNAME}"
				fi
			done
		elif [ $ROOTKIT_PHALANX2_DIRTESTVAL -eq 1 ]; then
			display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "*.p2"
		fi

		if `grep -q '^/dev/root .* ext[23] ' /proc/mounts 2>/dev/null`; then 
			if [ -n "${STAT_CMD}" ]; then
				for DIR_NAME in /etc /usr/share; do
					if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
						NLINKS1=`${STAT_CMD} --nlink ${DIR_NAME} 2>/dev/null`
					else
						NLINKS1=`${STAT_CMD} -c %h ${DIR_NAME} 2>/dev/null`
					fi

					NLINKS2=`ls -ld ${DIR_NAME} 2>/dev/null | ${AWK_CMD} -F' ' '/^d/ {print $2}' 2>/dev/null | head ${HEAD_OPT}1`

					test -z "${NLINKS1}" && NLINKS1=-1
					test -z "${NLINKS2}" && NLINKS2=-2

					if [ $NLINKS1 -ne $NLINKS2 ]; then
						display --to LOG --type PLAIN --result WARNING --log-indent 2 ROOTKIT_LINK_COUNT "${DIR_NAME}"

						if [ $NLINKS1 -eq -1 ]; then
							display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_CMDERR "${STAT_CMD}" "${DIR_NAME}"
						fi

						if [ $NLINKS2 -eq -2 ]; then
							display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_CMDERR 'ls -ld' "${DIR_NAME}"
						fi

						display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_FAIL "${STAT_CMD}" "$NLINKS1"
						display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_FAIL 'ls -ld' "$NLINKS2"

						if [ $ROOTKIT_PHALANX2_TEST -eq 0 ]; then
							ROOTKIT_PHALANX2_TEST=1
							display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
						fi

						display --to LOG --type PLAIN --log-indent 9 ROOTKIT_PHALANX2_LINK_COUNT_FAIL "${DIR_NAME}"
					else
						display --to LOG --type PLAIN --result OK --log-indent 2 ROOTKIT_LINK_COUNT "${DIR_NAME}"
					fi
				done
			else
				display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_LINK_COUNT '/etc and /usr/share'

				if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' stat '`" ]; then
					display --to LOG --type INFO DISABLED_CMD 'stat'
				else
					display --to LOG --type INFO NOT_FOUND_CMD 'stat'
				fi
			fi
		fi

		# On Linux 2.6 kernels certain processes are children of the kthread process which itself is a child of init.
		# argv[0] hiding in plain sight works OK (who expects '^ata/0$' processes to be illegal?) but if the parent process Id is not kthread's
		# then suspicion is justified. Like other process listing relying on 'ps' the usual process hiding caveat remains.

		if [ -n "${PGREP_CMD}" ]; then
			if [ -n "`${PGREP_CMD} 'ata/0'`" ]; then
				ROOTKIT_PHALANX2_PROC_KTHREAD_PPID=`${PGREP_CMD} -f '^kthread.?$'`
				ROOTKIT_PHALANX2_PROC_ATA_PPID=`${PS_CMD} --no-headers -C 'ata/0' -oppid 2>/dev/null`

				if [ -n "${ROOTKIT_PHALANX2_PROC_ATA_PPID}" -a -n "${ROOTKIT_PHALANX2_PROC_KTHREAD_PPID}" ]; then
					if [ ${ROOTKIT_PHALANX2_PROC_ATA_PPID} -ne ${ROOTKIT_PHALANX2_PROC_KTHREAD_PPID} ]; then
						display --to LOG --type PLAIN --result WARNING --log-indent 2 ROOTKIT_PHALANX2_PROC_FOUND
						display --to LOG --type PLAIN --log-indent 4 ROOTKIT_PHALANX2_PROC_PPID "${ROOTKIT_PHALANX2_PROC_KTHREAD_PPID}" "${ROOTKIT_PHALANX2_PROC_ATA_PPID}"

						if [ $ROOTKIT_PHALANX2_TEST -eq 0 ]; then
							ROOTKIT_PHALANX2_TEST=1
							display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
						fi

						display --to LOG --type PLAIN --log-indent 9 ROOTKIT_PHALANX2_PROC_FOUND
					else
						display --to LOG --type PLAIN --result OK --log-indent 2 ROOTKIT_PHALANX2_PROC
					fi

				else # ROOTKIT_PHALANX2_PROC_ATA_PPID ps might not support some cmdline args
					display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_PHALANX2_PROC
					display --to LOG --type INFO ROOTKIT_PHALANX2_PROC_PS_ERR
				fi

			# else # This kernel does not run any 'ata/0' kthread child processes, no warning necessary.
			fi
		else # PGREP_CMD not found
			display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_PHALANX2_PROC

			if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' pgrep '`" ]; then
				display --to LOG --type INFO DISABLED_CMD 'pgrep'
			else
				display --to LOG --type INFO NOT_FOUND_CMD 'pgrep'
			fi
		fi

		if [ $ROOTKIT_PHALANX2_TEST -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
		else
			ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
			ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "
		fi

	fi

	# Portacelo Rootkit

	SCAN_ROOTKIT="Portacelo Rootkit"
	SCAN_FILES=${PORTACELO_FILES}
	SCAN_DIRS=${PORTACELO_DIRS}
	SCAN_KSYMS=${PORTACELO_KSYMS}
	scanrootkit

	# OSX Proton backdoor

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Proton backdoor"
		SCAN_FILES=${PROTON_FILES}
		SCAN_DIRS=${PROTON_DIRS}
		SCAN_KSYMS=${PROTON_KSYMS}
		scanrootkit
	fi

	# R3dstorm Toolkit

	SCAN_ROOTKIT="R3dstorm Toolkit"
	SCAN_FILES=${REDSTORM_FILES}
	SCAN_DIRS=${REDSTORM_DIRS}
	SCAN_KSYMS=${REDSTORM_KSYMS}
	scanrootkit

	# RH-Sharpe's Rootkit

	SCAN_ROOTKIT="RH-Sharpe's Rootkit"
	SCAN_FILES=${RHSHARPES_FILES}
	SCAN_DIRS=${RHSHARPES_DIRS}
	SCAN_KSYMS=${RHSHARPES_KSYMS}
	scanrootkit

	# RSHA's Rootkit

	SCAN_ROOTKIT="RSHA's Rootkit"
	SCAN_FILES=${RSHA_FILES}
	SCAN_DIRS=${RSHA_DIRS}
	SCAN_KSYMS=${RSHA_KSYMS}
	scanrootkit

	# Scalper Worm

	SCAN_ROOTKIT="Scalper Worm"
	SCAN_FILES=${SCALPER_FILES}
	SCAN_DIRS=${SCALPER_DIRS}
	SCAN_KSYMS=${SCALPER_KSYMS}
	scanrootkit

	# Sebek LKM (Honeypot)

	SCAN_ROOTKIT="Sebek LKM"

	ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

	display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"

	FOUND=0

	if [ -n "${KSYMS_FILE}" ]; then
		egrep -i 'adore|sebek' "${KSYMS_FILE}" >/dev/null 2>&1 && FOUND=1
	fi

	if [ $FOUND -eq 0 ]; then
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			if [ -n "${KSYMS_FILE}" ]; then
				display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM 'adore or sebek'
			else
				display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_FILES_DIRS_KSYM 'adore or sebek'
			fi
		fi

		display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
	else
		ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
		ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "

		display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM 'adore or sebek'

		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
		display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_KSYM_FOUND 'adore or sebek'
	fi

	# Shutdown Rootkit

	SCAN_ROOTKIT="Shutdown Rootkit"
	SCAN_FILES=${SHUTDOWN_FILES}
	SCAN_DIRS=${SHUTDOWN_DIRS}
	SCAN_KSYMS=${SHUTDOWN_KSYMS}
	scanrootkit

	# SHV4 Rootkit

	SCAN_ROOTKIT="SHV4 Rootkit"
	SCAN_FILES=${SHV4_FILES}
	SCAN_DIRS=${SHV4_DIRS}
	SCAN_KSYMS=${SHV4_KSYMS}
	scanrootkit

	# SHV5 Rootkit

	SCAN_ROOTKIT="SHV5 Rootkit"
	SCAN_FILES=${SHV5_FILES}
	SCAN_DIRS=${SHV5_DIRS}
	SCAN_KSYMS=${SHV5_KSYMS}
	scanrootkit

	# Sin Rootkit

	SCAN_ROOTKIT="Sin Rootkit"
	SCAN_FILES=${SINROOTKIT_FILES}
	SCAN_DIRS=${SINROOTKIT_DIRS}
	SCAN_KSYMS=${SINROOTKIT_KSYMS}
	scanrootkit

	# SInAR Rootkit

	if [ $SUNOS -eq 1 ]; then
		FOUND=0
		SINARFILES=""

		SCAN_ROOTKIT="SInAR Rootkit"

		ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

		display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"

		if [ -n "${FIND_CMD}" ]; then
			for DIR in ${BINPATHS}; do
				FOUNDINDIR="NOT_FOUND"

				for FNAME in `${FIND_CMD} "${DIR}" -type f -name "*[sS][iI][nN][aA][rR]*" 2>/dev/null`; do
					FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

					if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
						if [ $VERBOSE_LOGGING -eq 1 ]; then
							display --to LOG --type INFO FILE_PROP_WL "${FNAME}" known_rkts
						fi
					elif `grep -i 'sinar' "${FNAME}" >/dev/null 2>&1`; then
						FOUND=1
						FOUNDINDIR="FOUND"
						SINARFILES="${SINARFILES} ${FNAME}"
					fi
				done

				display --to LOG --type PLAIN --result "${FOUNDINDIR}" --log-indent 2 ROOTKIT_FILES_DIRS_SINAR_DIR "${DIR}"
			done


			#
			# Now display the result.
			#

			if [ $FOUND -eq 0 ]; then
				display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
			else
				ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
				ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "

				display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
				display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_SINAR "${SINARFILES}"
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 NAME "${SCAN_ROOTKIT}"

			if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' find '`" ]; then
				display --to LOG --type INFO DISABLED_CMD 'find'
			else
				display --to LOG --type INFO NOT_FOUND_CMD 'find'
			fi
		fi
	fi

	# Slapper Worm

	SCAN_ROOTKIT="Slapper Worm"
	SCAN_FILES=${SLAPPER_FILES}
	SCAN_DIRS=${SLAPPER_DIRS}
	SCAN_KSYMS=${SLAPPER_KSYMS}
	scanrootkit

	# Sneakin Rootkit

	SCAN_ROOTKIT="Sneakin Rootkit"
	SCAN_FILES=${SNEAKIN_FILES}
	SCAN_DIRS=${SNEAKIN_DIRS}
	SCAN_KSYMS=${SNEAKIN_KSYMS}
	scanrootkit

	# Solaris Wanuk backdoor

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="Solaris Wanuk backdoor"
		SCAN_FILES=${WANUKDOOR_FILES}
		SCAN_DIRS=${WANUKDOOR_DIRS}
		SCAN_KSYMS=${WANUKDOOR_KSYMS}
		scanrootkit
	fi

	# Solaris Wanuk Worm

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="Solaris Wanuk Worm"
		SCAN_FILES=${WANUKWORM_FILES}
		SCAN_DIRS=${WANUKWORM_DIRS}
		SCAN_KSYMS=${WANUKWORM_KSYMS}
		scanrootkit
	fi

	# 'Spanish' Rootkit

	SCAN_ROOTKIT="'Spanish' Rootkit"
	SCAN_FILES=${SPANISH_FILES}
	SCAN_DIRS=${SPANISH_DIRS}
	SCAN_KSYMS=${SPANISH_KSYMS}
	scanrootkit

	# Suckit Rootkit

	SCAN_ROOTKIT="Suckit Rootkit"
	SCAN_FILES=${SUCKIT_FILES}
	SCAN_DIRS=${SUCKIT_DIRS}
	SCAN_KSYMS=${SUCKIT_KSYMS}
	scanrootkit

	# SunOS Rootkit

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="SunOS Rootkit"
		SCAN_FILES=${SUNOSROOTKIT_FILES}
		SCAN_DIRS=${SUNOSROOTKIT_DIRS}
		SCAN_KSYMS=${SUNOSROOTKIT_KSYMS}
		scanrootkit
	fi

	# SunOS / NSDAP Rootkit

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="SunOS / NSDAP Rootkit"
		SCAN_FILES=${NSDAP_FILES}
		SCAN_DIRS=${NSDAP_DIRS}
		SCAN_KSYMS=${NSDAP_KSYMS}
		scanrootkit
	fi

	# Superkit Rootkit

	SCAN_ROOTKIT="Superkit Rootkit"
	SCAN_FILES=${SUPERKIT_FILES}
	SCAN_DIRS=${SUPERKIT_DIRS}
	SCAN_KSYMS=${SUPERKIT_KSYMS}
	scanrootkit

	# TBD (Telnet BackDoor)

	SCAN_ROOTKIT="TBD (Telnet BackDoor)"
	SCAN_FILES=${TBD_FILES}
	SCAN_DIRS=${TBD_DIRS}
	SCAN_KSYMS=${TBD_KSYMS}
	scanrootkit

	# TeLeKiT Rootkit

	SCAN_ROOTKIT="TeLeKiT Rootkit"
	SCAN_FILES=${TELEKIT_FILES}
	SCAN_DIRS=${TELEKIT_DIRS}
	SCAN_KSYMS=${TELEKIT_KSYMS}
	scanrootkit

	# OSX Togroot Rootkit

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Togroot Rootkit"
		SCAN_FILES=${TOGROOT_FILES}
		SCAN_DIRS=${TOGROOT_DIRS}
		SCAN_KSYMS=${TOGROOT_KSYMS}
		scanrootkit
	fi

	# T0rn Rootkit

	SCAN_ROOTKIT="T0rn Rootkit"
	SCAN_FILES=${TORN_FILES}
	SCAN_DIRS=${TORN_DIRS}
	SCAN_KSYMS=${TORN_KSYMS}
	scanrootkit

	# TrNkit Rootkit

	SCAN_ROOTKIT="trNkit Rootkit"
	SCAN_FILES=${TRNKIT_FILES}
	SCAN_DIRS=${TRNKIT_DIRS}
	SCAN_KSYMS=${TRNKIT_KSYMS}
	scanrootkit

	# Trojanit Kit

	SCAN_ROOTKIT="Trojanit Kit"
	SCAN_FILES=${TROJANIT_FILES}
	SCAN_DIRS=${TROJANIT_DIRS}
	SCAN_KSYMS=${TROJANIT_KSYMS}
	scanrootkit

	# Turtle / Turtle2 Rootkit

	if [ $BSDOS -eq 1 ]; then
		SCAN_ROOTKIT="Turtle Rootkit"
		SCAN_FILES=${TURTLE_FILES}
		SCAN_DIRS=${TURTLE_DIRS}
		SCAN_KSYMS=${TURTLE_KSYMS}
		scanrootkit
	fi

	# Tuxtendo Rootkit

	SCAN_ROOTKIT="Tuxtendo Rootkit"
	SCAN_FILES=${TUXTENDO_FILES}
	SCAN_DIRS=${TUXTENDO_DIRS}
	SCAN_KSYMS=${TUXTENDO_KSYMS}
	scanrootkit

	# Universal Rootkit by K2 (URK)

	SCAN_ROOTKIT="URK Rootkit"
	SCAN_FILES=${URK_FILES}
	SCAN_DIRS=${URK_DIRS}
	SCAN_KSYMS=${URK_KSYMS}
	scanrootkit

	# Vampire Rootkit

	SCAN_ROOTKIT="Vampire Rootkit"
	SCAN_FILES=${VAMPIRE_FILES}
	SCAN_DIRS=${VAMPIRE_DIRS}
	SCAN_KSYMS=${VAMPIRE_KSYMS}
	scanrootkit

	# VcKit Rootkit

	SCAN_ROOTKIT="VcKit Rootkit"
	SCAN_FILES=${VCKIT_FILES}
	SCAN_DIRS=${VCKIT_DIRS}
	SCAN_KSYMS=${VCKIT_KSYMS}
	scanrootkit

	# Volc Rootkit

	SCAN_ROOTKIT="Volc Rootkit"
	SCAN_FILES=${VOLC_FILES}
	SCAN_DIRS=${VOLC_DIRS}
	SCAN_KSYMS=${VOLC_KSYMS}
	scanrootkit

	# weaponX Rootkit

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="weaponX Rootkit"
		SCAN_FILES=${WEAPONX_FILES}
		SCAN_DIRS=${WEAPONX_DIRS}
		SCAN_KSYMS=${WEAPONX_KSYMS}
		scanrootkit
	fi

	# Xzibit Rootkit

	SCAN_ROOTKIT="Xzibit Rootkit"
	SCAN_FILES=${XZIBIT_FILES}
	SCAN_DIRS=${XZIBIT_DIRS}
	SCAN_KSYMS=${XZIBIT_KSYMS}
	scanrootkit

	# X-Org SunOS Rootkit

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="X-Org SunOS Rootkit"
		SCAN_FILES=${XORGSUNOS_FILES}
		SCAN_DIRS=${XORGSUNOS_DIRS}
		SCAN_KSYMS=${XORGSUNOS_KSYMS}
		scanrootkit
	fi

	# zaRwT.KiT Rootkit

	SCAN_ROOTKIT="zaRwT.KiT Rootkit"
	SCAN_FILES=${ZARWT_FILES}
	SCAN_DIRS=${ZARWT_DIRS}
	SCAN_KSYMS=${ZARWT_KSYMS}
	scanrootkit

	# ZK Rootkit

	SCAN_ROOTKIT="ZK Rootkit"
	SCAN_FILES=${ZK_FILES}
	SCAN_DIRS=${ZK_DIRS}
	SCAN_KSYMS=${ZK_KSYMS}
	scanrootkit

	return
}


possible_rootkit_file_dir_checks() {

	#
	# This function performs the check for possible rootkit
	# files and directories.
	#

	if `check_test possible_rkt_files`; then
		display --to LOG --type INFO --nl STARTING_TEST possible_rkt_files
		display --to LOG --type PLAIN --log-indent 2 ROOTKIT_POSS_FILES_DIRS_LOG
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST possible_rkt_files
		fi

		return
	fi

	FOUND=0
	FOUNDFILES=""
	FOUNDDIRS=""

	IFS=$IFSNL

	for RKHTMPVAR in ${FILESCAN}; do
		ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

		RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ 	]*//'`

		TYPE=`echo ${RKHTMPVAR} | cut -d: -f1`
		FILE=`echo ${RKHTMPVAR} | cut -d: -f2`
		INFO=`echo ${RKHTMPVAR} | cut -d: -f3`

		FNAME=`echo "${FILE}" | tr '%' ' '`

		case "${TYPE}" in
		dir)
			if [ -d "${FNAME}" ]; then
				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

				if [ -n "`echo \"${RTKT_DIR_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO FILE_PROP_WL_DIR "`name2text \"${FNAME}\"`" 'possible_rkt_files'
						display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "`name2text \"${FNAME}\"`"
					fi
				else
					FOUND=1
					FOUNDDIRS="${FOUNDDIRS}
${FNAME}:${INFO}"

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_FILES_DIRS_DIR "`name2text \"${FNAME}\"`"
					fi
				fi
			elif [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "`name2text \"${FNAME}\"`"
			fi
			;;
		file)
			if [ -f "${FNAME}" ]; then
				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

				if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'possible_rkt_files'
						display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "`name2text \"${FNAME}\"`"
					fi
				else
					FOUND=1
					FOUNDFILES="${FOUNDFILES}
${FNAME}:${INFO}"

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_FILES_DIRS_FILE "`name2text \"${FNAME}\"`"
					fi
				fi
			elif [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "`name2text \"${FNAME}\"`"
			fi
			;;
		*)
			echo "Error: Unknown file type in possible rootkit check: FILESCAN contains: ${TYPE}"
			;;
		esac
	done

	IFS=$RKHIFS


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_POSS_FILES_DIRS
	else
		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_POSS_FILES_DIRS

		IFS=$IFSNL

		FOUNDFILES=`echo "${FOUNDFILES}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${FOUNDFILES}; do
			FILE=`echo "${RKHTMPVAR}" | cut -d: -f1`
			INFO=`echo "${RKHTMPVAR}" | cut -d: -f2`

			ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
			ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "

			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_POSS_FILES_FILE_FOUND "`name2text \"${FILE}\"`" "${INFO}"
		done

		FOUNDDIRS=`echo "${FOUNDDIRS}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${FOUNDDIRS}; do
			FILE=`echo "${RKHTMPVAR}" | cut -d: -f1`
			INFO=`echo "${RKHTMPVAR}" | cut -d: -f2`

			ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
			ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "

			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_POSS_FILES_DIR_FOUND "`name2text \"${FILE}\"`" "${INFO}"
		done

		IFS=$RKHIFS
	fi

	return
}


get_rc_paths() {

	#
	# This function gets a list of the system startup files.
	# Directories are searched for files.
	#
	# This functions will set the variable RC_PATHS.
	#

	RC_PATHS=""
	RKHTMPVAR2=""

	#
	# For systemd systems we should follow symbolic links, but
	# for init systems we do not. Additionally, older UNIX
	# systems do not recognise the 'find' command '-L' option.
	# (The '-follow' option is now deprecated.) So we need to
	# check that '-L' is valid, and only use it if the systemd
	# startup directory is being used.
	#

	FINDFOLLOW=0

	if [ -n "${FIND_CMD}" ]; then
		test -z "`${FIND_CMD} -L ${DB_PATH} 2>&1 >/dev/null`" && FINDFOLLOW=1
	fi

	if [ -n "${STARTUP_PATHS}" ]; then
		RKHTMPVAR="${STARTUP_PATHS}"
	else
		RKHTMPVAR="${RCLOCATIONS}"
	fi


	for DIR in ${RKHTMPVAR}; do
		test -h "${DIR}" && continue

		if [ -f "${DIR}" ]; then
			RC_PATHS="${RC_PATHS}
${DIR}"
			RKHTMPVAR2="${RKHTMPVAR2} ${DIR}"
		elif [ -d "${DIR}" ]; then
			RKHTMPVAR2="${RKHTMPVAR2} ${DIR}"

			if [ -n "${FIND_CMD}" ]; then
				if [ $FINDFOLLOW -eq 1 -a -n "`echo \"${DIR}\" | grep '^/etc/systemd/'`" ]; then
					RKHTMPVAR3=`${FIND_CMD} -L "${DIR}" -type f 2>/dev/null`
				else
					RKHTMPVAR3=`${FIND_CMD} "${DIR}" -type f -a ! -type l 2>/dev/null`
				fi

				if [ -n "${RKHTMPVAR3}" ]; then
					RC_PATHS="${RC_PATHS}
${RKHTMPVAR3}"
				fi
			else
				for FNAME in ${DIR}/*; do
					test -f "${FNAME}" -a ! -h "${FNAME}" && RC_PATHS="${RC_PATHS}
${FNAME}"
				done
			fi
		fi
	done

	if [ $STARTUP_PATHS_LOGGED -eq 0 ]; then
		STARTUP_PATHS_LOGGED=1

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			test -z "${RKHTMPVAR2}" && RKHTMPVAR2="${RKHTMPVAR}"

			RKHTMPVAR2=`echo ${RKHTMPVAR2}`
			display --to LOG --type INFO CONFIG_STARTUP_PATHS "${RKHTMPVAR2}"
		fi
	fi

	return
}


possible_rootkit_string_checks() {

	#
	# This function performs the check for possible rootkit
	# strings in files.
	#

	if `check_test possible_rkt_strings`; then
		display --to LOG --type INFO --nl STARTING_TEST possible_rkt_strings
		display --to LOG --type PLAIN --log-indent 2 ROOTKIT_POSS_STRINGS_LOG
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST possible_rkt_strings
		fi

		return
	fi

	#
	# First check to see that we can run the test.
	#

	if [ -z "${STRINGS_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 ROOTKIT_POSS_STRINGS

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' strings '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'strings'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'strings'
		fi

		return
	elif [ "${STARTUP_PATHS}" = "NONE" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color GREEN --screen-indent 4 ROOTKIT_POSS_STRINGS
		display --to LOG --type INFO STARTUP_NONE_GIVEN
		return
	fi


	#
	# Now get and check that the system startup files are okay.
	#

	get_rc_paths

	if [ -z "${RC_PATHS}" ]; then
		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 ROOTKIT_POSS_STRINGS
		display --to LOG --type PLAIN --log-indent 9 STARTUP_CHECK_NO_RC_FILES
		return
	fi


	FOUND=0
	FOUNDFILES=""

	IFS=$IFSNL

	for RKHTMPVAR in ${STRINGSCAN}; do
		FOUNDFILE=0
		STRINGFOUND=0
		FOUNDSTRING=""

		RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ 	]*//'`

		FILE=`echo ${RKHTMPVAR} | cut -d: -f1`
		FILESTRING=`echo ${RKHTMPVAR} | cut -d: -f2`

		# If the string begins with '+', then it is already a regular expression.
		if [ "`echo ${FILESTRING} | cut -c 1`" = "+" ]; then
			STRINGGREP=`echo ${FILESTRING} | cut -c 2-`
			FILESTRING="${STRINGGREP}"
		else
			STRINGGREP=`echo ${FILESTRING} | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
		fi

		INFO=`echo ${RKHTMPVAR} | cut -d: -f3`

		if [ "${FILE}" = "rcfile" ]; then
			FOUNDFILE=1

			for FNAME in ${RC_PATHS}; do
				FOUNDSTRING=`${STRINGS_CMD} -n 3 -a "${FNAME}" | grep -v '^[ 	]*#' | grep "${STRINGGREP}"`

				if [ -n "${FOUNDSTRING}" ]; then
					FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

					if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:${STRINGGREP}$\"`" ]; then
						if [ $VERBOSE_LOGGING -eq 1 ]; then
							display --to LOG --type INFO FILE_PROP_WL_STR "`name2text \"${FNAME}\"`" "${FILESTRING}" 'possible_rkt_strings'
						fi
					elif [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" -a -z "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:$\"`" ]; then
						if [ $VERBOSE_LOGGING -eq 1 ]; then
							display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'possible_rkt_strings'
						fi
					else
						FOUND=1
						STRINGFOUND=1
						FOUNDSTRINGS="${FOUNDSTRINGS}
${FNAME}:${FILESTRING}:${INFO}"
					fi
				fi
			done
		else
			#
			# We cannot use the 'find_cmd' function here because we
			# are looking at the command binaries themselves, not
			# executing them as commands from the local system.
			#
			# We need to jiggle with IFS here because we are in
			# two loops which are using different field separators.
			#

			IFS=$RKHIFS

			for DIR in ${BINPATHS}; do
				FNAME="${DIR}/${FILE}"

				if [ -f "${FNAME}" ]; then
					FOUNDFILE=1
					FOUNDSTRING=`${STRINGS_CMD} -n 3 -a "${FNAME}" | grep "${STRINGGREP}"`

					if [ -n "${FOUNDSTRING}" ]; then
						FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

						if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:${STRINGGREP}$\"`" ]; then
							if [ $VERBOSE_LOGGING -eq 1 ]; then
								display --to LOG --type INFO FILE_PROP_WL_STR "`name2text \"${FNAME}\"`" "${FILESTRING}" 'possible_rkt_strings'
							fi
						elif [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" -a -z "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:$\"`" ]; then
							if [ $VERBOSE_LOGGING -eq 1 ]; then
								display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'possible_rkt_strings'
							fi
						else
							FOUND=1
							STRINGFOUND=1
							FOUNDSTRINGS="${FOUNDSTRINGS}
${FNAME}:${FILESTRING}:${INFO}"
						fi
					fi

					break
				fi
			done
		fi

		if [ $FOUNDFILE -eq 1 ]; then
			ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

			if [ $STRINGFOUND -eq 0 ]; then
				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_STR "${FILESTRING}"
				fi
			else
				display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_FILES_DIRS_STR "${FILESTRING}"
			fi
		fi

		IFS=$IFSNL
	done

	IFS=$RKHIFS


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_POSS_STRINGS
	else
		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_POSS_STRINGS

		IFS=$IFSNL

		FOUNDSTRINGS=`echo "${FOUNDSTRINGS}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${FOUNDSTRINGS}; do
			FNAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
			STRING=`echo "${RKHTMPVAR}" | cut -d: -f2`

			if [ "`echo ${STRING} | cut -c 1`" = "+" ]; then
				STRING=`echo ${STRING} | cut -c 2-`
			fi

			INFO=`echo "${RKHTMPVAR}" | cut -d: -f3`

			ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
			ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "

			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_POSS_STRINGS_FOUND "${STRING}" "`name2text \"${FNAME}\"`" "${INFO}"
		done

		IFS=$RKHIFS
	fi

	return
}


additional_rootkit_checks() {

	#
	# This function performs additional rootkit checks.
	#

	if `check_test additional_rkts`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST additional_rkts
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_ADD_START
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST additional_rkts
		fi

		return
	fi

	test $LINUXOS -eq 1 && suckit_extra_checks

	possible_rootkit_file_dir_checks

	possible_rootkit_string_checks

	return
}


malware_checks() {

	#
	# This function performs malware checks.
	#

	if `check_test malware`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST malware
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_MALWARE_START
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST malware
		fi

		return
	fi


	#
	# First we check for processes using deleted files.
	#

	if `check_test deleted_files`; then
		display --to LOG --type INFO --nl STARTING_TEST deleted_files

		if [ -n "${LSOF_CMD}" ]; then
			FOUND=0

			WHITEPROC=""
			BLACKPROC=""

			ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`

			DELE_FILES=`${LSOF_CMD} -wnlP +c 0 ${SOLARISX} 2>/dev/null | grep '(dele' 2>/dev/null | head ${HEAD_OPT}1`

			if [ -n "${DELE_FILES}" ]; then
				PIDLIST=" "

				IFS=$IFSNL

				for LINE in `${LSOF_CMD} -wnlP +c 0 ${SOLARISX} 2>/dev/null | grep '(dele'`; do
					PROC=""

					PID=`echo "${LINE}" | ${AWK_CMD} '{ print $2 }'`
					NODE=`echo "${LINE}" | ${AWK_CMD} '{ print $8 }'`
					FNAME=`echo "${LINE}" | ${AWK_CMD} '{ print $9 }'`

					#
					# Skip any PID's we have already seen.
					#

					test -n "`echo \"${PIDLIST}\" | grep \" $PID \"`" && continue

					#
					# Try and get the running process name.
					#

					if [ $HAVE_READLINK -eq 1 ]; then
						RKHTMPVAR=""

						if [ $SOL_PROC -eq 1 ]; then
							test -h "/proc/${PID}/path/a.out" && RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "/proc/${PID}/path/a.out"`
						elif [ $SUNOS -eq 0 -o -h "/proc/${PID}/exe" ]; then
							test -h "/proc/${PID}/exe" && RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "/proc/${PID}/exe"`
						fi

						test -n "${RKHTMPVAR}" && PROC=`echo "${RKHTMPVAR}" | cut -d' ' -f1`
					fi

					if [ -z "${PROC}" ]; then
						if [ $SUNOS -eq 1 ]; then
							PROC=`${LSOF_CMD} -wnlP +c 0 -p $PID 2>/dev/null | grep '[ 	]txt[ 	][ 	]*VREG[ 	]' 2>/dev/null | head ${HEAD_OPT}1 | ${AWK_CMD} '{ print $NF }'`
						else
							PROC=`${LSOF_CMD} -wnlP +c 0 -p $PID 2>/dev/null | grep '[ 	]txt[ 	][ 	]*REG[ 	]' | ${AWK_CMD} '{ print $NF }'`
						fi

						test -z "${PROC}" && PROC=`echo "${LINE}" | ${AWK_CMD} '{ print $1 }'`
					fi

					#
					# If FNAME is not a pathname then look at the NODE.
					#

					if [ -z "`echo \"${FNAME}\" | grep '^/'`" ]; then
						if [ -n "`echo \"${NODE}\" | grep '^/'`" ]; then
							FNAME="${NODE}"
						fi
					fi

					#
					# Strip anything after the pathname.
					#

					if [ -n "`echo \"${FNAME}\" | grep '^/'`" ]; then
						FNAME=`echo "${FNAME}" | cut -d' ' -f1`
					fi

					#
					# Now see if the process is whitelisted.
					#

					PROCWHITELISTED=0
					PROCDELFILES_GIVEN=0

					#
					# For this test we do not want to use globbing because it may match with
					# files that actually exist. This could then lead to a false-positive for
					# what should have been a whitelisted pathname. Instead we disable globbing,
					# and then change the glob characters to regular expression ones. We also
					# escape typical grep regex characters (e.g. '.'). The resulting regular
					# expression is then matched against the deleted file pathname.
					#

					set -f

					for RKHTMPVAR in ${ALLOWPROCDELFILES}; do
						RKHTMPVAR2=`echo "${RKHTMPVAR}" | ${AWK_CMD} -F ':/' '{ print $1 }'`

						test "${RKHTMPVAR}" = "${RKHTMPVAR2}" && PROCDELFILES_GIVEN=0 || PROCDELFILES_GIVEN=1

						if [ "${PROC}" = "${RKHTMPVAR2}" ]; then
							if [ $PROCDELFILES_GIVEN -eq 1 ]; then
								RKHTMPVAR3=`echo "${RKHTMPVAR}" | ${AWK_CMD} -F ':/' '{ for (i = 2; i <= NF; i++) { a[i] = $i } } END { for (i in a) { print "/" a[i] } }'`

								FNAMEGREP=""

								for FN in ${RKHTMPVAR3}; do
									FNGREP=`echo "${FN}" | sed -e 's/\([.^+]\)/\\\\\1/g; s/\([^\\]\)\*/\1.*/g; s/\([^\\]\)?/\1./g;'`
									FNAMEGREP="${FNAMEGREP}|${FNGREP}"
								done

