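#
    MCMD=`echo "${MAIL_CMD}" | cut -d' ' -f1`
    MC=`find_cmd ${MCMD}`
    if [ -n "${MC}" ]; then
        #
        # We rebuild the command to use the full pathname.
        #
        MCMD=`echo "${MAIL_CMD}" | cut -d' ' -f2-`
        if [ -z "${MCMD}" -o "${MCMD}" = "${MAIL_CMD}" ]; then
            MAIL_CMD=$MC
        else
            MAIL_CMD="${MC} ${MCMD}"
        fi
    else
        echo "Invalid MAIL_CMD configuration option - command '${MCMD}' is non-existent or not executable."
        exit 1
    fi
fi
return
}


#######################################
# Test whether a name appears, as a whole word, in a whitespace-
# separated list. This replaces the former egrep "(^| )name( |$)"
# matching, where a name taken from the command-line or the
# configuration file was interpolated into the pattern unescaped, so
# a value containing regex metacharacters (e.g. '.*') could satisfy
# the "known test name" check without being a known test.
# Arguments: $1 - name to look for
#            $2 - whitespace-separated list of names
# Returns:   0 if the name is in the list, 1 otherwise
#######################################
rkh_name_in_list() {
    for RKHLISTITEM in $2; do
        if [ "${RKHLISTITEM}" = "$1" ]; then
            return 0
        fi
    done
    return 1
}


get_syslog_option() {
    #
    # Determine whether syslog is to be used, either from the
    # command-line (USE_SYSLOG already set) or from the configuration
    # file, and validate the 'facility.priority' value.
    #
    # Globals: USE_SYSLOG (read/written), SYSLOG_F and SYSLOG_P (written),
    #          RKHTMPVAR (scratch)
    # Returns: 0; exits with status 1 on an invalid value.
    #
    if [ -n "${USE_SYSLOG}" ]; then
        # Remove any quotes and spaces given on the command-line.
        USE_SYSLOG=`echo "${USE_SYSLOG}" | tr -d '" ' | tr -d "'"`
        if [ -z "${USE_SYSLOG}" ]; then
            echo "Invalid --syslog option - no facility/priority names given."
            exit 1
        fi
    else
        USE_SYSLOG=`get_option 1 single USE_SYSLOG` || exit 1
    fi

    #
    # If syslog is to be used, split the value into the facility and
    # priority names and check that both are ones we recognise.
    #
    if [ -z "${USE_SYSLOG}" ]; then
        return
    fi

    USE_SYSLOG=`echo "${USE_SYSLOG}" | tr '[A-Z]' '[a-z]'`

    if [ "${USE_SYSLOG}" = "none" ]; then
        # The value of 'none' will be processed later on.
        return
    fi

    RKHTMPVAR=`echo "${USE_SYSLOG}" | grep '^[a-z][a-z0-7]*\.[a-z][a-z]*$'`
    if [ -z "${RKHTMPVAR}" ]; then
        echo "Invalid syslog facility/priority value: ${USE_SYSLOG}"
        exit 1
    fi

    SYSLOG_F=`echo "${USE_SYSLOG}" | cut -d. -f1`
    SYSLOG_P=`echo "${USE_SYSLOG}" | cut -d. -f2`

    case "${SYSLOG_F}" in
    auth|authpriv|cron|daemon|kern|user|local[0-7])
        ;;
    *)
        echo "Invalid syslog facility name: ${SYSLOG_F}"
        exit 1
        ;;
    esac

    case "${SYSLOG_P}" in
    debug|info|notice|warning|err|crit|alert|emerg)
        ;;
    *)
        echo "Invalid syslog priority name: ${SYSLOG_P}"
        exit 1
        ;;
    esac

    return
}


get_ssh_options() {
    #
    # Check the SSH-related options. They can only be set in the
    # configuration file.
    #
    # Globals: ALLOW_SSH_ROOT_USER, ALLOW_SSH_PROT_V1, SSH_CONFIG_DIR (written)
    # Returns: 0; exits with status 1 on an invalid value.
    #

    #
    # ALLOW_SSH_ROOT_USER should match what has been set for the
    # PermitRootLogin option in the SSH configuration file, so its
    # value is not just zero or one. It is lower-cased for comparison.
    #
    ALLOW_SSH_ROOT_USER=`get_option 1 single ALLOW_SSH_ROOT_USER` || exit 1

    if [ -n "${ALLOW_SSH_ROOT_USER}" ]; then
        ALLOW_SSH_ROOT_USER=`echo "${ALLOW_SSH_ROOT_USER}" | tr '[A-Z]' '[a-z]'`
    else
        #
        # SSH tends to allow root access by default. We do not: with
        # the default of 'no' the user receives a warning unless the
        # SSH configuration has been set to match.
        #
        ALLOW_SSH_ROOT_USER="no"
    fi

    #
    # ALLOW_SSH_PROT_V1 must be 0, 1 or 2 if it is given.
    #
    ALLOW_SSH_PROT_V1=`get_option 1 single ALLOW_SSH_PROT_V1` || exit 1

    if [ -z "${ALLOW_SSH_PROT_V1}" ]; then
        ALLOW_SSH_PROT_V1=0
    else
        case "${ALLOW_SSH_PROT_V1}" in
        0|1|2)
            ;;
        *)
            echo "Invalid ALLOW_SSH_PROT_V1 configuration option: not a valid number: ${ALLOW_SSH_PROT_V1}"
            exit 1
            ;;
        esac
    fi

    #
    # If the directory of the SSH configuration file has been set,
    # it must exist and be readable.
    #
    SSH_CONFIG_DIR=`get_option 1 single SSH_CONFIG_DIR` || exit 1

    if [ -n "${SSH_CONFIG_DIR}" ]; then
        if [ ! -d "${SSH_CONFIG_DIR}" ]; then
            echo "The SSH configuration file directory does not exist: ${SSH_CONFIG_DIR}"
            exit 1
        elif [ ! -r "${SSH_CONFIG_DIR}" ]; then
            echo "The SSH configuration file directory is not readable: ${SSH_CONFIG_DIR}"
            exit 1
        fi
    fi

    return
}


get_syslog_config_options() {
    #
    # Check the syslog configuration options. They can only be set
    # in the configuration file.
    #
    # Globals: ALLOW_SYSLOG_REMOTE_LOGGING, SYSLOG_CONFIG_FILE (written)
    # Returns: 0; exits with status 1 on an invalid value.
    #
    ALLOW_SYSLOG_REMOTE_LOGGING=`get_option 1 single ALLOW_SYSLOG_REMOTE_LOGGING` || exit 1

    if [ -z "${ALLOW_SYSLOG_REMOTE_LOGGING}" ]; then
        ALLOW_SYSLOG_REMOTE_LOGGING=0
    else
        case "${ALLOW_SYSLOG_REMOTE_LOGGING}" in
        0|1)
            ;;
        *)
            echo "Invalid ALLOW_SYSLOG_REMOTE_LOGGING configuration option: not a number: ${ALLOW_SYSLOG_REMOTE_LOGGING}"
            exit 1
            ;;
        esac
    fi

    #
    # The pathname of the syslog configuration file, if it has been set.
    # No existence check is made here.
    #
    SYSLOG_CONFIG_FILE=`get_option 1 single SYSLOG_CONFIG_FILE` || exit 1

    return
}


get_auto_x_option() {
    #
    # Decide whether the second colour set is used. If the auto X
    # detect option is set and X is in use (DISPLAY is set), the
    # second colour set is used. Otherwise it is only used when the
    # command-line option is given or it is set in the configuration
    # file.
    #
    # Globals: AUTO_X_OPT, DISPLAY (read), AUTO_X_DTCT, CLRSET2 (read/written)
    # Returns: 0; exits with status 1 on an invalid value.
    #
    if [ $AUTO_X_OPT -eq 0 ]; then
        AUTO_X_DTCT=`get_option 1 single AUTO_X_DETECT` || exit 1

        if [ -z "${AUTO_X_DTCT}" ]; then
            AUTO_X_DTCT=0
        else
            case "${AUTO_X_DTCT}" in
            0|1)
                ;;
            *)
                echo "Invalid AUTO_X_DETECT configuration option: not a number: ${AUTO_X_DTCT}"
                exit 1
                ;;
            esac
        fi
    fi

    if [ "${AUTO_X_DTCT}" -eq 1 ] && [ -n "${DISPLAY}" ]; then
        CLRSET2=1
    fi

    if [ $CLRSET2 -eq 0 ]; then
        CLRSET2=`get_option 1 single COLOR_SET2` || exit 1

        if [ -z "${CLRSET2}" ]; then
            CLRSET2=0
        else
            case "${CLRSET2}" in
            0|1)
                ;;
            *)
                echo "Invalid COLOR_SET2 configuration option: not a number: ${CLRSET2}"
                exit 1
                ;;
            esac
        fi
    fi

    return
}


get_enable_option() {
    #
    # Build the list of enabled tests, from the command-line when
    # ENDIS_OPT is 1 and otherwise from the configuration file. Group
    # names are expanded to their member tests, and every name is then
    # validated against the list of known test names. By default all
    # tests are enabled.
    #
    # Globals: ENABLE_TESTS (read/written), ENDIS_OPT, GROUPED_TESTS,
    #          KNOWN_TESTS (read), SKIP_KEY_PRESS (written),
    #          TEST_NAME, GROUP_NAME, GROUP_TESTS, RKHTMPVAR (scratch)
    # Returns: 0; exits with status 1 on an invalid or unknown name.
    #
    if [ $ENDIS_OPT -eq 1 ]; then
        if [ -n "${ENABLE_TESTS}" ]; then
            # Normalise the separators to single spaces and trim.
            # NOTE(review): the second 'tr' argument pair reads as
            # space-to-space here; it may originally have been a tab.
            ENABLE_TESTS=`echo "${ENABLE_TESTS}" | tr -d '"' | tr -d "'" | tr ',' ' ' | tr ' ' ' ' | tr -s ' '`
            ENABLE_TESTS=`echo "${ENABLE_TESTS}" | sed -e 's/^ //' | sed -e 's/ $//'`

            if [ -z "${ENABLE_TESTS}" ]; then
                echo "Invalid --enable option - no test names given."
                exit 1
            fi

            ENABLE_TESTS=`echo "${ENABLE_TESTS}" | tr '[A-Z]' '[a-z]'`

            #
            # If exactly one test name was given, and it is not 'all',
            # skip the key press feature since the user most likely
            # does not want it.
            #
            case "${ENABLE_TESTS}" in
            all|*' '*)
                ;;
            *)
                SKIP_KEY_PRESS=1
                ;;
            esac
        fi
    else
        ENABLE_TESTS=`get_option 2 single ENABLE_TESTS` || exit 1
        ENABLE_TESTS=`echo "${ENABLE_TESTS}" | tr '[A-Z]' '[a-z]'`
    fi

    test -z "${ENABLE_TESTS}" && ENABLE_TESTS="all"

    #
    # Expand any group names in the list to their individual test
    # names, so that later checks work on both. Conversely, if a given
    # test name belongs to a group, the group name is added as well.
    # GROUPED_TESTS entries have the form 'group:test1:test2:...'.
    # The 'for' list is expanded once, so names appended here are not
    # themselves iterated over.
    #
    for TEST_NAME in ${ENABLE_TESTS}; do
        if [ "${TEST_NAME}" = "all" ]; then
            ENABLE_TESTS="all"
            break
        fi

        for RKHTMPVAR in ${GROUPED_TESTS}; do
            GROUP_NAME=`echo "${RKHTMPVAR}" | cut -d: -f1`

            case "${RKHTMPVAR}" in
            *:*)
                GROUP_TESTS=`echo "${RKHTMPVAR}" | cut -d: -f2-`
                ;;
            *)
                GROUP_TESTS=""
                ;;
            esac

            if [ "${TEST_NAME}" = "${GROUP_NAME}" ]; then
                ENABLE_TESTS="${ENABLE_TESTS} `echo \"${GROUP_TESTS}\" | tr ':' ' '`"
                break
            elif [ -z "${GROUP_TESTS}" ]; then
                continue
            elif rkh_name_in_list "${TEST_NAME}" "`echo \"${GROUP_TESTS}\" | tr ':' ' '`"; then
                ENABLE_TESTS="${ENABLE_TESTS} ${GROUP_NAME}"
            fi
        done
    done

    #
    # Check that every name we have is a known test name. The
    # comparison is a literal whole-word match, so names are never
    # interpreted as patterns.
    #
    for TEST_NAME in ${ENABLE_TESTS}; do
        if [ "${TEST_NAME}" = "none" ]; then
            echo "'none' cannot be used in the enable test list."
            exit 1
        elif ! rkh_name_in_list "${TEST_NAME}" "all ${KNOWN_TESTS}"; then
            echo "Unknown enable test name given: ${TEST_NAME}"
            exit 1
        fi
    done

    return
}


get_disable_option() {
    #
    # Build the list of disabled tests, from the command-line when
    # ENDIS_OPT is 1 and otherwise from the configuration file, and
    # validate the names against the list of known test names. By
    # default no tests are disabled.
    #
    # Note: disabled tests are always compared against the list of
    # enabled tests. Hence, if we used
    #     'rkhunter -c --enable system_commands --disable apps'
    # then only the system command tests are run. Any other test is
    # not run because it is not in the '--enable' list, so the
    # '--disable' option in that example is not necessary.
    #
    # Globals: DISABLE_TESTS (read/written), ENDIS_OPT, KNOWN_TESTS (read),
    #          TEST_NAME (scratch)
    # Returns: 0; exits with status 1 on an invalid or unknown name.
    #
    if [ $ENDIS_OPT -eq 1 ]; then
        if [ -n "${DISABLE_TESTS}" ]; then
            # NOTE(review): the second 'tr' argument pair reads as
            # space-to-space here; it may originally have been a tab.
            DISABLE_TESTS=`echo "${DISABLE_TESTS}" | tr -d '"' | tr -d "'" | tr ',' ' ' | tr ' ' ' ' | tr -s ' '`
            DISABLE_TESTS=`echo "${DISABLE_TESTS}" | sed -e 's/^ //' | sed -e 's/ $//'`

            if [ -z "${DISABLE_TESTS}" ]; then
                echo "Invalid --disable option - no test names given."
                exit 1
            fi
        fi
    else
        DISABLE_TESTS=`get_option 2 single DISABLE_TESTS` || exit 1
    fi

    if [ -z "${DISABLE_TESTS}" ]; then
        DISABLE_TESTS="none"
    else
        DISABLE_TESTS=`echo "${DISABLE_TESTS}" | tr '[A-Z]' '[a-z]'`
    fi

    #
    # Disabled names need not be checked against the group names: a
    # disabled name that is not in the enabled list is ignored, and a
    # group name in both lists is disabled.
    #
    # Check that the names are valid, using a literal whole-word match.
    #
    for TEST_NAME in ${DISABLE_TESTS}; do
        if [ "${TEST_NAME}" = "all" ]; then
            echo "'all' cannot be used in the disable test list."
            exit 1
        elif [ "${TEST_NAME}" = "none" ]; then
            DISABLE_TESTS="none"
            break
        elif ! rkh_name_in_list "${TEST_NAME}" "all none ${KNOWN_TESTS}"; then
            echo "Unknown disable test name given: ${TEST_NAME}"
            exit 1
        fi
    done

    return
}


get_xinetd_option() {
    #
    # Obtain the inetd and xinetd configuration file pathnames and
    # the whitelisted services from the configuration file. A
    # configured pathname must refer to an existing regular file.
    #
    # Globals: INETD_CONF_PATH, INETDALLOWEDSVCS, XINETD_CONF_PATH,
    #          XINETDALLOWEDSVCS (written), FNAME (scratch)
    # Returns: 0; exits with status 1 on a non-existent pathname.
    #
    FNAME=`get_option 1 single INETD_CONF_PATH` || exit 1

    if [ -n "${FNAME}" ]; then
        INETD_CONF_PATH="${FNAME}"

        if [ ! -f "${INETD_CONF_PATH}" ]; then
            echo "Invalid INETD_CONF_PATH configuration option - non-existent pathname specified."
            exit 1
        fi
    fi

    INETDALLOWEDSVCS=`get_option 1 multi INETD_ALLOWED_SVC` || exit 1

    #
    # Now do the same for xinetd.
    #
    FNAME=`get_option 1 single XINETD_CONF_PATH` || exit 1

    if [ -n "${FNAME}" ]; then
        XINETD_CONF_PATH="${FNAME}"

        if [ ! -f "${XINETD_CONF_PATH}" ]; then
            echo "Invalid XINETD_CONF_PATH configuration option - non-existent pathname specified."
            exit 1
        fi
    fi

    XINETDALLOWEDSVCS=`get_option 1 multi XINETD_ALLOWED_SVC` || exit 1

    return
}


get_ports_option() {
    #
    # Get the PORT_WHITELIST option from the configuration file and
    # check that each entry is valid. An entry is either an absolute
    # pathname (which must exist), or 'TCP:<port>' / 'UDP:<port>'
    # with a port number of at most 65535. A '*' anywhere in the value
    # marks all ports as trusted.
    #
    # Globals: PORT_WHITELIST, PORT_WHITELIST_PATH,
    #          PORT_WHITELIST_ALL_TRUSTED (written),
    #          RKHTMPVAR, RKHTMPVAR2, PORT, FOUND (scratch)
    # Returns: 0; exits with status 1 after reporting every bad entry.
    #
    RKHTMPVAR=`get_option 2 single PORT_WHITELIST` || exit 1

    if [ -z "${RKHTMPVAR}" ]; then
        return
    fi

    # FOUND is set to 1 if any entry is invalid; all entries are
    # reported before exiting.
    FOUND=0

    case "${RKHTMPVAR}" in
    *'*'*)
        PORT_WHITELIST_ALL_TRUSTED=1
        RKHTMPVAR=`echo "${RKHTMPVAR}" | tr -d '*'`
        ;;
    esac

    for RKHTMPVAR2 in ${RKHTMPVAR}; do
        case "${RKHTMPVAR2}" in
        /*)
            if [ ! -f "${RKHTMPVAR2}" ]; then
                FOUND=1
                echo "Non-existent pathname specified in PORT_WHITELIST configuration option: ${RKHTMPVAR2}"
            else
                PORT_WHITELIST_PATH="${PORT_WHITELIST_PATH} ${RKHTMPVAR2}"
            fi
            ;;
        *)
            if [ -n "`echo \"${RKHTMPVAR2}\" | egrep -i '^(TCP|UDP):[1-9][0-9]*$'`" ]; then
                # The regex above guarantees the port is all digits.
                PORT=`echo "${RKHTMPVAR2}" | cut -d: -f2`

                if [ "${PORT}" -gt 65535 ]; then
                    FOUND=1
                    echo "Invalid port specified in PORT_WHITELIST configuration option: ${RKHTMPVAR2}"
                else
                    PORT_WHITELIST="${PORT_WHITELIST} ${RKHTMPVAR2}"
                fi
            else
                FOUND=1
                echo "Invalid entry specified in PORT_WHITELIST configuration option: ${RKHTMPVAR2}"
            fi
            ;;
        esac
    done

    test $FOUND -eq 1 && exit 1

    # Both lists are padded with spaces so later lookups can match
    # ' entry ' as a whole word.
    PORT_WHITELIST=`echo " ${PORT_WHITELIST} " | tr '[a-z]' '[A-Z]'`
    PORT_WHITELIST_PATH=" ${PORT_WHITELIST_PATH} "

    return
}


get_if_prelinked() {
    #
    # If the system appears to be using prelinking, but no
    # prelink command can be found, then we simply skip the
    # file properties hash check.
    #
    LIBSAFE_TEST1=""
    LIBSAFE_TEST2=""

    if [ -f "${RKHROOTDIR}/etc/prelink.cache" ]; then
        PRELINK_CMD=`find_cmd prelink`

        #
        # Test (twice) for existance of Libsafe since this seems to
        # riddle prelink test results with "dependency cycle" errors.
        # Don't test for existance of /lib/libsafe since it may be
        # installed elsewhere.
        # If Libsafe is found *and* this is a prelink system, we'll
        # skip the prelink test.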