# RPM spec for rkhunter 1.3.0 (noarch).  Builds from the upstream tarball,
# applies the installer patch, runs installer.sh in its RPM layout, adds a
# cron.daily job and writes an install stamp into the rkhunter log.
#
# NOTE(review): this copy of the spec was recovered from a web page and
# angle-bracketed text (e-mail addresses, at least one heredoc body) appears
# to have been stripped -- see the notes in the install section below.
#
# NOTE(review): rpm expands macros on '#' comment lines as well, so the two
# commented-out define lines below may still take effect; a line that must be
# inert needs a doubled percent sign.
#%define rkhVer 1.2.9
#%define rpmRel 2

# We can't let RPM do the dependencies automatic because it'll then pick up
# a correct but undesirable perl dependency, which rkhunter does not require
# in order to function properly [perl(Digest::MD5) & perl(Digest::SHA1)].
AutoReqProv: no

Name: rkhunter
Version: 1.3.0
Release: 1
Summary: A host-based tool to scan for rootkits, backdoors and local exploits
# NOTE(review): the Packager e-mail address is missing in this copy.
Packager: Scott R. Shinn
Vendor: Atomic Rocket Turtle, http://www.atomicrocketturtle.com
Group: Applications/System
License: GPL
# NOTE(review): URL names the tarball download rather than the project home
# page; Source0 already identifies the tarball.
URL: http://easynews.dl.sourceforge.net/sourceforge/%{name}/%{name}-%{version}.tar.gz
Source0: rkhunter-%{version}.tar.gz
# cron script and rkhunter for sysconfig
# NOTE(review): Source1 is declared but never unpacked -- the 'setup -a 1'
# line in prep is commented out and the cron.daily file is generated inline
# in the install section instead.
Source1: rkhunter-auto_scan.tar.gz
# deprecated
#Source2: rkhunter-%{version}.src.sha
#Source3: hashupd.sh
#Source4: hashupd.README
# changes the /usr/local stuff
# Only Patch9 is applied in prep; Patch0-Patch8 are carried over from earlier
# releases but their patch lines are commented out.
Patch0: rkhunter-1.2.9-default_settings-conf.patch
Patch1: rkhunter-1.1.8-showfiles.patch
#Patch2: rkhunter-1.1.9-shared_man_search.patch
Patch3: rkhunter-1.2.9-app_check_default.patch
Patch4: rkhunter-1.2.7-datestamp.patch
Patch5: rkhunter-1.2.9-append_log.patch
#Patch6: rkhunter-1.2.7-group_log.patch
Patch7: rkhunter-1.2.7-manpage.patch
Patch8: rkhunter-1.2.9-allow-promiscuous.patch
Patch9: rkhunter-1.3.0-installer.patch
BuildArch: noarch
# Per-user build root (the building user's name is appended).
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# Runtime tools the scan script shells out to; AutoReqProv is off above, so
# this list is the only dependency information the package carries.
Requires: /bin/sh, coreutils, binutils, modutils, findutils, grep, mktemp
Requires: e2fsprogs, procps, lsof, prelink, iproute, net-tools, wget
# NOTE(review): a hard perl requirement contradicts the AutoReqProv comment
# above, the description ("optional Perl modules") and the 1.0.9-0.mr700
# changelog entry; confirm whether the .pl helper scripts are really optional
# before keeping it.
Requires: perl, perl(strict), perl(IO::Socket), mailx

%description
Rootkit Hunter scans files and systems for known and unknown rootkits,
backdoors, and sniffers. The package contains one shell script, a few
text-based databases, and optional Perl modules. It should run on almost
every Unix clone.

This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
- Software version checks
- Application tests

Rootkit Hunter is released as a GPL licensed project and is free for everyone to use.

