Journey's End

Sep 09 2009

Dealing with rkhunter warnings

rkhunter often warns about file property changes after package upgrades and the like, and sometimes you just aren't sure whether a warning is due to a recent upgrade or because you really were compromised. The following script was written to compare the checksum of every file rkhunter warns about against the original in a Debian repository.

The latest version of this is available in my script.git repos.

```bash
#!/bin/bash

desc="This script will verify whether the files for which rkhunter has logged a
warning are still valid. It does this by finding which Debian package each file
came from, downloading those packages, unpacking them, and then comparing
checksums.

Run it by supplying an rkhunter log file as the first argument."

# Note: the result is only as trustworthy as the dpkg, aptitude and sha256sum
# binaries and the APT sources on this host. If you suspect a rootkit, run the
# comparison from clean boot media rather than from the live system.

HASHER="sha256sum"

# Split only on newlines, so the multi-line lists produced below iterate one
# path / one package per loop pass.
IFS=$'\n'

function find_suspect_files {
    echo "parsing $1 for suspect files" 1>&2
    # rkhunter logs "Warning: ..." on one line and "File: /path" on the next,
    # so grab one line of context around each warning and keep the File lines.
    grep -1 Warning "$1" | grep File | sed 's|.*File: ||'
}

function find_packages {
    echo "finding packages" 1>&2
    for suspect_file in $1
    do
        # "dpkg -S" prints "package: /path"; strip the trailing colon.
        package=$(dpkg -S "$suspect_file" | awk '{print $1}' | sed 's/.$//')
        if [ -z "$package" ]; then
            echo "no package owns $suspect_file" 1>&2
            continue
        fi
        echo "suspect file $suspect_file found in $package" 1>&2
        echo "$package"
    done
}

function make_aptitude_args {
    echo "generating aptitude arguments" 1>&2
    for package in $1
    do
        # Ask dpkg for the installed version ("dpkg -s"; "dpkg -p" reports the
        # available version, which may be newer than what is on disk) so the
        # downloaded package matches the files being checked.
        version=$(dpkg -s "$package" | grep '^Version:' | awk '{print $2}')
        echo "$package=$version"
    done
}

function cleanup {
    echo "cleaning up"
    popd >/dev/null 2>&1
    rm -rf tmp
    exit "${1:-0}"
}

function setup {
    echo "setting up"
    rm -rf tmp
    mkdir tmp
    pushd tmp >/dev/null
}

if [ $# -ne 1 ]; then
    echo "$desc"
    exit 1
fi

suspect_files=$(find_suspect_files "$1")

packages=$(find_packages "$suspect_files" | sort | uniq)

if [ -z "$packages" ]; then
    echo "WARNING*"
    echo "No packages contain any of the suspect files!"
    cleanup 1
fi

aptitude_args=$(make_aptitude_args "$packages")

setup

echo "downloading packages"
if ! aptitude download $aptitude_args 1>/dev/null; then
    echo "aptitude download failed!"
    echo "args=$aptitude_args"
    cleanup 1
fi

echo "unpacking"
for deb_file in *.deb
do
    # A .deb is an ar archive; data.tar.* holds the installed files. Debs from
    # 2009 used data.tar.gz, newer ones data.tar.xz or data.tar.zst; "tar xf"
    # detects the compression.
    ar -x "$deb_file"
    tar xf data.tar.*
    rm -f data.tar.* control.tar.*
done

for suspect_file in $suspect_files
do
    # The unpacked tree mirrors the filesystem, so /bin/ls becomes ./bin/ls.
    if [ ! -f ".$suspect_file" ]
    then
        echo "WARNING"
        echo "For some reason .$suspect_file does not exist!"
        continue
    fi
    echo -n "verifying $suspect_file... "
    suspect_sum=$($HASHER "$suspect_file" | awk '{print $1}')
    clean_sum=$($HASHER ".$suspect_file" | awk '{print $1}')
    if [ "$suspect_sum" = "$clean_sum" ]; then
        echo "OK"
    else
        echo
        echo "WARNING**"
        echo "Checksum mismatch for $suspect_file!!!"
        echo "Should be: $clean_sum"
        echo "Is: $suspect_sum"
    fi
done

cleanup
```
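As an added example that is not part of Steve's script: the log-parsing and checksum-verification steps of the approach above, written as functions that run offline against a constructed live tree, a constructed unpacked-package tree and a constructed rkhunter.log (the two-line `Warning:` / `File:` layout is assumed from rkhunter's log format), including the case where the warned-about file is not shipped in any .deb.

```shell
#!/bin/bash
# Added example (not the post's script): rkhunter log parsing plus the checksum
# verification step, as functions that run offline on constructed data.
set -u

# Print the "File: /path" line that directly follows an rkhunter "Warning:" line
# (the two-line layout rkhunter.log uses for file-property warnings; assumed).
suspect_files_from_log() {
    awk '/Warning:/ { w = 1; next }
         w && /File: / { sub(/.*File: /, ""); print }
         { w = 0 }' "$1"
}

# Compare each listed file under $live (the suspect system) with the same path
# under $clean (where the repository .debs were unpacked). One line per file:
# OK, MISMATCH, or MISSING when the .deb does not ship it (conffiles, files
# generated by postinst scripts).
verify_against_clean() {
    local live="$2" clean="$3" f live_sum clean_sum
    printf '%s\n' "$1" | while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -f "$clean$f" ]; then echo "MISSING $f"; continue; fi
        live_sum=$(sha256sum "$live$f" | awk '{ print $1 }')
        clean_sum=$(sha256sum "$clean$f" | awk '{ print $1 }')
        if [ "$live_sum" = "$clean_sum" ]; then echo "OK $f"; else echo "MISMATCH $f"; fi
    done
}

# Constructed fixture: fake live root, fake unpacked-package root, fake log.
# /bin/ps differs from the package copy; /etc/ld.so.cache is in no .deb at all.
demo() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/live/bin" "$root/live/etc" "$root/clean/bin"
    printf 'ls binary\n' > "$root/live/bin/ls"
    printf 'ls binary\n' > "$root/clean/bin/ls"
    printf 'ps binary\n' > "$root/clean/bin/ps"
    printf 'trojaned\n'  > "$root/live/bin/ps"
    printf 'cache\n'     > "$root/live/etc/ld.so.cache"
    cat > "$root/rkhunter.log" <<'EOF'
[12:00:00] Warning: The file properties have changed:
[12:00:00]          File: /bin/ls
[12:00:01] Warning: The file properties have changed:
[12:00:01]          File: /bin/ps
[12:00:02] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[12:00:03] Warning: The file properties have changed:
[12:00:03]          File: /etc/ld.so.cache
EOF
    verify_against_clean "$(suspect_files_from_log "$root/rkhunter.log")" "$root/live" "$root/clean"
    rm -rf "$root"
}
```

Running `demo` prints one OK, one MISMATCH and one MISSING line; the non-file SSH warning in the constructed log is skipped by the parser.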

Cheers,

Steve

ts=05:01 tags=[code,software,linux]