|
Server IP : 172.16.15.8 / Your IP : 18.188.76.209 Web Server : Apache System : Linux zeus.vwu.edu 4.18.0-553.27.1.el8_10.x86_64 #1 SMP Wed Nov 6 14:29:02 UTC 2024 x86_64 User : apache ( 48) PHP Version : 7.2.24 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON Directory (0555) : /bin/ |
| [ Home ] | [ C0mmand ] | [ Upload File ] |
|---|
#!/bin/sh
#
# rkhunter -- Scan the system for rootkits and other known security issues.
#
# Copyright (c) 2003-2017, Michael Boelen ( michael AT rootkit DOT nl )
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
#
#
# Unfortunately we must do some O/S checks at the very beginning,
# otherwise SunOS will complain about some of the ksh/bash syntax.
# By default the SunOS root account uses a simple Bourne shell,
# which does not work with RKH. So we exec to use the Bash shell
# if it is present, or the Korn shell which is usually installed
# by default on Solaris systems.
#
BSDOS=0
SUNOS=0
BUSYBOX=0
OPERATING_SYSTEM=`uname 2>/dev/null`
case "${OPERATING_SYSTEM}" in
*BSD|DragonFly)
BSDOS=1
unset CLICOLOR CLICOLOR_FORCE
;;
SunOS)
SUNOS=1
unset CLICOLOR CLICOLOR_FORCE
;;
esac
if [ $SUNOS -eq 1 ]; then
# Simple SunOS test of RANDOM to see if we are now running bash or ksh.
if [ -z "$RANDOM" ]; then
# If the 'which' output contains a space, then it is probably an error.
if [ -n "`which bash 2>/dev/null | grep -v ' '`" ]; then
exec bash $0 $*
elif [ -n "`which ksh 2>/dev/null | grep -v ' '`" ]; then
exec ksh $0 $*
else
echo "Unable to find the bash or ksh shell to run rkhunter."
exit 1
fi
exit 0
fi
fi
#
# Check to see if we are using the '--debug' option. If so, then
# we exec to log everything to the debug file.
#
if [ -n "`echo \"$*\" | grep '\-\-debug'`" ]; then
RKHDEBUGFILE=""
RKHDEBUGBASE="/tmp/rkhunter-debug"
#
# Ensure we create a random file name.
#
if [ -n "`which mktemp 2>/dev/null | grep -v ' '`" ]; then
RKHDEBUGFILE=`mktemp ${RKHDEBUGBASE}.XXXXXXXXXX`
elif [ -n "$RANDOM" ]; then
RKHDEBUGFILE="${RKHDEBUGBASE}.$RANDOM"
elif [ -n "`date +%N%s 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
RKHDEBUGFILE="${RKHDEBUGBASE}.`date +%N%s%N`"
elif [ -n "`date +%Y%m%d%H%M%S 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
RKHDEBUGFILE="${RKHDEBUGBASE}.`date +%Y%m%d%H%M%S`"
else
RKHDEBUGFILE="${RKHDEBUGBASE}.$$"
fi
if [ -e "${RKHDEBUGFILE}" ]; then
if [ -f "${RKHDEBUGFILE}" -a ! -h "${RKHDEBUGFILE}" ]; then
rm -f "${RKHDEBUGFILE}" >/dev/null 2>&1
else
echo "Cannot use '--debug' option. Debug file \"${RKHDEBUGFILE}\" already exists, but it is not a file."
exit 1
fi
fi
DEBUG_OPT=1
exec 1>"${RKHDEBUGFILE}" 2>&1
chmod 600 "${RKHDEBUGFILE}" >/dev/null 2>&1
set -x
else
DEBUG_OPT=0
fi
#
# Now we must determine if we are using the Korn shell or not. If so,
# then we alias the 'echo' command and set ECHOOPT. For other shells,
# we try and determine the real shell being used, and test to see if
# the 'echo -e' command is valid or not. We set ECHOOPT accordingly.
#
#
# Unfortunately *BSD doesn't seem to allow capturing of unknown commands.
# So we must alias 'print' to something valid, but which will fail.
#
test $BSDOS -eq 1 && alias print=false
if [ "`print "rkh-ksh-string-test" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
alias echo='print'
ECHOOPT="--"
MYSHELL=ksh
elif [ $SUNOS -eq 1 ]; then
# For Solaris, if we are not running ksh, then it must be bash.
MYSHELL=bash
ECHOOPT="-e"
else
#
# We want to get the actual shell used by this program, and
# so we need to test /bin/sh.
#
MYSHELL=/bin/sh
test -h ${MYSHELL} && MYSHELL=`readlink ${MYSHELL} 2>/dev/null`
MYSHELL=`basename ${MYSHELL} 2>/dev/null`
# Assume 'bash' if we have problems finding the real shell.
test -z "${MYSHELL}" && MYSHELL=bash
# Check if we are using BusyBox.
test "${MYSHELL}" = "busybox" && BUSYBOX=1
#
# Now test the 'echo -e' command.
#
if [ "`echo -e \"rkh-ksh\tstring-test\" 2>/dev/null`" = "rkh-ksh string-test" ]; then
ECHOOPT="-e"
else
ECHOOPT=""
fi
fi
#
# We now perform a similar test to see if 'echo -n', or "\c", is valid
# or not. Unfortunately on some systems both '-e' and '-n' are valid,
# but not together. The "\c" option works in these cases. So we set
# ECHON accordingly.
#
if [ "`echo -n -e \"rkh-ksh-string-test\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
ECHON="-n"
elif [ "`echo -e \"rkh-ksh-string-test\c\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
ECHON="c"
elif [ "`echo \"rkh-ksh-string-test\c\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
ECHON="c"
else
ECHON=""
fi
#
# We also need to run a test to see if POSIX grep is being
# used. If it is, then some typical grep tests will fail.
#
if [ "`echo \"rkh-grep-test\" | grep '^\+'`" = "rkh-grep-test" ]; then
alias grep='grep -E'
fi
#
# It seems that the BusyBox 'readlink' command does have
# a '-f' option, but it does not show the true pathname.
# So we only use the option for everyone else.
#
test $BUSYBOX -eq 1 && READLINK_OPT="" || READLINK_OPT="-f"
#
# Finally, we need to test the 'head' and 'tail' commands
# to see if they understand the '-n' option or not.
#
if head -n 1 </dev/null >/dev/null 2>&1; then
HEAD_OPT="-n "
else
HEAD_OPT="-"
fi
if tail -n 1 </dev/null >/dev/null 2>&1; then
TAIL_OPT="-n "
else
TAIL_OPT="-"
fi
######################################################################
#
# Global function definitions
#
######################################################################
display() {
#
# This function is used to display text messages on to the
# users screen, as well as in to the log file. The same
# message is written to both. However, the screen may have
# a coloured result (green for good, red for bad, etc), and
# the log file will have the time prefixed to the message and,
# optionally, additional information messages after the main
# message. All the messages are indexed in the language file.
#
# Syntax: display --to <destination> --type <type>
# [--screen-indent <n>] [--log-indent <n>]
# [--nl [<n>]] [--nl-after] [--log-nl] [--screen-nl] [--nonl]
# [--result <result> --color <colour>]
# <message index> [optional message arguments]
#
# where the destination can be one of SCREEN, LOG or SCREEN+LOG.
# The type can be one of PLAIN, INFO or WARNING.
# The language file will have all the current values.
#
# The --screen-indent and --log-indent options are used to
# forcibly indent a message.
# The --nl option causes a blank-line to be output before the
# message both on the screen and in the log file. A following
# number can be used to indicate how many blank lines should
# be displayed on the screen.
# The --log-nl option outputs a blank line only in the log file.
# The --screen-nl option outputs a blank line on the screen
# regardless of whether SCREEN was specified or not.
# The --nl-after option outputs a blank line on the screen after
# the message.
# The --nonl option is only to be used in special cases where we
# want the output of more than one message to appear on the same
# line. This is currently only used when trying to obtain the
# lock file. It only applies to PLAIN messages, and may not be
# supported on all systems (depending on whether 'echo -n' works
# or not).
#
#
# We first initialize some variables and then
# process the switches used.
#
WARN_MSG=0; NL=0; NLAFTER=0; LOGINDENT=0; SCREENINDENT=0
LOGNL=0; SCREENNL=0
WRITETO=''; TYPE=''; RESULT=''; COLOR=''; MSG=''
LINE1=''; LOGLINE1=''; SPACES=''; NONL=''
#
# The IFS environment variable could be set to a non-default value
# when this function is called. However, we need it to be the default
# value in order to dislay things correctly. So, we record the initial
# value, and then set it to the default. We set it back to the initial
# value whenever we return from this function.
#
ORIG_IFS=$IFS
IFS=$RKHIFS
DISPLAY_LINE="display $*"
if [ $# -le 0 ]; then
echo "Error: Invalid display call - no arguments given"
IFS=$ORIG_IFS
return
fi
while [ $# -ge 1 ]; do
case "$1" in
--to)
case "$2" in
SCREEN|LOG|SCREEN+LOG)
WRITETO=$2
;;
*)
echo "Error: Invalid display destination: $2 Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
;;
esac
shift
;;
--type)
TYPE=`eval echo "\\$MSG_TYPE_$2"`
if [ -z "${TYPE}" -a "$2" != "PLAIN" ]; then
if [ $RKHLANGUPDT -eq 0 ]; then
echo "Error: Invalid display type: $2 Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
fi
fi
test "$2" = "WARNING" && WARN_MSG=1
shift
;;
--result)
RESULT=`eval echo "\\$MSG_RESULT_$2"`
if [ -z "${RESULT}" ]; then
if [ $RKHLANGUPDT -eq 0 ]; then
echo "Error: Invalid display result: $2 Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
fi
fi
shift
;;
--color)
if [ $COLORS -eq 1 ]; then
test -n "$2" && COLOR=`eval "echo \\${$2}"`
if [ -z "${COLOR}" ]; then
echo "Error: Invalid display color: $2 Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
fi
fi
shift
;;
--log-indent)
LOGINDENT=$2
if [ -z "${LOGINDENT}" ]; then
echo "Error: No --log-indent value given. Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
elif [ -z "`echo ${LOGINDENT} | grep '^[0-9]*$'`" ]; then
echo "Error: Invalid '--log-indent' value given: $2 Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
fi
shift
;;
--screen-indent)
SCREENINDENT=$2
if [ -z "${SCREENINDENT}" ]; then
echo "Error: No --screen-indent value given. Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
elif [ -z "`echo ${SCREENINDENT} | grep '^[0-9]*$'`" ]; then
echo "Error: Invalid '--screen-indent' value given: $2 Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
fi
shift
;;
--nl)
NL=1
case "$2" in
[0-9])
NL=$2
shift
;;
esac
;;
--log-nl)
LOGNL=1
;;
--screen-nl)
SCREENNL=1
;;
--nl-after)
NLAFTER=1
;;
--nonl)
NONL=$ECHON
;;
-*)
echo "Error: Invalid display option given: $1 Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
;;
*)
MSG=$1
shift
break
;;
esac
shift
done
#
# Before anything we must record if this is a warning message.
#
test $WARN_MSG -eq 1 && WARNING_COUNT=`expr ${WARNING_COUNT} + 1`
#
# For simplicity we now set variables as to whether the output
# goes to the screen and/or the log file. In some cases we do
# not need to output anything, and so can just return.
#
if [ $NOLOG -eq 1 ]; then
if [ "${WRITETO}" = "LOG" ]; then
IFS=$ORIG_IFS
return
fi
test "${WRITETO}" = "SCREEN+LOG" && WRITETO="SCREEN"
fi
if [ $NOTTY -eq 1 ]; then
if [ "${WRITETO}" = "SCREEN" ]; then
IFS=$ORIG_IFS
return
fi
test "${WRITETO}" = "SCREEN+LOG" && WRITETO="LOG"
fi
test "${WRITETO}" = "SCREEN" -o "${WRITETO}" = "SCREEN+LOG" && WRITETOTTY=1 || WRITETOTTY=0
test "${WRITETO}" = "LOG" -o "${WRITETO}" = "SCREEN+LOG" && WRITETOLOG=1 || WRITETOLOG=0
#
# Now check that the options we have been given make sense.
#
if [ $WRITETOTTY -eq 0 -a $WRITETOLOG -eq 0 ]; then
echo "Error: Invalid display destination: Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
elif [ $WRITETOTTY -eq 1 -a $COLORS -eq 1 -a -n "${RESULT}" -a -z "${COLOR}" ]; then
echo "Error: Invalid display - no color given: Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
fi
#
# We only allow no newline for PLAIN messages.
#
test -n "${TYPE}" && NONL=""
#
# If we want whitelisted results to be shown as white, or
# black for colour set two users, then change the colour now.
#
if [ $WLIST_IS_WHITE -eq 1 -a $WRITETOTTY -eq 1 -a $COLORS -eq 1 -a "${RESULT}" = "${MSG_RESULT_WHITELISTED}" ]; then
COLOR=$WHITE
fi
#
# We set the variable LINE1 to contain the first line of the message.
# For the log file we use the variable LOGLINE1. We also set
# where the language file is located. If a message cannot be found
# in the file, then we look in the English file. This will allow RKH
# to still work even when the language files change.
#
LANG_FILE="${DB_PATH}/i18n/${LANGUAGE}"
if [ -n "${MSG}" ]; then
LINE1=`grep ${GREP_OPT} "^${MSG}:" "${LANG_FILE}" 2>/dev/null | head ${HEAD_OPT}1 | cut -d: -f2-`
if [ $RKHCHKLOCALE -eq 1 ]; then
LINE1=`echo "${LINE1}" | ${ICONV_CMD} -f UTF-8 -t ${RKHCHRMAP} 2>/dev/null`
test $? -ne 0 && LINE1=""
fi
if [ -z "${LINE1}" ]; then
LANG_FILE="${DB_PATH}/i18n/en"
LINE1=`grep ${GREP_OPT} "^${MSG}:" "${LANG_FILE}" 2>/dev/null | head ${HEAD_OPT}1 | cut -d: -f2-`
if [ -z "${LINE1}" ]; then
echo "Error: Invalid display - keyword cannot be found: Display line: ${DISPLAY_LINE}"
IFS=$ORIG_IFS
return
fi
else
LINE1=`echo "${LINE1}" | sed -e 's/\`/\\\\\`/g'`
fi
test -n "${LINE1}" && LINE1=`eval "echo \"${LINE1}\" | sed -e 's/;/\\;/g'"`
fi
#
# At this point LINE1 is the text of the message. We have to
# see if the message is to be indented, and must prefix the
# time to log file messages. We must do the log file first
# because it uses LINE1.
#
if [ $WRITETOLOG -eq 1 ]; then
LOGLINE1=`date '+[%H:%M:%S]'`
test $NL -gt 0 -o $LOGNL -eq 1 && echo "${LOGLINE1}" >>"${RKHLOGFILE}"
if [ -n "${TYPE}" ]; then
LOGLINE1="${LOGLINE1} ${TYPE}: ${LINE1}"
else
test $LOGINDENT -gt 0 && SPACES=`echo "${BLANK_LINE}" | cut -c1-$LOGINDENT`
LOGLINE1="${LOGLINE1} ${SPACES}${LINE1}"
fi
fi
if [ $WRITETOTTY -eq 1 -a $SCREENINDENT -gt 0 ]; then
SPACES=`echo "${BLANK_LINE}" | cut -c1-$SCREENINDENT`
LINE1="${SPACES}${LINE1}"
fi
#
# We now check to see if a result is to be output. If it is,
# then we need to space-out the line and color the result.
#
if [ -n "${RESULT}" ]; then
if [ $WRITETOTTY -eq 1 ]; then
LINE1_NUM=`echo "${LINE1}" | wc -c | tr -d ' '`
NUM_SPACES=`expr 62 - ${LINE1_NUM}`
test $NUM_SPACES -lt 1 && NUM_SPACES=1
if [ $COLORS -eq 0 ]; then
SPACES=`echo "${BLANK_LINE}" | cut -c1-$NUM_SPACES`
LINE1="${LINE1}${SPACES}[ ${RESULT} ]"
else
LINE1="${LINE1}\033[${NUM_SPACES}C[ ${COLOR}${RESULT}${NORMAL} ]"
fi
fi
if [ $WRITETOLOG -eq 1 ]; then
LOGLINE1_NUM=`echo "${LOGLINE1}" | wc -c | tr -d ' '`
NUM_SPACES=`expr 62 - ${LOGLINE1_NUM}`
test $NUM_SPACES -lt 1 && NUM_SPACES=1
SPACES=`echo "${BLANK_LINE}" | cut -c1-$NUM_SPACES`
LOGLINE1="${LOGLINE1}${SPACES}[ ${RESULT} ]"
fi
elif [ $WRITETOTTY -eq 1 -a -n "${COLOR}" ]; then
LINE1="${COLOR}${LINE1}${NORMAL}"
fi
#
# We can now output the message. We start with any required blank
# lines, and then the first line. If this is a warning message we
# write to the log file any additional lines.
#
if [ $SCREENNL -eq 1 ]; then
test $QUIET -eq 0 -a $SHOWWARNINGSONLY -eq 0 -a $NOTTY -eq 0 && echo ""
fi
if [ $WRITETOTTY -eq 1 ]; then
NLLOOP=$NL
while test $NLLOOP -gt 0; do
echo ""
NLLOOP=`expr ${NLLOOP} - 1`
done
if [ "${NONL}" = "c" ]; then
echo $ECHOOPT "${LINE1}\c"
else
echo $NONL $ECHOOPT "${LINE1}"
fi
fi
if [ $WRITETOLOG -eq 1 ]; then
echo $ECHOOPT "${LOGLINE1}" >>"${RKHLOGFILE}"
if [ $WARN_MSG -eq 1 ]; then
test $SHOWWARNINGSONLY -eq 1 && echo $ECHOOPT "${LOGLINE1}" | cut -d' ' -f2-
LINE1=1
OLDIFS=$IFS
IFS=$IFSNL
for LOGLINE1 in `grep ${GREP_OPT} "^${MSG}:" "${LANG_FILE}" 2>/dev/null | cut -d: -f2-`; do
if [ $LINE1 -eq 1 ]; then
LINE1=0
continue
else
test $SHOWWARNINGSONLY -eq 1 && echo $ECHOOPT " ${LOGLINE1}"
echo $ECHOOPT " ${LOGLINE1}" >>"${RKHLOGFILE}"
fi
done
IFS=$OLDIFS
elif [ $SHOWWARNINGSONLY -eq 1 -a -n "`echo \"${LOGLINE1}\" | grep '^\[[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\] '`" ]; then
echo $ECHOOPT "${LOGLINE1}" | cut -d' ' -f2-
fi
fi
#
# Output a final blank line if requested to do so.
#
test $WRITETOTTY -eq 1 -a $NLAFTER -eq 1 && echo ""
IFS=$ORIG_IFS
return
}
name2text() {
#
# This function changes any spaces in a character string to '<SP>',
# tabs to '<TAB>' and any control characters to '?'. This allows
# pathnames to be seen more easily - especially if spaces or tabs
# are used.
#
# Whilst it would be nice to perform this function in 'display', we do
# not want the changes to occur for all messages. So we keep this a
# separate function, and only use it where necessary.
#
# Note that we must ensure that the 'echo' command does not interpret
# any part of the string.
#
echo $ECHOOPT "$*" | sed -e 's/ /<SP>/g; s/ /<TAB>/g' | tr -d '\n' | tr '[:cntrl:]' '?'
return
}
keypresspause() {
#
# This function will display a prompt message to the user.
#
if [ $SKIP_KEY_PRESS -eq 0 -a $QUIET -eq 0 ]; then
display --to SCREEN --type PLAIN --nl PRESSENTER
read RKHTMPVAR
test "${RKHTMPVAR}" = "s" -o "${RKHTMPVAR}" = "S" && SKIP_KEY_PRESS=1
fi
return
}
get_option() {
#
# This function is used to process configuration file options.
#
# Syntax: get_option (single | space-list | newline-list) <option name>
#
# The first parameter indicates if the option can occur on one
# or more lines in the configuration files. A 'space-list' is a
# space-separated list, and 'newline-list' is a newline-separated
# list. These will both typically be multiline. The second parameter
# is the configuration file option name.
#
# Single line options are typically numbers, a single word or pathname.
# Multiline options are usually pathnames, and will be a space-separated
# or newline-separated list. Space-separated lists are, obviously, not
# expected to contain any special characters such as a space.
#
# The function will output the final, non-expanded, option value.
# It will also return an error code. A code of zero indicates no
# problem, but a code of one indicates an error.
#
OPTMULTI="$1"
OPTNAME="$2"
if [ -z "${OPTMULTI}" -o -z "${OPTNAME}" ]; then
echo "Error: Missing arguments in get_option function: $*" >&2
return 1
fi
#
# First see if the option is in the configuration files.
#
RKHTMPVAR2=`grep -h "^${OPTNAME}=" ${CONFIGFILE} ${LOCALCONFIGFILE} ${LOCALCONFDIRFILES}`
if [ -z "${RKHTMPVAR2}" ]; then
echo ""
return 0
fi
#
# We have an option, so process it.
#
case "${OPTMULTI}" in
single)
OPTVAR=`echo "${RKHTMPVAR2}" | tail ${TAIL_OPT}1 | sed -e "s/${OPTNAME}=//"`
# If the option is unset, then just return.
if [ -z "${OPTVAR}" -o "${OPTVAR}" = '""' -o "${OPTVAR}" = "''" ]; then
echo ""
return 0
fi
#
# We must handle any _CMD option specially because they may
# contain quote characters, and we do not want to remove these.
#
case "${OPTNAME}" in
*_CMD|WEBCMD|HASH_FUNC)
;;
*_OPTS)
#
# Rkhunter configuration options which are command options may
# begin with a hyphen ('-'). This can cause problems for the
# 'echo' command. To prevent this, the simplest solution is to
# append a space to the option value.
#
OPTVAR=`echo "${OPTVAR} " | tr -d '" ' | tr -d "'"`
test -n "`echo \"${OPTVAR} \" | grep '^-'`" && OPTVAR="${OPTVAR} "
;;
*)
OPTVAR=`echo "${OPTVAR}" | tr -d '" ' | tr -d "'"`
;;
esac
;;
space-list|newline-list)
#
# We must test whether the last line is set to the null string because
# a multiline option is reset by specifying the last setting as null.
#
RKHTMPVAR3=`echo "${RKHTMPVAR2}" | tail ${TAIL_OPT}1 | sed -e "s/${OPTNAME}=//"`
# If the option is unset, then just return.
if [ -z "${RKHTMPVAR3}" -o "${RKHTMPVAR3}" = '""' -o "${RKHTMPVAR3}" = "''" ]; then
echo ""
return 0
fi
OPTVAR=`echo "${RKHTMPVAR2}" | sed -e "s/${OPTNAME}=//"`
#
# If an option begins with a hyphen, then this will cause problems
# for the 'echo' command. So to prevent the problem we simply add
# a space to the option value. We must repeat this though if the
# variable is set again.
#
test -n "`echo \"${OPTVAR} \" | grep '^-'`" && OPTVAR="${OPTVAR} "
#
# Newline-separated list can contain virtually any character, so
# we leave them alone. But for space-separated lists we can be nice
# and compress spaces and remove quotes.
#
if [ "${OPTMULTI}" = "space-list" ]; then
OPTVAR=`echo "${OPTVAR}" | tr -s ' ' ' '`
OPTVAR=`echo "${OPTVAR}" | sed -e 's/^ *"* *//; s/ *"* *$//' | sed -e "s/^ *'* *//; s/ *'* *$//"`
test -n "`echo \"${OPTVAR} \" | grep '^-'`" && OPTVAR="${OPTVAR} "
#
# We only use the options given after the last blank line (if any).
#
if [ -n "${OPTVAR}" ]; then
RKHLINES=`echo "${OPTVAR}" | wc -l | tr -d ' '`
OPTVAR=`echo "${OPTVAR}" | ${AWK_CMD} -v l="$RKHLINES" '/./ { if (a) { a = a "\n" $0 } else a = $0 }; /^$/ { a = "" }; NR == l { print a }'`
test -n "`echo \"${OPTVAR} \" | grep '^-'`" && OPTVAR="${OPTVAR} "
fi
else
#
# For newline-separated lists, which will be pathnames, we are
# nice to the user and will strip off a leading single or double
# quote character *if* it also ends in the same quote character.
# Since these should be pathnames they should start with the
# '/' character. A quote as the first character implies that the
# user has quoted the pathname.
#
if [ -n "`echo \"${OPTVAR}\" | grep '^\".*\"$'`" ]; then
OPTVAR=`echo "${OPTVAR}" | sed -e 's/^"\(.*\)"$/\1/'`
elif [ -n "`echo \"${OPTVAR}\" | grep \"^'.*'$\"`" ]; then
OPTVAR=`echo "${OPTVAR}" | sed -e "s/^'\(.*\)'$/\1/"`
fi
fi
;;
*)
echo "Error: Invalid argument in get_option function: $*" >&2
return 1
;;
esac
echo "${OPTVAR}"
return 0
}
check_paths() {
#
# This function will check a supplied list of pathnames to
# ensure the files and directories exist. It will also
# check that directories such as '/' (root) are not present,
# nor are pathnames with unwanted characters.
#
# Syntax: check_paths <pathnames> <option_name> "[EXIST] [NOWILD] [NOBROKENLINK]"
#
# The function only checks the pathnames. It is not possible
# to modify the list in any way. The variable ERRCODE will be
# set to one if any pathname fails a check.
#
# The first parameter is the list of pathnames to check. The
# second parameter is the option name to be used in the error
# messages. The third parameter is a space-separated list
# indicating how strict the checks need to be with respect to
# the pathnames existence, whether wildcard characters are
# allowed, and whether symbolic links are allowed. The
# argument is a space-separated list of the words 'EXIST'
# (meaning the pathname must exist), 'NOWILD' (meaning that
# shell wildcard characters are not allowed), and 'NOBROKENLINK'
# (meaning that the pathname must not be a broken link).
# The words may be given in any order.
#
OPT_VALUE_OPT=$1
OPT_NAME=$2
STRICT=$3
test -z "${OPT_NAME}" && OPT_NAME=${OPT_VALUE_OPT}
OPT_VALUE=`eval echo \"\\$${OPT_VALUE_OPT}\"`
ERRCODE=0
MUSTEXIST=0
NOWILD=0
NOBROKENLINK=0
for RKHTMPVAR in ${STRICT}; do
case "${RKHTMPVAR}" in
EXIST)
MUSTEXIST=1
;;
NOWILD)
NOWILD=1
;;
NOBROKENLINK)
NOBROKENLINK=1
;;
*)
echo "Error: Invalid argument in check_paths function: $*" >&2
;;
esac
done
#
# If no option value was given then just return (generally this situation
# should never happen). However, if the file was required to exist, then
# return with an error.
#
if [ -z "${OPT_VALUE}" ]; then
if [ $MUSTEXIST -eq 1 ]; then
ERRCODE=1
echo "Invalid ${OPT_NAME} configuration option: No filename given, but it must exist."
fi
return
fi
#
# If a pathname begins with a hyphen, then this will cause problems
# for the 'echo' command. Since we generally don't allow plain filenames,
# as opposed to a pathname, and these won't begin with a hyphen, we can
# test and reject these.
#
RKHTMPVAR=`echo "${OPT_VALUE} " | grep '^-'`
if [ -n "${RKHTMPVAR}" ]; then
ERRCODE=1
# We need to get RKHTMPVAR into a single line now, but we can't use a
# straight echo command here because that would expand any wildcards.
RKHTMPVAR=`make_space_list "${RKHTMPVAR}"`
echo "Invalid ${OPT_NAME} configuration option: Pathname begins with a hyphen: ${RKHTMPVAR}"
return
fi
#
# We must check the entry for wildcard characters first
# because the following 'for' command will expand them.
#
if [ $NOWILD -eq 1 ]; then
#
# For the SHARED_LIB_WHITELIST option the pathname may contain
# the '{}' characters (wrapped around variable names). So we do
# not check for these characters for that particular option.
#
if [ "${OPT_NAME}" = "SHARED_LIB_WHITELIST" ]; then
RKHTMPVAR=`echo "${OPT_VALUE}" | egrep '(^|[^\\])[][?*]'`
else
RKHTMPVAR=`echo "${OPT_VALUE}" | egrep '(^|[^\\])[][?*{}]'`
fi
if [ -n "${RKHTMPVAR}" ]; then
ERRCODE=1
# We need to get RKHTMPVAR into a single line now, but we can't use a
# straight echo command here because that would expand the wildcards.
RKHTMPVAR=`make_space_list "${RKHTMPVAR}"`
echo "Invalid ${OPT_NAME} configuration option: Pathname contains wildcard characters: ${RKHTMPVAR}"
return
fi
fi
#
# Now check each pathname in the option.
#
# If this is a newline list option then we need to read a line at a time.
if [ -n "`echo \"${NEWLINE_LIST_OPTS}\" | grep \" ${OPT_NAME} \"`" ]; then
IFS=$IFSNL
fi
for FNAME in ${OPT_VALUE}; do
test -z "${FNAME}" && continue
#
# For some options we may have to remove the leading character.
#
# TODO:
# This is no longer needed since we moved the check_paths for bindir paths.
# The code is left here since we may need something very similar for overloaded options.
# overloaded options - ALLOWPROCDELFILE PORT_PATH_WHITELIST RTKT_FILE_WHITELIST
# if [ "${OPT_NAME}" = "BINDIR" ]; then
# if [ -n "`echo \"${FNAME}\" | grep '^\+'`" ]; then
# FNAME=`echo "${FNAME}" | cut -c2-`
# fi
# fi
#
# First check for anything which contains just dots.
# Also check that '/' has not been set.
#
if [ -n "`echo \"${FNAME}\" | egrep '(^[./]*$)|[;&]|/\.\./'`" ]; then
ERRCODE=1
echo "Invalid ${OPT_NAME} configuration option: Invalid pathname: ${FNAME}"
continue
fi
#
# Next we check to see if it is a relative pathname. However, for
# the SHARED_LIB_WHITELIST option, the pathname may begin with a
# variable ($ORIGIN, ${LIB} etc). We must ignore these entries.
#
if [ -n "`echo \"${FNAME}\" | grep '^[^/].*/'`" ]; then
if [ "${OPT_NAME}" = "SHARED_LIB_WHITELIST" -a -n "`echo \"${FNAME}\" | grep '^\\$'`" ]; then
continue
else
ERRCODE=1
echo "Invalid ${OPT_NAME} configuration option: Relative pathname: ${FNAME}"
fi
elif [ -z "`echo \"${FNAME}\" | grep '^/'`" ]; then
#
# Now we check to see if it is a simple file name.
#
#
# Simple file names are allowed for some options.
#
case "${OPT_NAME}" in
USER_FILEPROP_FILES_DIRS|SHARED_LIB_WHITELIST|*_CMD)
continue
;;
esac
ERRCODE=1
echo "Invalid ${OPT_NAME} configuration option: Simple filename: ${FNAME}"
else
#
# It's an absolute pathname. This could be a file, a directory,
# some other file type, or a non-existent name.
#
#
# This is as far as we go for some options. These pathnames may,
# or may not exist, or may be things other than just files and
# directories.
#
case "${OPT_NAME}" in
PKGMGR_NO_VRFY|EXISTWHITELIST|ALLOWDEVFILE)
continue
;;
esac
#
# Now test for the different file types.
#
if [ -f "${FNAME}" ]; then
case "${OPT_NAME}" in
ALLOWHIDDENDIR|TMPDIR|DBDIR|BINDIR|SCRIPTDIR|SSH_CONFIG_DIR|SUSPSCAN_DIRS|SUSPSCAN_TEMP|RTKT_DIR_WHITELIST|LOCKDIR)
ERRCODE=1
echo "Invalid ${OPT_NAME} configuration option: Not a directory: ${FNAME}"
;;
esac
elif [ -d "${FNAME}" ]; then
#
# For the ALLOWHIDDENFILE option we need to allow
# a hidden symbolic link to a directory.
#
test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue
case "${OPT_NAME}" in
ALLOWHIDDENFILE|RTKT_FILE_WHITELIST|WRITEWHITELIST|IMMUTWHITELIST|SCRIPTWHITELIST|LOGFILE|SYSLOG_CONFIG_FILE|INETD_CONF_PATH|XINETD_CONF_PATH|PASSWORD_FILE|OS_VERSION_FILE|IGNORE_PRELINK_DEP_ERR|MISSING_LOGFILES|EMPTY_LOGFILES|PORT_PATH_WHITELIST|ALLOWIPCPROC|SHARED_LIB_WHITELIST|*_CMD)
ERRCODE=1
echo "Invalid ${OPT_NAME} configuration option: Not a file: ${FNAME}"
;;
esac
elif [ -h "${FNAME}" ]; then
#
# Generally we will accept broken links since the code will
# simply not be able to use them. However, for some paths
# these are not allowed at all.
#
if [ $NOBROKENLINK -eq 1 ]; then
ERRCODE=1
echo "Invalid ${OPT_NAME} configuration option: Broken link found: ${FNAME}"
fi
elif [ -e "${FNAME}" ]; then
#
# This is as far as we go for the hidden files. A hidden
# 'file' can actually be anything other than a directory.
# Similarly, a rootkit 'file' could be something other than
# a regular file. So we allow them.
#
test "${OPT_NAME}" = "ALLOWHIDDENFILE" -o "${OPT_NAME}" = "RTKT_FILE_WHITELIST" && continue
ERRCODE=1
case "${OPT_NAME}" in
ALLOWHIDDENDIR|RTKT_DIR_WHITELIST|TMPDIR|DBDIR|BINDIR|SCRIPTDIR|SSH_CONFIG_DIR|SUSPSCAN_DIRS|SUSPSCAN_TEMP|LOCKDIR)
RKHTMPVAR2="directory"
;;
LOGFILE|SYSLOG_CONFIG_FILE|INETD_CONF_PATH|XINETD_CONF_PATH|PASSWORD_FILE|OS_VERSION_FILE|IGNORE_PRELINK_DEP_ERR|MISSING_LOGFILES|EMPTY_LOGFILES|PORT_PATH_WHITELIST|ALLOWIPCPROC|SHARED_LIB_WHITELIST|*_CMD)
RKHTMPVAR2="file"
;;
*)
RKHTMPVAR2="file or directory"
;;
esac
echo "Invalid ${OPT_NAME} configuration option: Not a ${RKHTMPVAR2}: ${FNAME}"
else
#
# Some pathnames don't need to exist.
#
test $MUSTEXIST -eq 0 && continue
#
# For the SHARED_LIB_WHITELIST option, we cannot test these
# if they contain a variable in the pathname.
#
if [ "${OPT_NAME}" = "SHARED_LIB_WHITELIST" ]; then
if [ -n "`echo \"${FNAME}\" | egrep '\\$\\{?(ORIGIN|LIB|PLATFORM)\\}?'`" ]; then
continue
fi
fi
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -z "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
ERRCODE=1
echo "Invalid ${OPT_NAME} configuration option: Non-existent pathname: `name2text \"${FNAME}\"`"
fi
fi
fi
done
IFS=$RKHIFS
return
}
expand_paths() {
#
# This function will output an expanded list of pathnames.
#
# The first parameter is the variable name containing the
# newline-separated list of pathnames.
#
PATH_LIST=`eval echo \"\\$${1}\"`
test -z "${PATH_LIST}" && return
LIST=""
IFS=$IFSNL
for FNAME in ${PATH_LIST}; do
test -z "${FNAME}" && continue
LIST="${LIST}
${FNAME}"
done
IFS=$RKHIFS
echo "${LIST}" | sed -e '/^$/d'
return
}
make_space_list() {
#
# This function simply converts its argument into a space-separated list.
#
if [ "${ECHON}" = "c" ]; then
echo $ECHOOPT "${1}\c" | tr '\n' ' ' | tr -s ' ' ' '
else
echo $ECHON $ECHOOPT "${1}" | tr '\n' ' ' | tr -s ' ' ' '
fi
return
}
check_is_digit() {
#
# This function checks to see if an option is a valid
# number or not. Typically it must be 0 or 1.
#
# The first parameter is the variable name to check. The
# second parameter is the option name to be used in the error
# messages. An optional third parameter may be given to specify
# that other values are allowed. If this is set to 'ANY', then
# any positive number is allowed. If it is set to 'ANY1', then
# the number must be greater than zero.
#
OPT_VALUE=$1
OPT_NAME=$2
OTHERS=$3
test -z "${OPT_NAME}" && OPT_NAME=${OPT_VALUE}
test -z "${OTHERS}" && OTHERS=0
RKHTMPVAR=`eval echo "\"\\$${OPT_VALUE}\""`
ERRCODE=0
test -z "${RKHTMPVAR}" && return
#
# If ANY1 is given, then 0 is not a valid number.
#
if [ "${RKHTMPVAR}" = "0" -a "${OTHERS}" = "ANY1" ]; then
ERRCODE=1
echo "Invalid ${OPT_NAME} configuration option: not a valid number: ${RKHTMPVAR}"
elif [ "${RKHTMPVAR}" != "0" -a "${RKHTMPVAR}" != "1" ]; then
#
# Some options may allow a slightly different value.
#
if [ -n "${OTHERS}" ]; then
if [ "${OTHERS}" = "ANY" -a -n "`echo \"${RKHTMPVAR}\" | grep '^[0-9][0-9]*$'`" ]; then
return
elif [ "${OTHERS}" = "ANY1" -a -n "`echo \"${RKHTMPVAR}\" | grep '^[1-9][0-9]*$'`" ]; then
return
elif [ "${RKHTMPVAR}" = "${OTHERS}" ]; then
return
fi
fi
ERRCODE=1
echo "Invalid ${OPT_NAME} configuration option: not a valid number: ${RKHTMPVAR}"
fi
return
}
get_temp_file() {
#
# This function will find a unique pathname which can be
# used as a temporary file.
#
# It takes one parameter which is the pathname for the file,
# excluding the suffix. The function will return the pathname
# in TEMPFILE. The pathname itself is not created.
#
TEMPFILE=""
TEMPFILE_BASE=$1
if [ -n "${MKTEMP_CMD}" ]; then
TEMPFILE=`${MKTEMP_CMD} "${TEMPFILE_BASE}.XXXXXXXXXX"`
elif [ -n "$RANDOM" ]; then
TEMPFILE="${TEMPFILE_BASE}.$RANDOM"
elif [ $BSDOS -eq 1 ]; then
TEMPFILE="${TEMPFILE_BASE}.`date +%s`"
elif [ -n "`date +%N%s 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
TEMPFILE="${TEMPFILE_BASE}.`date +%N%s%N`"
else
TEMPFILE="${TEMPFILE_BASE}.`date +%Y%m%d%H%M%S`"
fi
#
# Remove the file just in case it already exists!
#
rm -f "${TEMPFILE}" >/dev/null 2>&1
return
}
suckit_extra_checks() {
#
# This function carries out some extra checks of the suckit rootkit.
# There are 3 extra checks, but we only display the result after
# all the checks have completed. As such we store the result of
# each check in a variable, and display the final result based on
# the value of those variables.
#
display --to LOG --type PLAIN --log-indent 2 --nl ROOTKIT_ADD_SUCKIT_LOG
#
# The first check tests the link count of the '/sbin/init' file.
# We use the NLINKS variable to indicate the test result:
# -1 means that no 'stat' command was available
# 0 means that the 'stat' command gave an error
# 1 is okay
# >1 means that suckit may be installed
#
NLINKS=-1
if [ -n "${STAT_CMD}" ]; then
ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
NLINKS=`${STAT_CMD} --nlink /sbin/init 2>/dev/null`
else
NLINKS=`${STAT_CMD} -c %h /sbin/init 2>/dev/null`
fi
test -z "${NLINKS}" && NLINKS=0
if [ $NLINKS -eq 0 ]; then
display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_LINK_COUNT '/sbin/init'
elif [ $NLINKS -eq 1 ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result OK --log-indent 4 ROOTKIT_LINK_COUNT '/sbin/init'
fi
else
display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_LINK_COUNT '/sbin/init'
fi
else
display --to LOG --type PLAIN --result SKIPPED --log-indent 4 ROOTKIT_LINK_COUNT '/sbin/init'
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' stat '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'stat'
else
display --to LOG --type INFO NOT_FOUND_CMD 'stat'
fi
fi
#
# The next test checks to see if certain files are being
# hidden. These files have the '.xrk' or '.mem' suffix.
# The HIDDEN variable will be used to indicate the result:
# <null> is okay
# 'xrk' means that the 'xrk' suffix is hidden
# 'mem' means that the 'mem' suffix is hidden
#
HIDDEN=""
ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
for EXT in xrk mem; do
get_temp_file "${RKHTMPDIR}/suckitexttest"
touch "${TEMPFILE}"
rm -f "${TEMPFILE}.${EXT}" >/dev/null 2>&1
mv "${TEMPFILE}" "${TEMPFILE}.${EXT}"
if [ ! -f "${TEMPFILE}.${EXT}" ]; then
if [ -n "${HIDDEN}" ]; then
HIDDEN="${HIDDEN} and ${EXT}"
else
HIDDEN=${EXT}
fi
fi
rm -f "${TEMPFILE}.${EXT}" >/dev/null 2>&1
done
if [ -z "${HIDDEN}" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_ADD_SUCKIT_EXT
fi
else
display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_ADD_SUCKIT_EXT
fi
#
# Finally we perform a check using the skdet command, if it
# is present. The SKDET variable will be used to indicate
# the result:
# -1 means that skdet is not available
# 0 means that skdet found nothing
# 1 means that skdet found something
# 2 means that the version of skdet is unknown
#
# The variable SKDET_OUTPUT will contain any output from
# the command.
#
SKDET=-1
SKDET_OUTPUT=""
SKDET_CMD=`find_cmd skdet`
if [ -n "${SKDET_CMD}" ]; then
ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FOUND_CMD 'skdet' "${SKDET_CMD}"
fi
#
# We need to check the skdet version first.
#
SKDET=0
SKDETOPT=""
SKDETVER=`${SKDET_CMD} -v 2>&1 | grep '^skdet.v' | ${AWK_CMD} -F'.' '{ print $1 }'`
case "${SKDETVER}" in
*v0)
SKDETOPT="-a"
;;
*v1)
SKDETOPT="-c"
;;
*)
SKDET=2
SKDET_OUTPUT=`${SKDET_CMD} -v 2>&1`
;;
esac
if [ $SKDET -eq 0 ]; then
SKDET_OUTPUT=`${SKDET_CMD} ${SKDETOPT} 2>&1 | tr -s ' ' | grep -i 'invis'`
test -n "${SKDET_OUTPUT}" && SKDET=1
fi
if [ $SKDET -eq 0 ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result OK --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
fi
else
display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
fi
else
display --to LOG --type PLAIN --result SKIPPED --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
display --to LOG --type INFO NOT_FOUND_CMD 'skdet'
fi
#
# Now we can display the results.
#
if [ \( $NLINKS -eq 1 -o $NLINKS -eq -1 \) -a -z "${HIDDEN}" -a $SKDET -le 0 ]; then
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_ADD_SUCKIT
else
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}Suckit Rootkit (additional checks), "
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_ADD_SUCKIT
if [ $NLINKS -eq -1 ]; then
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' stat '`" ]; then
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_LINK_DISABLED
else
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_LINK_NOCMD
fi
elif [ $NLINKS -eq 0 ]; then
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_LINK_COUNT_CMDERR "${STAT_CMD}" '/sbin/init'
elif [ $NLINKS -gt 1 ]; then
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_LINK_FOUND "$NLINKS"
fi
if [ -n "${HIDDEN}" ]; then
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_EXT_FOUND "${HIDDEN}"
fi
if [ $SKDET -eq 1 ]; then
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_SKDET_FOUND "${SKDET_OUTPUT}"
elif [ $SKDET -eq 2 ]; then
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_SKDET_VER "${SKDET_OUTPUT}"
fi
fi
return
}
scanrootkit() {
#
# This function performs the actual check for a rootkit.
# It uses the variables SCAN_ROOTKIT, SCAN_FILES, SCAN_DIRS
# and SCAN_KSYMS. These will have been set before the
# function is called.
#
SCAN_STATUS=0
ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"
#
# First check to see if any of the known files exist.
#
FILE_FOUND=""
for RKHTMPVAR2 in ${SCAN_FILES}; do
RKHTMPVAR=`echo "${RKHTMPVAR2}" | tr '%' ' '`
#
# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
# will search (on a per rootkit basis) for filenames in all of the directories (as defined
# by the result of running 'find / -xdev'). While still not optimal, as it
# still searches for only file names as opposed to file contents, this is one step away
# from the rigidity of searching in known (evidence) or default (installation) locations.
#
# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
#
# You should only activate this feature as part of a more thorough investigation which
# should be based on relevant best practices and procedures.
# Apart from ameliorating the case with respect to functionality (e.g. reporting) this feature does not
# concern itself with efficiency so asking for improvements like whitelisting, de-duping or false-positives is
# out of the question.
#
# Enabling this feature implies you have the knowledge to interpret the results properly.
#
case "${SCANROOTKITMODE}" in
THOROUGH) # Search the whole filesystem
test -n "${BASENAME_CMD}" && FNAME=`${BASENAME_CMD} "${RKHTMPVAR}"` || FNAME=`echo "${RKHTMPVAR}" | sed -e 's:^.*/::'`
FILENAMES=`${FIND_CMD} / -xdev -name "${FNAME}"`
if [ -z "${FILENAMES}" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_FILE "`name2text \"${RKHTMPVAR}\"`"
fi
else
FOUND=0
IFS=$IFSNL
for FNAME in ${FILENAMES}; do
if [ \( -f "${FNAME}" -a -s "${FNAME}" \) -o -b "${FNAME}" -o -c "${FNAME}" -o -h "${FNAME}" -o -p "${FNAME}" -o -S "${FNAME}" ]; then
FOUND=1
SCAN_STATUS=1
FILE_FOUND="${FILE_FOUND}
${FNAME}"
fi
done
IFS=$RKHIFS
if [ $VERBOSE_LOGGING -eq 1 ]; then
test $FOUND -eq 0 && FOUND="NOT_FOUND" || FOUND="FOUND"
display --to LOG --type PLAIN --result ${FOUND} --log-indent 2 ROOTKIT_FILES_DIRS_FILE "`name2text \"${RKHTMPVAR}\"`"
fi
fi
;;
*) # Scan the old way
if [ -f "${RKHTMPVAR}" ]; then
#
# We first check to see if the file is whitelisted. Note that we use
# the un-translated file name. This allows us to check for filenames
# with spaces, but without causing problems for our space-delimited test.
#
FNAMEGREP=`echo "${RKHTMPVAR2}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL "`name2text \"${RKHTMPVAR}\"`" 'known_rkts'
fi
else
SCAN_STATUS=1
FILE_FOUND="${FILE_FOUND}
${RKHTMPVAR}"
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_FILE "`name2text \"${RKHTMPVAR}\"`"
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_FILE "`name2text \"${RKHTMPVAR}\"`"
fi
;;
esac
done
#
# Next check to see if any of the directories exist.
#
DIR_FOUND=""
for RKHTMPVAR2 in ${SCAN_DIRS}; do
RKHTMPVAR=`echo "${RKHTMPVAR2}" | tr '%' ' '`
if [ -d "${RKHTMPVAR}" ]; then
#
# We first check to see if the directory is whitelisted. Note that we use
# the un-translated directory name. This allows us to check for directory
# names with spaces, but without causing problems for our space-delimited test.
#
FNAMEGREP=`echo "${RKHTMPVAR2}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${RTKT_DIR_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL_DIR "`name2text \"${RKHTMPVAR}\"`" 'known_rkts'
fi
else
SCAN_STATUS=1
DIR_FOUND="${DIR_FOUND}
${RKHTMPVAR}"
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "`name2text \"${RKHTMPVAR}\"`"
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "`name2text \"${RKHTMPVAR}\"`"
fi
done
#
# Finally check the kernel symbols file.
#
KSYM_FOUND=""
if [ -n "${SCAN_KSYMS}" ]; then
for KS in ${SCAN_KSYMS}; do
if [ -n "${KSYMS_FILE}" ]; then
FNAMEGREP=`echo "${KS}" | sed -e 's/\./\\\./g'`
if [ -n "`grep ${GREP_OPT} \"${FNAMEGREP}\" \"${KSYMS_FILE}\"`" ]; then
SCAN_STATUS=1
KSYM_FOUND="${KSYM_FOUND}
${KS}"
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
fi
else
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
fi
done
fi
#
# Now display the results.
#
if [ $SCAN_STATUS -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
else
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
#
# Log any files, directories or kernel symbols found.
#
IFS=$IFSNL
FILE_FOUND=`echo "${FILE_FOUND}" | sed -e '/^$/d'`
for RKHTMPVAR in ${FILE_FOUND}; do
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_FILE_FOUND "`name2text \"${RKHTMPVAR}\"`"
done
DIR_FOUND=`echo "${DIR_FOUND}" | sed -e '/^$/d'`
for RKHTMPVAR in ${DIR_FOUND}; do
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_DIR_FOUND "`name2text \"${RKHTMPVAR}\"`"
done
KSYM_FOUND=`echo "${KSYM_FOUND}" | sed -e '/^$/d'`
for RKHTMPVAR in ${KSYM_FOUND}; do
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_KSYM_FOUND "${RKHTMPVAR}"
done
IFS=$RKHIFS
fi
return
}
check_required_commands() {
#
# This function checks that the required commands are present
# on the system. The function is called twice: initially to check
# that we can at least start running rkhunter; and the second
# time after we have processed BINDIR to ensure that all the
# required commands are present. It takes one parameter used
# to indicate which list of commands to check.
#
LEAVE=0
if [ $1 -eq 1 ]; then
CMDDIR="${RKHROOTPATH}"
CMDNAMES="${ABSOLUTELY_REQUIRED_CMDS}"
else
CMDDIR="${BINPATHS}"
CMDNAMES="${REQCMDS}"
fi
for CMD in ${CMDNAMES}; do
SEEN=0
for DIR in ${CMDDIR}; do
if [ -f "${DIR}/${CMD}" -a -x "${DIR}/${CMD}" ]; then
SEEN=1
break
fi
done
if [ $SEEN -eq 0 ]; then
LEAVE=1
echo "The command '${CMD}' must be present on the system in order to run rkhunter."
fi
done
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
check_commands() {
#
# We check for some commands used in the tests. If the command
# is found then a variable including the command name is set.
# These commands are not 'required', so nothing happens if the
# command is not found. The commands can be defined in the
# configuration file, and a value of 'DISABLED' will cause a
# command to not exist. A value of 'BUILTIN' may be used for
# the 'stat' and 'readlink' commands, to indicate that the
# supplied scripts should be used. We have to handle the 'stat'
# command in a special way so that the perl module does not get
# used if the command is to be disabled.
#
LEAVE=0
ERRCODE=0
for CMD in ${CMDLIST}; do
CMDNAME=`echo ${CMD} | tr '[:lower:]' '[:upper:]'`
CMDNAME="${CMDNAME}_CMD"
#
# See if the user has defined the command in
# the configuration file.
#
CFG_CMD=`get_option single "${CMDNAME}"` || exit $?
if [ -n "${CFG_CMD}" ]; then
if [ "${CFG_CMD}" = "DISABLED" -o "${CFG_CMD}" = "BUILTIN" ]; then
eval ${CMDNAME}=\"${CFG_CMD}\"
else
MCMD=`echo "${CFG_CMD}" | cut -d' ' -f1`
#
# We must first check that the command name is valid.
# The user may have included globbing characters, or
# used multiple dots, and we do not allow that.
#
check_paths MCMD "${CMDNAME}" "EXIST NOWILD NOBROKENLINK"
if [ $ERRCODE -eq 1 ]; then
LEAVE=1
continue
fi
#
# Check that the command is executable.
#
if [ -n "`find_cmd ${MCMD}`" ]; then
eval ${CMDNAME}=\"${CFG_CMD}\"
else
CFG_CMD=""
fi
fi
fi
#
# If the command has not been predefined, or is not
# executable, then go find the command to use.
#
test -z "${CFG_CMD}" && eval ${CMDNAME}=`find_cmd ${CMD}`
done
#
# We can only go this far really if there has been an error.
#
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
return
fi
fi
#
# If we cannot find a 'stat' command, or the supplied script is to
# be used, then we must check to see if perl is available. If it is,
# then the supplied 'stat' script can be used.
#
if [ -n "${PERL_CMD}" -a "${PERL_CMD}" != "DISABLED" ]; then
if [ -z "${STAT_CMD}" -o "${STAT_CMD}" = "BUILTIN" ]; then
if [ -r "${SCRIPT_PATH}/check_modules.pl" ]; then
MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" File::stat Getopt::Long 2>/dev/null | grep 'NOT installed'`
else
MOD_INSTALLED="module not found"
fi
if [ -z "${MOD_INSTALLED}" -a -r "${SCRIPT_PATH}/stat.pl" ]; then
STAT_CMD="${PERL_CMD} ${SCRIPT_PATH}/stat.pl"
else
STAT_CMD=""
fi
fi
elif [ "${STAT_CMD}" = "BUILTIN" ]; then
STAT_CMD=""
fi
#
# If the readlink command cannot be found, or it does not support
# the '-f' option, then we must use the supplied shell script.
#
if [ "${READLINK_CMD}" != "DISABLED" ]; then
if [ -z "${READLINK_CMD}" -o "${READLINK_CMD}" = "BUILTIN" ]; then
test -x "${SCRIPT_PATH}/readlink.sh" && READLINK_CMD="${SCRIPT_PATH}/readlink.sh" || READLINK_CMD=""
elif [ -n "`${READLINK_CMD} -f \"${SCRIPT_PATH}/readlink.sh\" 2>&1 >/dev/null`" ]; then
test -x "${SCRIPT_PATH}/readlink.sh" && READLINK_CMD="${SCRIPT_PATH}/readlink.sh" || READLINK_CMD=""
fi
fi
#
# For Solaris systems we should use the 'gstrings' command
# rather than 'strings', if it is available. Similarly we
# should use 'gawk' or 'nawk' if it is available rather
# than 'awk'.
#
if [ $SUNOS -eq 1 ]; then
if [ "${STRINGS_CMD}" != "DISABLED" ]; then
RKHTMPVAR=`find_cmd gstrings`
test -n "${RKHTMPVAR}" && STRINGS_CMD="${RKHTMPVAR}"
fi
AWK_CMD=`find_cmd gawk`
if [ -z "${AWK_CMD}" ]; then
AWK_CMD=`find_cmd nawk`
if [ -z "${AWK_CMD}" ]; then
AWK_CMD=`find_cmd /usr/xpg4/bin/awk`
if [ -z "${AWK_CMD}" ]; then
AWK_CMD='awk'
fi
fi
fi
else
AWK_CMD='awk'
fi
#
# For OSX systems we should use the 'gnumfmt' command
# rather than 'numfmt', if it is available.
#
if [ $MACOSX -eq 1 ]; then
if [ "${NUMFMT_CMD}" != "DISABLED" ]; then
RKHTMPVAR=`find_cmd gnumfmt`
test -n "${RKHTMPVAR}" && NUMFMT_CMD="${RKHTMPVAR}"
fi
fi
#
# Now remove all the DISABLED commands.
#
for CMD in ${CMDLIST}; do
RKHTMPVAR=`echo ${CMD} | tr '[:lower:]' '[:upper:]'`
RKHTMPVAR="${RKHTMPVAR}_CMD"
RKHTMPVAR2=`eval echo "\\$${RKHTMPVAR}"`
if [ "${RKHTMPVAR2}" = "DISABLED" -o "${RKHTMPVAR2}" = "BUILTIN" ]; then
eval ${RKHTMPVAR}=\"\"
test "${RKHTMPVAR2}" = "DISABLED" && DISABLED_CMDS="${DISABLED_CMDS} ${CMD}"
fi
done
test -n "${DISABLED_CMDS}" && DISABLED_CMDS=" ${DISABLED_CMDS} "
#
# Finally we can set some variables based on
# whether the commands exist or not.
#
test -n "${NUMFMT_CMD}" && HAVE_NUMFMT=1
test -n "${READLINK_CMD}" && HAVE_READLINK=1
return
}
get_installdir_option() {
#
# This function obtains the RKH installation directory. It must
# be set by the installer script, and has no default.
#
LEAVE=0
ERRCODE=0
RKHINSTALLDIR=`get_option single INSTALLDIR` || exit $?
if [ -z "${RKHINSTALLDIR}" ]; then
LEAVE=1
echo "Invalid INSTALLDIR configuration option - no installation directory specified."
elif [ ! -d "${RKHINSTALLDIR}" ]; then
LEAVE=1
echo "Installation directory does not exist: ${RKHINSTALLDIR}"
elif [ ! -r "${RKHINSTALLDIR}" ]; then
LEAVE=1
echo "Installation directory is not readable: ${RKHINSTALLDIR}"
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_language_option() {
#
# First get the option from the command-line or the
# configuration file, and do a simple check on whether
# it is empty or a space.
#
LEAVE=0
ERRCODE=0
if [ -n "${LANGUAGE}" ]; then
LANGUAGE=`echo "${LANGUAGE}" | tr -d '" ' | tr -d "'"`
if [ -z "${LANGUAGE}" ]; then
LEAVE=1
echo "Invalid '--language' option - no language given."
fi
else
LANGUAGE=`get_option single LANGUAGE` || exit $?
fi
#
# If no language has been set, then use English.
#
test -z "${LANGUAGE}" && LANGUAGE="en"
#
# Now check that the language is available.
#
if [ ! -d "${DB_PATH}/i18n" ]; then
LEAVE=1
echo "The internationalisation directory does not exist: ${DB_PATH}/i18n"
fi
#
# If we are using the '--update' option, then the language files
# will be installed if they are missing. As such, we cannot check
# them here.
#
if [ $LEAVE -eq 0 ]; then
if [ ! -s "${DB_PATH}/i18n/${LANGUAGE}" -a "${LANGUAGE}" != "en" ]; then
if [ $UPDATE_ONLY -eq 1 ]; then
RKHLANGUPDT=1
else
LEAVE=1
echo "The language specified is not available: ${LANGUAGE}"
echo "Use the command 'rkhunter --lang en --list languages' to see the list of available languages."
fi
elif [ ! -s "${DB_PATH}/i18n/en" ]; then
if [ $UPDATE_ONLY -eq 1 ]; then
RKHLANGUPDT=1
else
LEAVE=1
echo "The English language file must be present: ${DB_PATH}/i18n/en"
echo "If it has been deleted, then you will need to run 'rkhunter --update' with no other options."
fi
fi
fi
#
# Next sort out the locale used if the language is German.
#
if [ "${LANGUAGE}" = "de" ]; then
ICONV_CMD=`find_cmd iconv`
LOCALE_CMD=`find_cmd locale`
if [ -n "${ICONV_CMD}" -a -n "${LOCALE_CMD}" ]; then
RKHCHRMAP=`${LOCALE_CMD} charmap 2>/dev/null`
test -n "${RKHCHRMAP}" && RKHCHKLOCALE=1
fi
fi
#
# Finally, find out what languages the user wants to be updated.
# We add in the default language, and 'en', if they have not
# been specified.
#
if [ $UPDATE -eq 1 ]; then
UPDATE_LANG=`get_option space-list UPDATE_LANG` || exit $?
if [ -n "${UPDATE_LANG}" ]; then
UPDATE_LANG=`echo ${UPDATE_LANG}`
if [ -z "`echo \" ${UPDATE_LANG} \" | grep \" ${LANGUAGE} \"`" ]; then
UPDATE_LANG="${UPDATE_LANG} ${LANGUAGE}"
fi
if [ -z "`echo \" ${UPDATE_LANG} \" | grep ' en '`" ]; then
UPDATE_LANG="${UPDATE_LANG} en"
fi
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_logfile_option() {
#
# First get the option from the command-line or the
# configuration file, and do a simple check on whether
# it is empty or a space.
#
LEAVE=0
ERRCODE=0
if [ -n "${RKHLOGFILE}" ]; then
RKHLOGFILE=`echo "${RKHLOGFILE}" | tr -d '" ' | tr -d "'"`
if [ -z "${RKHLOGFILE}" ]; then
LEAVE=1
echo "Invalid '--logfile' option - no logfile name given."
fi
else
RKHLOGFILE=`get_option single LOGFILE` || exit $?
check_paths RKHLOGFILE LOGFILE "NOWILD NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
if [ -z "${RKHLOGFILE}" ]; then
RET_CODE=1
RKHLOGFILE="${DFLT_LOGFILE}"
echo "The default logfile will be used: ${RKHLOGFILE}"
fi
else
LEAVE=1
fi
fi
#
# Now check that the given option is usable.
#
if [ $LEAVE -eq 1 ]; then
:
elif [ "${RKHLOGFILE}" = "/dev/null" ]; then
APPEND_LOG=0
else
LOGDIR=`echo "${RKHLOGFILE}" | sed -e 's:/[^/][^/]*$::'`
if [ -z "`echo \"${LOGDIR}\" | grep '/'`" ]; then
LOGDIR="."
fi
if [ "${LOGDIR}" = "${RKHLOGFILE}" ]; then
LEAVE=1
echo "No log filename given: ${RKHLOGFILE}"
elif [ ! -e "${LOGDIR}" ]; then
LEAVE=1
echo "Logfile directory does not exist: ${RKHLOGFILE}"
elif [ ! -d "${LOGDIR}" ]; then
LEAVE=1
echo "Logfile directory is not a directory: ${RKHLOGFILE}"
elif [ ! -w "${LOGDIR}" ]; then
LEAVE=1
echo "Logfile directory is not writable: ${RKHLOGFILE}"
elif [ ! -r "${LOGDIR}" ]; then
LEAVE=1
echo "Logfile directory is not readable: ${RKHLOGFILE}"
elif [ -h "${RKHLOGFILE}" ]; then
LEAVE=1
echo "Logfile is a symbolic link: ${RKHLOGFILE}"
echo "This is a security problem. The link points to another file, and that file is about to be modified by rkhunter."
elif [ -e "${RKHLOGFILE}" -a ! -f "${RKHLOGFILE}" ]; then
LEAVE=1
echo "Logfile already exists but it is not a file: ${RKHLOGFILE}"
fi
fi
#
# Now check whether we should append to the logfile
# or overwrite it. We check the configuration file
# option, if it is given, and ensure that it is valid.
#
if [ $APPEND_OPT -eq 0 ]; then
ERRCODE=0
APPEND_LOG=`get_option single APPEND_LOG` || exit $?
if [ -n "${APPEND_LOG}" ]; then
check_is_digit APPEND_LOG
test $ERRCODE -eq 1 && LEAVE=1
else
APPEND_LOG=0
fi
fi
#
# Finally, check if the logfile should be copied if
# there were any errors or warnings. Obviously no
# copy is done if no logfile is used.
#
ERRCODE=0
RKHTMPVAR=`get_option single COPY_LOG_ON_ERROR` || exit $?
if [ -n "${RKHTMPVAR}" ]; then
check_is_digit RKHTMPVAR COPY_LOG_ON_ERROR
if [ $ERRCODE -eq 0 ]; then
COPY_LOG_ON_ERROR=$RKHTMPVAR
else
LEAVE=1
fi
else
COPY_LOG_ON_ERROR=0
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_tmpdir_option() {
#
# First get the option from the command-line or the
# configuration file, and do a simple check on whether
# it is empty or a space.
#
LEAVE=0
ERRCODE=0
if [ -n "${RKHTMPDIR}" ]; then
RKHTMPDIR=`echo "${RKHTMPDIR}" | tr -d '" ' | tr -d "'"`
if [ -z "${RKHTMPDIR}" ]; then
LEAVE=1
echo "Invalid '--tmpdir' option - no directory name given."
fi
else
RKHTMPDIR=`get_option single TMPDIR` || exit $?
check_paths RKHTMPDIR TMPDIR "NOWILD NOBROKENLINK EXIST"
if [ $ERRCODE -eq 0 ]; then
if [ -z "${RKHTMPDIR}" ]; then
RET_CODE=1
RKHTMPDIR="${RKHINSTALLDIR}/lib/rkhunter/tmp"
echo "The default temporary directory will be used: ${RKHTMPDIR}"
fi
else
LEAVE=1
fi
fi
#
# Now check that the given option is usable.
#
if [ $LEAVE -eq 1 ]; then
:
elif [ ! -e "${RKHTMPDIR}" ]; then
LEAVE=1
echo "Temporary directory does not exist: ${RKHTMPDIR}"
elif [ ! -d "${RKHTMPDIR}" ]; then
LEAVE=1
echo "Temporary directory is not a directory: ${RKHTMPDIR}"
elif [ ! -w "${RKHTMPDIR}" ]; then
LEAVE=1
echo "Temporary directory is not writable: ${RKHTMPDIR}"
elif [ ! -r "${RKHTMPDIR}" ]; then
LEAVE=1
echo "Temporary directory is not readable: ${RKHTMPDIR}"
elif [ "${RKHTMPDIR}" = "/tmp" -o "${RKHTMPDIR}" = "/var/tmp" ]; then
LEAVE=1
echo "Do not use ${RKHTMPDIR} as the temporary directory."
echo "This directory will be used by rkhunter to contain system files, so the directory must be secure."
elif [ "${RKHTMPDIR}" = "/etc" ]; then
LEAVE=1
echo "Do not use ${RKHTMPDIR} as the temporary directory."
echo "This directory will be used by rkhunter to copy and delete certain system files."
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_dbdir_option() {
#
# First get the option from the command-line or the
# configuration file, and do a simple check on whether
# it is empty or a space.
#
LEAVE=0
ERRCODE=0
if [ -n "${DB_PATH}" ]; then
DB_PATH=`echo "${DB_PATH}" | tr -d '" ' | tr -d "'"`
if [ -z "${DB_PATH}" ]; then
LEAVE=1
echo "Invalid '--dbdir' option - no directory name given."
fi
else
DB_PATH=`get_option single DBDIR` || exit $?
check_paths DB_PATH DBDIR "NOWILD EXIST NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
if [ -z "${DB_PATH}" ]; then
RET_CODE=1
DB_PATH="${RKHINSTALLDIR}/lib/rkhunter/db"
echo "The default database directory will be used: ${DB_PATH}"
fi
else
LEAVE=1
fi
fi
#
# Now check that the given option is usable.
#
if [ $LEAVE -eq 1 ]; then
:
elif [ ! -e "${DB_PATH}" ]; then
LEAVE=1
echo "Database directory does not exist: ${DB_PATH}"
elif [ ! -d "${DB_PATH}" ]; then
LEAVE=1
echo "Database directory is not a directory: ${DB_PATH}"
elif [ ! -r "${DB_PATH}" ]; then
LEAVE=1
echo "Database directory is not readable: ${DB_PATH}"
elif [ $PROP_UPDATE -eq 1 -o $UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
if [ ! -w "${DB_PATH}" ]; then
LEAVE=1
echo "Database directory is not writable: ${DB_PATH}"
fi
fi
if [ $LEAVE -eq 0 ]; then
RKHDAT_FILE="${DB_PATH}/rkhunter.dat"
RKH_FILEPROP_LIST="${DB_PATH}/rkhunter_prop_list.dat"
else
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
add_extra_dirs() {
#
# This functions takes care of any additional directories
# that may exist on some systems. After the function is called
# the value of EXTRA_DIRS must be added to whatever variable
# is being used.
#
EXTRA_DIRS=""
if [ $SUNOS -eq 1 ]; then
#
# Add in some other directories, and those which
# contain the Solaris 'companion' software.
#
test -d /usr/gnu && EXTRA_DIRS="${EXTRA_DIRS} /usr/gnu/bin /usr/gnu/sbin /usr/gnu/libexec"
test -d /usr/sfw && EXTRA_DIRS="${EXTRA_DIRS} /usr/sfw/bin /usr/sfw/sbin /usr/sfw/libexec"
test -d /opt/sfw && EXTRA_DIRS="${EXTRA_DIRS} /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec"
test -d /usr/xpg4/bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/xpg4/bin"
test -d /usr/ccs/bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/ccs/bin"
test -d /usr/5bin -a ! -h /usr/5bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/5bin"
test -d /usr/ucb && EXTRA_DIRS="${EXTRA_DIRS} /usr/ucb"
#
# OpenSolaris distributions (e.g. BeleniX) may use
# other directories.
#
test -d /usr/foss && EXTRA_DIRS="${EXTRA_DIRS} /usr/foss/bin /usr/foss/sbin /usr/foss/libexec"
elif [ $BSDOS -eq 1 ]; then
test -d /usr/pkg && EXTRA_DIRS="${EXTRA_DIRS} /usr/pkg/bin /usr/pkg/sbin /usr/pkg/libexec"
elif [ $MACOSX -eq 1 ]; then
#
# Cater for Fink (Mac OS X) additional software.
#
test -d /sw && EXTRA_DIRS="${EXTRA_DIRS} /sw/bin /sw/sbin"
elif [ $IRIXOS -eq 1 ]; then
test -d /usr/ucb && EXTRA_DIRS="${EXTRA_DIRS} /usr/ucb"
test -d /usr/freeware && EXTRA_DIRS="${EXTRA_DIRS} /usr/freeware/bin /usr/freeware/sbin"
test -d /usr/xpg4/bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/xpg4/bin"
elif [ -f "/etc/GoboLinuxVersion" ]; then
#
# We have no other easy way of detecting GoboLinux.
# It has a peculiar filesystem layout, so we need to
# add in this little bit of support to help it work
# with RKH.
#
test -d "/System/Links/Executables" && EXTRA_DIRS="${EXTRA_DIRS} /System/Links/Executables"
fi
#
# Finally check if there are any optional
# bin and sbin directories present.
#
test -d /opt && EXTRA_DIRS="${EXTRA_DIRS} /opt/bin /opt/sbin"
test -d /usr/opt && EXTRA_DIRS="${EXTRA_DIRS} /usr/opt/bin /usr/opt/sbin"
return
}
get_bindir_option() {
#
# First get the option from the command-line or the
# configuration file, and do a simple check on whether
# it is empty or a space.
#
LEAVE=0
ERRCODE=0
if [ $BINDIR_OPT -eq 1 ]; then
BINPATHS=`echo "${BINPATHS}" | tr -d '"' | tr -d "'" | tr -s ' ' ' '`
if [ "${BINPATHS}" = " " ]; then
LEAVE=1
echo "Invalid '--bindir' option - no directory names given."
fi
else
BINPATHS=`get_option space-list BINDIR` || exit $?
if [ -z "${BINPATHS}" ]; then
BINPATHS="${DFLT_BINPATHS}"
#
# Under some OS's /bin is a link to /usr/bin, so
# there is no need to look in it.
#
if [ $SUNOS -eq 1 -o $IRIXOS -eq 1 -o "${OPERATING_SYSTEM}" = "AIX" ]; then
if [ -h "/bin" ]; then
RKHTMPVAR=""
for DIR in ${BINPATHS}; do
test "${DIR}" != "/bin" && RKHTMPVAR="${RKHTMPVAR} ${DIR}"
done
BINPATHS=`echo ${RKHTMPVAR}`
fi
fi
add_extra_dirs
BINPATHS="${BINPATHS}${EXTRA_DIRS}"
fi
fi
#
# The BINPATHS list is prepended with the root PATH. However,
# any specified BINDIR directories beginning with a '+' will
# be prepended before the root PATH.
#
# Once that has been done, we check that each directory begins
# with a '/'. We remove any non-existent directories, but we do
# not flag this as an error. We also remove any duplicate directories.
#
if [ $LEAVE -eq 0 ]; then
RKHTMPVAR=""
PREPEND_PATHS=""
for DIR in ${BINPATHS}; do
if [ -n "`echo ${DIR} | grep '^\+'`" ]; then
DIR=`echo ${DIR} | cut -c2-`
PREPEND_PATHS="${PREPEND_PATHS} ${DIR}"
fi
done
PREPEND_PATHS=`echo ${PREPEND_PATHS}`
for DIR in ${PREPEND_PATHS} ${RKHROOTPATH} ${BINPATHS}; do
if [ -n "`echo ${DIR} | grep '^\+'`" ]; then
# These will already be in PREPEND_PATHS.
continue
elif [ -z "`echo ${DIR} | grep '^/'`" ]; then
LEAVE=1
test $BINDIR_OPT -eq 1 && RKHTMPVAR2="'--bindir'" || RKHTMPVAR2="BINDIR configuration"
echo "Invalid ${RKHTMPVAR2} option: Invalid directory found: ${DIR}"
elif [ -e "${DIR}" ]; then
if [ -d "${DIR}" ]; then
test -h "${DIR}" && BINISLINK=1
DIR=`echo "${DIR}" | tr -s '/' | sed -e 's:/$::'`
if [ -z "`echo \" ${RKHTMPVAR} \" | grep \" ${DIR} \"`" ]; then
RKHTMPVAR="${RKHTMPVAR} ${DIR}"
fi
else
LEAVE=1
test $BINDIR_OPT -eq 1 && RKHTMPVAR2="'--bindir'" || RKHTMPVAR2="BINDIR configuration"
echo "Invalid ${RKHTMPVAR2} option: Not a directory: ${DIR}"
fi
fi
done
if [ $LEAVE -eq 0 ]; then
BINPATHS=`echo ${RKHTMPVAR}`
test $BINDIR_OPT -eq 1 && RKHTMPVAR="--bindir" || RKHTMPVAR="BINDIR"
check_paths BINPATHS "${RKHTMPVAR}" "NOWILD"
test $ERRCODE -eq 1 && LEAVE=1
else
# We need to set something for the remaining checks.
BINPATHS="${DFLT_BINPATHS}"
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_scriptdir_option() {
#
# Get the value from the configuration file, and do a simple
# check on whether it is empty or a space.
#
# Note: The installer will set this option. As such there
# is no default.
#
LEAVE=0
ERRCODE=0
SCRIPT_PATH=`get_option single SCRIPTDIR` || exit $?
check_paths SCRIPT_PATH SCRIPTDIR "NOWILD EXIST NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
if [ -z "${SCRIPT_PATH}" ]; then
LEAVE=1
echo "The SCRIPTDIR configuration option has not been set by the installer."
fi
else
LEAVE=1
fi
#
# Now check that the given option is usable.
#
if [ $LEAVE -eq 1 ]; then
:
elif [ ! -r "${SCRIPT_PATH}" ]; then
LEAVE=1
echo "Script directory is not readable: ${SCRIPT_PATH}"
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
find_cmd() {
#
# This function performs a search of the BINPATHS directories
# looking for the requested command. The full pathname is
# returned if the command is found.
#
# If a full pathname is provided then we simply check that
# it is executable.
#
CMD=$1
test -z "${CMD}" && return
if [ -n "`echo ${CMD} | grep '/'`" ]; then
test -f "${CMD}" -a -x "${CMD}" && echo "${CMD}"
else
for CMDDIR in ${BINPATHS}; do
if [ -f "${CMDDIR}/${CMD}" -a -x "${CMDDIR}/${CMD}" ]; then
echo "${CMDDIR}/${CMD}"
return
fi
done
fi
return
}
get_rootdir_option() {
RKHTMPVAR=`get_option single ROOTDIR` || exit $?
if [ -n "${RKHTMPVAR}" ]; then
echo "The ROOTDIR configuration option is now deprecated."
fi
return
}
get_existwl_option() {
#
# This function gets the configuration option used to whitelist
# files and directories from existing on the system. That is, they
# may or may not exist at the time of checking, but either way it
# will not cause an error.
#
# This option must be processed before other options because it will
# be used to whitelist some subsequent configuration option pathnames.
#
LEAVE=0
ERRCODE=0
EXISTWL_OPT=`get_option newline-list EXISTWHITELIST` || exit $?
if [ -n "${EXISTWL_OPT}" ]; then
EXISTWHITELIST=`expand_paths EXISTWL_OPT`
check_paths EXISTWHITELIST EXISTWHITELIST
test $ERRCODE -eq 1 && LEAVE=1
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_mailonwarn_option() {
#
# Get the option from the configuration file. If it is set,
# then we get the MAIL_CMD option as well.
#
LEAVE=0
ERRCODE=0
MAILONWARNING=`get_option space-list MAIL-ON-WARNING` || exit $?
if [ -n "${MAILONWARNING}" ]; then
MAILONWARNING=`echo ${MAILONWARNING}`
#
# If an email address is configured, then we need
# to check the email command option as well.
#
MAIL_CMD=`get_option single MAIL_CMD` || exit $?
test -z "${MAIL_CMD}" && MAIL_CMD="mail -s \"[rkhunter] Warnings found for \${HOST_NAME}\""
MCMD=`echo "${MAIL_CMD}" | cut -d' ' -f1`
check_paths MCMD MAIL_CMD "NOWILD EXIST NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
#
# Check that the mail command is executable.
#
MC=`find_cmd ${MCMD}`
if [ -n "${MC}" ]; then
#
# We rebuild the command to use the full pathname.
#
MCMD=`echo "${MAIL_CMD}" | cut -d' ' -f2-`
if [ -z "${MCMD}" -o "${MCMD}" = "${MAIL_CMD}" ]; then
MAIL_CMD=$MC
else
MAIL_CMD="${MC} ${MCMD}"
fi
else
LEAVE=1
echo "Invalid MAIL_CMD configuration option: command is non-existent or not executable: ${MCMD}"
fi
else
LEAVE=1
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_webcmd_option() {
#
# Get the option from the configuration file. If it is set,
# then we set the RKHWEBCMD_OPTS option as well if necessary.
#
# For backwards compatability we will also check for WEBCMD.
#
LEAVE=0
ERRCODE=0
RKHWEBCMD=`get_option single WEB_CMD` || exit $?
if [ -z "${RKHWEBCMD}" ]; then
RKHWEBCMD=`get_option single WEBCMD` || exit $?
fi
if [ -n "${RKHWEBCMD}" ]; then
WCMD=`echo "${RKHWEBCMD}" | cut -d' ' -f1`
check_paths WCMD WEB_CMD "EXIST NOWILD NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
#
# Check that the command is executable.
#
WC=`find_cmd ${WCMD}`
if [ -n "${WC}" ]; then
#
# We find if there any command options, and set
# the command to use the full pathname.
#
RKHWEBCMD_OPTS=`echo "${RKHWEBCMD}" | cut -d' ' -f2-`
test "${RKHWEBCMD_OPTS}" = "${RKHWEBCMD}" && RKHWEBCMD_OPTS=""
RKHWEBCMD="${WC}"
test -n "${BASENAME_CMD}" && RKHWEBCMD_BASE=`${BASENAME_CMD} "${WC}"` || RKHWEBCMD_BASE=`echo "${WC}" | sed -e 's:^.*/::'`
else
LEAVE=1
echo "Invalid WEB_CMD configuration option: command is non-existent or not executable: ${WCMD}"
fi
else
LEAVE=1
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_syslog_option() {
#
# First see if we want to use syslog or not from the command-line
# or configuration file.
#
LEAVE=0
ERRCODE=0
if [ -n "${USE_SYSLOG}" ]; then
USE_SYSLOG=`echo "${USE_SYSLOG}" | tr -d '" ' | tr -d "'"`
if [ -z "${USE_SYSLOG}" ]; then
LEAVE=1
echo "Invalid '--syslog' option - no facility/priority names given."
fi
else
USE_SYSLOG=`get_option single USE_SYSLOG` || exit $?
fi
#
# If we are to use syslog, then get the facility and priority levels.
# Additionally, test that they are valid.
#
if [ $LEAVE -eq 0 ]; then
if [ -n "${USE_SYSLOG}" ]; then
USE_SYSLOG=`echo "${USE_SYSLOG}" | tr '[:upper:]' '[:lower:]'`
if [ "${USE_SYSLOG}" = "none" ]; then
# The value of 'none' will be processed later on.
:
elif [ -z "`echo \"${USE_SYSLOG}\" | grep '^[a-z][a-z0-7]*\.[a-z][a-z]*$'`" ]; then
LEAVE=1
echo "Invalid syslog facility/priority value: ${USE_SYSLOG}"
fi
if [ $LEAVE -eq 0 -a "${USE_SYSLOG}" != "none" ]; then
FOUND=0
SYSLOG_F=`echo "${USE_SYSLOG}" | cut -d. -f1`
SYSLOG_P=`echo "${USE_SYSLOG}" | cut -d. -f2`
for RKHTMPVAR in auth authpriv cron daemon kern user local0 local1 local2 local3 local4 local5 local6 local7; do
if [ "${SYSLOG_F}" = "${RKHTMPVAR}" ]; then
FOUND=1
break
fi
done
if [ $FOUND -eq 0 ]; then
LEAVE=1
echo "Invalid syslog facility name: ${SYSLOG_F}"
fi
FOUND=0
for RKHTMPVAR in debug info notice warning err crit alert emerg; do
if [ "${SYSLOG_P}" = "${RKHTMPVAR}" ]; then
FOUND=1
break
fi
done
if [ $FOUND -eq 0 ]; then
LEAVE=1
echo "Invalid syslog priority name: ${SYSLOG_P}"
fi
fi
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_ssh_options() {
#
# We check some SSH options in this function. They can only
# be set in the configuration file.
#
#
# See if the ALLOW_SSH_ROOT_USER option is specified in the
# configuration file. The value should match what has been set
# in the SSH configuration file for the PermitRootLogin option.
# As such it's value is not just zero or one.
#
LEAVE=0
ERRCODE=0
ALLOW_SSH_ROOT_USER=`get_option single ALLOW_SSH_ROOT_USER` || exit $?
if [ -n "${ALLOW_SSH_ROOT_USER}" ]; then
ALLOW_SSH_ROOT_USER=`echo "${ALLOW_SSH_ROOT_USER}" | tr '[:upper:]' '[:lower:]'`
else
#
# By default SSH tends to allow root access. However, we
# do not. By setting this option to 'no', the user will
# receive a warning unless they set the options the same.
#
ALLOW_SSH_ROOT_USER="no"
fi
#
# See if the ALLOW_SSH_PROT_V1 option is specified in the
# configuration file.
#
ALLOW_SSH_PROT_V1=`get_option single ALLOW_SSH_PROT_V1` || exit $?
