Commit eca1837f authored by Francois Marier

New upstream version 1.4.4

parent c459dfa4
......@@ -32,6 +32,9 @@ Julien Valroff Bug reports, ideas and fixes
Dick Gevers For packaging and hosting skdet
Jan Iven Bug reports, ideas and fixes
CaPaCuL Turkish translations
Mitsuhiri Yoshida Japanese translation
Alexander Wittig BSDng package manager code
Patrick G. IPCS whitelisting code
And thanks to all others who contributed to Rootkit Hunter:
......
......@@ -7,7 +7,7 @@
!! Important notices !!
- Dates in this file are formatted as DD/MM/YYYY (European format)
- Dates in this file are formatted as DD/MM/YYYY (European format).
- The rkhunter configuration file (default /etc/rkhunter.conf) will
not be overwritten when using the rkhunter installer, unless
specifically requested to do so (using the '--overwrite' option).
......@@ -18,6 +18,98 @@
--
* 1.4.4 (29/06/2017)
New:
- Added the GLOBSTAR configuration file option. This will set the
shells globstar option to allow recursive checks of directories.
By default this option is disabled.
- Added a Japanese translation file.
- Added support for the 'BSDng' package manager option. This can
be used by those *BSD systems which have the 'pkg' command
available (currently later FreeBSD systems).
- The BSD package manager will now try the 'pkg_info' command '-W'
option if the '-F' option fails.
- Added the LOCKDIR configuration option. It is now possible to
specify the directory rkhunter will use to store the lock file
(if USE_LOCKING has been set). The default is unset, and this
will cause rkhunter to look for a directory to use. Details are
in the configuration file.
- Added the ALLOWIPCPROC configuration file option. This can be
used to whitelist suspicious processes using shared memory
segments (found during the 'ipc_shared_mem' check).
Changes:
- The DISABLE_UNHIDE option has been removed from the configuration
file. It is no longer required as disabling the 'hidden_procs' or
'hidden_ports' tests has the same effect.
- The installer now installs directories and executable files with
mode 700, other files are set as mode 600. The man page is left
at mode 644. The documentation directory is mode 755, and the
files within it are mode 644. The 'rkhunter' program itself will
set the mode of copied files to 600 (for example log files, and
the passwd/group files).
- By default the 'apps' test is now disabled in the configuration
file.
- The default hash function for the file properties test, given by
the HASH_CMD option in the configuration file, has now changed
to SHA256. It was previously SHA1, or MD5 if SHA1 was not found.
- Previously the lock file (if locking was used) was just an empty
file. It now contains the PID of the running process.
- The 'system_configs' test name has now been changed into a test
group consisting of the two tests 'system_configs_ssh' and
'system_configs_syslog'. Each test may now be enabled or disabled
individually.
- The 'other_malware' test name has been removed, and replaced by
the 'login_backdoors', 'sniffer_logs', 'tripwire', 'susp_dirs'
and 'ipc_shared_mem' test names. These are now all part of the
'malware' test group.
Bugfixes:
- Ensure that 'lsof' errors are not displayed.
- Ensure that 'ipcs' errors and the locale are handled correctly.
- Correct broken pipe errors in some commands.
- For Solaris users set the 'awk' command very early on so that
option processing works correctly.
- The ALLOWPROCDELFILE option was not handling multiple pathnames
or wildcards correctly. It was also not handling the option
pathnames correctly.
- The SCANROOTKITMODE configuration option was never actually read
as a configuration option.
- The '--config-check'/'-C' option could produce incorrect error
messages in certain circumstances.
- Setting the ALLOW_SSH_PROT_V1 option to '2' could cause warning
messages when SSH protocol 1 was allowed.
- Allow Linux 'grep' to work correctly with binary (i18n) files.
- Multiple UID0_ACCOUNTS and PWDLESS_ACCOUNTS options were not being
handled correctly.
- Uppercase test names were not being handled correctly.
- Changed the 'logger' command tag from 'Rootkit Hunter' to 'rkhunter'
to avoid problems with spaces.
- Ensure that 'fdescfs' filesystems are correctly detected.
- To try and avoid colour escape sequences being logged, both of
the variables CLICOLOR and CLICOLOR_FORCE are unset for *BSD and
SunOS systems.
- The 'startup_malware' and 'possible_rkt_strings' checks will now
check systemd startup scripts if they are located in the
'/etc/systemd/system' directory.
- The 'sockstat' command output on BSD systems can become corrupted
if a username is very long. This is now detected, and processed
correctly.
- The 'shared_libs' test now recognises comments in the preload file.
- The ALLOWPROMISCIF configuration option was not handling multiple
occurrences correctly. This has now been corrected.
- Tighten up the input verification check on the mirror file to
ensure that only URL's are used as a mirror. (CVE-2017-7480)
- The BSD package manager seemed to be needlessly stripping out
parts of package names on NetBSD systems. It no longer does this.
- In certain cases it was possible for certain tests to not display
any output. This has now been corrected.
- The installer did not always add the 'rkhunter.d' directory, if
it existed, to the main configuration file for monitoring.
--
* 1.4.2 (24/02/2014)
New:
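Review bot: The HASH_CMD default change to SHA256 (Changes section) needs a migration note: an existing rkhunter.dat holds SHA1 (or MD5) values, so users must run 'rkhunter --propupd' after upgrading before the stored values are comparable again, and the entry should say so. In the Bugfixes section, "only URL's are used as a mirror" (the CVE-2017-7480 entry) should read "only URLs"; since that is the one security fix in the release, it would also help to state what was previously accepted from the mirror file, as the current wording does not say what the tightened check rejects.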
......
......@@ -363,8 +363,9 @@ A. See the README file for information about the test names.
3.5) Can rkhunter handle filenames with spaces in them?
A. Generally yes. Some tests still may not like filenames
with the colon (:) character in them though.
A. Generally yes for the tests themselves, but not for configuration options.
Additionally, Some tests may not like filenames with the colon (:) character
in them.
3.6) What does the following warning mean:
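Review bot: Capitalisation in the new answer: "Additionally, Some tests" should be "Additionally, some tests". The new first sentence says configuration options cannot handle filenames with spaces, but not what happens when one is given (ignored, or split into two pathnames); a reader checking a whitelist entry will want that spelled out.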
......
......@@ -2,7 +2,7 @@
THE ROOTKIT HUNTER PROJECT
==========================
Copyright (c) 2003-2014, Michael Boelen
Copyright (c) 2003-2017, Michael Boelen
See the LICENSE file for conditions of use and distribution.
It is recommended that all users of RootKit Hunter (RKH) join the
......@@ -22,12 +22,12 @@ Please note that RKH has some requirements:
'cat', 'sed', 'head', 'tail', etc. If a command is missing then
RKH will not run.
2) Some tests require commands such as stat, readlink, md5/md5sum or
sha1/sha1sum. If these are not present, then RKH has perl
scripts which will automatically be used instead. However, this
requires perl, and certain modules, being present. If they are
not, then the tests will be skipped. Readlink is provided as a
script itself, and does not use perl. Other tests will use other
2) Some tests require commands such as stat, readlink, sha256 or
sha256sum. If these are not present, then RKH has perl scripts
which will automatically be used instead. However, this requires
perl, and certain modules, being present. If they are not, then
the tests will be skipped. Readlink is provided as a script
itself, and does not use perl. Other tests will use other
commands. If the relevant command is not found on the system,
then the test will be skipped.
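Review bot: Grammar carried over into the rewritten item 2: "this requires perl, and certain modules, being present" reads better as "this requires perl, and certain modules, to be present"; since the whole paragraph is being rewrapped for the sha256/sha256sum change, fix it in the same hunk.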
......@@ -51,9 +51,6 @@ Please note that RKH has some requirements:
- Unhide and unhide-tcp (C versions)
Finds hidden ports and processes.
http://unhide.sourceforge.net
- Unhide (Ruby version)
Finds hidden processes.
https://launchpad.net/unhide.rb
If the relevant tool is not found, then the test is skipped.
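Review bot: Dropping the Ruby 'unhide.rb' from the list of supported tools is a user-visible change that the 1.4.4 CHANGELOG hunk does not record; it only mentions the removal of the DISABLE_UNHIDE option (the i18n hunk also drops the ROOTKIT_MALWARE_HIDDEN_PROCS_RUBY_ERR message). Add a Changes entry so that users who relied on the Ruby version know why it is no longer run.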
......@@ -91,14 +88,21 @@ you chose using the '--layout' switch. You can either edit the main
configuration file itself, or create a 'local' configuration file
for your own settings. This file, which must be called
'rkhunter.conf.local', must reside in the same directory as the main
configuration file. Alternatively you can create a directory, named
'rkhunter.d', in the same directory as the main configuration file.
Within 'rkhunter.d' you can then create further configuration files.
The only restriction is that the file names end in '.conf'.
configuration file. Alternatively, or in addition if wished, you can
create a directory, named 'rkhunter.d', in the same directory as the
main configuration file. Within 'rkhunter.d' you can then create
further configuration files. The only restriction is that the file
names end in '.conf'.
You should edit the configuration file(s) according to your own
system requirements.
Note: If the installer detects an existing 'rkhunter.conf.local' file,
or an 'rkhunter.d' directory, then these will be added to the main
configuration file for monitoring by rkhunter. The installer will also
add the 'rkhunter.conf' file itself to be monitored. By doing this, any
changes to the rkhunter configuration file(s) will be detected.
If the installer encounters an existing 'rkhunter.conf' file, it will
not be overwritten. Instead the installer creates a new configuration
file, but with a unique number as its suffix. Please inspect the new
......@@ -294,7 +298,8 @@ sub-directory).
During uninstallation, the installer will remove the initial configuration
file (usually '/etc/rkhunter.conf'). However, any other files beginning with
'rkhunter.conf' are not removed. These may be removed manually if wished.
'rkhunter.conf' are not removed. Similarly, any 'rkhunter.d' directory is
not removed. These may be removed manually if wished.
When installing RKH, some directories may have been created. However,
RKH is unaware of this when being uninstalled. As such, and especially
......@@ -430,26 +435,26 @@ that a file has changed when in fact it has been automatically updated by the
system.
The currently available package managers are 'RPM' for RedHat/RPM-based
systems, 'DPKG' for Debian-based systems, 'BSD' for *BSD systems, and
'SOLARIS' for Solaris systems. It is also possible to specify 'NONE' to
indicate not to use a package manager. The program default is 'NONE'.
systems, 'DPKG' for Debian-based systems, 'BSD' (using the 'pkg_info' command)
and 'BSDng' (using the 'pkg' command) for *BSD systems, and 'SOLARIS' for
Solaris systems. It is also possible to specify 'NONE' to indicate not to use
a package manager. The program default is 'NONE'.
Any file which is not part of a package is treated as before, that is,
the HASH_CMD configuration file option, or the '--hash' command-line
option, will be used.
It should be noted that all the package managers, except 'SOLARIS', provide
an MD5 hash value for a file. However, the 'RPM' and 'SOLARIS' package
managers can provide other file property values as well, such as the file
permissions, uid, gid, modification time and so on. During the file
properties check all of these values will be used, rather than the ones
stored in the rkhunter.dat file. The Solaris package manager does store a
16-bit hash value, but this is not used by default. If it is wished to
use the stored value, then the USE_SUNSUM configuration option must be
enabled.
It should also be noted that the 'DPKG' and 'BSD' package manager options
only provide the files MD5 hash value. As such, during the file properties
a hash value for a file. However, the 'RPM' and 'SOLARIS' package managers
can provide other file property values as well, such as the file permissions,
uid, gid, modification time and so on. During the file properties check all
of these values will be used, rather than the ones stored in the rkhunter.dat
file. The Solaris package manager does store a 16-bit hash value, but this is
not used by default. If it is wished to use the stored value, then the
USE_SUNSUM configuration option must be enabled.
It should also be noted that the 'DPKG', 'BSD' and 'BSDng' package manager
options only provide a files hash value. As such, during the file properties
check, all the other current file properties will be re-calculated as before,
and compared against the values in the rkhunter.dat file. Hence, only the 'RPM'
and 'SOLARIS' package managers offer any real benefits in using a package manager.
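Review bot: "only provide a files hash value" should be "a file's hash value". The rewrite also replaces "an MD5 hash value" with the vaguer "a hash value" in the sentence about all package managers except 'SOLARIS'; if the point is that the hash type now depends on the package manager (the i18n hunk adds both MD5 and SHA variants of HASH_PKGMGR messages), say that explicitly rather than leaving the type unspecified.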
......
Version:2013112401
Version:2017062301
#
# We start with the definitions of the message types and results. There
# are very few of these, so including these and all the parts of each
......@@ -108,6 +108,7 @@ HASH_PKGMGR_OLD_UNSET:Stored hash values did not use a package manager
HASH_PKGMGR:Using package manager '$1' for file property checks
HASH_PKGMGR_MD5:Using MD5 hash function command '$1' to assist package manager verification
HASH_PKGMGR_SHA:Using SHA hash function command '$1' to assist package manager verification
HASH_PKGMGR_SUM:Using the stored 16-bit checksum for package verification
HASH_PKGMGR_NOT_SPEC:No package manager specified: using hash function '$1'
HASH_PKGMGR_NOT_SPEC_PRELINKED:No package manager specified: using prelink command with '$1'
......@@ -212,7 +213,8 @@ PROPUPD_START:Starting file properties data update...
PROPUPD_OSINFO_START:Collecting O/S info...
PROPUPD_ARCH_FOUND:Found system architecture: $1
PROPUPD_REL_FILE:Found release file: $1
PROPUPD_NO_REL_FILE:Unable to find a release file: LS output shows:
PROPUPD_NO_REL_FILE_NO_OUTPUT:Unable to find an O/S release file.
PROPUPD_NO_REL_FILE:Unable to find an O/S release file: LS output shows:
PROPUPD_OSNAME_FOUND:Found O/S name: $1
PROPUPD_ERROR:Error installing new 'rkhunter.dat' file. Code $1
PROPUPD_NEW_DAT_FILE:New 'rkhunter.dat' file installed in '$1'
......@@ -389,45 +391,41 @@ ROOTKIT_MALWARE_SUSP_FILES_FOUND_CMD:Command: $1
ROOTKIT_MALWARE_SUSP_FILES_FOUND_PATH:Pathname: $1
ROOTKIT_MALWARE_SUSP_FILES_FOUND_RTKT:Possible Rootkit: $1
ROOTKIT_MALWARE_HIDDEN_PROCS:Checking for hidden processes
ROOTKIT_MALWARE_HIDDEN_PROCS_NOUNHIDE:The use of '$1' has been disabled at the users request
ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS:Found 'unhide' command version: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD:Using command '$1'
ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR:'unhide' not executed: invalid configured test names: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_RUBY_ERR:The 'unhide.rb' command gave an error:
ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:Hidden processes found:
ROOTKIT_MALWARE_DELETED_FILES:Checking running processes for deleted files
ROOTKIT_MALWARE_DELETED_FILES_FOUND:The following processes are using deleted files:
ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:Process: $1 PID: $2 File: $3
ROOTKIT_MALWARE_DELETED_FILES_WL:Found process '$1' using file '$2': it is whitelisted.
ROOTKIT_MALWARE_LOGIN_BDOOR:Checking for login backdoors
ROOTKIT_MALWARE_LOGIN_BDOOR_LOG:Performing check for login backdoors
ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:Checking for '$1'
ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:Found login backdoor file: $1
ROOTKIT_MALWARE_SUSP_DIR:Checking for suspicious directories
ROOTKIT_MALWARE_SUSP_DIR_LOG:Performing check for suspicious directories
ROOTKIT_MALWARE_SUSP_DIR_FOUND:Found suspicious directory: $1
ROOTKIT_MALWARE_SFW_INTRUSION:Checking for software intrusions
ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:The file '$1' contains the string '$2'. Possible rootkit: SHV5
ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Check skipped - tripwire not installed
ROOTKIT_MALWARE_SNIFFER:Checking for sniffer log files
ROOTKIT_MALWARE_SNIFFER_LOG:Performing check for sniffer log files
ROOTKIT_MALWARE_SNIFFER_FOUND:Found possible sniffer log file: $1
ROOTKIT_MALWARE_IPCS:Suspicious Shared Memory segments
ROOTKIT_MALWARE_IPCS:Checking for suspicious shared memory segments
ROOTKIT_MALWARE_IPCS_FOUND:The following suspicious shared memory segments have been found:
ROOTKIT_MALWARE_IPCS_DETAILS:Process: $1 PID: $2 Owner: $3
ROOTKIT_MALWARE_IPCS_WL:Found process pathname '$1': it is whitelisted.
ROOTKIT_TROJAN_START:Performing trojan specific checks
ROOTKIT_TROJAN_INETD:Checking for enabled inetd services
ROOTKIT_TROJAN_INETD_SKIP:Check skipped - file '$1' does not exist.
ROOTKIT_TROJAN_INETD_FOUND:Found enabled inetd service: $1
ROOTKIT_TROJAN_XINETD:Checking for enabled xinetd services
ROOTKIT_TROJAN_XINETD_LOG:Performing check for enabled xinetd services
ROOTKIT_TROJAN_XINETD_ENABLED:Checking '$1' for enabled services
ROOTKIT_TROJAN_XINETD_INCLUDE:Found 'include $1' directive
ROOTKIT_TROJAN_XINETD_INCLUDEDIR:Found 'includedir $1' directive
ROOTKIT_TROJAN_XINETD_ENABLED_FOUND:Found enabled xinetd service: $1
ROOTKIT_TROJAN_XINETD_WHITELIST:Found service '$1': it is $2 whitelisted.
ROOTKIT_TROJAN_APACHE:Checking for Apache backdoor
ROOTKIT_TROJAN_APACHE_SKIPPED:Apache backdoor check skipped: Apache modules and configuration directories not found.
ROOTKIT_TROJAN_APACHE_SKIPPED:Check skipped - no Apache module or configuration directories found.
ROOTKIT_TROJAN_APACHE_FOUND:Apache backdoor module 'mod_rootme' found: $1
ROOTKIT_OS_START:Performing $1 specific checks
......@@ -633,6 +631,9 @@ LIST_PERL:Perl module installation status:
LIST_RTKTS:Rootkits checked for:
LOCK_USED:Locking is being used: timeout is $1 seconds
LOCK_DIR:Using '$1' as the locking directory
LOCK_UNUSED:Locking is not being used
LOCK_WAIT:Waiting for lock file
LOCK_FAIL:Unable to get the lock file: rkhunter has not run!
LINUX_ONLY:Check skipped - this check is only for Linux systems.
Version:2010111601
httpd: 1.3a1 1.3b1 1.3b3 1.3b4 1.3b5 1.3b6 1.3b7 1.3.0 1.3.1 1.3.2 1.3.3 1.3.4 1.3.6 1.3.9 1.3.10 1.3.11 1.3.12 1.3.14 1.3.17 1.3.19 1.3.20 1.3.21 1.3.22 1.3.23 1.3.24 1.3.25 1.3.26 1.3.27 1.3.28 1.3.29 1.3.30 1.3.31 1.3.32 1.3.33 1.3.34 1.3.35 1.3.36 1.3.37 1.3.39 1.3.40 2.0a1 2.0a2 2.0a3 2.0a4 2.0a5 2.0a6 2.0a7 2.0a8 2.0a9 2.0.11 2.0.12 2.0.13 2.0.14 2.0.15 2.0.16 2.0.17 2.0.18 2.0.19 2.0.20 2.0.21 2.0.22 2.0.23 2.0.24 2.0.25 2.0.26 2.0.27 2.0.28 2.0.29 2.0.30 2.0.31 2.0.32 2.0.33 2.0.34 2.0.35 2.0.36 2.0.37 2.0.38 2.0.39 2.0.40 2.0.41 2.0.42 2.0.43 2.0.44 2.0.45 2.0.46 2.0.47 2.0.48 2.0.49 2.0.50 2.0.51 2.0.52 2.0.53 2.0.54 2.0.55 2.0.56 2.0.57 2.0.58 2.0.59 2.0.61 2.0.62 2.2.0 2.2.1 2.2.2 2.2.3 2.2.4 2.2.6 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.16
sshd: 2.1.1p4 2.2.0p1 2.3.0p1 2.5.1p1 2.5.1p2 2.5.2p1 2.5.2p2 2.9.9p1 2.9.9p2 2.9p1 2.9p2 3.0.1p1 3.0.2p1 3.0p1 3.1p1 3.2.2p1 3.2.3p1 3.3p1 3.4p1 3.5p1 3.6.1p1 3.6.1p2 3.6p1 3.7.1p1 3.7.1p2 3.7p1 3.8.1p1 3.8p1 3.9p1 4.0p1 4.1p1 4.2p1 4.3p1 4.3p2 4.4p1 4.5p1 4.6p1 4.7p1 4.9p1 5.0p1 5.1p1 5.2p1 5.5p1
Version:2014042901
httpd: 1.3a1 1.3b1 1.3b3 1.3b4 1.3b5 1.3b6 1.3b7 1.3.0 1.3.1 1.3.2 1.3.3 1.3.4 1.3.6 1.3.9 1.3.10 1.3.11 1.3.12 1.3.14 1.3.17 1.3.19 1.3.20 1.3.21 1.3.22 1.3.23 1.3.24 1.3.25 1.3.26 1.3.27 1.3.28 1.3.29 1.3.30 1.3.31 1.3.32 1.3.33 1.3.34 1.3.35 1.3.36 1.3.37 1.3.39 1.3.40 2.0a1 2.0a2 2.0a3 2.0a4 2.0a5 2.0a6 2.0a7 2.0a8 2.0a9 2.0.11 2.0.12 2.0.13 2.0.14 2.0.15 2.0.16 2.0.17 2.0.18 2.0.19 2.0.20 2.0.21 2.0.22 2.0.23 2.0.24 2.0.25 2.0.26 2.0.27 2.0.28 2.0.29 2.0.30 2.0.31 2.0.32 2.0.33 2.0.34 2.0.35 2.0.36 2.0.37 2.0.38 2.0.39 2.0.40 2.0.41 2.0.42 2.0.43 2.0.44 2.0.45 2.0.46 2.0.47 2.0.48 2.0.49 2.0.50 2.0.51 2.0.52 2.0.53 2.0.54 2.0.55 2.0.56 2.0.57 2.0.58 2.0.59 2.0.61 2.0.62 2.0.63 2.0.64 2.0.62 2.2.0 2.2.1 2.2.2 2.2.3 2.2.4 2.2.6 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.16 2.2.17 2.2.18 2.2.19 2.2.20 2.2.21 2.2.22 2.2.23 2.2.24 2.2.25 2.2.26 2.4.2 2.4.3 2.4.4 2.4.6 2.4.7
sshd: 2.1.1p4 2.2.0p1 2.3.0p1 2.5.1p1 2.5.1p2 2.5.2p1 2.5.2p2 2.9.9p1 2.9.9p2 2.9p1 2.9p2 3.0.1p1 3.0.2p1 3.0p1 3.1p1 3.2.2p1 3.2.3p1 3.3p1 3.4p1 3.5p1 3.6.1p1 3.6.1p2 3.6p1 3.7.1p1 3.7.1p2 3.7p1 3.8.1p1 3.8p1 3.9p1 4.0p1 4.1p1 4.2p1 4.3p1 4.3p2 4.4p1 4.5p1 4.6p1 4.7p1 4.9p1 5.0p1 5.1p1 5.2p1 5.5p1 5.6p1 5.7p1 5.8p1 5.8p2 5.9p1 6.0p1 6.1p1 6.2p1 6.2p2 6.3p1 6.4p1 6.5p1
exim: 4.20 4.21 4.22 4.23 4.24 4.30 4.31 4.32 4.33 4.34 4.40 4.41 4.42 4.43 4.44 4.50 4.51 4.52 4.53 4.54 4.60 4.61 4.62 4.63 4.64 4.65 4.66 4.67 4.68 4.69 4.70 4.71
php: 4.1.2 4.3.0 4.3.1 4.3.2 4.3.3 4.3.4 4.3.5 4.3.6 4.3.7 4.3.8 4.3.9 4.3.10 4.3.9RC2 5.0.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.2.0 5.2.1 5.2.2 5.2.3 5.2.4 5.2.5 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.3.0 5.3.1 5.3.2
gpg: 1.0.2 1.0.4 1.0.6 1.0.7 1.2.0 1.2.1 1.2.2 1.2.3 1.2.4 1.2.5 1.2.6 1.2.7 1.3.3 1.3.4 1.4.0 1.4.1 1.4.2 2.0.12 2.0.11 2.0.10 2.0.8 1.4.8 2.0.7 2.0.6 2.0.5 2.0.4 2.0.3 2.0.1 2.0 1.4.4 1.4.3 1.9.19 1.4.2 1.9.17 1.9.16 1.4.9 1.4.10
gpg: 1.0.2 1.0.4 1.0.6 1.0.7 1.2.0 1.2.1 1.2.2 1.2.3 1.2.4 1.2.5 1.2.6 1.2.7 1.3.3 1.3.4 1.4.0 1.4.1 1.4.2 2.0.12 2.0.11 2.0.10 2.0.8 1.4.8 2.0.7 2.0.6 2.0.5 2.0.4 2.0.3 2.0.1 2.0 1.4.4 1.4.3 1.9.19 1.4.2 1.9.17 1.9.16 1.4.9 1.4.10 1.4.11 1.4.12 1.4.13 1.4.14 1.4.15
named: 8.1 8.1.1 8.1.2 8.2 8.2.1 8.2.2 8.2.2-P3 8.2.2-P5 8.2.2-P7 8.2.3 8.2.4 8.2.5 8.2.6 8.2.7 8.3.0 8.3.1 8.3.2 8.3.3 8.3.4 8.3.5 8.3.6 8.3.7 8.4.0 8.4.1 8.4.2 8.4.3 8.4.4 8.4.5 8.4.6 8.4.7 8.4.7-P1 9.0.0 9.0.0b1 9.0.0b2 9.0.0b3 9.0.0b4 9.1.0b1 9.1.0b2 9.2.0a1 9.2.0a2 9.2.0a3 9.2.0b1 9.2.0b2 9.2.0rc1 9.5.0a1 9.5.0a2 9.5.0a3 9.5.0a4 9.5.0a5 9.5.0a6 9.5.0a7 9.5.0b1 9.6.0a1 9.6.0b1 9.6.0rc1 9.7.0a1 9.7.0a2 9.7.0a3 9.7.0b1 9.7.0b2 9.7.0b3 9.7.0rc1 9.7.0rc2 9.7.0 9.7.1b1 9.7.1rc1 9.7.1 9.7.2b1 9.7.2rc1 9.7.2 9.7.2-P1
procmail: 1.00 1.01 1.02 1.10 1.20 1.21 1.30 1.35 1.99 2.00 2.01 2.02 2.03 2.10 2.11 2.30 2.31 2.40 2.50 2.60 2.61 2.70 2.71 2.80 2.81 2.90 2.91 3.00 3.01 3.02 3.03 3.04 3.05 3.06 3.10 3.11pre3 3.11pre4 3.11pre7 3.12 3.13 3.14 3.15 3.20 3.21
proftpd: 1.2.10rc1 1.2.10rc2 1.2.10rc3 1.2.5 1.2.6 1.2.8p 1.2.9 1.3.0a 1.3.1 1.3.1rc1 1.3.1rc2 1.3.1rc3 1.3.2 1.3.2rc1 1.3.2rc2 1.3.2rc3 1.3.2rc4 1.3.2 1.3.2a 1.3.2b 1.3.2c 1.3.2d 1.3.3rc1 1.3.3rc2 1.3.3rc3 1.3.3rc4 1.3.3 1.3.3a 1.3.3b
openssl: 0.9.3 0.9.3a 0.9.4 0.9.5 0.9.5a 0.9.6 0.9.6a 0.9.6a 0.9.6b 0.9.6b 0.9.6c 0.9.6c 0.9.6d 0.9.6d 0.9.6e 0.9.6e 0.9.6f 0.9.6f 0.9.6g 0.9.6g 0.9.6h 0.9.6h 0.9.7 0.9.6i 0.9.6i 0.9.7a 0.9.6j 0.9.6j 0.9.7b 0.9.6k 0.9.6k 0.9.7c 0.9.6l 0.9.6l 0.9.6m 0.9.6m 0.9.7d 0.9.7e 0.9.7f 0.9.7g 0.9.8 0.9.7h 0.9.8a 0.9.7i 0.9.7j 0.9.8b 0.9.7k 0.9.8c 0.9.7l 0.9.8d 0.9.7m 0.9.8e 0.9.8f 0.9.8g 0.9.8h 0.9.8i 0.9.8j 0.9.8k 0.9.8l 0.9.8m 0.9.8n 0.9.8o 0.9.8n 1.0.0 1.0.0a
openssl: 0.9.3 0.9.3a 0.9.4 0.9.5 0.9.5a 0.9.6 0.9.6a 0.9.6a 0.9.6b 0.9.6b 0.9.6c 0.9.6c 0.9.6d 0.9.6d 0.9.6e 0.9.6e 0.9.6f 0.9.6f 0.9.6g 0.9.6g 0.9.6h 0.9.6h 0.9.7 0.9.6i 0.9.6i 0.9.7a 0.9.6j 0.9.6j 0.9.7b 0.9.6k 0.9.6k 0.9.7c 0.9.6l 0.9.6l 0.9.6m 0.9.6m 0.9.7d 0.9.7e 0.9.7f 0.9.7g 0.9.8 0.9.7h 0.9.8a 0.9.7i 0.9.7j 0.9.8b 0.9.7k 0.9.8c 0.9.7l 0.9.8d 0.9.7m 0.9.8e 0.9.8f 0.9.8g 0.9.8h 0.9.8i 0.9.8j 0.9.8k 0.9.8l 0.9.8m 0.9.8n 0.9.8o 0.9.8p 0.9.8q 0.9.8r 0.9.8s 0.9.8t 0.9.8u 0.9.8v 0.9.8w 0.9.8x 1.0.0 1.0.0a 1.0.0b 1.0.0c 1.0.0d 1.0.0e 1.0.0f 1.0.0g 1.0.0h 1.0.0i 1.0.0j 1.0.0k 1.0.1 1.0.1a 1.0.1b 1.0.1c 1.0.1d 1.0.1e 1.0.1f
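Review bot: The updated httpd list contains '2.0.62' twice ("... 2.0.61 2.0.62 2.0.63 2.0.64 2.0.62 2.2.0 ..."); the second occurrence looks like a merge slip and should be removed. More generally, this data is stamped 2014042901 in a June 2017 release and the openssl list ends at 1.0.1f, so the versions it flags are three years stale; given that the CHANGELOG hunk now disables the 'apps' test by default, either refresh the list or note in the CHANGELOG that it is no longer maintained, so users do not mistake a clean 'apps' result for current coverage.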
.\" rkhunter - RootKit Hunter
.TH rkhunter 8 "January 2014"
.TH rkhunter 8 "June 2017"
.SH NAME
rkhunter \- RootKit Hunter
......@@ -158,13 +158,19 @@ This command option displays the help screen menu, and then exits.
.SH OPTIONS
\fBrkhunter\fP uses a configuration file, named \fIrkhunter.conf\fP, for many of
its configuration options. It will also use a local configuration file, named
\fIrkhunter.conf.local\fP, if it is present. However, some options can also be
specified on the command\-line, and these will override the configuration file
options. The configuration file options are well documented within the main
configuration file itself. The following are the command\-line options. The
defaults mentioned here are the program defaults, unless explicitly stated as
the configuration file default.
its configuration options. It can also use a local configuration file, named
\fIrkhunter.conf.local\fP, and a directory named \fIrkhunter.d\fP if it is present.
Both the local configuration file, and the local directory, must be in the same
directory as the main configuration file. The installer does not create the local
file or directory, but one, or both, can be created by the user if required.
If a directory is used, then within the directory any file ending in \fI.conf\fP
will be treated as a local configuration file.
Some options can also be specified on the command\-line, and these will
override the equivalent configuration file options. The configuration file options are well
documented within the main configuration file itself. The following are the
command\-line options. The defaults mentioned here are the program defaults,
unless explicitly stated as the configuration file default.
.PP
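Review bot: Number agreement in the new text: "a local configuration file ... and a directory named rkhunter.d if it is present" refers to two items, so "if they are present" (or "if either is present"). The line starting "override the equivalent configuration file options." runs well past the wrap width of the surrounding roff source; rewrap it to match.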
......@@ -195,8 +201,8 @@ The installation process will automatically tell \fBrkhunter\fP where its
configuration file is located. However, if necessary, this option can be used
to specify a different pathname.
If a local configuration file is to be used, then it must reside in the same
directory as the configuration file specified by this option.
If a local configuration file, or directory, is to be used, then it must
reside in the same directory as the configuration file specified by this option.
.IP \fB\-\-cronjob\fP
This is similar to the \fB\-\-check\fP command option, but it disables several
......@@ -245,8 +251,7 @@ options will look for the relevant command, and, if not found, a perl support
script will then be used to see if a perl module supporting the function has been
installed. Alternatively, a specific \fIcommand\fP may be specified. A value of
\fINONE\fP can be used to indicate that the hash values should not be obtained
or used as part of the file properties check. The default is \fISHA1\fP, or
\fIMD5\fP if no SHA1 command can be found.
or used as part of the file properties check. The default is \fISHA256\fP.
Systems using prelinking must use either MD5, SHA1 or NONE.
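Review bot: With the default now SHA256, the retained sentence "Systems using prelinking must use either MD5, SHA1 or NONE" means the program default is no longer valid on prelinked systems. The paragraph should say that such systems must now set HASH_CMD (or --hash) explicitly, and what rkhunter does if they do not; the same point belongs in the CHANGELOG entry for the default change.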
......@@ -305,7 +310,7 @@ option reduces the amount of logging, and so can improve the performance of
\fBrkhunter\fP. However, the log file will contain less information should any
warnings occur. By default verbose logging is enabled.
.IP "\fB\-\-pkgmgr {RPM | DPKG | BSD | SOLARIS | NONE}\fP"
.IP "\fB\-\-pkgmgr {RPM | DPKG | BSD | BSDng | SOLARIS | NONE}\fP"
This option is used during the file properties check or when the
\fB\-\-propupd\fP command option is given. It tells \fBrkhunter\fP that the
current file property values should be obtained from the relevant package manager.
......@@ -440,7 +445,7 @@ RootKit Hunter is licensed under the GPL, copyright Michael Boelen.
See the LICENSE file for details of GPL licensing.
.SH CONTACT INFORMATION
RootKit Hunter is under active development by the RootKit Hunter
project team. For reporting bugs, updates, patches, comments and
questions, please go to http://rkhunter.sourceforge.net/
This software was developed by the RootKit Hunter project team.
To report bugs, patches, comments and questions, please go to:
http://rkhunter.sourceforge.net/
.fi
......@@ -6,7 +6,7 @@
#%%dump
%define name rkhunter
%define ver 1.4.1
%define ver 1.4.4
%define rel 1
%define epoch 0
......@@ -69,7 +69,7 @@ sh ./installer.sh --layout RPM --install
( %{_bindir}/rkhunter --cronjob --update --rwo && echo "" ) | /bin/mail -s "Rkhunter daily run on `uname -n`" root
exit 0
EOF
%{__chmod} a+rwx,g-w,o-rwx ${RPM_BUILD_ROOT}%{_sysconfdir}/cron.daily/rkhunter
%{__chmod} u+rwx,g-rwx,o-rwx ${RPM_BUILD_ROOT}%{_sysconfdir}/cron.daily/rkhunter
%post
......@@ -100,25 +100,34 @@ fi
%define docdir %{_prefix}/share/doc/%{name}-%{version}
%files
%defattr(-,root,root)
%attr(640,root,root) %config(noreplace) %{_sysconfdir}/%{name}.conf
%attr(750,root,root) %{_prefix}/bin/%{name}
%attr(750,root,root) %dir %{_libdir}/%{name}
%attr(750,root,root) %dir %{_libdir}/%{name}/scripts
%attr(750,root,root) %{_libdir}/%{name}/scripts/*.pl
%attr(750,root,root) %{_libdir}/%{name}/scripts/*.sh
%attr(600,root,root) %config(noreplace) %{_sysconfdir}/%{name}.conf
%attr(700,root,root) %{_prefix}/bin/%{name}
%attr(700,root,root) %dir %{_libdir}/%{name}
%attr(700,root,root) %dir %{_libdir}/%{name}/scripts
%attr(700,root,root) %{_libdir}/%{name}/scripts/*.pl
%attr(700,root,root) %{_libdir}/%{name}/scripts/*.sh
%attr(644,root,root) %doc %{_prefix}/share/man/man8/%{name}.8
%attr(755,root,root) %dir %{docdir}
%attr(644,root,root) %doc %{docdir}/*
%attr(750,root,root) %dir %{_var}/lib/%{name}
%attr(750,root,root) %dir %{_var}/lib/%{name}/db
%attr(640,root,root) %verify(not md5 size mtime) %{_var}/lib/%{name}/db/*.dat
%attr(750,root,root) %dir %{_var}/lib/%{name}/db/i18n
%attr(640,root,root) %verify(not md5 size mtime) %{_var}/lib/%{name}/db/i18n/*
%attr(750,root,root) %dir %{_var}/lib/%{name}/tmp
%attr(700,root,root) %dir %{_var}/lib/%{name}
%attr(700,root,root) %dir %{_var}/lib/%{name}/db
%attr(600,root,root) %verify(not md5 size mtime) %{_var}/lib/%{name}/db/*.dat
%attr(700,root,root) %dir %{_var}/lib/%{name}/db/i18n
%attr(600,root,root) %verify(not md5 size mtime) %{_var}/lib/%{name}/db/i18n/*
%attr(700,root,root) %dir %{_var}/lib/%{name}/tmp
%{_sysconfdir}/cron.daily/rkhunter
%changelog
* Thu Jun 29 2017 jhorne - 1.4.4
- Updated for release 1.4.4
* Sun Dec 27 2015 jhorne - 1.4.2
- Changed file permissions mode to 700 for executables, and 600
for others. Directories are now set to mode 700. The man page
is left at 644. The documentation directory is left at 755 and
644 for the files within it.
* Tue May 01 2012 unSpawn - 1.4.0
- Spec sync, see CHANGELOG.
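Review bot: The %changelog entry "Sun Dec 27 2015 jhorne - 1.4.2" describes the 700/600 permission change, but that change is made in this diff and is listed under 1.4.4 in the CHANGELOG hunk, which also dates 1.4.2 as 24/02/2014. Either fold that text into the 1.4.4 entry above it or correct its version label; as it stands the rpm changelog attributes a 2017 change to a release from 2014.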
......
RKH_BillGates;Target:6;(0&1&2&3&4&5&6&7&8&9&10&11);2f6574632f726325642e642f5325642573;2f686f6d2f6d6f6e69746f722f6761746573;2f746d702f62696c6c2e6c6f636b;2f746d702f67617465732e6c6f636b;2f746d702f6d6f6e692e6c6f636b;2f746d702f6e6f746966792e66696c65;2f7573722f62696e2f706f6a6965;2f7573722f6c69622f6c6962616d706c6966792e736f;2f6574632f696e69742e642f;23212f62696e2f62617368;6c6e202d73202f6574632f696e69742e642f2573202573;555058
RKH_MMD-0028-2014;Target:0;(0&1&2&3&4&5&6&7&8&9&10&11&12&13&14&15&16&17&18&19&20&21&22&23&24&25);4849535446494c453d2f6465762f6e756c6c;4d5953514c5f4849535446494c453d2f6465762f6e756c6c;232063686b636f6e6669673a203132333435203930203930;232044656661756c742d53746172743a09312032203320342035;2f6574632f63726f6e2e686f75726c792f63726f6e2e7368;54656e63656e7454726176656c6572;2f6c69622f756465762f75646576;2f6c69622f756465762f6465627567;3131342e3131342e3131342e313134;382e382e382e38;786f726b657973;6279706173735f69707461626c6573;48696465506964506f7274;4869646546696c65;646563727970745f72656d6f7465737472;6175746f72756e2e63;2f686f6d652f78696e677765692f4465736b746f702f64646f73;656e63727970745f636f6465;786f726b657973;436865636b4c4b4d;4869646544617461;656e63727970742e63;657865637061636b65742e63;686964652e63;687474702e63;6b696c6c2e63
RKH_iptablex;Target:0;(0|1)|(2&3&4&5&6&7&8&9&10&11&12&13&14&15&16&17);49707461624c6578;49707461624c6573;53796e466c6f6f6453656e64546872656164;446e73466c6f6f6453656e64546872656164;4368616e6765446e73;446e73466c6f6f644275696c64546872656164;4368616e676553796e;53796e466c6f6f64546872656164;53796e466c6f6f644275696c64546872656164;446e73466c6f6f64546872656164;48624372656174654c6f636b73;4862437265617465546872656164;6b696c6c70656f666e616d6573;4d79526576696365;5f4765744c616e5370656564;53656e64436865636b466f72676f744970;696e69745f6461656d6f6e;73656e644c6f67696e496e666f
......@@ -11,12 +11,13 @@
################################################################################
INSTALLER_NAME="Rootkit Hunter installer"
INSTALLER_VERSION="1.2.17"
INSTALLER_COPYRIGHT="Copyright 2003-2014, Michael Boelen"
INSTALLER_VERSION="1.2.20"
INSTALLER_COPYRIGHT="Copyright 2003-2017, Michael Boelen"
INSTALLER_LICENSE="
Under active development by the Rootkit Hunter project team. For reporting
bugs, updates, patches, comments and questions see: rkhunter.sourceforge.net
This software was developed by the Rootkit Hunter project team.
For reporting bugs, patches, comments and questions, please go to:
http://rkhunter.sourceforge.net
Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free
software, and you are welcome to redistribute it under the terms
......@@ -24,10 +25,10 @@ of the GNU General Public License. See LICENSE for details.
"
APPNAME="rkhunter"
APPVERSION="1.4.2"
APPVERSION="1.4.4"
RKHINST_OWNER="0:0"
RKHINST_MODE_EX="0750"
RKHINST_MODE_RW="0640"
RKHINST_MODE_EX="0700"
RKHINST_MODE_RW="0600"
RKHINST_MODE_RWR="0644"
RKHINST_LAYOUT="default"
RKHINST_ACTION=""
......@@ -92,6 +93,7 @@ showHelp() { # Show help / version
echo " (Default is to create a separate configuration file.)"
echo " --show : Show chosen layout."
echo " --remove : Uninstall according to chosen layout."
echo " --uninstall : Alias for the '--remove' option."
echo " --version : Show the installer version."
echo ""
......@@ -731,8 +733,8 @@ doInstall() {
fi
fi
done
umask 027
umask 077
for DIR in ${RKHINST_DIRS_EXCEP}; do
if [ -d "${DIR}" ]; then
if [ -w "${DIR}" ]; then
......@@ -759,6 +761,7 @@ doInstall() {
;;
esac
done
umask 027
#
......@@ -835,11 +838,22 @@ doInstall() {
# Language support files
ERRCODE=0
if [ -d "./files/i18n/CVS" ]; then
rm -rf "./files/i18n/CVS"
fi
for FILE in `find ./files/i18n -type f`; do
cp "${FILE}" "${RKHINST_LANG_DIR}" >/dev/null 2>&1
ERRCODE=$?
test $ERRCODE -ne 0 && break
FNAME=`echo ${FILE} | sed 's|^./files/i18n/||'`
if [ $ERRCODE -eq 0 ]; then
chmod "${RKHINST_MODE_RW}" "${RKHINST_LANG_DIR}/${FNAME}"
else
echo " Installing ${FILE}: FAILED: Code $ERRCODE"
break
fi
done
if [ $ERRCODE -eq 0 ];then
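Review bot: FNAME strips only the './files/i18n/' prefix, while cp "${FILE}" "${RKHINST_LANG_DIR}" copies into the directory itself, so for any file in a subdirectory of files/i18n the chmod target "${RKHINST_LANG_DIR}/${FNAME}" does not exist; and because the chmod exit status is never checked, ERRCODE stays 0 and the file is silently left at the umask-derived mode. Either restrict the find to one level (or use basename) or fold the chmod result into ERRCODE. Two smaller points: the unquoted `for FILE in \`find ...\`` splits on whitespace (pre-existing), and deleting './files/i18n/CVS' from the source tree as a side effect of installing is surprising; excluding it in the find with -path/-prune avoids modifying the source directory.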
......@@ -853,11 +867,22 @@ doInstall() {
# ClamAV signatures
ERRCODE=0
if [ -d "./files/signatures/CVS" ]; then
rm -rf "./files/signatures/CVS"
fi
for FILE in `find ./files/signatures -type f`; do
cp "${FILE}" "${RKHINST_SIG_DIR}" >/dev/null 2>&1
ERRCODE=$?
test $ERRCODE -ne 0 && break
FNAME=`echo ${FILE} | sed 's|^./files/signatures/||'`
if [ $ERRCODE -eq 0 ]; then
chmod "${RKHINST_MODE_RW}" "${RKHINST_SIG_DIR}/${FNAME}"
else
echo " Installing ${FILE}: FAILED: Code $ERRCODE"
break
fi
done
if [ $ERRCODE -eq 0 ];then
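Review bot: Same shape as the i18n loop above and the same two defects: the chmod path "${RKHINST_SIG_DIR}/${FNAME}" assumes a flat directory, and its exit status is not folded into ERRCODE. Factoring the copy-and-chmod into one helper used by both loops would keep the two from drifting apart.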
......@@ -940,7 +965,15 @@ doInstall() {
if [ "$FILE" = "rkhunter.conf" ]; then
echo "USER_FILEPROP_FILES_DIRS=${RKHINST_ETC_DIR}/${FILE}" >>"${RKHINST_ETC_DIR}/${NEWFILE}"
test -f "${RKHINST_ETC_DIR}/${FILE}.local" && echo "USER_FILEPROP_FILES_DIRS=${RKHINST_ETC_DIR}/${FILE}.local" >>"${RKHINST_ETC_DIR}/${NEWFILE}"
if [ -f "${RKHINST_ETC_DIR}/${FILE}.local" ]; then
echo "USER_FILEPROP_FILES_DIRS=${RKHINST_ETC_DIR}/${FILE}.local" >>"${RKHINST_ETC_DIR}/${NEWFILE}"
chmod "${RKHINST_MODE_RW}" "${RKHINST_ETC_DIR}/${FILE}.local"
fi
if [ -d "${RKHINST_ETC_DIR}/rkhunter.d" ]; then
echo "USER_FILEPROP_FILES_DIRS=${RKHINST_ETC_DIR}/rkhunter.d/*.conf" >>"${RKHINST_ETC_DIR}/${NEWFILE}"
fi
fi
case "${RKHINST_LAYOUT}" in
......@@ -961,6 +994,10 @@ doInstall() {
if [ $ERRCODE -eq 0 ]; then
echo " Installing ${FILE}: OK"
chmod "${RKHINST_MODE_RW}" "${RKHINST_ETC_DIR}/${FILE}"
if [ -f "${RKHINST_ETC_DIR}/${FILE}.local" ]; then
chmod "${RKHINST_MODE_RW}" "${RKHINST_ETC_DIR}/${FILE}.local"
fi
else
echo " Installing ${FILE}: FAILED: Code $ERRCODE"
exit 1
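Review bot: This chmod of "${FILE}.local" duplicates the one added in the earlier hunk inside the USER_FILEPROP_FILES_DIRS block; if both code paths can run in a single install, one of the two is redundant, and if they are alternatives a comment saying which case each covers would help. Note also that the .local file is user-created (per the man page hunk), so silently changing its mode to RKHINST_MODE_RW (0600) deserves a line in the CHANGELOG.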
......@@ -1132,6 +1169,12 @@ doRemove() {
echo ""
echo "Please remove any ${RKHINST_ETC_DIR}/${FILE}.* files manually."
echo ""
if [ -d "${RKHINST_ETC_DIR}/${FILE}.d" ]; then
echo ""
echo "Please remove any ${RKHINST_ETC_DIR}/${FILE}.d directory manually."
echo ""
fi
done
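Review bot: The directory test uses "${FILE}.d", which for FILE='rkhunter.conf' (the name tested in the doInstall hunk) gives 'rkhunter.conf.d', whereas the directory the installer checks for and the README documents is 'rkhunter.d'. As written the condition will never be true and the reminder is never printed; use the literal 'rkhunter.d' as the doInstall hunk does.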
......@@ -1267,7 +1310,7 @@ while [ $# -ge 1 ]; do
exit 1
fi
;;
--show | --remove | --install)
--show | --remove | --install | --uninstall)
RKHINST_ACTION_SEEN=1
RKHINST_ACTION=`echo "$1" | sed 's/-//g'`
;;
......@@ -1294,7 +1337,7 @@ else
show)
showTemplate $RKHINST_LAYOUT
;;
remove) # Clean active window
remove | uninstall) # Clean active window
selectTemplate $RKHINST_LAYOUT
clear
doRemove
......