JFIFxxC      C  " }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr#!/bin/sh -ue ## Run chkrootkit daily and email results to the user # This is run by the systemd timer or cron # note that all variables can be changed by editing $CONFIG CONFIG=/etc/chkrootkit/chkrootkit.conf CHKROOTKIT=/usr/sbin/chkrootkit LOG_DIR=/var/log/chkrootkit OUTPUT="$LOG_DIR/log.today" RAW_OUTPUT="$OUTPUT.raw" EXPECTED_OUTPUT="$LOG_DIR/log.expected" # If you do not want to use ionice, set IONICE="" in $CONFIG if [ -x /usr/bin/ionice ] && /usr/bin/ionice -c3 true 2>/dev/null; then IONICE="/usr/bin/ionice -c3" else IONICE="" fi RUN_DAILY=false # $CONFIG should set this to 'true' DIFF_MODE=false RUN_DAILY_OPTS="" MAILTO="" # CONFIG should set this to an email address/username to have the output sent SUBJECT="[chkrootkit] alert for $(hostname --fqdn 2>/dev/null || hostname --short 2>/dev/null || echo "localhost")" ## lines matching patterns in here are omitted entirely from the output, if the file exists. IGNORE_FILE="/etc/chkrootkit/chkrootkit.ignore" ## The output (after any IGNORE_FILE) is passed through $FILTER) FILTER="sed -re 's![[:alnum:]]+: PACKET SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'" if [ -r "$CONFIG" ]; then . "$CONFIG" fi # support upgrades from bullseye where $OLD_CONFIG was used OLD_CONFIG=/etc/chkrootkit.conf if [ -r "$OLD_CONFIG" ]; then echo "WARNING: $OLD_CONFIG is deprecated. Please put your settings in $CONFIG instead: $OLD_CONFIG will be ignored in a future release and should be deleted." . "$OLD_CONFIG" fi if [ "$RUN_DAILY" = "false" ]; then exit 0 fi if [ ! -r "$IGNORE_FILE" ]; then IGNORE_FILE=/dev/null fi if [ -z "$FILTER" ]; then # explicitly disabled FILTER=cat elif ! echo "test" | eval "$FILTER" >/dev/null 2>&1; then echo "Ignoring invalid \$FILTER='$FILTER'" FILTER=cat fi # Run, filter, and save output run(){ eval "$IONICE" "$CHKROOTKIT" "$RUN_DAILY_OPTS" 2>&1 \ | tee "$RAW_OUTPUT" 2>&1 \ | eval "$FILTER" \ | grep -E -v -f "$IGNORE_FILE" 2>&1 \ > "$OUTPUT" 2>&1 || true # show results if [ "$DIFF_MODE" = "false" ]; then cat "$OUTPUT" 2>&1 || true elif [ ! -f "$EXPECTED_OUTPUT" ]; then echo "No file $LOG_DIR/log.expected" echo "This file should contain expected output from chkrootkit" echo echo "Today's run produced the following output:" echo "--- [ BEGIN: cat $OUTPUT ] ---" cat "$LOG_DIR/log.today" 2>&1 || true echo "--- [ END: cat $OUTPUT ] ---" echo echo "To create this file containing all output from today's run, do (as root)" echo "# cp -a $OUTPUT $EXPECTED_OUTPUT" echo "# (note that unedited output is in $RAW_OUTPUT)" elif ! diff -q "$EXPECTED_OUTPUT" "$OUTPUT" > /dev/null 2>&1; then echo "chkrootkit output was not as expected." echo echo "The difference is:" echo "--- [ BEGIN: diff -u $EXPECTED_OUTPUT $OUTPUT ] ---" diff -u "$EXPECTED_OUTPUT" "$OUTPUT" 2>&1 || true echo "--- [ END: diff -u $EXPECTED_OUTPUT $OUTPUT ] ---" echo echo "To update the expected output, run (as root)" echo "# cp -a -f $OUTPUT $EXPECTED_OUTPUT" echo "# (note that unedited output is in $RAW_OUTPUT)" fi } FILE="$LOG_DIR/chkrootkit-daily.log" run > "$FILE" if [ -s "$FILE" ]; then if [ -n "$MAILTO" ]; then if [ -n "${STARTED_BY_SYSTEMD-}" ]; then # run by systemd: product a line on stdout for the journal echo "sending alert to $MAILTO: $SUBJECT" fi mail -s "$SUBJECT" "$MAILTO" < "$FILE" else # output on stdout - this will end up in the journal (systemd) # or if running under cron will be emailed cat "$FILE" fi fi