if [ -n "${ALLOW_SSH_PROT_V1}" ]; then
check_is_digit ALLOW_SSH_PROT_V1 ALLOW_SSH_PROT_V1 2
test $ERRCODE -eq 1 && LEAVE=1
else
ALLOW_SSH_PROT_V1=0
fi
#
# See if the directory of the SSH configuration file has been set.
#
SSH_CONFIG_DIR=`get_option single SSH_CONFIG_DIR` || exit $?
if [ -n "${SSH_CONFIG_DIR}" ]; then
check_paths SSH_CONFIG_DIR SSH_CONFIG_DIR "EXIST NOWILD NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
if [ ! -r "${SSH_CONFIG_DIR}" ]; then
LEAVE=1
echo "The SSH configuration file directory is not readable: ${SSH_CONFIG_DIR}"
fi
else
LEAVE=1
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_syslog_config_options() {
#
# We check some syslog configuration options in this function.
# They can only be set in the configuration file.
#
#
# See if the ALLOW_SYSLOG_REMOTE_LOGGING option is specified
# in the configuration file.
#
LEAVE=0
ERRCODE=0
ALLOW_SYSLOG_REMOTE_LOGGING=`get_option single ALLOW_SYSLOG_REMOTE_LOGGING` || exit $?
if [ -n "${ALLOW_SYSLOG_REMOTE_LOGGING}" ]; then
check_is_digit ALLOW_SYSLOG_REMOTE_LOGGING
test $ERRCODE -eq 1 && LEAVE=1
else
ALLOW_SYSLOG_REMOTE_LOGGING=0
fi
#
# See if the pathname to the syslog configuration file has been set.
#
SYSLOG_CONFIG_FILE=`get_option space-list SYSLOG_CONFIG_FILE` || exit $?
if [ -n "${SYSLOG_CONFIG_FILE}" ]; then
if [ -n "`echo \"${SYSLOG_CONFIG_FILE}\" | grep -i '^none$'`" ]; then
SYSLOG_CONFIG_FILE="NONE"
else
check_paths SYSLOG_CONFIG_FILE SYSLOG_CONFIG_FILE "EXIST NOWILD NOBROKENLINK"
test $ERRCODE -eq 1 && LEAVE=1
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_auto_x_option() {
#
# For the second colour set we first see if the auto X detect option
# has been set. If it is set, and X is in use, then the second colour
# set is used. If X is not in use, or the auto detect option is not
# set, then we only use the second colour set if the command-line
# option is used or it is configured in the configuration file.
#
LEAVE=0
ERRCODE=0
if [ $AUTO_X_OPT -eq 0 ]; then
AUTO_X_DTCT=`get_option single AUTO_X_DETECT` || exit $?
if [ -n "${AUTO_X_DTCT}" ]; then
check_is_digit AUTO_X_DTCT AUTO_X_DETECT
test $ERRCODE -eq 1 && LEAVE=1
else
AUTO_X_DTCT=0
fi
fi
if [ $AUTO_X_DTCT -eq 1 -a -n "$DISPLAY" ]; then
CLRSET2=1
fi
if [ $CLRSET2 -eq 0 ]; then
CLRSET2=`get_option single COLOR_SET2` || exit $?
if [ -n "${CLRSET2}" ]; then
check_is_digit CLRSET2 COLOR_SET2
test $ERRCODE -eq 1 && LEAVE=1
else
CLRSET2=0
fi
fi
#
# Finally, we get the option to see if whitelisted
# results are to be shown as white rather than green.
#
WLIST_IS_WHITE=`get_option single WHITELISTED_IS_WHITE` || exit $?
if [ -n "${WLIST_IS_WHITE}" ]; then
check_is_digit WLIST_IS_WHITE WHITELISTED_IS_WHITE
test $ERRCODE -eq 1 && LEAVE=1
else
WLIST_IS_WHITE=0
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_locking_options() {
#
# This function gets the configuration options to see if locking
# should be used when RKH is run. The mechanism for locking uses
# a simple timer, and will display some basic messages while RKH
# is trying to get the lock.
#
# All of these options can only be set in the configuration file.
#
LEAVE=0
ERRCODE=0
USE_LOCKING=`get_option single USE_LOCKING` || exit $?
if [ -n "${USE_LOCKING}" ]; then
check_is_digit USE_LOCKING
test $ERRCODE -eq 1 && LEAVE=1
else
USE_LOCKING=0
fi
#
# Now get the lock directory to use. If this is unset, then
# we need to look for a suitable directory.
#
LOCKDIR=`get_option single LOCKDIR` || exit $?
if [ -n "${LOCKDIR}" ]; then
check_paths LOCKDIR LOCKDIR "NOWILD EXIST NOBROKENLINK"
test $ERRCODE -eq 1 && LEAVE=1
else
PATHNAMES="/run/lock /var/lock /var/run/lock /run /var/run ${RKHTMPDIR}"
for DIR in ${PATHNAMES}; do
# Check for read/write capability before accepting a default directory.
if [ -d "${DIR}" -a -w "${DIR}" -a -r "${DIR}" ]; then
LOCKDIR="${DIR}"
break
fi
done
if [ -z "${LOCKDIR}" ]; then
LEAVE=1
echo "No suitable directory found for LOCKDIR configuration option."
echo "Locking directories checked: ${PATHNAMES}"
fi
fi
#
# Check that the directory we have is usable.
#
if [ $LEAVE -eq 1 ]; then
:
elif [ ! -w "${LOCKDIR}" ]; then
LEAVE=1
echo "The LOCKDIR directory is not writable: `name2text \"${LOCKDIR}\"`"
elif [ ! -r "${LOCKDIR}" ]; then
LEAVE=1
echo "The LOCKDIR directory is not readable: `name2text \"${LOCKDIR}\"`"
fi
#
# Now get the lock timeout value. This must be a positive integer.
# The default value is 300 seconds (5 minutes).
#
LOCK_TIMEOUT=`get_option single LOCK_TIMEOUT` || exit $?
if [ -n "${LOCK_TIMEOUT}" ]; then
check_is_digit LOCK_TIMEOUT LOCK_TIMEOUT ANY1
test $ERRCODE -eq 1 && LEAVE=1
else
LOCK_TIMEOUT=300
fi
#
# Finally, we get the option to see if any lock messages should
# be shown or not. If the user has used the '--quiet' option,
# then we cannot display the lock messages. Otherwise, these are
# only shown on the screen, and not logged anywhere. The default
# is to show the messages.
#
if [ $QUIET -eq 0 ]; then
SHOW_LOCK_MSGS=`get_option single SHOW_LOCK_MSGS` || exit $?
if [ -n "${SHOW_LOCK_MSGS}" ]; then
check_is_digit SHOW_LOCK_MSGS
test $ERRCODE -eq 1 && LEAVE=1
else
SHOW_LOCK_MSGS=1
fi
else
SHOW_LOCK_MSGS=0
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_scanmode_option() {
#
# This function gets the SCANROOTKITMODE configuration option.
#
LEAVE=0
ERRCODE=0
SCANROOTKITMODE=`get_option single SCANROOTKITMODE` || exit $?
if [ -n "${SCANROOTKITMODE}" ]; then
SCANROOTKITMODE=`echo "${SCANROOTKITMODE}" | tr '[:lower:]' '[:upper:]'`
if [ "${SCANROOTKITMODE}" != "THOROUGH" ]; then
LEAVE=1
echo "Invalid SCANROOTKITMODE configuration option: ${SCANROOTKITMODE}"
fi
else
SCANROOTKITMODE=""
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_shell_options() {
#
# This function gets any specific shell configuration options.
#
LEAVE=0
ERRCODE=0
#
# This option will set the shell's globstar option.
#
GLOBSTAR=`get_option single GLOBSTAR` || exit $?
if [ -n "${GLOBSTAR}" ]; then
check_is_digit GLOBSTAR
test $ERRCODE -eq 1 && LEAVE=1
else
GLOBSTAR=0
fi
#
# To ensure that any further options which may include wildcarded paths
# are handled correctly, we need to set the 'globstar' option immediately.
#
if [ $GLOBSTAR -eq 1 ]; then
if [ "${MYSHELL}" = "ksh" ]; then
set -o globstar
else
shopt -s globstar
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
sort_test_lists() {
#
# This function is used to sort the list of test names for
# enabled and disabled tests. The first parameter determines
# which list is to be sorted:
#
# 1: enabled tests
# 2: disabled tests
#
RKHTMPVAR=$1
test $RKHTMPVAR -eq 1 && ENABLE_TESTS=`echo ${ENABLE_TESTS} | tr ' ' '\n' | sort | uniq`
test $RKHTMPVAR -eq 2 && DISABLE_TESTS=`echo ${DISABLE_TESTS} | tr ' ' '\n' | sort | uniq`
ENABLE_TESTS=`echo ${ENABLE_TESTS}`
DISABLE_TESTS=`echo ${DISABLE_TESTS}`
#
# Finally, test to see if the current lists are the same.
#
if [ "${ENABLE_TESTS}" = "${DISABLE_TESTS}" ]; then
test $ENDIS_OPT -eq 0 && RKHTMPVAR=" configured" || RKHTMPVAR=""
echo "The${RKHTMPVAR} enabled and disabled tests are the same."
if [ $ENDIS_OPT -eq 1 -o $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
check_test_options() {
#
# This function is called after we have obtained the enabled and
# disabled test names. It will check that the test names are valid,
# and remove any enabled test names from the disabled list.
#
#
# First we loop through the enabled and disabled test names, and see
# if the special names of 'all' or 'none' are used. If so, then these
# will either override all the other test names in the list, or be an
# error. We also look for any invalid test names.
#
SEEN=0
LEAVE=0
RKHTMPVAR=" `echo ${KNOWN_TESTS}` "
for TEST_NAME in ${ENABLE_TESTS}; do
if [ "${TEST_NAME}" = "all" ]; then
SEEN=1
elif [ "${TEST_NAME}" = "none" ]; then
if [ $ENABLE_OPT -eq 1 ]; then
LEAVE=1
echo "'none' cannot be used in the enabled test list."
else
LEAVE=1
echo "'none' cannot be used in the configured enabled test list."
fi
elif [ -z "`echo \"${RKHTMPVAR}\" | grep \" ${TEST_NAME} \"`" ]; then
LEAVE=1
echo "Unknown enabled test name given: ${TEST_NAME}"
fi
done
test $SEEN -eq 1 && ENABLE_TESTS="all"
#
# For the disabled tests we need to loop through the
# command-line and configuration file test names separately.
#
SEEN=0
for TEST_NAME in ${CL_DISABLE_TESTS}; do
if [ "${TEST_NAME}" = "none" ]; then
SEEN=1
elif [ "${TEST_NAME}" = "all" ]; then
LEAVE=1
echo "'all' cannot be used in the disabled test list."
elif [ -z "`echo \"${RKHTMPVAR}\" | grep \" ${TEST_NAME} \"`" ]; then
LEAVE=1
echo "Unknown disabled test name given: ${TEST_NAME}"
fi
done
if [ $USECF -eq 1 ]; then
for TEST_NAME in ${CONFIG_DISABLE_TESTS}; do
if [ "${TEST_NAME}" = "none" ]; then
SEEN=1
elif [ "${TEST_NAME}" = "all" ]; then
LEAVE=1
echo "'all' cannot be used in the configured disabled test list."
elif [ -z "`echo \"${RKHTMPVAR}\" | grep \" ${TEST_NAME} \"`" ]; then
LEAVE=1
echo "Unknown disabled test name in the configuration file: ${TEST_NAME}"
fi
done
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
return
fi
fi
test $SEEN -eq 1 && DISABLE_TESTS="none"
#
# If we are to run all the tests, then we use whatever
# disabled tests the user has given us.
#
test "${ENABLE_TESTS}" = "all" && return
#
# Now we can loop through the command-line enabled specific test names,
# and remove them from the disabled list. We need to do this otherwise
# the tests would not run. We don't bother to do this for the configuration
# file enabled tests because we assume the user has already checked this.
#
if [ $ENABLE_OPT -eq 1 -a "${DISABLE_TESTS}" != "none" ]; then
#
# First get a list of just the group test names.
#
GROUP_TEST_NAMES=""
for RKHTMPVAR in ${GROUPED_TESTS}; do
GROUP_TEST_NAMES="${GROUP_TEST_NAMES} `echo "${RKHTMPVAR}" | cut -d: -f1`"
done
GROUP_TEST_NAMES=" `echo ${GROUP_TEST_NAMES}` "
#
# Now loop through the specific test names.
#
DISABLE_TESTS=" ${DISABLE_TESTS} "
for TEST_NAME in ${ENABLE_TESTS}; do
if [ -z "`echo \"${GROUP_TEST_NAMES}\" | grep \" ${TEST_NAME} \"`" ]; then
if [ -n "`echo \"${DISABLE_TESTS}\" | grep \" ${TEST_NAME} \"`" ]; then
DISABLE_TESTS=`echo "${DISABLE_TESTS}" | sed -e "s/ ${TEST_NAME} / /"`
fi
fi
done
DISABLE_TESTS=`echo ${DISABLE_TESTS}`
if [ -z "${DISABLE_TESTS}" ]; then
DISABLE_TESTS="none"
else
sort_test_lists 2
fi
fi
#
# Next we expand the enabled test group names. This will leave us
# with a list of specific test names, and their associated group test
# names. We also need to check if a given test name is part of a
# group. If it is, then we must add the group name.
#
for TEST_NAME in ${ENABLE_TESTS}; do
for RKHTMPVAR in ${GROUPED_TESTS}; do
GROUP_NAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
if [ -n "`echo \"${RKHTMPVAR}\" | grep ':'`" ]; then
GROUP_TESTS=`echo "${RKHTMPVAR}" | cut -d: -f2-`
else
GROUP_TESTS=""
fi
if [ "${TEST_NAME}" = "${GROUP_NAME}" ]; then
ENABLE_TESTS="${ENABLE_TESTS} `echo \"${GROUP_TESTS}\" | tr ':' ' '`"
break
elif [ -z "${GROUP_TESTS}" ]; then
continue
elif [ -n "`echo \":${GROUP_TESTS}:\" | grep \":${TEST_NAME}:\"`" ]; then
ENABLE_TESTS="${ENABLE_TESTS} ${GROUP_NAME}"
fi
done
done
ENABLE_TESTS=`echo ${ENABLE_TESTS}`
sort_test_lists 1
#
# Finally, we temporarily expand the disabled test names and temporarily
# remove any matching names from the enabled test list. Although these
# tests would never run, we need to do this in order to see if the user
# has given us an invalid list of tests.
#
if [ "${DISABLE_TESTS}" != "none" ]; then
TEMP_EN_TESTS="${ENABLE_TESTS}"
TEMP_DIS_TESTS="${DISABLE_TESTS}"
for TEST_NAME in ${TEMP_DIS_TESTS}; do
for RKHTMPVAR in ${GROUPED_TESTS}; do
GROUP_NAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
if [ -n "`echo \"${RKHTMPVAR}\" | grep ':'`" ]; then
GROUP_TESTS=`echo "${RKHTMPVAR}" | cut -d: -f2-`
else
GROUP_TESTS=""
fi
if [ "${TEST_NAME}" = "${GROUP_NAME}" ]; then
TEMP_DIS_TESTS="${TEMP_DIS_TESTS} `echo \"${GROUP_TESTS}\" | tr ':' ' '`"
break
elif [ -z "${GROUP_TESTS}" ]; then
continue
elif [ -n "`echo \":${GROUP_TESTS}:\" | grep \":${TEST_NAME}:\"`" ]; then
TEMP_DIS_TESTS="${TEMP_DIS_TESTS} ${GROUP_NAME}"
fi
done
done
TEMP_DIS_TESTS=" `echo ${TEMP_DIS_TESTS}` "
#
# Now loop through the enabled tests and remove any matches.
#
for TEST_NAME in ${TEMP_EN_TESTS}; do
if [ -n "`echo \"${TEMP_DIS_TESTS}\" | grep \" ${TEST_NAME} \"`" ]; then
TEMP_EN_TESTS=`echo " ${TEMP_EN_TESTS} " | sed -e "s/ ${TEST_NAME} / /"`
fi
done
TEMP_EN_TESTS=`echo ${TEMP_EN_TESTS}`
if [ -z "${TEMP_EN_TESTS}" ]; then
LEAVE=0
if [ $ENABLE_OPT -eq 1 ]; then
LEAVE=1
echo "Invalid enabled test list - no tests to run."
else
LEAVE=1
echo "Invalid configured enabled test list - no tests to run."
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
fi
fi
return
}
get_enable_option() {
#
# This function gets the enabled test names from the command-line
# or the configuration file as required. The test names will be
# checked later on. By default all tests are enabled.
#
#
# Get the command-line test names. These override
# the configuration file enabled test names.
#
LEAVE=0
ERRCODE=0
if [ $ENABLE_OPT -eq 1 ]; then
ENABLE_TESTS=`make_space_list "${CL_ENABLE_TESTS}"`
ENABLE_TESTS=`echo ${ENABLE_TESTS}`
if [ -z "${ENABLE_TESTS}" ]; then
LEAVE=1
echo "Invalid '--enable' option - no test names given."
fi
#
# We do a simple test here to see if just one test was enabled.
# If it was then we skip the key press feature since it is most
# likely that the user doesn't want that. The test name cannot be
# 'all'.
#
if [ "${ENABLE_TESTS}" != "all" -a -z "`echo \"${ENABLE_TESTS}\" | grep ' '`" ]; then
SKIP_KEY_PRESS=1
fi
else
#
# We get the configuration file entries by default.
#
ENABLE_TESTS=`get_option space-list ENABLE_TESTS` || exit $?
if [ -n "${ENABLE_TESTS}" ]; then
ENABLE_TESTS=`make_space_list "${ENABLE_TESTS}"`
ENABLE_TESTS=`echo ${ENABLE_TESTS}`
if [ -n "${ENABLE_TESTS}" ]; then
ENABLE_TESTS=`echo "${ENABLE_TESTS}" | tr '[:upper:]' '[:lower:]'`
else
# The system default.
ENABLE_TESTS="all"
fi
else
# The system default.
ENABLE_TESTS="all"
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_disable_option() {
#
# This function gets the disabled test names from the command-line
# and the configuration file if required. The test names will be
# checked later on. By default no tests are disabled.
#
# Note: disabled tests are always compared against the list
# of enabled tests. Hence, if we used
# 'rkhunter -c --enable system_commands --disable apps'
# then only the system command tests are run. Any other test is
# not run because it is not in the '--enable' list. As such
# the '--disable' option in the example above is not necessary.
#
#
# Get the command-line test names.
#
LEAVE=0
if [ -n "${CL_DISABLE_TESTS}" ]; then
CL_DISABLE_TESTS=`make_space_list "${CL_DISABLE_TESTS}"`
CL_DISABLE_TESTS=`echo ${CL_DISABLE_TESTS}`
if [ -z "${CL_DISABLE_TESTS}" ]; then
LEAVE=1
echo "Invalid '--disable' option - no test names given."
fi
fi
#
# Get the configuration file test names
# unless specifically requested not to do so.
#
if [ $USECF -eq 1 ]; then
CONFIG_DISABLE_TESTS=`get_option space-list DISABLE_TESTS` || exit $?
if [ -n "${CONFIG_DISABLE_TESTS}" ]; then
CONFIG_DISABLE_TESTS=`make_space_list "${CONFIG_DISABLE_TESTS}"`
CONFIG_DISABLE_TESTS=`echo ${CONFIG_DISABLE_TESTS}`
if [ -n "${CONFIG_DISABLE_TESTS}" ]; then
CONFIG_DISABLE_TESTS=`echo ${CONFIG_DISABLE_TESTS} | tr '[:upper:]' '[:lower:]'`
fi
fi
fi
if [ $LEAVE -eq 0 ]; then
DISABLE_TESTS="${CL_DISABLE_TESTS} ${CONFIG_DISABLE_TESTS}"
DISABLE_TESTS=`echo ${DISABLE_TESTS}`
if [ -z "${DISABLE_TESTS}" ]; then
# The system default.
DISABLE_TESTS="none"
fi
else
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_xinetd_option() {
#
# This function obtains the inetd and xinetd configuration
# file pathnames from the config file. It also get the
# whitelisted services.
#
LEAVE=0
ERRCODE=0
FNAME=`get_option single INETD_CONF_PATH` || exit $?
if [ -n "${FNAME}" ]; then
check_paths FNAME INETD_CONF_PATH "NOWILD EXIST NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
INETD_CONF_PATH="${FNAME}"
else
LEAVE=1
fi
fi
INETDALLOWEDSVCS=`get_option space-list INETD_ALLOWED_SVC` || exit $?
#
# Now do the same for xinetd.
#
FNAME=`get_option single XINETD_CONF_PATH` || exit $?
if [ -n "${FNAME}" ]; then
check_paths FNAME XINETD_CONF_PATH "EXIST NOWILD NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
XINETD_CONF_PATH="${FNAME}"
else
LEAVE=1
fi
fi
XINETDALLOWEDSVCS=`get_option space-list XINETD_ALLOWED_SVC` || exit $?
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_port_options() {
#
# This function will get the various PORT configuration options, and
# build up PORT_WHITELIST as a newline-separated list.
#
# First get the PORT_WHITELIST option from the configuration file.
#
LEAVE=0
ERRCODE=0
PORT_WHITELIST=""
RKHTMPVAR=`get_option space-list PORT_WHITELIST` || exit $?
if [ -n "${RKHTMPVAR}" ]; then
#
# Loop through the list checking that it all looks okay.
#
for RKHTMPVAR2 in ${RKHTMPVAR}; do
if [ -n "`echo \"${RKHTMPVAR2}\" | egrep -i '^(TCP|UDP):[1-9][0-9]*$'`" ]; then
PROTO=`echo ${RKHTMPVAR2} | cut -d: -f1 | tr '[:lower:]' '[:upper:]'`
PORT=`echo ${RKHTMPVAR2} | cut -d: -f2`
if [ $PORT -gt 65535 ]; then
LEAVE=1
echo "Invalid PORT_WHITELIST configuration option - invalid port specified: `name2text \"${RKHTMPVAR2}\"`"
fi
PORT_WHITELIST="${PORT_WHITELIST}
${PROTO}:${PORT}"
elif [ "${RKHTMPVAR2}" = "*" ]; then
if [ -n "${LSOF_CMD}" ]; then
PORT_WHITELIST_ALL_TRUSTED=1
else
LEAVE=1
echo "Invalid PORT_WHITELIST configuration option - '*' requires the 'lsof' command."
fi
else
LEAVE=1
echo "Invalid entry specified in PORT_WHITELIST configuration option: `name2text \"${RKHTMPVAR2}\"`"
fi
done
fi
#
# Now get the PORT_PATH_WHITELIST option from the configuration file.
#
RKHTMPVAR=`get_option newline-list PORT_PATH_WHITELIST` || exit $?
if [ -z "${LSOF_CMD}" ]; then
if [ -n "${RKHTMPVAR}" ]; then
LEAVE=1
echo "Invalid PORT_PATH_WHITELIST configuration option - the 'lsof' command is required."
fi
elif [ -n "${RKHTMPVAR}" ]; then
#
# Loop through the list checking that it all looks okay.
#
IFS=$IFSNL
for RKHTMPVAR2 in ${RKHTMPVAR}; do
if [ -n "`echo \"${RKHTMPVAR2}\" | grep '^/'`" ]; then
PORT=0
FNAME=""
PROTO=""
# Dig out the protocol and port number, if present.
if [ -n "`echo \"${RKHTMPVAR2}\" | egrep -i '.:(TCP|UDP):[1-9][0-9]*$'`" ]; then
PROTO=`echo "${RKHTMPVAR2}" | sed -e 's/^.*:\([a-zA-Z]*\):[1-9][0-9]*$/\1/'`
PORT=`echo "${RKHTMPVAR2}" | sed -e 's/^.*:\([1-9][0-9]*\)$/\1/'`
if [ $PORT -gt 65535 ]; then
LEAVE=1
echo "Invalid PORT_PATH_WHITELIST configuration option - invalid port specified: `name2text \"${RKHTMPVAR2}\"`"
fi
PROTO=`echo ${PROTO} | tr '[:lower:]' '[:upper:]'`
fi
# Dig out the pathname.
if [ $PORT -gt 0 ]; then
FNAME=`echo "${RKHTMPVAR2}" | sed -e 's/^\(.*\):[a-zA-Z]*:[1-9][0-9]*$/\1/'`
else
FNAME="${RKHTMPVAR2}"
fi
IFS=$RKHIFS
check_paths FNAME PORT_PATH_WHITELIST "EXIST NOWILD NOBROKENLINK"
IFS=$IFSNL
if [ $ERRCODE -eq 1 ]; then
LEAVE=1
else
if [ $PORT -gt 0 ]; then
PORT_WHITELIST="${PORT_WHITELIST}
${FNAME}:${PROTO}:${PORT}"
else
PORT_WHITELIST="${PORT_WHITELIST}
${FNAME}"
fi
fi
else
LEAVE=1
echo "Invalid entry specified in PORT_PATH_WHITELIST configuration option: `name2text \"${RKHTMPVAR2}\"`"
fi
done
IFS=$RKHIFS
fi
if [ -n "${PORT_WHITELIST}" ]; then
PORT_WHITELIST=`echo "${PORT_WHITELIST}" | sed -e '/^$/d'`
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_groups_accounts_options() {
#
# Get the location of the password/shadow file. We also cater
# for cases such as BSD systems and users of TCB shadow files.
# If the shadow file itself does not exist, then we look in
# the password file itself to see if it contains the passwords.
#
LEAVE=0
ERRCODE=0
SHADOW_FILE=`get_option single PASSWORD_FILE` || exit $?
if [ -n "${SHADOW_FILE}" ]; then
check_paths SHADOW_FILE PASSWORD_FILE "EXIST NOWILD NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
if [ -s "${SHADOW_FILE}" ]; then
SHADOW_FILE="${SHADOW_FILE}"
else
SHADOW_FILE=""
fi
else
LEAVE=1
fi
elif [ -s "/etc/shadow" ]; then
SHADOW_FILE="/etc/shadow"
elif [ \( $BSDOS -eq 1 -o $MACOSX -eq 1 \) -a -s "/etc/master.passwd" ]; then
SHADOW_FILE="/etc/master.passwd"
elif [ -f "/etc/tcb/root/shadow" ]; then
HAVE_TCB_SHADOW=1
elif [ -s "/etc/passwd" ]; then
#
# If the passwords are stored in the passwd file, then
# it should contain at least 3 non-colon characters in the
# second field. Checking for 3 characters allows for normal
# shadow entries such as 'x', '!!' or '*'. It is assumed
# that at least one account will have a password.
#
if [ -n "`grep '^[^:]*:[^:][^:][^:]' /etc/passwd`" ]; then
SHADOW_FILE="/etc/passwd"
fi
fi
#
# Now get the passwordless account whitelist option.
#
PWD_WHITELIST=`get_option space-list PWDLESS_ACCOUNTS` || exit $?
test -n "${PWD_WHITELIST}" && PWD_WHITELIST=" `echo ${PWD_WHITELIST}` "
#
# Next get any root-equivalent whitelisted account names.
#
UID0_WHITELIST=`get_option space-list UID0_ACCOUNTS` || exit $?
# By default we allow the root account.
UID0_WHITELIST=" root `echo ${UID0_WHITELIST}` "
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
test_epoch_cmd() {
#
# This function simply checks if the supplied command
# can process epoch second times. We do this by using
# the '%s' formatting option, and the 'seconds ago'
# time format. If the command understands both of these
# then we can use it for the epoch date.
#
RKHTMPVAR=$1
if [ -n "`${RKHTMPVAR} --date '5 seconds ago' '+%s' 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
EPOCH_DATE_CMD="${RKHTMPVAR}"
fi
return
}
get_epoch_date_cmd_option() {
#
# Get the option from the configuration file, or work out
# if the 'date' command is suitable.
#
LEAVE=0
ERRCODE=0
EPOCH_DATE_CMD=`get_option single EPOCH_DATE_CMD` || exit $?
#
# Check the type of config file option we have. They user may have
# specified a command to use or 'NONE', in which case we return.
# If they specified 'PERL' then check we have a 'perl' command,
# and then return.
#
if [ "${EPOCH_DATE_CMD}" = "PERL" ]; then
EPOCH_DATE_CMD=""
test -z "${PERL_CMD}" && EPOCH_DATE_CMD="NONE"
return
elif [ "${EPOCH_DATE_CMD}" = "NONE" ]; then
return
elif [ -n "${EPOCH_DATE_CMD}" ]; then
RKHTMPVAR=`echo "${EPOCH_DATE_CMD}" | cut -d' ' -f1`
check_paths RKHTMPVAR EPOCH_DATE_CMD "EXIST NOWILD NOBROKENLINK"
#
# Check that the command exists and is executable.
#
if [ $ERRCODE -eq 0 ]; then
FNAME=`find_cmd ${RKHTMPVAR}`
if [ -n "${FNAME}" ]; then
RKHTMPVAR2=`echo "${EPOCH_DATE_CMD}" | cut -d' ' -f2-`
if [ -z "${RKHTMPVAR2}" -o "${RKHTMPVAR2}" = "${EPOCH_DATE_CMD}" ]; then
EPOCH_DATE_CMD="${FNAME}"
else
EPOCH_DATE_CMD="${FNAME} ${RKHTMPVAR2}"
fi
else
EPOCH_DATE_CMD="NONE"
fi
else
LEAVE=1
fi
fi
if [ $LEAVE -eq 0 ]; then
#
# Now we test if the 'date' command supports processing epoch seconds.
#
test_epoch_cmd "date"
test -n "${EPOCH_DATE_CMD}" && return
#
# For SunOS systems we need to check some other 'date' commands.
#
if [ $SUNOS -eq 1 ]; then
for RKHTMPVAR2 in `find_cmd gdate` /opt/sfw/bin/date; do
test_epoch_cmd "${RKHTMPVAR2}"
test -n "${EPOCH_DATE_CMD}" && break
done
fi
else
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_phalanx2_option() {
#
# This is a specific function to get the PHALANX2_DIRTEST
# option. It must be a digit, and can only be tested for
# on Linux systems.
#
test $LINUXOS -eq 0 && return
LEAVE=0
ERRCODE=0
ROOTKIT_PHALANX2_DIRTESTVAL=`get_option single PHALANX2_DIRTEST` || exit $?
if [ -n "${ROOTKIT_PHALANX2_DIRTESTVAL}" ]; then
check_is_digit ROOTKIT_PHALANX2_DIRTESTVAL
test $ERRCODE -eq 1 && LEAVE=1
else
ROOTKIT_PHALANX2_DIRTESTVAL=0
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_dev_options() {
#
# This function processes the ALLOWDEVFILE option which is
# used to whitelist files allowed in the '/dev' directory.
#
LEAVE=0
ERRCODE=0
ALLOWDEVFILES=""
ALLOWDEVFILE_OPT=`get_option newline-list ALLOWDEVFILE` || exit $?
if [ -n "${ALLOWDEVFILE_OPT}" ]; then
# Note that we do not get the expanded list of pathnames at
# this point. That will be done when the test actually runs.
ALLOWDEVFILES=${ALLOWDEVFILE_OPT}
check_paths ALLOWDEVFILES ALLOWDEVFILE
test $ERRCODE -eq 1 && LEAVE=1
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_hidden_options() {
#
# This function processes the ALLOWHIDDENFILE and ALLOWHIDDENDIR
# options which are used to whitelist hidden files and directories.
#
LEAVE=0
ERRCODE=0
ALLOWHIDDENFILES=""
ALLOWHIDDENFILE_OPT=`get_option newline-list ALLOWHIDDENFILE` || exit $?
if [ -n "${ALLOWHIDDENFILE_OPT}" ]; then
# Note that we do not get the expanded list of pathnames at
# this point. That will be done when the test actually runs.
ALLOWHIDDENFILES=${ALLOWHIDDENFILE_OPT}
check_paths ALLOWHIDDENFILES ALLOWHIDDENFILE
test $ERRCODE -eq 1 && LEAVE=1
fi
ALLOWHIDDENDIRS=""
ALLOWHIDDENDIR_OPT=`get_option newline-list ALLOWHIDDENDIR` || exit $?
if [ -n "${ALLOWHIDDENDIR_OPT}" ]; then
ALLOWHIDDENDIRS=${ALLOWHIDDENDIR_OPT}
check_paths ALLOWHIDDENDIRS ALLOWHIDDENDIR
test $ERRCODE -eq 1 && LEAVE=1
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_missing_file_options() {
#
# This function processes the options used to detect missing or
# empty files. Note that we do not use the 'EXIST' option for
# 'check_paths' despite the fact that the files should exist.
# However, if they are missing then that is exactly what we want
# the test to report.
#
LEAVE=0
ERRCODE=0
LOGFILE_MISSING=`get_option space-list MISSING_LOGFILES` || exit $?
if [ -n "${LOGFILE_MISSING}" ]; then
check_paths LOGFILE_MISSING MISSING_LOGFILES "NOWILD"
test $ERRCODE -eq 1 && LEAVE=1
fi
LOGFILE_EMPTY=`get_option space-list EMPTY_LOGFILES` || exit $?
if [ -n "${LOGFILE_EMPTY}" ]; then
check_paths LOGFILE_EMPTY EMPTY_LOGFILES "NOWILD"
test $ERRCODE -eq 1 && LEAVE=1
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_unhide_options() {
#
# This function processes the configuration options used
# by the unhide command in the 'hidden_procs' test.
#
LEAVE=0
ERRCODE=0
UNHIDE_TESTS=`get_option space-list UNHIDE_TESTS` || exit $?
if [ -n "${UNHIDE_TESTS}" ]; then
# We need to include a space to avoid the problem with hyphens.
UNHIDE_TESTS=" `echo ${UNHIDE_TESTS}`"
else
UNHIDE_TESTS="sys"
fi
if [ -z "`echo \" ${UNHIDE_TESTS}\" | grep ' [a-zA-Z]'`" ]; then
LEAVE=1
echo "Invalid UNHIDE_TESTS configuration option - no tests specified: ${UNHIDE_TESTS}"
fi
UNHIDETCP_OPTS=""
RKHTMPVAR=`get_option space-list UNHIDETCP_OPTS` || exit $?
if [ -n "${RKHTMPVAR}" ]; then
for RKHTMPVAR2 in ${RKHTMPVAR}; do
#
# For options we need to add a space to the variable
# to avoid problems with the 'echo' command.
#
if [ -z "`echo \"${RKHTMPVAR2} \" | grep '^-'`" ]; then
# Options must begin with a '-'.
LEAVE=1
echo "Invalid UNHIDETCP_OPTS configuration option - not a valid option: ${RKHTMPVAR}"
elif [ "${RKHTMPVAR2}" = "-V" -o "${RKHTMPVAR2}" = "-h" ]; then
# Ignore obvious invalid options.
continue
else
UNHIDETCP_OPTS="${UNHIDETCP_OPTS} ${RKHTMPVAR2}"
fi
done
# Add a space to avoid the 'echo' problem with options.
UNHIDETCP_OPTS=`echo "${UNHIDETCP_OPTS} " | sed -e 's/^ *//'`
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_process_options() {
#
# Get any options used by checks on processes.
#
#
# We do no testing of this option because if the user gets it wrong,
# then the processes will show up as warnings. The user should (!)
# then check the configuration file to make sure it is correct.
#
LEAVE=0
ERRCODE=0
ALLOWPROCDELFILES=`get_option newline-list ALLOWPROCDELFILE` || exit $?
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_suspscan_options() {
#
# This function processes all the options
# required for the suspscan test.
#
LEAVE=0
ERRCODE=0
#
# Get the directories to scan.
#
SUSPSCAN_DIRS=`get_option space-list SUSPSCAN_DIRS` || exit $?
if [ -z "${SUSPSCAN_DIRS}" ]; then
SUSPSCAN_DIRS="${SUSPSCAN_DFLT_DIRS}"
fi
check_paths SUSPSCAN_DIRS SUSPSCAN_DIRS "EXIST NOBROKENLINK NOWILD"
if [ $ERRCODE -eq 0 ]; then
SUSPSCAN_DIRS=`echo ${SUSPSCAN_DIRS}`
else
LEAVE=1
fi
#
# Get the tempdir to use. It should be a /dev/shm type.
#
SUSPSCAN_TEMP=`get_option single SUSPSCAN_TEMP` || exit $?
if [ -z "${SUSPSCAN_TEMP}" ]; then
SUSPSCAN_TEMP="${SUSPSCAN_DFLT_TMP}"
fi
check_paths SUSPSCAN_TEMP SUSPSCAN_TEMP "EXIST NOBROKENLINK NOWILD"
if [ $ERRCODE -eq 0 ]; then
if [ ! -w "${SUSPSCAN_TEMP}" ]; then
LEAVE=1
echo "The suspscan temporary directory is not writable: ${SUSPSCAN_TEMP}"
fi
else
LEAVE=1
fi
#
# Get the maximum file size to handle.
#
SUSPSCAN_MAXSIZE=`get_option single SUSPSCAN_MAXSIZE` || exit $?
if [ -n "${SUSPSCAN_MAXSIZE}" ]; then
check_is_digit SUSPSCAN_MAXSIZE SUSPSCAN_MAXSIZE ANY1
test $ERRCODE -eq 1 && LEAVE=1
else
SUSPSCAN_MAXSIZE=$SUSPSCAN_DFLT_MAXSIZE
fi
#
# Get the score threshold, 200 seems sensible.
#
SUSPSCAN_THRESH=`get_option single SUSPSCAN_THRESH` || exit $?
if [ -n "${SUSPSCAN_THRESH}" ]; then
check_is_digit SUSPSCAN_THRESH SUSPSCAN_THRESH ANY1
test $ERRCODE -eq 1 && LEAVE=1
else
SUSPSCAN_THRESH=$SUSPSCAN_DFLT_THRESH
fi
#
# Get the line threshold. This exists purely for performance reasons. 3000 seems sensible as
# Linux Kernel Modules don't exceed 2000 lines and for example most binaries in /bin don't exceed 3000 lines.
# Note this configuration option will remain unlisted in both the documentation and configuration file.
#
SUSPSCAN_LINETHRESH=`get_option single SUSPSCAN_LINETHRESH` || exit $?
if [ -n "${SUSPSCAN_LINETHRESH}" ]; then
check_is_digit SUSPSCAN_LINETHRESH SUSPSCAN_LINETHRESH ANY1
test $ERRCODE -eq 1 && LEAVE=1
else
SUSPSCAN_LINETHRESH=3000
fi
#
# Get the debug flag value (defaults to 0). Setting this to 1 will cause verbose messages to be displayed
# which will result in more warnings than you will want. Changing the SUSPSCAN_DEBUG default value implies
# that you know what you are doing and that you don't need help "fixing" things afterwards.
#
SUSPSCAN_DEBUG=`get_option single SUSPSCAN_DEBUG` || exit $?
if [ -n "${SUSPSCAN_DEBUG}" ]; then
check_is_digit SUSPSCAN_DEBUG
test $ERRCODE -eq 1 && LEAVE=1
else
SUSPSCAN_DEBUG=0
fi
#
# Get any whitelisted file pathnames.
#
SUSPSCAN_WL_OPT=`get_option newline-list SUSPSCAN_WHITELIST` || exit $?
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_ipc_options() {
#
# This function processes the configuration options which
# are used during the shared memory segments checks.
#
LEAVE=0
ERRCODE=0
ALLOWIPCPID=""
ALLOWIPCPROC=""
ALLOWIPCUSER=""
#
# First see if any segment PIDs have been whitelisted.
#
ALLOWIPCPID=`get_option space-list ALLOWIPCPID` || exit $?
if [ -n "${ALLOWIPCPID}" ]; then
for RKHTMPVAR in ${ALLOWIPCPID}; do
check_is_digit RKHTMPVAR ALLOWIPCPID ANY1
test $ERRCODE -eq 1 && LEAVE=1
done
ALLOWIPCPID=" `echo ${ALLOWIPCPID}` "
fi
#
# Next we check for any whitelisted process names.
#
ALLOWIPCPROC_OPT=`get_option newline-list ALLOWIPCPROC` || exit $?
if [ -n "${ALLOWIPCPROC_OPT}" ]; then
# Note that we do not get the expanded list of pathnames at
# this point. That will be done when the test actually runs.
ALLOWIPCPROC=${ALLOWIPCPROC_OPT}
check_paths ALLOWIPCPROC ALLOWIPCPROC
test $ERRCODE -eq 1 && LEAVE=1
fi
#
# Now check if any usernames have been whitelisted.
#
ALLOWIPCUSER=`get_option space-list ALLOWIPCUSER` || exit $?
if [ -n "${ALLOWIPCUSER}" ]; then
ALLOWIPCUSER=" `echo ${ALLOWIPCUSER}` "
fi
#
# Finally, we check for the configured minimum segment size.
# Any segment above this size is considered to be suspicious.
#
IPC_SEG_SIZE=`get_option single IPC_SEG_SIZE` || exit $?
if [ -n "${IPC_SEG_SIZE}" ]; then
check_is_digit IPC_SEG_SIZE IPC_SEG_SIZE ANY1
test $ERRCODE -eq 1 && LEAVE=1
else
IPC_SEG_SIZE=$DFLT_SEG_SIZE
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_if_prelinked() {
#
# A prelinked system is defined here as one which has a 'prelink'
# command, and the '/etc/prelink.cache' file exists.
#
if [ -f "/etc/prelink.cache" ]; then
#
# Check that we have a 'prelink' command. If it
# doesn't exist, then we cannot use prelinking.
#
PRELINK_CMD=`find_cmd prelink`
test -z "${PRELINK_CMD}" && return
#
# We test (twice) for the existence of Libsafe since this seems to
# riddle prelink test results with "dependency cycle" errors.
# Don't test for existence of /lib/libsafe since it may be
# installed elsewhere. If Libsafe is found, then we'll skip the
# file properties hash test.
#
LIBSAFE_TEST1=""
LIBSAFE_TEST2=""
if [ -f "/etc/ld.so.preload" ]; then
LIBSAFE_TEST1=`grep 'libsafe' /etc/ld.so.preload 2>&1`
fi
if [ -z "${LIBSAFE_TEST1}" ]; then
LIBSAFE_TEST1=`echo "$LD_PRELOAD" | grep 'libsafe' 2>&1`
fi
if [ -n "${LDD_CMD}" ]; then
if [ -f /lib/libdl.so.? ]; then
LIBSAFE_TEST2=`${LDD_CMD} /lib/libdl.so.? | grep 'libsafe' 2>&1`
fi
if [ -z "${LIBSAFE_TEST2}" -a -f /lib64/libdl.so.? ]; then
LIBSAFE_TEST2=`${LDD_CMD} /lib64/libdl.so.? | grep 'libsafe' 2>&1`
fi
fi
if [ -z "${LIBSAFE_TEST1}" -a -z "${LIBSAFE_TEST2}" ]; then
PRELINKED=1
#
# Only use 'runcon' if SELinux is enabled.
#
SESTATUS_CMD=`find_cmd sestatus`
if [ -n "${SESTATUS_CMD}" ]; then
if [ -n "`${SESTATUS_CMD} 2>/dev/null | grep ' status: *enabled$'`" ]; then
SELINUX_ENABLED=1
RUNCON_CMD=`find_cmd runcon`
test -n "${RUNCON_CMD}" && USE_RUNCON=1
fi
fi
elif [ -n "${LIBSAFE_TEST1}" -a -n "${LIBSAFE_TEST2}" ]; then
SKIP_HASH_MSG=2
fi
fi
return
}
get_md5_hash_function() {
#
# This is a short function to try and locate
# an MD5 hash function command.
#
if [ $PRELINKED -eq 1 ]; then
if [ $USE_RUNCON -eq 1 ]; then
echo "${RUNCON_CMD} -u root -- ${PRELINK_CMD} --verify --md5"
else
echo "${PRELINK_CMD} --verify --md5"
fi
else
HFUNC=`find_cmd md5sum`
test -z "${HFUNC}" && HFUNC=`find_cmd md5`
if [ -z "${HFUNC}" -a -n "${PERL_CMD}" ]; then
MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Digest::MD5 2>/dev/null | grep 'Digest::MD5 installed'`
test -n "${MOD_INSTALLED}" && echo "${PERL_CMD} ${SCRIPT_PATH}/filehashsha.pl Digest::MD5 0"
else
echo "${HFUNC}"
fi
fi
return
}
get_sha_hash_function() {
#
# This is a short function to try and locate
# a SHA hash function command.
#
# The function takes one argument which is the
# SHA bit size.
#
SHA_SIZE=$1
check_is_digit SHA_SIZE HASH_CMD ANY1
if [ $ERRCODE -eq 1 ]; then
echo "Error: Invalid argument to get_sha_hash_function function: $*" >&2
return
fi
HFUNC=`find_cmd sha${SHA_SIZE}sum`
if [ -z "${HFUNC}" ]; then
HFUNC=`find_cmd sha${SHA_SIZE}`
if [ -z "${HFUNC}" -a $MACOSX -eq 1 ]; then
HFUNC=`find_cmd shasum`
test -n "${HFUNC}" && HFUNC="${HFUNC} -a $SHA_SIZE"
fi
fi
if [ -z "${HFUNC}" -a -n "${PERL_CMD}" ]; then
MOD_INSTALLED=""
if [ $SHA_SIZE -eq 1 ]; then
MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Digest::SHA Digest::SHA1 Digest::SHA::PurePerl 2>/dev/null`
elif [ $SHA_SIZE -eq 224 ]; then
MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Digest::SHA Digest::SHA::PurePerl 2>/dev/null`
else
MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Digest::SHA Digest::SHA256 Digest::SHA::PurePerl 2>/dev/null`
fi
USE_MOD=`echo "${MOD_INSTALLED}" | grep -v 'NOT installed' 2>/dev/null | head ${HEAD_OPT}1 | cut -d' ' -f1`
if [ -n "${USE_MOD}" ]; then
HFUNC="${PERL_CMD} "${SCRIPT_PATH}/filehashsha.pl" ${USE_MOD} $SHA_SIZE"
fi
fi
echo "${HFUNC}"
return
}
get_hash_function() {
#
# Get the option from the configuration file, and do a simple
# check on whether it is empty or a space.
#
LEAVE=0
ERRCODE=0
if [ $HASH_OPT -eq 1 ]; then
HASH_FUNC=`echo "${HASH_FUNC}" | tr -d '"' | tr -d "'" | tr -s ' ' ' '`
HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f1`
# Stop globbing from being expanded.
if [ -z "`echo \"${HASH_CMD}\" | grep '[][*?{}]'`" ]; then
HASH_FUNC=`echo ${HASH_FUNC}`
else
LEAVE=1
HASH_FUNC="NONE"
echo "Invalid '--hash' option: invalid pathname: ${HASH_CMD}"
fi
if [ -z "${HASH_FUNC}" ]; then
LEAVE=1
HASH_FUNC="NONE"
echo "Invalid '--hash' option: no hash function given."
fi
else
HASH_FUNC=`get_option single HASH_CMD` || exit $?
if [ -z "${HASH_FUNC}" ]; then
HASH_FUNC=`get_option single HASH_FUNC` || exit $?
fi
fi
#
# Test to ensure that globbing and other invalid
# pathnames have not been given.
#
if [ -n "${HASH_FUNC}" ]; then
HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f1`
check_paths HASH_CMD HASH_CMD "EXIST NOWILD NOBROKENLINK"
if [ $ERRCODE -eq 1 ]; then
LEAVE=1
HASH_FUNC="NONE"
fi
fi
if [ -n "`echo \"${HASH_FUNC}\" | egrep -i '^(MD5|SHA1|SHA224|SHA256|SHA384|SHA512|RIPEMD160|WHIRLPOOL|NONE)$'`" ]; then
HASH_FUNC=`echo "${HASH_FUNC}" | tr '[:lower:]' '[:upper:]'`
fi
#
# At this point we have either been given a specific hash function
# command, the reserved word 'NONE', one of the SHA or other functions,
# or nothing. For the SHA and MD5 reserved words we must find the SHA
# or MD5 command, or use the supplied perl scripts. For the RIPEMD160
# and WHIRLPOOL reserved words, we only use the perl scripts.
#
SHA_SIZE=0
if [ -z "${HASH_FUNC}" ]; then
test $PRELINKED -eq 1 && HASH_FUNC="SHA1" || HASH_FUNC="SHA256"
fi
case "${HASH_FUNC}" in
SHA1) SHA_SIZE=1
;;
SHA224) SHA_SIZE=224
;;
SHA256) SHA_SIZE=256
;;
SHA384) SHA_SIZE=384
;;
SHA512) SHA_SIZE=512
;;
esac
if [ $SHA_SIZE -eq 1 -a $PRELINKED -eq 1 ]; then
PRELINK_HASH="SHA1"
if [ $USE_RUNCON -eq 1 ]; then
HASH_FUNC="${RUNCON_CMD} -u root -- ${PRELINK_CMD} --verify --sha"
else
HASH_FUNC="${PRELINK_CMD} --verify --sha"
fi
elif [ $SHA_SIZE -ge 1 ]; then
HASH_FUNC=`get_sha_hash_function $SHA_SIZE`
elif [ "${HASH_FUNC}" = "MD5" ]; then
HF=`get_md5_hash_function`
test -n "${HF}" && HASH_FUNC="${HF}"
if [ $PRELINKED -eq 1 ]; then
PRELINK_HASH="MD5"
elif [ -z "`echo \"${HF}\" | grep '/filehashsha\.pl Digest::MD5'`" ]; then
MD5_CMD="${HF}"
fi
elif [ "${HASH_FUNC}" = "RIPEMD160" ]; then
MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Crypt::RIPEMD160 2>/dev/null`
if [ -n "`echo \"${MOD_INSTALLED}\" | grep 'Crypt::RIPEMD160 installed'`" ]; then
HASH_FUNC="${PERL_CMD} "${SCRIPT_PATH}/filehashsha.pl" Crypt::RIPEMD160 0"
fi
elif [ "${HASH_FUNC}" = "WHIRLPOOL" ]; then
MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Digest::Whirlpool 2>/dev/null`
if [ -n "`echo \"${MOD_INSTALLED}\" | grep 'Digest::Whirlpool installed'`" ]; then
HASH_FUNC="${PERL_CMD} "${SCRIPT_PATH}/filehashsha.pl" Digest::Whirlpool 0"
fi
fi
#
# A final check that the command is actually executable.
# This will ensure that the perl scripts have been installed
# correctly, should they be needed.
#
if [ "${HASH_FUNC}" = "NONE" ]; then
:
elif [ "${HASH_FUNC}" = "MD5" ]; then
LEAVE=1
if [ $HASH_OPT -eq 1 ]; then
echo "Invalid '--hash' option: no usable hash command or perl module for MD5 could be found."
else
echo "Invalid HASH_CMD configuration option: no usable hash command or perl module for MD5 could be found."
fi
elif [ "${HASH_FUNC}" = "RIPEMD160" -o "${HASH_FUNC}" = "WHIRLPOOL" ]; then
LEAVE=1
if [ $HASH_OPT -eq 1 ]; then
echo "Invalid '--hash' option: no perl module for ${HASH_FUNC} could be found."
else
echo "Invalid HASH_CMD configuration option: no perl module for ${HASH_FUNC} could be found."
fi
elif [ -n "${HASH_FUNC}" ]; then
HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f1`
HF=`find_cmd ${HASH_CMD}`
if [ -n "${HF}" ]; then
#
# We rebuild the command to use the full pathname.
#
HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f2-`
if [ -z "${HASH_CMD}" -o "${HASH_CMD}" = "${HASH_FUNC}" ]; then
HASH_FUNC=$HF
else
HASH_FUNC="${HF} ${HASH_CMD}"
fi
elif [ $HASH_OPT -eq 1 ]; then
LEAVE=1
echo "Invalid '--hash' option: command is non-existent or not executable: ${HASH_CMD}"
else
LEAVE=1
echo "Invalid HASH_CMD configuration option: command is non-existent or not executable: ${HASH_CMD}"
fi
elif [ $HASH_OPT -eq 1 ]; then
LEAVE=1
echo "Invalid '--hash' option: no usable hash command or perl module could be found."
elif [ $SHA_SIZE -ge 1 ]; then
LEAVE=1
echo "Invalid HASH_CMD configuration option: no usable hash command or perl module for SHA${SHA_SIZE} could be found."
else
LEAVE=1
echo "Invalid HASH_CMD configuration option: no usable hash command or perl module could be found."
fi
#
# Now we get the hash field index. We will assume a field value
# of one, but this value must be configurable since we allow
# the user to specify the hash function to use.
#
RKHTMPVAR=`get_option single HASH_FLD_IDX` || exit $?
if [ -n "${RKHTMPVAR}" ]; then
check_is_digit RKHTMPVAR HASH_FLD_IDX ANY1
if [ $ERRCODE -eq 0 ]; then
HASH_FLD_IDX=${RKHTMPVAR}
else
LEAVE=1
fi
fi
#
# Next we get the package manager to use for the file
# properties hash check and update. If a file is not owned
# as part of a package, the hash function defined above
# will be used instead.
#
if [ -n "${PKGMGR}" ]; then
PKGMGR=`echo "${PKGMGR}" | tr -d '" ' | tr -d "'"`
if [ -z "${PKGMGR}" ]; then
LEAVE=1
echo "Invalid '--pkgmgr' option: no package manager given."
fi
else
PKGMGR=`get_option single PKGMGR` || exit $?
fi
PKGMGR=`echo "${PKGMGR}" | tr '[:lower:]' '[:upper:]'`
test "${PKGMGR}" = "NONE" && PKGMGR=""
#
# Now check that the package manager we have been given is valid.
#
case "${PKGMGR}" in
"")
;;
RPM)
RPM_CMD=`find_cmd rpm`
if [ -z "${RPM_CMD}" ]; then
LEAVE=1
echo "Unable to find the 'rpm' command for package manager 'RPM'."
fi
;;
DPKG)
DPKG_CMD=`find_cmd dpkg-query`
test -z "${DPKG_CMD}" && DPKG_CMD=`find_cmd dpkg`
if [ -z "${DPKG_CMD}" ]; then
LEAVE=1
echo "Unable to find 'dpkg-query' or 'dpkg' commands for package manager 'DPKG'."
elif [ ! -d "/var/lib/dpkg/info" ]; then
LEAVE=1
echo "Unable to find the package database directory (/var/lib/dpkg/info) for package manager 'DPKG'."
fi
if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
PKGMGR_MD5_HASH=`get_md5_hash_function`
if [ -z "${PKGMGR_MD5_HASH}" ]; then
LEAVE=1
echo "Unable to find an MD5 hash function command to assist package manager 'DPKG'."
fi
fi
;;
BSD)
PKG_CMD=`find_cmd pkg_info`
if [ -z "${PKG_CMD}" ]; then
LEAVE=1
echo "Unable to find the 'pkg_info' command for package manager 'BSD'."
elif [ ! -d "/var/db/pkg" ]; then
LEAVE=1
echo "Unable to find the package database directory (/var/db/pkg) for package manager 'BSD'."
fi
if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
PKGMGR_MD5_HASH=`get_md5_hash_function`
if [ -z "${PKGMGR_MD5_HASH}" ]; then
LEAVE=1
echo "Unable to find an MD5 hash function command to assist package manager 'BSD'."
fi
fi
;;
BSDNG)
PKG_CMD=`find_cmd pkg`
if [ -z "${PKG_CMD}" ]; then
LEAVE=1
echo "Unable to find the 'pkg' command for package manager 'BSDng'."
else
${PKG_CMD} -N >/dev/null 2>&1
ERRCODE=$?
if [ $ERRCODE -ne 0 ]; then
LEAVE=1
echo "System not set up for use with package manager 'BSDng'."
fi
fi
if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
PKGMGR_SHA_HASH=`get_sha_hash_function 256`
if [ -z "${PKGMGR_SHA_HASH}" ]; then
LEAVE=1
echo "Unable to find a SHA256 hash function command to assist package manager 'BSDng'."
fi
fi
;;
SOLARIS)
#
# For the Solaris package manager, see if we want
# to use the stored 16-bit checksum or not.
#
USE_SUNSUM=`get_option single USE_SUNSUM` || exit $?
if [ -n "${USE_SUNSUM}" ]; then
check_is_digit USE_SUNSUM
if [ $ERRCODE -eq 0 ]; then
SUM_CMD=`find_cmd sum`
if [ -z "${SUM_CMD}" ]; then
LEAVE=1
echo "Unable to find the 'sum' command for package manager 'SOLARIS'."
fi
else
LEAVE=1
fi
else
USE_SUNSUM=0
fi
if [ ! -f "/var/sadm/install/contents" ]; then
LEAVE=1
echo "Unable to find the package database file (/var/sadm/install/contents) for package manager 'SOLARIS'."
fi
;;
*)
LEAVE=1
echo "Invalid package manager given: ${PKGMGR}"
;;
esac
#
# Finally we see if any files are to be exempt from the
# package manager verification. These will go through the
# usual commands to get the file info, so they will still
# be tested.
#
PKGMGRNOVRFY=`get_option newline-list PKGMGR_NO_VRFY` || exit $?
if [ -n "${PKGMGRNOVRFY}" ]; then
check_paths PKGMGRNOVRFY PKGMGR_NO_VRFY "EXIST NOWILD NOBROKENLINK"
test $ERRCODE -eq 1 && LEAVE=1
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_scan_mode_dev_option() {
#
# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
# The two allowed values are "THOROUGH" or "LAZY". If the option
# is commented out, the default, then we do a THOROUGH scan, which
# will increase the runtime of rkhunter.
#
#
# See if the option is specified in the configuration file.
#
LEAVE=0
ERRCODE=0
SCAN_MODE_DEV=`get_option single SCAN_MODE_DEV` || exit $?
if [ -n "${SCAN_MODE_DEV}" ]; then
SCAN_MODE_DEV=`echo "${SCAN_MODE_DEV}" | tr '[:lower:]' '[:upper:]'`
case "${SCAN_MODE_DEV}" in
THOROUGH|LAZY)
;;
*) # Don't make this fatal.
echo "Invalid SCAN_MODE_DEV configuration option: ${SCAN_MODE_DEV}"
echo "Defaulting to THOROUGH mode."
SCAN_MODE_DEV="THOROUGH"
;;
esac
else
SCAN_MODE_DEV="THOROUGH"
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_startup_paths_option() {
#
# This function gets the system startup files and directories
# from the configuration file. There are no defaults.
#
LEAVE=0
ERRCODE=0
STARTUP_PATHS=`get_option space-list STARTUP_PATHS` || exit $?
if [ -n "${STARTUP_PATHS}" ]; then
#
# First see if we have any startup files or not.
#
if [ -n "`echo \"${STARTUP_PATHS}\" | grep -i '^none$'`" ]; then
STARTUP_PATHS="NONE"
else
#
# Check that the given files and directories are usable.
#
check_paths STARTUP_PATHS STARTUP_PATHS "EXIST"
if [ $ERRCODE -eq 0 ]; then
for FNAME in ${STARTUP_PATHS}; do
test -f "${FNAME}" && RKHTMPVAR="file" || RKHTMPVAR="directory"
if [ -h "${FNAME}" ]; then
LEAVE=1
echo "Invalid STARTUP_PATHS configuration option: the ${RKHTMPVAR} is a link: ${FNAME}"
elif [ ! -r "${FNAME}" ]; then
LEAVE=1
echo "Invalid STARTUP_PATHS configuration option: the ${RKHTMPVAR} is not readable: ${FNAME}"
elif [ ! -s "${FNAME}" ]; then
LEAVE=1
echo "Invalid STARTUP_PATHS configuration option: the ${RKHTMPVAR} is empty: ${FNAME}"
fi
done
else
LEAVE=1
fi
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_rtkt_whitelist_options() {
#
# This function gets any whitelisted rootkit files
# and directories from the configuration file.
# There are no defaults.
#
LEAVE=0
ERRCODE=0
RTKT_FILE_WHITELIST=`get_option newline-list RTKT_FILE_WHITELIST` || exit $?
if [ -n "${RTKT_FILE_WHITELIST}" ]; then
#
# Check that the given files are usable. But we must
# first strip off any trailing text from the end if
# it is present.
#
IFS=$IFSNL
RKHTMPVAR=""
for RKHTMPVAR2 in ${RTKT_FILE_WHITELIST}; do
FNAME=`echo "${RKHTMPVAR2}" | sed -e 's/^\(.*\):[^:]*$/\1/'`
RKHTMPVAR="${RKHTMPVAR}
${FNAME}"
done
IFS=$RKHIFS
RKHTMPVAR=`echo "${RKHTMPVAR}" | sed -e '/^$/d'`
check_paths RKHTMPVAR RTKT_FILE_WHITELIST "EXIST NOWILD NOBROKENLINK"
test $ERRCODE -eq 1 && LEAVE=1
fi
RTKT_DIR_WHITELIST=`get_option newline-list RTKT_DIR_WHITELIST` || exit $?
if [ -n "${RTKT_DIR_WHITELIST}" ]; then
#
# Check that the given directories are usable.
#
check_paths RTKT_DIR_WHITELIST RTKT_DIR_WHITELIST "EXIST NOWILD NOBROKENLINK"
test $ERRCODE -eq 1 && LEAVE=1
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_shared_lib_whitelist_option() {
#
# This function gets any whitelisted shared library files
# from the configuration file. There are no defaults.
#
LEAVE=0
ERRCODE=0
SHARED_LIB_WHITELIST=`get_option space-list SHARED_LIB_WHITELIST` || exit $?
if [ -n "${SHARED_LIB_WHITELIST}" ]; then
check_paths SHARED_LIB_WHITELIST SHARED_LIB_WHITELIST "EXIST NOWILD NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
SHARED_LIB_WHITELIST=" `echo ${SHARED_LIB_WHITELIST}` "
else
LEAVE=1
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_mirror_options() {
#
# This function gets the mirrors file options.
#
#
# First we see if the mirrors.dat file
# should be rotated when it is used.
#
LEAVE=0
ERRCODE=0
ROTATE_MIRRORS=`get_option single ROTATE_MIRRORS` || exit $?
if [ -n "${ROTATE_MIRRORS}" ]; then
check_is_digit ROTATE_MIRRORS
test $ERRCODE -eq 1 && LEAVE=1
else
ROTATE_MIRRORS=1
fi
#
# Now check that the mirrors file is usable.
#
if [ -e "${DB_PATH}/mirrors.dat" -a \( ! -f "${DB_PATH}/mirrors.dat" -o -h "${DB_PATH}/mirrors.dat" \) ]; then
LEAVE=1
echo "The mirrors file is not a file: ${DB_PATH}/mirrors.dat"
fi
if [ $LEAVE -eq 0 -a $VERSIONCHECK -eq 1 ]; then
if [ $ROTATE_MIRRORS -eq 0 ]; then
# The mirrors file only needs to be readable.
if [ ! -e "${DB_PATH}/mirrors.dat" -o ! -s "${DB_PATH}/mirrors.dat" ]; then
LEAVE=1
echo "The mirrors file does not exist or is empty: ${DB_PATH}/mirrors.dat"
echo "Run 'rkhunter --update'" to restore the default mirrors file.
echo "The default mirror will be used."
fi
else
# The mirrors file needs to be writable.
if [ ! -e "${DB_PATH}/mirrors.dat" -o ! -s "${DB_PATH}/mirrors.dat" ]; then
LEAVE=1
echo "The mirrors file does not exist or is empty: ${DB_PATH}/mirrors.dat"
echo "Run 'rkhunter --update'" to restore the default mirrors file.
elif [ ! -w "${DB_PATH}/mirrors.dat" ]; then
LEAVE=1
echo "The mirrors file is not writable: ${DB_PATH}/mirrors.dat"
fi
fi
fi
#
# Next we see if the mirrors file is to be updated when
# we use the '--update' option.
#
if [ $UPDATE -eq 1 ]; then
UPDATE_MIRRORS=`get_option single UPDATE_MIRRORS` || exit $?
if [ -n "${UPDATE_MIRRORS}" ]; then
check_is_digit UPDATE_MIRRORS
test $ERRCODE -eq 1 && LEAVE=1
else
UPDATE_MIRRORS=1
fi
fi
#
# Finally, we see which mirrors are to be used.
#
MIRRORS_MODE=`get_option single MIRRORS_MODE` || exit $?
if [ -n "${MIRRORS_MODE}" ]; then
check_is_digit MIRRORS_MODE MIRRORS_MODE 2
test $ERRCODE -eq 1 && LEAVE=1
else
MIRRORS_MODE=0
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_os_info_options() {
#
# This function gets configuration options relating
# to obtaining information about the O/S.
#
# The first part gets the 'release' file pathname
# from the configuration file. There is no default.
#
LEAVE=0
ERRCODE=0
OS_VERSION_FILE=`get_option single OS_VERSION_FILE` || exit $?
if [ -n "${OS_VERSION_FILE}" ]; then
#
# We must have a real pathname for this option. So, if it is a link,
# then we get its real pathname before any further tests.
#
if [ $HAVE_READLINK -eq 1 -a -h "${OS_VERSION_FILE}" ]; then
OS_VERSION_FILE=`${READLINK_CMD} ${READLINK_OPT} "${OS_VERSION_FILE}"`
fi
#
# Check that the given file is usable.
#
check_paths OS_VERSION_FILE OS_VERSION_FILE "EXIST NOWILD NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
if [ ! -r "${OS_VERSION_FILE}" ]; then
LEAVE=1
echo "Invalid OS_VERSION_FILE configuration option: File is not readable: ${OS_VERSION_FILE}"
elif [ ! -s "${OS_VERSION_FILE}" ]; then
LEAVE=1
echo "Invalid OS_VERSION_FILE configuration option: File is empty: ${OS_VERSION_FILE}"
fi
else
LEAVE=1
fi
fi
#
# Next we get the option as to whether we should
# issue a warning when the O/S info changes or not.
#
WARN_ON_OS_CHANGE=`get_option single WARN_ON_OS_CHANGE` || exit $?
if [ -n "${WARN_ON_OS_CHANGE}" ]; then
check_is_digit WARN_ON_OS_CHANGE
test $ERRCODE -eq 1 && LEAVE=1
else
WARN_ON_OS_CHANGE=1
fi
#
# Now get the option as to whether we should automatically run
# a properties update ('--propupd') if the O/S has changed.
#
UPDT_ON_OS_CHANGE=`get_option single UPDT_ON_OS_CHANGE` || exit $?
if [ -n "${UPDT_ON_OS_CHANGE}" ]; then
check_is_digit UPDT_ON_OS_CHANGE
test $ERRCODE -eq 1 && LEAVE=1
else
UPDT_ON_OS_CHANGE=0
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_user_fileprop_list() {
#
# This function gets any user supplied files and directories
# for the file properties check and the properties file update.
# It stores the different types of files and directories
# found in different variables. Only basic syntax checking is
# done here, further checking will be done later on.
#
# The configuration options can have three basic values:
#
# 1) A simple file (command) name - for example, 'top'
# 2) A directory - for example, '/usr/local/sbin'
# 3) A full file pathname - for example, '/usr/local/sbin/backup'
#
# The first two are simply added to the internal lists of files
# and directories. These are then used to build the file properties
# file list. The third type is added directly to the end of the file.
#
# The second and third types may be wildcarded. They may also be
# excluded from the checks by including them in the
# EXCLUDE_USER_FILEPROP_FILES_DIRS option. Only files and directories
# matching user added ones can be excluded. This prevents users from
# excluding anything in the internal list.
# For example: USER_FILEPROP_FILES_DIRS=/opt/b*
# EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/backup
#
LEAVE=0
ERRCODE=0
for WHICH_OPT in USER_FILEPROP_FILES_DIRS EXCLUDE_USER_FILEPROP_FILES_DIRS; do
FILENAMES=`get_option newline-list ${WHICH_OPT}` || exit $?
test -z "${FILENAMES}" && continue
#
# We must first check to see if any of the names are
# simple names but with wildcard characters included.
#
RKHTMPVAR=`echo "${FILENAMES}" | grep '^[^/]*[][?*{}]'`
if [ -n "${RKHTMPVAR}" ]; then
LEAVE=1
# Make a space-separated list but without expanding the wildcards.
RKHTMPVAR=`make_space_list "${RKHTMPVAR}"`
echo "Invalid ${WHICH_OPT} configuration option: Invalid pathname(s): ${RKHTMPVAR}"
fi
#
# Next check the pathnames to ensure they are basically valid.
#
check_paths FILENAMES ${WHICH_OPT} "EXIST"
if [ $ERRCODE -eq 1 ]; then
LEAVE=1
continue
fi
#
# Now expand any wildcards.
#
FNAMES=`expand_paths FILENAMES`
#
# Now we loop through the entries and check them again. They
# are then added to the relevant variable used to build the
# file properties file list.
#
IFS=$IFSNL
for FNAME in ${FNAMES}; do
#
# First check for any files or directories to be excluded.
# We ignore any real checks on the pathnames since it is
# safer if they fail (the relevant files/directories will
# then be included in the file properties checks).
#
if [ "${WHICH_OPT}" = "EXCLUDE_USER_FILEPROP_FILES_DIRS" ]; then
test -z "${USER_EXCLUDE_PROP}" && USER_EXCLUDE_PROP="${FNAME}" || USER_EXCLUDE_PROP="${USER_EXCLUDE_PROP}
${FNAME}"
continue
fi
#
# Now check to see if it is a simple file name.
#
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -z "`echo \"${FNAME}\" | grep '^/'`" ]; then
# Check that the file name hasn't already been set. If it has, then we just ignore it.
if [ -z "`echo \"${USER_SIMPLE_FILE_LIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
test -z "${USER_SIMPLE_FILE_LIST}" && USER_SIMPLE_FILE_LIST="${FNAME}" || USER_SIMPLE_FILE_LIST="${USER_SIMPLE_FILE_LIST}
${FNAME}"
fi
else
# It's an absolute pathname. This could be a file or a directory.
if [ -f "${FNAME}" -o -h "${FNAME}" ]; then
# Check that it hasn't already been set. If it has, then we just ignore it.
test -n "`echo \"${USER_FILE_LIST}\" | grep \"^${FNAMEGREP}$\"`" && continue
if [ -h "${FNAME}" -a $HAVE_READLINK -eq 1 ]; then
RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
if [ -n "${RKHTMPVAR}" ]; then
FNAMEGREP=`echo "${RKHTMPVAR}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -z "`echo \"${USER_FILE_LIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
FNAME="${FNAME}
${RKHTMPVAR}"
fi
elif [ -z "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
LEAVE=1
echo "Invalid ${WHICH_OPT} configuration option: Broken link found: ${FNAME}"
continue
fi
fi
#
# Now add the file name.
#
test -z "${USER_FILE_LIST}" && USER_FILE_LIST="${FNAME}" || USER_FILE_LIST="${USER_FILE_LIST}
${FNAME}"
elif [ -d "${FNAME}" ]; then
if [ -h "${FNAME}" -a $HAVE_READLINK -eq 1 ]; then
RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
if [ -z "${RKHTMPVAR}" ]; then
if [ -z "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
LEAVE=1
echo "Invalid ${WHICH_OPT} configuration option: Broken link found: `name2text \"${FNAME}\"`"
continue
fi
elif [ "${RKHTMPVAR}" = "/" ]; then
LEAVE=1
echo "Invalid ${WHICH_OPT} configuration option: Invalid pathname: `name2text \"${FNAME}\"` -> /"
continue
fi
FNAME="${RKHTMPVAR}"
fi
#
# Check that the name hasn't already been set. If it has, then we just ignore it.
#
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -z "`echo \"${USER_DIR_LIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
test -z "${USER_DIR_LIST}" && USER_DIR_LIST="${FNAME}" || USER_DIR_LIST="${USER_DIR_LIST}
${FNAME}"
fi
fi
fi
done
IFS=$RKHIFS
done
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_properties_options() {
#
# This function gets any configuration options required for
# the file properties check and the properties file update.
#
# For options where filenames are specified, the existence
# of the filename is checked.
#
check_test hashes && HASH_CHECK_ENABLED=1
check_test attributes && HASH_CHECK_ENABLED=1
LEAVE=0
ERRCODE=0
ATTRWHITELIST=""
ATTRWL_OPT=`get_option newline-list ATTRWHITELIST` || exit $?
if [ -n "${ATTRWL_OPT}" ]; then
ATTRWHITELIST=`expand_paths ATTRWL_OPT`
check_paths ATTRWHITELIST ATTRWHITELIST "EXIST"
test $ERRCODE -eq 1 && LEAVE=1
fi
WRITEWHITELIST=""
WRITEWL_OPT=`get_option newline-list WRITEWHITELIST` || exit $?
if [ -n "${WRITEWL_OPT}" ]; then
WRITEWHITELIST=`expand_paths WRITEWL_OPT`
check_paths WRITEWHITELIST WRITEWHITELIST "EXIST"
test $ERRCODE -eq 1 && LEAVE=1
fi
IMMUTWHITELIST=""
IMMUTWL_OPT=`get_option newline-list IMMUTWHITELIST` || exit $?
if [ -n "${IMMUTWL_OPT}" ]; then
IMMUTWHITELIST=`expand_paths IMMUTWL_OPT`
check_paths IMMUTWHITELIST IMMUTWHITELIST "EXIST"
test $ERRCODE -eq 1 && LEAVE=1
fi
IMMUTABLE_SET=`get_option single IMMUTABLE_SET` || exit $?
if [ -n "${IMMUTABLE_SET}" ]; then
check_is_digit IMMUTABLE_SET
test $ERRCODE -eq 1 && LEAVE=1
else
IMMUTABLE_SET=0
fi
SCRIPTWHITELIST=""
SCRIPTWL_OPT=`get_option newline-list SCRIPTWHITELIST` || exit $?
if [ -n "${SCRIPTWL_OPT}" ]; then
SCRIPTWHITELIST=`expand_paths SCRIPTWL_OPT`
check_paths SCRIPTWHITELIST SCRIPTWHITELIST "EXIST"
test $ERRCODE -eq 1 && LEAVE=1
fi
SKIP_INODE_CHECK=`get_option single SKIP_INODE_CHECK` || exit $?
if [ -n "${SKIP_INODE_CHECK}" ]; then
check_is_digit SKIP_INODE_CHECK
test $ERRCODE -eq 1 && LEAVE=1
else
SKIP_INODE_CHECK=0
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_prelink_dep_option() {
#
# This function gets the prelink dependency error option.
# This option is a workaround for any files which persistently
# give a prelinking dependency error.
#
LEAVE=0
ERRCODE=0
RKHTMPVAR=`get_option space-list IGNORE_PRELINK_DEP_ERR` || exit $?
if [ -n "${RKHTMPVAR}" ]; then
RKHTMPVAR=`make_space_list "${RKHTMPVAR}"`
check_paths RKHTMPVAR IGNORE_PRELINK_DEP_ERR "EXIST NOWILD NOBROKENLINK"
if [ $ERRCODE -eq 0 ]; then
PRELINK_DEP_ERR_CMDS=" ${RKHTMPVAR} "
else
LEAVE=1
fi
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_summary_options() {
#
# Get the configuration options for the summary.
#
#
# Get the option to see if we are to show the
# actual number of warnings in the summary.
#
LEAVE=0
ERRCODE=0
SHOW_SUMMARY_WARNINGS_NUMBER=`get_option single SHOW_SUMMARY_WARNINGS_NUMBER` || exit $?
if [ -n "${SHOW_SUMMARY_WARNINGS_NUMBER}" ]; then
check_is_digit SHOW_SUMMARY_WARNINGS_NUMBER
test $ERRCODE -eq 1 && LEAVE=1
else
SHOW_SUMMARY_WARNINGS_NUMBER=0
fi
#
# Get the option to see where, if at all,
# we are to show the summary scan time.
#
SHOW_SUMMARY_TIME=`get_option single SHOW_SUMMARY_TIME` || exit $?
if [ -n "${SHOW_SUMMARY_TIME}" ]; then
check_is_digit SHOW_SUMMARY_TIME SHOW_SUMMARY_TIME ANY
if [ $ERRCODE -eq 0 ]; then
if [ $SHOW_SUMMARY_TIME -gt 3 ]; then
LEAVE=1
echo "Invalid SHOW_SUMMARY_TIME configuration option: not a valid number: ${SHOW_SUMMARY_TIME}"
fi
else
LEAVE=1
fi
else
SHOW_SUMMARY_TIME=3
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_network_options() {
#
# Get any options used for network tests.
#
LEAVE=0
ERRCODE=0
IFWLIST=`get_option space-list ALLOWPROMISCIF` || exit $?
ALLOWPROCLIST_OPT=`get_option newline-list ALLOWPROCLISTEN` || exit $?
