#!/bin/sh

#
# rkhunter -- Scan the system for rootkits and other known security issues.
#
# Copyright (c) 2003-2012, Michael Boelen ( michael AT rootkit DOT nl )
#
#     This program is free software; you can redistribute it and/or modify
#     it under the terms of the GNU General Public License as published by
#     the Free Software Foundation; either version 2 of the License, or
#     (at your option) any later version.
#
#     This program is distributed in the hope that it will be useful,
#     but WITHOUT ANY WARRANTY; without even the implied warranty of
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#     GNU General Public License for more details.
#
#     You should have received a copy of the GNU General Public License
#     along with this program; if not, write to the Free Software
#     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111, USA.
#


#
# Unfortunately we must do some O/S checks at the very beginning,
# otherwise SunOS will complain about some of the ksh/bash syntax.
# By default the SunOS root account uses a simple Bourne shell,
# which does not work with RKH. So we exec to use the Bash shell
# if it is present, or the Korn shell which is usually installed
# by default on Solaris systems.
#

BSDOS=0
SUNOS=0

OPERATING_SYSTEM=`uname 2>/dev/null`

case "${OPERATING_SYSTEM}" in
*BSD|DragonFly)
	BSDOS=1
	;;
SunOS)
	SUNOS=1
	;;
esac

if [ $SUNOS -eq 1 ]; then
	# Simple SunOS test of RANDOM to see if we are now running bash or ksh.
	if [ -z "$RANDOM" ]; then
		# If the 'which' output contains a space, then it is probably an error.
		if [ -n "`which bash 2>/dev/null | grep -v ' '`" ]; then
			exec bash $0 $*
		elif [ -n "`which ksh 2>/dev/null | grep -v ' '`" ]; then
			exec ksh $0 $*
		else
			echo "Unable to find the bash or ksh shell to run rkhunter."
			exit 1
		fi

		exit 0
	fi
fi


#
# Check to see if we are using the '--debug' option. If so, then
# we exec to log everything to the debug file.
#

if [ -n "`echo \"$*\" | grep '\-\-debug'`" ]; then
	RKHDEBUGBASE="/tmp/rkhunter-debug"

	#
	# Ensure we create a random file name.
	#

	if [ -n "`which mktemp 2>/dev/null | grep -v ' '`" ]; then
		RKHDEBUGFILE=`mktemp ${RKHDEBUGBASE}.XXXXXXXXXX`
	elif [ -n "$RANDOM" ]; then
		RKHDEBUGFILE="${RKHDEBUGBASE}.$RANDOM"
	elif [ -n "`date +%N%s 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
		RKHDEBUGFILE="${RKHDEBUGBASE}.`date +%N%s%N`"
	else
		RKHDEBUGFILE="${RKHDEBUGBASE}.`date +%Y%m%d%H%M%S`"
	fi

	if [ -e "${RKHDEBUGFILE}" ]; then
		if [ -f "${RKHDEBUGFILE}" -a ! -h "${RKHDEBUGFILE}" ]; then
			rm -f ${RKHDEBUGFILE} >/dev/null 2>&1
		else
			echo "Cannot use '--debug' option. \"${RKHDEBUGFILE}\" already exists, but it is not a file."
			exit 1
		fi
	fi

	DEBUG_OPT=1

	exec 1>${RKHDEBUGFILE} 2>&1
	chmod 600 ${RKHDEBUGFILE} >/dev/null 2>&1
	set -x
else
	DEBUG_OPT=0
fi


#
# Now we must determine if we are using the Korn shell or not. If so,
# then we alias the 'echo' command and set ECHOOPT. For other shells,
# we try and determine the real shell being used, and test to see if
# the 'echo -e' command is valid or not. We set ECHOOPT accordingly.
#

#
# Unfortunately *BSD doesn't seem to allow capturing of unknown commands.
# So we must alias 'print' to something valid, but which will fail.
#

test $BSDOS -eq 1 && alias print=false

if [ "`print "rkh-ksh-string-test" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
	alias echo='print'
	ECHOOPT="--"
	MYSHELL=ksh
elif [ $SUNOS -eq 1 ]; then
	# For Solaris, if we are not running ksh, then it must be bash.
	MYSHELL=bash
	ECHOOPT="-e"
else
	#
	# We want to get the actual shell used by this program, and
	# so we need to test /bin/sh.
	#

	MYSHELL=/bin/sh
	test -h ${MYSHELL} && MYSHELL=`readlink ${MYSHELL} 2>/dev/null`
	MYSHELL=`basename ${MYSHELL} 2>/dev/null`

	# Assume 'bash' if we have problems finding the real shell.
	test -z "${MYSHELL}" && MYSHELL=bash

	#
	# Now test the 'echo -e' command.
	#

	if [ "`echo -e \"rkh-ksh\tstring-test\" 2>/dev/null`" = "rkh-ksh	string-test" ]; then
		ECHOOPT="-e"
	else
		ECHOOPT=""
	fi
fi


#
# We now perform a similar test to see if 'echo -n', or "\c", is valid
# or not. Unfortunately on some systems both '-e' and '-n' are valid,
# but not together. The "\c" option works in these cases. So we set
# ECHON accordingly.
#

if [ "`echo -n -e \"rkh-ksh-string-test\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
	ECHON="-n"
elif [ "`echo -e \"rkh-ksh-string-test\c\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
	ECHON="c"
elif [ "`echo \"rkh-ksh-string-test\c\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
	ECHON="c"
else
	ECHON=""
fi


#
# Finally, we need to test the 'head' and 'tail' commands
# to see if they understand the '-n' option or not.
#

if head -n 1 </dev/null >/dev/null 2>&1; then
	HEAD_OPT="-n "
else
	HEAD_OPT="-"
fi

if tail -n 1 </dev/null >/dev/null 2>&1; then
	TAIL_OPT="-n "
else
	TAIL_OPT="-"
fi


######################################################################
#
# Global function definitions
#
######################################################################


display() {

	#
	# This function is used to display text messages on to the
	# users screen, as well as in to the log file. The same
	# message is written to both. However, the screen may have
	# a coloured result (green for good, red for bad, etc), and
	# the log file will have the time prefixed to the message and,
	# optionally, additional information messages after the main
	# message. All the messages are indexed in the language file.
	#
	# Syntax: display --to <destination> --type <type>
	#		  [--screen-indent <n>] [--log-indent <n>]
	#		  [--nl [<n>]] [--nl-after] [--log-nl] [--screen-nl] [--nonl]
	#		  [--result <result> --color <colour>]
	#		  <message index> [optional message arguments]
	#
	# where the destination can be one of SCREEN, LOG or SCREEN+LOG.
	# The type can be one of PLAIN, INFO or WARNING.
	# The language file will have all the current values.
	#
	# The --screen-indent and --log-indent options are used to
	# forcibly indent a message.
	# The --nl option causes a blank-line to be output before the
	# message both on the screen and in the log file. A following
	# number can be used to indicate how many blank lines should
	# be displayed on the screen.
	# The --log-nl option outputs a blank line only in the log file.
	# The --screen-nl option outputs a blank line on the screen
	# regardless of whether SCREEN was specified or not.
	# The --nl-after option outputs a blank line on the screen after
	# the message.
	# The --nonl option is only to be used in special cases where we
	# want the output of more than one message to appear on the same
	# line. This is currently only used when trying to obtain the
	# lock file. It only applies to PLAIN messages, and may not be
	# supported on all systems (depending on whether 'echo -n' works
	# or not).
	#


	#
	# We first initialize some variables and then
	# process the switches used.
	#

	WARN_MSG=0; NL=0; NLAFTER=0; LOGINDENT=0; SCREENINDENT=0
	LOGNL=0; SCREENNL=0
	WRITETO=''; TYPE=''; RESULT=''; COLOR=''; MSG=''
	LINE1=''; LOGLINE1=''; SPACES=''; NONL=''

	DISPLAY_LINE="display $*"

	if [ $# -le 0 ]; then
		echo "Error: Invalid display call - no arguments given"
		return
	fi

	while [ $# -ge 1 ]; do
		case "$1" in
		--to)
			case "$2" in
			SCREEN|LOG|SCREEN+LOG)
				WRITETO=$2
				;;
			*)
				echo "Error: Invalid display destination: $2   Display line: ${DISPLAY_LINE}"
				return
				;;
			esac

			shift
			;;
		--type)
			TYPE=`eval echo "\\$MSG_TYPE_$2"`

			if [ -z "${TYPE}" -a "$2" != "PLAIN" ]; then
				if [ $RKHLANGUPDT -eq 0 ]; then
					echo "Error: Invalid display type: $2   Display line: ${DISPLAY_LINE}"
					return
				fi
			fi

			test "$2" = "WARNING" && WARN_MSG=1

			shift
			;;
		--result)
			RESULT=`eval echo "\\$MSG_RESULT_$2"`

			if [ -z "${RESULT}" ]; then
				if [ $RKHLANGUPDT -eq 0 ]; then
					echo "Error: Invalid display result: $2   Display line: ${DISPLAY_LINE}"
					return
				fi
			fi

			shift
			;;
		--color)
			if [ $COLORS -eq 1 ]; then
				test -n "$2" && COLOR=`eval "echo \\${$2}"`

				if [ -z "${COLOR}" ]; then
					echo "Error: Invalid display color: $2   Display line: ${DISPLAY_LINE}"
					return
				fi
			fi

			shift
			;;
		--log-indent)
			LOGINDENT=$2

			if [ -z "${LOGINDENT}" ]; then
				echo "Error: No --log-indent value given.   Display line: ${DISPLAY_LINE}"
				return
			elif [ -z "`echo ${LOGINDENT} | grep '^[0-9]*$'`" ]; then
				echo "Error: Invalid '--log-indent' value given: $2   Display line: ${DISPLAY_LINE}"
				return
			fi

			shift
			;;
		--screen-indent)
			SCREENINDENT=$2

			if [ -z "${SCREENINDENT}" ]; then
				echo "Error: No --screen-indent value given.   Display line: ${DISPLAY_LINE}"
				return
			elif [ -z "`echo ${SCREENINDENT} | grep '^[0-9]*$'`" ]; then
				echo "Error: Invalid '--screen-indent' value given: $2   Display line: ${DISPLAY_LINE}"
				return
			fi

			shift
			;;
		--nl)
			NL=1

			case "$2" in
			[0-9])
				NL=$2
				shift
				;;
			esac
			;;
		--log-nl)
			LOGNL=1
			;;
		--screen-nl)
			SCREENNL=1
			;;
		--nl-after)
			NLAFTER=1
			;;
		--nonl)
			NONL=$ECHON
			;;
		-*)
			echo "Error: Invalid display option given: $1   Display line: ${DISPLAY_LINE}"
			return
			;;
		*)
			MSG=$1
			shift
			break
			;;
		esac

		shift
	done


	#
	# Before anything we must record if this is a warning message.
	#

	test $WARN_MSG -eq 1 && WARNING_COUNT=`expr ${WARNING_COUNT} + 1`


	#
	# For simplicity we now set variables as to whether the output
	# goes to the screen and/or the log file. In some cases we do
	# not need to output anything, and so can just return.
	#

	if [ $NOLOG -eq 1 ]; then
		test "${WRITETO}" = "LOG" && return

		test "${WRITETO}" = "SCREEN+LOG" && WRITETO="SCREEN"
	fi

	if [ $NOTTY -eq 1 ]; then
		test "${WRITETO}" = "SCREEN" && return

		test "${WRITETO}" = "SCREEN+LOG" && WRITETO="LOG"
	fi


	test "${WRITETO}" = "SCREEN" -o "${WRITETO}" = "SCREEN+LOG" && WRITETOTTY=1 || WRITETOTTY=0

	test "${WRITETO}" = "LOG" -o "${WRITETO}" = "SCREEN+LOG" && WRITETOLOG=1 || WRITETOLOG=0


	#
	# Now check that the options we have been given make sense.
	#

	if [ $WRITETOTTY -eq 0 -a $WRITETOLOG -eq 0 ]; then
		echo "Error: Invalid display destination: Display line: ${DISPLAY_LINE}"
		return
	elif [ $WRITETOTTY -eq 1 -a $COLORS -eq 1 -a -n "${RESULT}" -a -z "${COLOR}" ]; then
		echo "Error: Invalid display - no color given: Display line: ${DISPLAY_LINE}"
		return
	fi

	#
	# We only allow no newline for PLAIN messages.
	#

	test -n "${TYPE}" && NONL=""


	#
	# If we want whitelisted results to be shown as white, or
	# black for colour set two users, then change the colour now.
	#

	if [ $WLIST_IS_WHITE -eq 1 -a $WRITETOTTY -eq 1 -a $COLORS -eq 1 -a "${RESULT}" = "${MSG_RESULT_WHITELISTED}" ]; then
		COLOR=$WHITE
	fi


	#
	# We set the variable LINE1 to contain the first line of the message.
	# For the log file we use the variable LOGLINE1. We also set
	# where the language file is located. If a message cannot be found
	# in the file, then we look in the English file. This will allow RKH
	# to still work even when the language files change.
	#

	LANG_FILE="${DB_PATH}/i18n/${LANGUAGE}"

	if [ -n "${MSG}" ]; then
		LINE1=`grep "^${MSG}:" ${LANG_FILE} 2>/dev/null | head ${HEAD_OPT}1 | cut -d: -f2-`

		if [ $RKHCHKLOCALE -eq 1 ]; then
			LINE1=`echo "${LINE1}" | ${ICONV_CMD} -f UTF-8 -t ${RKHCHRMAP} 2>/dev/null`
			test $? -ne 0 && LINE1=""
		fi

		if [ -z "${LINE1}" ]; then
			LANG_FILE="${DB_PATH}/i18n/en"
			LINE1=`grep "^${MSG}:" ${LANG_FILE} 2>/dev/null | head ${HEAD_OPT}1 | cut -d: -f2-`

			if [ -z "${LINE1}" ]; then
				echo "Error: Invalid display - keyword cannot be found: Display line: ${DISPLAY_LINE}"
				return
			fi
		else
			LINE1=`echo "${LINE1}" | sed -e 's/\`/\\\\\`/g'`
		fi

		test -n "${LINE1}" && LINE1=`eval "echo \"${LINE1}\" | sed -e 's/;/\\;/g'"`
	fi


	#
	# At this point LINE1 is the text of the message. We have to
	# see if the message is to be indented, and must prefix the
	# time to log file messages. We must do the log file first
	# because it uses LINE1.
	#

	if [ $WRITETOLOG -eq 1 ]; then
		LOGLINE1=`date '+[%H:%M:%S]'`

		test $NL -gt 0 -o $LOGNL -eq 1 && echo "${LOGLINE1}" >>${RKHLOGFILE}

		if [ -n "${TYPE}" ]; then
			LOGLINE1="${LOGLINE1} ${TYPE}: ${LINE1}"
		else
			test $LOGINDENT -gt 0 && SPACES=`echo "${BLANK_LINE}" | cut -c1-$LOGINDENT`

			LOGLINE1="${LOGLINE1} ${SPACES}${LINE1}"
		fi
	fi

	if [ $WRITETOTTY -eq 1 -a $SCREENINDENT -gt 0 ]; then
		SPACES=`echo "${BLANK_LINE}" | cut -c1-$SCREENINDENT`
		LINE1="${SPACES}${LINE1}"
	fi


	#
	# We now check to see if a result is to be output. If it is,
	# then we need to space-out the line and color the result.
	#

	if [ -n "${RESULT}" ]; then
		if [ $WRITETOTTY -eq 1 ]; then
			LINE1_NUM=`echo "${LINE1}" | wc -c | tr -d ' '`
			NUM_SPACES=`expr 62 - ${LINE1_NUM}`
			test $NUM_SPACES -lt 1 && NUM_SPACES=1

			if [ $COLORS -eq 0 ]; then
				SPACES=`echo "${BLANK_LINE}" | cut -c1-$NUM_SPACES`
				LINE1="${LINE1}${SPACES}[ ${RESULT} ]"
			else
				LINE1="${LINE1}\033[${NUM_SPACES}C[ ${COLOR}${RESULT}${NORMAL} ]"
			fi
		fi

		if [ $WRITETOLOG -eq 1 ]; then
			LOGLINE1_NUM=`echo "${LOGLINE1}" | wc -c | tr -d ' '`
			NUM_SPACES=`expr 62 - ${LOGLINE1_NUM}`
			test $NUM_SPACES -lt 1 && NUM_SPACES=1
			SPACES=`echo "${BLANK_LINE}" | cut -c1-$NUM_SPACES`

			LOGLINE1="${LOGLINE1}${SPACES}[ ${RESULT} ]"
		fi
	elif [ $WRITETOTTY -eq 1 -a -n "${COLOR}" ]; then
		LINE1="${COLOR}${LINE1}${NORMAL}"
	fi


	#
	# We can now output the message. We start with any required blank
	# lines, and then the first line. If this is a warning message we
	# write to the log file any additional lines.
	#

	if [ $SCREENNL -eq 1 ]; then
		test $QUIET -eq 0 -a $SHOWWARNINGSONLY -eq 0 -a $NOTTY -eq 0 && echo ""
	fi

	if [ $WRITETOTTY -eq 1 ]; then
		NLLOOP=$NL
		while test $NLLOOP -gt 0; do
			echo ""
			NLLOOP=`expr ${NLLOOP} - 1`
		done

		if [ "${NONL}" = "c" ]; then
			echo $ECHOOPT "${LINE1}\c"
		else
			echo $NONL $ECHOOPT "${LINE1}"
		fi
	fi

	if [ $WRITETOLOG -eq 1 ]; then
		echo $ECHOOPT "${LOGLINE1}" >>${RKHLOGFILE}

		if [ $WARN_MSG -eq 1 ]; then
			test $SHOWWARNINGSONLY -eq 1 && echo $ECHOOPT "${LOGLINE1}" | cut -d' ' -f2-

			LINE1=1
			OLDIFS="${IFS}"
			IFS=$IFSNL

			for LOGLINE1 in `grep "^${MSG}:" ${LANG_FILE} 2>/dev/null | cut -d: -f2-`; do
				if [ $LINE1 -eq 1 ]; then
					LINE1=0
					continue
				else
					test $SHOWWARNINGSONLY -eq 1 && echo $ECHOOPT "         ${LOGLINE1}"
					echo $ECHOOPT "           ${LOGLINE1}" >>${RKHLOGFILE}
				fi
			done

			IFS="${OLDIFS}"
		elif [ $SHOWWARNINGSONLY -eq 1 -a -n "`echo \"${LOGLINE1}\" | grep '^\[[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\]         '`" ]; then
			echo $ECHOOPT "${LOGLINE1}" | cut -d' ' -f2-
		fi
	fi

	#
	# Output a final blank line if requested to do so.
	#

	test $WRITETOTTY -eq 1 -a $NLAFTER -eq 1 && echo ""

	return
}


keypresspause() {

	#
	# This function will display a prompt message to the user.
	#

	if [ $SKIP_KEY_PRESS -eq 0 -a $QUIET -eq 0 ]; then
		display --to SCREEN --type PLAIN --nl PRESSENTER
		read RKHTMPVAR

		test "${RKHTMPVAR}" = "s" -o "${RKHTMPVAR}" = "S" && SKIP_KEY_PRESS=1
	fi

	return
}


get_option() {

	#
	# This function is used to process configuration file options.
	#
	# Syntax: get_option <option type> [single | multi] <option name>
	#
	# Since different options require different needs, the first
	# parameter is the 'type' of option we are processing. The second
	# parameter is the word 'single' or 'multi'. This indicates if
	# the option can occur on one or more lines in the configuration
	# file. The third parameter is the option name.
	#
	# There are currently two types defined:
	#
	# Type 1: A number, single word or pathname.
	# Type 2: A space-separated word list.
	#
	# Typically, single and double-quotes, spaces and tabs will be
	# removed. For type 2 options, tabs are converted to spaces, and
	# all spaces are squeezed into one. Leading and trailing spaces
	# are removed. All other types of options are processed separately.
	#
	# The function will output the final modified option.
	#
	# NOTE: This function is currently implemented such that if it returns
	# a non-zero code, then RKH will exit at the relevant point with a
	# return code of 1. However, the function does not currently return a
	# non-zero code at any time.
	#

	OPTTYPE="$1"
	OPTMULTI="$2"
	OPTV="$3"


	#
	# First see if the option is in the configuration file, and if
	# it is then process it according to the multi-line argument.
	#

	if [ -z "`grep -h \"^${OPTV}=\" ${CONFIGFILE} ${LOCALCONFIGFILE}`" ]; then
		echo ""
		return 0
	else
		case "${OPTMULTI}" in
		single)
			OPTVAR=`grep -h "^${OPTV}=" ${CONFIGFILE} ${LOCALCONFIGFILE} | tail ${TAIL_OPT}1 | sed -e "s/${OPTV}=//"`
			;;
		multi)
			OPTVAR=`grep -h "^${OPTV}=" ${CONFIGFILE} ${LOCALCONFIGFILE} | sed -e "s/${OPTV}=//"`
			;;
		*)
			echo "Error: Invalid multi-line argument in get_option function: $*" >&2

			# Treat this as a single-line option.
			OPTVAR=`grep -h "^${OPTV}=" ${CONFIGFILE} ${LOCALCONFIGFILE} | tail ${TAIL_OPT}1 | sed -e "s/${OPTV}=//"`
			;;
		esac
	fi


	#
	# Now process the option.
	#

	case "$OPTTYPE" in
	1)
		OPTVAR=`echo "${OPTVAR}" | tr -d '" 	' | tr -d "'"`
		;;
	2)
		OPTVAR=`echo "${OPTVAR}" | tr -s '	 ' '  '`

		#
		# We must handle the MAIL_CMD option specially because it may
		# contain quote characters, and we do not want to remove these.
		# We also change any NL characters to spaces. This causes 'multi'
		# options to become one line of space-separated items.
		#

		if [ "${OPTV}" != "MAIL_CMD" ]; then
			OPTVAR=`echo "${OPTVAR}" | sed -e 's/^ *"* *//; s/ *"* *$//' | sed -e "s/^ *'* *//; s/ *'* *$//"`

			#
			# For 'multi' options, which are allowed to be on more than one
			# line, we join the lines together and remove any leading or
			# trailing spaces.
			#
			# Note: Do not combine these two lines. Sun 'sed' won't like it!
			#

			OPTVAR=`echo "${OPTVAR}" | tr '\n' ' '`
			OPTVAR=`echo "${OPTVAR}" | sed -e 's/^ *//; s/ *$//'`
		fi
		;;
	*)
		echo "Error: Invalid option type in get_option function: $*" >&2
		;;
	esac


	echo "${OPTVAR}"

	return 0
}


check_paths() {

	#
	# This function will check a supplied list of pathnames to
	# ensure the files and directories exist. It will also
	# check that directories such as '/' (root) are not present,
	# nor are pathnames with unwanted characters.
	#
	# The function only checks the pathnames. It is not possible
	# to modify the list in any way. The variable ERRCODE must be
	# set to zero before this function is called, and will be
	# set to one if any pathname fails a check.
	#
	# The first parameter is the list of pathnames to check. The
	# second parameter is the option name to be used in the error
	# messages. The third parameter is whether to be 'STRICT' or
	# not on the pathname. 'Strict' means that the entry must not
	# have any wildcard characters, and that it must exist.
	#

	OPT_VALUE=$1
	OPT_NAME=$2
	STRICT=$3

	test -z "${OPT_NAME}" && OPT_NAME=${OPT_VALUE}
	test -z "${STRICT}" && STRICT=0 || STRICT=1

	RKHTMPVAR=`eval echo \"\\$${OPT_VALUE}\"`

	test -z "${RKHTMPVAR}" && return


	#
	# We must check the strict entries first because the 'for' command
	# will expand it. Secondly, the strict option is usually going to be
	# used for single pathnames. So this should not look odd.
	#

	if [ $STRICT -eq 1 ]; then
		if [ -n "`echo \"${RKHTMPVAR}\" | grep '[][?*]'`" ]; then
			ERRCODE=1
			test $CONFIG_CHECK -eq 1 && RET_CODE=1
			echo "Invalid ${OPT_NAME} configuration option: Invalid pathname: ${RKHTMPVAR}"
			return
		fi
	fi


	#
	# Now check each pathname in the option.
	#

	for FNAME in ${RKHTMPVAR}; do
		#
		# For some options we may have to remove the leading character.
		#

		if [ "${OPT_NAME}" = "BINDIR" ]; then
			if [ -n "`echo \"${FNAME}\" | grep '^\+'`" ]; then
				FNAME=`echo "${FNAME}" | cut -c2-`
			fi
		elif [ "${OPT_NAME}" = "USER_FILEPROP_FILES_DIRS" ]; then
			if [ -n "`echo \"${FNAME}\" | grep '^!'`" ]; then
				FNAME=`echo "${FNAME}" | cut -c2-`
				# Re-expand the name in case it has globbing characters.
				FNAME=`echo ${FNAME}`
			fi
		elif [ "${OPT_NAME}" = "RTKT_FILE_WHITELIST" ]; then
			FNAME=`echo "${FNAME}" | cut -d: -f1`
			FNAME=`echo "${FNAME}" | tr '%' ' '`
		else
			case "${OPT_NAME}" in
			RTKT_DIR_WHITELIST|ALLOWDEVFILE|ALLOWHIDDENFILE|ALLOWHIDDENDIR)
				FNAME=`echo "${FNAME}" | tr '%' ' '`
				;;
			esac
		fi

		#
		# First check for anything which contains just dots.
		# Also check that '/' has not been set.
		#

		if [ -n "`echo \"${FNAME}\" | egrep '(^[./]*$)|[;&]|/\.\./'`" ]; then
			ERRCODE=1
			test $CONFIG_CHECK -eq 1 && RET_CODE=1
			echo "Invalid ${OPT_NAME} configuration option: Invalid pathname: ${FNAME}"
			continue
		fi

		#
		# For the user file properties list none of the filenames may
		# contain a colon character, because they are going to be
		# stored in a colon-separated record.
		#

		if [ "${OPT_NAME}" = "USER_FILEPROP_FILES_DIRS" ]; then
			if [ -n "`echo \"${FNAME}\" | grep ':'`" ]; then
				ERRCODE=1
				test $CONFIG_CHECK -eq 1 && RET_CODE=1
				echo "Invalid ${OPT_NAME} configuration option: Invalid pathname: ${FNAME}"
				continue
			fi
		fi

		#
		# Next we check to see if it is a relative pathname.
		#

		if [ -n "`echo \"${FNAME}\" | grep '^[^/].*/'`" ]; then
			ERRCODE=1
			test $CONFIG_CHECK -eq 1 && RET_CODE=1
			echo "Invalid ${OPT_NAME} configuration option: Invalid pathname: ${FNAME}"
		elif [ -z "`echo \"${FNAME}\" | grep '^/'`" ]; then
			#
			# Now we check to see if it is a simple file name.
			#

