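# Version/release of the (now disabled) sha1 canary check in %%prep.
# Written as '%%define' on purpose: rpm expands macros inside comments too, so
# a plain '#%define' would still define the macro even though the line looks
# disabled. Re-enable both lines together with the canary check.
#%%define rkhVer 1.2.9
#%%define rpmRel 2

# We can't let RPM do the dependencies automatic because it'll then pick up
# a correct but undesirable perl dependency, which rkhunter does not require
# in order to function properly [perl(Digest::MD5) & perl(Digest::SHA1)].
# Turning this off also disables automatic Requires/Provides for everything
# else, which is why the runtime tools below have to be listed by hand.
AutoReqProv: no

Name: rkhunter
# NOTE(review): bumped to 1.3.0-1, but the newest %%changelog entry is 1.2.9-7;
# add an entry for this release.
Version: 1.3.0
Release: 1
Summary: A host-based tool to scan for rootkits, backdoors and local exploits
Packager: Scott R. Shinn
Vendor: Atomic Rocket Turtle, http://www.atomicrocketturtle.com
Group: Applications/System
License: GPL
URL: http://easynews.dl.sourceforge.net/sourceforge/%{name}/%{name}-%{version}.tar.gz
# Upstream tarball, fetched from the mirror above (plain HTTP). The sha1 canary
# check in %%prep is commented out, so nothing in this build verifies the
# tarball's integrity before it is unpacked and patched -- the build trusts
# whatever sits in SOURCES. Verify the download (checksum/signature) out of
# band, or re-enable the check.
Source0: http://easynews.dl.sourceforge.net/sourceforge/%{name}/%{name}-%{version}.tar.gz
# cron script and rkhunter for sysconfig
Source1: rkhunter-auto_scan.tar.gz
# deprecated
#Source2: rkhunter-%%{version}.src.sha
#Source3: hashupd.sh
#Source4: hashupd.README
# changes the /usr/local stuff
Patch0: rkhunter-1.2.9-default_settings-conf.patch
Patch1: rkhunter-1.1.8-showfiles.patch
#Patch2: rkhunter-1.1.9-shared_man_search.patch
# NOTE(review): Patch3, Patch4, Patch5, Patch7 and Patch8 are declared but
# their %%patchN lines in %%prep are commented out, so they are NOT applied.
Patch3: rkhunter-1.2.9-app_check_default.patch
Patch4: rkhunter-1.2.7-datestamp.patch
Patch5: rkhunter-1.2.9-append_log.patch
#Patch6: rkhunter-1.2.7-group_log.patch
Patch7: rkhunter-1.2.7-manpage.patch
Patch8: rkhunter-1.2.9-allow-promiscuous.patch
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# Runtime tools the shell script and helper scripts call (manual list because
# AutoReqProv is off). wget is needed by the update path; mailx by the cron job.
Requires: /bin/sh, coreutils, binutils, modutils, findutils, grep, mktemp
Requires: e2fsprogs, procps, lsof, prelink, iproute, net-tools, wget
# The packaged helper scripts (check_*.pl, filehash*.pl, showfiles.pl) are perl,
# so perl itself stays a hard dependency despite the comment on AutoReqProv.
Requires: perl, perl(strict), perl(IO::Socket), mailx

%description
Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It should run on almost every Unix clone.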
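This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
- Software version checks
- Application tests

Rootkit Hunter is released as a GPL licensed project and is free for everyone to use.

%prep
# This optional check is for verification of original sources
# DURING the binary build process (sha1 canary check)
# NOTE: currently disabled, so Source0 is unpacked and patched unverified.
# Macros in the disabled lines are written as '%%' because rpm expands macros
# inside comments (the same reason %%build uses '#%%configure').
#[ ! -e %%{_sourcedir}/%%{name}-%%{rkhVer}-%%{rpmRel}.src.sha.orig ] \
#  && %%{__perl} -pi.orig -e '
#    s|../SOURCES|%%{_sourcedir}|g;
#  ' %%{_sourcedir}/%%{name}-%%{rkhVer}-%%{rpmRel}.src.sha
#sha1sum --check %%{_sourcedir}/%%{name}-%%{rkhVer}-%%{rpmRel}.src.sha || exit $?
#%%{__rm} -f %%{_sourcedir}/%%{name}-%%{rkhVer}-%%{rpmRel}.src.sha
#%%{__mv} %%{_sourcedir}/%%{name}-%%{rkhVer}-%%{rpmRel}.src.sha.orig \
#  %%{_sourcedir}/%%{name}-%%{rkhVer}-%%{rpmRel}.src.sha

%setup -q
# Unpack Source1 (cron script and sysconfig file) into the tree just created.
%setup -q -D -T -a 1

%patch0 -b .orig
# Point the shipped config at the packaged layout (no /usr/local).
%{__perl} -pi.0001 -e '
  s|^#(INSTALLDIR=).+$|$1%{_prefix}|;
  s|^#(TMPDIR=).+$|$1%{_var}/%{name}/tmp|;
  s|^#(DBDIR=).+$|$1%{_var}/%{name}/db|;
' files/%{name}.conf

# Fill in the @...@ path placeholders of the cron job from Source1.
%{__perl} -pi.orig -e '
  s|\@TMPDIR\@|%{_var}/%{name}/tmp|g;
  s|\@STDIR\@|%{_localstatedir}|g;
  s|\@CFGDIR\@|%{_sysconfdir}|g;
  s|\@SCDIR\@|%{_sysconfdir}/sysconfig|g;
  s|\@ITDIR\@|%{_initrddir}|g;
  s|\@RKEXE\@|%{_bindir}/%{name}|g;
  s|\@HASHEXE\@|%{_bindir}/hashupd.sh|g;
  s|\@RKHSH\@|%{_bindir}/%{name}-scan.sh|g;
  s|\@LGDIR\@|%{_localstatedir}/log|g;
' 01-%{name}

%patch1 -b .orig
# NOTE(review): Patch3/4/5/7/8 are declared in the preamble but never applied
# here, so e.g. the "allow-promiscuous" change named in the 1.2.9-7 changelog
# entry is not in this build. Either apply them (after checking they still
# apply to 1.3.0) or drop the declarations.
#%%patch2 -b .orig
#%%patch3 -b .0001
#%%patch4 -b .0002
#%%patch5 -b .0003
#%%patch6 -b .0004
#%%patch7 -b .orig
#%%patch8 -b .orig

# logrotate snippet; rotated scan logs stay root-only (640), matching %%post.
%{__cat} <<'EOF' >%{name}.logrotate
%{_localstatedir}/log/%{name}.log {
    weekly
    notifempty
    create 640 root root
}
EOF

%build
#%%configure
# We have nothing to configure... yet...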
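%install
%{__rm} -rf $RPM_BUILD_ROOT

# Directories are listed explicitly (no brace expansion) so this also works
# when /bin/sh is not bash. 'mkdir -p -m' only applies the mode to the last
# path component, so root-only parents are created in their own step.
%{__mkdir} -m755 -p ${RPM_BUILD_ROOT}%{_bindir}
%{__mkdir} -m755 -p ${RPM_BUILD_ROOT}%{_sysconfdir}/cron.daily \
                    ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig \
                    ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d
%{__mkdir} -m750 -p ${RPM_BUILD_ROOT}%{_prefix}/lib/%{name}
%{__mkdir} -m750 -p ${RPM_BUILD_ROOT}%{_prefix}/lib/%{name}/scripts
%{__mkdir} -m755 -p ${RPM_BUILD_ROOT}%{_docdir}/%{name}-%{version}
%{__mkdir} -m755 -p ${RPM_BUILD_ROOT}%{_mandir}/man8
%{__mkdir} -m750 -p ${RPM_BUILD_ROOT}%{_var}/%{name}
%{__mkdir} -m750 -p ${RPM_BUILD_ROOT}%{_var}/%{name}/db \
                    ${RPM_BUILD_ROOT}%{_var}/%{name}/tmp

# Main script: root-only executable.
%{__install} -m750 -p files/%{name} ${RPM_BUILD_ROOT}%{_bindir}/
#%%{__install} -m750 -p %%{SOURCE3} ${RPM_BUILD_ROOT}%%{_bindir}/

# Signature/hash databases: readable by root only.
%{__install} -m640 -p \
  files/backdoorports.dat \
  files/defaulthashes.dat \
  files/md5blacklist.dat \
  files/mirrors.dat \
  files/os.dat \
  files/programs_bad.dat \
  files/programs_good.dat \
  ${RPM_BUILD_ROOT}%{_var}/%{name}/db/

# Documentation (world-readable) and man page.
%{__install} -m644 -p files/CHANGELOG files/LICENSE files/README files/WISHLIST \
  ${RPM_BUILD_ROOT}%{_docdir}/%{name}-%{version}/
#%%{__install} -m644 -p %%{SOURCE4} ${RPM_BUILD_ROOT}%%{_docdir}/%%{name}-%%{version}/
%{__install} -m644 -p files/development/*.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/

# Helper scripts called by rkhunter itself: root-only.
%{__install} -m750 -p \
  files/check_modules.pl \
  files/check_port.pl \
  files/check_update.sh \
  files/filehashmd5.pl \
  files/filehashsha1.pl \
  files/showfiles.pl \
  ${RPM_BUILD_ROOT}%{_prefix}/lib/%{name}/scripts/

# Cron job, logrotate snippet and configuration (config files root-only: they
# may carry mail addresses and whitelists an attacker should not read).
%{__install} -m750 -p 01-%{name} ${RPM_BUILD_ROOT}%{_sysconfdir}/cron.daily/
%{__install} -m644 -p %{name}.logrotate ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/%{name}
%{__install} -m640 -p files/%{name}.conf ${RPM_BUILD_ROOT}%{_sysconfdir}/
%{__install} -m640 -p %{name}.sysconfig ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/%{name}

%clean
%{__rm} -rf $RPM_BUILD_ROOT
# Autoclean for rpmbuild -bb
#cd ..
#[ ! -d %%{name} ] || %%{__rm} -rf %%{name}

%post
# Scan results are security-sensitive: create the log root-only *before*
# anything is written to it. The previous touch/write/chown/chmod order left a
# freshly created log at the installer's umask until the chmod ran.
LOGFILE=%{_localstatedir}/log/%{name}.log
( umask 027; /bin/touch "$LOGFILE" )
/bin/chown root:root "$LOGFILE"
/bin/chmod 640 "$LOGFILE"
/bin/echo -e "------------------- `/bin/date -R` -------------------\n" >> "$LOGFILE"
%{_bindir}/%{name} --version >> "$LOGFILE"
/bin/echo -e "\n------------------------------ Installed ------------------------------\n" >> "$LOGFILE"

# Refresh the hash database on upgrade ($1 >= 2: more than one instance of the
# package present during the transaction). hashupd.sh is not visible in this
# spec; presumably it fetches data (wget is a Requires). Its output and exit
# status are deliberately discarded so an unreachable mirror cannot fail the
# package transaction -- TODO confirm it verifies what it downloads before the
# refreshed hashes are trusted by later scans.
if [ "$1" -ge 2 ]; then
    %{_bindir}/hashupd.sh > /dev/null 2>&1
fi

%postun
# Full erase only ($1 = 0, not an upgrade): remove state the package does not
# own (hash files refreshed at runtime, scratch files under tmp).
if [ "$1" = 0 ]; then
    [ ! -d %{_var}/%{name} ] || %{__rm} -rf %{_var}/%{name}
    [ ! -d %{_prefix}/lib/%{name} ] || %{__rm} -rf %{_prefix}/lib/%{name}
fi

%files
%defattr(-,root,root,-)
%{_bindir}/%{name}
# NOTE(review): no %%install step copies hashupd.sh into the buildroot (the
# %%{SOURCE3} line is commented out), yet it is listed here and run from %%post.
# Confirm Source1 or a patch provides it; otherwise the build fails with
# "File not found".
%{_bindir}/hashupd.sh
%dir %{_prefix}/lib/%{name}
%{_prefix}/lib/%{name}/scripts
%{_sysconfdir}/cron.daily/01-%{name}
%{_sysconfdir}/logrotate.d/%{name}
%dir %{_var}/%{name}
# The .dat files are not %%config, so an upgrade replaces them with the
# packaged versions; %%post then re-runs hashupd.sh to refresh them.
%{_var}/%{name}/db
%dir %{_var}/%{name}/tmp
%config(noreplace) %{_sysconfdir}/%{name}.conf
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%dir %{_docdir}/%{name}-%{version}
%doc %{_docdir}/%{name}-%{version}/*
%{_mandir}/man8/*

%changelog
* Tue Jan 9 2007 Scott R. Shinn 1.2.9-7
- added in the ability to disable promiscous mode checks

* Wed Dec 6 2006 Scott R. Shinn 1.2.9-6
- update to 1.2.9
- added in hashupd.sh
- ported 1.2.8 fixes forward
- modified rkhunter job to only alert when things change in default mode
- updated config settings on rkhunter.conf and sysconfig/rkhunter
- added a hashupd.sh event to run when it detects an upgrade
- tweaked a MAILTO condition that could result in multiple emails sent for the same alert
- improved reporting
- fixed logging append mode

* Sat Mar 18 2006 Greg Houlette - 1.2.8-3
- Made an RPM transparent change to move the sha1 canary check file out of CVS and into the external lookaside cache (whose filename changes with every new package release anyway...)

* Fri Mar 17 2006 Greg Houlette - 1.2.8-2
- Fixed architectural dependency during package creation eliminating use of _libdir configure macro (x86_64 /usr/lib64 mis-targeting)

* Tue Mar 7 2006 Greg Houlette - 1.2.8-1
- New package version release
- reworked the .spec file to support optional dist tag
- Updated the application check default patchfile (chunk failure)
- Changed to SHA1 for optional message digest (canary check)
- Added a couple of suggested skip entries to rkhunter.conf

* Mon Jun 11 2005 Greg Houlette - 1.2.7-1
- Added signature auto-updating to CRON scan (new script)
- Removed BOOTSCAN pending rewrite to full SysV Init scan in background
- Added the --append-log command line option
- Added Date Stamping to output
- Fixed bug in /etc/group missing report
- New package version release

* Sun Jan 2 2005 Greg Houlette - 0:1.1.9-1
- New package version release
- Added the --run-application-check command line option to listing in command help
- Replaced 'Here' Doc editing of rkhunter.conf file with in-place Perl edit
- tweaked rpmbuild -bb Autoclean

* Fri Oct 15 2004 Greg Houlette - 0:1.1.8-0.fdr.1 (revisited)
- Removed redundant buildrequires /bin/sh, coreutils and perl
- Revise postun scriptlet
- Added /usr/share/doc/rkhunter-1.1.8/ to files list

* Mon Oct 11 2004 Greg Houlette - 0:1.1.8-0.fdr.1
- Changed Release Tag to 0.fdr.1 (testing) for QA
- Removed wget from dependencies
- Hid (temporarily) the --skip-application-check command line option from being listed in help
- Fixed the spec files list, again!

* Fri Oct 8 2004 Greg Houlette - 0:1.1.8-0.fdr.0.2.beta2
- Unified and disabled the md5 canary check in prep (check is now optional) removing the sha1 cross-check
- Fixed the spec files list, adding the /var/rkhunter directory and the /usr/bin/rkhunter executable
- Fixed missing dependencies (rkh uses runtime checks)
- Disabled "auto-clean" for rpmbuild -bb
- Changed Application version scan default to disabled awaiting backport fix in upstream sources
- Fixed shared_man_search.patch, configuration files verify and added postun(install) cleanup

* Fri Oct 1 2004 Greg Houlette - 0:1.1.8-0.fdr.0.1.beta1
- More cosmetic patchwork
- Changed Release Tag to beta1 (pre-release) for QA submit

* Tue Sep 28 2004 Greg Houlette - 0:1.1.8-0.fdr.1
- Removed hidden_search.patch (1.1.7) after it was merged into upstream source by Michael Boelen
- Removed .spec file from md5 and sha1 file checks (it must be modifiable by Fedora QA release build)
- Added BOOTSCAN description file to documentation
- Restructured dynamic file creation ('Here' Docs) moving them to the "prep" stage so that *_ALL_* files are available prior to the "build" stage (for inspection purposes)
- Added a /etc/sysconfig/rkhunter parameters file

* Sun Aug 29 2004 Greg Houlette - 0:1.1.7-0.fdr.1
- Cosmetic patchwork

* Sat Aug 21 2004 Greg Houlette - 0:1.1.6-0.fdr.1
- Moderate reworking of .spec file for packaging standards
- Added md5 and sha1 file checks to prep procedure for source .rpm
- Included an optional rc.local replacement for scan on boot (with full logging)

* Tue Aug 10 2004 Michael Boelen - 1.1.5
- Added update script
- Extended description

* Sun Aug 08 2004 Greg Houlette - 1.1.5
- Changed the install procedure eliminating the specification of destination filenames (only needed if you are renaming during install)
- Changed the permissions for documentation files (root only overkill)
- Added the installation of the rkhunter Man Page
- Added the installation of the programs_{bad, good}.dat database files
- Added the installation of the LICENSE documentation file
- Added the chmod for root only to the /var/rkhunter/db directory

* Sun May 23 2004 Craig Orsinger (cjo) - version 1.1.0-1.cjo
- changed installation in accordance with new rootkit installation procedure
- changed installation root to conform to LSB. Use standard macros.
- added recursive remove of old build root as prep for install phase

* Wed Apr 28 2004 Doncho N. Gunchev - 1.0.9-0.mr700
- dropped Requires: perl - rkhunter works without it
- dropped the bash alignpatch (check the source or contact me)
- various file mode fixes (.../tmp/, *.db)
- optimized the %%files section - any new files in the current dirs will be fine - just %%{__install} them.

* Mon Apr 26 2004 Michael Boelen - 1.0.8-0
- Fixed missing md5blacklist.dat

* Mon Apr 19 2004 Doncho N. Gunchev - 1.0.6-1.mr700
- added missing /usr/local/rkhunter/db/md5blacklist.dat
- patched to align results in --cronjob, I think rpm based distros have symlink /bin/sh -> /bin/bash
- added --with/--without alignpatch for conditional builds (in case previous patch breaks something)

* Sat Apr 03 2004 Michael Boelen / Joe Klemmer - 1.0.6-0
- Update to 1.0.6

* Mon Mar 29 2004 Doncho N. Gunchev - 1.0.0-0
- initial .spec file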