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_os_specific_options() {
#
# Get any O/S specific options.
#
LEAVE=0
ERRCODE=0
if [ $LINUXOS -eq 1 ]; then
LKM_PATH=`get_option single MODULES_DIR` || exit $?
if [ -z "${LKM_PATH}" ]; then
LKM_PATH="/lib/modules/${UNAME_R}"
test ! -d "${LKM_PATH}" && LKM_PATH="/lib/modules"
fi
check_paths LKM_PATH MODULES_DIR "NOBROKENLINK NOWILD"
test $ERRCODE -eq 1 && LEAVE=1
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_app_options() {
#
# Get any options used for the application check.
#
LEAVE=0
ERRCODE=0
APP_WHITELIST=""
RKHTMPVAR=`get_option space-list APP_WHITELIST` || exit $?
if [ -n "${RKHTMPVAR}" ]; then
RKHTMPVAR=`echo ${RKHTMPVAR}`
APP_WHITELIST=`echo " ${RKHTMPVAR} " | tr '[:upper:]' '[:lower:]'`
fi
if [ $LEAVE -eq 1 ]; then
if [ $CONFIG_CHECK -eq 0 ]; then
exit 1
else
RET_CODE=1
fi
fi
return
}
get_configfile_options() {
#
# We call separate functions to process each option. The option
# is checked first to see if it has been given on the command-line,
# and, if not, then if it is specified in the configuration file.
# Note that some of these functions are in a specific order. If you
# change them around, then make sure the functions still work
# correctly.
#
get_bindir_option
get_scriptdir_option
#
# Now that we have processed BINDIR, we will recheck the required
# commands.
#
# Before proceeding too far we also check that we have certain
# commands available. Typically these are commands which might
# not have been installed as part of the core system, but are
# used by RKH. These commands are not 'required' though.
#
check_required_commands 2
check_commands
get_installdir_option
get_rootdir_option
get_logfile_option
get_tmpdir_option
get_dbdir_option
get_language_option
get_auto_x_option
get_locking_options
get_shell_options
#
# Some options are only required when checking the system.
#
if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
#
# See if we are only to perform specific tests.
#
get_enable_option
get_disable_option
check_test_options
get_existwl_option
fi
if [ $CHECK -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
get_scanmode_option
get_syslog_option
get_startup_paths_option
get_rtkt_whitelist_options
get_epoch_date_cmd_option
get_phalanx2_option
get_summary_options
get_ipc_options
test $NOMOW -eq 0 && get_mailonwarn_option
if `check_test system_configs`; then
get_ssh_options
get_syslog_config_options
fi
if `check_test filesystem`; then
get_scan_mode_dev_option
get_missing_file_options
get_hidden_options
get_dev_options
fi
check_test trojans && get_xinetd_option
check_test ports || check_test hidden_ports && get_port_options
check_test group_accounts && get_groups_accounts_options
check_test shared_libs && get_shared_lib_whitelist_option
check_test hidden_procs || check_test hidden_ports && get_unhide_options
check_test deleted_files && get_process_options
check_test suspscan && get_suspscan_options
check_test network && get_network_options
check_test os_specific && get_os_specific_options
check_test apps && get_app_options
fi
#
# We only need the hash function option if we are going
# to be checking the system or updating the file
# properties database.
#
if `check_test properties` || test $PROP_UPDATE -eq 1 || test $CONFIG_CHECK -eq 1; then
#
# For the file properties check we need to find out if
# we are a prelinked system, and if so, then find out
# which hash function to use. Secondly, we need to find
# the 'stat' command. Finally, we need to see if the
# user has specified any files or directories for the
# file properties check.
#
get_if_prelinked
get_hash_function
get_os_info_options
get_user_fileprop_list
get_properties_options
fi
#
# If we are doing a file properties update, then we need to
# see if we should be ignoring prelink errors for any files.
#
if [ $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
get_prelink_dep_option
fi
#
# Get any set options when doing an update or version check.
#
if [ $UPDATE -eq 1 -o $VERSIONCHECK -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
get_mirror_options
get_webcmd_option
fi
return
}
get_readable_date() {
#
# This function returns a given epoch second time as a
# human-readable date and time. It sets the READABLE_DATE
# variable.
#
EPOCH_SECS=$1
READABLE_DATE=""
if [ "${EPOCH_DATE_CMD}" = "NONE" ]; then
:
elif [ -n "${EPOCH_DATE_CMD}" ]; then
EPOCH_NOW=`${EPOCH_DATE_CMD} '+%s'`
EPOCH_SECS=`expr $EPOCH_NOW - $EPOCH_SECS`
READABLE_DATE=`${EPOCH_DATE_CMD} --date "$EPOCH_SECS seconds ago" '+%d-%b-%Y %H:%M:%S' 2>/dev/null`
elif [ -n "${PERL_CMD}" ]; then
READABLE_DATE=`${PERL_CMD} -e "@a=split(' ',scalar(localtime($EPOCH_SECS))); printf \"%d-%s-%d %s\",\\$a[2],\\$a[1],\\$a[4],\\$a[3];" 2>/dev/null`
fi
return
}
rkh_dat_set_version() {
#
# This function calculates and writes out the 'Version:' value
# for the rkhunter.dat file. It looks for an old value, and adds
# one to it. If there is no value then simply start at zero.
#
# Note that the new temporary rkhunter.dat file is used.
#
TODAY=`date +%Y%m%d 2>/dev/null`
OLDVER=`grep '^[Vv]ersion:' "${RKHDAT_FILE}" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f2`
if [ -n "${OLDVER}" ]; then
OLDDATE=`echo "${OLDVER}" | cut -c1-8`
OLDVER=`echo "${OLDVER}" | cut -c9-10`
if [ "${OLDVER}" = "99" -o "${OLDDATE}" != "${TODAY}" -o -z "${OLDVER}" -o -n "`echo \"${OLDVER}\" | grep '[^0-9]'`" ]; then
NEWVER="00"
else
NEWVER=`expr ${OLDVER} + 1`
test $NEWVER -lt 10 && NEWVER="0${NEWVER}"
fi
else
NEWVER="00"
fi
echo "Version:${TODAY}${NEWVER}" >>"${RKHDAT_TMPFILE}"
return
}
rkh_dat_get_os_info() {
#
# This function obtains information about the local computer
# system. This is then written into the rkhunter.dat file
# using a simple 'keyword:<value>' format. The OSNAME and
# ARCH values are not important, but are simply used to check
# whether they have changed since RKH was last run.
#
# Obtaining the OSNAME is somewhat tricky. There is no sure
# way of finding the information, so we have to use some tricks
# to locate the correct file. First we look for certain specific
# O/S release files, and then at the /etc/release file, but not
# if it is a link. Next we look for a generic /etc/*-release
# file, again not as a link. This should find most O/S versions.
# Overall this should also save users having to ask us to support
# their O/S. In other cases, we will have to ask what file does
# contain their O/S release information.
#
ARCH=""
OSNAME=""
RELEASE=""
UNAME_S=`uname -s 2>/dev/null`
UNAME_M=`uname -m 2>/dev/null`
if [ -n "${OS_VERSION_FILE}" ]; then
REL_FILES="${OS_VERSION_FILE}"
else
REL_FILES="/etc/system-release /etc/os-release /usr/lib/os-release /etc/lsb-release /etc/debian_version /etc/devuan_version /etc/slackware-version /var/ipcop/general-functions.pl /etc/lunar.release /etc/ROCK-VERSION /etc/GoboLinuxVersion /etc/kanotix-version /etc/sidux-version /etc/knoppix-version /etc/zenwalk-version /etc/release /etc/*-release"
fi
RKH_LSB_SEEN=0
for FNAME in ${REL_FILES}; do
test ! -f "${FNAME}" && continue
if [ "${FNAME}" = "/etc/system-release" ]; then
RKH_IN_LSB=0
RELEASE=$FNAME
OSNAME=`cat "${FNAME}"`
break
elif [ ! -h "${FNAME}" ]; then
RELEASE=$FNAME
RKH_IN_LSB=0
case "${RELEASE}" in
/etc/os-release|/usr/lib/os-release)
OSNAME=`grep '^PRETTY_NAME=' "${RELEASE}" | sed -e 's/PRETTY_NAME=//' | tr -d '"'`
if [ -z "${OSNAME}" ]; then
RKHTMPVAR=`grep '^NAME=' "${RELEASE}" | sed -e 's/NAME=//'`;
RKHTMPVAR2=`grep '^VERSION=' "${RELEASE}" | sed -e 's/VERSION=//' | tr -d '"'`;
if [ -z "${RKHTMPVAR2}" ]; then
RKHTMPVAR2=`grep '^VERSION_ID=' "${RELEASE}" | sed -e 's/VERSION_ID=//' | tr -d '"'`;
fi
OSNAME="${RKHTMPVAR} ${RKHTMPVAR2}"
fi
;;
/etc/lsb-release)
RKH_IN_LSB=1
RKH_LSB_SEEN=1
OSNAME=`grep '^DISTRIB_DESCRIPTION=' "${RELEASE}" | sed -e 's/DISTRIB_DESCRIPTION=//' | tr -d '"'`
;;
/etc/gentoo-release)
if [ -h "/etc/make.profile" ]; then
OSNAME="Gentoo `ls -l /etc/make.profile 2>/dev/null | sed -e 's;^.*/\([^/]*/[^/]*\)$;\1;' | tr '/' ' '`"
else
OSNAME="Gentoo"
fi
;;
/var/ipcop/general-functions.pl)
OSNAME=`grep 'version *=' "${RELEASE}" 2>/dev/null | head ${HEAD_OPT}1`
;;
/etc/debian_version)
OSNAME="Debian `cat \"${RELEASE}\"`"
;;
/etc/devuan_version)
OSNAME="Devuan `cat \"${RELEASE}\"`"
;;
/etc/GoboLinuxVersion)
OSNAME="GoboLinux `cat \"${RELEASE}\"`"
;;
/etc/knoppix-version)
OSNAME="Knoppix `cat \"${RELEASE}\"`"
;;
/etc/zenwalk-version)
OSNAME="Zenwalk `cat \"${RELEASE}\"`"
;;
*)
OSNAME=`${AWK_CMD} '/^[ ]*[^ ]/ { print $0 }' "${RELEASE}" 2>/dev/null | head ${HEAD_OPT}1`
;;
esac
#
# Strip out any leading blanks and tabs from the O/S version.
#
test -n "${OSNAME}" && OSNAME=`echo ${OSNAME}`
#
# If we have a release file but it seems to be blank,
# and we are not looking at the LSB release file, then
# we take a look for the first non-blank line. We
# then, again, strip out any leading blanks and tabs.
#
if [ $RKH_IN_LSB -eq 0 -a -z "${OSNAME}" ]; then
OSNAME=`${AWK_CMD} '/^[ ]*[^ ]/ { print $0 }' "${RELEASE}" 2>/dev/null | head ${HEAD_OPT}1`
OSNAME=`echo ${OSNAME}`
fi
test -n "${OSNAME}" && break
fi
done
if [ -z "${OSNAME}" ]; then
RELEASE=""
if [ -d "/var/smoothwall" ]; then
OSNAME="Smoothwall Linux"
RELEASE="/var/smoothwall"
elif [ -n "`which sorcery 2>/dev/null | grep -v ' '`" -a -n "`which gaze 2>/dev/null | grep -v ' '`" ]; then
OSNAME="Source Mage Linux"
fi
fi
case "${OPERATING_SYSTEM}" in
SunOS)
ARCH=`uname -p 2>/dev/null`
;;
FreeBSD|DragonFly)
ARCH=`sysctl -n hw.machine_arch 2>/dev/null`
OSNAME=`uname -v 2>/dev/null | cut -d' ' -f1,2`
;;
OpenBSD)
OSNAME="OpenBSD ${UNAME_R}"
;;
Darwin)
OSNAME=`sw_vers 2>/dev/null | grep '^ProductName:' | sed -e 's/ProductName:[ ]*//'`
OSNAME="${OSNAME} `sw_vers 2>/dev/null | grep '^ProductVersion:' | sed -e 's/ProductVersion:[ ]*//'`"
# OSNAME="${OSNAME} `sysctl kern.version 2>/dev/null | sed -e 's/^kern.version = //' | cut -d: -f1`"
if [ -n "`sysctl -a 2>/dev/null | egrep '^(hw\.optional\.x86_64|hw\.optional\.64bitops|hw\.cpu64bit_capable).*1$'`" ]; then
OSNAME="${OSNAME} (64-bit capable)"
fi
;;
AIX)
ARCH=`uname -p 2>/dev/null`
OSNAME="IBM AIX `oslevel 2>/dev/null`"
;;
IRIX*)
OSNAME="${OPERATING_SYSTEM} ${UNAME_R}"
;;
esac
#
# If the O/S name seems to be a string of numbers, then forget we saw it.
#
test -n "`echo \"${OSNAME}\" | grep '^[0-9._-][0-9._-]*$'`" && OSNAME=""
#
# If we still have no O/S version information, then as a last
# resort we will look to see if an 'issue' file exists or use
# whatever is in the LSB release file. We test these last because
# they are not necessarily reliable in providing the O/S version.
#
if [ -z "${OSNAME}" ]; then
if [ -f "/etc/issue" ]; then
OSNAME=`${AWK_CMD} '/^[ ]*[^ \\\]/ { print $0 }' /etc/issue 2>/dev/null | head ${HEAD_OPT}1`
#
# Modify or remove the escape sequences seen in the file.
#
OSNAME=`echo "${OSNAME}" | sed -e "s/\\\\\s/${UNAME_S}/g; s/\\\\\r/${UNAME_R}/g; s/\\\\\m/${UNAME_M}/g"`
OSNAME=`echo "${OSNAME}" | sed -e 's/ (*\\\[^ ]*//g'`
OSNAME=`echo ${OSNAME}`
test -n "${OSNAME}" && RELEASE="/etc/issue"
fi
if [ $RKH_LSB_SEEN -eq 1 -a -z "${OSNAME}" ]; then
OSNAME=`${AWK_CMD} '/^[ ]*[^ ]/ { print $0 }' /etc/lsb-release 2>/dev/null | head ${HEAD_OPT}1`
OSNAME=`echo ${OSNAME}`
test -n "${OSNAME}" && RELEASE="/etc/lsb-release"
fi
fi
#
# If some things have still not been set, then set them now.
#
test -z "${ARCH}" && ARCH="${UNAME_M}"
test -z "${OSNAME}" && OSNAME="`uname` ${UNAME_R}"
return
}
rkh_dat_set_file_properties() {
#
# This function obtains various bits of information about the files to
# be checked. The current format in the rkhunter.dat file is:
#
# File:<colon count>:<pathname>:<hash value>:<inode>:<permissions>:
# <uid>:<gid>:<file size>:<date/time modified>:<package name>:
# <symbolic link colon count>:<symbolic link target>
#
# The format is actually governed by the stat.pl file, and the output
# it produces. Changing the order of options does not change the order
# of the output.
#
# To save time in the loops below, we determine the exact commands
# required before using them.
#
NODATFILE=0
NOHASH_COUNT=0
BROKEN_LINK_COUNT=0
PROP_FILE_LIST_COUNT=0
PROP_FILE_PROPOPT_COUNT=0
DIR_FILE_COUNT=""
display --to LOG --type PLAIN SET_FILE_PROP_START
if ! `check_test attributes` && test $ENDIS_OPT -eq 0; then
SCMD=""
INODECMD=""
elif [ -z "${STAT_CMD}" ]; then
SCMD=""
INODECMD=""
else
if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
if [ "${PKGMGR}" = "SOLARIS" ]; then
SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --mtime"
else
SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --Mtime"
fi
INODECMD="${STAT_CMD} --modeoct --raw --ino"
elif [ $BSDOS -eq 1 -o $MACOSX -eq 1 ]; then
SCMD="${STAT_CMD} -f '%i %Mp%Lp %u %g %z %m:'"
INODECMD="${STAT_CMD} -f '%i'"
else
SCMD="${STAT_CMD} -c '%i 0%a %u %g %s %Y:'"
INODECMD="${STAT_CMD} -c '%i'"
fi
fi
if ! `check_test hashes` && test $ENDIS_OPT -eq 0; then
HASH_CMD=""
elif [ -z "${PKGMGR}" -a "${HASH_FUNC}" = "NONE" ]; then
HASH_CMD=""
else
HASH_CMD="${HASH_FUNC}"
fi
#
# Next dig out the old file format version. We may need this if
# we are only updating one file and the format has changed.
#
if [ -s "${RKHDAT_FILE}" ]; then
OLD_FMTVERSION=`grep '^FormatVersion:' "${RKHDAT_FILE}" 2>/dev/null | cut -d: -f2`
test -z "${OLD_FMTVERSION}" && OLD_FMTVERSION=0
else
NODATFILE=1
fi
#
# Now loop through the pathnames looking for the files.
#
# We must set IFS around this loop, otherwise any names in the file
# properties list containing whitespace will be separated out.
# However, because IFS interacts with some commands, executed via
# backticks, we must then reset IFS for the duration of the loop
# and set it again at the end of the loop. It's messy, but it works.
#
IFS=$IFSNL
for FNAME in `cat "${RKH_FILEPROP_LIST}"`; do
test ! -f "${FNAME}" -a ! -h "${FNAME}" && continue
FDATA=""
SYSLNK=""
SYSHASH=""
PKGNAME=""
FNAMEGREP=""
RPM_QUERY_RESULT=""
SYSLNK_CC=0
NOVRFYFILE=0
COLON_COUNT=0
FILE_IS_PKGD=0
DEPENDENCY_ERR=0
IFS=$RKHIFS
PROP_FILE_LIST_COUNT=`expr ${PROP_FILE_LIST_COUNT} + 1`
#
# Set up some variables here based on the file name. We will
# need them later on.
#
COLON_COUNT=`echo "${FNAME}" | tr -c -d ':' | wc -c | tr -d ' '`
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
#
# Test to see if we are looking for specific files or not.
#
if [ -n "${PROPUPD_OPT}" ]; then
#
# If we are looking for specific files, then just copy the
# entries from the current rkhunter.dat file for the files
# we aren't looking for. For the ones we do want, we fall
# through and process them as before.
#
if [ $NODATFILE -eq 0 ]; then
if [ -z "`echo \"${PROPUPD_OPT}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $OLD_FMTVERSION -eq 0 ]; then
RKHTMPVAR=`grep "^File:${FNAMEGREP}:" "${RKHDAT_FILE}"`
else
RKHTMPVAR=`grep "^File:${COLON_COUNT}:${FNAMEGREP}:" "${RKHDAT_FILE}"`
fi
if [ -n "${RKHTMPVAR}" ]; then
echo "${RKHTMPVAR}" >>"${RKHDAT_TMPFILE}"
IFS=$IFSNL
continue
fi
fi
fi
PROP_FILE_PROPOPT_COUNT=`expr ${PROP_FILE_PROPOPT_COUNT} + 1`
fi
#
# Sort out the directory counters.
#
test -n "${DIRNAME_CMD}" && DIR=`${DIRNAME_CMD} "${FNAME}"` || DIR=`echo "${FNAME}" | sed -e 's:/[^/]*$::'`
RKHTMPVAR2=`echo "${DIR}" | sed -e 's/\./\\\./g'`
RKHTMPVAR=`echo "${DIR_FILE_COUNT}" | grep "^${RKHTMPVAR2}:"`
if [ -z "${RKHTMPVAR}" ]; then
DIR_FILE_COUNT="${DIR_FILE_COUNT}
${DIR}:1"
else
RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^.*:\([0-9]*\)$/\1/'`
RKHTMPVAR=`expr ${RKHTMPVAR} + 1`
DIR_FILE_COUNT=`echo "${DIR_FILE_COUNT}" | sed -e "s;^\(${DIR}:\).*;\1${RKHTMPVAR};"`
fi
#
# See if the file is to be exempt from any package manager verification.
#
if [ -n "`echo \"${PKGMGRNOVRFY}\" | grep \"^${FNAMEGREP}$\"`" ]; then
NOVRFYFILE=1
fi
#
# Now start to get the file info by seeing if we are using a
# package manager. If we are, then get the package name and
# any other info we can except the hash value. That will be
# dealt with afterwards.
#
case "${PKGMGR}" in
RPM)
#
# First see if the file is exempt or belongs to a package.
#
if [ $NOVRFYFILE -eq 0 ]; then
RKHTMPVAR=`${RPM_CMD} -qf "${FNAME}" --queryformat '%{NAME}\n' 2>/dev/null`
ERRCODE=$?
if [ $ERRCODE -eq 0 ]; then
#
# Okay we have a package name.
#
FILE_IS_PKGD=1
PKGNAME=`echo "${RKHTMPVAR}" | tail ${TAIL_OPT}1`
RPM_QUERY_RESULT_ARCH=`${RPM_CMD} -qf --queryformat '[%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{=ARCH}:%{FILELINKTOS}:%{FILENAMES}\n]' "${FNAME}" 2>/dev/null | grep ":${FNAMEGREP}\$"`
ERRCODE=$?
#
# The error code actually refers to the 'grep' command above. If the
# file is not found in the package, then this is probably due to the
# 'bin' directory being a link. So we change the filename, and retest.
#
if [ $ERRCODE -eq 1 -a $BINISLINK -eq 1 ]; then
if [ -n "`echo \"$FNAME\" | grep '^\/usr\/'`" ]; then
RKHTMPVAR3=`echo "$FNAMEGREP" | sed -e 's:^/usr::'`
else
RKHTMPVAR3="/usr${FNAMEGREP}"
fi
RPM_QUERY_RESULT_ARCH=`${RPM_CMD} -qf --queryformat '[%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{=ARCH}:%{FILELINKTOS}:%{FILENAMES}\n]' "${FNAME}" 2>/dev/null | grep ":${RKHTMPVAR3}\$"`
ERRCODE=$?
fi
if [ $ERRCODE -eq 0 ]; then
#
# If multiple packages claim the same file, we
# use the last one in the list. However, if we
# have 64-bit as well as 32-bit packages, then
# we use the 64-bit package in preference (as
# this is what RPM does).
#
RPM_QUERY_RESULT=`echo "${RPM_QUERY_RESULT_ARCH}" | egrep ':(x86_64|ia64):' 2>/dev/null | tail ${TAIL_OPT}1`
test -z "${RPM_QUERY_RESULT}" && RPM_QUERY_RESULT=`echo "${RPM_QUERY_RESULT_ARCH}" | tail ${TAIL_OPT}1`
FPERM="0`echo \"${RPM_QUERY_RESULT}\" | cut -d: -f1 | cut -c 3-`"
FPERM=`echo "${FPERM}" | sed -e 's/^00/0/'`
RKHUID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f2`
RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`
RKHGID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f3`
RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`
RKHSIZE=`echo "${RPM_QUERY_RESULT}" | cut -d: -f4`
RKHDTM=`echo "${RPM_QUERY_RESULT}" | cut -d: -f5`
if [ -h "${FNAME}" ]; then
test -n "${DIRNAME_CMD}" && DIR=`${DIRNAME_CMD} "${FNAME}"` || DIR=`echo "${FNAME}" | sed -e 's:/[^/]*$::'`
SYSLNK=`echo "${RPM_QUERY_RESULT}" | cut -d: -f8`
SYSLNK="${DIR}/${SYSLNK}"
# This ensures the link target has things like '..' removed.
test $HAVE_READLINK -eq 1 && SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${SYSLNK}"`
fi
#
# Now get the inode value directly from the disk,
# but only if prelinking is not being used.
#
RKHTMPVAR2=""
if [ $PRELINKED -eq 0 -a -n "${INODECMD}" ]; then
RKHTMPVAR2=`eval ${INODECMD} "\"${FNAME}\"" 2>/dev/null | tr -d ' '`
fi
FDATA="${RKHTMPVAR2}:${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}"
else
NOHASH_COUNT=`expr $NOHASH_COUNT + 1`
display --to LOG --type INFO CMD_ERROR "rpm -qf --queryformat... ${FNAME}" $ERRCODE
fi
fi
fi
;;
DPKG)
#
# First see if the file is exempt or part of a known package.
#
if [ $NOVRFYFILE -eq 1 ]; then
ERRCODE=1
else
RKHTMPVAR=`${DPKG_CMD} --search "${FNAME}" 2>/dev/null`
ERRCODE=$?
fi
if [ $ERRCODE -eq 0 ]; then
#
# Now we sort out the base part of the package name.
#
PKGNAME=`echo "${RKHTMPVAR}" | tail ${TAIL_OPT}1 | cut -d: -f1`
fi
;;
BSD)
#
# First see if the file is exempt or part of a known package.
#
PKGNAME=""
if [ $NOVRFYFILE -eq 0 ]; then
RKHTMPVAR=`${PKG_CMD} -F -e "${FNAME}" 2>/dev/null`
ERRCODE=$?
if [ $ERRCODE -ne 0 ]; then
#
# It may be that we need to use the '-W' option instead.
#
RKHTMPVAR=`${PKG_CMD} -q -W "${FNAME}" 2>/dev/null`
ERRCODE=$?
fi
if [ $ERRCODE -eq 0 -a -n "${RKHTMPVAR}" ]; then
PKGNAME=`echo "${RKHTMPVAR}" | tail ${TAIL_OPT}1`
fi
fi
;;
BSDNG)
#
# First see if the file is exempt or part of a known package.
#
if [ $NOVRFYFILE -eq 1 ]; then
ERRCODE=1
else
RKHTMPVAR=`${PKG_CMD} which -q "${FNAME}" 2>/dev/null`
ERRCODE=$?
fi
test $ERRCODE -eq 0 && PKGNAME="${RKHTMPVAR}" || PKGNAME=""
;;
SOLARIS)
#
# First see if the file is exempt or belongs to a package.
#
if [ $NOVRFYFILE -eq 1 ]; then
ERRCODE=1
else
RKHTMPVAR=`grep "^${FNAMEGREP} " /var/sadm/install/contents 2>/dev/null`
test -n "${RKHTMPVAR}" && ERRCODE=0 || ERRCODE=1
fi
if [ $ERRCODE -eq 0 ]; then
#
# Okay we have a package name.
#
PKGNAME=`echo "${RKHTMPVAR}" | cut -d' ' -f10-`
FPERM=`echo "${RKHTMPVAR}" | cut -d' ' -f4`
RKHUID=`echo "${RKHTMPVAR}" | cut -d' ' -f5`
RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`
RKHGID=`echo "${RKHTMPVAR}" | cut -d' ' -f6`
RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`
RKHSIZE=`echo "${RKHTMPVAR}" | cut -d' ' -f7`
if [ $USE_SUNSUM -eq 1 ]; then
# Treat this as a fully packaged file.
FILE_IS_PKGD=1
SYSHASH=`echo "${RKHTMPVAR}" | cut -d' ' -f8`
fi
RKHDTM=`echo "${RKHTMPVAR}" | cut -d' ' -f9`
#
# Now get the inode value.
#
RKHTMPVAR2=""
test -n "${INODECMD}" && RKHTMPVAR2=`eval ${INODECMD} "\"${FNAME}\"" 2>/dev/null | tr -d ' '`
FDATA="${RKHTMPVAR2}:${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}"
fi
;;
esac
if [ -n "${HASH_CMD}" ]; then
if [ -n "`echo \"${PRELINK_DEP_ERR_CMDS}\" | grep \" ${FNAMEGREP} \"`" ]; then
FILE_IS_PKGD=1
SYSHASH="ignore-prelink-dep-err"
display --to LOG --type INFO FILE_PROP_IGNORE_PRELINK_DEP_ERR "`name2text \"${FNAME}\"`"
else
case "${PKGMGR}" in
RPM)
test $FILE_IS_PKGD -eq 1 && SYSHASH=`echo "${RPM_QUERY_RESULT}" | cut -d: -f6`
;;
DPKG)
#
# If we have a package name, then strip off the leading
# '/' from the pathname, and then get the hash value.
#
if [ -n "${PKGNAME}" ]; then
if [ -f "/var/lib/dpkg/info/${PKGNAME}.md5sums" ]; then
FILNAM=`echo "${FNAME}" | sed -e 's:^/::; s:\.:\\\.:g'`
SYSHASH=`egrep "( |\./)${FILNAM}\$" "/var/lib/dpkg/info/${PKGNAME}.md5sums" 2>/dev/null | cut -d' ' -f1`
test -n "${SYSHASH}" && FILE_IS_PKGD=1
fi
fi
;;
BSD)
#
# If we have a package name, then strip off the leading '/usr/pkg/' or
# '/usr/local/' from the pathname, and then get the hash value.
#
if [ -n "${PKGNAME}" ]; then
FILNAM=`echo "${FNAME}" | sed -e 's:^/usr/pkg/::; s:^/usr/local/::; s:\.:\\\.:g'`
SYSHASH=`${PKG_CMD} -v -L "${PKGNAME}" 2>/dev/null | grep -A 1 "File: ${FILNAM}\$" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f3`
test -n "${SYSHASH}" && FILE_IS_PKGD=1
fi
;;
BSDNG)
#
# If we have a package name, then get the hash value.
#
if [ -n "${PKGNAME}" ]; then
SYSHASH=`${PKG_CMD} query '%Fp: %Fs' ${PKGNAME} 2>/dev/null | grep "^${FNAME}: " 2>/dev/null | sed -r -e 's/^.*: (1\\$)?([A-Fa-f0-9]+)$/\2/'`
test -n "${SYSHASH}" && FILE_IS_PKGD=1
fi
;;
SOLARIS)
#
# If we are to use the stored 16-bit checksum, then
# SYSHASH will already have been set above. Otherwise,
# just calculate the hash as for non-packaged files.
#
;;
esac
fi
if [ $FILE_IS_PKGD -eq 0 ]; then
if [ "${HASH_CMD}" != "NONE" ]; then
SYSHASH=""
RKHTMPVAR=`${HASH_CMD} "${FNAME}" 2>&1`
if [ -n "`echo \"${RKHTMPVAR}\" | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
DEPENDENCY_ERR=1
RKHTMPVAR=`echo "${RKHTMPVAR}" | tr '\n' ':' | sed -e 's/:$//'`
else
SYSHASH=`echo "${RKHTMPVAR}" | cut -d' ' -f $HASH_FLD_IDX | grep '^[0-9a-fA-F]*$'`
fi
fi
if [ -z "${SYSHASH}" ]; then
if [ "${HASH_CMD}" = "NONE" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_NO_PKGMGR_FILE "`name2text \"${FNAME}\"`"
fi
elif [ -h "${FNAME}" -a ! -e "${FNAME}" ]; then
if [ $HAVE_READLINK -eq 1 ]; then
SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
RKHTMPVAR="${SYSLNK}"
RKHTMPVAR2=`echo "${SYSLNK}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
else
RKHTMPVAR=""
fi
# Check the link target to see if it is whitelisted.
if [ $HAVE_READLINK -eq 1 -a -n "`echo \"${EXISTWHITELIST}\" | grep \"^${RKHTMPVAR2}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_BROKEN_LINK_WL_TGT "`name2text \"${FNAME}\"`" "`name2text \"${RKHTMPVAR}\"`"
fi
else
# Treat a broken link simply as a file with no hash.
BROKEN_LINK_COUNT=`expr ${BROKEN_LINK_COUNT} + 1`
display --to LOG --type WARNING FILE_PROP_NO_SYSHASH "`name2text \"${FNAME}\"`"
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_BL "`name2text \"${FNAME}\"`" "`name2text \"${RKHTMPVAR}\"`"
fi
else
NOHASH_COUNT=`expr ${NOHASH_COUNT} + 1`
display --to LOG --type WARNING FILE_PROP_NO_SYSHASH "`name2text \"${FNAME}\"`"
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_CMD "${RKHTMPVAR}"
if [ $DEPENDENCY_ERR -eq 1 ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_DEPENDENCY "`name2text \"${FNAME}\"`"
fi
fi
fi
fi
fi
if [ -h "${FNAME}" -a -z "${SYSLNK}" ]; then
test $HAVE_READLINK -eq 1 && SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
fi
if [ -z "${SCMD}" ]; then
FDATA=":::::"
else
if [ -z "${FDATA}" ]; then
FDATA=`eval ${SCMD} "\"${FNAME}\"" 2>/dev/null | tr ' ' ':' | sed -e 's/:$//'`
if [ -z "${FDATA}" ]; then
FDATA=":::::"
elif [ -n "`echo ${FDATA} | grep '^[^:]*:0[0-9][0-9][0-9][0-9]:'`" ]; then
# Ensure the file permissions consist of only 4 digits.
FDATA=`echo $FDATA | sed -e 's/^\([^:]*:\)0\(.*\)$/\1\2/'`
fi
fi
fi
# Check if the symbolic link has any colon characters in it.
SYSLNK_CC=`echo "${SYSLNK}" | tr -c -d ':' | wc -c | tr -d ' '`
echo "File:${COLON_COUNT}:${FNAME}:${SYSHASH}:${FDATA}:${PKGNAME}:${SYSLNK_CC}:${SYSLNK}:" >>"${RKHDAT_TMPFILE}"
IFS=$IFSNL
done
IFS=$RKHIFS
#
# Display the number of files found in the directories.
#
for DIR in ${DIR_FILE_COUNT}; do
test -z "${DIR}" && continue
RKHTMPVAR=`echo $DIR | cut -d: -f1`
RKHTMPVAR2=`echo $DIR | cut -d: -f2`
display --to LOG --type INFO SET_FILE_PROP_DIR_FILE_COUNT $RKHTMPVAR2 "${RKHTMPVAR}"
done
#
# Finally put the new file in place.
#
if [ -f "${RKHDAT_FILE}" ]; then
RKHTMPVAR="updated"
else
RKHTMPVAR="created"
fi
test $NOHASH_COUNT -gt 0 -o $BROKEN_LINK_COUNT -gt 0 && RET_CODE=1
# Don't display messages if this is an automatic update.
if [ $OS_CHANGED -eq 1 -a $UPDT_ON_OS_CHANGE -eq 1 ]; then
:
else
if [ $NOHASH_COUNT -eq 0 ]; then
if [ $BROKEN_LINK_COUNT -eq 0 ]; then
if [ -n "${PROPUPD_OPT}" ]; then
display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_PROPOPT "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT
else
display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT
fi
else
if [ -n "${PROPUPD_OPT}" ]; then
display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_PROPOPT_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT $BROKEN_LINK_COUNT
else
display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT $BROKEN_LINK_COUNT
fi
fi
else
if [ $BROKEN_LINK_COUNT -eq 0 ]; then
if [ -n "${PROPUPD_OPT}" ]; then
display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH_PROPOPT "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT $NOHASH_COUNT
else
display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT $NOHASH_COUNT
fi
else
if [ -n "${PROPUPD_OPT}" ]; then
display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH_PROPOPT_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT $NOHASH_COUNT $BROKEN_LINK_COUNT
else
display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT $NOHASH_COUNT $BROKEN_LINK_COUNT
fi
fi
fi
fi
return
}
create_rkh_file_prop_list() {
#
# This function creates the file of pathnames
# used for the file properties check.
#
get_temp_file "${RKHTMPDIR}/rkh_prop_list.new"
touch "${TEMPFILE}"
IFS=$IFSNL
for DIR in ${PROP_DIR_LIST}; do
for FNAME in ${PROP_FILE_LIST}; do
echo "${DIR}/${FNAME}" >>"${TEMPFILE}"
done
done
#
# Now we add any user specified absolute
# pathnames to be included in the list.
#
if [ -n "${USER_FILE_LIST}" ]; then
for FNAME in ${USER_FILE_LIST}; do
#
# We must exclude any user requested files or directories.
#
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "${USER_EXCLUDE_PROP}" ]; then
test -n "`echo \"${USER_EXCLUDE_PROP}\" | grep \"^${FNAMEGREP}$\"`" && continue
fi
test -z "`grep \"^${FNAMEGREP}$\" "${TEMPFILE}" 2>/dev/null`" && echo "${FNAME}" >>"${TEMPFILE}"
done
fi
IFS=$RKHIFS
cp -f "${TEMPFILE}" "${RKH_FILEPROP_LIST}" >/dev/null 2>&1
chmod 600 "${RKH_FILEPROP_LIST}" >/dev/null 2>&1
rm -f "${TEMPFILE}" >/dev/null 2>&1
return
}
get_old_prop_attrs() {
#
# This function simply determines some of the attributes
# used when the file properties database was created.
#
FNAME=$1
test -z "${FNAME}" -o ! -f "${FNAME}" && return
if [ -s "${FNAME}" ]; then
OLD_HASH_FUNC=`grep '^Hash:' "${FNAME}" | cut -d: -f2-`
OLD_PKGMGR=`grep '^Pkgmgr:' "${FNAME}" | cut -d: -f2`
OLD_ATTRUPD=`grep '^Attributes:' "${FNAME}" | cut -d: -f2`
fi
return
}
do_prop_update() {
#
# This function updates the local hosts rkhunter.dat file
# with O/S information and file properties.
#
display --to LOG --type INFO --nl PROPUPD_START
#
# First we need to get a temporary file name to use.
#
get_temp_file "${RKHTMPDIR}/rkhunter.dat"
RKHDAT_TMPFILE="${TEMPFILE}"
touch "${RKHDAT_TMPFILE}"
display --to LOG --type INFO CREATED_TEMP_FILE "${RKHDAT_TMPFILE}"
#
# We now start to write out information about this system
# to the file. Some information we already have available,
# but for others we call functions to obtain what is wanted.
#
rkh_dat_set_version
display --to LOG --type PLAIN PROPUPD_OSINFO_START
rkh_dat_get_os_info
echo "Host:${HOST_NAME}" >>"${RKHDAT_TMPFILE}"
if [ -n "${ARCH}" ]; then
echo "Arch:${ARCH}" >>"${RKHDAT_TMPFILE}"
display --to LOG --type INFO PROPUPD_ARCH_FOUND "${ARCH}"
fi
if [ -n "${RELEASE}" ]; then
display --to LOG --type INFO PROPUPD_REL_FILE "${RELEASE}"
else
RKHTMPVAR=`ls -ld /etc/*release* /etc/*version* 2>/dev/null | tr '\n' ' '`
if [ -n "${RKHTMPVAR}" ]; then
display --to LOG --type INFO PROPUPD_NO_REL_FILE
display --to LOG --type PLAIN NAME " ${RKHTMPVAR}"
else
display --to LOG --type INFO PROPUPD_NO_REL_FILE_NO_OUTPUT
fi
fi
if [ -n "${OSNAME}" ]; then
echo "OS:${OSNAME}" >>"${RKHDAT_TMPFILE}"
display --to LOG --type INFO PROPUPD_OSNAME_FOUND "${OSNAME}"
fi
if [ $PRELINKED -eq 0 ]; then
echo "Prelinked:No" >>"${RKHDAT_TMPFILE}"
else
echo "Prelinked:Yes" >>"${RKHDAT_TMPFILE}"
fi
#
# We do not want to bother storing the file hashes or other attibutes
# if the user has disabled these tests permanently. However, to do
# this we must check whether the relevant test is enabled or not, and
# that the --enable/--disable command-line options have not been used.
#
if ! `check_test hashes` && test $ENDIS_OPT -eq 0; then
echo "Hash:Disabled" >>"${RKHDAT_TMPFILE}"
elif [ -n "${PRELINK_HASH}" ]; then
echo "Hash:${PRELINK_HASH}" >>"${RKHDAT_TMPFILE}"
else
echo "Hash:${HASH_FUNC}" >>"${RKHDAT_TMPFILE}"
fi
echo "Pkgmgr:${PKGMGR}" >>"${RKHDAT_TMPFILE}"
if ! `check_test attributes` && test $ENDIS_OPT -eq 0; then
echo "Attributes:Disabled" >>"${RKHDAT_TMPFILE}"
elif [ -z "${STAT_CMD}" ]; then
echo "Attributes:Nostatcmd" >>"${RKHDAT_TMPFILE}"
else
echo "Attributes:Stored" >>"${RKHDAT_TMPFILE}"
fi
echo "FormatVersion:1" >>"${RKHDAT_TMPFILE}"
#
# Before we get the actual file properties we need
# to write out the current list of pathnames.
#
create_rkh_file_prop_list
#
# Next get the file properties.
#
rkh_dat_set_file_properties
#
# We now need to record the hash function and
# package manager as if they were the old values.
#
get_old_prop_attrs "${RKHDAT_TMPFILE}"
#
# Now put the new rkhunter.dat file in place.
#
cp -f -p "${RKHDAT_FILE}" "${RKHDAT_FILE}.old" >/dev/null 2>&1
cp -f "${RKHDAT_TMPFILE}" "${RKHDAT_FILE}" >/dev/null 2>&1
ERRCODE=$?
if [ $ERRCODE -ne 0 ]; then
RET_CODE=1
display --to LOG --type INFO CMD_ERROR "cp ${RKHDAT_TMPFILE} ${RKHDAT_FILE}" $ERRCODE
display --to SCREEN+LOG --type WARNING PROPUPD_ERROR $ERRCODE
else
display --to LOG --type INFO PROPUPD_NEW_DAT_FILE "${DB_PATH}"
fi
chmod 600 "${RKHDAT_FILE}" >/dev/null 2>&1
rm -f "${RKHDAT_TMPFILE}" >/dev/null 2>&1
return
}
get_next_mirror() {
#
# This function will obtain the next mirror in the mirrors file
# if no mirror is currently being used. It then optionally
# rotates the mirrors in the file.
#
#
# Return if there is no mirrors file.
#
if [ ! -f "${DB_PATH}/mirrors.dat" ]; then
display --to LOG --type INFO MIRRORS_NO_FILE "${DB_PATH}/mirrors.dat"
return
fi
#
# Return if there are no defined mirrors.
#
case $MIRRORS_MODE in
0)
MIRROR=`egrep -i '^(local|remote|mirror)=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}1`
;;
1)
MIRROR=`egrep -i '^local=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}1`
;;
2)
MIRROR=`egrep -i '^remote=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}1`
;;
esac
if [ -z "${MIRROR}" ]; then
display --to LOG --type INFO MIRRORS_NO_MIRRORS "${DB_PATH}/mirrors.dat"
return
fi
#
# If we are not rotating the mirrors, then we need to calculate
# which one to use next in the list. Return when we have done that.
#
if [ $ROTATE_MIRRORS -eq 0 ]; then
N=`expr $TOTAL_MIRRORS - $MIRROR_COUNT`
case $MIRRORS_MODE in
0)
MIRROR=`egrep -i '^(local|remote|mirror)=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}$N | tail ${TAIL_OPT}1 | cut -d= -f2-`
;;
1)
MIRROR=`egrep -i '^local=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}$N | tail ${TAIL_OPT}1 | cut -d= -f2-`
;;
2)
MIRROR=`egrep -i '^remote=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | head ${HEAD_OPT}$N | tail ${TAIL_OPT}1 | cut -d= -f2-`
;;
esac
return
fi
#
# Now get the version number of the mirrors file. If the version
# does not exist or is corrupt, then we reset it to zero. This
# then allows the file to be updated next time the '--update'
# option is used.
#
MIRRORSVERSION=`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' "${DB_PATH}/mirrors.dat" 2>/dev/null | tail ${TAIL_OPT}1`
if [ -z "${MIRRORSVERSION}" ]; then
display --to LOG --type INFO MIRRORS_NO_VERSION "${DB_PATH}/mirrors.dat"
MIRRORSVERSION="Version:0000000000"
fi
#
# Next get the remaining mirrors.
#
OTHERMIRRORS=`egrep -i '^(local|remote|mirror)=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" | grep -v "^${MIRROR}\$"`
#
# We need to get a temporary file name to use.
#
get_temp_file "${RKHTMPDIR}/mirrors.dat"
MIRRORS_FILE="${TEMPFILE}"
touch "${MIRRORS_FILE}"
display --to LOG --type INFO CREATED_TEMP_FILE "${MIRRORS_FILE}"
#
# Output to the temporary file the mirrors version, the other
# mirrors, and finally the mirror we are about to use.
#
echo "${MIRRORSVERSION}" >"${MIRRORS_FILE}"
for RKHM in ${OTHERMIRRORS}; do
echo "${RKHM}" >>"${MIRRORS_FILE}"
done;
echo "${MIRROR}" >>"${MIRRORS_FILE}"
MIRROR=`echo "${MIRROR}" | cut -d= -f2-`
#
# Move the new file into place, and delete the temporary file.
#
cat "${MIRRORS_FILE}" >"${DB_PATH}/mirrors.dat"
rm -f "${MIRRORS_FILE}" >/dev/null 2>&1
display --to LOG --type INFO MIRRORS_ROTATED "${DB_PATH}/mirrors.dat"
return
}
download_file() {
#
# This function downloads a specified file. It takes three parameters:
# 1=mirror, 2=url, 3=output file
#
# The URL is just the filename portion. The user will supply the
# full URL, less the filename, to where the files are stored on
# the local or remote server. For the SourceForge mirrors we will
# provide the URL.
#
# The function sets a return code (DNLOADERR).
#
#
# We loop round through the mirrors until the file is downloaded.
# We do this by first seeing how many mirrors are available. Then
# we call a function to get the next mirror, which also rotates
# the mirror file. If a mirror has already been set, then that
# mirror is used. That way, in effect, once we find a good mirror
# then it will be used for all the downloads.
#
MIRROR=$1
URL=$2
OUTPUT_FILE=$3
DNLOADERR=0
MIRROR_COUNT=0
TOTAL_MIRRORS=0
if [ -n "`echo \"${URL}\" | grep '/rkhunter_latest\.dat$'`" ]; then
DOING_VERS_CHK=1
else
DOING_VERS_CHK=0
fi
if [ -f "${DB_PATH}/mirrors.dat" ]; then
#
# The version check will use both the
# SF mirrors and remote mirrors.
#
case $MIRRORS_MODE in
0)
MIRROR_COUNT=`egrep -i '^(local|remote|mirror)=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" | wc -l | tr -d ' '`
;;
1)
MIRROR_COUNT=`egrep -i '^local=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" | wc -l | tr -d ' '`
;;
2)
MIRROR_COUNT=`egrep -i '^remote=https?://[-A-Za-z0-9\+@#/%=_:,.]*[-A-Za-z0-9\+@#/%=_]$' "${DB_PATH}/mirrors.dat" | wc -l | tr -d ' '`
;;
esac
test -z "${MIRROR_COUNT}" && MIRROR_COUNT=0
fi
test $MIRROR_COUNT -eq 0 && MIRROR_COUNT=1
TOTAL_MIRRORS=$MIRROR_COUNT
while test $MIRROR_COUNT -gt 0; do
MIRROR_COUNT=`expr $MIRROR_COUNT - 1`
if [ -z "${MIRROR}" ]; then
get_next_mirror
if [ -z "${MIRROR}" ]; then
if [ $MIRRORS_MODE -eq 0 ]; then
MIRROR="http://rkhunter.sourceforge.net"
display --to LOG --type INFO MIRRORS_SF_DEFAULT "${MIRROR}"
else
DNLOADERR=1
break
fi
fi
#
# For the SF mirrors add on the final part of the
# mirror URL, unless we are doing a version check.
#
if [ $DOING_VERS_CHK -eq 0 -a "${MIRROR}" = "http://rkhunter.sourceforge.net" ]; then
MIRROR="${MIRROR}/${RKH_VER_MAJ}.${RKH_VER_MIN}"
fi
fi
#
# Now we can download the data into the temporary file.
#
# uns - WGET_CMD (cmd, version tested, comments):
# wget, *, none.
# bget, 1.2, appends output.
# curl, 7.15.3: none.
# links/elinks, 0.4.2, decompresses output.
# lynx, 2.8.5dev.7, decompresses output.
CMD=""
DNLOADERR=0
rm -f "${OUTPUT_FILE}" >/dev/null 2>&1
case "${RKHWEBCMD_BASE}" in
wget)
CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} -q -O \"${OUTPUT_FILE}\" ${MIRROR}${URL} 2>/dev/null"
;;
curl)
CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} --fail --output \"${OUTPUT_FILE}\" ${MIRROR}${URL} 2>/dev/null"
;;
bget)
CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} --out \"${OUTPUT_FILE}\" ${MIRROR}${URL} 2>/dev/null"
;;
links|elinks)
CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} -no-home 1 -source ${MIRROR}${URL} >\"${OUTPUT_FILE}\" 2>/dev/null"
;;
lynx)
CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} -source ${MIRROR}${URL} >\"${OUTPUT_FILE}\" 2>/dev/null"
;;
GET)
CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} ${MIRROR}${URL} >\"${OUTPUT_FILE}\" 2>/dev/null"
;;
*)
CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} ${MIRROR}${URL} >\"${OUTPUT_FILE}\" 2>/dev/null"
;;
esac
display --to LOG --type INFO DOWNLOAD_CMD "${CMD}"
eval ${CMD}
DNLOADERR=$?
test $DNLOADERR -gt 1 && DNLOADERR=1
#
# Some of these commands do not set the return code. As such we
# need to look in the output file to see if an error occurred.
#
if [ $DNLOADERR -eq 0 ]; then
if [ -n "`echo \"${URL}\" | grep '/i18n\.ver$'`" ]; then
#
# The i18n.ver file is of a different
# format from the other files.
#
:
elif [ $DOING_VERS_CHK -eq 1 ]; then
#
# The versioncheck file should just be a version number.
#
if [ -z "`grep '^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' \"${OUTPUT_FILE}\"`" ]; then
DNLOADERR=1
fi
else
#
# All other files should have a normal
# version number as the first line in them.
#
if [ -z "`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' \"${OUTPUT_FILE}\"`" ]; then
DNLOADERR=1
fi
fi
fi
test ! -s "${OUTPUT_FILE}" && DNLOADERR=1
if [ $DNLOADERR -eq 0 ]; then
break
elif [ $MIRROR_COUNT -gt 0 ]; then
MIRROR=""
display --to LOG --type INFO DOWNLOAD_FAIL $MIRROR_COUNT
fi
done
return $DNLOADERR
}
do_i18n_update() {
#
# This function updates the i18n language files.
#
# We do not know which i18n files should be checked until we
# have downloaded the i18n/i18n.ver file. This file will tell
# us which i18n files are available, and their latest version
# number. We loop through the files, and check each version
# number against the installed file.
#
download_file "${MIRROR}" "/i18n/${PROGRAM_version}/i18n.ver" "${RKHUPD_FILE}"
ERRCODE=$?
if [ $ERRCODE -eq 0 ]; then
#
# Check that we have some version numbers. There
# should always be at least one, for the English
# language! Once we have the list of files, we can
# remove the temporary file and re-use it when
# downloading the language files.
#
FOUNDFILES=`grep '^[a-zA-Z][a-zA-Z0-9._-]*:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' "${RKHUPD_FILE}"`
rm -f "${RKHUPD_FILE}" >/dev/null 2>&1
if [ -z "${FOUNDFILES}" ]; then
RET_CODE=1
UPD_ERROR=1
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE 'i18n versions'
display --to LOG --type WARNING UPDATE_I18N_NO_VERS
return
fi
#
# Now loop through the language files checking their
# version numbers.
#
for FNAME in ${FOUNDFILES}; do
LANGFILE=`echo "${FNAME}" | cut -d: -f1`
LATEST_VERS=`echo "${FNAME}" | cut -d: -f2`
#
# Only update the language files the user has asked for.
#
if [ -n "${UPDATE_LANG}" ]; then
if [ -z "`echo \" ${UPDATE_LANG} \" | grep \" ${LANGFILE} \"`" ]; then
display --to LOG --type INFO UPDATE_SKIPPED
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color YELLOW --result SKIPPED UPDATE_CHECKING_FILE "i18n/${LANGFILE}"
continue
fi
fi
if [ -s "${DB_PATH}/i18n/${LANGFILE}" ]; then
PROG_VERS=`grep ${GREP_OPT} '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' "${DB_PATH}/i18n/${LANGFILE}" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f2`
if [ -z "${PROG_VERS}" ]; then
PROG_VERS=0
display --to LOG --type INFO UPDATE_FILE_NO_VERS "${DB_PATH}/i18n/${LANGFILE}"
fi
else
PROG_VERS=0
touch "${DB_PATH}/i18n/${LANGFILE}" >/dev/null 2>&1
chmod 600 "${DB_PATH}/i18n/${LANGFILE}" >/dev/null 2>&1
display --to LOG --type INFO UPDATE_FILE_MISSING "${DB_PATH}/i18n/${LANGFILE}"
fi
display --to LOG --type INFO VERSIONCHECK_CURRENT "${PROG_VERS}"
display --to LOG --type INFO VERSIONCHECK_LATEST "${LATEST_VERS}"
if [ $PROG_VERS -lt $LATEST_VERS ]; then
download_file "${MIRROR}" "/i18n/${PROGRAM_version}/${LANGFILE}" "${RKHUPD_FILE}"
ERRCODE=$?
if [ $ERRCODE -eq 0 ]; then
test $RET_CODE -eq 0 && RET_CODE=2
cat "${RKHUPD_FILE}" >"${DB_PATH}/i18n/${LANGFILE}"
display --to LOG --type INFO VERSIONCHECK_UPDT_AVAIL
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result UPD UPDATE_CHECKING_FILE "i18n/${LANGFILE}"
else
RET_CODE=1
UPD_ERROR=1
display --to LOG --type WARNING UPDATE_DOWNLOAD_FAIL "i18n/${LANGFILE}"
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE "i18n/${LANGFILE}"
fi
rm -f "${RKHUPD_FILE}" >/dev/null 2>&1
else
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result NO_UPD UPDATE_CHECKING_FILE "i18n/${LANGFILE}"
fi
done
else
RET_CODE=1
UPD_ERROR=1
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE 'i18n versions'
display --to LOG --type WARNING UPDATE_DOWNLOAD_FAIL 'i18n.ver'
fi
rm -f "${RKHUPD_FILE}" >/dev/null 2>&1
return
}
do_update() {
#
# This function checks to see if any of the supplied RKH
# *.dat and i18n files needs updating. If it does, then the
# file is overwritten with the new version.
#
display --to SCREEN+LOG --type PLAIN --color YELLOW --nl UPDATE_START
#
# First we need to get a temporary file name to use.
#
get_temp_file "${RKHTMPDIR}/rkhunter.upd"
RKHUPD_FILE="${TEMPFILE}"
touch "${RKHUPD_FILE}"
display --to LOG --type INFO CREATED_TEMP_FILE "${RKHUPD_FILE}"
#
# Now we loop round through the files we need to check. Each file
# will use the first mirror, and if necessary loop through the
# remaining mirrors until the file is downloaded. In theory this
# could take some time if the mirror sites are all experiencing
# problems and this is affecting all the files.
#
# For each file we look at the current version number. If there
# is a problem doing this, then we just try and download a new
# copy of the file. If the version number is okay, then we
# download the file to find the latest version number. If
# that is successful, we then update the file if necessary.
#
UPD_ERROR=0
MIRROR=""
for UPDFILE in mirrors.dat programs_bad.dat backdoorports.dat suspscan.dat; do
if [ $UPDATE_MIRRORS -eq 0 -a "${UPDFILE}" = "mirrors.dat" ]; then
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result SKIPPED UPDATE_CHECKING_FILE "${UPDFILE}"
continue
fi
LATEST_VERS=0
if [ -s "${DB_PATH}/${UPDFILE}" ]; then
PROG_VERS=`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' "${DB_PATH}/${UPDFILE}" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f2`
if [ -z "${PROG_VERS}" ]; then
PROG_VERS=0
display --to LOG --type INFO UPDATE_FILE_NO_VERS "${UPDFILE}"
fi
else
PROG_VERS=0
touch "${DB_PATH}/${UPDFILE}" >/dev/null 2>&1
chmod 600 "${DB_PATH}/${UPDFILE}" >/dev/null 2>&1
display --to LOG --type INFO UPDATE_FILE_MISSING "${UPDFILE}"
fi
#
# Now download the file.
#
# Note: To avoid any backward incompatability we
# get the files from a specific directory which
# previous versions do not use.
#
download_file "${MIRROR}" "/${UPDFILE}" "${RKHUPD_FILE}"
ERRCODE=$?
#
# Next we compare the current and downloaded
# file version numbers.
#
if [ $ERRCODE -eq 0 ]; then
LATEST_VERS=`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' "${RKHUPD_FILE}" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f2`
if [ -z "${LATEST_VERS}" ]; then
LATEST_VERS=0
elif [ -z "`echo \"${LATEST_VERS}\" | grep '^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$'`" ]; then
LATEST_VERS=0
fi
display --to LOG --type INFO VERSIONCHECK_CURRENT "${PROG_VERS}"
display --to LOG --type INFO VERSIONCHECK_LATEST "${LATEST_VERS}"
if [ $LATEST_VERS -eq 0 ]; then
RET_CODE=1
UPD_ERROR=1
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result VCHK_FAILED UPDATE_CHECKING_FILE "${UPDFILE}"
LATEST_VERS=`head ${HEAD_OPT}1 ${RKHUPD_FILE}`
display --to LOG --type WARNING VERSIONCHECK_CONV_FAIL "${PROG_VERS}" "${LATEST_VERS}"
elif [ $PROG_VERS -lt $LATEST_VERS ]; then
test $RET_CODE -eq 0 && RET_CODE=2
display --to LOG --type INFO VERSIONCHECK_UPDT_AVAIL
cat "${RKHUPD_FILE}" >"${DB_PATH}/${UPDFILE}"
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result UPD UPDATE_CHECKING_FILE "${UPDFILE}"
else
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result NO_UPD UPDATE_CHECKING_FILE "${UPDFILE}"
fi
else
RET_CODE=1
UPD_ERROR=1
display --to LOG --type WARNING UPDATE_DOWNLOAD_FAIL "${UPDFILE}"
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE "${UPDFILE}"
fi
rm -f "${RKHUPD_FILE}" >/dev/null 2>&1
done
#
# We now need to update the i18n files. Since this is a little
# more complicated, it is handled in a separate function.
#
do_i18n_update
if [ $UPD_ERROR -eq 1 ]; then
if [ $NOLOG -eq 1 ]; then
display --to SCREEN --type PLAIN --nl --nl-after CHECK_WARNINGS_FOUND_RERUN
else
display --to SCREEN --type PLAIN --nl --nl-after CHECK_WARNINGS_FOUND_CHK_LOG "${RKHLOGFILE}"
fi
fi
return
}
do_versioncheck() {
#
# This function performs a program version check.
#
# It will set the return code in some instances:
# 0 - (implied) no error, no new version available
# 1 - a download (of the version number) error occurred
# 2 - no error occurred, but a new version is available
#
MIRROR=""
LATESTVERSION=""
display --to SCREEN+LOG --type PLAIN --color YELLOW --nl VERSIONCHECK_START
#
# First we need to get a temporary file name to use.
#
get_temp_file "${RKHTMPDIR}/rkhunter.vc"
RKHVC_FILE="${TEMPFILE}"
touch "${RKHVC_FILE}"
display --to LOG --type INFO CREATED_TEMP_FILE "${RKHVC_FILE}"
#
# Next we get the current program version number.
#
PROG_VERS=`echo "${PROGRAM_version}" | cut -d. -f1-3 | sed -e 's/\.\([0-9]\)\./.0\1./' | sed -e 's/\.\([0-9]\)$/.0\1/' | tr -d '.'`
test -z "${PROG_VERS}" && PROG_VERS=0
display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_CURRENT "${PROGRAM_version}"
#
# Download the file, and then compare the current value
# with the downloaded one.
#
download_file "${MIRROR}" "/rkhunter_latest.dat" "${RKHVC_FILE}"
ERRCODE=$?
if [ $ERRCODE -eq 0 ]; then
LATESTVERSION=`cat "${RKHVC_FILE}" 2>/dev/null`
#
# Convert the version string to zero-spaced numbers.
# This allows us to numerically compare the versions,
# even when the numbers go above ten.
#
# E.g. '1.2.10' => 10210, '1.3.2' => 10302.
#
LATEST_VERS=`echo "${LATESTVERSION}" | cut -d. -f1-3 | sed -e 's/\.\([0-9]\)\./.0\1./' | sed -e 's/\.\([0-9]\)$/.0\1/' | tr -d '.'`
test -z "${LATEST_VERS}" && LATEST_VERS=0
display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_LATEST "${LATESTVERSION}"
if [ $LATEST_VERS -eq 0 ]; then
RET_CODE=1
display --to SCREEN+LOG --type WARNING --screen-indent 2 VERSIONCHECK_CONV_FAIL "${PROGRAM_version}" "${LATESTVERSION}"
elif [ $PROG_VERS -lt $LATEST_VERS ]; then
test $RET_CODE -eq 0 && RET_CODE=2
display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_UPDT_AVAIL
fi
else
RET_CODE=1
display --to LOG --type WARNING VERSIONCHECK_FAIL_ALL
display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_LATEST_FAIL
fi
rm -f "${RKHVC_FILE}" >/dev/null 2>&1
return
}
do_config_file_check() {
#
# This function performs a basic configuration file check. Use of
# the configuration check command-line option will cause the known
# configured options to be checked as usual. So all we need to do
# here is look for any configuration options which are unknown.
#
#
# First we define the list of valid configuration options.
#
#
# All the following specified options should be single
# value options (that is, not any sort of list).
#
VALIDOPTS="${SPACE_LIST_OPTS} ${NEWLINE_LIST_OPTS}
ALLOW_SSH_PROT_V1 ALLOW_SSH_ROOT_USER ALLOW_SYSLOG_REMOTE_LOGGING APPEND_LOG
AUTO_X_DETECT COLOR_SET2 COPY_LOG_ON_ERROR DBDIR EPOCH_DATE_CMD GLOBSTAR
HASH_FLD_IDX HASH_FUNC HASH_CMD IMMUTABLE_SET INETD_CONF_PATH INSTALLDIR
IPC_SEG_SIZE LANGUAGE LOCKDIR LOCK_TIMEOUT LOGFILE MAIL_CMD MIRRORS_MODE MODULES_DIR
OS_VERSION_FILE PASSWORD_FILE PHALANX2_DIRTEST PKGMGR ROOTDIR ROTATE_MIRRORS
SCAN_MODE_DEV SCANROOTKITMODE SCRIPTDIR SHOW_LOCK_MSGS SHOW_SUMMARY_TIME SHOW_SUMMARY_WARNINGS_NUMBER
SKIP_INODE_CHECK SSH_CONFIG_DIR SUSPSCAN_DEBUG SUSPSCAN_LINETHRESH SUSPSCAN_MAXSIZE SUSPSCAN_TEMP
SUSPSCAN_THRESH TMPDIR UPDATE_MIRRORS UPDT_ON_OS_CHANGE USE_SUNSUM USE_LOCKING
USE_SYSLOG WARN_ON_OS_CHANGE WEBCMD WEB_CMD WHITELISTED_IS_WHITE
XINETD_CONF_PATH"
VALIDOPTS=" `echo ${VALIDOPTS}` "
#
# Now check to see if any unknown options have been configured.
#
RKHTMPVAR=`egrep -h -v '^[ ]*(#|$)' ${CONFIGFILE} ${LOCALCONFIGFILE} ${LOCALCONFDIRFILES}`
IFS=$IFSNL
for CONFIGOPT in ${RKHTMPVAR}; do
CONFIGCMD=`echo ${CONFIGOPT} | cut -d= -f1`
#
# We have to handle the *_CMD entries specially because
# only certain commands are allowed to be replaced by
# a configuration option.
#
if [ -n "`echo ${CONFIGCMD} | grep '_CMD$'`" ]; then
case "${CONFIGCMD}" in
EPOCH_DATE_CMD|MAIL_CMD|WEB_CMD|HASH_CMD)
# We know about these ones.
;;
*)
# Dig out the actual command name used.
CFG_CMD=`echo ${CONFIGCMD} | sed -e 's/_CMD$//'`
# Check to see if the command is one we now about.
if [ -z "`echo \" ${CMDLIST} \" | grep -i \" ${CFG_CMD} \"`" ]; then
RET_CODE=1
echo "Unknown configuration file option: ${CONFIGOPT}"
fi
;;
esac
continue
fi
if [ -z "`echo \"${VALIDOPTS}\" | grep \" ${CONFIGCMD} \"`" ]; then
RET_CODE=1
echo "Unknown configuration file option: ${CONFIGOPT}"
fi
done
IFS=$RKHIFS
return
}
do_system_check_initialisation() {
#
# This function simply initialises the default rootkit
# files and directories.
#
# 55808 Variant A
W55808A_FILES="/tmp/.../r
/tmp/.../a"
W55808A_DIRS=
W55808A_KSYMS=
# Adore Rootkit. OK, nobody calls it that but basically it uses Adore.
# In one commercial AV vendors naming scheme it's called Dextenea.
AKIT_FILES="/usr/secure
/usr/doc/sys/qrt
/usr/doc/sys/run
/usr/doc/sys/crond
/usr/sbin/kfd
/usr/doc/kern/var
/usr/doc/kern/string.o
/usr/doc/kern/ava
/usr/doc/kern/adore.o
/var/log/ssh/old"
AKIT_DIRS="/lib/security/.config/ssh
/usr/doc/kern
/usr/doc/backup
/usr/doc/backup/txt
/lib/backup
/lib/backup/txt
/usr/doc/work
/usr/doc/sys
/var/log/ssh
/usr/doc/.spool
/usr/lib/kterm"
AKIT_KSYMS=
# AjaKit Rootkit
AJAKIT_FILES="/dev/tux/.addr
/dev/tux/.proc
/dev/tux/.file
/lib/.libgh-gh/cleaner
/lib/.libgh-gh/Patch/patch
/lib/.libgh-gh/sb0k"
AJAKIT_DIRS="/dev/tux
/lib/.libgh-gh"
AJAKIT_KSYMS=
# aPa Kit Rootkit
APAKIT_FILES="/usr/share/.aPa"
APAKIT_DIRS=
APAKIT_KSYMS=
# Apache Worm
APACHEWORM_FILES="/bin/.log"
APACHEWORM_DIRS=
APACHEWORM_KSYMS=
# Ambient (ark) Rootkit
ARK_FILES="/usr/lib/.ark?
/dev/ptyxx/.log
/dev/ptyxx/.file
/dev/ptyxx/.proc
/dev/ptyxx/.addr"
ARK_DIRS="/dev/ptyxx"
ARK_KSYMS=
# Balaur Rootkit 2.0 (LRK5 based)
BALAUR_FILES="/usr/lib/liblog.o"
BALAUR_DIRS="/usr/lib/.kinetic
/usr/lib/.egcs
/usr/lib/.wormie"
BALAUR_KSYMS=
# Beastkit Rootkit
BEASTKIT_FILES="/usr/sbin/arobia
/usr/sbin/idrun
/usr/lib/elm/arobia/elm
/usr/lib/elm/arobia/elm/hk
/usr/lib/elm/arobia/elm/hk.pub
/usr/lib/elm/arobia/elm/sc
/usr/lib/elm/arobia/elm/sd.pp
/usr/lib/elm/arobia/elm/sdco
/usr/lib/elm/arobia/elm/srsd"
BEASTKIT_DIRS="/lib/ldd.so/bktools"
BEASTKIT_KSYMS=
# beX2 Rootkit
BEX_FILES="/usr/info/termcap.info-5.gz
/usr/bin/sshd2"
BEX_DIRS="/usr/include/bex"
BEX_KSYMS=
# BOBkit Rootkit
BOBKIT_FILES="/usr/sbin/ntpsx
/usr/sbin/.../bkit-ava
/usr/sbin/.../bkit-d
/usr/sbin/.../bkit-shd
/usr/sbin/.../bkit-f
/usr/include/.../proc.h
/usr/include/.../.bash_history
/usr/include/.../bkit-get
/usr/include/.../bkit-dl
/usr/include/.../bkit-screen
/usr/include/.../bkit-sleep
/usr/lib/.../bkit-adore.o
/usr/lib/.../ls
/usr/lib/.../netstat
/usr/lib/.../lsof
/usr/lib/.../bkit-ssh/bkit-shdcfg
/usr/lib/.../bkit-ssh/bkit-shhk
/usr/lib/.../bkit-ssh/bkit-pw
/usr/lib/.../bkit-ssh/bkit-shrs
/usr/lib/.../bkit-ssh/bkit-mots
/usr/lib/.../uconf.inv
/usr/lib/.../psr
/usr/lib/.../find
/usr/lib/.../pstree
/usr/lib/.../slocate
/usr/lib/.../du
/usr/lib/.../top"
BOBKIT_DIRS="/usr/sbin/...
/usr/include/...
/usr/include/.../.tmp
/usr/lib/...
/usr/lib/.../.ssh
/usr/lib/.../bkit-ssh
/usr/lib/.bkit-
/tmp/.bkp"
BOBKIT_KSYMS=
# OSX Boonana-A Trojan (aka Koobface.A)
BOONANA_FILES="/Library/StartupItems/OSXDriverUpdates/OSXDriverUpdates
/Library/StartupItems/OSXDriverUpdates/StartupParameters.plist"
BOONANA_DIRS="/var/root/.jnana"
BOONANA_KSYMS=
# cb Rootkit (w00tkit by ZeeN)
# The '%' character represents a space.
# xC.o = Adore LKM
CB_FILES="/dev/srd0
/lib/libproc.so.2.0.6
/dev/mounnt
/etc/rc.d/init.d/init
/usr/bin/.zeen/..%/cl
/usr/bin/.zeen/..%/.x.tgz
/usr/bin/.zeen/..%/statdx
/usr/bin/.zeen/..%/wted
/usr/bin/.zeen/..%/write
/usr/bin/.zeen/..%/scan
/usr/bin/.zeen/..%/sc
/usr/bin/.zeen/..%/sl2
/usr/bin/.zeen/..%/wroot
/usr/bin/.zeen/..%/wscan
/usr/bin/.zeen/..%/wu
/usr/bin/.zeen/..%/v
/usr/bin/.zeen/..%/read
/usr/lib/sshrc
/usr/lib/ssh_host_key
/usr/lib/ssh_host_key.pub
/usr/lib/ssh_random_seed
/usr/lib/sshd_config
/usr/lib/shosts.equiv
/usr/lib/ssh_known_hosts
/u/zappa/.ssh/pid
/usr/bin/.system/..%/tcp.log
/usr/bin/.zeen/..%/curatare/attrib
/usr/bin/.zeen/..%/curatare/chattr
/usr/bin/.zeen/..%/curatare/ps
/usr/bin/.zeen/..%/curatare/pstree
/usr/bin/.system/..%/.x/xC.o"
CB_DIRS="/usr/bin/.zeen
/usr/bin/.zeen/..%/curatare
/usr/bin/.zeen/..%/scan
/usr/bin/.system/..%"
CB_KSYMS=
# CiNIK Worm (Slapper.B variant)
CINIK_FILES="/tmp/.cinik"
CINIK_DIRS="/tmp/.font-unix/.cinik"
CINIK_KSYMS=
# CX Rootkit
CXKIT_FILES="/usr/lib/ldlibso
/usr/lib/configlibso
/usr/lib/shklibso
/usr/lib/randomlibso
/usr/lib/ldlibstrings.so
/usr/lib/ldlibdu.so
/usr/lib/ldlibns.so
/usr/include/db"
CXKIT_DIRS="/usr/include/cxk"
CXKIT_KSYMS=
# Danny-Boy's Abuse Kit
DANNYBOYS_FILES="/dev/mdev
/usr/lib/libX.a"
DANNYBOYS_DIRS=
DANNYBOYS_KSYMS=
# Devil Rootkit
DEVIL_FILES="/var/lib/games/.src
/dev/dsx
/dev/caca
/dev/pro
/bin/bye
/bin/homedir
/usr/bin/xfss
/usr/sbin/tzava
/usr/doc/tar/.../.dracusor/stuff/holber
/usr/doc/tar/.../.dracusor/stuff/sense
/usr/doc/tar/.../.dracusor/stuff/clear
/usr/doc/tar/.../.dracusor/stuff/tzava
/usr/doc/tar/.../.dracusor/stuff/citeste
/usr/doc/tar/.../.dracusor/stuff/killrk
/usr/doc/tar/.../.dracusor/stuff/searchlog
/usr/doc/tar/.../.dracusor/stuff/gaoaza
/usr/doc/tar/.../.dracusor/stuff/cleaner
/usr/doc/tar/.../.dracusor/stuff/shk
/usr/doc/tar/.../.dracusor/stuff/srs
/usr/doc/tar/.../.dracusor/utile.tgz
/usr/doc/tar/.../.dracusor/webpage
/usr/doc/tar/.../.dracusor/getpsy
/usr/doc/tar/.../.dracusor/getbnc
/usr/doc/tar/.../.dracusor/getemech
/usr/doc/tar/.../.dracusor/localroot.sh
/usr/doc/tar/.../.dracusor/stuff/old/sense"
DEVIL_DIRS="/usr/doc/tar/.../.dracusor"
DEVIL_KSYMS=
# Diamorphine LKM
DIAMORPHINE_FILES=
DIAMORPHINE_DIRS=
DIAMORPHINE_KSYMS="diamorphine
module_hide
module_hidden
is_invisible
hacked_getdents
hacked_kill"
# Dica-Kit (T0rn variant) Rootkit
DICA_FILES="/lib/.sso
/lib/.so
/var/run/...dica/clean
/var/run/...dica/dxr
/var/run/...dica/read
/var/run/...dica/write
/var/run/...dica/lf
/var/run/...dica/xl
/var/run/...dica/xdr
/var/run/...dica/psg
/var/run/...dica/secure
/var/run/...dica/rdx
/var/run/...dica/va
/var/run/...dica/cl.sh
/var/run/...dica/last.log
/usr/bin/.etc
/etc/sshd_config
/etc/ssh_host_key
/etc/ssh_random_seed"
DICA_DIRS="/var/run/...dica
/var/run/...dica/mh
/var/run/...dica/scan"
DICA_KSYMS=
# Dreams Rootkit
DREAMS_FILES="/dev/ttyoa
/dev/ttyof
/dev/ttyop
/usr/bin/sense
/usr/bin/sl2
/usr/bin/logclear
/usr/bin/(swapd)
/usr/bin/initrd
/usr/bin/crontabs
/usr/bin/snfs
/usr/lib/libsss
/usr/lib/libsnf.log
/usr/lib/libshtift/top
/usr/lib/libshtift/ps
/usr/lib/libshtift/netstat
/usr/lib/libshtift/ls
/usr/lib/libshtift/ifconfig
/usr/include/linseed.h
/usr/include/linpid.h
/usr/include/linkey.h
/usr/include/linconf.h
/usr/include/iceseed.h
/usr/include/icepid.h
/usr/include/icekey.h
/usr/include/iceconf.h"
DREAMS_DIRS="/dev/ida/.hpd
/usr/lib/libshtift"
DREAMS_KSYMS=
# Duarawkz Rootkit
DUARAWKZ_FILES="/usr/bin/duarawkz/loginpass"
DUARAWKZ_DIRS="/usr/bin/duarawkz"
DUARAWKZ_KSYMS=
# Ebury sshd backdoor
EBURY_FILES="/lib/libns2.so
/lib64/libns2.so
/lib/libns5.so
/lib64/libns5.so
/lib/libpw3.so
/lib64/libpw3.so
/lib/libpw5.so
/lib64/libpw5.so
/lib/libsbr.so
/lib64/libsbr.so
/lib/libslr.so
/lib64/libslr.so"
EBURY_DIRS=
EBURY_KSYMS=
# ENYE LKM v1.1, v1.2
# Installer default.
ENYELKM_FILES="/etc/.enyelkmHIDE^IT.ko
/etc/.enyelkmOCULTAR.ko"
ENYELKM_DIRS=
ENYELKM_KSYMS=
# Flea Linux Rootkit
FLEA_FILES="/etc/ld.so.hash
/lib/security/.config/ssh/sshd_config
/lib/security/.config/ssh/ssh_host_key
/lib/security/.config/ssh/ssh_host_key.pub
/lib/security/.config/ssh/ssh_random_seed
/usr/bin/ssh2d
/usr/lib/ldlibns.so
/usr/lib/ldlibps.so
/usr/lib/ldlibpst.so
/usr/lib/ldlibdu.so
/usr/lib/ldlibct.so"
FLEA_DIRS="/lib/security/.config/ssh
/dev/..0
/dev/..0/backup"
FLEA_KSYMS=
# FreeBSD Rootkit (FBRK) catering to versions and compile-time defaults used by:
# 1.0 (1997, Method), 1.2 (1997, Method), "ImperialS-FBRK 1.0" (2001, Nyo)
FREEBSD_RK_FILES="/dev/ptyp
/dev/ptyq
/dev/ptyr
/dev/ptys
/dev/ptyt
/dev/fd/.88/freshb-bsd
/dev/fd/.88/fresht
/dev/fd/.88/zxsniff
/dev/fd/.88/zxsniff.log
/dev/fd/.99/.ttyf00
/dev/fd/.99/.ttyp00
/dev/fd/.99/.ttyq00
/dev/fd/.99/.ttys00
/dev/fd/.99/.pwsx00
/etc/.acid
/usr/lib/.fx/sched_host.2
/usr/lib/.fx/random_d.2
/usr/lib/.fx/set_pid.2
/usr/lib/.fx/setrgrp.2
/usr/lib/.fx/TOHIDE
/usr/lib/.fx/cons.saver
/usr/lib/.fx/adore/ava/ava
/usr/lib/.fx/adore/adore/adore.ko
/bin/sysback
/usr/local/bin/sysback"
FREEBSD_RK_DIRS="/dev/fd/.88
/dev/fd/.99
/usr/lib/.fx
/usr/lib/.fx/adore"
FREEBSD_RK_KSYMS=
# Fu Rootkit
FU_FILES="/sbin/xc
/usr/include/ivtype.h
/bin/.lib"
FU_DIRS=
FU_KSYMS=
# Fuckit Rootkit
FUCKIT_FILES="/lib/libproc.so.2.0.7
/dev/proc/.bash_profile
/dev/proc/.bashrc
/dev/proc/.cshrc
/dev/proc/fuckit/hax0r
/dev/proc/fuckit/hax0rshell
/dev/proc/fuckit/config/lports
/dev/proc/fuckit/config/rports
/dev/proc/fuckit/config/rkconf
/dev/proc/fuckit/config/password
/dev/proc/fuckit/config/progs
/dev/proc/fuckit/system-bins/init
/usr/lib/libcps.a
/usr/lib/libtty.a"
FUCKIT_DIRS="/dev/proc
/dev/proc/fuckit
/dev/proc/fuckit/system-bins
/dev/proc/toolz"
FUCKIT_KSYMS=
# GasKit Rootkit
GASKIT_FILES="/dev/dev/gaskit/sshd/sshdd"
GASKIT_DIRS="/dev/dev
/dev/dev/gaskit
/dev/dev/gaskit/sshd"
GASKIT_KSYMS=
# Heroin LKM
HEROIN_FILES=
HEROIN_DIRS=
HEROIN_KSYMS="heroin"
# HjC Kit Rootkit
HJCKIT_FILES=
HJCKIT_DIRS="/dev/.hijackerz"
HJCKIT_KSYMS=
# ignoKit Rootkit
IGNOKIT_FILES="/lib/defs/p
/lib/defs/q
/lib/defs/r
/lib/defs/s
/lib/defs/t
/usr/lib/defs/p
/usr/lib/defs/q
/usr/lib/defs/r
/usr/lib/defs/s
/usr/lib/defs/t
/usr/lib/.libigno/pkunsec
/usr/lib/.libigno/.igno/psybnc/psybnc"
IGNOKIT_DIRS="/usr/lib/.libigno
/usr/lib/.libigno/.igno"
IGNOKIT_KSYMS=
# iLLogiC Rootkit (SunOS Rootkit variant)
ILLOGIC_FILES="/dev/kmod
/dev/dos
/usr/lib/crth.o
/usr/lib/crtz.o
/etc/ld.so.hash
/usr/bin/sia
/usr/bin/ssh2d
/lib/security/.config/sn
/lib/security/.config/iver
/lib/security/.config/uconf.inv
/lib/security/.config/ssh/ssh_host_key
/lib/security/.config/ssh/ssh_host_key.pub
/lib/security/.config/ssh/sshport
/lib/security/.config/ssh/ssh_random_seed
/lib/security/.config/ava
/lib/security/.config/cleaner
/lib/security/.config/lpsched
/lib/security/.config/sz
/lib/security/.config/rcp
/lib/security/.config/patcher
/lib/security/.config/pg
/lib/security/.config/crypt
/lib/security/.config/utime
/lib/security/.config/wget
/lib/security/.config/instmod
/lib/security/.config/bin/find
/lib/security/.config/bin/du
/lib/security/.config/bin/ls
/lib/security/.config/bin/psr
/lib/security/.config/bin/netstat
/lib/security/.config/bin/su
/lib/security/.config/bin/ping
/lib/security/.config/bin/passwd"
ILLOGIC_DIRS="/lib/security/.config
/lib/security/.config/ssh
/lib/security/.config/bin
/lib/security/.config/backup
/root/%%%/.dir
/root/%%%/.dir/mass-scan
/root/%%%/.dir/flood"
ILLOGIC_KSYMS=
# OSX Inqtana (Variant A)
INQTANAA_FILES="/Users/w0rm-support.tgz
/Users/InqTest.class
/Users/com.openbundle.plist
/Users/com.pwned.plist
/Users/libavetanaBT.jnilib"
INQTANAA_DIRS="/Users/de
/Users/javax"
INQTANAA_KSYMS=
# OSX Inqtana (Variant B)
INQTANAB_FILES="/Users/w0rms.love.apples.tgz
/Users/InqTest.class
/Users/InqTest.java
/Users/libavetanaBT.jnilib
/Users/InqTanaHandler
/Users/InqTanaHandler.bundle"
INQTANAB_DIRS="/Users/de
/Users/javax"
INQTANAB_KSYMS=
# OSX Inqtana (Variant C)
INQTANAC_FILES="/Users/applec0re.tgz
/Users/InqTest.class
/Users/InqTest.java
/Users/libavetanaBT.jnilib
/Users/environment.plist
/Users/pwned.c
/Users/pwned.dylib"
INQTANAC_DIRS="/Users/de
/Users/javax"
INQTANAC_KSYMS=
# IntoXonia-NG Rootkit
INTOXONIA_FILES=
INTOXONIA_DIRS=
INTOXONIA_KSYMS="funces
ixinit
tricks
kernel_unlink
rootme
hide_module
find_sys_call_tbl"
# Irix Rootkit (for Irix 6.x)
IRIXRK_FILES=
IRIXRK_DIRS="/dev/pts/01
/dev/pts/01/backup
/dev/pts/01/etc
/dev/pts/01/tmp"
IRIXRK_KSYMS=
# Jynx Rootkit
JYNX_FILES="/xochikit/bc
/xochikit/ld_poison.so
/omgxochi/bc
/omgxochi/ld_poison.so
/var/local/^^/bc
/var/local/^^/ld_poison.so"
JYNX_DIRS="/xochikit
/omgxochi
/var/local/^^"
JYNX_KSYMS=
# Jynx2 Rootkit
JYNX2_FILES="/XxJynx/reality.so"
JYNX2_DIRS="/XxJynx"
JYNX2_KSYMS=
# KBeast (Kernel Beast) Rootkit
KBEAST_FILES="/usr/_h4x_/ipsecs-kbeast-v1.ko
/usr/_h4x_/_h4x_bd
/usr/_h4x_/acctlog"
KBEAST_DIRS="/usr/_h4x_"
KBEAST_KSYMS="h4x_delete_module
h4x_getdents64
h4x_kill
h4x_open
h4x_read
h4x_rename
h4x_rmdir
h4x_tcp4_seq_show
h4x_write"
# OSX Keydnap backdoor
# The '%' character represents a space.
KEYDNAP_FILES="/Applications/Transmission.app/Contents/Resources/License.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
/Library/LaunchAgents/com.geticloud.icloud.photo.plist"
KEYDNAP_DIRS="/Library/Application%Support/com.apple.iCloud.sync.daemon/"
KEYDNAP_KSYMS=
# Kitko Rootkit
KITKO_FILES=
KITKO_DIRS="/usr/src/redhat/SRPMS/..."
KITKO_KSYMS=
# Knark Rootkit
KNARK_FILES="/proc/knark/pids"
KNARK_DIRS="/proc/knark"
KNARK_KSYMS=
# OSX Komplex Trojan
KOMPLEX_FILES="/Users/Shared/.local/kextd
/Users/Shared/com.apple.updates.plist
/Users/Shared/start.sh"
KOMPLEX_DIRS=
KOMPLEX_KSYMS=
# ld-linuxv.so (LD_PRELOAD shared library rootkit)
LINUXV_FILES="/lib/ld-linuxv.so.1"
LINUXV_DIRS="/var/opt/_so_cache
/var/opt/_so_cache/ld
/var/opt/_so_cache/lc"
LINUXV_KSYMS=
# Lion Worm
LION_FILES="/bin/in.telnetd
/bin/mjy
/usr/man/man1/man1/lib/.lib/mjy
/usr/man/man1/man1/lib/.lib/in.telnetd
/usr/man/man1/man1/lib/.lib/.x
/dev/.lib/lib/scan/1i0n.sh
/dev/.lib/lib/scan/hack.sh
/dev/.lib/lib/scan/bind
/dev/.lib/lib/scan/randb
/dev/.lib/lib/scan/scan.sh
/dev/.lib/lib/scan/pscan
/dev/.lib/lib/scan/star.sh
/dev/.lib/lib/scan/bindx.sh
/dev/.lib/lib/scan/bindname.log
/dev/.lib/lib/1i0n.sh
/dev/.lib/lib/lib/netstat
/dev/.lib/lib/lib/dev/.1addr
/dev/.lib/lib/lib/dev/.1logz
/dev/.lib/lib/lib/dev/.1proc
/dev/.lib/lib/lib/dev/.1file"
LION_DIRS=
LION_KSYMS=
# Lockit Rootkit (aka LJK2)
LOCKIT_FILES="/usr/lib/libmen.oo/.LJK2/ssh_config
/usr/lib/libmen.oo/.LJK2/ssh_host_key
/usr/lib/libmen.oo/.LJK2/ssh_host_key.pub
/usr/lib/libmen.oo/.LJK2/ssh_random_seed*
/usr/lib/libmen.oo/.LJK2/sshd_config
/usr/lib/libmen.oo/.LJK2/backdoor/RK1bd
/usr/lib/libmen.oo/.LJK2/backup/du
/usr/lib/libmen.oo/.LJK2/backup/ifconfig
/usr/lib/libmen.oo/.LJK2/backup/inetd.conf
/usr/lib/libmen.oo/.LJK2/backup/locate
/usr/lib/libmen.oo/.LJK2/backup/login
/usr/lib/libmen.oo/.LJK2/backup/ls
/usr/lib/libmen.oo/.LJK2/backup/netstat
/usr/lib/libmen.oo/.LJK2/backup/ps
/usr/lib/libmen.oo/.LJK2/backup/pstree
/usr/lib/libmen.oo/.LJK2/backup/rc.sysinit
/usr/lib/libmen.oo/.LJK2/backup/syslogd
/usr/lib/libmen.oo/.LJK2/backup/tcpd
/usr/lib/libmen.oo/.LJK2/backup/top
/usr/lib/libmen.oo/.LJK2/clean/RK1sauber
/usr/lib/libmen.oo/.LJK2/clean/RK1wted
/usr/lib/libmen.oo/.LJK2/hack/RK1parse
/usr/lib/libmen.oo/.LJK2/hack/RK1sniff
/usr/lib/libmen.oo/.LJK2/hide/.RK1addr
/usr/lib/libmen.oo/.LJK2/hide/.RK1dir
/usr/lib/libmen.oo/.LJK2/hide/.RK1log
/usr/lib/libmen.oo/.LJK2/hide/.RK1proc
/usr/lib/libmen.oo/.LJK2/hide/RK1phidemod.c
/usr/lib/libmen.oo/.LJK2/modules/README.modules
/usr/lib/libmen.oo/.LJK2/modules/RK1hidem.c
/usr/lib/libmen.oo/.LJK2/modules/RK1phide
/usr/lib/libmen.oo/.LJK2/sshconfig/RK1ssh"
LOCKIT_DIRS="/usr/lib/libmen.oo/.LJK2"
LOCKIT_KSYMS=
# Mokes backdoor
MOKES_FILES="/tmp/ss0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].sst
/tmp/aa0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].aat
/tmp/kk0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].kkt
/tmp/dd0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].ddt"
MOKES_DIRS=
MOKES_KSYMS=
# MRK (MiCrobul?) RootKit (based on Devil RootKit, also see Xzibit)
MRK_FILES="/dev/ida/.inet/pid
/dev/ida/.inet/ssh_host_key
/dev/ida/.inet/ssh_random_seed
/dev/ida/.inet/tcp.log"
MRK_DIRS="/dev/ida/.inet
/var/spool/cron/.sh"
MRK_KSYMS=
# Mood-NT Rootkit
# Binary is by default called "mood-nt" but can be anywhere.
# Here we look for collaterals, from include/prefs.h defaults
# until sig-based dirscan() is added.
MOODNT_FILES="/sbin/init__mood-nt-_-_cthulhu
/_cthulhu/mood-nt.init
/_cthulhu/mood-nt.conf
/_cthulhu/mood-nt.sniff"
MOODNT_DIRS="/_cthulhu"
MOODNT_KSYMS=
# Ni0 Rootkit
NIO_FILES="/var/lock/subsys/...datafile.../...net...