			#
			# Simple file names are allowed for some options.
			#

			case "${OPT_NAME}" in
			USER_FILEPROP_FILES_DIRS|HASH_FUNC|WEBCMD|*_CMD)
				continue
				;;
			esac

			ERRCODE=1
			test $CONFIG_CHECK -eq 1 && RET_CODE=1
			echo "Invalid ${OPT_NAME} configuration option: Invalid pathname: ${FNAME}"
		else
			#
			# It's an absolute pathname. This could be a file, a directory,
			# some other file type, or a non-existent name.
			#

			#
			# This is as far as we go for some options. These pathnames may,
			# or may not exist, or may be things other than just files and
			# directories.
			#

			case "${OPT_NAME}" in
			EXISTWHITELIST|ALLOWDEVFILE|PKGMGR_NO_VRFY)
				continue
				;;
			esac

			#
			# Now test for the different file types.
			#

			if [ -f "${FNAME}" ]; then
				case "${OPT_NAME}" in
				ALLOWHIDDENDIR|TMPDIR|DBDIR|BINDIR|SCRIPTDIR|SSH_CONFIG_DIR|SUSPSCAN_DIRS|SUSPSCAN_TEMP)
					ERRCODE=1
					test $CONFIG_CHECK -eq 1 && RET_CODE=1
					echo "Invalid ${OPT_NAME} configuration option: Not a directory: ${FNAME}"
					;;
				esac
			elif [ -d "${FNAME}" ]; then
				#
				# For the ALLOWHIDDENFILE option we need to allow
				# a hidden symbolic link to a directory.
				#

				test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue


				case "${OPT_NAME}" in
				WRITEWHITELIST|IMMUTWHITELIST|SCRIPTWHITELIST|ALLOWHIDDENFILE|LOGFILE|SYSLOG_CONFIG_FILE|INETD_CONF_PATH|XINETD_CONF_PATH|PASSWORD_FILE|RTKT_FILE_WHITELIST|OS_VERSION_FILE|IGNORE_PRELINK_DEP_ERR|WEBCMD|*_CMD)
					ERRCODE=1
					test $CONFIG_CHECK -eq 1 && RET_CODE=1
					echo "Invalid ${OPT_NAME} configuration option: Not a file: ${FNAME}"
					;;
				esac
			elif [ -h "${FNAME}" ]; then
				#
				# Generally we will accept broken links since the code will
				# simply not be able to use them. However, for strict paths
				# these are not allowed. We make an exception for BINDIR because
				# it is possible for the system to end up with a broken link,
				# which causes no harm.
				#

				test "${OPT_NAME}" = "BINDIR" && continue

				if [ $STRICT -eq 1 ]; then
					ERRCODE=1
					test $CONFIG_CHECK -eq 1 && RET_CODE=1
					echo "Invalid ${OPT_NAME} configuration option: Broken link found: ${FNAME}"
				fi
			elif [ -e "${FNAME}" ]; then
				#
				# This is as far as we go for the hidden files. A hidden
				# 'file' can actually be anything other than a directory.
				# Similarly, a rootkit 'file' could be something other than
				# a regular file. So we allow them.
				#

				test "${OPT_NAME}" = "ALLOWHIDDENFILE" -o "${OPT_NAME}" = "RTKT_FILE_WHITELIST" && continue

				ERRCODE=1
				test $CONFIG_CHECK -eq 1 && RET_CODE=1

				case "${OPT_NAME}" in
				ALLOWHIDDENDIR|TMPDIR|DBDIR|BINDIR|SCRIPTDIR|SSH_CONFIG_DIR|RTKT_DIR_WHITELIST|SUSPSCAN_DIRS|SUSPSCAN_TEMP)
					RKHTMPVAR2="directory"
					;;
				LOGFILE|SYSLOG_CONFIG_FILE|INETD_CONF_PATH|XINETD_CONF_PATH|PASSWORD_FILE|OS_VERSION_FILE|IGNORE_PRELINK_DEP_ERR|WEBCMD|*_CMD)
					RKHTMPVAR2="file"
					;;
				*)
					RKHTMPVAR2="file or directory"
					;;
				esac

				echo "Invalid ${OPT_NAME} configuration option: Not a ${RKHTMPVAR2}: ${FNAME}"
			else
				#
				# Some 'strict' things don't need to exist.
				#

				case "${OPT_NAME}" in
				LOGFILE|BINDIR|SUSPSCAN_DIRS)
					continue
					;;
				esac

				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\./\\\./g'`

				if [ -z "`echo \"${EXISTWHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
					if [ $STRICT -eq 1 ]; then
						ERRCODE=1
						test $CONFIG_CHECK -eq 1 && RET_CODE=1
						echo "Invalid ${OPT_NAME} configuration option: Non-existent pathname: ${FNAME}"
					fi
				fi
			fi
		fi
	done

	return
}


check_is_digit() {

	#
	# This function checks to see if an option is a valid
	# number or not. Typically it must be 0 or 1.
	#
	# The first parameter is the variable name to check. The
	# second parameter is the option name to be used in the error
	# messages. An optional third parameter may be given to specify
	# that other values are allowed. If this is set to 'ANY', then
	# any positive number is allowed. If it is set to 'ANY1', then
	# the number must be greater than zero.
	#

	OPT_VALUE=$1
	OPT_NAME=$2
	OTHERS=$3

	test -z "${OPT_NAME}" && OPT_NAME=${OPT_VALUE}
	test -z "${OTHERS}" && OTHERS=0

	RKHTMPVAR=`eval echo "\"\\$${OPT_VALUE}\""`

	test -z "${RKHTMPVAR}" && return


	#
	# If ANY1 is given, then 0 is not a valid number.
	#

	if [ "${RKHTMPVAR}" = "0" -a "${OTHERS}" = "ANY1" ]; then
		ERRCODE=1
		test $CONFIG_CHECK -eq 1 && RET_CODE=1
		echo "Invalid ${OPT_NAME} configuration option: not a valid number: ${RKHTMPVAR}"
	elif [ "${RKHTMPVAR}" != "0" -a "${RKHTMPVAR}" != "1" ]; then
		#
		# Some options may allow a slightly different value.
		#

		if [ -n "${OTHERS}" ]; then
			if [ "${OTHERS}" = "ANY" -a -n "`echo \"${RKHTMPVAR}\" | grep '^[0-9][0-9]*$'`" ]; then
				return
			elif [ "${OTHERS}" = "ANY1" -a -n "`echo \"${RKHTMPVAR}\" | grep '^[1-9][0-9]*$'`" ]; then
				return
			elif [ "${RKHTMPVAR}" = "${OTHERS}" ]; then
				return
			fi
		fi

		ERRCODE=1
		test $CONFIG_CHECK -eq 1 && RET_CODE=1
		echo "Invalid ${OPT_NAME} configuration option: not a valid number: ${RKHTMPVAR}"
	fi

	return
}


get_temp_file() {

	#
	# This function will create an empty, unique temporary file.
	#
	# It takes one parameter which is the pathname for the file,
	# excluding the suffix. The function will return the pathname
	# in TEMPFILE.
	#

	TEMPFILE=""

	TEMPFILE_BASE=$1


	if [ -n "${MKTEMP_CMD}" ]; then
		TEMPFILE=`${MKTEMP_CMD} ${TEMPFILE_BASE}.XXXXXXXXXX`
	elif [ -n "$RANDOM" ]; then
		TEMPFILE="${TEMPFILE_BASE}.$RANDOM"
	elif [ $BSDOS -eq 1 ]; then
		TEMPFILE="${TEMPFILE_BASE}.`date +%s`"
	elif [ -n "`date +%N%s 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
		TEMPFILE="${TEMPFILE_BASE}.`date +%N%s%N`"
	else
		TEMPFILE="${TEMPFILE_BASE}.`date +%Y%m%d%H%M%S`"
	fi


	#
	# Remove the file just in case it already exists!
	#

	rm -f ${TEMPFILE} >/dev/null 2>&1

	return
}


suckit_extra_checks() {

	#
	# This function carries out some extra checks of the suckit rootkit.
	# There are 3 extra checks, but we only display the result after
	# all the checks have completed. As such we store the result of
	# each check in a variable, and display the final result based on
	# the value of those variables.
	#

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type PLAIN --log-indent 2 --nl ROOTKIT_ADD_SUCKIT_LOG
	fi


	ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

	#
	# The first check tests the link count of the /sbin/init file.
	# We use the NLINKS variable to indicate the test result:
	#	-1 means that no stat command was available
	#	 0 means that the stat command gave an error
	#	 1 is okay
	#	>1 means that suckit may be installed
	#

	NLINKS=-1

	if [ -n "${STAT_CMD}" ]; then
		if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
			NLINKS=`${STAT_CMD} --nlink /sbin/init 2>/dev/null`
		else
			NLINKS=`${STAT_CMD} -c %h /sbin/init 2>/dev/null`
		fi

		test -z "${NLINKS}" && NLINKS=0

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			if [ $NLINKS -eq 0 ]; then
				display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_LINK_COUNT "/sbin/init"
			elif [ $NLINKS -eq 1 ]; then
				display --to LOG --type PLAIN --result OK --log-indent 4 ROOTKIT_LINK_COUNT "/sbin/init"
			else
				display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_LINK_COUNT "/sbin/init"
			fi
		fi
	else
		display --to LOG --type PLAIN --result SKIPPED --log-indent 4 ROOTKIT_LINK_COUNT "/sbin/init"
	fi


	#
	# The next test checks to see if certain files are being
	# hidden. These files have the '.xrk' or '.mem' suffix.
	# The HIDDEN variable will be used to indicate the result:
	#	<null> is okay
	#	'xrk' means that the 'xrk' suffix is hidden
	#	'mem' means that the 'mem' suffix is hidden
	#

	HIDDEN=""

	for EXT in xrk mem; do
		get_temp_file "${RKHTMPDIR}/suckitexttest"

		touch ${TEMPFILE}
		rm -f ${TEMPFILE}.${EXT} >/dev/null 2>&1
		mv ${TEMPFILE} ${TEMPFILE}.${EXT}

		if [ ! -f "${TEMPFILE}.${EXT}" ]; then
			if [ -n "${HIDDEN}" ]; then
				HIDDEN="${HIDDEN} and ${EXT}"
			else
				HIDDEN=${EXT}
			fi
		fi

		rm -f "${TEMPFILE}.${EXT}" >/dev/null 2>&1
	done

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		if [ -z "${HIDDEN}" ]; then
			display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_ADD_SUCKIT_EXT
		else
			display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_ADD_SUCKIT_EXT
		fi
	fi


	#
	# Finally we perform a check using the skdet command, if it
	# is present. The SKDET variable will be used to indicate
	# the result:
	#	-1 means that skdet is not available
	#	 0 means that skdet found nothing
	#	 1 means that skdet found something
	#	 2 means that the version of skdet is unknown
	#
	# The variable SKDET_OUTPUT will contain any output from
	# the command.
	#

	SKDET=-1
	SKDET_OUTPUT=""
	SKDET_CMD=`find_cmd skdet`

	if [ -n "${SKDET_CMD}" ]; then
		display --to LOG --type INFO FOUND_CMD 'skdet' "${SKDET_CMD}"

		#
		# We need to check the skdet version first.
		#

		SKDET=0
		SKDETOPT=""
		SKDETVER=`${SKDET_CMD} -v 2>&1 | grep '^skdet.v' | awk -F'.' '{ print $1 }'`

		case "${SKDETVER}" in
		*v0)
			SKDETOPT="-a"
			;;
		*v1)
			SKDETOPT="-c"
			;;
		*)
			SKDET=2
			SKDET_OUTPUT=`${SKDET_CMD} -v 2>&1`
			;;
		esac

		if [ $SKDET -eq 0 ]; then
			SKDET_OUTPUT=`${SKDET_CMD} ${SKDETOPT} 2>&1 | tr -s ' ' | grep -i 'invis'`

			test -n "${SKDET_OUTPUT}" && SKDET=1
		fi

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			if [ $SKDET -eq 0 ]; then
				display --to LOG --type PLAIN --result OK --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
			else
				display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
			fi
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type PLAIN --result SKIPPED --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
		display --to LOG --type INFO NOT_FOUND_CMD 'skdet'
	fi


	#
	# Now we can display the results.
	#

	if [ $NLINKS -eq 1 -a -z "${HIDDEN}" -a $SKDET -le 0 ]; then
		display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_ADD_SUCKIT
	else
		ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
		ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}Suckit Rookit (additional checks), "

		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_ADD_SUCKIT

		if [ $NLINKS -eq -1 ]; then
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_LINK_NOCMD
		elif [ $NLINKS -eq 0 ]; then
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_LINK_COUNT_CMDERR "${STAT_CMD}" "/sbin/init"
		elif [ $NLINKS -gt 1 ]; then
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_LINK_FOUND "$NLINKS"
		fi

		if [ -n "${HIDDEN}" ]; then
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_EXT_FOUND "${HIDDEN}"
		fi

		if [ $SKDET -eq 1 ]; then
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_SKDET_FOUND "${SKDET_OUTPUT}"
		elif [ $SKDET -eq 2 ]; then
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_SKDET_VER "${SKDET_OUTPUT}"
		fi
	fi

	return
}


scanrootkit() {

	#
	# This function performs the actual check for a rootkit.
	# It uses the variables SCAN_ROOTKIT, SCAN_FILES, SCAN_DIRS
	# and SCAN_KSYMS. These will have been set before the
	# function is called.
	#

	SCAN_STATUS=0

	ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"
	fi


	#
	# First check to see if any of the known files exist.
	#

	FILE_FOUND=""

	for RKHTMPVAR2 in ${SCAN_FILES}; do
		RKHTMPVAR=`echo "${RKHTMPVAR2}" | tr '%' ' '`

		#
		# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
		# will search (on a per rootkit basis) for filenames in all of the directories (as defined
		# by the result of running 'find / -xdev'). While still not optimal, as it 
		# still searches for only file names as opposed to file contents, this is one step away
		# from the rigidity of searching in known (evidence) or default (installation) locations.
		#
		# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
		#
		# You should only activate this feature as part of a more thorough investigation which
		# should be based on relevant best practices and procedures. 
		# Apart from ameliorating the case with respect to functionality (e.g. reporting) this feature does not
		# concern itself with efficiency so asking for improvements like whitelisting, de-duping or false-positives is 
		# out of the question.
		#
		# Enabling this feature implies you have the knowledge to interpret the results properly.
		#

		case "${SCANROOTKITMODE}" in
		THOROUGH) # Search the whole filesystem
				test -n "${BASENAME_CMD}" && FNAME=`${BASENAME_CMD} "${RKHTMPVAR}"` || FNAME=`echo "${RKHTMPVAR}" | sed -e 's:^.*/::'`

				FILENAMES=`find / -xdev -name "${FNAME}"`

				if [ -z "${FILENAMES}" ]; then
					test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_FILE "${RKHTMPVAR}"
				else
					FOUND=0

					IFS=$IFSNL

					for FNAME in ${FILENAMES}; do
						if [ \( -f "${FNAME}" -a -s "${FNAME}" \) -o -b "${FNAME}" -o -c "${FNAME}" -o -h "${FNAME}" -o -p "${FNAME}" -o -S "${FNAME}" ]; then
							FOUND=1
							SCAN_STATUS=1
							FILE_FOUND="${FILE_FOUND}
${FNAME}"
						fi
					done

					IFS=$RKHIFS

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						test $FOUND -eq 0 && FOUND="NOT_FOUND" || FOUND="FOUND"
						display --to LOG --type PLAIN --result ${FOUND} --log-indent 2 ROOTKIT_FILES_DIRS_FILE "${RKHTMPVAR}"
					fi
				fi
				;;
			*) # Scan ze old vay
				if [ -f "${RKHTMPVAR}" ]; then
					#
					# We first check to see if the file is whitelisted. Note that we use
					# the un-translated file name. This allows us to check for filenames
					# with spaces, but without causing problems for our space-delimited test.
					#

					FNAMEGREP=`echo "${RKHTMPVAR2}" | sed -e 's/\./\\\./g'`

					if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
						display --to LOG --type INFO FILE_PROP_WL "${RKHTMPVAR}" known_rkts
					else
						SCAN_STATUS=1
						FILE_FOUND="${FILE_FOUND}
${RKHTMPVAR}"
					fi

					test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_FILE "${RKHTMPVAR}"
				elif [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_FILE "${RKHTMPVAR}"
				fi
				;;
		esac
	done


	#
	# Next check to see if any of the directories exist.
	#

	DIR_FOUND=""

	for RKHTMPVAR2 in ${SCAN_DIRS}; do
		RKHTMPVAR=`echo "${RKHTMPVAR2}" | tr '%' ' '`

		if [ -d "${RKHTMPVAR}" ]; then
			#
			# We first check to see if the directory is whitelisted. Note that we use
			# the un-translated directory name. This allows us to check for directory
			# names with spaces, but without causing problems for our space-delimited test.
			#

			FNAMEGREP=`echo "${RKHTMPVAR2}" | sed -e 's/\./\\\./g'`

			if [ -n "`echo \"${RTKT_DIR_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
				display --to LOG --type INFO FILE_PROP_WL_DIR "${RKHTMPVAR}" known_rkts
			else
				SCAN_STATUS=1
				DIR_FOUND="${DIR_FOUND}
${RKHTMPVAR}"
			fi

			test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "${RKHTMPVAR}"
		elif [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "${RKHTMPVAR}"
		fi
	done


	#
	# Next check the ksyms or kallsyms file.
	#

	KSYM_FOUND=""

	if [ -n "${SCAN_KSYMS}" ]; then
		for KS in ${SCAN_KSYMS}; do
			if [ -n "${KSYMS_FILE}" ]; then
				FNAMEGREP=`echo "${KS}" | sed -e 's/\./\\\./g'`

				if [ -n "`grep \"${FNAMEGREP}\" ${KSYMS_FILE}`" ]; then
					SCAN_STATUS=1
					KSYM_FOUND="${KSYM_FOUND}
${KS}"

					test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result FOUND  --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
				elif [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
				fi
			elif [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
			fi
		done
	fi


	#
	# Now display the results.
	#

	if [ $SCAN_STATUS -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
	else
		ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
		ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "

		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"


		#
		# Log any files, directories or ksyms found.
		#

		IFS=$IFSNL

		FILE_FOUND=`echo "${FILE_FOUND}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${FILE_FOUND}; do
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_FILE_FOUND "${RKHTMPVAR}"
		done

		DIR_FOUND=`echo "${DIR_FOUND}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${DIR_FOUND}; do
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_DIR_FOUND "${RKHTMPVAR}"
		done

		KSYM_FOUND=`echo "${KSYM_FOUND}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${KSYM_FOUND}; do
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_KSYM_FOUND "${RKHTMPVAR}"
		done

		IFS=$RKHIFS
	fi

	return
}


check_required_commands() {

	#
	# This function checks that the required commands are present
	# on the system. The function is called twice: initially to check
	# that we can at least start running rkhunter; and the second
	# time after we have processed BINDIR to ensure that all the
	# required commands are present. It takes one parameter used
	# to indicate which list of commands to check.
	#

	LEAVE=0

	if [ $1 -eq 1 ]; then
		CMDDIR="${RKHROOTPATH}"
		CMDNAMES="${ABSOLUTELY_REQUIRED_CMDS}"
	else
		CMDDIR="${BINPATHS}"
		CMDNAMES="${REQCMDS}"
	fi

	for CMD in ${CMDNAMES}; do
		SEEN=0

		for DIR in ${CMDDIR}; do
			if [ -f "${DIR}/${CMD}" -a -x "${DIR}/${CMD}" ]; then
				SEEN=1
				break
			fi
		done

		if [ $SEEN -eq 0 ]; then
			LEAVE=1
			echo "The command '${CMD}' must be present on the system in order to run rkhunter."
		fi
	done

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


check_commands() {

	#
	# We check for some commands used in the tests. If the command
	# is found then a variable including the command name is set.
	# These commands are not 'required', so nothing happens if the
	# command is not found. The commands can be defined in the
	# configuration file, and a value of 'DISABLED' will cause a
	# command to not exist. A value of 'BUILTIN' may be used for
	# the 'stat' and 'readlink' commands, to indicate that the
	# supplied scripts should be used. We have to handle the 'stat'
	# command in a special way so that the perl module does not get
	# used if the command is to be disabled.
	#

	ERRCODE=0

	for CMD in ${CMDLIST}; do
		CMDNAME=`echo ${CMD} | tr '[:lower:]' '[:upper:]'`
		CMDNAME="${CMDNAME}_CMD"


		#
		# See if the user has defined the command in
		# the configuration file.
		#

		CFG_CMD=`get_option 2 single "${CMDNAME}"` || exit 1

		if [ -n "${CFG_CMD}" ]; then
			if [ "${CFG_CMD}" = "DISABLED" -o "${CFG_CMD}" = "BUILTIN" ]; then
				eval ${CMDNAME}=\"${CFG_CMD}\"
			else
				MCMD=`echo "${CFG_CMD}" | cut -d' ' -f1`

				#
				# We must first check that the command name is valid.
				# The user may have included globbing characters, or
				# used multiple dots, and we do not allow that.
				#

				check_paths MCMD "${CMDNAME}" STRICT

				test $ERRCODE -eq 1 && continue

				#
				# Check that the command is executable.
				#

				if [ -n "`find_cmd ${MCMD}`" ]; then
					eval ${CMDNAME}=\"${CFG_CMD}\"
				else
					CFG_CMD=""
				fi
			fi
		fi


		#
		# If the command has not been predefined, or is not
		# executable, then go find the command to use.
		#

		test -z "${CFG_CMD}" && eval ${CMDNAME}=`find_cmd ${CMD}`
	done

	if [ $ERRCODE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
			return
		fi
	fi


	#
	# If we cannot find a 'stat' command, or the supplied script is to
	# be used, then we must check to see if perl is available. If it is,
	# then the supplied 'stat' script can be used.
	#

	if [ -n "${PERL_CMD}" -a "${PERL_CMD}" != "DISABLED" ]; then
		if [ -z "${STAT_CMD}" -o "${STAT_CMD}" = "BUILTIN" ]; then
			if [ -r "${SCRIPT_PATH}/check_modules.pl" ]; then
				MOD_INSTALLED=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl File::stat Getopt::Long 2>/dev/null | grep 'NOT installed'`
			else
				MOD_INSTALLED="module not found"
			fi

			if [ -z "${MOD_INSTALLED}" -a -r "${SCRIPT_PATH}/stat.pl" ]; then
				STAT_CMD="${PERL_CMD} ${SCRIPT_PATH}/stat.pl"
			else
				STAT_CMD=""
			fi
		fi
	elif [ "${STAT_CMD}" = "BUILTIN" ]; then
		STAT_CMD=""
	fi


	#
	# If the readlink command cannot be found, or it does not support
	# the '-f' option, then we must use the supplied shell script.
	#

	if [ -z "${READLINK_CMD}" -o "${READLINK_CMD}" = "BUILTIN" ]; then
		test -x "${SCRIPT_PATH}/readlink.sh" && READLINK_CMD="${SCRIPT_PATH}/readlink.sh" || READLINK_CMD=""
	elif [ -n "`${READLINK_CMD} -f ${SCRIPT_PATH}/readlink.sh 2>&1 >/dev/null`" ]; then
		test -x "${SCRIPT_PATH}/readlink.sh" && READLINK_CMD="${SCRIPT_PATH}/readlink.sh" || READLINK_CMD=""
	fi

	test -n "${READLINK_CMD}" && HAVE_READLINK=1


	#
	# For Solaris systems we should use the 'gstrings' command
	# rather than 'strings', if it is available.
	#

	if [ $SUNOS -eq 1 -a "${STRINGS_CMD}" != "DISABLED" ]; then
		RKHTMPVAR=`find_cmd gstrings`
		test -n "${RKHTMPVAR}" && STRINGS_CMD="${RKHTMPVAR}"
	fi


	#
	# Finally we must remove all the DISABLED commands.
	#

	for CMD in ${CMDLIST}; do
		RKHTMPVAR=`echo ${CMD} | tr '[:lower:]' '[:upper:]'`
		RKHTMPVAR="${RKHTMPVAR}_CMD"
		RKHTMPVAR2=`eval echo "\\$${RKHTMPVAR}"`

		test "${RKHTMPVAR2}" = "DISABLED" -o "${RKHTMPVAR2}" = "BUILTIN" && eval ${RKHTMPVAR}=\"\"
	done

	return
}


get_installdir_option() {

	#
	# This function obtains the RKH installation directory. It must
	# be set by the installer script, and has no default.
	#

	LEAVE=0

	RKHINSTALLDIR=`get_option 1 single INSTALLDIR` || exit 1

	if [ -z "${RKHINSTALLDIR}" ]; then
		LEAVE=1
		echo "Invalid INSTALLDIR configuration option - no installation directory specified."
	elif [ ! -d "${RKHINSTALLDIR}" ]; then
		LEAVE=1
		echo "Installation directory does not exist: ${RKHINSTALLDIR}"
	elif [ ! -r "${RKHINSTALLDIR}" ]; then
		LEAVE=1
		echo "Installation directory is not readable: ${RKHINSTALLDIR}"
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_language_option() {

	#
	# First get the option from the command-line or the
	# configuration file, and do a simple check on whether
	# it is empty or a space.
	#

	LEAVE=0

	if [ -n "${LANGUAGE}" ]; then
		LANGUAGE=`echo "${LANGUAGE}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${LANGUAGE}" ]; then
			LEAVE=1
			echo "Invalid '--language' option - no language given."
		fi
	else
		LANGUAGE=`get_option 1 single LANGUAGE` || exit 1
	fi

	#
	# If no language has been set, then use English.
	#

	test -z "${LANGUAGE}" && LANGUAGE="en"


	#
	# Now check that the language is available.
	#

	if [ ! -d "${DB_PATH}/i18n" ]; then
		LEAVE=1
		echo "The internationalisation directory does not exist: ${DB_PATH}/i18n"
	fi

	#
	# If we are using the '--update' option, then the language files
	# will be installed if they are missing. As such, we cannot check
	# them here.
	#

	if [ $LEAVE -eq 0 ]; then
		if [ ! -s "${DB_PATH}/i18n/${LANGUAGE}" -a "${LANGUAGE}" != "en" ]; then
			if [ $UPDATE_ONLY -eq 1 ]; then
				RKHLANGUPDT=1
			else
				LEAVE=1
				echo "The language specified is not available: ${LANGUAGE}"
				echo "Use the command 'rkhunter --lang en --list languages' to see the list of available languages."
			fi
		elif [ ! -s "${DB_PATH}/i18n/en" ]; then
			if [ $UPDATE_ONLY -eq 1 ]; then
				RKHLANGUPDT=1
			else
				LEAVE=1
				echo "The English language file must be present: ${DB_PATH}/i18n/en"
				echo "If it has been deleted, then you will need to run 'rkhunter --update' with no other options."
			fi
		fi
	fi