								FNAMEGREP=`echo "${FNAMEGREP}" | sed -e 's/^|//;'`

								if [ -n "`echo \"${FNAME}\" | egrep \"^(${FNAMEGREP})$\"`" ]; then
									PROCWHITELISTED=1
								fi
							else
								PROCWHITELISTED=1
							fi

							test $PROCWHITELISTED -eq 1 && break
						fi
					done

					set +f


					test $HAVE_READLINK -eq 0 && PROC="\"${PROC}\""

					if [ $PROCWHITELISTED -eq 1 ]; then
						if [ $PROCDELFILES_GIVEN -eq 1 ]; then
							if [ -z "`echo \"${WHITEPROC}\" | grep \"^${PROC} ${FNAME}$\"`" ]; then
								WHITEPROC="${WHITEPROC}
${PROC} ${FNAME}"
							fi
						elif [ -z "`echo \"${WHITEPROC}\" | grep \"^${PROC}$\"`" ]; then
							WHITEPROC="${WHITEPROC}
${PROC}"
						fi
					else
						FOUND=1
						BLACKPROC="${BLACKPROC}
${PROC} ${PID} ${FNAME}"
					fi


					#
					# Finally add the PID to the seen PID list.
					#

					PIDLIST="$PIDLIST $PID "
				done
			fi


			#
			# Now display the results.
			#

			if [ $FOUND -eq 0 ]; then
				display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_DELETED_FILES
			else
				ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`

				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_DELETED_FILES

				display --to LOG --type WARNING ROOTKIT_MALWARE_DELETED_FILES_FOUND

				for LINE in ${BLACKPROC}; do
					test -z "${LINE}" && continue

					PROC=`echo "$LINE" | cut -d' ' -f1`
					PID=`echo "$LINE" | cut -d' ' -f2`
					FNAME=`echo "$LINE" | cut -d' ' -f3-`

					display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA "${PROC}" "${PID}" "`name2text \"${FNAME}\"`"
				done
			fi

			if [ $VERBOSE_LOGGING -eq 1 ]; then
				for RKHTMPVAR in ${WHITEPROC}; do
					test -z "${RKHTMPVAR}" && continue

					if [ -n "`echo \"${RKHTMPVAR}\" | grep ' /'`" ]; then
						PROC=`echo "${RKHTMPVAR}" | cut -d' ' -f1`
						FNAME=`echo "${RKHTMPVAR}" | cut -d' ' -f2-`

						display --to LOG --type INFO ROOTKIT_MALWARE_DELETED_FILES_WL "${PROC}" "`name2text \"${FNAME}\"`"
					else
						display --to LOG --type INFO NETWORK_PACKET_CAP_WL "${RKHTMPVAR}"
					fi
				done
			fi

			IFS=$RKHIFS
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_DELETED_FILES

			if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' lsof '`" ]; then
				display --to LOG --type INFO DISABLED_CMD 'lsof'
			else
				display --to LOG --type INFO NOT_FOUND_CMD 'lsof'
			fi
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST deleted_files
	fi


	#
	# Next we check to see if there any running processes
	# using suspicious files.
	#

	if `check_test running_procs`; then
		display --to LOG --type INFO --nl STARTING_TEST running_procs

		if [ -n "${LSOF_CMD}" ]; then
			#
			# First get a temporary file to store the output.
			#

			get_temp_file "${RKHTMPDIR}/lsofprocs.out"
			RKHLSOF_FILE="${TEMPFILE}"
			touch "${RKHLSOF_FILE}"

			${LSOF_CMD} -wnlP +c 0 2>&1 | egrep -v ' (FIFO|V?DIR|IPv[46]) ' | sort | uniq >"${RKHLSOF_FILE}"

			#
			# Now loop through the known suspicious filenames,
			# and see if any are in the lsof output.
			#

			FOUND=0
			SUSP_FILES=""

			IFS=$IFSNL

			for RKHTMPVAR in ${SUSP_FILES_INFO}; do
				ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`

				RKHTMPVAR=`echo "${RKHTMPVAR}" | sed -e 's/^[ 	]*//'`

				FNAME=`echo "${RKHTMPVAR}" | cut -d: -f1`

				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

				FOUNDFILES=`grep "/${FNAMEGREP}$" "${RKHLSOF_FILE}"`

				if [ -n "${FOUNDFILES}" ]; then
					FOUND=0

					INFO=`echo "${RKHTMPVAR}" | cut -d: -f2-`

					if [ -n "`echo \"${INFO}\" | grep '^OSX '`" ]; then
						if [ $MACOSX -eq 1 ]; then
							INFO=`echo "${INFO}" | cut -d' ' -f2-`
						else
							ROOTKIT_COUNT=`expr $ROOTKIT_COUNT - 1`
							continue
						fi
					fi

					#
					# It is possible that more than one line of output was found.
					# So we must loop through them and record them all.
					#

					for FNAME in ${FOUNDFILES}; do
						#
						# See if the filename has been whitelisted.
						#

						FILENAME=`echo "${FNAME}" | sed -e 's/^.*[ 	]\([^ 	][^ 	]*\)$/\1/'`
						FNAMEGREP=`echo "${FILENAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

						if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
							if [ $VERBOSE_LOGGING -eq 1 ]; then
								display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FILENAME}\"`" 'running_procs'
							fi
						else
							FOUND=1
							SUSP_FILES="${SUSP_FILES}
${RKHTMPVAR}:${FNAME}"
						fi
					done

					if [ $FOUND -eq 1 ]; then
						ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
						ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "
					fi
				fi
			done

			IFS=$RKHIFS

			rm -f "${RKHLSOF_FILE}" >/dev/null 2>&1

			if [ $FOUND -eq 0 ]; then
				display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_SUSP_FILES
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_SUSP_FILES
				display --to LOG --type WARNING ROOTKIT_MALWARE_SUSP_FILES_FOUND

				IFS=$IFSNL

				SUSP_FILES=`echo "${SUSP_FILES}" | sed -e '/^$/d'`

				for FILENAME in ${SUSP_FILES}; do
					INFO=`echo ${FILENAME} | cut -d: -f2`
					RKHTMPVAR=`echo ${FILENAME} | cut -d: -f3-`

					FOUNDINFO=`echo "${RKHTMPVAR}" | ${AWK_CMD} '{ print $1 }'`
					display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_SUSP_FILES_FOUND_CMD "${FOUNDINFO}"

					FOUNDINFO=`echo "${RKHTMPVAR}" | ${AWK_CMD} '{ print $3 }'`
					RKHTMPVAR2=`echo "${RKHTMPVAR}" | ${AWK_CMD} '{ print $2 }'`
					display --to LOG --type PLAIN --log-indent 11 ROOTKIT_MALWARE_SUSP_FILES_FOUND_UID "${FOUNDINFO}" "${RKHTMPVAR2}"

					FOUNDINFO=`echo "${RKHTMPVAR}" | ${AWK_CMD} '{ print $9 }'`
					display --to LOG --type PLAIN --log-indent 11 ROOTKIT_MALWARE_SUSP_FILES_FOUND_PATH "${FOUNDINFO}"

					display --to LOG --type PLAIN --log-indent 11 ROOTKIT_MALWARE_SUSP_FILES_FOUND_RTKT "${INFO}"
				done

				IFS=$RKHIFS
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_SUSP_FILES

			if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' lsof '`" ]; then
				display --to LOG --type INFO DISABLED_CMD 'lsof'
			else
				display --to LOG --type INFO NOT_FOUND_CMD 'lsof'
			fi
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST running_procs
	fi


	#
	# Next we check for any hidden processes.
	#

	if `check_test hidden_procs`; then
		FOUND=0
		UNHIDE_VERS=0
		HIDDEN_PROCS=""

		display --to LOG --type INFO --nl STARTING_TEST hidden_procs


		#
		# First we test for the 'unhide' C program.
		#

		SEEN=0
		RKHTMPVAR="unhide"
		UNHIDE_CMD=`find_cmd unhide`

		if [ -z "${UNHIDE_CMD}" ]; then
			RKHTMPVAR="unhide-posix"
			UNHIDE_CMD=`find_cmd unhide-posix`
		fi

		if [ $LINUXOS -eq 1 -a -z "${UNHIDE_CMD}" ]; then
			RKHTMPVAR="unhide-linux"
			UNHIDE_CMD=`find_cmd unhide-linux`

			if [ -z "${UNHIDE_CMD}" ]; then
				if [ -n "`echo \"${UNAME_R}\" | grep '^2\.6'`" ]; then
					RKHTMPVAR="unhide-linux26"
					UNHIDE_CMD=`find_cmd unhide-linux26`
				fi
			fi
		fi

		if [ -n "${UNHIDE_CMD}" ]; then
			FOUND=1

			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type INFO FOUND_CMD "${RKHTMPVAR}" "${UNHIDE_CMD}"
			fi

			#
			# Dig out the version number for use later on.
			#

			UNHIDE_VERS=`${UNHIDE_CMD} -V 2>/dev/null | head ${HEAD_OPT}1`

			if [ -n "`echo ${UNHIDE_VERS} | grep '^Unhide [2-9][0-9]*$'`" ]; then
				UNHIDE_VERS=`echo ${UNHIDE_VERS} | cut -d' ' -f2`
			else
				UNHIDE_VERS=0
			fi

			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type INFO ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS "${UNHIDE_VERS}"
			fi


			#
			# Now run each of the configured tests.
			#

			UNHIDE_OPTS=""
			FOUND_PROCS=""

			for RKHTMPVAR in ${UNHIDE_TESTS}; do
				if [ -n "`echo \"${RKHTMPVAR} \" | grep '^-'`" ]; then
					# Only newer versions have command-line options.
					if [ $UNHIDE_VERS -ge 20100919 ]; then
						# Ignore obvious invalid options.
						test "${RKHTMPVAR}" = "-V" -o "${RKHTMPVAR}" = "-h" && continue

						UNHIDE_OPTS="${UNHIDE_OPTS} ${RKHTMPVAR}"
					fi

					continue
				elif [ $UNHIDE_VERS -lt 20100819 ]; then
					# Ignore unknown tests for earlier versions.
					test "${RKHTMPVAR}" != "sys" -a "${RKHTMPVAR}" != "proc" -a "${RKHTMPVAR}" != "brute" && continue
				fi

				ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`

				SEEN=1
				FOUND_PROCS=`${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR} 2>&1 | egrep -v '^(Unhide |yjesus@|http:|Copyright |License |NOTE :|Used options:|\[\*\]|$)'`

				if [ -z "${FOUND_PROCS}" ]; then
					# Nothing found.
					display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD "${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR}"
				else
					ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`

					# For newer versions we can sort the messages.
					if [ $UNHIDE_VERS -ge 20100919 ]; then
						FOUND_PROCS=`echo "${FOUND_PROCS}" | sort | uniq`
					fi

					HIDDEN_PROCS="${HIDDEN_PROCS}
${FOUND_PROCS}"

					display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD "${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR}"
				fi
			done


			#
			# Mark the test as skipped if we have not executed any command because of invalid test names.
			#

			if [ $SEEN -eq 0 ]; then
				display --to LOG --type PLAIN --result SKIPPED --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD "${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR}"
			fi
		elif [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO NOT_FOUND_CMD 'unhide'

			if [ "${RKHTMPVAR}" != "unhide" ]; then
				display --to LOG --type INFO NOT_FOUND_CMD "${RKHTMPVAR}"
			fi
		fi


		#
		# Now display the results.
		#
		# At this point if SEEN is 0, then a problem occurred with the 'unhide' program.
		# We treat these as warnings so that the user is aware that something went
		# wrong.
		#

		HIDDEN_PROCS=`echo "${HIDDEN_PROCS}" | sed -e '/^$/d'`

		if [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS
		elif [ -z "${HIDDEN_PROCS}" -a $SEEN -eq 1 ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS
		else
			#
			# At this point we have either found a hidden PID, or an error occurred with the 'unhide' program,
			# or both. We need to warn the user in either case. We also need to display all the information.
			#

			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS

			#
			# Lets see if there was a problem executing the 'unhide' commands.
			#

			if [ $SEEN -eq 0 ]; then
				display --to LOG --type WARNING --log-indent 2 ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR "${UNHIDE_TESTS}"
			fi

			#
			# Now display if any actual hidden PIDs were found.
			#

			if [ -n "${HIDDEN_PROCS}" ]; then
				display --to LOG --type WARNING --log-indent 2 ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND

				IFS=$IFSNL

				for RKHTMPVAR in ${HIDDEN_PROCS}; do
					display --to LOG --type PLAIN --log-indent 9 NAME "${RKHTMPVAR}"
				done

				IFS=$RKHIFS
			fi
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST hidden_procs
	fi


	# 
	# Next we run the check for suspicious file contents.
	# 

	suspscan


	#
	# Next we check for login backdoors.
	#

	if `check_test login_backdoors`; then
		FOUND=0
		FOUNDFILES=""

		ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`

		display --to LOG --type INFO --nl STARTING_TEST login_backdoors

		for FNAME in ${LOGIN_BACKDOOR_FILES}; do
			if [ -e "${FNAME}" ]; then
				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

				if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'login_backdoors'
					fi
				else
					FOUND=1
					FOUNDFILES="${FOUNDFILES} ${FNAME}"
				fi

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_MALWARE_LOGIN_BDOOR_CHK "`name2text \"${FNAME}\"`"
				fi
			elif [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_MALWARE_LOGIN_BDOOR_CHK "`name2text \"${FNAME}\"`"
			fi
		done


		#
		# Now display the results.
		#

		if [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_LOGIN_BDOOR
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_LOGIN_BDOOR

			for FNAME in ${FOUNDFILES}; do
				ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`

				display --to LOG --type WARNING ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND "`name2text \"${FNAME}\"`"
			done
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST login_backdoors
	fi


	#
	# Next, check for sniffer log files.
	#

	if `check_test sniffer_logs`; then
		FOUND=0
		FOUNDFILES=""

		ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`

		display --to LOG --type INFO --nl STARTING_TEST sniffer_logs

		for FNAME in ${SNIFFER_FILES}; do
			if [ -f "${FNAME}" ]; then
				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

				if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'sniffer_logs'
					fi
				else
					FOUND=1
					FOUNDFILES="${FOUNDFILES} ${FNAME}"
				fi

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "`name2text \"${FNAME}\"`"
				fi
			elif [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "`name2text \"${FNAME}\"`"
			fi
		done


		#
		# Now display the results.
		#

		if [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SNIFFER
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SNIFFER

			for FNAME in ${FOUNDFILES}; do
				ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`

				display --to LOG --type WARNING ROOTKIT_MALWARE_SNIFFER_FOUND "`name2text \"${FNAME}\"`"
			done
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST sniffer_logs
	fi


	#
	# Next we check for any software intrusions.
	#

	if `check_test tripwire`; then
		display --to LOG --type INFO --nl STARTING_TEST tripwire

		TRIPWIREFILE="/var/lib/tripwire/`uname -n 2>/dev/null`.twd"

		if [ -f "${TRIPWIREFILE}" ]; then
			ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`

			if [ -z "`grep ${GREP_OPT} 'Tripwire segment-faulted !' \"${TRIPWIREFILE}\"`" ]; then
				display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SFW_INTRUSION
			else
				ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`

				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SFW_INTRUSION
				display --to LOG --type WARNING --log-indent 2 ROOTKIT_MALWARE_SFW_INTRUSION_FOUND "${TRIPWIREFILE}" 'Tripwire segment-faulted'
			fi
		else
			if [ -n "`echo \" ${CL_ENABLE_TESTS} \" | grep ' tripwire '`" ]; then
				display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SFW_INTRUSION
			else
				display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_MALWARE_SFW_INTRUSION
			fi

			display --to LOG --type INFO ROOTKIT_MALWARE_SFW_INTRUSION_SKIP
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST tripwire
	fi


	#
	# Next check for any suspicious directories.
	#

	if `check_test susp_dirs`; then
		FOUND=0
		FOUNDDIRS=""

		ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`

		display --to LOG --type INFO --nl STARTING_TEST susp_dirs

		for DIR in ${SUSPICIOUS_DIRS}; do
			if [ -d "${DIR}" ]; then
				FNAMEGREP=`echo "${DIR}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

				if [ -n "`echo \"${RTKT_DIR_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO FILE_PROP_WL_DIR "`name2text \"${DIR}\"`" 'susp_dirs'
					fi
				else
					FOUND=1
					FOUNDDIRS="${FOUNDDIRS} ${DIR}"
				fi

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "`name2text \"${DIR}\"`"
				fi
			elif [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "`name2text \"${DIR}\"`"
			fi
		done


		#
		# Now display the results.
		#

		if [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SUSP_DIR
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SUSP_DIR

			for DIR in ${FOUNDDIRS}; do
				ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`

				display --to LOG --type WARNING ROOTKIT_MALWARE_SUSP_DIR_FOUND "`name2text \"${DIR}\"`"
			done
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST susp_dirs
	fi


	#
	# Next we check the System V Shared Memory (Linux only for now).
	#

	if `check_test ipc_shared_mem`; then
		display --to LOG --type INFO --nl STARTING_TEST ipc_shared_mem

		if [ $LINUXOS -eq 1 ]; then
			if [ -n "${IPCS_CMD}" ]; then
				ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`

				#
				# Log the minimum segment size we are going to check.
				# If possible, use the human-readable format for the
				# number of bytes.
				#

				IPC_SSIZE_HUMAN=$IPC_SEG_SIZE

				if [ $HAVE_NUMFMT -eq 1 ]; then
					RKHTMPVAR=`${NUMFMT_CMD} --to iec $IPC_SEG_SIZE 2>/dev/null`

					if [ -n "${RKHTMPVAR}" ]; then
						IPC_SSIZE_HUMAN="${RKHTMPVAR}B"
						RKHTMPVAR="$IPC_SEG_SIZE (${IPC_SSIZE_HUMAN})"
					else
						RKHTMPVAR="$IPC_SEG_SIZE"
					fi
				else
					RKHTMPVAR="$IPC_SEG_SIZE"
				fi

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO IPC_SEG_SIZE "$RKHTMPVAR"
				fi

				# No bad segments found yet.
				SEGS_FOUND=""

				# No whitelisted entries found yet.
				SHM_WL_LIST_PID=""
				SHM_WL_LIST_PATH=""
				SHM_WL_LIST_USER=""

				RKHTMPVAR=`LC_LANG=C ${IPCS_CMD} -u 2>/dev/null | ${AWK_CMD} -F' ' '/segments allocated/ {print $3}'`
				test -z "${RKHTMPVAR}" && RKHTMPVAR=0

				if [ $RKHTMPVAR -gt 0 ]; then
					#
					# We expand the process whitelist option here to ensure
					# that any wildcard entries are the most recent.
					#

					if [ -n "${ALLOWIPCPROC_OPT}" ]; then
						ALLOWIPCPROC=`expand_paths ALLOWIPCPROC_OPT`
					fi

					IFS=$IFSNL

					for SHM_LINE in `LC_LANG=C ${IPCS_CMD} -m 2>/dev/null | ${AWK_CMD} -v SHM_SIZE="$IPC_SEG_SIZE" '/^0x/ && ($4 == 600 || $4 == 666) && $5 >= SHM_SIZE { print $0 }'`; do
						RKH_SHM_SHMID=`echo "${SHM_LINE}" | ${AWK_CMD} '{ print $2 }'`
						RKH_SHM_OWNER=`echo "${SHM_LINE}" | ${AWK_CMD} '{ print $3 }'`
						RKH_SHM_SIZE=`echo "${SHM_LINE}" | ${AWK_CMD} '{ print $5 }'`
						RKH_SHM_NATTACH=`echo "${SHM_LINE}" | ${AWK_CMD} '{ print $6 }'`

						if [ $HAVE_NUMFMT -eq 1 ]; then
							RKH_SHM_SIZE_HUMAN=`${NUMFMT_CMD} --to iec $RKH_SHM_SIZE 2>/dev/null`

							if [ -n "${RKH_SHM_SIZE_HUMAN}" ]; then
								RKH_SHM_SIZE_HUMAN="${RKH_SHM_SIZE_HUMAN}B"
							else
								RKH_SHM_SIZE_HUMAN=$RKH_SHM_SIZE
							fi
						else
							RKH_SHM_SIZE_HUMAN=$RKH_SHM_SIZE
						fi

						for SHM_PID_LINE in `LC_LANG=C ${IPCS_CMD} -p 2>/dev/null | grep "^${RKH_SHM_SHMID} "` ; do
							RKH_SHM_CPID=`echo "${SHM_PID_LINE}" | ${AWK_CMD} '{ print $3 }'`
							RKH_SHM_LPID=`echo "${SHM_PID_LINE}" | ${AWK_CMD} '{ print $4 }'`

							if [ $HAVE_READLINK -eq 1 ]; then
								RKH_SHM_PATH=`${READLINK_CMD} ${READLINK_OPT} /proc/${RKH_SHM_CPID}/exe`
							else
								# Make an attempt to get the pathname using the 'ls' command.
								RKH_SHM_PATH=`ls -l /proc/${RKH_SHM_CPID}/exe | ${AWK_CMD} '{ print $NF }'`
							fi

							# Strip off the '(deleted)' part from the pathname if present.
							RKH_SHM_PATH_STRIPPED=`echo "${RKH_SHM_PATH}" | sed -e 's/ (deleted)$//'`

							#
							# First check to see if this segment is whitelisted.
							#

							FOUND=0

							if [ -n "${RKH_SHM_PATH}" ]; then
								FNAMEGREP=`echo "${RKH_SHM_PATH_STRIPPED}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

								if [ -n "`echo \"${ALLOWIPCPROC}\" | grep \"^${FNAMEGREP}$\"`" ]; then
									FOUND=1
									SHM_WL_LIST_PATH="${SHM_WL_LIST_PATH} `name2text \"${RKH_SHM_PATH_STRIPPED}\"`"
								fi
							fi

							if [ $FOUND -eq 0 -a -n "`echo \"${ALLOWIPCUSER}\" | grep \" ${RKH_SHM_OWNER} \"`" ]; then
								FOUND=1
								SHM_WL_LIST_USER="${SHM_WL_LIST_USER} ${RKH_SHM_OWNER}"
							fi

							if [ $FOUND -eq 0 -a -n "`echo \"${ALLOWIPCPID}\" | grep \" ${RKH_SHM_CPID} \"`" ]; then
								FOUND=1
								SHM_WL_LIST_PID="${SHM_WL_LIST_PID} ${RKH_SHM_CPID}"
							fi

							if [ $FOUND -eq 0 ]; then
								#
								# We have found a suspicious segment. We just add it to a
								# newline-separated list for displaying later on.
								#

								if [ -n "${RKH_SHM_PATH}" ]; then
									RKHTMPVAR2=`name2text "${RKH_SHM_PATH_STRIPPED}"`

									if [ "${RKH_SHM_PATH}" = "${RKH_SHM_PATH_STRIPPED}" ]; then
										SEGS_FOUND="${SEGS_FOUND}
1:${RKHTMPVAR2} ${RKH_SHM_CPID} ${RKH_SHM_OWNER} ${RKH_SHM_SIZE_HUMAN} ${IPC_SSIZE_HUMAN}"
									else
										SEGS_FOUND="${SEGS_FOUND}
2:${RKHTMPVAR2} ${RKH_SHM_CPID} ${RKH_SHM_OWNER} ${RKH_SHM_SIZE_HUMAN} ${IPC_SSIZE_HUMAN}"
									fi
								elif [ -n "${RKH_SHM_OWNER}" -a ${RKH_SHM_CPID} -gt 0 ]; then
									if [ ${RKH_SHM_NATTACH} -eq 0 ]; then
										SEGS_FOUND="${SEGS_FOUND}
3:${RKH_SHM_OWNER} ${RKH_SHM_CPID} ${RKH_SHM_SHMID} ${RKH_SHM_SIZE_HUMAN} ${IPC_SSIZE_HUMAN}"
									else
										SEGS_FOUND="${SEGS_FOUND}
4:${RKH_SHM_OWNER} ${RKH_SHM_SHMID} ${RKH_SHM_NATTACH} ${RKH_SHM_CPID} ${RKH_SHM_LPID} ${RKH_SHM_SIZE_HUMAN} ${IPC_SSIZE_HUMAN}"
									fi
								fi
							fi
						done
					done

					IFS=$RKHIFS
				fi

				#
				# Now display the results.
				#

				if [ -z "${SEGS_FOUND}" ]; then
					display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_IPCS
				else
					display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_IPCS

					display --to LOG --type WARNING ROOTKIT_MALWARE_IPCS_FOUND

					IFS=$IFSNL
					for SHM_LINE in ${SEGS_FOUND}; do
						test -z "${SHM_LINE}" && continue

						ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`

						# We need to do this to ensure the 'set' below works correctly.
						IFS=$RKHIFS

						SHM_TYPE=`echo "${SHM_LINE}" | cut -d: -f1`
						SHM_LINE=`echo "${SHM_LINE}" | cut -d: -f2-`

						case "${SHM_TYPE}" in
						1) # A normal segment.
							set -- ${SHM_LINE}
							# Display $RKH_SHM_PATH, $RKH_SHM_CPID, $RKH_SHM_OWNER, $RKH_SHM_SIZE, $IPC_SEG_SIZE
							display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_IPCS_DETAILS "$1" "$2" "$3" "$4" "$5"
							;;
						2) # A segment with a deleted pathname.
							set -- ${SHM_LINE}
							# Display $RKH_SHM_PATH, $RKH_SHM_CPID, $RKH_SHM_OWNER, $RKH_SHM_SIZE, $IPC_SEG_SIZE
							display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_IPCS_DETAILS "$1 (deleted)" "$2" "$3" "$4" "$5"
							;;
						3) # A detached segment with no pathname.
							set -- ${SHM_LINE}
							# Display $RKH_SHM_OWNER, $RKH_SHM_CPID, $RKH_SHM_SHMID, $RKH_SHM_SIZE, $IPC_SEG_SIZE
							display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_IPCS_DETACHED "$1" "$2" "$3" "$4" "$5"
							;;
						4) # An attached segment, but with no pathname.
							set -- ${SHM_LINE}
							# Display $RKH_SHM_OWNER, $RKH_SHM_SHMID, $RKH_SHM_NATTACH, $RKH_SHM_CPID, $RKH_SHM_LPID, $RKH_SHM_SIZE, $IPC_SEG_SIZE
							display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_IPCS_ATTACHED "$1" "$2" "$3" "$4" "$5" "$6" "$7"
							;;
						esac

						IFS=$IFSNL
					done
					IFS=$RKHIFS
				fi

				#
				# Finally display any whitelisted segments that were found.
				#

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					FOUND=""
					for FNAME in ${SHM_WL_LIST_PATH}; do
						FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

						if [ -z "`echo \"${FOUND}\" | grep \" ${FNAMEGREP} \"`" ]; then
							FOUND="${FOUND} ${FNAME} "
							display --to LOG --type INFO ROOTKIT_MALWARE_IPCS_WL_PATH "${FNAME}"
						fi
					done

					FOUND=""
					for FNAME in ${SHM_WL_LIST_USER}; do
						if [ -z "`echo \"${FOUND}\" | grep \" ${FNAME} \"`" ]; then
							FOUND="${FOUND} ${FNAME} "
							display --to LOG --type INFO ROOTKIT_MALWARE_IPCS_WL_USER "${FNAME}"
						fi
					done

					FOUND=""
					for FNAME in ${SHM_WL_LIST_PID}; do
						if [ -z "`echo \"${FOUND}\" | grep \" ${FNAME} \"`" ]; then
							FOUND="${FOUND} ${FNAME} "
							display --to LOG --type INFO ROOTKIT_MALWARE_IPCS_WL_PID "${FNAME}"
						fi
					done
				fi
			else
				display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_IPCS

				if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ipcs '`" ]; then
					display --to LOG --type INFO DISABLED_CMD 'ipcs'
				else
					display --to LOG --type INFO NOT_FOUND_CMD 'ipcs'
				fi
			fi
		else
			if [ -n "`echo \" ${CL_ENABLE_TESTS} \" | grep ' ipc_shared_mem '`" ]; then
				display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_IPCS
			else
				display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_MALWARE_IPCS
			fi

			display --to LOG --type INFO LINUX_ONLY
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST ipc_shared_mem
	fi

	return
}


xinetd_include() {

	#
	# This function handles the xinetd 'include' directive.
	# It is also used to initially process the xinetd.conf
	# file, and to process any files within an 'includedir'
	# directory.
	#
	# Any filename containing a dot or ending in a tilde (~)
	# is ignored. Also absolute pathnames must be used.
	#

	FILENAME=$1

	test -z "${FILENAME}" -o ! -f "${FILENAME}" && return
	test -z "`echo \"${FILENAME}\" | grep '^/'`" && return

	test -n "`echo \"${FILENAME}\" | grep '/[^/]*\.[^/]*$'`" -a "${FILENAME}" != "${XINETD_CONF_PATH}" && return
	test -n "`echo \"${FILENAME}\" | grep '~$'`" && return


	#
	# First see if any defaults have been seen. Only the first instance is used.
	#

	SEEN=0

	if [ $XINETD_DFLTS_SEEN -eq 0 ]; then
		if [ -n "`grep '^defaults' \"${FILENAME}\"`" ]; then
			XINETD_DFLTS_SEEN=1

			IFS=$IFSNL

			# Get the default enabled services.
			for LINE in `egrep '^[ 	]*enabled[ 	]*\+?=' "${FILENAME}"`; do
				SEEN=1

				RKHTMPVAR=`echo "${LINE}" | sed -e 's/^.*=//' | tr -s '	' ' '`

				XINETD_DFLTS_ENABLED="${XINETD_DFLTS_ENABLED} ${RKHTMPVAR}"
			done

			# We must ensure that the enabled default is
			# either the null string or set to something.

			if [ -n "${XINETD_DFLTS_ENABLED}" ]; then
				XINETD_DFLTS_ENABLED=`echo ${XINETD_DFLTS_ENABLED}`
				test -n "${XINETD_DFLTS_ENABLED}" && XINETD_DFLTS_ENABLED=" ${XINETD_DFLTS_ENABLED} "
			fi


			# Get the default disabled services.
			for LINE in `egrep '^[ 	]*disabled[ 	]*\+?=' "${FILENAME}"`; do
				RKHTMPVAR=`echo "${LINE}" | sed -e 's/^.*=//' | tr -s '	' ' '`

				XINETD_DFLTS_DISABLED="${XINETD_DFLTS_DISABLED} ${RKHTMPVAR}"
			done

			# We must ensure that the disabled default is
			# either the null string or set to something.

			if [ -n "${XINETD_DFLTS_DISABLED}" ]; then
				XINETD_DFLTS_DISABLED=`echo ${XINETD_DFLTS_DISABLED}`
				test -n "${XINETD_DFLTS_DISABLED}" && XINETD_DFLTS_DISABLED=" ${XINETD_DFLTS_DISABLED} "
			fi

			IFS=$RKHIFS
		fi
	fi


	#
	# Now check to see if an actual service has been configured.
	#

	if [ -n "`grep '^service' \"${FILENAME}\"`" ]; then
		IFS=$IFSNL

		#
		# We must dig out the service name and its 'id' for each service configured in the file.
		#

		for DATA in `${AWK_CMD} '/^service/, /^[ 	]*\}/ { if ($0 ~ /^[ 	]*(#|$)/) next; printf "%s", $0; if ($0 ~ /\}/) print ""; }' "${FILENAME}"`; do
			# Unfortunately we must jiggle with IFS again to ensure that subsequent commands work.
			IFS=$RKHIFS

			# We 'echo' the configured service to flatten out any whitespace.
			RKHTMPVAR=`echo ${DATA} | cut -d' ' -f2 | sed -e 's/{$//'`
			RKHTMPVAR2=`echo ${DATA} | sed -e 's/^.* id = \([^ ]*\).*$/\1/'`

			if [ -z "${RKHTMPVAR2}" ]; then
				SVCID=" ${RKHTMPVAR} "
			else
				SVCID=" (${RKHTMPVAR}|${RKHTMPVAR2}) "
			fi

			#
			# We now check the service name and id against those listed in the defaults.
			#

			if [ -n "${XINETD_DFLTS_ENABLED}" ]; then
				if [ -n "`echo \"${XINETD_DFLTS_ENABLED}\" | egrep \"${SVCID}\"`" ]; then
					if [ -z "`echo \"${XINETD_DFLTS_DISABLED}\" | egrep \"${SVCID}\"`" ]; then
						SEEN=1
						IFS=$IFSNL
						break
					fi
				fi
			elif [ -n "`echo \"${XINETD_DFLTS_DISABLED}\" | egrep \"${SVCID}\"`" ]; then
				:
			elif [ -z "`echo $DATA | grep 'disable = yes'`" ]; then
				SEEN=1
				IFS=$IFSNL
				break
			fi

			IFS=$IFSNL
		done

		IFS=$RKHIFS
	fi


	if [ $SEEN -eq 1 ]; then
		#
		# See if the file is whitelisted.
		#

		FOUNDWL=0

		for FNAME in ${XINETDALLOWEDSVCS}; do
			if [ "${FNAME}" = "${FILENAME}" ]; then
				FOUNDWL=1
				break
			fi
		done

		if [ $FOUNDWL -eq 0 ]; then
			FOUND=1
			FOUNDFILES="${FOUNDFILES} ${FILENAME}"

			display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_TROJAN_XINETD_ENABLED "${FILENAME}"
		else
			display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_TROJAN_XINETD_ENABLED "${FILENAME}"

			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type INFO ROOTKIT_TROJAN_XINETD_WHITELIST "${FILENAME}" 'xinetd'
			fi
		fi
	else
		display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_TROJAN_XINETD_ENABLED "${FILENAME}"
	fi


	#
	# Next we look for any 'include' directives.
	#

	for FNAME in `grep '^[ 	]*include[ 	]' "${FILENAME}" | ${AWK_CMD} '{ print $2 }'`; do
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --log-indent 6 ROOTKIT_TROJAN_XINETD_INCLUDE "${FNAME}"
		fi

		xinetd_include "${FNAME}"
	done


	#
	# Finally we look for any 'includedir' directives.
	#

	for DIR in `grep '^[ 	]*includedir[ 	]' "${FILENAME}" | ${AWK_CMD} '{ print $2 }'`; do
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --log-indent 6 ROOTKIT_TROJAN_XINETD_INCLUDEDIR "${DIR}"
		fi

		xinetd_includedir "${DIR}"
	done

	return
}


xinetd_includedir() {

	#
	# This function handles the xinetd 'includedir' directive.
	#
	# Absolute pathnames must be used.
	#

	test -z "$1" -o ! -d "$1" && return
	test -z "`echo \"$1\" | grep '^/'`" && return


	for FNAME in `ls $1`; do
		xinetd_include "$1/${FNAME}"
	done

	return
}


sol10_inetd() {

	#
	# This function handles the Solaris 10, and later, inetd
	# configuration. Because the original inetd.conf file may
	# well exist, we look in there as well for any enabled services.
	#
	# This function sets the FOUNDSTRING variable, which will
	# be used later.
	#