/var/lock/subsys/...datafile.../...port...
/var/lock/subsys/...datafile.../...ps...
/var/lock/subsys/...datafile.../...file..."
NIO_DIRS="/tmp/waza
/var/lock/subsys/...datafile...
/usr/sbin/es"
NIO_KSYMS=
# Ohhara Rootkit
OHHARA_FILES="/var/lock/subsys/...datafile.../...datafile.../in.smbd.log"
OHHARA_DIRS="/var/lock/subsys/...datafile...
/var/lock/subsys/...datafile.../...datafile...
/var/lock/subsys/...datafile.../...datafile.../bin
/var/lock/subsys/...datafile.../...datafile.../usr/bin
/var/lock/subsys/...datafile.../...datafile.../usr/sbin
/var/lock/subsys/...datafile.../...datafile.../lib/security"
OHHARA_KSYMS=
# Optic Kit (Tux variant) Rootkit
OPTICKIT_FILES=
OPTICKIT_DIRS="/dev/tux
/usr/bin/xchk
/usr/bin/xsf
/usr/bin/ssh2d"
OPTICKIT_KSYMS=
# OSX Rootkit 0.2.1 (OSXRK)
OSXRK_FILES="/dev/.rk/nc
/dev/.rk/diepu
/dev/.rk/backd
/Library/StartupItems/opener
/Library/StartupItems/opener.sh
/System/Library/StartupItems/opener
/System/Library/StartupItems/opener.sh"
OSXRK_DIRS="/dev/.rk
/Users/LDAP-daemon
/tmp/.work"
OSXRK_KSYMS=
# Oz Rootkit
OZ_FILES="/dev/.oz/.nap/rkit/terror"
OZ_DIRS="/dev/.oz"
OZ_KSYMS=
# Phalanx Rootkit
PHALANX_FILES="/uNFuNF
/etc/host.ph1
/bin/host.ph1
/usr/share/.home.ph1/phalanx
/usr/share/.home.ph1/cb
/usr/share/.home.ph1/kebab"
PHALANX_DIRS="/usr/share/.home.ph1
/usr/share/.home.ph1/tty"
PHALANX_KSYMS=
# Phalanx2 Rootkit
PHALANX2_FILES="/etc/khubd.p2/.p2rc
/etc/khubd.p2/.phalanx2
/etc/khubd.p2/.sniff
/etc/khubd.p2/sshgrab.py
/etc/lolzz.p2/.p2rc
/etc/lolzz.p2/.phalanx2
/etc/lolzz.p2/.sniff
/etc/lolzz.p2/sshgrab.py
/etc/cron.d/zupzzplaceholder
/usr/lib/zupzz.p2/.p-2.3d
/usr/lib/zupzz.p2/.p2rc"
PHALANX2_DIRS="/etc/khubd.p2
/etc/lolzz.p2
/usr/lib/zupzz.p2"
PHALANX2_KSYMS=
# Portacelo Rootkit
PORTACELO_FILES="/var/lib/.../.ak
/var/lib/.../.hk
/var/lib/.../.rs
/var/lib/.../.p
/var/lib/.../getty
/var/lib/.../lkt.o
/var/lib/.../show
/var/lib/.../nlkt.o
/var/lib/.../ssshrc
/var/lib/.../sssh_equiv
/var/lib/.../sssh_known_hosts
/var/lib/.../sssh_pid ~/.sssh/known_hosts"
PORTACELO_DIRS=
PORTACELO_KSYMS=
# OSX Proton backdoor
PROTON_FILES="/Library/LaunchAgents/com.apple.xpcd.plist
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/updateragent.app
/tmp/Updater.app"
PROTON_DIRS="/Library/.rand
/Library/.cachedir
/Library/.random"
PROTON_KSYMS=
# R3dstorm Toolkit
REDSTORM_FILES="/var/log/tk02/see_all
/var/log/tk02/.scris
/bin/.../sshd/sbin/sshd1
/bin/.../hate/sk
/bin/.../see_all"
REDSTORM_DIRS="/var/log/tk02
/var/log/tk02/old
/bin/..."
REDSTORM_KSYMS=
# RH-Sharpe's Rootkit
RHSHARPES_FILES="/bin/lps
/usr/bin/lpstree
/usr/bin/ltop
/usr/bin/lkillall
/usr/bin/ldu
/usr/bin/lnetstat
/usr/bin/wp
/usr/bin/shad
/usr/bin/vadim
/usr/bin/slice
/usr/bin/cleaner
/usr/include/rpcsvc/du"
RHSHARPES_DIRS=
RHSHARPES_KSYMS=
# RSHA's Rootkit
RSHA_FILES="/bin/kr4p
/usr/bin/n3tstat
/usr/bin/chsh2
/usr/bin/slice2
/usr/src/linux/arch/alpha/lib/.lib/.1proc
/etc/rc.d/arch/alpha/lib/.lib/.1addr"
RSHA_DIRS="/etc/rc.d/rsha
/etc/rc.d/arch/alpha/lib/.lib"
RSHA_KSYMS=
# Shutdown Rootkit
# The '%' character represents a space.
SHUTDOWN_FILES="/usr/man/man5/..%/.dir/scannah/asus
/usr/man/man5/..%/.dir/see
/usr/man/man5/..%/.dir/nscd
/usr/man/man5/..%/.dir/alpd
/etc/rc.d/rc.local%"
SHUTDOWN_DIRS="/usr/man/man5/..%/.dir
/usr/man/man5/..%/.dir/scannah
/etc/rc.d/rc0.d/..%/.dir"
SHUTDOWN_KSYMS=
# Scalper (FreeBSD.Scalper.Worm) Worm
SCALPER_FILES="/tmp/.a
/tmp/.uua"
SCALPER_DIRS=
SCALPER_KSYMS=
# SHV4 Rootkit
SHV4_FILES="/etc/ld.so.hash
/lib/libext-2.so.7
/lib/lidps1.so
/lib/libproc.a
/lib/libproc.so.2.0.6
/lib/ldd.so/tks
/lib/ldd.so/tkp
/lib/ldd.so/tksb
/lib/security/.config/sshd
/lib/security/.config/ssh/ssh_host_key
/lib/security/.config/ssh/ssh_host_key.pub
/lib/security/.config/ssh/ssh_random_seed
/usr/include/file.h
/usr/include/hosts.h
/usr/include/lidps1.so
/usr/include/log.h
/usr/include/proc.h
/usr/sbin/xntps
/dev/srd0"
SHV4_DIRS="/lib/ldd.so
/lib/security/.config
/lib/security/.config/ssh"
SHV4_KSYMS=
# SHV5 Rootkit
SHV5_FILES="/etc/sh.conf
/lib/libproc.a
/lib/libproc.so.2.0.6
/lib/lidps1.so
/lib/libsh.so/bash
/usr/include/file.h
/usr/include/hosts.h
/usr/include/log.h
/usr/include/proc.h
/lib/libsh.so/shdcf2
/lib/libsh.so/shhk
/lib/libsh.so/shhk.pub
/lib/libsh.so/shrs
/usr/lib/libsh/.bashrc
/usr/lib/libsh/shsb
/usr/lib/libsh/hide
/usr/lib/libsh/.sniff/shsniff
/usr/lib/libsh/.sniff/shp
/dev/srd0"
SHV5_DIRS="/lib/libsh.so
/usr/lib/libsh
/usr/lib/libsh/utilz
/usr/lib/libsh/.backup"
SHV5_KSYMS=
# Sin Rootkit
SINROOTKIT_FILES="/dev/.haos/haos1/.f/Denyed
/dev/ttyoa
/dev/ttyof
/dev/ttyop
/dev/ttyos
/usr/lib/.lib
/usr/lib/sn/.X
/usr/lib/sn/.sys
/usr/lib/ld/.X
/usr/man/man1/...
/usr/man/man1/.../.m
/usr/man/man1/.../.w"
SINROOTKIT_DIRS="/usr/lib/sn
/usr/lib/man1/...
/dev/.haos"
SINROOTKIT_KSYMS=
# Slapper Worm
SLAPPER_FILES="/tmp/.bugtraq
/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/httpd
/tmp/.unlock
/tmp/update
/tmp/.cinik
/tmp/.b"
SLAPPER_DIRS=
SLAPPER_KSYMS=
# Sneakin Rootkit
SNEAKIN_FILES=
SNEAKIN_DIRS="/tmp/.X11-unix/.../rk"
SNEAKIN_KSYMS=
# Solaris Wanuk backdoor
WANUKDOOR_FILES="/var/adm/sa/.adm/.lp-door.i86pc
/var/adm/sa/.adm/.lp-door.sun4
/var/spool/lp/admins/.lp-door.i86pc
/var/spool/lp/admins/.lp-door.sun4
/var/spool/lp/admins/lpshut
/var/spool/lp/admins/lpsystem
/var/spool/lp/admins/lpadmin
/var/spool/lp/admins/lpmove
/var/spool/lp/admins/lpusers
/var/spool/lp/admins/lpfilter
/var/spool/lp/admins/lpstat
/var/spool/lp/admins/lpd
/var/spool/lp/admins/lpsched
/var/spool/lp/admins/lpc"
WANUKDOOR_DIRS="/var/adm/sa/.adm"
WANUKDOOR_KSYMS=
# Solaris Wanuk Worm (ELF_WANUK.A)
WANUKWORM_FILES="/var/adm/.adm
/var/adm/.i86pc
/var/adm/.sun4
/var/adm/sa/.adm
/var/adm/sa/.adm/.i86pc
/var/adm/sa/.adm/.sun4
/var/adm/sa/.adm/.crontab
/var/adm/sa/.adm/devfsadmd
/var/adm/sa/.adm/svcadm
/var/adm/sa/.adm/cfgadm
/var/adm/sa/.adm/kadmind
/var/adm/sa/.adm/zoneadmd
/var/adm/sa/.adm/sadm
/var/adm/sa/.adm/sysadm
/var/adm/sa/.adm/dladm
/var/adm/sa/.adm/bootadm
/var/adm/sa/.adm/routeadm
/var/adm/sa/.adm/uadmin
/var/adm/sa/.adm/acctadm
/var/adm/sa/.adm/cryptoadm
/var/adm/sa/.adm/inetadm
/var/adm/sa/.adm/logadm
/var/adm/sa/.adm/nlsadmin
/var/adm/sa/.adm/sacadm
/var/adm/sa/.adm/syseventadmd
/var/adm/sa/.adm/ttyadmd
/var/adm/sa/.adm/consadmd
/var/adm/sa/.adm/metadevadm
/var/adm/sa/.i86pc
/var/adm/sa/.sun4
/var/adm/sa/acctadm
/var/adm/sa/bootadm
/var/adm/sa/cfgadm
/var/adm/sa/consadmd
/var/adm/sa/cryptoadm
/var/adm/sa/devfsadmd
/var/adm/sa/dladm
/var/adm/sa/inetadm
/var/adm/sa/kadmind
/var/adm/sa/logadm
/var/adm/sa/metadevadm
/var/adm/sa/nlsadmin
/var/adm/sa/routeadm
/var/adm/sa/sacadm
/var/adm/sa/sadm
/var/adm/sa/svcadm
/var/adm/sa/sysadm
/var/adm/sa/syseventadmd
/var/adm/sa/ttyadmd
/var/adm/sa/uadmin
/var/adm/sa/zoneadmd
/var/spool/lp/admins/.lp/.crontab
/var/spool/lp/admins/.lp/lpshut
/var/spool/lp/admins/.lp/lpsystem
/var/spool/lp/admins/.lp/lpadmin
/var/spool/lp/admins/.lp/lpmove
/var/spool/lp/admins/.lp/lpusers
/var/spool/lp/admins/.lp/lpfilter
/var/spool/lp/admins/.lp/lpstat
/var/spool/lp/admins/.lp/lpd
/var/spool/lp/admins/.lp/lpsched
/var/spool/lp/admins/.lp/lpc"
WANUKWORM_DIRS="/var/adm/sa/.adm
/var/spool/lp/admins/.lp"
WANUKWORM_KSYMS=
# 'Spanish' Rootkit
SPANISH_FILES="/dev/ptyq
/bin/ad
/bin/ava
/bin/server
/usr/sbin/rescue
/usr/share/.../chrps
/usr/share/.../chrifconfig
/usr/share/.../netstat
/usr/share/.../linsniffer
/usr/share/.../charbd
/usr/share/.../charbd2
/usr/share/.../charbd3
/usr/share/.../charbd4
/usr/man/tmp/update.tgz
/var/lib/rpm/db.rpm
/var/cache/man/.cat
/var/spool/lpd/remote/.lpq"
SPANISH_DIRS="/usr/share/..."
SPANISH_KSYMS=
# Suckit Rootkit
SUCKIT_FILES="/sbin/initsk12
/sbin/initxrk
/usr/bin/null
/usr/share/locale/sk/.sk12/sk
/etc/rc.d/rc0.d/S23kmdac
/etc/rc.d/rc1.d/S23kmdac
/etc/rc.d/rc2.d/S23kmdac
/etc/rc.d/rc3.d/S23kmdac
/etc/rc.d/rc4.d/S23kmdac
/etc/rc.d/rc5.d/S23kmdac
/etc/rc.d/rc6.d/S23kmdac"
SUCKIT_DIRS="/dev/sdhu0/tehdrakg
/etc/.MG
/usr/share/locale/sk/.sk12
/usr/lib/perl5/site_perl/i386-linux/auto/TimeDate/.packlist"
SUCKIT_KSYMS=
# SunOS / NSDAP Rootkit
NSDAP_FILES="/dev/pts/01/55su
/dev/pts/01/55ps
/dev/pts/01/55ping
/dev/pts/01/55login
/dev/pts/01/PATCHER_COMPLETED
/dev/prom/sn.l
/dev/prom/dos
/usr/lib/vold/nsdap/.kit
/usr/lib/vold/nsdap/defines
/usr/lib/vold/nsdap/patcher
/usr/lib/vold/nsdap/pg
/usr/lib/vold/nsdap/cleaner
/usr/lib/vold/nsdap/utime
/usr/lib/vold/nsdap/crypt
/usr/lib/vold/nsdap/findkit
/usr/lib/vold/nsdap/sn2
/usr/lib/vold/nsdap/sniffload
/usr/lib/vold/nsdap/runsniff
/usr/lib/lpset
/usr/lib/lpstart
/usr/bin/mc68000
/usr/bin/mc68010
/usr/bin/mc68020
/usr/ucb/bin/ps
/usr/bin/m68k
/usr/bin/sun2
/usr/bin/mc68030
/usr/bin/mc68040
/usr/bin/sun3
/usr/bin/sun3x
/usr/bin/lso
/usr/bin/u370"
NSDAP_DIRS="/dev/pts/01
/dev/prom
/usr/lib/vold/nsdap
/.pat"
NSDAP_KSYMS=
# SunOS Rootkit
SUNOSROOTKIT_FILES="/etc/ld.so.hash
/lib/libext-2.so.7
/usr/bin/ssh2d
/bin/xlogin
/usr/lib/crth.o
/usr/lib/crtz.o
/sbin/login
/lib/security/.config/sn
/lib/security/.config/lpsched
/dev/kmod
/dev/dos"
SUNOSROOTKIT_DIRS=
SUNOSROOTKIT_KSYMS=
# Superkit Rootkit (Suckit 1.3b-based)
SUPERKIT_FILES="/usr/man/.sman/sk/backsh
/usr/man/.sman/sk/izbtrag
/usr/man/.sman/sk/sksniff
/var/www/cgi-bin/cgiback.cgi"
SUPERKIT_DIRS="/usr/man/.sman/sk"
SUPERKIT_KSYMS=
# Telnet Backdoor
TBD_FILES="/usr/lib/.tbd"
TBD_DIRS=
TBD_KSYMS=
# TeLeKiT Rootkit
TELEKIT_FILES="/usr/man/man3/.../TeLeKiT/bin/sniff
/usr/man/man3/.../TeLeKiT/bin/telnetd
/usr/man/man3/.../TeLeKiT/bin/teleulo
/usr/man/man3/.../cl
/dev/ptyr
/dev/ptyp
/dev/ptyq
/dev/hda06
/usr/info/libc1.so"
TELEKIT_DIRS="/usr/man/man3/...
/usr/man/man3/.../lsniff
/usr/man/man3/.../TeLeKiT"
TELEKIT_KSYMS=
# OSX Togroot Rootkit
TOGROOT_FILES="/System/Library/Extensions/Togroot.kext/Contents/Info.plist
/System/Library/Extensions/Togroot.kext/Contents/pbdevelopment.plist
/System/Library/Extensions/Togroot.kext/Contents/MacOS/togrootkext"
TOGROOT_DIRS="/System/Library/Extensions/Togroot.kext
/System/Library/Extensions/Togroot.kext/Contents
/System/Library/Extensions/Togroot.kext/Contents/MacOS"
TOGROOT_KSYMS=
# T0rn (and misc) Rootkit
TORN_FILES="/dev/.lib/lib/lib/t0rns
/dev/.lib/lib/lib/du
/dev/.lib/lib/lib/ls
/dev/.lib/lib/lib/t0rnsb
/dev/.lib/lib/lib/ps
/dev/.lib/lib/lib/t0rnp
/dev/.lib/lib/lib/find
/dev/.lib/lib/lib/ifconfig
/dev/.lib/lib/lib/pg
/dev/.lib/lib/lib/ssh.tgz
/dev/.lib/lib/lib/top
/dev/.lib/lib/lib/sz
/dev/.lib/lib/lib/login
/dev/.lib/lib/lib/in.fingerd
/dev/.lib/lib/lib/1i0n.sh
/dev/.lib/lib/lib/pstree
/dev/.lib/lib/lib/in.telnetd
/dev/.lib/lib/lib/mjy
/dev/.lib/lib/lib/sush
/dev/.lib/lib/lib/tfn
/dev/.lib/lib/lib/name
/dev/.lib/lib/lib/getip.sh
/usr/info/.torn/sh*
/usr/src/.puta/.1addr
/usr/src/.puta/.1file
/usr/src/.puta/.1proc
/usr/src/.puta/.1logz
/usr/info/.t0rn"
TORN_DIRS="/dev/.lib
/dev/.lib/lib
/dev/.lib/lib/lib
/dev/.lib/lib/lib/dev
/dev/.lib/lib/scan
/usr/src/.puta
/usr/man/man1/man1
/usr/man/man1/man1/lib
/usr/man/man1/man1/lib/.lib
/usr/man/man1/man1/lib/.lib/.backup"
TORN_KSYMS=
# trNkit Rootkit
TRNKIT_FILES="/usr/lib/libbins.la
/usr/lib/libtcs.so
/dev/.ttpy/ulogin.sh
/dev/.ttpy/tcpshell.sh
/dev/.ttpy/bupdu
/dev/.ttpy/buloc
/dev/.ttpy/buloc1
/dev/.ttpy/buloc2
/dev/.ttpy/stat
/dev/.ttpy/backps
/dev/.ttpy/tree
/dev/.ttpy/topk
/dev/.ttpy/wold
/dev/.ttpy/whoold
/dev/.ttpy/backdoors"
TRNKIT_DIRS=
TRNKIT_KSYMS=
# Trojanit Kit Rootkit
TROJANIT_FILES="/bin/.ls
/bin/.ps
/bin/.netstat
/usr/bin/.nop
/usr/bin/.who"
TROJANIT_DIRS=
TROJANIT_KSYMS=
# Turtle / Turtle2 Rootkit
TURTLE_FILES="/dev/turtle2dev"
TURTLE_DIRS=
TURTLE_KSYMS=
# Tuxtendo (Tuxkit) Rootkit
TUXTENDO_FILES="/lib/libproc.so.2.0.7
/usr/bin/xchk
/usr/bin/xsf
/dev/tux/suidsh
/dev/tux/.addr
/dev/tux/.cron
/dev/tux/.file
/dev/tux/.log
/dev/tux/.proc
/dev/tux/.iface
/dev/tux/.pw
/dev/tux/.df
/dev/tux/.ssh
/dev/tux/.tux
/dev/tux/ssh2/sshd2_config
/dev/tux/ssh2/hostkey
/dev/tux/ssh2/hostkey.pub
/dev/tux/ssh2/logo
/dev/tux/ssh2/random_seed
/dev/tux/backup/crontab
/dev/tux/backup/df
/dev/tux/backup/dir
/dev/tux/backup/find
/dev/tux/backup/ifconfig
/dev/tux/backup/locate
/dev/tux/backup/netstat
/dev/tux/backup/ps
/dev/tux/backup/pstree
/dev/tux/backup/syslogd
/dev/tux/backup/tcpd
/dev/tux/backup/top
/dev/tux/backup/updatedb
/dev/tux/backup/vdir"
TUXTENDO_DIRS="/dev/tux
/dev/tux/ssh2
/dev/tux/backup"
TUXTENDO_KSYMS=
# Universal Rootkit by K2 (URK) Release 0.9.8
URK_FILES="/dev/prom/sn.l
/usr/lib/ldlibps.so
/usr/lib/ldlibnet.so
/dev/pts/01/uconf.inv
/dev/pts/01/cleaner
/dev/pts/01/bin/psniff
/dev/pts/01/bin/du
/dev/pts/01/bin/ls
/dev/pts/01/bin/passwd
/dev/pts/01/bin/ps
/dev/pts/01/bin/psr
/dev/pts/01/bin/su
/dev/pts/01/bin/find
/dev/pts/01/bin/netstat
/dev/pts/01/bin/ping
/dev/pts/01/bin/strings
/dev/pts/01/bin/bash
/usr/man/man1/xxxxxxbin/du
/usr/man/man1/xxxxxxbin/ls
/usr/man/man1/xxxxxxbin/passwd
/usr/man/man1/xxxxxxbin/ps
/usr/man/man1/xxxxxxbin/psr
/usr/man/man1/xxxxxxbin/su
/usr/man/man1/xxxxxxbin/find
/usr/man/man1/xxxxxxbin/netstat
/usr/man/man1/xxxxxxbin/ping
/usr/man/man1/xxxxxxbin/strings
/usr/man/man1/xxxxxxbin/bash
/tmp/conf.inv"
URK_DIRS="/dev/prom
/dev/pts/01
/dev/pts/01/bin
/usr/man/man1/xxxxxxbin"
URK_KSYMS=
# Also-see: /usr/lib/lpset (esniff), /var/lp/lpacct/ (files), /usr/lib/bnclp, /usr/lib/lpsys (identd),
# Also-see: /usr/lib/lptd (backdoor?), /sbin/rc2 and /sbin/rc3 containing string "/usr/lib/lpstart",
# Also-see: dos, psbnc, lpacct, USER, lp,
# Also see: /etc/lpconfig vs /etc/ttyhash, uconv.inv vs urk.conf.
# VcKit Rootkit
VCKIT_FILES=
VCKIT_DIRS="/usr/include/linux/modules/lib.so
/usr/include/linux/modules/lib.so/bin"
VCKIT_KSYMS=
# Vampire Rootkit
VAMPIRE_FILES=
VAMPIRE_DIRS=
VAMPIRE_KSYMS="new_getdents
old_getdents
should_hide_file_name
should_hide_task_name"
# Volc Rootkit
# Omit listing system binaries that should be picked up by changed hashes.
VOLC_FILES="/usr/bin/volc
/usr/lib/volc/backdoor/divine
/usr/lib/volc/linsniff
/etc/rc.d/rc1.d/S25sysconf
/etc/rc.d/rc2.d/S25sysconf
/etc/rc.d/rc3.d/S25sysconf
/etc/rc.d/rc4.d/S25sysconf
/etc/rc.d/rc5.d/S25sysconf"
VOLC_DIRS="/var/spool/.recent
/var/spool/.recent/.files
/usr/lib/volc
/usr/lib/volc/backup"
VOLC_KSYMS=
# weaponX 0.1
WEAPONX_FILES="/System/Library/Extensions/WeaponX.kext"
WEAPONX_DIRS="/tmp/..."
WEAPONX_KSYMS=
# WMKR26 2.0, WindEX, XND Crew, LKM for kernel 2.6
# (2.6.12 - 2.6.19.2, i[456]86 and x86_64)
# These files don't exist and can't be seen:
# /proc/qwerty
# /proc/givemeroot
# /proc/hide+[PID]
# /proc/hide-[PID]
# /proc/active-
# /proc/module_hide+
# /proc/module_hide-
# /proc/givemeinfo
# Xzibit Rootkit (also see MRK (MiCrobul?) RootKit)
XZIBIT_FILES="/dev/dsx
/dev/caca
/dev/ida/.inet/linsniffer
/dev/ida/.inet/logclear
/dev/ida/.inet/sense
/dev/ida/.inet/sl2
/dev/ida/.inet/sshdu
/dev/ida/.inet/s
/dev/ida/.inet/ssh_host_key
/dev/ida/.inet/ssh_random_seed
/dev/ida/.inet/sl2new.c
/dev/ida/.inet/tcp.log
/home/httpd/cgi-bin/becys.cgi
/usr/local/httpd/cgi-bin/becys.cgi
/usr/local/apache/cgi-bin/becys.cgi
/www/httpd/cgi-bin/becys.cgi
/www/cgi-bin/becys.cgi"
XZIBIT_DIRS="/dev/ida/.inet"
XZIBIT_KSYMS=
# X-Org SunOS Rootkit
XORGSUNOS_FILES="/usr/lib/libX.a/bin/tmpfl
/usr/lib/libX.a/bin/rps
/usr/bin/srload
/usr/lib/libX.a/bin/sparcv7/rps
/usr/sbin/modcheck"
XORGSUNOS_DIRS="/usr/lib/libX.a
/usr/lib/libX.a/bin
/usr/lib/libX.a/bin/sparcv7
/usr/share/man..."
XORGSUNOS_KSYMS=
# zaRwT.KiT Rootkit
ZARWT_FILES="/dev/rd/s/sendmeil
/dev/ttyf
/dev/ttyp
/dev/ttyn
/rk/tulz"
ZARWT_DIRS="/rk
/dev/rd/s"
ZARWT_KSYMS=
# ZK Rootkit
ZK_FILES="/usr/share/.zk/zk
/usr/X11R6/.zk/xfs
/usr/X11R6/.zk/echo
/etc/1ssue.net
/etc/sysconfig/console/load.zk"
ZK_DIRS="/usr/share/.zk
/usr/X11R6/.zk"
ZK_KSYMS=
# Miscellaneous login backdoors
LOGIN_BACKDOOR_FILES="/bin/.login
/sbin/.login"
# Suspicious directories
SUSPICIOUS_DIRS="/usr/X11R6/bin/.,/copy
/dev/rd/cdb"
# Evil strings
STRINGSCAN="crond:LOGNAME=root:Illogic Rootkit
hostname:phalanx:Phalanx Rootkit
init:/dev/proc/fuckit:Fuckit Rootkit
init:FUCK:Suckit Rootkit
init:backdoor:Suckit Rootkit (backdoored init file)
init:/usr/bin/rcpc:Portacelo Rootkit
init:/usr/sbin/login:trNkit Rootkit ulogin
killall:/dev/ptyxx/.proc:Ambient (ark) Rootkit
login:vt200:Linux Rootkit (LRK4)
login:/usr/bin/xstat:Linux Rootkit (LRK4)
login:/bin/envpc:Linux Rootkit (LRK4)
login:L4m3r0x:Linux Rootkit (LRK4)
login:/lib/libext:SHV4 Rootkit
login:/usr/sbin/login:Flea Linux Rootkit
login:/usr/lib/.tbd:TBD Rootkit
login:sendmail:Ambient (ark) Rootkit
login:cocacola:cb Rootkit
login:joao:Spanish Rootkit
ls:/dev/ptyxx/.file:Dica-Kit Rootkit
ls:/dev/ptyxx/.file:Ambient (ark) Rootkit
ls:/dev/sgk:Linux Rootkit (LRK4)
ls:/var/lock/subsys/...datafile...:Ohhara Rootkit
ls:/usr/lib/.tbd:TBD Rootkit
netstat:/dev/proc/fuckit:Fuckit Rootkit
netstat:/lib/.sso:Dica-Kit Rootkit
netstat:/var/lock/subsys/...datafile...:Ohhara Rootkit
netstat:/dev/caca:MRK Rootkit
netstat:/dev/ttyoa:Sin Rootkit
netstat:/usr/lib/ldlibns.so:Flea Linux Rootkit
netstat:/dev/ptyxx/.addr:Ambient (ark) Rootkit
netstat:syg:Trojaned netstat
nscd:sshd_config:Backdoor shell installed (SSH)
ps:/var/lock/subsys/...datafile...:Ohhara Rootkit or Ni0 Rootkit
ps:/dev/pts/01:Universal Rootkit (URK)
ps:tw33dl3:SunOS Rootkit
ps:psniff:SunOS Rootkit
ps:uconf.inv:Universal Rootkit (URK)
ps:lib/ldlibps.so:Flea Linux Rootkit or Universal Rootkit (URK)
pstree:/usr/lib/ldlibpst.so:Flea Linux Rootkit
ps:libproc.so.2.0.7:Fuckit Rootkit
ps:/dev/ptyxx/.proc:Ambient (ark) Rootkit
pstree:/dev/ptyxx/.proc:Ambient (ark) Rootkit
pgrep:libproc.so.2.0.7:Fuckit Rootkit
pkill:libproc.so.2.0.7:Fuckit Rootkit
ping:/bin/bash:Ping Rootkit or other backdoor
rpc.nfsd:cant open log:Sniffer installed
rpc.nfsd:sniff.pid:Sniffer installed
rpc.nfsd:tcp.log:Sniffer installed
sshd:/dev/ptyxx:OpenBSD Rootkit
sshd:/.config:SHV4 Rootkit
sshd:+\\$.*\\$\!.*\!\!\\$:Backdoored SSH daemon installed
sshd:backdoor.h:Trojaned SSH daemon
sshd:backdoor_active:Trojaned SSH daemon
sshd:magic_pass_active:Trojaned SSH daemon
sshd:/usr/include/gpm2.h:Trojaned SSH daemon
sshd:/usr/include/openssl:Trojaned SSH daemon
sshd:aion:Trojaned SSH daemon
sshd:pcszPass:Trojaned SSH daemon
sshd:LogPass:Trojaned SSH daemon
sshd:Login_Check:Trojaned SSH daemon
sshd:includes.h:Trojaned SSH daemon
sshd:DecodeString:Trojaned SSH daemon
sshd:EncodeString:Trojaned SSH daemon
sshd:libns2.so:Ebury sshd backdoor
sshd:libns5.so:Ebury sshd backdoor
sshd:libpw3.so:Ebury sshd backdoor
sshd:libpw5.so:Ebury sshd backdoor
sshd:libsbr.so:Ebury sshd backdoor
sshd:libslr.so:Ebury sshd backdoor
xntps:/.config:SHV4 Rootkit
syslogd:promiscuous:Sniffer installed
syslogd:/usr/lib/.tbd:TBD Rootkit
syslogd:/dev/ptyxx/.log:Ambient (ark) Rootkit
syslogd:/usr/share/pci.r:Trojaned Syslog daemon
tcpd:/dev/xdta:Dica-Kit Rootkit
top:/usr/lib/.tbd:TBD Rootkit
top:/dev/ptyxx/.proc:Ambient (ark) Rootkit
xtty:/bin/sh:Backdoor shell
ttymon:fucknut:SHV5 Rootkit
ttymon:lamersucks:SHV5 Rootkit
ttymon:skillz:SHV5 Rootkit
ttyload:/sbin/ttyload:SHV5 Rootkit
ttyload:/sbin/ttymon:SHV5 Rootkit
ttyload:propert of SH:SHV5 Rootkit
rcfile:in.inetd:SHV4 Rootkit
rcfile:+#<HIDE_.*>:Enye LKM
rcfile:bin/xchk:Optic Kit (Tux) Worm
rcfile:bin/xsf:Optic Kit (Tux) Worm
rcfile:/usr/bin/ssh2d:Flea Linux Rootkit or Optic Kit (Tux variant) Rootkit or SunOS Rootkit
rcfile:/usr/sbin/xntps:SHV4 Rootkit
rcfile:ttyload:SHV5 Rootkit
rcfile:/etc/rc.d/init.d/init:cb Rootkit or w00tkit Rootkit
rcfile:usr/bin/xfss:Devil Rootkit
rcfile:/usr/sbin/rpc.netinet:FreeBSD (FBRK) Rootkit
rcfile:/usr/lib/.fx/cons.saver:FreeBSD (FBRK) Rootkit
rcfile:/usr/lib/.fx/xs:FreeBSD (FBRK) Rootkit
rcfile:/ssh2d:Illogic Rootkit or SunOS Rootkit
rcfile:/dev/kmod:Illogic Rootkit or SunOS Rootkit
rcfile:/crth.o:Illogic Rootkit or SunOS Rootkit
rcfile:/crtz.o:Illogic Rootkit or SunOS Rootkit
rcfile:/dev/dos:Illogic Rootkit or SunOS Rootkit
rcfile:/lpq:Illogic Rootkit or SunOS Rootkit
rcfile:/usr/sbin/rescue:Spanish Rootkit
rcfile:/usr/lib/lpstart:SunOS NSDAP Rootkit or Universal Rootkit (URK)
rcfile:/volc:Volc Rootkit
rcfile:sourcemask:Rootkit component
rcfile:/bin/vobiscum:Rootkit component
rcfile:/usr/sbin/in.telnet:Rootkit component
rcfile:/usr/bin/hdparm?-t1?-X53?-p:Xzibit Rootkit
rcfile:/lib/.xsyslog:Flooder (Linux/Bckdr-RKC) component
rcfile:/etc/.xsyslog:Flooder (Linux/Bckdr-RKC) component
rcfile:/lib/.ssyslog:Flooder (Linux/Bckdr-RKC) component
rcfile:/tmp/.sendmail:Flooder (Linux/Bckdr-RKC) component
rcfile:IptabLex:malware component
rcfile:IptabLes:malware component
ssh:/lib/ldd.so/tkps:SHV4 Rootkit
ssh1:/lib/ldd.so/tkps:SHV4 Rootkit
ssh:t0rnkit:T0rn Rootkit
ssh:/dev/proc/fuckit:Fuckit Rootkit
ssh:backdoor.h:Trojaned SSH daemon
ssh:backdoor_active:Trojaned SSH daemon
ssh:magic_pass_active:Trojaned SSH daemon
ssh:/usr/include/gpm2.h:Trojaned SSH daemon
skill:libproc.so.2.0.7:Fuckit Rootkit
snice:libproc.so.2.0.7:Fuckit Rootkit
top:libproc.so.2.0.7:Fuckit Rootkit
slocate:/usr/lib/ldlibct.so:Flea Linux Rootkit
locate:/usr/lib/ldlibct.so:Flea Linux Rootkit
du:/usr/lib/ldlibdu.so:Flea Linux Rootkit
du:/dev/ptyxx/.file:Ambient (ark) Rootkit
w:libproc.so.2.0.7:Fuckit Rootkit
xlogin:/lib/libext:SHV4 Rootkit
hdparm:/dev/ida/.inet:Xzibit Rootkit
pgrep:/usr/include/mysql/mysql.hh1:Rootkit component
pkill:/usr/include/mysql/mysql.hh1:Rootkit component
pmap:/usr/include/mysql/mysql.hh1:Rootkit component
ps:/usr/include/mysql/mysql.hh1:Rootkit component
w:/usr/include/mysql/mysql.hh1:Rootkit component
top:/usr/include/mysql/mysql.hh1:Rootkit component
bc:backconnect:Jynx Rootkit
bc:magic?packet?received:Jynx Rootkit"
# Possible rootkit files and directories
# The '%' character represents a space.
FILESCAN="file:/dev/sdr0:T0rn Rootkit MD5 hash database
file:/dev/pisu:Rootkit component
file:/dev/xdta:Dica-Kit Rootkit
file:/dev/saux:Trojaned SSH daemon sniffer log
file:/dev/hdx:Linux.RST.B infection
file:/dev/hdx1:Linux.RST.B infection
file:/dev/hdx2:Linux.RST.B infection
file:/dev/ptyy:Rootkit component
file:/dev/ptyu:Rootkit component
file:/dev/ptyv:Rootkit component
file:/dev/hdbb:Rootkit component
file:/tmp/.syshackfile:Trojaned syslog daemon
file:/tmp/.bash_history:Lite5-r Rootkit
file:/usr/info/.clib:Backdoor component
file:/usr/sbin/tcp.log:Sniffer log
file:/usr/bin/take/pid:Trojaned SSH daemon
file:/sbin/create:MzOzD Local backdoor
file:/dev/ttypz:spwn login backdoor
file:/var/log/tcp.log:beX2 Rootkit
file:/usr/include/audit.h:beX2 Rootkit
file:/usr/bin/sourcemask:Rootkit component
file:/usr/bin/ras2xm:Rootkit component
file:/dev/xmx:Dica-Kit Rootkit
file:/usr/sbin/gpm.root:Rootkit component
file:/bin/vobiscum:Rootkit component
file:/bin/psr:Rootkit component
file:/dev/kdx:Rootkit component
file:/dev/dkx:Rootkit component
file:/usr/sbin/sshd3:Rootkit component
file:/usr/sbin/jcd:Rootkit component
file:/usr/sbin/atd2:Rootkit component
file:/home/httpd/cgi-bin/linux.cgi:Dica-Kit Rootkit
file:/home/httpd/cgi-bin/psid:Dica-Kit Rootkit
file:/home/httpd/cgi-bin/void.cgi:Dica-Kit Rootkit
file:/etc/rc.d/init.d/system:Rootkit component
file:/etc/rc.d/rc3.d/S93users:Rootkit component
file:/tmp/.ush:Dica-Kit Rootkit
file:/usr/lib/libhidefile.so:HIDEFILE envvar file-hiding library
file:/etc/cron.d/kmod:Illogic Rootkit
file:/usr/lib/dmis/dmisd:Trojaned SSH daemon
file:/lib/secure/libhij.so:Solaris Trojaned SSH daemon
file:/usr/sbin/sshd3:Rootkit component
file:/etc/rc.d/init.d/crontab:Rootkit component
file:/etc/rc.d/init.d/jcd:Rootkit component
file:/usr/sbin/atd2:Rootkit component
file:/etc/rc.d/rc5.d/S93users:Rootkit component
file:/usr/include/mysql/mysql.hh1:Rootkit component
file:/etc/init.d/xfs3:Rootkit component
file:/usr/sbin/t.txt:Opyum kit component
file:/usr/sbin/change:Opyum kit component
file:/usr/sbin/s:Opyum kit component
file:/bin/f:Opyum kit component
file:/bin/i:Opyum kit component
file:/lib/libncom.so.4.0.1:ncom rootkit library
file:/sbin/zinit:Rootkit component
file:/tmp/pass_ssh.log:Trojaned SSH daemon
file:/usr/include/gpm2.h:Trojaned SSH daemon
file:/etc/ssh/.sshd_auth:Trojaned SSH daemon (logins)
file:/usr/lib/.sshd.h:Trojaned SSH daemon (logins)
file:/var/run/.defunct:Trojaned SSH daemon
file:/etc/httpd/run/.defunct:Trojaned SSH daemon
file:/usr/share/pci.r:Trojaned Syslog daemon
file:/etc/cron.daily/dnsquery:Sniffer
file:/usr/lib/libutil1.2.1.2.so:Trojaned SSH daemon component (hwclock binary)
file:/usr/lib/libppopen.so:Trojaned SSH daemon component
file:/usr/include/libutil2.1.h:Trojaned SSH daemon component
file:/usr/bin/munchhausen:Trojaned SSH daemon component
file:/bin/ceva:Trojaned SSH daemon (client binary)
file:/sbin/syslogd%:Trojaned SSH daemon (sebd)
file:/usr/include/shup.h:Trojaned SSH daemon (client binary)
file:/etc/rpm/sshdOLD:Trojaned SSH daemon (original sshd binary)
file:/etc/rpm/sshOLD:Trojaned SSH daemon (original ssh binary)
file:/usr/share/passwd.h:Trojaned SSH daemon (default configuration)
file:/lib/.xsyslog:Flooder (Linux/Bckdr-RKC) component
file:/etc/.xsyslog:Flooder (Linux/Bckdr-RKC) component
file:/lib/.ssyslog:Flooder (Linux/Bckdr-RKC) component
file:/tmp/.sendmail:Flooder (Linux/Bckdr-RKC) component
file:/usr/share/sshd.sync:Trojaned SSH daemon
file:/bin/zcut:Trojaned SSH daemon
file:/usr/bin/zmuie:Trojaned SSH daemon
file:/IptabLes:malware component
file:/.IptabLex:malware component
file:/boot/.IptabLex:malware component
file:/boot/.IptabLes:malware component
file:/boot/IptabLes:malware component
file:/tmp/IptabLes:malware component
file:/etc/rc.d/init.d/IptabLex:malware component
file:/etc/rc.d/init.d/IptabLes:malware component
file:/etc/rc.d/rc0.d/S55IptabLex:malware component
file:/etc/rc.d/rc1.d/S55IptabLex:malware component
file:/etc/rc.d/rc2.d/S55IptabLex:malware component
file:/etc/rc.d/rc3.d/S55IptabLex:malware component
file:/etc/rc.d/rc4.d/S55IptabLex:malware component
file:/etc/rc.d/rc5.d/S55IptabLex:malware component
file:/etc/rc.d/rc6.d/S55IptabLex:malware component
file:/var/lib/update-rc.d/IptabLex:malware component
file:/delallmykkk:malware component
file:/usr/.IptabLes:malware component
file:/usr/IptabLes:malware component
file:/tmp/.flush:malware component
file:/var/log/.flush:malware component
file:/usr/.flush:malware component
file:/etc/init.d/bluetoothdaemon:malware component
file:/usr/bin/btdaemon:malware component
file:/etc/rc1.d/S90bluetooth:malware component
file:/etc/rc2.d/S90bluetooth:malware component
file:/etc/rc3.d/S90bluetooth:malware component
file:/etc/rc4.d/S90bluetooth:malware component
file:/etc/rc5.d/S90bluetooth:malware component
file:/etc/rc6.d/S90bluetooth:malware component
file:/boot/pro:BillGates botnet component
file:/boot/proh:BillGates botnet component
file:/etc/atdd:BillGates botnet component
file:/etc/atddd:BillGates botnet component
file:/etc/cupsdd:BillGates botnet component
file:/etc/cupsddd:BillGates botnet component
file:/etc/cupsddh:BillGates botnet component
file:/etc/dsfrefr:BillGates botnet component
file:/etc/fdsfsfvff:BillGates botnet component
file:/etc/ferwfrre:BillGates botnet component
file:/etc/fwke.cfg:BillGates botnet component
file:/etc/gdmorpen:BillGates botnet component
file:/etc/gfhddsfew:BillGates botnet component
file:/etc/gfhjrtfyhuf:BillGates botnet component
file:/etc/ksapd:BillGates botnet component
file:/etc/ksapdd:BillGates botnet component
file:/etc/kysapd:BillGates botnet component
file:/etc/kysapdd:BillGates botnet component
file:/etc/rewgtf3er4t:BillGates botnet component
file:/etc/sdmfdsfhjfe:BillGates botnet component
file:/etc/sfewfesfs:BillGates botnet component
file:/etc/sfewfesfsh:BillGates botnet component
file:/etc/sksapd:BillGates botnet component
file:/etc/sksapdd:BillGates botnet component
file:/etc/skysapd:BillGates botnet component
file:/etc/skysapdd:BillGates botnet component
file:/etc/smarvtd:BillGates botnet component
file:/etc/whitptabil:BillGates botnet component
file:/etc/xfsdx:BillGates botnet component
file:/etc/xfsdxd:BillGates botnet component
file:/tmp/bill.lock:BillGates botnet component
file:/tmp/gates.lock:BillGates botnet component
file:/tmp/gates.lod:BillGates botnet component
file:/tmp/moni.lock:BillGates botnet component
file:/tmp/moni.lod:BillGates botnet component
file:/tmp/notify.file:BillGates botnet component
file:/usr/bin/.sshd:BillGates botnet component
file:/usr/bin/bsd-port/getty:BillGates botnet component
file:/usr/bin/bsd-port/getty.lock:BillGates botnet component
file:/usr/bin/bsd-port/udevd.lock:BillGates botnet component
file:/usr/bin/pojie:BillGates botnet component
file:/usr/lib/libamplify.so:BillGates botnet component
file:/etc/init.d/DbSecuritySpt:BillGates botnet component
file:/etc/rc.d/init.d/DbSecuritySpt:BillGates botnet component
file:/etc/cron.hourly/gcc.sh:BillGates botnet component
file:/root/2016ttfacai:BillGates botnet component
file:/proc/rs_dev:xorddos component
file:/var/run/sftp.pid:xorddos component
file:/var/run/udev.pid:xorddos component
file:/var/run/mount.pid:xorddos component
file:/etc/cron.hourly/cron.sh:xorddos component
file:/etc/cron.hourly/udev.sh:xorddos component
file:/etc/cron.hourly/udev.sh:xorddos component
file:/lib/libgcc.so:xorddos component
file:/lib/libgcc.so.bak:xorddos component
file:/lib/libgcc4.so:xorddos component
file:/lib/libgcc4.4.so:xorddos component
file:/lib/udev/udev:xorddos component
file:/lib/udev/debug:xorddos component
dir:/dev/ptyas:Langsuir installation directory
dir:/usr/bin/take:Trojaned SSH daemon
dir:/usr/src/.lib:Rootkit component
dir:/usr/share/man/man1/.1c:Eggdrop (IRC bot)
dir:/lib/lblip.tk:T0rn Rootkit directory with backdoored SSH-configuration
dir:/usr/sbin/...:Rootkit component
dir:/usr/share/.gun:Rootkit component
dir:/unde/vrei/tu/sa/te/ascunzi/in/server:Unknown rootkit
dir:/usr/man/man1/..%%/.dir:Unknown rootkit
dir:/usr/X11R6/include/X11/...:Unknown rootkit
dir:/usr/X11R6/lib/X11/.fonts/misc/...:Unknown rootkit
dir:/tmp/.sys:Rootkit component
dir:/tmp/':Rootkit component
dir:/tmp/.,:Rootkit component
dir:/tmp/,.,:Rootkit component
dir:/dev/shm/emilien:Rootkit component
dir:/var/tmp/.log:Rootkit component
dir:/tmp/zmeu/...%:Rootkit component
dir:/var/log/ssh:Rootkit component
dir:/dev/ida:Rootkit component
dir:/var/lib/games/.src/ssk/shit:Rootkit component
dir:/usr/lib/libshtift:Rootkit component
dir:/usr/src/.poop:Ramen worm
dir:/dev/wd4:IRC bot
dir:/var/run/.tmp:Rootkit component
dir:/usr/man/man1/lib/.lib:Rootkit component
dir:/dev/portd:Rootkit component
dir:/dev/...:Rootkit component
dir:/usr/share/man/mansps:Rootkit component
dir:/lib/.so:Rootkit component
dir:/lib/.sso:Rootkit component
dir:/usr/include/sslv3:Rootkit component
dir:/dev/shm/sshd:Trojaned SSH daemon
dir:/usr/share/locale/mk/.dev/sk:Sniffer
dir:/usr/share/locale/mk/.dev:Sniffer
dir:/usr/include/netda.h:Trojaned SSH daemon
dir:/usr/include/.ssh:Trojaned SSH daemon
dir:/usr/share/locale/jp/.%:IRC bot
dir:/usr/share/.sqe:IRC bot"
# Evil strings for FreeBSD KLD (Dynamic Kernel Linker modules)
KLDSTATKEYWORDS="backd00r backdoor darkside nekit rpldev rpldev_mod spapem_core spapem_genr00t hide_process turtle"
# Suspicious startup file strings
RCLOCAL_STRINGS="/usr/bin/rpc.wall:Linux Rootkit (LRK4)
sshdd:GasKit Rootkit
hidef:Knark Rootkit
/usr/bin/.etc:Dica-Kit Rootkit"
# Suspicious open files
# If the file information field starts with 'OSX ' then
# it will only be tested for on OSX systems.
SUSP_FILES_INFO="backdoor:Generic backdoor
adore.o:Adore kernel module
mod_rootme.so:Apache mod_rootme backdoor
phide_mod.o:Process hiding kernel module
lbk.ko:LBK FreeBSD kernel module
vlogger.o:THC-Vlogger kernel module
cleaner.o:Adore kernel module
cleaner:Adore Rootkit
ava:Adore Rootkit
tzava:Adore Rootkit
mod_klgr.o:klgr, keyboard logger (kernel module)
hydra:THC-Hydra (password capture)
hydra.restore:THC-Hydra (password capture)
ras2xm:Unknown rootkit
vobiscum:Unknown rootkit
sshd3:Unknown rootkit
system:Unknown rootkit
t0rnsb:T0rn Rootkit
t0rns:T0rn Rootkit
t0rnp:T0rn Rootkit
rx4u:Unknown rootkit
rx2me:Unknown rootkit
sshdu:Unknown rootkit
glotzer:Unknown rootkit
holber:Devil Rootkit
xhide:Process hiding software
xh:Process hiding software (alternative of XHide)
emech:IRC bot
psybnc:IRC bot
mech:IRC bot
httpd.bin:IRC bot
mh:Dica-Kit Rootkit IRC bot
xl:Dica-Kit Rootkit
write:Dica-Kit Rootkit
Phantasmagoria.o:Process hiding Linux kernel module
lkt.o:Portacelo Rootkit
nlkt.o:Portacelo Rootkit
ld_poison.so:Jynx Rootkit
.xsyslog:Flooder (Linux/Bckdr-RKC) component
.ssyslog:Flooder (Linux/Bckdr-RKC) component
pscan2:Port scanner
scanssh:Port scanner
sshf:Possible port scanner
ssh-scan:Port scanner
atac:Port scanner component
\[pdflush\]:IRC bot
.IptabLex:malware component
.IptabLes:malware component
.flush:malware component
\[bluetooth\]:malware component
\[flush:malware component
jynx2.so:Jynx2 Rootkit
reality.so:Jynx2 Rootkit
kernel_service:OSX KeRanger ransomware
icloudsyncd:OSX Keydnap backdoor
icloudproc:OSX Keydnap backdoor
dbd:OSX Eleanor backdoor
check_hostname:OSX Eleanor backdoor
profiled:Mokes backdoor
DropboxCache:Mokes backdoor
storeuserd:OSX Mokes backdoor
updateragent:OSX Proton backdoor"
# System startup file pathnames
RCLOCATIONS="/etc/rc.d
/etc/rc.local
/usr/local/etc/rc.d
/usr/local/etc/rc.local
/etc/conf.d/local.start
/etc/init.d
/etc/inittab
/etc/systemd/system"
# Integrity tests
STRINGS_INTEGRITY="${BOBKIT_FILES} ${BOBKIT_DIRS} ${CINIK_FILES}
${CINIK_DIRS} ${DICA_FILES} ${FREEBSD_RK_FILES}
${TBD_FILES} ${TORN_FILES} ${TORN_DIRS}"
SNIFFER_FILES="/usr/lib/libice.log
/dev/prom/sn.l
/dev/fd/.88/zxsniff.log"
# Known bad Linux kernel modules
LKM_BADNAMES="adore.o
bkit-adore.o
cleaner.o
flkm.o
knark.o
modhide.o
mod_klgr.o
phide_mod.o
vlogger.o
p2.ko
rpldev.o
xC.o
strings.o
wkmr26.ko
diamorphine.ko"
return
}
strings_check() {
#
# This function carries out the 'strings' command check.
# It passes specific strings through the strings command to
# see if they are missing. If so, then it can indicate that
# the command has been modified to hide information.
#
if `check_test strings`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST strings
display --to SCREEN+LOG --type PLAIN --screen-indent 2 STRINGS_CHECK_START
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST strings
fi
return
fi
#
# First check to see if we have a 'strings' command.
#
if [ -z "${STRINGS_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 STRINGS_CHECK
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' strings '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'strings'
else
display --to LOG --type INFO NOT_FOUND_CMD 'strings'
fi
return
fi
STRINGSFAILED=0
for STRING in ${STRINGS_INTEGRITY}; do
STRINGNAME=`echo "${STRING}" | sed -e 's/\./\\\./g'`
STRING_SEEN=`echo "${STRING}" | ${STRINGS_CMD} -a | grep "${STRINGNAME}" | tr -d ' '`
if [ -z "${STRING_SEEN}" ]; then
STRINGSFAILED=1
display --to LOG --type WARNING --result WARNING --log-indent 2 STRINGS_SCANNING_BAD "${STRING}"
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result OK --log-indent 2 STRINGS_SCANNING_OK "${STRING}"
fi
done
if [ $STRINGSFAILED -eq 0 ]; then
RKHTMPVAR="SCREEN"
test $VERBOSE_LOGGING -eq 0 && RKHTMPVAR="SCREEN+LOG"
display --to "${RKHTMPVAR}" --type PLAIN --result OK --color GREEN --screen-indent 4 STRINGS_CHECK
else
display --to SCREEN --type PLAIN --result WARNING --color RED --screen-indent 4 STRINGS_CHECK
fi
return
}
shared_libs_check() {
#
# This function checks shared library loading problems.
# It is part of do_system_commands_checks and should precede or run
# just after strings_check if enabled.
#
#
# Remarks:
# Oracle-10.1.0.3 on RHEL3 needs /etc/libcwait.so,
# F-PROT Antivirus for GNU/Linux needs f-prot.so,
# AVAYA Labs "stack overflow protection" uses libsafe.
#
if `check_test shared_libs`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST shared_libs
display --to SCREEN+LOG --type PLAIN --screen-indent 2 SHARED_LIBS_START
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST shared_libs
fi
return
fi
#
# First check for preloading exported variables.
#
VARFOUND=""
for VARNAME in LD_PRELOAD LD_AOUT_PRELOAD LD_ELF_PRELOAD; do
VARNAME_VALUE_ORIG=`eval echo "\\$${VARNAME}"`
VARNAME_VALUE=`echo "${VARNAME_VALUE_ORIG}" | tr ':' ' '`
FOUND=0
for FNAME in ${VARNAME_VALUE}; do
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -z "`echo \"${SHARED_LIB_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
FOUND=1
else
display --to LOG --type INFO SHARED_LIBS_PRELOAD_LIB_WLIST "${FNAME}"
fi
done
if [ $FOUND -eq 1 ]; then
VARFOUND="${VARFOUND}
${VARNAME}=\"${VARNAME_VALUE_ORIG}\""
fi
done
VARFOUND=`echo "${VARFOUND}" | sed -e '/^$/d'`
if [ -z "${VARFOUND}" ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_VAR
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_VAR
IFS=$IFSNL
for FNAME in ${VARFOUND}; do
display --to LOG --type WARNING SHARED_LIBS_PRELOAD_VAR_FOUND "${FNAME}"
done
IFS=$RKHIFS
fi
#
# Next check for a preload file.
#
FOUND=0
PRELOAD_FILE="/etc/ld.so.preload"
if [ -s "${PRELOAD_FILE}" ]; then
RKHLIBLIST=""
display --to LOG --type INFO SHARED_LIBS_PRELOAD_FILE_FOUND "${PRELOAD_FILE}"
for FNAME in `grep -v '^#' "${PRELOAD_FILE}"`; do
FOUND=1
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -z "`echo \"${SHARED_LIB_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
RKHLIBLIST="${RKHLIBLIST} ${FNAME}"
else
display --to LOG --type INFO SHARED_LIBS_PRELOAD_LIB_WLIST "${FNAME}"
fi
done
if [ -n "${RKHLIBLIST}" ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_FILE
for FNAME in ${RKHLIBLIST}; do
display --to LOG --type WARNING SHARED_LIBS_PRELOAD_LIB_FOUND "${FNAME}"
done
elif [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_FILE
else
display --to SCREEN+LOG --type PLAIN --result WHITELISTED --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_FILE
fi
else
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_FILE
fi
#
# Finally we check the LD_LIBRARY_PATH. This check may be
# disabled by the user if the 'ldd' command is not available.
#
if `check_test shared_libs_path`; then
display --to LOG --type INFO --log-nl STARTING_TEST shared_libs_path
if [ -n "${LDD_CMD}" ]; then
if [ -n "${LD_LIBRARY_PATH}" ]; then
LD_LIBR_FAILED=0
RKHTMPVAR_BIN=""
LD_LIBRARY_PATH_SAVED="${LD_LIBRARY_PATH}"
if [ -z "${MD5_CMD}" ]; then
MD5_CMD=`find_cmd md5sum`
test -z "${MD5_CMD}" && MD5_CMD=`find_cmd md5`
fi
LS_CMD=`find_cmd ls`
for RKHTMPVAR in FIND PS STRINGS MD5 LS STAT; do
RKHTMPVAR=`eval echo "\\$${RKHTMPVAR}_CMD"`
RKHTMPVAR=`echo "${RKHTMPVAR}" | cut -d' ' -f1`
RKHTMPVAR_BIN="${RKHTMPVAR_BIN} ${RKHTMPVAR}"
done
for RKHTMPVAR in ${RKHTMPVAR_BIN}; do
LD_LIBRARY_PATH="${LD_LIBRARY_PATH_SAVED}"
export LD_LIBRARY_PATH
RKHTMPVAR_WITH=`${LDD_CMD} ${RKHTMPVAR} | sed -e 's/(0x[0-9a-f]*)/0xHEX/' 2>&1`
unset LD_LIBRARY_PATH
RKHTMPVAR_WITHOUT=`${LDD_CMD} ${RKHTMPVAR} | sed -e 's/(0x[0-9a-f]*)/0xHEX/' 2>&1`
if [ "${RKHTMPVAR_WITH}" != "${RKHTMPVAR_WITHOUT}" ]; then
#
# Testing one command should be "evidence" enough.
#
LD_LIBR_FAILED=1
break
fi
done
#
# Reset things to the way they were before.
#
LD_LIBRARY_PATH="${LD_LIBRARY_PATH_SAVED}"
export LD_LIBRARY_PATH
if [ $LD_LIBR_FAILED -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH
display --to LOG --type WARNING SHARED_LIBS_PATH_BAD "${LD_LIBRARY_PATH}"
fi
else
display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH
fi
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ldd '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'ldd'
else
display --to LOG --type INFO NOT_FOUND_CMD 'ldd'
fi
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST shared_libs_path
fi
return
}
updt_rkhdat() {
#
# This function is part of the file properties check. It is
# used to add and remove entries from the rkhunter.dat file.
#
get_temp_file "${RKHTMPDIR}/rkhunter.dat"
RKHDAT_TMPFILE="${TEMPFILE}"
get_temp_file "${RKHTMPDIR}/rkhunter.dat2"
RKHDAT_TMPFILE2="${TEMPFILE}"
touch "${RKHDAT_TMPFILE}" "${RKHDAT_TMPFILE2}"
display --to LOG --type INFO CREATED_TEMP_FILE "${RKHDAT_TMPFILE}"
display --to LOG --type INFO CREATED_TEMP_FILE "${RKHDAT_TMPFILE2}"
cp -f -p "${RKHDAT_FILE}" "${RKHDAT_TMPFILE}"
IFS=$IFSNL
OLDRKHENTRIES=`echo "${OLDRKHENTRIES}" | sed -e '/^$/d'`
for FNAME in ${OLDRKHENTRIES}; do
if [ $FMTVERSION -eq 0 ]; then
FILENAME=`echo "${FNAME}" | cut -d: -f2`
else
RKH_CC=`echo "${FNAME}" | cut -d: -f2`
RKH_CC2=`expr 3 + $RKH_CC`
FILENAME=`echo "${FNAME}" | cut -d: -f3-$RKH_CC2`
fi
display --to LOG --type INFO RKHDAT_DEL_OLD_ENTRY "`name2text \"${FILENAME}\"`"
FNAMEGREP=`echo "${FNAME}" | sed -e 's:/:\\\/:g'`
sed -e "/^${FNAMEGREP}$/d" "${RKHDAT_TMPFILE}" >"${RKHDAT_TMPFILE2}"
cp -f "${RKHDAT_TMPFILE2}" "${RKHDAT_TMPFILE}"
done
NEWRKHENTRIES=`echo "${NEWRKHENTRIES}" | sed -e '/^$/d'`
for FNAME in ${NEWRKHENTRIES}; do
if [ $FMTVERSION -eq 0 ]; then
FILENAME=`echo "${FNAME}" | cut -d: -f2`
else
RKH_CC=`echo "${FNAME}" | cut -d: -f2`
RKH_CC2=`expr 3 + $RKH_CC`
FILENAME=`echo "${FNAME}" | cut -d: -f3-$RKH_CC2`
fi
display --to LOG --type INFO RKHDAT_ADD_NEW_ENTRY "`name2text \"${FILENAME}\"`"
echo "${FNAME}" >>"${RKHDAT_TMPFILE}"
done
IFS=$RKHIFS
#
# Now put the new rkhunter.dat file in place.
#
cp -f -p "${RKHDAT_FILE}" "${RKHDAT_FILE}.old" >/dev/null 2>&1
cp -f "${RKHDAT_TMPFILE}" "${RKHDAT_FILE}" >/dev/null 2>&1
ERRCODE=$?
if [ $ERRCODE -ne 0 ]; then
RET_CODE=1
display --to LOG --type INFO CMD_ERROR "cp ${RKHDAT_TMPFILE} ${RKHDAT_FILE}" $ERRCODE
display --to SCREEN+LOG --type WARNING PROPUPD_ERROR $ERRCODE
else
display --to LOG --type INFO PROPUPD_NEW_DAT_FILE "${DB_PATH}"
fi
chmod 600 "${RKHDAT_FILE}" >/dev/null 2>&1
rm -f "${RKHDAT_TMPFILE}" "${RKHDAT_TMPFILE2}" >/dev/null 2>&1
return
}
file_properties_check() {
#
# This function carries out a check of system command property
# values checked against their previous value, which is stored
# in the rkhunter.dat file. Other checks work on the current
# file, and do not use any previously stored value (for example,
# the immutable-bit check).
#
#
# Each test will set the variable TEST_RESULT, and use it to
# display the actual result. Typically a null string indicates
# 'OK', and anything else is a 'Warning'.
#
TEST_RESULT=""
NEWRKHENTRIES=""
OLDRKHENTRIES=""
WHITELIST_RESULT=""
SKIP_ATTR=0; SKIP_HASH=0; SKIP_IMMUT=0; SKIP_SCRIPT=0
USE_DAT_FILE=1
SKIP_IMMUT_OS=0
PROP_FILE_LIST_COUNT=0
ADDNEWENTRY=0
#
# In order to disable the whole test we have to check if
# each specific test has been disabled.
#
for RKHTMPVAR in attributes hashes immutable scripts; do
if ! `check_test ${RKHTMPVAR}`; then
case "${RKHTMPVAR}" in
attributes)
SKIP_ATTR=1
;;
hashes)
SKIP_HASH=1
;;
immutable)
SKIP_IMMUT=1
;;
scripts)
SKIP_SCRIPT=1
;;
esac
fi
done
#
# The immutable-bit test is only applicable to Linux and
# BSD systems. We need to disable the test, but not have
# it logged as if the user had disabled it (that would be
# confusing).
#
if [ $BSDOS -eq 0 -a $LINUXOS -eq 0 ]; then
if [ $SKIP_IMMUT -eq 0 ]; then
SKIP_IMMUT=1
SKIP_IMMUT_OS=1
fi
fi
if ! `check_test properties`; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST properties
fi
return
elif [ $SKIP_ATTR -eq 1 -a $SKIP_HASH -eq 1 -a $SKIP_IMMUT -eq 1 -a $SKIP_SCRIPT -eq 1 ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST properties
fi
return
else
display --to LOG --type INFO --screen-nl --nl STARTING_TEST properties
display --to SCREEN+LOG --type PLAIN --screen-indent 2 FILE_PROP_START
fi
#
# If the user wants to skip a test then log it.
#
for RKHTMPVAR in attributes hashes immutable scripts; do
case "${RKHTMPVAR}" in
attributes)
TEST_NAME=$SKIP_ATTR
;;
hashes)
TEST_NAME=$SKIP_HASH
;;
scripts)
TEST_NAME=$SKIP_SCRIPT
;;
immutable)
TEST_NAME=0
test $SKIP_IMMUT_OS -eq 0 && TEST_NAME=$SKIP_IMMUT
;;
esac
if [ $TEST_NAME -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO USER_DISABLED_TEST ${RKHTMPVAR}
fi
done
#
# The first test we do is on the commands needed to
# perform all the file checks. If the user has not
# disabled any test, and a command is missing, then
# we must let them know that without marking each file
# test as a 'Warning' (because that could hide a real
# problem). We include checks on the rkhunter.dat file
# as well.
#
RKHTMPVAR=""
if [ $SKIP_ATTR -eq 0 -a -z "${STAT_CMD}" ]; then
SKIP_ATTR=1
RKHTMPVAR="${RKHTMPVAR} attr"
fi
if [ $SKIP_HASH -eq 0 ]; then
# Not sure about this one...!
if [ -z "${OLD_PKGMGR}" -a -s ${RKHDAT_FILE} -a "${HASH_FUNC}" != "NONE" -a \( "${OLD_HASH_FUNC}" = "NONE" -o "${OLD_HASH_FUNC}" = "Disabled" -o -z "${OLD_HASH_FUNC}" \) ]; then
SKIP_HASH=1
RKHTMPVAR="${RKHTMPVAR} hash"
if [ -n "${PRELINK_HASH}" ]; then
HASH_FUNC_ERR="prelink with ${PRELINK_HASH}"
else
HASH_FUNC_ERR="${HASH_FUNC}"
fi
if [ -z "${OLD_HASH_FUNC}" ]; then
OLD_HASH_FUNC_ERR="Unset"
elif [ "${OLD_HASH_FUNC}" = "MD5" -o "${OLD_HASH_FUNC}" = "SHA1" ]; then
# Oops! This can't be reached.
OLD_HASH_FUNC_ERR="prelink with ${OLD_HASH_FUNC}"
else
OLD_HASH_FUNC_ERR="${OLD_HASH_FUNC}"
fi
if [ -z "${PKGMGR}" ]; then
PKGMGR_ERR="Unset"
else
PKGMGR_ERR="${PKGMGR}"
fi
if [ -z "${OLD_PKGMGR}" ]; then
OLD_PKGMGR_ERR="Unset"
else
OLD_PKGMGR_ERR="${OLD_PKGMGR}"
fi
fi
if [ $SKIP_HASH_MSG -eq 1 ]; then
SKIP_HASH=1
RKHTMPVAR="${RKHTMPVAR} sha1"
elif [ $SKIP_HASH_MSG -eq 2 ]; then
SKIP_HASH=1
RKHTMPVAR="${RKHTMPVAR} libsafe"
fi
fi
if [ $SKIP_IMMUT -eq 0 ]; then
if [ $BSDOS -eq 1 ]; then
for FNAME in ${CONFIGFILE} ${LOCALCONFIGFILE} ${LOCALCONFDIRFILES} ${DB_PATH}/*.dat ${DB_PATH}/i18n/*; do
test -f "${FNAME}" -a ! -h "${FNAME}" && break
done
if [ -z "`ls -lno \"${FNAME}\" 2>/dev/null`" ]; then
SKIP_IMMUT=1
RKHTMPVAR="${RKHTMPVAR} immutable-bsd"
fi
else
if [ -z "${LSATTR_CMD}" ]; then
SKIP_IMMUT=1
RKHTMPVAR="${RKHTMPVAR} immutable"
else
for FNAME in ${CONFIGFILE} ${LOCALCONFIGFILE} ${LOCALCONFDIRFILES} ${DB_PATH}/*.dat ${DB_PATH}/i18n/*; do
test -f "${FNAME}" -a ! -h "${FNAME}" && break
done
if [ -z "`${LSATTR_CMD} \"${FNAME}\" 2>/dev/null`" ]; then
SKIP_IMMUT=1
RKHTMPVAR="${RKHTMPVAR} immutable-cmd"
fi
fi
fi
fi
if [ $SKIP_SCRIPT -eq 0 ]; then
if [ -z "${FILE_CMD}" ]; then
SKIP_SCRIPT=1
RKHTMPVAR="${RKHTMPVAR} script"
elif [ -z "`${FILE_CMD} \"${CONFIGFILE}\" 2>/dev/null`" ]; then
SKIP_SCRIPT=1
RKHTMPVAR="${RKHTMPVAR} script-cmd"
fi
fi
if [ $SKIP_ATTR -eq 0 -o $SKIP_HASH -eq 0 ]; then
if [ ! -f "${RKHDAT_FILE}" ]; then
SKIP_HASH=1
SKIP_ATTR=1
USE_DAT_FILE=0
RKHTMPVAR="${RKHTMPVAR} missing"
fi
if [ $USE_DAT_FILE -eq 1 -a ! -s ${RKHDAT_FILE} ]; then
SKIP_HASH=1
SKIP_ATTR=1
USE_DAT_FILE=0
RKHTMPVAR="${RKHTMPVAR} empty"
fi
else
#
# If we are not checking the file attributes or
# the hash value, then we don't need to look at
# the rkhunter.dat file. The other tests can be
# done without the file.
#
USE_DAT_FILE=0
fi
#
# If the O/S has changed in some way, and we are not just reporting warnings,
# and O/S warnings are enabled, then show a warning in the prerequisites test.
#
if [ $OS_CHANGED -eq 1 -a $SHOWWARNINGSONLY -eq 0 -a $WARN_ON_OS_CHANGE -eq 1 ]; then
RKHTMPVAR="${RKHTMPVAR} os_changed"
fi
#
# If all the previous checks have disabled all the tests,
# then we tell the user and then return.
#
if [ $SKIP_ATTR -eq 1 -a $SKIP_HASH -eq 1 -a $SKIP_IMMUT -eq 1 -a $SKIP_SCRIPT -eq 1 ]; then
RKHTMPVAR="${RKHTMPVAR} notests"
fi
#
# Display the results.
#
if [ $SKIP_IMMUT_OS -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_IMMUT_OS
fi
if [ $IMMUTABLE_SET -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_IMMUT_SET
fi
if [ $SKIP_INODE_CHECK -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_SKIP_INODE
fi
if [ -z "${RKHTMPVAR}" ]; then
display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result OK --color GREEN FILE_PROP_CMDS
else
SUMMARY_PROP_REQCMDS=1
display --to SCREEN+LOG --type WARNING --screen-indent 4 --log-indent 2 --result WARNING --color RED FILE_PROP_CMDS
RKHTMPVAR2=0
for TEST_RESULT in ${RKHTMPVAR}; do
case "${TEST_RESULT}" in
attr)
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' stat '`" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_ATTR_DISABLED
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_ATTR
fi
;;
hash|prelink|sha1|libsafe)
if [ $RKHTMPVAR2 -eq 0 ]; then
RKHTMPVAR2=1
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_HASH
fi
case "${TEST_RESULT}" in
hash)
display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_FUNC "${HASH_FUNC_ERR}" "${PKGMGR_ERR}" "${OLD_HASH_FUNC_ERR}" "${OLD_PKGMGR_ERR}"
;;
prelink)
display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_PRELINK
;;
sha1)
display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_SHA1
;;
libsafe)
display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_LIBSAFE
;;
esac
;;
immutable)
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' lsattr '`" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_IMMUT_DISABLED
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_IMMUT
fi
;;
immutable-bsd)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_IMMUT_CMD 'ls -lno'
;;
immutable-cmd)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_IMMUT_CMD 'lsattr'
;;
script)
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' file '`" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_SCRIPT_DISABLED
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_SCRIPT
fi
;;
script-cmd)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_FILE_CMD
;;
os_changed)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_OS_CHANGED
;;
missing)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_DAT_MISSING
display --to LOG --type INFO FILE_PROP_DAT_MISSING_INFO
;;
empty)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_DAT_EMPTY
display --to LOG --type INFO FILE_PROP_DAT_MISSING_INFO
;;
esac
done
if [ -n "`echo \"${RKHTMPVAR}\" | egrep 'libsafe|missing|empty'`" ]; then
display --to LOG --type WARNING --nl PROPUPD_WARN
fi
if [ -n "`echo \"${RKHTMPVAR}\" | grep 'notests'`" ]; then
display --to LOG --type WARNING --nl FILE_PROP_SKIP_ALL
return
fi
fi
#
# Set up some local variables depending on what
# commands we have available.
#
if [ $SKIP_ATTR -eq 1 ]; then
SCMD=""
INODECMD=""
else
if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
if [ "${PKGMGR}" = "SOLARIS" ]; then
SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --mtime"
else
SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --Mtime"
fi
INODECMD="${STAT_CMD} --modeoct --raw --ino"
elif [ $BSDOS -eq 1 -o $MACOSX -eq 1 ]; then
SCMD="${STAT_CMD} -f '%i %Mp%Lp %u %g %z %m:'"
INODECMD="${STAT_CMD} -f '%i'"
else
SCMD="${STAT_CMD} -c '%i 0%a %u %g %s %Y:'"
INODECMD="${STAT_CMD} -c '%i'"
fi
fi
if [ $SKIP_HASH -eq 1 ]; then
SYSHASH=""
HASH_CMD=""
else
HASH_CMD="${HASH_FUNC}"
fi
#
# Next we have to recreate the list of pathnames for the
# file properties checks. We need to recreate it because
# the root PATH may have changed, and so there may be more
# directories to be checked. However, if we have just run
# the '--propupd' option, then we can skip this.
#
test $PROP_UPDATE -eq 0 && create_rkh_file_prop_list
#
# We need the current 'rkhunter.dat' file format.
#
if [ $USE_DAT_FILE -eq 1 ]; then
FMTVERSION=`grep '^FormatVersion:' "${RKHDAT_FILE}" | cut -d: -f2`
test -z "${FMTVERSION}" && FMTVERSION=0
else
FMTVERSION=0
fi
#
# Now loop through each of the files and perform the tests on each one.
#
# We must set IFS around this loop, otherwise any names in the file
# properties list containing whitespace will be separated out.
# However, because IFS interacts with some commands, executed via
# backticks, we must then reset IFS for the duration of the loop
# and set it again at the end of the loop. It's messy, but it works.
#
IFS=$IFSNL
VERIFIED_PKG_LIST=""
for FNAME in `cat "${RKH_FILEPROP_LIST}"`; do
SYSLNK=""
FILENAME=""
FNAMEGREP=""
TEST_RESULT=""
WHITELIST_RESULT=""
RKH_CC=0
SYSLNK_CC=0
NOVRFYFILE=0
ADDNEWENTRY=0
COLON_COUNT=0
FILE_IS_PKGD=0
DEPENDENCY_ERR=0
HASH_TEST_PASSED=0
SIZE_TEST_PASSED=0
IFS=$RKHIFS
#
# We first need to test if the file exists or not,
# and if the file is listed in the rkhunter.dat
# file or not. This can indicate files that have
# appeared on or disappeared from the system.
#
FNAME=`echo "${FNAME}" | sed -e 's/^"\(.*\)"$/\1/'`
if [ -f "${FNAME}" -o -h "${FNAME}" ]; then
FILE_EXISTS=1
PROP_FILE_LIST_COUNT=`expr ${PROP_FILE_LIST_COUNT} + 1`
else
FILE_EXISTS=0
fi
if [ $USE_DAT_FILE -eq 1 ]; then
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ $FMTVERSION -eq 0 ]; then
RKHLINE=`grep "^File:${FNAMEGREP}:" "${RKHDAT_FILE}"`
else
COLON_COUNT=`echo "${FNAME}" | tr -c -d ':' | wc -c | tr -d ' '`
RKHLINE=`grep "^File:${COLON_COUNT}:${FNAMEGREP}:" "${RKHDAT_FILE}"`
fi
if [ $FILE_EXISTS -eq 1 -a -z "${RKHLINE}" ]; then
if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
#
# We need to add the file to the rkhunter.dat file.
# We add a dummy entry to start with, but it must contain values.
#
ADDNEWENTRY=1
if [ -h "${FNAME}" -a $HAVE_READLINK -eq 1 ]; then
SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
fi
if [ $FMTVERSION -eq 0 ]; then
RKHLINE="File:${FNAME}:1:1:1:1:1:1:1::${SYSLNK}:"
else
SYSLNK_CC=`echo "${SYSLNK}" | tr -c -d ':' | wc -c | tr -d ' '`
RKHLINE="File:${COLON_COUNT}:${FNAME}:1:1:1:1:1:1:1::${SYSLNK_CC}:${SYSLNK}:"
fi
else
TEST_RESULT="${TEST_RESULT} norkhline"
fi
elif [ $FILE_EXISTS -eq 0 ]; then
if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ -n "${RKHLINE}" ]; then
#
# We need to remove the file from the rkhunter.dat file.
#
OLDRKHENTRIES="${OLDRKHENTRIES}
${RKHLINE}"
fi
elif [ -n "${RKHLINE}" ]; then
PROP_FAILED_COUNT=`expr ${PROP_FAILED_COUNT} + 1`
display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result WARNING --color RED NAME "`name2text \"${FNAME}\"`"
display --to LOG --type WARNING FILE_PROP_FILE_NOT_EXIST "`name2text \"${FNAME}\"`"
fi
IFS=$IFSNL
continue
fi
elif [ $FILE_EXISTS -eq 1 ]; then
RKHLINE=""
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
else
IFS=$IFSNL
continue
fi
#
# Start the tests.
#
SYSUID=0
SYSGID=0
SYSDTM=0
SYSSIZE=0
SYSPERM=0
SYSINODE=0
RKHLNK=""
SYSHASH=""
if [ $USE_DAT_FILE -eq 1 -a -n "${RKHLINE}" ]; then
FDATA=""
RPM_QUERY_RESULT=""
PKGMGR_VERIFY_RESULT=""
#
# We need to calculate if the filename (in the file) has any colons in it.
# We then set RKH_CC to point to the field after the filename (the hash field).
#
if [ $FMTVERSION -eq 0 ]; then
RKH_CC=3
else
RKH_CC=`echo "${RKHLINE}" | cut -d: -f2`
RKH_CC=`expr 4 + $RKH_CC`
fi
#
# See if the file is to be exempt from any package manager verification.
#
if [ -n "`echo \"${PKGMGRNOVRFY}\" | grep \"^${FNAMEGREP}$\"`" ]; then
NOVRFYFILE=1
fi
#
# Because the RPM package manager can verify most of the tests we are
# doing, we obtain the verified data now. The Solaris package manager
# provides some data, but does not verify it against the values on disk.
# With all the package managers we have to obtain unverified data by
# using commands. The other package managers, at present, only provide
# the MD5 checksum. As such we simply handle them within the hash test.
#
if [ "${PKGMGR}" = "RPM" ]; then
#
# First we see if the file is exempt or part of a package.
#
if [ $NOVRFYFILE -eq 0 ]; then
PKGNAME_ARCH=`${RPM_CMD} -qf "${FNAME}" --queryformat '%{N}-%{V}-%{R}.%{ARCH}\n' 2>/dev/null`
ERRCODE=$?
if [ $ERRCODE -eq 0 ]; then
#
# Okay we have a package name. Is it in the list
# of packages we have already tested as verified?
#
# If multiple packages claim the same file, we use
# 64-bit over 32-bit, or simply the last one.
#
FILE_IS_PKGD=1
PKGNAME=`echo "${PKGNAME_ARCH}" | egrep '\.(x86_64|ia64)$' 2>/dev/null | tail ${TAIL_OPT}1`
test -z "${PKGNAME}" && PKGNAME=`echo "${PKGNAME_ARCH}" | tail ${TAIL_OPT}1`
RKHTMPVAR=`echo "${PKGNAME}" | sed -e 's/\./\\\./g'`
if [ -z "`echo \"${VERIFIED_PKG_LIST}\" | grep \" ${RKHTMPVAR} \"`" ]; then
#
# No, it isn't in the list. So we verify the package
# and either add it to the list if it verifies okay,
# or get the verification result for the file.
#
PKGMGR_VERIFY_RESULT=`${RPM_CMD} -V "${PKGNAME}" 2>&1`
if [ -z "${PKGMGR_VERIFY_RESULT}" ]; then
VERIFIED_PKG_LIST="${VERIFIED_PKG_LIST} ${PKGNAME} "
else
if [ -n "`echo \"${PKGMGR_VERIFY_RESULT}\" | grep \"prelink.* ${FNAME}.* dependenc\"`" ]; then
DEPENDENCY_ERR=1
fi
PKGMGR_VERIFY_RESULT=`echo "${PKGMGR_VERIFY_RESULT}" | grep " ${FNAMEGREP}\$" | cut -d' ' -f1`
fi
fi
#
# The package manager check does not verify all the items
# we check. So we still need to dig out the rest of the
# information about this file from the package manager database.
# Note that the filenames are displayed at the end of the rpm output.
# This means that any filename containing a colon will not cause
# a problem.
#
RPM_QUERY_RESULT=`${RPM_CMD} -q --queryformat '[%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{FILELINKTOS}:%{FILENAMES}\n]' "${PKGNAME}" 2>/dev/null | grep ":${FNAMEGREP}\$"`
ERRCODE=$?