%prep
# This optional check is for verification of original sources
# DURING the binary build process (sha1 canary check)
# NOTE(review): with this block disabled nothing verifies Source0 against a
# digest or signature before it is patched and installed; the build trusts
# whatever tarball is present in the source directory.
#[ ! -e %{_sourcedir}/%{name}-%{rkhVer}-%{rpmRel}.src.sha.orig ] \
#  && %{__perl} -pi.orig -e '
#    s|../SOURCES|%{_sourcedir}|g;
#  ' %{_sourcedir}/%{name}-%{rkhVer}-%{rpmRel}.src.sha
#sha1sum --check %{_sourcedir}/%{name}-%{rkhVer}-%{rpmRel}.src.sha || exit $?
#%{__rm} -f %{_sourcedir}/%{name}-%{rkhVer}-%{rpmRel}.src.sha
#%{__mv} %{_sourcedir}/%{name}-%{rkhVer}-%{rpmRel}.src.sha.orig \
#  %{_sourcedir}/%{name}-%{rkhVer}-%{rpmRel}.src.sha
%setup -q
#%setup -q -D -T -a 1
#%patch0 -b .orig
#
#%{__perl} -pi.0001 -e '
#  s|^#(INSTALLDIR=).+$|$1%{_prefix}|;
#  s|^#(TMPDIR=).+$|$1%{_var}/%{name}/tmp|;
#  s|^#(DBDIR=).+$|$1%{_var}/%{name}/db|;
#  ' files/%{name}.conf
#
#%{__perl} -pi.orig -e '
#  s|\@TMPDIR\@|%{_var}/%{name}/tmp|g;
#  s|\@STDIR\@|%{_localstatedir}|g;
#  s|\@CFGDIR\@|%{_sysconfdir}|g;
#  s|\@SCDIR\@|%{_sysconfdir}/sysconfig|g;
#  s|\@ITDIR\@|%{_initrddir}|g;
#  s|\@RKEXE\@|%{_bindir}/%{name}|g;
#  s|\@HASHEXE\@|%{_bindir}/hashupd.sh|g;
#  s|\@RKHSH\@|%{_bindir}/%{name}-scan.sh|g;
#  s|\@LGDIR\@|%{_localstatedir}/log|g;
#  ' 01-%{name}
#%patch1 -b .orig
#%patch2 -b .orig
#%patch3 -b .0001
#%patch4 -b .0002
#%patch5 -b .0003
#%patch6 -b .0004
#%patch7 -b .orig
#%patch8 -b .orig
# The 1.3.0 installer patch is the only patch applied to this release.
%patch9
# Logrotate snippet for the rkhunter log (weekly, root-only 640).
# NOTE(review): this file is generated in the build directory but is neither
# copied by the install section nor listed in the files section, so it looks
# like dead output -- confirm.
%{__cat} <<'EOF' >%{name}.logrotate
%{_localstatedir}/log/%{name}.log {
    weekly
    notifempty
    create 640 root root
}
EOF

%build

%install
# Refuse to wipe '/' if the build root macro is empty or mis-set.
[ "$RPM_BUILD_ROOT" != "/" ] && %{__rm} -rf $RPM_BUILD_ROOT
%{__mkdir} -p ${RPM_BUILD_ROOT}
# The upstream installer (as modified by Patch9) lays out the files; the
# destination directories presumably come from its RPM layout rather than
# from this spec -- confirm against installer.sh.
sh ./installer.sh --layout RPM --install

# Make a cron.daily file to mail us the reports
%{__mkdir} -p "${RPM_BUILD_ROOT}/%{_sysconfdir}/cron.daily"
# NOTE(review): this copy is truncated here.  The cron script body (a
# heredoc) and the header of the post-install scriptlet are missing, so as
# written the 'cat' produces an empty cron file and the touch/chown/chmod
# lines below would run at build time rather than at install time.  Recover
# them from the original spec before building.
%{__cat} > "${RPM_BUILD_ROOT}/%{_sysconfdir}/cron.daily/01-rkhunter" </dev/null 2>&1 || :
# Presumably seeds a baseline copy of /etc/group for the group-change check
# (cf. the 1.2.7-1 changelog entry) -- confirm.  Path is hard-coded instead
# of using the _var macro that the files section uses.
%{__cp} -p /etc/group /var/lib/rkhunter/tmp >/dev/null 2>&1 || :
# Stamp the log with the install date and rkhunter version, then restrict
# it to root (640).
/bin/touch %{_localstatedir}/log/%{name}.log
/bin/echo -e "------------------- `/bin/date -R` -------------------\n" \
  >> %{_localstatedir}/log/%{name}.log
%{_bindir}/%{name} --version >> %{_localstatedir}/log/%{name}.log
/bin/echo -e "\n------------------------------ Installed ------------------------------\n" \
  >> %{_localstatedir}/log/%{name}.log
/bin/chown root.root %{_localstatedir}/log/%{name}.log
/bin/chmod 640 %{_localstatedir}/log/%{name}.log
# NOTE(review): closes an 'if' whose opening is in the stripped part above.
fi