	FOUNDSTRING=`${INETADM_CMD} | grep '^enabled' | cut -d: -f2`

	if [ -f "${INETD_CONF_PATH}" ]; then
		STR=`grep -v '^#' "${INETD_CONF_PATH}" | ${AWK_CMD} '{ print $1 }'`

		#
		# Remove any inetd services which we already know
		# about from inetadm.
		#

		for RKHTMPVAR in ${STR}; do
			if [ -z "`echo \"${FOUNDSTRING}\" | grep \"/${RKHTMPVAR}/\"`" ]; then
				FOUNDSTRING="${FOUNDSTRING} ${RKHTMPVAR}"
			fi
		done
	fi

	return
}


trojan_checks() {

	#
	# This function performs some trojan specific checks.
	#

	#
	# We must first of all remember if the test was named on the command-line.
	#

	test -n "`echo \" ${CL_ENABLE_TESTS} \" | grep ' trojans '`" && CL_TEST=1 || CL_TEST=0

	if `check_test trojans`; then
		display --to LOG --type INFO --nl STARTING_TEST trojans
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST trojans
		fi

		return
	fi


	#
	# We first need to see if we are running Solaris 10 or later.
	# Earlier versions of Solaris used the standard inetd configuration
	# file, but later versions use a different mechanism. The 'inetadm'
	# command can be used on these later Solaris versions.
	#

	if [ $SUNOS -eq 1 ]; then
		INETADM_CMD=`find_cmd inetadm`

		test -n "${INETADM_CMD}" && sol10_inetd
	else
		INETADM_CMD=""
	fi


	if [ $CL_TEST -eq 1 ]; then
		RKHTMPVAR="SCREEN+LOG --screen-nl"
	elif [ -f "${INETD_CONF_PATH}" -o -f "${XINETD_CONF_PATH}" -o -n "${INETADM_CMD}" ]; then
		RKHTMPVAR="SCREEN+LOG"
	else
		RKHTMPVAR="LOG"
	fi

	display --to ${RKHTMPVAR} --type PLAIN --screen-indent 2 ROOTKIT_TROJAN_START


	#
	# We first check the inetd.conf file. This includes the
	# Solaris 10 inetd services as well.
	#

	if [ -f "${INETD_CONF_PATH}" -o -n "${INETADM_CMD}" ]; then
		if [ -z "${INETADM_CMD}" ]; then
			display --to LOG --type INFO CONFIG_XINETD_PATH 'inetd' "${INETD_CONF_PATH}"

			FOUNDSTRING=`grep -v '^#' "${INETD_CONF_PATH}" | ${AWK_CMD} '{ print $1 }'`
		else
			display --to LOG --type INFO CONFIG_SOL10_INETD
		fi

		#
		# We now need to see if any of the services are whitelisted.
		#

		RKHTMPVAR=""

		for STR in ${FOUNDSTRING}; do
			FOUND=0

			for SVC in ${INETDALLOWEDSVCS}; do
				if [ "${STR}" = "${SVC}" ]; then
					FOUND=1

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO ROOTKIT_TROJAN_XINETD_WHITELIST "${SVC}" 'inetd'
					fi

					break
				fi
			done

			if [ $FOUND -eq 0 ]; then
				#
				# We want to change any RPC services into
				# an actual executable name, if we can. The
				# executable is the sixth field. If the
				# sixth field is empty or this is an internal
				# service, then we just use the service name.
				#

				if [ -n "`echo \"${STR}\" | grep '^[0-9/_-]*$'`" ]; then
					EXECNAME=`grep "^${STR}" "${INETD_CONF_PATH}" | ${AWK_CMD} '{ print $6 }'`

					test -z "${EXECNAME}" -o "${EXECNAME}" = "internal" && EXECNAME="${STR}"

					STR="${EXECNAME}"


					#
					# Now check if the executable has been whitelisted.
					#

					for SVC in ${INETDALLOWEDSVCS}; do
						if [ "${STR}" = "${SVC}" ]; then
							FOUND=1

							if [ $VERBOSE_LOGGING -eq 1 ]; then
								display --to LOG --type INFO ROOTKIT_TROJAN_XINETD_WHITELIST "${SVC}" 'inetd'
							fi

							break
						fi
					done
				fi

				test $FOUND -eq 0 && RKHTMPVAR="${RKHTMPVAR} ${STR}"
			fi
		done

		FOUNDSTRING="${RKHTMPVAR}"


		#
		# Now display the results.
		#

		if [ -z "${FOUNDSTRING}" ]; then
			display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_TROJAN_INETD
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_TROJAN_INETD

			for STR in ${FOUNDSTRING}; do
				display --to LOG --type WARNING ROOTKIT_TROJAN_INETD_FOUND "${STR}"
			done
		fi
	else
		if [ $CL_TEST -eq 1 ]; then
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 --log-indent 2 ROOTKIT_TROJAN_INETD
		else
			display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_TROJAN_INETD
		fi

		display --to LOG --type INFO ROOTKIT_TROJAN_INETD_SKIP "${INETD_CONF_PATH}"
	fi


	#
	# Next we check the xinetd.conf file.
	#

	FOUND=0
	FOUNDFILES=""

	if [ -f "${XINETD_CONF_PATH}" ]; then
		XINETD_DFLTS_SEEN=0
		XINETD_DFLTS_ENABLED=""
		XINETD_DFLTS_DISABLED=""

		display --to LOG --type INFO CONFIG_XINETD_PATH 'xinetd' "${XINETD_CONF_PATH}"

		xinetd_include "${XINETD_CONF_PATH}"


		#
		# Now display the results.
		#

		if [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_XINETD
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_XINETD

			for FNAME in ${FOUNDFILES}; do
				display --to LOG --type WARNING ROOTKIT_TROJAN_XINETD_ENABLED_FOUND "${FNAME}"
			done
		fi
	else
		if [ $CL_TEST -eq 1 ]; then
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_XINETD
		else
			display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_TROJAN_XINETD
		fi

		display --to LOG --type INFO ROOTKIT_TROJAN_INETD_SKIP "${XINETD_CONF_PATH}"
	fi


	#
	# Finally we check for an Apache backdoor module.
	#

	FOUND=0
	FOUNDFILES=""

	MOD_DIRS="/etc/apache2/mods-enabled /etc/httpd/modules /usr/apache/libexec /usr/lib/modules /usr/local/apache/modules"

	HTTPDDIRS="/usr/local/apache/conf /usr/local/etc/apache /etc/apache /etc/httpd/conf"

	for DIR in ${MOD_DIRS} ${HTTPDDIRS}; do
		if [ -d "${DIR}" ]; then
			FOUND=1

			test -f "${DIR}/mod_rootme.so" && FOUNDFILES="${FOUNDFILES} ${DIR}/mod_rootme.so"
			test -f "${DIR}/mod_rootme2.so" && FOUNDFILES="${FOUNDFILES} ${DIR}/mod_rootme2.so"

			if [ -f "${DIR}/httpd.conf" ]; then
				if [ -n "`egrep 'mod_rootme2?\.so' \"${DIR}/httpd.conf\"`" ]; then
					FOUNDFILES="${FOUNDFILES} ${DIR}/httpd.conf"
				fi
			fi
		fi
	done


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		if [ $CL_TEST -eq 1 ]; then
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_APACHE
		else
			display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_TROJAN_APACHE
		fi

		display --to LOG --type INFO ROOTKIT_TROJAN_APACHE_SKIPPED
	elif [ -z "${FOUNDFILES}" ]; then
		display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_APACHE
	else
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_APACHE

		for FILE in ${FOUNDFILES}; do
			display --to LOG --type WARNING ROOTKIT_TROJAN_APACHE_FOUND "`name2text \"${FILE}\"`"
		done
	fi

	return
}


bsd_specific_checks() {

	#
	# This function performs tests specific to the BSD O/S.
	#

	#
	# We check that the output of sockstat and netstat for
	# local listening sockets is the same.
	#

	SOCKSTAT_CMD=`find_cmd sockstat`

	if [ -n "${SOCKSTAT_CMD}" -a -n "${NETSTAT_CMD}" ]; then
		test "${OPERATING_SYSTEM}" = "NetBSD" && RKHTMPVAR="-n" || RKHTMPVAR=""

		SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} ${RKHTMPVAR} | ${AWK_CMD} '$5 ~ /^(tcp|udp)/ { if ($6 == 6) print $7; else print $6 } $4 ~ /^(tcp|udp)/ { if ($5 == 6) print $6; else print $5 }'`

		SOCKSTAT_OUTPUT=`echo "${SOCKSTAT_OUTPUT}" | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`

		NETSTAT_OUTPUT=`${NETSTAT_CMD} -an | ${AWK_CMD} '$1 ~ /^(tcp|udp)/ { print $4 }' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`

		if [ "${SOCKSTAT_OUTPUT}" = "${NETSTAT_OUTPUT}" ]; then
			display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET
		else
			SOCKSTAT_OUTPUT=`echo ${SOCKSTAT_OUTPUT}`
			NETSTAT_OUTPUT=`echo ${NETSTAT_OUTPUT}`

			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET

			display --to LOG --type WARNING ROOTKIT_OS_BSD_SOCKNET_FOUND
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_BSD_SOCKNET_OUTPUT 'Sockstat' "${SOCKSTAT_OUTPUT}"
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_BSD_SOCKNET_OUTPUT 'Netstat' "${NETSTAT_OUTPUT}"
		fi
	else
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET

		test -z "${SOCKSTAT_CMD}" && display --to LOG --type INFO NOT_FOUND_CMD 'sockstat'

		if [ -z "${NETSTAT_CMD}" ]; then
			if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' netstat '`" ]; then
				display --to LOG --type INFO DISABLED_CMD 'netstat'
			else
				display --to LOG --type INFO NOT_FOUND_CMD 'netstat'
			fi
		fi
	fi

	return
}


freebsd_specific_checks() {

	#
	# This function performs tests specific to the FreeBSD O/S.
	#


	#
	# First we check for KLD backdoors.
	#

	KLDSTAT_CMD=`find_cmd kldstat`

	if [ -n "${KLDSTAT_CMD}" ]; then
		FOUND=0
		FOUNDKEYS=""

		for RKHTMPVAR in ${KLDSTATKEYWORDS}; do
			RKHTMPVAR=`echo ${RKHTMPVAR}`

			KLDKEYWD=`echo ${RKHTMPVAR} | sed -e 's/\./\\\./g'`

			if [ -n "`${KLDSTAT_CMD} -v | grep \"${KLDKEYWD}\"`" ]; then
				FOUND=1
				FOUNDKEYS="${FOUNDKEYS} ${RKHTMPVAR} "
			fi
		done


		if [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_KLD
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_KLD

			for RKHTMPVAR in ${FOUNDKEYS}; do
				display --to LOG --type WARNING ROOTKIT_OS_FREEBSD_KLD_FOUND "${RKHTMPVAR}"
			done
		fi
	else
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_KLD

		display --to LOG --type INFO NOT_FOUND_CMD 'kldstat'
	fi


	#
	# Next we check that the package database is okay.
	#

	if [ "${OPERATING_SYSTEM}" = "DragonFly" ]; then
		PKGDB_CMD=`find_cmd pkg_admin`

		if [ -n "${PKGDB_CMD}" ]; then
			RKHTMPVAR=`${PKGDB_CMD} check 2>&1 >/dev/null`

			if [ -z "${RKHTMPVAR}" ]; then
				display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB

				display --to LOG --type WARNING ROOTKIT_OS_DFLY_PKGDB_NOTOK
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB

			display --to LOG --type INFO NOT_FOUND_CMD 'pkg_admin'
		fi
	else
		PKGDB_CMD=`find_cmd pkgdb`

		if [ -n "${PKGDB_CMD}" ]; then
			RKHTMPVAR=`${PKGDB_CMD} -Fa -v 2>&1 | grep 'Skipped\.'`

			if [ -z "${RKHTMPVAR}" ]; then
				display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB

				display --to LOG --type WARNING ROOTKIT_OS_FREEBSD_PKGDB_NOTOK
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB

			display --to LOG --type INFO NOT_FOUND_CMD 'pkgdb'
		fi
	fi

	return
}


linux_loaded_modules() {

	#
	# This test checks the currently loaded kernel modules. It verifies
	# that what is seen by the 'lsmod' command is the same as seen in
	# the /proc/modules directory.
	#

	if ! `check_test loaded_modules`; then
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST loaded_modules
		fi

		return
	fi


	if [ ! -f "/proc/modules" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKM

		display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKM_MOD_MISSING '/proc/modules'
	elif [ -z "${LSMOD_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKM

		if [ -z "${LSMOD_CMD}" ]; then
			if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' lsmod '`" ]; then
				display --to LOG --type INFO DISABLED_CMD 'lsmod'
			else
				display --to LOG --type INFO NOT_FOUND_CMD 'lsmod'
			fi
		fi
	else
		PROC_OUTPUT=`cat /proc/modules | cut -d' ' -f1 | sort`
		LSMOD_OUTPUT=`${LSMOD_CMD} | grep -v 'Size *Used *by' | cut -d' ' -f1 | sort`


		if [ -n "${PROC_OUTPUT}" -a -n "${LSMOD_OUTPUT}" ]; then
			if [ "${PROC_OUTPUT}" = "${LSMOD_OUTPUT}" ]; then
				display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKM
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKM

				display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKM_FOUND
				display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT '/proc/modules' "${PROC_OUTPUT}"
				display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT 'lsmod' "${LSMOD_OUTPUT}"
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKM

			display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKM_EMPTY
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT '/proc/modules' "${PROC_OUTPUT}"
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT 'lsmod' "${LSMOD_OUTPUT}"
		fi
	fi

	return
}


linux_avail_modules() {

	#
	# This test checks the names of the kernel
	# modules that are available on this system.
	#

	if ! `check_test avail_modules`; then
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST avail_modules
		fi

		return
	fi


	#
	# First obtain and log where the modules are kept. This can
	# be set in the configuration file, but generally rkhunter
	# will determine the location based on the kernel version.
	#

	FOUND=0
	FOUNDFILES=""

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO ROOTKIT_OS_LINUX_LKMNAMES_PATH "${LKM_PATH}"
	fi


	#
	# Now do the test.
	#

	if [ ! -d "${LKM_PATH}" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES

		display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKMNAMES_PATH_MISSING "${LKM_PATH}"
	elif [ -z "${FIND_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' find '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'find'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'find'
		fi
	elif [ -z "`ls -1 \"${LKM_PATH}\" 2>/dev/null`" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES

		display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKMNAMES_PATH_MISSING "${LKM_PATH}"
	else
		#
		# Reformat the LKM names so we only need to do it once.
		#

		LKM_NAMES=""

		for RKHTMPVAR in ${LKM_BADNAMES}; do
			RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/\./\\\./g'`

			LKM_NAMES="${LKM_NAMES} ${RKHTMPVAR}"
		done

		get_temp_file "${RKHTMPDIR}/modslist"
		${FIND_CMD} "${LKM_PATH}" -type f -a \( -name "*.o" -o -name "*.ko" -o -name "*.ko.xz" \) >"${TEMPFILE}" 2>/dev/null

		for RKHTMPVAR in ${LKM_NAMES}; do
			if [ -n "`egrep \"/${RKHTMPVAR}(\.xz)?$\" "${TEMPFILE}"`" ]; then
				FOUND=1
				FOUNDFILES="${FOUNDFILES} ${RKHTMPVAR}"
			fi
		done

		rm -f "${TEMPFILE}" >/dev/null 2>&1


		if [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES

			for RKHTMPVAR in ${FOUNDFILES}; do
				RKHTMPVAR=`echo "${RKHTMPVAR}" | sed -e 's/\\\././g'`

				display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKMNAMES_FOUND "${LKM_PATH}" "${RKHTMPVAR}"
			done
		fi
	fi

	return
}


linux_specific_checks() {

	#
	# This function performs tests specific to the Linux O/S.
	#

	linux_loaded_modules

	linux_avail_modules

	return
}


os_specific_checks() {

	#
	# This function performs any O/S specific tests.
	#

	if `check_test os_specific`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST os_specific
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST os_specific
		fi

		return
	fi


	#
	# Run the relevant O/S specific tests.
	#

	case "${OPERATING_SYSTEM}" in
	FreeBSD|NetBSD|DragonFly)
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 --log-indent 2 ROOTKIT_OS_START "${OPERATING_SYSTEM}"

		bsd_specific_checks

		test "${OPERATING_SYSTEM}" = "FreeBSD" -o "${OPERATING_SYSTEM}" = "DragonFly" && freebsd_specific_checks
		;;
	Linux)
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 --log-indent 2 ROOTKIT_OS_START "${OPERATING_SYSTEM}"

		linux_specific_checks
		;;
	*)
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color YELLOW --result SKIPPED --log-indent 2 ROOTKIT_OS_START "${OPERATING_SYSTEM}"
		display --to LOG --type INFO ROOTKIT_OS_SKIPPED
		;;
	esac

	return
}


do_rootkit_checks() {

	#
	# This function carries out a sequence of tests for rootkits.
	# This consists of the default files and directories check,
	# possible rootkit checks, and checks for malware.
	#

	if `check_test rootkits`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST rootkits
		display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_ROOTKITS
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST rootkits
		fi

		return
	fi


	rootkit_file_dir_checks

	check_test known_rkts || check_test all && keypresspause

	additional_rootkit_checks

	malware_checks

	trojan_checks

	os_specific_checks

	keypresspause

	return
}


check_port_wl() {

	#
	# This function tries to find the PID and command pathname using
	# a given port. It then checks to see if the port is whitelisted.
	#
	# A single parameter indicates if we are in the 'hidden_ports'
	# test or not.
	#

	PID=0
	PID_SEEN=0
	FNAME=""
	FOUND=""

	IN_HIDDEN_PORTS=$1

	if [ -n "${LSOF_CMD}" ]; then
		IFS=$IFSNL

		for LSOFLINE in `${LSOF_CMD} -wnlP -i ${PROTO}:${PORT} 2>/dev/null`; do
			#
			# We must only look at connections using the port on the local host.
			#

			if [ -n "`echo \"${LSOFLINE}\" | grep \" ${PROTO} \*:${PORT} \"`" ]; then
				# Process listening for connections from anywhere.
				PID=`echo "${LSOFLINE}" | ${AWK_CMD} '{ print $2 }'`
			elif [ -n "`echo \"${LSOFLINE}\" | egrep \" ${PROTO} [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:${PORT}[ -]\"`" ]; then
				# Established or listening process using IPv4 address.
				PID=`echo "${LSOFLINE}" | ${AWK_CMD} '{ print $2 }'`
			elif [ -n "`echo \"${LSOFLINE}\" | egrep \" ${PROTO} \[[:0-9a-fA-F]+\]:${PORT}[ -]\"`" ]; then
				# Established or listening process using IPv6 address.
				PID=`echo "${LSOFLINE}" | ${AWK_CMD} '{ print $2 }'`
			else
				# Ignore anything else.
				continue
			fi

			PID_SEEN=1

			#
			# Try and get the running process name.
			#

			if [ $HAVE_READLINK -eq 1 ]; then
				RKHTMPVAR=""

				if [ $SOL_PROC -eq 1 ]; then
					test -h "/proc/${PID}/path/a.out" && RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "/proc/${PID}/path/a.out"`
				elif [ $SUNOS -eq 0 -o -h "/proc/${PID}/exe" ]; then
					test -h "/proc/${PID}/exe" && RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "/proc/${PID}/exe"`
				fi

				test -n "${RKHTMPVAR}" && FNAME=`echo "${RKHTMPVAR}" | cut -d' ' -f1`
			fi

			if [ -z "${FNAME}" ]; then
				if [ $SUNOS -eq 1 ]; then
					FNAME=`${LSOF_CMD} -wnlP +c 0 -p $PID 2>/dev/null | grep '[ 	]txt[ 	][ 	]*VREG[ 	]' 2>/dev/null | head ${HEAD_OPT}1 | ${AWK_CMD} '{ print $NF }'`
				else
					FNAME=`${LSOF_CMD} -wnlP +c 0 -p $PID 2>/dev/null | grep '[ 	]txt[ 	][ 	]*REG[ 	]' | ${AWK_CMD} '{ print $NF }'`
				fi
			fi

			if [ -n "`echo \"${FNAME}\" | grep '^/'`" ]; then
				FOUND="${FNAME}"
				break
			fi
		done

		IFS=$RKHIFS

		if [ -z "${FOUND}" -a $PID_SEEN -eq 1 ]; then
			FNAME=""
			FOUND="${PROTO}:${PORT}"
		fi
	elif [ $IN_HIDDEN_PORTS -eq 1 ]; then
		# The 'netstat' command offers us no further information
		# on hidden ports, so we can skip it.
		:
	else
		case "${OPERATING_SYSTEM}" in
		Linux)
			FOUND=`${NETSTAT_CMD} -an | grep -i "^${PROTO}.*:${PORT} " | ${AWK_CMD} '{ print $4 }' | grep ":${PORT}$"`
			;;
		*BSD|Darwin|IRIX*|DragonFly)
			FOUND=`${NETSTAT_CMD} -an | grep -i "^${PROTO}.*\.${PORT} " | ${AWK_CMD} '{ print $4 }' | grep "\.${PORT}$"`
			;;
		AIX)
			if [ "${PROTO}" = "UDP" ]; then
				FOUND=`${NETSTAT_CMD} -an | grep -i "^udp.*\.${PORT} " | ${AWK_CMD} '{ print $4 }' | grep "\.${PORT}$"`
			elif [ "${PROTO}" = "TCP" ]; then
				FOUND=`${NETSTAT_CMD} -an | egrep -i "^tcp.*\.${PORT} .*(BOUND|ESTABLISH|LISTEN)" | ${AWK_CMD} '{ print $4 }' | grep "\.${PORT}$"`
			fi
			;;
		SunOS)
			if [ "${PROTO}" = "UDP" ]; then
				FOUND=`${NETSTAT_CMD} -an | ${AWK_CMD} '/^UDP: IPv4/, /^$/ { print $1 }' | grep "\.${PORT}$"`

				if [ -z "${FOUND}" ]; then
					FOUND=`${NETSTAT_CMD} -an | ${AWK_CMD} '/^UDP: IPv6/, /^$/ { print $1 }' | grep "\.${PORT}$"`
				fi
			elif [ "${PROTO}" = "TCP" ]; then
				FOUND=`${NETSTAT_CMD} -an | ${AWK_CMD} '/^TCP: IPv4/, /^$/ { print $0 }' | egrep 'BOUND|ESTABLISH|LISTEN' | ${AWK_CMD} '{ print $1 }' | grep "\.${PORT}$"`

				if [ -z "${FOUND}" ]; then
					FOUND=`${NETSTAT_CMD} -an | ${AWK_CMD} '/^TCP: IPv6/, /^$/ { print $0 }' | egrep 'BOUND|ESTABLISH|LISTEN' | ${AWK_CMD} '{ print $1 }' | grep "\.${PORT}$"`
				fi
			fi
			;;
		esac
	fi


	#
	# If we have found something, then see if it is whitelisted.
	#

	if [ -n "${FOUND}" -o $IN_HIDDEN_PORTS -eq 1 ]; then
		RKHTMPVAR2=0

		if [ -n "${LSOF_CMD}" ]; then
			if [ -n "${FNAME}" ]; then
				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

				if [ -n "`echo \"${PORT_WHITELIST}\" | grep \"^${FNAMEGREP}:${PROTO}:${PORT}$\"`" ]; then
					RKHTMPVAR2=1
					FOUND="path_whitelisted"
				elif [ -n "`echo \"${PORT_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					RKHTMPVAR2=1
					FOUND="path_whitelisted"
				elif [ $PORT_WHITELIST_ALL_TRUSTED -eq 1 ]; then
					test -n "${BASENAME_CMD}" && RKHTMPVAR=`${BASENAME_CMD} "${FNAME}"` || RKHTMPVAR=`echo "${FNAME}" | sed -e 's:^.*/::'`

					RKHTMPVAR=`IFS=$RKHIFS find_cmd ${RKHTMPVAR}`

					if [ "${RKHTMPVAR}" = "${FNAME}" ]; then
						RKHTMPVAR2=1
						FOUND="trusted_whitelisted"
					fi
				fi
			fi
		fi

		if [ $RKHTMPVAR2 -eq 0 -a -n "`echo \"${PORT_WHITELIST}\" | grep \"^${PROTO}:${PORT}$\"`" ]; then
			FOUND="port_whitelisted"
		fi
	fi

	return
}


do_network_port_checks() {

	#
	# This function will check the network ports to see
	# if any known backdoor ports are being used.
	#

	if `check_test ports || check_test hidden_ports`; then
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 --nl NETWORK_PORTS_START
	fi

	if `check_test ports`; then
		display --to LOG --type INFO STARTING_TEST ports
		display --to LOG --type PLAIN --log-indent 2 NETWORK_PORTS_BACKDOOR_LOG
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST ports
		fi

		return
	fi


	#
	# We must first check to see if we can perform this test.
	#

	if [ -z "${LSOF_CMD}" -a -z "${NETSTAT_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color YELLOW --result SKIPPED NETWORK_PORTS_BACKDOOR
		display --to LOG --type INFO TEST_SKIPPED_OS 'network port checks' 'lsof or netstat command required.'
		return
	fi

	#
	# Check that the backdoor ports data file is usable.
	#

	if [ ! -e "${DB_PATH}/backdoorports.dat" -o ! -s "${DB_PATH}/backdoorports.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
		display --to LOG --type WARNING NETWORK_PORTS_FILE_MISSING "${DB_PATH}/backdoorports.dat"
		return
	elif [ ! -f "${DB_PATH}/backdoorports.dat" -o -h "${DB_PATH}/backdoorports.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
		display --to LOG --type WARNING NETWORK_PORTS_FILE_NOTAFILE "${DB_PATH}/backdoorports.dat"
		return
	fi

	#
	# Next we do some further testing and the initial logging.
	#

	if [ -z "${LSOF_CMD}" ]; then
		case "${OPERATING_SYSTEM}" in
		*BSD|Linux|AIX|SunOS|Darwin|IRIX*|DragonFly)
			;;
		*)
			display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
			display --to LOG --type WARNING NETWORK_PORTS_UNKNOWN_NETSTAT
			return
			;;
		esac
	fi

	if [ $PORT_WHITELIST_ALL_TRUSTED -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO NETWORK_PORTS_ENABLE_TRUSTED
	fi


	#
	# Now do the test.
	#

	FOUNDPORT=0

	IFS=$IFSNL

	for LINE in `cat "${DB_PATH}/backdoorports.dat"`; do
		if [ -z "`echo \"${LINE}\" | grep '^[0-9][0-9]*:'`" ]; then
			continue
		fi

		PORT=`echo "${LINE}" | cut -d: -f1`
		DESCRIPTION=`echo "${LINE}" | cut -d: -f2`
		PROTO=`echo "${LINE}" | cut -d: -f3 | tr '[:lower:]' '[:upper:]'`

		ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`

		if [ -z "`echo \"${PORT}\" | grep '^[1-9][0-9]*$'`" ]; then
			echo "Error: Invalid port in backdoorports.dat file: $LINE"
			continue
		elif [ "${PROTO}" != "UDP" -a "${PROTO}" != "TCP" ]; then
			echo "Error: Invalid protocol in backdoorports.dat file: $LINE"
			continue
		fi

		check_port_wl 0

		# We need to reset IFS because it is set in 'check_port_wl'.
		IFS=$IFSNL

		#
		# Now log the result.
		#

		case "${FOUND}" in
		path_whitelisted)
			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type INFO NETWORK_PORTS_PATH_WHITELIST "${PROTO}" "${PORT}" "`name2text \"${FNAME}\"`"
				display --to LOG --type PLAIN --log-indent 4 --result WHITELISTED NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
			fi
			;;
		trusted_whitelisted)
			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type INFO NETWORK_PORTS_TRUSTED_WHITELIST "${PROTO}" "${PORT}" "`name2text \"${FNAME}\"`"
				display --to LOG --type PLAIN --log-indent 4 --result WHITELISTED NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
			fi
			;;
		port_whitelisted)
			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type INFO NETWORK_PORTS_PORT_WHITELIST "${PROTO}" "${PORT}"
				display --to LOG --type PLAIN --log-indent 4 --result WHITELISTED NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
			fi
			;;
		"")
			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --log-indent 4 --result NOT_FOUND NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
			fi
			;;
		*)
			FOUNDPORT=1
			ROOTKIT_FAILED_COUNT=`expr $ROOTKIT_FAILED_COUNT + 1`

			display --to LOG --type PLAIN --log-indent 4 --result FOUND NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"

			test -n "${FNAME}" && FNAME=" by `name2text \"${FNAME}\"`"

			display --to LOG --type WARNING NETWORK_PORTS_BKDOOR_FOUND "${PROTO}" "${PORT}" "${FNAME}" "${DESCRIPTION}"
			;;
		esac
	done

	IFS=$RKHIFS


	#
	# Finally show the overall result on the screen.
	#

	if [ $FOUNDPORT -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color GREEN --result NONE_FOUND NETWORK_PORTS_BACKDOOR
	else
		display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
	fi

	return
}


do_network_hidden_port_checks() {

	#
	# This function will check the network
	# ports to see if any are being hidden.
	#

	if `check_test hidden_ports`; then
		display --to LOG --type INFO --nl STARTING_TEST hidden_ports
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST hidden_ports
		fi

		return
	fi


	#
	# We must first check to see if we can perform this test.
	#

	UNHIDETCP_CMD=`find_cmd unhide-tcp`

	if [ -n "${UNHIDETCP_CMD}" ]; then
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO FOUND_CMD 'unhide-tcp' "${UNHIDETCP_CMD} ${UNHIDETCP_OPTS}"
		fi
	else
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 NETWORK_HIDDEN_PORTS

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO NOT_FOUND_CMD 'unhide-tcp'
		fi

		return
	fi

	if [ $SUNOS -eq 1 ]; then
		if [ "${AWK_CMD}" = "awk" ]; then
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 NETWORK_HIDDEN_PORTS
			display --to LOG --type INFO NOT_FOUND_CMD 'gawk or nawk'
			return
		elif [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO FOUND_CMD 'awk' "${AWK_CMD}"
		fi
	fi

	#
	# We don't *need* the 'lsof' command to perform this test, but
	# if it is available then it will be used to find out pathnames.
	#

	if [ $PORT_WHITELIST_ALL_TRUSTED -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO NETWORK_PORTS_ENABLE_TRUSTED
	fi


	#
	# Now perform the test. We must do this in two parts
	# to pick out the TCP ports, and then the UDP ports.
	#

	RKHTMPVAR=`${UNHIDETCP_CMD} ${UNHIDETCP_OPTS} 2>&1`

	TCP_PORTS=`echo "${RKHTMPVAR}" | ${AWK_CMD} '/^(\[\*\])?Starting TCP check/, /^(\[\*\])?Starting UDP check/ { print $0 }' | grep '^Found ' | cut -d: -f2`
	UDP_PORTS=`echo "${RKHTMPVAR}" | ${AWK_CMD} '/^(\[\*\])?Starting UDP check/, 0 { print $0 }' | grep '^Found ' | cut -d: -f2`

	if [ -z "${TCP_PORTS}" -a -z "${UDP_PORTS}" ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 NETWORK_HIDDEN_PORTS
	else
		FOUND_PORTS=""

		for PROTO in TCP UDP; do
			HIDDEN_PORTS=`eval echo "\\$${PROTO}_PORTS"`

			test -z "${HIDDEN_PORTS}" && continue

			HIDDEN_PORTS=`echo ${HIDDEN_PORTS} | tr ' ' '\n' | sort | uniq`
			HIDDEN_PORTS=`echo ${HIDDEN_PORTS}`

			for PORT in ${HIDDEN_PORTS}; do
				check_port_wl 1

				#
				# Now log the result.
				#

				case "${FOUND}" in
				path_whitelisted)
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO NETWORK_HIDDEN_PORTS_PATH_WHITELIST "${PROTO}" "${PORT}" "`name2text \"${FNAME}\"`"
					fi
					;;
				trusted_whitelisted)
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO NETWORK_HIDDEN_PORTS_TRUSTED_WHITELIST "${PROTO}" "${PORT}" "`name2text \"${FNAME}\"`"
					fi
					;;
				port_whitelisted)
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO NETWORK_HIDDEN_PORTS_PORT_WHITELIST "${PROTO}" "${PORT}"
					fi
					;;
				*)
					FOUND_PORTS="${FOUND_PORTS}
${PROTO}:${PORT}:${FNAME}"
					;;
				esac
			done
		done

		if [ -z "${FOUND_PORTS}" ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 NETWORK_HIDDEN_PORTS
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 NETWORK_HIDDEN_PORTS
			display --to LOG --type WARNING --log-indent 2 NETWORK_HIDDEN_PORTS_FOUND

			IFS=$IFSNL

			FOUND_PORTS=`echo "${FOUND_PORTS}" | sed -e '/^$/d'`

			for RKHTMPVAR in ${FOUND_PORTS}; do
				PROTO=`echo ${RKHTMPVAR} | cut -d: -f1`
				PORT=`echo ${RKHTMPVAR} | cut -d: -f2`
				FNAME=`echo ${RKHTMPVAR} | cut -d: -f3-`

				if [ -z "${FNAME}" ]; then
					display --to LOG --type PLAIN --log-indent 9 NETWORK_HIDDEN_PORTS_CHK "${PROTO}" "${PORT}"
				else
					display --to LOG --type PLAIN --log-indent 9 NETWORK_HIDDEN_PORTS_CHK_NAME "${PROTO}" "${PORT}" "`name2text \"${FNAME}\"`"
				fi
			done

			IFS=$RKHIFS
		fi
	fi

	return
}


do_network_interface_checks() {

	#
	# This function will check the network interfaces to see
	# if any are in promiscuous mode. It will also check to see
	# if there are any applications running which are capturing
	# network interface packets.
	#

	if `check_test promisc || check_test packet_cap_apps`; then
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 --nl NETWORK_INTERFACE_START
	fi

	if `check_test promisc`; then
		display --to LOG --type INFO STARTING_TEST promisc

		if [ -n "${IFCONFIG_CMD}" -o \( $LINUXOS -eq 1 -a -n "${IP_CMD}" \) ]; then
			PROMISCSCAN1=""
			PROMISCSCAN2=""

			if [ -n "${IFCONFIG_CMD}" ]; then
				if [ -n "${IFWLIST}" ]; then
					IFWLIST=`echo ${IFWLIST}`

					display --to LOG --type INFO NETWORK_PROMISC_WLIST "${IFWLIST}"