	#
	# Next sort out the locale used if the language is German.
	#

	if [ "${LANGUAGE}" = "de" ]; then
		ICONV_CMD=`find_cmd iconv`
		LOCALE_CMD=`find_cmd locale`

		if [ -n "${ICONV_CMD}" -a -n "${LOCALE_CMD}" ]; then
			RKHCHRMAP=`${LOCALE_CMD} charmap 2>/dev/null`
			test -n "${RKHCHRMAP}" && RKHCHKLOCALE=1
		fi
	fi

	#
	# Finally, find out what languages the user wants to be updated.
	# We add in the default language, and 'en', if they have not
	# been specified.
	#

	if [ $UPDATE -eq 1 ]; then
		UPDATE_LANG=`get_option 2 single UPDATE_LANG` || exit 1

		if [ -n "${UPDATE_LANG}" ]; then
			if [ -z "`echo \" ${UPDATE_LANG} \" | grep \" ${LANGUAGE} \"`" ]; then
				UPDATE_LANG="${UPDATE_LANG} ${LANGUAGE}"
			fi

			if [ -z "`echo \" ${UPDATE_LANG} \" | grep ' en '`" ]; then
				UPDATE_LANG="${UPDATE_LANG} en"
			fi
		fi
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_logfile_option() {

	#
	# First get the option from the command-line or the
	# configuration file, and do a simple check on whether
	# it is empty or a space.
	#

	LEAVE=0
	ERRCODE=0

	if [ -n "${RKHLOGFILE}" ]; then
		RKHLOGFILE=`echo "${RKHLOGFILE}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${RKHLOGFILE}" ]; then
			LEAVE=1
			echo "Invalid '--logfile' option - no logfile name given."
		fi
	else
		RKHLOGFILE=`get_option 1 single LOGFILE` || exit 1

		check_paths RKHLOGFILE LOGFILE STRICT

		if [ $ERRCODE -eq 0 ]; then
			if [ -z "${RKHLOGFILE}" ]; then
				RET_CODE=1
				RKHLOGFILE="${DFLT_LOGFILE}"
				echo "The default logfile will be used: ${RKHLOGFILE}"
			fi
		else
			LEAVE=1
		fi
	fi

	#
	# Now check that the given option is usable.
	#

	if [ $LEAVE -eq 1 ]; then
		:
	elif [ "${RKHLOGFILE}" = "/dev/null" ]; then
		APPEND_LOG=0
	else
		LOGDIR=`echo "${RKHLOGFILE}" | sed -e 's:/[^/][^/]*$::'`

		if [ -z "`echo \"${LOGDIR}\" | grep '/'`" ]; then
			LOGDIR="."
		fi

		if [ "${LOGDIR}" = "${RKHLOGFILE}" ]; then
			LEAVE=1
			echo "No log filename given: ${RKHLOGFILE}"
		elif [ ! -d "${LOGDIR}" ]; then
			LEAVE=1
			echo "Logfile directory does not exist: ${RKHLOGFILE}"
		elif [ ! -w "${LOGDIR}" ]; then
			LEAVE=1
			echo "Logfile directory is not writable: ${RKHLOGFILE}"
		elif [ ! -r "${LOGDIR}" ]; then
			LEAVE=1
			echo "Logfile directory is not readable: ${RKHLOGFILE}"
		elif [ -h "${RKHLOGFILE}" ]; then
			LEAVE=1
			echo "Logfile is a symbolic link: ${RKHLOGFILE}"
			echo "This is a security problem. The link points to another file, and that file is about to be modified by rkhunter."
		elif [ -e "${RKHLOGFILE}" -a ! -f "${RKHLOGFILE}" ]; then
			LEAVE=1
			echo "Logfile already exists but it is not a file: ${RKHLOGFILE}"
		fi


		#
		# Now check whether we should append to the logfile
		# or overwrite it. We check the configuration file
		# option, if it is given, and ensure that it is valid.
		#

		if [ $APPEND_OPT -eq 0 ]; then
			APPEND_LOG=`get_option 1 single APPEND_LOG` || exit 1

			if [ -n "${APPEND_LOG}" ]; then
				check_is_digit APPEND_LOG
			else
				APPEND_LOG=0
			fi
		fi


		#
		# Finally, check if the logfile should be copied if
		# there were any errors or warnings. Obviously no
		# copy is done if no logfile is used.
		#

		RKHTMPVAR=`get_option 1 single COPY_LOG_ON_ERROR` || exit 1

		if [ -n "${RKHTMPVAR}" ]; then
			check_is_digit RKHTMPVAR COPY_LOG_ON_ERROR

			test $ERRCODE -eq 0 && COPY_LOG_ON_ERROR=$RKHTMPVAR
		fi
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_tmpdir_option() {

	#
	# First get the option from the command-line or the
	# configuration file, and do a simple check on whether
	# it is empty or a space.
	#

	LEAVE=0
	ERRCODE=0

	if [ -n "${RKHTMPDIR}" ]; then
		RKHTMPDIR=`echo "${RKHTMPDIR}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${RKHTMPDIR}" ]; then
			LEAVE=1
			echo "Invalid '--tmpdir' option - no directory name given."
		fi
	else
		RKHTMPDIR=`get_option 1 single TMPDIR` || exit 1

		check_paths RKHTMPDIR TMPDIR STRICT

		if [ $ERRCODE -eq 0 ]; then
			if [ -z "${RKHTMPDIR}" ]; then
				RET_CODE=1
				RKHTMPDIR="${RKHINSTALLDIR}/lib/rkhunter/tmp"
				echo "The default temporary directory will be used: ${RKHTMPDIR}"
			fi
		else
			LEAVE=1
		fi
	fi

	#
	# Now check that the given option is usable.
	#

	if [ $LEAVE -eq 1 ]; then
		:
	elif [ ! -d "${RKHTMPDIR}" ]; then
		LEAVE=1
		echo "Temporary directory does not exist: ${RKHTMPDIR}"
	elif [ ! -w "${RKHTMPDIR}" ]; then
		LEAVE=1
		echo "Temporary directory is not writable: ${RKHTMPDIR}"
	elif [ ! -r "${RKHTMPDIR}" ]; then
		LEAVE=1
		echo "Temporary directory is not readable: ${RKHTMPDIR}"
	elif [ "${RKHTMPDIR}" = "/tmp" -o "${RKHTMPDIR}" = "/var/tmp" ]; then
		LEAVE=1
		echo "Do not use ${RKHTMPDIR} as the temporary directory."
		echo "This directory will be used by rkhunter to contain system files, so it must be secure."
	elif [ "${RKHTMPDIR}" = "/etc" ]; then
		LEAVE=1
		echo "Do not use ${RKHTMPDIR} as the temporary directory."
		echo "This directory will be used by rkhunter to copy and delete certain system files."
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_dbdir_option() {

	#
	# First get the option from the command-line or the
	# configuration file, and do a simple check on whether
	# it is empty or a space.
	#

	LEAVE=0
	ERRCODE=0

	if [ -n "${DB_PATH}" ]; then
		DB_PATH=`echo "${DB_PATH}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${DB_PATH}" ]; then
			LEAVE=1
			echo "Invalid '--dbdir' option - no directory name given."
		fi
	else
		DB_PATH=`get_option 1 single DBDIR` || exit 1

		check_paths DB_PATH DBDIR STRICT

		if [ $ERRCODE -eq 0 ]; then
			if [ -z "${DB_PATH}" ]; then
				RET_CODE=1
				DB_PATH="${RKHINSTALLDIR}/lib/rkhunter/db"
				echo "The default database directory will be used: ${DB_PATH}"
			fi
		else
			LEAVE=1
		fi
	fi

	#
	# Now check that the given option is usable.
	#

	if [ $LEAVE -eq 1 ]; then
		:
	elif [ ! -d "${DB_PATH}" ]; then
		LEAVE=1
		echo "Database directory does not exist: ${DB_PATH}"
	elif [ ! -r "${DB_PATH}" ]; then
		LEAVE=1
		echo "Database directory is not readable: ${DB_PATH}"
	elif [ $PROP_UPDATE -eq 1 -o $UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
		if [ ! -w "${DB_PATH}" ]; then
			LEAVE=1
			echo "Database directory is not writable: ${DB_PATH}"
		fi
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	RKHDAT_FILE="${DB_PATH}/rkhunter.dat"
	RKH_FILEPROP_LIST="${DB_PATH}/rkhunter_prop_list.dat"

	return
}


add_extra_dirs() {

	#
	# This functions takes care of any additional directories
	# that may exist on some systems. After the function is called
	# the value of EXTRA_DIRS must be added to whatever variable
	# is being used.
	#

	EXTRA_DIRS=""

	if [ $SUNOS -eq 1 ]; then
		#
		# Add in some other directories, and those which
		# contain the Sun 'companion' software.
		#

		test -d /usr/gnu && EXTRA_DIRS="${EXTRA_DIRS} /usr/gnu/bin /usr/gnu/sbin /usr/gnu/libexec"
		test -d /usr/sfw && EXTRA_DIRS="${EXTRA_DIRS} /usr/sfw/bin /usr/sfw/sbin /usr/sfw/libexec"
		test -d /opt/sfw && EXTRA_DIRS="${EXTRA_DIRS} /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec"
		test -d /usr/xpg4/bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/xpg4/bin"
		test -d /usr/ccs/bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/ccs/bin"
		test -d /usr/5bin -a ! -h /usr/5bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/5bin"
		test -d /usr/ucb && EXTRA_DIRS="${EXTRA_DIRS} /usr/ucb"


		#
		# OpenSolaris distributions (e.g. BeleniX) may use
		# other directories.
		#

		test -d /usr/foss && EXTRA_DIRS="${EXTRA_DIRS} /usr/foss/bin /usr/foss/sbin /usr/foss/libexec"
	elif [ $BSDOS -eq 1 ]; then
		test -d /usr/pkg && EXTRA_DIRS="${EXTRA_DIRS} /usr/pkg/bin /usr/pkg/sbin /usr/pkg/libexec"
	elif [ $MACOSX -eq 1 ]; then
		#
		# Cater for Fink (Mac OS X) additional software.
		#

		test -d /sw && EXTRA_DIRS="${EXTRA_DIRS} /sw/bin /sw/sbin"
	elif [ $IRIXOS -eq 1 ]; then
		test -d /usr/ucb && EXTRA_DIRS="${EXTRA_DIRS} /usr/ucb"
		test -d /usr/freeware && EXTRA_DIRS="${EXTRA_DIRS} /usr/freeware/bin /usr/freeware/sbin"
		test -d /usr/xpg4/bin && EXTRA_DIRS="${EXTRA_DIRS} /usr/xpg4/bin"
	elif [ -f "/etc/GoboLinuxVersion" ]; then
		#
		# We have no other easy way of detecting GoboLinux.
		# It has a peculiar filesystem layout, so we need to
		# add in this little bit of support to help it work
		# with RKH.
		#

		test -d "/System/Links/Executables" && EXTRA_DIRS="/System/Links/Executables"
	fi


	#
	# Finally check if there are any optional
	# bin and sbin directories present.
	#

	test -d /opt && EXTRA_DIRS="${EXTRA_DIRS} /opt/bin /opt/sbin"
	test -d /usr/opt && EXTRA_DIRS="${EXTRA_DIRS} /usr/opt/bin /usr/opt/sbin"

	return
}


get_bindir_option() {

	#
	# First get the option from the command-line or the
	# configuration file, and do a simple check on whether
	# it is empty or a space.
	#

	LEAVE=0
	ERRCODE=0

	if [ $BINDIR_OPT -eq 1 ]; then
		BINPATHS=`echo "${BINPATHS}" | tr -d '"' | tr -d "'" | tr -s '	 ' '  '`

		if [ "${BINPATHS}" = " " ]; then
			LEAVE=1
			echo "Invalid '--bindir' option - no directory names given."
		fi
	else
		BINPATHS=`get_option 2 multi BINDIR` || exit 1

		check_paths BINPATHS BINDIR STRICT

		if [ $ERRCODE -eq 0 ]; then
			if [ -z "${BINPATHS}" ]; then
				BINPATHS="${DFLT_BINPATHS}"


				#
				# Under some OS's /bin is a link to /usr/bin, so
				# there is no need to look in it.
				#

				if [ $SUNOS -eq 1 -o $IRIXOS -eq 1 -o "${OPERATING_SYSTEM}" = "AIX" ]; then
					if [ -h "/bin" ]; then
						RKHTMPVAR=""

						for DIR in ${BINPATHS}; do
							test "${DIR}" != "/bin" && RKHTMPVAR="${RKHTMPVAR} ${DIR}"
						done

						BINPATHS=`echo ${RKHTMPVAR}`
					fi
				fi


				add_extra_dirs
				BINPATHS="${BINPATHS}${EXTRA_DIRS}"
			fi
		else
			LEAVE=1
		fi
	fi


	#
	# The BINPATHS list is prepended with the root PATH. However,
	# any specified BINDIR directories beginning with a '+' will
	# be prepended before the root PATH.
	#
	# Once that has been done, we check that each directory begins
	# with a '/'. We remove any non-existent directories, but we do
	# not flag this as an error. We also remove any duplicate directories.
	#

	if [ $LEAVE -eq 0 ]; then
		RKHTMPVAR=""
		PREPEND_PATHS=""

		for DIR in ${BINPATHS}; do
			if [ -n "`echo ${DIR} | grep '^\+'`" ]; then
				DIR=`echo ${DIR} | cut -c2-`
				PREPEND_PATHS="${PREPEND_PATHS} ${DIR}"
			fi
		done

		PREPEND_PATHS=`echo ${PREPEND_PATHS}`


		for DIR in ${PREPEND_PATHS} ${RKHROOTPATH} ${BINPATHS}; do
			if [ -n "`echo ${DIR} | grep '^\+'`" ]; then
				# These will already be in PREPEND_PATHS.
				continue
			elif [ -z "`echo ${DIR} | grep '^/'`" ]; then
				LEAVE=1
				test $BINDIR_OPT -eq 1 && RKHTMPVAR2="'--bindir'" || RKHTMPVAR2="BINDIR configuration"
				echo "Invalid ${RKHTMPVAR2} option: Invalid directory found: ${DIR}"
			elif [ -e "${DIR}" ]; then
				if [ -d "${DIR}" ]; then
					DIR=`echo "${DIR}" | tr -s '/' | sed -e 's:/$::'`

					if [ -z "`echo \" ${RKHTMPVAR} \" | grep \" ${DIR} \"`" ]; then
						RKHTMPVAR="${RKHTMPVAR} ${DIR}"
					fi
				else
					LEAVE=1
					test $BINDIR_OPT -eq 1 && RKHTMPVAR2="'--bindir'" || RKHTMPVAR2="BINDIR configuration"
					echo "Invalid ${RKHTMPVAR2} option: Not a directory: ${DIR}"
				fi
			fi
		done

		BINPATHS=`echo ${RKHTMPVAR}`
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_scriptdir_option() {

	#
	# Get the value from the configuration file, and do a simple
	# check on whether it is empty or a space.
	#
	# Note: The installer will set this option. As such there
	# is no default.
	#

	LEAVE=0
	ERRCODE=0

	SCRIPT_PATH=`get_option 1 single SCRIPTDIR` || exit 1

	check_paths SCRIPT_PATH SCRIPTDIR STRICT

	if [ $ERRCODE -eq 0 ]; then
		if [ -z "${SCRIPT_PATH}" ]; then
			LEAVE=1
			echo "The SCRIPTDIR configuration option has not been set by the installer."
		fi
	else
		LEAVE=1
	fi

	#
	# Now check that the given option is usable.
	#

	if [ $LEAVE -eq 1 ]; then
		:
	elif [ ! -r "${SCRIPT_PATH}" ]; then
		LEAVE=1
		echo "Script directory is not readable: ${SCRIPT_PATH}"
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


find_cmd() {

	#
	# This function performs a search of the BINPATHS directories
	# looking for the requested command. The full pathname is
	# returned if the command is found.
	#
	# If a full pathname is provided then we simply check that
	# it is executable.
	#

	CMD=$1

	test -z "${CMD}" && return

	if [ -n "`echo ${CMD} | grep '/'`" ]; then
		test -f "${CMD}" -a -x "${CMD}" && echo "${CMD}"
	else
		for CMDDIR in ${BINPATHS}; do
			if [ -f "${CMDDIR}/${CMD}" -a -x "${CMDDIR}/${CMD}" ]; then
				echo "${CMDDIR}/${CMD}"
				return
			fi
		done
	fi

	return
}


get_rootdir_option() {

	RKHTMPVAR=`get_option 1 single ROOTDIR` || exit 1

	if [ -n "${RKHTMPVAR}" ]; then
		echo "The ROOTDIR configuration option is now deprecated."
	fi

	return
}


get_existwl_option() {

	#
	# This function gets the configuration option used to whitelist
	# files and directories from existing on the system. That is, they
	# may or may not exist at the time of checking, but either way it
	# will not cause an error.
	#
	# This option must be processed before other options because it will
	# be used to whitelist some subsequent configuration option pathnames.
	#

	ERRCODE=0

	EXISTWHITELIST=`get_option 2 multi EXISTWHITELIST` || exit 1

	if [ -n "${EXISTWHITELIST}" ]; then
		#
		# We 'echo' the variable so that any wildcards get expanded.
		#

		EXISTWHITELIST=`echo ${EXISTWHITELIST}`

		check_paths EXISTWHITELIST

		if [ $ERRCODE -eq 0 ]; then
			EXISTWHITELIST=" ${EXISTWHITELIST} "
		else
			if [ $CONFIG_CHECK -eq 0 ]; then
				exit 1
			else
				RET_CODE=1
			fi
		fi
	fi

	return
}


get_mailonwarn_option() {

	#
	# Get the option from the configuration file. If it is set,
	# then we get the MAIL_CMD option as well.
	#

	LEAVE=0
	ERRCODE=0

	MAILONWARNING=`get_option 2 single MAIL-ON-WARNING` || exit 1

	if [ -n "${MAILONWARNING}" ]; then
		MAIL_CMD=`get_option 2 single MAIL_CMD` || exit 1

		test -z "${MAIL_CMD}" && MAIL_CMD="mail -s \"[rkhunter] Warnings found for \${HOST_NAME}\""

		MCMD=`echo "${MAIL_CMD}" | cut -d' ' -f1`

		check_paths MCMD MAIL_CMD STRICT

		if [ $ERRCODE -eq 0 ]; then
			#
			# Check that the mail command is executable.
			#

			MC=`find_cmd ${MCMD}`

			if [ -n "${MC}" ]; then
				#
				# We rebuild the command to use the full pathname.
				#

				MCMD=`echo "${MAIL_CMD}" | cut -d' ' -f2-`

				if [ -z "${MCMD}" -o "${MCMD}" = "${MAIL_CMD}" ]; then
					MAIL_CMD=$MC
				else
					MAIL_CMD="${MC} ${MCMD}"
				fi
			else
				LEAVE=1
				echo "Invalid MAIL_CMD configuration option - command '${MCMD}' is non-existent or not executable."
			fi
		else
			LEAVE=1
		fi

		if [ $LEAVE -eq 1 ]; then
			if [ $CONFIG_CHECK -eq 0 ]; then
				exit 1
			else
				RET_CODE=1
			fi
		fi
	elif [ -z "`grep -h \"^MAIL-ON-WARNING=\" ${CONFIGFILE} ${LOCALCONFIGFILE}`" ]; then
		RET_CODE=1
		echo "No MAIL-ON-WARNING option has been configured."
	fi

	return
}


get_webcmd_option() {

	#
	# Get the option from the configuration file. If it is set,
	# then we set the RKHWEBCMD_OPTS option as well if necessary.
	#
	# For backwards compatability we will also check for WEBCMD.
	#

	LEAVE=0
	ERRCODE=0

	RKHWEBCMD=`get_option 2 single WEB_CMD` || exit 1

	if [ -z "${RKHWEBCMD}" ]; then
		RKHWEBCMD=`get_option 2 single WEBCMD` || exit 1
	fi

	if [ -n "${RKHWEBCMD}" ]; then
		WCMD=`echo "${RKHWEBCMD}" | cut -d' ' -f1`

		check_paths WCMD WEB_CMD STRICT

		#
		# Check that the command is executable.
		#

		if [ $ERRCODE -eq 0 ]; then
			WC=`find_cmd ${WCMD}`

			if [ -n "${WC}" ]; then
				#
				# We find if there any command options, and set
				# the command to use the full pathname.
				#

				RKHWEBCMD_OPTS=`echo "${RKHWEBCMD}" | cut -d' ' -f2-`

				test "${RKHWEBCMD_OPTS}" = "${RKHWEBCMD}" && RKHWEBCMD_OPTS=""

				RKHWEBCMD="${WC}"
				test -n "${BASENAME_CMD}" && RKHWEBCMD_BASE=`${BASENAME_CMD} ${WC}` || RKHWEBCMD_BASE=`echo "${WC}" | sed -e 's:^.*/::'`
			else
				LEAVE=1
				echo "Invalid WEB_CMD configuration option - command '${WCMD}' is non-existent or not executable."
			fi
		else
			LEAVE=1
		fi
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_syslog_option() {

	#
	# First see if we want to use syslog or not from the command-line
	# or configuration file.
	#

	LEAVE=0

	if [ -n "${USE_SYSLOG}" ]; then
		USE_SYSLOG=`echo "${USE_SYSLOG}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${USE_SYSLOG}" ]; then
			LEAVE=1
			echo "Invalid '--syslog' option - no facility/priority names given."
		fi
	else
		USE_SYSLOG=`get_option 1 single USE_SYSLOG` || exit 1
	fi


	#
	# If we are to use syslog, then get the facility and priority levels.
	# Additionally, test that they are valid.
	#

	if [ -n "${USE_SYSLOG}" ]; then
		USE_SYSLOG=`echo "${USE_SYSLOG}" | tr '[:upper:]' '[:lower:]'`

		if [ "${USE_SYSLOG}" = "none" ]; then
			# The value of 'none' will be processed later on.
			if [ $LEAVE -eq 1 ]; then
				if [ $CONFIG_CHECK -eq 0 ]; then
					exit 1
				else
					RET_CODE=1
					return
				fi
			fi
		elif [ -z "`echo \"${USE_SYSLOG}\" | grep '^[a-z][a-z0-7]*\.[a-z][a-z]*$'`" ]; then
			LEAVE=1
			echo "Invalid syslog facility/priority value: ${USE_SYSLOG}"
		fi

		if [ $LEAVE -eq 0 ]; then
			FOUND=0

			SYSLOG_F=`echo "${USE_SYSLOG}" | cut -d. -f1`
			SYSLOG_P=`echo "${USE_SYSLOG}" | cut -d. -f2`

			for RKHTMPVAR in auth authpriv cron daemon kern user local0 local1 local2 local3 local4 local5 local6 local7; do
				if [ "${SYSLOG_F}" = "${RKHTMPVAR}" ]; then
					FOUND=1
					break
				fi
			done

			if [ $FOUND -eq 0 ]; then
				LEAVE=1
				echo "Invalid syslog facility name: ${SYSLOG_F}"
			else
				FOUND=0

				for RKHTMPVAR in debug info notice warning err crit alert emerg; do
					if [ "${SYSLOG_P}" = "${RKHTMPVAR}" ]; then
						FOUND=1
						break
					fi
				done

				if [ $FOUND -eq 0 ]; then
					LEAVE=1
					echo "Invalid syslog priority name: ${SYSLOG_P}"
				fi
			fi
		fi
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_ssh_options() {

	#
	# We check some SSH options in this function. They can only
	# be set in the configuration file.
	#

	#
	# See if the ALLOW_SSH_ROOT_USER option is specified in the
	# configuration file. The value should match what has been set
	# in the SSH configuration file for the PermitRootLogin option.
	# As such it's value is not just zero or one.
	#

	LEAVE=0

	ALLOW_SSH_ROOT_USER=`get_option 1 single ALLOW_SSH_ROOT_USER` || exit 1

	if [ -n "${ALLOW_SSH_ROOT_USER}" ]; then
		ALLOW_SSH_ROOT_USER=`echo "${ALLOW_SSH_ROOT_USER}" | tr '[:upper:]' '[:lower:]'`
	else
		#
		# By default SSH tends to allow root access. However, we
		# do not. By setting this option to 'no', the user will
		# receive a warning unless they set the options the same.
		#

		ALLOW_SSH_ROOT_USER="no"
	fi


	#
	# See if the ALLOW_SSH_PROT_V1 option is specified in the
	# configuration file.
	#

	ERRCODE=0

	ALLOW_SSH_PROT_V1=`get_option 1 single ALLOW_SSH_PROT_V1` || exit 1

	if [ -n "${ALLOW_SSH_PROT_V1}" ]; then
		check_is_digit ALLOW_SSH_PROT_V1 ALLOW_SSH_PROT_V1 2

		test $ERRCODE -eq 1 && LEAVE=1
	else
		ALLOW_SSH_PROT_V1=0
	fi


	#
	# See if the directory of the SSH configuration file has been set.
	#

	ERRCODE=0

	SSH_CONFIG_DIR=`get_option 1 single SSH_CONFIG_DIR` || exit 1

	if [ -n "${SSH_CONFIG_DIR}" ]; then
		check_paths SSH_CONFIG_DIR SSH_CONFIG_DIR STRICT

		if [ $ERRCODE -eq 0 ]; then
			if [ ! -r "${SSH_CONFIG_DIR}" ]; then
				LEAVE=1
				echo "The SSH configuration file directory is not readable: ${SSH_CONFIG_DIR}"
			fi
		else
			LEAVE=1
		fi
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_syslog_config_options() {

	#
	# We check some syslog configuration options in this function.
	# They can only be set in the configuration file.
	#

	#
	# See if the ALLOW_SYSLOG_REMOTE_LOGGING option is specified
	# in the configuration file.
	#

	ERRCODE=0

	ALLOW_SYSLOG_REMOTE_LOGGING=`get_option 1 single ALLOW_SYSLOG_REMOTE_LOGGING` || exit 1

	if [ -n "${ALLOW_SYSLOG_REMOTE_LOGGING}" ]; then
		check_is_digit ALLOW_SYSLOG_REMOTE_LOGGING
	else
		ALLOW_SYSLOG_REMOTE_LOGGING=0
	fi