%postun
# $1 is the number of package instances left after the transaction: 0 means
# a full erase (not an upgrade).  On erase the runtime db/tmp tree and the
# logs are removed, so the hash baseline and scan history are gone.
if [ $1 -eq 0 ]; then
  [ ! -d %{_var}/%{name} ] || %{__rm} -rf %{_var}/%{name}
  # NOTE(review): removes the _prefix/lib tree while the files section ships
  # the scripts under _libdir; on lib64 hosts those differ (see the 1.2.8-2
  # changelog entry).  The two lines below also hard-code /var paths rather
  # than using the macros used elsewhere in this spec.
  [ ! -d %{_prefix}/lib/%{name} ] || %{__rm} -rf %{_prefix}/lib/%{name}
  %{__rm} -f /var/log/rkhunter.log /var/log/rkhunter.log.old >/dev/null 2>&1
  %{__rm} -rf /var/lib/rkhunter/* >/dev/null 2>&1
fi

%clean
# Same '/' guard as in the install section, but fatal here.
if [ "$RPM_BUILD_ROOT" = "/" ]; then
  echo Invalid Build root \'"$RPM_BUILD_ROOT"\'
  exit 1
else
  %{__rm} -rf $RPM_BUILD_ROOT
fi

%define docdir %{_prefix}/share/doc/%{name}-%{version}

%files
%defattr(-,root,root)
# config(noreplace) keeps a locally edited configuration across upgrades;
# 640 keeps it readable by root only.
%attr(640,root,root) %config(noreplace) %{_sysconfdir}/%{name}.conf
%attr(750,root,root) %{_prefix}/bin/%{name}
# NOTE(review): _libdir expands to /usr/lib64 on x86_64 build hosts, which a
# noarch package should not depend on (the 1.2.8-2 changelog entry dropped
# _libdir for exactly that reason) and which differs from the _prefix/lib
# path removed in postun.  Confirm which directory installer.sh's RPM layout
# actually populates.
%attr(750,root,root) %dir %{_libdir}/%{name}
%attr(750,root,root) %dir %{_libdir}/%{name}/scripts
%attr(750,root,root) %{_libdir}/%{name}/scripts/*.pl
%attr(750,root,root) %{_libdir}/%{name}/scripts/*.sh
%attr(644,root,root) %doc %{_prefix}/share/man/man8/%{name}.8
%attr(755,root,root) %dir %{docdir}
%attr(644,root,root) %doc %{docdir}/*
# Signature databases and the tmp dir are root-only (750/640); their
# contents drive detection, so they must not be world-readable or writable.
%attr(750,root,root) %dir %{_var}/lib/%{name}
%attr(750,root,root) %dir %{_var}/lib/%{name}/db
%attr(640,root,root) %{_var}/lib/%{name}/db/*.dat
%attr(750,root,root) %dir %{_var}/lib/%{name}/db/i18n
%attr(640,root,root) %{_var}/lib/%{name}/db/i18n/*
# The group-file copy made by the post-install scriptlet lands here and is
# not owned by rpm.
%attr(750,root,root) %dir %{_var}/lib/%{name}/tmp
%{_sysconfdir}/cron.daily/01-rkhunter

%changelog
* Fri Oct 12 2007 Scott R. Shinn 1.3.0-1
- initial test build of 1.3.0

* Tue Jan 9 2007 Scott R. Shinn 1.2.9-7
- added in the ability to disable promiscous mode checks

* Wed Dec 6 2006 Scott R. Shinn 1.2.9-6
- update to 1.2.9
- added in hashupd.sh
- ported 1.2.8 fixes forward
- modified rkhunter job to only alert when things change in default mode
- updated config settings on rkhunter.conf and sysconfig/rkhunter
- added a hashupd.sh event to run when it detects an upgrade
- tweaked a MAILTO condition that could result in multiple emails sent for the same alert
- improved reporting
- fixed logging append mode

* Sat Mar 18 2006 Greg Houlette - 1.2.8-3
- Made an RPM transparent change to move the sha1 canary check file out of CVS and into the external lookaside cache (whose filename changes with every new package release anyway...)