					IFWLIST=`echo ${IFWLIST} | tr ' ' '|'`
				fi

				case "${OPERATING_SYSTEM}" in
				*BSD|DragonFly)
					if [ -z "${IFWLIST}" ]; then
						PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | ${AWK_CMD} '$1 !~ /^pflog/ && /PROMISC/ { print }'`
					else
						PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | ${AWK_CMD} '$1 !~ /^pflog/ && $1 !~ /^('${IFWLIST}'):$/ && /PROMISC/ { print }'`
					fi
					;;
				SunOS|IRIX*|AIX)
					if [ -z "${IFWLIST}" ]; then
						PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | ${AWK_CMD} '/PROMISC/ { print }'`
					else
						PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | ${AWK_CMD} '$1 !~ /^('${IFWLIST}'):$/ && /PROMISC/ { print }'`
					fi
					;;
				*)
					if [ -z "${IFWLIST}" ]; then
						PROMISCSCAN1=`${IFCONFIG_CMD} 2>&1 | ${AWK_CMD} 'BEGIN { RS="" }; /PROMISC/ { print }'`
					else
						PROMISCSCAN1=`${IFCONFIG_CMD} 2>&1 | ${AWK_CMD} 'BEGIN { RS="" }; $1 !~ /^('${IFWLIST}'):?$/ && /PROMISC/ { print }'`
					fi
					;;
				esac
			else
				display --to LOG --type INFO NETWORK_PROMISC_NO_CMD ifconfig ip

				if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ifconfig '`" ]; then
					display --to LOG --type INFO DISABLED_CMD 'ifconfig'
				else
					display --to LOG --type INFO NOT_FOUND_CMD 'ifconfig'
				fi
			fi

			if [ $LINUXOS -eq 1 ]; then
				if [ -n "${IP_CMD}" ]; then
					PROMISCSCAN2=`${IP_CMD} link | grep '^[0-9]' | grep -vE "^[0-9][0-9]*: (${IFWLIST}):" | grep 'PROMISC'`
				else
					display --to LOG --type INFO NETWORK_PROMISC_NO_CMD ip ifconfig

					if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ip '`" ]; then
						display --to LOG --type INFO DISABLED_CMD 'ip'
					else
						display --to LOG --type INFO NOT_FOUND_CMD 'ip'
					fi
				fi
			fi


			#
			# Now show the results of the interface check.
			#

			if [ -z "${PROMISCSCAN1}" -a -z "${PROMISCSCAN2}" ]; then
				display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 NETWORK_PROMISC_CHECK
			else
				display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 NETWORK_PROMISC_CHECK

				display --to LOG --type WARNING NETWORK_PROMISC_IF


				if [ -n "${PROMISCSCAN1}" ]; then
					display --to LOG --type PLAIN --log-indent 9 NETWORK_PROMISC_IF_1

					PROMISCSCAN1=`echo "${PROMISCSCAN1}" | ${AWK_CMD} '$0 !~ /^ / || /PROMISC/ { print }'`

					IFS=$IFSNL

					for IFACE in ${PROMISCSCAN1}; do
						display --to LOG --type PLAIN --log-indent 13 NAME "${IFACE}"
					done

					IFS=$RKHIFS
				fi


				if [ -n "${PROMISCSCAN2}" ]; then
					display --to LOG --type PLAIN --log-indent 9 NETWORK_PROMISC_IF_2

					PROMISCSCAN2=`echo "${PROMISCSCAN2}" | cut -d: -f2-`

					IFS=$IFSNL

					# Only indent by 12 spaces here because the output starts with a space.
					for IFACE in ${PROMISCSCAN2}; do
						display --to LOG --type PLAIN --log-indent 12 NAME "${IFACE}"
					done

					IFS=$RKHIFS
				fi
			fi
		else
			display --to SCREEN+LOG --type PLAIN --color YELLOW --result SKIPPED --screen-indent 4 NETWORK_PROMISC_CHECK
			display --to LOG --type INFO NETWORK_PROMISC_NO_IFCONF_IP

			if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ifconfig '`" ]; then
				display --to LOG --type INFO DISABLED_CMD 'ifconfig'
			else
				display --to LOG --type INFO NOT_FOUND_CMD 'ifconfig'
			fi

			if [ $LINUXOS -eq 1 ]; then
				if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ip '`" ]; then
					display --to LOG --type INFO DISABLED_CMD 'ip'
				else
					display --to LOG --type INFO NOT_FOUND_CMD 'ip'
				fi
			fi
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST promisc
	fi


	#
	# For the packet capturing check, we must first see if we
	# are able to run the test. We let the user know if the test
	# was disabled, or if the lsof command is not present.
	#

	if `check_test packet_cap_apps`; then
		display --to LOG --type INFO --nl STARTING_TEST packet_cap_apps
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST packet_cap_apps
		fi

		return
	fi

	if [ $LINUXOS -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --color YELLOW --result SKIPPED --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
		display --to LOG --type INFO TEST_SKIPPED_OS 'packet_cap_apps' '/proc/net/packet required.'
		return
	elif [ ! -f "/proc/net/packet" ]; then
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
		display --to LOG --type WARNING NETWORK_PACKET_CAP_CHECK_NO_FILE '/proc/net/packet'
		return
	elif [ -z "${LSOF_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --color YELLOW --result SKIPPED --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' lsof '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'lsof'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'lsof'
		fi

		return
	fi


	#
	# Now run the test.
	#

	FOUND=0

	WHITEPROC=""
	BLACKPROC=""

	LIBPCAPRES=`egrep -v '(^sk | 888e )' /proc/net/packet 2>/dev/null | head ${HEAD_OPT}1`

	if [ -n "${LIBPCAPRES}" ]; then
		ALLOWPROCLISTENERS=""

		#
		# We expand the whitelist option here to ensure
		# that any wildcard entries are the most recent.
		#

		if [ -n "${ALLOWPROCLIST_OPT}" ]; then
			ALLOWPROCLISTENERS=`expand_paths ALLOWPROCLIST_OPT`
		fi

		INODE_LIST=""

		for INODE in `egrep -v '(^sk | 888e )' /proc/net/packet | ${AWK_CMD} '{ print $9 }'`; do
			INODE_LIST="${INODE_LIST}|$INODE"
		done

		INODE_LIST=`echo "${INODE_LIST}" | sed -e 's/^|//'`
		test -z "${INODE_LIST}" && INODE_LIST="RKHunterPktCapture"


		for PID in `${LSOF_CMD} -lMnPw -d 1-20 2>/dev/null | egrep "[ 	](pack[ 	]+(${INODE_LIST})|sock[ 	]+[^ 	]+[ 	]+[^ 	]+[ 	]+(${INODE_LIST}))[ 	]" | ${AWK_CMD} '{ print $2 }'`; do
			NAME=""

			if [ -h "/proc/$PID/exe" -a $HAVE_READLINK -eq 1 ]; then
				NAME=`${READLINK_CMD} ${READLINK_OPT} "/proc/$PID/exe" | cut -d' ' -f1`
			elif [ -f "/proc/$PID/status" ]; then
				NAME=`grep '^Name:.' /proc/$PID/status | sed -e 's/^Name:.//'`
			fi


			test -z "${NAME}" && continue

			FNAMEGREP=`echo "${NAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

			if [ -n "`echo \"${ALLOWPROCLISTENERS}\" | grep \"^${FNAMEGREP}$\"`" ]; then
				if [ -z "`echo \"${WHITEPROC}\" | grep \"^${FNAMEGREP}$\"`" ]; then
					WHITEPROC="${WHITEPROC}
${NAME}"
				fi
			else
				FOUND=1
				BLACKPROC="${BLACKPROC}
${PID}:${NAME}"
			fi
		done
	fi


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK


		IFS=$IFSNL

		for RKHTMPVAR in ${BLACKPROC}; do
			test -z "${RKHTMPVAR}" && continue

			PID=`echo "${RKHTMPVAR}" | cut -d: -f1`
			NAME=`echo "${RKHTMPVAR}" | cut -d: -f2-`

			display --to LOG --type WARNING NETWORK_PACKET_CAP_FOUND "`name2text \"${NAME}\"`" "${PID}"
		done

		IFS=$RKHIFS
	fi


	#
	# Log any whitelisted entries.
	#

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		IFS=$IFSNL

		for NAME in ${WHITEPROC}; do
			test -z "${NAME}" && continue

			display --to LOG --type INFO NETWORK_PACKET_CAP_WL "`name2text \"${NAME}\"`"
		done
	fi

	IFS=$RKHIFS


	return
}


do_network_checks() {

	#
	# This function carries out some network checks. This consists
	# of port checks, and some interface checks.
	#

	if `check_test network`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST network
		display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_NETWORK
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST network
		fi

		return
	fi


	do_network_port_checks
	do_network_hidden_port_checks

	do_network_interface_checks

	return
}


do_system_startup_file_checks() {

	#
	# This function carries out checks on the system startup files.
	#

	if `check_test startup_files`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST startup_files
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 STARTUP_FILES_START
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST startup_files
		fi

		return
	fi

	#
	# First we check that the local host name has been set.
	#

	if [ -n "${HOST_NAME}" ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result FOUND --log-indent 2 --screen-indent 4 STARTUP_HOSTNAME
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 STARTUP_HOSTNAME
		display --to LOG --type WARNING STARTUP_NO_HOSTNAME
	fi


	#
	# Check that the startup file malware checks are to be done.
	#

	if `check_test startup_malware`; then
		display --to LOG --type INFO --nl STARTING_TEST startup_malware
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST startup_malware
		fi

		return
	fi

	#
	# First check to see that we can run the test.
	#

	if [ "${STARTUP_PATHS}" = "NONE" ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result SKIPPED --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_EXIST
		display --to LOG --type INFO STARTUP_NONE_GIVEN
		return
	fi


	#
	# Now get and check that the system startup files are okay.
	#

	get_rc_paths

	if [ -n "${RC_PATHS}" ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result FOUND --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_EXIST
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_EXIST
		display --to LOG --type WARNING STARTUP_CHECK_NO_RC_FILES
		return
	fi


	#
	# Next we check all the startup files for any suspicious
	# strings in them.
	#

	FOUND=0
	FOUNDSTRINGS=""

	#
	# Since we are going to be checking a lot of files
	# for strings that are static, we may as well do
	# some pre-processing of the string, and then we
	# only need to spend time if a string is found.
	#

	RCSTRINGS=""

	ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

	IFS=$IFSNL

	for RKHTMPVAR in ${RCLOCAL_STRINGS}; do
		RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ 	]*//'`

		STRING=`echo ${RKHTMPVAR} | cut -d: -f1 | sed -e 's/\./\\\./g'`
		INFO=`echo ${RKHTMPVAR} | cut -d: -f2`

		RCSTRINGS="${RCSTRINGS}
${STRING}:${INFO}"
	done

	IFS=$RKHIFS

	RCSTRINGS=`echo "${RCSTRINGS}" | sed -e '/^$/d'`


	for FNAME in ${RC_PATHS}; do
		IFS=$IFSNL

		FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

		for STR in ${RCSTRINGS}; do
			STRING=`echo ${STR} | cut -d: -f1`

			RKHTMPVAR=`grep "${STRING}" "${FNAME}"`

			if [ -n "${RKHTMPVAR}" ]; then
				test -z "`echo \"${RKHTMPVAR}\" | egrep -v '^[ 	]*#'`" && continue

				if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:${STRING}$\"`" ]; then
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						STRING=`echo ${STRING} | sed -e 's/\\\//g'`
						display --to LOG --type INFO FILE_PROP_WL_STR "`name2text \"${FNAME}\"`" "${STRING}" 'startup_malware'
					fi
				elif [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" -a -z "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:$\"`" ]; then
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'startup_malware'
					fi
				else
					FOUND=1

					STRING=`echo ${STRING} | sed -e 's/\\\//g'`
					INFO=`echo ${STR} | cut -d: -f2`

					FOUNDSTRINGS="${FOUNDSTRINGS}
${FNAME}:${STRING}:${INFO}"
				fi
			fi
		done

		IFS=$RKHIFS
	done


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_MALWARE
	else
		ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`

		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_MALWARE

		IFS=$IFSNL

		FOUNDSTRINGS=`echo "${FOUNDSTRINGS}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${FOUNDSTRINGS}; do
			FNAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
			STRING=`echo "${RKHTMPVAR}" | cut -d: -f2`
			INFO=`echo "${RKHTMPVAR}" | cut -d: -f3`

			display --to LOG --type WARNING ROOTKIT_POSS_STRINGS_FOUND "${STRING}" "`name2text \"${FNAME}\"`" "${INFO}"
		done

		IFS=$RKHIFS
	fi

	return
}


pwdgrp_changes() {

	#
	# This function checks the changes made to the passwd and group files.
	#

	FNAME=$1
	LINES=$2

	SEEN_IDS=""

	IFS=$IFSNL

	for LINE in ${LINES}; do
		#
		# First we need to check if we have already dealt with
		# this id. If we have, then just get the next line.
		#

		PWDGRPID=`echo "${LINE}" | cut -d: -f1 | cut -c3-`
		IDGREP=`echo "${PWDGRPID}" | sed -e 's/\./\\\./g'`

		RKHTMPVAR=`echo "${SEEN_IDS}" | grep " ${IDGREP} "`

		test -n "${RKHTMPVAR}" && continue


		#
		# This id hasn't been seen before, so we record it.
		#

		SEEN_IDS="${SEEN_IDS} ${PWDGRPID} "

		#
		# Next we see if the id has just been added or removed.
		# To do this we simply see if it appears more than once.
		#

		RKHTMPVAR=`echo "${LINES}" | grep "^> ${IDGREP}:"`
		RKHTMPVAR2=`echo "${LINES}" | grep "^< ${IDGREP}:"`

		if [ \( -n "${RKHTMPVAR}" -a -z "${RKHTMPVAR2}" \) -o \( -z "${RKHTMPVAR}" -a -n "${RKHTMPVAR2}" \) ]; then
			if [ -n "${RKHTMPVAR}" ]; then
				if [ "${FNAME}" = "passwd" ]; then
					display --to LOG --type WARNING --log-indent 4 PWD_CHANGES_IDREM "${PWDGRPID}"
				else
					display --to LOG --type WARNING --log-indent 4 GROUP_CHANGES_IDREM "${PWDGRPID}"
				fi
			else
				if [ "${FNAME}" = "passwd" ]; then
					display --to LOG --type WARNING --log-indent 4 PWD_CHANGES_IDADD "${PWDGRPID}"
				else
					display --to LOG --type WARNING --log-indent 4 GROUP_CHANGES_IDADD "${PWDGRPID}"
				fi
			fi

			continue
		fi


		#
		# The id has changed in some way. We now need to
		# go through the fields and see what has changed.
		#

		FIELD_IDX=1

		OLD_LINE=`echo "${RKHTMPVAR}" | cut -d: -f2-`
		NEW_LINE=`echo "${RKHTMPVAR2}" | cut -d: -f2-`

		STR=${OLD_LINE}

		if [ "${FNAME}" = "passwd" ]; then
			display --to LOG --type WARNING PWD_CHANGES_FOUND "${PWDGRPID}"
		else
			display --to LOG --type WARNING GROUP_CHANGES_FOUND "${PWDGRPID}"
		fi

		while test -n "${STR}"; do
			OLD_FIELD=`echo "${OLD_LINE}" | cut -d: -f$FIELD_IDX`
			NEW_FIELD=`echo "${NEW_LINE}" | cut -d: -f$FIELD_IDX`

			if [ "${OLD_FIELD}" != "${NEW_FIELD}" ]; then
				if [ "${FNAME}" = "passwd" ]; then
					case $FIELD_IDX in
					1)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_PWD "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					2)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_UID "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					3)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_GID "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					4)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_COMM "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					5)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_HOME "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					6)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_SHL "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					*)
						display --to LOG --type PLAIN --log-indent 9 PWDGRP_CHANGES_UNK "${FNAME}" "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					esac
				else
					case $FIELD_IDX in
					1)
						display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_PWD "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					2)
						display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_GID "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					3)
						OLD_GRPUSRS=" `echo ${OLD_FIELD} | tr ',' ' '` "
						NEW_GRPUSRS=" `echo ${NEW_FIELD} | tr ',' ' '` "

						IFS=$RKHIFS

						for GRPUSR in ${OLD_GRPUSRS} ${NEW_GRPUSRS}; do
							RKHTMPVAR=`echo ${GRPUSR} | sed -e 's/\./\\\./g'`
							RKHTMPVAR2=`echo "${OLD_GRPUSRS}" | grep " ${RKHTMPVAR} "`
							RKHTMPVAR3=`echo "${NEW_GRPUSRS}" | grep " ${RKHTMPVAR} "`

							if [ -n "${RKHTMPVAR2}" -a -z "${RKHTMPVAR3}" ]; then
								display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_GRPREM "${GRPUSR}"
							elif [ -z "${RKHTMPVAR2}" -a -n "${RKHTMPVAR3}" ]; then
								display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_GRPADD "${GRPUSR}"
							fi
						done

						IFS=$IFSNL
						;;
					*)
						display --to LOG --type PLAIN --log-indent 9 PWDGRP_CHANGES_UNK "${FNAME}" "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					esac
				fi
			fi

			FIELD_IDX=`expr $FIELD_IDX + 1`

			RKHTMPVAR=`echo "${STR}" | cut -d: -f2-`

			#
			# For the group file the last field may be
			# empty, so we need to cater for this.
			#

			if [ -z "${RKHTMPVAR}" ]; then
				if [ \( "${FNAME}" = "passwd" -a $FIELD_IDX -eq 6 \) -o \( "${FNAME}" = "group" -a $FIELD_IDX -eq 3 \) ]; then
						STR=""
						RKHTMPVAR="x"
				fi
			fi

			test "${RKHTMPVAR}" = "${STR}" && STR="" || STR=${RKHTMPVAR}
		done
	done

	IFS=$RKHIFS

	return
}


do_group_accounts_check() {

	#
	# This function carries out checks on the /etc/passwd and
	# /etc/group files.
	#

	if `check_test group_accounts`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST group_accounts
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ACCOUNTS_START
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST group_accounts
		fi

		return
	fi

	#
	# First check that /etc/passwd exists.
	#

	if [ -s "/etc/passwd" ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result FOUND --log-indent 2 --screen-indent 4 ACCOUNTS_PWD_FILE_CHECK

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO ACCOUNTS_FOUND_PWD_FILE '/etc/passwd'
		fi
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 ACCOUNTS_PWD_FILE_CHECK
		display --to LOG --type WARNING ACCOUNTS_NO_PWD_FILE '/etc/passwd'
	fi


	#
	# Next, check for root equivalent accounts. These will have
	# a UID of zero.
	#

	if [ -s "/etc/passwd" ]; then
		UID_LIST=""
		RKHTMPVAR2=""

		if [ $MACOSX -eq 1 ]; then
			DSCL_CMD=`find_cmd dscl`

			if [ -n "${DSCL_CMD}" ]; then
				display --to LOG --type INFO FOUND_CMD 'dscl' "${DSCL_CMD}"

				RKHTMPVAR2=`${DSCL_CMD} . search /Users uid 0 | egrep '^[^ 	)]' | cut -d'	' -f1`
			else
				display --to LOG --type INFO NOT_FOUND_CMD 'dscl'
			fi
		fi


		IFS=$IFSNL

		for RKHTMPVAR in `grep '^[^:]*:[^:]*:0:' /etc/passwd | cut -d: -f1` ${RKHTMPVAR2}; do
			test -z "${RKHTMPVAR}" && continue
			test "${RKHTMPVAR}" = "root" && continue

			RKHUSERID=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`

			#
			# We will ignore any whitelisted UID 0 accounts.
			#

			if [ -z "`echo \"${UID0_WHITELIST}\" | grep \" ${RKHUSERID} \"`" ]; then
				UID_LIST="${UID_LIST}
${RKHTMPVAR}"
			else
				display --to LOG --type INFO ACCOUNTS_UID0_WL "${RKHTMPVAR}"
			fi
		done

		IFS=$RKHIFS


		#
		# Now display the results.
		#

		if [ -z "${UID_LIST}" ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ACCOUNTS_UID0
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ACCOUNTS_UID0

			IFS=$IFSNL

			for RKHTMPVAR in ${UID_LIST}; do
				test -z "${RKHTMPVAR}" && continue
				display --to LOG --type WARNING ACCOUNTS_UID0_FOUND "${RKHTMPVAR}"
			done

			IFS=$RKHIFS
		fi
	else
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ACCOUNTS_UID0
		display --to LOG --type INFO ACCOUNTS_NO_PWD_FILE '/etc/passwd'
	fi


	#
	# Now check for any passwordless accounts. We do this in two steps.
	# The first is to check the shadow file, and for TCB shadow files we
	# have to loop through all the shadow files in the /etc/tcb directory.
	# Then we check the /etc/passwd file for any passwordless accounts.
	# Finally we display the overall result. We ignore any whitelisted
	# passwordless accounts.
	#

	WL_SEEN=""
	PWD_PWDLESS_LIST=""
	SHAD_PWDLESS_LIST=""


	#
	# Check for passwordless accounts in the shadow file(s).
	#

	if [ -n "${SHADOW_FILE}" -o $HAVE_TCB_SHADOW -eq 1 ]; then
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			if [ -n "${SHADOW_FILE}" ]; then
				display --to LOG --type INFO ACCOUNTS_SHADOW_FILE "${SHADOW_FILE}"
			else
				display --to LOG --type INFO ACCOUNTS_SHADOW_TCB '/etc/tcb'
			fi
		fi

		#
		# We have do a bit of a kludge here. We need a loop in order to
		# cater for TCB shadow files in /etc/tcb. But at the same time
		# we only want to execute the loop once for non-TCB systems. To
		# do this we loop through either /etc or /etc/tcb. However, for
		# /etc we only execute the loop once because the grep statement
		# will have the exact shadow filename in SHADOW_FILE. For TCB
		# systems, SHADOW_FILE is set for each individual shadow file as
		# it pass round the loop.
		#

		if [ $HAVE_TCB_SHADOW -eq 1 ]; then
			RKHTMPVAR2="/etc/tcb"
		else
			RKHTMPVAR2="/etc"
		fi

		IFS=$IFSNL

		for DIR in ${RKHTMPVAR2}/*; do
			if [ $HAVE_TCB_SHADOW -eq 1 ]; then
				if [ -f "${DIR}/shadow" ]; then
					SHADOW_FILE="${DIR}/shadow"
				else
					continue
				fi
			fi

			for RKHTMPVAR in `grep '^[^:]*::' "${SHADOW_FILE}" | cut -d: -f1`; do
				# Ignore any NIS/YP entries
				test "${RKHTMPVAR}" = "+" && continue

				RKHUSERID=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`

				if [ -z "`echo \"${PWD_WHITELIST}\" | grep \" ${RKHUSERID} \"`" ]; then
					SHAD_PWDLESS_LIST="${SHAD_PWDLESS_LIST}
${RKHTMPVAR}"
					test $HAVE_TCB_SHADOW -eq 1 && SHAD_PWDLESS_LIST="${SHAD_PWDLESS_LIST} (${SHADOW_FILE})"
				else
					WL_SEEN="${WL_SEEN} ${RKHTMPVAR} "

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO ACCOUNTS_PWDLESS_WL "${RKHTMPVAR}"
					fi
				fi
			done

			test $HAVE_TCB_SHADOW -eq 0 && break
		done

		IFS=$RKHIFS
	else
		#
		# No shadow file found.
		#

		SHAD_PWDLESS_LIST="RKH:No shadow file"
	fi


	#
	# Check for passwordless accounts in /etc/passwd.
	#

	if [ -s "/etc/passwd" ]; then
		IFS=$IFSNL

		for RKHTMPVAR in `grep '^[^:]*::' /etc/passwd | cut -d: -f1`; do
			# Ignore any NIS/YP entries
			test "${RKHTMPVAR}" = "+" && continue

			RKHUSERID=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`

			if [ -z "`echo \"${PWD_WHITELIST}\" | grep \" ${RKHUSERID} \"`" ]; then
				PWD_PWDLESS_LIST="${PWD_PWDLESS_LIST}
${RKHTMPVAR}"
			elif [ -z "`echo \"${WL_SEEN}\" | grep \" ${RKHUSERID} \"`" ]; then
				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO ACCOUNTS_PWDLESS_WL "${RKHTMPVAR}"
				fi
			fi
		done

		IFS=$RKHIFS
	fi


	#
	# Now display the results.
	#

	if [ -z "${SHAD_PWDLESS_LIST}" -a -z "${PWD_PWDLESS_LIST}" ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 ACCOUNTS_PWDLESS
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 ACCOUNTS_PWDLESS

		#
		# Log the shadow file results.
		#

		if [ "${SHAD_PWDLESS_LIST}" = "RKH:No shadow file" ]; then
			display --to LOG --type WARNING ACCOUNTS_NO_SHADOW_FILE
		else
			IFS=$IFSNL

			for RKHTMPVAR in ${SHAD_PWDLESS_LIST}; do
				test -z "${RKHTMPVAR}" && continue
				display --to LOG --type WARNING ACCOUNTS_PWDLESS_FOUND 'shadow' "${RKHTMPVAR}"
			done
		fi

		#
		# Log the passwd file results.
		#

		IFS=$IFSNL

		for RKHTMPVAR in ${PWD_PWDLESS_LIST}; do
			test -z "${RKHTMPVAR}" && continue
			display --to LOG --type WARNING ACCOUNTS_PWDLESS_FOUND 'passwd' "${RKHTMPVAR}"
		done

		IFS=$RKHIFS
	fi


	#
	# Now we check for any changes that have occurred to the passwd
	# file since rkhunter was last run.
	#

	DIFF_CMD=`find_cmd diff`

	if `check_test passwd_changes`; then
		RKHTMPVAR=0
		display --to LOG --type INFO --nl STARTING_TEST passwd_changes
	else
		RKHTMPVAR=1
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST passwd_changes
		fi
	fi

	if [ $RKHTMPVAR -eq 1 ]; then
		:
	elif [ ! -f "/etc/passwd" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 PASSWD_CHANGES
		display --to LOG --type INFO ACCOUNTS_NO_PWD_FILE '/etc/passwd'
	elif [ -z "${DIFF_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 PASSWD_CHANGES

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' diff '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'diff'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'diff'
		fi

		cp -f -p /etc/passwd "${RKHTMPDIR}/passwd"
	elif [ ! -f "${RKHTMPDIR}/passwd" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 PASSWD_CHANGES
		display --to LOG --type WARNING PASSWD_CHANGES_NO_TMP

		cp -f -p /etc/passwd "${RKHTMPDIR}/passwd"
	else
		DIFFS=`${DIFF_CMD} /etc/passwd "${RKHTMPDIR}/passwd" 2>/dev/null | grep '^[<>]'`

		if [ -z "${DIFFS}" ]; then
			display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 PASSWD_CHANGES
		else
			display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 PASSWD_CHANGES

			pwdgrp_changes "passwd" "${DIFFS}"

			#
			# Finally, move the current copy of the passwd file out
			# of the way, and take a new copy of the passwd file.
			# This allows the user to look back to see what the
			# last changes were, even if RKH is run again.
			#

			mv -f "${RKHTMPDIR}/passwd" "${RKHTMPDIR}/passwd.old" >/dev/null 2>&1
			cp -f -p /etc/passwd "${RKHTMPDIR}/passwd"
		fi
	fi

	test -f "${RKHTMPDIR}/passwd" && chmod 600 "${RKHTMPDIR}/passwd"


	#
	# Next check for any changes that have occurred to the group
	# file since rkhunter was last run.
	#

	if `check_test group_changes`; then
		RKHTMPVAR=0
		display --to LOG --type INFO --nl STARTING_TEST group_changes
	else
		RKHTMPVAR=1
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST group_changes
		fi
	fi

	if [ $RKHTMPVAR -eq 1 ]; then
		:
	elif [ ! -f "/etc/group" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 GROUP_CHANGES
		display --to LOG --type WARNING GROUP_CHANGES_NO_FILE '/etc/group'
	elif [ -z "${DIFF_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 GROUP_CHANGES

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' diff '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'diff'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'diff'
		fi

		cp -f -p /etc/group "${RKHTMPDIR}/group"
	elif [ ! -f "${RKHTMPDIR}/group" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 GROUP_CHANGES
		display --to LOG --type WARNING GROUP_CHANGES_NO_TMP

		cp -f -p /etc/group "${RKHTMPDIR}/group"
	else
		DIFFS=`${DIFF_CMD} /etc/group "${RKHTMPDIR}/group" 2>/dev/null | grep '^[<>]'`

		if [ -z "${DIFFS}" ]; then
			display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 GROUP_CHANGES
		else
			display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 GROUP_CHANGES

			pwdgrp_changes "group" "${DIFFS}"

			#
			# Finally, move the current copy of the group file out
			# of the way, and take a new copy of the group file.
			# This allows the user to look back to see what the
			# last changes were, even if RKH is run again.
			#

			mv -f "${RKHTMPDIR}/group" "${RKHTMPDIR}/group.old" >/dev/null 2>&1
			cp -f -p /etc/group "${RKHTMPDIR}/group"
		fi
	fi

	test -f "${RKHTMPDIR}/group" && chmod 600 "${RKHTMPDIR}/group"


	#
	# Finally we do a check on the root account shell history files.
	# We check for bash, Korn, C-shell and zsh history files.
	#

	FOUND=0
	FOUNDFILES=""

	if [ -f "/root/.bash_history" ]; then
		FOUND=1

		if [ -h "/root/.bash_history" ]; then
			FOUNDFILES="${FOUNDFILES} bash:/root/.bash_history"
		fi
	fi

	if [ -f "/root/.sh_history" ]; then
		FOUND=1

		if [ -h "/root/.sh_history" ]; then
			FOUNDFILES="${FOUNDFILES} Korn:/root/.sh_history"
		fi
	fi

	if [ -f "/root/.history" ]; then
		FOUND=1

		if [ -h "/root/.history" ]; then
			FOUNDFILES="${FOUNDFILES} C-shell:/root/.history"
		fi
	fi

	if [ -f "/root/.zhistory" ]; then
		FOUND=1

		if [ -h "/root/.zhistory" ]; then
			FOUNDFILES="${FOUNDFILES} zsh:/root/.zhistory"
		fi
	fi


	#
	# Now display the results.
	#

	if [ -z "${FOUNDFILES}" ]; then
		test $FOUND -eq 1 && RKHTMPVAR="OK" || RKHTMPVAR="NONE_FOUND"

		display --to SCREEN+LOG --type PLAIN --color GREEN --result ${RKHTMPVAR} --log-indent 2 --screen-indent 4 HISTORY_CHECK
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 HISTORY_CHECK

		for RKHTMPVAR in ${FOUNDFILES}; do
			SHELLNAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
			FILENAME=`echo "${RKHTMPVAR}" | cut -d: -f2`

			display --to LOG --type WARNING HISTORY_CHECK_FOUND "`name2text \"${SHELLNAME}\"`" "`name2text \"${FILENAME}\"`"
		done
	fi

	return
}


do_system_config_files_check() {

	#
	# This function carries out checks on some of the system
	# software configurations. At present this checks the SSH
	# and system logging configurations.
	#

	if `check_test system_configs`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST system_configs
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 SYSTEM_CONFIGS_START
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST system_configs
		fi

		return
	fi


	if `check_test system_configs_ssh`; then
		display --to LOG --type INFO --nl STARTING_TEST system_configs_ssh

		#
		# First find out where the SSH configuration file is located.
		#

		SSH_CONFIG_FILE=""

		if [ -n "${SSH_CONFIG_DIR}" ]; then
			RKHTMPVAR="${SSH_CONFIG_DIR}"
		else
			RKHTMPVAR="/etc /etc/ssh /usr/local/etc /usr/local/etc/ssh"
		fi

		for DIR in ${RKHTMPVAR}; do
			if [ -f "${DIR}/sshd_config" ]; then
				SSH_CONFIG_FILE="${DIR}/sshd_config"
				break
			fi
		done

		if [ -n "${SSH_CONFIG_FILE}" ]; then
			display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE_SSH

			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type INFO SYSTEM_CONFIGS_FILE_FOUND 'an' 'SSH' "${SSH_CONFIG_FILE}"

				display --to LOG --type INFO CONFIG_SSH_ROOT "${ALLOW_SSH_ROOT_USER}"
				display --to LOG --type INFO CONFIG_SSH_PROTV1 $ALLOW_SSH_PROT_V1
			fi


			#
			# Now we check some of the configuration options.
			#
			# First we check for allowed root access.
			#

			RKHTMPVAR=`grep -i '^[ 	]*PermitRootLogin[ 	=]' "${SSH_CONFIG_FILE}" 2>/dev/null | tail ${TAIL_OPT}1`

			if [ -n "${RKHTMPVAR}" ]; then
				#
				# Get the value that has been set.
				#

				RKHTMPVAR2=`echo ${RKHTMPVAR} | sed -e 's/^[^ 	=]*[ 	]*=*[ 	]*\([^ 	#]*\).*$/\1/' | tr '[:upper:]' '[:lower:]'`

				if [ "${RKHTMPVAR2}" = "${ALLOW_SSH_ROOT_USER}" ]; then
					test "${RKHTMPVAR2}" = "no" && RKHTMPVAR="NOT_ALLOWED" || RKHTMPVAR="ALLOWED"
					display --to SCREEN+LOG --type PLAIN --result ${RKHTMPVAR} --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT
				else
					display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT

					display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_ROOT_FOUND
					display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_ROOT_FOUND1 "${RKHTMPVAR2}"
					display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_ROOT_FOUND2 "${ALLOW_SSH_ROOT_USER}"
				fi
			elif [ "${ALLOW_SSH_ROOT_USER}" = "unset" ]; then
				display --to SCREEN+LOG --type PLAIN --result UNSET --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT
				display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND
			fi


