authorEugeni Dodonov <eugeni@mandriva.org>2009-06-25 19:31:42 +0000
committerEugeni Dodonov <eugeni@mandriva.org>2009-06-25 19:31:42 +0000
commit51edd0594c34949c7681e695e52961eb5f61ac4e (patch)
treefe01f3347899e6f206803c0850ef17622251bd9c /cron-sh/scripts/04_rootkit.sh
parentc0fe6aeecc246ef9a514fe34c1095d7fc6ef39a8 (diff)
Redesigned auditing code, added support for plugins and better logging.
Diffstat (limited to 'cron-sh/scripts/04_rootkit.sh')
-rwxr-xr-xcron-sh/scripts/04_rootkit.sh49
1 files changed, 49 insertions, 0 deletions
diff --git a/cron-sh/scripts/04_rootkit.sh b/cron-sh/scripts/04_rootkit.sh
new file mode 100755
index 0000000..b83e727
--- /dev/null
+++ b/cron-sh/scripts/04_rootkit.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+# msec: rootkit security check
+
+# check if we are run from main script
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+ # variables are set in security.sh and propagated to the subscripts
+ echo "Error: this check should be run by the main msec security check!"
+ echo " do not run it directly unless you know what you are doing."
+ return 1
+fi
+
+export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.today"
+CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.yesterday"
+CHKROOTKIT_DIFF="/var/log/security/chkrootkit.diff"
+
+### chkrootkit checks
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+ if [ -x /usr/sbin/chkrootkit ]; then
+ # do not check on NFS
+ /usr/sbin/chkrootkit -n ${CHKROOTKIT_OPTION} > ${CHKROOTKIT_TODAY}
+ fi
+fi
+
+### chkrootkit checks
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+
+ if [[ -s ${CHKROOTKIT_TODAY} ]]; then
+ printf "\nChkrootkit report:\n" >> ${SECURITY}
+ cat ${CHKROOTKIT_TODAY} >> ${SECURITY}
+ fi
+fi
+
+### Changed chkrootkit
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+
+ if [[ -f ${CHKROOTKIT_YESTERDAY} ]]; then
+ diff -u ${CHKROOTKIT_YESTERDAY} ${CHKROOTKIT_TODAY} 1> ${CHKROOTKIT_DIFF}
+ if [ -s ${CHKROOTKIT_DIFF} ]; then
+ printf "\nSecurity Warning: There are modifications for chkrootkit results :\n" >> ${DIFF}
+ grep '^+' ${CHKROOTKIT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Added : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${CHKROOTKIT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Removed : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+fi
+
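Review bot: The two report lines `printf "\t\t- Added : ${file}\n"` and `printf "\t\t- Removed : ${file}\n"` use chkrootkit's output as the printf format string; the `sed -e 's/%/%%/g'` stage only neutralises `%`, so a backslash sequence in a reported path still reaches the format (`\c`, for instance, truncates the output), and `read file` without `-r` rewrites backslashes before that. Pass the data as an argument instead, `printf '\t\t- Added : %s\n' "$file"` fed by `while IFS= read -r file`, and the `%%` sed stage can then be dropped. Separately, the guard's `return 1` only stops the script if the main check sources this file; if it is executed (the file has a shebang and mode 100755), bash reports that `return` is only valid in a function or sourced script and continues with the empty variables, so `return 1 2>/dev/null || exit 1` with the two messages sent to `>&2` would make the guard effective either way. The three `if [[ ${CHECK_CHKROOTKIT} == yes ]]` blocks could also be merged, since nothing between them changes the condition.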