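#
# (Continuation of the libsafe/prelink detection that starts before this
# listing: it decides whether 'prelink --verify' can be used for hashing.)
#
# NOTE(review): both grep results are captured with '2>&1', so an error
# message from grep/ldd would make LIBSAFE_TEST* non-empty and be treated
# as "libsafe present" - confirm this is intended.
#
if [ -f "${RKHROOTDIR}/etc/ld.so.preload" ]; then
    LIBSAFE_TEST1=`grep libsafe ${RKHROOTDIR}/etc/ld.so.preload 2>&1`
fi

# NOTE(review): the '?' wildcard is inside double quotes in the '-f' test,
# so it is not expanded there; the test can only succeed for a file literally
# named 'libdl.so.?' - confirm whether this check ever matches.
if [ -n "${LDD_CMD}" -a -f "${RKHROOTDIR}/lib/libdl.so.?" ]; then
    LIBSAFE_TEST2=`${LDD_CMD} ${RKHROOTDIR}/lib/libdl.so.? | grep libsafe 2>&1`
fi

if [ -z "${PRELINK_CMD}" ]; then
    SKIP_HASH_MSG=1
elif [ -z "${LIBSAFE_TEST1}" -a -z "${LIBSAFE_TEST2}" ]; then
    PRELINKED=1

    #
    # Only use 'runcon' if SELinux is enabled.
    #
    SESTATUS_CMD=`find_cmd sestatus`

    if [ -n "${SESTATUS_CMD}" ]; then
        if [ -n "`${SESTATUS_CMD} 2>/dev/null | grep ' status: *enabled$'`" ]; then
            SELINUX_ENABLED=1
            RUNCON_CMD=`find_cmd runcon`
            test -n "${RUNCON_CMD}" && USE_RUNCON=1
        fi
    fi
elif [ -n "${LIBSAFE_TEST1}" -a -n "${LIBSAFE_TEST2}" ]; then
    SKIP_HASH_MSG=3
fi
fi

return
}


get_md5_hash_function() {
    #
    # Locate an MD5 hash function command.
    #
    # Arguments:
    #   $1 - 1 if the result is to become the file-properties hash
    #        function (PRELINK_HASH is then set to "MD5"), or 0 if an
    #        MD5 command is only needed to support a package manager.
    #
    # Results:
    #   The chosen command line is printed on stdout (the original
    #   interface, for callers using command substitution) AND stored
    #   in the global MD5_HASH_FUNC. Callers in this file invoke the
    #   function directly with stdout discarded and read MD5_HASH_FUNC,
    #   because a command substitution runs in a subshell and the
    #   PRELINK_HASH / MD5_CMD assignments made here would otherwise be
    #   lost to the caller.
    #
    #   An empty result means no usable MD5 command was found.
    #
    # Globals read:    PRELINKED, USE_RUNCON, RUNCON_CMD, PRELINK_CMD,
    #                  PERL_CMD, SCRIPT_PATH
    # Globals written: MD5_HASH_FUNC, PRELINK_HASH (when $1 is 1),
    #                  MD5_CMD (when a native md5sum/md5 command is used)
    #
    MD5_HASH_FUNC=""

    if [ $PRELINKED -eq 1 ]; then
        test $1 -eq 1 && PRELINK_HASH="MD5"

        #
        # Under SELinux, prelink is deliberately run in unconfined_t so
        # that it is not restricted by the caller's domain. This relies
        # on the integrity of the prelink binary itself.
        #
        if [ $USE_RUNCON -eq 1 ]; then
            MD5_HASH_FUNC="${RUNCON_CMD} -t unconfined_t -- ${PRELINK_CMD} --verify --md5"
        else
            MD5_HASH_FUNC="${PRELINK_CMD} --verify --md5"
        fi
    else
        HFUNC=`find_cmd md5sum`
        test -z "${HFUNC}" && HFUNC=`find_cmd md5`

        if [ -z "${HFUNC}" -a -n "${PERL_CMD}" ]; then
            # No native command: fall back to the bundled perl script
            # if the Digest::MD5 module is available.
            MOD_INSTALLED=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl Digest::MD5 2>&1 | grep 'Digest::MD5 installed'`
            test -n "${MOD_INSTALLED}" && MD5_HASH_FUNC="${PERL_CMD} ${SCRIPT_PATH}/filehashmd5.pl"
        else
            # HFUNC may be empty here (no command and no perl); the
            # caller treats an empty result as "not found".
            MD5_HASH_FUNC="${HFUNC}"
            MD5_CMD="${HFUNC}"
        fi
    fi

    # Preserve the stdout interface for command-substitution callers.
    echo "${MD5_HASH_FUNC}"

    return
}


get_hash_function() {
    #
    # Determine the command used to hash files for the file-properties
    # check, validate the HASH_FLD_IDX option, and validate the package
    # manager (PKGMGR) option.
    #
    # HASH_FUNC may arrive from the '--hash' command-line option (already
    # set) or from the configuration file. It is either an arbitrary
    # command line, one of the reserved words SHA1 / MD5 / NONE, or
    # empty (meaning: pick SHA1, then MD5, automatically).
    #
    # The resolved HASH_FUNC is executed later by the script, so this
    # is the only place it is checked: the command word must exist and
    # be executable, and it is rewritten to its full pathname so later
    # invocations do not depend on PATH. Any further arguments are
    # passed through unchanged - the configuration file and command line
    # are trusted (they come from the administrator running the scan).
    #
    # Globals written: HASH_FUNC, PRELINK_HASH, HASH_FLD_IDX, PKGMGR,
    #                  RPM_CMD, DPKG_CMD, PKG_CMD, PKGMGR_MD5_HASH
    # Exits with status 1 on any invalid option.
    #

    #
    # Get the option from the configuration file, and do a simple
    # check on whether it is empty or a space.
    #
    if [ -n "${HASH_FUNC}" ]; then
        # Strip quotes, normalise tabs to spaces and squeeze runs of
        # spaces so that the 'cut -d" "' below sees single separators.
        HASH_FUNC=`echo "${HASH_FUNC}" | tr -d '"' | tr -d "'" | tr '\t' ' ' | tr -s ' '`
        HASH_FUNC=`echo "${HASH_FUNC}" | sed -e 's/^ //' | sed -e 's/ $//'`

        if [ -z "${HASH_FUNC}" ]; then
            echo "Invalid --hash option - no hash function given."
            exit 1
        elif [ -n "`echo \"${HASH_FUNC}\" | egrep -i '^(MD5|SHA1|NONE)$'`" ]; then
            # Reserved words are accepted case-insensitively.
            HASH_FUNC=`echo "${HASH_FUNC}" | tr '[a-z]' '[A-Z]'`
        fi
    else
        HASH_FUNC=`get_option 2 single HASH_FUNC` || exit 1
    fi

    #
    # At this point we have either been given a hash function
    # command, one of the reserved words 'SHA1', 'MD5' or 'NONE',
    # or nothing. For the SHA1 and MD5 reserved words we must
    # find the SHA1 or MD5 command or use the supplied perl scripts.
    #
    if [ -z "${HASH_FUNC}" -o "${HASH_FUNC}" = "SHA1" ]; then
        if [ $PRELINKED -eq 1 ]; then
            PRELINK_HASH="SHA1"

            # See get_md5_hash_function for the unconfined_t rationale.
            if [ $USE_RUNCON -eq 1 ]; then
                HASH_FUNC="${RUNCON_CMD} -t unconfined_t -- ${PRELINK_CMD} --verify --sha"
            else
                HASH_FUNC="${PRELINK_CMD} --verify --sha"
            fi
        else
            HF=`find_cmd sha1sum`
            test -z "${HF}" && HF=`find_cmd sha1`

            if [ -z "${HF}" -a -n "${PERL_CMD}" ]; then
                MOD_INSTALLED=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl Digest::SHA1 2>&1 | grep 'Digest::SHA1 installed'`

                if [ -n "${MOD_INSTALLED}" ]; then
                    HASH_FUNC="${PERL_CMD} ${SCRIPT_PATH}/filehashsha1.pl"
                else
                    HASH_FUNC=""
                fi
            else
                # HF may be empty here, in which case we drop through
                # to the MD5 search below.
                HASH_FUNC=$HF
            fi
        fi
    fi

    #
    # If we still have no hash function, then look for an MD5 command.
    #
    if [ -z "${HASH_FUNC}" -o "${HASH_FUNC}" = "MD5" ]; then
        # Call the helper in the current shell (not via command
        # substitution) so that the PRELINK_HASH and MD5_CMD
        # assignments it makes are retained.
        get_md5_hash_function 1 >/dev/null
        HASH_FUNC="${MD5_HASH_FUNC}"
    fi

    #
    # A final check that the command is actually executable.
    # This will ensure that the sha1/md5 perl scripts have been
    # installed correctly, should they be needed.
    #
    if [ "${HASH_FUNC}" = "NONE" ]; then
        :
    elif [ -n "${HASH_FUNC}" ]; then
        HCMD=`echo "${HASH_FUNC}" | cut -d' ' -f1`
        HF=`find_cmd ${HCMD}`

        if [ -n "${HF}" ]; then
            #
            # We rebuild the command to use the full pathname.
            #
            # 'cut -f2-' returns the whole line when there is no
            # delimiter, hence the comparison against HASH_FUNC to
            # detect "no arguments".
            #
            HCMD=`echo "${HASH_FUNC}" | cut -d' ' -f2-`

            if [ -z "${HCMD}" -o "${HCMD}" = "${HASH_FUNC}" ]; then
                HASH_FUNC=$HF
            else
                HASH_FUNC="${HF} ${HCMD}"
            fi
        else
            echo "Invalid HASH_FUNC configuration option - command '${HCMD}' is non-existent or not executable."
            exit 1
        fi
    else
        echo "Invalid HASH_FUNC configuration option - option not specified and no hash command or perl modules could be found."
        exit 1
    fi

    #
    # Now we get the hash field index. We will assume a field value
    # of one, but this value must be configurable since we allow
    # the user to specify the hash function to use.
    #
    RKHTMPVAR=`get_option 1 single HASH_FLD_IDX` || exit 1

    if [ -n "${RKHTMPVAR}" ]; then
        # Must be a positive integer without leading zeros.
        if [ -z "`echo \"${RKHTMPVAR}\" | grep '^[1-9][0-9]*$'`" ]; then
            echo "Invalid HASH_FLD_IDX configuration option: not a number: ${RKHTMPVAR}"
            exit 1
        else
            HASH_FLD_IDX=${RKHTMPVAR}
        fi
    fi

    #
    # Next we get the package manager to use for the file
    # properties hash check and update. If a file is not owned
    # as part of a package, the hash function defined above
    # will be used instead.
    #
    if [ -n "${PKGMGR}" ]; then
        # Strip quotes and spaces from the --pkgmgr value.
        PKGMGR=`echo "${PKGMGR}" | tr -d '" ' | tr -d "'"`

        if [ -z "${PKGMGR}" ]; then
            echo "Invalid --pkgmgr option - no package manager given."
            exit 1
        fi
    else
        PKGMGR=`get_option 1 single PKGMGR` || exit 1
    fi

    PKGMGR=`echo "${PKGMGR}" | tr '[a-z]' '[A-Z]'`
    test "${PKGMGR}" = "NONE" && PKGMGR=""

    #
    # Now check that the package manager we have been given is valid.
    #
    # NOTE(review): the package database directories below are tested
    # without the ${RKHROOTDIR} prefix that the other file checks in
    # this script use - confirm whether that is intended when scanning
    # an alternate root.
    #
    case "${PKGMGR}" in
    "")
        ;;
    RPM)
        RPM_CMD=`find_cmd rpm`

        if [ -z "${RPM_CMD}" ]; then
            echo "Unable to find 'rpm' command for package manager 'RPM'."
            exit 1
        fi
        ;;
    DPKG)
        DPKG_CMD=`find_cmd dpkg-query`
        test -z "${DPKG_CMD}" && DPKG_CMD=`find_cmd dpkg`

        if [ -z "${DPKG_CMD}" ]; then
            echo "Unable to find 'dpkg-query' or 'dpkg' commands for package manager 'DPKG'."
            exit 1
        fi

        if [ ! -d "/var/lib/dpkg/info" ]; then
            echo "Unable to find package database directory (/var/lib/dpkg/info) for package manager 'DPKG'."
            exit 1
        fi

        if [ $CHECK -eq 1 ]; then
            # Direct call (not command substitution) so MD5_CMD is kept.
            get_md5_hash_function 0 >/dev/null
            PKGMGR_MD5_HASH="${MD5_HASH_FUNC}"

            if [ -z "${PKGMGR_MD5_HASH}" ]; then
                echo "Unable to find an MD5 hash function command to assist package manager 'DPKG'."
                exit 1
            fi
        fi
        ;;
    BSD)
        PKG_CMD=`find_cmd pkg_info`

        if [ -z "${PKG_CMD}" ]; then
            echo "Unable to find 'pkg_info' command for package manager 'BSD'."
            exit 1
        fi

        if [ ! -d "/var/db/pkg" ]; then
            echo "Unable to find package database directory (/var/db/pkg) for package manager 'BSD'."
            exit 1
        fi

        if [ $CHECK -eq 1 ]; then
            # Direct call (not command substitution) so MD5_CMD is kept.
            get_md5_hash_function 0 >/dev/null
            PKGMGR_MD5_HASH="${MD5_HASH_FUNC}"

            if [ -z "${PKGMGR_MD5_HASH}" ]; then
                echo "Unable to find an MD5 hash function command to assist package manager 'BSD'."
                exit 1
            fi
        fi
        ;;
    *)
        echo "Invalid package manager given - ${PKGMGR}"
        exit 1
        ;;
    esac

    return
}


get_scan_mode_dev_option() {
    #
    # SCAN_MODE_DEV governs how we scan /dev for suspicious files.
    # The two allowed options are "commented out" or LAZY.
    # If commented out, the default, we do a thorough scan which
    # will increase the runtime of rkhunter.
    #
    # Globals written: SCAN_MODE_DEV (always "THOROUGH" or "LAZY").
    # An unrecognised value is reported but is not fatal.
    #

    #
    # See if the option is specified in the configuration file.
    #
    SCAN_MODE_DEV=`get_option 1 single SCAN_MODE_DEV` || exit 1

    if [ -n "${SCAN_MODE_DEV}" ]; then
        SCAN_MODE_DEV=`echo "${SCAN_MODE_DEV}" | tr '[a-z]' '[A-Z]'`

        case "${SCAN_MODE_DEV}" in
        THOROUGH|LAZY)
            ;;
        *)
            # Don't make this fatal.
            echo "Invalid SCAN_MODE_DEV configuration option: ${SCAN_MODE_DEV}"
            echo "Defaulting to THOROUGH mode."
            SCAN_MODE_DEV="THOROUGH"
            ;;
        esac
    else
        SCAN_MODE_DEV="THOROUGH"
    fi

    return
}


get_rc_options() {
    #
    # This function gets some of the system startup 'rc'
    # files and directories from the configuration file.
    # There are no defaults.
    #
    # Each configured path is checked relative to ${RKHROOTDIR}.
    # Symbolic links are rejected so that a configured path cannot
    # silently redirect the check to a different file; note that the
    # existence/link/readability tests are separate calls and are not
    # atomic.
    #
    # Globals written: RC_FILE (space-separated list), RC_DIR.
    # Exits with status 1 if any configured path is unusable.
    #
    RC_FILE=`get_option 2 single LOCAL_RC_PATH` || exit 1

    if [ -n "${RC_FILE}" ]; then
        #
        # Check that the given files are useable.
        # (The list is intentionally word-split on whitespace.)
        #
        for RKHTMPVAR in ${RC_FILE}; do
            if [ ! -f "${RKHROOTDIR}${RKHTMPVAR}" ]; then
                echo "Local system startup file does not exist: ${RKHROOTDIR}${RKHTMPVAR}"
                exit 1
            elif [ -h "${RKHROOTDIR}${RKHTMPVAR}" ]; then
                echo "Local system startup file is a symbolic link: ${RKHROOTDIR}${RKHTMPVAR}"
                exit 1
            elif [ ! -r "${RKHROOTDIR}${RKHTMPVAR}" ]; then
                echo "Local system startup file is not readable: ${RKHROOTDIR}${RKHTMPVAR}"
                exit 1
            elif [ ! -s "${RKHROOTDIR}${RKHTMPVAR}" ]; then
                echo "Local system startup file is empty: ${RKHROOTDIR}${RKHTMPVAR}"
                exit 1
            fi
        done
    fi

    RC_DIR=`get_option 1 single SYSTEM_RC_DIR` || exit 1

    if [ -n "${RC_DIR}" ]; then
        #
        # Check that the given directory is useable.
        #
        if [ ! -d "${RKHROOTDIR}${RC_DIR}" ]; then
            echo "Local system startup directory does not exist: ${RKHROOTDIR}${RC_DIR}"
            exit 1
        elif [ -h "${RKHROOTDIR}${RC_DIR}" ]; then
            echo "Local system startup directory is a symbolic link: ${RKHROOTDIR}${RC_DIR}"
            exit 1
        elif [ ! -r "${RKHROOTDIR}${RC_DIR}" ]; then
            echo "Local system startup directory is not readable: ${RKHROOTDIR}${RC_DIR}"
            exit 1
        fi
    fi

    return
}


get_rtkt_whitelist_options() {
    #
    # This function gets any whitelisted rootkit files
    # and directories from the configuration file.
    # There are no defaults.
    #
    # Entries are whitespace-separated; a '%' in an entry stands for
    # a space in the real pathname. Every entry must exist, otherwise
    # all missing entries are reported and the script exits with 1.
    # The accepted lists are stored with a leading and trailing space
    # so later lookups can match " entry " exactly.
    #
    # Note that, unlike get_rc_options, these paths are NOT prefixed
    # with ${RKHROOTDIR}.
    #
    # Globals written: RTKT_FILE_WHITELIST, RTKT_DIR_WHITELIST.
    #
    RTKT_FILE_WHITELIST=`get_option 2 single RTKT_FILE_WHITELIST` || exit 1

    if [ -n "${RTKT_FILE_WHITELIST}" ]; then
        #
        # Check that the given files are useable.
        #
        FOUND=0

        for RKHTMPVAR2 in ${RTKT_FILE_WHITELIST}; do
            RKHTMPVAR=`echo "${RKHTMPVAR2}" | tr '%' ' '`

            if [ ! -f "${RKHTMPVAR}" ]; then
                FOUND=1
                echo "Whitelisted rootkit file does not exist: ${RKHTMPVAR2}"
            fi
        done

        test $FOUND -eq 1 && exit 1

        RTKT_FILE_WHITELIST=" ${RTKT_FILE_WHITELIST} "
    fi

    RTKT_DIR_WHITELIST=`get_option 2 single RTKT_DIR_WHITELIST` || exit 1

    if [ -n "${RTKT_DIR_WHITELIST}" ]; then
        #
        # Check that the given directories are useable.
        #
        FOUND=0

        for RKHTMPVAR2 in ${RTKT_DIR_WHITELIST}; do
            RKHTMPVAR=`echo "${RKHTMPVAR2}" | tr '%' ' '`

            if [ ! -d "${RKHTMPVAR}" ]; then
                FOUND=1
                echo "Whitelisted rootkit directory does not exist: ${RKHTMPVAR2}"
            fi
        done

        test $FOUND -eq 1 && exit 1

        RTKT_DIR_WHITELIST=" ${RTKT_DIR_WHITELIST} "
    fi

    return
}


get_mirror_options() {
    #
    # This function gets the mirror file options.
    #
    # Globals written: ROTATE_MIRRORS (default 1), UPDATE_MIRRORS
    # (default 1, only read when UPDATE is 1), MIRRORS_MODE (default 0).
    # Each option must be one of its allowed literal values; anything
    # else is fatal.
    #

    #
    # First we see if the mirrors.dat file
    # should be rotated when it is used.
    #
    ROTATE_MIRRORS=`get_option 1 single ROTATE_MIRRORS` || exit 1

    if [ -n "${ROTATE_MIRRORS}" ]; then
        if [ "${ROTATE_MIRRORS}" != "0" -a "${ROTATE_MIRRORS}" != "1" ]; then
            echo "Invalid ROTATE_MIRRORS configuration option: not a number: ${ROTATE_MIRRORS}"
            exit 1
        fi
    else
        ROTATE_MIRRORS=1
    fi

    #
    # Next we see if the mirror file is to be updated when
    # we use the '--update' option.
    #
    if [ $UPDATE -eq 1 ]; then
        UPDATE_MIRRORS=`get_option 1 single UPDATE_MIRRORS` || exit 1

        if [ -n "${UPDATE_MIRRORS}" ]; then
            if [ "${UPDATE_MIRRORS}" != "0" -a "${UPDATE_MIRRORS}" != "1" ]; then
                echo "Invalid UPDATE_MIRRORS configuration option: not a number: ${UPDATE_MIRRORS}"
                exit 1
            fi
        else
            UPDATE_MIRRORS=1
        fi
    fi

    #
    # Finally, we see which mirrors are to be used.
    #
    MIRRORS_MODE=`get_option 1 single MIRRORS_MODE` || exit 1

    if [ -n "${MIRRORS_MODE}" ]; then
        if [ "${MIRRORS_MODE}" != "0" -a "${MIRRORS_MODE}" != "1" -a "${MIRRORS_MODE}" != "2" ]; then
            echo "Invalid MIRRORS_MODE configuration option: not a number: ${MIRRORS_MODE}"
            exit 1
        fi
    else
        MIRRORS_MODE=0
    fi

    return
}


get_os_version_option() {
    #
    # This function gets the O/S 'release' file pathname
    # from the configuration file. There is no default.
    #
    # The file is checked relative to ${RKHROOTDIR}; symbolic links
    # are rejected, as in get_rc_options.
    #
    # (This function continues beyond the end of this listing.)
    #
    OS_VERSION_FILE=`get_option 1 single OS_VERSION_FILE` || exit 1

    if [ -n "${OS_VERSION_FILE}" ]; then
        #
        # Check that the given file is useable.
        #
        if [ ! -f "${RKHROOTDIR}${OS_VERSION_FILE}" ]; then
            echo "O/S release file does not exist: ${RKHROOTDIR}${OS_VERSION_FILE}"
            exit 1
        elif [ -h "${RKHROOTDIR}${OS_VERSION_FILE}" ]; then
            echo "O/S release file is a symbolic link: ${RKHROOTDIR}${OS_VERSION_FILE}"
            exit 1
        elif [ ! -r "${RKHROOTDIR}${OS_VERSION_FILE}" ]; then
            echo "O/S release file is not readable: ${RKHROOTDIR}${OS_VERSION_FILE}"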