	#
	# See if the pathname to the syslog configuration file has been set.
	#

	SYSLOG_CONFIG_FILE=`get_option 2 multi SYSLOG_CONFIG_FILE` || exit 1

	if [ -n "${SYSLOG_CONFIG_FILE}" ]; then
		if [ -n "`echo \"${SYSLOG_CONFIG_FILE}\" | grep -i '^none$'`" ]; then
			SYSLOG_CONFIG_FILE="NONE"
		else
			check_paths SYSLOG_CONFIG_FILE SYSLOG_CONFIG_FILE STRICT
		fi
	fi


	if [ $ERRCODE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_auto_x_option() {

	#
	# For the second colour set we first see if the auto X detect option
	# has been set. If it is set, and X is in use, then the second colour
	# set is used. If X is not in use, or the auto detect option is not
	# set, then we only use the second colour set if the command-line
	# option is used or it is configured in the configuration file.
	#

	LEAVE=0
	ERRCODE=0

	if [ $AUTO_X_OPT -eq 0 ]; then
		AUTO_X_DTCT=`get_option 1 single AUTO_X_DETECT` || exit 1

		if [ -n "${AUTO_X_DTCT}" ]; then
			check_is_digit AUTO_X_DTCT AUTO_X_DETECT

			test $ERRCODE -eq 1 && LEAVE=1
		else
			AUTO_X_DTCT=0
		fi
	fi


	if [ $AUTO_X_DTCT -eq 1 -a -n "$DISPLAY" ]; then
		CLRSET2=1
	fi


	if [ $CLRSET2 -eq 0 ]; then
		ERRCODE=0

		CLRSET2=`get_option 1 single COLOR_SET2` || exit 1

		if [ -n "${CLRSET2}" ]; then
			check_is_digit CLRSET2 COLOR_SET2

			test $ERRCODE -eq 1 && LEAVE=1
		else
			CLRSET2=0
		fi
	fi


	#
	# Finally, we get the option to see if whitelisted
	# results are to be shown as white rather than green.
	#

	ERRCODE=0

	WLIST_IS_WHITE=`get_option 1 single WHITELISTED_IS_WHITE` || exit 1

	if [ -n "${WLIST_IS_WHITE}" ]; then
		check_is_digit WLIST_IS_WHITE WHITELISTED_IS_WHITE

		test $ERRCODE -eq 1 && LEAVE=1
	else
		WLIST_IS_WHITE=0
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_locking_options() {

	#
	# This function gets the configuration options to see if locking
	# should be used when RKH is run. The mechanism for locking uses
	# a simple timer, and will display some basic messages while RKH
	# is trying to get the lock.
	#
	# All of these options can only be set in the configuration file.
	#

	LEAVE=0
	ERRCODE=0

	USE_LOCKING=`get_option 1 single USE_LOCKING` || exit 1

	if [ -n "${USE_LOCKING}" ]; then
		check_is_digit USE_LOCKING

		if [ $ERRCODE -eq 1 ]; then
			LEAVE=1
			USE_LOCKING=0
		fi
	else
		USE_LOCKING=0
	fi

	test $USE_LOCKING -eq 0 && return


	#
	# Now get the lock timeout value. This must be a positive integer.
	# The default value is 300 seconds (5 minutes).
	#

	ERRCODE=0

	LOCK_TIMEOUT=`get_option 1 single LOCK_TIMEOUT` || exit 1

	if [ -n "${LOCK_TIMEOUT}" ]; then
		check_is_digit LOCK_TIMEOUT LOCK_TIMEOUT ANY1

		test $ERRCODE -eq 1 && LEAVE=1
	else
		LOCK_TIMEOUT=300
	fi


	#
	# Finally, we get the option to see if any lock messages should
	# be shown or not. If the user has used the '--quiet' option,
	# then we cannot display the lock messages. Otherwise, these are
	# only shown on the screen, and not logged anywhere. The default
	# is to show the messages.
	#

	ERRCODE=0

	SHOW_LOCK_MSGS=`get_option 1 single SHOW_LOCK_MSGS` || exit 1

	if [ -n "${SHOW_LOCK_MSGS}" ]; then
		check_is_digit SHOW_LOCK_MSGS

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SHOW_LOCK_MSGS=1
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	test $QUIET -eq 1 && SHOW_LOCK_MSGS=0

	return
}


sort_test_lists() {

	#
	# This function is used to sort the list of test names for
	# enabled and disabled tests. The first parameter determines
	# which list is to be sorted:
	#
	#	1: enabled tests
	#	2: disabled tests
	#

	RKHTMPVAR=$1

	test $RKHTMPVAR -eq 1 && ENABLE_TESTS=`echo ${ENABLE_TESTS} | tr ' ' '\n' | sort | uniq`
	test $RKHTMPVAR -eq 2 && DISABLE_TESTS=`echo ${DISABLE_TESTS} | tr ' ' '\n' | sort | uniq`

	ENABLE_TESTS=`echo ${ENABLE_TESTS}`
	DISABLE_TESTS=`echo ${DISABLE_TESTS}`


	#
	# Finally, test to see if the current lists are the same.
	#

	if [ "${ENABLE_TESTS}" = "${DISABLE_TESTS}" ]; then
		test $ENDIS_OPT -eq 0 && RKHTMPVAR=" configured" || RKHTMPVAR=""
		echo "The${RKHTMPVAR} enabled and disabled tests are the same."

		if [ $ENDIS_OPT -eq 1 -o $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


check_test_options() {

	#
	# This function is called after we have obtained the enabled and
	# disabled test names. It will check that the test names are valid,
	# and remove any enabled test names from the disabled list.
	#

	#
	# First we loop through the enabled and disabled test names, and see
	# if the special names of 'all' or 'none' are used. If so, then these
	# will either override all the other test names in the list, or be an
	# error. We also look for any invalid test names.
	#

	SEEN=0
	LEAVE=0

	RKHTMPVAR=" `echo ${KNOWN_TESTS}` "

	for TEST_NAME in ${ENABLE_TESTS}; do
		if [ "${TEST_NAME}" = "all" ]; then
			SEEN=1
		elif [ "${TEST_NAME}" = "none" ]; then
			if [ $ENABLE_OPT -eq 1 ]; then
				echo "'none' cannot be used in the enabled test list."
				exit 1
			else
				LEAVE=1
				echo "'none' cannot be used in the configured enabled test list."
			fi
		elif [ -z "`echo \"${RKHTMPVAR}\" | grep \" ${TEST_NAME} \"`" ]; then
			LEAVE=1
			echo "Unknown enabled test name given: ${TEST_NAME}"
		fi
	done

	test $SEEN -eq 1 && ENABLE_TESTS="all"


	#
	# For the disabled tests we need to loop through the
	# command-line and configuration file test names separately.
	#

	SEEN=0

	for TEST_NAME in ${CL_DISABLE_TESTS}; do
		if [ "${TEST_NAME}" = "none" ]; then
			SEEN=1
		elif [ "${TEST_NAME}" = "all" ]; then
			echo "'all' cannot be used in the disabled test list."
			exit 1
		elif [ -z "`echo \"${RKHTMPVAR}\" | grep \" ${TEST_NAME} \"`" ]; then
			LEAVE=1
			echo "Unknown disabled test name given: ${TEST_NAME}"
		fi
	done

	if [ $USECF -eq 1 ]; then
		for TEST_NAME in ${CONFIG_DISABLE_TESTS}; do
			if [ "${TEST_NAME}" = "none" ]; then
				SEEN=1
			elif [ "${TEST_NAME}" = "all" ]; then
				LEAVE=1
				echo "'all' cannot be used in the configured disabled test list."
			elif [ -z "`echo \"${RKHTMPVAR}\" | grep \" ${TEST_NAME} \"`" ]; then
				LEAVE=1
				echo "Unknown disabled test name in the configuration file: ${TEST_NAME}"
			fi
		done
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
			return
		fi
	fi

	test $SEEN -eq 1 && DISABLE_TESTS="none"


	#
	# If we are to run all the tests, then we use whatever
	# disabled tests the user has given us.
	#

	test "${ENABLE_TESTS}" = "all" && return


	#
	# Now we can loop through the command-line enabled specific test names,
	# and remove them from the disabled list. We need to do this otherwise
	# the tests would not run. We don't bother to do this for the configuration
	# file enabled tests because we assume the user has already checked this.
	#

	if [ $ENABLE_OPT -eq 1 -a "${DISABLE_TESTS}" != "none" ]; then
		#
		# First get a list of just the group test names.
		#

		GROUP_TEST_NAMES=""

		for RKHTMPVAR in ${GROUPED_TESTS}; do
			GROUP_TEST_NAMES="${GROUP_TEST_NAMES} `echo "${RKHTMPVAR}" | cut -d: -f1`"
		done

		GROUP_TEST_NAMES=" `echo ${GROUP_TEST_NAMES}` "


		#
		# Now loop through the specific test names.
		#

		DISABLE_TESTS=" ${DISABLE_TESTS} "

		for TEST_NAME in ${ENABLE_TESTS}; do
			if [ -z "`echo \"${GROUP_TEST_NAMES}\" | grep \" ${TEST_NAME} \"`" ]; then
				if [ -n "`echo \"${DISABLE_TESTS}\" | grep \" ${TEST_NAME} \"`" ]; then
					DISABLE_TESTS=`echo "${DISABLE_TESTS}" | sed -e "s/ ${TEST_NAME} / /"`
				fi
			fi
		done

		DISABLE_TESTS=`echo ${DISABLE_TESTS}`

		if [ -z "${DISABLE_TESTS}" ]; then
			DISABLE_TESTS="none"
		else
			sort_test_lists 2
		fi
	fi


	#
	# Next we expand the enabled test group names. This will leave us
	# with a list of specific test names, and their associated group test
	# names. We also need to check if a given test name is part of a
	# group. If it is, then we must add the group name.
	#

	for TEST_NAME in ${ENABLE_TESTS}; do
		for RKHTMPVAR in ${GROUPED_TESTS}; do
			GROUP_NAME=`echo "${RKHTMPVAR}" | cut -d: -f1`

			if [ -n "`echo \"${RKHTMPVAR}\" | grep ':'`" ]; then
				GROUP_TESTS=`echo "${RKHTMPVAR}" | cut -d: -f2-`
			else
				GROUP_TESTS=""
			fi

			if [ "${TEST_NAME}" = "${GROUP_NAME}" ]; then
				ENABLE_TESTS="${ENABLE_TESTS} `echo \"${GROUP_TESTS}\" | tr ':' ' '`"
				break
			elif [ -z "${GROUP_TESTS}" ]; then
				continue
			elif [ -n "`echo \":${GROUP_TESTS}:\" | grep \":${TEST_NAME}:\"`" ]; then
				ENABLE_TESTS="${ENABLE_TESTS} ${GROUP_NAME}"
			fi
		done
	done

	ENABLE_TESTS=`echo ${ENABLE_TESTS}`

	sort_test_lists 1


	#
	# Finally, we temporarily expand the disabled test names and temporarily
	# remove any matching names from the enabled test list. Although these
	# tests would never run, we need to do this in order to see if the user
	# has given us an invalid list of tests.
	#

	if [ "${DISABLE_TESTS}" != "none" ]; then
		TEMP_EN_TESTS="${ENABLE_TESTS}"
		TEMP_DIS_TESTS="${DISABLE_TESTS}"

		for TEST_NAME in ${TEMP_DIS_TESTS}; do
			for RKHTMPVAR in ${GROUPED_TESTS}; do
				GROUP_NAME=`echo "${RKHTMPVAR}" | cut -d: -f1`

				if [ -n "`echo \"${RKHTMPVAR}\" | grep ':'`" ]; then
					GROUP_TESTS=`echo "${RKHTMPVAR}" | cut -d: -f2-`
				else
					GROUP_TESTS=""
				fi

				if [ "${TEST_NAME}" = "${GROUP_NAME}" ]; then
					TEMP_DIS_TESTS="${TEMP_DIS_TESTS} `echo \"${GROUP_TESTS}\" | tr ':' ' '`"
					break
				elif [ -z "${GROUP_TESTS}" ]; then
					continue
				elif [ -n "`echo \":${GROUP_TESTS}:\" | grep \":${TEST_NAME}:\"`" ]; then
					TEMP_DIS_TESTS="${TEMP_DIS_TESTS} ${GROUP_NAME}"
				fi
			done
		done

		TEMP_DIS_TESTS=" `echo ${TEMP_DIS_TESTS}` "


		#
		# Now loop through the enabled tests and remove any matches.
		#

		for TEST_NAME in ${TEMP_EN_TESTS}; do
			if [ -n "`echo \"${TEMP_DIS_TESTS}\" | grep \" ${TEST_NAME} \"`" ]; then
				TEMP_EN_TESTS=`echo " ${TEMP_EN_TESTS} " | sed -e "s/ ${TEST_NAME} / /"`
			fi
		done

		TEMP_EN_TESTS=`echo ${TEMP_EN_TESTS}`

		if [ -z "${TEMP_EN_TESTS}" ]; then
			if [ $ENABLE_OPT -eq 1 ]; then
				echo "Invalid enabled test list - no tests to run."
				exit 1
			else
				echo "Invalid configured enabled test list - no tests to run."

				if [ $CONFIG_CHECK -eq 0 ]; then
					exit 1
				else
					RET_CODE=1
				fi
			fi
		fi
	fi

	return
}


get_enable_option() {

	#
	# This function gets the enabled test names from the command-line
	# or the configuration file as required. The test names will be
	# checked later on. By default all tests are enabled.
	#

	#
	# Get the command-line test names. These override
	# the configuration file enabled test names.
	#

	if [ $ENABLE_OPT -eq 1 ]; then
		ENABLE_TESTS=`echo "${CL_ENABLE_TESTS}" | tr -d '"' | tr -d "'" | tr ',' ' ' | tr -s '	 ' '  '`
		ENABLE_TESTS=`echo ${ENABLE_TESTS}`

		if [ -z "${ENABLE_TESTS}" ]; then
			echo "Invalid '--enable' option - no test names given."
			exit 1
		else
			ENABLE_TESTS=`echo "${ENABLE_TESTS}" | tr '[:upper:]' '[:lower:]'`
		fi


		#
		# We do a simple test here to see if just one test was enabled.
		# If it was then we skip the key press feature since it is most
		# likely that the user doesn't want that. The test name cannot be
		# 'all'.
		#

		if [ "${ENABLE_TESTS}" != "all" -a -z "`echo \"${ENABLE_TESTS}\" | grep ' '`" ]; then
			SKIP_KEY_PRESS=1
		fi
	else
		#
		# We get the configuration file entries by default.
		#

		ENABLE_TESTS=`get_option 2 single ENABLE_TESTS` || exit 1
		ENABLE_TESTS=`echo "${ENABLE_TESTS}" | tr '[:upper:]' '[:lower:]'`

		# The system default.
		test -z "${ENABLE_TESTS}" && ENABLE_TESTS="all"
	fi

	return
}


get_disable_option() {

	#
	# This function gets the disabled test names from the command-line
	# and the configuration file if required. The test names will be
	# checked later on. By default no tests are disabled.
	#
	# Note: disabled tests are always compared against the list
	# of enabled tests. Hence, if we used
	#      'rkhunter -c --enable system_commands --disable apps'
	# then only the system command tests are run. Any other test is
	# not run because it is not in the '--enable' list. As such
	# the '--disable' option in the example above is not necessary.
	#

	#
	# Get the command-line test names.
	#

	if [ -n "${CL_DISABLE_TESTS}" ]; then
		CL_DISABLE_TESTS=`echo "${CL_DISABLE_TESTS}" | tr -d '"' | tr -d "'" | tr ',' ' ' | tr -s '	 ' '  '`
		CL_DISABLE_TESTS=`echo ${CL_DISABLE_TESTS}`

		if [ -z "${CL_DISABLE_TESTS}" ]; then
			echo "Invalid '--disable' option - no test names given."
			exit 1
		fi
	fi

	#
	# Get the configuration file test names
	# unless specifically requested not to do so.
	#

	if [ $USECF -eq 1 ]; then
		CONFIG_DISABLE_TESTS=`get_option 2 single DISABLE_TESTS` || exit 1
	fi

	DISABLE_TESTS="${CL_DISABLE_TESTS} ${CONFIG_DISABLE_TESTS}"
	DISABLE_TESTS=`echo ${DISABLE_TESTS}`

	if [ -z "${DISABLE_TESTS}" ]; then
		# The system default.
		DISABLE_TESTS="none"
	else
		DISABLE_TESTS=`echo "${DISABLE_TESTS}" | tr '[:upper:]' '[:lower:]'`
	fi

	return
}


get_xinetd_option() {

	#
	# This function obtains the inetd and xinetd configuration
	# file pathnames from the config file. It also get the
	# whitelisted services.
	#

	LEAVE=0
	ERRCODE=0

	FNAME=`get_option 1 single INETD_CONF_PATH` || exit 1

	if [ -n "${FNAME}" ]; then
		check_paths FNAME INETD_CONF_PATH STRICT

		test $ERRCODE -eq 1 && LEAVE=1

		INETD_CONF_PATH="${FNAME}"
	fi

	INETDALLOWEDSVCS=`get_option 2 multi INETD_ALLOWED_SVC` || exit 1


	#
	# Now do the same for xinetd.
	#

	ERRCODE=0

	FNAME=`get_option 1 single XINETD_CONF_PATH` || exit 1

	if [ -n "${FNAME}" ]; then
		check_paths FNAME XINETD_CONF_PATH STRICT

		test $ERRCODE -eq 1 && LEAVE=1

		XINETD_CONF_PATH="${FNAME}"
	fi

	XINETDALLOWEDSVCS=`get_option 2 multi XINETD_ALLOWED_SVC` || exit 1

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_ports_option() {

	#
	# Get the option from the configuration file, and do some
	# checks that it is valid.
	#

	RKHTMPVAR=`get_option 2 multi PORT_WHITELIST` || exit 1

	if [ -n "${RKHTMPVAR}" ]; then
		#
		# Loop through the list checking that it all looks okay.
		#

		LEAVE=0

		if [ -n "`echo \"${RKHTMPVAR}\" | grep '\*'`" ]; then
			PORT_WHITELIST_ALL_TRUSTED=1
			RKHTMPVAR=`echo "${RKHTMPVAR}" | tr -d '*'`
		fi

		for RKHTMPVAR2 in ${RKHTMPVAR}; do
			if [ -n "`echo \"${RKHTMPVAR2}\" | grep '^/'`" ]; then
				PORT=0
				FNAME=""
				PROTO=""

				# Dig out the port number, if present.
				if [ -n "`echo \"${RKHTMPVAR2}\" | grep '.:[1-9][0-9]*$'`" ]; then
					PORT=`echo "${RKHTMPVAR2}" | sed -e 's/^.*:\([1-9][0-9]*\)$/\1/'`

					if [ $PORT -gt 65535 ]; then
						LEAVE=1
						echo "Invalid PORT_WHITELIST configuration option - invalid port specified: ${RKHTMPVAR2}"
					fi

					# If the port is present, then the protocol must be as well.
					if [ -n "`echo \"${RKHTMPVAR2}\" | grep '.:[^:][^:]*:[1-9][0-9]*$'`" ]; then
						PROTO=`echo "${RKHTMPVAR2}" | sed -e 's/^.*:\([^:][^:]*\):[1-9][0-9]*$/\1/'`

						PROTO=`echo ${PROTO} | tr '[:lower:]' '[:upper:]'`

						if [ "${PROTO}" != "TCP" -a "${PROTO}" != "UDP" ]; then
							LEAVE=1
							echo "Invalid PORT_WHITELIST configuration option - invalid protocol specified: ${RKHTMPVAR2}"
						fi
					else
						LEAVE=1
						echo "Invalid PORT_WHITELIST configuration option - no protocol specified: ${RKHTMPVAR2}"
					fi
				fi

				# Dig out the pathname.
				if [ $PORT -gt 0 ]; then
					FNAME=`echo "${RKHTMPVAR2}" | sed -e 's/^\(.*\):[^:]*:[1-9][0-9]*$/\1/'`
				else
					FNAME="${RKHTMPVAR2}"
				fi

				if [ ! -e "${FNAME}" ]; then
					LEAVE=1
					echo "Invalid PORT_WHITELIST configuration option - non-existent pathname specified: ${RKHTMPVAR2}"
				elif [ ! -f "${FNAME}" ]; then
					LEAVE=1
					echo "Invalid PORT_WHITELIST configuration option - pathname specified is not a file: ${RKHTMPVAR2}"
				else
					if [ $PORT -gt 0 ]; then
						PORT_WHITELIST_PATH="${PORT_WHITELIST_PATH} ${FNAME}:${PROTO}:${PORT}"
					else
						PORT_WHITELIST_PATH="${PORT_WHITELIST_PATH} ${FNAME}"
					fi
				fi
			elif [ -n "`echo \"${RKHTMPVAR2}\" | grep '^[^:][^:]*:[1-9][0-9]*$'`" ]; then
				PROTO=`echo ${RKHTMPVAR2} | cut -d: -f1 | tr '[:lower:]' '[:upper:]'`
				PORT=`echo ${RKHTMPVAR2} | cut -d: -f2`

				if [ "${PROTO}" != "TCP" -a "${PROTO}" != "UDP" ]; then
					LEAVE=1
					echo "Invalid PORT_WHITELIST configuration option - invalid protocol specified: ${RKHTMPVAR2}"
				fi

				if [ $PORT -gt 65535 ]; then
					LEAVE=1
					echo "Invalid PORT_WHITELIST configuration option - invalid port specified: ${RKHTMPVAR2}"
				fi

				PORT_WHITELIST="${PORT_WHITELIST} ${PROTO}:${PORT}"
			else
				LEAVE=1
				echo "Invalid entry specified in PORT_WHITELIST configuration option: ${RKHTMPVAR2}"
			fi
		done

		if [ $LEAVE -eq 1 ]; then
			if [ $CONFIG_CHECK -eq 0 ]; then
				exit 1
			else
				RET_CODE=1
			fi
		fi

		PORT_WHITELIST=" ${PORT_WHITELIST} "
		PORT_WHITELIST_PATH=" ${PORT_WHITELIST_PATH} "
	fi

	return
}


get_shadow_file_option() {

	#
	# Get the option from the configuration file. We also cater
	# for cases such as BSD systems and users of TCB shadow files.
	# If the shadow file itself does not exist, then we look in
	# the password file to see if it contains the passwords.
	#

	ERRCODE=0

	SHADOW_FILE=`get_option 1 single PASSWORD_FILE` || exit 1

	if [ -n "${SHADOW_FILE}" ]; then
		check_paths SHADOW_FILE PASSWORD_FILE STRICT

		if [ $ERRCODE -eq 0 ]; then
			if [ -s "${SHADOW_FILE}" ]; then
				SHADOW_FILE="${SHADOW_FILE}"
			else
				SHADOW_FILE=""
			fi
		fi
	elif [ -s "/etc/shadow" ]; then
		SHADOW_FILE="/etc/shadow"
	elif [ \( $BSDOS -eq 1 -o $MACOSX -eq 1 \) -a -s "/etc/master.passwd" ]; then
		SHADOW_FILE="/etc/master.passwd"
	elif [ -f "/etc/tcb/root/shadow" ]; then
		HAVE_TCB_SHADOW=1
	elif [ -s "/etc/passwd" ]; then
		#
		# If the passwords are stored in the passwd file, then
		# it should contain at least 3 non-colon characters in the
		# second field. Checking for 3 characters allows for normal
		# shadow entries such as 'x', '!!' or '*'. It is assumed
		# that at least one account will have a password.
		#

		if [ -n "`grep '^[^:]*:[^:][^:][^:]' /etc/passwd`" ]; then
			SHADOW_FILE="/etc/passwd"
		fi
	fi

	if [ $ERRCODE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


test_epoch_cmd() {

	#
	# This function simply checks if the supplied command
	# can process epoch second times. We do this by using
	# the '%s' formatting option, and the 'seconds ago'
	# time format. If the command understands both of these
	# then we can use it for the epoch date.
	#

	RKHTMPVAR=$1

	if [ -n "`${RKHTMPVAR} --date '5 seconds ago' '+%s' 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
		EPOCH_DATE_CMD=${RKHTMPVAR}
	fi

	return
}


get_epoch_date_cmd_option() {

	#
	# Get the option from the configuration file, or work out
	# if the 'date' command is suitable.
	#

	ERRCODE=0

	EPOCH_DATE_CMD=`get_option 2 single EPOCH_DATE_CMD` || exit 1

	#
	# Check the type of config file option we have. They user may have
	# specified a command to use or 'NONE', in which case we return.
	# If they specified 'PERL' then check we have a 'perl' command,
	# and then return.
	#

	if [ "${EPOCH_DATE_CMD}" = "PERL" ]; then
		EPOCH_DATE_CMD=""
		test -z "${PERL_CMD}" && EPOCH_DATE_CMD="NONE"
		return
	elif [ "${EPOCH_DATE_CMD}" = "NONE" ]; then
		return
	elif [ -n "${EPOCH_DATE_CMD}" ]; then
		RKHTMPVAR=`echo "${EPOCH_DATE_CMD}" | cut -d' ' -f1`

		check_paths RKHTMPVAR EPOCH_DATE_CMD STRICT

		#
		# Check that the command exists and is executable.
		#

		if [ $ERRCODE -eq 0 ]; then
			FNAME=`find_cmd ${RKHTMPVAR}`

			if [ -n "${FNAME}" ]; then
				RKHTMPVAR2=`echo "${EPOCH_DATE_CMD}" | cut -d' ' -f2-`

				if [ -z "${RKHTMPVAR2}" -o "${RKHTMPVAR2}" = "${EPOCH_DATE_CMD}" ]; then
					EPOCH_DATE_CMD="${FNAME}"
				else
					EPOCH_DATE_CMD="${FNAME} ${RKHTMPVAR2}"
				fi
			else
				EPOCH_DATE_CMD="NONE"
			fi
		else
			if [ $CONFIG_CHECK -eq 0 ]; then
				exit 1
			else
				RET_CODE=1
			fi
		fi

		return
	fi


	#
	# Now we test if the 'date' command supports processing epoch seconds.
	#

	test_epoch_cmd "date"

	test -n "${EPOCH_DATE_CMD}" && return


	#
	# For SunOS systems we need to check some other 'date' commands.
	#

	if [ $SUNOS -eq 1 ]; then
		for RKHTMPVAR2 in `find_cmd gdate` /opt/sfw/bin/date; do
			test_epoch_cmd "${RKHTMPVAR2}"
			test -n "${EPOCH_DATE_CMD}" && break
		done
	fi

	return
}


get_phalanx2_option() {

	#
	# This is a specific function to get the PHALANX2_DIRTEST
	# option. It must be a digit, and can only be tested for
	# on Linux systems.
	#

	test $LINUXOS -eq 0 && return

	ERRCODE=0

	ROOTKIT_PHALANX2_DIRTESTVAL=`get_option 1 single PHALANX2_DIRTEST` || exit 1

	if [ -n "${ROOTKIT_PHALANX2_DIRTESTVAL}" ]; then
		check_is_digit ROOTKIT_PHALANX2_DIRTESTVAL
	else
		ROOTKIT_PHALANX2_DIRTESTVAL=0
	fi

	if [ $ERRCODE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_dev_options() {