			#
			# Next we check to see if protocol version 1 is allowed.
			#

			RKHTMPVAR=`grep -i '^[ 	]*Protocol[ 	=]' "${SSH_CONFIG_FILE}" 2>/dev/null | tail ${TAIL_OPT}1`

			if [ -n "${RKHTMPVAR}" ]; then
				#
				# See if the set protocol versions includes '1'.
				#

				RKHTMPVAR2=`echo ${RKHTMPVAR} | sed -e 's/^[^ 	=]*[ 	]*=*[ 	]*\([^ 	#]*\).*$/\1/'`
				RKHTMPVAR3=`echo "${RKHTMPVAR2}" | grep '1'`

				if [ -z "${RKHTMPVAR3}" -a $ALLOW_SSH_PROT_V1 -eq 0 ]; then
					display --to SCREEN+LOG --type PLAIN --result NOT_ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
				elif [ -n "${RKHTMPVAR3}" -a \( $ALLOW_SSH_PROT_V1 -eq 1 -o $ALLOW_SSH_PROT_V1 -eq 2 \) ]; then
					display --to SCREEN+LOG --type PLAIN --result ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
				else
					display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO

					display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_ROOT_FOUND
					display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_PROTO_DIFF1 "${RKHTMPVAR2}"
					display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_PROTO_DIFF2 "${ALLOW_SSH_PROT_V1}"
				fi
			elif [ $ALLOW_SSH_PROT_V1 -eq 2 ]; then
				display --to SCREEN+LOG --type PLAIN --result UNSET --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
				display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND
			fi


			#
			# Finally we check for any other known suspicious configuration settings.
			#

			FOUND=0
			FOUNDNAMES=""

			#
			# First check for the Ebury backdoor.
			#

			RKHTMPVAR=`grep -i '^[ 	]*AuthorizedKeysFile[ 	=]' "${SSH_CONFIG_FILE}" 2>/dev/null | tail ${TAIL_OPT}1`

			if [ -n "${RKHTMPVAR}" ]; then
				RKHTMPVAR2=`echo ${RKHTMPVAR} | sed -e 's/^[^ 	=]*[ 	]*=*[ 	]*\([^ 	#]*\).*$/\1/'`

				if [ "${RKHTMPVAR2}" = "/proc/self/environ" ]; then
					FOUND=1
					FOUNDNAMES="${FOUNDNAMES} ebury"
				fi
			fi

			#
			# Now display the results.
			#

			if [ $FOUND -eq 0 ]; then
				display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_EXTRA
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_EXTRA

				for RKHTMPVAR in ${FOUNDNAMES}; do
					case "${RKHTMPVAR}" in
					ebury)
						display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_EBURY
						;;
					esac
				done
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE_SSH
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST system_configs_ssh
	fi


	if `check_test system_configs_syslog`; then
		display --to LOG --type INFO --nl STARTING_TEST system_configs_syslog

		#
		# Next we find out if a system logging daemon is running.
		#

		TITLE_SHOWN=0
		SYSLOG_SEEN=0; SYSTEMD_SEEN=0
		METALOG_SEEN=0; SOCKLOG_SEEN=0

		if [ -n "${PS_CMD}" ]; then
			PS_ARGS="ax"

			test $SUNOS -eq 1 -o $IRIXOS -eq 1 && PS_ARGS="-ef"

			RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep '(syslogd|syslog-ng)( |$)' | grep -v 'egrep'`

			if [ -n "${RKHTMPVAR}" ]; then
				SYSLOG_SEEN=1

				test $TITLE_SHOWN -eq 0 && display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					if [ -n "`echo \"${RKHTMPVAR}\" | grep 'rsyslog'`" ]; then
						display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'rsyslog'
					elif [ -n "`echo \"${RKHTMPVAR}\" | grep 'syslog-ng'`" ]; then
						display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'syslog-ng'
					else
						display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'syslog'
					fi
				fi

				TITLE_SHOWN=1
			fi

			RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep 'systemd-journald( |$)' | grep -v 'egrep'`

			if [ -n "${RKHTMPVAR}" ]; then
				SYSTEMD_SEEN=1

				if [ $TITLE_SHOWN -eq 0 ]; then
					display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
				fi

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'systemd-journald'
				fi

				TITLE_SHOWN=1
			fi

			RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep 'metalog( |$)' | grep -v 'egrep'`

			if [ -n "${RKHTMPVAR}" ]; then
				METALOG_SEEN=1

				if [ $TITLE_SHOWN -eq 0 ]; then
					display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
				fi

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'metalog'
				fi

				TITLE_SHOWN=1
			fi

			RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep 'socklog( |$)' | grep -v 'egrep'`

			if [ -n "${RKHTMPVAR}" ]; then
				SOCKLOG_SEEN=1

				if [ $TITLE_SHOWN -eq 0 ]; then
					display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
				fi

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'socklog'
				fi

				TITLE_SHOWN=1
			fi

			if [ $TITLE_SHOWN -eq 0 ]; then
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
				display --to LOG --type WARNING SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG

			if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ps '`" ]; then
				display --to LOG --type INFO DISABLED_CMD 'ps'
			else
				display --to LOG --type INFO NOT_FOUND_CMD 'ps'
			fi
		fi


		#
		# Now loop through the system logging configuration files.
		#

		if [ -z "${SYSLOG_CONFIG_FILE}" ]; then
			SYSLOG_CONFIG_FILE="/etc/syslog.conf /etc/rsyslog.conf /etc/syslog-ng/syslog-ng.conf /etc/systemd/journald.conf /etc/systemd/systemd-journald.conf"
		fi

		if [ "${SYSLOG_CONFIG_FILE}" = "NONE" ]; then
			display --to SCREEN+LOG --type PLAIN --result WHITELISTED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE
		else
			FILEFOUND=""
			REM_LOGGING_FOUND=0

			if [ $ALLOW_SYSLOG_REMOTE_LOGGING -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type INFO SYSTEM_CONFIGS_SYSLOG_REMOTE_ALLOWED
			fi

			for FNAME in ${SYSLOG_CONFIG_FILE}; do
				test ! -f "${FNAME}" && continue

				# First, log where the configuration file is located.

				RKHTMPVAR="a"

				if [ -n "`echo \"${FNAME}\" | grep '/rsyslog\.conf$'`" ]; then
					FTYPE="rsyslog"
					RKHTMPVAR="an"
				elif [ -n "`echo \"${FNAME}\" | grep '/syslog-ng\.conf$'`" ]; then
					FTYPE="syslog-ng"
				elif [ -n "`echo \"${FNAME}\" | egrep '/(systemd-)?journald\.conf$'`" ]; then
					FTYPE="systemd"
				else
					FTYPE="syslog"
				fi

				FILEFOUND="${FILEFOUND} ${FTYPE} "

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO SYSTEM_CONFIGS_FILE_FOUND "${RKHTMPVAR}" "${FTYPE}" "`name2text \"${FNAME}\"`"
				fi


				# Next see if the configuration file allows remote logging.

				if [ "${FTYPE}" != "systemd" ]; then
					RKHTMPVAR=""

					if [ -n "`echo \"${FNAME}\" | egrep '/r?syslog\.conf$'`" ]; then
						RKHTMPVAR=`egrep -i '^[^#].*[ 	](@|:omrelp:).' "${FNAME}" | egrep -i -v '(@|:omrelp:)127\.'`
					else
						#
						# For syslog-ng we must look for a destination
						# block which uses TCP or UDP.
						#

						RKHTMPVAR=`${AWK_CMD} '/^[ 	]*destination( |	|$)/, /}/ { print $0 }' "${FNAME}" | egrep -i '( |	|\{|^)(tcp|udp)6?( |	|\(|$)' | egrep -v -i '(tcp|udp)6?[ 	]*\([ 	]*("[ 	]*)?127\.'`
					fi

					if [ -n "${RKHTMPVAR}" ]; then
						REM_LOGGING_FOUND=1
						display --to LOG --type INFO SYSTEM_CONFIGS_SYSLOG_REMOTE_LOG "${FTYPE}" "${RKHTMPVAR}"
					fi
				fi
			done


			#
			# Now display the results. We need to rank these so
			# that the warnings are shown before anything else.
			#

			if [ $SYSLOG_SEEN -eq 1 -a -z "`echo \"${FILEFOUND}\" | egrep ' (syslog|rsyslog|syslog-ng) '`" ]; then
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE
				display --to LOG --type WARNING SYSTEM_CONFIGS_SYSLOG_NO_FILE 'syslog'
			elif [ $SYSTEMD_SEEN -eq 1 -a -z "`echo \"${FILEFOUND}\" | grep ' systemd '`" ]; then
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE
				display --to LOG --type WARNING SYSTEM_CONFIGS_SYSLOG_NO_FILE 'systemd-journald'
			elif [ -n "${FILEFOUND}" ]; then
				display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE
			else
				display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE
			fi

			#
			# We only display the remote logging result if a configuration file was found.
			#

			if [ -n "`echo \"${FILEFOUND}\" | egrep ' (syslog|rsyslog|syslog-ng) '`" ]; then
				if [ $ALLOW_SYSLOG_REMOTE_LOGGING -eq 1 ]; then
					display --to SCREEN+LOG --type PLAIN --result ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_REMOTE
				elif [ $REM_LOGGING_FOUND -eq 0 ]; then
					display --to SCREEN+LOG --type PLAIN --result NOT_ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_REMOTE
				else
					display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_REMOTE
				fi
			fi
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST system_configs_syslog
	fi


	return
}


do_dev_whitelist_check() {

	#
	# The check of /dev files has two methods. One uses a simple
	# top-level file check, the other is more thorough and does a
	# complete 'find' on the /dev directory. However, the check on
	# whether the given file is whitelisted is the same for both
	# methods. As such, it makes sense to use a function rather than
	# repeating the code for each method.
	#


	FTYPE=`${FILE_CMD} "${RKHTMPVAR}" 2>&1 | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`

	if [ $MACOSX -eq 1 -a -n "`echo \"${FTYPE}\" | grep 'universal binary'`" ]; then
		FTYPE=`echo "${FTYPE}" | tail ${TAIL_OPT}1`
	fi

	if [ -z "`echo \"${FTYPE}\" | egrep -v '(character special|block special|socket|fifo \(named pipe\)|symbolic link to|empty|directory|/MAKEDEV:)'`" ]; then
		return
	fi

	#
	# Not sure why but '?' doesn't seem to need to be escaped. Neither do parentheses or braces.
	# Also, cannot get the '[]' characters to work in the bracket expression. So these are handled individually.
	#

	FNAMEGREP=`echo "${RKHTMPVAR}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

	if [ -n "`echo \"${ALLOWDEVFILES}\" | grep \"^${FNAMEGREP}$\"`" ]; then
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO FILESYSTEM_DEV_FILE_WL "`name2text \"${RKHTMPVAR}\"`"
		fi
	else
		FOUNDFILES="${FOUNDFILES}
${RKHTMPVAR}: ${FTYPE}"
	fi

	return
}


do_filesystem_check() {

	#
	# This function carries out various checks on the local filesystem.
	#

	if `check_test filesystem`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST filesystem
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 FILESYSTEM_START
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST filesystem
		fi

		return
	fi


	if [ ! -d "/dev" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK
		display --to LOG --type WARNING FILESYSTEM_DEV_CHECK_NO_DEV
	elif [ -z "${FILE_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' file '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'file'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'file'
		fi
	elif [ "${SCAN_MODE_DEV}" = "THOROUGH" -a -z "${FIND_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' find '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'find'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'find'
		fi
	else
		#
		# Now we can run the check on /dev.
		#

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO CONFIG_SCAN_MODE_DEV "${SCAN_MODE_DEV}"
		fi


		#
		# First we expand the whitelist option to ensure
		# that any wildcard entries are the most recent.
		#

		if [ -n "${ALLOWDEVFILE_OPT}" ]; then
			ALLOWDEVFILES=`expand_paths ALLOWDEVFILE_OPT`
		fi

		#
		# Note: We do not look for hidden files here - that is,
		# those beginning with a dot. Any hidden files will be
		# picked up in the next check.
		# Note2: Filenames can contain a colon (:), so we need to
		# be careful in separating the filename from the file type.
		# Note3: We have to cater for *BSD systems which may have
		# fdesc/fdescfs mounted. If it is, then we must skip over
		# any detected file descriptors.
		#

		FDESCFS=0
		FOUNDFILES=""

		if [ $BSDOS -eq 1 ]; then
			RKHTMPVAR=`find_cmd mount`

			if [ -n "${RKHTMPVAR}" ]; then
				test -n "`${RKHTMPVAR} 2>/dev/null | egrep '^fdesc(fs)? .*(type fdesc|\(fdescfs\))'`" && FDESCFS=1
			else
				display --to LOG --type INFO NOT_FOUND_CMD 'mount'
			fi
		fi


		if [ "${SCAN_MODE_DEV}" = "LAZY" ]; then
			for RKHTMPVAR in /dev/*; do
				test -d "${RKHTMPVAR}" -o -h "${RKHTMPVAR}" && continue

				if [ $FDESCFS -eq 1 ]; then
					test -n "`echo \"${RKHTMPVAR}/\" | grep '^/dev/fd/[0-9][0-9]*'`" && continue
				fi

				do_dev_whitelist_check
			done
		else
			IFS=$IFSNL

			for RKHTMPVAR in `${FIND_CMD} /dev ! -type d -a ! -type l 2>/dev/null`; do
				if [ $FDESCFS -eq 1 ]; then
					test -n "`echo \"${RKHTMPVAR}/\" | grep '^/dev/fd/[0-9][0-9]*'`" && continue
				fi

				test -z "`echo \"${RKHTMPVAR}\" | grep '/\.[^/]*$'`" && do_dev_whitelist_check
			done

			IFS=$RKHIFS
		fi


		#
		# Now display the results.
		#

		FOUNDFILES=`echo "${FOUNDFILES}" | sed -e '/^$/d'`

		if [ -z "${FOUNDFILES}" ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK

			display --to LOG --type WARNING FILESYSTEM_DEV_FILE_FOUND '/dev'

			IFS=$IFSNL

			for RKHTMPVAR in ${FOUNDFILES}; do
				FTYPE=`echo "${RKHTMPVAR}" | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`
				FNAME=`echo "${RKHTMPVAR}" | sed -e 's/: [^:]*$//'`

				display --to LOG --type PLAIN --log-indent 9 NAME "`name2text \"${FNAME}\"`: ${FTYPE}"
			done

			IFS=$RKHIFS
		fi
	fi


	#
	# Now we check various directories for hidden files and
	# directories. We must have the 'file' command for this
	# test to run.
	#
	# First we look in two sets of directories. One set we search
	# recursively, using 'find', the other set we only search to
	# one-level. If we have no 'find' command, then all the
	# directories are only searched to one-level.
	#

	if [ -z "${FILE_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 FILESYSTEM_HIDDEN_CHECK

		if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' file '`" ]; then
			display --to LOG --type INFO DISABLED_CMD 'file'
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'file'
		fi

		return
	fi


	FOUNDDIRS=""
	FOUNDFILES=""
	LOOKINDIRS=""

	SHORTSEARCHDIRS="/usr /etc"

	LONGSEARCHDIRS="/dev /bin /usr/man /usr/share/man /usr/bin /usr/sbin /sbin"

	if [ -z "${FIND_CMD}" ]; then
		SHORTSEARCHDIRS="${SHORTSEARCHDIRS} ${LONGSEARCHDIRS}"
		LONGSEARCHDIRS=""
	fi

	for DIR in ${SHORTSEARCHDIRS}; do
		if [ -d "${DIR}" ]; then
			RKHTMPVAR=`ls -1d ${DIR}/.* 2>/dev/null | egrep -v '/\.\.?$'`
			test -n "${RKHTMPVAR}" && LOOKINDIRS="${LOOKINDIRS}
${RKHTMPVAR}"
		fi
	done

	for DIR in ${LONGSEARCHDIRS}; do
		if [ -d "${DIR}" ]; then
			RKHTMPVAR=`${FIND_CMD} "${DIR}" -name ".*" 2>/dev/null`
			test -n "${RKHTMPVAR}" && LOOKINDIRS="${LOOKINDIRS}
${RKHTMPVAR}"
		fi
	done


	#
	# We expand the whitelisting options to ensure that any
	# wildcard entries are the most recent.
	#

	if [ -n "${ALLOWHIDDENFILE_OPT}" ]; then
		ALLOWHIDDENFILES=`expand_paths ALLOWHIDDENFILE_OPT`
	fi

	if [ -n "${ALLOWHIDDENDIR_OPT}" ]; then
		ALLOWHIDDENDIRS=`expand_paths ALLOWHIDDENDIR_OPT`
	fi

	#
	# Next we look for any whitelisted files and directories. We also
	# exclude certain types of files.
	#

	IFS=$IFSNL

	for FNAME in ${LOOKINDIRS}; do
		if [ $FDESCFS -eq 1 ]; then
			test -n "`echo \"${FNAME}/\" | grep '^/dev/fd/[0-9][0-9]*'`" && continue
		fi

		FTYPE=`${FILE_CMD} "${FNAME}" 2>&1 | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`

		test -n "`echo \"${FTYPE}\" | egrep 'character special|block special|empty'`" && continue

		FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

		if [ -n "`echo \"${FTYPE}\" | grep 'directory'`" ]; then
			if [ -n "`echo \"${ALLOWHIDDENDIRS}\" | grep \"^${FNAMEGREP}$\"`" ]; then
				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO FILESYSTEM_HIDDEN_DIR_WL "`name2text \"${FNAME}\"`"
				fi
			else
				FOUNDDIRS="${FOUNDDIRS}
${FNAME}: ${FTYPE}"
			fi
		else
			if [ -n "`echo \"${ALLOWHIDDENFILES}\" | grep \"^${FNAMEGREP}$\"`" ]; then
				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO FILESYSTEM_HIDDEN_FILE_WL "`name2text \"${FNAME}\"`"
				fi
			else
				FOUNDFILES="${FOUNDFILES}
${FNAME}: ${FTYPE}"
			fi
		fi
	done

	IFS=$RKHIFS

	FOUNDDIRS=`echo "${FOUNDDIRS}" | sed -e '/^$/d'`
	FOUNDFILES=`echo "${FOUNDFILES}" | sed -e '/^$/d'`


	#
	# Now display the results.
	#

	if [ -z "${FOUNDDIRS}" -a -z "${FOUNDFILES}" ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 FILESYSTEM_HIDDEN_CHECK
	else
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_HIDDEN_CHECK

		IFS=$IFSNL

		for RKHTMPVAR in ${FOUNDDIRS}; do
			FTYPE=`echo "${RKHTMPVAR}" | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`
			FNAME=`echo "${RKHTMPVAR}" | sed -e 's/: [^:]*$//'`

			if [ "${FTYPE}" = "directory" ]; then
				display --to LOG --type WARNING FILESYSTEM_HIDDEN_DIR_FOUND "`name2text \"${FNAME}\"`"
			else
				display --to LOG --type WARNING FILESYSTEM_HIDDEN_DIR_FOUND "`name2text \"${FNAME}\"`: ${FTYPE}"
			fi
		done

		for RKHTMPVAR in ${FOUNDFILES}; do
			FTYPE=`echo "${RKHTMPVAR}" | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`
			FNAME=`echo "${RKHTMPVAR}" | sed -e 's/: [^:]*$//'`

			display --to LOG --type WARNING FILESYSTEM_HIDDEN_FILE_FOUND "`name2text \"${FNAME}\"`: ${FTYPE}"
		done

		IFS=$RKHIFS
	fi


	#
	# Next check if any configured log files are missing.
	#

	FOUNDFILES=""

	if [ -n "${LOGFILE_MISSING}" ]; then
		MISSINGFILES=""

		for FNAME in ${LOGFILE_MISSING}; do
			if [ ! -f "${FNAME}" ]; then
				MISSINGFILES="${MISSINGFILES}
${FNAME}"
			fi
		done

		#
		# Now show the results.
		#

		MISSINGFILES=`echo "${MISSINGFILES}" | sed -e '/^$/d'`

		if [ -z "${MISSINGFILES}" ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_MISSING --color GREEN --log-indent 2 --screen-indent 4 FILESYSTEM_LOGFILE_MISSING
		else
			FOUNDFILES="${MISSINGFILES}"

			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_LOGFILE_MISSING

			IFS=$IFSNL

			for FNAME in ${MISSINGFILES}; do
				display --to LOG --type WARNING FILESYSTEM_LOGFILE_MISSING_FOUND "`name2text \"${FNAME}\"`"
			done

			IFS=$RKHIFS
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type PLAIN --result SKIPPED --log-indent 2 FILESYSTEM_LOGFILE_MISSING
		display --to LOG --type INFO  FILESYSTEM_LOGFILE_MISS_DISABLED
	fi


	#
	# Next check if any configured log files are empty or missing.
	#

	if [ -n "${LOGFILE_EMPTY}" ]; then
		EMPTYFILES=""
		MISSINGFILES=""

		for FNAME in ${LOGFILE_EMPTY}; do
			if [ ! -f "${FNAME}" ]; then
				#
				# Only record a missing log file if the previous
				# missing log file test didn't check it.
				#

				if [ -z "`echo \"${FOUNDFILES}\" | grep \"^${FNAME}$\"`" ]; then
					MISSINGFILES="${MISSINGFILES}
${FNAME}"
				fi
			elif [ ! -s "${FNAME}" ]; then
				EMPTYFILES="${EMPTYFILES}
${FNAME}"
			fi
		done

		#
		# Now show the results.
		#

		EMPTYFILES=`echo "${EMPTYFILES}" | sed -e '/^$/d'`
		MISSINGFILES=`echo "${MISSINGFILES}" | sed -e '/^$/d'`

		if [ -z "${EMPTYFILES}" -a -z "${MISSINGFILES}" ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 FILESYSTEM_LOGFILE_EMPTY
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_LOGFILE_EMPTY

			IFS=$IFSNL

			for FNAME in ${EMPTYFILES}; do
				display --to LOG --type WARNING FILESYSTEM_LOGFILE_EMPTY_FOUND "`name2text \"${FNAME}\"`"
			done

			for FNAME in ${MISSINGFILES}; do
				display --to LOG --type WARNING FILESYSTEM_LOGFILE_MISSING_FOUND "`name2text \"${FNAME}\"`"
			done

			IFS=$RKHIFS
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type PLAIN --result SKIPPED --log-indent 2 FILESYSTEM_LOGFILE_EMPTY
		display --to LOG --type INFO  FILESYSTEM_LOGFILE_EMPTY_DISABLED
	fi


	return
}


do_local_host_checks() {

	#
	# This function carries out a sequence of tests on the local
	# host.
	#

	if `check_test local_host`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST local_host
		display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_LOCALHOST
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST local_host
		fi

		return
	fi


	#
	# We start by performing checks on the startup files.
	#

	do_system_startup_file_checks


	#
	# Now we check the /etc/passwd file, and run some checks
	# on the accounts and groups.
	#

	do_group_accounts_check


	#
	# Next check some of the system configuration files.
	#

	do_system_config_files_check


	#
	# Finally check the filesystem for hidden files, directories etc.
	#

	do_filesystem_check

	keypresspause

	return
}


do_app_checks() {

	#
	# This function carries out a sequence of application checks.
	#

	if `check_test apps`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST apps
	else
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO --nl USER_DISABLED_TEST apps
		fi

		return
	fi


	#
	# First we check that our apps data file is usable.
	#

	if [ ! -e "${DB_PATH}/programs_bad.dat" -o ! -s "${DB_PATH}/programs_bad.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING CHECK_APPS
		display --to LOG --type WARNING APPS_DAT_MISSING "${DB_PATH}/programs_bad.dat"
		return
	elif [ ! -f "${DB_PATH}/programs_bad.dat" -o -h "${DB_PATH}/programs_bad.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING CHECK_APPS
		display --to LOG --type WARNING APPS_DAT_NOTAFILE "${DB_PATH}/programs_bad.dat"
		return
	fi

	display --to SCREEN+LOG --type PLAIN --color YELLOW --nl-after CHECK_APPS


	#
	# We loop through the applications and obtain the version number.
	# This is then checked against the file of known bad versions.
	# We build up a list of application names, the version number,
	# and whether it is known to be bad or not. When this has all
	# been done, we then display the results.
	#
	# The results line for each application is made up of percent (%)
	# delimited fields. They are:
	#
	#   application%description%version%if known bad%whole version number
	#
	# A 'version' number of '-1' means the application was not found.
	#
	# An 'if known bad' number of:
	#
	#	'-1' means a specific version of the application is whitelisted,
	#	'-2' means the application is whitelisted, regardless of version.
	#

	APPS_COUNT=0
	APP_RESULTS=""

	APP_NAMES="exim:Exim MTA
		   gpg:GnuPG
		   httpd:Apache
		   named:Bind DNS
		   openssl:OpenSSL
		   php:PHP
		   procmail:Procmail MTA
		   proftpd:ProFTPD
		   sshd:OpenSSH"

	APPS_TOTAL_COUNT=`echo "${APP_NAMES}" | wc -l | tr -d ' '`


	IFS=$IFSNL

	for APP in ${APP_NAMES}; do
		APP=`echo ${APP} | sed -e 's/^[ 	]*//'`

		APPLICATION=`echo ${APP} | cut -d: -f1`
		APPLICATION_DESC=`echo ${APP} | cut -d: -f2-`

		IFS=$RKHIFS
		APP_CMD_FOUND=`find_cmd ${APPLICATION}`
		IFS=$IFSNL

		if [ -z "${APP_CMD_FOUND}" ]; then
			APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%-1"
			continue
		fi


		#
		# Find out the version of the application.
		#

		APPS_COUNT=`expr ${APPS_COUNT} + 1`

		VERSION=""
		WHOLE_VERSION=""

		#
		# Applications which are whitelisted completely (no specific
		# version number), are handled first.
		#

		if [ -n "`echo \"${APP_WHITELIST}\" | grep \" ${APPLICATION} \"`" ]; then
			APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%0%-2"
		else
			case "${APPLICATION}" in
			exim)
				WHOLE_VERSION=`${APP_CMD_FOUND} -bV 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | grep '^Exim version [0-9]' | ${AWK_CMD} '{ print $3 }'`
				;;
			gpg)
				WHOLE_VERSION=`${APP_CMD_FOUND} --version --homedir / 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | grep 'GnuPG' | ${AWK_CMD} '{ print $3 }'`
				;;
			httpd)
				WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | grep -i '^Server version:[ 	][ 	]*Apache/[0-9]' | cut -d' ' -f3 | cut -d'/' -f2`
				;;
			named)
				WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | egrep '^(named|BIND)[ 	][ 	]*[0-9]' | grep -v '/' | ${AWK_CMD} '{ print $2 }'`

				if [ -n "`echo \"${VERSION}\" | grep '^[^-]*\.[0-9][0-9]*-P[^-]*-'`" ]; then
					VERSION=`echo "${VERSION}" | cut -d'-' -f1-2`
				elif [ -n "`echo \"${VERSION}\" | grep '^[^-]*\.[0-9][0-9]*-[^P]'`" ]; then
					VERSION=`echo "${VERSION}" | cut -d'-' -f1`
				fi

				if [ -z "${VERSION}" ]; then
					VERSION=`${APP_CMD_FOUND} -v | ${AWK_CMD} '{ print $2 }'`
				fi
				;;
			openssl)
				WHOLE_VERSION=`${APP_CMD_FOUND} version 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | grep '^OpenSSL[ 	][ 	]*[0-9]' | cut -d' ' -f2`

				if [ -n "`echo \"${VERSION}\" | grep '^[^-]*-fips'`" ]; then
					VERSION=`echo "${VERSION}" | cut -d'-' -f1`
				fi
				;;
			php)
				WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | grep '^PHP[ 	][ 	]*[0-9]' | ${AWK_CMD} '{ print $2 }' | cut -d'-' -f1`
				;;
			procmail)
				WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>&1`
				VERSION=`echo "${WHOLE_VERSION}" | grep '^procmail[ 	][ 	]*v[0-9]' | ${AWK_CMD} '{ print $2 }' | sed -e 's/^v//'`
				;;
			proftpd)
				WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>&1`
				VERSION=`echo "${WHOLE_VERSION}" | sed -e 's/^.*\(ProFTPD.*\)$/\1/' | grep '^ProFTPD[ 	][ 	]*Version[ 	][ 	]*[0-9]' | ${AWK_CMD} '{ print $3 }'`
				;;
			sshd)
				WHOLE_VERSION=`${APP_CMD_FOUND} -t -d 2>&1`
				VERSION=`echo "${WHOLE_VERSION}" | grep 'sshd version OpenSSH' | sed -e 's/^.*sshd version OpenSSH_//' | cut -d' ' -f1`

				if [ -n "`echo \"${VERSION}\" | grep '+'`" ]; then
					VERSION=`echo "${VERSION}" | cut -d'+' -f1`
				fi
				;;
			esac


			VERSION=`echo "${VERSION}" | tr -d '\r'`
			WHOLE_VERSION=`echo "${WHOLE_VERSION}" | tr -d '\r'`

			if [ -z "${VERSION}" ]; then
				WHOLE_VERSION=`echo "${WHOLE_VERSION}" | tr '\n' '%'`

				APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%%0%${WHOLE_VERSION}"
				continue
			fi


			#
			# Now see if the application version is known to be bad.
			#

			RKHTMPVAR=`echo "${VERSION}" | sed -e 's/\./\\\./g'`

			if [ -n "`echo \"${APP_WHITELIST}\" | grep -i \" ${APPLICATION}:${RKHTMPVAR} \"`" ]; then
				APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%${VERSION}%-1"
			elif [ -n "`egrep -i \"^${APPLICATION}:.* ${RKHTMPVAR}( |$)\" \"${DB_PATH}/programs_bad.dat\" 2>&1`" ]; then
				APPS_FAILED_COUNT=`expr ${APPS_FAILED_COUNT} + 1`

				APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%${VERSION}%1"
			else
				APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%${VERSION}%0"
			fi
		fi
	done

	IFS=$RKHIFS


	#
	# Now display the results.
	#

	if [ $APPS_COUNT -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --color YELLOW --nl --result SKIPPED CHECK_APPS
		display --to LOG --type INFO APPS_NONE_FOUND
	else
		IFS=$IFSNL

		for RKHTMPVAR in ${APP_RESULTS}; do
			APPLICATION=`echo "${RKHTMPVAR}" | cut -d% -f1`
			APPLICATION_DESC=`echo "${RKHTMPVAR}" | cut -d% -f2`
			VERSION=`echo "${RKHTMPVAR}" | cut -d% -f3`

			if [ -z "${VERSION}" ]; then
				WHOLE_VERSION=`echo "${RKHTMPVAR}" | cut -d% -f5- | tr '%' '\n'`

				display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"

				if [ -n "${WHOLE_VERSION}" ]; then
					display --to LOG --type INFO APPS_CHECK_WHOLE_VERSION_USED "${APPLICATION}" "${WHOLE_VERSION}"
				else
					display --to LOG --type INFO APPS_CHECK_VERSION_UNKNOWN "${APPLICATION}"
				fi
			elif [ "${VERSION}" = "-1" ]; then
				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO APPS_NOT_FOUND "${APPLICATION}"
				fi
			else
				ISBAD=`echo "${RKHTMPVAR}" | cut -d% -f4`

				if [ -n "`echo $ECHOOPT \"${ISBAD}\" | grep '[^-0-9]'`" ]; then
					display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
					display --to LOG --type INFO APPS_CHECK_VERSION_UNKNOWN "${APPLICATION}"
				elif [ $ISBAD -eq -2 ]; then
					display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO APPS_CHECK_WL "${APPLICATION}"
					fi
				elif [ $ISBAD -eq -1 ]; then
					display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO APPS_CHECK_VERSION_WL "${APPLICATION}" "${VERSION}"
					fi
				elif [ $ISBAD -eq 1 ]; then
					display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
					display --to LOG --type WARNING APPS_CHECK_FOUND "${APPLICATION}" "${VERSION}"
				else
					display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type INFO APPS_CHECK_VERSION_FOUND "${APPLICATION}" "${VERSION}"
					fi
				fi
			fi
		done

		IFS=$RKHIFS
	fi


	display --to LOG --type INFO APPS_TOTAL_COUNT $APPS_COUNT $APPS_TOTAL_COUNT

	return
}


display_check_summary() {

	#
	# This function displays a short summary of some of the
	# groups of checks performed.
	#

	if [ $QUIET -eq 0 -o \( $SHOWWARNINGSONLY -eq 1 -a $WARNING_COUNT -gt 0 \) ]; then
		RKHTMPVAR=2
	else
		RKHTMPVAR=1
	fi

	display --to SCREEN+LOG --type PLAIN --nl ${RKHTMPVAR} SUMMARY_TITLE1
	display --to SCREEN+LOG --type PLAIN SUMMARY_TITLE2


	#
	# Do file properties summary.
	#

	display --to SCREEN+LOG --type PLAIN --nl SUMMARY_PROP_SCAN

	if `check_test properties`; then
		if [ $SUMMARY_PROP_REQCMDS -eq 1 ]; then
			display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_PROP_REQCMDS
		fi

		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_PROP_COUNT $PROP_FILE_LIST_COUNT
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_PROP_FAILED $PROP_FAILED_COUNT
	else
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_CHKS_SKIPPED
	fi


	#
	# Do rootkit checks summary.
	#

	display --to SCREEN+LOG --type PLAIN --nl SUMMARY_RKT_SCAN

	if `check_test rootkits || check_test startup_files` || test $ROOTKIT_COUNT -gt 0; then
		RKHTMPVAR2=""

		if [ -n "${ROOTKIT_FAILED_NAMES}" ]; then
			ROOTKIT_FAILED_NAMES=`echo "${ROOTKIT_FAILED_NAMES}" | sed -e 's/, */,/g; s/,$//'`

			IFS=","

			for RTKT_NAME in ${ROOTKIT_FAILED_NAMES}; do
				if [ -z "`echo \" ${RKHTMPVAR2},\" | grep \" ${RTKT_NAME},\"`" ]; then
					RKHTMPVAR2="${RKHTMPVAR2}${RTKT_NAME}, "
				else
					ROOTKIT_FAILED_COUNT=`expr $ROOTKIT_FAILED_COUNT - 1`
				fi
			done