#
# The error code actually refers to the 'grep' command above. If the
# file is not found in the package, then this is probably due to the
# 'bin' directory being a link. So we change the filename, and retest.
#
if [ $ERRCODE -eq 1 -a $BINISLINK -eq 1 ]; then
if [ -n "`echo \"${FNAME}\" | grep '^\/usr\/'`" ]; then
RKHTMPVAR3=`echo "${FNAMEGREP}" | sed -e 's:^/usr::'`
else
RKHTMPVAR3="/usr${FNAMEGREP}"
fi
RPM_QUERY_RESULT=`${RPM_CMD} -q --queryformat '[%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{FILELINKTOS}:%{FILENAMES}\n]' "${PKGNAME}" 2>/dev/null | grep ":${RKHTMPVAR3}\$"`
ERRCODE=$?
fi
if [ $ERRCODE -eq 0 ]; then
RPM_QUERY_RESULT=`echo "${RPM_QUERY_RESULT}" | tail ${TAIL_OPT}1`
FPERM="0`echo \"${RPM_QUERY_RESULT}\" | cut -d: -f1 | cut -c 3-`"
FPERM=`echo "${FPERM}" | sed -e 's/^00/0/'`
RKHUID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f2`
RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`
RKHGID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f3`
RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`
RKHSIZE=`echo "${RPM_QUERY_RESULT}" | cut -d: -f4`
RKHDTM=`echo "${RPM_QUERY_RESULT}" | cut -d: -f5`
if [ -h "${FNAME}" ]; then
RKHLNK=`echo "${RPM_QUERY_RESULT}" | cut -d: -f7`
if [ -z "`echo \"${RKHLNK}\" | grep '^/'`" ]; then
test -n "${DIRNAME_CMD}" && DIR=`${DIRNAME_CMD} "${FNAME}"` || DIR=`echo "${FNAME}" | sed -e 's:/[^/]*$::'`
RKHLNK="${DIR}/${RKHLNK}"
fi
# This ensures the link target has things like '..' removed.
test $HAVE_READLINK -eq 1 && RKHLNK=`${READLINK_CMD} ${READLINK_OPT} "${RKHLNK}"`
fi
FDATA="${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}:"
else
#
# If, for some reason, we cannot get the package information,
# then treat it as if it returned all null values.
#
FDATA=":::::"
display --to LOG --type INFO CMD_ERROR "rpm -qf --queryformat... \"${FNAME}\" (${PKGNAME})" $ERRCODE
fi
#
# Now get the inode value directly from the disk,
# but only if prelinking is not being used.
#
RKHTMPVAR=""
if [ $PRELINKED -eq 0 -a -n "${INODECMD}" ]; then
RKHTMPVAR=`eval ${INODECMD} "\"${FNAME}\"" 2>/dev/null | tr -d ' '`
fi
FDATA="${RKHTMPVAR}:${FDATA}"
fi
fi
elif [ "${PKGMGR}" = "SOLARIS" ]; then
#
# First we see if the file is exempt or part of a package.
#
if [ $NOVRFYFILE -eq 1 ]; then
ERRCODE=1
else
RKHTMPVAR=`grep "^${FNAMEGREP} " /var/sadm/install/contents 2>/dev/null`
test -n "${RKHTMPVAR}" && ERRCODE=0 || ERRCODE=1
fi
if [ $ERRCODE -eq 0 ]; then
#
# We will rebuild the RKHLINE value with the values from
# the package manager database. We can then verify it just
# as if it had been read from the RKH database.
#
FPERM=`echo "${RKHTMPVAR}" | cut -d' ' -f4`
RKHUID=`echo "${RKHTMPVAR}" | cut -d' ' -f5`
RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`
RKHGID=`echo "${RKHTMPVAR}" | cut -d' ' -f6`
RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`
RKHSIZE=`echo "${RKHTMPVAR}" | cut -d' ' -f7`
if [ $USE_SUNSUM -eq 1 ]; then
# Treat this as a fully packaged file.
FILE_IS_PKGD=1
RKHHASH=`echo "${RKHTMPVAR}" | cut -d' ' -f8`
else
RKHHASH=`echo "${RKHLINE}" | cut -d: -f$RKH_CC`
fi
RKHDTM=`echo "${RKHTMPVAR}" | cut -d' ' -f9`
#
# Now get the inode value.
#
RKHTMPVAR=""
test -n "${INODECMD}" && RKHTMPVAR=`eval ${INODECMD} "\"${FNAME}\"" 2>/dev/null | tr -d ' '`
#
# Finally, get the file name. To do this we adjust RKH_CC back one field.
#
RKH_CC2=`expr $RKH_CC - 1`
RKHTMPVAR2=`echo "${RKHLINE}" | cut -d: -f1-$RKH_CC2`
#
# Now put it all together.
#
RKHLINE="${RKHTMPVAR2}:${RKHHASH}:${RKHTMPVAR}:${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}"
fi
fi
#
# Do the file hash value check.
#
if [ $SKIP_HASH -eq 0 ]; then
#
# First we get all the package manager results.
#
case "${PKGMGR}" in
RPM)
;;
DPKG)
#
# First see if the file is exempt or part of a known package.
#
if [ $NOVRFYFILE -eq 1 ]; then
PKGNAME=""
else
PKGNAME=`${DPKG_CMD} --search "${FNAME}" 2>/dev/null | cut -d: -f1`
fi
if [ -n "${PKGNAME}" -a -f "/var/lib/dpkg/info/${PKGNAME}.md5sums" ]; then
FNGREP=`echo "${FNAMEGREP}" | sed -e 's:^/::'`
SYSHASH=`egrep "( |\./)${FNGREP}\$" "/var/lib/dpkg/info/${PKGNAME}.md5sums" | cut -d' ' -f1`
if [ -n "${SYSHASH}" ]; then
FILE_IS_PKGD=1
RKHTMPVAR=`${PKGMGR_MD5_HASH} "${FNAME}" 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`
if [ "${RKHTMPVAR}" != "${SYSHASH}" ]; then
PKGMGR_VERIFY_RESULT="5"
if [ -n "`${PKGMGR_MD5_HASH} "${FNAME}" 2>&1 | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
DEPENDENCY_ERR=1
fi
fi
fi
fi
;;
BSD)
#
# First see if the file is exempt or part of a known package.
#
PKGNAME=""
if [ $NOVRFYFILE -eq 0 ]; then
RKHTMPVAR=`${PKG_CMD} -F -e "${FNAME}" 2>/dev/null`
ERRCODE=$?
if [ $ERRCODE -ne 0 ]; then
#
# It may be that we need to use the '-W' option instead.
#
RKHTMPVAR=`${PKG_CMD} -q -W "${FNAME}" 2>/dev/null`
ERRCODE=$?
fi
if [ $ERRCODE -eq 0 -a -n "${RKHTMPVAR}" ]; then
PKGNAME=`echo "${RKHTMPVAR}" | tail ${TAIL_OPT}1`
fi
fi
if [ -n "${PKGNAME}" ]; then
#
# Next strip off the '/usr/pkg/' or '/usr/local/' from the
# pathname, and then get the hash value.
#
FNGREP=`echo "${FNAMEGREP}" | sed -e 's:^/usr/pkg/::; s:^/usr/local/::'`
SYSHASH=`${PKG_CMD} -v -L "${PKGNAME}" 2>/dev/null | grep -A 1 "File: ${FNGREP}\$" 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f3`
if [ -n "${SYSHASH}" ]; then
FILE_IS_PKGD=1
RKHTMPVAR=`${PKGMGR_MD5_HASH} "${FNAME}" 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`
if [ "${RKHTMPVAR}" != "${SYSHASH}" ]; then
PKGMGR_VERIFY_RESULT="5"
if [ -n "`${PKGMGR_MD5_HASH} "${FNAME}" 2>&1 | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
DEPENDENCY_ERR=1
fi
fi
fi
fi
;;
BSDNG)
#
# First see if the file is exempt or part of a known package.
#
if [ $NOVRFYFILE -eq 1 ]; then
PKGNAME=""
else
RKHTMPVAR=`${PKG_CMD} which -q "${FNAME}" 2>/dev/null`
ERRCODE=$?
test $ERRCODE -eq 0 && PKGNAME="${RKHTMPVAR}" || PKGNAME=""
fi
if [ -n "${PKGNAME}" ]; then
SYSHASH=`${PKG_CMD} query '%Fp: %Fs' ${PKGNAME} 2>/dev/null | grep "^${FNAME}: " 2>/dev/null | sed -r -e 's/^.*: (1\\$)?([A-Fa-f0-9]+)$/\2/'`
if [ -n "${SYSHASH}" ]; then
FILE_IS_PKGD=1
RKHTMPVAR=`${PKGMGR_SHA_HASH} "${FNAME}" 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`
if [ "${RKHTMPVAR}" != "${SYSHASH}" ]; then
PKGMGR_VERIFY_RESULT="5"
if [ -n "`${PKGMGR_SHA_HASH} "${FNAME}" 2>&1 | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
DEPENDENCY_ERR=1
fi
fi
fi
fi
;;
SOLARIS)
#
# We only use the Solaris package manager
# hash value if we have been told to do so.
#
if [ $NOVRFYFILE -eq 0 -a $USE_SUNSUM -eq 1 ]; then
SYSHASH="${RKHHASH}"
RKHTMPVAR=`${SUM_CMD} "${FNAME}" 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`
if [ "${RKHTMPVAR}" != "${SYSHASH}" ]; then
PKGMGR_VERIFY_RESULT="5"
fi
fi
;;
esac
#
# Now see if we need to work out the hash value or not.
#
RKHHASH=`echo "${RKHLINE}" | cut -d: -f$RKH_CC`
if [ $FILE_IS_PKGD -eq 1 ]; then
if [ "${RKHHASH}" = "ignore-prelink-dep-err" ]; then
if [ $DEPENDENCY_ERR -eq 1 ]; then
DEPENDENCY_ERR=0
PKGMGR_VERIFY_RESULT=""
display --to LOG --type INFO FILE_PROP_IGNORE_PRELINK_DEP_ERR "`name2text \"${FNAME}\"`"
else
PKGMGR_VERIFY_RESULT="5"
fi
fi
if [ -z "`echo \"${PKGMGR_VERIFY_RESULT}\" | egrep '5|(^..\?)'`" ]; then
HASH_TEST_PASSED=1
else
TEST_RESULT="${TEST_RESULT} verify:hashchanged"
fi
else
#
# The file is not part of a package. So we need
# to compare the on-disk hash value against the
# value in the rkhunter.dat file.
#
# First see if we have a stored hash value.
#
RKHTMPVAR=0
if [ -z "${RKHHASH}" ]; then
if [ "${HASH_CMD}" = "NONE" ]; then
:
else
#
# Broken links may not give a hash value, so we must check to see if the link is whitelisted.
#
if [ -h "${FNAME}" -a $HAVE_READLINK -eq 1 ]; then
# Check the link target to see if it is whitelisted.
if [ -z "${SYSLNK}" ]; then
SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
fi
FNGREP=`echo "${SYSLNK}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNGREP}$\"`" ]; then
RKHTMPVAR=1
if [ ! -e "${FNAME}" -a $VERBOSE_LOGGING -eq 1 ]; then
# Only log this if it is a broken link.
display --to LOG --type INFO FILE_PROP_BROKEN_LINK_WL_TGT "`name2text \"${FNAME}\"`" "`name2text \"${SYSLNK}\"`"
fi
fi
fi
test $RKHTMPVAR -eq 0 && TEST_RESULT="${TEST_RESULT} norkhhash"
fi
fi
if [ $RKHTMPVAR -eq 0 -a -z "${TEST_RESULT}" ]; then
if [ "${HASH_CMD}" = "NONE" ]; then
SYSHASH=""
else
SYSHASH=`${HASH_CMD} "${FNAME}" 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`
if [ -z "${SYSHASH}" ]; then
if [ -n "`${HASH_CMD} "${FNAME}" 2>&1 | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
if [ "${RKHHASH}" = "ignore-prelink-dep-err" ]; then
SYSHASH="${RKHHASH}"
display --to LOG --type INFO FILE_PROP_IGNORE_PRELINK_DEP_ERR "`name2text \"${FNAME}\"`"
else
DEPENDENCY_ERR=1
fi
fi
fi
fi
if [ "${RKHHASH}" != "${SYSHASH}" ]; then
#
# We must test for cases where a symbolic link becomes broken. In those
# cases the link would have had a hash value, but will now have none.
# If it was whitelisted, then we should not give a warning.
#
if [ -h "${FNAME}" -a ! -e "${FNAME}" ]; then
if [ $HAVE_READLINK -eq 1 ]; then
# Check the link target to see if it is whitelisted.
if [ -z "${SYSLNK}" ]; then
SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
fi
FNGREP=`echo "${SYSLNK}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_BROKEN_LINK_WL_TGT "`name2text \"${FNAME}\"`" "`name2text \"${SYSLNK}\"`"
fi
else
TEST_RESULT="${TEST_RESULT} hashchanged"
fi
else
TEST_RESULT="${TEST_RESULT} hashchanged"
fi
else
TEST_RESULT="${TEST_RESULT} hashchanged"
fi
fi
fi
fi
#
# Because the BSD and DPKG package managers only provide the MD5
# checksum, and the Solaris package manager does not provide verified
# data, we can assume that any file which is part of a package after
# this test must be an RPM file.
#
test "${PKGMGR}" != "RPM" && FILE_IS_PKGD=0
fi
#
# Do the file attributes checks.
#
# This checks the files permissions, and the uid/gid.
# The file permissions are also checked to see if 'w'
# has been allowed for all users. If prelinking is not
# in use then the inode, file size, and modification
# date-time are checked as well.
#
if [ $SKIP_ATTR -eq 0 ]; then
#
# First check to see if the file is whitelisted here,
# just the once. It is better than checking after
# each individual attribute test.
#
WL_FILE=""
if [ -n "`echo \"${ATTRWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
WL_FILE="whitelisted"
WHITELIST_RESULT="${WHITELIST_RESULT} attr"
fi
if [ -z "${FDATA}" ]; then
FDATA=`eval ${SCMD} "\"${FNAME}\"" 2>/dev/null | tr ' ' ':'`
# Ensure the file permissions consist of only 4 digits.
if [ -n "`echo ${FDATA} | grep '^[^:]*:0[0-9][0-9][0-9][0-9]:'`" ]; then
FDATA=`echo $FDATA | sed -e 's/^\([^:]*:\)0\(.*\)$/\1\2/'`
fi
fi
if [ -z "${WL_FILE}" -a -n "${FDATA}" ]; then
#
# Check the file permissions.
#
if [ $FILE_IS_PKGD -eq 1 ]; then
echo "${PKGMGR_VERIFY_RESULT}" | egrep 'M|(^.\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:permchanged"
else
RKH_CC2=`expr $RKH_CC + 2`
RKHPERM=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
SYSPERM=`echo ${FDATA} | cut -d: -f2`
if [ -n "${RKHPERM}" ]; then
test "${RKHPERM}" != "${SYSPERM}" && TEST_RESULT="${TEST_RESULT} permchanged"
else
TEST_RESULT="${TEST_RESULT} norkhperm"
fi
fi
#
# Check the file user-id.
#
if [ $FILE_IS_PKGD -eq 1 ]; then
echo "${PKGMGR_VERIFY_RESULT}" | egrep 'U|(^.....\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:uidchanged"
else
RKH_CC2=`expr $RKH_CC + 3`
RKHUID=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
SYSUID=`echo ${FDATA} | cut -d: -f3`
if [ -n "${RKHUID}" ]; then
test "${RKHUID}" != "${SYSUID}" && TEST_RESULT="${TEST_RESULT} uidchanged"
else
TEST_RESULT="${TEST_RESULT} norkhuid"
fi
fi
#
# Check the file group-id.
#
if [ $FILE_IS_PKGD -eq 1 ]; then
echo "${PKGMGR_VERIFY_RESULT}" | egrep 'G|(^......\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:gidchanged"
else
RKH_CC2=`expr $RKH_CC + 4`
RKHGID=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
SYSGID=`echo ${FDATA} | cut -d: -f4`
if [ -n "${RKHGID}" ]; then
test "${RKHGID}" != "${SYSGID}" && TEST_RESULT="${TEST_RESULT} gidchanged"
else
TEST_RESULT="${TEST_RESULT} norkhgid"
fi
fi
#
# Check the file inode number.
#
if [ $PRELINKED -eq 0 ]; then
RKH_CC2=`expr $RKH_CC + 1`
RKHINODE=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
SYSINODE=`echo ${FDATA} | cut -d: -f1`
if [ $SKIP_INODE_CHECK -eq 0 ]; then
if [ -n "${RKHINODE}" ]; then
test "${RKHINODE}" != "${SYSINODE}" && TEST_RESULT="${TEST_RESULT} inodechanged"
else
TEST_RESULT="${TEST_RESULT} norkhinode"
fi
fi
fi
#
# Check the file size.
#
if [ $FILE_IS_PKGD -eq 1 ]; then
if [ -z "`echo \"${PKGMGR_VERIFY_RESULT}\" | egrep 'S|(^\?)'`" ]; then
SIZE_TEST_PASSED=1
else
TEST_RESULT="${TEST_RESULT} verify:sizechanged"
fi
elif [ $PRELINKED -eq 0 -o $FILE_IS_PKGD -eq 0 ]; then
RKH_CC2=`expr $RKH_CC + 5`
RKHSIZE=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
SYSSIZE=`echo ${FDATA} | cut -d: -f5`
if [ -n "${RKHSIZE}" ]; then
if [ "${RKHSIZE}" = "${SYSSIZE}" ]; then
SIZE_TEST_PASSED=1
else
TEST_RESULT="${TEST_RESULT} sizechanged"
fi
else
TEST_RESULT="${TEST_RESULT} norkhsize"
fi
fi
#
# Check the file modification date-time.
#
if [ $FILE_IS_PKGD -eq 1 ]; then
echo "${PKGMGR_VERIFY_RESULT}" | egrep 'T|(^.......\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:dtmchanged"
elif [ $PRELINKED -eq 0 -o $FILE_IS_PKGD -eq 0 ]; then
RKH_CC2=`expr $RKH_CC + 6`
RKHDTM=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
SYSDTM=`echo ${FDATA} | cut -d: -f6`
if [ -n "${RKHDTM}" ]; then
test "${RKHDTM}" != "${SYSDTM}" && TEST_RESULT="${TEST_RESULT} dtmchanged"
else
TEST_RESULT="${TEST_RESULT} norkhdtm"
fi
fi
#
# If the file is a link, then check that the target has not changed.
#
if [ -h "${FNAME}" ]; then
if [ $FILE_IS_PKGD -eq 1 ]; then
if [ -n "`echo \"${PKGMGR_VERIFY_RESULT}\" | egrep 'L|(^....\?)'`" ]; then
if [ $HAVE_READLINK -eq 1 ]; then
# Check the link target to see if it is whitelisted.
if [ -z "${SYSLNK}" ]; then
SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
fi
FNGREP=`echo "${SYSLNK}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
test -z "${SYSLNK}" && RKHTMPVAR="Unavailable" || RKHTMPVAR=${SYSLNK}
display --to LOG --type INFO FILE_PROP_LINK_WL "`name2text \"${FNAME}\"`" "`name2text \"${RKHTMPVAR}\"`"
fi
else
TEST_RESULT="${TEST_RESULT} verify:linkchanged"
fi
else
TEST_RESULT="${TEST_RESULT} verify:linkchanged"
fi
fi
else
RKH_CC2=`expr $RKH_CC + 8`
SYSLNK_CC=`echo ${RKHLINE} | cut -d: -f$RKH_CC2`
RKH_CC2=`expr $RKH_CC + 9`
SYSLNK_CC=`expr $RKH_CC2 + $SYSLNK_CC`
RKHLNK=`echo ${RKHLINE} | cut -d: -f${RKH_CC2}-${SYSLNK_CC}`
if [ $HAVE_READLINK -eq 1 -a -z "${SYSLNK}" ]; then
SYSLNK=`${READLINK_CMD} ${READLINK_OPT} "${FNAME}"`
fi
if [ -n "${RKHLNK}" ]; then
if [ "${RKHLNK}" != "${SYSLNK}" ]; then
FNGREP=`echo "${SYSLNK}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
test -z "${SYSLNK}" && RKHTMPVAR="Unavailable" || RKHTMPVAR="${SYSLNK}"
display --to LOG --type INFO FILE_PROP_LINK_WL "`name2text \"${FNAME}\"`" "`name2text \"${RKHTMPVAR}\"`"
fi
else
TEST_RESULT="${TEST_RESULT} linkchanged"
fi
fi
else
TEST_RESULT="${TEST_RESULT} norkhlnk"
fi
fi
fi
elif [ -z "${WL_FILE}" ]; then
TEST_RESULT="${TEST_RESULT} sysattrunavail"
fi
#
# Check the file permissions here to see if the 'other' permission
# contains a 'w'. The check is against the octal value. Symbolic
# links are ignored.
#
if [ ! -h "${FNAME}" -a $FILE_IS_PKGD -eq 0 ]; then
WL_FILE=""
if [ -n "`echo \"${WRITEWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
WL_FILE="whitelisted"
WHITELIST_RESULT="${WHITELIST_RESULT} write"
fi
if [ -z "${WL_FILE}" ]; then
SYSPERM=`echo ${FDATA} | cut -d: -f2`
if [ -n "`echo ${SYSPERM} | grep '[2367]\$'`" ]; then
TEST_RESULT="${TEST_RESULT} write"
elif [ -z "${SYSPERM}" ]; then
TEST_RESULT="${TEST_RESULT} syspermunavail"
fi
fi
fi
fi
#
# If we are adding this file to the rkhunter.dat file, then we
# need to remove any failed test results caused by the file
# currently being missing. We then add the file to the list of
# files to be added, and include the detected system attributes
# of the file.
#
if [ $ADDNEWENTRY -eq 1 ]; then
if [ -n "${TEST_RESULT}" ]; then
for RKHTMPVAR in ${TEST_RESULT}; do
case "${RKHTMPVAR}" in
hashchanged|permchanged|uidchanged|gidchanged|inodechanged|sizechanged|dtmchanged|linkchanged)
TEST_RESULT=`echo "${TEST_RESULT}" | sed -e "s/ ${RKHTMPVAR}//"`
;;
esac
done
fi
if [ $FMTVERSION -eq 0 ]; then
NEWRKHENTRIES="${NEWRKHENTRIES}
File:${FNAME}:${SYSHASH}:${SYSINODE}:${SYSPERM}:${SYSUID}:${SYSGID}:${SYSSIZE}:${SYSDTM}::${SYSLNK}:"
else
RKH_CC=`echo "${FNAME}" | tr -c -d ':' | wc -c | tr -d ' '`
SYSLNK_CC=`echo "${SYSLNK}" | tr -c -d ':' | wc -c | tr -d ' '`
NEWRKHENTRIES="${NEWRKHENTRIES}
File:${RKH_CC}:${FNAME}:${SYSHASH}:${SYSINODE}:${SYSPERM}:${SYSUID}:${SYSGID}:${SYSSIZE}:${SYSDTM}::${SYSLNK_CC}:${SYSLNK}:"
fi
fi
fi
#
# We can now carry out the tests which do not
# require the rkhunter.dat file.
#
#
# Do the file immutable-bit check.
#
if [ $SKIP_IMMUT -eq 0 ]; then
#
# Test if the file is whitelisted.
#
WL_FILE=""
RKHTMPVAR=""
if [ -n "`echo \"${IMMUTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
WL_FILE="whitelisted"
WHITELIST_RESULT="${WHITELIST_RESULT} immutable"
fi
if [ -z "${WL_FILE}" ]; then
if [ $BSDOS -eq 0 ]; then
if [ ! -h "${FNAME}" ]; then
RKHTMPVAR=`${LSATTR_CMD} "${FNAME}" 2>&1 | cut -d' ' -f1 | grep 'i'`
fi
else
RKHTMPVAR=`ls -lno "${FNAME}" 2>&1 | ${AWK_CMD} '{ print $5 }' | egrep 'uchg|schg|sappnd|uappnd|sunlnk|sunlink|schange|simmutable|sappend|uappend|uchange|uimmutable'`
fi
#
# Reverse the test result if the immutable bit is always set.
#
if [ $IMMUTABLE_SET -eq 1 ]; then
test -n "${RKHTMPVAR}" && RKHTMPVAR="" || RKHTMPVAR="set"
fi
test -n "${RKHTMPVAR}" && TEST_RESULT="${TEST_RESULT} immutable"
fi
fi
#
# Do the file script replacement check.
#
if [ $SKIP_SCRIPT -eq 0 ]; then
#
# If we are using a package manager, and both the hash test
# and the file size test have passed, then we skip the script
# replacement check. The assumption is that to change a file
# with one value remaining the same is possible, but to change
# it such that both are the same is improbable. It would also
# require the package manager database having being corrupted
# as well.
#
if [ $HASH_TEST_PASSED -eq 0 -o $SIZE_TEST_PASSED -eq 0 ]; then
#
# See if the file is whitelisted.
#
WL_FILE=""
SYSSCRIPT=""
if [ -n "`echo \"${SCRIPTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
WL_FILE="whitelisted"
WHITELIST_RESULT="${WHITELIST_RESULT} script"
fi
if [ -z "${WL_FILE}" ]; then
test -n "${BASENAME_CMD}" && RKHTMPVAR=`${BASENAME_CMD} "${FNAME}"` || RKHTMPVAR=`echo "${FNAME}" | sed -e 's:^.*/::'`
if [ "${RKHTMPVAR}" = "rkhunter" ]; then
SYSSCRIPT=`${FILE_CMD} "${FNAME}" 2>&1 | tr -d '\n' | tr '[:cntrl:]' '?' | egrep -i -v '(shell|/bin/sh) script( |,|$)'`
else
SYSSCRIPT=`${FILE_CMD} "${FNAME}" 2>&1 | tr -d '\n' | tr '[:cntrl:]' '?' | egrep -i ' script( |,|$)'`
fi
test -n "${SYSSCRIPT}" && TEST_RESULT="${TEST_RESULT} script"
fi
fi
fi
#
# Now output the results.
#
if [ -z "${TEST_RESULT}" ]; then
display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result OK --color GREEN NAME "`name2text \"${FNAME}\"`"
else
display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result WARNING --color RED NAME "`name2text \"${FNAME}\"`"
PROP_FAILED_COUNT=`expr ${PROP_FAILED_COUNT} + 1`
RKHTMPVAR2=0
RKHTMPVAR3=0
for RKHTMPVAR in ${TEST_RESULT}; do
case "${RKHTMPVAR}" in
hashchanged|permchanged|uidchanged|gidchanged|inodechanged|sizechanged|dtmchanged|linkchanged)
if [ $RKHTMPVAR2 -eq 0 ]; then
RKHTMPVAR2=1
display --to LOG --type WARNING FILE_PROP_CHANGED
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_CHANGED2 "`name2text \"${FNAME}\"`"
fi
case "${RKHTMPVAR}" in
hashchanged)
if [ -z "${SYSHASH}" ]; then
if [ -h "${FNAME}" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSHASH_UNAVAIL_BL
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSHASH_UNAVAIL
fi
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSHASH "${SYSHASH}"
fi
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_RKHHASH "${RKHHASH}"
test $DEPENDENCY_ERR -eq 1 && display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_DEPENDENCY "`name2text \"${FNAME}\"`"
;;
permchanged)
if [ -z "${SYSPERM}" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_PERM_UNAVAIL "${RKHPERM}"
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_PERM "${SYSPERM}" "${RKHPERM}"
fi
;;
uidchanged)
if [ -z "${SYSUID}" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_UID_UNAVAIL "${RKHUID}"
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_UID "${SYSUID}" "${RKHUID}"
fi
;;
gidchanged)
if [ -z "${SYSGID}" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_GID_UNAVAIL "${RKHGID}"
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_GID "${SYSGID}" "${RKHGID}"
fi
;;
inodechanged)
if [ -z "${SYSINODE}" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_INODE_UNAVAIL "${RKHINODE}"
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_INODE "${SYSINODE}" "${RKHINODE}"
fi
;;
sizechanged)
if [ -z "${SYSSIZE}" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SIZE_UNAVAIL "${RKHSIZE}"
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SIZE "${SYSSIZE}" "${RKHSIZE}"
fi
;;
dtmchanged)
if [ -z "${SYSDTM}" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSDTM_UNAVAIL
else
get_readable_date ${SYSDTM}
if [ -n "${READABLE_DATE}" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSDTM "${SYSDTM} (${READABLE_DATE})"
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSDTM "${SYSDTM}"
fi
fi
get_readable_date ${RKHDTM}
if [ -n "${READABLE_DATE}" ]; then
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_RKHDTM "${RKHDTM} (${READABLE_DATE})"
else
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_RKHDTM "${RKHDTM}"
fi
;;
linkchanged)
test -z "${RKHLNK}" && RKHLNK="Unavailable"
test -z "${SYSLNK}" && SYSLNK="Unavailable"
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSLNK "`name2text \"${FNAME}\"`" "`name2text \"${SYSLNK}\"`"
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_RKHLNK "`name2text \"${FNAME}\"`" "`name2text \"${RKHLNK}\"`"
;;
esac
;;
verify:hashchanged|verify:permchanged|verify:uidchanged|verify:gidchanged|verify:sizechanged|verify:dtmchanged|verify:linkchanged)
if [ $RKHTMPVAR3 -eq 0 ]; then
RKHTMPVAR3=1
display --to LOG --type WARNING FILE_PROP_VRFY
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_CHANGED2 "`name2text \"${FNAME}\"`"
test $DEPENDENCY_ERR -eq 1 && display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_DEPENDENCY "`name2text \"${FNAME}\"`"
fi
case "${RKHTMPVAR}" in
verify:hashchanged)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_HASH
if [ "${RKHHASH}" = "ignore-prelink-dep-err" ]; then
display --to LOG --type INFO --log-indent 9 FILE_PROP_IGNORE_PRELINK_DEP_ERR "`name2text \"${FNAME}\"`"
fi
;;
verify:permchanged)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_PERM
;;
verify:uidchanged)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_UID
;;
verify:gidchanged)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_GID
;;
verify:sizechanged)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_SIZE
;;
verify:dtmchanged)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_DTM
;;
verify:linkchanged)
display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_LNK
;;
esac
;;
norkhline)
display --to LOG --type WARNING FILE_PROP_NO_RKH_REC "`name2text \"${FNAME}\"`"
;;
norkhhash)
display --to LOG --type WARNING FILE_PROP_NO_RKHHASH "`name2text \"${FNAME}\"`"
;;
norkhperm)
display --to LOG --type WARNING FILE_PROP_NO_RKHPERM "`name2text \"${FNAME}\"`"
;;
norkhuid)
display --to LOG --type WARNING FILE_PROP_NO_RKHUID "`name2text \"${FNAME}\"`"
;;
norkhgid)
display --to LOG --type WARNING FILE_PROP_NO_RKHGID "`name2text \"${FNAME}\"`"
;;
norkhinode)
display --to LOG --type WARNING FILE_PROP_NO_RKHINODE "`name2text \"${FNAME}\"`"
;;
norkhsize)
display --to LOG --type WARNING FILE_PROP_NO_RKHSIZE "`name2text \"${FNAME}\"`"
;;
norkhdtm)
display --to LOG --type WARNING FILE_PROP_NO_RKHDTM "`name2text \"${FNAME}\"`"
;;
norkhlnk)
display --to LOG --type WARNING FILE_PROP_NO_RKHLNK "`name2text \"${FNAME}\"`"
;;
sysattrunavail)
display --to LOG --type WARNING FILE_PROP_NO_SYSATTR "`name2text \"${FNAME}\"`"
;;
write)
display --to LOG --type WARNING FILE_PROP_WRITE "`name2text \"${FNAME}\"`"
;;
syspermunavail)
display --to LOG --type WARNING FILE_PROP_SYSPERM_UNAVAIL "`name2text \"${FNAME}\"`"
;;
immutable)
if [ $IMMUTABLE_SET -eq 0 ]; then
display --to LOG --type WARNING FILE_PROP_IMMUT "`name2text \"${FNAME}\"`"
else
display --to LOG --type WARNING FILE_PROP_IMMUT_NOT_SET "`name2text \"${FNAME}\"`"
fi
;;
script)
test -n "${BASENAME_CMD}" && RKHTMPVAR4=`${BASENAME_CMD} "${FNAME}"` || RKHTMPVAR4=`echo "${FNAME}" | sed -e 's:^.*/::'`
if [ "${RKHTMPVAR4}" = "rkhunter" ]; then
display --to LOG --type WARNING FILE_PROP_SCRIPT_RKH "`name2text \"${FNAME}\"`" "${SYSSCRIPT}"
else
display --to LOG --type WARNING FILE_PROP_SCRIPT "`name2text \"${FNAME}\"`" "${SYSSCRIPT}"
fi
;;
esac
done
fi
if [ -n "${WHITELIST_RESULT}" -a $VERBOSE_LOGGING -eq 1 ]; then
for WL_FILE in ${WHITELIST_RESULT}; do
case "${WL_FILE}" in
hash)
RKHTMPVAR="file hash"
;;
attr)
RKHTMPVAR="file attributes"
;;
write)
RKHTMPVAR="file write permission"
;;
immutable)
RKHTMPVAR="file immutable-bit"
;;
script)
RKHTMPVAR="script replacement"
;;
esac
display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" "${RKHTMPVAR}"
done
fi
IFS=$IFSNL
done
IFS=$RKHIFS
#
# We must now loop through the rkhunter.dat file and see if any filenames
# are missing from the rkhunter_prop_list.dat file. If so, then this
# indicates a (probably wildcarded) file has been removed from the system.
#
if [ $USE_DAT_FILE -eq 1 ]; then
IFS=$IFSNL
for RKHTMPVAR in `grep '^File:' "${RKHDAT_FILE}"`; do
if [ $FMTVERSION -eq 0 ]; then
FNAME=`echo "${RKHTMPVAR}" | cut -d: -f2`
else
RKH_CC=`echo "${RKHTMPVAR}" | cut -d: -f2`
RKH_CC2=`expr 3 + $RKH_CC`
FNAME=`echo "${RKHTMPVAR}" | cut -d: -f3-$RKH_CC2`
fi
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -z "`grep \"^${FNAMEGREP}$\" \"${RKH_FILEPROP_LIST}\"`" ]; then
if [ -n "`echo \"${EXISTWHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
#
# Remove the entry from the rkhunter.dat file.
#
if [ $FMTVERSION -eq 0 ]; then
OLDRKHENTRIES="${OLDRKHENTRIES}
File:${FNAME}:.*"
else
OLDRKHENTRIES="${OLDRKHENTRIES}
File:${RKH_CC}:${FNAME}:.*"
fi
elif [ ! -e "${FNAME}" ]; then
PROP_FAILED_COUNT=`expr ${PROP_FAILED_COUNT} + 1`
PROP_FILE_LIST_COUNT=`expr ${PROP_FILE_LIST_COUNT} + 1`
display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result WARNING --color RED NAME "`name2text \"${FNAME}\"`"
display --to LOG --type WARNING FILE_PROP_FILE_NOT_EXIST "`name2text \"${FNAME}\"`"
fi
fi
done
IFS=$RKHIFS
fi
#
# Finally, add or remove any specified entries to/from the rkhunter.dat file.
#
test -n "${OLDRKHENTRIES}" -o -n "${NEWRKHENTRIES}" && updt_rkhdat
return
}
suspscan() {
#
# Suspscan content scan using fixed strings.
#
# Suspscan is a CPU hog and only useful to some limit.
# Suspscan should NEVER be enabled by default.
#
if `check_test suspscan`; then
display --to LOG --type INFO --nl STARTING_TEST suspscan
display --to LOG --type PLAIN --log-indent 2 SUSPSCAN_START
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST suspscan
fi
return
fi
#
# First check that we have the commands we need.
#
if [ -z "${FILE_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 SUSPSCAN_CHECK
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' file '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'file'
else
display --to LOG --type INFO NOT_FOUND_CMD 'file'
fi
return
elif [ -z "${STRINGS_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 SUSPSCAN_CHECK
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' strings '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'strings'
else
display --to LOG --type INFO NOT_FOUND_CMD 'strings'
fi
return
fi
#
# Now check that the suspscan data file is usable.
#
if [ ! -e "${DB_PATH}/suspscan.dat" -o ! -s "${DB_PATH}/suspscan.dat" ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 SUSPSCAN_CHECK
display --to LOG --type WARNING --log-indent 9 SUSPSCAN_DAT_MISSING "${DB_PATH}/suspscan.dat"
return
elif [ ! -f "${DB_PATH}/suspscan.dat" -o -h "${DB_PATH}/suspscan.dat" ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 SUSPSCAN_CHECK
display --to LOG --type WARNING --log-indent 9 SUSPSCAN_DAT_NOTAFILE "${DB_PATH}/suspscan.dat"
return
fi
#
# Next log our configuration settings.
#
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO SUSPSCAN_DIRS "${SUSPSCAN_DIRS}"
display --to LOG --type INFO SUSPSCAN_TEMP "${SUSPSCAN_TEMP}"
display --to LOG --type INFO SUSPSCAN_SIZE "${SUSPSCAN_MAXSIZE}"
display --to LOG --type INFO SUSPSCAN_THRESH "${SUSPSCAN_THRESH}"
fi
#
# Finally start the test.
#
FOUND=0
FOUNDDIRS=""
FILENAME="${SUSPSCAN_TEMP}/suspscan.$$.strings"
ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`
rm -f ${SUSPSCAN_TEMP}/suspscan.*.strings >/dev/null 2>&1
#
# Get a temporary file used to log the scan results.
#
get_temp_file "${RKHTMPDIR}/suspscan.tmp"
SUSPSCAN_TMPFILE="${TEMPFILE}"
touch "${SUSPSCAN_TMPFILE}"
#
# We expand the whitelist option here to ensure
# that any wildcard entries are the most recent.
#
if [ -n "${SUSPSCAN_WL_OPT}" ]; then
SUSPSCAN_WHITELIST=`expand_paths SUSPSCAN_WL_OPT`
else
SUSPSCAN_WHITELIST=""
fi
for SUSPSCAN_DIR in ${SUSPSCAN_DIRS}; do
if [ -d "${SUSPSCAN_DIR}" ]; then
FOUND=0
if [ $SUSPSCAN_DEBUG -eq 1 ]; then
echo "4 SUSPSCAN_DIR_CHECK "${SUSPSCAN_DIR}"" >>"${SUSPSCAN_TMPFILE}"
fi
$FIND_CMD "${SUSPSCAN_DIR}" -type f -o -type l 2>/dev/null | while read SUSPSCAN_ITEM; do
#
# Skip the debug file which may well be in one of the default suspscan directories.
#
test $DEBUG_OPT -eq 1 -a "${SUSPSCAN_ITEM}" = "${RKHDEBUGFILE}" && continue
#
# If the file is a link, then find what it points to.
#
if [ -h "${SUSPSCAN_ITEM}" ]; then
if [ $HAVE_READLINK -eq 1 ]; then
RKHTMPVAR="${SUSPSCAN_ITEM}"
SUSPSCAN_ITEM=`${READLINK_CMD} ${READLINK_OPT} "${RKHTMPVAR}" 2>/dev/null`
if [ -z "${SUSPSCAN_ITEM}" ]; then
continue
elif [ $SUSPSCAN_DEBUG -eq 1 ]; then
echo "6 SUSPSCAN_FILE_LINK_CHANGE "${RKHTMPVAR}" "${SUSPSCAN_ITEM}"" >>"${SUSPSCAN_TMPFILE}"
fi
else
if [ $SUSPSCAN_DEBUG -eq 1 ]; then
echo "6 SUSPSCAN_FILE_SKIPPED_LINK "${SUSPSCAN_ITEM}"" >>"${SUSPSCAN_TMPFILE}"
fi
continue
fi
fi
#
# Ignore any whitelisted files.
#
FNAMEGREP=`echo "${SUSPSCAN_ITEM}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${SUSPSCAN_WHITELIST}\" | grep \"^${SUSPSCAN_ITEM}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO SUSPSCAN_WL "${SUSPSCAN_ITEM}"
fi
continue
fi
#
# Next check the size of the file.
#
if [ ! -s "${SUSPSCAN_ITEM}" ]; then
if [ $SUSPSCAN_DEBUG -eq 1 ]; then
echo "6 SUSPSCAN_FILE_SKIPPED_EMPTY "${SUSPSCAN_ITEM}"" >>"${SUSPSCAN_TMPFILE}"
fi
continue
elif [ -z "`${FIND_CMD} "${SUSPSCAN_ITEM}" -size -${SUSPSCAN_MAXSIZE}c 2>/dev/null`" ]; then
if [ $SUSPSCAN_DEBUG -eq 1 ]; then
echo "6 SUSPSCAN_FILE_SKIPPED_SIZE "${SUSPSCAN_ITEM}"" >>"${SUSPSCAN_TMPFILE}"
fi
continue
fi
#
# Finally, test the file type.
#
FTYPE=`${FILE_CMD} "${SUSPSCAN_ITEM}" 2>&1 | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`
#
# We need to check errors from the file command, but not
# if they are caused by the file disappearing beneath us.
#
test ! -e "${SUSPSCAN_ITEM}" && continue
#
# Adding "text" to the egrep below widens scope at the expense of more false-positives and extending running time.
#
if [ -n "`echo \"${FTYPE}\" | grep -v -i 'compres' | egrep -i 'execu|reloc|shell|libr|data|obj|text'`" ]; then
FOUND=1
SUSPSCAN_NUM=1; SUSPSCAN_SCORE=0; SUSPSCAN_HITCOUNT=0
SUSPSCAN_STRINGS=""
$STRINGS_CMD -n 4 -a "${SUSPSCAN_ITEM}" 2>/dev/null | head ${HEAD_OPT}$SUSPSCAN_LINETHRESH >"${FILENAME}" 2>&1
for SUSPSCAN_STRING in `grep -v '^Version' "${DB_PATH}/suspscan.dat" 2>/dev/null | tail ${TAIL_OPT}1` ; do
#
# Break off if the score already exceeds the threshold.
#
if [ $SUSPSCAN_SCORE -ge $SUSPSCAN_THRESH ]; then
break
fi
SUSPSCAN_TERM="${SUSPSCAN_STRING}"
#
# Searchterm with class.
#
case "${SUSPSCAN_STRING}" in
[a-z]:*)
SUSPSCAN_CLASS=`echo "${SUSPSCAN_STRING}" | cut -d: -f1`
SUSPSCAN_TERM=`echo "${SUSPSCAN_STRING}" | cut -d: -f2-`
;;
esac
#
# Searchterm with multiplier.
#
case "${SUSPSCAN_STRING}" in
*+[0-9][0-9]*)
SUSPSCAN_TERM=`echo "${SUSPSCAN_TERM}" | cut -d'+' -f1`
SUSPSCAN_MULTIPLIER=`echo "${SUSPSCAN_STRING}" | cut -d'+' -f2`
;;
esac
grep -i ${SUSPSCAN_TERM} "${FILENAME}" >/dev/null 2>&1
ERRCODE=$?
if [ $ERRCODE -eq 0 ]; then
if [ "$SUSPSCAN_CLASS" = "$SUSPSCAN_CLASS_PREV" ]; then
SUSPSCAN_SCORE=`expr ${SUSPSCAN_SCORE} + 10`
fi
SUSPSCAN_HITS="$SUSPSCAN_NUM ${SUSPSCAN_HITS}"
if [ -n "$SUSPSCAN_MULTIPLIER" ]; then
SUSPSCAN_SCORE=`expr ${SUSPSCAN_SCORE} + ${SUSPSCAN_MULTIPLIER}`
unset SUSPSCAN_MULTIPLIER
else
SUSPSCAN_SCORE=`expr ${SUSPSCAN_SCORE} + 1`
fi
SUSPSCAN_HITCOUNT=`expr $SUSPSCAN_HITCOUNT + 1`
SUSPSCAN_STRINGS="${SUSPSCAN_STRINGS} ${SUSPSCAN_TERM}"
SUSPSCAN_CLASS_PREV="$SUSPSCAN_CLASS"
fi
SUSPSCAN_NUM=`expr ${SUSPSCAN_NUM} + 1`
done
if [ $SUSPSCAN_DEBUG -eq 1 ]; then
echo "6 SUSPSCAN_FILE_CHECK_DEBUG "${SUSPSCAN_ITEM}" "$SUSPSCAN_SCORE" "$SUSPSCAN_HITCOUNT" "${SUSPSCAN_STRINGS}"" >>"${SUSPSCAN_TMPFILE}"
fi
if [ $SUSPSCAN_SCORE -ge $SUSPSCAN_THRESH ]; then
echo "6 SUSPSCAN_FILE_CHECK "${SUSPSCAN_ITEM}" "$SUSPSCAN_SCORE"" >>"${SUSPSCAN_TMPFILE}"
echo "SUSPSCAN_INSPECT "${SUSPSCAN_ITEM}" "$SUSPSCAN_SCORE"" >>"${SUSPSCAN_TMPFILE}"
fi
unset SUSPSCAN_TERM
#
# Compressed or obfuscated.
#
elif [ -n "`echo \"${FTYPE}\" | grep 'corrupted section header size'`" ]; then
if [ $SUSPSCAN_DEBUG -eq 1 ]; then
echo "6 SUSPSCAN_FILE_SKIPPED_TYPE "${SUSPSCAN_ITEM}" "Possible UPX-compressed or Dexter01s obfuscated binary"" >>"${SUSPSCAN_TMPFILE}"
fi
#
# ELF ultimate compression kit (ELFuck).
#
elif [ -n "`echo \"${FTYPE}\" | grep 'invalid class invalid byte order'`" ]; then
if [ $SUSPSCAN_DEBUG -eq 1 ]; then
echo "6 SUSPSCAN_FILE_SKIPPED_TYPE "${SUSPSCAN_ITEM}" "Possible ELFuck obfuscated binary"" >>"${SUSPSCAN_TMPFILE}"
fi
elif [ $SUSPSCAN_DEBUG -eq 1 ]; then
echo "6 SUSPSCAN_FILE_SKIPPED_TYPE "${SUSPSCAN_ITEM}" "${FTYPE}"" >>"${SUSPSCAN_TMPFILE}"
fi
done
else
echo "4 SUSPSCAN_DIR_NOT_EXIST "${SUSPSCAN_DIR}"" >>"${SUSPSCAN_TMPFILE}"
fi
done
rm -f ${SUSPSCAN_TEMP}/suspscan.*.strings >/dev/null 2>&1
#
# Now display the results.
#
cat "${SUSPSCAN_TMPFILE}" | while read LINE; do
LOGCHAR=`echo "$LINE" | cut -c 1`
case "$LOGCHAR" in
4|6) LOGTYPE=`echo "$LINE" | cut -d ' ' -f 2`
case "$LOGTYPE" in
SUSPSCAN_FILE_SKIPPED_TYPE)
SUSP_SKIP_ITEM=`echo "$LINE" | cut -d ' ' -f 3`
SUSP_SKIP_MSG=`echo "$LINE" | cut -d ' ' -f 4-`
if [ $SUSPSCAN_DEBUG -eq 1 ]; then
display --to LOG --type PLAIN --log-indent $LOGCHAR $LOGTYPE "${SUSP_SKIP_ITEM}" "${SUSP_SKIP_MSG}"
fi
;;
*)
display --to LOG --type PLAIN --log-indent $LINE
;;
esac
;;
S)
display --to LOG --type WARNING $LINE
;;
esac
done
FOUNDDIRS=`grep '^6 SUSPSCAN_FILE_CHECK' "${SUSPSCAN_TMPFILE}" 2>/dev/null | head ${HEAD_OPT}1`
if [ -z "${FOUNDDIRS}" ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 SUSPSCAN_CHECK
else
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
# The 'type' here should be PLAIN, but the loop prevents RKH from seeing that a warning has occurred.
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 SUSPSCAN_CHECK
fi
rm -f "${SUSPSCAN_TMPFILE}" >/dev/null 2>&1
return
}
do_system_commands_checks() {
#
# This function carries out a sequence of tests on
# system commands. These consist of the 'strings' command
# check, library checks and the file properties checks.
#
if `check_test system_commands`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST system_commands
display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_SYS_COMMANDS
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST system_commands
fi
return
fi
strings_check
shared_libs_check
file_properties_check
keypresspause
return
}
rootkit_file_dir_checks() {
#
# This function performs the check for known rootkit
# files and directories.
#
if `check_test known_rkts`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST known_rkts
display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_FILES_DIRS_START
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST known_rkts
fi
return
fi
# 55808 Trojan - Variant A
SCAN_ROOTKIT="55808 Trojan - Variant A"
SCAN_FILES=${W55808A_FILES}
SCAN_DIRS=${W55808A_DIRS}
SCAN_KSYMS=${W55808A_KSYMS}
scanrootkit
# ADM Worm
SCAN_ROOTKIT="ADM Worm"
ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"
if [ -f "/etc/passwd" ]; then
RKHTMPVAR=`grep 'w0rm' /etc/passwd`
if [ -z "${RKHTMPVAR}" ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_STR 'w0rm'
display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
else
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "
display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_STR 'w0rm'
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_STR_FOUND 'w0rm' '/etc/passwd'
fi
else
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_NOFILE '/etc/passwd'
fi
# AjaKit Rootkit
SCAN_ROOTKIT="AjaKit Rootkit"
SCAN_FILES=${AJAKIT_FILES}
SCAN_DIRS=${AJAKIT_DIRS}
SCAN_KSYMS=${AJAKIT_KSYMS}
scanrootkit
# "Adore" Rootkit
SCAN_ROOTKIT="Adore Rootkit"
SCAN_FILES=${AKIT_FILES}
SCAN_DIRS=${AKIT_DIRS}
SCAN_KSYMS=${AKIT_KSYMS}
scanrootkit
# aPa Kit
SCAN_ROOTKIT="aPa Kit"
SCAN_FILES=${APAKIT_FILES}
SCAN_DIRS=${APAKIT_DIRS}
SCAN_KSYMS=${APAKIT_KSYMS}
scanrootkit
# Apache worm
SCAN_ROOTKIT="Apache Worm"
SCAN_FILES=${APACHEWORM_FILES}
SCAN_DIRS=${APACHEWORM_DIRS}
SCAN_KSYMS=${APACHEWORM_KSYMS}
scanrootkit
# Ambient (ark) Rootkit
SCAN_ROOTKIT="Ambient (ark) Rootkit"
SCAN_FILES=${ARK_FILES}
SCAN_DIRS=${ARK_DIRS}
SCAN_KSYMS=${ARK_KSYMS}
scanrootkit
# Balaur Rootkit
SCAN_ROOTKIT="Balaur Rootkit"
SCAN_FILES=${BALAUR_FILES}
SCAN_DIRS=${BALAUR_DIRS}
SCAN_KSYMS=${BALAUR_KSYMS}
scanrootkit
# BeastKit Rootkit
SCAN_ROOTKIT="BeastKit Rootkit"
SCAN_FILES=${BEASTKIT_FILES}
SCAN_DIRS=${BEASTKIT_DIRS}
SCAN_KSYMS=${BEASTKIT_KSYMS}
scanrootkit
# beX2 Rootkit
SCAN_ROOTKIT="beX2 Rootkit"
SCAN_FILES=${BEX_FILES}
SCAN_DIRS=${BEX_DIRS}
SCAN_KSYMS=${BEX_KSYMS}
scanrootkit
# BOBKit Rootkit
SCAN_ROOTKIT="BOBKit Rootkit"
SCAN_FILES=${BOBKIT_FILES}
SCAN_DIRS=${BOBKIT_DIRS}
SCAN_KSYMS=${BOBKIT_KSYMS}
scanrootkit
# OSX Boonana Trojan
if [ $MACOSX -eq 1 ]; then
SCAN_ROOTKIT="Boonana Trojan"
SCAN_FILES=${BOONANA_FILES}
SCAN_DIRS=${BOONANA_DIRS}
SCAN_KSYMS=${BOONANA_KSYMS}
scanrootkit
fi
# cb Rootkit
SCAN_ROOTKIT="cb Rootkit"
SCAN_FILES=${CB_FILES}
SCAN_DIRS=${CB_DIRS}
SCAN_KSYMS=${CB_KSYMS}
scanrootkit
# CiNIK Worm (Slapper.B variant)
SCAN_ROOTKIT="CiNIK Worm (Slapper.B variant)"
SCAN_FILES=${CINIK_FILES}
SCAN_DIRS=${CINIK_DIRS}
SCAN_KSYMS=${CINIK_KSYMS}
scanrootkit
# CX Rootkit
if [ $SUNOS -eq 1 ]; then
SCAN_ROOTKIT="CX Rootkit"
SCAN_FILES=${CXKIT_FILES}
SCAN_DIRS=${CXKIT_DIRS}
SCAN_KSYMS=${CXKIT_KSYMS}
scanrootkit
fi
# Danny-Boy's Abuse Kit
SCAN_ROOTKIT="Danny-Boy's Abuse Kit"
SCAN_FILES=${DANNYBOYS_FILES}
SCAN_DIRS=${DANNYBOYS_DIRS}
SCAN_KSYMS=${DANNYBOYS_KSYMS}
scanrootkit
# Devil RootKit
SCAN_ROOTKIT="Devil RootKit"
SCAN_FILES=${DEVIL_FILES}
SCAN_DIRS=${DEVIL_DIRS}
SCAN_KSYMS=${DEVIL_KSYMS}
scanrootkit
# Diamorphine LKM
SCAN_ROOTKIT="Diamorphine LKM"
SCAN_FILES=${DIAMORPHINE_FILES}
SCAN_DIRS=${DIAMORPHINE_DIRS}
SCAN_KSYMS=${DIAMORPHINE_KSYMS}
scanrootkit
# Dica-Kit Rootkit
SCAN_ROOTKIT="Dica-Kit Rootkit"
SCAN_FILES=${DICA_FILES}
SCAN_DIRS=${DICA_DIRS}
SCAN_KSYMS=${DICA_KSYMS}
scanrootkit
# Dreams RootKit
SCAN_ROOTKIT="Dreams Rootkit"
SCAN_FILES=${DREAMS_FILES}
SCAN_DIRS=${DREAMS_DIRS}
SCAN_KSYMS=${DREAMS_KSYMS}
scanrootkit
# Duarawkz Rootkit
SCAN_ROOTKIT="Duarawkz Rootkit"
SCAN_FILES=${DUARAWKZ_FILES}
SCAN_DIRS=${DUARAWKZ_DIRS}
SCAN_KSYMS=${DUARAWKZ_KSYMS}
scanrootkit
# Ebury sshd backdoor
SCAN_ROOTKIT="Ebury backdoor"
SCAN_FILES=${EBURY_FILES}
SCAN_DIRS=${EBURY_DIRS}
SCAN_KSYMS=${EBURY_KSYMS}
scanrootkit
# Enye LKM
SCAN_ROOTKIT="Enye LKM"
SCAN_FILES=${ENYELKM_FILES}
SCAN_DIRS=${ENYELKM_DIRS}
SCAN_KSYMS=${ENYELKM_KSYMS}
scanrootkit
# Flea Linux Rootkit
SCAN_ROOTKIT="Flea Linux Rootkit"
SCAN_FILES=${FLEA_FILES}
SCAN_DIRS=${FLEA_DIRS}
SCAN_KSYMS=${FLEA_KSYMS}
scanrootkit
# FreeBSD Rootkit
if [ $BSDOS -eq 1 ]; then
SCAN_ROOTKIT="FreeBSD Rootkit"
SCAN_FILES=${FREEBSD_RK_FILES}
SCAN_DIRS=${FREEBSD_RK_DIRS}
SCAN_KSYMS=${FREEBSD_RK_KSYMS}
scanrootkit
fi
# Fu Rootkit
SCAN_ROOTKIT="Fu Rootkit"
SCAN_FILES=${FU_FILES}
SCAN_DIRS=${FU_DIRS}
SCAN_KSYMS=${FU_KSYMS}
scanrootkit
# Fuck`it Rootkit
SCAN_ROOTKIT="Fuck\`it Rootkit"
SCAN_FILES=${FUCKIT_FILES}
SCAN_DIRS=${FUCKIT_DIRS}
SCAN_KSYMS=${FUCKIT_KSYMS}
scanrootkit
# GasKit Rootkit
SCAN_ROOTKIT="GasKit Rootkit"
SCAN_FILES=${GASKIT_FILES}
SCAN_DIRS=${GASKIT_DIRS}
SCAN_KSYMS=${GASKIT_KSYMS}
scanrootkit
# Heroin LKM
SCAN_ROOTKIT="Heroin LKM"
SCAN_FILES=${HEROIN_FILES}
SCAN_DIRS=${HEROIN_DIRS}
SCAN_KSYMS=${HEROIN_KSYMS}
scanrootkit
# HjC Kit
SCAN_ROOTKIT="HjC Kit"
SCAN_FILES=${HJCKIT_FILES}
SCAN_DIRS=${HJCKIT_DIRS}
SCAN_KSYMS=${HJCKIT_KSYMS}
scanrootkit
# ignoKit Rootkit
SCAN_ROOTKIT="ignoKit Rootkit"
SCAN_FILES=${IGNOKIT_FILES}
SCAN_DIRS=${IGNOKIT_DIRS}
SCAN_KSYMS=${IGNOKIT_KSYMS}
scanrootkit
# iLLogiC Rootkit (SunOS Rootkit variant)
if [ $SUNOS -eq 1 ]; then
SCAN_ROOTKIT="iLLogiC Rootkit"
SCAN_FILES=${ILLOGIC_FILES}
SCAN_DIRS=${ILLOGIC_DIRS}
SCAN_KSYMS=${ILLOGIC_KSYMS}
scanrootkit
fi
# OSX Inqtana (Variant A)
if [ $MACOSX -eq 1 ]; then
SCAN_ROOTKIT="Inqtana Worm (Variant A)"
SCAN_FILES=${INQTANAA_FILES}
SCAN_DIRS=${INQTANAA_DIRS}
SCAN_KSYMS=${INQTANAA_KSYMS}
scanrootkit
fi
# OSX Inqtana (Variant B)
if [ $MACOSX -eq 1 ]; then
SCAN_ROOTKIT="Inqtana Worm (Variant B)"
SCAN_FILES=${INQTANAB_FILES}
SCAN_DIRS=${INQTANAB_DIRS}
SCAN_KSYMS=${INQTANAB_KSYMS}
scanrootkit
fi
# OSX Inqtana (Variant C)
if [ $MACOSX -eq 1 ]; then
SCAN_ROOTKIT="Inqtana Worm (Variant C)"
SCAN_FILES=${INQTANAC_FILES}
SCAN_DIRS=${INQTANAC_DIRS}
SCAN_KSYMS=${INQTANAC_KSYMS}
scanrootkit
fi
# IntoXonia-NG Rootkit
SCAN_ROOTKIT="IntoXonia-NG Rootkit"
SCAN_FILES=${INTOXONIA_FILES}
SCAN_DIRS=${INTOXONIA_DIRS}
SCAN_KSYMS=${INTOXONIA_KSYMS}
scanrootkit
# Irix Rootkit
SCAN_ROOTKIT="Irix Rootkit"
SCAN_FILES=${IRIXRK_FILES}
SCAN_DIRS=${IRIXRK_DIRS}
SCAN_KSYMS=${IRIXRK_KSYMS}
scanrootkit
# Jynx Rootkit
SCAN_ROOTKIT="Jynx Rootkit"
SCAN_FILES=${JYNX_FILES}
SCAN_DIRS=${JYNX_DIRS}
SCAN_KSYMS=${JYNX_KSYMS}
scanrootkit
# Jynx2 Rootkit
SCAN_ROOTKIT="Jynx2 Rootkit"
SCAN_FILES=${JYNX2_FILES}
SCAN_DIRS=${JYNX2_DIRS}
SCAN_KSYMS=${JYNX2_KSYMS}
scanrootkit
# KBeast Rootkit
SCAN_ROOTKIT="KBeast Rootkit"
SCAN_FILES=${KBEAST_FILES}
SCAN_DIRS=${KBEAST_DIRS}
SCAN_KSYMS=${KBEAST_KSYMS}
scanrootkit
# OSX Keydnap backdoor
if [ $MACOSX -eq 1 ]; then
SCAN_ROOTKIT="Keydnap backdoor"
SCAN_FILES=${KEYDNAP_FILES}
SCAN_DIRS=${KEYDNAP_DIRS}
SCAN_KSYMS=${KEYDNAP_KSYMS}
scanrootkit
fi
# Kitko Rootkit
SCAN_ROOTKIT="Kitko Rootkit"
SCAN_FILES=${KITKO_FILES}
SCAN_DIRS=${KITKO_DIRS}
SCAN_KSYMS=${KITKO_KSYMS}
scanrootkit
# Knark Rootkit
SCAN_ROOTKIT="Knark Rootkit"
SCAN_FILES=${KNARK_FILES}
SCAN_DIRS=${KNARK_DIRS}
SCAN_KSYMS=${KNARK_KSYMS}
scanrootkit
# OSX Komplex Trojan
if [ $MACOSX -eq 1 ]; then
SCAN_ROOTKIT="Komplex Trojan"
SCAN_FILES=${KOMPLEX_FILES}
SCAN_DIRS=${KOMPLEX_DIRS}
SCAN_KSYMS=${KOMPLEX_KSYMS}
scanrootkit
fi
# ld-linuxv.so (LD_PRELOAD shared library rootkit)
SCAN_ROOTKIT="ld-linuxv.so Rootkit"
SCAN_FILES=${LINUXV_FILES}
SCAN_DIRS=${LINUXV_DIRS}
SCAN_KSYMS=${LINUXV_KSYMS}
scanrootkit
# Li0n Worm
SCAN_ROOTKIT="Li0n Worm"
SCAN_FILES=${LION_FILES}
SCAN_DIRS=${LION_DIRS}
SCAN_KSYMS=${LION_KSYMS}
scanrootkit
# Lockit / LJK2 Rootkit
SCAN_ROOTKIT="Lockit / LJK2 Rootkit"
SCAN_FILES=${LOCKIT_FILES}
SCAN_DIRS=${LOCKIT_DIRS}
SCAN_KSYMS=${LOCKIT_KSYMS}
scanrootkit
# Mokes backdoor
SCAN_ROOTKIT="Mokes backdoor"
SCAN_FILES=${MOKES_FILES}
SCAN_DIRS=${MOKES_DIRS}
SCAN_KSYMS=${MOKES_KSYMS}
scanrootkit
# Mood-NT Rootkit
SCAN_ROOTKIT="Mood-NT Rootkit"
SCAN_FILES=${MOODNT_FILES}
SCAN_DIRS=${MOODNT_DIRS}
SCAN_KSYMS=${MOODNT_KSYMS}
scanrootkit
# MRK (MiCrobul?) RootKit
SCAN_ROOTKIT="MRK Rootkit"
SCAN_FILES=${MRK_FILES}
SCAN_DIRS=${MRK_DIRS}
SCAN_KSYMS=${MRK_KSYMS}
scanrootkit
# Ni0 Rootkit
SCAN_ROOTKIT="Ni0 Rootkit"
SCAN_FILES=${NIO_FILES}
SCAN_DIRS=${NIO_DIRS}
SCAN_KSYMS=${NIO_KSYMS}
scanrootkit
# Ohhara Rootkit
SCAN_ROOTKIT="Ohhara Rootkit"
SCAN_FILES=${OHHARA_FILES}
SCAN_DIRS=${OHHARA_DIRS}
SCAN_KSYMS=${OHHARA_KSYMS}
scanrootkit
# Optic Kit Worm
SCAN_ROOTKIT="Optic Kit (Tux) Worm"
SCAN_FILES=${OPTICKIT_FILES}
SCAN_DIRS=${OPTICKIT_DIRS}
SCAN_KSYMS=${OPTICKIT_KSYMS}
scanrootkit
# OSX Rootkit 0.2.1
if [ $MACOSX -eq 1 ]; then
SCAN_ROOTKIT="OS X Rootkit"
SCAN_FILES="${OSXRK_FILES}"
SCAN_DIRS="${OSXRK_DIRS}"
SCAN_KSYMS=${OSXRK_KSYMS}
scanrootkit
fi
# Oz Rootkit
SCAN_ROOTKIT="Oz Rootkit"
SCAN_FILES=${OZ_FILES}
SCAN_DIRS=${OZ_DIRS}
SCAN_KSYMS=${OZ_KSYMS}
scanrootkit
# Phalanx Rootkit
SCAN_ROOTKIT="Phalanx Rootkit"
SCAN_FILES=${PHALANX_FILES}
SCAN_DIRS=${PHALANX_DIRS}
SCAN_KSYMS=${PHALANX_KSYMS}
scanrootkit
# Phalanx2 Rootkit (dirs and files)
SCAN_ROOTKIT="Phalanx2 Rootkit"
SCAN_FILES=${PHALANX2_FILES}
SCAN_DIRS=${PHALANX2_DIRS}
SCAN_KSYMS=${PHALANX2_KSYMS}
scanrootkit
# Phalanx2 Rootkit (extended tests)
if [ $LINUXOS -eq 1 ]; then
SCAN_ROOTKIT="Phalanx2 Rootkit (extended tests)"
ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
ROOTKIT_PHALANX2_TEST=0
display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"
if [ $ROOTKIT_PHALANX2_DIRTESTVAL -eq 1 ]; then
ROOTKIT_PHALANX2_DIRNAMES=`${FIND_CMD} /etc /usr -type d -iname "*.p2"`
else
ROOTKIT_PHALANX2_DIRNAMES="/etc/khubd.p2 /etc/lolzz.p2 /usr/lib/zupzz.p2"
fi
if [ -n "${ROOTKIT_PHALANX2_DIRNAMES}" ]; then
for ROOTKIT_PHALANX2_DIRNAME in ${ROOTKIT_PHALANX2_DIRNAMES}; do
if `cd ${ROOTKIT_PHALANX2_DIRNAME} >/dev/null 2>&1`; then
ROOTKIT_PHALANX2_TEST=1
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "${ROOTKIT_PHALANX2_DIRNAME}"
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_DIR_FOUND "${ROOTKIT_PHALANX2_DIRNAME}"
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "${ROOTKIT_PHALANX2_DIRNAME}"
fi
done
elif [ $ROOTKIT_PHALANX2_DIRTESTVAL -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "*.p2"
fi
if `grep -q '^/dev/root .* ext[23] ' /proc/mounts 2>/dev/null`; then
if [ -n "${STAT_CMD}" ]; then
for DIR_NAME in /etc /usr/share; do
if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
NLINKS1=`${STAT_CMD} --nlink ${DIR_NAME} 2>/dev/null`
else
NLINKS1=`${STAT_CMD} -c %h ${DIR_NAME} 2>/dev/null`
fi
NLINKS2=`ls -ld ${DIR_NAME} 2>/dev/null | ${AWK_CMD} -F' ' '/^d/ {print $2}' 2>/dev/null | head ${HEAD_OPT}1`
test -z "${NLINKS1}" && NLINKS1=-1
test -z "${NLINKS2}" && NLINKS2=-2
if [ $NLINKS1 -ne $NLINKS2 ]; then
display --to LOG --type PLAIN --result WARNING --log-indent 2 ROOTKIT_LINK_COUNT "${DIR_NAME}"
if [ $NLINKS1 -eq -1 ]; then
display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_CMDERR "${STAT_CMD}" "${DIR_NAME}"
fi
if [ $NLINKS2 -eq -2 ]; then
display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_CMDERR 'ls -ld' "${DIR_NAME}"
fi
display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_FAIL "${STAT_CMD}" "$NLINKS1"
display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_FAIL 'ls -ld' "$NLINKS2"
if [ $ROOTKIT_PHALANX2_TEST -eq 0 ]; then
ROOTKIT_PHALANX2_TEST=1
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
fi
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_PHALANX2_LINK_COUNT_FAIL "${DIR_NAME}"
else
display --to LOG --type PLAIN --result OK --log-indent 2 ROOTKIT_LINK_COUNT "${DIR_NAME}"
fi
done
else
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_LINK_COUNT '/etc and /usr/share'
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' stat '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'stat'
else
display --to LOG --type INFO NOT_FOUND_CMD 'stat'
fi
fi
fi
# On Linux 2.6 kernels certain processes are children of the kthread process which itself is a child of init.
# argv[0] hiding in plain sight works OK (who expects '^ata/0$' processes to be illegal?) but if the parent process Id is not kthread's
# then suspicion is justified. Like other process listing relying on 'ps' the usual process hiding caveat remains.
if [ -n "${PGREP_CMD}" ]; then
if [ -n "`${PGREP_CMD} 'ata/0'`" ]; then
ROOTKIT_PHALANX2_PROC_KTHREAD_PPID=`${PGREP_CMD} -f '^kthread.?$'`
ROOTKIT_PHALANX2_PROC_ATA_PPID=`${PS_CMD} --no-headers -C 'ata/0' -oppid 2>/dev/null`
if [ -n "${ROOTKIT_PHALANX2_PROC_ATA_PPID}" -a -n "${ROOTKIT_PHALANX2_PROC_KTHREAD_PPID}" ]; then
if [ ${ROOTKIT_PHALANX2_PROC_ATA_PPID} -ne ${ROOTKIT_PHALANX2_PROC_KTHREAD_PPID} ]; then
display --to LOG --type PLAIN --result WARNING --log-indent 2 ROOTKIT_PHALANX2_PROC_FOUND
display --to LOG --type PLAIN --log-indent 4 ROOTKIT_PHALANX2_PROC_PPID "${ROOTKIT_PHALANX2_PROC_KTHREAD_PPID}" "${ROOTKIT_PHALANX2_PROC_ATA_PPID}"
if [ $ROOTKIT_PHALANX2_TEST -eq 0 ]; then
ROOTKIT_PHALANX2_TEST=1
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
fi
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_PHALANX2_PROC_FOUND
else
display --to LOG --type PLAIN --result OK --log-indent 2 ROOTKIT_PHALANX2_PROC
fi
else # ROOTKIT_PHALANX2_PROC_ATA_PPID ps might not support some cmdline args
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_PHALANX2_PROC
display --to LOG --type INFO ROOTKIT_PHALANX2_PROC_PS_ERR
fi
# else # This kernel does not run any 'ata/0' kthread child processes, no warning necessary.
fi
else # PGREP_CMD not found
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_PHALANX2_PROC
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' pgrep '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'pgrep'
else
display --to LOG --type INFO NOT_FOUND_CMD 'pgrep'
fi
fi
if [ $ROOTKIT_PHALANX2_TEST -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
else
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "
fi
fi
# Portacelo Rootkit
SCAN_ROOTKIT="Portacelo Rootkit"
SCAN_FILES=${PORTACELO_FILES}
SCAN_DIRS=${PORTACELO_DIRS}
SCAN_KSYMS=${PORTACELO_KSYMS}
scanrootkit
# OSX Proton backdoor
if [ $MACOSX -eq 1 ]; then
SCAN_ROOTKIT="Proton backdoor"
SCAN_FILES=${PROTON_FILES}
SCAN_DIRS=${PROTON_DIRS}
SCAN_KSYMS=${PROTON_KSYMS}
scanrootkit
fi
# R3dstorm Toolkit
SCAN_ROOTKIT="R3dstorm Toolkit"
SCAN_FILES=${REDSTORM_FILES}
SCAN_DIRS=${REDSTORM_DIRS}
SCAN_KSYMS=${REDSTORM_KSYMS}
scanrootkit
# RH-Sharpe's Rootkit
SCAN_ROOTKIT="RH-Sharpe's Rootkit"
SCAN_FILES=${RHSHARPES_FILES}
SCAN_DIRS=${RHSHARPES_DIRS}
SCAN_KSYMS=${RHSHARPES_KSYMS}
scanrootkit
# RSHA's Rootkit
SCAN_ROOTKIT="RSHA's Rootkit"
SCAN_FILES=${RSHA_FILES}
SCAN_DIRS=${RSHA_DIRS}
SCAN_KSYMS=${RSHA_KSYMS}
scanrootkit
# Scalper Worm
SCAN_ROOTKIT="Scalper Worm"
SCAN_FILES=${SCALPER_FILES}
SCAN_DIRS=${SCALPER_DIRS}
SCAN_KSYMS=${SCALPER_KSYMS}
scanrootkit
# Sebek LKM (Honeypot)
SCAN_ROOTKIT="Sebek LKM"
ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"
FOUND=0
if [ -n "${KSYMS_FILE}" ]; then
egrep -i 'adore|sebek' "${KSYMS_FILE}" >/dev/null 2>&1 && FOUND=1
fi
if [ $FOUND -eq 0 ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
if [ -n "${KSYMS_FILE}" ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM 'adore or sebek'
else
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_FILES_DIRS_KSYM 'adore or sebek'
fi
fi
display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
else
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "
display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM 'adore or sebek'
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_KSYM_FOUND 'adore or sebek'
fi
# Shutdown Rootkit
SCAN_ROOTKIT="Shutdown Rootkit"
SCAN_FILES=${SHUTDOWN_FILES}
SCAN_DIRS=${SHUTDOWN_DIRS}
SCAN_KSYMS=${SHUTDOWN_KSYMS}
scanrootkit
# SHV4 Rootkit
SCAN_ROOTKIT="SHV4 Rootkit"
SCAN_FILES=${SHV4_FILES}
SCAN_DIRS=${SHV4_DIRS}
SCAN_KSYMS=${SHV4_KSYMS}
scanrootkit
# SHV5 Rootkit
SCAN_ROOTKIT="SHV5 Rootkit"
SCAN_FILES=${SHV5_FILES}
SCAN_DIRS=${SHV5_DIRS}
SCAN_KSYMS=${SHV5_KSYMS}
scanrootkit
# Sin Rootkit
SCAN_ROOTKIT="Sin Rootkit"
SCAN_FILES=${SINROOTKIT_FILES}
SCAN_DIRS=${SINROOTKIT_DIRS}
SCAN_KSYMS=${SINROOTKIT_KSYMS}
scanrootkit
# SInAR Rootkit
if [ $SUNOS -eq 1 ]; then
FOUND=0
SINARFILES=""
SCAN_ROOTKIT="SInAR Rootkit"
ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"
if [ -n "${FIND_CMD}" ]; then
for DIR in ${BINPATHS}; do
FOUNDINDIR="NOT_FOUND"
for FNAME in `${FIND_CMD} "${DIR}" -type f -name "*[sS][iI][nN][aA][rR]*" 2>/dev/null`; do
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL "${FNAME}" known_rkts
fi
elif `grep -i 'sinar' "${FNAME}" >/dev/null 2>&1`; then
FOUND=1
FOUNDINDIR="FOUND"
SINARFILES="${SINARFILES} ${FNAME}"
fi
done
display --to LOG --type PLAIN --result "${FOUNDINDIR}" --log-indent 2 ROOTKIT_FILES_DIRS_SINAR_DIR "${DIR}"
done
#
# Now display the result.
#
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
else
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_SINAR "${SINARFILES}"
fi
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 NAME "${SCAN_ROOTKIT}"
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' find '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'find'
else
display --to LOG --type INFO NOT_FOUND_CMD 'find'
fi
fi
fi
# Slapper Worm
SCAN_ROOTKIT="Slapper Worm"
SCAN_FILES=${SLAPPER_FILES}
SCAN_DIRS=${SLAPPER_DIRS}
SCAN_KSYMS=${SLAPPER_KSYMS}
scanrootkit
# Sneakin Rootkit
SCAN_ROOTKIT="Sneakin Rootkit"
SCAN_FILES=${SNEAKIN_FILES}
SCAN_DIRS=${SNEAKIN_DIRS}
SCAN_KSYMS=${SNEAKIN_KSYMS}
scanrootkit
# Solaris Wanuk backdoor
if [ $SUNOS -eq 1 ]; then
SCAN_ROOTKIT="Solaris Wanuk backdoor"
SCAN_FILES=${WANUKDOOR_FILES}
SCAN_DIRS=${WANUKDOOR_DIRS}
SCAN_KSYMS=${WANUKDOOR_KSYMS}
scanrootkit
fi
# Solaris Wanuk Worm
if [ $SUNOS -eq 1 ]; then
SCAN_ROOTKIT="Solaris Wanuk Worm"
SCAN_FILES=${WANUKWORM_FILES}
SCAN_DIRS=${WANUKWORM_DIRS}
SCAN_KSYMS=${WANUKWORM_KSYMS}
scanrootkit
fi
# 'Spanish' Rootkit
SCAN_ROOTKIT="'Spanish' Rootkit"
SCAN_FILES=${SPANISH_FILES}
SCAN_DIRS=${SPANISH_DIRS}
SCAN_KSYMS=${SPANISH_KSYMS}
scanrootkit
# Suckit Rootkit
SCAN_ROOTKIT="Suckit Rootkit"
SCAN_FILES=${SUCKIT_FILES}
SCAN_DIRS=${SUCKIT_DIRS}
SCAN_KSYMS=${SUCKIT_KSYMS}
scanrootkit
# SunOS Rootkit
if [ $SUNOS -eq 1 ]; then
SCAN_ROOTKIT="SunOS Rootkit"
SCAN_FILES=${SUNOSROOTKIT_FILES}
SCAN_DIRS=${SUNOSROOTKIT_DIRS}
SCAN_KSYMS=${SUNOSROOTKIT_KSYMS}
scanrootkit
fi
# SunOS / NSDAP Rootkit
if [ $SUNOS -eq 1 ]; then
SCAN_ROOTKIT="SunOS / NSDAP Rootkit"
SCAN_FILES=${NSDAP_FILES}
SCAN_DIRS=${NSDAP_DIRS}
SCAN_KSYMS=${NSDAP_KSYMS}
scanrootkit
fi
# Superkit Rootkit
SCAN_ROOTKIT="Superkit Rootkit"
SCAN_FILES=${SUPERKIT_FILES}
SCAN_DIRS=${SUPERKIT_DIRS}
SCAN_KSYMS=${SUPERKIT_KSYMS}
scanrootkit
# TBD (Telnet BackDoor)
SCAN_ROOTKIT="TBD (Telnet BackDoor)"
SCAN_FILES=${TBD_FILES}
SCAN_DIRS=${TBD_DIRS}
SCAN_KSYMS=${TBD_KSYMS}
scanrootkit
# TeLeKiT Rootkit
SCAN_ROOTKIT="TeLeKiT Rootkit"
SCAN_FILES=${TELEKIT_FILES}
SCAN_DIRS=${TELEKIT_DIRS}
SCAN_KSYMS=${TELEKIT_KSYMS}
scanrootkit
# OSX Togroot Rootkit
if [ $MACOSX -eq 1 ]; then
SCAN_ROOTKIT="Togroot Rootkit"
SCAN_FILES=${TOGROOT_FILES}
SCAN_DIRS=${TOGROOT_DIRS}
SCAN_KSYMS=${TOGROOT_KSYMS}
scanrootkit
fi
# T0rn Rootkit
SCAN_ROOTKIT="T0rn Rootkit"
SCAN_FILES=${TORN_FILES}
SCAN_DIRS=${TORN_DIRS}
SCAN_KSYMS=${TORN_KSYMS}
scanrootkit
# TrNkit Rootkit
SCAN_ROOTKIT="trNkit Rootkit"
SCAN_FILES=${TRNKIT_FILES}
SCAN_DIRS=${TRNKIT_DIRS}
SCAN_KSYMS=${TRNKIT_KSYMS}
scanrootkit
# Trojanit Kit
SCAN_ROOTKIT="Trojanit Kit"
SCAN_FILES=${TROJANIT_FILES}
SCAN_DIRS=${TROJANIT_DIRS}
SCAN_KSYMS=${TROJANIT_KSYMS}
scanrootkit
# Turtle / Turtle2 Rootkit
if [ $BSDOS -eq 1 ]; then
SCAN_ROOTKIT="Turtle Rootkit"
SCAN_FILES=${TURTLE_FILES}
SCAN_DIRS=${TURTLE_DIRS}
SCAN_KSYMS=${TURTLE_KSYMS}
scanrootkit
fi
# Tuxtendo Rootkit
SCAN_ROOTKIT="Tuxtendo Rootkit"
SCAN_FILES=${TUXTENDO_FILES}
SCAN_DIRS=${TUXTENDO_DIRS}
SCAN_KSYMS=${TUXTENDO_KSYMS}
scanrootkit
# Universal Rootkit by K2 (URK)
SCAN_ROOTKIT="URK Rootkit"
SCAN_FILES=${URK_FILES}
SCAN_DIRS=${URK_DIRS}
SCAN_KSYMS=${URK_KSYMS}
scanrootkit
# Vampire Rootkit
SCAN_ROOTKIT="Vampire Rootkit"
SCAN_FILES=${VAMPIRE_FILES}
SCAN_DIRS=${VAMPIRE_DIRS}
SCAN_KSYMS=${VAMPIRE_KSYMS}
scanrootkit
# VcKit Rootkit
SCAN_ROOTKIT="VcKit Rootkit"
SCAN_FILES=${VCKIT_FILES}
SCAN_DIRS=${VCKIT_DIRS}
SCAN_KSYMS=${VCKIT_KSYMS}
scanrootkit
# Volc Rootkit
SCAN_ROOTKIT="Volc Rootkit"
SCAN_FILES=${VOLC_FILES}
SCAN_DIRS=${VOLC_DIRS}
SCAN_KSYMS=${VOLC_KSYMS}
scanrootkit
# weaponX Rootkit
if [ $MACOSX -eq 1 ]; then
SCAN_ROOTKIT="weaponX Rootkit"
SCAN_FILES=${WEAPONX_FILES}
SCAN_DIRS=${WEAPONX_DIRS}
SCAN_KSYMS=${WEAPONX_KSYMS}
scanrootkit
fi
# Xzibit Rootkit
SCAN_ROOTKIT="Xzibit Rootkit"
SCAN_FILES=${XZIBIT_FILES}
SCAN_DIRS=${XZIBIT_DIRS}
SCAN_KSYMS=${XZIBIT_KSYMS}
scanrootkit
# X-Org SunOS Rootkit
if [ $SUNOS -eq 1 ]; then
SCAN_ROOTKIT="X-Org SunOS Rootkit"
SCAN_FILES=${XORGSUNOS_FILES}
SCAN_DIRS=${XORGSUNOS_DIRS}
SCAN_KSYMS=${XORGSUNOS_KSYMS}
scanrootkit
fi
# zaRwT.KiT Rootkit
SCAN_ROOTKIT="zaRwT.KiT Rootkit"
SCAN_FILES=${ZARWT_FILES}
SCAN_DIRS=${ZARWT_DIRS}
SCAN_KSYMS=${ZARWT_KSYMS}
scanrootkit
# ZK Rootkit
SCAN_ROOTKIT="ZK Rootkit"