* Fri Mar 17 2006 Greg Houlette - 1.2.8-2
- Fixed architectural dependency during package creation eliminating use of _libdir configure macro (x86_64 /usr/lib64 mis-targeting)

* Tue Mar 7 2006 Greg Houlette - 1.2.8-1
- New package version release
- reworked the .spec file to support optional dist tag
- Updated the application check default patchfile (chunk failure)
- Changed to SHA1 for optional message digest (canary check)
- Added a couple of suggested skip entries to rkhunter.conf

* Mon Jun 11 2005 Greg Houlette - 1.2.7-1
- Added signature auto-updating to CRON scan (new script)
- Removed BOOTSCAN pending rewrite to full SysV Init scan in background
- Added the --append-log command line option
- Added Date Stamping to output
- Fixed bug in /etc/group missing report
- New package version release

* Sun Jan 2 2005 Greg Houlette - 0:1.1.9-1
- New package version release
- Added the --run-application-check command line option to listing in command help
- Replaced 'Here' Doc editing of rkhunter.conf file with in-place Perl edit
- tweaked rpmbuild -bb Autoclean

* Fri Oct 15 2004 Greg Houlette -
0:1.1.8-0.fdr.1 (revisited) - Removed redundant buildrequires /bin/sh, coreutils and perl - Revise postun scriptlet - Added /usr/share/doc/rkhunter-1.1.8/ to files list * Mon Oct 11 2004 Greg Houlette - 0:1.1.8-0.fdr.1 - Changed Release Tag to 0.fdr.1 (testing) for QA - Removed wget from dependencies - Hid (temporarily) the --skip-application-check command line option from being listed in help - Fixed the spec files list, again! * Fri Oct 8 2004 Greg Houlette - 0:1.1.8-0.fdr.0.2.beta2 - Unified and disabled the md5 canary check in prep (check is now optional) removing the sha1 cross-check - Fixed the spec files list, adding the /var/rkhunter directory and the /usr/bin/rkhunter executable - Fixed missing dependencies (rkh uses runtime checks) - Disabled "auto-clean" for rpmbuild -bb - Changed Application version scan default to disabled awaiting backport fix in upstream sources - Fixed shared_man_search.patch, configuration files verify and added postun(install) cleanup * Fri Oct 1 2004 Greg Houlette - 0:1.1.8-0.fdr.0.1.beta1 - More cosmetic patchwork - Changed Release Tag to beta1 (pre-release) for QA submit * Tue Sep 28 2004 Greg Houlette - 0:1.1.8-0.fdr.1 - Removed hidden_search.patch (1.1.7) after it was merged into upstream source by Michael Boelen - Removed .spec file from md5 and sha1 file checks (it must be modifiable by Fedora QA release build) - Added BOOTSCAN description file to documentation - Restructured dynamic file creation ('Here' Docs) moving them to the "prep" stage so that *_ALL_* files are available prior to the "build" stage (for inspection purposes) - Added a /etc/sysconfig/rkhunter parameters file * Sun Aug 29 2004 Greg Houlette - 0:1.1.7-0.fdr.1 - Cosmetic patchwork * Sat Aug 21 2004 Greg Houlette - 0:1.1.6-0.fdr.1 - Moderate reworking of .spec file for packaging standards - Added md5 and sha1 file checks to prep procedure for source .rpm - Included an optional rc.local replacement for scan on boot (with full logging) * Tue Aug 10 2004 
Michael Boelen - 1.1.5 - Added update script - Extended description * Sun Aug 08 2004 Greg Houlette - 1.1.5 - Changed the install procedure eliminating the specification of destination filenames (only needed if you are renaming during install) - Changed the permissions for documentation files (root only overkill) - Added the installation of the rkhunter Man Page - Added the installation of the programs_{bad, good}.dat database files - Added the installation of the LICENSE documentation file - Added the chmod for root only to the /var/rkhunter/db directory * Sun May 23 2004 Craig Orsinger (cjo) - version 1.1.0-1.cjo - changed installation in accordance with new rootkit installation procedure - changed installation root to conform to LSB. Use standard macros. - added recursive remove of old build root as prep for install phase * Wed Apr 28 2004 Doncho N. Gunchev - 1.0.9-0.mr700 - dropped Requires: perl - rkhunter works without it - dropped the bash alignpatch (check the source or contact me) - various file mode fixes (.../tmp/, *.db) - optimized the %%files section - any new files in the current dirs will be fine - just %%{__install} them. * Mon Apr 26 2004 Michael Boelen - 1.0.8-0 - Fixed missing md5blacklist.dat * Mon Apr 19 2004 Doncho N. Gunchev - 1.0.6-1.mr700 - added missing /usr/local/rkhunter/db/md5blacklist.dat - patched to align results in --cronjob, I think rpm based distros have symlink /bin/sh -> /bin/bash - added --with/--without alignpatch for conditional builds (in case previous patch breaks something) * Sat Apr 03 2004 Michael Boelen / Joe Klemmer - 1.0.6-0 - Update to 1.0.6 * Mon Mar 29 2004 Doncho N. Gunchev - 1.0.0-0 - initial .spec file