Commit 0236244e authored by Julien Valroff

Imported Upstream version 1.3.8

parent cecc7464
......@@ -3,7 +3,7 @@ ROOTKIT HUNTER FREQUENTLY ASKED QUESTIONS (FAQ)
===============================================
The latest version of this FAQ can be found at the RKH web site.
(http://sourceforge.net/docman/?group_id=155034)
(http://rkhunter.cvs.sourceforge.net/viewvc/*checkout*/rkhunter/rkhunter/files/FAQ)
===========================================================
......@@ -68,6 +68,7 @@ The latest version of this FAQ can be found at the RKH web site.
installed. How it this possible?
5.2) Can I be notified when a new release will be available?
6. WHITELISTING EXAMPLES
6.1) Common whitelisting examples
......@@ -156,7 +157,6 @@ A. The RKH source contains an rkhunter.spec file which will
A. Prior to any incident it is recommended that you have read
"Intruder Detection Checklist". This is available from
http://www.cert.org/tech_tips/intruder_detection_checklist.html or
http://web.archive.org/web/20080109214340/http://www.cert.org/tech_tips/intruder_detection_checklist.html
This document will tell you what to check, and makes it easier
for you to find out and answer any questions.
......@@ -220,7 +220,7 @@ A. Prior to any incident it is recommended that you have read
Read "Steps for Recovering from a UNIX or NT System Compromise".
This is available from
http://www.cert.org/tech_tips/root_compromise.html
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
A clean install of the system is recommended after backing up
the full system. To do this follow these steps:
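Review bot: the previous hunk added a web.archive.org copy of the intruder detection checklist as a fallback, but this hunk only swaps the URL of the recovery document; add an archived link here as well so both references survive the next reorganisation of cert.org. The two URLs are also now listed one after the other with no "or" between them, unlike the pair in the hunk above.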
......@@ -387,7 +387,7 @@ A. The first run of rkhunter after an installation will usually give
exist until rkhunter is run with the '--propupd' option. There is
also a check to see if any commands have been replaced by a script.
To avoid these warning messages you can whitelist the commands in
your rkhunter.conf file. Similarly if there are warnings about
your configuration file. Similarly if there are warnings about
hidden files or directories, then these can be whitelisted. Look in
the configuration file and you will find examples of these.
......@@ -505,7 +505,7 @@ A. You have a choice:
example, 'yum' or 'apt-get').
2) You may be able to disable the check by adding its test
name to your rkhunter.conf file. (See the README file
name to your configuration file. (See the README file
for more information about the test names.)
3) If you are sure that the relevant command is present on
......@@ -514,7 +514,7 @@ A. You have a choice:
is using. If the directory containing the command isn't
listed, then you can set the command directories to use
by using the '--bindir' command-line option, or the BINDIR
option in the rkhunter.conf file.
option in the configuration file.
4.3) I get warnings from PHP like:
......@@ -600,12 +600,13 @@ A. Yes, you can join the rkhunter-announce mailing list. This is
6. WHITELISTING EXAMPLES
========================
6.1) After Rootkit Hunter has run you may encounter items in the log file
you would like to whitelist. First verify that the entries are
safe to add. The results of running these commands can be added to
your rkhunter.conf. Please adjust the commands and the location of
your rkhunter.log and verify the results before adding them. Do not
automate adding whitelist entries to your rkhunter.conf.
6.1) After Rootkit Hunter has run you may encounter items in the log
file you would like to whitelist. First verify that the entries
are safe to add. The results of running these commands can be
added to your 'rkhunter.conf.local' configuration file. Please
adjust the commands, and the location of your 'rkhunter.log' log
file, and verify the results before adding them. Do not automate
adding whitelist entries to your configuration file.
Allow script replacements ("properties" test):
awk -F"'" '/replaced by a script/ {print "SCRIPTWHITELIST="$2}' rkhunter.log
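Review bot: the rewritten 6.1 now names 'rkhunter.conf.local' as the destination for whitelist entries, but nothing in this hunk says how that file relates to rkhunter.conf or when it is read; one sentence pointing at where the README describes it would help readers who only ever open the FAQ. The awk one-liner on the last line prints ready-made SCRIPTWHITELIST lines straight from the log, which is precisely the automated addition the preceding paragraph warns against; say explicitly that its output is to be reviewed line by line and typed in by hand, not redirected into the configuration file, since every entry silently suppresses a "replaced by a script" warning for that command.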
......@@ -2,7 +2,7 @@
THE ROOTKIT HUNTER PROJECT
==========================
Copyright (c) 2003-2009, Michael Boelen
Copyright (c) 2003-2010, Michael Boelen
See the LICENSE file for conditions of use and distribution.
It is recommended that all users of RootKit Hunter (RKH) join the
......@@ -15,7 +15,7 @@ A copy of the RKH FAQ is also available from the web site.
ROOTKIT HUNTER REQUIREMENTS
===========================
Please note RKH has some requirements:
Please note that RKH has some requirements:
1) Before RKH starts it will check that certain required commands
are present on the system. These are typical commands such as
......@@ -25,10 +25,11 @@ Please note RKH has some requirements:
2) Some tests require commands such as stat, readlink, md5/md5sum or
sha1/sha1sum. If these are not present, then RKH has perl
scripts which will automatically be used instead. However, this
requires perl being present. If it is not, then the tests will
be skipped. Readlink is provided as a script itself, and does
not use perl. Other tests will use other commands. If the relevant
command is not found on the system, then the test will be skipped.
requires perl, and certain modules, being present. If they are
not, then the tests will be skipped. Readlink is provided as a
script itself, and does not use perl. Other tests will use other
commands. If the relevant command is not found on the system,
then the test will be skipped.
3) A tool should be present with which to download file updates.
Currently wget, curl, (e)links, lynx and GET are supported. If your
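Review bot: "requires perl, and certain modules, being present" leaves the reader guessing which modules. This same commit adds 'rkhunter --list perl' to the man page, which reports the installation status of exactly those modules, so point readers to that command here rather than leaving the list implicit.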
......@@ -40,16 +41,19 @@ Please note RKH has some requirements:
configured in the RKH configuration file.
4) Some tests require single-purpose tools. RKH does not depend on
these, but it will use them, after you have run '--propupd', if it
finds them - they can enhance RKH's detection capabilities.
these, but it will use them if it finds them. They can enhance
RKH's detection capabilities.
The tools are:
- Skdet
Tests for SucKIT, Adore, Adore-NG, UNFshit, UNFkmem and
frontkey.
http://www.xs4all.nl/~dvgevers/
- Unhide
- Unhide and unhide-tcp (C versions)
Finds hidden processes.
http://www.security-projects.com/?Unhide
http://unhide.sourceforge.net
- Unhide (Ruby version)
Finds hidden processes.
https://launchpad.net/unhide.rb
If the relevant tool is not found, then the test is skipped.
......@@ -320,19 +324,22 @@ file permissions test, and so it cannot be specifically enabled or disabled.
RKH can be told to enable or disable one or more of the tests by using the
'--enable' and '--disable' command-line options. Alternatively, the RKH
configuration file options 'ENABLE_TESTS' and 'DISABLE_TESTS' can be used.
Note, however, that if either command-line option is used then the
configuration file options, for both enabled and disabled tests, are ignored.
The program defaults if no options are used at all are to enable all tests and
to disable no tests. For this purpose the enable options can use the special
test name 'all', and the disable options can use the name 'none'. To specify
By default, if the command-line '--disable' option is used, then the
configuration file option 'DISABLE_TESTS' is also used to determine which tests
to run. If only the command-line option is to be used to determine which tests
to run, then the '--nocf' option must also be given. The program defaults, if
no options are used at all, are to enable all tests and to disable no tests.
For this purpose the enable options can use the special test name 'all', and
the disable options can use the name 'none'. The enable options cannot use the
name 'none', and the disable options cannot use the name 'all'. To specify
more than one test name, specify them as a comma-separated list. For example:
rkhunter --enable 'rootkits,hashes'
Note that in the above example no disabled test list was specified. As such, it
will default to the program default value - '--disable none'. If multiple use
of the options are given on the command-line, then the last values seen will
be used.
will default to the value of the configuration file option (DISABLE_TESTS), or
ultimately to the program default value of 'none'. The command-line options
'--enable' and '--disable' may be used more than once on the command-line.
The supplied RKH configuration file will have some tests already disabled.
These are generally CPU and/or I/O intensive tests, or ones which may be prone
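Review bot: two things the rewritten paragraph leaves open. First, it explains the interaction between '--disable', DISABLE_TESTS and '--nocf', but says nothing about '--enable' and ENABLE_TESTS; the following hunk implies the same configuration-file fallback applies there, so state it here and say whether '--nocf' suppresses both configuration options or only DISABLE_TESTS. Second, the deleted sentence about repeated options ("the last values seen will be used") was replaced by "may be used more than once on the command-line" without saying what repetition now means, whether the lists accumulate or the last occurrence wins; give that rule explicitly, because it decides which tests actually run.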
......@@ -354,8 +361,10 @@ Similarly, to run all the tests except the rootkit tests, then use:
rkhunter --disable rootkits
In this example RKH will assume the enabled test list of '--enable all'. In the
previous example, '--disable none' will have been assumed.
In this example RKH will assume the value of the configuration file option
(ENABLE_TESTS) for the enabled test list, or ultimately the program default
of 'all'. In the previous example, the value of DISABLED_TESTS or, ultimately,
'none' will have been used for the disabled tests list.
If a combination of enabled and disabled tests are specified, then RKH will
disable a test if it is specified in the enable list. So, for example:
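Review bot: the new text refers to 'DISABLED_TESTS', but the configuration option is named DISABLE_TESTS everywhere else in this README, including the paragraph changed in the previous hunk; fix the name so that users copying it do not put a non-existent option into their configuration file.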
......@@ -368,7 +377,7 @@ run is ignored, because that is part of the 'malware' test. RKH will always
look to see what tests to disable first. It will then run any enabled tests
that are left.
By default RKH will log what tests names have been enabled and disabled.
By default RKH will log what test names have been enabled and disabled.
Additionally it will log each test name that it is about to execute. When
initially run RKH may skip some tests due to missing commands or files. It is
usually possible to omit these tests by including them in the DISABLE_TESTS
......@@ -413,25 +422,29 @@ that a file has changed when in fact it has been automatically updated by the
system.
The currently available package managers are 'RPM' for RedHat/RPM-based
systems, 'DPKG' for Debian-based systems, and 'BSD' for *BSD systems. It is
also possible to specify 'NONE' to indicate not to use a package manager.
The program default is 'NONE'.
Any file which is not part of a package is treated as before, that is, the
HASH_FUNC configuration file option, or the '--hash' command-line option, will
be used.
It should be noted that all the package managers provide an MD5 hash value for
a file. However, the 'RPM' package manager can provide other file property
values as well, such as the file permissions, uid, gid, modification time and
so on. During the file properties check all of these values will be used,
rather than the ones stored in the rkhunter.dat file.
systems, 'DPKG' for Debian-based systems, 'BSD' for *BSD systems, and
'SOLARIS' for Solaris systems. It is also possible to specify 'NONE' to
indicate not to use a package manager. The program default is 'NONE'.
Any file which is not part of a package is treated as before, that is,
the HASH_FUNC configuration file option, or the '--hash' command-line
option, will be used.
It should be noted that all the package managers, except 'SOLARIS', provide
an MD5 hash value for a file. However, the 'RPM' and 'SOLARIS' package
managers can provide other file property values as well, such as the file
permissions, uid, gid, modification time and so on. During the file
properties check all of these values will be used, rather than the ones
stored in the rkhunter.dat file. The Solaris package manager does store a
16-bit hash value, but this is not used by default. If it is wished to
use the stored value, then the USE_SUNSUM configuration option must be
enabled.
It should also be noted that the 'DPKG' and 'BSD' package manager options
only provide the files MD5 hash value. As such, during the file properties
check, all the other current file properties will be re-calculated as before,
and compared against the values in the rkhunter.dat file. Hence, only the 'RPM'
package manager offers any real benefit in using a package manager.
and 'SOLARIS' package managers offer any real benefits in using a package manager.
NOTE: It is possible for a package manager database to become maliciously
corrupted. To that extent the use of the package manager options with RKH
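Review bot: the new USE_SUNSUM paragraph says the Solaris 16-bit hash "is not used by default" but not why. A 16-bit checksum has only 65536 possible values, so a modified file can be made to match the stored sum with trivial effort; it offers none of the integrity assurance the MD5 values from the other package managers provide, and a reader deciding whether to enable USE_SUNSUM should be told that plainly. Minor: the line ending "offer any real benefits in using a package manager." runs well past the wrap width used in the rest of the README.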
......@@ -620,7 +633,7 @@ and version of RKH should always be included.
Please be advised that while you are free to ask for advice in your
favourite IRC channel, all-purpose forum or distribution mailing list,
the demonstrated level of general and security knowledge and exprience,
the demonstrated level of general and security knowledge and experience,
and therefore the quality of responses, may vary (very much).
If you are sure the problem is a bug, or want it considered as a
Version:2009110901
Version:2010111401
#
# Syntax: <port>:<description>:protocol
#
......@@ -22,6 +22,7 @@ Version:2009110901
25000:Possible Universal Rootkit (URK) component:TCP:
29812:FreeBSD (FBRK) Rootkit default backdoor port:TCP:
31337:Historical backdoor port:TCP:
32982:Solaris Wanuk:TCP:
33369:Volc Rootkit SSH server (divine):TCP:
47107:T0rn:TCP:
47018:Possible Universal Rootkit (URK) component:TCP:
#! /usr/bin/perl -w
#
# A simple util to check the lines in the i18n/en file
# exist in the rkhunter program.
#
# Author: John Horne (17-2-07)
#
my $keyword = my $arg = my $found = '';
my $search_string = my $ignore_case = '';
my $dir = '/var/lib/rkhunter/db/i18n';
my $rkh = '/usr/local/bin';
while (@ARGV) {
$arg = shift;
if ($arg =~ /^--?d$/io) {
$dir = shift;
}
elsif ($arg =~ /^--?p$/io) {
$rkh = shift;
}
elsif ($arg =~ /^--?s$/io) {
$search_string = shift;
if (! defined($search_string) || ! $search_string) {
print "No search string given.\n";
exit 1;
}
$ignore_case = '-i' if ($arg =~ /s$/o);
}
elsif ($arg =~ /^--?h$/io) {
print "\nUsage: i18nchk [-d i18n_dir] [-p rkhunter_dir] [-{sS} search_string]\n\n";
exit;
}
else {
print "Unknown option: $arg\n";
exit 1;
}
}
if (! $dir || ! -d $dir) {
print "Unable to find the i18n directory.\n";
exit 1;
}
elsif (! $rkh || ! -d $rkh) {
print "Unable to find the rkhunter program.\n";
exit 1;
}
if ($search_string) {
$found = `grep $ignore_case "$search_string" $dir/en`;
if ($found) {
print $found;
}
else {
print "Search string not found.\n";
}
exit;
}
unless (open(I18N, "$dir/en")) {
print "Unable to open i18n file: $!\n";
exit 1;
}
while (defined($keyword = <I18N>)) {
next if ($keyword =~ /^\s*(#|$)/o);
next if ($keyword =~ /^version:/io);
next if ($keyword eq "MSG_TYPE_PLAIN:\n");
chomp($keyword);
if ($keyword =~ /^([^:]+):\s*\S/o) {
$keyword = $1;
}
else {
print "Keyword $keyword has no value.\n";
}
$keyword = $1 if ($keyword =~ /^MSG_TYPE_(.*)/o);
$keyword = $1 if ($keyword =~ /^MSG_RESULT_(.*)/o);
if ($keyword =~ /[a-z]/o) {
print "Keyword $keyword contains lowercase characters.\n";
}
$found = `egrep -e " $keyword( |\$)" $rkh/rkhunter`;
unless ($found) {
print "Keyword $keyword not found in rkhunter.\n";
}
# print "$keyword\n";
}
close(I18N);
exit;
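Review bot: both shell-outs interpolate caller-supplied strings into a command line: `grep $ignore_case "$search_string" $dir/en` and `egrep -e " $keyword( |\$)" $rkh/rkhunter`. A search string or i18n keyword containing a double quote or a backtick changes the command that runs. This is a developer utility run by hand, so the exposure is small, but the list form (`open(my $fh, '-|', 'grep', @args)` or `system` with a list) avoids the shell entirely and costs nothing. Two logic points in the keyword loop: when a line fails the `^([^:]+):\s*\S` match the script prints "has no value" but then carries on with the whole line as `$keyword`, producing a second, misleading "not found" message; add `next;` after the warning. And the `-s`/`-S` distinction (lowercase selects `-i`) is only discoverable from the code; mention it in the usage text. Finally, `use strict; use warnings;` would have caught any stray globals here.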
Some of the tests within RKH use commands which do not have standard options.
An example is the 'ps' command: for GNU linux we would use 'ps aux', but for
SunOS or IRIX we would use 'ps -ef'. As such the test can run for all these
operating systems, but RKH must be coded to handle each of them differently.
In cases were an O/S is not supported by a test, then RKH will usually mark the
test as 'skipped'. The user should look in the log file to see why the test was
skipped. It may be that we can then include code to enable the test for that
O/S, or the user can include it as a disabled test in the configuration file.
The problem is that when we are asked to support a new O/S, we need to find out
which command options are avaiable. We can then see if the test will run on the
new O/S, or if we need to modify RKH to support it.
This file lists those instances in RKH where whichever operating system is
used, RKH will use different commands and/or command options.
==============================================================================
RKH makes the assumtion that certain commands are standard among all UNIX,
Linux and *BSD operating systems. If one or more of these commands are not
present on the system, then RKH will not run.
The current list of required commands is:
awk cat chmod chown cp cut date egrep grep head
ls mv sed sort tail touch tr uname uniq wc
==============================================================================
1) What is the output of the 'uname' command?
This is a very basic command, but it is possible it may not work or may not
provide the information we want.
2) Is the '/bin' directory a link to '/usr/bin'?
In order to cut down on the time repeatedly looking for files in '/bin' and
'/usr/bin', RKH can exclude '/bin' if it is a link to '/usr/bin'. This occurs
on the AIX, IRIX and SunOS operating systems.
3) What is the output of the 'uname -m' command?
Typically 'uname -m' can be used to determine if the system is 32 or 64-bit.
For other operating systems, we have to use other commands. For example,
'sysctl' on FreeBSD and OSX, 'uname -p' on SunOS and AIX.
4) Does 'ls -ld /etc/*release* /etc/*version* /etc/issue' show some sort of 'release' or
version file being present?
In order to find out some information about the O/S, such as its version
number, RKH will look in '/etc' for any one of various files. Typically this
information will come from '/etc/lsb-release', or specific O/S versions such as
'/etc/debian_version' or '/etc/gentoo_release'.
The RKH configuration file contains an option to set the specific file name, if
RKH cannot correctly detect a 'release' file.
5) Does the O/S support setting an 'immutable-bit' on files? If so, then is the
'lsattr' command present?
This is one of the file properties checks. However, at present only Linux and
*BSD support the immutable-bit on files. If the system supports the
immutable-bit, but 'lsattr' is not present, then does 'ls -lno' show the file
attributes?
6) What is the output of the 'netstat -an' command?
RKH may use this output in determining if certain ports are being used.
However, the output from 'netstat' varies wildly amongst different operating
systems. So we need to see the output in order to ensure that RKH handles it
correctly.
7) Does the 'ifconfig' or 'ifconfig -a' command show the available network interfaces?
RKH looks at the network interfaces to see if they are in promiscuous mode.
8) Is the 'ip' command present? If so, then can it show the interfaces present,
and if so how? (Perhaps using 'ip -s link'?)
As above, this is a second check for promiscuous interfaces.
9) Does the file '/proc/net/packet' exist? (It may be zero-sized.) If it does
exist, then is the 'lsof' command present on the system as well?
This is used by RKH to see if there are any applications watching the network
interfaces. The 'lsof' command is used by several tests in RKH.
10) Does the 'ps ax' command display the processes running on the system? If
not, then does 'ps -ef' work instead? If not, what options to the 'ps' command
cause it to show all the current running processes on the system (the output
must include the PID and the process (command) being run by that PID).
RKH uses the 'ps' command for a few tests. However, the output varies a lot
amongst different operating systems, so we have to code RKH according to each
system.
11) Does the 'date +%s' command show the number of seconds since the epoch?
Does it also understand "date --date '5 seconds ago'"? If not then perl
will be needed.
This is used by RKH in order to add to filenames to make them random.
12) Is the 'stat' command present on the system, and if so, does the
'stat -c '%i 0%a %u %g %s %Y:' /etc/motd' command work?
If not try using 'stat -f ...'.
This should display some numbers relating to the ('/etc/motd') file attributes.
If it doesn't work, then we may need to see the man page for the 'stat'
command.
13) Does the grep command need the '-a' option, or some other option, in
order to treat binary (language) files as text files. See GREP_OPT in RKH.
14) Does the 'readlink' command exist, and if so does it support the '-f'
option to get the full pathname. If not, then the builtin command may be
required.
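Review bot: spelling in the new text: "assumtion" (in "RKH makes the assumtion"), "avaiable" ("which command options are avaiable") and "In cases were" should read "assumption", "available" and "In cases where". On item 11, the epoch seconds returned by 'date +%s' are predictable, so describing the resulting file names as "random" overstates what they provide; the value makes a name unique, not unguessable. If those names are created in a directory other users can write to, a guessable name is the classic temporary-file race, so the item should say which directory is used and whether mktemp is among the alternatives checked. Item 12's example nests single quotes ('stat -c '%i 0%a %u %g %s %Y:' /etc/motd'), which will not paste into a shell as intended; put the format string in double quotes in the example.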
#!/usr/bin/perl
#
# Hashes files (MD5)
#
use Digest::MD5;
# Open file in binary mode
my $file = $ARGV[0];
open(FILE, $file) or die "Sorry. Can't open '$file'";
binmode(FILE);
$md5 = Digest::MD5->new;
# Hash file contents
while (<FILE>) {
$md5->add($_);
}
close(FILE);
print $md5->hexdigest,"\n";
......@@ -8,30 +8,31 @@ my $mod = $ARGV[0];
my $size = $ARGV[1];
my $file = $ARGV[2];
# Open file in binary mode
open(FILE, $file) or die "Can't open file '$file'";
binmode(FILE);
eval "use $mod";
if ($mod eq 'SHA1') {
use Digest::SHA1;
$sha = Digest::SHA1 -> new;
die "Invalid module: $mod" if ($@);
if ($mod eq 'Digest::SHA1' || $mod eq 'Digest::Whirlpool' || $mod eq 'Crypt::RIPEMD160' || $mod eq 'Digest::MD5') {
$sha = $mod -> new;
}
elsif ($mod eq 'SHA256') {
use Digest::SHA256;
elsif ($mod eq 'Digest::SHA256') {
$sha = Digest::SHA256::new($size);
}
else {
use Digest::SHA::PurePerl;
$sha = Digest::SHA::PurePerl -> new($size);
$sha = $mod -> new($size);
}
# Open file in binary mode
open(FILE, $file) or die "Can't open file '$file'";
binmode(FILE);
# Hash file contents
while (<FILE>) {
$sha -> add($_);
}
$sha -> add($_) while (<FILE>);
close(FILE);
$_ = $sha -> hexdigest;
s/ //g;
print $_, "\n";
exit;
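Review bot: `eval "use $mod"` runs before the module name is compared against the permitted list, so whatever arrives as the first argument is evaluated as Perl before the `eq` tests see it, and the final `else` branch then accepts any name that happened to load. Check the name first (a hash of the permitted modules, or the existing `eq` chain) and die on anything else, then perform the eval; that keeps the accepted set explicit and makes the "Invalid module" message accurate. rkhunter only ever calls this script with a fixed module name, so the practical risk is low, but the reordering is cheap and removes the open-ended branch.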
#!/usr/bin/perl
use Digest::SHA1;
# Open file in binary mode
my $file = $ARGV[0];
open(FILE, $file) or die "Sorry. Can't open '$file'";
binmode(FILE);
$sha1 = Digest::SHA1->new;
# Hash file contents
while (<FILE>) {
$sha1->add($_);
}
close(FILE);
print $sha1->hexdigest,"\n";
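Review bot: if this standalone Digest::SHA1 script, and the Digest::MD5 one above it, are being retired in favour of the generic module-driven script (which in this commit gains 'Digest::SHA1' and 'Digest::MD5' in its accepted list), confirm that neither the installer nor rkhunter itself still references the old file names; the README states that a test whose command is missing is skipped, so a stale reference would silently turn these hash checks off rather than fail loudly.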
Version:2009091601
Version:2010111401
#
# We start with the definitions of the message types and results. There
# are very few of these, so including these and all the parts of each
......@@ -130,7 +130,7 @@ PRESSENTER:[<ENTER> um fortzufahren]
TEST_SKIPPED_OS:Test '$1' übersprungen wegen des Betriebssystems: $2
SUMMARY_TITLE1:Zusammenfassung der Systemüberprüfung
SUMMARY_TITLE2:=====================
SUMMARY_TITLE2:=====================================
SUMMARY_PROP_SCAN:Dateieigenschaften-Überprüfung...
SUMMARY_PROP_REQCMDS:Überprüfung der erforderlichen Befehle fehlgeschlagen
SUMMARY_PROP_COUNT:Dateien überprüft: $1
......@@ -449,7 +449,7 @@ SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:Der syslog-Daemon wird nicht ausgeführt nicht
SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING:Der syslog-Daemon wird nicht ausgeführt, aber ein Metalog-Daemon wurde gefunden.
SYSTEM_CONFIGS_SYSLOG_SOCKLOG_RUNNING:Der syslog-Daemon wird nicht ausgeführt, aer ein socklog-Daemon wurde gefunden.
SYSTEM_CONFIGS_SYSLOG_NO_FILE:Der syslog-Daemon wird ausgeführt, aber es kann keine Konfigurations-Datei gefunden werden.
SYSTEM_CONFIGS_SYSLOG_REMOTE:Überrpüfung, ob entferntes Logging via syslog erlaubt ist
SYSTEM_CONFIGS_SYSLOG_REMOTE:Überprüfung, ob entferntes Logging via syslog erlaubt ist
SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND:Syslog-Konfiguration erlaubt entferntes Logging: $1
SYSTEM_CONFIGS_SYSLOG_REMOTE_ALLOWED:Rkhunter-Konfigurationsvariable 'ALLOW_SYSLOG_REMOTE_LOGGING' ist aktiviert.
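Review bot: while correcting "Überrpüfung", the neighbouring context line SYSTEM_CONFIGS_SYSLOG_SOCKLOG_RUNNING still reads "aer ein socklog-Daemon" ("aber"), and the hunk header shows SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING ending in "wird nicht ausgeführt nicht", a doubled "nicht"; both are one-word fixes worth folding into the same pass.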
......@@ -460,7 +460,7 @@ FILESYSTEM_DEV_FILE_WL:Datei '$1' gefunden: erlaubt mittels Whitelist.
FILESYSTEM_DEV_FILE_FOUND:Verdächtige Dateitypen in ${1} gefunden:
FILESYSTEM_HIDDEN_DIR_WL:Verstecktes Verzeichnis '$1' gefunden: erlaubt mittels Whitelist.
FILESYSTEM_HIDDEN_FILE_WL:Versteckte Datei '$1' gefunden: erlaubt mittels Whitelist.
FILESYSTEM_HIDDEN_CHECK:Überrpüfe auf versteckte Dateien und Verzeichnisse
FILESYSTEM_HIDDEN_CHECK:Überprüfe auf versteckte Dateien und Verzeichnisse
FILESYSTEM_HIDDEN_DIR_FOUND:Verstecktes Verzeichnis gefunden: $1
FILESYSTEM_HIDDEN_FILE_FOUND:Versteckte Datei gefunden: $1
Version:2009112801
httpd: 1.3a1 1.3b1 1.3b3 1.3b4 1.3b5 1.3b6 1.3b7 1.3.0 1.3.1 1.3.2 1.3.3 1.3.4 1.3.6 1.3.9 1.3.10 1.3.11 1.3.12 1.3.14 1.3.17 1.3.19 1.3.20 1.3.21 1.3.22 1.3.23 1.3.24 1.3.25 1.3.26 1.3.27 1.3.28 1.3.29 1.3.30 1.3.31 1.3.32 1.3.33 1.3.34 1.3.35 1.3.36 1.3.37 1.3.39 1.3.40 2.0a1 2.0a2 2.0a3 2.0a4 2.0a5 2.0a6 2.0a7 2.0a8 2.0a9 2.0.11 2.0.12 2.0.13 2.0.14 2.0.15 2.0.16 2.0.17 2.0.18 2.0.19 2.0.20 2.0.21 2.0.22 2.0.23 2.0.24 2.0.25 2.0.26 2.0.27 2.0.28 2.0.29 2.0.30 2.0.31 2.0.32 2.0.33 2.0.34 2.0.35 2.0.36 2.0.37 2.0.38 2.0.39 2.0.40 2.0.41 2.0.42 2.0.43 2.0.44 2.0.45 2.0.46 2.0.47 2.0.48 2.0.49 2.0.50 2.0.51 2.0.52 2.0.53 2.0.54 2.0.55 2.0.56 2.0.57 2.0.58 2.0.59 2.0.61 2.0.62 2.2.0 2.2.1 2.2.2 2.2.3 2.2.4 2.2.6 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13
sshd: 2.1.1p4 2.2.0p1 2.3.0p1 2.5.1p1 2.5.1p2 2.5.2p1 2.5.2p2 2.9.9p1 2.9.9p2 2.9p1 2.9p2 3.0.1p1 3.0.2p1 3.0p1 3.1p1 3.2.2p1 3.2.3p1 3.3p1 3.4p1 3.5p1 3.6.1p1 3.6.1p2 3.6p1 3.7.1p1 3.7.1p2 3.7p1 3.8.1p1 3.8p1 3.9p1 4.0p1 4.1p1 4.2p1 4.3p1 4.3p2 4.4p1 4.5p1 4.6p1 4.7p1 4.9p1 5.0p1 5.1p1 5.2p1
exim: 4.20 4.21 4.22 4.23 4.24 4.30 4.31 4.32 4.33 4.34 4.40 4.41 4.42 4.43 4.44 4.50 4.51 4.52 4.53 4.54 4.60 4.61 4.62 4.63 4.64 4.65 4.66 4.67 4.68 4.69 4.70
php: 4.1.2 4.3.0 4.3.1 4.3.2 4.3.3 4.3.4 4.3.5 4.3.6 4.3.7 4.3.8 4.3.9 4.3.10 4.3.9RC2 5.0.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.2.0 5.2.1 5.2.2 5.2.3 5.2.4 5.2.5 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.3.0
gpg: 1.0.2 1.0.4 1.0.6 1.0.7 1.2.0 1.2.1 1.2.2 1.2.3 1.2.4 1.2.5 1.2.6 1.2.7 1.3.3 1.3.4 1.4.0 1.4.1 1.4.2 2.0.12 2.0.11 2.0.10 2.0.8 1.4.8 2.0.7 2.0.6 2.0.5 2.0.4 2.0.3 2.0.1 2.0 1.4.4 1.4.3 1.9.19 1.4.2 1.9.17 1.9.16 1.4.9
named: 8.1 8.1.1 8.1.2 8.2 8.2.1 8.2.2 8.2.2-P3 8.2.2-P5 8.2.2-P7 8.2.3 8.2.4 8.2.5 8.2.6 8.2.7 8.3.0 8.3.1 8.3.2 8.3.3 8.3.4 8.3.5 8.3.6 8.3.7 8.4.0 8.4.1 8.4.2 8.4.3 8.4.4 8.4.5 8.4.6 8.4.7 8.4.7-P1 9.0.0 9.0.0b1 9.0.0b2 9.0.0b3 9.0.0b4 9.0.0b5 9.0.0rc1 9.0.0rc2 9.0.0rc3 9.0.0rc4 9.0.0rc5 9.0.0rc6 9.0.1 9.0.1rc1 9.0.1rc2 9.1.0 9.1.0b1 9.1.0b2 9.1.0b3 9.1.0rc1 9.1.1 9.1.1rc1 9.1.1rc2 9.1.1rc3 9.1.1rc4 9.1.1rc5 9.1.1rc6 9.1.1rc7 9.1.2 9.1.2rc1 9.1.3 9.1.3-P2 9.1.3-P3 9.1.3rc1 9.1.3rc2 9.1.3rc3 9.2.0 9.2.0a1 9.2.0a2 9.2.0a3 9.2.0b1 9.2.0b2 9.2.0rc1 9.2.0rc10 9.2.0rc2 9.2.0rc3 9.2.0rc4 9.2.0rc5 9.2.0rc6 9.2.0rc7 9.2.0rc8 9.2.0rc9 9.2.1 9.2.1rc1 9.2.1rc2 9.2.2 9.2.2-P2 9.2.2-P3 9.2.2rc1 9.2.3 9.2.3rc1 9.2.3rc2 9.2.3rc3 9.2.3rc4 9.2.4 9.2.4rc2 9.2.4rc3 9.2.4rc4 9.2.4rc5 9.2.4rc6 9.2.4rc7 9.2.4rc8 9.2.5 9.2.5beta2 9.2.5rc1 9.2.6 9.2.6b1 9.2.6b2 9.2.6-P1 9.2.6-P2 9.2.6rc1 9.2.7 9.2.7b1 9.2.7rc1 9.2.7rc2 9.2.7rc3 9.2.8 9.2.8-P1 9.2.9 9.2.9b1 9.2.9rc1 9.3.0 9.3.0beta2 9.3.0beta3 9.3.0beta4 9.3.0rc1 9.3.0rc2 9.3.0rc3 9.3.0rc4 9.3.1 9.3.1beta2 9.3.1rc1 9.3.2 9.3.2b1 9.3.2b2 9.3.2-P1 9.3.2-P2 9.3.2rc1 9.3.3 9.3.3b1 9.3.3rc1 9.3.3rc2 9.3.3rc3 9.3.4 9.3.4-P1 9.3.5 9.3.5b1 9.3.5-P1 9.3.5-P2 9.3.5-P2-W1 9.3.5-P2-W2 9.3.5rc1 9.3.5rc2 9.3.6 9.3.6b1 9.3.6-P1 9.3.6rc1 9.4.0 9.4.0a5 9.4.0a6 9.4.0b1 9.4.0b2 9.4.0b3 9.4.0b4 9.4.0rc1 9.4.0rc2 9.4.1 9.4.1-P1 9.4.2 9.4.2b1 9.4.2-P1 9.4.2-P2 9.4.2-P2-W1 9.4.2-P2-W2 9.4.2rc1 9.4.2rc2 9.4.3 9.4.3b1 9.4.3b2 9.4.3b3 9.4.3-P1 9.4.3-P3 9.4.3rc1 9.5.0 9.5.0a5 9.5.0a6 9.5.0a7 9.5.0b1 9.5.0b2 9.5.0b3 9.5.0-P1 9.5.0-P2 9.5.0-P2-W1 9.5.0-P2-W2 9.5.0rc1 9.5.1 9.5.1b1 9.5.1b2 9.5.1b3 9.5.1-P1 9.5.1-P3 9.5.1rc1 9.5.1rc2 9.5.2 9.5.2b1 9.5.2rc1 9.6.0 9.6.0a1 9.6.0b1 9.6.0-P1 9.6.0rc1 9.6.0rc2 9.6.1 9.6.1b1 9.6.1-P1 9.6.1rc1 9.7.0a1 9.7.0a2 9.7.0a3 9.7.0b1
Version:20101116
httpd: 1.3a1 1.3b1 1.3b3 1.3b4 1.3b5 1.3b6 1.3b7 1.3.0 1.3.1 1.3.2 1.3.3 1.3.4 1.3.6 1.3.9 1.3.10 1.3.11 1.3.12 1.3.14 1.3.17 1.3.19 1.3.20 1.3.21 1.3.22 1.3.23 1.3.24 1.3.25 1.3.26 1.3.27 1.3.28 1.3.29 1.3.30 1.3.31 1.3.32 1.3.33 1.3.34 1.3.35 1.3.36 1.3.37 1.3.39 1.3.40 2.0a1 2.0a2 2.0a3 2.0a4 2.0a5 2.0a6 2.0a7 2.0a8 2.0a9 2.0.11 2.0.12 2.0.13 2.0.14 2.0.15 2.0.16 2.0.17 2.0.18 2.0.19 2.0.20 2.0.21 2.0.22 2.0.23 2.0.24 2.0.25 2.0.26 2.0.27 2.0.28 2.0.29 2.0.30 2.0.31 2.0.32 2.0.33 2.0.34 2.0.35 2.0.36 2.0.37 2.0.38 2.0.39 2.0.40 2.0.41 2.0.42 2.0.43 2.0.44 2.0.45 2.0.46 2.0.47 2.0.48 2.0.49 2.0.50 2.0.51 2.0.52 2.0.53 2.0.54 2.0.55 2.0.56 2.0.57 2.0.58 2.0.59 2.0.61 2.0.62 2.2.0 2.2.1 2.2.2 2.2.3 2.2.4 2.2.6 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.16
sshd: 2.1.1p4 2.2.0p1 2.3.0p1 2.5.1p1 2.5.1p2 2.5.2p1 2.5.2p2 2.9.9p1 2.9.9p2 2.9p1 2.9p2 3.0.1p1 3.0.2p1 3.0p1 3.1p1 3.2.2p1 3.2.3p1 3.3p1 3.4p1 3.5p1 3.6.1p1 3.6.1p2 3.6p1 3.7.1p1 3.7.1p2 3.7p1 3.8.1p1 3.8p1 3.9p1 4.0p1 4.1p1 4.2p1 4.3p1 4.3p2 4.4p1 4.5p1 4.6p1 4.7p1 4.9p1 5.0p1 5.1p1 5.2p1 5.5p1
exim: 4.20 4.21 4.22 4.23 4.24 4.30 4.31 4.32 4.33 4.34 4.40 4.41 4.42 4.43 4.44 4.50 4.51 4.52 4.53 4.54 4.60 4.61 4.62 4.63 4.64 4.65 4.66 4.67 4.68 4.69 4.70 4.71
php: 4.1.2 4.3.0 4.3.1 4.3.2 4.3.3 4.3.4 4.3.5 4.3.6 4.3.7 4.3.8 4.3.9 4.3.10 4.3.9RC2 5.0.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.2.0 5.2.1 5.2.2 5.2.3 5.2.4 5.2.5 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.3.0 5.3.1 5.3.2
gpg: 1.0.2 1.0.4 1.0.6 1.0.7 1.2.0 1.2.1 1.2.2 1.2.3 1.2.4 1.2.5 1.2.6 1.2.7 1.3.3 1.3.4 1.4.0 1.4.1 1.4.2 2.0.12 2.0.11 2.0.10 2.0.8 1.4.8 2.0.7 2.0.6 2.0.5 2.0.4 2.0.3 2.0.1 2.0 1.4.4 1.4.3 1.9.19 1.4.2 1.9.17 1.9.16 1.4.9 1.4.10
named: 8.1 8.1.1 8.1.2 8.2 8.2.1 8.2.2 8.2.2-P3 8.2.2-P5 8.2.2-P7 8.2.3 8.2.4 8.2.5 8.2.6 8.2.7 8.3.0 8.3.1 8.3.2 8.3.3 8.3.4 8.3.5 8.3.6 8.3.7 8.4.0 8.4.1 8.4.2 8.4.3 8.4.4 8.4.5 8.4.6 8.4.7 8.4.7-P1 9.0.0 9.0.0b1 9.0.0b2 9.0.0b3 9.0.0b4 9.1.0b1 9.1.0b2 9.2.0a1 9.2.0a2 9.2.0a3 9.2.0b1 9.2.0b2 9.2.0rc1 9.5.0a1 9.5.0a2 9.5.0a3 9.5.0a4 9.5.0a5 9.5.0a6 9.5.0a7 9.5.0b1 9.6.0a1 9.6.0b1 9.6.0rc1 9.7.0a1 9.7.0a2 9.7.0a3 9.7.0b1 9.7.0b2 9.7.0b3 9.7.0rc1 9.7.0rc2 9.7.0 9.7.1b1 9.7.1rc1 9.7.1 9.7.2b1 9.7.2rc1 9.7.2 9.7.2-P1
procmail: 1.00 1.01 1.02 1.10 1.20 1.21 1.30 1.35 1.99 2.00 2.01 2.02 2.03 2.10 2.11 2.30 2.31 2.40 2.50 2.60 2.61 2.70 2.71 2.80 2.81 2.90 2.91 3.00 3.01 3.02 3.03 3.04 3.05 3.06 3.10 3.11pre3 3.11pre4 3.11pre7 3.12 3.13 3.14 3.15 3.20 3.21
proftpd: 1.2.10rc1 1.2.10rc2 1.2.10rc3 1.2.5 1.2.6 1.2.8p 1.2.9 1.3.0a 1.3.1 1.3.1rc1 1.3.1rc2 1.3.1rc3 1.3.2 1.3.2rc1 1.3.2rc2 1.3.2rc3 1.3.2rc4 1.3.2 1.3.2a 1.3.3rc1
openssl: 0.9.3 0.9.3a 0.9.4 0.9.5 0.9.5a 0.9.6 0.9.6a 0.9.6a 0.9.6b 0.9.6b 0.9.6c 0.9.6c 0.9.6d 0.9.6d 0.9.6e 0.9.6e 0.9.6f 0.9.6f 0.9.6g 0.9.6g 0.9.6h 0.9.6h 0.9.7 0.9.6i 0.9.6i 0.9.7a 0.9.6j 0.9.6j 0.9.7b 0.9.6k 0.9.6k 0.9.7c 0.9.6l 0.9.6l 0.9.6m 0.9.6m 0.9.7d 0.9.7e 0.9.7f 0.9.7g 0.9.8 0.9.7h 0.9.8a 0.9.7i 0.9.7j 0.9.8b 0.9.7k 0.9.8c 0.9.7l 0.9.8d 0.9.7m 0.9.8e 0.9.8f 0.9.8g 0.9.8h 0.9.8i 0.9.8j 0.9.8k
proftpd: 1.2.10rc1 1.2.10rc2 1.2.10rc3 1.2.5 1.2.6 1.2.8p 1.2.9 1.3.0a 1.3.1 1.3.1rc1 1.3.1rc2 1.3.1rc3 1.3.2 1.3.2rc1 1.3.2rc2 1.3.2rc3 1.3.2rc4 1.3.2 1.3.2a 1.3.2b 1.3.2c 1.3.2d 1.3.3rc1 1.3.3rc2 1.3.3rc3 1.3.3rc4 1.3.3 1.3.3a 1.3.3b
openssl: 0.9.3 0.9.3a 0.9.4 0.9.5 0.9.5a 0.9.6 0.9.6a 0.9.6a 0.9.6b 0.9.6b 0.9.6c 0.9.6c 0.9.6d 0.9.6d 0.9.6e 0.9.6e 0.9.6f 0.9.6f 0.9.6g 0.9.6g 0.9.6h 0.9.6h 0.9.7 0.9.6i 0.9.6i 0.9.7a 0.9.6j 0.9.6j 0.9.7b 0.9.6k 0.9.6k 0.9.7c 0.9.6l 0.9.6l 0.9.6m 0.9.6m 0.9.7d 0.9.7e 0.9.7f 0.9.7g 0.9.8 0.9.7h 0.9.8a 0.9.7i 0.9.7j 0.9.8b 0.9.7k 0.9.8c 0.9.7l 0.9.8d 0.9.7m 0.9.8e 0.9.8f 0.9.8g 0.9.8h 0.9.8i 0.9.8j 0.9.8k 0.9.8l 0.9.8m 0.9.8n 0.9.8o 0.9.8n 1.0.0 1.0.0a
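Review bot: the new 'named:' line drops the large majority of the entries the previous version carried (everything from 9.0.0b5 through the 9.6.1 release, including the 9.2.x, 9.3.x, 9.4.x and 9.5.x -P patch levels), keeping mostly alpha, beta and rc tags before adding the 9.7.x ones. If that pruning is deliberate it needs a changelog line, because the applications check will no longer flag those BIND versions; if it is accidental, the entries should be restored. Two smaller points: the 'Version:' header changes from a ten-digit stamp (2009112801) to an eight-digit one (20101116) while the other data files in this commit keep the ten-digit form (2010111401), so check that whatever compares these headers during '--update' handles both; and the openssl line now lists 0.9.8n twice (again after 0.9.8o), on top of the doubled entries such as "0.9.6a 0.9.6a" already present.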
.\" rkhunter - RootKit Hunter
.TH rkhunter 8 "September, 2008"
.TH rkhunter 8 "August, 2010"
.SH NAME
rkhunter \- RootKit Hunter
.SH SYNOPSIS
\fBrkhunter\fP {--check | --unlock | --update | --versioncheck |
--propupd [{filename | directory | package name},...] |
--list [tests | {lang | languages} | rootkits] |
--version | --help} [options]
--list [tests | {lang | languages} | rootkits | perl] |
--config\-check | --version | --help} [options]
.SH DESCRIPTION
\fBrkhunter\fP is a shell script which carries out various checks on the local
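Review bot: in the synopsis the new '--config\-check' escapes its second hyphen while the options on the same lines ('--check', '--list', '--version') do not; troff renders '-' and '\-' differently on some output devices, so use one form throughout, preferably the '\-\-' already used in the .IP headings further down.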
......@@ -110,13 +110,34 @@ new version is available.
.IP
.IP "\fB\-\-list [tests | {lang | languages} | rootkits]\fP"
.IP "\fB\-\-list [tests | {lang | languages} | rootkits | perl]\fP"
This command option will list some of the supported capabilities of the
program, and then exit. The \fItests\fP option lists the currently available
test names (see the README file for more details about test names). The
\fIlanguages\fP option lists the currently available languages, and the
\fIrootkits\fP option lists the rootkits that \fBrkhunter\fP will search for.
If no specific option is given, then all the lists are displayed.
The \fIperl\fP option lists the installation status of perl modules that may
be used by some of the tests. Note that it is not \fIrequired\fP to install
these modules. However, if rkhunter is forced to use perl to execute a test
then the module must be present. If no specific option is given, then all the
lists are displayed.
.IP
.IP "\fB\-C, \-\-config\-check\fP"
This command option causes \fBrkhunter\fP to check its configuration
file(s), and then exit. The program will run through its normal
configuration checks as specified by the enable and disable options
on the command\-line and in the configuration files. That is, only the
configuration options for tests which would normally run are checked. In
order to check all the configured options, then use the \fB--enable all
--disable none\fP options on the command line. Additionally, the program will
check to see if there are any unrecognised configuration options. If any
configuration problems are found, then they will be displayed and the return
code will be set to 1.
It is suggested that this option is used whenever the configuration
file(s) have been changed.
.IP
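Review bot: the `--config-check` text says the return code is 1 when problems are found but never states what a clean run returns, and the `--enable all --disable none` advice for checking every option conflicts with the `--nocf` entry later on this page, which says a command-line `--disable` is still combined with the configuration file's disable setting unless `--nocf` is given; the recommended invocation should therefore be `--config-check --enable all --disable none --nocf`, and the paragraph should state the success code. In the `--list perl` paragraph, "if rkhunter is forced to use perl to execute a test" does not say what forces it; name the configuration option or test that does, or point to the README section that explains it. Finally, `\fB--enable all --disable none\fP` uses plain hyphens where the rest of the page uses `\-\-`.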
......@@ -151,10 +172,12 @@ This option tells \fBrkhunter\fP to append to the existing log file. If the
log file does not exist, then it will be created.
.IP "\fB\-\-bindir <directory>...\fP"
This option tells \fBrkhunter\fP which directories to look in to find the
various commands it requires. The default is the current PATH environment
variable, and the typical command directories of /bin, /usr/bin, /sbin and so
on.
This option modifies which directories \fBrkhunter\fP looks in to find the
various commands it requires (that is, its PATH). The default is the root
PATH, and an internal list of some common command directories. By default
a specified directory will be appended to the default list. However, if the
directory name begins with the '+' character, then it will be prepended to
the list (that is, it will be put at the start of the list).
.IP "\fB\-\-cs2, \-\-color\-set2\fP"
By default \fBrkhunter\fP will display its test results in color. The colors
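Review bot: prepending a directory with the '+' form puts it ahead of every default location for the commands rkhunter relies on, so a directory that is world-writable or otherwise not root-controlled lets an attacker-planted binary shadow the system one for every check that follows; the entry should warn that only trusted, root-owned directories belong at the front of the list, say whether the option validates that, and state the order in which several '+' directories end up when more than one is given. Also, "the root PATH" is ambiguous; if it means the PATH of the root user, say so.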
......@@ -209,7 +232,7 @@ option is used, and \fB\-\-propupd\fP is not specified, then the
\fB\-\-check\fP command option is assumed. If only one test name, other than
\fIall\fP, is given, then the \fB\-\-skip\-keypress\fP option is also assumed.
Read the README file for more information about test names. By default all
tests are enabled. All tests will be listed below under TESTS.
tests are enabled. All the test names are listed below under TESTS.
.IP "\fB\-\-hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |\fP"
\fB NONE | <command>}\fP
......@@ -247,6 +270,14 @@ it is run. Any previously existing logfile is moved out of the way, and has
This option reverts \fBrkhunter\fP to its default behaviour of creating a new
log file rather than appending to it.
.IP \fB\-\-nocf\fP
.br
This option is only valid when the command\-line \fB\-\-disable\fP option is used.
When the \fB\-\-disable\fP option is used, by default, the configuration file
option to disable tests is also used to determine which tests to run. If only the
\fB\-\-disable\fP option is to be used to determine which tests to run, then
\fB\-\-nocf\fP must be given.
.IP \fB\-\-nocolors\fP
This option causes the result of each test to not be displayed in a specific
color. The default color, usually the reverse of the background color, will be
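Review bot: the `--nocf` entry says the option is only valid with `--disable` but not what happens otherwise, whether it is rejected with an error or silently ignored, and "the configuration file option to disable tests" should name that option so the reader can find it in rkhunter.conf. The `.br` request after `.IP \fB\-\-nocf\fP` is not used by any other entry on the page and only inserts a stray line break before the text; drop it.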
......@@ -273,7 +304,7 @@ option reduces the amount of logging, and so can improve the performance of
\fBrkhunter\fP. However, the log file will contain less information should any
warnings occur. By default verbose logging is enabled.
.IP "\fB\-\-pkgmgr {RPM | DPKG | BSD | NONE}\fP"
.IP "\fB\-\-pkgmgr {RPM | DPKG | BSD | SOLARIS | NONE}\fP"
This option is used during the file properties check or when the
\fB\-\-propupd\fP command option is given. It tells \fBrkhunter\fP that the
current file property values should be obtained from the relevant package manager.
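Review bot: SOLARIS is added to the accepted `--pkgmgr` values but nothing in the entry says which package tool supplies the values for it or whether it covers the same file properties as RPM and DPKG, so add a sentence on that. It is also worth stating here that package-manager values are read from the package database of the host being checked, so on a compromised system they are only as trustworthy as that database, and a `--propupd` baseline taken from a known-clean install remains the stronger reference.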
......@@ -362,6 +393,7 @@ THREE=three,three. Simple globbing (/dev/shm/file-*) works.
.IP \fBgroup_accounts\fP
.IP \fBgroup_changes\fP
.IP \fBhashes\fP
.IP \fBhidden_ports\fP
.IP \fBhidden_procs\fP
.IP \fBimmutable known_rkts\fP
.IP \fBloaded_modules\fP
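Review bot: `hidden_ports` lands in the right alphabetical slot, but the neighbouring entry `.IP \fBimmutable known_rkts\fP` puts two test names on one `.IP` line, unlike every other entry in this list, so they render as a single test name; split it into `.IP \fBimmutable\fP` and `.IP \fBknown_rkts\fP` while this list is being touched. The README that the page points to for test names should also gain a description of `hidden_ports` if it does not have one yet.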
......
......@@ -6,7 +6,7 @@
#%%dump
%define name rkhunter
%define ver 1.3.6