			IFS=$RKHIFS
			RKHTMPVAR2=`echo "${RKHTMPVAR2}" | sed -e 's/, $//'`
		fi

		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_RKT_COUNT $ROOTKIT_COUNT
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_RKT_FAILED $ROOTKIT_FAILED_COUNT

		test -n "${RKHTMPVAR2}" && display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_RKT_NAMES "${RKHTMPVAR2}"
	else
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_CHKS_SKIPPED
	fi


	#
	# Do application check summary.
	#

	display --to SCREEN+LOG --type PLAIN --nl SUMMARY_APPS_SCAN

	if `check_test apps`; then
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_APPS_COUNT $APPS_COUNT
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_APPS_FAILED $APPS_FAILED_COUNT
	else
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_CHKS_SKIPPED
	fi


	#
	# Display the amount of time the system check took.
	#

	if [ $SHOW_SUMMARY_TIME -gt 0 ]; then
		if [ $SHOW_SUMMARY_TIME -eq 1 ]; then
			RKHTMPVAR="SCREEN"
		elif [ $SHOW_SUMMARY_TIME -eq 2 ]; then
			RKHTMPVAR="LOG"
		else
			RKHTMPVAR="SCREEN+LOG"
		fi

		if [ $BEGINTIME -eq 0 ]; then
			display --to ${RKHTMPVAR} --type PLAIN --nl SUMMARY_NO_SCAN_TIME
		else
			display --to ${RKHTMPVAR} --type PLAIN --nl SUMMARY_SCAN_TIME "${TOTAL_SCANTIME}"
		fi
	fi


	#
	# Display where the log file is located, if there is one.
	#

	if [ $NOLOG -eq 0 ]; then
		display --to SCREEN --type PLAIN --nl --nl-after SUMMARY_LOGFILE "${RKHLOGFILE}"
	else
		display --to SCREEN --type PLAIN --nl --nl-after SUMMARY_NO_LOGFILE
	fi

	return
}


do_system_check() {

	#
	# This function performs the various rootkit and security checks
	# for the program. We start by initialising variables used for
	# the rootkit checks.
	#

	display --to LOG --type PLAIN --nl CHECK_START

	do_system_check_initialisation


	#
	# Next, for Solaris we see if we are running Solaris 10 or not.
	# This can be useful to know in some of the tests since we will
	# use different mechanisms on Solaris 10 from those on Solaris
	# 9 and before.
	#

	SOL_PROC=0
	SOLARISX=""

	if [ $SUNOS -eq 1 ]; then
		#
		# If we are running Solaris 10, then see if we have the
		# command pathname available.
		#
		# Solaris 10 and above should have the 'a.out' file
		# present. We use the PID of 1 here since it should exist
		# on all systems.
		#
		# If we are running Solaris 10 (or above), then we add
		# the '-X' option to the 'lsof' command in order to get
		# the deleted files.
		#

		if [ -h "/proc/1/path/a.out" ]; then
			SOLARISX='-X'
			test $HAVE_READLINK -eq 1 && SOL_PROC=1
		fi
	fi


	#
	# Record the start time if we can. The total time taken for
	# scanning will only be calculated and displayed if the
	# start time can be set.
	#

	BEGINTIME=0
	ENDTIME=0

	if [ -n "$SECONDS" ]; then
		BEGINTIME=`echo $SECONDS | cut -d. -f1`
	elif [ $BSDOS -eq 1 -o $BUSYBOX -eq 1 ]; then
		BEGINTIME=`date +%s`
	elif [ -n "${PERL_CMD}" ]; then
		BEGINTIME=`${PERL_CMD} -e 'printf "%d\n", time;'`
	fi


	#
	# Send a start message to syslog if the user requested that.
	#

	if [ -n "${USE_SYSLOG}" ]; then
		${LOGGER_CMD} -t "${LOGGER_TAG}" -p ${USE_SYSLOG} "Rootkit hunter check started (version ${PROGRAM_version})"
	fi


	#
	# We start with checks of some of the commands (binaries) and 
	# libraries on the system, to make sure that they have not
	# been tampered with.
	#

	do_system_commands_checks


	#
	# Next are the rootkit checks.
	#

	do_rootkit_checks


	#
	# Next are some network port, and interface checks.
	#

	do_network_checks


	#
	# Next are checks of the files for the local host.
	#

	do_local_host_checks


	#
	# Next are checks on specific applications.
	#

	do_app_checks


	#
	# Now record the end time.
	#

	if [ $BEGINTIME -ne 0 ]; then
		if [ -n "$SECONDS" ]; then
			ENDTIME=`echo $SECONDS | cut -d. -f1`
		elif [ $BSDOS -eq 1 -o $BUSYBOX -eq 1 ]; then
			ENDTIME=`date +%s`
		else
			ENDTIME=`${PERL_CMD} -e 'printf "%d\n", time;'`
		fi

		TOTAL_SCANTIME=`expr ${ENDTIME} - ${BEGINTIME}`
		TOTALMINS=`expr ${TOTAL_SCANTIME} / 60`
		TOTALSECS=`expr ${TOTAL_SCANTIME} % 60`

		if [ $TOTALMINS -gt 0 ]; then
			if [ $TOTALMINS -eq 1 ]; then
				TOTAL_SCANTIME="${TOTALMINS} minute and "
			else
				TOTAL_SCANTIME="${TOTALMINS} minutes and "
			fi
		else
			TOTAL_SCANTIME=""
		fi

		if [ $TOTALSECS -eq 1 ]; then
			TOTAL_SCANTIME="${TOTAL_SCANTIME}${TOTALSECS} second"
		else
			TOTAL_SCANTIME="${TOTAL_SCANTIME}${TOTALSECS} seconds"
		fi
	fi


	#
	# Display the summary of the results.
	#

	RKH_WARN_DISPLYD=0

	if [ $SHOW_SUMMARY -eq 1 ]; then
		#
		# Unfortunately we need to do a kludge here!
		# The user may have used the '--quiet' option,
		# so we need to force the summary to be displayed.
		# By resetting the NOTTY variable we can get
		# the output shown.
		#

		OLD_NOTTY=$NOTTY
		test $SHOW_SUMMARY_OPT -eq 1 && NOTTY=0

		display_check_summary

		if [ $SHOW_SUMMARY_WARNINGS_NUMBER -eq 0 ]; then
			if [ $WARNING_COUNT -eq 0 ]; then
				display --to SCREEN --type PLAIN --nl-after CHECK_WARNINGS_NOT_FOUND
			else
				RKH_WARN_DISPLYD=1

				display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND
			fi
		else
			if [ $WARNING_COUNT -eq 0 ]; then
				display --to SCREEN --type PLAIN --nl-after CHECK_WARNINGS_NOT_FOUND0
			else
				RKH_WARN_DISPLYD=1

				if [ $WARNING_COUNT -eq 1 ]; then
					display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND_NUMBER1
				else
					display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND_NUMBER "$WARNING_COUNT"
				fi
			fi
		fi

		if [ $WARNING_COUNT -gt 0 ]; then
			if [ $NOLOG -eq 1 ]; then
				display --to SCREEN --type PLAIN --nl-after CHECK_WARNINGS_FOUND_RERUN
			else
				display --to SCREEN --type PLAIN --nl-after CHECK_WARNINGS_FOUND_CHK_LOG "${RKHLOGFILE}"
			fi
		fi

		NOTTY=$OLD_NOTTY
	fi


	#
	# Send a finish message to syslog if the user requested that.
	#

	if [ -n "${USE_SYSLOG}" ]; then
		${LOGGER_CMD} -t "${LOGGER_TAG}" -p ${USE_SYSLOG} "Scanning took ${TOTAL_SCANTIME}"
	fi


	#
	# If some warning or error has been seen, then make sure the
	# user is told about it. We also set the return code, to allow
	# the user to detect it being non-zero.
	#

	if [ $WARNING_COUNT -gt 0 ]; then
		if [ $SHOWWARNINGSONLY -eq 1 -a $RKH_WARN_DISPLYD -eq 0 ]; then
			#
			# Unfortunately we need to do a kludge again!
			# By requesting that only warnings are shown,
			# the following output would not normally be
			# displayed (because they are not warnings).
			#

			OLD_NOTTY=$NOTTY
			NOTTY=0

			if [ $SHOW_SUMMARY_WARNINGS_NUMBER -eq 0 ]; then
				display --to SCREEN --type PLAIN --nl CHECK_WARNINGS_FOUND
			else
				if [ $WARNING_COUNT -eq 1 ]; then
					display --to SCREEN --type PLAIN --nl CHECK_WARNINGS_FOUND_NUMBER1
				else
					display --to SCREEN --type PLAIN --nl CHECK_WARNINGS_FOUND_NUMBER "$WARNING_COUNT"
				fi
			fi

			if [ $NOLOG -eq 1 ]; then
				display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND_RERUN
			else
				display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND_CHK_LOG "${RKHLOGFILE}"
			fi

			NOTTY=$OLD_NOTTY
		fi


		if [ -n "${USE_SYSLOG}" ]; then
			${LOGGER_CMD} -t "${LOGGER_TAG}" -p ${USE_SYSLOG} "Please inspect this machine, because it may be infected."
		fi


		if [ -n "${MAILONWARNING}" ]; then
			eval "echo 'Please inspect this machine, because it may be infected.' | ${MAIL_CMD} ${MAILONWARNING}"
		fi

		RET_CODE=1
	fi

	return
}


check_os_info() {

	#
	# This function checks the current O/S information against
	# that stored in the rkhunter.dat file. Any change could
	# mean that the file properties checks could give several
	# false-positive answers. As such we warn users that
	# a change has occurred.
	#

	OS_CHANGED=0

	display --to LOG --type PLAIN --nl OSINFO_START

	#
	# First check if the host name has changed.
	#

	if [ $WARN_ON_OS_CHANGE -eq 1 ]; then
		IND_COUNT=9
		OSINFO_WARNING="WARNING"
	else
		IND_COUNT=6
		OSINFO_WARNING="INFO"

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO FILE_PROP_NO_OS_WARNING
		fi
	fi

	OLD_HOST=`grep '^Host:' "${RKHDAT_FILE}" | cut -d: -f2-`

	if [ "${HOST_NAME}" != "${OLD_HOST}" ]; then
		OS_CHANGED=1
		display --to LOG --type "${OSINFO_WARNING}" OSINFO_HOST_CHANGE1
		display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_HOST_CHANGE2 "${OLD_HOST}" "${HOST_NAME}"
	fi


	#
	# Next check if the O/S name has changed.
	#

	OLD_OSNAME=`grep '^OS:' "${RKHDAT_FILE}" | cut -d: -f2-`

	if [ "${OSNAME}" != "${OLD_OSNAME}" ]; then
		OS_CHANGED=1
		display --to LOG --type "${OSINFO_WARNING}" OSINFO_OSVER_CHANGE1
		display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_OSVER_CHANGE2 "${OLD_OSNAME}" "${OSNAME}"
	fi


	#
	# Check if the prelinking status has changed.
	#

	if [ -z "`grep '^Prelinked:Yes' \"${RKHDAT_FILE}\"`" ]; then
		OLD_PRELINK=0
	else
		OLD_PRELINK=1
	fi

	if [ $PRELINKED -ne $OLD_PRELINK ]; then
		OS_CHANGED=1
		if [ $PRELINKED -eq 1 ]; then
			display --to LOG --type "${OSINFO_WARNING}" OSINFO_PRELINK_CHANGE ''
		else
			display --to LOG --type "${OSINFO_WARNING}" OSINFO_PRELINK_CHANGE 'not '
		fi
	fi


	#
	# Check if the system architecture has changed. We treat
	# the i386-type architectures as the same. We also treat
	# the sun-type archictures the same as 'sparc'.
	#

	OLD_ARCH=`grep '^Arch:' "${RKHDAT_FILE}" | cut -d: -f2-`

	if [ -n "`echo ${OLD_ARCH} | grep 'i[0-9]86'`" ]; then
		OLD_ARCH_TYPE="i386"
	elif [ -n "`echo ${OLD_ARCH} | grep 'sun[0-9][a-z]'`" -o -n "`echo ${OLD_ARCH} | grep 'sparc'`" ]; then
		OLD_ARCH_TYPE="sparc"
	else
		OLD_ARCH_TYPE=$OLD_ARCH
	fi

	if [ -n "`echo ${ARCH} | grep 'i[0-9]86'`" ]; then
		ARCH_TYPE="i386"
	elif [ -n "`echo ${ARCH} | grep 'sun[0-9][a-z]'`" -o -n "`echo ${ARCH} | grep 'sparc'`" ]; then
		ARCH_TYPE="sparc"
	else
		ARCH_TYPE=$ARCH
	fi

	if [ "${OLD_ARCH_TYPE}" != "${ARCH_TYPE}" ]; then
		OS_CHANGED=1
		display --to LOG --type "${OSINFO_WARNING}" OSINFO_ARCH_CHANGE1
		display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_ARCH_CHANGE2 "${OLD_ARCH}" "${ARCH}"
	fi

	if [ $OS_CHANGED -eq 1 ]; then
		display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_MSG1

		if [ $UPDT_ON_OS_CHANGE -eq 0 ]; then
			display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_MSG2

			test $WARN_ON_OS_CHANGE -eq 1 && display --to LOG --type WARNING --nl PROPUPD_WARN
		else
			PROP_UPDATE=1
			display --to LOG --type INFO OSINFO_DO_UPDT
		fi
	else
		display --to LOG --type INFO OSINFO_END
	fi

	return
}


set_file_prop_dirs_files() {

	#
	# This function sets up the list of directories we look in,
	# and the list of files we look for, in order to perform
	# the file properties checks.
	#
	# Any non-existent files are simply left in for the checks
	# to skip over. However, any symbolic links are expanded and
	# the result of the link is added to the list. This avoids
	# any attempt to simply replace a link, and avoid it being
	# detected by the file hash value check.
	#
	# We also check to see if any of the directories are links.
	# If it is then we add the link target directory.
	#

	PROP_DIR_LIST=""

	#
	# We have to change BINDIR to a newline-separated list here
	# because USER_DIR_LIST is one. If USER_DIR_LIST contained
	# a space anywhere, then the directories would not be searched.
	#

	BINPS=`echo ${BINPATHS} | tr ' ' '\n'`

	IFS=$IFSNL

	for DIR in ${BINPS} ${USER_DIR_LIST}; do
		test ! -d "${DIR}" && continue

		if [ -h "${DIR}" -a $HAVE_READLINK -eq 1 ]; then
			LINKDIR=`${READLINK_CMD} ${READLINK_OPT} "${DIR}"`
		else
			LINKDIR="${DIR}"
		fi

		if [ -z "`echo \"${PROP_DIR_LIST}\" | grep \"^${LINKDIR}$\"`" ]; then
			PROP_DIR_LIST="${PROP_DIR_LIST}
${LINKDIR}"
		fi
	done

	IFS=$RKHIFS

	PROP_FILE_LIST="adduser amd awk basename bash bget cat chattr checkproc
	    chkconfig chmod chown chroot cp cron csh curl cut date depmod df
	    diff dirname dmesg dpkg dpkg-query du echo ed egrep elinks env fgrep
	    file find fsck fuser GET grep groupadd groupdel groupmod groups grpck head id
	    ifconfig ifdown ifstatus ifup inetd init insmod ip ipcs kallsyms kill
	    killall ksyms kudzu last lastlog ldd less links locate logger login
	    ls lsattr lsmod lsof lynx mail md5 md5sum mktemp mlocate modinfo
	    modload modprobe modstat modunload more mount mv netstat newgrp
	    newsyslog nologin passwd perl pgrep ping pkg pkgdb pkg_info pkill prelink ps pstree
	    pwck pwd readlink rkhunter rmmod route rpm rsyslogd runcon runlevel sed sestatus sh
	    sha1 sha1sum sha224 sha224sum sha256 sha256sum sha384 sha384sum sha512
	    sha512sum size skdet slocate sockstat sort ssh sshd stat strace strings su sudo
	    sulogin sysctl syslogd systat tail tcpd telnet test top touch tr uname
	    uniq useradd userdel usermod users vipw vmstat w watch wc wget whatis
	    whereis which who whoami xinetd"

	#
	# We add in some extra commands to check depending on the O/S.
	#

	case "${OPERATING_SYSTEM}" in
	SunOS)
		PROP_FILE_LIST="${PROP_FILE_LIST} gawk gbasename gcat gchmod gchown
				gcksum gcp gcut gdate gdiff gdiff3 gdirname gdu gecho
				gegrep genv gfile gfind ggrep ggroups ghead gid glocate
				gls gmd5sum gmv gpwd gsed gsize gsort gstrings gsum
				gtail gtest gtouch guname guniq gusers gwc gwho gwhoami
				inetadm nawk truss unhide unhide-posix unhide-tcp"
		;;
	FreeBSD|DragonFly)
		PROP_FILE_LIST="${PROP_FILE_LIST} fstat kldload kldstat kldunload procstat
				unhide unhide-posix unhide-tcp"
		;;
	*BSD)
		PROP_FILE_LIST="${PROP_FILE_LIST} unhide unhide-posix unhide-tcp"
		;;
	Linux)
		PROP_FILE_LIST="${PROP_FILE_LIST} unhide unhide-linux unhide-posix unhide-tcp numfmt"

		if [ -n "`echo \"${UNAME_R}\" | grep '^2\.6'`" ]; then
			PROP_FILE_LIST="${PROP_FILE_LIST} unhide-linux26"
		fi
		;;
	Darwin)
		PROP_FILE_LIST="${PROP_FILE_LIST} shasum launchctl dscl gnumfmt"
		;;
	esac


	#
	# Next we quickly loop through the user supplied list of files,
	# and ignore any that are already in the builtin list. At this
	# point we also change PROP_FILE_LIST from a space-separated
	# list to a newline-separated one. We have to do this because
	# we are about to add in the user-supplied pathnames.
	#

	PROP_FILE_LIST=`echo ${PROP_FILE_LIST} | tr ' ' '\n'`

	if [ -n "${USER_SIMPLE_FILE_LIST}" ]; then
		RKHTMPVAR=""

		IFS=$IFSNL

		for FNAME in ${USER_SIMPLE_FILE_LIST}; do
			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

			test -z "`echo \"${PROP_FILE_LIST}\" | grep \"^${FNAMEGREP}$\"`" && RKHTMPVAR="${RKHTMPVAR}
${FNAME}"
		done

		IFS=$RKHIFS

		USER_SIMPLE_FILE_LIST=`echo "${RKHTMPVAR}" | sed -e '/^$/d'`

		if [ -n "${USER_SIMPLE_FILE_LIST}" ]; then
			PROP_FILE_LIST="${PROP_FILE_LIST}
${USER_SIMPLE_FILE_LIST}"
		fi
	fi


	#
	# Now loop through the file list and look for any
	# symbolic links. If a link is found, then add on
	# the file and directory that the link points to.
	#

	if [ $HAVE_READLINK -eq 1 ]; then
		EXTRA_DIRS=""
		EXTRA_FILES=""

		IFS=$IFSNL

		for DIR in ${PROP_DIR_LIST}; do
			for FNAME in ${PROP_FILE_LIST}; do
				if [ -h "${DIR}/${FNAME}" ]; then
					RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "${DIR}/${FNAME}"`

					test ! -f "${RKHTMPVAR}" && continue

					#
					# Get the link target directory name.
					#

					test -n "${DIRNAME_CMD}" && LINKDIR=`${DIRNAME_CMD} "${RKHTMPVAR}"` || LINKDIR=`echo "${RKHTMPVAR}" | sed -e 's:/[^/]*$::'`

					#
					# Now see if we already have the directory listed.
					# If not, then we add it on.
					#

					RKHTMPVAR3="${PROP_DIR_LIST}
${EXTRA_DIRS}"

					if [ -z "`echo \"${RKHTMPVAR3}\" | grep \"^${LINKDIR}$\"`" ]; then
						EXTRA_DIRS="${EXTRA_DIRS}
${LINKDIR}"
					fi


					#
					# Now get the link target file name.
					#

					LINKFNAME=`echo "${RKHTMPVAR}" | sed -e 's:^.*/::'`

					FNAMEGREP=`echo "${LINKFNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

					#
					# And finally check if we already have it listed.
					#

					RKHTMPVAR3="${PROP_FILE_LIST}
${EXTRA_FILES}"

					if [ -z "`echo \"${RKHTMPVAR3}\" | grep \"^${FNAMEGREP}$\"`" ]; then
						EXTRA_FILES="${EXTRA_FILES}
${LINKFNAME}"
					fi
				fi
			done
		done

		IFS=$RKHIFS

		EXTRA_DIRS=`echo "${EXTRA_DIRS}" | sed -e '/^$/d'`
		EXTRA_FILES=`echo "${EXTRA_FILES}" | sed -e '/^$/d'`

		test -n "${EXTRA_DIRS}" && PROP_DIR_LIST="${PROP_DIR_LIST}
${EXTRA_DIRS}"
		test -n "${EXTRA_FILES}" && PROP_FILE_LIST="${PROP_FILE_LIST}
${EXTRA_FILES}"
	fi

	PROP_FILE_LIST_TOTAL=`echo "${PROP_FILE_LIST}" | wc -l | tr -d ' '`

	return
}


check_test() {

	#
	# This function will check whether a given test name should
	# be run or not. It returns 0 if the test is to be run,
	# and 1 if it is not.
	#

	if [ "${ENABLE_TESTS}" = "all" -o -n "`echo \" ${ENABLE_TESTS} \" | grep \" $1 \"`" ]; then
		if [ "${DISABLE_TESTS}" = "none" -o -z "`echo \" ${DISABLE_TESTS} \" | grep \" $1 \"`" ]; then
			return 0
		fi
	fi

	return 1
}


display_tests() {

	#
	# This function is used to simply output all the available
	# tests and test group names. If a group name itself contains
	# a group name, then that second group name is omitted. It
	# could be confusing if it was included.
	#

	RKHTMPVAR2=`echo "all none ${KNOWN_TESTS}" | tr ' ' '\n' | sort | tr '\n' ' '`
	GROUPED_TESTS=`echo "${GROUPED_TESTS}" | tr ' ' '\n' | sort | tr '\n' ' '`


	display --to SCREEN --type PLAIN --nl LIST_TESTS

	while test -n "${RKHTMPVAR2}"; do
		STR=`echo ${RKHTMPVAR2} | cut -d' ' -f1-6`
		RKHTMPVAR2=`echo ${RKHTMPVAR2} | cut -d' ' -f7-`

		echo "    ${STR}"

		test "${STR}" = "${RKHTMPVAR2}" && RKHTMPVAR2=""
	done


	display --to SCREEN --type PLAIN --nl LIST_GROUPED_TESTS

	#
	# Sort out the maximum group name length, so we can do some
	# simple formatting of the output.
	#

	MAX=0

	for STR in ${GROUPED_TESTS}; do
		LEN=`echo "${STR}" | cut -d: -f1 | wc -c | tr -d ' '`
		test $LEN -gt $MAX && MAX=$LEN
	done


	#
	# Now loop through the group names.
	#

	RKHTMPVAR2=" `echo ${GROUPED_TESTS}`"

	for STR in ${GROUPED_TESTS}; do
		TEST_NAMES=""
		GROUP_NAME=`echo "${STR}" | cut -d: -f1`

		#
		# Add on spaces to expand the group name to the maximum.
		#

		LEN=`echo "${GROUP_NAME}" | wc -c | tr -d ' '`
		LEN=`expr $MAX - $LEN`

		test $LEN -gt 0 && GROUP_NAME="${GROUP_NAME} `echo \"${BLANK_LINE}\" | cut -d' ' -f1-$LEN`"


		#
		# Check through the list of tests for this group name.
		# If the test name is a group name itself, then go to
		# the next test name, otherwise add it to our list of
		# test names.
		#

		for TEST in `echo "${STR}" | cut -d: -f2- | tr ':' ' '`; do
			RKHTMPVAR=`echo "${RKHTMPVAR2}" | grep " ${TEST}:"`

			if [ -z "${RKHTMPVAR}" ]; then
				TEST_NAMES="${TEST_NAMES}:${TEST}"
			else
				continue
			fi
		done


		#
		# Finally, sort our list of test names and display them.
		#

		TEST_NAMES=`echo "${TEST_NAMES}" | sed -e 's/^://' | tr ':' '\n' | sort | tr '\n' ' '`

		echo "    ${GROUP_NAME} => ${TEST_NAMES}"
	done

	return
}


display_languages() {

	#
	# This function is used to simply output all the available
	# languages in a basic format of 10 per line.
	#

	KNOWN_LANGS=`ls -1 ${DB_PATH}/i18n 2>/dev/null | sort`


	display --to SCREEN --type PLAIN --nl LIST_LANGS

	while test -n "${KNOWN_LANGS}"; do
		STR=`echo ${KNOWN_LANGS} | cut -d' ' -f1-10`
		KNOWN_LANGS=`echo ${KNOWN_LANGS} | cut -d' ' -f11-`

		echo "    ${STR}"

		test "${STR}" = "${KNOWN_LANGS}" && KNOWN_LANGS=""
	done

	return
}


display_perl_modules() {

	#
	# This function is used to display the status of
	# the installed perl modules which may be required.
	#

	display --to SCREEN --type PLAIN --nl LIST_PERL

	for MODNAME in perl ${LIST_MODULES}; do
		if [ "${MODNAME}" = "perl" ]; then
			MODNAME="perl command"

			test -n "${PERL_CMD}" && MOD_INSTALLED="" || MOD_INSTALLED="NOT installed"
		else
			MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" ${MODNAME} 2>/dev/null | grep 'NOT installed'`
		fi

		MODLEN=`echo "${MODNAME}" | wc -c | tr -d ' '`
		NUM_SPACES=`expr 28 - ${MODLEN}`
		test $NUM_SPACES -lt 1 && NUM_SPACES=1
		SPACES=`echo "${BLANK_LINE}" | cut -c1-$NUM_SPACES`

		if [ -z "${MOD_INSTALLED}" ]; then
			echo $ECHOOPT "    ${MODNAME}${SPACES}Installed"
		else
			echo $ECHOOPT "    ${MODNAME}${SPACES} MISSING"
		fi

		test "${MODNAME}" = "perl command" -a -z "${PERL_CMD}" && break
	done

	return
}


display_propfiles() {

	#
	# This function is used to display the list of files which
	# would be searched for when using the '--propupd' function.
	#

	# Get any user-supplied files and directories.
	get_user_fileprop_list

	# Get the builtin list of files and directories.
	set_file_prop_dirs_files

	# Create the file of entries used by the '--propupd' function.
	create_rkh_file_prop_list

	# Finally just dump out the list of file names.
	${AWK_CMD} -F'/' '{ print $NF }' "${RKH_FILEPROP_LIST}" | sort | uniq

	return
}


display_rootkits() {

	#
	# This function is used to simply output all the rootkit
	# names which rkhunter will check for.
	#

	RKHTMPVAR2=`echo ${KNOWN_ROOTKITS} | sed -e 's/^,*//; s/,$//'`


	display --to SCREEN --type PLAIN --nl LIST_RTKTS

	while test -n "${RKHTMPVAR2}"; do
		STR=`echo ${RKHTMPVAR2} | cut -d',' -f1-6`
		RKHTMPVAR2=`echo ${RKHTMPVAR2} | cut -d',' -f7-`

		if [ "${STR}" = "${RKHTMPVAR2}" -o -z "${RKHTMPVAR2}" ]; then
			RKHTMPVAR2=""
		else
			STR="${STR},"
		fi

		echo "    ${STR}"
	done

	return
}


get_lock() {

	#
	# This function attempts to get the lock file. If it cannot
	# get the lock then it waits for 10 seconds, and then tries
	# again. It repeats this until the timeout has passed.
	#
	# We cannot log anything at this time, but we can use
	# 'display' to display messages on the users screen.
	#

	RKHTMPVAR=0

	while test $RKHTMPVAR -lt $LOCK_TIMEOUT; do
		if [ -f "${LOCKDIR}/rkhunter.LCK" ]; then
			test $SHOW_LOCK_MSGS -eq 1 -a $RKHTMPVAR -eq 0 && display --to SCREEN --type PLAIN --nonl LOCK_WAIT

			sleep 10;

			RKHTMPVAR=`expr ${RKHTMPVAR} + 10`

			test $SHOW_LOCK_MSGS -eq 1 && display --to SCREEN --type PLAIN --nonl NAME "..${RKHTMPVAR}"
		else
			break
		fi
	done

	if [ $RKHTMPVAR -lt $LOCK_TIMEOUT -o ! -f "${LOCKDIR}/rkhunter.LCK" ]; then
		echo "$$" >"${LOCKDIR}/rkhunter.LCK"

		test $SHOW_LOCK_MSGS -eq 1 -a $RKHTMPVAR -gt 0 -a $NOTTY -eq 0 && echo ""

		#
		# We handle any subsequent exit conditions by setting a trap.
		#

		trap "rm -f \"${LOCKDIR}/rkhunter.LCK\" >/dev/null 2>&1" 0 >/dev/null 2>&1
	else
		#
		# We need to be careful here. We do not want to display the message if the user
		# has explicitly requested not to, but we must display it if the user has set
		# the '--report-warnings-only' option (we treat it as a warning), or the
		# '--cronjob' option. If we did not, then the user may think that rkhunter has
		# run and that there were no warnings. If the user used the '--quiet' option,
		# then this message won't be displayed. However, that is okay because they
		# should be checking the return-code.
		#

		if [ $SHOWWARNINGSONLY -eq 1 -o $CRONJOB -eq 1 ]; then
			NOTTY=0
			RKHTMPVAR=""
		else
			RKHTMPVAR="--nl"
		fi

		test $SHOW_LOCK_MSGS -eq 1 -o $NOTTY -eq 0 && display --to SCREEN --type PLAIN ${RKHTMPVAR} LOCK_FAIL

		exit 1
	fi

	return
}


help() {

	#
	# This function outputs the help menu.
	#

	echo $ECHOOPT ""
	echo $ECHOOPT "Usage: rkhunter {--check | --unlock | --update | --versioncheck |"
	echo $ECHOOPT "                 --propupd [{filename | directory | package name},...] |"
	echo $ECHOOPT "                 --list [{tests | {lang | languages} | rootkits | perl | propfiles}] |"
	echo $ECHOOPT "                 --config-check | --version | --help} [options]"
	echo $ECHOOPT ""

	echo $ECHOOPT "Current options are:"
	echo $ECHOOPT "         --append-log                  Append to the logfile, do not overwrite"
	echo $ECHOOPT "         --bindir <directory>...       Use the specified command directories"
	echo $ECHOOPT "     -c, --check                       Check the local system"
	echo $ECHOOPT "     -C, --config-check                Check the configuration file(s), then exit"
	echo $ECHOOPT "  --cs2, --color-set2                  Use the second color set for output"
	echo $ECHOOPT "         --configfile <file>           Use the specified configuration file"
	echo $ECHOOPT "         --cronjob                     Run as a cron job"
	echo $ECHOOPT "                                       (implies -c, --sk and --nocolors options)"
	echo $ECHOOPT "         --dbdir <directory>           Use the specified database directory"
	echo $ECHOOPT "         --debug                       Debug mode"
	echo $ECHOOPT "                                       (Do not use unless asked to do so)"
	echo $ECHOOPT "         --disable <test>[,<test>...]  Disable specific tests"
	echo $ECHOOPT "                                       (Default is to disable no tests)"
	echo $ECHOOPT "         --display-logfile             Display the logfile at the end"
	echo $ECHOOPT "         --enable  <test>[,<test>...]  Enable specific tests"
	echo $ECHOOPT "                                       (Default is to enable all tests)"
	echo $ECHOOPT "         --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |"
	echo $ECHOOPT "                 NONE | <command>}     Use the specified file hash function"
	echo $ECHOOPT "                                       (Default is SHA256)"
	echo $ECHOOPT "     -h, --help                        Display this help menu, then exit"
	echo $ECHOOPT " --lang, --language <language>         Specify the language to use"
	echo $ECHOOPT "                                       (Default is English)"
	echo $ECHOOPT "         --list [tests | languages |   List the available test names, languages,"
	echo $ECHOOPT "                 rootkits | perl |     rootkit names, perl module status"
	echo $ECHOOPT "                 propfiles]            or file properties database, then exit"
	echo $ECHOOPT "     -l, --logfile [file]              Write to a logfile"
	echo $ECHOOPT "                                       (Default is $DFLT_LOGFILE)"
	echo $ECHOOPT "         --noappend-log                Do not append to the logfile, overwrite it"
	echo $ECHOOPT "         --nocf                        Do not use the configuration file entries"
	echo $ECHOOPT "                                       for disabled tests (only valid with --disable)"
	echo $ECHOOPT "         --nocolors                    Use black and white output"
	echo $ECHOOPT "         --nolog                       Do not write to a logfile"
	echo $ECHOOPT "--nomow, --no-mail-on-warning          Do not send a message if warnings occur"
	echo $ECHOOPT "   --ns, --nosummary                   Do not show the summary of check results"
	echo $ECHOOPT " --novl, --no-verbose-logging          No verbose logging"
	echo $ECHOOPT "         --pkgmgr {RPM | DPKG | BSD |  Use the specified package manager to obtain"
	echo $ECHOOPT "                   BSDng | SOLARIS |   or verify file property values."
	echo $ECHOOPT "                   NONE}               (Default is NONE)"
	echo $ECHOOPT "         --propupd [file | directory | Update the entire file properties database,"
	echo $ECHOOPT "                    package]...        or just for the specified entries"
	echo $ECHOOPT "     -q, --quiet                       Quiet mode (no output at all)"
	echo $ECHOOPT "  --rwo, --report-warnings-only        Show only warning messages"
	echo $ECHOOPT "   --sk, --skip-keypress               Don't wait for a keypress after each test"
	echo $ECHOOPT "         --summary                     Show the summary of system check results"
	echo $ECHOOPT "                                       (This is the default)"
	echo $ECHOOPT "         --syslog [facility.priority]  Log the check start and finish times to syslog"
	echo $ECHOOPT "                                       (Default level is $SYSLOG_DFLT_PRIO)"
	echo $ECHOOPT "         --tmpdir <directory>          Use the specified temporary directory"
	echo $ECHOOPT "         --unlock                      Unlock (remove) the lock file"
	echo $ECHOOPT "         --update                      Check for updates to database files"
	echo $ECHOOPT "   --vl, --verbose-logging             Use verbose logging (on by default)"
	echo $ECHOOPT "     -V, --version                     Display the version number, then exit"
	echo $ECHOOPT "         --versioncheck                Check for latest version of program"
	echo $ECHOOPT "     -x, --autox                       Automatically detect if X is in use"
	echo $ECHOOPT "     -X, --no-autox                    Do not automatically detect if X is in use"
	echo $ECHOOPT ""

	return
}


######################################################################
#
# Initialisation
#
######################################################################


#
# Unfortunately, for the Korn shell if we are debugging then
# we need to enable tracing in each of the functions.
#

if [ $DEBUG_OPT -eq 1 -a "${MYSHELL}" = "ksh" ]; then
	RKHTMPVAR=`typeset +f`

	for RKHTMPVAR2 in ${RKHTMPVAR}; do
		typeset -ft ${RKHTMPVAR2}
	done
fi

#
# We reset the SIGPIPE signal to its default
# to try and avoid any output write errors.
#

trap - 13 >/dev/null 2>&1


#
# Initialise the variables used throughout the program.
#
RKH_VER_MAJ="1"
RKH_VER_MIN="4"

PROGRAM_NAME="Rootkit Hunter"
PROGRAM_version="${RKH_VER_MAJ}.${RKH_VER_MIN}.6"
PROGRAM_copyright_owner="Michael Boelen"
PROGRAM_copyright="Copyright (c) 2003-2018, ${PROGRAM_copyright_owner}"
PROGRAM_blurb="
This software was developed by the ${PROGRAM_NAME} project team.
Please review your rkhunter configuration files before using.
Please review the documentation before posting bug reports or questions.
To report bugs, provide patches or comments, please go to:
http://rkhunter.sourceforge.net

To ask questions about rkhunter, please use the rkhunter-users mailing list.
Note this is a moderated list: please subscribe before posting.

