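#!/bin/bash
# Run chkrootkit, upload its findings to a Nextcloud WebDAV folder and push a
# Gotify notification. Intended to be run from cron; prints
# "[chkrootkit] system clean" when the scan produced no findings.
#
# Required tools: chkrootkit, curl, hostname, date.
set -euo pipefail

# cron runs with a minimal PATH; make sure the tools above are found
PATH=$PATH:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# --- configuration -----------------------------------------------------------
# SECURITY: the credentials below are hardcoded in the script (and therefore in
# every copy, backup and VCS revision of it). Move them to a root-owned,
# mode-0600 file that is sourced here, or into the cron environment, and rotate
# the current values.
readonly NC_USER="log"
readonly NC_PASS="t1todelogs"
readonly NC_URL_WEBDAV="https://cloud.studi7.com/remote.php/dav/files"
readonly GOTIFY_TOKEN="A4w5ShWUHxcTLbx"
readonly GOTIFY_HOST="https://push.studi7.com"
readonly GOTIFY_PRIORITY=5

# one log file per host and day, written to the current working directory
readonly LOGFILE="$(hostname)_chkrootkit-$(date +'%Y-%m-%d').txt"

# chkrootkit -s: expected sniffer programs / interfaces.
# NOTE(review): recent chkrootkit versions document -s as a regular expression
# applied with 'grep -Ev'; a space-separated list may then not filter as
# intended. Confirm against `chkrootkit -h` of the installed version.
readonly SNIFFERS_WHITELIST="dhclient enp3s0"

# chkrootkit -e: known false positives, passed as ONE space-separated argument.
# Entries are single-quoted so the shell does not expand the globs itself.
readonly -a FILES_WHITELIST=(
  '/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs/.document'
  '/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/*/.htaccess'
  '/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/*/.htpasswd'
  '/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/*/*/.htaccess'
  '/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/*/*/.htpasswd'
  '/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo'
  '/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo'
  '/usr/lib/debug/.build-id'
  '/usr/lib/libreoffice/share/.registry'
  '/usr/lib/python3/dist-packages/glances/outputs/static/.gitignore'
  '/usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep'
  '/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/_static/.gitignore'
  '/usr/lib/python3/dist-packages/matplotlib/tests/tinypages/.gitignore'
  '/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.eslintrc.js'
  '/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierignore'
  '/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/.prettierrc'
)

# tests to run; z2 and chkutmp are left out because they always generate output
readonly -a ACTIVE_TESTS=(
  aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper OSX_RSPLUG
  amd basename biff chfn chsh cron crontab date du dirname echo egrep env find
  fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall
  ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3
  ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump
  top telnetd timed traceroute vdir w write
)

#######################################
# Escape a string for use inside a JSON string literal.
# Arguments: $1 - raw text
# Outputs:   the text with backslash and double quote escaped, to stdout
#######################################
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

#######################################
# Run the scan, upload the log and notify.
# Globals:   all readonly configuration above
# Outputs:   "[chkrootkit] system clean" on stdout when nothing was found;
#            diagnostics on stderr
# Returns:   0 (notification/upload failures are reported, not fatal)
#######################################
main() {
  local scan_start scan_rc=0 out
  scan_start=$(date +"%d/%m/%Y %H:%M:%S")

  # The exit status is captured rather than ignored: a missing binary or a
  # crashed scan must never be reported as "system clean".
  out=$(chkrootkit -q -s "$SNIFFERS_WHITELIST" -e "${FILES_WHITELIST[*]}" \
        "${ACTIVE_TESTS[@]}") || scan_rc=$?
  if (( scan_rc != 0 )); then
    out="chkrootkit exited with status ${scan_rc}${out:+$'\n'}${out}"
  fi

  if [[ -z "$out" ]]; then
    echo "[chkrootkit] system clean"
    return 0
  fi

  local issues
  issues=$(printf '%s\n' "$out" | grep -c '')

  # The log may reveal details about the host; keep it readable by owner only.
  # Output is written verbatim (quoted, real newlines) - the unquoted echo of
  # the original would glob-expand any '*' in the findings.
  umask 077
  printf '%s\n' "$out" > "$LOGFILE"

  # Upload to Nextcloud. The password is handed to curl through a config read
  # from stdin (-K -) so it does not show up in the process list; the local
  # copy is only deleted when the upload actually succeeded.
  local log_url="$NC_URL_WEBDAV/$NC_USER/$LOGFILE" upload_note
  if printf 'user = "%s:%s"\n' "$NC_USER" "$NC_PASS" \
       | curl -fsS -K - -T "$LOGFILE" "$NC_URL_WEBDAV/$NC_USER/"; then
    rm -f -- "$LOGFILE"
    upload_note="[LogFile]($log_url)"
  else
    printf '[chkrootkit] warning: upload failed, log kept at %s/%s\n' \
      "$PWD" "$LOGFILE" >&2
    upload_note="Upload failed; log kept at $(json_escape "$PWD/$LOGFILE")"
  fi

  # Gotify notification (markdown body). The "\r" sequences are JSON escapes
  # that the client renders as line breaks, so the message is not run through
  # json_escape; only the host-derived parts are.
  local scan_end message title extras payload
  scan_end=$(date +"%d/%m/%Y %H:%M:%S")
  message="Scan init: **${scan_start}** \r Scan end: **${scan_end}** \r"
  message="${message} There are **${issues}** security issues \r ${upload_note}"
  title=$(json_escape "CHK Scan $(hostname)")
  extras="{\"client::display\": {\"contentType\": \"text/markdown\"}, \"client::notification\": {\"click\": { \"url\": \"$(json_escape "$log_url")\"}}}"
  payload="{ \"message\": \"${message}\", \"priority\": ${GOTIFY_PRIORITY}, \"title\": \"${title}\", \"extras\": ${extras} }"

  # The token goes in the X-Gotify-Key header via stdin config instead of the
  # URL query string, keeping it out of argv and server access logs.
  printf 'header = "X-Gotify-Key: %s"\n' "$GOTIFY_TOKEN" \
    | curl -fsS -K - -X POST "$GOTIFY_HOST/message" \
        -H "accept: application/json" -H "Content-Type: application/json" \
        -d "$payload" \
    || printf '[chkrootkit] warning: gotify notification failed\n' >&2

  return 0
}

main "$@"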