Re: [cobalt-users] chkrootkit notify - revisited
- Subject: Re: [cobalt-users] chkrootkit notify - revisited
- From: "Tarun Dua" <tarundua@xxxxxxxxxxxx>
- Date: Thu Aug 8 20:56:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> Bob G7 wrote:
>
> > When I enter sh /etc/cron.daily/chkrootkit.sh to test it I get the report
> > mailed to me. But I was expecting a report to be created this morning and
> > mailed to me when cron.daily ran but never got anything.
>
> Did you mark it executable? It won't run from cron.daily unless it's
> marked as executable by the owner (in this case root).
>
Apart from the above, you can use this small script, which you can put into
/usr/local/runchks or any other location.
Just change the $teststring to use INFECTED in lowercase if you need the
mail even if your system is not infected.
See the use of sendmail instead of mail, though it doesn't give me the
subject line.
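#!/bin/bash
# runchks.sh: run chkrootkit and mail the full report if any line says INFECTED
CHKROOTKIT=/usr/local/chkrootkit-pre-0.36/chkrootkit
CURRENTSTATUS=/usr/local/runchks/status.txt
# Remove the report left by the previous run
if [ -s "$CURRENTSTATUS" ]
then
    rm -f "$CURRENTSTATUS"
fi
# Run chkrootkit from its own directory
cd "$(dirname "$CHKROOTKIT")" || exit 1
pwd
"$CHKROOTKIT" | tee -a "$CURRENTSTATUS"
# Save stdin on fd 6 and read the report from the status file instead
exec 6<&0
exec < "$CURRENTSTATUS"
while read -r LINE
do
    teststring=`echo "$LINE" | grep INFECTED`
    lengthstring=`echo "$teststring" | awk '{print length($0)}'`
    if [ "$lengthstring" -ge 1 ]
    then
        # Headerless message, so the mail arrives without a subject line
        cat "$CURRENTSTATUS" | /usr/sbin/sendmail tech@yourdomainname
        exec 0<&6
        echo "$lengthstring"
        echo "Error Message : $teststring"
        echo "Exiting after mailing tech"
        exit 0
    fi
    # More Tests on analyzing the results may be included here
done
# Restore stdin when nothing was found
exec 0<&6 6<&-
#End of runchks.sh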
#and the corresponding crontab entry has to be appended to the root's crontab in /var/spool/crontab using crontab -e
4 * * * * /usr/local/runchks/runchks.sh --interval 04h > /usr/local/runchks/runchks.log 2>&1
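
An added example, not part of the original post: one way to give the alert a subject line while still using sendmail, by writing the headers yourself and calling sendmail with -t, plus the execute-bit check mentioned in the quoted reply. The function names, the SENDMAIL override and the sample report are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: names, paths and the sample report below are constructed.

# chkrootkit prints "not infected" for clean checks and "INFECTED" for hits,
# so a case-sensitive match selects only the findings.
infected_lines() { grep 'INFECTED' "$1"; }

# Emit a complete message (headers, blank line, body) for the report in $1,
# addressed to $2. Returns 1 and prints nothing when there are no findings.
build_alert() {
    hits=$(infected_lines "$1") || return 1
    count=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    printf 'To: %s\n' "$2"
    printf 'Subject: chkrootkit: %s INFECTED line(s) on %s\n\n' "$count" "$(uname -n)"
    printf 'Flagged lines:\n%s\n\nFull report:\n' "$hits"
    cat "$1"
}

# Send only when build_alert produced a message. "sendmail -t" reads the
# recipient from the To: header. SENDMAIL can be overridden for testing.
send_alert() {
    msg=$(build_alert "$1" "$2") || return 1
    printf '%s\n' "$msg" | ${SENDMAIL:-/usr/sbin/sendmail} -t
}

# run-parts skips cron.daily entries that lack the execute bit.
cron_job_runnable() { [ -f "$1" ] && [ -x "$1" ]; }

# Constructed sample of chkrootkit output, for trying the functions offline.
sample_report() {
    cat <<'EOF'
Checking `ifconfig'... INFECTED
Checking `ls'... not infected
Checking `ps'... not infected
EOF
}
```

In a cron script this would be called as send_alert /usr/local/runchks/status.txt tech@yourdomainname after chkrootkit has written the status file.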