20090607

Dealing with rkhunter warnings

rkhunter often warns about file property changes after an upgrade, and sometimes you just aren't sure whether the change is due to a recent upgrade or because you really were compromised. The following script was written to compare the checksums of all files rkhunter warns about against the originals from a Debian repository.

The latest version of this is available in my script.git repos.

#!/bin/bash
# Check files flagged by rkhunter against pristine copies fetched from the
# Debian archive. $desc is printed as usage when the argument count is wrong.
desc="
This script will verify whether files for which rkhunter has logged a 
warning for is still valid. It does this by finding which debian package
it came out of, and downloads them, unpacks them, then checks
the checksums.

Run it by supplying a rkhunter log file as first argument
"

# Checksum tool applied to both the installed file and the unpacked copy;
# only the first whitespace-separated field of its output is used.
HASHER="sha256sum"

# Word-split on newlines only. The helper functions receive newline-separated
# lists in "$1" and iterate over them unquoted, so each line must stay one
# word — presumably so that paths containing spaces survive (TODO confirm).
IFS="
"
#######################################
# Pull the paths rkhunter complained about out of a log file.
# Arguments: $1 - rkhunter log file
# Outputs:   one path per line on stdout; a progress line on stderr
#######################################
find_suspect_files() {
  local logfile=$1
  echo "parsing $logfile for suspect files" 1>&2
  # Take each "Warning" line together with its neighbours, keep the "File:"
  # line among them, and strip everything up to the path itself.
  grep -1 -- Warning "$logfile" \
    | grep -- File \
    | sed -e 's|.*File: ||'
}

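#######################################
# Map each suspect file to the Debian package that owns it.
# Arguments: $1 - newline-separated list of file paths
# Outputs:   one package name per line on stdout; progress on stderr.
#            Files that no package claims are reported on stderr and
#            skipped instead of producing an empty package name.
#######################################
find_packages() {
  local suspect_file owner package
  echo "finding packages" 1>&2
  # Read line by line rather than word-splitting "$1", so the result does not
  # depend on the global IFS and glob characters in a path are never expanded.
  while IFS= read -r suspect_file; do
    [ -n "$suspect_file" ] || continue
    # dpkg -S fails when no installed package owns the path; dpkg's own
    # message is replaced by ours so the skip is explicit in the output.
    if ! owner=$(dpkg -S "$suspect_file" 2>/dev/null); then
      echo "***WARNING****" 1>&2
      echo "no installed package owns $suspect_file" 1>&2
      continue
    fi
    # dpkg -S prints "pkg: /path" (or "pkg1, pkg2: /path"); keep the first
    # name and drop its trailing ':' or ','.
    package=$(printf '%s\n' "$owner" | awk '{print $1}' | sed 's/.$//')
    echo "suspect file $suspect_file found in $package" 1>&2
    printf '%s\n' "$package"
  done <<<"$1"
}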

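#######################################
# Build "name=version" arguments for `aptitude download`.
# Arguments: $1 - newline-separated package names
# Outputs:   one "name=version" per line on stdout; progress on stderr.
#            Packages whose installed version cannot be determined are
#            reported on stderr and skipped.
#######################################
make_aptitude_args() {
  local package version
  echo "generating aptitude arguments" 1>&2
  while IFS= read -r package; do
    [ -n "$package" ] || continue
    # `dpkg -p` reports the version in dpkg's *available* database, which can
    # lag behind what is actually installed and would then fetch a package
    # whose files legitimately differ from the ones on disk. Ask for the
    # installed version instead; it is empty for known-but-removed packages.
    if ! version=$(dpkg-query -W -f='${Version}\n' "$package" 2>/dev/null) \
       || [ -z "$version" ]; then
      echo "cannot determine installed version of $package" 1>&2
      continue
    fi
    printf '%s=%s\n' "$package" "$version"
  done <<<"$1"
}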

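# Scratch directory created by setup() and removed by cleanup().
workdir=

#######################################
# Leave and remove the scratch directory, then exit.
# Globals:   workdir (read)
# Arguments: $1 - exit status (default 0)
#######################################
cleanup() {
  echo "cleaning up"
  # popd fails harmlessly when cleanup runs before setup pushed anything.
  popd >/dev/null 2>&1 || true
  # Remove only what setup() created. The previous `rm -rf tmp` acted on a
  # relative path and would have deleted an unrelated "tmp" in the caller's
  # working directory when called before setup().
  if [ -n "$workdir" ]; then
    rm -rf -- "$workdir"
  fi
  exit "${1:-0}"
}

#######################################
# Create a private scratch directory and make it the working directory.
# Globals:   workdir (written)
# Returns:   exits 1 if the directory cannot be created or entered
#######################################
setup() {
  echo "setting up"
  # mktemp gives an unpredictable, freshly created directory instead of a
  # fixed ./tmp that another process could pre-create or race.
  workdir=$(mktemp -d "${TMPDIR:-/tmp}/rkhunter-verify.XXXXXX") || {
    echo "could not create a temporary directory" 1>&2
    exit 1
  }
  pushd "$workdir" >/dev/null || {
    echo "could not enter $workdir" 1>&2
    exit 1
  }
}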

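# ---------------------------------------------------------------------------
# Main flow: log -> suspect files -> owning packages -> download -> compare.
# Uses the helper functions defined above and HASHER/desc from the top of the
# file. Exit status: 0 when every suspect file matched its packaged copy,
# 1 when anything could not be verified or a step failed.
# ---------------------------------------------------------------------------
if [ $# -ne 1 ]; then
  echo "$desc"
  exit 1
fi

suspect_files=$(find_suspect_files "$1")
if [ -z "$suspect_files" ]; then
  echo "***WARNING****"
  echo "No 'File:' entries next to a Warning were found in $1"
  exit 1
fi

# Several suspect files usually belong to the same package; query each once.
packages=$(find_packages "$suspect_files" | sort -u)
if [ -z "$packages" ]; then
  echo "***WARNING****"
  echo "No packages contain any of the suspect files!"
  # setup has not run yet, so there is nothing to clean up.
  exit 1
fi

aptitude_args=$(make_aptitude_args "$packages")

# One "name=version" per line becomes one argv element, so package names are
# never re-split or glob-expanded on the command line.
download_args=()
while IFS= read -r arg; do
  [ -n "$arg" ] && download_args+=("$arg")
done <<<"$aptitude_args"
if [ "${#download_args[@]}" -eq 0 ]; then
  echo "***WARNING****"
  echo "Could not determine a version for any package!"
  exit 1
fi

setup

echo "downloading packages"
if ! aptitude download "${download_args[@]}" 1>/dev/null; then
  echo "aptitude download failed!"
  echo "args=$aptitude_args"
  cleanup 1
fi

echo "unpacking"
for deb_file in *.deb; do
  [ -e "$deb_file" ] || continue   # an unmatched glob stays literal
  if ! ar -x "$deb_file"; then
    echo "could not unpack $deb_file"
    cleanup 1
  fi
  # The data member is data.tar.gz in older archives and .xz/.zst in newer
  # ones; `tar xf` lets GNU tar pick the decompressor from the file itself.
  if ! tar xf data.tar.*; then
    echo "could not extract data.tar.* from $deb_file"
    cleanup 1
  fi
  rm -f -- data.tar.* control.tar.* debian-binary
done

# NOTE: dpkg, aptitude and $HASHER all run on the host under suspicion. If a
# rootkit has replaced those tools, an "OK" below proves little; treat a match
# as supporting evidence and re-check from trusted media when in doubt.
problems=0
while IFS= read -r suspect_file; do
  [ -n "$suspect_file" ] || continue
  # The pristine copy is looked up at ".<path>" under the work directory, so
  # only absolute paths without ".." components can be mapped onto it; anything
  # else could resolve outside the unpacked tree.
  case "$suspect_file" in
    */../*|*/..) path_ok=0 ;;
    /*) path_ok=1 ;;
    *) path_ok=0 ;;
  esac
  if [ "$path_ok" -ne 1 ]; then
    echo "***WARNING****"
    echo "Skipping $suspect_file: not an absolute path without '..'"
    problems=$((problems + 1))
    continue
  fi
  clean_copy=".$suspect_file"
  if [ ! -f "$clean_copy" ]; then
    echo "***WARNING****"
    echo "For some reason $clean_copy does not exist!"
    problems=$((problems + 1))
    continue
  fi
  printf 'verifying %s... ' "$suspect_file"
  # A file that cannot be read yields an empty sum; it is reported below as a
  # mismatch instead of leaking into an unquoted test and aborting the loop.
  suspect_sum=$("$HASHER" "$suspect_file" 2>/dev/null | awk '{print $1}')
  clean_sum=$("$HASHER" "$clean_copy" | awk '{print $1}')
  if [ -n "$suspect_sum" ] && [ "$suspect_sum" = "$clean_sum" ]; then
    echo "OK"
  else
    echo
    echo "***WARNING****"
    echo "Checksum mismatch for $suspect_file!!!"
    echo "Should be: $clean_sum"
    echo "Is: ${suspect_sum:-<unreadable>}"
    problems=$((problems + 1))
  fi
done <<<"$suspect_files"

# Let the exit status reflect the outcome so cron jobs and wrappers can act on it.
if [ "$problems" -gt 0 ]; then
  cleanup 1
fi
cleanup 0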

Cheers,
Steve