${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the
terms of the GNU General Public License. See the LICENSE file for details.
"
PROGRAM_license="
${PROGRAM_NAME} ${PROGRAM_version}, ${PROGRAM_copyright}
${PROGRAM_blurb}
"

LOGGER_TAG="rkhunter"

LEAVE=0
ERRCODE=0

# Set to run as a cron job.
CRONJOB=0
CHECK=0

# Set to display the logfile at the end.
CATLOGFILE=0

NOLOG=0
RKHLOGFILE=""
DFLT_LOGFILE="/var/log/rkhunter.log"

# Set to have the logfile appended to rather than overwritten.
APPEND_LOG=0
APPEND_OPT=0

# Set to have the logfile copied if there was an error.
COPY_LOG_ON_ERROR=0

# Set to have rkhunter start/finish messages, and warnings,
# logged to syslog. The priority/severity can be set on the
# command-line or in the configuration file.
USE_SYSLOG=""
SYSLOG_DFLT_PRIO="authpriv.notice"

# By default do not send a mail-on-warning message.
NOMOW=0
MAILONWARNING=""

HASH_FUNC=""
OLD_HASH_FUNC=""
PKGMGR=""
OLD_PKGMGR=""
OLD_ATTRUPD=""
HASH_OPT=0
SHA_SIZE=0
HASH_FLD_IDX=1
PROP_DIR_LIST=""
PROP_FILE_LIST=""
PROP_FILE_LIST_COUNT=0
PROP_FILE_LIST_TOTAL=0

PRELINKED=0
PRELINK_CMD=""
PRELINK_HASH=""
PKGMGR_MD5_HASH=""
PKGMGR_SHA_HASH=""
MD5_CMD=""
EPOCH_DATE_CMD=""
PKGMGRNOVRFY=""

UPDATE=0
PROP_UPDATE=0
PROPUPD_OPT=""
VERSIONCHECK=0

# By default use coloured output.
COLORS=1
CLRSET2=0

# Are whitelisted results to be shown as white?
WLIST_IS_WHITE=0

# Set to automatically detect if X is in use, and
# hence use the second colour set.
AUTO_X_DTCT=0
AUTO_X_OPT=0

# Set to be quiet. No output, but the return code will be set.
QUIET=0

# Set to only show warnings.
SHOWWARNINGSONLY=0

# This will be set if the file properties hash value check
# or the file attributes check is to be performed.
HASH_CHECK_ENABLED=0
SKIP_HASH_MSG=0

# Users can reset this to a new temporary directory.
RKHTMPDIR=""

# Users can reset this to a new database directory.
DB_PATH=""

# Users can reset this to a new configuration file.
CONFIGFILE=""

# Users cannnot reset this. The local config file must
# be in the same directory as the main config file.
LOCALCONFIGFILE=""

# Users cannot reset this. The rkhunter.d directory must
# be in the same directory as the main config file.
LOCALCONFIGDIR=""

# Users cannot reset this. The rkhunter.d config files
# can only be stored in the local config directory.
LOCALCONFDIRCOUNT=0
LOCALCONFDIRFILES=""

# This will be set similar to the current root PATH. Users can
# include new command directories to use as well.
BINPATHS=""
DFLT_BINPATHS="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
BINDIR_OPT=0

# This will be set if any of the command directories is a symbolic link.
BINISLINK=0

# Default 'id' and 'awk' commands. Solaris may reset these.
ID_CMD='id'
AWK_CMD='awk'

# Set if we don't want to wait for a keypress after each test.
SKIP_KEY_PRESS=0

# Does 'grep' need an extra option to check binary files?
GREP_OPT=""

# Set the O/S type if necessary.
BSDOS=0
SUNOS=0
IRIXOS=0
MACOSX=0
LINUXOS=0

case "${OPERATING_SYSTEM}" in
Linux)
	LINUXOS=1
	GREP_OPT="-a"
	;;
*BSD|DragonFly)
	BSDOS=1
	HASH_FLD_IDX=4
	GREP_OPT="-a"
	;;
SunOS)
	SUNOS=1
	;;
IRIX*)
	IRIXOS=1
	;;
Darwin)
	MACOSX=1
	;;
esac

# This will be set if the local host or O/S has changed in some way.
OS_CHANGED=0

# By default we want a warning if the O/S has changed.
WARN_ON_OS_CHANGE=1

# If set, then automatically perform a properties update if the O/S changes.
UPDT_ON_OS_CHANGE=0

# These SSH options can only be set in the configuration file.
ALLOW_SSH_PROT_V1=0
ALLOW_SSH_ROOT_USER=""
SSH_CONFIG_DIR=""

# These syslog options can only be set in the configuration file.
ALLOW_SYSLOG_REMOTE_LOGGING=0
SYSLOG_CONFIG_FILE=""

# Set check counters to be used by the summary.
ROOTKIT_COUNT=0
ROOTKIT_FAILED_COUNT=0
ROOTKIT_FAILED_NAMES=""

PROP_FAILED_COUNT=0
SUMMARY_PROP_REQCMDS=0

APPS_COUNT=0
APPS_TOTAL_COUNT=0
APPS_FAILED_COUNT=0

# Timers for the system check.
BEGINTIME=0
TOTAL_SCANTIME=""

# This will be set if a warning message is logged.
WARNING_COUNT=0

# This will be set to the kernel symbols file used in some checks.
KSYMS_FILE=""

# Record for logging the command-line being used.
CMD_LINE="$0 $*"

# Create a spaced-separated PATH variable.
RKHROOTPATH=`echo ${PATH} | tr ':' ' '`

# List of commands used during RKH. If a command does not exist, then
# the code may use an alternative method.
CMDLIST="basename diff dirname file find ifconfig ip ipcs ldd lsattr lsmod lsof mktemp netstat numfmt perl pgrep ps pwd readlink stat strings"

# Commands that are required to exist for RKH to run. The absolutely
# required commands are tested early on using just the root PATH. Then
# BINDIR is checked, and finally the rest of the commands are then
# checked using the new PATH from BINDIR.
ABSOLUTELY_REQUIRED_CMDS="cut egrep grep sed tail tr"
REQCMDS="awk cat chmod chown cp cut date egrep grep head ls mv sed sort tail touch tr uname uniq wc"

# This will be set to a list of commands that have been disabled.
DISABLED_CMDS=""

# List of commands used to download files from the web. This list is 
# used by the '--update' and '--versioncheck' options. Preferred commands
# are listed first. This can be overridden by the config file.
WEBCMDLIST="wget curl elinks links lynx bget GET"

RKHWEBCMD=""
RKHWEBCMD_OPTS=""
RKHWEBCMD_BASE=""

HOST_NAME=""

# This is the return code for the program actions - update, check, etc.
# Its value may either be 0 (no error) or 1 (an error occurred).
# The '--versioncheck' option may set the return code to 2 to
# indicate that an update is available.
# The '--update' option may set the return code to 2 to
# indicate that an update occurred.
RET_CODE=0

# Initially there is no language, this will be set later.
LANGUAGE=""
UPDATE_LANG=""

LOCALE_CMD=""
ICONV_CMD=""
RKHCHRMAP=""
RKHCHKLOCALE=0

# A space-separated list of test names we recognise.
KNOWN_TESTS="strings properties hashes scripts immutable attributes
	     deleted_files packet_cap_apps apps rootkits known_rkts
	     additional_rkts malware local_host network passwd_changes
	     group_changes possible_rkt_files possible_rkt_strings
	     system_commands shared_libs shared_libs_path running_procs
	     hidden_procs trojans os_specific startup_malware
	     startup_files group_accounts system_configs system_configs_ssh
	     system_configs_syslog filesystem suspscan ports hidden_ports
	     promisc loaded_modules avail_modules login_backdoors
	     sniffer_logs tripwire susp_dirs ipc_shared_mem"

# A space-separated list of test 'group names'. This list allows test
# names to be grouped together. For example, 'system_commands' can include
# the specific tests of 'strings' and 'hashes'. Both test
# group names, and specific test names, can be used with the test
# enable/disable options. In this list group names are colon-separated
# from the specific test names.
#
GROUPED_TESTS="system_commands:properties:strings:hashes:scripts:shared_libs:shared_libs_path:immutable:attributes
	       properties:hashes:scripts:immutable:attributes
	       shared_libs:shared_libs_path
	       rootkits:known_rkts:additional_rkts:possible_rkt_files:possible_rkt_strings:malware:running_procs:hidden_procs:deleted_files:trojans:os_specific:suspscan:loaded_modules:avail_modules:login_backdoors:sniffer_logs:tripwire:susp_dirs:ipc_shared_mem
	       additional_rkts:possible_rkt_files:possible_rkt_strings
	       network:packet_cap_apps:ports:hidden_ports:promisc
	       malware:running_procs:hidden_procs:deleted_files:suspscan:login_backdoors:sniffer_logs:tripwire:susp_dirs:ipc_shared_mem
	       local_host:startup_files:passwd_changes:group_changes:startup_malware:group_accounts:system_configs:filesystem:system_configs_ssh:system_configs_syslog
	       startup_files:startup_malware
	       os_specific:loaded_modules:avail_modules
	       group_accounts:passwd_changes:group_changes
	       system_configs:system_configs_ssh:system_configs_syslog"

# A comma-separated list of rootkits we check for.
# NOTE: This is a COMMA separated list. Any single quotes need to be handled specially - i.e.
# put between double-quotes.
KNOWN_ROOTKITS='55808 Trojan - Variant A, AjaKit, aPa Kit, Adore, Apache Worm, Ambient (ark),
  Balaur, BeastKit, beX2, BOBKit, Boonana (Koobface.A), cb, CiNIK Worm (Slapper.B variant), CX,
  Danny-Boy'"'"'s Abuse Kit, Devil, Diamorphine LKM, Dica, Dreams, Duarawkz, Ebury, Enye LKM, Flea Linux, FreeBSD, Fu,
  Fuck`it, GasKit, Heroin LKM, HjC Kit, ignoKit, iLLogiC, Inqtana-A, Inqtana-B, Inqtana-C,
  IntoXonia-NG, Irix, Jynx, Jynx2, KBeast, Keydnap, Kitko, Knark, Komplex, ld-linuxv.so, Li0n Worm, Lockit/LJK2, Mokes,
  Mood-NT, MRK, Ni0, Ohhara, Optic Kit (Tux), OSXRK, Oz, Phalanx, Phalanx2, Portacelo, Proton, R3dstorm Toolkit,
  RH-Sharpe'"'"'s, RSHA'"'"'s, Scalper Worm, Shutdown, SHV4, SHV5, Sin, SInAR, Slapper,
  Sneakin, Solaris Wanuk, Spanish, Suckit, SunOS / NSDAP, SunOS Rootkit, Superkit, TBD (Telnet BackDoor),
  TeLeKiT, Togroot, T0rn, trNkit, Trojanit Kit, Turtle2, Tuxtendo, URK, Vampire, VcKit, Volc, w00tkit,
  weaponX, Xzibit, X-Org SunOS, zaRwT.KiT, ZK'

# A space-separated list of perl modules that may be required.
LIST_MODULES="File::stat Getopt::Long Crypt::RIPEMD160 Digest::MD5 Digest::SHA Digest::SHA1 Digest::SHA256
	      Digest::SHA::PurePerl Digest::Whirlpool LWP URI HTTP::Status HTTP::Date Socket Carp"

# A list of configuration options which are space-separated lists.
SPACE_LIST_OPTS="ALLOWIPCPID ALLOWIPCUSER ALLOWPROMISCIF APP_WHITELIST BINDIR DISABLE_TESTS EMPTY_LOGFILES
		 ENABLE_TESTS IGNORE_PRELINK_DEP_ERR INETD_ALLOWED_SVC MAIL-ON-WARNING MISSING_LOGFILES
		 PORT_WHITELIST PWDLESS_ACCOUNTS SHARED_LIB_WHITELIST STARTUP_PATHS SUSPSCAN_DIRS
		 SYSLOG_CONFIG_FILE UID0_ACCOUNTS UNHIDE_TESTS UNHIDETCP_OPTS UPDATE_LANG
		 XINETD_ALLOWED_SVC"
SPACE_LIST_OPTS=" `echo ${SPACE_LIST_OPTS}` "

# A list of configuration options which are newline-separated lists.
NEWLINE_LIST_OPTS="ALLOWDEVFILE ALLOWHIDDENDIR ALLOWHIDDENFILE ALLOWPROCDELFILE ALLOWIPCPROC
		   ALLOWPROCLISTEN ATTRWHITELIST EXCLUDE_USER_FILEPROP_FILES_DIRS EXISTWHITELIST
		   IMMUTWHITELIST PKGMGR_NO_VRFY PORT_PATH_WHITELIST RTKT_DIR_WHITELIST
		   RTKT_FILE_WHITELIST SCRIPTWHITELIST SUSPSCAN_WHITELIST USER_FILEPROP_FILES_DIRS
		   WRITEWHITELIST"
NEWLINE_LIST_OPTS=" `echo ${NEWLINE_LIST_OPTS}` "

# The program defaults of which tests to perform will be set later.
ENABLE_TESTS=""
DISABLE_TESTS=""
CL_ENABLE_TESTS=""
CL_DISABLE_TESTS=""
CONFIG_DISABLE_TESTS=""

# These get set if the '--enable' or '--disable' command-line options have been used.
ENDIS_OPT=0
ENABLE_OPT=0

# This gets set to zero if the '--nocf' command-line option is used.
USECF=1

# This gets set if the '--list' command-line option is used.
LIST_OPT=""

# Space-filled line used for the display function.
BLANK_LINE="                                                              "

# Initially say that we are connected to a terminal.
NOTTY=0

# By default show the system check summary.
SHOW_SUMMARY=1
SHOW_SUMMARY_OPT=0
SHOW_SUMMARY_TIME=3
SHOW_SUMMARY_WARNINGS_NUMBER=0

# By default log most things that are checked.
VERBOSE_LOGGING=1

# We copy the original IFS value, and set RKHIFS to space, tab, newline.
# IFSNL is set to just a newline.
ORIGIFS=$IFS
RKHIFS=" 	
"
IFSNL="
"
IFS=$RKHIFS

# No default set for the system startup files and directories.
STARTUP_PATHS=""
STARTUP_PATHS_LOGGED=0

# Set a default for the inetd configuration file.
INETD_CONF_PATH="/etc/inetd.conf"
INETDALLOWEDSVCS=""

# Set a default for the xinetd configuration file.
XINETD_CONF_PATH="/etc/xinetd.conf"
XINETDALLOWEDSVCS=""

# Set if only the '--update' option is used.
UPDATE_ONLY=0

# Set if UPDATE_ONLY is set, and some language files are missing.
RKHLANGUPDT=0

# By default we rotate the mirrors in the mirrors.dat file,
# and we update the file when the '--update' option is used.
# The default MIRRORS_MODE is set such that we use both local
# and remote mirrors.
ROTATE_MIRRORS=1
UPDATE_MIRRORS=1
MIRRORS_MODE=0

# Set the default suspscan settings.
SUSPSCAN_DEBUG=0
SUSPSCAN_DFLT_DIRS="/tmp /var/tmp"
SUSPSCAN_DFLT_TMP="/dev/shm"
SUSPSCAN_DFLT_THRESH=200
SUSPSCAN_DFLT_MAXSIZE=1024000
SUSPSCAN_WL_OPT=""

# SELinux runcon usage as determined by get_if_prelinked.
USE_RUNCON=0
SELINUX_ENABLED=0

# These get set if any network ports are to be whitelisted.
PORT_WHITELIST=""
PORT_PATH_WHITELIST=""
PORT_WHITELIST_ALL_TRUSTED=0

# This will be set to the shadow file location if required.
SHADOW_FILE=""
HAVE_TCB_SHADOW=0

# The O/S 'release' file location.
OS_VERSION_FILE=""

# By default no rootkit files or directories are whitelisted.
RTKT_DIR_WHITELIST=""
RTKT_FILE_WHITELIST=""

# The full pathname of the 'rkhunter.dat' file.
RKHDAT_FILE=""

# The full pathname of the 'rkhunter_prop_list.dat' file.
RKH_FILEPROP_LIST=""

# This gets set if we have a working readlink command.
HAVE_READLINK=0

# By default no commands are to be exempt from dependency errors.
PRELINK_DEP_ERR_CMDS=""

# User provided files/dirs for the file properties check.
USER_FILE_LIST=""
USER_SIMPLE_FILE_LIST=""
USER_DIR_LIST=""
USER_EXCLUDE_PROP=""

# This gets set if any shared libraries are to be whitelisted.
SHARED_LIB_WHITELIST=""

# If used, these lock values must be set in the config file.
USE_LOCKING=0
LOCKDIR=""
LOCK_TIMEOUT=0
SHOW_LOCK_MSGS=1

# This gets set if the '--unlock' command-line option is used.
UNLOCK=0

# This gets set if any files or directories need
# whitelisting from 'existence' checks.
EXISTWHITELIST=""

# This will be set if we are just doing a config file check.
CONFIG_CHECK=0

# Network interface whitelist.
IFWLIST=""

# This will be set to any allowed processes listening on the network.
ALLOWPROCLIST_OPT=""

# This option will be set if the shell globstar option is to be set.
GLOBSTAR=0

# The default value for the minimum shared memory segement size.
DFLT_SEG_SIZE=1048576

# This gets set if we have the numfmt command.
HAVE_NUMFMT=0

# Record the running kernel release.
UNAME_R=`uname -r 2>/dev/null`


######################################################################
#
# Command-line option processing
#
######################################################################


#
# Display the help menu if no options were given.
#

if [ $# -eq 0 ]; then
	help
	exit 0
fi


#
# Check the command-line options. If set, these will override the
# configuration file options.
#

while [ $# -ge 1 ]; do
	case "$1" in
	--append-log | --appendlog)
		APPEND_LOG=1
		APPEND_OPT=1
		;;
	--bindir)
		RKHTMPVAR="$2"

		case "${RKHTMPVAR}" in
		"")
			;;
		-*)
			RKHTMPVAR=""
			;;
		*)
			shift
			BINPATHS="${BINPATHS} ${RKHTMPVAR}"
			BINDIR_OPT=1
			;;
		esac

		if [ -z "${RKHTMPVAR}" ]; then
			echo "No command directories specified with '--bindir' option."
			exit 1
		fi
		;;
	-c | --check | --checkall | --check-all)
		CHECK=1
		;;
	-C | --config-check | --configcheck | --check-config | --checkconfig)
		CONFIG_CHECK=1
		;;
	--configfile)
		CONFIGFILE=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			CONFIGFILE="$1"
			;;
		esac

		if [ -z "${CONFIGFILE}" ]; then
			echo "No configuration file specified with '--configfile' option."
			exit 1
		fi
		;;
	--cronjob)
		CHECK=1
		CRONJOB=1
		COLORS=0
		SKIP_KEY_PRESS=1
		;;
	--cs2 | --colorset2 | --color-set2)
		CLRSET2=1
		;;
	--dbdir)
		DB_PATH=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			DB_PATH="$1"
			;;
		esac

		if [ -z "${DB_PATH}" ]; then
			echo "No database directory specified with '--dbdir' option."
			exit 1
		fi
		;;
	--debug)
		SKIP_KEY_PRESS=1
		;;
	--display-logfile | --displaylogfile | --display-log | --displaylog | --showlog)
		CATLOGFILE=1
		;;
	--disable)
		RKHTMPVAR="$2"

		case "${RKHTMPVAR}" in
		"")
			;;
		-*)
			RKHTMPVAR=""
			;;
		*)
			shift
			CHECK=1
			ENDIS_OPT=1
			CL_DISABLE_TESTS="${CL_DISABLE_TESTS} ${RKHTMPVAR}"
			;;
		esac

		if [ -z "${RKHTMPVAR}" ]; then
			echo "No tests specified with '--disable' option."
			exit 1
		fi
		;;
	--enable)
		RKHTMPVAR="$2"

		case "${RKHTMPVAR}" in
		"")
			;;
		-*)
			RKHTMPVAR=""
			;;
		*)
			shift
			CHECK=1
			ENDIS_OPT=1
			ENABLE_OPT=1
			CL_ENABLE_TESTS="${CL_ENABLE_TESTS} ${RKHTMPVAR}"
			;;
		esac

		if [ -z "${RKHTMPVAR}" ]; then
			echo "No tests specified with '--enable' option."
			exit 1
		fi
		;;
	--hash)
		HASH_FUNC=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			HASH_FUNC="$1"
			HASH_OPT=1
			;;
		esac

		if [ -z "${HASH_FUNC}" ]; then
			echo "No hash function specified with '--hash' option."
			exit 1
		fi
		;;
	-h | --help)
		help
		exit 0
		;;
	-l | --log | --logfile | --createlogfile | --createlog | --create-log | --create-logfile)
		RKHLOGFILE="${DFLT_LOGFILE}"

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			RKHLOGFILE="$1"
			;;
		esac
		;;
	--lang | --language)
		LANGUAGE=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			LANGUAGE="$1"
			;;
		esac

		if [ -z "${LANGUAGE}" ]; then
			echo "No language specified with '$1' option."
			exit 1
		fi
		;;
	--list)
		case "$2" in
		test | tests | check | checks)
			shift
			LIST_OPT="${LIST_OPT} tests "
			;;
		lang | langs | language | languages)
			shift
			LIST_OPT="${LIST_OPT} languages "
			;;
		rootkit | rootkits)
			shift
			LIST_OPT="${LIST_OPT} rootkits "
			;;
		perl | modules)
			shift
			LIST_OPT="${LIST_OPT} perl "
			;;
		propfiles)
			shift
			LIST_OPT="${LIST_OPT} propfiles "
			;;
		"")
			LIST_OPT="${LIST_OPT} tests languages rootkits perl "
			;;
		*)
			echo "Invalid '--list' option specified: $2"
			exit 1
			;;
		esac
		;;
	--noappend-log | --no-append-log | --noappendlog)
		APPEND_LOG=0
		APPEND_OPT=1
		;;
	--nocf)
		USECF=0
		;;
	--nocolors | --no-colors | --nocolor | --no-color)
		COLORS=0
		;;
	--nolog | --no-log)
		RKHLOGFILE="/dev/null"
		;;
	--nomow | --no-mow | --no-mailonwarning | --no-mail-on-warning)
		NOMOW=1
		;;
	--novl | --noverboselogging | --no-verbose-logging)
		VERBOSE_LOGGING=0
		;;
	--ns | --nosummary | --no-summary)
		SHOW_SUMMARY=0
		SHOW_SUMMARY_OPT=1
		;;
	--pkgmgr)
		PKGMGR=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			PKGMGR="$1"
			;;
		esac

		if [ -z "${PKGMGR}" ]; then
			echo "No package manager specified with '--pkgmgr' option."
			exit 1
		fi
		;;
	--propupd | --prop-update | --propupdate | --properties-update | --hashupd)
		PROP_UPDATE=1
		PROPUPD_OPT=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			PROPUPD_OPT="$1"
			;;
		esac
		;;
	-q | --quiet)
		QUIET=1
		;;
	--rwo | --swo | --report-warnings-only | --show-warnings-only)
		QUIET=1
		SHOWWARNINGSONLY=1
		;;
	-r | --rootdir)
		echo "The '$1' option is now deprecated."
		shift
		;;
	-sk | --sk | --skip-keypress | --skipkeypress)
		SKIP_KEY_PRESS=1
		;;
	--summary)
		SHOW_SUMMARY=1
		SHOW_SUMMARY_OPT=1
		;;
	--syslog)
		USE_SYSLOG="${SYSLOG_DFLT_PRIO}"

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			USE_SYSLOG="$1"
			;;
		esac
		;;
	--tmpdir)
		RKHTMPDIR=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			RKHTMPDIR="$1"
			;;
		esac

		if [ -z "${RKHTMPDIR}" ]; then
			echo "No temporary directory specified with '--tmpdir' option."
			exit 1
		fi
		;;
	--unlock)
		UNLOCK=1
		;;
	--update)
		UPDATE=1
		;;
	--vl | --verboselogging | --verbose-logging)
		VERBOSE_LOGGING=1
		;;
	-V | --version)
		echo "${PROGRAM_NAME} ${PROGRAM_version}"
		echo "${PROGRAM_blurb}"
		exit 0
		;;
	--versioncheck | --version-check)
		VERSIONCHECK=1
		;;
	-x | --autox)
		AUTO_X_OPT=1
		AUTO_X_DTCT=1
		;;
	-X | --no-autox)
		AUTO_X_OPT=1
		AUTO_X_DTCT=0
		;;
	*)
		echo "Invalid option specified: $1"
		exit 1
		;;
	esac

	shift
done


#
# We check that we are root. If we are not, then only the
# help and version command-line options are valid.
#

if [ $SUNOS -eq 1 ]; then
	test -x /usr/xpg4/bin/id && ID_CMD="/usr/xpg4/bin/id"

	#
	# Unfortunately we need the AWK_CMD set this early on so
	# that the option processing works. As such this is a bit
	# of a hack. AWK_CMD will be set properly later on.
	#

	RKHTMPVAR=`which gawk 2>/dev/null | grep -v ' '`
	if [ -n "${RKHTMPVAR}" ]; then
		AWK_CMD="${RKHTMPVAR}"
	else
		RKHTMPVAR=`which nawk 2>/dev/null | grep -v ' '`
		if [ -n "${RKHTMPVAR}" ]; then
			AWK_CMD="${RKHTMPVAR}"
		elif [ -x "/usr/xpg4/bin/awk" ]; then
				AWK_CMD="/usr/xpg4/bin/awk"
		fi
	fi
fi

RKHTMPVAR=`${ID_CMD} -u 2>/dev/null`

if [ -z "${RKHTMPVAR}" ]; then
	RKHTMPVAR=`whoami 2>/dev/null`

	if [ -z "${RKHTMPVAR}" ]; then
		RKHTMPVAR=`who am i 2>/dev/null | cut -d' ' -f1`

		if [ -z "${RKHTMPVAR}" ]; then
			RKHTMPVAR=`who -m 2>/dev/null | cut -d' ' -f1`
		fi
	fi
fi

if [ -z "${RKHTMPVAR}" ]; then
	echo "Unable to determine if you are root."
	exit 1
elif [ "${RKHTMPVAR}" != "0" -a "${RKHTMPVAR}" != "root" ]; then
	echo "You must be the root user to run this program."
	exit 1
fi


#
# We need to see if we are to run a check before we get to the
# configuration file processing code. Basically if either of the
# '--enable' or '--disable' options are used, then we will do a
# check.
#

if [ $ENDIS_OPT -eq 1 ]; then
	CL_ENABLE_TESTS=`echo ${CL_ENABLE_TESTS} | tr -d '"' | tr -d "'" | tr ',' ' ' | tr '[:upper:]' '[:lower:]'`

	CL_DISABLE_TESTS=`echo ${CL_DISABLE_TESTS} | tr -d '"' | tr -d "'" | tr ',' ' ' | tr '[:upper:]' '[:lower:]'`
	CL_DISABLE_TESTS=`echo ${CL_DISABLE_TESTS}`

	# The '--nocf' option is only for disabled tests.
	test -z "${CL_DISABLE_TESTS}" && USECF=1
else
	USECF=1
fi


#
# See if only the '--update' option has been used.
#

test $UPDATE -eq 1 -a $CHECK -eq 0 -a $PROP_UPDATE -eq 0 -a $VERSIONCHECK -eq 0 && UPDATE_ONLY=1


#
# Before going too much further we need to ensure that some basic
# commands are present on the system. We cannot do this using
# the BINDIR option because that requires processing the configuration
# file, which in turn requires the commands we want to check on. As
# such we use the default command directory list. We do not assign
# these commands to variables, but will do for other commands which we
# look for later on.
#

check_required_commands 1


######################################################################
#
# Configuration file processing
#
######################################################################


#
# Now we check for the configuration file. We then see if there is a
# local configuration file, and/or a local directory, present in the
# same directory, and finally check the various options within them.
#
# NOTE: Do not change the format of the following 'if' statement.
# The installer script will modify it directly during installation.
#

if [ -z "${CONFIGFILE}" ]; then
	if [ -f /etc/rkhunter.conf ]; then
		CONFIGFILE="/etc/rkhunter.conf"
	else
		CONFIGFILE="/usr/local/etc/rkhunter.conf"
	fi
fi

if [ ! -f "${CONFIGFILE}" ]; then
	echo "Unable to find configuration file: ${CONFIGFILE}"
	exit 1
elif [ ! -r "${CONFIGFILE}" ]; then
	echo "Configuration file is not readable: ${CONFIGFILE}"
	exit 1
elif [ ! -s "${CONFIGFILE}" ]; then
	echo "Configuration file is empty: ${CONFIGFILE}"
	exit 1
fi

RKHTMPVAR=`echo "${CONFIGFILE}" | sed -e 's:/[^/]*$::'`

test -f "${RKHTMPVAR}/rkhunter.conf.local" -a ! -h "${RKHTMPVAR}/rkhunter.conf.local" -a -r "${RKHTMPVAR}/rkhunter.conf.local" && LOCALCONFIGFILE="${RKHTMPVAR}/rkhunter.conf.local"

if [ -d "${RKHTMPVAR}/rkhunter.d" ]; then
	LOCALCONFIGDIR="${RKHTMPVAR}/rkhunter.d"

	for FNAME in ${LOCALCONFIGDIR}/*.conf; do
		test ! -f "${FNAME}" -o -h "${FNAME}" -o ! -r "${FNAME}" && continue

		LOCALCONFDIRCOUNT=`expr ${LOCALCONFDIRCOUNT} + 1`
		LOCALCONFDIRFILES="${LOCALCONFDIRFILES} ${FNAME}"
	done
fi

get_configfile_options

#
# If we are doing a configuration file
# check, then this is as far as we go.
#

if [ $CONFIG_CHECK -eq 1 ]; then
	do_config_file_check
	exit $RET_CODE
fi


######################################################################
#
# Option processing
#
######################################################################


#
# Next we check some of the options to make sure we can proceed. We
# also set up some final variables based on the combination of options
# we have been given.
#

#
# First we process the '--list' option if it has been given.
#

if [ -n "${LIST_OPT}" ]; then
	for RKHTMPVAR in ${LIST_OPT}; do
		case "${RKHTMPVAR}" in
		tests)
			display_tests
			;;
		languages)
			display_languages
			;;
		perl)
			display_perl_modules
			;;
		propfiles)
			display_propfiles
			;;
		*)
			display_rootkits
			;;
		esac
	done

	exit 0
fi


#
# Next we must see if we are doing an update only, and if there were
# some language file problems. If so, then we must not log or display
# anything.
#

if [ $RKHLANGUPDT -eq 1 ]; then
	QUIET=1
	COLORS=0
	RKHLOGFILE="/dev/null"
fi


#
# If the logfile has been disabled, then we cannot let the
# program run when certain options are used. If we did, the user
# would see no output and might assume that all was well.
#

if [ "${RKHLOGFILE}" = "/dev/null" ]; then
	NOLOG=1
	VERBOSE_LOGGING=0
	COPY_LOG_ON_ERROR=0

	if [ $SHOWWARNINGSONLY -eq 1 ]; then
		echo "The logfile has been disabled - unable to report warnings."
		exit 1
	elif [ $CATLOGFILE -eq 1 ]; then
		echo "The logfile has been disabled - unable to display the log file."
		exit 1
	fi
fi


#
# Set up the colors to be used.
#

if [ $COLORS -eq 1 ]; then
	NORMAL=""		# Foreground colour to default

	if [ $CLRSET2 -eq 0 ]; then
		RED=""		# Bright red
		GREEN=""	# Bright green
		YELLOW=""	# Bright yellow
		WHITE=""	# White
	else
		RED=""		# Bright red
		GREEN=""	# Green
		YELLOW=""	# Purple
		WHITE=""	# Black
	fi
fi


if [ $CHECK -eq 1 ]; then
	#
	# Check if we have a kernel symbols file.
	#

	if [ -f "/proc/ksyms" ]; then
		KSYMS_FILE="/proc/ksyms"
	elif [ -f "/proc/kallsyms" ]; then
		KSYMS_FILE="/proc/kallsyms"
	elif [ -f "/boot/System.map-${UNAME_R}" ]; then
		KSYMS_FILE="/boot/System.map-${UNAME_R}"
	fi
fi


if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 ]; then
	if [ -e "${RKHDAT_FILE}" ]; then
		if [ -h "${RKHDAT_FILE}" ]; then
			echo "The rkhunter.dat file is a symbolic link: ${RKHDAT_FILE}"
			echo "This is a security problem. The link points to another file, and that file may be modified by rkhunter."
			exit 1
		elif [ ! -f "${RKHDAT_FILE}" ]; then
			echo "The rkhunter.dat file is not a file: ${RKHDAT_FILE}"
			exit 1
		fi
	fi

	if [ -e "${RKH_FILEPROP_LIST}" ]; then
		if [ -h "${RKH_FILEPROP_LIST}" ]; then
			echo "The rkhunter_prop_list.dat file is a symbolic link: ${RKH_FILEPROP_LIST}"
			echo "This is a security problem. The link points to another file, and that file may be modified by rkhunter."
			exit 1
		elif [ ! -f "${RKH_FILEPROP_LIST}" ]; then
			echo "The rkhunter_prop_list.dat file is not a file: ${RKH_FILEPROP_LIST}"
			exit 1
		fi
	fi


