From c8b3b1d19e3781c4e30ad6642b48942e9d930219 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roger=20P=C3=A0mies?= Date: Thu, 29 Sep 2022 12:27:20 +0200 Subject: [PATCH] upload scan scripts and update README --- README.md | 22 +++++++++++++++++++++- scan_chk.sh | 22 ++++++++++++++++++++++ scan_clam.sh | 32 ++++++++++++++++++++++++++++++++ scan_rkh.sh | 14 ++++++++++++++ 4 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 scan_chk.sh create mode 100644 scan_clam.sh create mode 100644 scan_rkh.sh diff --git a/README.md b/README.md index c7fd4e5..77a55fa 100644 --- a/README.md +++ b/README.md @@ -4,4 +4,24 @@ Send markdown notifications to gotify channel throught curl -`Usage: ./gotifypush.sh <message> <priority> <token> <clickurl>` +* Usage: `./gotifypush.sh <title> <message> <priority> <token> <clickurl>` + +## scan_chk.sh + +Scan rootkits into system with chkrootkit + +* Usage: `./scan_chk.sh` + +## scan_rkh.sh + +Scan rootkits into system with rkhunter + +* Usage: `./scan_rkh.sh` + +## scan_clam.sh + +Scan virus and malware into system with clamav + +* Usage: `./scan_clam.sh` + +**NOTE:** Need set paths (DIRTOSCAN variable) to scan diff --git a/scan_chk.sh b/scan_chk.sh new file mode 100644 index 0000000..b4037c9 --- /dev/null +++ b/scan_chk.sh 
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+PATH=$PATH:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
+
+# vars gotify
+readonly TOKEN="<TOKEN_GOTIFY_APP>"
+
+#vars chkrootkit
+SNIFFERS_WHITELIST="dhclient"
+FILES_WHITELIST="/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs/.document "
+FILES_WHITELIST="${FILES_WHITELIST} /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/*/.htaccess "
+FILES_WHITELIST="${FILES_WHITELIST} /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/*/.htpasswd "
+FILES_WHITELIST="${FILES_WHITELIST} /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/*/*/.htaccess "
+FILES_WHITELIST="${FILES_WHITELIST} /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/*/*/.htpasswd"
+
+OUT=$(chkrootkit -q -s "$SNIFFERS_WHITELIST" -e "$FILES_WHITELIST")
+if [ -n "$OUT" ]
+then
+ sh ~/gotifypush.sh "CHK Scan handycat cloud" "$OUT" 5 $TOKEN
+else
+ echo "[chkrootkit] system clean"
+fi
diff --git a/scan_clam.sh b/scan_clam.sh
new file mode 100644
index 0000000..0396698
--- /dev/null
+++ b/scan_clam.sh
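Review bot: A scanner that fails is reported as a clean system: `OUT=$(chkrootkit -q -s "$SNIFFERS_WHITELIST" -e "$FILES_WHITELIST")` keeps only stdout, so when chkrootkit is missing, cannot run, or exits non-zero its complaint goes to stderr, `OUT` stays empty and the script prints `[chkrootkit] system clean`. Capture both signals, `OUT=$(chkrootkit -q -s "$SNIFFERS_WHITELIST" -e "$FILES_WHITELIST" 2>&1); RC=$?`, and alert on either with `if [ "$RC" -ne 0 ] || [ -n "$OUT" ]`; scan_rkh.sh has the same shape around `rkhunter -c -sk --rwo`. The `PATH=$PATH:...` line appends the system directories, so any earlier, possibly user-writable entry in the inherited `PATH` is searched for `chkrootkit` first; for a rootkit check a fixed `PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin` is the safer choice. `readonly TOKEN="<TOKEN_GOTIFY_APP>"` puts the Gotify secret into the committed script (scan_rkh.sh and scan_clam.sh repeat it) and it is then passed unquoted as `$TOKEN`; reading it from a root-only file, e.g. `TOKEN=$(cat /etc/gotify/token)` (example path, not from this repo), and quoting `"$TOKEN"` keeps it out of the repository and out of word-splitting.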
@@ -0,0 +1,32 @@
+#!/bin/bash
+LOGDIR="/var/log/clamav/scan/";
+LOGFILE="clamav-$(date +'%Y-%m-%d').log";
+DIRTOSCAN="/path/to/folder/to/scan"; #multiple folders separate by space
+readonly TOKEN="<TOKEN_GOTIFY_APP>";
+LOG_PRESERVE_DAYS=30;
+
+mkdir -p $LOGDIR
+
+for S in ${DIRTOSCAN}; do
+ DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1);
+
+ echo "Starting a daily scan of "$S" directory. Amount of data to be scanned is "$DIRSIZE".";
+
+ clamscan -ri "$S" >> "$LOGDIR$LOGFILE";
+ echo "Scanned folder: "$S >> "$LOGDIR$LOGFILE";
+
+ # get the value of "Infected lines"
+ MALWARE=$(tail "$LOGDIR$LOGFILE"|grep Infected|cut -d" " -f3);
+
+ # if the value is not equal to zero, send an email with the log file attached
+ if [ "$MALWARE" -ne "0" ];then
+ sh ~/gotifypush.sh "CLAMAV Scan Kerodes Studi7" "Scanned folder: **$S** \r $MALWARE" 5 $TOKEN
+ else
+ echo "[clamav] No infected files found."
+ fi
+done
+
+#clean old logs files
+find $LOGDIR -maxdepth 1 -mtime +$LOG_PRESERVE_DAYS -exec "rm" -R {} \;
+
+exit 0
diff --git a/scan_rkh.sh b/scan_rkh.sh
new file mode 100644
index 0000000..8b1f76d
--- /dev/null
+++ b/scan_rkh.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+PATH=$PATH:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
+
+#vars rkhunter
+readonly TOKEN="<TOKEN_GOTIFY_APP>"
+
+OUT=$(rkhunter -c -sk --rwo)
+if [ -n "$OUT" ]
+then
+ sh ~/gotifypush.sh "RKH Scan handycat cloud" "$OUT" 5 $TOKEN
+else
+ echo "[rkhunter] system clean"
+fi
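Review bot: `if [ "$MALWARE" -ne "0" ];then` reports `[clamav] No infected files found.` whenever `MALWARE` is empty — `[` rejects a non-integer operand, the test fails and the else branch runs — and `MALWARE` is empty exactly when clamscan is absent or fails, or when the `Infected files:` summary line is not among the last ten lines of a log that is appended to on every pass. clamscan's documented exit status (0 no virus, 1 virus found, 2 error) already carries the result, so record it instead of parsing: `clamscan -ri "$S" >> "$LOGDIR$LOGFILE"; RC=$?` and `if [ "$RC" -ne 0 ]; then`, keeping `$MALWARE` only for the notification text so that an error (status 2) also alerts. The cleanup `find $LOGDIR -maxdepth 1 -mtime +$LOG_PRESERVE_DAYS -exec "rm" -R {} \;` matches `$LOGDIR` itself as well as its files, so once the directory's own mtime passes the threshold `rm -R` removes the whole log directory; add `-type f -name 'clamav-*.log'` to the find expression. `for S in ${DIRTOSCAN}` relies on word-splitting, so a directory whose name contains a space cannot be configured at all; a bash array `DIRTOSCAN=(...)` iterated as `"${DIRTOSCAN[@]}"` would fix that, and `mkdir -p $LOGDIR` / `find $LOGDIR` should quote `"$LOGDIR"`.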