chkrootkit.sh を /etc/cron.daily/chkrootkit.sh に置く
chmod 700 /etc/cron.daily/chkrootkit.sh
- rpm
- mailutils
chkrootkit.sh を /etc/cron.daily/chkrootkit.sh に置く
chmod 700 /etc/cron.daily/chkrootkit.sh
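#!/bin/sh
# Daily chkrootkit run, meant for /etc/cron.daily.
#
# Writes the full chkrootkit report to /var/log/chkrootkit/<timestamp>.log,
# copies it to syslog (tagged with the same timestamp), removes two known
# false positives from the log, and mails root only the INFECTED lines.
#
# Requires: chkrootkit, rpm, /usr/sbin/lsof, mail(1), GNU sed (for -i).
# Runs as root from cron; output on stdout is also mailed by cron itself.
set -eu

# cron supplies a minimal environment; keep the explicit search path.
PATH=/usr/bin:/bin:/root/bin
export PATH

# A rootkit report discloses host details; keep the log and its directory
# readable by root only.
umask 077

# Timestamp used for both the log file name and the syslog tag.
# (Deliberately not stored in LOGNAME: that variable is the login name that
# mail(1) and logger(1) read, so overwriting it corrupts the sender identity.)
STAMP=$(date +'%Y%m%d-%H%M%S')
LOGDIR=/var/log/chkrootkit
LOG="$LOGDIR/$STAMP.log"

mkdir -p -- "$LOGDIR"

# Full report to the log file and to stdout.
chkrootkit 2>&1 | tee "$LOG"

# Same report into syslog, one line per message, tagged with the timestamp.
logger -t "$STAMP" < "$LOG"

# False positive: chkrootkit's bindshell test flags a listener on port 465
# (SMTPS). Drop that line only when nothing named bindshell is actually bound
# to 465. The pattern is anchored on "bindshell" so an unrelated line that
# merely contains the digits 465 is not deleted.
if grep -q 'bindshell.*465' "$LOG" \
   && ! /usr/sbin/lsof -i:465 | grep -q bindshell; then
  sed -i '/bindshell.*465/d' "$LOG"
fi

# False positive: the Suckit test trips on /sbin/init after the upstart
# package is updated. Drop it only if rpm verifies the package that owns
# /sbin/init as unmodified. This trusts the rpm database; a rootkit that
# also tampers with that database would not be caught by this check.
if grep -q Suckit "$LOG" \
   && [ -z "$(rpm -V "$(rpm -qf /sbin/init)")" ]; then
  sed -i '/Suckit/d' "$LOG"
fi

# Mail root only the positive findings; stay silent on a clean run.
if grep -q INFECTED "$LOG"; then
  grep INFECTED "$LOG" | mail -s "chkrootkit report in $(hostname)" root
fi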