From 51edd0594c34949c7681e695e52961eb5f61ac4e Mon Sep 17 00:00:00 2001
From: Eugeni Dodonov
Date: Thu, 25 Jun 2009 19:31:42 +0000
Subject: Redesigned auditing code, added support for plugins and better logging.
---
 cron-sh/scripts/04_rootkit.sh | 49 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100755 cron-sh/scripts/04_rootkit.sh
(limited to 'cron-sh/scripts/04_rootkit.sh')
diff --git a/cron-sh/scripts/04_rootkit.sh b/cron-sh/scripts/04_rootkit.sh
new file mode 100755
index 0000000..b83e727
--- /dev/null
+++ b/cron-sh/scripts/04_rootkit.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+# msec: rootkit security check
+
+# check if we are run from main script
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+ # variables are set in security.sh and propagated to the subscripts
+ echo "Error: this check should be run by the main msec security check!"
+ echo " do not run it directly unless you know what you are doing."
+ return 1
+fi
+
+export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.today"
+CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.yesterday"
+CHKROOTKIT_DIFF="/var/log/security/chkrootkit.diff"
+
+### chkrootkit checks
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+ if [ -x /usr/sbin/chkrootkit ]; then
+ # do not check on NFS
+ /usr/sbin/chkrootkit -n ${CHKROOTKIT_OPTION} > ${CHKROOTKIT_TODAY}
+ fi
+fi
+
+### chkrootkit checks
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+
+ if [[ -s ${CHKROOTKIT_TODAY} ]]; then
+ printf "\nChkrootkit report:\n" >> ${SECURITY}
+ cat ${CHKROOTKIT_TODAY} >> ${SECURITY}
+ fi
+fi
+
+### Changed chkrootkit
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+
+ if [[ -f ${CHKROOTKIT_YESTERDAY} ]]; then
+ diff -u ${CHKROOTKIT_YESTERDAY} ${CHKROOTKIT_TODAY} 1> ${CHKROOTKIT_DIFF}
+ if [ -s ${CHKROOTKIT_DIFF} ]; then
+ printf "\nSecurity Warning: There are modifications for chkrootkit results :\n" >> ${DIFF}
+ grep '^+' ${CHKROOTKIT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Added : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${CHKROOTKIT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Removed : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+fi
+
-- cgit v1.2.1
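Review bot: The `printf "\t\t- Added : ${file}\n"` and `printf "\t\t- Removed : ${file}\n"` lines near the end of the hunk use chkrootkit output as the printf format string, so a backslash sequence in a reported path or process name — text that whoever planted the suspicious file got to choose — is interpreted by printf, and the preceding `sed -e 's/%/%%/g'` only neutralises `%` (plain `read` also strips backslashes and trims whitespace from the very names the report is meant to show). Pass the data as an argument instead, `... | sed 's|^.||' | while IFS= read -r file; do` with `printf '\t\t- Added : %s\n' "$file"`, mirror it in the Removed loop, and drop the `%` escaping sed. Separately, the guard at the top of the script ends with `return 1`, which only stops the script when security.sh sources it; if these subscripts are executed (the file is created 0755 with a shebang), bash reports an error and carries on past the guard with the variables unset, so `return 1 2>/dev/null || exit 1` covers both cases. The unquoted `${CHKROOTKIT_OPTION}`, `${CHKROOTKIT_TODAY}` and `${DIFF}` expansions and the deprecated `-o` in `[ ... ]` are the usual ShellCheck findings and should be quoted at the same time.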