SCAN_FILES=${ZK_FILES}
SCAN_DIRS=${ZK_DIRS}
SCAN_KSYMS=${ZK_KSYMS}
scanrootkit
return
}
possible_rootkit_file_dir_checks() {
#
# This function performs the check for possible rootkit
# files and directories.
#
if `check_test possible_rkt_files`; then
display --to LOG --type INFO --nl STARTING_TEST possible_rkt_files
display --to LOG --type PLAIN --log-indent 2 ROOTKIT_POSS_FILES_DIRS_LOG
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST possible_rkt_files
fi
return
fi
FOUND=0
FOUNDFILES=""
FOUNDDIRS=""
IFS=$IFSNL
for RKHTMPVAR in ${FILESCAN}; do
ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ ]*//'`
TYPE=`echo ${RKHTMPVAR} | cut -d: -f1`
FILE=`echo ${RKHTMPVAR} | cut -d: -f2`
INFO=`echo ${RKHTMPVAR} | cut -d: -f3`
FNAME=`echo "${FILE}" | tr '%' ' '`
case "${TYPE}" in
dir)
if [ -d "${FNAME}" ]; then
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${RTKT_DIR_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL_DIR "`name2text \"${FNAME}\"`" 'possible_rkt_files'
display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "`name2text \"${FNAME}\"`"
fi
else
FOUND=1
FOUNDDIRS="${FOUNDDIRS}
${FNAME}:${INFO}"
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_FILES_DIRS_DIR "`name2text \"${FNAME}\"`"
fi
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "`name2text \"${FNAME}\"`"
fi
;;
file)
if [ -f "${FNAME}" ]; then
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'possible_rkt_files'
display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "`name2text \"${FNAME}\"`"
fi
else
FOUND=1
FOUNDFILES="${FOUNDFILES}
${FNAME}:${INFO}"
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_FILES_DIRS_FILE "`name2text \"${FNAME}\"`"
fi
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "`name2text \"${FNAME}\"`"
fi
;;
*)
echo "Error: Unknown file type in possible rootkit check: FILESCAN contains: ${TYPE}"
;;
esac
done
IFS=$RKHIFS
#
# Now display the results.
#
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_POSS_FILES_DIRS
else
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_POSS_FILES_DIRS
IFS=$IFSNL
FOUNDFILES=`echo "${FOUNDFILES}" | sed -e '/^$/d'`
for RKHTMPVAR in ${FOUNDFILES}; do
FILE=`echo "${RKHTMPVAR}" | cut -d: -f1`
INFO=`echo "${RKHTMPVAR}" | cut -d: -f2`
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_POSS_FILES_FILE_FOUND "`name2text \"${FILE}\"`" "${INFO}"
done
FOUNDDIRS=`echo "${FOUNDDIRS}" | sed -e '/^$/d'`
for RKHTMPVAR in ${FOUNDDIRS}; do
FILE=`echo "${RKHTMPVAR}" | cut -d: -f1`
INFO=`echo "${RKHTMPVAR}" | cut -d: -f2`
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_POSS_FILES_DIR_FOUND "`name2text \"${FILE}\"`" "${INFO}"
done
IFS=$RKHIFS
fi
return
}
get_rc_paths() {
#
# This function gets a list of the system startup files.
# Directories are searched for files.
#
# This functions will set the variable RC_PATHS.
#
RC_PATHS=""
RKHTMPVAR2=""
#
# For systemd systems we should follow symbolic links, but
# for init systems we do not. Additionally, older UNIX
# systems do not recognise the 'find' command '-L' option.
# (The '-follow' option is now deprecated.) So we need to
# check that '-L' is valid, and only use it if the systemd
# startup directory is being used.
#
FINDFOLLOW=0
if [ -n "${FIND_CMD}" ]; then
test -z "`${FIND_CMD} -L ${DB_PATH} 2>&1 >/dev/null`" && FINDFOLLOW=1
fi
if [ -n "${STARTUP_PATHS}" ]; then
RKHTMPVAR="${STARTUP_PATHS}"
else
RKHTMPVAR="${RCLOCATIONS}"
fi
for DIR in ${RKHTMPVAR}; do
test -h "${DIR}" && continue
if [ -f "${DIR}" ]; then
RC_PATHS="${RC_PATHS}
${DIR}"
RKHTMPVAR2="${RKHTMPVAR2} ${DIR}"
elif [ -d "${DIR}" ]; then
RKHTMPVAR2="${RKHTMPVAR2} ${DIR}"
if [ -n "${FIND_CMD}" ]; then
if [ $FINDFOLLOW -eq 1 -a -n "`echo \"${DIR}\" | grep '^/etc/systemd/'`" ]; then
RKHTMPVAR3=`${FIND_CMD} -L "${DIR}" -type f 2>/dev/null`
else
RKHTMPVAR3=`${FIND_CMD} "${DIR}" -type f -a ! -type l 2>/dev/null`
fi
if [ -n "${RKHTMPVAR3}" ]; then
RC_PATHS="${RC_PATHS}
${RKHTMPVAR3}"
fi
else
for FNAME in ${DIR}/*; do
test -f "${FNAME}" -a ! -h "${FNAME}" && RC_PATHS="${RC_PATHS}
${FNAME}"
done
fi
fi
done
if [ $STARTUP_PATHS_LOGGED -eq 0 ]; then
STARTUP_PATHS_LOGGED=1
if [ $VERBOSE_LOGGING -eq 1 ]; then
test -z "${RKHTMPVAR2}" && RKHTMPVAR2="${RKHTMPVAR}"
RKHTMPVAR2=`echo ${RKHTMPVAR2}`
display --to LOG --type INFO CONFIG_STARTUP_PATHS "${RKHTMPVAR2}"
fi
fi
return
}
possible_rootkit_string_checks() {
#
# This function performs the check for possible rootkit
# strings in files.
#
if `check_test possible_rkt_strings`; then
display --to LOG --type INFO --nl STARTING_TEST possible_rkt_strings
display --to LOG --type PLAIN --log-indent 2 ROOTKIT_POSS_STRINGS_LOG
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST possible_rkt_strings
fi
return
fi
#
# First check to see that we can run the test.
#
if [ -z "${STRINGS_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 ROOTKIT_POSS_STRINGS
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' strings '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'strings'
else
display --to LOG --type INFO NOT_FOUND_CMD 'strings'
fi
return
elif [ "${STARTUP_PATHS}" = "NONE" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color GREEN --screen-indent 4 ROOTKIT_POSS_STRINGS
display --to LOG --type INFO STARTUP_NONE_GIVEN
return
fi
#
# Now get and check that the system startup files are okay.
#
get_rc_paths
if [ -z "${RC_PATHS}" ]; then
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 ROOTKIT_POSS_STRINGS
display --to LOG --type PLAIN --log-indent 9 STARTUP_CHECK_NO_RC_FILES
return
fi
FOUND=0
FOUNDFILES=""
IFS=$IFSNL
for RKHTMPVAR in ${STRINGSCAN}; do
FOUNDFILE=0
STRINGFOUND=0
FOUNDSTRING=""
RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ ]*//'`
FILE=`echo ${RKHTMPVAR} | cut -d: -f1`
FILESTRING=`echo ${RKHTMPVAR} | cut -d: -f2`
# If the string begins with '+', then it is already a regular expression.
if [ "`echo ${FILESTRING} | cut -c 1`" = "+" ]; then
STRINGGREP=`echo ${FILESTRING} | cut -c 2-`
FILESTRING="${STRINGGREP}"
else
STRINGGREP=`echo ${FILESTRING} | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
fi
INFO=`echo ${RKHTMPVAR} | cut -d: -f3`
if [ "${FILE}" = "rcfile" ]; then
FOUNDFILE=1
for FNAME in ${RC_PATHS}; do
FOUNDSTRING=`${STRINGS_CMD} -n 3 -a "${FNAME}" | grep -v '^[ ]*#' | grep "${STRINGGREP}"`
if [ -n "${FOUNDSTRING}" ]; then
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:${STRINGGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL_STR "`name2text \"${FNAME}\"`" "${FILESTRING}" 'possible_rkt_strings'
fi
elif [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" -a -z "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'possible_rkt_strings'
fi
else
FOUND=1
STRINGFOUND=1
FOUNDSTRINGS="${FOUNDSTRINGS}
${FNAME}:${FILESTRING}:${INFO}"
fi
fi
done
else
#
# We cannot use the 'find_cmd' function here because we
# are looking at the command binaries themselves, not
# executing them as commands from the local system.
#
# We need to jiggle with IFS here because we are in
# two loops which are using different field separators.
#
IFS=$RKHIFS
for DIR in ${BINPATHS}; do
FNAME="${DIR}/${FILE}"
if [ -f "${FNAME}" ]; then
FOUNDFILE=1
FOUNDSTRING=`${STRINGS_CMD} -n 3 -a "${FNAME}" | grep "${STRINGGREP}"`
if [ -n "${FOUNDSTRING}" ]; then
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:${STRINGGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL_STR "`name2text \"${FNAME}\"`" "${FILESTRING}" 'possible_rkt_strings'
fi
elif [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" -a -z "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'possible_rkt_strings'
fi
else
FOUND=1
STRINGFOUND=1
FOUNDSTRINGS="${FOUNDSTRINGS}
${FNAME}:${FILESTRING}:${INFO}"
fi
fi
break
fi
done
fi
if [ $FOUNDFILE -eq 1 ]; then
ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
if [ $STRINGFOUND -eq 0 ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_STR "${FILESTRING}"
fi
else
display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_FILES_DIRS_STR "${FILESTRING}"
fi
fi
IFS=$IFSNL
done
IFS=$RKHIFS
#
# Now display the results.
#
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_POSS_STRINGS
else
display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_POSS_STRINGS
IFS=$IFSNL
FOUNDSTRINGS=`echo "${FOUNDSTRINGS}" | sed -e '/^$/d'`
for RKHTMPVAR in ${FOUNDSTRINGS}; do
FNAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
STRING=`echo "${RKHTMPVAR}" | cut -d: -f2`
if [ "`echo ${STRING} | cut -c 1`" = "+" ]; then
STRING=`echo ${STRING} | cut -c 2-`
fi
INFO=`echo "${RKHTMPVAR}" | cut -d: -f3`
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_POSS_STRINGS_FOUND "${STRING}" "`name2text \"${FNAME}\"`" "${INFO}"
done
IFS=$RKHIFS
fi
return
}
additional_rootkit_checks() {
#
# This function performs additional rootkit checks.
#
if `check_test additional_rkts`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST additional_rkts
display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_ADD_START
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST additional_rkts
fi
return
fi
test $LINUXOS -eq 1 && suckit_extra_checks
possible_rootkit_file_dir_checks
possible_rootkit_string_checks
return
}
malware_checks() {
#
# This function performs malware checks.
#
if `check_test malware`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST malware
display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_MALWARE_START
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST malware
fi
return
fi
#
# First we check for processes using deleted files.
#
if `check_test deleted_files`; then
display --to LOG --type INFO --nl STARTING_TEST deleted_files
if [ -n "${LSOF_CMD}" ]; then
FOUND=0
WHITEPROC=""
BLACKPROC=""
ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`
DELE_FILES=`${LSOF_CMD} -wnlP +c 0 ${SOLARISX} 2>/dev/null | grep '(dele' 2>/dev/null | head ${HEAD_OPT}1`
if [ -n "${DELE_FILES}" ]; then
PIDLIST=" "
IFS=$IFSNL
for LINE in `${LSOF_CMD} -wnlP +c 0 ${SOLARISX} 2>/dev/null | grep '(dele'`; do
PROC=""
PID=`echo "${LINE}" | ${AWK_CMD} '{ print $2 }'`
NODE=`echo "${LINE}" | ${AWK_CMD} '{ print $8 }'`
FNAME=`echo "${LINE}" | ${AWK_CMD} '{ print $9 }'`
#
# Skip any PID's we have already seen.
#
test -n "`echo \"${PIDLIST}\" | grep \" $PID \"`" && continue
#
# Try and get the running process name.
#
if [ $HAVE_READLINK -eq 1 ]; then
RKHTMPVAR=""
if [ $SOL_PROC -eq 1 ]; then
test -h "/proc/${PID}/path/a.out" && RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "/proc/${PID}/path/a.out"`
elif [ $SUNOS -eq 0 -o -h "/proc/${PID}/exe" ]; then
test -h "/proc/${PID}/exe" && RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "/proc/${PID}/exe"`
fi
test -n "${RKHTMPVAR}" && PROC=`echo "${RKHTMPVAR}" | cut -d' ' -f1`
fi
if [ -z "${PROC}" ]; then
if [ $SUNOS -eq 1 ]; then
PROC=`${LSOF_CMD} -wnlP +c 0 -p $PID 2>/dev/null | grep '[ ]txt[ ][ ]*VREG[ ]' 2>/dev/null | head ${HEAD_OPT}1 | ${AWK_CMD} '{ print $NF }'`
else
PROC=`${LSOF_CMD} -wnlP +c 0 -p $PID 2>/dev/null | grep '[ ]txt[ ][ ]*REG[ ]' | ${AWK_CMD} '{ print $NF }'`
fi
test -z "${PROC}" && PROC=`echo "${LINE}" | ${AWK_CMD} '{ print $1 }'`
fi
#
# If FNAME is not a pathname then look at the NODE.
#
if [ -z "`echo \"${FNAME}\" | grep '^/'`" ]; then
if [ -n "`echo \"${NODE}\" | grep '^/'`" ]; then
FNAME="${NODE}"
fi
fi
#
# Strip anything after the pathname.
#
if [ -n "`echo \"${FNAME}\" | grep '^/'`" ]; then
FNAME=`echo "${FNAME}" | cut -d' ' -f1`
fi
#
# Now see if the process is whitelisted.
#
PROCWHITELISTED=0
PROCDELFILES_GIVEN=0
#
# For this test we do not want to use globbing because it may match with
# files that actually exist. This could then lead to a false-positive for
# what should have been a whitelisted pathname. Instead we disable globbing,
# and then change the glob characters to regular expression ones. We also
# escape typical grep regex characters (e.g. '.'). The resulting regular
# expression is then matched against the deleted file pathname.
#
set -f
for RKHTMPVAR in ${ALLOWPROCDELFILES}; do
RKHTMPVAR2=`echo "${RKHTMPVAR}" | ${AWK_CMD} -F ':/' '{ print $1 }'`
test "${RKHTMPVAR}" = "${RKHTMPVAR2}" && PROCDELFILES_GIVEN=0 || PROCDELFILES_GIVEN=1
if [ "${PROC}" = "${RKHTMPVAR2}" ]; then
if [ $PROCDELFILES_GIVEN -eq 1 ]; then
RKHTMPVAR3=`echo "${RKHTMPVAR}" | ${AWK_CMD} -F ':/' '{ for (i = 2; i <= NF; i++) { a[i] = $i } } END { for (i in a) { print "/" a[i] } }'`
FNAMEGREP=""
for FN in ${RKHTMPVAR3}; do
FNGREP=`echo "${FN}" | sed -e 's/\([.^+]\)/\\\\\1/g; s/\([^\\]\)\*/\1.*/g; s/\([^\\]\)?/\1./g;'`
FNAMEGREP="${FNAMEGREP}|${FNGREP}"
done
FNAMEGREP=`echo "${FNAMEGREP}" | sed -e 's/^|//;'`
if [ -n "`echo \"${FNAME}\" | egrep \"^(${FNAMEGREP})$\"`" ]; then
PROCWHITELISTED=1
fi
else
PROCWHITELISTED=1
fi
test $PROCWHITELISTED -eq 1 && break
fi
done
set +f
test $HAVE_READLINK -eq 0 && PROC="\"${PROC}\""
if [ $PROCWHITELISTED -eq 1 ]; then
if [ $PROCDELFILES_GIVEN -eq 1 ]; then
if [ -z "`echo \"${WHITEPROC}\" | grep \"^${PROC} ${FNAME}$\"`" ]; then
WHITEPROC="${WHITEPROC}
${PROC} ${FNAME}"
fi
elif [ -z "`echo \"${WHITEPROC}\" | grep \"^${PROC}$\"`" ]; then
WHITEPROC="${WHITEPROC}
${PROC}"
fi
else
FOUND=1
BLACKPROC="${BLACKPROC}
${PROC} ${PID} ${FNAME}"
fi
#
# Finally add the PID to the seen PID list.
#
PIDLIST="$PIDLIST $PID "
done
fi
#
# Now display the results.
#
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_DELETED_FILES
else
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_DELETED_FILES
display --to LOG --type WARNING ROOTKIT_MALWARE_DELETED_FILES_FOUND
for LINE in ${BLACKPROC}; do
test -z "${LINE}" && continue
PROC=`echo "$LINE" | cut -d' ' -f1`
PID=`echo "$LINE" | cut -d' ' -f2`
FNAME=`echo "$LINE" | cut -d' ' -f3-`
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA "${PROC}" "${PID}" "`name2text \"${FNAME}\"`"
done
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
for RKHTMPVAR in ${WHITEPROC}; do
test -z "${RKHTMPVAR}" && continue
if [ -n "`echo \"${RKHTMPVAR}\" | grep ' /'`" ]; then
PROC=`echo "${RKHTMPVAR}" | cut -d' ' -f1`
FNAME=`echo "${RKHTMPVAR}" | cut -d' ' -f2-`
display --to LOG --type INFO ROOTKIT_MALWARE_DELETED_FILES_WL "${PROC}" "`name2text \"${FNAME}\"`"
else
display --to LOG --type INFO NETWORK_PACKET_CAP_WL "${RKHTMPVAR}"
fi
done
fi
IFS=$RKHIFS
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_DELETED_FILES
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' lsof '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'lsof'
else
display --to LOG --type INFO NOT_FOUND_CMD 'lsof'
fi
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST deleted_files
fi
#
# Next we check to see if there any running processes
# using suspicious files.
#
if `check_test running_procs`; then
display --to LOG --type INFO --nl STARTING_TEST running_procs
if [ -n "${LSOF_CMD}" ]; then
#
# First get a temporary file to store the output.
#
get_temp_file "${RKHTMPDIR}/lsofprocs.out"
RKHLSOF_FILE="${TEMPFILE}"
touch "${RKHLSOF_FILE}"
${LSOF_CMD} -wnlP +c 0 2>&1 | egrep -v ' (FIFO|V?DIR|IPv[46]) ' | sort | uniq >"${RKHLSOF_FILE}"
#
# Now loop through the known suspicious filenames,
# and see if any are in the lsof output.
#
FOUND=0
SUSP_FILES=""
IFS=$IFSNL
for RKHTMPVAR in ${SUSP_FILES_INFO}; do
ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`
RKHTMPVAR=`echo "${RKHTMPVAR}" | sed -e 's/^[ ]*//'`
FNAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
FOUNDFILES=`grep "/${FNAMEGREP}$" "${RKHLSOF_FILE}"`
if [ -n "${FOUNDFILES}" ]; then
FOUND=0
INFO=`echo "${RKHTMPVAR}" | cut -d: -f2-`
if [ -n "`echo \"${INFO}\" | grep '^OSX '`" ]; then
if [ $MACOSX -eq 1 ]; then
INFO=`echo "${INFO}" | cut -d' ' -f2-`
else
ROOTKIT_COUNT=`expr $ROOTKIT_COUNT - 1`
continue
fi
fi
#
# It is possible that more than one line of output was found.
# So we must loop through them and record them all.
#
for FNAME in ${FOUNDFILES}; do
#
# See if the filename has been whitelisted.
#
FILENAME=`echo "${FNAME}" | sed -e 's/^.*[ ]\([^ ][^ ]*\)$/\1/'`
FNAMEGREP=`echo "${FILENAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FILENAME}\"`" 'running_procs'
fi
else
FOUND=1
SUSP_FILES="${SUSP_FILES}
${RKHTMPVAR}:${FNAME}"
fi
done
if [ $FOUND -eq 1 ]; then
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "
fi
fi
done
IFS=$RKHIFS
rm -f "${RKHLSOF_FILE}" >/dev/null 2>&1
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_SUSP_FILES
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_SUSP_FILES
display --to LOG --type WARNING ROOTKIT_MALWARE_SUSP_FILES_FOUND
IFS=$IFSNL
SUSP_FILES=`echo "${SUSP_FILES}" | sed -e '/^$/d'`
for FILENAME in ${SUSP_FILES}; do
INFO=`echo ${FILENAME} | cut -d: -f2`
RKHTMPVAR=`echo ${FILENAME} | cut -d: -f3-`
FOUNDINFO=`echo "${RKHTMPVAR}" | ${AWK_CMD} '{ print $1 }'`
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_SUSP_FILES_FOUND_CMD "${FOUNDINFO}"
FOUNDINFO=`echo "${RKHTMPVAR}" | ${AWK_CMD} '{ print $3 }'`
RKHTMPVAR2=`echo "${RKHTMPVAR}" | ${AWK_CMD} '{ print $2 }'`
display --to LOG --type PLAIN --log-indent 11 ROOTKIT_MALWARE_SUSP_FILES_FOUND_UID "${FOUNDINFO}" "${RKHTMPVAR2}"
FOUNDINFO=`echo "${RKHTMPVAR}" | ${AWK_CMD} '{ print $9 }'`
display --to LOG --type PLAIN --log-indent 11 ROOTKIT_MALWARE_SUSP_FILES_FOUND_PATH "${FOUNDINFO}"
display --to LOG --type PLAIN --log-indent 11 ROOTKIT_MALWARE_SUSP_FILES_FOUND_RTKT "${INFO}"
done
IFS=$RKHIFS
fi
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_SUSP_FILES
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' lsof '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'lsof'
else
display --to LOG --type INFO NOT_FOUND_CMD 'lsof'
fi
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST running_procs
fi
#
# Next we check for any hidden processes.
#
if `check_test hidden_procs`; then
FOUND=0
UNHIDE_VERS=0
HIDDEN_PROCS=""
display --to LOG --type INFO --nl STARTING_TEST hidden_procs
#
# First we test for the 'unhide' C program.
#
SEEN=0
RKHTMPVAR="unhide"
UNHIDE_CMD=`find_cmd unhide`
if [ -z "${UNHIDE_CMD}" ]; then
RKHTMPVAR="unhide-posix"
UNHIDE_CMD=`find_cmd unhide-posix`
fi
if [ $LINUXOS -eq 1 -a -z "${UNHIDE_CMD}" ]; then
RKHTMPVAR="unhide-linux"
UNHIDE_CMD=`find_cmd unhide-linux`
if [ -z "${UNHIDE_CMD}" ]; then
if [ -n "`echo \"${UNAME_R}\" | grep '^2\.6'`" ]; then
RKHTMPVAR="unhide-linux26"
UNHIDE_CMD=`find_cmd unhide-linux26`
fi
fi
fi
if [ -n "${UNHIDE_CMD}" ]; then
FOUND=1
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FOUND_CMD "${RKHTMPVAR}" "${UNHIDE_CMD}"
fi
#
# Dig out the version number for use later on.
#
UNHIDE_VERS=`${UNHIDE_CMD} -V 2>/dev/null | head ${HEAD_OPT}1`
if [ -n "`echo ${UNHIDE_VERS} | grep '^Unhide [2-9][0-9]*$'`" ]; then
UNHIDE_VERS=`echo ${UNHIDE_VERS} | cut -d' ' -f2`
else
UNHIDE_VERS=0
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS "${UNHIDE_VERS}"
fi
#
# Now run each of the configured tests.
#
UNHIDE_OPTS=""
FOUND_PROCS=""
for RKHTMPVAR in ${UNHIDE_TESTS}; do
if [ -n "`echo \"${RKHTMPVAR} \" | grep '^-'`" ]; then
# Only newer versions have command-line options.
if [ $UNHIDE_VERS -ge 20100919 ]; then
# Ignore obvious invalid options.
test "${RKHTMPVAR}" = "-V" -o "${RKHTMPVAR}" = "-h" && continue
UNHIDE_OPTS="${UNHIDE_OPTS} ${RKHTMPVAR}"
fi
continue
elif [ $UNHIDE_VERS -lt 20100819 ]; then
# Ignore unknown tests for earlier versions.
test "${RKHTMPVAR}" != "sys" -a "${RKHTMPVAR}" != "proc" -a "${RKHTMPVAR}" != "brute" && continue
fi
ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`
SEEN=1
FOUND_PROCS=`${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR} 2>&1 | egrep -v '^(Unhide |yjesus@|http:|Copyright |License |NOTE :|Used options:|\[\*\]|$)'`
if [ -z "${FOUND_PROCS}" ]; then
# Nothing found.
display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD "${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR}"
else
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
# For newer versions we can sort the messages.
if [ $UNHIDE_VERS -ge 20100919 ]; then
FOUND_PROCS=`echo "${FOUND_PROCS}" | sort | uniq`
fi
HIDDEN_PROCS="${HIDDEN_PROCS}
${FOUND_PROCS}"
display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD "${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR}"
fi
done
#
# Mark the test as skipped if we have not executed any command because of invalid test names.
#
if [ $SEEN -eq 0 ]; then
display --to LOG --type PLAIN --result SKIPPED --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD "${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR}"
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO NOT_FOUND_CMD 'unhide'
if [ "${RKHTMPVAR}" != "unhide" ]; then
display --to LOG --type INFO NOT_FOUND_CMD "${RKHTMPVAR}"
fi
fi
#
# Now display the results.
#
# At this point if SEEN is 0, then a problem occurred with the 'unhide' program.
# We treat these as warnings so that the user is aware that something went
# wrong.
#
HIDDEN_PROCS=`echo "${HIDDEN_PROCS}" | sed -e '/^$/d'`
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS
elif [ -z "${HIDDEN_PROCS}" -a $SEEN -eq 1 ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS
else
#
# At this point we have either found a hidden PID, or an error occurred with the 'unhide' program,
# or both. We need to warn the user in either case. We also need to display all the information.
#
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS
#
# Lets see if there was a problem executing the 'unhide' commands.
#
if [ $SEEN -eq 0 ]; then
display --to LOG --type WARNING --log-indent 2 ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR "${UNHIDE_TESTS}"
fi
#
# Now display if any actual hidden PIDs were found.
#
if [ -n "${HIDDEN_PROCS}" ]; then
display --to LOG --type WARNING --log-indent 2 ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND
IFS=$IFSNL
for RKHTMPVAR in ${HIDDEN_PROCS}; do
display --to LOG --type PLAIN --log-indent 9 NAME "${RKHTMPVAR}"
done
IFS=$RKHIFS
fi
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST hidden_procs
fi
#
# Next we run the check for suspicious file contents.
#
suspscan
#
# Next we check for login backdoors.
#
if `check_test login_backdoors`; then
FOUND=0
FOUNDFILES=""
ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`
display --to LOG --type INFO --nl STARTING_TEST login_backdoors
for FNAME in ${LOGIN_BACKDOOR_FILES}; do
if [ -e "${FNAME}" ]; then
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'login_backdoors'
fi
else
FOUND=1
FOUNDFILES="${FOUNDFILES} ${FNAME}"
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_MALWARE_LOGIN_BDOOR_CHK "`name2text \"${FNAME}\"`"
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_MALWARE_LOGIN_BDOOR_CHK "`name2text \"${FNAME}\"`"
fi
done
#
# Now display the results.
#
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_LOGIN_BDOOR
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_LOGIN_BDOOR
for FNAME in ${FOUNDFILES}; do
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
display --to LOG --type WARNING ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND "`name2text \"${FNAME}\"`"
done
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST login_backdoors
fi
#
# Next, check for sniffer log files.
#
if `check_test sniffer_logs`; then
FOUND=0
FOUNDFILES=""
ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`
display --to LOG --type INFO --nl STARTING_TEST sniffer_logs
for FNAME in ${SNIFFER_FILES}; do
if [ -f "${FNAME}" ]; then
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'sniffer_logs'
fi
else
FOUND=1
FOUNDFILES="${FOUNDFILES} ${FNAME}"
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "`name2text \"${FNAME}\"`"
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "`name2text \"${FNAME}\"`"
fi
done
#
# Now display the results.
#
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SNIFFER
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SNIFFER
for FNAME in ${FOUNDFILES}; do
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
display --to LOG --type WARNING ROOTKIT_MALWARE_SNIFFER_FOUND "`name2text \"${FNAME}\"`"
done
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST sniffer_logs
fi
#
# Next we check for any software intrusions.
#
if `check_test tripwire`; then
display --to LOG --type INFO --nl STARTING_TEST tripwire
TRIPWIREFILE="/var/lib/tripwire/`uname -n 2>/dev/null`.twd"
if [ -f "${TRIPWIREFILE}" ]; then
ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`
if [ -z "`grep ${GREP_OPT} 'Tripwire segment-faulted !' \"${TRIPWIREFILE}\"`" ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SFW_INTRUSION
else
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SFW_INTRUSION
display --to LOG --type WARNING --log-indent 2 ROOTKIT_MALWARE_SFW_INTRUSION_FOUND "${TRIPWIREFILE}" 'Tripwire segment-faulted'
fi
else
if [ -n "`echo \" ${CL_ENABLE_TESTS} \" | grep ' tripwire '`" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SFW_INTRUSION
else
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_MALWARE_SFW_INTRUSION
fi
display --to LOG --type INFO ROOTKIT_MALWARE_SFW_INTRUSION_SKIP
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST tripwire
fi
#
# Next check for any suspicious directories.
#
if `check_test susp_dirs`; then
FOUND=0
FOUNDDIRS=""
ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`
display --to LOG --type INFO --nl STARTING_TEST susp_dirs
for DIR in ${SUSPICIOUS_DIRS}; do
if [ -d "${DIR}" ]; then
FNAMEGREP=`echo "${DIR}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${RTKT_DIR_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL_DIR "`name2text \"${DIR}\"`" 'susp_dirs'
fi
else
FOUND=1
FOUNDDIRS="${FOUNDDIRS} ${DIR}"
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "`name2text \"${DIR}\"`"
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "`name2text \"${DIR}\"`"
fi
done
#
# Now display the results.
#
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SUSP_DIR
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SUSP_DIR
for DIR in ${FOUNDDIRS}; do
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
display --to LOG --type WARNING ROOTKIT_MALWARE_SUSP_DIR_FOUND "`name2text \"${DIR}\"`"
done
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST susp_dirs
fi
#
# Next we check the System V Shared Memory (Linux only for now).
#
if `check_test ipc_shared_mem`; then
display --to LOG --type INFO --nl STARTING_TEST ipc_shared_mem
if [ $LINUXOS -eq 1 ]; then
if [ -n "${IPCS_CMD}" ]; then
ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`
#
# Log the minimum segment size we are going to check.
# If possible, use the human-readable format for the
# number of bytes.
#
IPC_SSIZE_HUMAN=$IPC_SEG_SIZE
if [ $HAVE_NUMFMT -eq 1 ]; then
RKHTMPVAR=`${NUMFMT_CMD} --to iec $IPC_SEG_SIZE 2>/dev/null`
if [ -n "${RKHTMPVAR}" ]; then
IPC_SSIZE_HUMAN="${RKHTMPVAR}B"
RKHTMPVAR="$IPC_SEG_SIZE (${IPC_SSIZE_HUMAN})"
else
RKHTMPVAR="$IPC_SEG_SIZE"
fi
else
RKHTMPVAR="$IPC_SEG_SIZE"
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO IPC_SEG_SIZE "$RKHTMPVAR"
fi
# No bad segments found yet.
SEGS_FOUND=""
# No whitelisted entries found yet.
SHM_WL_LIST_PID=""
SHM_WL_LIST_PATH=""
SHM_WL_LIST_USER=""
RKHTMPVAR=`LC_LANG=C ${IPCS_CMD} -u 2>/dev/null | ${AWK_CMD} -F' ' '/segments allocated/ {print $3}'`
test -z "${RKHTMPVAR}" && RKHTMPVAR=0
if [ $RKHTMPVAR -gt 0 ]; then
#
# We expand the process whitelist option here to ensure
# that any wildcard entries are the most recent.
#
if [ -n "${ALLOWIPCPROC_OPT}" ]; then
ALLOWIPCPROC=`expand_paths ALLOWIPCPROC_OPT`
fi
IFS=$IFSNL
for SHM_LINE in `LC_LANG=C ${IPCS_CMD} -m 2>/dev/null | ${AWK_CMD} -v SHM_SIZE="$IPC_SEG_SIZE" '/^0x/ && ($4 == 600 || $4 == 666) && $5 >= SHM_SIZE { print $0 }'`; do
RKH_SHM_SHMID=`echo "${SHM_LINE}" | ${AWK_CMD} '{ print $2 }'`
RKH_SHM_OWNER=`echo "${SHM_LINE}" | ${AWK_CMD} '{ print $3 }'`
RKH_SHM_SIZE=`echo "${SHM_LINE}" | ${AWK_CMD} '{ print $5 }'`
RKH_SHM_NATTACH=`echo "${SHM_LINE}" | ${AWK_CMD} '{ print $6 }'`
if [ $HAVE_NUMFMT -eq 1 ]; then
RKH_SHM_SIZE_HUMAN=`${NUMFMT_CMD} --to iec $RKH_SHM_SIZE 2>/dev/null`
if [ -n "${RKH_SHM_SIZE_HUMAN}" ]; then
RKH_SHM_SIZE_HUMAN="${RKH_SHM_SIZE_HUMAN}B"
else
RKH_SHM_SIZE_HUMAN=$RKH_SHM_SIZE
fi
else
RKH_SHM_SIZE_HUMAN=$RKH_SHM_SIZE
fi
for SHM_PID_LINE in `LC_LANG=C ${IPCS_CMD} -p 2>/dev/null | grep "^${RKH_SHM_SHMID} "` ; do
RKH_SHM_CPID=`echo "${SHM_PID_LINE}" | ${AWK_CMD} '{ print $3 }'`
RKH_SHM_LPID=`echo "${SHM_PID_LINE}" | ${AWK_CMD} '{ print $4 }'`
if [ $HAVE_READLINK -eq 1 ]; then
RKH_SHM_PATH=`${READLINK_CMD} ${READLINK_OPT} /proc/${RKH_SHM_CPID}/exe`
else
# Make an attempt to get the pathname using the 'ls' command.
RKH_SHM_PATH=`ls -l /proc/${RKH_SHM_CPID}/exe | ${AWK_CMD} '{ print $NF }'`
fi
# Strip off the '(deleted)' part from the pathname if present.
RKH_SHM_PATH_STRIPPED=`echo "${RKH_SHM_PATH}" | sed -e 's/ (deleted)$//'`
#
# First check to see if this segment is whitelisted.
#
FOUND=0
if [ -n "${RKH_SHM_PATH}" ]; then
FNAMEGREP=`echo "${RKH_SHM_PATH_STRIPPED}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${ALLOWIPCPROC}\" | grep \"^${FNAMEGREP}$\"`" ]; then
FOUND=1
SHM_WL_LIST_PATH="${SHM_WL_LIST_PATH} `name2text \"${RKH_SHM_PATH_STRIPPED}\"`"
fi
fi
if [ $FOUND -eq 0 -a -n "`echo \"${ALLOWIPCUSER}\" | grep \" ${RKH_SHM_OWNER} \"`" ]; then
FOUND=1
SHM_WL_LIST_USER="${SHM_WL_LIST_USER} ${RKH_SHM_OWNER}"
fi
if [ $FOUND -eq 0 -a -n "`echo \"${ALLOWIPCPID}\" | grep \" ${RKH_SHM_CPID} \"`" ]; then
FOUND=1
SHM_WL_LIST_PID="${SHM_WL_LIST_PID} ${RKH_SHM_CPID}"
fi
if [ $FOUND -eq 0 ]; then
#
# We have found a suspicious segment. We just add it to a
# newline-separated list for displaying later on.
#
if [ -n "${RKH_SHM_PATH}" ]; then
RKHTMPVAR2=`name2text "${RKH_SHM_PATH_STRIPPED}"`
if [ "${RKH_SHM_PATH}" = "${RKH_SHM_PATH_STRIPPED}" ]; then
SEGS_FOUND="${SEGS_FOUND}
1:${RKHTMPVAR2} ${RKH_SHM_CPID} ${RKH_SHM_OWNER} ${RKH_SHM_SIZE_HUMAN} ${IPC_SSIZE_HUMAN}"
else
SEGS_FOUND="${SEGS_FOUND}
2:${RKHTMPVAR2} ${RKH_SHM_CPID} ${RKH_SHM_OWNER} ${RKH_SHM_SIZE_HUMAN} ${IPC_SSIZE_HUMAN}"
fi
elif [ -n "${RKH_SHM_OWNER}" -a ${RKH_SHM_CPID} -gt 0 ]; then
if [ ${RKH_SHM_NATTACH} -eq 0 ]; then
SEGS_FOUND="${SEGS_FOUND}
3:${RKH_SHM_OWNER} ${RKH_SHM_CPID} ${RKH_SHM_SHMID} ${RKH_SHM_SIZE_HUMAN} ${IPC_SSIZE_HUMAN}"
else
SEGS_FOUND="${SEGS_FOUND}
4:${RKH_SHM_OWNER} ${RKH_SHM_SHMID} ${RKH_SHM_NATTACH} ${RKH_SHM_CPID} ${RKH_SHM_LPID} ${RKH_SHM_SIZE_HUMAN} ${IPC_SSIZE_HUMAN}"
fi
fi
fi
done
done
IFS=$RKHIFS
fi
#
# Now display the results.
#
if [ -z "${SEGS_FOUND}" ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_IPCS
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_IPCS
display --to LOG --type WARNING ROOTKIT_MALWARE_IPCS_FOUND
IFS=$IFSNL
for SHM_LINE in ${SEGS_FOUND}; do
test -z "${SHM_LINE}" && continue
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
# We need to do this to ensure the 'set' below works correctly.
IFS=$RKHIFS
SHM_TYPE=`echo "${SHM_LINE}" | cut -d: -f1`
SHM_LINE=`echo "${SHM_LINE}" | cut -d: -f2-`
case "${SHM_TYPE}" in
1) # A normal segment.
set -- ${SHM_LINE}
# Display $RKH_SHM_PATH, $RKH_SHM_CPID, $RKH_SHM_OWNER, $RKH_SHM_SIZE, $IPC_SEG_SIZE
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_IPCS_DETAILS "$1" "$2" "$3" "$4" "$5"
;;
2) # A segment with a deleted pathname.
set -- ${SHM_LINE}
# Display $RKH_SHM_PATH, $RKH_SHM_CPID, $RKH_SHM_OWNER, $RKH_SHM_SIZE, $IPC_SEG_SIZE
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_IPCS_DETAILS "$1 (deleted)" "$2" "$3" "$4" "$5"
;;
3) # A detached segment with no pathname.
set -- ${SHM_LINE}
# Display $RKH_SHM_OWNER, $RKH_SHM_CPID, $RKH_SHM_SHMID, $RKH_SHM_SIZE, $IPC_SEG_SIZE
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_IPCS_DETACHED "$1" "$2" "$3" "$4" "$5"
;;
4) # An attached segment, but with no pathname.
set -- ${SHM_LINE}
# Display $RKH_SHM_OWNER, $RKH_SHM_SHMID, $RKH_SHM_NATTACH, $RKH_SHM_CPID, $RKH_SHM_LPID, $RKH_SHM_SIZE, $IPC_SEG_SIZE
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_IPCS_ATTACHED "$1" "$2" "$3" "$4" "$5" "$6" "$7"
;;
esac
IFS=$IFSNL
done
IFS=$RKHIFS
fi
#
# Finally display any whitelisted segments that were found.
#
if [ $VERBOSE_LOGGING -eq 1 ]; then
FOUND=""
for FNAME in ${SHM_WL_LIST_PATH}; do
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -z "`echo \"${FOUND}\" | grep \" ${FNAMEGREP} \"`" ]; then
FOUND="${FOUND} ${FNAME} "
display --to LOG --type INFO ROOTKIT_MALWARE_IPCS_WL_PATH "${FNAME}"
fi
done
FOUND=""
for FNAME in ${SHM_WL_LIST_USER}; do
if [ -z "`echo \"${FOUND}\" | grep \" ${FNAME} \"`" ]; then
FOUND="${FOUND} ${FNAME} "
display --to LOG --type INFO ROOTKIT_MALWARE_IPCS_WL_USER "${FNAME}"
fi
done
FOUND=""
for FNAME in ${SHM_WL_LIST_PID}; do
if [ -z "`echo \"${FOUND}\" | grep \" ${FNAME} \"`" ]; then
FOUND="${FOUND} ${FNAME} "
display --to LOG --type INFO ROOTKIT_MALWARE_IPCS_WL_PID "${FNAME}"
fi
done
fi
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_IPCS
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ipcs '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'ipcs'
else
display --to LOG --type INFO NOT_FOUND_CMD 'ipcs'
fi
fi
else
if [ -n "`echo \" ${CL_ENABLE_TESTS} \" | grep ' ipc_shared_mem '`" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_IPCS
else
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_MALWARE_IPCS
fi
display --to LOG --type INFO LINUX_ONLY
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST ipc_shared_mem
fi
return
}
xinetd_include() {
#
# This function handles the xinetd 'include' directive.
# It is also used to initially process the xinetd.conf
# file, and to process any files within an 'includedir'
# directory.
#
# Any filename containing a dot or ending in a tilde (~)
# is ignored. Also absolute pathnames must be used.
#
FILENAME=$1
test -z "${FILENAME}" -o ! -f "${FILENAME}" && return
test -z "`echo \"${FILENAME}\" | grep '^/'`" && return
test -n "`echo \"${FILENAME}\" | grep '/[^/]*\.[^/]*$'`" -a "${FILENAME}" != "${XINETD_CONF_PATH}" && return
test -n "`echo \"${FILENAME}\" | grep '~$'`" && return
#
# First see if any defaults have been seen. Only the first instance is used.
#
SEEN=0
if [ $XINETD_DFLTS_SEEN -eq 0 ]; then
if [ -n "`grep '^defaults' \"${FILENAME}\"`" ]; then
XINETD_DFLTS_SEEN=1
IFS=$IFSNL
# Get the default enabled services.
for LINE in `egrep '^[ ]*enabled[ ]*\+?=' "${FILENAME}"`; do
SEEN=1
RKHTMPVAR=`echo "${LINE}" | sed -e 's/^.*=//' | tr -s ' ' ' '`
XINETD_DFLTS_ENABLED="${XINETD_DFLTS_ENABLED} ${RKHTMPVAR}"
done
# We must ensure that the enabled default is
# either the null string or set to something.
if [ -n "${XINETD_DFLTS_ENABLED}" ]; then
XINETD_DFLTS_ENABLED=`echo ${XINETD_DFLTS_ENABLED}`
test -n "${XINETD_DFLTS_ENABLED}" && XINETD_DFLTS_ENABLED=" ${XINETD_DFLTS_ENABLED} "
fi
# Get the default disabled services.
for LINE in `egrep '^[ ]*disabled[ ]*\+?=' "${FILENAME}"`; do
RKHTMPVAR=`echo "${LINE}" | sed -e 's/^.*=//' | tr -s ' ' ' '`
XINETD_DFLTS_DISABLED="${XINETD_DFLTS_DISABLED} ${RKHTMPVAR}"
done
# We must ensure that the disabled default is
# either the null string or set to something.
if [ -n "${XINETD_DFLTS_DISABLED}" ]; then
XINETD_DFLTS_DISABLED=`echo ${XINETD_DFLTS_DISABLED}`
test -n "${XINETD_DFLTS_DISABLED}" && XINETD_DFLTS_DISABLED=" ${XINETD_DFLTS_DISABLED} "
fi
IFS=$RKHIFS
fi
fi
#
# Now check to see if an actual service has been configured.
#
if [ -n "`grep '^service' \"${FILENAME}\"`" ]; then
IFS=$IFSNL
#
# We must dig out the service name and its 'id' for each service configured in the file.
#
for DATA in `${AWK_CMD} '/^service/, /^[ ]*\}/ { if ($0 ~ /^[ ]*(#|$)/) next; printf "%s", $0; if ($0 ~ /\}/) print ""; }' "${FILENAME}"`; do
# Unfortunately we must jiggle with IFS again to ensure that subsequent commands work.
IFS=$RKHIFS
# We 'echo' the configured service to flatten out any whitespace.
RKHTMPVAR=`echo ${DATA} | cut -d' ' -f2 | sed -e 's/{$//'`
RKHTMPVAR2=`echo ${DATA} | sed -e 's/^.* id = \([^ ]*\).*$/\1/'`
if [ -z "${RKHTMPVAR2}" ]; then
SVCID=" ${RKHTMPVAR} "
else
SVCID=" (${RKHTMPVAR}|${RKHTMPVAR2}) "
fi
#
# We now check the service name and id against those listed in the defaults.
#
if [ -n "${XINETD_DFLTS_ENABLED}" ]; then
if [ -n "`echo \"${XINETD_DFLTS_ENABLED}\" | egrep \"${SVCID}\"`" ]; then
if [ -z "`echo \"${XINETD_DFLTS_DISABLED}\" | egrep \"${SVCID}\"`" ]; then
SEEN=1
IFS=$IFSNL
break
fi
fi
elif [ -n "`echo \"${XINETD_DFLTS_DISABLED}\" | egrep \"${SVCID}\"`" ]; then
:
elif [ -z "`echo $DATA | grep 'disable = yes'`" ]; then
SEEN=1
IFS=$IFSNL
break
fi
IFS=$IFSNL
done
IFS=$RKHIFS
fi
if [ $SEEN -eq 1 ]; then
#
# See if the file is whitelisted.
#
FOUNDWL=0
for FNAME in ${XINETDALLOWEDSVCS}; do
if [ "${FNAME}" = "${FILENAME}" ]; then
FOUNDWL=1
break
fi
done
if [ $FOUNDWL -eq 0 ]; then
FOUND=1
FOUNDFILES="${FOUNDFILES} ${FILENAME}"
display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_TROJAN_XINETD_ENABLED "${FILENAME}"
else
display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_TROJAN_XINETD_ENABLED "${FILENAME}"
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO ROOTKIT_TROJAN_XINETD_WHITELIST "${FILENAME}" 'xinetd'
fi
fi
else
display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_TROJAN_XINETD_ENABLED "${FILENAME}"
fi
#
# Next we look for any 'include' directives.
#
for FNAME in `grep '^[ ]*include[ ]' "${FILENAME}" | ${AWK_CMD} '{ print $2 }'`; do
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --log-indent 6 ROOTKIT_TROJAN_XINETD_INCLUDE "${FNAME}"
fi
xinetd_include "${FNAME}"
done
#
# Finally we look for any 'includedir' directives.
#
for DIR in `grep '^[ ]*includedir[ ]' "${FILENAME}" | ${AWK_CMD} '{ print $2 }'`; do
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --log-indent 6 ROOTKIT_TROJAN_XINETD_INCLUDEDIR "${DIR}"
fi
xinetd_includedir "${DIR}"
done
return
}
xinetd_includedir() {
#
# This function handles the xinetd 'includedir' directive.
#
# Absolute pathnames must be used.
#
test -z "$1" -o ! -d "$1" && return
test -z "`echo \"$1\" | grep '^/'`" && return
for FNAME in `ls $1`; do
xinetd_include "$1/${FNAME}"
done
return
}
sol10_inetd() {
#
# This function handles the Solaris 10, and later, inetd
# configuration. Because the original inetd.conf file may
# well exist, we look in there as well for any enabled services.
#
# This function sets the FOUNDSTRING variable, which will
# be used later.
#
FOUNDSTRING=`${INETADM_CMD} | grep '^enabled' | cut -d: -f2`
if [ -f "${INETD_CONF_PATH}" ]; then
STR=`grep -v '^#' "${INETD_CONF_PATH}" | ${AWK_CMD} '{ print $1 }'`
#
# Remove any inetd services which we already know
# about from inetadm.
#
for RKHTMPVAR in ${STR}; do
if [ -z "`echo \"${FOUNDSTRING}\" | grep \"/${RKHTMPVAR}/\"`" ]; then
FOUNDSTRING="${FOUNDSTRING} ${RKHTMPVAR}"
fi
done
fi
return
}
trojan_checks() {
#
# This function performs some trojan specific checks.
#
#
# We must first of all remember if the test was named on the command-line.
#
test -n "`echo \" ${CL_ENABLE_TESTS} \" | grep ' trojans '`" && CL_TEST=1 || CL_TEST=0
if `check_test trojans`; then
display --to LOG --type INFO --nl STARTING_TEST trojans
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST trojans
fi
return
fi
#
# We first need to see if we are running Solaris 10 or later.
# Earlier versions of Solaris used the standard inetd configuration
# file, but later versions use a different mechanism. The 'inetadm'
# command can be used on these later Solaris versions.
#
if [ $SUNOS -eq 1 ]; then
INETADM_CMD=`find_cmd inetadm`
test -n "${INETADM_CMD}" && sol10_inetd
else
INETADM_CMD=""
fi
if [ $CL_TEST -eq 1 ]; then
RKHTMPVAR="SCREEN+LOG --screen-nl"
elif [ -f "${INETD_CONF_PATH}" -o -f "${XINETD_CONF_PATH}" -o -n "${INETADM_CMD}" ]; then
RKHTMPVAR="SCREEN+LOG"
else
RKHTMPVAR="LOG"
fi
display --to ${RKHTMPVAR} --type PLAIN --screen-indent 2 ROOTKIT_TROJAN_START
#
# We first check the inetd.conf file. This includes the
# Solaris 10 inetd services as well.
#
if [ -f "${INETD_CONF_PATH}" -o -n "${INETADM_CMD}" ]; then
if [ -z "${INETADM_CMD}" ]; then
display --to LOG --type INFO CONFIG_XINETD_PATH 'inetd' "${INETD_CONF_PATH}"
FOUNDSTRING=`grep -v '^#' "${INETD_CONF_PATH}" | ${AWK_CMD} '{ print $1 }'`
else
display --to LOG --type INFO CONFIG_SOL10_INETD
fi
#
# We now need to see if any of the services are whitelisted.
#
RKHTMPVAR=""
for STR in ${FOUNDSTRING}; do
FOUND=0
for SVC in ${INETDALLOWEDSVCS}; do
if [ "${STR}" = "${SVC}" ]; then
FOUND=1
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO ROOTKIT_TROJAN_XINETD_WHITELIST "${SVC}" 'inetd'
fi
break
fi
done
if [ $FOUND -eq 0 ]; then
#
# We want to change any RPC services into
# an actual executable name, if we can. The
# executable is the sixth field. If the
# sixth field is empty or this is an internal
# service, then we just use the service name.
#
if [ -n "`echo \"${STR}\" | grep '^[0-9/_-]*$'`" ]; then
EXECNAME=`grep "^${STR}" "${INETD_CONF_PATH}" | ${AWK_CMD} '{ print $6 }'`
test -z "${EXECNAME}" -o "${EXECNAME}" = "internal" && EXECNAME="${STR}"
STR="${EXECNAME}"
#
# Now check if the executable has been whitelisted.
#
for SVC in ${INETDALLOWEDSVCS}; do
if [ "${STR}" = "${SVC}" ]; then
FOUND=1
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO ROOTKIT_TROJAN_XINETD_WHITELIST "${SVC}" 'inetd'
fi
break
fi
done
fi
test $FOUND -eq 0 && RKHTMPVAR="${RKHTMPVAR} ${STR}"
fi
done
FOUNDSTRING="${RKHTMPVAR}"
#
# Now display the results.
#
if [ -z "${FOUNDSTRING}" ]; then
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_TROJAN_INETD
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_TROJAN_INETD
for STR in ${FOUNDSTRING}; do
display --to LOG --type WARNING ROOTKIT_TROJAN_INETD_FOUND "${STR}"
done
fi
else
if [ $CL_TEST -eq 1 ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 --log-indent 2 ROOTKIT_TROJAN_INETD
else
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_TROJAN_INETD
fi
display --to LOG --type INFO ROOTKIT_TROJAN_INETD_SKIP "${INETD_CONF_PATH}"
fi
#
# Next we check the xinetd.conf file.
#
FOUND=0
FOUNDFILES=""
if [ -f "${XINETD_CONF_PATH}" ]; then
XINETD_DFLTS_SEEN=0
XINETD_DFLTS_ENABLED=""
XINETD_DFLTS_DISABLED=""
display --to LOG --type INFO CONFIG_XINETD_PATH 'xinetd' "${XINETD_CONF_PATH}"
xinetd_include "${XINETD_CONF_PATH}"
#
# Now display the results.
#
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_XINETD
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_XINETD
for FNAME in ${FOUNDFILES}; do
display --to LOG --type WARNING ROOTKIT_TROJAN_XINETD_ENABLED_FOUND "${FNAME}"
done
fi
else
if [ $CL_TEST -eq 1 ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_XINETD
else
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_TROJAN_XINETD
fi
display --to LOG --type INFO ROOTKIT_TROJAN_INETD_SKIP "${XINETD_CONF_PATH}"
fi
#
# Finally we check for an Apache backdoor module.
#
FOUND=0
FOUNDFILES=""
MOD_DIRS="/etc/apache2/mods-enabled /etc/httpd/modules /usr/apache/libexec /usr/lib/modules /usr/local/apache/modules"
HTTPDDIRS="/usr/local/apache/conf /usr/local/etc/apache /etc/apache /etc/httpd/conf"
for DIR in ${MOD_DIRS} ${HTTPDDIRS}; do
if [ -d "${DIR}" ]; then
FOUND=1
test -f "${DIR}/mod_rootme.so" && FOUNDFILES="${FOUNDFILES} ${DIR}/mod_rootme.so"
test -f "${DIR}/mod_rootme2.so" && FOUNDFILES="${FOUNDFILES} ${DIR}/mod_rootme2.so"
if [ -f "${DIR}/httpd.conf" ]; then
if [ -n "`egrep 'mod_rootme2?\.so' \"${DIR}/httpd.conf\"`" ]; then
FOUNDFILES="${FOUNDFILES} ${DIR}/httpd.conf"
fi
fi
fi
done
#
# Now display the results.
#
if [ $FOUND -eq 0 ]; then
if [ $CL_TEST -eq 1 ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_APACHE
else
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_TROJAN_APACHE
fi
display --to LOG --type INFO ROOTKIT_TROJAN_APACHE_SKIPPED
elif [ -z "${FOUNDFILES}" ]; then
display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_APACHE
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_APACHE
for FILE in ${FOUNDFILES}; do
display --to LOG --type WARNING ROOTKIT_TROJAN_APACHE_FOUND "`name2text \"${FILE}\"`"
done
fi
return
}
bsd_specific_checks() {
#
# This function performs tests specific to the BSD O/S.
#
#
# We check that the output of sockstat and netstat for
# local listening sockets is the same.
#
SOCKSTAT_CMD=`find_cmd sockstat`
if [ -n "${SOCKSTAT_CMD}" -a -n "${NETSTAT_CMD}" ]; then
test "${OPERATING_SYSTEM}" = "NetBSD" && RKHTMPVAR="-n" || RKHTMPVAR=""
SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} ${RKHTMPVAR} | ${AWK_CMD} '$5 ~ /^(tcp|udp)/ { if ($6 == 6) print $7; else print $6 } $4 ~ /^(tcp|udp)/ { if ($5 == 6) print $6; else print $5 }'`
SOCKSTAT_OUTPUT=`echo "${SOCKSTAT_OUTPUT}" | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`
NETSTAT_OUTPUT=`${NETSTAT_CMD} -an | ${AWK_CMD} '$1 ~ /^(tcp|udp)/ { print $4 }' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`
if [ "${SOCKSTAT_OUTPUT}" = "${NETSTAT_OUTPUT}" ]; then
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET
else
SOCKSTAT_OUTPUT=`echo ${SOCKSTAT_OUTPUT}`
NETSTAT_OUTPUT=`echo ${NETSTAT_OUTPUT}`
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET
display --to LOG --type WARNING ROOTKIT_OS_BSD_SOCKNET_FOUND
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_BSD_SOCKNET_OUTPUT 'Sockstat' "${SOCKSTAT_OUTPUT}"
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_BSD_SOCKNET_OUTPUT 'Netstat' "${NETSTAT_OUTPUT}"
fi
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET
test -z "${SOCKSTAT_CMD}" && display --to LOG --type INFO NOT_FOUND_CMD 'sockstat'
if [ -z "${NETSTAT_CMD}" ]; then
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' netstat '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'netstat'
else
display --to LOG --type INFO NOT_FOUND_CMD 'netstat'
fi
fi
fi
return
}
freebsd_specific_checks() {
#
# This function performs tests specific to the FreeBSD O/S.
#
#
# First we check for KLD backdoors.
#
KLDSTAT_CMD=`find_cmd kldstat`
if [ -n "${KLDSTAT_CMD}" ]; then
FOUND=0
FOUNDKEYS=""
for RKHTMPVAR in ${KLDSTATKEYWORDS}; do
RKHTMPVAR=`echo ${RKHTMPVAR}`
KLDKEYWD=`echo ${RKHTMPVAR} | sed -e 's/\./\\\./g'`
if [ -n "`${KLDSTAT_CMD} -v | grep \"${KLDKEYWD}\"`" ]; then
FOUND=1
FOUNDKEYS="${FOUNDKEYS} ${RKHTMPVAR} "
fi
done
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_KLD
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_KLD
for RKHTMPVAR in ${FOUNDKEYS}; do
display --to LOG --type WARNING ROOTKIT_OS_FREEBSD_KLD_FOUND "${RKHTMPVAR}"
done
fi
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_KLD
display --to LOG --type INFO NOT_FOUND_CMD 'kldstat'
fi
#
# Next we check that the package database is okay.
#
if [ "${OPERATING_SYSTEM}" = "DragonFly" ]; then
PKGDB_CMD=`find_cmd pkg_admin`
if [ -n "${PKGDB_CMD}" ]; then
RKHTMPVAR=`${PKGDB_CMD} check 2>&1 >/dev/null`
if [ -z "${RKHTMPVAR}" ]; then
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB
display --to LOG --type WARNING ROOTKIT_OS_DFLY_PKGDB_NOTOK
fi
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB
display --to LOG --type INFO NOT_FOUND_CMD 'pkg_admin'
fi
else
PKGDB_CMD=`find_cmd pkgdb`
if [ -n "${PKGDB_CMD}" ]; then
RKHTMPVAR=`${PKGDB_CMD} -Fa -v 2>&1 | grep 'Skipped\.'`
if [ -z "${RKHTMPVAR}" ]; then
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB
display --to LOG --type WARNING ROOTKIT_OS_FREEBSD_PKGDB_NOTOK
fi
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB
display --to LOG --type INFO NOT_FOUND_CMD 'pkgdb'
fi
fi
return
}
linux_loaded_modules() {
#
# This test checks the currently loaded kernel modules. It verifies
# that what is seen by the 'lsmod' command is the same as seen in
# the /proc/modules directory.
#
if ! `check_test loaded_modules`; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST loaded_modules
fi
return
fi
if [ ! -f "/proc/modules" ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKM
display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKM_MOD_MISSING '/proc/modules'
elif [ -z "${LSMOD_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKM
if [ -z "${LSMOD_CMD}" ]; then
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' lsmod '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'lsmod'
else
display --to LOG --type INFO NOT_FOUND_CMD 'lsmod'
fi
fi
else
PROC_OUTPUT=`cat /proc/modules | cut -d' ' -f1 | sort`
LSMOD_OUTPUT=`${LSMOD_CMD} | grep -v 'Size *Used *by' | cut -d' ' -f1 | sort`
if [ -n "${PROC_OUTPUT}" -a -n "${LSMOD_OUTPUT}" ]; then
if [ "${PROC_OUTPUT}" = "${LSMOD_OUTPUT}" ]; then
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKM
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKM
display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKM_FOUND
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT '/proc/modules' "${PROC_OUTPUT}"
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT 'lsmod' "${LSMOD_OUTPUT}"
fi
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKM
display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKM_EMPTY
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT '/proc/modules' "${PROC_OUTPUT}"
display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT 'lsmod' "${LSMOD_OUTPUT}"
fi
fi
return
}
linux_avail_modules() {
#
# This test checks the names of the kernel
# modules that are available on this system.
#
if ! `check_test avail_modules`; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST avail_modules
fi
return
fi
#
# First obtain and log where the modules are kept. This can
# be set in the configuration file, but generally rkhunter
# will determine the location based on the kernel version.
#
FOUND=0
FOUNDFILES=""
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO ROOTKIT_OS_LINUX_LKMNAMES_PATH "${LKM_PATH}"
fi
#
# Now do the test.
#
if [ ! -d "${LKM_PATH}" ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES
display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKMNAMES_PATH_MISSING "${LKM_PATH}"
elif [ -z "${FIND_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' find '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'find'
else
display --to LOG --type INFO NOT_FOUND_CMD 'find'
fi
elif [ -z "`ls -1 \"${LKM_PATH}\" 2>/dev/null`" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES
display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKMNAMES_PATH_MISSING "${LKM_PATH}"
else
#
# Reformat the LKM names so we only need to do it once.
#
LKM_NAMES=""
for RKHTMPVAR in ${LKM_BADNAMES}; do
RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/\./\\\./g'`
LKM_NAMES="${LKM_NAMES} ${RKHTMPVAR}"
done
get_temp_file "${RKHTMPDIR}/modslist"
${FIND_CMD} "${LKM_PATH}" -type f -a \( -name "*.o" -o -name "*.ko" -o -name "*.ko.xz" \) >"${TEMPFILE}" 2>/dev/null
for RKHTMPVAR in ${LKM_NAMES}; do
if [ -n "`egrep \"/${RKHTMPVAR}(\.xz)?$\" "${TEMPFILE}"`" ]; then
FOUND=1
FOUNDFILES="${FOUNDFILES} ${RKHTMPVAR}"
fi
done
rm -f "${TEMPFILE}" >/dev/null 2>&1
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 4 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES
for RKHTMPVAR in ${FOUNDFILES}; do
RKHTMPVAR=`echo "${RKHTMPVAR}" | sed -e 's/\\\././g'`
display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKMNAMES_FOUND "${LKM_PATH}" "${RKHTMPVAR}"
done
fi
fi
return
}
linux_specific_checks() {
#
# This function performs tests specific to the Linux O/S.
#
linux_loaded_modules
linux_avail_modules
return
}
os_specific_checks() {
#
# This function performs any O/S specific tests.
#
if `check_test os_specific`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST os_specific
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST os_specific
fi
return
fi
#
# Run the relevant O/S specific tests.
#
case "${OPERATING_SYSTEM}" in
FreeBSD|NetBSD|DragonFly)
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --log-indent 2 ROOTKIT_OS_START "${OPERATING_SYSTEM}"
bsd_specific_checks
test "${OPERATING_SYSTEM}" = "FreeBSD" -o "${OPERATING_SYSTEM}" = "DragonFly" && freebsd_specific_checks
;;
Linux)
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --log-indent 2 ROOTKIT_OS_START "${OPERATING_SYSTEM}"
linux_specific_checks
;;
*)
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color YELLOW --result SKIPPED --log-indent 2 ROOTKIT_OS_START "${OPERATING_SYSTEM}"
display --to LOG --type INFO ROOTKIT_OS_SKIPPED
;;
esac
return
}
do_rootkit_checks() {
#
# This function carries out a sequence of tests for rootkits.
# This consists of the default files and directories check,
# possible rootkit checks, and checks for malware.
#
if `check_test rootkits`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST rootkits
display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_ROOTKITS
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST rootkits
fi
return
fi
rootkit_file_dir_checks
check_test known_rkts || check_test all && keypresspause
additional_rootkit_checks
malware_checks
trojan_checks
os_specific_checks
keypresspause
return
}
check_port_wl() {
#
# This function tries to find the PID and command pathname using
# a given port. It then checks to see if the port is whitelisted.
#
# A single parameter indicates if we are in the 'hidden_ports'
# test or not.
#
PID=0
PID_SEEN=0
FNAME=""
FOUND=""
IN_HIDDEN_PORTS=$1
if [ -n "${LSOF_CMD}" ]; then
IFS=$IFSNL
for LSOFLINE in `${LSOF_CMD} -wnlP -i ${PROTO}:${PORT} 2>/dev/null`; do
#
# We must only look at connections using the port on the local host.
#
if [ -n "`echo \"${LSOFLINE}\" | grep \" ${PROTO} \*:${PORT} \"`" ]; then
# Process listening for connections from anywhere.
PID=`echo "${LSOFLINE}" | ${AWK_CMD} '{ print $2 }'`
elif [ -n "`echo \"${LSOFLINE}\" | egrep \" ${PROTO} [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:${PORT}[ -]\"`" ]; then
# Established or listening process using IPv4 address.
PID=`echo "${LSOFLINE}" | ${AWK_CMD} '{ print $2 }'`
elif [ -n "`echo \"${LSOFLINE}\" | egrep \" ${PROTO} \[[:0-9a-fA-F]+\]:${PORT}[ -]\"`" ]; then
# Established or listening process using IPv6 address.
PID=`echo "${LSOFLINE}" | ${AWK_CMD} '{ print $2 }'`
else
# Ignore anything else.
continue
fi
PID_SEEN=1
#
# Try and get the running process name.
#
if [ $HAVE_READLINK -eq 1 ]; then
RKHTMPVAR=""
if [ $SOL_PROC -eq 1 ]; then
test -h "/proc/${PID}/path/a.out" && RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "/proc/${PID}/path/a.out"`
elif [ $SUNOS -eq 0 -o -h "/proc/${PID}/exe" ]; then
test -h "/proc/${PID}/exe" && RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "/proc/${PID}/exe"`
fi
test -n "${RKHTMPVAR}" && FNAME=`echo "${RKHTMPVAR}" | cut -d' ' -f1`
fi
if [ -z "${FNAME}" ]; then
if [ $SUNOS -eq 1 ]; then
FNAME=`${LSOF_CMD} -wnlP +c 0 -p $PID 2>/dev/null | grep '[ ]txt[ ][ ]*VREG[ ]' 2>/dev/null | head ${HEAD_OPT}1 | ${AWK_CMD} '{ print $NF }'`
else
FNAME=`${LSOF_CMD} -wnlP +c 0 -p $PID 2>/dev/null | grep '[ ]txt[ ][ ]*REG[ ]' | ${AWK_CMD} '{ print $NF }'`
fi
fi
if [ -n "`echo \"${FNAME}\" | grep '^/'`" ]; then
FOUND="${FNAME}"
break
fi
done
IFS=$RKHIFS
if [ -z "${FOUND}" -a $PID_SEEN -eq 1 ]; then
FNAME=""
FOUND="${PROTO}:${PORT}"
fi
elif [ $IN_HIDDEN_PORTS -eq 1 ]; then
# The 'netstat' command offers us no further information
# on hidden ports, so we can skip it.
:
else
case "${OPERATING_SYSTEM}" in
Linux)
FOUND=`${NETSTAT_CMD} -an | grep -i "^${PROTO}.*:${PORT} " | ${AWK_CMD} '{ print $4 }' | grep ":${PORT}$"`
;;
*BSD|Darwin|IRIX*|DragonFly)
FOUND=`${NETSTAT_CMD} -an | grep -i "^${PROTO}.*\.${PORT} " | ${AWK_CMD} '{ print $4 }' | grep "\.${PORT}$"`
;;
AIX)
if [ "${PROTO}" = "UDP" ]; then
FOUND=`${NETSTAT_CMD} -an | grep -i "^udp.*\.${PORT} " | ${AWK_CMD} '{ print $4 }' | grep "\.${PORT}$"`
elif [ "${PROTO}" = "TCP" ]; then
FOUND=`${NETSTAT_CMD} -an | egrep -i "^tcp.*\.${PORT} .*(BOUND|ESTABLISH|LISTEN)" | ${AWK_CMD} '{ print $4 }' | grep "\.${PORT}$"`
fi
;;
SunOS)
if [ "${PROTO}" = "UDP" ]; then
FOUND=`${NETSTAT_CMD} -an | ${AWK_CMD} '/^UDP: IPv4/, /^$/ { print $1 }' | grep "\.${PORT}$"`
if [ -z "${FOUND}" ]; then
FOUND=`${NETSTAT_CMD} -an | ${AWK_CMD} '/^UDP: IPv6/, /^$/ { print $1 }' | grep "\.${PORT}$"`
fi
elif [ "${PROTO}" = "TCP" ]; then
FOUND=`${NETSTAT_CMD} -an | ${AWK_CMD} '/^TCP: IPv4/, /^$/ { print $0 }' | egrep 'BOUND|ESTABLISH|LISTEN' | ${AWK_CMD} '{ print $1 }' | grep "\.${PORT}$"`
if [ -z "${FOUND}" ]; then
FOUND=`${NETSTAT_CMD} -an | ${AWK_CMD} '/^TCP: IPv6/, /^$/ { print $0 }' | egrep 'BOUND|ESTABLISH|LISTEN' | ${AWK_CMD} '{ print $1 }' | grep "\.${PORT}$"`
fi
fi
;;
esac
fi
#
# If we have found something, then see if it is whitelisted.
#
if [ -n "${FOUND}" -o $IN_HIDDEN_PORTS -eq 1 ]; then
RKHTMPVAR2=0
if [ -n "${LSOF_CMD}" ]; then
if [ -n "${FNAME}" ]; then
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${PORT_WHITELIST}\" | grep \"^${FNAMEGREP}:${PROTO}:${PORT}$\"`" ]; then
RKHTMPVAR2=1
FOUND="path_whitelisted"
elif [ -n "`echo \"${PORT_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
RKHTMPVAR2=1
FOUND="path_whitelisted"
elif [ $PORT_WHITELIST_ALL_TRUSTED -eq 1 ]; then
test -n "${BASENAME_CMD}" && RKHTMPVAR=`${BASENAME_CMD} "${FNAME}"` || RKHTMPVAR=`echo "${FNAME}" | sed -e 's:^.*/::'`
RKHTMPVAR=`IFS=$RKHIFS find_cmd ${RKHTMPVAR}`
if [ "${RKHTMPVAR}" = "${FNAME}" ]; then
RKHTMPVAR2=1
FOUND="trusted_whitelisted"
fi
fi
fi
fi
if [ $RKHTMPVAR2 -eq 0 -a -n "`echo \"${PORT_WHITELIST}\" | grep \"^${PROTO}:${PORT}$\"`" ]; then
FOUND="port_whitelisted"
fi
fi
return
}
do_network_port_checks() {
#
# This function will check the network ports to see
# if any known backdoor ports are being used.
#
if `check_test ports || check_test hidden_ports`; then
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --nl NETWORK_PORTS_START
fi
if `check_test ports`; then
display --to LOG --type INFO STARTING_TEST ports
display --to LOG --type PLAIN --log-indent 2 NETWORK_PORTS_BACKDOOR_LOG
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST ports
fi
return
fi
#
# We must first check to see if we can perform this test.
#
if [ -z "${LSOF_CMD}" -a -z "${NETSTAT_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color YELLOW --result SKIPPED NETWORK_PORTS_BACKDOOR
display --to LOG --type INFO TEST_SKIPPED_OS 'network port checks' 'lsof or netstat command required.'
return
fi
#
# Check that the backdoor ports data file is usable.
#
if [ ! -e "${DB_PATH}/backdoorports.dat" -o ! -s "${DB_PATH}/backdoorports.dat" ]; then
display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
display --to LOG --type WARNING NETWORK_PORTS_FILE_MISSING "${DB_PATH}/backdoorports.dat"
return
elif [ ! -f "${DB_PATH}/backdoorports.dat" -o -h "${DB_PATH}/backdoorports.dat" ]; then
display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
display --to LOG --type WARNING NETWORK_PORTS_FILE_NOTAFILE "${DB_PATH}/backdoorports.dat"
return
fi
#
# Next we do some further testing and the initial logging.
#
if [ -z "${LSOF_CMD}" ]; then
case "${OPERATING_SYSTEM}" in
*BSD|Linux|AIX|SunOS|Darwin|IRIX*|DragonFly)
;;
*)
display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
display --to LOG --type WARNING NETWORK_PORTS_UNKNOWN_NETSTAT
return
;;
esac
fi
if [ $PORT_WHITELIST_ALL_TRUSTED -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO NETWORK_PORTS_ENABLE_TRUSTED
fi
#
# Now do the test.
#
FOUNDPORT=0
IFS=$IFSNL
for LINE in `cat "${DB_PATH}/backdoorports.dat"`; do
if [ -z "`echo \"${LINE}\" | grep '^[0-9][0-9]*:'`" ]; then
continue
fi
PORT=`echo "${LINE}" | cut -d: -f1`
DESCRIPTION=`echo "${LINE}" | cut -d: -f2`
PROTO=`echo "${LINE}" | cut -d: -f3 | tr '[:lower:]' '[:upper:]'`
ROOTKIT_COUNT=`expr $ROOTKIT_COUNT + 1`
if [ -z "`echo \"${PORT}\" | grep '^[1-9][0-9]*$'`" ]; then
echo "Error: Invalid port in backdoorports.dat file: $LINE"
continue
elif [ "${PROTO}" != "UDP" -a "${PROTO}" != "TCP" ]; then
echo "Error: Invalid protocol in backdoorports.dat file: $LINE"
continue
fi
check_port_wl 0
# We need to reset IFS because it is set in 'check_port_wl'.
IFS=$IFSNL
#
# Now log the result.
#
case "${FOUND}" in
path_whitelisted)
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO NETWORK_PORTS_PATH_WHITELIST "${PROTO}" "${PORT}" "`name2text \"${FNAME}\"`"
display --to LOG --type PLAIN --log-indent 4 --result WHITELISTED NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
fi
;;
trusted_whitelisted)
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO NETWORK_PORTS_TRUSTED_WHITELIST "${PROTO}" "${PORT}" "`name2text \"${FNAME}\"`"
display --to LOG --type PLAIN --log-indent 4 --result WHITELISTED NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
fi
;;
port_whitelisted)
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO NETWORK_PORTS_PORT_WHITELIST "${PROTO}" "${PORT}"
display --to LOG --type PLAIN --log-indent 4 --result WHITELISTED NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
fi
;;
"")
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --log-indent 4 --result NOT_FOUND NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
fi
;;
*)
FOUNDPORT=1
ROOTKIT_FAILED_COUNT=`expr $ROOTKIT_FAILED_COUNT + 1`
display --to LOG --type PLAIN --log-indent 4 --result FOUND NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
test -n "${FNAME}" && FNAME=" by `name2text \"${FNAME}\"`"
display --to LOG --type WARNING NETWORK_PORTS_BKDOOR_FOUND "${PROTO}" "${PORT}" "${FNAME}" "${DESCRIPTION}"
;;
esac
done
IFS=$RKHIFS
#
# Finally show the overall result on the screen.
#
if [ $FOUNDPORT -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color GREEN --result NONE_FOUND NETWORK_PORTS_BACKDOOR
else
display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
fi
return
}
do_network_hidden_port_checks() {
#
# This function will check the network
# ports to see if any are being hidden.
#
if `check_test hidden_ports`; then
display --to LOG --type INFO --nl STARTING_TEST hidden_ports
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST hidden_ports
fi
return
fi
#
# We must first check to see if we can perform this test.
#
UNHIDETCP_CMD=`find_cmd unhide-tcp`
if [ -n "${UNHIDETCP_CMD}" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FOUND_CMD 'unhide-tcp' "${UNHIDETCP_CMD} ${UNHIDETCP_OPTS}"
fi
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 NETWORK_HIDDEN_PORTS
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO NOT_FOUND_CMD 'unhide-tcp'
fi
return
fi
if [ $SUNOS -eq 1 ]; then
if [ "${AWK_CMD}" = "awk" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 NETWORK_HIDDEN_PORTS
display --to LOG --type INFO NOT_FOUND_CMD 'gawk or nawk'
return
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FOUND_CMD 'awk' "${AWK_CMD}"
fi
fi
#
# We don't *need* the 'lsof' command to perform this test, but
# if it is available then it will be used to find out pathnames.
#
if [ $PORT_WHITELIST_ALL_TRUSTED -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO NETWORK_PORTS_ENABLE_TRUSTED
fi
#
# Now perform the test. We must do this in two parts
# to pick out the TCP ports, and then the UDP ports.
#
RKHTMPVAR=`${UNHIDETCP_CMD} ${UNHIDETCP_OPTS} 2>&1`
TCP_PORTS=`echo "${RKHTMPVAR}" | ${AWK_CMD} '/^(\[\*\])?Starting TCP check/, /^(\[\*\])?Starting UDP check/ { print $0 }' | grep '^Found ' | cut -d: -f2`
UDP_PORTS=`echo "${RKHTMPVAR}" | ${AWK_CMD} '/^(\[\*\])?Starting UDP check/, 0 { print $0 }' | grep '^Found ' | cut -d: -f2`
if [ -z "${TCP_PORTS}" -a -z "${UDP_PORTS}" ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 NETWORK_HIDDEN_PORTS
else
FOUND_PORTS=""
for PROTO in TCP UDP; do
HIDDEN_PORTS=`eval echo "\\$${PROTO}_PORTS"`
test -z "${HIDDEN_PORTS}" && continue
HIDDEN_PORTS=`echo ${HIDDEN_PORTS} | tr ' ' '\n' | sort | uniq`
HIDDEN_PORTS=`echo ${HIDDEN_PORTS}`
for PORT in ${HIDDEN_PORTS}; do
check_port_wl 1
#
# Now log the result.
#
case "${FOUND}" in
path_whitelisted)
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO NETWORK_HIDDEN_PORTS_PATH_WHITELIST "${PROTO}" "${PORT}" "`name2text \"${FNAME}\"`"
fi
;;
trusted_whitelisted)
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO NETWORK_HIDDEN_PORTS_TRUSTED_WHITELIST "${PROTO}" "${PORT}" "`name2text \"${FNAME}\"`"
fi
;;
port_whitelisted)
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO NETWORK_HIDDEN_PORTS_PORT_WHITELIST "${PROTO}" "${PORT}"
fi
;;
*)
FOUND_PORTS="${FOUND_PORTS}
${PROTO}:${PORT}:${FNAME}"
;;
esac
done
done
if [ -z "${FOUND_PORTS}" ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 NETWORK_HIDDEN_PORTS
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 NETWORK_HIDDEN_PORTS
display --to LOG --type WARNING --log-indent 2 NETWORK_HIDDEN_PORTS_FOUND
IFS=$IFSNL
FOUND_PORTS=`echo "${FOUND_PORTS}" | sed -e '/^$/d'`
for RKHTMPVAR in ${FOUND_PORTS}; do
PROTO=`echo ${RKHTMPVAR} | cut -d: -f1`
PORT=`echo ${RKHTMPVAR} | cut -d: -f2`
FNAME=`echo ${RKHTMPVAR} | cut -d: -f3-`
if [ -z "${FNAME}" ]; then
display --to LOG --type PLAIN --log-indent 9 NETWORK_HIDDEN_PORTS_CHK "${PROTO}" "${PORT}"
else
display --to LOG --type PLAIN --log-indent 9 NETWORK_HIDDEN_PORTS_CHK_NAME "${PROTO}" "${PORT}" "`name2text \"${FNAME}\"`"
fi
done
IFS=$RKHIFS
fi
fi
return
}
do_network_interface_checks() {
#
# This function will check the network interfaces to see
# if any are in promiscuous mode. It will also check to see
# if there are any applications running which are capturing
# network interface packets.
#
if `check_test promisc || check_test packet_cap_apps`; then
display --to SCREEN+LOG --type PLAIN --screen-indent 2 --nl NETWORK_INTERFACE_START
fi
if `check_test promisc`; then
display --to LOG --type INFO STARTING_TEST promisc
if [ -n "${IFCONFIG_CMD}" -o \( $LINUXOS -eq 1 -a -n "${IP_CMD}" \) ]; then
PROMISCSCAN1=""
PROMISCSCAN2=""
if [ -n "${IFCONFIG_CMD}" ]; then
if [ -n "${IFWLIST}" ]; then
IFWLIST=`echo ${IFWLIST}`
display --to LOG --type INFO NETWORK_PROMISC_WLIST "${IFWLIST}"
IFWLIST=`echo ${IFWLIST} | tr ' ' '|'`
fi
case "${OPERATING_SYSTEM}" in
*BSD|DragonFly)
if [ -z "${IFWLIST}" ]; then
PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | ${AWK_CMD} '$1 !~ /^pflog/ && /PROMISC/ { print }'`
else
PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | ${AWK_CMD} '$1 !~ /^pflog/ && $1 !~ /^('${IFWLIST}'):$/ && /PROMISC/ { print }'`
fi
;;
SunOS|IRIX*|AIX)
if [ -z "${IFWLIST}" ]; then
PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | ${AWK_CMD} '/PROMISC/ { print }'`
else
PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | ${AWK_CMD} '$1 !~ /^('${IFWLIST}'):$/ && /PROMISC/ { print }'`
fi
;;
*)
if [ -z "${IFWLIST}" ]; then
PROMISCSCAN1=`${IFCONFIG_CMD} 2>&1 | ${AWK_CMD} 'BEGIN { RS="" }; /PROMISC/ { print }'`
else
PROMISCSCAN1=`${IFCONFIG_CMD} 2>&1 | ${AWK_CMD} 'BEGIN { RS="" }; $1 !~ /^('${IFWLIST}'):?$/ && /PROMISC/ { print }'`
fi
;;
esac
else
display --to LOG --type INFO NETWORK_PROMISC_NO_CMD ifconfig ip
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ifconfig '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'ifconfig'
else
display --to LOG --type INFO NOT_FOUND_CMD 'ifconfig'
fi
fi
if [ $LINUXOS -eq 1 ]; then
if [ -n "${IP_CMD}" ]; then
PROMISCSCAN2=`${IP_CMD} link | grep '^[0-9]' | grep -vE "^[0-9][0-9]*: (${IFWLIST}):" | grep 'PROMISC'`
else
display --to LOG --type INFO NETWORK_PROMISC_NO_CMD ip ifconfig
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ip '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'ip'
else
display --to LOG --type INFO NOT_FOUND_CMD 'ip'
fi
fi
fi
#
# Now show the results of the interface check.
#
if [ -z "${PROMISCSCAN1}" -a -z "${PROMISCSCAN2}" ]; then
display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 NETWORK_PROMISC_CHECK
else
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 NETWORK_PROMISC_CHECK
display --to LOG --type WARNING NETWORK_PROMISC_IF
if [ -n "${PROMISCSCAN1}" ]; then
display --to LOG --type PLAIN --log-indent 9 NETWORK_PROMISC_IF_1
PROMISCSCAN1=`echo "${PROMISCSCAN1}" | ${AWK_CMD} '$0 !~ /^ / || /PROMISC/ { print }'`
IFS=$IFSNL
for IFACE in ${PROMISCSCAN1}; do
display --to LOG --type PLAIN --log-indent 13 NAME "${IFACE}"
done
IFS=$RKHIFS
fi
if [ -n "${PROMISCSCAN2}" ]; then
display --to LOG --type PLAIN --log-indent 9 NETWORK_PROMISC_IF_2
PROMISCSCAN2=`echo "${PROMISCSCAN2}" | cut -d: -f2-`
IFS=$IFSNL
# Only indent by 12 spaces here because the output starts with a space.
for IFACE in ${PROMISCSCAN2}; do
display --to LOG --type PLAIN --log-indent 12 NAME "${IFACE}"
done
IFS=$RKHIFS
fi
fi
else
display --to SCREEN+LOG --type PLAIN --color YELLOW --result SKIPPED --screen-indent 4 NETWORK_PROMISC_CHECK
display --to LOG --type INFO NETWORK_PROMISC_NO_IFCONF_IP
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ifconfig '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'ifconfig'
else
display --to LOG --type INFO NOT_FOUND_CMD 'ifconfig'
fi
if [ $LINUXOS -eq 1 ]; then
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ip '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'ip'
else
display --to LOG --type INFO NOT_FOUND_CMD 'ip'
fi
fi
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST promisc
fi
#
# For the packet capturing check, we must first see if we
# are able to run the test. We let the user know if the test
# was disabled, or if the lsof command is not present.
#
if `check_test packet_cap_apps`; then
display --to LOG --type INFO --nl STARTING_TEST packet_cap_apps
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST packet_cap_apps
fi
return
fi
if [ $LINUXOS -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --color YELLOW --result SKIPPED --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
display --to LOG --type INFO TEST_SKIPPED_OS 'packet_cap_apps' '/proc/net/packet required.'