	#
	# This function processes the ALLOWDEVFILE option which is
	# used to whitelist files allowed in the '/dev' directory.
	#

	ERRCODE=0
	ALLOWDEVFILES=""

	ALLOWDEVFILE_OPT=`get_option 2 multi ALLOWDEVFILE` || exit 1

	if [ -n "${ALLOWDEVFILE_OPT}" ]; then
		#
		# We 'echo' the variable so that any wildcards get expanded.
		#

		ALLOWDEVFILES=`echo ${ALLOWDEVFILE_OPT}`

		check_paths ALLOWDEVFILES ALLOWDEVFILE

		ALLOWDEVFILES=`echo " ${ALLOWDEVFILES} " | tr '%' ' '`
	fi

	if [ $ERRCODE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_hidden_options() {

	#
	# This function processes the ALLOWHIDDENFILE and ALLOWHIDDENDIR
	# options which are used to whitelist hidden files and directories.
	#

	LEAVE=0
	ERRCODE=0
	ALLOWHIDDENFILES=""

	ALLOWHIDDENFILE_OPT=`get_option 2 multi ALLOWHIDDENFILE` || exit 1

	if [ -n "${ALLOWHIDDENFILE_OPT}" ]; then
		#
		# We 'echo' the variable so that any wildcards get expanded.
		#

		ALLOWHIDDENFILES=`echo ${ALLOWHIDDENFILE_OPT}`

		check_paths ALLOWHIDDENFILES ALLOWHIDDENFILE

		test $ERRCODE -eq 1 && LEAVE=1

		ALLOWHIDDENFILES=`echo " ${ALLOWHIDDENFILES} " | tr '%' ' '`
	fi


	ERRCODE=0
	ALLOWHIDDENDIRS=""

	ALLOWHIDDENDIR_OPT=`get_option 2 multi ALLOWHIDDENDIR` || exit 1

	if [ -n "${ALLOWHIDDENDIR_OPT}" ]; then
		#
		# We 'echo' the variable so that any wildcards get expanded.
		#

		ALLOWHIDDENDIRS=`echo ${ALLOWHIDDENDIR_OPT}`

		check_paths ALLOWHIDDENDIRS ALLOWHIDDENDIR

		test $ERRCODE -eq 1 && LEAVE=1

		ALLOWHIDDENDIRS=`echo " ${ALLOWHIDDENDIRS} " | tr '%' ' '`
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_unhide_options() {

	#
	# This function processes the configuration options used
	# by the unhide commands in the 'hidden_procs' test.
	#

	LEAVE=0
	ERRCODE=0

	UNHIDE_TESTS=`get_option 2 single UNHIDE_TESTS` || exit 1

	if [ -z "${UNHIDE_TESTS}" ]; then
		UNHIDE_TESTS="sys"
	elif [ -z "`echo \" ${UNHIDE_TESTS}\" | grep ' [a-zA-Z]'`" ]; then
		LEAVE=1
		echo "Invalid UNHIDE_TESTS configuration option - no tests specified: ${UNHIDE_TESTS}"
	fi


	NOUNHIDE=`get_option 1 single DISABLE_UNHIDE` || exit 1

	if [ -n "${NOUNHIDE}" ]; then
		check_is_digit NOUNHIDE DISABLE_UNHIDE 2

		test $ERRCODE -eq 1 && LEAVE=1
	else
		NOUNHIDE=0
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_suspscan_options() {

	#
	# This function processes all the options
	# required for the suspscan test.
	#

	LEAVE=0
	ERRCODE=0

	SUSPSCAN_DFLT_TMP=0
	SUSPSCAN_DFLT_DIRS=0
	SUSPSCAN_DFLT_THRESH=0
	SUSPSCAN_DFLT_MAXSIZE=0

	#
	# Get the directories to scan.
	#

	SUSPSCAN_DIRS=`get_option 2 multi SUSPSCAN_DIRS` || exit 1

	if [ -n "${SUSPSCAN_DIRS}" ]; then
		check_paths SUSPSCAN_DIRS SUSPSCAN_DIRS STRICT

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SUSPSCAN_DFLT_DIRS=1
		SUSPSCAN_DIRS="/tmp /var/tmp"
	fi

	#
	# Get the tempdir to use. It should be a /dev/shm type.
	#

	ERRCODE=0

	SUSPSCAN_TEMP=`get_option 1 single SUSPSCAN_TEMP` || exit 1

	if [ -n "${SUSPSCAN_TEMP}" ]; then
		check_paths SUSPSCAN_TEMP SUSPSCAN_TEMP STRICT

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SUSPSCAN_DFLT_TMP=1
		SUSPSCAN_TEMP="/dev/shm"

		if [ ! -e "${SUSPSCAN_TEMP}" ]; then
			LEAVE=1
			ERRCODE=1
			echo "The default suspscan temporary directory does not exist: ${SUSPSCAN_TEMP}"
		elif [ ! -d "${SUSPSCAN_TEMP}" ]; then
			LEAVE=1
			ERRCODE=1
			echo "The default suspscan temporary directory is not a directory: ${SUSPSCAN_TEMP}"
		fi
	fi

	if [ $ERRCODE -eq 0 ]; then
		if [ ! -w "${SUSPSCAN_TEMP}" ]; then
			LEAVE=1
			echo "The suspscan temporary directory is not writable: ${SUSPSCAN_TEMP}"
		fi
	fi

	#
	# Get the maximum file size to handle, say 1024000.
	#

	ERRCODE=0

	SUSPSCAN_MAXSIZE=`get_option 1 single SUSPSCAN_MAXSIZE` || exit 1

	if [ -n "${SUSPSCAN_MAXSIZE}" ]; then
		check_is_digit SUSPSCAN_MAXSIZE SUSPSCAN_MAXSIZE ANY1

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SUSPSCAN_DFLT_MAXSIZE=1
		SUSPSCAN_MAXSIZE=1024000
	fi

	#
	# Get the score threshold, 200 seems sensible.
	#

	ERRCODE=0

	SUSPSCAN_THRESH=`get_option 1 single SUSPSCAN_THRESH` || exit 1

	if [ -n "${SUSPSCAN_THRESH}" ]; then
		check_is_digit SUSPSCAN_THRESH SUSPSCAN_THRESH ANY1

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SUSPSCAN_THRESH=200
		SUSPSCAN_DFLT_THRESH=1
	fi

	#
	# Get the line threshold. This exists purely for performance reasons. 3000 seems sensible as
	# Linux Kernel Modules don't exceed 2000 lines and for example most binaries in /bin don't exceed 3000 lines.
	# Note this configuration option will remain unlisted in both the documentation and configuration file.
	#

	ERRCODE=0

	SUSPSCAN_LINETHRESH=`get_option 1 single SUSPSCAN_LINETHRESH` || exit 1

	if [ -n "${SUSPSCAN_LINETHRESH}" ]; then
		check_is_digit SUSPSCAN_LINETHRESH SUSPSCAN_LINETHRESH ANY1

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SUSPSCAN_LINETHRESH=3000
	fi

	#
	# Get the debug flag value (defaults to 0). Setting this to 1 will cause verbose messages to be displayed
	# which will result in more warnings than you will want. Changing the SUSPSCAN_DEBUG default value implies
	# that you know what you are doing and that you don't need help "fixing" things afterwards.
	#

	ERRCODE=0

	SUSPSCAN_DEBUG=`get_option 1 single SUSPSCAN_DEBUG` || exit 1

	if [ -n "${SUSPSCAN_DEBUG}" ]; then
		check_is_digit SUSPSCAN_DEBUG

		test $ERRCODE -eq 1 && LEAVE=1
	else
		SUSPSCAN_DEBUG=0
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_if_prelinked() {

	#
	# A prelinked system is defined here as one which has a 'prelink'
	# command, and the '/etc/prelink.cache' file exists.
	#

	if [ -f "/etc/prelink.cache" ]; then
		#
		# Check that we have a 'prelink' command. If it
		# doesn't exist, then we cannot use prelinking.
		#

		PRELINK_CMD=`find_cmd prelink`

		test -z "${PRELINK_CMD}" && return


		#
		# We test (twice) for the existence of Libsafe since this seems to
		# riddle prelink test results with "dependency cycle" errors.
		# Don't test for existence of /lib/libsafe since it may be
		# installed elsewhere. If Libsafe is found, then we'll skip the
		# file properties hash test.
		#

		LIBSAFE_TEST1=""
		LIBSAFE_TEST2=""

		if [ -f "/etc/ld.so.preload" ]; then
			LIBSAFE_TEST1=`grep 'libsafe' /etc/ld.so.preload 2>&1`
		else
			LIBSAFE_TEST1=`echo "$LD_PRELOAD" | grep 'libsafe' 2>&1`
		fi

		if [ -n "${LDD_CMD}" ]; then
			if [ -f "/lib/libdl.so.?" ]; then
				LIBSAFE_TEST2=`${LDD_CMD} /lib/libdl.so.? | grep 'libsafe' 2>&1`
			elif [ -f "/lib64/libdl.so.?" ]; then
				LIBSAFE_TEST2=`${LDD_CMD} /lib64/libdl.so.? | grep 'libsafe' 2>&1`
			fi
		fi

		if [ -z "${LIBSAFE_TEST1}" -a -z "${LIBSAFE_TEST2}" ]; then
			PRELINKED=1

			#
			# Only use 'runcon' if SELinux is enabled.
			#

			SESTATUS_CMD=`find_cmd sestatus`

			if [ -n "${SESTATUS_CMD}" ]; then
				if [ -n "`${SESTATUS_CMD} 2>/dev/null | grep ' status: *enabled$'`" ]; then
					SELINUX_ENABLED=1
					RUNCON_CMD=`find_cmd runcon`
					test -n "${RUNCON_CMD}" && USE_RUNCON=1
				fi
			fi
		elif [ -n "${LIBSAFE_TEST1}" -a -n "${LIBSAFE_TEST2}" ]; then
			SKIP_HASH_MSG=2
		fi
	fi

	return
}


get_md5_hash_function() {

	#
	# This is a short function to try and locate
	# an MD5 hash function command.
	#

	if [ $PRELINKED -eq 1 ]; then
		if [ $USE_RUNCON -eq 1 ]; then
			echo "${RUNCON_CMD} -u root -- ${PRELINK_CMD} --verify --md5"
		else
			echo "${PRELINK_CMD} --verify --md5"
		fi
	else
		HFUNC=`find_cmd md5sum`

		test -z "${HFUNC}" && HFUNC=`find_cmd md5`

		if [ -z "${HFUNC}" -a -n "${PERL_CMD}" ]; then
			MOD_INSTALLED=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl Digest::MD5 2>/dev/null | grep 'Digest::MD5 installed'`

			test -n "${MOD_INSTALLED}" && echo "${PERL_CMD} ${SCRIPT_PATH}/filehashsha.pl Digest::MD5 0"
		else
			echo "${HFUNC}"
		fi
	fi

	return
}


get_hash_function() {

	#
	# Get the option from the configuration file, and do a simple
	# check on whether it is empty or a space.
	#

	LEAVE=0
	ERRCODE=0

	if [ $HASH_OPT -eq 1 ]; then

		HASH_FUNC=`echo "${HASH_FUNC}" | tr -d '"' | tr -d "'" | tr -s '	 ' '  '`

		HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f1`

		# Stop globbing from being expanded.
		if [ -z "`echo \"${HASH_CMD}\" | grep '[][*?]'`" ]; then
			HASH_FUNC=`echo ${HASH_FUNC}`
		else
			LEAVE=1
			HASH_FUNC="NONE"
			echo "Invalid '--hash' option: invalid pathname: ${HASH_CMD}"
		fi

		if [ -z "${HASH_FUNC}" ]; then
			LEAVE=1
			HASH_FUNC="NONE"
			echo "Invalid '--hash' option: no hash function given."
		fi
	else
		HASH_FUNC=`get_option 2 single HASH_FUNC` || exit 1
	fi

	#
	# Test to ensure that globbing and other invalid
	# pathnames have not been given.
	#

	if [ -n "${HASH_FUNC}" ]; then
		HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f1`

		check_paths HASH_CMD HASH_FUNC STRICT

		if [ $ERRCODE -eq 1 ]; then
			LEAVE=1
			HASH_FUNC="NONE"
		fi
	fi

	if [ -n "`echo \"${HASH_FUNC}\" | egrep -i '^(MD5|SHA1|SHA224|SHA256|SHA384|SHA512|RIPEMD160|WHIRLPOOL|NONE)$'`" ]; then
		HASH_FUNC=`echo "${HASH_FUNC}" | tr '[:lower:]' '[:upper:]'`
	fi


	#
	# At this point we have either been given a specific hash function
	# command, the reserved word 'NONE', one of the SHA or other functions,
	# or nothing. For the SHA and MD5 reserved words we must find the SHA
	# or MD5 command, or use the supplied perl scripts. For the RIPEMD160
	# and WHIRLPOOL reserved words, we use the perl scripts.
	#

	SHA_SIZE=0

	test -z "${HASH_FUNC}" && HASH_FUNC="SHA1"

	case "${HASH_FUNC}" in
	SHA1)	SHA_SIZE=1
		;;
	SHA224)	SHA_SIZE=224
		;;
	SHA256)	SHA_SIZE=256
		;;
	SHA384)	SHA_SIZE=384
		;;
	SHA512)	SHA_SIZE=512
		;;
	esac

	if [ "${HASH_FUNC}" = "SHA1" -a  $PRELINKED -eq 1 ]; then
		PRELINK_HASH="SHA1"

		if [ $USE_RUNCON -eq 1 ]; then
			HASH_FUNC="${RUNCON_CMD} -u root -- ${PRELINK_CMD} --verify --sha"
		else
			HASH_FUNC="${PRELINK_CMD} --verify --sha"
		fi
	elif [ $SHA_SIZE -gt 0 ]; then
		HF=`find_cmd sha${SHA_SIZE}sum`

		if [ -z "${HF}" ]; then
			HF=`find_cmd sha${SHA_SIZE}`

			if [ -z "${HF}" -a $MACOSX -eq 1 ]; then
				HF=`find_cmd shasum`

				test -n "${HF}" && HF="${HF} -a $SHA_SIZE"
			fi
		fi

		if [ -z "${HF}" -a -n "${PERL_CMD}" ]; then
			MOD_INSTALLED=""

			if [ $SHA_SIZE -eq 1 ]; then
				MOD_INSTALLED=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl Digest::SHA Digest::SHA1 Digest::SHA::PurePerl 2>/dev/null`
			elif [ $SHA_SIZE -eq 224 ]; then
				MOD_INSTALLED=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl Digest::SHA Digest::SHA::PurePerl 2>/dev/null`
			else
				MOD_INSTALLED=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl Digest::SHA Digest::SHA256 Digest::SHA::PurePerl 2>/dev/null`
			fi

			USE_MOD=`echo "${MOD_INSTALLED}" | grep -v 'NOT installed' | head ${HEAD_OPT}1 | cut -d' ' -f1`

			if [ -n "${USE_MOD}" ]; then
				HF="${PERL_CMD} ${SCRIPT_PATH}/filehashsha.pl ${USE_MOD} $SHA_SIZE"
			fi
		fi

		HASH_FUNC="${HF}"
	elif [ "${HASH_FUNC}" = "RIPEMD160" ]; then
		MOD_INSTALLED=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl Crypt::RIPEMD160 2>/dev/null`

		if [ -n "`echo \"${MOD_INSTALLED}\" | grep 'Crypt::RIPEMD160 installed'`" ]; then
			HASH_FUNC="${PERL_CMD} ${SCRIPT_PATH}/filehashsha.pl Crypt::RIPEMD160 0"
		fi
	elif [ "${HASH_FUNC}" = "WHIRLPOOL" ]; then
		MOD_INSTALLED=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl Digest::Whirlpool 2>/dev/null`

		if [ -n "`echo \"${MOD_INSTALLED}\" | grep 'Digest::Whirlpool installed'`" ]; then
			HASH_FUNC="${PERL_CMD} ${SCRIPT_PATH}/filehashsha.pl Digest::Whirlpool 0"
		fi
	fi


	#
	# If we still have no hash function, then look for an MD5 command,
	# but only if MD5 or SHA1 were specified.
	#

	if [ \( -z "${HASH_FUNC}" -a $SHA_SIZE -eq 1 \) -o "${HASH_FUNC}" = "MD5" ]; then
		SHA_SIZE=0

		HASH_FUNC=`get_md5_hash_function`

		if [ $PRELINKED -eq 1 ]; then
			PRELINK_HASH="MD5"
		elif [ -z "`echo \"${HASH_FUNC}\" | grep '/filehashsha\.pl Digest::MD5'`" ]; then
			MD5_CMD="${HASH_FUNC}"
		fi
	fi


	#
	# A final check that the command is actually executable.
	# This will ensure that the SHA/MD5 perl scripts have been
	# installed correctly, should they be needed.
	#

	if [ "${HASH_FUNC}" = "NONE" ]; then
		:
	elif [ "${HASH_FUNC}" = "RIPEMD160" -o "${HASH_FUNC}" = "WHIRLPOOL" ]; then
		LEAVE=1

		if [ $HASH_OPT -eq 1 ]; then
			echo "Invalid '--hash' option: no perl module for ${HASH_FUNC} could be found."
		else
			echo "Invalid HASH_FUNC configuration option: no perl module for ${HASH_FUNC} could be found."
		fi
	elif [ -n "${HASH_FUNC}" ]; then
		HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f1`
		HF=`find_cmd ${HASH_CMD}`

		if [ -n "${HF}" ]; then
			#
			# We rebuild the command to use the full pathname.
			#

			HASH_CMD=`echo "${HASH_FUNC}" | cut -d' ' -f2-`

			if [ -z "${HASH_CMD}" -o "${HASH_CMD}" = "${HASH_FUNC}" ]; then
				HASH_FUNC=$HF
			else
				HASH_FUNC="${HF} ${HASH_CMD}"
			fi
		elif [ $HASH_OPT -eq 1 ]; then
			LEAVE=1
			echo "Invalid '--hash' option: command '${HASH_CMD}' is non-existent or not executable."
		else
			LEAVE=1
			echo "Invalid HASH_FUNC configuration option: command '${HASH_CMD}' is non-existent or not executable."
		fi
	elif [ $HASH_OPT -eq 1 ]; then
		LEAVE=1
		echo "Invalid '--hash' option: no usable hash command or perl modules could be found."
	elif [ $SHA_SIZE -gt 1 ]; then
		LEAVE=1
		echo "Invalid HASH_FUNC configuration option: no usable hash command or perl module for SHA${SHA_SIZE} could be found."
	else
		LEAVE=1
		echo "Invalid HASH_FUNC configuration option: no usable hash command or perl modules for SHA1 or MD5 could be found."
	fi


	#
	# Now we get the hash field index. We will assume a field value
	# of one, but this value must be configurable since we allow
	# the user to specify the hash function to use.
	#

	ERRCODE=0

	RKHTMPVAR=`get_option 1 single HASH_FLD_IDX` || exit 1

	if [ -n "${RKHTMPVAR}" ]; then
		check_is_digit RKHTMPVAR HASH_FLD_IDX ANY1

		test $ERRCODE -eq 1 && LEAVE=1

		HASH_FLD_IDX=${RKHTMPVAR}
	fi


	#
	# Next we get the package manager to use for the file
	# properties hash check and update. If a file is not owned
	# as part of a package, the hash function defined above
	# will be used instead.
	#

	if [ -n "${PKGMGR}" ]; then
		PKGMGR=`echo "${PKGMGR}" | tr -d '" 	' | tr -d "'"`

		if [ -z "${PKGMGR}" ]; then
			LEAVE=1
			echo "Invalid '--pkgmgr' option: no package manager given."
		fi
	else
		PKGMGR=`get_option 1 single PKGMGR` || exit 1
	fi

	PKGMGR=`echo "${PKGMGR}" | tr '[:lower:]' '[:upper:]'`

	test "${PKGMGR}" = "NONE" && PKGMGR=""


	#
	# Now check that the package manager we have been given is valid.
	#

	case "${PKGMGR}" in
	"")
		;;
	RPM)
		RPM_CMD=`find_cmd rpm`

		if [ -z "${RPM_CMD}" ]; then
			LEAVE=1
			echo "Unable to find 'rpm' command for package manager 'RPM'."
		fi
		;;
	DPKG)
		DPKG_CMD=`find_cmd dpkg-query`

		test -z "${DPKG_CMD}" && DPKG_CMD=`find_cmd dpkg`

		if [ -z "${DPKG_CMD}" ]; then
			LEAVE=1
			echo "Unable to find 'dpkg-query' or 'dpkg' commands for package manager 'DPKG'."
		elif [ ! -d "/var/lib/dpkg/info" ]; then
			LEAVE=1
			echo "Unable to find package database directory (/var/lib/dpkg/info) for package manager 'DPKG'."
		fi

		if [ $CHECK -eq 1 ]; then
			PKGMGR_MD5_HASH=`get_md5_hash_function`

			if [ -z "${PKGMGR_MD5_HASH}" ]; then
				LEAVE=1
				echo "Unable to find an MD5 hash function command to assist package manager 'DPKG'."
			fi
		fi
		;;
	BSD)
		PKG_CMD=`find_cmd pkg_info`

		if [ -z "${PKG_CMD}" ]; then
			LEAVE=1
			echo "Unable to find 'pkg_info' command for package manager 'BSD'."
		elif [ ! -d "/var/db/pkg" ]; then
			LEAVE=1
			echo "Unable to find package database directory (/var/db/pkg) for package manager 'BSD'."
		fi

		if [ $CHECK -eq 1 ]; then
			PKGMGR_MD5_HASH=`get_md5_hash_function`

			if [ -z "${PKGMGR_MD5_HASH}" ]; then
				LEAVE=1
				echo "Unable to find an MD5 hash function command to assist package manager 'BSD'."
			fi
		fi
		;;
	SOLARIS)
		#
		# For the Solaris package manager, see if we want
		# to use the stored 16-bit checksum or not.
		#

		USE_SUNSUM=`get_option 1 single USE_SUNSUM` || exit 1

		if [ -n "${USE_SUNSUM}" ]; then
			check_is_digit USE_SUNSUM

			if [ $ERRCODE -eq 0 ]; then
				SUM_CMD=`find_cmd sum`

				if [ -z "${SUM_CMD}" ]; then
					LEAVE=1
					echo "Unable to find 'sum' command for package manager 'SOLARIS'."
				fi
			else
				LEAVE=1
			fi
		else
			USE_SUNSUM=0
		fi

		if [ ! -f "/var/sadm/install/contents" ]; then
			LEAVE=1
			echo "Unable to find package database file (/var/sadm/install/contents) for package manager 'SOLARIS'."
		fi
		;;
	*)
		LEAVE=1
		echo "Invalid package manager given: ${PKGMGR}"
		;;
	esac


	#
	# Finally we see if any files are to be exempt from the
	# package manager verification. These will go through the
	# usual commands to get the file info, so they will still
	# be tested.
	#

	ERRCODE=0

	PKGMGRNOVRFY=`get_option 2 multi PKGMGR_NO_VRFY` || exit 1

	if [ -n "${PKGMGRNOVRFY}" ]; then
		check_paths PKGMGRNOVRFY PKGMGR_NO_VRFY STRICT

		test $ERRCODE -eq 1 && LEAVE=1

		PKGMGRNOVRFY=" ${PKGMGRNOVRFY} "
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_scan_mode_dev_option() {

	#
	# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
	# The two allowed options are "THOROUGH" or "LAZY". If the option
	# is commented out, the default, then we do a THOROUGH scan, which
	# will increase the runtime of rkhunter.
	#

	#
	# See if the option is specified in the configuration file.
	#

	SCAN_MODE_DEV=`get_option 1 single SCAN_MODE_DEV` || exit 1

	if [ -n "${SCAN_MODE_DEV}" ]; then
		SCAN_MODE_DEV=`echo "${SCAN_MODE_DEV}" | tr '[:lower:]' '[:upper:]'`

		case "${SCAN_MODE_DEV}" in
		THOROUGH|LAZY)
			;;
		*)	# Don't make this fatal.
			echo "Invalid SCAN_MODE_DEV configuration option: ${SCAN_MODE_DEV}"
			echo "Defaulting to THOROUGH mode."