	#
	# Check if the file properties option has been set. If so, then
	# check that the files and directories are valid. Once that has
	# been done, we can then set up the file properties check directories
	# and file names.
	#

	if [ -n "${PROPUPD_OPT}" ]; then
		if [ ! -f "${RKHDAT_FILE}" ]; then
			echo "The file properties file does not exist: ${RKHDAT_FILE}"
			exit 1
		fi

		#
		# We need the current 'rkhunter.dat' file format.
		#

		FMTVERSION=`grep '^FormatVersion:' "${RKHDAT_FILE}" | cut -d: -f2`

		test -z "${FMTVERSION}" && FMTVERSION=0


		LEAVE=0
		RKHTMPVAR=""

		PROPUPD_OPT=`echo "${PROPUPD_OPT}" | tr ',' "\n" | sed -e '/^$/d'`

		test "${PROPUPD_OPT}" = "/" && PROPUPD_OPT=""

		IFS=$IFSNL

		for FNAME in ${PROPUPD_OPT}; do
			if [ -n "`echo \"${FNAME}\" | grep '^[^/].*/'`" ]; then
				# Filename is relative
				LEAVE=1
				echo "Relative file or directory name specified: ${FNAME}"
			elif [ -n "`echo \"${FNAME}\" | grep '^/'`" ]; then
				# Filename is absolute
				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

				if [ $FMTVERSION -eq 0 ]; then
					RKHTMPVAR2=`grep "^File:${FNAMEGREP}:" "${RKHDAT_FILE}" 2>/dev/null | cut -d: -f2`
				else
					COLON_COUNT=`echo "${FNAME}" | tr -c -d ':' | wc -c | tr -d ' '`

					RKHTMPVAR2=`grep "^File:${COLON_COUNT}:${FNAMEGREP}:" "${RKHDAT_FILE}" 2>/dev/null`
					test -n "${RKHTMPVAR2}" && RKHTMPVAR2="${FNAME}"
				fi

				if [ -z "${RKHTMPVAR2}" ]; then
					if [ -d "${FNAME}" ]; then
						# Filename is a directory
						if [ $FMTVERSION -eq 0 ]; then
							RKHTMPVAR2=`grep "^File:${FNAMEGREP}/[^:]*:" "${RKHDAT_FILE}" 2>/dev/null | cut -d: -f2`
						else
							PATHS=""

							IFS=$IFSNL

							for RKHLINE in `grep "^File:[0-9]*:${FNAMEGREP}/" "${RKHDAT_FILE}"`; do
								COLON_COUNT=`echo "${RKHLINE}" | cut -d: -f2`
								COLON_COUNT=`expr 3 + $COLON_COUNT`

								PATHNAME=`echo "${RKHLINE}" | cut -d: -f3-$COLON_COUNT`

								PATHS="${PATHS}
${PATHNAME}"
							done

							IFS=$RKHIFS

							RKHTMPVAR2=`echo "${PATHS}" | sed -e '/^$/d'`
						fi

						if [ -n "${RKHTMPVAR2}" ]; then
							RKHTMPVAR="${RKHTMPVAR}
${RKHTMPVAR2}"
						else
							LEAVE=1
							echo "Directory is not in the \"rkhunter.dat\" file: ${FNAME}"
						fi
					else
						LEAVE=1
						echo "Filename is not in the \"rkhunter.dat\" file: ${FNAME}"
					fi
				else
					RKHTMPVAR="${RKHTMPVAR}
${RKHTMPVAR2}"
				fi
			else
				#
				# Filename could be a package name.
				# The package names are currently in field 11 in the 'rkhunter.dat' file.
				#

				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`

				if [ $FMTVERSION -eq 0 ]; then
					RKHTMPVAR2=`grep "^File:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:${FNAMEGREP}:" "${RKHDAT_FILE}" 2>/dev/null | cut -d: -f2`
				else
					PATHS=""

					IFS=$IFSNL

					for RKHLINE in `grep "^File:[0-9]*:.*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:${FNAMEGREP}:" "${RKHDAT_FILE}"`; do
						COLON_COUNT=`echo "${RKHLINE}" | cut -d: -f2`
						COLON_COUNT=`expr 3 + $COLON_COUNT`

						PATHNAME=`echo "${RKHLINE}" | cut -d: -f3-$COLON_COUNT`

						PATHS="${PATHS}
${PATHNAME}"
					done

					IFS=$RKHIFS

					RKHTMPVAR2=`echo "${PATHS}" | sed -e '/^$/d'`
				fi

				if [ -z "${RKHTMPVAR2}" ]; then
					# Filename is just a plain filename
					if [ $FMTVERSION -eq 0 ]; then
						RKHTMPVAR2=`grep "^File:[^:]*/${FNAMEGREP}:" "${RKHDAT_FILE}" 2>/dev/null | cut -d: -f2`
					else
						PATHS=""

						IFS=$IFSNL

						for RKHLINE in `grep "^File:[0-9]*:.*/${FNAMEGREP}:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:" "${RKHDAT_FILE}"`; do
							COLON_COUNT=`echo "${RKHLINE}" | cut -d: -f2`
							COLON_COUNT=`expr 3 + $COLON_COUNT`

							PATHNAME=`echo "${RKHLINE}" | cut -d: -f3-$COLON_COUNT`

							PATHS="${PATHS}
${PATHNAME}"
						done

						IFS=$RKHIFS

						RKHTMPVAR2=`echo "${PATHS}" | sed -e '/^$/d'`
					fi

					if [ -n "${RKHTMPVAR2}" ]; then
						RKHTMPVAR="${RKHTMPVAR}
${RKHTMPVAR2}"
					else
						LEAVE=1
						echo "File or package name is not in the \"rkhunter.dat\" file: ${FNAME}"
					fi
				else
					RKHTMPVAR="${RKHTMPVAR}
${RKHTMPVAR2}"
				fi
			fi
		done

		IFS=$RKHIFS

		if [ $LEAVE -eq 0 ]; then
			PROPUPD_OPT=`echo "${RKHTMPVAR}" | sed -e '/^$/d'`
		else
			exit 1
		fi
	fi

	if `check_test properties` || test $PROP_UPDATE -eq 1; then
		set_file_prop_dirs_files
	fi


	#
	# We need to record the previously used
	# hash function and package manager.
	#

	get_old_prop_attrs "${RKHDAT_FILE}"
fi


if [ $PROP_UPDATE -eq 1 -a $PRELINKED -eq 1 -a -z "${PKGMGR}" -a "${HASH_FUNC}" != "NONE" ]; then
	#
	# For a hash update on a prelinked system, we must have
	# a valid hash function to use.
	#

	if [ -z "${PRELINK_HASH}" ]; then
		if [ -z "`echo \"${HASH_FUNC}\" | egrep '(/filehashsha\.pl Digest::MD5|/filehashsha\.pl .* 1$|shasum -a 1$)'`" ]; then
			RKHTMPVAR=`echo "${HASH_FUNC}" | cut -d' ' -f1`

			if [ -z "`echo ${RKHTMPVAR} | egrep -i 'sha1|md5'`" ]; then
				if [ $HASH_OPT -eq 1 ]; then
					echo "This system uses prelinking, but the '--hash' option (${HASH_FUNC}) does not look like SHA1 or MD5."
				else
					echo "This system uses prelinking, but the hash function (${HASH_FUNC}) does not look like SHA1 or MD5."
				fi

				exit 1
			fi
		fi
	fi
fi


#
# For the update and versioncheck options, we need to make sure
# we have a command capable of downloading files from the web.
# The first command found is used, unless it has been set in
# the configuration file.
#

if [ $UPDATE -eq 1 -o $VERSIONCHECK -eq 1 ]; then
	if [ -z "${RKHWEBCMD}" ]; then
		FOUND=0

		for CMD in ${WEBCMDLIST}; do
			#
			# Ignore perl commands if perl is not present, or if
			# certain modules are not present.
			#

			if [ "${CMD}" = "GET" ]; then
				test -z "${PERL_CMD}" && continue

				RKHTMPVAR=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" LWP URI HTTP::Status HTTP::Date Getopt::Long 2>&1 | grep 'NOT'`

				test -n "${RKHTMPVAR}" && continue
			elif [ "${CMD}" = "bget" ]; then
				test -z "${PERL_CMD}" && continue

				RKHTMPVAR=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Socket Carp 2>&1 | grep 'NOT'`

				test -n "${RKHTMPVAR}" && continue
			fi


			RKHTMPVAR=`find_cmd ${CMD}`

			if [ -n "${RKHTMPVAR}" ]; then
				FOUND=1
				RKHWEBCMD="${RKHTMPVAR}"
				RKHWEBCMD_BASE="${CMD}"
				break
			fi
		done

		if [ $FOUND -eq 0 ]; then
			echo "The '--update' and '--versioncheck' options require a command able to"
			echo "download files from the web. No such command can be found on the system."
			echo "Examples of commands that could be used are: ${WEBCMDLIST}"
			exit 1
		fi
	fi
fi


#
# If no option is given for the program to action, then say so and exit.
#

if [ $CHECK -eq 0 -a $VERSIONCHECK -eq 0 -a $UPDATE -eq 0 -a $PROP_UPDATE -eq 0 -a $UNLOCK -eq 0 ]; then
	echo "You must enter an option for the program to perform."
	echo "Type in 'rkhunter --help' to see the available options,"
	echo "or read the rkhunter man page."
	exit 1
fi


#
# Handle any locking straight away.
#

if [ $UNLOCK -eq 1 ]; then
	rm -f "${LOCKDIR}/rkhunter.LCK" >/dev/null 2>&1

	# If we are just unlocking the lock file, then exit.
	test $CHECK -eq 0 -a $VERSIONCHECK -eq 0 -a $UPDATE -eq 0 -a $PROP_UPDATE -eq 0 && exit 0
fi


#
# Before writing anything to the screen or log file, we need to
# set some variables.
#
# First we set whether we should be displaying anything on the
# screen or not.
#
test $CRONJOB -eq 1 -o $QUIET -eq 1 && NOTTY=1

#
# Next we get the message types and results from the language file,
# and set them to variables. We have to look in the English file since
# that is the definitive one. We then look for the corresponding keyword
# in the actual language file. This allows the language files to work
# even if we add or remove any of the TYPE or RESULT keywords.
#
IFS=$IFSNL

for LINE in `egrep '^MSG_(TYPE|RESULT)_' "${DB_PATH}/i18n/en" 2>/dev/null`; do
	TYPE=`echo "${LINE}" | cut -d: -f1`

	if [ "${LANGUAGE}" != "en" ]; then
		RKHTMPVAR=`grep ${GREP_OPT} "^${TYPE}:" "${DB_PATH}/i18n/${LANGUAGE}" 2>/dev/null`
		test -n "${RKHTMPVAR}" && LINE=`echo "${RKHTMPVAR}" | sed -e 's/\`/\\\\\`/g'`
	fi

	RKHTMPVAR=`echo "${LINE}" | cut -d: -f2-`

	eval $TYPE=\"${RKHTMPVAR}\"
done

IFS=$RKHIFS


#
# Before we touch the log file we must see if locking is being used.
#

if [ $USE_LOCKING -eq 1 ]; then
	get_lock
fi

#
# Sort out the logfile before we write to it.
#

if [ $NOLOG -eq 0 ]; then
	if [ $APPEND_LOG -eq 0 ]; then
		if [ -f "${RKHLOGFILE}" ]; then
			cp -f -p "${RKHLOGFILE}" "${RKHLOGFILE}.old" >/dev/null 2>&1

			# Overwrite the log file with a null string.
			if [ "${ECHON}" = "c" ]; then
				echo $ECHOOPT "\c" >"${RKHLOGFILE}"
			else
				echo $ECHON $ECHOOPT "" >"${RKHLOGFILE}"
			fi
		else
			# Create a new log file.
			touch "${RKHLOGFILE}" >/dev/null 2>&1
			chmod 600 "${RKHLOGFILE}" >/dev/null 2>&1
		fi
	else
		if [ ! -f "${RKHLOGFILE}" ]; then
			# Create a new log file.
			touch "${RKHLOGFILE}" >/dev/null 2>&1
			chmod 600 "${RKHLOGFILE}" >/dev/null 2>&1
		fi

		echo "" >>"${RKHLOGFILE}"
		echo "" >>"${RKHLOGFILE}"
	fi
fi


#
# Record the hostname. This will be used at several points
# throughout the program. A specific test will specify if
# a hostname has been found or not, so we don't need to
# do anything special here.
#

HOST_NAME=`hostname 2>/dev/null`
test -z "${HOST_NAME}" && HOST_NAME=`uname -n 2>/dev/null`
test -z "${HOST_NAME}" && HOST_NAME="${HOSTNAME}"
HOST_NAME=`echo ${HOST_NAME} | cut -d. -f1`


######################################################################
#
# Initial logging
#
######################################################################


#
# Write out various information messages to the logfile. The first
# set of messages can be skipped if no logfile is to be created.
#

display --to SCREEN --type PLAIN VERSIONLINE "${PROGRAM_NAME}" "${PROGRAM_version}"

if [ $NOLOG -eq 0 ]; then
	if [ -n "${HOST_NAME}" ]; then
		display --to LOG --type PLAIN VERSIONLINE2 "${PROGRAM_NAME}" "${PROGRAM_version}" "${HOST_NAME}"
	else
		display --to LOG --type PLAIN VERSIONLINE3 "${PROGRAM_NAME}" "${PROGRAM_version}"
	fi

	display --to LOG --type INFO --nl RKH_STARTDATE "`date`"

	display --to LOG --type PLAIN --nl CONFIG_CHECK_START

	display --to LOG --type INFO OPSYS "${OPERATING_SYSTEM}"

	if [ -s "${RKHDAT_FILE}" ]; then
		RKHTMPVAR=`grep '^OS:' "${RKHDAT_FILE}" 2>/dev/null | sed -e 's/^OS://'`

		if [ -n "${RKHTMPVAR}" ]; then
			display --to LOG --type INFO PROPUPD_OSNAME_FOUND "${RKHTMPVAR}"
		else
			display --to LOG --type INFO UNAME "`uname -a`"
		fi
	else
		display --to LOG --type INFO UNAME "`uname -a`"
	fi

	display --to LOG --type INFO CONFIG_CMDLINE "${CMD_LINE}"

	test $DEBUG_OPT -eq 1 && display --to LOG --type INFO CONFIG_DEBUGFILE "${RKHDEBUGFILE}"

	display --to LOG --type INFO CONFIG_ENVSHELL "${SHELL}" "${MYSHELL}"

	display --to LOG --type INFO CONFIG_CONFIGFILE "${CONFIGFILE}"

	test -n "${LOCALCONFIGFILE}" && display --to LOG --type INFO CONFIG_LOCALCONFIGFILE "${LOCALCONFIGFILE}"

	if [ -n "${LOCALCONFIGDIR}" ]; then
		test $LOCALCONFDIRCOUNT -eq 1 && RKHTMPVAR="" || RKHTMPVAR="s"
		display --to LOG --type INFO CONFIG_LOCALCONFIGDIR "${LOCALCONFIGDIR}" $LOCALCONFDIRCOUNT "${RKHTMPVAR}"
	fi

	display --to LOG --type INFO CONFIG_INSTALLDIR "${RKHINSTALLDIR}"

	display --to LOG --type INFO CONFIG_LANGUAGE "${LANGUAGE}"

	display --to LOG --type INFO CONFIG_DBDIR "${DB_PATH}"

	display --to LOG --type INFO CONFIG_SCRIPTDIR "${SCRIPT_PATH}"

	display --to LOG --type INFO CONFIG_BINDIR "${BINPATHS}"

	display --to LOG --type INFO CONFIG_TMPDIR "${RKHTMPDIR}"

	if [ $CHECK -eq 1 ]; then
		if [ $NOMOW -eq 1 ]; then
			display --to LOG --type INFO CONFIG_MOW_DISABLED
		elif [ -z "${MAILONWARNING}" ]; then
			display --to LOG --type INFO CONFIG_NO_MAIL_ON_WARN
		else
			display --to LOG --type INFO CONFIG_MAIL_ON_WARN "${MAILONWARNING}" "${MAIL_CMD}"
		fi
	fi

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		test $AUTO_X_DTCT -eq 1 && display --to LOG --type INFO CONFIG_X_AUTO
		test $CLRSET2 -eq 1 && display --to LOG --type INFO CONFIG_CLRSET2

		for CMD in ${CMDLIST}; do
			RKHTMPVAR=`echo ${CMD} | tr '[:lower:]' '[:upper:]'`
			RKHTMPVAR=`eval echo "\\$${RKHTMPVAR}_CMD"`

			if [ -n "${RKHTMPVAR}" ]; then
				display --to LOG --type INFO FOUND_CMD "${CMD}" "${RKHTMPVAR}"
			elif [ -n "`echo \"${DISABLED_CMDS}\" | grep \" ${CMD} \"`" ]; then
				display --to LOG --type INFO DISABLED_CMD "${CMD}"
			else
				display --to LOG --type INFO NOT_FOUND_CMD "${CMD}"
			fi
		done

		test -n "${RKHWEBCMD}" && display --to LOG --type INFO FOUND_CMD "${RKHWEBCMD_BASE}" "${RKHWEBCMD}"
	fi
fi

if [ $PROP_UPDATE -eq 1 -o $HASH_CHECK_ENABLED -eq 1 ]; then
	if [ -z "${PKGMGR}" -a "${HASH_FUNC}" = "NONE" ]; then
		HASH_CHECK_ENABLED=0
		DISABLE_TESTS="${DISABLE_TESTS} hashes"
		display --to LOG --type INFO HASH_FUNC_DISABLED
	fi

	if [ $PRELINKED -eq 1 ]; then
		display --to LOG --type INFO SYS_PRELINK

		display --to LOG --type INFO FOUND_CMD 'prelink' "${PRELINK_CMD}"

		if [ -n "${SESTATUS_CMD}" ]; then
			display --to LOG --type INFO FOUND_CMD 'sestatus' "${SESTATUS_CMD}"

			if [ $SELINUX_ENABLED -eq 1 ]; then
				display --to LOG --type INFO SYS_SELINUX

				if [ $USE_RUNCON -eq 1 ]; then
					display --to LOG --type INFO FOUND_CMD 'runcon' "${RUNCON_CMD}"
				else
					display --to LOG --type INFO NOT_FOUND_CMD 'runcon'
				fi
			else
				display --to LOG --type INFO SYS_NO_SELINUX
			fi
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'sestatus'
		fi

		if [ "${HASH_FUNC}" = "NONE" ]; then
			if [ -n "${PKGMGR}" ]; then
				display --to LOG --type INFO HASH_FUNC_NONE_PKGMGR
			else
				display --to LOG --type INFO HASH_FUNC_NONE
			fi
		elif [ -n "${PRELINK_HASH}" ]; then
			display --to LOG --type INFO HASH_FUNC_PRELINK "${PRELINK_HASH}"
		elif [ -z "`echo \"${HASH_FUNC}\" | egrep -i 'sha1|md5'`" ]; then
			SKIP_HASH_MSG=1
		else
			display --to LOG --type INFO HASH_FUNC "${HASH_FUNC}"
		fi
	else
		display --to LOG --type INFO SYS_NO_PRELINK

		if [ "${HASH_FUNC}" = "NONE" ]; then
			if [ -n "${PKGMGR}" ]; then
				display --to LOG --type INFO HASH_FUNC_NONE_PKGMGR
			else
				display --to LOG --type INFO HASH_FUNC_NONE
			fi
		elif [ -n "`echo \"${HASH_FUNC}\" | grep '/filehashsha\.pl '`" ]; then
			RKHTMPVAR=`echo "${HASH_FUNC}" | cut -d' ' -f3`

			if [ $SHA_SIZE -eq 0 ]; then
				display --to LOG --type INFO HASH_FUNC_PERL "${RKHTMPVAR}"
			else
				display --to LOG --type INFO HASH_FUNC_PERL_SHA "${RKHTMPVAR}" "SHA${SHA_SIZE}"
			fi
		else
			display --to LOG --type INFO HASH_FUNC "${HASH_FUNC}"
		fi
	fi

	if [ -s "${RKHDAT_FILE}" ]; then
		if [ "${OLD_HASH_FUNC}" = "Disabled" ]; then
			display --to LOG --type INFO HASH_FUNC_OLD_DISABLED
		else
			display --to LOG --type INFO HASH_FUNC_OLD "${OLD_HASH_FUNC}"
		fi

		if [ -z "${OLD_PKGMGR}" ]; then
			display --to LOG --type INFO HASH_PKGMGR_OLD_UNSET
		else
			display --to LOG --type INFO HASH_PKGMGR_OLD "${OLD_PKGMGR}"
		fi
	fi

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO HASH_FIELD_INDEX "$HASH_FLD_IDX"
	fi

	if [ $PROP_UPDATE -eq 1 ]; then
		if ! `check_test hashes` && test $ENDIS_OPT -eq 0; then
			display --to LOG --type INFO HASHUPD_DISABLED
		elif [ -z "${PKGMGR}" ]; then
			if [ $PRELINKED -eq 1 ]; then
				if [ -n "${PRELINK_HASH}" ]; then
					display --to LOG --type INFO HASHUPD_PKGMGR_NOT_SPEC_PRELINKED "${PRELINK_HASH}"
				else
					display --to LOG --type INFO HASHUPD_PKGMGR_NOT_SPEC "${HASH_FUNC}"
				fi
			else
				display --to LOG --type INFO HASHUPD_PKGMGR_NOT_SPEC "${HASH_FUNC}"
			fi
		else
			display --to LOG --type INFO HASHUPD_PKGMGR "${PKGMGR}"

			case "${PKGMGR}" in
			RPM)
				display --to LOG --type INFO FOUND_CMD 'rpm' "${RPM_CMD}"
				;;
			DPKG)
				if [ -z "`echo \"${DPKG_CMD}\" | grep '/dpkg$'`" ]; then
					display --to LOG --type INFO FOUND_CMD 'dpkg-query' "${DPKG_CMD}"
				else
					display --to LOG --type INFO FOUND_CMD 'dpkg' "${DPKG_CMD}"
				fi
				;;
			BSD)
				display --to LOG --type INFO FOUND_CMD 'pkg_info' "${PKG_CMD}"
				;;
			BSDNG)
				display --to LOG --type INFO FOUND_CMD 'pkg' "${PKG_CMD}"
				;;
			SOLARIS)
				if [ $USE_SUNSUM -eq 1 ]; then
					display --to LOG --type INFO HASH_PKGMGR_SUM
					display --to LOG --type INFO FOUND_CMD 'sum' "${SUM_CMD}"
				fi
				;;
			esac
		fi
	fi

	if [ $HASH_CHECK_ENABLED -eq 1 ]; then
		if [ -z "${PKGMGR}" ]; then
			if [ $PRELINKED -eq 1 ]; then
				if [ -n "${PRELINK_HASH}" ]; then
					display --to LOG --type INFO HASH_PKGMGR_NOT_SPEC_PRELINKED "${PRELINK_HASH}"
				else
					display --to LOG --type INFO HASH_PKGMGR_NOT_SPEC "${HASH_FUNC}"
				fi
			else
				display --to LOG --type INFO HASH_PKGMGR_NOT_SPEC "${HASH_FUNC}"
			fi
		else
			display --to LOG --type INFO HASH_PKGMGR "${PKGMGR}"

			if [ $VERBOSE_LOGGING -eq 1 ]; then
				case "${PKGMGR}" in
				RPM)
					display --to LOG --type INFO FOUND_CMD 'rpm' "${RPM_CMD}"
					;;
				DPKG)
					if [ -z "`echo \"${DPKG_CMD}\" | grep '/dpkg$'`" ]; then
						display --to LOG --type INFO FOUND_CMD 'dpkg-query' "${DPKG_CMD}"
					else
						display --to LOG --type INFO FOUND_CMD 'dpkg' "${DPKG_CMD}"
					fi

					display --to LOG --type INFO HASH_PKGMGR_MD5 "${PKGMGR_MD5_HASH}"
					;;
				BSD)
					display --to LOG --type INFO FOUND_CMD 'pkg_info' "${PKG_CMD}"
					display --to LOG --type INFO HASH_PKGMGR_MD5 "${PKGMGR_MD5_HASH}"
					;;
				BSDNG)
					display --to LOG --type INFO FOUND_CMD 'pkg' "${PKG_CMD}"
					display --to LOG --type INFO HASH_PKGMGR_SHA "${PKGMGR_SHA_HASH}"
					;;
				SOLARIS)
					if [ $USE_SUNSUM -eq 1 ]; then
						display --to LOG --type INFO HASH_PKGMGR_SUM
						display --to LOG --type INFO FOUND_CMD 'sum' "${SUM_CMD}"
					fi
					;;
				esac
			fi
		fi
	fi
fi

RKHTMPVAR=0
test $CHECK -eq 1 && `check_test attributes` && RKHTMPVAR=1

if [ $RKHTMPVAR -eq 1 ]; then
	if [ "${OLD_ATTRUPD}" = "Disabled" ]; then
		display --to LOG --type INFO ATTRUPD_OLD_DISABLED
	elif [ "${OLD_ATTRUPD}" = "Nostatcmd" ]; then
		display --to LOG --type INFO ATTRUPD_OLD_NOSTATCMD
	else
		display --to LOG --type INFO ATTRUPD_OLD_OK
	fi
fi

if [ $PROP_UPDATE -eq 1 ]; then
	if ! `check_test attributes` && test $ENDIS_OPT -eq 0; then
		display --to LOG --type INFO ATTRUPD_DISABLED
	elif [ -z "${STAT_CMD}" ]; then
		display --to LOG --type INFO ATTRUPD_NOSTATCMD
	else
		display --to LOG --type INFO ATTRUPD_OK
	fi
fi

if [ $CHECK -eq 1 ]; then
	display --to LOG --type INFO ENABLED_TESTS "${ENABLE_TESTS}"
	display --to LOG --type INFO DISABLED_TESTS "${DISABLE_TESTS}"
fi

if `check_test properties` || test $PROP_UPDATE -eq 1; then
	if [ $VERBOSE_LOGGING -eq 1 ]; then
		if [ -n "${USER_FILE_LIST}" ]; then
			display --to LOG --type INFO USER_FILE_LIST

			IFS=$IFSNL

			for FNAME in ${USER_FILE_LIST}; do
				display --to LOG --type PLAIN --log-indent 6 NAME "`name2text \"${FNAME}\"`"
			done

			IFS=$RKHIFS
		fi

		if [ $VERBOSE_LOGGING -eq 1 -a -n "${USER_SIMPLE_FILE_LIST}" ]; then
			display --to LOG --type INFO USER_CMD_LIST

			IFS=$IFSNL

			for FNAME in ${USER_SIMPLE_FILE_LIST}; do
				display --to LOG --type PLAIN --log-indent 6 NAME "`name2text \"${FNAME}\"`"
			done

			IFS=$RKHIFS
		fi

		if [ $VERBOSE_LOGGING -eq 1 -a -n "${USER_DIR_LIST}" ]; then
			display --to LOG --type INFO USER_DIR_LIST

			IFS=$IFSNL

			for FNAME in ${USER_DIR_LIST}; do
				display --to LOG --type PLAIN --log-indent 6 NAME "`name2text \"${FNAME}\"`"
			done

			IFS=$RKHIFS
		fi

		if [ -n "${USER_EXCLUDE_PROP}" ]; then
			display --to LOG --type INFO USER_EXCLUDE_PROP

			IFS=$IFSNL

			for FNAME in ${USER_EXCLUDE_PROP}; do
				display --to LOG --type PLAIN --log-indent 6 NAME "`name2text \"${FNAME}\"`"
			done

			IFS=$RKHIFS
		fi
	fi
fi

if [ $UPDATE -eq 1 -o $VERSIONCHECK -eq 1 ]; then
	if [ $VERBOSE_LOGGING -eq 1 ]; then
		if [ $ROTATE_MIRRORS -eq 0 ]; then
			display --to LOG --type INFO CONFIG_NO_ROTATE_MIRRORS
		else
			display --to LOG --type INFO CONFIG_ROTATE_MIRRORS
		fi

		if [ $MIRRORS_MODE -eq 0 ]; then
			display --to LOG --type INFO CONFIG_MIRRORS_MODE0
		elif [ $MIRRORS_MODE -eq 1 ]; then
			display --to LOG --type INFO CONFIG_MIRRORS_MODE1
		else
			display --to LOG --type INFO CONFIG_MIRRORS_MODE2
		fi

		if [ $UPDATE -eq 1 ]; then
			if [ $UPDATE_MIRRORS -eq 0 ]; then
				display --to LOG --type INFO CONFIG_NO_UPDATE_MIRRORS
			else
				display --to LOG --type INFO CONFIG_UPDATE_MIRRORS
			fi
		fi
	fi
fi

if [ $NOLOG -eq 0 ]; then
	test $CHECK -eq 0 -o $SHOW_SUMMARY -eq 0 && display --to LOG --type INFO CONFIG_LOG_FILE "${RKHLOGFILE}"

	if [ $VERBOSE_LOGGING -eq 0 ]; then
		display --to LOG --type INFO CONFIG_NO_VL
	else
		test $APPEND_LOG -eq 1 && display --to LOG --type INFO CONFIG_APPEND_LOG
		test $COPY_LOG_ON_ERROR -eq 1 && display --to LOG --type INFO CONFIG_COPY_LOG
	fi
fi

if [ $CHECK -eq 1 ]; then
	if [ -n "${KSYMS_FILE}" ]; then
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type INFO KSYMS_FOUND "${KSYMS_FILE}"
		fi

		if [ ! -r "${KSYMS_FILE}" ]; then
			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type INFO KSYMS_UNAVAIL "${KSYMS_FILE}"
			fi

			KSYMS_FILE=""
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO KSYMS_MISSING
	fi

	if [ $SHOW_SUMMARY -eq 0 -a $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type INFO CONFIG_NO_SHOW_SUMMARY
	fi


	#
	# To use syslog we must have the logger command present.
	#

	if [ -n "${USE_SYSLOG}" ]; then
		if [ "${USE_SYSLOG}" = "none" ]; then
			USE_SYSLOG=""

			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type INFO SYSLOG_DISABLED
			fi
		else
			LOGGER_CMD=`find_cmd logger`

			if [ -n "${LOGGER_CMD}" ]; then
				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO SYSLOG_ENABLED "${USE_SYSLOG}"
					display --to LOG --type INFO FOUND_CMD 'logger' "${LOGGER_CMD}"
				fi
			else
				USE_SYSLOG=""
				display --to LOG --type INFO SYSLOG_NO_LOGGER
			fi
		fi
	fi


	if [ $VERBOSE_LOGGING -eq 1 ]; then
		if [ "${EPOCH_DATE_CMD}" = "NONE" ]; then
			:
		elif [ -n "${EPOCH_DATE_CMD}" ]; then
			display --to LOG --type INFO FILE_PROP_EPOCH_DATE_CMD "${EPOCH_DATE_CMD}"
		elif [ -n "${PERL_CMD}" ]; then
			display --to LOG --type INFO FILE_PROP_EPOCH_DATE_CMD "${PERL_CMD}"
		fi
	fi


	#
	# If the user wants to run the file properties checks, and the
	# rkhunter.dat file exists, then check the O/S info. If the
	# rkhunter.dat file does not exist, then this will be logged
	# later on.
	#

	if `check_test properties`; then
		if [ -s "${RKHDAT_FILE}" ]; then
			#
			# We perform a simple check on some of the stored
			# O/S information, and compare it to the current
			# info. Basically we are just seeing if the system
			# has changed at all because it could affect the
			# file properties checks.
			#

			rkh_dat_get_os_info

			check_os_info
		fi
	fi
fi

if [ $VERBOSE_LOGGING -eq 1 ]; then
	if [ $USE_LOCKING -eq 1 ]; then
		display --to LOG --type INFO LOCK_USED "$LOCK_TIMEOUT"
		display --to LOG --type INFO LOCK_DIR "${LOCKDIR}"
	else
		display --to LOG --type INFO LOCK_UNUSED
	fi
fi


######################################################################
#
# Start of program actions and checks
#
######################################################################


#
# We can now start to run the actions the user has requested on
# the command-line. We run the update type commands first before
# doing any full system check.
#


#
# The user wants to update the O/S and the file properties data.
#

test $PROP_UPDATE -eq 1 && do_prop_update


#
# The user wants to update the supplied RKH *.dat files.
#

test $UPDATE -eq 1 && do_update


#
# The user wants to check for the latest program version.
#

test $VERSIONCHECK -eq 1 && do_versioncheck


#
# The user wants to check the local system for anomalies.
#

test $CHECK -eq 1 -o $ENDIS_OPT -eq 1 && do_system_check


#
# If there were errors or warnings, and the
# log file is to be copied, then log it.
#

COPIEDLOG=""

if [ $RET_CODE -gt 0 -o $WARNING_COUNT -gt 0 ]; then
	if [ $COPY_LOG_ON_ERROR -eq 1 -a $NOLOG -eq 0 ]; then
		COPIEDLOG="${RKHLOGFILE}.`date +%Y-%m-%d_%H:%M:%S`"

		display --to LOG --type INFO --nl SUMMARY_LOGFILE_COPIED "${COPIEDLOG}"
	fi
fi

display --to LOG --type INFO --nl RKH_ENDDATE "`date`"


#
# Now actually copy the log file.
#

test -n "${COPIEDLOG}" && cp -p "${RKHLOGFILE}" "${COPIEDLOG}"


#
# If the user asked to see the logfile, then show it.
#

test $CATLOGFILE -eq 1 && cat "${RKHLOGFILE}"


IFS=$ORIGIFS

exit $RET_CODE

Stv3n404 - 2023