return
elif [ ! -f "/proc/net/packet" ]; then
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
display --to LOG --type WARNING NETWORK_PACKET_CAP_CHECK_NO_FILE '/proc/net/packet'
return
elif [ -z "${LSOF_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --color YELLOW --result SKIPPED --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' lsof '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'lsof'
else
display --to LOG --type INFO NOT_FOUND_CMD 'lsof'
fi
return
fi
#
# Now run the test.
#
FOUND=0
WHITEPROC=""
BLACKPROC=""
LIBPCAPRES=`egrep -v '(^sk | 888e )' /proc/net/packet 2>/dev/null | head ${HEAD_OPT}1`
if [ -n "${LIBPCAPRES}" ]; then
ALLOWPROCLISTENERS=""
#
# We expand the whitelist option here to ensure
# that any wildcard entries are the most recent.
#
if [ -n "${ALLOWPROCLIST_OPT}" ]; then
ALLOWPROCLISTENERS=`expand_paths ALLOWPROCLIST_OPT`
fi
INODE_LIST=""
for INODE in `egrep -v '(^sk | 888e )' /proc/net/packet | ${AWK_CMD} '{ print $9 }'`; do
INODE_LIST="${INODE_LIST}|$INODE"
done
INODE_LIST=`echo "${INODE_LIST}" | sed -e 's/^|//'`
test -z "${INODE_LIST}" && INODE_LIST="RKHunterPktCapture"
for PID in `${LSOF_CMD} -lMnPw -d 1-20 2>/dev/null | egrep "[ ](pack[ ]+(${INODE_LIST})|sock[ ]+[^ ]+[ ]+[^ ]+[ ]+(${INODE_LIST}))[ ]" | ${AWK_CMD} '{ print $2 }'`; do
NAME=""
if [ -h "/proc/$PID/exe" -a $HAVE_READLINK -eq 1 ]; then
NAME=`${READLINK_CMD} ${READLINK_OPT} "/proc/$PID/exe" | cut -d' ' -f1`
elif [ -f "/proc/$PID/status" ]; then
NAME=`grep '^Name:.' /proc/$PID/status | sed -e 's/^Name:.//'`
fi
test -z "${NAME}" && continue
FNAMEGREP=`echo "${NAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${ALLOWPROCLISTENERS}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ -z "`echo \"${WHITEPROC}\" | grep \"^${FNAMEGREP}$\"`" ]; then
WHITEPROC="${WHITEPROC}
${NAME}"
fi
else
FOUND=1
BLACKPROC="${BLACKPROC}
${PID}:${NAME}"
fi
done
fi
#
# Now display the results.
#
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
else
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
IFS=$IFSNL
for RKHTMPVAR in ${BLACKPROC}; do
test -z "${RKHTMPVAR}" && continue
PID=`echo "${RKHTMPVAR}" | cut -d: -f1`
NAME=`echo "${RKHTMPVAR}" | cut -d: -f2-`
display --to LOG --type WARNING NETWORK_PACKET_CAP_FOUND "`name2text \"${NAME}\"`" "${PID}"
done
IFS=$RKHIFS
fi
#
# Log any whitelisted entries.
#
if [ $VERBOSE_LOGGING -eq 1 ]; then
IFS=$IFSNL
for NAME in ${WHITEPROC}; do
test -z "${NAME}" && continue
display --to LOG --type INFO NETWORK_PACKET_CAP_WL "`name2text \"${NAME}\"`"
done
fi
IFS=$RKHIFS
return
}
do_network_checks() {
#
# This function carries out some network checks. This consists
# of port checks, and some interface checks.
#
if `check_test network`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST network
display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_NETWORK
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST network
fi
return
fi
do_network_port_checks
do_network_hidden_port_checks
do_network_interface_checks
return
}
do_system_startup_file_checks() {
#
# This function carries out checks on the system startup files.
#
if `check_test startup_files`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST startup_files
display --to SCREEN+LOG --type PLAIN --screen-indent 2 STARTUP_FILES_START
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST startup_files
fi
return
fi
#
# First we check that the local host name has been set.
#
if [ -n "${HOST_NAME}" ]; then
display --to SCREEN+LOG --type PLAIN --color GREEN --result FOUND --log-indent 2 --screen-indent 4 STARTUP_HOSTNAME
else
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 STARTUP_HOSTNAME
display --to LOG --type WARNING STARTUP_NO_HOSTNAME
fi
#
# Check that the startup file malware checks are to be done.
#
if `check_test startup_malware`; then
display --to LOG --type INFO --nl STARTING_TEST startup_malware
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST startup_malware
fi
return
fi
#
# First check to see that we can run the test.
#
if [ "${STARTUP_PATHS}" = "NONE" ]; then
display --to SCREEN+LOG --type PLAIN --color GREEN --result SKIPPED --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_EXIST
display --to LOG --type INFO STARTUP_NONE_GIVEN
return
fi
#
# Now get and check that the system startup files are okay.
#
get_rc_paths
if [ -n "${RC_PATHS}" ]; then
display --to SCREEN+LOG --type PLAIN --color GREEN --result FOUND --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_EXIST
else
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_EXIST
display --to LOG --type WARNING STARTUP_CHECK_NO_RC_FILES
return
fi
#
# Next we check all the startup files for any suspicious
# strings in them.
#
FOUND=0
FOUNDSTRINGS=""
#
# Since we are going to be checking a lot of files
# for strings that are static, we may as well do
# some pre-processing of the string, and then we
# only need to spend time if a string is found.
#
RCSTRINGS=""
ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
IFS=$IFSNL
for RKHTMPVAR in ${RCLOCAL_STRINGS}; do
RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ ]*//'`
STRING=`echo ${RKHTMPVAR} | cut -d: -f1 | sed -e 's/\./\\\./g'`
INFO=`echo ${RKHTMPVAR} | cut -d: -f2`
RCSTRINGS="${RCSTRINGS}
${STRING}:${INFO}"
done
IFS=$RKHIFS
RCSTRINGS=`echo "${RCSTRINGS}" | sed -e '/^$/d'`
for FNAME in ${RC_PATHS}; do
IFS=$IFSNL
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
for STR in ${RCSTRINGS}; do
STRING=`echo ${STR} | cut -d: -f1`
RKHTMPVAR=`grep "${STRING}" "${FNAME}"`
if [ -n "${RKHTMPVAR}" ]; then
test -z "`echo \"${RKHTMPVAR}\" | egrep -v '^[ ]*#'`" && continue
if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:${STRING}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
STRING=`echo ${STRING} | sed -e 's/\\\//g'`
display --to LOG --type INFO FILE_PROP_WL_STR "`name2text \"${FNAME}\"`" "${STRING}" 'startup_malware'
fi
elif [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}$\"`" -a -z "`echo \"${RTKT_FILE_WHITELIST}\" | grep \"^${FNAMEGREP}:$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_WL "`name2text \"${FNAME}\"`" 'startup_malware'
fi
else
FOUND=1
STRING=`echo ${STRING} | sed -e 's/\\\//g'`
INFO=`echo ${STR} | cut -d: -f2`
FOUNDSTRINGS="${FOUNDSTRINGS}
${FNAME}:${STRING}:${INFO}"
fi
fi
done
IFS=$RKHIFS
done
#
# Now display the results.
#
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_MALWARE
else
ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_MALWARE
IFS=$IFSNL
FOUNDSTRINGS=`echo "${FOUNDSTRINGS}" | sed -e '/^$/d'`
for RKHTMPVAR in ${FOUNDSTRINGS}; do
FNAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
STRING=`echo "${RKHTMPVAR}" | cut -d: -f2`
INFO=`echo "${RKHTMPVAR}" | cut -d: -f3`
display --to LOG --type WARNING ROOTKIT_POSS_STRINGS_FOUND "${STRING}" "`name2text \"${FNAME}\"`" "${INFO}"
done
IFS=$RKHIFS
fi
return
}
pwdgrp_changes() {
#
# This function checks the changes made to the passwd and group files.
#
FNAME=$1
LINES=$2
SEEN_IDS=""
IFS=$IFSNL
for LINE in ${LINES}; do
#
# First we need to check if we have already dealt with
# this id. If we have, then just get the next line.
#
PWDGRPID=`echo "${LINE}" | cut -d: -f1 | cut -c3-`
IDGREP=`echo "${PWDGRPID}" | sed -e 's/\./\\\./g'`
RKHTMPVAR=`echo "${SEEN_IDS}" | grep " ${IDGREP} "`
test -n "${RKHTMPVAR}" && continue
#
# This id hasn't been seen before, so we record it.
#
SEEN_IDS="${SEEN_IDS} ${PWDGRPID} "
#
# Next we see if the id has just been added or removed.
# To do this we simply see if it appears more than once.
#
RKHTMPVAR=`echo "${LINES}" | grep "^> ${IDGREP}:"`
RKHTMPVAR2=`echo "${LINES}" | grep "^< ${IDGREP}:"`
if [ \( -n "${RKHTMPVAR}" -a -z "${RKHTMPVAR2}" \) -o \( -z "${RKHTMPVAR}" -a -n "${RKHTMPVAR2}" \) ]; then
if [ -n "${RKHTMPVAR}" ]; then
if [ "${FNAME}" = "passwd" ]; then
display --to LOG --type WARNING --log-indent 4 PWD_CHANGES_IDREM "${PWDGRPID}"
else
display --to LOG --type WARNING --log-indent 4 GROUP_CHANGES_IDREM "${PWDGRPID}"
fi
else
if [ "${FNAME}" = "passwd" ]; then
display --to LOG --type WARNING --log-indent 4 PWD_CHANGES_IDADD "${PWDGRPID}"
else
display --to LOG --type WARNING --log-indent 4 GROUP_CHANGES_IDADD "${PWDGRPID}"
fi
fi
continue
fi
#
# The id has changed in some way. We now need to
# go through the fields and see what has changed.
#
FIELD_IDX=1
OLD_LINE=`echo "${RKHTMPVAR}" | cut -d: -f2-`
NEW_LINE=`echo "${RKHTMPVAR2}" | cut -d: -f2-`
STR=${OLD_LINE}
if [ "${FNAME}" = "passwd" ]; then
display --to LOG --type WARNING PWD_CHANGES_FOUND "${PWDGRPID}"
else
display --to LOG --type WARNING GROUP_CHANGES_FOUND "${PWDGRPID}"
fi
while test -n "${STR}"; do
OLD_FIELD=`echo "${OLD_LINE}" | cut -d: -f$FIELD_IDX`
NEW_FIELD=`echo "${NEW_LINE}" | cut -d: -f$FIELD_IDX`
if [ "${OLD_FIELD}" != "${NEW_FIELD}" ]; then
if [ "${FNAME}" = "passwd" ]; then
case $FIELD_IDX in
1)
display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_PWD "${OLD_FIELD}" "${NEW_FIELD}"
;;
2)
display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_UID "${OLD_FIELD}" "${NEW_FIELD}"
;;
3)
display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_GID "${OLD_FIELD}" "${NEW_FIELD}"
;;
4)
display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_COMM "${OLD_FIELD}" "${NEW_FIELD}"
;;
5)
display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_HOME "${OLD_FIELD}" "${NEW_FIELD}"
;;
6)
display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_SHL "${OLD_FIELD}" "${NEW_FIELD}"
;;
*)
display --to LOG --type PLAIN --log-indent 9 PWDGRP_CHANGES_UNK "${FNAME}" "${OLD_FIELD}" "${NEW_FIELD}"
;;
esac
else
case $FIELD_IDX in
1)
display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_PWD "${OLD_FIELD}" "${NEW_FIELD}"
;;
2)
display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_GID "${OLD_FIELD}" "${NEW_FIELD}"
;;
3)
OLD_GRPUSRS=" `echo ${OLD_FIELD} | tr ',' ' '` "
NEW_GRPUSRS=" `echo ${NEW_FIELD} | tr ',' ' '` "
IFS=$RKHIFS
for GRPUSR in ${OLD_GRPUSRS} ${NEW_GRPUSRS}; do
RKHTMPVAR=`echo ${GRPUSR} | sed -e 's/\./\\\./g'`
RKHTMPVAR2=`echo "${OLD_GRPUSRS}" | grep " ${RKHTMPVAR} "`
RKHTMPVAR3=`echo "${NEW_GRPUSRS}" | grep " ${RKHTMPVAR} "`
if [ -n "${RKHTMPVAR2}" -a -z "${RKHTMPVAR3}" ]; then
display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_GRPREM "${GRPUSR}"
elif [ -z "${RKHTMPVAR2}" -a -n "${RKHTMPVAR3}" ]; then
display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_GRPADD "${GRPUSR}"
fi
done
IFS=$IFSNL
;;
*)
display --to LOG --type PLAIN --log-indent 9 PWDGRP_CHANGES_UNK "${FNAME}" "${OLD_FIELD}" "${NEW_FIELD}"
;;
esac
fi
fi
FIELD_IDX=`expr $FIELD_IDX + 1`
RKHTMPVAR=`echo "${STR}" | cut -d: -f2-`
#
# For the group file the last field may be
# empty, so we need to cater for this.
#
if [ -z "${RKHTMPVAR}" ]; then
if [ \( "${FNAME}" = "passwd" -a $FIELD_IDX -eq 6 \) -o \( "${FNAME}" = "group" -a $FIELD_IDX -eq 3 \) ]; then
STR=""
RKHTMPVAR="x"
fi
fi
test "${RKHTMPVAR}" = "${STR}" && STR="" || STR=${RKHTMPVAR}
done
done
IFS=$RKHIFS
return
}
do_group_accounts_check() {
#
# This function carries out checks on the /etc/passwd and
# /etc/group files.
#
if `check_test group_accounts`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST group_accounts
display --to SCREEN+LOG --type PLAIN --screen-indent 2 ACCOUNTS_START
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST group_accounts
fi
return
fi
#
# First check that /etc/passwd exists.
#
if [ -s "/etc/passwd" ]; then
display --to SCREEN+LOG --type PLAIN --color GREEN --result FOUND --log-indent 2 --screen-indent 4 ACCOUNTS_PWD_FILE_CHECK
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO ACCOUNTS_FOUND_PWD_FILE '/etc/passwd'
fi
else
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 ACCOUNTS_PWD_FILE_CHECK
display --to LOG --type WARNING ACCOUNTS_NO_PWD_FILE '/etc/passwd'
fi
#
# Next, check for root equivalent accounts. These will have
# a UID of zero.
#
if [ -s "/etc/passwd" ]; then
UID_LIST=""
RKHTMPVAR2=""
if [ $MACOSX -eq 1 ]; then
DSCL_CMD=`find_cmd dscl`
if [ -n "${DSCL_CMD}" ]; then
display --to LOG --type INFO FOUND_CMD 'dscl' "${DSCL_CMD}"
RKHTMPVAR2=`${DSCL_CMD} . search /Users uid 0 | egrep '^[^ )]' | cut -d' ' -f1`
else
display --to LOG --type INFO NOT_FOUND_CMD 'dscl'
fi
fi
IFS=$IFSNL
for RKHTMPVAR in `grep '^[^:]*:[^:]*:0:' /etc/passwd | cut -d: -f1` ${RKHTMPVAR2}; do
test -z "${RKHTMPVAR}" && continue
test "${RKHTMPVAR}" = "root" && continue
RKHUSERID=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`
#
# We will ignore any whitelisted UID 0 accounts.
#
if [ -z "`echo \"${UID0_WHITELIST}\" | grep \" ${RKHUSERID} \"`" ]; then
UID_LIST="${UID_LIST}
${RKHTMPVAR}"
else
display --to LOG --type INFO ACCOUNTS_UID0_WL "${RKHTMPVAR}"
fi
done
IFS=$RKHIFS
#
# Now display the results.
#
if [ -z "${UID_LIST}" ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ACCOUNTS_UID0
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ACCOUNTS_UID0
IFS=$IFSNL
for RKHTMPVAR in ${UID_LIST}; do
test -z "${RKHTMPVAR}" && continue
display --to LOG --type WARNING ACCOUNTS_UID0_FOUND "${RKHTMPVAR}"
done
IFS=$RKHIFS
fi
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ACCOUNTS_UID0
display --to LOG --type INFO ACCOUNTS_NO_PWD_FILE '/etc/passwd'
fi
#
# Now check for any passwordless accounts. We do this in two steps.
# The first is to check the shadow file, and for TCB shadow files we
# have to loop through all the shadow files in the /etc/tcb directory.
# Then we check the /etc/passwd file for any passwordless accounts.
# Finally we display the overall result. We ignore any whitelisted
# passwordless accounts.
#
WL_SEEN=""
PWD_PWDLESS_LIST=""
SHAD_PWDLESS_LIST=""
#
# Check for passwordless accounts in the shadow file(s).
#
if [ -n "${SHADOW_FILE}" -o $HAVE_TCB_SHADOW -eq 1 ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
if [ -n "${SHADOW_FILE}" ]; then
display --to LOG --type INFO ACCOUNTS_SHADOW_FILE "${SHADOW_FILE}"
else
display --to LOG --type INFO ACCOUNTS_SHADOW_TCB '/etc/tcb'
fi
fi
#
# We have do a bit of a kludge here. We need a loop in order to
# cater for TCB shadow files in /etc/tcb. But at the same time
# we only want to execute the loop once for non-TCB systems. To
# do this we loop through either /etc or /etc/tcb. However, for
# /etc we only execute the loop once because the grep statement
# will have the exact shadow filename in SHADOW_FILE. For TCB
# systems, SHADOW_FILE is set for each individual shadow file as
# it pass round the loop.
#
if [ $HAVE_TCB_SHADOW -eq 1 ]; then
RKHTMPVAR2="/etc/tcb"
else
RKHTMPVAR2="/etc"
fi
IFS=$IFSNL
for DIR in ${RKHTMPVAR2}/*; do
if [ $HAVE_TCB_SHADOW -eq 1 ]; then
if [ -f "${DIR}/shadow" ]; then
SHADOW_FILE="${DIR}/shadow"
else
continue
fi
fi
for RKHTMPVAR in `grep '^[^:]*::' "${SHADOW_FILE}" | cut -d: -f1`; do
# Ignore any NIS/YP entries
test "${RKHTMPVAR}" = "+" && continue
RKHUSERID=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`
if [ -z "`echo \"${PWD_WHITELIST}\" | grep \" ${RKHUSERID} \"`" ]; then
SHAD_PWDLESS_LIST="${SHAD_PWDLESS_LIST}
${RKHTMPVAR}"
test $HAVE_TCB_SHADOW -eq 1 && SHAD_PWDLESS_LIST="${SHAD_PWDLESS_LIST} (${SHADOW_FILE})"
else
WL_SEEN="${WL_SEEN} ${RKHTMPVAR} "
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO ACCOUNTS_PWDLESS_WL "${RKHTMPVAR}"
fi
fi
done
test $HAVE_TCB_SHADOW -eq 0 && break
done
IFS=$RKHIFS
else
#
# No shadow file found.
#
SHAD_PWDLESS_LIST="RKH:No shadow file"
fi
#
# Check for passwordless accounts in /etc/passwd.
#
if [ -s "/etc/passwd" ]; then
IFS=$IFSNL
for RKHTMPVAR in `grep '^[^:]*::' /etc/passwd | cut -d: -f1`; do
# Ignore any NIS/YP entries
test "${RKHTMPVAR}" = "+" && continue
RKHUSERID=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`
if [ -z "`echo \"${PWD_WHITELIST}\" | grep \" ${RKHUSERID} \"`" ]; then
PWD_PWDLESS_LIST="${PWD_PWDLESS_LIST}
${RKHTMPVAR}"
elif [ -z "`echo \"${WL_SEEN}\" | grep \" ${RKHUSERID} \"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO ACCOUNTS_PWDLESS_WL "${RKHTMPVAR}"
fi
fi
done
IFS=$RKHIFS
fi
#
# Now display the results.
#
if [ -z "${SHAD_PWDLESS_LIST}" -a -z "${PWD_PWDLESS_LIST}" ]; then
display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 ACCOUNTS_PWDLESS
else
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 ACCOUNTS_PWDLESS
#
# Log the shadow file results.
#
if [ "${SHAD_PWDLESS_LIST}" = "RKH:No shadow file" ]; then
display --to LOG --type WARNING ACCOUNTS_NO_SHADOW_FILE
else
IFS=$IFSNL
for RKHTMPVAR in ${SHAD_PWDLESS_LIST}; do
test -z "${RKHTMPVAR}" && continue
display --to LOG --type WARNING ACCOUNTS_PWDLESS_FOUND 'shadow' "${RKHTMPVAR}"
done
fi
#
# Log the passwd file results.
#
IFS=$IFSNL
for RKHTMPVAR in ${PWD_PWDLESS_LIST}; do
test -z "${RKHTMPVAR}" && continue
display --to LOG --type WARNING ACCOUNTS_PWDLESS_FOUND 'passwd' "${RKHTMPVAR}"
done
IFS=$RKHIFS
fi
#
# Now we check for any changes that have occurred to the passwd
# file since rkhunter was last run.
#
DIFF_CMD=`find_cmd diff`
if `check_test passwd_changes`; then
RKHTMPVAR=0
display --to LOG --type INFO --nl STARTING_TEST passwd_changes
else
RKHTMPVAR=1
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST passwd_changes
fi
fi
if [ $RKHTMPVAR -eq 1 ]; then
:
elif [ ! -f "/etc/passwd" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 PASSWD_CHANGES
display --to LOG --type INFO ACCOUNTS_NO_PWD_FILE '/etc/passwd'
elif [ -z "${DIFF_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 PASSWD_CHANGES
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' diff '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'diff'
else
display --to LOG --type INFO NOT_FOUND_CMD 'diff'
fi
cp -f -p /etc/passwd "${RKHTMPDIR}/passwd"
elif [ ! -f "${RKHTMPDIR}/passwd" ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 PASSWD_CHANGES
display --to LOG --type WARNING PASSWD_CHANGES_NO_TMP
cp -f -p /etc/passwd "${RKHTMPDIR}/passwd"
else
DIFFS=`${DIFF_CMD} /etc/passwd "${RKHTMPDIR}/passwd" 2>/dev/null | grep '^[<>]'`
if [ -z "${DIFFS}" ]; then
display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 PASSWD_CHANGES
else
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 PASSWD_CHANGES
pwdgrp_changes "passwd" "${DIFFS}"
#
# Finally, move the current copy of the passwd file out
# of the way, and take a new copy of the passwd file.
# This allows the user to look back to see what the
# last changes were, even if RKH is run again.
#
mv -f "${RKHTMPDIR}/passwd" "${RKHTMPDIR}/passwd.old" >/dev/null 2>&1
cp -f -p /etc/passwd "${RKHTMPDIR}/passwd"
fi
fi
test -f "${RKHTMPDIR}/passwd" && chmod 600 "${RKHTMPDIR}/passwd"
#
# Next check for any changes that have occurred to the group
# file since rkhunter was last run.
#
if `check_test group_changes`; then
RKHTMPVAR=0
display --to LOG --type INFO --nl STARTING_TEST group_changes
else
RKHTMPVAR=1
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST group_changes
fi
fi
if [ $RKHTMPVAR -eq 1 ]; then
:
elif [ ! -f "/etc/group" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 GROUP_CHANGES
display --to LOG --type WARNING GROUP_CHANGES_NO_FILE '/etc/group'
elif [ -z "${DIFF_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 GROUP_CHANGES
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' diff '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'diff'
else
display --to LOG --type INFO NOT_FOUND_CMD 'diff'
fi
cp -f -p /etc/group "${RKHTMPDIR}/group"
elif [ ! -f "${RKHTMPDIR}/group" ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 GROUP_CHANGES
display --to LOG --type WARNING GROUP_CHANGES_NO_TMP
cp -f -p /etc/group "${RKHTMPDIR}/group"
else
DIFFS=`${DIFF_CMD} /etc/group "${RKHTMPDIR}/group" 2>/dev/null | grep '^[<>]'`
if [ -z "${DIFFS}" ]; then
display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 GROUP_CHANGES
else
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 GROUP_CHANGES
pwdgrp_changes "group" "${DIFFS}"
#
# Finally, move the current copy of the group file out
# of the way, and take a new copy of the group file.
# This allows the user to look back to see what the
# last changes were, even if RKH is run again.
#
mv -f "${RKHTMPDIR}/group" "${RKHTMPDIR}/group.old" >/dev/null 2>&1
cp -f -p /etc/group "${RKHTMPDIR}/group"
fi
fi
test -f "${RKHTMPDIR}/group" && chmod 600 "${RKHTMPDIR}/group"
#
# Finally we do a check on the root account shell history files.
# We check for bash, Korn, C-shell and zsh history files.
#
FOUND=0
FOUNDFILES=""
if [ -f "/root/.bash_history" ]; then
FOUND=1
if [ -h "/root/.bash_history" ]; then
FOUNDFILES="${FOUNDFILES} bash:/root/.bash_history"
fi
fi
if [ -f "/root/.sh_history" ]; then
FOUND=1
if [ -h "/root/.sh_history" ]; then
FOUNDFILES="${FOUNDFILES} Korn:/root/.sh_history"
fi
fi
if [ -f "/root/.history" ]; then
FOUND=1
if [ -h "/root/.history" ]; then
FOUNDFILES="${FOUNDFILES} C-shell:/root/.history"
fi
fi
if [ -f "/root/.zhistory" ]; then
FOUND=1
if [ -h "/root/.zhistory" ]; then
FOUNDFILES="${FOUNDFILES} zsh:/root/.zhistory"
fi
fi
#
# Now display the results.
#
if [ -z "${FOUNDFILES}" ]; then
test $FOUND -eq 1 && RKHTMPVAR="OK" || RKHTMPVAR="NONE_FOUND"
display --to SCREEN+LOG --type PLAIN --color GREEN --result ${RKHTMPVAR} --log-indent 2 --screen-indent 4 HISTORY_CHECK
else
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 HISTORY_CHECK
for RKHTMPVAR in ${FOUNDFILES}; do
SHELLNAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
FILENAME=`echo "${RKHTMPVAR}" | cut -d: -f2`
display --to LOG --type WARNING HISTORY_CHECK_FOUND "`name2text \"${SHELLNAME}\"`" "`name2text \"${FILENAME}\"`"
done
fi
return
}
do_system_config_files_check() {
#
# This function carries out checks on some of the system
# software configurations. At present this checks the SSH
# and system logging configurations.
#
if `check_test system_configs`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST system_configs
display --to SCREEN+LOG --type PLAIN --screen-indent 2 SYSTEM_CONFIGS_START
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST system_configs
fi
return
fi
if `check_test system_configs_ssh`; then
display --to LOG --type INFO --nl STARTING_TEST system_configs_ssh
#
# First find out where the SSH configuration file is located.
#
SSH_CONFIG_FILE=""
if [ -n "${SSH_CONFIG_DIR}" ]; then
RKHTMPVAR="${SSH_CONFIG_DIR}"
else
RKHTMPVAR="/etc /etc/ssh /usr/local/etc /usr/local/etc/ssh"
fi
for DIR in ${RKHTMPVAR}; do
if [ -f "${DIR}/sshd_config" ]; then
SSH_CONFIG_FILE="${DIR}/sshd_config"
break
fi
done
if [ -n "${SSH_CONFIG_FILE}" ]; then
display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE_SSH
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO SYSTEM_CONFIGS_FILE_FOUND 'an' 'SSH' "${SSH_CONFIG_FILE}"
display --to LOG --type INFO CONFIG_SSH_ROOT "${ALLOW_SSH_ROOT_USER}"
display --to LOG --type INFO CONFIG_SSH_PROTV1 $ALLOW_SSH_PROT_V1
fi
#
# Now we check some of the configuration options.
#
# First we check for allowed root access.
#
RKHTMPVAR=`grep -i '^[ ]*PermitRootLogin[ =]' "${SSH_CONFIG_FILE}" 2>/dev/null | tail ${TAIL_OPT}1`
if [ -n "${RKHTMPVAR}" ]; then
#
# Get the value that has been set.
#
RKHTMPVAR2=`echo ${RKHTMPVAR} | sed -e 's/^[^ =]*[ ]*=*[ ]*\([^ #]*\).*$/\1/' | tr '[:upper:]' '[:lower:]'`
if [ "${RKHTMPVAR2}" = "${ALLOW_SSH_ROOT_USER}" ]; then
test "${RKHTMPVAR2}" = "no" && RKHTMPVAR="NOT_ALLOWED" || RKHTMPVAR="ALLOWED"
display --to SCREEN+LOG --type PLAIN --result ${RKHTMPVAR} --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT
display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_ROOT_FOUND
display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_ROOT_FOUND1 "${RKHTMPVAR2}"
display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_ROOT_FOUND2 "${ALLOW_SSH_ROOT_USER}"
fi
elif [ "${ALLOW_SSH_ROOT_USER}" = "unset" ]; then
display --to SCREEN+LOG --type PLAIN --result UNSET --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT
display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND
fi
#
# Next we check to see if protocol version 1 is allowed.
#
RKHTMPVAR=`grep -i '^[ ]*Protocol[ =]' "${SSH_CONFIG_FILE}" 2>/dev/null | tail ${TAIL_OPT}1`
if [ -n "${RKHTMPVAR}" ]; then
#
# See if the set protocol versions includes '1'.
#
RKHTMPVAR2=`echo ${RKHTMPVAR} | sed -e 's/^[^ =]*[ ]*=*[ ]*\([^ #]*\).*$/\1/'`
RKHTMPVAR3=`echo "${RKHTMPVAR2}" | grep '1'`
if [ -z "${RKHTMPVAR3}" -a $ALLOW_SSH_PROT_V1 -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NOT_ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
elif [ -n "${RKHTMPVAR3}" -a \( $ALLOW_SSH_PROT_V1 -eq 1 -o $ALLOW_SSH_PROT_V1 -eq 2 \) ]; then
display --to SCREEN+LOG --type PLAIN --result ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_ROOT_FOUND
display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_PROTO_DIFF1 "${RKHTMPVAR2}"
display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_PROTO_DIFF2 "${ALLOW_SSH_PROT_V1}"
fi
elif [ $ALLOW_SSH_PROT_V1 -eq 2 ]; then
display --to SCREEN+LOG --type PLAIN --result UNSET --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND
fi
#
# Finally we check for any other known suspicious configuration settings.
#
FOUND=0
FOUNDNAMES=""
#
# First check for the Ebury backdoor.
#
RKHTMPVAR=`grep -i '^[ ]*AuthorizedKeysFile[ =]' "${SSH_CONFIG_FILE}" 2>/dev/null | tail ${TAIL_OPT}1`
if [ -n "${RKHTMPVAR}" ]; then
RKHTMPVAR2=`echo ${RKHTMPVAR} | sed -e 's/^[^ =]*[ ]*=*[ ]*\([^ #]*\).*$/\1/'`
if [ "${RKHTMPVAR2}" = "/proc/self/environ" ]; then
FOUND=1
FOUNDNAMES="${FOUNDNAMES} ebury"
fi
fi
#
# Now display the results.
#
if [ $FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_EXTRA
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_EXTRA
for RKHTMPVAR in ${FOUNDNAMES}; do
case "${RKHTMPVAR}" in
ebury)
display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_EBURY
;;
esac
done
fi
else
display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE_SSH
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST system_configs_ssh
fi
if `check_test system_configs_syslog`; then
display --to LOG --type INFO --nl STARTING_TEST system_configs_syslog
#
# Next we find out if a system logging daemon is running.
#
TITLE_SHOWN=0
SYSLOG_SEEN=0; SYSTEMD_SEEN=0
METALOG_SEEN=0; SOCKLOG_SEEN=0
if [ -n "${PS_CMD}" ]; then
PS_ARGS="ax"
test $SUNOS -eq 1 -o $IRIXOS -eq 1 && PS_ARGS="-ef"
RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep '(syslogd|syslog-ng)( |$)' | grep -v 'egrep'`
if [ -n "${RKHTMPVAR}" ]; then
SYSLOG_SEEN=1
test $TITLE_SHOWN -eq 0 && display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
if [ $VERBOSE_LOGGING -eq 1 ]; then
if [ -n "`echo \"${RKHTMPVAR}\" | grep 'rsyslog'`" ]; then
display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'rsyslog'
elif [ -n "`echo \"${RKHTMPVAR}\" | grep 'syslog-ng'`" ]; then
display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'syslog-ng'
else
display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'syslog'
fi
fi
TITLE_SHOWN=1
fi
RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep 'systemd-journald( |$)' | grep -v 'egrep'`
if [ -n "${RKHTMPVAR}" ]; then
SYSTEMD_SEEN=1
if [ $TITLE_SHOWN -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'systemd-journald'
fi
TITLE_SHOWN=1
fi
RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep 'metalog( |$)' | grep -v 'egrep'`
if [ -n "${RKHTMPVAR}" ]; then
METALOG_SEEN=1
if [ $TITLE_SHOWN -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'metalog'
fi
TITLE_SHOWN=1
fi
RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep 'socklog( |$)' | grep -v 'egrep'`
if [ -n "${RKHTMPVAR}" ]; then
SOCKLOG_SEEN=1
if [ $TITLE_SHOWN -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_DAEMON 'socklog'
fi
TITLE_SHOWN=1
fi
if [ $TITLE_SHOWN -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
display --to LOG --type WARNING SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING
fi
else
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' ps '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'ps'
else
display --to LOG --type INFO NOT_FOUND_CMD 'ps'
fi
fi
#
# Now loop through the system logging configuration files.
#
if [ -z "${SYSLOG_CONFIG_FILE}" ]; then
SYSLOG_CONFIG_FILE="/etc/syslog.conf /etc/rsyslog.conf /etc/syslog-ng/syslog-ng.conf /etc/systemd/journald.conf /etc/systemd/systemd-journald.conf"
fi
if [ "${SYSLOG_CONFIG_FILE}" = "NONE" ]; then
display --to SCREEN+LOG --type PLAIN --result WHITELISTED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE
else
FILEFOUND=""
REM_LOGGING_FOUND=0
if [ $ALLOW_SYSLOG_REMOTE_LOGGING -eq 1 -a $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO SYSTEM_CONFIGS_SYSLOG_REMOTE_ALLOWED
fi
for FNAME in ${SYSLOG_CONFIG_FILE}; do
test ! -f "${FNAME}" && continue
# First, log where the configuration file is located.
RKHTMPVAR="a"
if [ -n "`echo \"${FNAME}\" | grep '/rsyslog\.conf$'`" ]; then
FTYPE="rsyslog"
RKHTMPVAR="an"
elif [ -n "`echo \"${FNAME}\" | grep '/syslog-ng\.conf$'`" ]; then
FTYPE="syslog-ng"
elif [ -n "`echo \"${FNAME}\" | egrep '/(systemd-)?journald\.conf$'`" ]; then
FTYPE="systemd"
else
FTYPE="syslog"
fi
FILEFOUND="${FILEFOUND} ${FTYPE} "
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO SYSTEM_CONFIGS_FILE_FOUND "${RKHTMPVAR}" "${FTYPE}" "`name2text \"${FNAME}\"`"
fi
# Next see if the configuration file allows remote logging.
if [ "${FTYPE}" != "systemd" ]; then
RKHTMPVAR=""
if [ -n "`echo \"${FNAME}\" | egrep '/r?syslog\.conf$'`" ]; then
RKHTMPVAR=`egrep -i '^[^#].*[ ](@|:omrelp:).' "${FNAME}" | egrep -i -v '(@|:omrelp:)127\.'`
else
#
# For syslog-ng we must look for a destination
# block which uses TCP or UDP.
#
RKHTMPVAR=`${AWK_CMD} '/^[ ]*destination( | |$)/, /}/ { print $0 }' "${FNAME}" | egrep -i '( | |\{|^)(tcp|udp)6?( | |\(|$)' | egrep -v -i '(tcp|udp)6?[ ]*\([ ]*("[ ]*)?127\.'`
fi
if [ -n "${RKHTMPVAR}" ]; then
REM_LOGGING_FOUND=1
display --to LOG --type INFO SYSTEM_CONFIGS_SYSLOG_REMOTE_LOG "${FTYPE}" "${RKHTMPVAR}"
fi
fi
done
#
# Now display the results. We need to rank these so
# that the warnings are shown before anything else.
#
if [ $SYSLOG_SEEN -eq 1 -a -z "`echo \"${FILEFOUND}\" | egrep ' (syslog|rsyslog|syslog-ng) '`" ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE
display --to LOG --type WARNING SYSTEM_CONFIGS_SYSLOG_NO_FILE 'syslog'
elif [ $SYSTEMD_SEEN -eq 1 -a -z "`echo \"${FILEFOUND}\" | grep ' systemd '`" ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE
display --to LOG --type WARNING SYSTEM_CONFIGS_SYSLOG_NO_FILE 'systemd-journald'
elif [ -n "${FILEFOUND}" ]; then
display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE
else
display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE
fi
#
# We only display the remote logging result if a configuration file was found.
#
if [ -n "`echo \"${FILEFOUND}\" | egrep ' (syslog|rsyslog|syslog-ng) '`" ]; then
if [ $ALLOW_SYSLOG_REMOTE_LOGGING -eq 1 ]; then
display --to SCREEN+LOG --type PLAIN --result ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_REMOTE
elif [ $REM_LOGGING_FOUND -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --result NOT_ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_REMOTE
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_REMOTE
fi
fi
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST system_configs_syslog
fi
return
}
do_dev_whitelist_check() {
#
# The check of /dev files has two methods. One uses a simple
# top-level file check, the other is more thorough and does a
# complete 'find' on the /dev directory. However, the check on
# whether the given file is whitelisted is the same for both
# methods. As such, it makes sense to use a function rather than
# repeating the code for each method.
#
FTYPE=`${FILE_CMD} "${RKHTMPVAR}" 2>&1 | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`
if [ $MACOSX -eq 1 -a -n "`echo \"${FTYPE}\" | grep 'universal binary'`" ]; then
FTYPE=`echo "${FTYPE}" | tail ${TAIL_OPT}1`
fi
if [ -z "`echo \"${FTYPE}\" | egrep -v '(character special|block special|socket|fifo \(named pipe\)|symbolic link to|empty|directory|/MAKEDEV:)'`" ]; then
return
fi
#
# Not sure why but '?' doesn't seem to need to be escaped. Neither do parentheses or braces.
# Also, cannot get the '[]' characters to work in the bracket expression. So these are handled individually.
#
FNAMEGREP=`echo "${RKHTMPVAR}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${ALLOWDEVFILES}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILESYSTEM_DEV_FILE_WL "`name2text \"${RKHTMPVAR}\"`"
fi
else
FOUNDFILES="${FOUNDFILES}
${RKHTMPVAR}: ${FTYPE}"
fi
return
}
do_filesystem_check() {
#
# This function carries out various checks on the local filesystem.
#
if `check_test filesystem`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST filesystem
display --to SCREEN+LOG --type PLAIN --screen-indent 2 FILESYSTEM_START
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST filesystem
fi
return
fi
if [ ! -d "/dev" ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK
display --to LOG --type WARNING FILESYSTEM_DEV_CHECK_NO_DEV
elif [ -z "${FILE_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' file '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'file'
else
display --to LOG --type INFO NOT_FOUND_CMD 'file'
fi
elif [ "${SCAN_MODE_DEV}" = "THOROUGH" -a -z "${FIND_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' find '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'find'
else
display --to LOG --type INFO NOT_FOUND_CMD 'find'
fi
else
#
# Now we can run the check on /dev.
#
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO CONFIG_SCAN_MODE_DEV "${SCAN_MODE_DEV}"
fi
#
# First we expand the whitelist option to ensure
# that any wildcard entries are the most recent.
#
if [ -n "${ALLOWDEVFILE_OPT}" ]; then
ALLOWDEVFILES=`expand_paths ALLOWDEVFILE_OPT`
fi
#
# Note: We do not look for hidden files here - that is,
# those beginning with a dot. Any hidden files will be
# picked up in the next check.
# Note2: Filenames can contain a colon (:), so we need to
# be careful in separating the filename from the file type.
# Note3: We have to cater for *BSD systems which may have
# fdesc/fdescfs mounted. If it is, then we must skip over
# any detected file descriptors.
#
FDESCFS=0
FOUNDFILES=""
if [ $BSDOS -eq 1 ]; then
RKHTMPVAR=`find_cmd mount`
if [ -n "${RKHTMPVAR}" ]; then
test -n "`${RKHTMPVAR} 2>/dev/null | egrep '^fdesc(fs)? .*(type fdesc|\(fdescfs\))'`" && FDESCFS=1
else
display --to LOG --type INFO NOT_FOUND_CMD 'mount'
fi
fi
if [ "${SCAN_MODE_DEV}" = "LAZY" ]; then
for RKHTMPVAR in /dev/*; do
test -d "${RKHTMPVAR}" -o -h "${RKHTMPVAR}" && continue
if [ $FDESCFS -eq 1 ]; then
test -n "`echo \"${RKHTMPVAR}/\" | grep '^/dev/fd/[0-9][0-9]*'`" && continue
fi
do_dev_whitelist_check
done
else
IFS=$IFSNL
for RKHTMPVAR in `${FIND_CMD} /dev ! -type d -a ! -type l 2>/dev/null`; do
if [ $FDESCFS -eq 1 ]; then
test -n "`echo \"${RKHTMPVAR}/\" | grep '^/dev/fd/[0-9][0-9]*'`" && continue
fi
test -z "`echo \"${RKHTMPVAR}\" | grep '/\.[^/]*$'`" && do_dev_whitelist_check
done
IFS=$RKHIFS
fi
#
# Now display the results.
#
FOUNDFILES=`echo "${FOUNDFILES}" | sed -e '/^$/d'`
if [ -z "${FOUNDFILES}" ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK
display --to LOG --type WARNING FILESYSTEM_DEV_FILE_FOUND '/dev'
IFS=$IFSNL
for RKHTMPVAR in ${FOUNDFILES}; do
FTYPE=`echo "${RKHTMPVAR}" | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`
FNAME=`echo "${RKHTMPVAR}" | sed -e 's/: [^:]*$//'`
display --to LOG --type PLAIN --log-indent 9 NAME "`name2text \"${FNAME}\"`: ${FTYPE}"
done
IFS=$RKHIFS
fi
fi
#
# Now we check various directories for hidden files and
# directories. We must have the 'file' command for this
# test to run.
#
# First we look in two sets of directories. One set we search
# recursively, using 'find', the other set we only search to
# one-level. If we have no 'find' command, then all the
# directories are only searched to one-level.
#
if [ -z "${FILE_CMD}" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 FILESYSTEM_HIDDEN_CHECK
if [ -n "`echo \"${DISABLED_CMDS}\" | grep ' file '`" ]; then
display --to LOG --type INFO DISABLED_CMD 'file'
else
display --to LOG --type INFO NOT_FOUND_CMD 'file'
fi
return
fi
FOUNDDIRS=""
FOUNDFILES=""
LOOKINDIRS=""
SHORTSEARCHDIRS="/usr /etc"
LONGSEARCHDIRS="/dev /bin /usr/man /usr/share/man /usr/bin /usr/sbin /sbin"
if [ -z "${FIND_CMD}" ]; then
SHORTSEARCHDIRS="${SHORTSEARCHDIRS} ${LONGSEARCHDIRS}"
LONGSEARCHDIRS=""
fi
for DIR in ${SHORTSEARCHDIRS}; do
if [ -d "${DIR}" ]; then
RKHTMPVAR=`ls -1d ${DIR}/.* 2>/dev/null | egrep -v '/\.\.?$'`
test -n "${RKHTMPVAR}" && LOOKINDIRS="${LOOKINDIRS}
${RKHTMPVAR}"
fi
done
for DIR in ${LONGSEARCHDIRS}; do
if [ -d "${DIR}" ]; then
RKHTMPVAR=`${FIND_CMD} "${DIR}" -name ".*" 2>/dev/null`
test -n "${RKHTMPVAR}" && LOOKINDIRS="${LOOKINDIRS}
${RKHTMPVAR}"
fi
done
#
# We expand the whitelisting options to ensure that any
# wildcard entries are the most recent.
#
if [ -n "${ALLOWHIDDENFILE_OPT}" ]; then
ALLOWHIDDENFILES=`expand_paths ALLOWHIDDENFILE_OPT`
fi
if [ -n "${ALLOWHIDDENDIR_OPT}" ]; then
ALLOWHIDDENDIRS=`expand_paths ALLOWHIDDENDIR_OPT`
fi
#
# Next we look for any whitelisted files and directories. We also
# exclude certain types of files.
#
IFS=$IFSNL
for FNAME in ${LOOKINDIRS}; do
if [ $FDESCFS -eq 1 ]; then
test -n "`echo \"${FNAME}/\" | grep '^/dev/fd/[0-9][0-9]*'`" && continue
fi
FTYPE=`${FILE_CMD} "${FNAME}" 2>&1 | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`
test -n "`echo \"${FTYPE}\" | egrep 'character special|block special|empty'`" && continue
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ -n "`echo \"${FTYPE}\" | grep 'directory'`" ]; then
if [ -n "`echo \"${ALLOWHIDDENDIRS}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILESYSTEM_HIDDEN_DIR_WL "`name2text \"${FNAME}\"`"
fi
else
FOUNDDIRS="${FOUNDDIRS}
${FNAME}: ${FTYPE}"
fi
else
if [ -n "`echo \"${ALLOWHIDDENFILES}\" | grep \"^${FNAMEGREP}$\"`" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILESYSTEM_HIDDEN_FILE_WL "`name2text \"${FNAME}\"`"
fi
else
FOUNDFILES="${FOUNDFILES}
${FNAME}: ${FTYPE}"
fi
fi
done
IFS=$RKHIFS
FOUNDDIRS=`echo "${FOUNDDIRS}" | sed -e '/^$/d'`
FOUNDFILES=`echo "${FOUNDFILES}" | sed -e '/^$/d'`
#
# Now display the results.
#
if [ -z "${FOUNDDIRS}" -a -z "${FOUNDFILES}" ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 FILESYSTEM_HIDDEN_CHECK
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_HIDDEN_CHECK
IFS=$IFSNL
for RKHTMPVAR in ${FOUNDDIRS}; do
FTYPE=`echo "${RKHTMPVAR}" | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`
FNAME=`echo "${RKHTMPVAR}" | sed -e 's/: [^:]*$//'`
if [ "${FTYPE}" = "directory" ]; then
display --to LOG --type WARNING FILESYSTEM_HIDDEN_DIR_FOUND "`name2text \"${FNAME}\"`"
else
display --to LOG --type WARNING FILESYSTEM_HIDDEN_DIR_FOUND "`name2text \"${FNAME}\"`: ${FTYPE}"
fi
done
for RKHTMPVAR in ${FOUNDFILES}; do
FTYPE=`echo "${RKHTMPVAR}" | ${AWK_CMD} -F':' '{ print $NF }' | cut -c2-`
FNAME=`echo "${RKHTMPVAR}" | sed -e 's/: [^:]*$//'`
display --to LOG --type WARNING FILESYSTEM_HIDDEN_FILE_FOUND "`name2text \"${FNAME}\"`: ${FTYPE}"
done
IFS=$RKHIFS
fi
#
# Next check if any configured log files are missing.
#
FOUNDFILES=""
if [ -n "${LOGFILE_MISSING}" ]; then
MISSINGFILES=""
for FNAME in ${LOGFILE_MISSING}; do
if [ ! -f "${FNAME}" ]; then
MISSINGFILES="${MISSINGFILES}
${FNAME}"
fi
done
#
# Now show the results.
#
MISSINGFILES=`echo "${MISSINGFILES}" | sed -e '/^$/d'`
if [ -z "${MISSINGFILES}" ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_MISSING --color GREEN --log-indent 2 --screen-indent 4 FILESYSTEM_LOGFILE_MISSING
else
FOUNDFILES="${MISSINGFILES}"
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_LOGFILE_MISSING
IFS=$IFSNL
for FNAME in ${MISSINGFILES}; do
display --to LOG --type WARNING FILESYSTEM_LOGFILE_MISSING_FOUND "`name2text \"${FNAME}\"`"
done
IFS=$RKHIFS
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 FILESYSTEM_LOGFILE_MISSING
display --to LOG --type INFO FILESYSTEM_LOGFILE_MISS_DISABLED
fi
#
# Next check if any configured log files are empty or missing.
#
if [ -n "${LOGFILE_EMPTY}" ]; then
EMPTYFILES=""
MISSINGFILES=""
for FNAME in ${LOGFILE_EMPTY}; do
if [ ! -f "${FNAME}" ]; then
#
# Only record a missing log file if the previous
# missing log file test didn't check it.
#
if [ -z "`echo \"${FOUNDFILES}\" | grep \"^${FNAME}$\"`" ]; then
MISSINGFILES="${MISSINGFILES}
${FNAME}"
fi
elif [ ! -s "${FNAME}" ]; then
EMPTYFILES="${EMPTYFILES}
${FNAME}"
fi
done
#
# Now show the results.
#
EMPTYFILES=`echo "${EMPTYFILES}" | sed -e '/^$/d'`
MISSINGFILES=`echo "${MISSINGFILES}" | sed -e '/^$/d'`
if [ -z "${EMPTYFILES}" -a -z "${MISSINGFILES}" ]; then
display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 FILESYSTEM_LOGFILE_EMPTY
else
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_LOGFILE_EMPTY
IFS=$IFSNL
for FNAME in ${EMPTYFILES}; do
display --to LOG --type WARNING FILESYSTEM_LOGFILE_EMPTY_FOUND "`name2text \"${FNAME}\"`"
done
for FNAME in ${MISSINGFILES}; do
display --to LOG --type WARNING FILESYSTEM_LOGFILE_MISSING_FOUND "`name2text \"${FNAME}\"`"
done
IFS=$RKHIFS
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type PLAIN --result SKIPPED --log-indent 2 FILESYSTEM_LOGFILE_EMPTY
display --to LOG --type INFO FILESYSTEM_LOGFILE_EMPTY_DISABLED
fi
return
}
do_local_host_checks() {
#
# This function carries out a sequence of tests on the local
# host.
#
if `check_test local_host`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST local_host
display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_LOCALHOST
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST local_host
fi
return
fi
#
# We start by performing checks on the startup files.
#
do_system_startup_file_checks
#
# Now we check the /etc/passwd file, and run some checks
# on the accounts and groups.
#
do_group_accounts_check
#
# Next check some of the system configuration files.
#
do_system_config_files_check
#
# Finally check the filesystem for hidden files, directories etc.
#
do_filesystem_check
keypresspause
return
}
do_app_checks() {
#
# This function carries out a sequence of application checks.
#
if `check_test apps`; then
display --to LOG --type INFO --screen-nl --nl STARTING_TEST apps
else
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO --nl USER_DISABLED_TEST apps
fi
return
fi
#
# First we check that our apps data file is usable.
#
if [ ! -e "${DB_PATH}/programs_bad.dat" -o ! -s "${DB_PATH}/programs_bad.dat" ]; then
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING CHECK_APPS
display --to LOG --type WARNING APPS_DAT_MISSING "${DB_PATH}/programs_bad.dat"
return
elif [ ! -f "${DB_PATH}/programs_bad.dat" -o -h "${DB_PATH}/programs_bad.dat" ]; then
display --to SCREEN+LOG --type PLAIN --color RED --result WARNING CHECK_APPS
display --to LOG --type WARNING APPS_DAT_NOTAFILE "${DB_PATH}/programs_bad.dat"
return
fi
display --to SCREEN+LOG --type PLAIN --color YELLOW --nl-after CHECK_APPS
#
# We loop through the applications and obtain the version number.
# This is then checked against the file of known bad versions.
# We build up a list of application names, the version number,
# and whether it is known to be bad or not. When this has all
# been done, we then display the results.
#
# The results line for each application is made up of percent (%)
# delimited fields. They are:
#
# application%description%version%if known bad%whole version number
#
# A 'version' number of '-1' means the application was not found.
#
# An 'if known bad' number of:
#
# '-1' means a specific version of the application is whitelisted,
# '-2' means the application is whitelisted, regardless of version.
#
APPS_COUNT=0
APP_RESULTS=""
APP_NAMES="exim:Exim MTA
gpg:GnuPG
httpd:Apache
named:Bind DNS
openssl:OpenSSL
php:PHP
procmail:Procmail MTA
proftpd:ProFTPD
sshd:OpenSSH"
APPS_TOTAL_COUNT=`echo "${APP_NAMES}" | wc -l | tr -d ' '`
IFS=$IFSNL
for APP in ${APP_NAMES}; do
APP=`echo ${APP} | sed -e 's/^[ ]*//'`
APPLICATION=`echo ${APP} | cut -d: -f1`
APPLICATION_DESC=`echo ${APP} | cut -d: -f2-`
IFS=$RKHIFS
APP_CMD_FOUND=`find_cmd ${APPLICATION}`
IFS=$IFSNL
if [ -z "${APP_CMD_FOUND}" ]; then
APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%-1"
continue
fi
#
# Find out the version of the application.
#
APPS_COUNT=`expr ${APPS_COUNT} + 1`
VERSION=""
WHOLE_VERSION=""
#
# Applications which are whitelisted completely (no specific
# version number), are handled first.
#
if [ -n "`echo \"${APP_WHITELIST}\" | grep \" ${APPLICATION} \"`" ]; then
APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%0%-2"
else
case "${APPLICATION}" in
exim)
WHOLE_VERSION=`${APP_CMD_FOUND} -bV 2>/dev/null`
VERSION=`echo "${WHOLE_VERSION}" | grep '^Exim version [0-9]' | ${AWK_CMD} '{ print $3 }'`
;;
gpg)
WHOLE_VERSION=`${APP_CMD_FOUND} --version --homedir / 2>/dev/null`
VERSION=`echo "${WHOLE_VERSION}" | grep 'GnuPG' | ${AWK_CMD} '{ print $3 }'`
;;
httpd)
WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>/dev/null`
VERSION=`echo "${WHOLE_VERSION}" | grep -i '^Server version:[ ][ ]*Apache/[0-9]' | cut -d' ' -f3 | cut -d'/' -f2`
;;
named)
WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>/dev/null`
VERSION=`echo "${WHOLE_VERSION}" | egrep '^(named|BIND)[ ][ ]*[0-9]' | grep -v '/' | ${AWK_CMD} '{ print $2 }'`
if [ -n "`echo \"${VERSION}\" | grep '^[^-]*\.[0-9][0-9]*-P[^-]*-'`" ]; then
VERSION=`echo "${VERSION}" | cut -d'-' -f1-2`
elif [ -n "`echo \"${VERSION}\" | grep '^[^-]*\.[0-9][0-9]*-[^P]'`" ]; then
VERSION=`echo "${VERSION}" | cut -d'-' -f1`
fi
if [ -z "${VERSION}" ]; then
VERSION=`${APP_CMD_FOUND} -v | ${AWK_CMD} '{ print $2 }'`
fi
;;
openssl)
WHOLE_VERSION=`${APP_CMD_FOUND} version 2>/dev/null`
VERSION=`echo "${WHOLE_VERSION}" | grep '^OpenSSL[ ][ ]*[0-9]' | cut -d' ' -f2`
if [ -n "`echo \"${VERSION}\" | grep '^[^-]*-fips'`" ]; then
VERSION=`echo "${VERSION}" | cut -d'-' -f1`
fi
;;
php)
WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>/dev/null`
VERSION=`echo "${WHOLE_VERSION}" | grep '^PHP[ ][ ]*[0-9]' | ${AWK_CMD} '{ print $2 }' | cut -d'-' -f1`
;;
procmail)
WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>&1`
VERSION=`echo "${WHOLE_VERSION}" | grep '^procmail[ ][ ]*v[0-9]' | ${AWK_CMD} '{ print $2 }' | sed -e 's/^v//'`
;;
proftpd)
WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>&1`
VERSION=`echo "${WHOLE_VERSION}" | sed -e 's/^.*\(ProFTPD.*\)$/\1/' | grep '^ProFTPD[ ][ ]*Version[ ][ ]*[0-9]' | ${AWK_CMD} '{ print $3 }'`
;;
sshd)
WHOLE_VERSION=`${APP_CMD_FOUND} -t -d 2>&1`
VERSION=`echo "${WHOLE_VERSION}" | grep 'sshd version OpenSSH' | sed -e 's/^.*sshd version OpenSSH_//' | cut -d' ' -f1`
if [ -n "`echo \"${VERSION}\" | grep '+'`" ]; then
VERSION=`echo "${VERSION}" | cut -d'+' -f1`
fi
;;
esac
VERSION=`echo "${VERSION}" | tr -d '\r'`
WHOLE_VERSION=`echo "${WHOLE_VERSION}" | tr -d '\r'`
if [ -z "${VERSION}" ]; then
WHOLE_VERSION=`echo "${WHOLE_VERSION}" | tr '\n' '%'`
APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%%0%${WHOLE_VERSION}"
continue
fi
#
# Now see if the application version is known to be bad.
#
RKHTMPVAR=`echo "${VERSION}" | sed -e 's/\./\\\./g'`
if [ -n "`echo \"${APP_WHITELIST}\" | grep -i \" ${APPLICATION}:${RKHTMPVAR} \"`" ]; then
APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%${VERSION}%-1"
elif [ -n "`egrep -i \"^${APPLICATION}:.* ${RKHTMPVAR}( |$)\" \"${DB_PATH}/programs_bad.dat\" 2>&1`" ]; then
APPS_FAILED_COUNT=`expr ${APPS_FAILED_COUNT} + 1`
APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%${VERSION}%1"
else
APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%${VERSION}%0"
fi
fi
done
IFS=$RKHIFS
#
# Now display the results.
#
if [ $APPS_COUNT -eq 0 ]; then
display --to SCREEN+LOG --type PLAIN --color YELLOW --nl --result SKIPPED CHECK_APPS
display --to LOG --type INFO APPS_NONE_FOUND
else
IFS=$IFSNL
for RKHTMPVAR in ${APP_RESULTS}; do
APPLICATION=`echo "${RKHTMPVAR}" | cut -d% -f1`
APPLICATION_DESC=`echo "${RKHTMPVAR}" | cut -d% -f2`
VERSION=`echo "${RKHTMPVAR}" | cut -d% -f3`
if [ -z "${VERSION}" ]; then
WHOLE_VERSION=`echo "${RKHTMPVAR}" | cut -d% -f5- | tr '%' '\n'`
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
if [ -n "${WHOLE_VERSION}" ]; then
display --to LOG --type INFO APPS_CHECK_WHOLE_VERSION_USED "${APPLICATION}" "${WHOLE_VERSION}"
else
display --to LOG --type INFO APPS_CHECK_VERSION_UNKNOWN "${APPLICATION}"
fi
elif [ "${VERSION}" = "-1" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO APPS_NOT_FOUND "${APPLICATION}"
fi
else
ISBAD=`echo "${RKHTMPVAR}" | cut -d% -f4`
if [ -n "`echo $ECHOOPT \"${ISBAD}\" | grep '[^-0-9]'`" ]; then
display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
display --to LOG --type INFO APPS_CHECK_VERSION_UNKNOWN "${APPLICATION}"
elif [ $ISBAD -eq -2 ]; then
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO APPS_CHECK_WL "${APPLICATION}"
fi
elif [ $ISBAD -eq -1 ]; then
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO APPS_CHECK_VERSION_WL "${APPLICATION}" "${VERSION}"
fi
elif [ $ISBAD -eq 1 ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
display --to LOG --type WARNING APPS_CHECK_FOUND "${APPLICATION}" "${VERSION}"
else
display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO APPS_CHECK_VERSION_FOUND "${APPLICATION}" "${VERSION}"
fi
fi
fi
done
IFS=$RKHIFS
fi
display --to LOG --type INFO APPS_TOTAL_COUNT $APPS_COUNT $APPS_TOTAL_COUNT
return
}
display_check_summary() {
#
# This function displays a short summary of some of the
# groups of checks performed.
#
if [ $QUIET -eq 0 -o \( $SHOWWARNINGSONLY -eq 1 -a $WARNING_COUNT -gt 0 \) ]; then
RKHTMPVAR=2
else
RKHTMPVAR=1
fi
display --to SCREEN+LOG --type PLAIN --nl ${RKHTMPVAR} SUMMARY_TITLE1
display --to SCREEN+LOG --type PLAIN SUMMARY_TITLE2
#
# Do file properties summary.
#
display --to SCREEN+LOG --type PLAIN --nl SUMMARY_PROP_SCAN
if `check_test properties`; then
if [ $SUMMARY_PROP_REQCMDS -eq 1 ]; then
display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_PROP_REQCMDS
fi
display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_PROP_COUNT $PROP_FILE_LIST_COUNT
display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_PROP_FAILED $PROP_FAILED_COUNT
else
display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_CHKS_SKIPPED
fi
#
# Do rootkit checks summary.
#
display --to SCREEN+LOG --type PLAIN --nl SUMMARY_RKT_SCAN
if `check_test rootkits || check_test startup_files` || test $ROOTKIT_COUNT -gt 0; then
RKHTMPVAR2=""
if [ -n "${ROOTKIT_FAILED_NAMES}" ]; then
ROOTKIT_FAILED_NAMES=`echo "${ROOTKIT_FAILED_NAMES}" | sed -e 's/, */,/g; s/,$//'`
IFS=","
for RTKT_NAME in ${ROOTKIT_FAILED_NAMES}; do
if [ -z "`echo \" ${RKHTMPVAR2},\" | grep \" ${RTKT_NAME},\"`" ]; then
RKHTMPVAR2="${RKHTMPVAR2}${RTKT_NAME}, "
else
ROOTKIT_FAILED_COUNT=`expr $ROOTKIT_FAILED_COUNT - 1`
fi
done
IFS=$RKHIFS
RKHTMPVAR2=`echo "${RKHTMPVAR2}" | sed -e 's/, $//'`
fi
display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_RKT_COUNT $ROOTKIT_COUNT
display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_RKT_FAILED $ROOTKIT_FAILED_COUNT
test -n "${RKHTMPVAR2}" && display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_RKT_NAMES "${RKHTMPVAR2}"
else
display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_CHKS_SKIPPED
fi
#
# Do application check summary.
#
display --to SCREEN+LOG --type PLAIN --nl SUMMARY_APPS_SCAN
if `check_test apps`; then
display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_APPS_COUNT $APPS_COUNT
display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_APPS_FAILED $APPS_FAILED_COUNT
else
display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_CHKS_SKIPPED
fi
#
# Display the amount of time the system check took.
#
if [ $SHOW_SUMMARY_TIME -gt 0 ]; then
if [ $SHOW_SUMMARY_TIME -eq 1 ]; then
RKHTMPVAR="SCREEN"
elif [ $SHOW_SUMMARY_TIME -eq 2 ]; then
RKHTMPVAR="LOG"
else
RKHTMPVAR="SCREEN+LOG"
fi
if [ $BEGINTIME -eq 0 ]; then
display --to ${RKHTMPVAR} --type PLAIN --nl SUMMARY_NO_SCAN_TIME
else
display --to ${RKHTMPVAR} --type PLAIN --nl SUMMARY_SCAN_TIME "${TOTAL_SCANTIME}"
fi
fi
#
# Display where the log file is located, if there is one.
#
if [ $NOLOG -eq 0 ]; then
display --to SCREEN --type PLAIN --nl --nl-after SUMMARY_LOGFILE "${RKHLOGFILE}"
else
display --to SCREEN --type PLAIN --nl --nl-after SUMMARY_NO_LOGFILE
fi
return
}
do_system_check() {
#
# This function performs the various rootkit and security checks
# for the program. We start by initialising variables used for
# the rootkit checks.
#
display --to LOG --type PLAIN --nl CHECK_START
do_system_check_initialisation
#
# Next, for Solaris we see if we are running Solaris 10 or not.
# This can be useful to know in some of the tests since we will
# use different mechanisms on Solaris 10 from those on Solaris
# 9 and before.
#
SOL_PROC=0
SOLARISX=""
if [ $SUNOS -eq 1 ]; then
#
# If we are running Solaris 10, then see if we have the
# command pathname available.
#
# Solaris 10 and above should have the 'a.out' file
# present. We use the PID of 1 here since it should exist
# on all systems.
#
# If we are running Solaris 10 (or above), then we add
# the '-X' option to the 'lsof' command in order to get
# the deleted files.
#
if [ -h "/proc/1/path/a.out" ]; then
SOLARISX='-X'
test $HAVE_READLINK -eq 1 && SOL_PROC=1
fi
fi
#
# Record the start time if we can. The total time taken for
# scanning will only be calculated and displayed if the
# start time can be set.
#
BEGINTIME=0
ENDTIME=0
if [ -n "$SECONDS" ]; then
BEGINTIME=`echo $SECONDS | cut -d. -f1`
elif [ $BSDOS -eq 1 -o $BUSYBOX -eq 1 ]; then
BEGINTIME=`date +%s`
elif [ -n "${PERL_CMD}" ]; then
BEGINTIME=`${PERL_CMD} -e 'printf "%d\n", time;'`
fi
#
# Send a start message to syslog if the user requested that.
#
if [ -n "${USE_SYSLOG}" ]; then
${LOGGER_CMD} -t "${LOGGER_TAG}" -p ${USE_SYSLOG} "Rootkit hunter check started (version ${PROGRAM_version})"
fi
#
# We start with checks of some of the commands (binaries) and
# libraries on the system, to make sure that they have not
# been tampered with.
#
do_system_commands_checks
#
# Next are the rootkit checks.
#
do_rootkit_checks
#
# Next are some network port, and interface checks.
#
do_network_checks
#
# Next are checks of the files for the local host.
#
do_local_host_checks
#
# Next are checks on specific applications.
#
do_app_checks
#
# Now record the end time.
#
if [ $BEGINTIME -ne 0 ]; then
if [ -n "$SECONDS" ]; then
ENDTIME=`echo $SECONDS | cut -d. -f1`
elif [ $BSDOS -eq 1 -o $BUSYBOX -eq 1 ]; then
ENDTIME=`date +%s`
else
ENDTIME=`${PERL_CMD} -e 'printf "%d\n", time;'`
fi
TOTAL_SCANTIME=`expr ${ENDTIME} - ${BEGINTIME}`
TOTALMINS=`expr ${TOTAL_SCANTIME} / 60`
TOTALSECS=`expr ${TOTAL_SCANTIME} % 60`
if [ $TOTALMINS -gt 0 ]; then
if [ $TOTALMINS -eq 1 ]; then
TOTAL_SCANTIME="${TOTALMINS} minute and "
else
TOTAL_SCANTIME="${TOTALMINS} minutes and "
fi
else
TOTAL_SCANTIME=""
fi
if [ $TOTALSECS -eq 1 ]; then
TOTAL_SCANTIME="${TOTAL_SCANTIME}${TOTALSECS} second"
else
TOTAL_SCANTIME="${TOTAL_SCANTIME}${TOTALSECS} seconds"
fi
fi
#
# Display the summary of the results.
#
RKH_WARN_DISPLYD=0
if [ $SHOW_SUMMARY -eq 1 ]; then
#
# Unfortunately we need to do a kludge here!
# The user may have used the '--quiet' option,
# so we need to force the summary to be displayed.
# By resetting the NOTTY variable we can get
# the output shown.
#
OLD_NOTTY=$NOTTY
test $SHOW_SUMMARY_OPT -eq 1 && NOTTY=0
display_check_summary
if [ $SHOW_SUMMARY_WARNINGS_NUMBER -eq 0 ]; then
if [ $WARNING_COUNT -eq 0 ]; then
display --to SCREEN --type PLAIN --nl-after CHECK_WARNINGS_NOT_FOUND
else
RKH_WARN_DISPLYD=1
display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND
fi
else
if [ $WARNING_COUNT -eq 0 ]; then
display --to SCREEN --type PLAIN --nl-after CHECK_WARNINGS_NOT_FOUND0
else
RKH_WARN_DISPLYD=1
if [ $WARNING_COUNT -eq 1 ]; then
display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND_NUMBER1
else
display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND_NUMBER "$WARNING_COUNT"
fi
fi
fi
if [ $WARNING_COUNT -gt 0 ]; then
if [ $NOLOG -eq 1 ]; then
display --to SCREEN --type PLAIN --nl-after CHECK_WARNINGS_FOUND_RERUN
else
display --to SCREEN --type PLAIN --nl-after CHECK_WARNINGS_FOUND_CHK_LOG "${RKHLOGFILE}"
fi
fi
NOTTY=$OLD_NOTTY
fi
#
# Send a finish message to syslog if the user requested that.
#
if [ -n "${USE_SYSLOG}" ]; then
${LOGGER_CMD} -t "${LOGGER_TAG}" -p ${USE_SYSLOG} "Scanning took ${TOTAL_SCANTIME}"
fi
#
# If some warning or error has been seen, then make sure the
# user is told about it. We also set the return code, to allow
# the user to detect it being non-zero.
#
if [ $WARNING_COUNT -gt 0 ]; then
if [ $SHOWWARNINGSONLY -eq 1 -a $RKH_WARN_DISPLYD -eq 0 ]; then
#
# Unfortunately we need to do a kludge again!
# By requesting that only warnings are shown,
# the following output would not normally be
# displayed (because they are not warnings).
#
OLD_NOTTY=$NOTTY
NOTTY=0
if [ $SHOW_SUMMARY_WARNINGS_NUMBER -eq 0 ]; then
display --to SCREEN --type PLAIN --nl CHECK_WARNINGS_FOUND
else
if [ $WARNING_COUNT -eq 1 ]; then
display --to SCREEN --type PLAIN --nl CHECK_WARNINGS_FOUND_NUMBER1
else
display --to SCREEN --type PLAIN --nl CHECK_WARNINGS_FOUND_NUMBER "$WARNING_COUNT"
fi
fi
if [ $NOLOG -eq 1 ]; then
display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND_RERUN
else
display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND_CHK_LOG "${RKHLOGFILE}"
fi
NOTTY=$OLD_NOTTY
fi
if [ -n "${USE_SYSLOG}" ]; then
${LOGGER_CMD} -t "${LOGGER_TAG}" -p ${USE_SYSLOG} "Please inspect this machine, because it may be infected."