			SCAN_MODE_DEV="THOROUGH"
			;;
		esac
	else
		SCAN_MODE_DEV="THOROUGH"
	fi

	return
}


get_startup_paths_option() {

	#
	# This function gets the system startup files and directories
	# from the configuration file. There are no defaults.
	#
	# For backward compatability we still check for the old options
	# of LOCAL_RC_PATH and SYSTEM_RC_DIR.
	#

	ERRCODE=0

	STARTUP_PATHS=`get_option 2 multi STARTUP_PATHS` || exit 1

	if [ -n "${STARTUP_PATHS}" ]; then
		#
		# First see if we have any startup files or not.
		#

		if [ -n "`echo \"${STARTUP_PATHS}\" | grep -i '^none$'`" ]; then
			STARTUP_PATHS="NONE"
		else
			#
			# Check that the given files and directories are usable.
			#

			check_paths STARTUP_PATHS STARTUP_PATHS

			if [ $ERRCODE -eq 0 ]; then
				for FNAME in ${STARTUP_PATHS}; do
					test -f "${FNAME}" && RKHTMPVAR="file" || RKHTMPVAR="directory"

					if [ -h "${FNAME}" ]; then
						ERRCODE=1
						echo "Invalid STARTUP_PATHS configuration option: the ${RKHTMPVAR} is a link: ${FNAME}"
					elif [ ! -e "${FNAME}" ]; then
						ERRCODE=1
						echo "Invalid STARTUP_PATHS configuration option: the name does not exist: ${FNAME}"
					elif [ ! -r "${FNAME}" ]; then
						ERRCODE=1
						echo "Invalid STARTUP_PATHS configuration option: the ${RKHTMPVAR} is not readable: ${FNAME}"
					elif [ ! -s "${FNAME}" ]; then
						ERRCODE=1
						echo "Invalid STARTUP_PATHS configuration option: the ${RKHTMPVAR} is empty: ${FNAME}"
					fi
				done
			fi

			if [ $ERRCODE -eq 1 ]; then
				if [ $CONFIG_CHECK -eq 0 ]; then
					exit 1
				else
					RET_CODE=1
				fi
			fi
		fi
	fi

	return
}


get_rtkt_whitelist_options() {

	#
	# This function gets any whitelisted rootkit files
	# and directories from the configuration file.
	# There are no defaults.
	#

	ERRCODE=0

	RTKT_FILE_WHITELIST=`get_option 2 multi RTKT_FILE_WHITELIST` || exit 1

	if [ -n "${RTKT_FILE_WHITELIST}" ]; then
		#
		# Check that the given files are usable.
		#

		check_paths RTKT_FILE_WHITELIST RTKT_FILE_WHITELIST STRICT

		RTKT_FILE_WHITELIST=" ${RTKT_FILE_WHITELIST} "
	fi


	RTKT_DIR_WHITELIST=`get_option 2 multi RTKT_DIR_WHITELIST` || exit 1

	if [ -n "${RTKT_DIR_WHITELIST}" ]; then
		#
		# Check that the given directories are usable.
		#

		check_paths RTKT_DIR_WHITELIST RTKT_DIR_WHITELIST STRICT

		RTKT_DIR_WHITELIST=" ${RTKT_DIR_WHITELIST} "
	fi

	if [ $ERRCODE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_shared_lib_whitelist_option() {

	#
	# This function gets any whitelisted shared library files
	# from the configuration file. There are no defaults.
	#

	ERRCODE=0

	SHARED_LIB_WHITELIST=`get_option 2 multi SHARED_LIB_WHITELIST` || exit 1

	if [ -n "${SHARED_LIB_WHITELIST}" ]; then
		check_paths SHARED_LIB_WHITELIST SHARED_LIB_WHITELIST STRICT

		SHARED_LIB_WHITELIST=" ${SHARED_LIB_WHITELIST} "
	fi

	if [ $ERRCODE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_mirror_options() {

	#
	# This function gets the mirrors file options.
	#

	#
	# First we see if the mirrors.dat file
	# should be rotated when it is used.
	#

	LEAVE=0
	ERRCODE=0

	ROTATE_MIRRORS=`get_option 1 single ROTATE_MIRRORS` || exit 1

	if [ -n "${ROTATE_MIRRORS}" ]; then
		check_is_digit ROTATE_MIRRORS

		test $ERRCODE -eq 1 && LEAVE=1
	else
		ROTATE_MIRRORS=1
	fi

	#
	# Now check that the mirrors file is usable.
	#

	if [ -e "${DB_PATH}/mirrors.dat" -a \( ! -f "${DB_PATH}/mirrors.dat" -o -h "${DB_PATH}/mirrors.dat" \) ]; then
		LEAVE=1
		echo "The mirrors file is not a file: ${DB_PATH}/mirrors.dat"
	fi

	if [ $LEAVE -eq 0 -a $VERSIONCHECK -eq 1 ]; then
		if [ $ROTATE_MIRRORS -eq 0 ]; then
			# The mirrors file only needs to be readable.
			if [ ! -e "${DB_PATH}/mirrors.dat" -o ! -s "${DB_PATH}/mirrors.dat" ]; then
				RET_CODE=1
				echo "The mirrors file does not exist or is empty: ${DB_PATH}/mirrors.dat"
				echo "Run 'rkhunter --update'" to restore the default mirrors file.
				echo "The default mirror will be used."
			fi
		else
			# The mirrors file needs to be writable.
			if [ ! -e "${DB_PATH}/mirrors.dat" -o ! -s "${DB_PATH}/mirrors.dat" ]; then
				LEAVE=1
				echo "The mirrors file does not exist or is empty: ${DB_PATH}/mirrors.dat"
				echo "Run 'rkhunter --update'" to restore the default mirrors file.
			elif [ ! -w "${DB_PATH}/mirrors.dat" ]; then
				LEAVE=1
				echo "The mirrors file is not writable: ${DB_PATH}/mirrors.dat"
			fi
		fi
	fi


	#
	# Next we see if the mirrors file is to be updated when
	# we use the '--update' option.
	#

	if [ $UPDATE -eq 1 ]; then
		ERRCODE=0

		UPDATE_MIRRORS=`get_option 1 single UPDATE_MIRRORS` || exit 1

		if [ -n "${UPDATE_MIRRORS}" ]; then
			check_is_digit UPDATE_MIRRORS

			test $ERRCODE -eq 1 && LEAVE=1
		else
			UPDATE_MIRRORS=1
		fi
	fi


	#
	# Finally, we see which mirrors are to be used.
	#

	ERRCODE=0

	MIRRORS_MODE=`get_option 1 single MIRRORS_MODE` || exit 1

	if [ -n "${MIRRORS_MODE}" ]; then
		check_is_digit MIRRORS_MODE MIRRORS_MODE 2

		test $ERRCODE -eq 1 && LEAVE=1
	else
		MIRRORS_MODE=0
	fi


	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_os_info_options() {

	#
	# This function gets configuration options relating
	# to obtaining information about the O/S.
	#
	# The first part gets the 'release' file pathname
	# from the configuration file. There is no default.
	#

	LEAVE=0
	ERRCODE=0

	OS_VERSION_FILE=`get_option 1 single OS_VERSION_FILE` || exit 1

	if [ -n "${OS_VERSION_FILE}" ]; then
		#
		# Check that the given file is usable.
		#

		check_paths OS_VERSION_FILE OS_VERSION_FILE STRICT

		if [ $ERRCODE -eq 0 ]; then
			if [ ! -r "${OS_VERSION_FILE}" ]; then
				LEAVE=1
				echo "Invalid OS_VERSION_FILE configuration option: File is not readable: ${OS_VERSION_FILE}"
			elif [ ! -s "${OS_VERSION_FILE}" ]; then
				LEAVE=1
				echo "Invalid OS_VERSION_FILE configuration option: File is empty: ${OS_VERSION_FILE}"
			fi
		else
			LEAVE=1
		fi
	fi


	#
	# Next we get the option as to whether we should
	# issue a warning when the O/S info changes or not.
	#

	ERRCODE=0

	WARN_ON_OS_CHANGE=`get_option 1 single WARN_ON_OS_CHANGE` || exit 1

	if [ -n "${WARN_ON_OS_CHANGE}" ]; then
		check_is_digit WARN_ON_OS_CHANGE

		test $ERRCODE -eq 1 && LEAVE=1
	else
		WARN_ON_OS_CHANGE=1
	fi


	#
	# Now get the option as to whether we should automatically run
	# a properties update ('--propupd') if the O/S has changed.
	#

	ERRCODE=0

	UPDT_ON_OS_CHANGE=`get_option 1 single UPDT_ON_OS_CHANGE` || exit 1

	if [ -n "${UPDT_ON_OS_CHANGE}" ]; then
		check_is_digit UPDT_ON_OS_CHANGE

		test $ERRCODE -eq 1 && LEAVE=1
	else
		UPDT_ON_OS_CHANGE=0
	fi

	if [ $LEAVE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_user_fileprop_list() {

	#
	# This function gets any user supplied files and directories
	# for the file properties check and the properties file update.
	# It stores the different types of files and directories
	# found in different variables. Only basic syntax checking is
	# done here, further checking will be done later on.
	#
	# The configuration option can have three basic values:
	#
	#    1) A simple file (command) name - for example, 'top'
	#    2) A directory - for example, '/usr/local/sbin'
	#    3) A full file pathname - for example, '/usr/local/sbin/backup'
	#
	# The first two are simply added to the internal lists of files
	# and directories. These are then used to build the file properties
	# file list. The third type is added directly to the end of the file.
	#
	# The second and third types may be wildcarded. They may also be
	# excluded from the checks by preceding them with a '!'. Only
	# files and directories matching user added ones can be excluded.
	# This prevents users from excluding anything in the internal list.
	# For example: USER_FILEPROP_FILES_DIRS="/opt/b* !/opt/backup"
	#

	FILENAMES=`get_option 2 multi USER_FILEPROP_FILES_DIRS` || exit 1

	test -z "${FILENAMES}" && return

	#
	# We must first check to see if any of the names are simple names but
	# with wildcard characters included. This is a little messy, but we
	# need to loop over the names without them being expanded.
	#

	N=0
	ERRCODE=0

	# Take a copy of the filenames.
	RKHTMPVAR="${FILENAMES}"

	# Single pathnames won't have a space in them.
	test -n "`echo \"${RKHTMPVAR}\" | grep ' '`" && RKHTMPVAR2=1 || RKHTMPVAR2=0

	while :; do
		N=`expr $N + 1`

		FNAME=`echo "${RKHTMPVAR}" | cut -d' ' -f $N`

		test -z "${FNAME}" && break

		if [ -n "`echo \"${FNAME}\" | grep '^[^/]*[][*?][^/]*$'`" ]; then
			ERRCODE=1
			echo "Invalid USER_FILEPROP_FILES_DIRS configuration option: Invalid pathname: ${FNAME}"
		fi

		test $RKHTMPVAR2 -eq 0 && break
	done

	#
	# We now 'echo' the variable so that any wildcards get expanded.
	#

	FILENAMES=`echo ${FILENAMES}`

	#
	# Next check the pathnames to ensure they are basically valid.
	#

	check_paths FILENAMES USER_FILEPROP_FILES_DIRS


	#
	# Now we loop through the entries and check them again. They
	# are then added to the relevant variable used to build the
	# file properties file list.
	#

	for FNAME in ${FILENAMES}; do
		FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.[]\)/\\\\\1/g'`

		#
		# First check for any files or directories to be excluded.
		#

		if [ -n "`echo \"${FNAME}\" | grep '^!'`" ]; then
			RKHTMPVAR=`echo ${FNAME} | cut -c2-`
			# Re-expand the name in case it has globbing characters.
			RKHTMPVAR=`echo ${RKHTMPVAR}`

			test -z "${USER_EXCLUDE_PROP}" && USER_EXCLUDE_PROP="${RKHTMPVAR}" || USER_EXCLUDE_PROP="${USER_EXCLUDE_PROP} ${RKHTMPVAR}"

			continue
		fi


		#
		# Now check to see if it is a simple file name.
		#

		if [ -z "`echo \"${FNAME}\" | grep '^/'`" ]; then
			# Check that it hasn't already been set. If it has, then we just ignore it.

			if [ -z "`echo \" ${USER_SIMPLE_FILE_LIST} \" | grep \" ${FNAMEGREP} \"`" ]; then
				test -z "${USER_SIMPLE_FILE_LIST}" && USER_SIMPLE_FILE_LIST="${FNAME}" || USER_SIMPLE_FILE_LIST="${USER_SIMPLE_FILE_LIST} ${FNAME}"
			fi
		else
			# It's an absolute pathname. This could be a file or a directory.

			if [ -f "${FNAME}" -o -h "${FNAME}" ]; then
				# Check that it hasn't already been set. If it has, then we just ignore it.

				test -n "`echo \"${USER_FILE_LIST}\" | grep \"^${FNAMEGREP}$\"`" && continue

				if [ -h "${FNAME}" -a $HAVE_READLINK -eq 1 ]; then
					RKHTMPVAR=`${READLINK_CMD} -f ${FNAME}`

					if [ -n "${RKHTMPVAR}" ]; then
						FNAMEGREP=`echo "${RKHTMPVAR}" | sed -e 's/\([.[]\)/\\\\\1/g'`

						if [ -z "`echo \"${USER_FILE_LIST}\" | grep \"^${FNAMEGREP}$\"`" ]; then
							FNAME="${FNAME}
${RKHTMPVAR}"
						fi
					fi
				fi

				#
				# Now add the file name.
				#

				test -z "${USER_FILE_LIST}" && USER_FILE_LIST="${FNAME}" || USER_FILE_LIST="${USER_FILE_LIST}
${FNAME}"
			elif [ -d "${FNAME}" ]; then
				if [ -h "${FNAME}" -a $HAVE_READLINK -eq 1 ]; then
					RKHTMPVAR=`${READLINK_CMD} -f ${FNAME}`

					if [ -z "${RKHTMPVAR}" ]; then
						ERRCODE=1
						echo "Invalid USER_FILEPROP_FILES_DIRS configuration option: Invalid link found: ${FNAME}"
						continue
					elif [ "${RKHTMPVAR}" = "/" ]; then
						ERRCODE=1
						echo "Invalid USER_FILEPROP_FILES_DIRS configuration option: Invalid pathname: ${FNAME} -> /"
						continue
					fi

					FNAME="${RKHTMPVAR}"
				fi

				#
				# Check that the name hasn't already been set. If it has, then we just ignore it.
				#

				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.[]\)/\\\\\1/g'`

				if [ -z "`echo \" ${USER_DIR_LIST} \" | grep \" ${FNAMEGREP} \"`" ]; then
					test -z "${USER_DIR_LIST}" && USER_DIR_LIST="${FNAME}" || USER_DIR_LIST="${USER_DIR_LIST} ${FNAME}"
				fi
			fi
		fi
	done

	if [ $ERRCODE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_properties_options() {

	#
	# This function gets any configuration options required for
	# the file properties check and the properties file update.
	#
	# For options where filenames are specified, the existence
	# of the filename is checked.
	#

	check_test hashes && HASH_CHECK_ENABLED=1
	check_test attributes && HASH_CHECK_ENABLED=1


	ERRCODE=0

	ATTRWHITELIST=`get_option 2 multi ATTRWHITELIST` || exit 1

	if [ -n "${ATTRWHITELIST}" ]; then
		#
		# We 'echo' the variable so that any wildcards get expanded.
		#

		ATTRWHITELIST=`echo ${ATTRWHITELIST}`

		check_paths ATTRWHITELIST
	fi


	WRITEWHITELIST=`get_option 2 multi WRITEWHITELIST` || exit 1

	if [ -n "${WRITEWHITELIST}" ]; then
		WRITEWHITELIST=`echo ${WRITEWHITELIST}`

		check_paths WRITEWHITELIST
	fi


	IMMUTWHITELIST=`get_option 2 multi IMMUTWHITELIST` || exit 1

	if [ -n "${IMMUTWHITELIST}" ]; then
		IMMUTWHITELIST=`echo ${IMMUTWHITELIST}`

		check_paths IMMUTWHITELIST
	fi


	IMMUTABLE_SET=`get_option 1 single IMMUTABLE_SET` || exit 1

	if [ -n "${IMMUTABLE_SET}" ]; then
		check_is_digit IMMUTABLE_SET
	else
		IMMUTABLE_SET=0
	fi


	SCRIPTWHITELIST=`get_option 2 multi SCRIPTWHITELIST` || exit 1

	if [ -n "${SCRIPTWHITELIST}" ]; then
		SCRIPTWHITELIST=`echo ${SCRIPTWHITELIST}`

		check_paths SCRIPTWHITELIST
	fi


	if [ $ERRCODE -eq 1 ]; then
		if [ $CONFIG_CHECK -eq 0 ]; then
			exit 1
		else
			RET_CODE=1
		fi
	fi

	return
}


get_prelink_dep_option() {

	#
	# This function gets the prelink dependency error option.
	# This option is a workaround for any files which persistently
	# give a prelinking dependency error.
	#

	ERRCODE=0

	RKHTMPVAR=`get_option 2 multi IGNORE_PRELINK_DEP_ERR` || exit 1

	if [ -n "${RKHTMPVAR}" ]; then
		check_paths RKHTMPVAR IGNORE_PRELINK_DEP_ERR STRICT

		if [ $ERRCODE -eq 0 ]; then
			PRELINK_DEP_ERR_CMDS=" ${RKHTMPVAR} "
		else
			if [ $CONFIG_CHECK -eq 0 ]; then
				exit 1
			else
				RET_CODE=1
			fi
		fi
	fi

	return
}


get_configfile_options() {

	#
	# We call separate functions to process each option. The option
	# is checked first to see if it has been given on the command-line,
	# and, if not, then if it is specified in the configuration file.
	# Note that some of these functions are in a specific order. If you
	# change them around, then make sure the functions still work
	# correctly.
	#

	get_bindir_option

	get_scriptdir_option

	#
	# Now that we have processed BINDIR, we will recheck the required
	# commands.
	#
	# Before proceeding too far we also check that we have certain
	# commands available. Typically these are commands which might
	# not have been installed as part of the core system, but are
	# used by RKH. These commands are not 'required' though.
	#

	check_required_commands 2

	check_commands


	get_installdir_option

	get_rootdir_option

	get_logfile_option

	get_tmpdir_option

	get_dbdir_option

	get_language_option

	get_auto_x_option

	get_locking_options


	#
	# Some options are only required when checking the system.
	#

	if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
		#
		# See if we are only to perform specific tests.
		#

		get_enable_option
		get_disable_option

		check_test_options

		get_existwl_option
	fi

	if [ $CHECK -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
		test $NOMOW -eq 0 && get_mailonwarn_option

		get_ssh_options

		get_syslog_config_options

		get_syslog_option

		get_scan_mode_dev_option

		get_startup_paths_option

		get_rtkt_whitelist_options

		check_test trojans && get_xinetd_option

		check_test ports || check_test hidden_ports && get_ports_option

		check_test group_accounts && get_shadow_file_option

		check_test shared_libs && get_shared_lib_whitelist_option

		get_epoch_date_cmd_option

		get_phalanx2_option

		get_dev_options

		get_hidden_options

		check_test hidden_procs && get_unhide_options

		check_test suspscan && get_suspscan_options
	fi


	#
	# We only need the hash function option if we are going
	# to be checking the system or updating the file
	# properties database.
	#

	if `check_test properties` || test $PROP_UPDATE -eq 1 || test $CONFIG_CHECK -eq 1; then
		#
		# For the file properties check we need to find out if
		# we are a prelinked system, and if so, then find out
		# which hash function to use. Secondly, we need to find
		# the 'stat' command. Finally, we need to see if the
		# user has specified any files or directories for the
		# file properties check.
		#

		get_if_prelinked

		get_hash_function

		get_os_info_options

		get_user_fileprop_list

		get_properties_options
	fi

	#
	# If we are doing a file properties update, then we need to
	# see if we should be ignoring prelink errors for any files.
	#

	if [ $PROP_UPDATE -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
		get_prelink_dep_option
	fi

	#
	# Get any set options when doing an update or version check.
	#

	if [ $UPDATE -eq 1 -o $VERSIONCHECK -eq 1 -o $CONFIG_CHECK -eq 1 ]; then
		get_mirror_options

		get_webcmd_option
	fi

	return
}


get_readable_date() {

	#
	# This function returns a given epoch second time as a
	# human-readable date and time. It sets the READABLE_DATE
	# variable.
	#

	EPOCH_SECS=$1

	READABLE_DATE=""

	if [ "${EPOCH_DATE_CMD}" = "NONE" ]; then
		:
	elif [ -n "${EPOCH_DATE_CMD}" ]; then
		EPOCH_NOW=`${EPOCH_DATE_CMD} '+%s'`
		EPOCH_SECS=`expr $EPOCH_NOW - $EPOCH_SECS`

		READABLE_DATE=`${EPOCH_DATE_CMD} --date "$EPOCH_SECS seconds ago" '+%d-%b-%Y %H:%M:%S' 2>/dev/null`
	elif [ -n "${PERL_CMD}" ]; then
		READABLE_DATE=`${PERL_CMD} -e "@a=split(' ',scalar(localtime($EPOCH_SECS))); printf \"%d-%s-%d %s\",\\$a[2],\\$a[1],\\$a[4],\\$a[3];" 2>/dev/null`
	fi

	return
}


rkh_dat_set_version() {

	#
	# This function calculates and writes out the 'Version:' value
	# for the rkhunter.dat file. It looks for an old value, and adds
	# one to it. If there is no value then simply start at zero.
	#

	TODAY=`date +%Y%m%d 2>/dev/null`

	OLDVER=`grep '^[Vv]ersion:' ${RKHDAT_FILE} 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f2`

	if [ -n "${OLDVER}" ]; then
		OLDDATE=`echo "${OLDVER}" | cut -c1-8`
		OLDVER=`echo "${OLDVER}" | cut -c9-10`

		if [ "${OLDVER}" = "99" -o "${OLDDATE}" != "${TODAY}" -o -z "${OLDVER}" -o -n "`echo \"${OLDVER}\" | grep '[^0-9]'`" ]; then
			NEWVER="00"
		else
			NEWVER=`expr ${OLDVER} + 1`
			test $NEWVER -lt 10 && NEWVER="0${NEWVER}"
		fi
	else
		NEWVER="00"
	fi

	echo "Version:${TODAY}${NEWVER}" >>${RKHDAT_TMPFILE}

	return
}


rkh_dat_get_os_info() {

	#
	# This function obtains information about the local computer
	# system. This is then written into the rkhunter.dat file
	# using a simple 'keyword:<value>' format. The OSNAME and
	# ARCH values are not important, but are simply used to check
	# whether they have changed since RKH was last run.
	#
	# Obtaining the OSNAME is somewhat tricky. There is no sure
	# way of finding the information, so we have to use some tricks
	# to locate the correct file. First we look for certain specific
	# O/S release files, and then at the /etc/release file, but not
	# if it is a link. Next we look for a generic /etc/*-release
	# file, again not as a link. This should find most O/S versions.
	# Overall this should also save users having to ask us to support
	# their O/S. In other cases, we will have to ask what file does
	# contain their O/S release information.
	#

	ARCH=""
	OSNAME=""
	RELEASE=""

	if [ -n "${OS_VERSION_FILE}" ]; then
		REL_FILES="${OS_VERSION_FILE}"
	else
		REL_FILES="/etc/system-release /etc/lsb-release /etc/debian_version /etc/slackware-version /var/ipcop/general-functions.pl /etc/lunar.release /etc/ROCK-VERSION /etc/GoboLinuxVersion /etc/kanotix-version /etc/sidux-version /etc/knoppix-version /etc/zenwalk-version /etc/release /etc/*-release"
	fi

	RKH_LSB_SEEN=0

	for FNAME in ${REL_FILES}; do
		test ! -f "${FNAME}" && continue

		if [ "${FNAME}" = "/etc/system-release" ]; then
			RKH_IN_LSB=0
			RELEASE=$FNAME
			OSNAME=`cat ${FNAME}`
			break
		elif [ ! -h "${FNAME}" ]; then
			RELEASE=$FNAME

			RKH_IN_LSB=0

			case "${RELEASE}" in
			/etc/lsb-release)
				RKH_IN_LSB=1
				RKH_LSB_SEEN=1
				OSNAME=`grep '^DISTRIB_DESCRIPTION=' ${RELEASE} | sed -e 's/DISTRIB_DESCRIPTION=//' | tr -d '"'`
				;;
			/etc/gentoo-release)
				if [ -h "/etc/make.profile" ]; then
					OSNAME="Gentoo `ls -l /etc/make.profile 2>/dev/null | sed -e 's;^.*/\([^/]*/[^/]*\)$;\1;' | tr '/' ' '`"
				else
					OSNAME="Gentoo"
				fi
				;;
			/var/ipcop/general-functions.pl)
				OSNAME=`grep 'version *=' ${RELEASE} | head ${HEAD_OPT}1`
				;;
			/etc/debian_version)
				OSNAME="Debian `cat ${RELEASE}`"
				;;
			/etc/GoboLinuxVersion)
				OSNAME="GoboLinux `cat ${RELEASE}`"
				;;
			/etc/knoppix-version)
				OSNAME="Knoppix `cat ${RELEASE}`"
				;;
			/etc/zenwalk-version)
				OSNAME="Zenwalk `cat ${RELEASE}`"
				;;
			*)
				OSNAME=`awk '/^[ 	]*[^ 	]/ { print $0 }' ${RELEASE} | head ${HEAD_OPT}1`
				;;
			esac


			#
			# Strip out any leading blanks and tabs from the O/S version.
			#

			test -n "${OSNAME}" && OSNAME=`echo ${OSNAME}`


			#
			# If we have a release file but it seems to be blank,
			# and we are not looking at the LSB release file, then
			# we take a look for the first non-blank line. We
			# then, again, strip out any leading blanks and tabs.
			#

			if [ $RKH_IN_LSB -eq 0 -a -z "${OSNAME}" ]; then
				OSNAME=`awk '/^[ 	]*[^ 	]/ { print $0 }' ${RELEASE} | head ${HEAD_OPT}1`
				OSNAME=`echo ${OSNAME}`
			fi

			test -n "${OSNAME}" && break
		fi
	done


	if [ -z "${OSNAME}" ]; then
		RELEASE=""

		if [ -d "/var/smoothwall" ]; then
			OSNAME="Smoothwall Linux"
			RELEASE="/var/smoothwall"
		elif [ -n "`which sorcery 2>/dev/null | grep -v ' '`" -a -n "`which gaze 2>/dev/null | grep -v ' '`" ]; then
			OSNAME="Source Mage Linux"
		fi
	fi

	case "${OPERATING_SYSTEM}" in
	SunOS)
		ARCH=`uname -p 2>/dev/null`
		;;
	FreeBSD|DragonFly)
		ARCH=`sysctl -n hw.machine_arch 2>/dev/null`
		OSNAME=`uname -v 2>/dev/null | cut -d' ' -f1,2`
		;;
	OpenBSD)
		OSNAME="OpenBSD `uname -r 2>/dev/null`"
		;;
	Darwin)
		OSNAME=`sw_vers 2>/dev/null | grep '^ProductName:' | sed -e 's/ProductName:[ 	]*//'`
		OSNAME="${OSNAME} `sw_vers 2>/dev/null | grep '^ProductVersion:' | sed -e 's/ProductVersion:[ 	]*//'`"
#		OSNAME="${OSNAME} `sysctl kern.version 2>/dev/null | sed -e 's/^kern.version = //' | cut -d: -f1`"

		if [ -n "`sysctl -a 2>/dev/null | egrep '^(hw\.optional\.x86_64|hw\.optional\.64bitops|hw\.cpu64bit_capable).*1$'`" ]; then
			OSNAME="${OSNAME} (64-bit capable)"
		fi
		;;
	AIX)
		ARCH=`uname -p 2>/dev/null`
		OSNAME="IBM AIX `oslevel 2>/dev/null`"
		;;
	IRIX*)
		OSNAME="${OPERATING_SYSTEM} `uname -r 2>/dev/null`"
		;;
	esac


