######################################################################
                              CHANGELOG
######################################################################

!! Important notices !!:

- Dates in this file are formatted as DD/MM/YYYY (European format)
- The rkhunter configuration file (default /etc/rkhunter.conf) will not be overwritten when using the rkhunter installer. Be sure you compare your existing configuration file against the one delivered in this package, in order to optimize the file for your machine.

--

* 1.3.2 (27/02/2008)

New:
- Added support for the socklog and rsyslog (syslog) daemons.
- Added support for IRIX/IRIX64 systems.
- If the user wishes to force RKH to use the supplied 'stat' or 'readlink' scripts, then this can be set in the configuration file. The options STAT_CMD and READLINK_CMD, respectively, can be given the value of BUILTIN to achieve this. For the 'stat' script, perl must be present.

Changes:
- Improved the 'unsupported language' error message so that the user is told exactly what command to run in order to see the list of supported languages. Added a similar comment in the configuration file.
- Errors from applications during the application version check are now mostly ignored. Improved checking that a valid version has been found.
- The ALLOW_SSH_ROOT_USER and ALLOW_SSH_PROT_V1 options in the configuration file can now be set to 'unset' and '2' respectively. These values indicate that the SSH configuration file has no specific value set for the corresponding SSH option ('PermitRootLogin' and 'Protocol'). RKH will show the test result in green and as 'Not set'.
- Application names, in the application check, can now be completely whitelisted. Previously only specific versions were whitelisted, and RKH had to run the application to find the version. By whitelisting the application completely, RKH does not have to run it.
- The use of the 'pflog' network interface is now checked for on all *BSD systems (not just OpenBSD).
- Allow i18n language filenames to contain characters other than just letters.

Bugfixes:
- Scanning the /dev directory in LAZY mode corrupted the pathname being tested. Also, RKH now handles filenames (in /dev) with spaces correctly.
- During the test of files in /dev, MAKEDEV was not being automatically whitelisted if it exists as an actual file (not a symlink).
- Ensure the suspscan test removes any files it creates.
- The MAIL-ON-WARNING configuration file option and the --no-verbose-logging command-line option are now only logged if the system is being checked.
- Root equivalent and passwordless account names are now shown correctly. Previously, names which contained spaces, for example if the account had been manually commented out, were only shown up to the first space character.
- Whitelisted passwordless account names are now logged.
- Suspscan warnings were being ignored by the rkhunter summary and return code.
- Corrected obtaining process names in Solaris for the network ports and deleted files tests. Previously they did not report the name correctly, if at all.
- Use of the '--debug' option with the Korn shell was not working correctly.
- Reset the SIGPIPE handler to its default to avoid pipe output errors.
- Language files may contain backticks. These are now escaped during processing.
- Unset the MANPATH in the spec file to allow the RPM to be built on OpenSuSE systems.
- The hidden files/directories test would try to run even if no 'file' command was present.
- Cater for *BSD systems using the fdesc/fdescfs filesystem on /dev/fd.

--

* 1.3.0 (22/09/2007)

New:
- Created an ACKNOWLEDGMENTS file.
- Added configuration file option MAIL_CMD when MAIL-ON-WARNING is used. This can specify the 'mail' command to use and the subject line.
- The log file can be appended to. This can be set in the config file or by using the --append-log command line option.
- A second colour set has been added for users using rkhunter with black characters on a white screen.
  The command-line option --cs2 will enable it.
- Added a special config file and command-line option, -x/-X, to detect if X is in use. If detected, then the second colour set will be used.
- Added the '--propupd' option. This allows a user to create the rkhunter.dat file. This file contains the O/S name, file hash values and other bits of information. If the file hash values change, perhaps due to new versions of software, then the user simply runs rkhunter with the option again. If the user has not run rkhunter with this option, then the file properties checks are skipped. This option obsoletes the 'hashupd.sh' script previously recommended to users. If use of the '--propupd' option is suggested by the program, then the log file will contain a warning message to the user that they must ensure that the commands checked on their system have been installed and verified as being genuine. The file properties check consists of two main parts: the file attributes (permissions, uid etc.), and the hash value. Both are stored in rkhunter.dat. Either part, or both, can be disabled using the '--disable' option.
- Added the '--hash' command-line option, and the HASH_FUNC option to the configuration file. This allows a user to select the hash function command they want to use for the file hash value check and the properties update. By default SHA1 will be used, or MD5 if SHA1 cannot be found. For prelinked systems the function must be either MD5 or SHA1. A value of NONE can be used to disable the hash check or to stop the hash values being recorded in the rkhunter.dat file.
- Added the HASH_FLD_IDX option to the configuration file. This specifies the field of the HASH_FUNC command output which contains the hash value. A default of 1 is used, except for *BSD systems where 4 will be used.
- The files for the file hash checks are now 'looked for'. The code will search the command directories, and check the relevant files in all the directories. Additional commands and directories are used for Solaris, Mac OS X, NetBSD and FreeBSD systems. Overall more commands will be checked.
- Added support for Ubuntu, and the 'dash' and 'ash' shells.
- If the O/S name, architecture or prelinking status changes from one rkhunter run to the next, then a warning message is written to the log file and the file properties prerequisite check will fail. The change may well cause the file hash checks to show false positives. (The user should rerun rkhunter with the --propupd option.)
- Rkhunter will now check that certain commands are present before starting any checks. This avoids spurious 'command not found' type messages suddenly appearing.
- Added basic internationalization (i18n) functionality. The messages displayed during test processing are obtained from an indexed file. This file can be translated into other languages, keeping the index the same. To see which languages are provided use the new '--list languages' option. Chinese translation provided.
- Added two new command-line and configuration file options, '--enable' and '--disable', to specify which tests are to be carried out and which are to be ignored. Use of either option will automatically assume '--check'.
- To list the available test names, use the new '--list tests' option.
- The '--update' and '--versioncheck' options can now use commands other than wget to download files. Supported commands are now wget, curl, elinks, links, lynx, bget and GET. Once a command has been found, it will be used for all downloads. Since bget and GET are perl commands, checks will be made that any required perl modules are also present on the system.
- (SF Tracker 1616395) Added the '--syslog' cli option and the configuration file option USE_SYSLOG. This will allow the --check option start and finish time to be logged via syslog. The facility/priority are user configurable.
- Added the --debug cli option, and allow commands to be configured in the configuration file. Both of these additions are for the developers, but may be used when debugging user problems.
- Added command-line options '--summary/--nosummary' (--ns). These control whether the system checks summary is shown. By default it is shown. The '--summary' option, as well as the '--report-warnings-only' option, will override the '--quiet' option if they are specified. However, no other information will be displayed if '--quiet' is used.
- Added SunOS SInAR rootkit check.
- Added '--verbose-logging/--no-verbose-logging' options. This cuts down on some of the logging for some of the tests. By default verbose logging is enabled.
- The inetd and xinetd configuration file pathnames can now be specified in the rkhunter configuration file. Also, enabled inetd and xinetd services can now be whitelisted.
- Added support for the Solaris 10 inetd mechanism (inetadm).
- The directory containing the SSH configuration file can now be specified in the rkhunter config file.
- The pathname to the syslog configuration file can now be specified in the rkhunter config file.
- The use of syslog remote logging can be allowed in the configuration file.
- The pathnames to the local system startup file (rc.local), and the startup directory (/etc/rc.d), can now be specified in the rkhunter config file.
- Files in /dev can now be whitelisted.
- Application version numbers can now be whitelisted. This caters for those distributions that may patch a 'known bad' version, but without updating the original version number.
- Added 'suspscan' to the malware tests. Suspscan attempts to scan files in directories containing temporary files for signs of malicious activity, and could be of use on (publicly accessible) web servers running, for instance, PHP-based applications. Please note that in its current state suspscan is prone to reporting false positives, and is CPU and I/O intensive to boot. Therefore suspscan is disabled by default. Please do not enable suspscan unless you have good reasons to use it. Review the settings in the configuration file, and test before deploying it on production servers.
- Added the command-line option '--pkgmgr', and the configuration file option PKGMGR. These provide support for package managers when using the '--propupd' and '--check' options. Currently supported package managers are 'RPM' for RedHat/RPM-based systems, 'DPKG' for Debian-based systems, and 'BSD' for *BSD systems. Additionally, 'NONE' can be used to indicate that no package manager is to be used. The default is 'NONE'. See the README file for more details.
- It is now possible to configure rkhunter to use local or remote mirrors, rather than just the SourceForge one. This applies when either the '--update' or the '--versioncheck' option is used. The default is to use all defined mirrors. The README file has more details about this.
- It is possible to configure rkhunter to not rotate the mirrors.dat file. It is also possible to configure the mirrors file not to be updated when the '--update' option is used. Both of these options can be useful when defining local mirrors. The README file has more details about this.
- Added a file size check to the file properties checks. This will only occur for non-prelinked files, files not part of a package, or packaged files when the RPM package manager is being used.
- Network ports listed in the backdoorports.dat file can now be whitelisted. Specific protocol/port pairs, or pathnames to allowed executables, may be used. Additionally, an asterisk may be used to indicate that trusted pathnames will be allowed. The configuration file has more details about this.
- The O/S 'release' file pathname may now be configured. This option should only be necessary for those systems on which rkhunter cannot automatically determine the O/S name or version.
- Rootkit files and directories, including those with spaces, may now be whitelisted in the configuration file.

Changes:
- Improved command-line and config file option checking.
- The log file is now created by default; it can be disabled in the config file or by using the --nolog command line option. The log file is created with permissions 600.
- The log file cannot be a symlink.
- Multiple recipients may be specified with the MAIL-ON-WARNING config option.
- Added BINDIR and ROOTDIR options to the config file.
- Split out the README file into README and FAQ files.
- Solaris will now use the bash shell if available.
- Expanded the command PATH used to include the /opt/sfw and /usr/sfw directories for Solaris users.
- Expanded the command PATH used to include the /usr/pkg directory for NetBSD users.
- Expanded the command PATH used to include the /System/Links/Executables directory for GoboLinux users.
- Versioncheck now checks the versions numerically.
- The HASHWHITELIST configuration file option has been removed. It is no longer required because users can now create their own file of hash values using the '--propupd' option.
- The '--checkall' option has been changed to '--check'. The old option is still recognised, but will be deprecated at some time.
- If a logfile is to be written, but not appended to, then the old log file is now moved to '<logfile name>.old'. The same happens to the rkhunter.dat file if the --propupd option is used.
- The previous 'known good' hash check now also checks the file's inode, uid, gid, permissions and modification date/time for any changes. The latter is only for non-prelinked systems. As before, in all cases, the file hash is checked. (This is now the file properties check.)
- Improved the O/S detection mechanism. Rather than requiring users to send us details, rkhunter actively looks at the 'release' file(s) to find the O/S name. Included support for some lesser-known Linuxes: GoboLinux, Lunar Linux, Rock Linux, Source Mage Linux, Kanotix, Sidux and Zenwalk.
- If the --propupd or --update options are used, as well as the system check option --check, then the update checks are performed before the system is checked. Previously the update occurred after the system was checked.
- Hidden file search now checks /usr/share/man directories.
- Improved NetBSD support.
- The supplied perl scripts, providing the stat, md5 and sha1 commands, can now be executed without perl being in the default directory (/usr/bin).
- If a perl script is to be used, then a check is made that the required modules are installed on the system. If they are not, then it is treated the same as if perl was not present.
- Included the /usr/share/man directories when looking for hidden files.
- Check for symbol entries in the kallsyms file if ksyms does not exist.
- Enabled the sockstat/netstat test for all BSD variants (not just FreeBSD).
- Enabled the backdoor port test for all systems which have either the 'lsof' or 'netstat' command. However, if the netstat syntax is not understood on the O/S, then an error is shown. (The user can configure the test to be disabled to avoid the error.)
- The TMPDIR configuration option and --tmpdir command-line option cannot be set to /tmp or /var/tmp because files will be copied and left there. It cannot be set to /etc either because files will be deleted from there.
- Removed the '--scan-knownbad-files' option. This test was considered to be obsolete.
- Removed the '--disable-md5-check' option. This is now the 'hashes' test name, and can be disabled by the '--disable' option.
- Removed the '--allow-ssh-root-user' option from the command-line. This can still be set/unset in the configuration file. This option must now be set to the value of the 'PermitRootLogin' option in the SSH config file. This then allows root access to be set, but will check to see if the option has changed. A default value of "no" is used.
- The --rootdir/ROOTDIR configuration option has been changed to be more intuitive. Previously the specified ROOTDIR had to end in a slash (e.g. '/abc/'). Now this is not necessary; a normal directory name can be used (e.g. '/abc').
- The '--versioncheck' option now rotates the mirror file. It also assumes program defaults if the mirror file is missing or empty, or if no mirrors are found within it. Additionally, if the URL is missing from the configuration file, then a program default is used. This allows the option to work even if the files have become a bit corrupt. Any missing files or mirrors are logged to the log file. If a mirror fails, then the next mirror is used, until all the mirrors have been tried. Only then is a failure message displayed, and the return code set. The return code will be set to 0 if no error occurred, 1 if an error did occur, and 2 if no error occurred but a new version is available.
- The '--update' option will use a default mirror if the mirror file is missing or empty. If a mirror fails then the next mirror is used. If a file has become corrupted such that the version number cannot be read, then a new copy will be downloaded. The return code will be set for this function. It will take the value of 0 for no error, 1 for an error, and 2 for no error but an update has occurred. This allows a user to use the --quiet option, but still check the return code.
- The version numbering of the '.dat' database files has changed. This makes them incompatible with previous versions of rkhunter, and as such files from previous versions will be overwritten if used with this version.
- The displayed output and logged output are now similar. This makes checking the log file easier when looking for specific tests. The log file will, of course, log more information than is displayed on the screen.
- The script replacement check now checks for any type of script (perl, awk, etc.). Previous versions only checked for shell scripts. Commands which are supposed to be scripts can be whitelisted in the configuration file. The 'rkhunter' command itself is an exception, and the check will ensure that 'rkhunter' is a shell script. The script check will be automatically skipped if a package manager is being used, and the file has already passed the file size and hash checks.
- The file permissions check has been improved to check if 'other' has the 'w' bit set. Previous versions only checked if '777' ('rwxrwxrwx') was set. Merged this into the file properties checks. Soft links are ignored, as are packaged files when the RPM package manager is used.
- The '--report-mode' option has been removed. It was not seen as being useful, and combinations of the other options will provide the same, if not better, reporting.
- The xinetd.conf check now handles the 'include' directive. It also now handles the 'includedir' directive in all files, and not just in the initial xinetd configuration file.
- The '--display-logfile' option can now be used after any option. Previously the log file was only shown after checking the system.
- The checks on accounts and the password and shadow files have been improved. The user can configure the pathname to the password and shadow files, as well as being able to whitelist accounts with no password or which are root equivalent. *BSD support improved.
- Improved the hidden files and directories checks. Some directories are now searched more thoroughly, and checks against the file type are more robust.
- The Apache backdoor test now looks in more places.
- The application version check no longer checks against known 'good' versions. Only a file of bad versions is kept. The previous method was impossible to maintain.
- Enabled the immutable file test for *BSD systems.
- Soft (symbolic) links for files and directories are now handled correctly. Previously the link was dealt with, but not what it pointed to. Soft links are dealt with when using the '--propupd' command, and when running the file properties checks. For those systems with no 'readlink' command (e.g. Solaris), or those in which readlink does not understand the '-f' option (e.g. NetBSD), a shell script is now provided to support this.
- The RPM spec file and installer now cater for x86_64 machines. Removing the RPM now more fully removes RKH; only the rkhunter.conf file should remain.

Bugfixes:
- Command-line options requiring an argument now work correctly under Solaris.
- The -h/--help option now works as expected.
- The 'ignoKit rootkit' check was not checking all the required files.
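The 1.3.0 entries for '--propupd', HASH_FUNC/HASH_FLD_IDX and the file properties check describe one mechanism: record each command's attributes (inode, uid, gid, permissions, mtime, size) and hash into rkhunter.dat, then compare on every '--check' and warn on any difference. The script below is an added example written for this changelog, not rkhunter's own code. It assumes GNU coreutils ('sha1sum' and 'stat -c'); the tab-separated baseline layout, the propdb_* function names and the sample files are constructed for the example. It generalizes the page's HASH_FLD_IDX idea by letting any hashing command be used as long as the right output field is named, and honours HASH_FUNC=NONE as the page describes.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a minimal file-properties
# baseline ('--propupd') and check ('--check'). Assumes GNU coreutils
# ('sha1sum', 'stat -c'). Baseline layout and propdb_* names are
# constructed for this example.

# Which command produces the hash, and which whitespace-separated field
# of its output holds the hash value: 1 for "HASH  file" style output
# (sha1sum), 4 for the *BSD "SHA1 (file) = HASH" style.
HASH_FUNC="${HASH_FUNC:-sha1sum}"
HASH_FLD_IDX="${HASH_FLD_IDX:-1}"
TAB="$(printf '\t')"

# Hash of one file, or the literal NONE when hashing is disabled.
propdb_hash() {
    if [ "$HASH_FUNC" = NONE ]; then
        echo NONE
    else
        "$HASH_FUNC" "$1" | awk -v idx="$HASH_FLD_IDX" '{ print $idx }'
    fi
}

# Attributes of one file: inode uid gid permissions mtime size.
propdb_attrs() {
    stat -c '%i %u %g %a %Y %s' "$1"
}

# propdb_update BASELINE FILE... : (re)create the baseline with one
# tab-separated record per file: path, attributes, hash.
propdb_update() {
    db="$1"; shift
    : > "$db"
    for f in "$@"; do
        printf '%s\t%s\t%s\n' "$f" "$(propdb_attrs "$f")" "$(propdb_hash "$f")" >> "$db"
    done
}

# propdb_check BASELINE : compare every recorded file with its current
# state. Prints one line per difference; returns 1 if anything differs
# or a file has gone missing, 0 if everything matches the baseline.
propdb_check() {
    db="$1"; rc=0
    while IFS="$TAB" read -r f attrs hash; do
        if [ ! -e "$f" ]; then
            echo "MISSING: $f"; rc=1; continue
        fi
        cur_attrs="$(propdb_attrs "$f")"
        if [ "$cur_attrs" != "$attrs" ]; then
            echo "ATTRS CHANGED: $f ($attrs -> $cur_attrs)"; rc=1
        fi
        cur_hash="$(propdb_hash "$f")"
        if [ "$cur_hash" != "$hash" ]; then
            echo "HASH CHANGED: $f"; rc=1
        fi
    done < "$db"
    return "$rc"
}

# propdb_demo : baseline two constructed files, confirm a clean check,
# then tamper (content change on one, permission change on the other)
# and confirm the check fails. Returns 0 if both outcomes are as expected.
propdb_demo() {
    dir="$(mktemp -d)"
    printf 'genuine binary\n' > "$dir/ls"
    printf 'genuine library\n' > "$dir/libc"
    propdb_update "$dir/rkhunter.dat" "$dir/ls" "$dir/libc"
    propdb_check "$dir/rkhunter.dat" || { rm -rf "$dir"; return 1; }
    printf 'trojaned binary\n' > "$dir/ls"   # size and hash change
    chmod 0777 "$dir/libc"                    # 'other' gains the w bit
    if propdb_check "$dir/rkhunter.dat"; then
        rm -rf "$dir"; return 1               # tampering went unnoticed
    fi
    rm -rf "$dir"
    return 0
}

propdb_demo && echo "demo: baseline clean, tampering detected"
```

The baseline is only as trustworthy as the files it was taken from, which is the point of the warning the page says '--propupd' writes to the log: run the update only on commands known to be genuine, and keep rkhunter.dat itself out of reach of anyone who could alter the commands it describes.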