fi
if [ -n "${MAILONWARNING}" ]; then
eval "echo 'Please inspect this machine, because it may be infected.' | ${MAIL_CMD} ${MAILONWARNING}"
fi
RET_CODE=1
fi
return
}
check_os_info() {
#
# This function checks the current O/S information against
# that stored in the rkhunter.dat file. Any change could
# mean that the file properties checks could give several
# false-positive answers. As such we warn users that
# a change has occurred.
#
OS_CHANGED=0
display --to LOG --type PLAIN --nl OSINFO_START
#
# First check if the host name has changed.
#
if [ $WARN_ON_OS_CHANGE -eq 1 ]; then
IND_COUNT=9
OSINFO_WARNING="WARNING"
else
IND_COUNT=6
OSINFO_WARNING="INFO"
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO FILE_PROP_NO_OS_WARNING
fi
fi
OLD_HOST=`grep '^Host:' "${RKHDAT_FILE}" | cut -d: -f2-`
if [ "${HOST_NAME}" != "${OLD_HOST}" ]; then
OS_CHANGED=1
display --to LOG --type "${OSINFO_WARNING}" OSINFO_HOST_CHANGE1
display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_HOST_CHANGE2 "${OLD_HOST}" "${HOST_NAME}"
fi
#
# Next check if the O/S name has changed.
#
OLD_OSNAME=`grep '^OS:' "${RKHDAT_FILE}" | cut -d: -f2-`
if [ "${OSNAME}" != "${OLD_OSNAME}" ]; then
OS_CHANGED=1
display --to LOG --type "${OSINFO_WARNING}" OSINFO_OSVER_CHANGE1
display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_OSVER_CHANGE2 "${OLD_OSNAME}" "${OSNAME}"
fi
#
# Check if the prelinking status has changed.
#
if [ -z "`grep '^Prelinked:Yes' \"${RKHDAT_FILE}\"`" ]; then
OLD_PRELINK=0
else
OLD_PRELINK=1
fi
if [ $PRELINKED -ne $OLD_PRELINK ]; then
OS_CHANGED=1
if [ $PRELINKED -eq 1 ]; then
display --to LOG --type "${OSINFO_WARNING}" OSINFO_PRELINK_CHANGE ''
else
display --to LOG --type "${OSINFO_WARNING}" OSINFO_PRELINK_CHANGE 'not '
fi
fi
#
# Check if the system architecture has changed. We treat
# the i386-type architectures as the same. We also treat
# the sun-type archictures the same as 'sparc'.
#
OLD_ARCH=`grep '^Arch:' "${RKHDAT_FILE}" | cut -d: -f2-`
if [ -n "`echo ${OLD_ARCH} | grep 'i[0-9]86'`" ]; then
OLD_ARCH_TYPE="i386"
elif [ -n "`echo ${OLD_ARCH} | grep 'sun[0-9][a-z]'`" -o -n "`echo ${OLD_ARCH} | grep 'sparc'`" ]; then
OLD_ARCH_TYPE="sparc"
else
OLD_ARCH_TYPE=$OLD_ARCH
fi
if [ -n "`echo ${ARCH} | grep 'i[0-9]86'`" ]; then
ARCH_TYPE="i386"
elif [ -n "`echo ${ARCH} | grep 'sun[0-9][a-z]'`" -o -n "`echo ${ARCH} | grep 'sparc'`" ]; then
ARCH_TYPE="sparc"
else
ARCH_TYPE=$ARCH
fi
if [ "${OLD_ARCH_TYPE}" != "${ARCH_TYPE}" ]; then
OS_CHANGED=1
display --to LOG --type "${OSINFO_WARNING}" OSINFO_ARCH_CHANGE1
display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_ARCH_CHANGE2 "${OLD_ARCH}" "${ARCH}"
fi
if [ $OS_CHANGED -eq 1 ]; then
display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_MSG1
if [ $UPDT_ON_OS_CHANGE -eq 0 ]; then
display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_MSG2
test $WARN_ON_OS_CHANGE -eq 1 && display --to LOG --type WARNING --nl PROPUPD_WARN
else
PROP_UPDATE=1
display --to LOG --type INFO OSINFO_DO_UPDT
fi
else
display --to LOG --type INFO OSINFO_END
fi
return
}
set_file_prop_dirs_files() {
#
# This function sets up the list of directories we look in,
# and the list of files we look for, in order to perform
# the file properties checks.
#
# Any non-existent files are simply left in for the checks
# to skip over. However, any symbolic links are expanded and
# the result of the link is added to the list. This avoids
# any attempt to simply replace a link, and avoid it being
# detected by the file hash value check.
#
# We also check to see if any of the directories are links.
# If it is then we add the link target directory.
#
PROP_DIR_LIST=""
#
# We have to change BINDIR to a newline-separated list here
# because USER_DIR_LIST is one. If USER_DIR_LIST contained
# a space anywhere, then the directories would not be searched.
#
BINPS=`echo ${BINPATHS} | tr ' ' '\n'`
IFS=$IFSNL
for DIR in ${BINPS} ${USER_DIR_LIST}; do
test ! -d "${DIR}" && continue
if [ -h "${DIR}" -a $HAVE_READLINK -eq 1 ]; then
LINKDIR=`${READLINK_CMD} ${READLINK_OPT} "${DIR}"`
else
LINKDIR="${DIR}"
fi
if [ -z "`echo \"${PROP_DIR_LIST}\" | grep \"^${LINKDIR}$\"`" ]; then
PROP_DIR_LIST="${PROP_DIR_LIST}
${LINKDIR}"
fi
done
IFS=$RKHIFS
PROP_FILE_LIST="adduser amd awk basename bash bget cat chattr checkproc
chkconfig chmod chown chroot cp cron csh curl cut date depmod df
diff dirname dmesg dpkg dpkg-query du echo ed egrep elinks env fgrep
file find fsck fuser GET grep groupadd groupdel groupmod groups grpck head id
ifconfig ifdown ifstatus ifup inetd init insmod ip ipcs kallsyms kill
killall ksyms kudzu last lastlog ldd less links locate logger login
ls lsattr lsmod lsof lynx mail md5 md5sum mktemp mlocate modinfo
modload modprobe modstat modunload more mount mv netstat newgrp
newsyslog nologin passwd perl pgrep ping pkg pkgdb pkg_info pkill prelink ps pstree
pwck pwd readlink rkhunter rmmod route rpm rsyslogd runcon runlevel sed sestatus sh
sha1 sha1sum sha224 sha224sum sha256 sha256sum sha384 sha384sum sha512
sha512sum size skdet slocate sockstat sort ssh sshd stat strace strings su sudo
sulogin sysctl syslogd systat tail tcpd telnet test top touch tr uname
uniq useradd userdel usermod users vipw vmstat w watch wc wget whatis
whereis which who whoami xinetd"
#
# We add in some extra commands to check depending on the O/S.
#
case "${OPERATING_SYSTEM}" in
SunOS)
PROP_FILE_LIST="${PROP_FILE_LIST} gawk gbasename gcat gchmod gchown
gcksum gcp gcut gdate gdiff gdiff3 gdirname gdu gecho
gegrep genv gfile gfind ggrep ggroups ghead gid glocate
gls gmd5sum gmv gpwd gsed gsize gsort gstrings gsum
gtail gtest gtouch guname guniq gusers gwc gwho gwhoami
inetadm nawk truss unhide unhide-posix unhide-tcp"
;;
FreeBSD|DragonFly)
PROP_FILE_LIST="${PROP_FILE_LIST} fstat kldload kldstat kldunload procstat
unhide unhide-posix unhide-tcp"
;;
*BSD)
PROP_FILE_LIST="${PROP_FILE_LIST} unhide unhide-posix unhide-tcp"
;;
Linux)
PROP_FILE_LIST="${PROP_FILE_LIST} unhide unhide-linux unhide-posix unhide-tcp numfmt"
if [ -n "`echo \"${UNAME_R}\" | grep '^2\.6'`" ]; then
PROP_FILE_LIST="${PROP_FILE_LIST} unhide-linux26"
fi
;;
Darwin)
PROP_FILE_LIST="${PROP_FILE_LIST} shasum launchctl dscl gnumfmt"
;;
esac
#
# Next we quickly loop through the user supplied list of files,
# and ignore any that are already in the builtin list. At this
# point we also change PROP_FILE_LIST from a space-separated
# list to a newline-separated one. We have to do this because
# we are about to add in the user-supplied pathnames.
#
PROP_FILE_LIST=`echo ${PROP_FILE_LIST} | tr ' ' '\n'`
if [ -n "${USER_SIMPLE_FILE_LIST}" ]; then
RKHTMPVAR=""
IFS=$IFSNL
for FNAME in ${USER_SIMPLE_FILE_LIST}; do
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
test -z "`echo \"${PROP_FILE_LIST}\" | grep \"^${FNAMEGREP}$\"`" && RKHTMPVAR="${RKHTMPVAR}
${FNAME}"
done
IFS=$RKHIFS
USER_SIMPLE_FILE_LIST=`echo "${RKHTMPVAR}" | sed -e '/^$/d'`
if [ -n "${USER_SIMPLE_FILE_LIST}" ]; then
PROP_FILE_LIST="${PROP_FILE_LIST}
${USER_SIMPLE_FILE_LIST}"
fi
fi
#
# Now loop through the file list and look for any
# symbolic links. If a link is found, then add on
# the file and directory that the link points to.
#
if [ $HAVE_READLINK -eq 1 ]; then
EXTRA_DIRS=""
EXTRA_FILES=""
IFS=$IFSNL
for DIR in ${PROP_DIR_LIST}; do
for FNAME in ${PROP_FILE_LIST}; do
if [ -h "${DIR}/${FNAME}" ]; then
RKHTMPVAR=`${READLINK_CMD} ${READLINK_OPT} "${DIR}/${FNAME}"`
test ! -f "${RKHTMPVAR}" && continue
#
# Get the link target directory name.
#
test -n "${DIRNAME_CMD}" && LINKDIR=`${DIRNAME_CMD} "${RKHTMPVAR}"` || LINKDIR=`echo "${RKHTMPVAR}" | sed -e 's:/[^/]*$::'`
#
# Now see if we already have the directory listed.
# If not, then we add it on.
#
RKHTMPVAR3="${PROP_DIR_LIST}
${EXTRA_DIRS}"
if [ -z "`echo \"${RKHTMPVAR3}\" | grep \"^${LINKDIR}$\"`" ]; then
EXTRA_DIRS="${EXTRA_DIRS}
${LINKDIR}"
fi
#
# Now get the link target file name.
#
LINKFNAME=`echo "${RKHTMPVAR}" | sed -e 's:^.*/::'`
FNAMEGREP=`echo "${LINKFNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
#
# And finally check if we already have it listed.
#
RKHTMPVAR3="${PROP_FILE_LIST}
${EXTRA_FILES}"
if [ -z "`echo \"${RKHTMPVAR3}\" | grep \"^${FNAMEGREP}$\"`" ]; then
EXTRA_FILES="${EXTRA_FILES}
${LINKFNAME}"
fi
fi
done
done
IFS=$RKHIFS
EXTRA_DIRS=`echo "${EXTRA_DIRS}" | sed -e '/^$/d'`
EXTRA_FILES=`echo "${EXTRA_FILES}" | sed -e '/^$/d'`
test -n "${EXTRA_DIRS}" && PROP_DIR_LIST="${PROP_DIR_LIST}
${EXTRA_DIRS}"
test -n "${EXTRA_FILES}" && PROP_FILE_LIST="${PROP_FILE_LIST}
${EXTRA_FILES}"
fi
PROP_FILE_LIST_TOTAL=`echo "${PROP_FILE_LIST}" | wc -l | tr -d ' '`
return
}
check_test() {
#
# This function will check whether a given test name should
# be run or not. It returns 0 if the test is to be run,
# and 1 if it is not.
#
if [ "${ENABLE_TESTS}" = "all" -o -n "`echo \" ${ENABLE_TESTS} \" | grep \" $1 \"`" ]; then
if [ "${DISABLE_TESTS}" = "none" -o -z "`echo \" ${DISABLE_TESTS} \" | grep \" $1 \"`" ]; then
return 0
fi
fi
return 1
}
display_tests() {
#
# This function is used to simply output all the available
# tests and test group names. If a group name itself contains
# a group name, then that second group name is omitted. It
# could be confusing if it was included.
#
RKHTMPVAR2=`echo "all none ${KNOWN_TESTS}" | tr ' ' '\n' | sort | tr '\n' ' '`
GROUPED_TESTS=`echo "${GROUPED_TESTS}" | tr ' ' '\n' | sort | tr '\n' ' '`
display --to SCREEN --type PLAIN --nl LIST_TESTS
while test -n "${RKHTMPVAR2}"; do
STR=`echo ${RKHTMPVAR2} | cut -d' ' -f1-6`
RKHTMPVAR2=`echo ${RKHTMPVAR2} | cut -d' ' -f7-`
echo " ${STR}"
test "${STR}" = "${RKHTMPVAR2}" && RKHTMPVAR2=""
done
display --to SCREEN --type PLAIN --nl LIST_GROUPED_TESTS
#
# Sort out the maximum group name length, so we can do some
# simple formatting of the output.
#
MAX=0
for STR in ${GROUPED_TESTS}; do
LEN=`echo "${STR}" | cut -d: -f1 | wc -c | tr -d ' '`
test $LEN -gt $MAX && MAX=$LEN
done
#
# Now loop through the group names.
#
RKHTMPVAR2=" `echo ${GROUPED_TESTS}`"
for STR in ${GROUPED_TESTS}; do
TEST_NAMES=""
GROUP_NAME=`echo "${STR}" | cut -d: -f1`
#
# Add on spaces to expand the group name to the maximum.
#
LEN=`echo "${GROUP_NAME}" | wc -c | tr -d ' '`
LEN=`expr $MAX - $LEN`
test $LEN -gt 0 && GROUP_NAME="${GROUP_NAME} `echo \"${BLANK_LINE}\" | cut -d' ' -f1-$LEN`"
#
# Check through the list of tests for this group name.
# If the test name is a group name itself, then go to
# the next test name, otherwise add it to our list of
# test names.
#
for TEST in `echo "${STR}" | cut -d: -f2- | tr ':' ' '`; do
RKHTMPVAR=`echo "${RKHTMPVAR2}" | grep " ${TEST}:"`
if [ -z "${RKHTMPVAR}" ]; then
TEST_NAMES="${TEST_NAMES}:${TEST}"
else
continue
fi
done
#
# Finally, sort our list of test names and display them.
#
TEST_NAMES=`echo "${TEST_NAMES}" | sed -e 's/^://' | tr ':' '\n' | sort | tr '\n' ' '`
echo " ${GROUP_NAME} => ${TEST_NAMES}"
done
return
}
display_languages() {
#
# This function is used to simply output all the available
# languages in a basic format of 10 per line.
#
KNOWN_LANGS=`ls -1 ${DB_PATH}/i18n 2>/dev/null | sort`
display --to SCREEN --type PLAIN --nl LIST_LANGS
while test -n "${KNOWN_LANGS}"; do
STR=`echo ${KNOWN_LANGS} | cut -d' ' -f1-10`
KNOWN_LANGS=`echo ${KNOWN_LANGS} | cut -d' ' -f11-`
echo " ${STR}"
test "${STR}" = "${KNOWN_LANGS}" && KNOWN_LANGS=""
done
return
}
display_perl_modules() {
#
# This function is used to display the status of
# the installed perl modules which may be required.
#
display --to SCREEN --type PLAIN --nl LIST_PERL
for MODNAME in perl ${LIST_MODULES}; do
if [ "${MODNAME}" = "perl" ]; then
MODNAME="perl command"
test -n "${PERL_CMD}" && MOD_INSTALLED="" || MOD_INSTALLED="NOT installed"
else
MOD_INSTALLED=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" ${MODNAME} 2>/dev/null | grep 'NOT installed'`
fi
MODLEN=`echo "${MODNAME}" | wc -c | tr -d ' '`
NUM_SPACES=`expr 28 - ${MODLEN}`
test $NUM_SPACES -lt 1 && NUM_SPACES=1
SPACES=`echo "${BLANK_LINE}" | cut -c1-$NUM_SPACES`
if [ -z "${MOD_INSTALLED}" ]; then
echo $ECHOOPT " ${MODNAME}${SPACES}Installed"
else
echo $ECHOOPT " ${MODNAME}${SPACES} MISSING"
fi
test "${MODNAME}" = "perl command" -a -z "${PERL_CMD}" && break
done
return
}
display_propfiles() {
#
# This function is used to display the list of files which
# would be searched for when using the '--propupd' function.
#
# Get any user-supplied files and directories.
get_user_fileprop_list
# Get the builtin list of files and directories.
set_file_prop_dirs_files
# Create the file of entries used by the '--propupd' function.
create_rkh_file_prop_list
# Finally just dump out the list of file names.
${AWK_CMD} -F'/' '{ print $NF }' "${RKH_FILEPROP_LIST}" | sort | uniq
return
}
display_rootkits() {
#
# This function is used to simply output all the rootkit
# names which rkhunter will check for.
#
RKHTMPVAR2=`echo ${KNOWN_ROOTKITS} | sed -e 's/^,*//; s/,$//'`
display --to SCREEN --type PLAIN --nl LIST_RTKTS
while test -n "${RKHTMPVAR2}"; do
STR=`echo ${RKHTMPVAR2} | cut -d',' -f1-6`
RKHTMPVAR2=`echo ${RKHTMPVAR2} | cut -d',' -f7-`
if [ "${STR}" = "${RKHTMPVAR2}" -o -z "${RKHTMPVAR2}" ]; then
RKHTMPVAR2=""
else
STR="${STR},"
fi
echo " ${STR}"
done
return
}
get_lock() {
#
# This function attempts to get the lock file. If it cannot
# get the lock then it waits for 10 seconds, and then tries
# again. It repeats this until the timeout has passed.
#
# We cannot log anything at this time, but we can use
# 'display' to display messages on the users screen.
#
RKHTMPVAR=0
while test $RKHTMPVAR -lt $LOCK_TIMEOUT; do
if [ -f "${LOCKDIR}/rkhunter.LCK" ]; then
test $SHOW_LOCK_MSGS -eq 1 -a $RKHTMPVAR -eq 0 && display --to SCREEN --type PLAIN --nonl LOCK_WAIT
sleep 10;
RKHTMPVAR=`expr ${RKHTMPVAR} + 10`
test $SHOW_LOCK_MSGS -eq 1 && display --to SCREEN --type PLAIN --nonl NAME "..${RKHTMPVAR}"
else
break
fi
done
if [ $RKHTMPVAR -lt $LOCK_TIMEOUT -o ! -f "${LOCKDIR}/rkhunter.LCK" ]; then
echo "$$" >"${LOCKDIR}/rkhunter.LCK"
test $SHOW_LOCK_MSGS -eq 1 -a $RKHTMPVAR -gt 0 -a $NOTTY -eq 0 && echo ""
#
# We handle any subsequent exit conditions by setting a trap.
#
trap "rm -f \"${LOCKDIR}/rkhunter.LCK\" >/dev/null 2>&1" 0 >/dev/null 2>&1
else
#
# We need to be careful here. We do not want to display the message if the user
# has explicitly requested not to, but we must display it if the user has set
# the '--report-warnings-only' option (we treat it as a warning), or the
# '--cronjob' option. If we did not, then the user may think that rkhunter has
# run and that there were no warnings. If the user used the '--quiet' option,
# then this message won't be displayed. However, that is okay because they
# should be checking the return-code.
#
if [ $SHOWWARNINGSONLY -eq 1 -o $CRONJOB -eq 1 ]; then
NOTTY=0
RKHTMPVAR=""
else
RKHTMPVAR="--nl"
fi
test $SHOW_LOCK_MSGS -eq 1 -o $NOTTY -eq 0 && display --to SCREEN --type PLAIN ${RKHTMPVAR} LOCK_FAIL
exit 1
fi
return
}
help() {
#
# This function outputs the help menu.
#
echo $ECHOOPT ""
echo $ECHOOPT "Usage: rkhunter {--check | --unlock | --update | --versioncheck |"
echo $ECHOOPT " --propupd [{filename | directory | package name},...] |"
echo $ECHOOPT " --list [{tests | {lang | languages} | rootkits | perl | propfiles}] |"
echo $ECHOOPT " --config-check | --version | --help} [options]"
echo $ECHOOPT ""
echo $ECHOOPT "Current options are:"
echo $ECHOOPT " --append-log Append to the logfile, do not overwrite"
echo $ECHOOPT " --bindir <directory>... Use the specified command directories"
echo $ECHOOPT " -c, --check Check the local system"
echo $ECHOOPT " -C, --config-check Check the configuration file(s), then exit"
echo $ECHOOPT " --cs2, --color-set2 Use the second color set for output"
echo $ECHOOPT " --configfile <file> Use the specified configuration file"
echo $ECHOOPT " --cronjob Run as a cron job"
echo $ECHOOPT " (implies -c, --sk and --nocolors options)"
echo $ECHOOPT " --dbdir <directory> Use the specified database directory"
echo $ECHOOPT " --debug Debug mode"
echo $ECHOOPT " (Do not use unless asked to do so)"
echo $ECHOOPT " --disable <test>[,<test>...] Disable specific tests"
echo $ECHOOPT " (Default is to disable no tests)"
echo $ECHOOPT " --display-logfile Display the logfile at the end"
echo $ECHOOPT " --enable <test>[,<test>...] Enable specific tests"
echo $ECHOOPT " (Default is to enable all tests)"
echo $ECHOOPT " --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |"
echo $ECHOOPT " NONE | <command>} Use the specified file hash function"
echo $ECHOOPT " (Default is SHA256)"
echo $ECHOOPT " -h, --help Display this help menu, then exit"
echo $ECHOOPT " --lang, --language <language> Specify the language to use"
echo $ECHOOPT " (Default is English)"
echo $ECHOOPT " --list [tests | languages | List the available test names, languages,"
echo $ECHOOPT " rootkits | perl | rootkit names, perl module status"
echo $ECHOOPT " propfiles] or file properties database, then exit"
echo $ECHOOPT " -l, --logfile [file] Write to a logfile"
echo $ECHOOPT " (Default is $DFLT_LOGFILE)"
echo $ECHOOPT " --noappend-log Do not append to the logfile, overwrite it"
echo $ECHOOPT " --nocf Do not use the configuration file entries"
echo $ECHOOPT " for disabled tests (only valid with --disable)"
echo $ECHOOPT " --nocolors Use black and white output"
echo $ECHOOPT " --nolog Do not write to a logfile"
echo $ECHOOPT "--nomow, --no-mail-on-warning Do not send a message if warnings occur"
echo $ECHOOPT " --ns, --nosummary Do not show the summary of check results"
echo $ECHOOPT " --novl, --no-verbose-logging No verbose logging"
echo $ECHOOPT " --pkgmgr {RPM | DPKG | BSD | Use the specified package manager to obtain"
echo $ECHOOPT " BSDng | SOLARIS | or verify file property values."
echo $ECHOOPT " NONE} (Default is NONE)"
echo $ECHOOPT " --propupd [file | directory | Update the entire file properties database,"
echo $ECHOOPT " package]... or just for the specified entries"
echo $ECHOOPT " -q, --quiet Quiet mode (no output at all)"
echo $ECHOOPT " --rwo, --report-warnings-only Show only warning messages"
echo $ECHOOPT " --sk, --skip-keypress Don't wait for a keypress after each test"
echo $ECHOOPT " --summary Show the summary of system check results"
echo $ECHOOPT " (This is the default)"
echo $ECHOOPT " --syslog [facility.priority] Log the check start and finish times to syslog"
echo $ECHOOPT " (Default level is $SYSLOG_DFLT_PRIO)"
echo $ECHOOPT " --tmpdir <directory> Use the specified temporary directory"
echo $ECHOOPT " --unlock Unlock (remove) the lock file"
echo $ECHOOPT " --update Check for updates to database files"
echo $ECHOOPT " --vl, --verbose-logging Use verbose logging (on by default)"
echo $ECHOOPT " -V, --version Display the version number, then exit"
echo $ECHOOPT " --versioncheck Check for latest version of program"
echo $ECHOOPT " -x, --autox Automatically detect if X is in use"
echo $ECHOOPT " -X, --no-autox Do not automatically detect if X is in use"
echo $ECHOOPT ""
return
}
######################################################################
#
# Initialisation
#
######################################################################
#
# Unfortunately, for the Korn shell if we are debugging then
# we need to enable tracing in each of the functions.
#
if [ $DEBUG_OPT -eq 1 -a "${MYSHELL}" = "ksh" ]; then
RKHTMPVAR=`typeset +f`
for RKHTMPVAR2 in ${RKHTMPVAR}; do
typeset -ft ${RKHTMPVAR2}
done
fi
#
# We reset the SIGPIPE signal to its default
# to try and avoid any output write errors.
#
trap - 13 >/dev/null 2>&1
#
# Initialise the variables used throughout the program.
#
RKH_VER_MAJ="1"
RKH_VER_MIN="4"
PROGRAM_NAME="Rootkit Hunter"
PROGRAM_version="${RKH_VER_MAJ}.${RKH_VER_MIN}.6"
PROGRAM_copyright_owner="Michael Boelen"
PROGRAM_copyright="Copyright (c) 2003-2018, ${PROGRAM_copyright_owner}"
PROGRAM_blurb="
This software was developed by the ${PROGRAM_NAME} project team.
Please review your rkhunter configuration files before using.
Please review the documentation before posting bug reports or questions.
To report bugs, provide patches or comments, please go to:
http://rkhunter.sourceforge.net
To ask questions about rkhunter, please use the rkhunter-users mailing list.
Note this is a moderated list: please subscribe before posting.
${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the
terms of the GNU General Public License. See the LICENSE file for details.
"
PROGRAM_license="
${PROGRAM_NAME} ${PROGRAM_version}, ${PROGRAM_copyright}
${PROGRAM_blurb}
"
LOGGER_TAG="rkhunter"
LEAVE=0
ERRCODE=0
# Set to run as a cron job.
CRONJOB=0
CHECK=0
# Set to display the logfile at the end.
CATLOGFILE=0
NOLOG=0
RKHLOGFILE=""
DFLT_LOGFILE="/var/log/rkhunter.log"
# Set to have the logfile appended to rather than overwritten.
APPEND_LOG=0
APPEND_OPT=0
# Set to have the logfile copied if there was an error.
COPY_LOG_ON_ERROR=0
# Set to have rkhunter start/finish messages, and warnings,
# logged to syslog. The priority/severity can be set on the
# command-line or in the configuration file.
USE_SYSLOG=""
SYSLOG_DFLT_PRIO="authpriv.notice"
# By default do not send a mail-on-warning message.
NOMOW=0
MAILONWARNING=""
HASH_FUNC=""
OLD_HASH_FUNC=""
PKGMGR=""
OLD_PKGMGR=""
OLD_ATTRUPD=""
HASH_OPT=0
SHA_SIZE=0
HASH_FLD_IDX=1
PROP_DIR_LIST=""
PROP_FILE_LIST=""
PROP_FILE_LIST_COUNT=0
PROP_FILE_LIST_TOTAL=0
PRELINKED=0
PRELINK_CMD=""
PRELINK_HASH=""
PKGMGR_MD5_HASH=""
PKGMGR_SHA_HASH=""
MD5_CMD=""
EPOCH_DATE_CMD=""
PKGMGRNOVRFY=""
UPDATE=0
PROP_UPDATE=0
PROPUPD_OPT=""
VERSIONCHECK=0
# By default use coloured output.
COLORS=1
CLRSET2=0
# Are whitelisted results to be shown as white?
WLIST_IS_WHITE=0
# Set to automatically detect if X is in use, and
# hence use the second colour set.
AUTO_X_DTCT=0
AUTO_X_OPT=0
# Set to be quiet. No output, but the return code will be set.
QUIET=0
# Set to only show warnings.
SHOWWARNINGSONLY=0
# This will be set if the file properties hash value check
# or the file attributes check is to be performed.
HASH_CHECK_ENABLED=0
SKIP_HASH_MSG=0
# Users can reset this to a new temporary directory.
RKHTMPDIR=""
# Users can reset this to a new database directory.
DB_PATH=""
# Users can reset this to a new configuration file.
CONFIGFILE=""
# Users cannnot reset this. The local config file must
# be in the same directory as the main config file.
LOCALCONFIGFILE=""
# Users cannot reset this. The rkhunter.d directory must
# be in the same directory as the main config file.
LOCALCONFIGDIR=""
# Users cannot reset this. The rkhunter.d config files
# can only be stored in the local config directory.
LOCALCONFDIRCOUNT=0
LOCALCONFDIRFILES=""
# This will be set similar to the current root PATH. Users can
# include new command directories to use as well.
BINPATHS=""
DFLT_BINPATHS="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
BINDIR_OPT=0
# This will be set if any of the command directories is a symbolic link.
BINISLINK=0
# Default 'id' and 'awk' commands. Solaris may reset these.
ID_CMD='id'
AWK_CMD='awk'
# Set if we don't want to wait for a keypress after each test.
SKIP_KEY_PRESS=0
# Does 'grep' need an extra option to check binary files?
GREP_OPT=""
# Set the O/S type if necessary.
BSDOS=0
SUNOS=0
IRIXOS=0
MACOSX=0
LINUXOS=0
case "${OPERATING_SYSTEM}" in
Linux)
LINUXOS=1
GREP_OPT="-a"
;;
*BSD|DragonFly)
BSDOS=1
HASH_FLD_IDX=4
GREP_OPT="-a"
;;
SunOS)
SUNOS=1
;;
IRIX*)
IRIXOS=1
;;
Darwin)
MACOSX=1
;;
esac
# This will be set if the local host or O/S has changed in some way.
OS_CHANGED=0
# By default we want a warning if the O/S has changed.
WARN_ON_OS_CHANGE=1
# If set, then automatically perform a properties update if the O/S changes.
UPDT_ON_OS_CHANGE=0
# These SSH options can only be set in the configuration file.
ALLOW_SSH_PROT_V1=0
ALLOW_SSH_ROOT_USER=""
SSH_CONFIG_DIR=""
# These syslog options can only be set in the configuration file.
ALLOW_SYSLOG_REMOTE_LOGGING=0
SYSLOG_CONFIG_FILE=""
# Set check counters to be used by the summary.
ROOTKIT_COUNT=0
ROOTKIT_FAILED_COUNT=0
ROOTKIT_FAILED_NAMES=""
PROP_FAILED_COUNT=0
SUMMARY_PROP_REQCMDS=0
APPS_COUNT=0
APPS_TOTAL_COUNT=0
APPS_FAILED_COUNT=0
# Timers for the system check.
BEGINTIME=0
TOTAL_SCANTIME=""
# This will be set if a warning message is logged.
WARNING_COUNT=0
# This will be set to the kernel symbols file used in some checks.
KSYMS_FILE=""
# Record for logging the command-line being used.
CMD_LINE="$0 $*"
# Create a spaced-separated PATH variable.
RKHROOTPATH=`echo ${PATH} | tr ':' ' '`
# List of commands used during RKH. If a command does not exist, then
# the code may use an alternative method.
CMDLIST="basename diff dirname file find ifconfig ip ipcs ldd lsattr lsmod lsof mktemp netstat numfmt perl pgrep ps pwd readlink stat strings"
# Commands that are required to exist for RKH to run. The absolutely
# required commands are tested early on using just the root PATH. Then
# BINDIR is checked, and finally the rest of the commands are then
# checked using the new PATH from BINDIR.
ABSOLUTELY_REQUIRED_CMDS="cut egrep grep sed tail tr"
REQCMDS="awk cat chmod chown cp cut date egrep grep head ls mv sed sort tail touch tr uname uniq wc"
# This will be set to a list of commands that have been disabled.
DISABLED_CMDS=""
# List of commands used to download files from the web. This list is
# used by the '--update' and '--versioncheck' options. Preferred commands
# are listed first. This can be overridden by the config file.
WEBCMDLIST="wget curl elinks links lynx bget GET"
RKHWEBCMD=""
RKHWEBCMD_OPTS=""
RKHWEBCMD_BASE=""
HOST_NAME=""
# This is the return code for the program actions - update, check, etc.
# Its value may either be 0 (no error) or 1 (an error occurred).
# The '--versioncheck' option may set the return code to 2 to
# indicate that an update is available.
# The '--update' option may set the return code to 2 to
# indicate that an update occurred.
RET_CODE=0
# Initially there is no language, this will be set later.
LANGUAGE=""
UPDATE_LANG=""
LOCALE_CMD=""
ICONV_CMD=""
RKHCHRMAP=""
RKHCHKLOCALE=0
# A space-separated list of test names we recognise.
KNOWN_TESTS="strings properties hashes scripts immutable attributes
deleted_files packet_cap_apps apps rootkits known_rkts
additional_rkts malware local_host network passwd_changes
group_changes possible_rkt_files possible_rkt_strings
system_commands shared_libs shared_libs_path running_procs
hidden_procs trojans os_specific startup_malware
startup_files group_accounts system_configs system_configs_ssh
system_configs_syslog filesystem suspscan ports hidden_ports
promisc loaded_modules avail_modules login_backdoors
sniffer_logs tripwire susp_dirs ipc_shared_mem"
# A space-separated list of test 'group names'. This list allows test
# names to be grouped together. For example, 'system_commands' can include
# the specific tests of 'strings' and 'hashes'. Both test
# group names, and specific test names, can be used with the test
# enable/disable options. In this list group names are colon-separated
# from the specific test names.
#
GROUPED_TESTS="system_commands:properties:strings:hashes:scripts:shared_libs:shared_libs_path:immutable:attributes
properties:hashes:scripts:immutable:attributes
shared_libs:shared_libs_path
rootkits:known_rkts:additional_rkts:possible_rkt_files:possible_rkt_strings:malware:running_procs:hidden_procs:deleted_files:trojans:os_specific:suspscan:loaded_modules:avail_modules:login_backdoors:sniffer_logs:tripwire:susp_dirs:ipc_shared_mem
additional_rkts:possible_rkt_files:possible_rkt_strings
network:packet_cap_apps:ports:hidden_ports:promisc
malware:running_procs:hidden_procs:deleted_files:suspscan:login_backdoors:sniffer_logs:tripwire:susp_dirs:ipc_shared_mem
local_host:startup_files:passwd_changes:group_changes:startup_malware:group_accounts:system_configs:filesystem:system_configs_ssh:system_configs_syslog
startup_files:startup_malware
os_specific:loaded_modules:avail_modules
group_accounts:passwd_changes:group_changes
system_configs:system_configs_ssh:system_configs_syslog"
# A comma-separated list of rootkits we check for.
# NOTE: This is a COMMA separated list. Any single quotes need to be handled specially - i.e.
# put between double-quotes.
KNOWN_ROOTKITS='55808 Trojan - Variant A, AjaKit, aPa Kit, Adore, Apache Worm, Ambient (ark),
Balaur, BeastKit, beX2, BOBKit, Boonana (Koobface.A), cb, CiNIK Worm (Slapper.B variant), CX,
Danny-Boy'"'"'s Abuse Kit, Devil, Diamorphine LKM, Dica, Dreams, Duarawkz, Ebury, Enye LKM, Flea Linux, FreeBSD, Fu,
Fuck`it, GasKit, Heroin LKM, HjC Kit, ignoKit, iLLogiC, Inqtana-A, Inqtana-B, Inqtana-C,
IntoXonia-NG, Irix, Jynx, Jynx2, KBeast, Keydnap, Kitko, Knark, Komplex, ld-linuxv.so, Li0n Worm, Lockit/LJK2, Mokes,
Mood-NT, MRK, Ni0, Ohhara, Optic Kit (Tux), OSXRK, Oz, Phalanx, Phalanx2, Portacelo, Proton, R3dstorm Toolkit,
RH-Sharpe'"'"'s, RSHA'"'"'s, Scalper Worm, Shutdown, SHV4, SHV5, Sin, SInAR, Slapper,
Sneakin, Solaris Wanuk, Spanish, Suckit, SunOS / NSDAP, SunOS Rootkit, Superkit, TBD (Telnet BackDoor),
TeLeKiT, Togroot, T0rn, trNkit, Trojanit Kit, Turtle2, Tuxtendo, URK, Vampire, VcKit, Volc, w00tkit,
weaponX, Xzibit, X-Org SunOS, zaRwT.KiT, ZK'
# A space-separated list of perl modules that may be required.
LIST_MODULES="File::stat Getopt::Long Crypt::RIPEMD160 Digest::MD5 Digest::SHA Digest::SHA1 Digest::SHA256
Digest::SHA::PurePerl Digest::Whirlpool LWP URI HTTP::Status HTTP::Date Socket Carp"
# A list of configuration options which are space-separated lists.
SPACE_LIST_OPTS="ALLOWIPCPID ALLOWIPCUSER ALLOWPROMISCIF APP_WHITELIST BINDIR DISABLE_TESTS EMPTY_LOGFILES
ENABLE_TESTS IGNORE_PRELINK_DEP_ERR INETD_ALLOWED_SVC MAIL-ON-WARNING MISSING_LOGFILES
PORT_WHITELIST PWDLESS_ACCOUNTS SHARED_LIB_WHITELIST STARTUP_PATHS SUSPSCAN_DIRS
SYSLOG_CONFIG_FILE UID0_ACCOUNTS UNHIDE_TESTS UNHIDETCP_OPTS UPDATE_LANG
XINETD_ALLOWED_SVC"
SPACE_LIST_OPTS=" `echo ${SPACE_LIST_OPTS}` "
# A list of configuration options which are newline-separated lists.
NEWLINE_LIST_OPTS="ALLOWDEVFILE ALLOWHIDDENDIR ALLOWHIDDENFILE ALLOWPROCDELFILE ALLOWIPCPROC
ALLOWPROCLISTEN ATTRWHITELIST EXCLUDE_USER_FILEPROP_FILES_DIRS EXISTWHITELIST
IMMUTWHITELIST PKGMGR_NO_VRFY PORT_PATH_WHITELIST RTKT_DIR_WHITELIST
RTKT_FILE_WHITELIST SCRIPTWHITELIST SUSPSCAN_WHITELIST USER_FILEPROP_FILES_DIRS
WRITEWHITELIST"
NEWLINE_LIST_OPTS=" `echo ${NEWLINE_LIST_OPTS}` "
# The program defaults of which tests to perform will be set later.
ENABLE_TESTS=""
DISABLE_TESTS=""
CL_ENABLE_TESTS=""
CL_DISABLE_TESTS=""
CONFIG_DISABLE_TESTS=""
# These get set if the '--enable' or '--disable' command-line options have been used.
ENDIS_OPT=0
ENABLE_OPT=0
# This gets set to zero if the '--nocf' command-line option is used.
USECF=1
# This gets set if the '--list' command-line option is used.
LIST_OPT=""
# Space-filled line used for the display function.
BLANK_LINE=" "
# Initially say that we are connected to a terminal.
NOTTY=0
# By default show the system check summary.
SHOW_SUMMARY=1
SHOW_SUMMARY_OPT=0
SHOW_SUMMARY_TIME=3
SHOW_SUMMARY_WARNINGS_NUMBER=0
# By default log most things that are checked.
VERBOSE_LOGGING=1
# We copy the original IFS value, and set RKHIFS to space, tab, newline.
# IFSNL is set to just a newline.
ORIGIFS=$IFS
RKHIFS="
"
IFSNL="
"
IFS=$RKHIFS
# No default set for the system startup files and directories.
STARTUP_PATHS=""
STARTUP_PATHS_LOGGED=0
# Set a default for the inetd configuration file.
INETD_CONF_PATH="/etc/inetd.conf"
INETDALLOWEDSVCS=""
# Set a default for the xinetd configuration file.
XINETD_CONF_PATH="/etc/xinetd.conf"
XINETDALLOWEDSVCS=""
# Set if only the '--update' option is used.
UPDATE_ONLY=0
# Set if UPDATE_ONLY is set, and some language files are missing.
RKHLANGUPDT=0
# By default we rotate the mirrors in the mirrors.dat file,
# and we update the file when the '--update' option is used.
# The default MIRRORS_MODE is set such that we use both local
# and remote mirrors.
ROTATE_MIRRORS=1
UPDATE_MIRRORS=1
MIRRORS_MODE=0
# Set the default suspscan settings.
SUSPSCAN_DEBUG=0
SUSPSCAN_DFLT_DIRS="/tmp /var/tmp"
SUSPSCAN_DFLT_TMP="/dev/shm"
SUSPSCAN_DFLT_THRESH=200
SUSPSCAN_DFLT_MAXSIZE=1024000
SUSPSCAN_WL_OPT=""
# SELinux runcon usage as determined by get_if_prelinked.
USE_RUNCON=0
SELINUX_ENABLED=0
# These get set if any network ports are to be whitelisted.
PORT_WHITELIST=""
PORT_PATH_WHITELIST=""
PORT_WHITELIST_ALL_TRUSTED=0
# This will be set to the shadow file location if required.
SHADOW_FILE=""
HAVE_TCB_SHADOW=0
# The O/S 'release' file location.
OS_VERSION_FILE=""
# By default no rootkit files or directories are whitelisted.
RTKT_DIR_WHITELIST=""
RTKT_FILE_WHITELIST=""
# The full pathname of the 'rkhunter.dat' file.
RKHDAT_FILE=""
# The full pathname of the 'rkhunter_prop_list.dat' file.
RKH_FILEPROP_LIST=""
# This gets set if we have a working readlink command.
HAVE_READLINK=0
# By default no commands are to be exempt from dependency errors.
PRELINK_DEP_ERR_CMDS=""
# User provided files/dirs for the file properties check.
USER_FILE_LIST=""
USER_SIMPLE_FILE_LIST=""
USER_DIR_LIST=""
USER_EXCLUDE_PROP=""
# This gets set if any shared libraries are to be whitelisted.
SHARED_LIB_WHITELIST=""
# If used, these lock values must be set in the config file.
USE_LOCKING=0
LOCKDIR=""
LOCK_TIMEOUT=0
SHOW_LOCK_MSGS=1
# This gets set if the '--unlock' command-line option is used.
UNLOCK=0
# This gets set if any files or directories need
# whitelisting from 'existence' checks.
EXISTWHITELIST=""
# This will be set if we are just doing a config file check.
CONFIG_CHECK=0
# Network interface whitelist.
IFWLIST=""
# This will be set to any allowed processes listening on the network.
ALLOWPROCLIST_OPT=""
# This option will be set if the shell globstar option is to be set.
GLOBSTAR=0
# The default value for the minimum shared memory segement size.
DFLT_SEG_SIZE=1048576
# This gets set if we have the numfmt command.
HAVE_NUMFMT=0
# Record the running kernel release.
UNAME_R=`uname -r 2>/dev/null`
######################################################################
#
# Command-line option processing
#
######################################################################
#
# Display the help menu if no options were given.
#
if [ $# -eq 0 ]; then
help
exit 0
fi
#
# Check the command-line options. If set, these will override the
# configuration file options.
#
while [ $# -ge 1 ]; do
case "$1" in
--append-log | --appendlog)
APPEND_LOG=1
APPEND_OPT=1
;;
--bindir)
RKHTMPVAR="$2"
case "${RKHTMPVAR}" in
"")
;;
-*)
RKHTMPVAR=""
;;
*)
shift
BINPATHS="${BINPATHS} ${RKHTMPVAR}"
BINDIR_OPT=1
;;
esac
if [ -z "${RKHTMPVAR}" ]; then
echo "No command directories specified with '--bindir' option."
exit 1
fi
;;
-c | --check | --checkall | --check-all)
CHECK=1
;;
-C | --config-check | --configcheck | --check-config | --checkconfig)
CONFIG_CHECK=1
;;
--configfile)
CONFIGFILE=""
case "$2" in
"")
;;
-*)
;;
*)
shift
CONFIGFILE="$1"
;;
esac
if [ -z "${CONFIGFILE}" ]; then
echo "No configuration file specified with '--configfile' option."
exit 1
fi
;;
--cronjob)
CHECK=1
CRONJOB=1
COLORS=0
SKIP_KEY_PRESS=1
;;
--cs2 | --colorset2 | --color-set2)
CLRSET2=1
;;
--dbdir)
DB_PATH=""
case "$2" in
"")
;;
-*)
;;
*)
shift
DB_PATH="$1"
;;
esac
if [ -z "${DB_PATH}" ]; then
echo "No database directory specified with '--dbdir' option."
exit 1
fi
;;
--debug)
SKIP_KEY_PRESS=1
;;
--display-logfile | --displaylogfile | --display-log | --displaylog | --showlog)
CATLOGFILE=1
;;
--disable)
RKHTMPVAR="$2"
case "${RKHTMPVAR}" in
"")
;;
-*)
RKHTMPVAR=""
;;
*)
shift
CHECK=1
ENDIS_OPT=1
CL_DISABLE_TESTS="${CL_DISABLE_TESTS} ${RKHTMPVAR}"
;;
esac
if [ -z "${RKHTMPVAR}" ]; then
echo "No tests specified with '--disable' option."
exit 1
fi
;;
--enable)
RKHTMPVAR="$2"
case "${RKHTMPVAR}" in
"")
;;
-*)
RKHTMPVAR=""
;;
*)
shift
CHECK=1
ENDIS_OPT=1
ENABLE_OPT=1
CL_ENABLE_TESTS="${CL_ENABLE_TESTS} ${RKHTMPVAR}"
;;
esac
if [ -z "${RKHTMPVAR}" ]; then
echo "No tests specified with '--enable' option."
exit 1
fi
;;
--hash)
HASH_FUNC=""
case "$2" in
"")
;;
-*)
;;
*)
shift
HASH_FUNC="$1"
HASH_OPT=1
;;
esac
if [ -z "${HASH_FUNC}" ]; then
echo "No hash function specified with '--hash' option."
exit 1
fi
;;
-h | --help)
help
exit 0
;;
-l | --log | --logfile | --createlogfile | --createlog | --create-log | --create-logfile)
RKHLOGFILE="${DFLT_LOGFILE}"
case "$2" in
"")
;;
-*)
;;
*)
shift
RKHLOGFILE="$1"
;;
esac
;;
--lang | --language)
LANGUAGE=""
case "$2" in
"")
;;
-*)
;;
*)
shift
LANGUAGE="$1"
;;
esac
if [ -z "${LANGUAGE}" ]; then
echo "No language specified with '$1' option."
exit 1
fi
;;
--list)
case "$2" in
test | tests | check | checks)
shift
LIST_OPT="${LIST_OPT} tests "
;;
lang | langs | language | languages)
shift
LIST_OPT="${LIST_OPT} languages "
;;
rootkit | rootkits)
shift
LIST_OPT="${LIST_OPT} rootkits "
;;
perl | modules)
shift
LIST_OPT="${LIST_OPT} perl "
;;
propfiles)
shift
LIST_OPT="${LIST_OPT} propfiles "
;;
"")
LIST_OPT="${LIST_OPT} tests languages rootkits perl "
;;
*)
echo "Invalid '--list' option specified: $2"
exit 1
;;
esac
;;
--noappend-log | --no-append-log | --noappendlog)
APPEND_LOG=0
APPEND_OPT=1
;;
--nocf)
USECF=0
;;
--nocolors | --no-colors | --nocolor | --no-color)
COLORS=0
;;
--nolog | --no-log)
RKHLOGFILE="/dev/null"
;;
--nomow | --no-mow | --no-mailonwarning | --no-mail-on-warning)
NOMOW=1
;;
--novl | --noverboselogging | --no-verbose-logging)
VERBOSE_LOGGING=0
;;
--ns | --nosummary | --no-summary)
SHOW_SUMMARY=0
SHOW_SUMMARY_OPT=1
;;
--pkgmgr)
PKGMGR=""
case "$2" in
"")
;;
-*)
;;
*)
shift
PKGMGR="$1"
;;
esac
if [ -z "${PKGMGR}" ]; then
echo "No package manager specified with '--pkgmgr' option."
exit 1
fi
;;
--propupd | --prop-update | --propupdate | --properties-update | --hashupd)
PROP_UPDATE=1
PROPUPD_OPT=""
case "$2" in
"")
;;
-*)
;;
*)
shift
PROPUPD_OPT="$1"
;;
esac
;;
-q | --quiet)
QUIET=1
;;
--rwo | --swo | --report-warnings-only | --show-warnings-only)
QUIET=1
SHOWWARNINGSONLY=1
;;
-r | --rootdir)
echo "The '$1' option is now deprecated."
shift
;;
-sk | --sk | --skip-keypress | --skipkeypress)
SKIP_KEY_PRESS=1
;;
--summary)
SHOW_SUMMARY=1
SHOW_SUMMARY_OPT=1
;;
--syslog)
USE_SYSLOG="${SYSLOG_DFLT_PRIO}"
case "$2" in
"")
;;
-*)
;;
*)
shift
USE_SYSLOG="$1"
;;
esac
;;
--tmpdir)
RKHTMPDIR=""
case "$2" in
"")
;;
-*)
;;
*)
shift
RKHTMPDIR="$1"
;;
esac
if [ -z "${RKHTMPDIR}" ]; then
echo "No temporary directory specified with '--tmpdir' option."
exit 1
fi
;;
--unlock)
UNLOCK=1
;;
--update)
UPDATE=1
;;
--vl | --verboselogging | --verbose-logging)
VERBOSE_LOGGING=1
;;
-V | --version)
echo "${PROGRAM_NAME} ${PROGRAM_version}"
echo "${PROGRAM_blurb}"
exit 0
;;
--versioncheck | --version-check)
VERSIONCHECK=1
;;
-x | --autox)
AUTO_X_OPT=1
AUTO_X_DTCT=1
;;
-X | --no-autox)
AUTO_X_OPT=1
AUTO_X_DTCT=0
;;
*)
echo "Invalid option specified: $1"
exit 1
;;
esac
shift
done
#
# We check that we are root. If we are not, then only the
# help and version command-line options are valid.
#
if [ $SUNOS -eq 1 ]; then
test -x /usr/xpg4/bin/id && ID_CMD="/usr/xpg4/bin/id"
#
# Unfortunately we need the AWK_CMD set this early on so
# that the option processing works. As such this is a bit
# of a hack. AWK_CMD will be set properly later on.
#
RKHTMPVAR=`which gawk 2>/dev/null | grep -v ' '`
if [ -n "${RKHTMPVAR}" ]; then
AWK_CMD="${RKHTMPVAR}"
else
RKHTMPVAR=`which nawk 2>/dev/null | grep -v ' '`
if [ -n "${RKHTMPVAR}" ]; then
AWK_CMD="${RKHTMPVAR}"
elif [ -x "/usr/xpg4/bin/awk" ]; then
AWK_CMD="/usr/xpg4/bin/awk"
fi
fi
fi
RKHTMPVAR=`${ID_CMD} -u 2>/dev/null`
if [ -z "${RKHTMPVAR}" ]; then
RKHTMPVAR=`whoami 2>/dev/null`
if [ -z "${RKHTMPVAR}" ]; then
RKHTMPVAR=`who am i 2>/dev/null | cut -d' ' -f1`
if [ -z "${RKHTMPVAR}" ]; then
RKHTMPVAR=`who -m 2>/dev/null | cut -d' ' -f1`
fi
fi
fi
if [ -z "${RKHTMPVAR}" ]; then
echo "Unable to determine if you are root."
exit 1
elif [ "${RKHTMPVAR}" != "0" -a "${RKHTMPVAR}" != "root" ]; then
echo "You must be the root user to run this program."
exit 1
fi
#
# We need to see if we are to run a check before we get to the
# configuration file processing code. Basically if either of the
# '--enable' or '--disable' options are used, then we will do a
# check.
#
if [ $ENDIS_OPT -eq 1 ]; then
CL_ENABLE_TESTS=`echo ${CL_ENABLE_TESTS} | tr -d '"' | tr -d "'" | tr ',' ' ' | tr '[:upper:]' '[:lower:]'`
CL_DISABLE_TESTS=`echo ${CL_DISABLE_TESTS} | tr -d '"' | tr -d "'" | tr ',' ' ' | tr '[:upper:]' '[:lower:]'`
CL_DISABLE_TESTS=`echo ${CL_DISABLE_TESTS}`
# The '--nocf' option is only for disabled tests.
test -z "${CL_DISABLE_TESTS}" && USECF=1
else
USECF=1
fi
#
# See if only the '--update' option has been used.
#
test $UPDATE -eq 1 -a $CHECK -eq 0 -a $PROP_UPDATE -eq 0 -a $VERSIONCHECK -eq 0 && UPDATE_ONLY=1
#
# Before going too much further we need to ensure that some basic
# commands are present on the system. We cannot do this using
# the BINDIR option because that requires processing the configuration
# file, which in turn requires the commands we want to check on. As
# such we use the default command directory list. We do not assign
# these commands to variables, but will do for other commands which we
# look for later on.
#
check_required_commands 1
######################################################################
#
# Configuration file processing
#
######################################################################
#
# Now we check for the configuration file. We then see if there is a
# local configuration file, and/or a local directory, present in the
# same directory, and finally check the various options within them.
#
# NOTE: Do not change the format of the following 'if' statement.
# The installer script will modify it directly during installation.
#
if [ -z "${CONFIGFILE}" ]; then
if [ -f /etc/rkhunter.conf ]; then
CONFIGFILE="/etc/rkhunter.conf"
else
CONFIGFILE="/usr/local/etc/rkhunter.conf"
fi
fi
if [ ! -f "${CONFIGFILE}" ]; then
echo "Unable to find configuration file: ${CONFIGFILE}"
exit 1
elif [ ! -r "${CONFIGFILE}" ]; then
echo "Configuration file is not readable: ${CONFIGFILE}"
exit 1
elif [ ! -s "${CONFIGFILE}" ]; then
echo "Configuration file is empty: ${CONFIGFILE}"
exit 1
fi
RKHTMPVAR=`echo "${CONFIGFILE}" | sed -e 's:/[^/]*$::'`
test -f "${RKHTMPVAR}/rkhunter.conf.local" -a ! -h "${RKHTMPVAR}/rkhunter.conf.local" -a -r "${RKHTMPVAR}/rkhunter.conf.local" && LOCALCONFIGFILE="${RKHTMPVAR}/rkhunter.conf.local"
if [ -d "${RKHTMPVAR}/rkhunter.d" ]; then
LOCALCONFIGDIR="${RKHTMPVAR}/rkhunter.d"
for FNAME in ${LOCALCONFIGDIR}/*.conf; do
test ! -f "${FNAME}" -o -h "${FNAME}" -o ! -r "${FNAME}" && continue
LOCALCONFDIRCOUNT=`expr ${LOCALCONFDIRCOUNT} + 1`
LOCALCONFDIRFILES="${LOCALCONFDIRFILES} ${FNAME}"
done
fi
get_configfile_options
#
# If we are doing a configuration file
# check, then this is as far as we go.
#
if [ $CONFIG_CHECK -eq 1 ]; then
do_config_file_check
exit $RET_CODE
fi
######################################################################
#
# Option processing
#
######################################################################
#
# Next we check some of the options to make sure we can proceed. We
# also set up some final variables based on the combination of options
# we have been given.
#
#
# First we process the '--list' option if it has been given.
#
if [ -n "${LIST_OPT}" ]; then
for RKHTMPVAR in ${LIST_OPT}; do
case "${RKHTMPVAR}" in
tests)
display_tests
;;
languages)
display_languages
;;
perl)
display_perl_modules
;;
propfiles)
display_propfiles
;;
*)
display_rootkits
;;
esac
done
exit 0
fi
#
# Next we must see if we are doing an update only, and if there were
# some language file problems. If so, then we must not log or display
# anything.
#
if [ $RKHLANGUPDT -eq 1 ]; then
QUIET=1
COLORS=0
RKHLOGFILE="/dev/null"
fi
#
# If the logfile has been disabled, then we cannot let the
# program run when certain options are used. If we did, the user
# would see no output and might assume that all was well.
#
if [ "${RKHLOGFILE}" = "/dev/null" ]; then
NOLOG=1
VERBOSE_LOGGING=0
COPY_LOG_ON_ERROR=0
if [ $SHOWWARNINGSONLY -eq 1 ]; then
echo "The logfile has been disabled - unable to report warnings."
exit 1
elif [ $CATLOGFILE -eq 1 ]; then
echo "The logfile has been disabled - unable to display the log file."
exit 1
fi
fi
#
# Set up the colors to be used.
#
if [ $COLORS -eq 1 ]; then
NORMAL="[0;39m" # Foreground colour to default
if [ $CLRSET2 -eq 0 ]; then
RED="[1;31m" # Bright red
GREEN="[1;32m" # Bright green
YELLOW="[1;33m" # Bright yellow
WHITE="[1;37m" # White
else
RED="[1;31m" # Bright red
GREEN="[0;32m" # Green
YELLOW="[0;35m" # Purple
WHITE="[0;30m" # Black
fi
fi
if [ $CHECK -eq 1 ]; then
#
# Check if we have a kernel symbols file.
#
if [ -f "/proc/ksyms" ]; then
KSYMS_FILE="/proc/ksyms"
elif [ -f "/proc/kallsyms" ]; then
KSYMS_FILE="/proc/kallsyms"
elif [ -f "/boot/System.map-${UNAME_R}" ]; then
KSYMS_FILE="/boot/System.map-${UNAME_R}"
fi
fi
if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 ]; then
if [ -e "${RKHDAT_FILE}" ]; then
if [ -h "${RKHDAT_FILE}" ]; then
echo "The rkhunter.dat file is a symbolic link: ${RKHDAT_FILE}"
echo "This is a security problem. The link points to another file, and that file may be modified by rkhunter."
exit 1
elif [ ! -f "${RKHDAT_FILE}" ]; then
echo "The rkhunter.dat file is not a file: ${RKHDAT_FILE}"
exit 1
fi
fi
if [ -e "${RKH_FILEPROP_LIST}" ]; then
if [ -h "${RKH_FILEPROP_LIST}" ]; then
echo "The rkhunter_prop_list.dat file is a symbolic link: ${RKH_FILEPROP_LIST}"
echo "This is a security problem. The link points to another file, and that file may be modified by rkhunter."
exit 1
elif [ ! -f "${RKH_FILEPROP_LIST}" ]; then
echo "The rkhunter_prop_list.dat file is not a file: ${RKH_FILEPROP_LIST}"
exit 1
fi
fi
#
# Check if the file properties option has been set. If so, then
# check that the files and directories are valid. Once that has
# been done, we can then set up the file properties check directories
# and file names.
#
if [ -n "${PROPUPD_OPT}" ]; then
if [ ! -f "${RKHDAT_FILE}" ]; then
echo "The file properties file does not exist: ${RKHDAT_FILE}"
exit 1
fi
#
# We need the current 'rkhunter.dat' file format.
#
FMTVERSION=`grep '^FormatVersion:' "${RKHDAT_FILE}" | cut -d: -f2`
test -z "${FMTVERSION}" && FMTVERSION=0
LEAVE=0
RKHTMPVAR=""
PROPUPD_OPT=`echo "${PROPUPD_OPT}" | tr ',' "\n" | sed -e '/^$/d'`
test "${PROPUPD_OPT}" = "/" && PROPUPD_OPT=""
IFS=$IFSNL
for FNAME in ${PROPUPD_OPT}; do
if [ -n "`echo \"${FNAME}\" | grep '^[^/].*/'`" ]; then
# Filename is relative
LEAVE=1
echo "Relative file or directory name specified: ${FNAME}"
elif [ -n "`echo \"${FNAME}\" | grep '^/'`" ]; then
# Filename is absolute
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ $FMTVERSION -eq 0 ]; then
RKHTMPVAR2=`grep "^File:${FNAMEGREP}:" "${RKHDAT_FILE}" 2>/dev/null | cut -d: -f2`
else
COLON_COUNT=`echo "${FNAME}" | tr -c -d ':' | wc -c | tr -d ' '`
RKHTMPVAR2=`grep "^File:${COLON_COUNT}:${FNAMEGREP}:" "${RKHDAT_FILE}" 2>/dev/null`
test -n "${RKHTMPVAR2}" && RKHTMPVAR2="${FNAME}"
fi
if [ -z "${RKHTMPVAR2}" ]; then
if [ -d "${FNAME}" ]; then
# Filename is a directory
if [ $FMTVERSION -eq 0 ]; then
RKHTMPVAR2=`grep "^File:${FNAMEGREP}/[^:]*:" "${RKHDAT_FILE}" 2>/dev/null | cut -d: -f2`
else
PATHS=""
IFS=$IFSNL
for RKHLINE in `grep "^File:[0-9]*:${FNAMEGREP}/" "${RKHDAT_FILE}"`; do
COLON_COUNT=`echo "${RKHLINE}" | cut -d: -f2`
COLON_COUNT=`expr 3 + $COLON_COUNT`
PATHNAME=`echo "${RKHLINE}" | cut -d: -f3-$COLON_COUNT`
PATHS="${PATHS}
${PATHNAME}"
done
IFS=$RKHIFS
RKHTMPVAR2=`echo "${PATHS}" | sed -e '/^$/d'`
fi
if [ -n "${RKHTMPVAR2}" ]; then
RKHTMPVAR="${RKHTMPVAR}
${RKHTMPVAR2}"
else
LEAVE=1
echo "Directory is not in the \"rkhunter.dat\" file: ${FNAME}"
fi
else
LEAVE=1
echo "Filename is not in the \"rkhunter.dat\" file: ${FNAME}"
fi
else
RKHTMPVAR="${RKHTMPVAR}
${RKHTMPVAR2}"
fi
else
#
# Filename could be a package name.
# The package names are currently in field 11 in the 'rkhunter.dat' file.
#
FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
if [ $FMTVERSION -eq 0 ]; then
RKHTMPVAR2=`grep "^File:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:${FNAMEGREP}:" "${RKHDAT_FILE}" 2>/dev/null | cut -d: -f2`
else
PATHS=""
IFS=$IFSNL
for RKHLINE in `grep "^File:[0-9]*:.*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:${FNAMEGREP}:" "${RKHDAT_FILE}"`; do
COLON_COUNT=`echo "${RKHLINE}" | cut -d: -f2`
COLON_COUNT=`expr 3 + $COLON_COUNT`
PATHNAME=`echo "${RKHLINE}" | cut -d: -f3-$COLON_COUNT`
PATHS="${PATHS}
${PATHNAME}"
done
IFS=$RKHIFS
RKHTMPVAR2=`echo "${PATHS}" | sed -e '/^$/d'`
fi
if [ -z "${RKHTMPVAR2}" ]; then
# Filename is just a plain filename
if [ $FMTVERSION -eq 0 ]; then
RKHTMPVAR2=`grep "^File:[^:]*/${FNAMEGREP}:" "${RKHDAT_FILE}" 2>/dev/null | cut -d: -f2`
else
PATHS=""
IFS=$IFSNL
for RKHLINE in `grep "^File:[0-9]*:.*/${FNAMEGREP}:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:" "${RKHDAT_FILE}"`; do
COLON_COUNT=`echo "${RKHLINE}" | cut -d: -f2`
COLON_COUNT=`expr 3 + $COLON_COUNT`
PATHNAME=`echo "${RKHLINE}" | cut -d: -f3-$COLON_COUNT`
PATHS="${PATHS}
${PATHNAME}"
done
IFS=$RKHIFS
RKHTMPVAR2=`echo "${PATHS}" | sed -e '/^$/d'`
fi
if [ -n "${RKHTMPVAR2}" ]; then
RKHTMPVAR="${RKHTMPVAR}
${RKHTMPVAR2}"
else
LEAVE=1
echo "File or package name is not in the \"rkhunter.dat\" file: ${FNAME}"
fi
else
RKHTMPVAR="${RKHTMPVAR}
${RKHTMPVAR2}"
fi
fi
done
IFS=$RKHIFS
if [ $LEAVE -eq 0 ]; then
PROPUPD_OPT=`echo "${RKHTMPVAR}" | sed -e '/^$/d'`
else
exit 1
fi
fi
if `check_test properties` || test $PROP_UPDATE -eq 1; then
set_file_prop_dirs_files
fi
#
# We need to record the previously used
# hash function and package manager.
#
get_old_prop_attrs "${RKHDAT_FILE}"
fi
if [ $PROP_UPDATE -eq 1 -a $PRELINKED -eq 1 -a -z "${PKGMGR}" -a "${HASH_FUNC}" != "NONE" ]; then
#
# For a hash update on a prelinked system, we must have
# a valid hash function to use.
#
if [ -z "${PRELINK_HASH}" ]; then
if [ -z "`echo \"${HASH_FUNC}\" | egrep '(/filehashsha\.pl Digest::MD5|/filehashsha\.pl .* 1$|shasum -a 1$)'`" ]; then
RKHTMPVAR=`echo "${HASH_FUNC}" | cut -d' ' -f1`
if [ -z "`echo ${RKHTMPVAR} | egrep -i 'sha1|md5'`" ]; then
if [ $HASH_OPT -eq 1 ]; then
echo "This system uses prelinking, but the '--hash' option (${HASH_FUNC}) does not look like SHA1 or MD5."
else
echo "This system uses prelinking, but the hash function (${HASH_FUNC}) does not look like SHA1 or MD5."
fi
exit 1
fi
fi
fi
fi
#
# For the update and versioncheck options, we need to make sure
# we have a command capable of downloading files from the web.
# The first command found is used, unless it has been set in
# the configuration file.
#
if [ $UPDATE -eq 1 -o $VERSIONCHECK -eq 1 ]; then
if [ -z "${RKHWEBCMD}" ]; then
FOUND=0
for CMD in ${WEBCMDLIST}; do
#
# Ignore perl commands if perl is not present, or if
# certain modules are not present.
#
if [ "${CMD}" = "GET" ]; then
test -z "${PERL_CMD}" && continue
RKHTMPVAR=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" LWP URI HTTP::Status HTTP::Date Getopt::Long 2>&1 | grep 'NOT'`
test -n "${RKHTMPVAR}" && continue
elif [ "${CMD}" = "bget" ]; then
test -z "${PERL_CMD}" && continue
RKHTMPVAR=`${PERL_CMD} "${SCRIPT_PATH}/check_modules.pl" Socket Carp 2>&1 | grep 'NOT'`
test -n "${RKHTMPVAR}" && continue
fi
RKHTMPVAR=`find_cmd ${CMD}`
if [ -n "${RKHTMPVAR}" ]; then
FOUND=1
RKHWEBCMD="${RKHTMPVAR}"
RKHWEBCMD_BASE="${CMD}"
break
fi
done
if [ $FOUND -eq 0 ]; then
echo "The '--update' and '--versioncheck' options require a command able to"
echo "download files from the web. No such command can be found on the system."
echo "Examples of commands that could be used are: ${WEBCMDLIST}"
exit 1
fi
fi
fi
#
# If no option is given for the program to action, then say so and exit.
#
if [ $CHECK -eq 0 -a $VERSIONCHECK -eq 0 -a $UPDATE -eq 0 -a $PROP_UPDATE -eq 0 -a $UNLOCK -eq 0 ]; then
echo "You must enter an option for the program to perform."
echo "Type in 'rkhunter --help' to see the available options,"
echo "or read the rkhunter man page."
exit 1
fi
#
# Handle any locking straight away.
#
if [ $UNLOCK -eq 1 ]; then
rm -f "${LOCKDIR}/rkhunter.LCK" >/dev/null 2>&1
# If we are just unlocking the lock file, then exit.
test $CHECK -eq 0 -a $VERSIONCHECK -eq 0 -a $UPDATE -eq 0 -a $PROP_UPDATE -eq 0 && exit 0
fi
#
# Before writing anything to the screen or log file, we need to
# set some variables.
#
# First we set whether we should be displaying anything on the
# screen or not.
#
test $CRONJOB -eq 1 -o $QUIET -eq 1 && NOTTY=1
#
# Next we get the message types and results from the language file,
# and set them to variables. We have to look in the English file since
# that is the definitive one. We then look for the corresponding keyword
# in the actual language file. This allows the language files to work
# even if we add or remove any of the TYPE or RESULT keywords.
#
IFS=$IFSNL
for LINE in `egrep '^MSG_(TYPE|RESULT)_' "${DB_PATH}/i18n/en" 2>/dev/null`; do
TYPE=`echo "${LINE}" | cut -d: -f1`
if [ "${LANGUAGE}" != "en" ]; then
RKHTMPVAR=`grep ${GREP_OPT} "^${TYPE}:" "${DB_PATH}/i18n/${LANGUAGE}" 2>/dev/null`
test -n "${RKHTMPVAR}" && LINE=`echo "${RKHTMPVAR}" | sed -e 's/\`/\\\\\`/g'`
fi
RKHTMPVAR=`echo "${LINE}" | cut -d: -f2-`
eval $TYPE=\"${RKHTMPVAR}\"
done
IFS=$RKHIFS
#
# Before we touch the log file we must see if locking is being used.
#
if [ $USE_LOCKING -eq 1 ]; then
get_lock
fi
#
# Sort out the logfile before we write to it.
#
if [ $NOLOG -eq 0 ]; then
if [ $APPEND_LOG -eq 0 ]; then
if [ -f "${RKHLOGFILE}" ]; then
cp -f -p "${RKHLOGFILE}" "${RKHLOGFILE}.old" >/dev/null 2>&1
# Overwrite the log file with a null string.
if [ "${ECHON}" = "c" ]; then
echo $ECHOOPT "\c" >"${RKHLOGFILE}"
else
echo $ECHON $ECHOOPT "" >"${RKHLOGFILE}"
fi
else
# Create a new log file.
touch "${RKHLOGFILE}" >/dev/null 2>&1
chmod 600 "${RKHLOGFILE}" >/dev/null 2>&1
fi
else
if [ ! -f "${RKHLOGFILE}" ]; then
# Create a new log file.
touch "${RKHLOGFILE}" >/dev/null 2>&1
chmod 600 "${RKHLOGFILE}" >/dev/null 2>&1
fi
echo "" >>"${RKHLOGFILE}"
echo "" >>"${RKHLOGFILE}"
fi
fi
#
# Record the hostname. This will be used at several points
# throughout the program. A specific test will specify if
# a hostname has been found or not, so we don't need to
# do anything special here.
#
HOST_NAME=`hostname 2>/dev/null`
test -z "${HOST_NAME}" && HOST_NAME=`uname -n 2>/dev/null`
test -z "${HOST_NAME}" && HOST_NAME="${HOSTNAME}"
HOST_NAME=`echo ${HOST_NAME} | cut -d. -f1`
######################################################################
#
# Initial logging
#
######################################################################
#
# Write out various information messages to the logfile. The first
# set of messages can be skipped if no logfile is to be created.
#
display --to SCREEN --type PLAIN VERSIONLINE "${PROGRAM_NAME}" "${PROGRAM_version}"
if [ $NOLOG -eq 0 ]; then
if [ -n "${HOST_NAME}" ]; then
display --to LOG --type PLAIN VERSIONLINE2 "${PROGRAM_NAME}" "${PROGRAM_version}" "${HOST_NAME}"
else
display --to LOG --type PLAIN VERSIONLINE3 "${PROGRAM_NAME}" "${PROGRAM_version}"
fi
display --to LOG --type INFO --nl RKH_STARTDATE "`date`"
display --to LOG --type PLAIN --nl CONFIG_CHECK_START
display --to LOG --type INFO OPSYS "${OPERATING_SYSTEM}"
if [ -s "${RKHDAT_FILE}" ]; then
RKHTMPVAR=`grep '^OS:' "${RKHDAT_FILE}" 2>/dev/null | sed -e 's/^OS://'`
if [ -n "${RKHTMPVAR}" ]; then
display --to LOG --type INFO PROPUPD_OSNAME_FOUND "${RKHTMPVAR}"
else
display --to LOG --type INFO UNAME "`uname -a`"
fi
else
display --to LOG --type INFO UNAME "`uname -a`"
fi
display --to LOG --type INFO CONFIG_CMDLINE "${CMD_LINE}"
test $DEBUG_OPT -eq 1 && display --to LOG --type INFO CONFIG_DEBUGFILE "${RKHDEBUGFILE}"
display --to LOG --type INFO CONFIG_ENVSHELL "${SHELL}" "${MYSHELL}"
display --to LOG --type INFO CONFIG_CONFIGFILE "${CONFIGFILE}"
test -n "${LOCALCONFIGFILE}" && display --to LOG --type INFO CONFIG_LOCALCONFIGFILE "${LOCALCONFIGFILE}"
if [ -n "${LOCALCONFIGDIR}" ]; then
test $LOCALCONFDIRCOUNT -eq 1 && RKHTMPVAR="" || RKHTMPVAR="s"
display --to LOG --type INFO CONFIG_LOCALCONFIGDIR "${LOCALCONFIGDIR}" $LOCALCONFDIRCOUNT "${RKHTMPVAR}"
fi
display --to LOG --type INFO CONFIG_INSTALLDIR "${RKHINSTALLDIR}"
display --to LOG --type INFO CONFIG_LANGUAGE "${LANGUAGE}"
display --to LOG --type INFO CONFIG_DBDIR "${DB_PATH}"
display --to LOG --type INFO CONFIG_SCRIPTDIR "${SCRIPT_PATH}"
display --to LOG --type INFO CONFIG_BINDIR "${BINPATHS}"
display --to LOG --type INFO CONFIG_TMPDIR "${RKHTMPDIR}"
if [ $CHECK -eq 1 ]; then
if [ $NOMOW -eq 1 ]; then
display --to LOG --type INFO CONFIG_MOW_DISABLED
elif [ -z "${MAILONWARNING}" ]; then
display --to LOG --type INFO CONFIG_NO_MAIL_ON_WARN
else
display --to LOG --type INFO CONFIG_MAIL_ON_WARN "${MAILONWARNING}" "${MAIL_CMD}"
fi
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
test $AUTO_X_DTCT -eq 1 && display --to LOG --type INFO CONFIG_X_AUTO
test $CLRSET2 -eq 1 && display --to LOG --type INFO CONFIG_CLRSET2
for CMD in ${CMDLIST}; do
RKHTMPVAR=`echo ${CMD} | tr '[:lower:]' '[:upper:]'`
RKHTMPVAR=`eval echo "\\$${RKHTMPVAR}_CMD"`
if [ -n "${RKHTMPVAR}" ]; then
display --to LOG --type INFO FOUND_CMD "${CMD}" "${RKHTMPVAR}"
elif [ -n "`echo \"${DISABLED_CMDS}\" | grep \" ${CMD} \"`" ]; then
display --to LOG --type INFO DISABLED_CMD "${CMD}"
else
display --to LOG --type INFO NOT_FOUND_CMD "${CMD}"
fi
done
test -n "${RKHWEBCMD}" && display --to LOG --type INFO FOUND_CMD "${RKHWEBCMD_BASE}" "${RKHWEBCMD}"
fi
fi
if [ $PROP_UPDATE -eq 1 -o $HASH_CHECK_ENABLED -eq 1 ]; then
if [ -z "${PKGMGR}" -a "${HASH_FUNC}" = "NONE" ]; then
HASH_CHECK_ENABLED=0
DISABLE_TESTS="${DISABLE_TESTS} hashes"
display --to LOG --type INFO HASH_FUNC_DISABLED
fi
if [ $PRELINKED -eq 1 ]; then
display --to LOG --type INFO SYS_PRELINK
display --to LOG --type INFO FOUND_CMD 'prelink' "${PRELINK_CMD}"
if [ -n "${SESTATUS_CMD}" ]; then
display --to LOG --type INFO FOUND_CMD 'sestatus' "${SESTATUS_CMD}"
if [ $SELINUX_ENABLED -eq 1 ]; then
display --to LOG --type INFO SYS_SELINUX
if [ $USE_RUNCON -eq 1 ]; then
display --to LOG --type INFO FOUND_CMD 'runcon' "${RUNCON_CMD}"
else
display --to LOG --type INFO NOT_FOUND_CMD 'runcon'
fi
else
display --to LOG --type INFO SYS_NO_SELINUX
fi
else
display --to LOG --type INFO NOT_FOUND_CMD 'sestatus'
fi
if [ "${HASH_FUNC}" = "NONE" ]; then
if [ -n "${PKGMGR}" ]; then
display --to LOG --type INFO HASH_FUNC_NONE_PKGMGR
else
display --to LOG --type INFO HASH_FUNC_NONE
fi
elif [ -n "${PRELINK_HASH}" ]; then
display --to LOG --type INFO HASH_FUNC_PRELINK "${PRELINK_HASH}"
elif [ -z "`echo \"${HASH_FUNC}\" | egrep -i 'sha1|md5'`" ]; then
SKIP_HASH_MSG=1
else
display --to LOG --type INFO HASH_FUNC "${HASH_FUNC}"
fi
else
display --to LOG --type INFO SYS_NO_PRELINK
if [ "${HASH_FUNC}" = "NONE" ]; then
if [ -n "${PKGMGR}" ]; then
display --to LOG --type INFO HASH_FUNC_NONE_PKGMGR
else
display --to LOG --type INFO HASH_FUNC_NONE
fi
elif [ -n "`echo \"${HASH_FUNC}\" | grep '/filehashsha\.pl '`" ]; then
RKHTMPVAR=`echo "${HASH_FUNC}" | cut -d' ' -f3`
if [ $SHA_SIZE -eq 0 ]; then
display --to LOG --type INFO HASH_FUNC_PERL "${RKHTMPVAR}"
else
display --to LOG --type INFO HASH_FUNC_PERL_SHA "${RKHTMPVAR}" "SHA${SHA_SIZE}"
fi
else
display --to LOG --type INFO HASH_FUNC "${HASH_FUNC}"
fi
fi
if [ -s "${RKHDAT_FILE}" ]; then
if [ "${OLD_HASH_FUNC}" = "Disabled" ]; then
display --to LOG --type INFO HASH_FUNC_OLD_DISABLED
else
display --to LOG --type INFO HASH_FUNC_OLD "${OLD_HASH_FUNC}"
fi
if [ -z "${OLD_PKGMGR}" ]; then
display --to LOG --type INFO HASH_PKGMGR_OLD_UNSET
else
display --to LOG --type INFO HASH_PKGMGR_OLD "${OLD_PKGMGR}"
fi
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO HASH_FIELD_INDEX "$HASH_FLD_IDX"
fi
if [ $PROP_UPDATE -eq 1 ]; then
if ! `check_test hashes` && test $ENDIS_OPT -eq 0; then
display --to LOG --type INFO HASHUPD_DISABLED
elif [ -z "${PKGMGR}" ]; then
if [ $PRELINKED -eq 1 ]; then
if [ -n "${PRELINK_HASH}" ]; then
display --to LOG --type INFO HASHUPD_PKGMGR_NOT_SPEC_PRELINKED "${PRELINK_HASH}"
else
display --to LOG --type INFO HASHUPD_PKGMGR_NOT_SPEC "${HASH_FUNC}"
fi
else
display --to LOG --type INFO HASHUPD_PKGMGR_NOT_SPEC "${HASH_FUNC}"
fi
else
display --to LOG --type INFO HASHUPD_PKGMGR "${PKGMGR}"
case "${PKGMGR}" in
RPM)
display --to LOG --type INFO FOUND_CMD 'rpm' "${RPM_CMD}"
;;
DPKG)
if [ -z "`echo \"${DPKG_CMD}\" | grep '/dpkg$'`" ]; then
display --to LOG --type INFO FOUND_CMD 'dpkg-query' "${DPKG_CMD}"
else
display --to LOG --type INFO FOUND_CMD 'dpkg' "${DPKG_CMD}"
fi
;;
BSD)
display --to LOG --type INFO FOUND_CMD 'pkg_info' "${PKG_CMD}"
;;
BSDNG)
display --to LOG --type INFO FOUND_CMD 'pkg' "${PKG_CMD}"
;;
SOLARIS)
if [ $USE_SUNSUM -eq 1 ]; then
display --to LOG --type INFO HASH_PKGMGR_SUM
display --to LOG --type INFO FOUND_CMD 'sum' "${SUM_CMD}"
fi
;;
esac
fi
fi
if [ $HASH_CHECK_ENABLED -eq 1 ]; then
if [ -z "${PKGMGR}" ]; then
if [ $PRELINKED -eq 1 ]; then
if [ -n "${PRELINK_HASH}" ]; then
display --to LOG --type INFO HASH_PKGMGR_NOT_SPEC_PRELINKED "${PRELINK_HASH}"
else
display --to LOG --type INFO HASH_PKGMGR_NOT_SPEC "${HASH_FUNC}"
fi
else
display --to LOG --type INFO HASH_PKGMGR_NOT_SPEC "${HASH_FUNC}"
fi
else
display --to LOG --type INFO HASH_PKGMGR "${PKGMGR}"
if [ $VERBOSE_LOGGING -eq 1 ]; then
case "${PKGMGR}" in
RPM)
display --to LOG --type INFO FOUND_CMD 'rpm' "${RPM_CMD}"
;;
DPKG)
if [ -z "`echo \"${DPKG_CMD}\" | grep '/dpkg$'`" ]; then
display --to LOG --type INFO FOUND_CMD 'dpkg-query' "${DPKG_CMD}"
else
display --to LOG --type INFO FOUND_CMD 'dpkg' "${DPKG_CMD}"
fi
display --to LOG --type INFO HASH_PKGMGR_MD5 "${PKGMGR_MD5_HASH}"
;;
BSD)
display --to LOG --type INFO FOUND_CMD 'pkg_info' "${PKG_CMD}"
display --to LOG --type INFO HASH_PKGMGR_MD5 "${PKGMGR_MD5_HASH}"
;;
BSDNG)
display --to LOG --type INFO FOUND_CMD 'pkg' "${PKG_CMD}"
display --to LOG --type INFO HASH_PKGMGR_SHA "${PKGMGR_SHA_HASH}"
;;
SOLARIS)
if [ $USE_SUNSUM -eq 1 ]; then
display --to LOG --type INFO HASH_PKGMGR_SUM
display --to LOG --type INFO FOUND_CMD 'sum' "${SUM_CMD}"
fi
;;
esac
fi
fi
fi
fi
RKHTMPVAR=0
test $CHECK -eq 1 && `check_test attributes` && RKHTMPVAR=1
if [ $RKHTMPVAR -eq 1 ]; then
if [ "${OLD_ATTRUPD}" = "Disabled" ]; then
display --to LOG --type INFO ATTRUPD_OLD_DISABLED
elif [ "${OLD_ATTRUPD}" = "Nostatcmd" ]; then
display --to LOG --type INFO ATTRUPD_OLD_NOSTATCMD
else
display --to LOG --type INFO ATTRUPD_OLD_OK
fi
fi
if [ $PROP_UPDATE -eq 1 ]; then
if ! `check_test attributes` && test $ENDIS_OPT -eq 0; then
display --to LOG --type INFO ATTRUPD_DISABLED
elif [ -z "${STAT_CMD}" ]; then
display --to LOG --type INFO ATTRUPD_NOSTATCMD
else
display --to LOG --type INFO ATTRUPD_OK
fi
fi
if [ $CHECK -eq 1 ]; then
display --to LOG --type INFO ENABLED_TESTS "${ENABLE_TESTS}"
display --to LOG --type INFO DISABLED_TESTS "${DISABLE_TESTS}"
fi
if `check_test properties` || test $PROP_UPDATE -eq 1; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
if [ -n "${USER_FILE_LIST}" ]; then
display --to LOG --type INFO USER_FILE_LIST
IFS=$IFSNL
for FNAME in ${USER_FILE_LIST}; do
display --to LOG --type PLAIN --log-indent 6 NAME "`name2text \"${FNAME}\"`"
done
IFS=$RKHIFS
fi
if [ $VERBOSE_LOGGING -eq 1 -a -n "${USER_SIMPLE_FILE_LIST}" ]; then
display --to LOG --type INFO USER_CMD_LIST
IFS=$IFSNL
for FNAME in ${USER_SIMPLE_FILE_LIST}; do
display --to LOG --type PLAIN --log-indent 6 NAME "`name2text \"${FNAME}\"`"
done
IFS=$RKHIFS
fi
if [ $VERBOSE_LOGGING -eq 1 -a -n "${USER_DIR_LIST}" ]; then
display --to LOG --type INFO USER_DIR_LIST
IFS=$IFSNL
for FNAME in ${USER_DIR_LIST}; do
display --to LOG --type PLAIN --log-indent 6 NAME "`name2text \"${FNAME}\"`"
done
IFS=$RKHIFS
fi
if [ -n "${USER_EXCLUDE_PROP}" ]; then
display --to LOG --type INFO USER_EXCLUDE_PROP
IFS=$IFSNL
for FNAME in ${USER_EXCLUDE_PROP}; do
display --to LOG --type PLAIN --log-indent 6 NAME "`name2text \"${FNAME}\"`"
done
IFS=$RKHIFS
fi
fi
fi
if [ $UPDATE -eq 1 -o $VERSIONCHECK -eq 1 ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
if [ $ROTATE_MIRRORS -eq 0 ]; then
display --to LOG --type INFO CONFIG_NO_ROTATE_MIRRORS
else
display --to LOG --type INFO CONFIG_ROTATE_MIRRORS
fi
if [ $MIRRORS_MODE -eq 0 ]; then
display --to LOG --type INFO CONFIG_MIRRORS_MODE0
elif [ $MIRRORS_MODE -eq 1 ]; then
display --to LOG --type INFO CONFIG_MIRRORS_MODE1
else
display --to LOG --type INFO CONFIG_MIRRORS_MODE2
fi
if [ $UPDATE -eq 1 ]; then
if [ $UPDATE_MIRRORS -eq 0 ]; then
display --to LOG --type INFO CONFIG_NO_UPDATE_MIRRORS
else
display --to LOG --type INFO CONFIG_UPDATE_MIRRORS
fi
fi
fi
fi
if [ $NOLOG -eq 0 ]; then
test $CHECK -eq 0 -o $SHOW_SUMMARY -eq 0 && display --to LOG --type INFO CONFIG_LOG_FILE "${RKHLOGFILE}"
if [ $VERBOSE_LOGGING -eq 0 ]; then
display --to LOG --type INFO CONFIG_NO_VL
else
test $APPEND_LOG -eq 1 && display --to LOG --type INFO CONFIG_APPEND_LOG
test $COPY_LOG_ON_ERROR -eq 1 && display --to LOG --type INFO CONFIG_COPY_LOG
fi
fi
if [ $CHECK -eq 1 ]; then
if [ -n "${KSYMS_FILE}" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO KSYMS_FOUND "${KSYMS_FILE}"
fi
if [ ! -r "${KSYMS_FILE}" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO KSYMS_UNAVAIL "${KSYMS_FILE}"
fi
KSYMS_FILE=""
fi
elif [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO KSYMS_MISSING
fi
if [ $SHOW_SUMMARY -eq 0 -a $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO CONFIG_NO_SHOW_SUMMARY
fi
#
# To use syslog we must have the logger command present.
#
if [ -n "${USE_SYSLOG}" ]; then
if [ "${USE_SYSLOG}" = "none" ]; then
USE_SYSLOG=""
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO SYSLOG_DISABLED
fi
else
LOGGER_CMD=`find_cmd logger`
if [ -n "${LOGGER_CMD}" ]; then
if [ $VERBOSE_LOGGING -eq 1 ]; then
display --to LOG --type INFO SYSLOG_ENABLED "${USE_SYSLOG}"
display --to LOG --type INFO FOUND_CMD 'logger' "${LOGGER_CMD}"
fi
else
USE_SYSLOG=""
display --to LOG --type INFO SYSLOG_NO_LOGGER
fi
fi
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
if [ "${EPOCH_DATE_CMD}" = "NONE" ]; then
:
elif [ -n "${EPOCH_DATE_CMD}" ]; then
display --to LOG --type INFO FILE_PROP_EPOCH_DATE_CMD "${EPOCH_DATE_CMD}"
elif [ -n "${PERL_CMD}" ]; then
display --to LOG --type INFO FILE_PROP_EPOCH_DATE_CMD "${PERL_CMD}"
fi
fi
#
# If the user wants to run the file properties checks, and the
# rkhunter.dat file exists, then check the O/S info. If the
# rkhunter.dat file does not exist, then this will be logged
# later on.
#
if `check_test properties`; then
if [ -s "${RKHDAT_FILE}" ]; then
#
# We perform a simple check on some of the stored
# O/S information, and compare it to the current
# info. Basically we are just seeing if the system
# has changed at all because it could affect the
# file properties checks.
#
rkh_dat_get_os_info
check_os_info
fi
fi
fi
if [ $VERBOSE_LOGGING -eq 1 ]; then
if [ $USE_LOCKING -eq 1 ]; then
display --to LOG --type INFO LOCK_USED "$LOCK_TIMEOUT"
display --to LOG --type INFO LOCK_DIR "${LOCKDIR}"
else
display --to LOG --type INFO LOCK_UNUSED
fi
fi
######################################################################
#
# Start of program actions and checks
#
######################################################################
#
# We can now start to run the actions the user has requested on
# the command-line. We run the update type commands first before
# doing any full system check.
#
#
# The user wants to update the O/S and the file properties data.
#
test $PROP_UPDATE -eq 1 && do_prop_update
#
# The user wants to update the supplied RKH *.dat files.
#
test $UPDATE -eq 1 && do_update
#
# The user wants to check for the latest program version.
#
test $VERSIONCHECK -eq 1 && do_versioncheck
#
# The user wants to check the local system for anomalies.
#
test $CHECK -eq 1 -o $ENDIS_OPT -eq 1 && do_system_check
#
# If there were errors or warnings, and the
# log file is to be copied, then log it.
#
COPIEDLOG=""
if [ $RET_CODE -gt 0 -o $WARNING_COUNT -gt 0 ]; then
if [ $COPY_LOG_ON_ERROR -eq 1 -a $NOLOG -eq 0 ]; then
COPIEDLOG="${RKHLOGFILE}.`date +%Y-%m-%d_%H:%M:%S`"
display --to LOG --type INFO --nl SUMMARY_LOGFILE_COPIED "${COPIEDLOG}"
fi
fi
display --to LOG --type INFO --nl RKH_ENDDATE "`date`"
#
# Now actually copy the log file.
#
test -n "${COPIEDLOG}" && cp -p "${RKHLOGFILE}" "${COPIEDLOG}"
#
# If the user asked to see the logfile, then show it.
#
test $CATLOGFILE -eq 1 && cat "${RKHLOGFILE}"
IFS=$ORIGIFS
exit $RET_CODE