	#
	# If we still have no O/S version information, then as a last
	# resort we will look to see if an 'issue' file exists or use
	# whatever is in the LSB release file. We test these last because
	# they are not necessarily reliable in providing the O/S version.
	#
	# However, if an O/S has been found, but it seems to be just a
	# version number, then we look for the first word in the 'issue'
	# file and prepend that. Hopefully, it will make sense!
	#

	if [ -z "${OSNAME}" ]; then
		if [ -f "/etc/issue" ]; then
			OSNAME=`awk '/^[ 	]*[^ 	]/ { print $0 }' /etc/issue | head ${HEAD_OPT}1`
			OSNAME=`echo ${OSNAME}`
			test -n "${OSNAME}" && RELEASE="/etc/issue"
		fi

		if [ $RKH_LSB_SEEN -eq 1 -a -z "${OSNAME}" ]; then
			OSNAME=`awk '/^[ 	]*[^ 	]/ { print $0 }' /etc/lsb-release | head ${HEAD_OPT}1`
			OSNAME=`echo ${OSNAME}`
			test -n "${OSNAME}" && RELEASE="/etc/lsb-release"
		fi
	elif [ -n "`echo \"${OSNAME}\" | grep '^[0-9.][0-9.]*$'`" ]; then
		if [ -f "/etc/issue" ]; then
			RKHTMPVAR=`awk '/^[ 	]*[^ 	]/ { print $1 }' /etc/issue | head ${HEAD_OPT}1`

			test -n "${RKHTMPVAR}" && OSNAME="${RKHTMPVAR} ${OSNAME}"
		fi
	fi


	#
	# If some things have still not been set, then set them now.
	#

	test -z "${ARCH}" && ARCH=`uname -m 2>/dev/null`
	test -z "${OSNAME}" && OSNAME="`uname` `uname -r 2>/dev/null`"


	return
}


rkh_dat_set_file_properties() {

	#
	# This function obtains various bits of information about the
	# files to be checked. The format in the rkhunter.dat file is:
	#
	#     File:<pathname>:<hash value>:<inode>:<permissions>:<uid>:<gid>:
	#          <file size>:<date/time modified>:<package name>
	#
	# The format is actually governed by the stat.pl file, and the
	# output it produces. Changing the order of options does not
	# change the order of the output.
	#
	# To save time in the loops below, we determine the exact commands
	# required before using them.
	#

	NOHASH_COUNT=0
	BROKEN_LINK_COUNT=0
	PROP_FILE_LIST_COUNT=0
	PROP_FILE_PROPOPT_COUNT=0

	DIR_FILE_COUNT=""

	display --to LOG --type PLAIN SET_FILE_PROP_START


	if ! `check_test attributes` && test $ENDIS_OPT -eq 0; then
		SCMD=""
		INODECMD=""
	elif [ -z "${STAT_CMD}" ]; then
		SCMD=""
		INODECMD=""
	else
		if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
			if [ "${PKGMGR}" = "SOLARIS" ]; then
				SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --mtime"
			else
				SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --Mtime"
			fi

			INODECMD="${STAT_CMD} --modeoct --raw --ino"
		elif [ $BSDOS -eq 1 -o $MACOSX -eq 1 ]; then
			SCMD="${STAT_CMD} -f '%i %Mp%Lp %u %g %z %m:'"
			INODECMD="${STAT_CMD} -f '%i'"
		else
			SCMD="${STAT_CMD} -c '%i 0%a %u %g %s %Y:'"
			INODECMD="${STAT_CMD} -c '%i'"
		fi
	fi


	if ! `check_test hashes` && test $ENDIS_OPT -eq 0; then
		HASH_CMD=""
	elif [ -z "${PKGMGR}" -a "${HASH_FUNC}" = "NONE" ]; then
		HASH_CMD=""
	else
		HASH_CMD="${HASH_FUNC}"
	fi


	#
	# Now loop through the pathnames looking for the files.
	#

	for FNAME in `cat ${RKH_FILEPROP_LIST}`; do
		test ! -f "${FNAME}" -a ! -h "${FNAME}" && continue

		FDATA=""
		SYSHASH=""
		PKGNAME=""
		FNAMEGREP=""
		RPM_QUERY_RESULT=""
		NOVRFYFILE=0
		FILE_IS_PKGD=0
		DEPENDENCY_ERR=0

		PROP_FILE_LIST_COUNT=`expr ${PROP_FILE_LIST_COUNT} + 1`


		#
		# Test to see if we are looking for specific files or not.
		#

		FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.[]\)/\\\\\1/g'`

		if [ -n "${PROPUPD_OPT}" ]; then
			#
			# If we are looking for specific files, then just copy the
			# entries from the current rkhunter.dat file for the files
			# we aren't looking for. For the ones we do want, we fall
			# through and process them as before.
			#

			if [ -z "`echo \"${PROPUPD_OPT}\" | grep \" ${FNAMEGREP} \"`" ]; then
				RKHTMPVAR=`grep "^File:${FNAMEGREP}:" ${RKHDAT_FILE}`

				if [ -n "${RKHTMPVAR}" ]; then
					echo "${RKHTMPVAR}" >>${RKHDAT_TMPFILE}
					continue
				fi
			fi

			PROP_FILE_PROPOPT_COUNT=`expr ${PROP_FILE_PROPOPT_COUNT} + 1`
		fi


		#
		# Sort out the directory counters.
		#

		test -n "${DIRNAME_CMD}" && DIR=`${DIRNAME_CMD} ${FNAME}` || DIR=`echo "${FNAME}" | sed -e 's:/[^/]*$::'`

		RKHTMPVAR2=`echo "${DIR}" | sed -e 's/\./\\\./g'`

		RKHTMPVAR=`echo "${DIR_FILE_COUNT}" | grep "^${RKHTMPVAR2}:"`

		if [ -z "${RKHTMPVAR}" ]; then
			DIR_FILE_COUNT="${DIR_FILE_COUNT}
${DIR}:1"
		else
			RKHTMPVAR=`echo ${RKHTMPVAR} | cut -d: -f2`
			RKHTMPVAR=`expr ${RKHTMPVAR} + 1`

			DIR_FILE_COUNT=`echo "${DIR_FILE_COUNT}" | sed -e "s;^\(${DIR}:\).*;\1${RKHTMPVAR};"`
		fi


		#
		# See if the file is to be exempt from any package manager verification.
		#

		if [ -n "`echo \"${PKGMGRNOVRFY}\" | grep \" ${FNAMEGREP} \"`" ]; then
			NOVRFYFILE=1
		fi


		#
		# Now start to get the file info by seeing if we are using a
		# package manager. If we are, then get the package name and
		# any other info we can excarot the hash value. That will be
		# dealt with afterwards.
		#

		case "${PKGMGR}" in
		RPM)
			#
			# First see if the file is exempt or belongs to a package.
			#

			if [ $NOVRFYFILE -eq 1 ]; then
				ERRCODE=1
			else
				RKHTMPVAR=`${RPM_CMD} -qf ${FNAME} --queryformat '%{NAME}\n' 2>/dev/null`
				ERRCODE=$?
			fi

			if [ $ERRCODE -eq 0 ]; then
				#
				# Okay we have a package name.
				#

				FILE_IS_PKGD=1
				PKGNAME=`echo "${RKHTMPVAR}" | tail ${TAIL_OPT}1`

				RPM_QUERY_RESULT_ARCH=`${RPM_CMD} -qf --queryformat '[%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{ARCH}:%{FILENAMES}\n]' ${FNAME} 2>/dev/null | grep ":${FNAMEGREP}\$"`
				ERRCODE=$?

				if [ $ERRCODE -eq 0 ]; then
					#
					# If multiple packages claim the same file, we
					# use the last one in the list. However, if we
					# have 64-bit as well as 32-bit packages, then
					# we use the 64-bit package in preference (as
					# this is what RPM does).
					#

					RPM_QUERY_RESULT=`echo "${RPM_QUERY_RESULT_ARCH}" | egrep ':(x86_64|ia64):' | tail ${TAIL_OPT}1`

					test -z "${RPM_QUERY_RESULT}" && RPM_QUERY_RESULT=`echo "${RPM_QUERY_RESULT_ARCH}" | tail ${TAIL_OPT}1`

					FPERM="0`echo \"${RPM_QUERY_RESULT}\" | cut -d: -f1 | cut -c 3-`"
					FPERM=`echo "${FPERM}" | sed -e 's/^00/0/'`

					RKHUID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f2`
					RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`

					RKHGID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f3`
					RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`

					RKHSIZE=`echo "${RPM_QUERY_RESULT}" | cut -d: -f4`

					RKHDTM=`echo "${RPM_QUERY_RESULT}" | cut -d: -f5`

					#
					# Now get the inode value directly from the disk,
					# but only if prelinking is not being used.
					#

					RKHTMPVAR2=""

					if [ $PRELINKED -eq 0 -a -n "${INODECMD}" ]; then
						RKHTMPVAR2=`eval ${INODECMD} ${FNAME} 2>/dev/null | tr -d ' '`
					fi

					FDATA="${RKHTMPVAR2}:${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}"
				else
					display --to LOG --type INFO CMD_ERROR "rpm -qf --queryformat... ${FNAME}" $ERRCODE
				fi
			fi
			;;
		DPKG)
			#
			# First see if the file is exempt or part of a known package.
			#

			if [ $NOVRFYFILE -eq 1 ]; then
				ERRCODE=1
			else
				RKHTMPVAR=`${DPKG_CMD} --search ${FNAME} 2>/dev/null`
				ERRCODE=$?
			fi

			if [ $ERRCODE -eq 0 ]; then
				#
				# Now we sort out the base part of the package name.
				#

				PKGNAME=`echo "${RKHTMPVAR}" | tail ${TAIL_OPT}1 | cut -d: -f1`
			fi
			;;
		BSD)
			#
			# First see if the file is exempt or part of a known package.
			#

			if [ $NOVRFYFILE -eq 1 ]; then
				ERRCODE=1
			else
				RKHTMPVAR=`${PKG_CMD} -F -e ${FNAME} 2>/dev/null`
				ERRCODE=$?
			fi

			if [ $ERRCODE -eq 0 ]; then
				#
				# Now we sort out the base part of the package name.
				#

				PKGNAME=`echo "${RKHTMPVAR}" | tail ${TAIL_OPT}1 | sed -e 's/[0-9]nb[0-9][0-9]*$//; s/-[0-9.]*$//'`
			fi
			;;
		SOLARIS)
			#
			# First see if the file is exempt or belongs to a package.
			#

			if [ $NOVRFYFILE -eq 1 ]; then
				ERRCODE=1
			else
				RKHTMPVAR=`grep "^${FNAMEGREP} " /var/sadm/install/contents 2>/dev/null`
				test -n "${RKHTMPVAR}" && ERRCODE=0 || ERRCODE=1
			fi

			if [ $ERRCODE -eq 0 ]; then
				#
				# Okay we have a package name.
				#

				PKGNAME=`echo "${RKHTMPVAR}" | cut -d' ' -f10-`

				FPERM=`echo "${RKHTMPVAR}" | cut -d' ' -f4`

				RKHUID=`echo "${RKHTMPVAR}" | cut -d' ' -f5`
				RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`

				RKHGID=`echo "${RKHTMPVAR}" | cut -d' ' -f6`
				RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`

				RKHSIZE=`echo "${RKHTMPVAR}" | cut -d' ' -f7`

				if [ $USE_SUNSUM -eq 1 ]; then
					# Treat this as a fully packaged file.
					FILE_IS_PKGD=1
					SYSHASH=`echo "${RKHTMPVAR}" | cut -d' ' -f8`
				fi

				RKHDTM=`echo "${RKHTMPVAR}" | cut -d' ' -f9`

				#
				# Now get the inode value.
				#

				RKHTMPVAR2=""

				test -n "${INODECMD}" && RKHTMPVAR2=`eval ${INODECMD} ${FNAME} 2>/dev/null | tr -d ' '`

				FDATA="${RKHTMPVAR2}:${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}"
			fi
			;;
		esac


		if [ -n "${HASH_CMD}" ]; then
			if [ -n "`echo \"${PRELINK_DEP_ERR_CMDS}\" | grep \" ${FNAMEGREP} \"`" ]; then
				FILE_IS_PKGD=1
				SYSHASH="ignore-prelink-dep-err"
				display --to LOG --type INFO FILE_PROP_IGNORE_PRELINK_DEP_ERR "${FNAME}"
			else
				case "${PKGMGR}" in
				RPM)
					test $FILE_IS_PKGD -eq 1 && SYSHASH=`echo "${RPM_QUERY_RESULT}" | cut -d: -f6`
					;;
				DPKG)
					#
					# If we have a package name, then strip of the leading
					# '/' from the pathname, and then get the hash value.
					#

					if [ -n "${PKGNAME}" ]; then
						if [ -f "/var/lib/dpkg/info/${PKGNAME}.md5sums" ]; then
							FILNAM=`echo "${FNAME}" | sed -e 's:^/::; s:\.:\\\.:g'`
							SYSHASH=`egrep "( |\./)${FILNAM}\$" /var/lib/dpkg/info/${PKGNAME}.md5sums 2>/dev/null | cut -d' ' -f1`
							test -n "${SYSHASH}" && FILE_IS_PKGD=1
						fi
					fi
					;;
				BSD)
					#
					# If we have a package name, then strip of the leading
					# '/usr/pkg' from the pathname, and then get the hash value.
					#

					if [ -n "${PKGNAME}" ]; then
						FILNAM=`echo "${FNAME}" | sed -e 's:^/usr/pkg/::; s:\.:\\\.:g'`
						SYSHASH=`${PKG_CMD} -v -L ${RKHTMPVAR} 2>/dev/null | grep -A 1 "File: ${FILNAM}\$" | tail ${TAIL_OPT}1 | cut -d: -f3`
						test -n "${SYSHASH}" && FILE_IS_PKGD=1
					fi
					;;
				SOLARIS)
					#
					# If we are to use the stored 16-bit checksum, then
					# SYSHASH will already have been set above. Otherwise,
					# just calculate the hash as for non-packaged files.
					#
					;;
				esac
			fi

			if [ $FILE_IS_PKGD -eq 0 ]; then
				if [ "${HASH_CMD}" != "NONE" ]; then
					SYSHASH=""
					RKHTMPVAR=`${HASH_CMD} ${FNAME} 2>&1`

					if [ -n "`echo \"${RKHTMPVAR}\" | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
						DEPENDENCY_ERR=1
						RKHTMPVAR=`echo "${RKHTMPVAR}" | tr '\n' ':' | sed -e 's/:$//'`
					else
						SYSHASH=`echo "${RKHTMPVAR}" | cut -d' ' -f $HASH_FLD_IDX | grep '^[0-9a-fA-F]*$'`
					fi
				fi

				if [ -z "${SYSHASH}" ]; then
					if [ "${HASH_CMD}" = "NONE" ]; then
						if [ $VERBOSE_LOGGING -eq 1 ]; then
							display --to LOG --type INFO FILE_PROP_NO_PKGMGR_FILE "${FNAME}"
						fi
					elif [ -h "${FNAME}" -a ! -e "${FNAME}" ]; then
						if [ $HAVE_READLINK -eq 1 ]; then
							BL_TARGET=`${READLINK_CMD} -f ${FNAME}`
							RKHTMPVAR=" -> ${BL_TARGET}"
							RKHTMPVAR2=`echo "${BL_TARGET}" | sed -e 's/\([.[]\)/\\\\\1/g'`
						else
							RKHTMPVAR=""
						fi

						# Check the link target to see if it is whitelisted.
						if [ $HAVE_READLINK -eq 1 -a -n "`echo \"${EXISTWHITELIST}\" | grep \" ${RKHTMPVAR2} \"`" ]; then
							if [ $VERBOSE_LOGGING -eq 1 ]; then
								display --to LOG --type INFO FILE_PROP_BROKEN_LINK_WL_TGT "${FNAME}${RKHTMPVAR}"
							fi
						else
							# Treat a broken link simply as a file with no hash.
							BROKEN_LINK_COUNT=`expr ${BROKEN_LINK_COUNT} + 1`

							display --to LOG --type WARNING FILE_PROP_NO_SYSHASH "${FNAME}"

							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_BL "${FNAME}${RKHTMPVAR}"
						fi
					else
						NOHASH_COUNT=`expr ${NOHASH_COUNT} + 1`

						display --to LOG --type WARNING FILE_PROP_NO_SYSHASH "${FNAME}"

						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_CMD "${RKHTMPVAR}"

						if [ $DEPENDENCY_ERR -eq 1 ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_DEPENDENCY "${FNAME}"
						fi
					fi
				fi
			fi
		fi


		if [ -z "${SCMD}" ]; then
			FDATA=":::::"
		else
			if [ -z "${FDATA}" ]; then
				FDATA=`eval ${SCMD} ${FNAME} 2>/dev/null | tr ' ' ':' | sed -e 's/:$//'`

				if [ -z "${FDATA}" ]; then
					FDATA=":::::"
				elif [ -n "`echo ${FDATA} | grep '^[^:]*:0[0-9][0-9][0-9][0-9]:'`" ]; then
					# Ensure the file permissions consist of only 4 digits.
					FDATA=`echo $FDATA | sed -e 's/^\([^:]*:\)0\(.*\)$/\1\2/'`
				fi
			fi
		fi

		echo "File:${FNAME}:${SYSHASH}:${FDATA}:${PKGNAME}:" >>${RKHDAT_TMPFILE}
	done


	#
	# Display the number of files found in the directories.
	#

	for DIR in ${DIR_FILE_COUNT}; do
		test -z "${DIR}" && continue

		RKHTMPVAR=`echo $DIR | cut -d: -f1`
		RKHTMPVAR2=`echo $DIR | cut -d: -f2`

		display --to LOG --type INFO SET_FILE_PROP_DIR_FILE_COUNT $RKHTMPVAR2 "${RKHTMPVAR}"
	done


	#
	# Finally put the new file in place.
	#

	if [ -f ${RKHDAT_FILE} ]; then
		RKHTMPVAR="updated"
	else
		RKHTMPVAR="created"
	fi

	test $NOHASH_COUNT -gt 0 -o $BROKEN_LINK_COUNT -gt 0 && RET_CODE=1

	# Don't display messages if this is an automatic update.
	if [ $OS_CHANGED -eq 1 -a $UPDT_ON_OS_CHANGE -eq 1 ]; then
		:
	else
		if [ $NOHASH_COUNT -eq 0 ]; then
			if [ $BROKEN_LINK_COUNT -eq 0 ]; then
				if [ -n "${PROPUPD_OPT}" ]; then
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_PROPOPT "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT
				else
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT
				fi
			else
				if [ -n "${PROPUPD_OPT}" ]; then
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_PROPOPT_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT $BROKEN_LINK_COUNT
				else
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT $BROKEN_LINK_COUNT
				fi
			fi
		else
			if [ $BROKEN_LINK_COUNT -eq 0 ]; then
				if [ -n "${PROPUPD_OPT}" ]; then
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH_PROPOPT "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT $NOHASH_COUNT
				else
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT $NOHASH_COUNT
				fi
			else
				if [ -n "${PROPUPD_OPT}" ]; then
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH_PROPOPT_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_PROPOPT_COUNT $PROP_FILE_LIST_COUNT $NOHASH_COUNT $BROKEN_LINK_COUNT
				else
					display --to SCREEN+LOG --type INFO SET_FILE_PROP_FILE_COUNT_NOHASH_BL "${RKHTMPVAR}" $PROP_FILE_LIST_TOTAL $PROP_FILE_LIST_COUNT $NOHASH_COUNT $BROKEN_LINK_COUNT
				fi
			fi
		fi
	fi

	return
}


create_rkh_file_prop_list() {

	#
	# This function creates the file of pathnames
	# used for the file properties check.
	#

	rm -f ${RKH_FILEPROP_LIST} >/dev/null 2>&1

	for DIR in ${PROP_DIR_LIST}; do
		for FNAME in ${PROP_FILE_LIST}; do
			echo "${DIR}/${FNAME}" >>${RKH_FILEPROP_LIST}
		done
	done


	#
	# Now we add any user specified absolute
	# pathnames to be included in the list.
	#

	if [ -n "${USER_FILE_LIST}" ]; then
		for FNAME in ${USER_FILE_LIST}; do
			#
			# We must exclude any user requested files or directories.
			#

			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.[]\)/\\\\\1/g'`

			if [ -n "${USER_EXCLUDE_PROP}" ]; then
				test -n "`echo \" ${USER_EXCLUDE_PROP} \" | grep \" ${FNAMEGREP} \"`" && continue
			fi

			test -z "`grep \"^${FNAMEGREP}$\" ${RKH_FILEPROP_LIST} 2>/dev/null`" && echo "${FNAME}" >>${RKH_FILEPROP_LIST}
		done
	fi

	chmod 640 ${RKH_FILEPROP_LIST} >/dev/null 2>&1

	return
}


do_prop_update() {

	#
	# This function updates the local hosts rkhunter.dat file
	# with O/S information and file properties.
	#

	display --to LOG --type INFO --nl PROPUPD_START

	#
	# First we need to get a temporary file name to use.
	#

	get_temp_file "${RKHTMPDIR}/rkhunter.dat"
	RKHDAT_TMPFILE=$TEMPFILE

	display --to LOG --type INFO CREATED_TEMP_FILE "${RKHDAT_TMPFILE}"


	#
	# We now start to write out information about this system
	# to the file. Some information we already have available,
	# but for others we call functions to obtain what is wanted.
	#

	rkh_dat_set_version

	display --to LOG --type PLAIN PROPUPD_OSINFO_START

	rkh_dat_get_os_info

	echo "Host:${HOST_NAME}" >>${RKHDAT_TMPFILE}

	if [ -n "${ARCH}" ]; then
		echo "Arch:${ARCH}" >>${RKHDAT_TMPFILE}
		display --to LOG --type INFO PROPUPD_ARCH_FOUND "${ARCH}"
	fi

	if [ -n "${RELEASE}" ]; then
		display --to LOG --type INFO PROPUPD_REL_FILE "${RELEASE}"
	else
		display --to LOG --type INFO PROPUPD_NO_REL_FILE
		display --to LOG --type PLAIN NAME "      `ls -ld /etc/*release* /etc/*version* 2>/dev/null | tr '\n' ' '`"
	fi

	if [ -n "${OSNAME}" ]; then
		echo "OS:${OSNAME}" >>${RKHDAT_TMPFILE}
		display --to LOG --type INFO PROPUPD_OSNAME_FOUND "${OSNAME}"
	fi

	if [ $PRELINKED -eq 0 ]; then
		echo "Prelinked:No" >>${RKHDAT_TMPFILE}
	else
		echo "Prelinked:Yes" >>${RKHDAT_TMPFILE}
	fi

	#
	# We do not want to bother storing the file hashes or other attibutes
	# if the user has disabled these tests permanently. However, to do
	# this we must check whether the relevant test is enabled or not, and
	# that the --enable/--disable command-line options have not been used.
	#

	if ! `check_test hashes` && test $ENDIS_OPT -eq 0; then
		echo "Hash:Disabled" >>${RKHDAT_TMPFILE}
	elif [ -n "${PRELINK_HASH}" ]; then
		echo "Hash:${PRELINK_HASH}" >>${RKHDAT_TMPFILE}
	else
		echo "Hash:${HASH_FUNC}" >>${RKHDAT_TMPFILE}
	fi

	echo "Pkgmgr:${PKGMGR}" >>${RKHDAT_TMPFILE}

	if ! `check_test attributes` && test $ENDIS_OPT -eq 0; then
		echo "Attributes:Disabled" >>${RKHDAT_TMPFILE}
	elif [ -z "${STAT_CMD}" ]; then
		echo "Attributes:Nostatcmd" >>${RKHDAT_TMPFILE}
	else
		echo "Attributes:Stored" >>${RKHDAT_TMPFILE}
	fi


	#
	# Before we get the actual file properties we need
	# to write out the current list of pathnames.
	#

	create_rkh_file_prop_list


	#
	# Next get the file properties.
	#

	rkh_dat_set_file_properties


	#
	# Now put the new rkhunter.dat file in place.
	#

	cp -f -p ${RKHDAT_FILE} ${RKHDAT_FILE}.old >/dev/null 2>&1
	cp -f ${RKHDAT_TMPFILE} ${RKHDAT_FILE} >/dev/null 2>&1
	ERRCODE=$?

	if [ $ERRCODE -ne 0 ]; then
		RET_CODE=1
		display --to LOG --type INFO CMD_ERROR "cp ${RKHDAT_TMPFILE} ${RKHDAT_FILE}" $ERRCODE
		display --to SCREEN+LOG --type WARNING PROPUPD_ERROR $ERRCODE
	else
		display --to LOG --type INFO PROPUPD_NEW_DAT_FILE "${DB_PATH}"
	fi

	chmod 640 ${RKHDAT_FILE} >/dev/null 2>&1

	rm -f ${RKHDAT_TMPFILE} >/dev/null 2>&1

	return
}


get_next_mirror() {

	#
	# This function will obtain the next mirror in the mirrors file
	# if no mirror is currently being used. It then optionally
	# rotates the mirrors in the file.
	#


	#
	# Return if there is no mirrors file.
	#

	if [ ! -f "${DB_PATH}/mirrors.dat" ]; then
		display --to LOG --type INFO MIRRORS_NO_FILE "${DB_PATH}/mirrors.dat"
		return
	fi


	#
	# Return if there are no defined mirrors.
	#

	case $MIRRORS_MODE in
	0)
		MIRROR=`egrep -i '^(local|remote|mirror)=' ${DB_PATH}/mirrors.dat | head ${HEAD_OPT}1`
		;;
	1)
		MIRROR=`grep -i '^local=' ${DB_PATH}/mirrors.dat | head ${HEAD_OPT}1`
		;;
	2)
		MIRROR=`grep -i '^remote=' ${DB_PATH}/mirrors.dat | head ${HEAD_OPT}1`
		;;
	esac

	if [ -z "${MIRROR}" ]; then
		display --to LOG --type INFO MIRRORS_NO_MIRRORS "${DB_PATH}/mirrors.dat"
		return
	fi


	#
	# If we are not rotating the mirrors, then we need to calculate
	# which one to use next in the list. Return when we have done that.
	#

	if [ $ROTATE_MIRRORS -eq 0 ]; then
		N=`expr $TOTAL_MIRRORS - $MIRROR_COUNT`

		case $MIRRORS_MODE in
		0)
			MIRROR=`egrep -i '^(local|remote|mirror)=' ${DB_PATH}/mirrors.dat | head ${HEAD_OPT}$N | tail ${TAIL_OPT}1 | cut -d= -f2-`
			;;
		1)
			MIRROR=`grep -i '^local=' ${DB_PATH}/mirrors.dat | head ${HEAD_OPT}$N | tail ${TAIL_OPT}1 | cut -d= -f2-`
			;;
		2)
			MIRROR=`grep -i '^remote=' ${DB_PATH}/mirrors.dat | head ${HEAD_OPT}$N | tail ${TAIL_OPT}1 | cut -d= -f2-`
			;;
		esac

		return
	fi


	#
	# Now get the version number of the mirrors file. If the version
	# does not exist or is corrupt, then we reset it to zero. This
	# then allows the file to be updated next time the '--update'
	# option is used.
	#

	MIRRORSVERSION=`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' ${DB_PATH}/mirrors.dat | tail ${TAIL_OPT}1`

	if [ -z "${MIRRORSVERSION}" ]; then
		display --to LOG --type INFO MIRRORS_NO_VERSION "${DB_PATH}/mirrors.dat"
		MIRRORSVERSION="Version:0000000000"
	fi


	#
	# Next get the remaining mirrors.
	#

	OTHERMIRRORS=`egrep -i '^(local|remote|mirror)=' ${DB_PATH}/mirrors.dat | grep -v "^${MIRROR}\$"`


	#
	# We need to get a temporary file name to use.
	#

	get_temp_file "${RKHTMPDIR}/mirrors.dat"
	MIRRORS_FILE=$TEMPFILE

	display --to LOG --type INFO CREATED_TEMP_FILE "${MIRRORS_FILE}"


	#
	# Output to the temporary file the mirrors version, the other
	# mirrors, and finally the mirror we are about to use.
	#

	echo "${MIRRORSVERSION}" >${MIRRORS_FILE}

	for RKHM in ${OTHERMIRRORS}; do
		echo "${RKHM}" >>${MIRRORS_FILE}
	done;

	echo "${MIRROR}" >>${MIRRORS_FILE}

	MIRROR=`echo "${MIRROR}" | cut -d= -f2-`


	#
	# Move the new file into place, and delete the temporary file.
	#

	cat ${MIRRORS_FILE} >${DB_PATH}/mirrors.dat

	rm -f ${MIRRORS_FILE} >/dev/null 2>&1

	display --to LOG --type INFO MIRRORS_ROTATED "${DB_PATH}/mirrors.dat"

	return
}


download_file() {

	#
	# This function downloads a specified file. It takes three parameters:
	#     1=mirror, 2=url, 3=output file
	#
	# The URL is just the filename portion. The user will supply the
	# full URL, less the filename, to where the files are stored on
	# the local or remote server. For the SourceForge mirrors we will
	# provide the URL.
	#
	# The function sets a return code (DNLOADERR).
	#

	#
	# We loop round through the mirrors until the file is downloaded.
	# We do this by first seeing how many mirrors are available. Then
	# we call a function to get the next mirror, which also rotates
	# the mirror file. If a mirror has already been set, then that
	# mirror is used. That way, in effect, once we find a good mirror
	# then it will be used for all the downloads.
	#

	MIRROR=$1
	URL=$2
	OUTPUT_FILE=$3

	DNLOADERR=0
	MIRROR_COUNT=0
	TOTAL_MIRRORS=0

	if [ -f "${DB_PATH}/mirrors.dat" ]; then
		#
		# The version check will use both the
		# SF mirrors and remote mirrors.
		#

		case $MIRRORS_MODE in
		0)
			MIRROR_COUNT=`egrep -i '^(local|remote|mirror)=' ${DB_PATH}/mirrors.dat | wc -l | tr -d ' '`
			;;
		1)
			MIRROR_COUNT=`grep -i '^local=' ${DB_PATH}/mirrors.dat | wc -l | tr -d ' '`
			;;
		2)
			MIRROR_COUNT=`grep -i '^remote=' ${DB_PATH}/mirrors.dat | wc -l | tr -d ' '`
			;;
		esac

		test -z "${MIRROR_COUNT}" && MIRROR_COUNT=0
	fi

	test $MIRROR_COUNT -eq 0 && MIRROR_COUNT=1

	TOTAL_MIRRORS=$MIRROR_COUNT


	while test $MIRROR_COUNT -gt 0; do
		MIRROR_COUNT=`expr $MIRROR_COUNT - 1`

		if [ -z "${MIRROR}" ]; then
			get_next_mirror

			if [ -z "${MIRROR}" ]; then
				if [ $MIRRORS_MODE -eq 0 ]; then
					MIRROR="http://rkhunter.sourceforge.net"
					display --to LOG --type INFO MIRRORS_SF_DEFAULT "${MIRROR}"
				else
					DNLOADERR=1
					break
				fi
			fi


			#
			# For the SF mirrors add on the final
			# part of the mirror URL.
			#

			if [ "${MIRROR}" = "http://rkhunter.sourceforge.net" ]; then
				MIRROR="${MIRROR}/1.3"
			fi
		fi


		#
		# Now we can download the data into the temporary file.
		#

		# uns - WGET_CMD (cmd, version tested, comments):
		#       wget, *, none.
		#       bget, 1.2, appends output.
		#       curl, 7.15.3: none.
		#       links/elinks, 0.4.2, decompresses output.
		#       lynx, 2.8.5dev.7, decompresses output.

		CMD=""
		DNLOADERR=0

		rm -f ${OUTPUT_FILE} >/dev/null 2>&1

		case "${RKHWEBCMD_BASE}" in
		wget)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} -q -O ${OUTPUT_FILE} ${MIRROR}${URL} 2>/dev/null"
			;;
		curl)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} --fail --output ${OUTPUT_FILE} ${MIRROR}${URL} 2>/dev/null"
			;;
		bget)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} --out ${OUTPUT_FILE} ${MIRROR}${URL} 2>/dev/null"
			;;
		links|elinks)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} -no-home 1 -source ${MIRROR}${URL} >${OUTPUT_FILE} 2>/dev/null"
			;;
		lynx)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} -source ${MIRROR}${URL} >${OUTPUT_FILE} 2>/dev/null"
			;;
		GET)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} ${MIRROR}${URL} >${OUTPUT_FILE} 2>/dev/null"
			;;
		*)
			CMD="${RKHWEBCMD} ${RKHWEBCMD_OPTS} ${MIRROR}${URL} >${OUTPUT_FILE} 2>/dev/null"
			;;
		esac

		display --to LOG --type INFO DOWNLOAD_CMD "${CMD}"

		eval ${CMD}
		DNLOADERR=$?

		test $DNLOADERR -gt 1 && DNLOADERR=1


		#
		# Some of these commands do not set the return code. As such we
		# need to look in the output file to see if an error occurred.
		#

		if [ $DNLOADERR -eq 0 ]; then
			if [ -n "`echo \"${URL}\" | grep '/i18n\.ver$'`" ]; then
				#
				# The i18n.ver file is of a different
				# format from the other files.
				#

				:
			elif [ -n "`echo \"${URL}\" | grep '/rkhunter_latest\.dat$'`" ]; then
				#
				# The versioncheck file should just be a version number.
				#

				if [ -z "`grep '^[0-9][0-9]*\.[0-9][.0-9]*$' ${OUTPUT_FILE}`" ]; then
					DNLOADERR=1
				fi
			else
				#
				# All other files should have a normal
				# version number as the first line in them.
				#

				if [ -z "`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' ${OUTPUT_FILE}`" ]; then
					DNLOADERR=1
				fi
			fi
		fi

		test ! -s "${OUTPUT_FILE}" && DNLOADERR=1

		if [ $DNLOADERR -eq 0 ]; then
			break
		elif [ $MIRROR_COUNT -gt 0 ]; then
			MIRROR=""
			display --to LOG --type INFO DOWNLOAD_FAIL $MIRROR_COUNT
		fi
	done

	return $DNLOADERR
}


do_i18n_update() {

	#
	# This function updates the i18n language files.
	#
	# We do not know which i18n files should be checked until we
	# have downloaded the i18n/i18n.ver file. This file will tell
	# us which i18n files are available, and their latest version
	# number. We loop through the files, and check each version
	# number against the installed file.
	#

	download_file "${MIRROR}" "/i18n/${PROGRAM_version}/i18n.ver" "${RKHUPD_FILE}"
	ERRCODE=$?

	if [ $ERRCODE -eq 0 ]; then
		#
		# Check that we have some version numbers. There
		# should always be at least one, for the English
		# language! Once we have the list of files, we can
		# remove the temporary file and re-use it when
		# downloading the language files.
		#

		FOUNDFILES=`grep '^[a-zA-Z][a-zA-Z0-9._-]*:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' ${RKHUPD_FILE}`

		rm -f ${RKHUPD_FILE} >/dev/null 2>&1

		if [ -z "${FOUNDFILES}" ]; then
			RET_CODE=1
			UPD_ERROR=1

			display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE "i18n versions"

			display --to LOG --type WARNING UPDATE_I18N_NO_VERS

			return
		fi


		#
		# Now loop through the language files checking their
		# version numbers.
		#

		for FNAME in ${FOUNDFILES}; do
			LANGFILE=`echo "${FNAME}" | cut -d: -f1`
			LATEST_VERS=`echo "${FNAME}" | cut -d: -f2`

			#
			# Only update the language files the user has asked for.
			#

			if [ -n "${UPDATE_LANG}" ]; then
				if [ -z "`echo \" ${UPDATE_LANG} \" | grep \" ${LANGFILE} \"`" ]; then
					display --to LOG --type INFO UPDATE_SKIPPED
					display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color YELLOW --result SKIPPED UPDATE_CHECKING_FILE "i18n/${LANGFILE}"

					continue
				fi
			fi

			if [ -s "${DB_PATH}/i18n/${LANGFILE}" ]; then
				PROG_VERS=`grep ${GREP_OPT} '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' ${DB_PATH}/i18n/${LANGFILE} 2>/dev/null | tail ${TAIL_OPT}1 | cut -d: -f2`

				if [ -z "${PROG_VERS}" ]; then
					PROG_VERS=0
					display --to LOG --type INFO UPDATE_FILE_NO_VERS "${DB_PATH}/i18n/${LANGFILE}"
				fi
			else
				PROG_VERS=0

				touch ${DB_PATH}/i18n/${LANGFILE} >/dev/null 2>&1
				chmod 640 ${DB_PATH}/i18n/${LANGFILE} >/dev/null 2>&1

				display --to LOG --type INFO UPDATE_FILE_MISSING "${DB_PATH}/i18n/${LANGFILE}"
			fi


			display --to LOG --type INFO VERSIONCHECK_CURRENT "${PROG_VERS}"
			display --to LOG --type INFO VERSIONCHECK_LATEST "${LATEST_VERS}"


			if [ $PROG_VERS -lt $LATEST_VERS ]; then
				download_file "${MIRROR}" "/i18n/${PROGRAM_version}/${LANGFILE}" "${RKHUPD_FILE}"
				ERRCODE=$?

				if [ $ERRCODE -eq 0 ]; then
					test $RET_CODE -eq 0 && RET_CODE=2

					cat ${RKHUPD_FILE} >${DB_PATH}/i18n/${LANGFILE}

					display --to LOG --type INFO VERSIONCHECK_UPDT_AVAIL
					display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result UPD UPDATE_CHECKING_FILE "i18n/${LANGFILE}"
				else
					RET_CODE=1
					UPD_ERROR=1

					display --to LOG --type WARNING UPDATE_DOWNLOAD_FAIL "i18n/${LANGFILE}"
					display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE "i18n/${LANGFILE}"
				fi

				rm -f ${RKHUPD_FILE} >/dev/null 2>&1
			else
				display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result NO_UPD UPDATE_CHECKING_FILE "i18n/${LANGFILE}"
			fi
		done
	else
		RET_CODE=1
		UPD_ERROR=1

		display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE "i18n versions"

		display --to LOG --type WARNING UPDATE_DOWNLOAD_FAIL "i18n.ver"
	fi


	rm -f ${RKHUPD_FILE} >/dev/null 2>&1

	return
}


do_update() {

	#
	# This function checks to see if any of the supplied RKH
	# *.dat and i18n files needs updating. If it does, then the
	# file is overwritten with the new version.
	#

	display --to SCREEN+LOG --type PLAIN --color YELLOW --nl UPDATE_START


	#
	# First we need to get a temporary file name to use.
	#

	get_temp_file "${RKHTMPDIR}/rkhunter.upd"
	RKHUPD_FILE=$TEMPFILE

	display --to LOG --type INFO CREATED_TEMP_FILE "${RKHUPD_FILE}"


	#
	# Now we loop round through the files we need to check. Each file
	# will use the first mirror, and if necessary loop through the
	# remaining mirrors until the file is downloaded. In theory this
	# could take some time if the mirror sites are all experiencing
	# problems and this is affecting all the files.
	#
	# For each file we look at the current version number. If there
	# is a problem doing this, then we just try and download a new
	# copy of the file. If the version number is okay, then we
	# download the file to find the latest version number. If
	# that is successful, we then update the file if necessary.
	#

	UPD_ERROR=0
	MIRROR=""

	for UPDFILE in mirrors.dat programs_bad.dat backdoorports.dat suspscan.dat; do
		if [ $UPDATE_MIRRORS -eq 0 -a "${UPDFILE}" = "mirrors.dat" ]; then
			display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result SKIPPED UPDATE_CHECKING_FILE "${UPDFILE}"
			continue
		fi


		LATEST_VERS=0

		if [ -s "${DB_PATH}/${UPDFILE}" ]; then
			PROG_VERS=`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' ${DB_PATH}/${UPDFILE} | tail ${TAIL_OPT}1 | cut -d: -f2`

			if [ -z "${PROG_VERS}" ]; then
				PROG_VERS=0
				display --to LOG --type INFO UPDATE_FILE_NO_VERS "${UPDFILE}"
			fi
		else
			PROG_VERS=0

			touch ${DB_PATH}/${UPDFILE} >/dev/null 2>&1
			chmod 640 ${DB_PATH}/${UPDFILE} >/dev/null 2>&1

			display --to LOG --type INFO UPDATE_FILE_MISSING "${UPDFILE}"
		fi


		#
		# Now download the file.
		#
		# Note: To avoid any backward incompatability we
		# get the files from a specific directory which
		# previous versions do not use.
		#

		download_file "${MIRROR}" "/${UPDFILE}" "${RKHUPD_FILE}"
		ERRCODE=$?


		#
		# Next we compare the current and downloaded
		# file version numbers.
		#

		if [ $ERRCODE -eq 0 ]; then
			LATEST_VERS=`grep '^[Vv]ersion:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$' ${RKHUPD_FILE} | tail ${TAIL_OPT}1 | cut -d: -f2`

			if [ -z "${LATEST_VERS}" ]; then
				LATEST_VERS=0
			elif [ -z "`echo \"${LATEST_VERS}\" | grep '^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$'`" ]; then
				LATEST_VERS=0
			fi


			display --to LOG --type INFO VERSIONCHECK_CURRENT "${PROG_VERS}"
			display --to LOG --type INFO VERSIONCHECK_LATEST "${LATEST_VERS}"

			if [ $LATEST_VERS -eq 0 ]; then
				RET_CODE=1
				UPD_ERROR=1

				display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result VCHK_FAILED UPDATE_CHECKING_FILE "${UPDFILE}"

				LATEST_VERS=`head ${HEAD_OPT}1 ${RKHUPD_FILE}`

				display --to LOG --type WARNING VERSIONCHECK_CONV_FAIL "${PROG_VERS}" "${LATEST_VERS}"
			elif [ $PROG_VERS -lt $LATEST_VERS ]; then
				test $RET_CODE -eq 0 && RET_CODE=2

				display --to LOG --type INFO VERSIONCHECK_UPDT_AVAIL

				cat ${RKHUPD_FILE} >${DB_PATH}/${UPDFILE}

				display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result UPD UPDATE_CHECKING_FILE "${UPDFILE}"
			else
				display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color GREEN --result NO_UPD UPDATE_CHECKING_FILE "${UPDFILE}"
			fi
		else
			RET_CODE=1
			UPD_ERROR=1

			display --to LOG --type WARNING UPDATE_DOWNLOAD_FAIL "${UPDFILE}"
			display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color RED --result UPD_FAILED UPDATE_CHECKING_FILE "${UPDFILE}"
		fi

		rm -f ${RKHUPD_FILE} >/dev/null 2>&1
	done


	#
	# We now need to update the i18n files. Since this is a little
	# more complicated, it is handled in a separate function.
	#

	do_i18n_update


	if [ $UPD_ERROR -eq 1 ]; then
		if [ $NOLOG -eq 1 ]; then
			display --to SCREEN --type PLAIN --nl --nl-after CHECK_WARNINGS_FOUND_RERUN
		else
			display --to SCREEN --type PLAIN --nl --nl-after CHECK_WARNINGS_FOUND_CHK_LOG "${RKHLOGFILE}"
		fi
	fi

	return
}


do_versioncheck() {

	#
	# This function performs a program version check.
	#
	# It will set the return code in some instances:
	#       0 - (implied) no error, no new version available
	#	1 - a download (of the version number) error occurred
	#	2 - no error occurred, but a new version is available
	#

	MIRROR=""
	LATESTVERSION=""

	display --to SCREEN+LOG --type PLAIN --color YELLOW --nl VERSIONCHECK_START


	#
	# First we need to get a temporary file name to use.
	#

	get_temp_file "${RKHTMPDIR}/rkhunter.vc"
	RKHVC_FILE=$TEMPFILE

	display --to LOG --type INFO CREATED_TEMP_FILE "${RKHVC_FILE}"


	#
	# Next we get the current program version number.
	#

	PROG_VERS=`echo "${PROGRAM_version}" | cut -d. -f1-3 | sed -e 's/\.\([0-9]\)\./.0\1./' | sed -e 's/\.\([0-9]\)$/.0\1/' | tr -d '.'`

	test -z "${PROG_VERS}" && PROG_VERS=0

	display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_CURRENT "${PROGRAM_version}"


	#
	# Download the file, and then compare the current value
	# with the downloaded one.
	#

	download_file "${MIRROR}" "/rkhunter_latest.dat" "${RKHVC_FILE}"
	ERRCODE=$?

	if [ $ERRCODE -eq 0 ]; then
		LATESTVERSION=`cat ${RKHVC_FILE} 2>/dev/null`

		#
		# Convert the version string to zero-spaced numbers.
		# This allows us to numerically compare the versions,
		# even when the numbers go above ten.
		#
		# E.g. '1.2.10' => 10210,   '1.3.2' => 10302.
		#

		LATEST_VERS=`echo "${LATESTVERSION}" | cut -d. -f1-3 | sed -e 's/\.\([0-9]\)\./.0\1./' | sed -e 's/\.\([0-9]\)$/.0\1/' | tr -d '.'`

		test -z "${LATEST_VERS}" && LATEST_VERS=0

		display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_LATEST "${LATESTVERSION}"

		if [ $LATEST_VERS -eq 0 ]; then
			RET_CODE=1
			display --to SCREEN+LOG --type WARNING --screen-indent 2 VERSIONCHECK_CONV_FAIL "${PROGRAM_version}" "${LATESTVERSION}"
		elif [ $PROG_VERS -lt $LATEST_VERS ]; then
			test $RET_CODE -eq 0 && RET_CODE=2
			display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_UPDT_AVAIL
		fi
	else
		RET_CODE=1

		display --to LOG --type WARNING VERSIONCHECK_FAIL_ALL
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 VERSIONCHECK_LATEST_FAIL
	fi

	rm -f ${RKHVC_FILE} >/dev/null 2>&1

	return
}


do_config_check() {

	#
	# This function performs a basic configuration file check.
	#

	#
	# First we define the list of valid configuration options.
	#

	VALIDOPTS="ALLOWDEVFILE ALLOWHIDDENDIR ALLOWHIDDENFILE ALLOWPROCDELFILE ALLOWPROCLISTEN
		   ALLOWPROMISCIF ALLOW_SSH_PROT_V1 ALLOW_SSH_ROOT_USER ALLOW_SYSLOG_REMOTE_LOGGING
		   APPEND_LOG APP_WHITELIST ATTRWHITELIST AUTO_X_DETECT BINDIR COLOR_SET2
		   COPY_LOG_ON_ERROR DBDIR DISABLE_TESTS DISABLE_UNHIDE ENABLE_TESTS EPOCH_DATE_CMD
		   EXISTWHITELIST HASH_FLD_IDX HASH_FUNC IGNORE_PRELINK_DEP_ERR IMMUTABLE_SET
		   IMMUTWHITELIST INETD_ALLOWED_SVC INETD_CONF_PATH INSTALLDIR LANGUAGE LOCK_TIMEOUT
		   LOGFILE MAIL-ON-WARNING MAIL_CMD MIRRORS_MODE MODULES_DIR OS_VERSION_FILE
		   PASSWORD_FILE PHALANX2_DIRTEST PKGMGR_NO_VRFY PKGMGR PORT_WHITELIST
		   PWDLESS_ACCOUNTS ROOTDIR ROTATE_MIRRORS RTKT_DIR_WHITELIST RTKT_FILE_WHITELIST
		   SCAN_MODE_DEV SCRIPTDIR SCRIPTWHITELIST SHARED_LIB_WHITELIST SHOW_LOCK_MSGS
		   SSH_CONFIG_DIR STARTUP_PATHS SUSPSCAN_DEBUG SUSPSCAN_DIRS SUSPSCAN_LINETHRESH
		   SUSPSCAN_MAXSIZE SUSPSCAN_TEMP SUSPSCAN_THRESH SYSLOG_CONFIG_FILE TMPDIR
		   UID0_ACCOUNTS UNHIDE_TESTS UPDATE_LANG UPDATE_MIRRORS UPDT_ON_OS_CHANGE
		   USE_SUNSUM USER_FILEPROP_FILES_DIRS USE_LOCKING USE_SYSLOG WARN_ON_OS_CHANGE
		   WEBCMD WEB_CMD WHITELISTED_IS_WHITE WRITEWHITELIST XINETD_ALLOWED_SVC
		   XINETD_CONF_PATH"

	VALIDOPTS=" `echo ${VALIDOPTS}` "


	#
	# Now check to see if any unknown options have been configured.
	#

	RKHTMPVAR=`egrep -h -v '^[ 	]*(#|$)' ${CONFIGFILE} ${LOCALCONFIGFILE}`

	IFS=$IFSNL

	for CONFIGOPT in ${RKHTMPVAR}; do
		CONFIGCMD=`echo ${CONFIGOPT} | cut -d= -f 1`

		#
		# We have to handle the *_CMD entries specially.
		#

		if [ -n "`echo ${CONFIGCMD} | grep '_CMD$'`" ]; then
			CMD_OK=0

			# We know about these ones.
			test "${CONFIGCMD}" = "EPOCH_DATE_CMD" -o "${CONFIGCMD}" = "MAIL_CMD" -o "${CONFIGCMD}" = "WEB_CMD" && CMD_OK=1

			if [ $CMD_OK -eq 0 ]; then
				# Dig out the actual command name used.
				CFG_CMD=`echo ${CONFIGCMD} | sed -e 's/_CMD$//'`

				# Check to see if the command is one we now about.
				test -n "`echo \" ${CMDLIST} \" | grep -i \" ${CFG_CMD} \"`" && CMD_OK=1
			fi

			#
			# Now check to see if the supplied command is actually exectuable.
			#

			if [ $CMD_OK -eq 1 ]; then
				# Dig out the command name.
				CFG_CMD=`echo ${CONFIGOPT} | cut -d= -f 2 | awk '{ print $1 }'`

				# We know about these values.
				if [ "${CFG_CMD}" = "DISABLED" ]; then
					:
				elif [ \( "${CONFIGCMD}" = "STAT_CMD" -o "${CONFIGCMD}" = "READLINK_CMD" \) -a "${CFG_CMD}" = "BUILTIN" ]; then
					:
				elif [ "${CONFIGCMD}" = "EPOCH_DATE_CMD" -a \( "${CFG_CMD}" = "NONE" -o "${CFG_CMD}" = "PERL" \) ]; then
					:
				else
					if [ -z "`IFS=$RKHIFS find_cmd ${CFG_CMD}`" ]; then
						RET_CODE=1
						echo "Command cannot be found: ${CONFIGOPT}"
					fi
				fi

				continue
			fi
		fi

		if [ -z "`echo \"${VALIDOPTS}\" | grep \" ${CONFIGCMD} \"`" ]; then
			RET_CODE=1
			echo "Unknown configuration file option: ${CONFIGOPT}"
		fi
	done

	IFS=$RKHIFS

	return
}


do_system_check_initialisation() {

	#
	# This function simply initialises the default rootkit
	# files and directories.
	#


	# 55808 Variant A
	W55808A_FILES="/tmp/.../r
		       /tmp/.../a"
	W55808A_DIRS=
	W55808A_KSYMS=


	# Adore Rootkit. OK, nobody calls it that but basically it uses Adore.
	# In one commercial AV vendors naming scheme it's called Dextenea.
	AKIT_FILES="/usr/secure
		    /usr/doc/sys/qrt
		    /usr/doc/sys/run
		    /usr/doc/sys/crond
		    /usr/sbin/kfd
		    /usr/doc/kern/var
		    /usr/doc/kern/string.o
		    /usr/doc/kern/ava
		    /usr/doc/kern/adore.o
		    /var/log/ssh/old"
	AKIT_DIRS="/lib/security/.config/ssh
		   /usr/doc/kern
		   /usr/doc/backup
		   /usr/doc/backup/txt
		   /lib/backup
		   /lib/backup/txt
		   /usr/doc/work
		   /usr/doc/sys
		   /var/log/ssh
		   /usr/doc/.spool
		   /usr/lib/kterm"
	AKIT_KSYMS=


	# AjaKit Rootkit
	AJAKIT_FILES="/dev/tux/.addr
		      /dev/tux/.proc
		      /dev/tux/.file
		      /lib/.libgh-gh/cleaner
		      /lib/.libgh-gh/Patch/patch
		      /lib/.libgh-gh/sb0k"
	AJAKIT_DIRS="/dev/tux
		     /lib/.libgh-gh"
	AJAKIT_KSYMS=


	# aPa Kit Rootkit
	APAKIT_FILES="/usr/share/.aPa"
	APAKIT_DIRS=
	APAKIT_KSYMS=


	# Apache Worm
	APACHEWORM_FILES="/bin/.log"
	APACHEWORM_DIRS=
	APACHEWORM_KSYMS=


	# Ambient (ark) Rootkit
	ARK_FILES="/usr/lib/.ark?
		   /dev/ptyxx/.log
		   /dev/ptyxx/.file
		   /dev/ptyxx/.proc
		   /dev/ptyxx/.addr"
	ARK_DIRS="/dev/ptyxx"
	ARK_KSYMS=


	# Balaur Rootkit 2.0 (LRK5 based)
	BALAUR_FILES="/usr/lib/liblog.o"
	BALAUR_DIRS="/usr/lib/.kinetic
		     /usr/lib/.egcs
		     /usr/lib/.wormie"
	BALAUR_KSYMS=


	# Beastkit Rootkit
	BEASTKIT_FILES="/usr/sbin/arobia
			/usr/sbin/idrun
			/usr/lib/elm/arobia/elm
			/usr/lib/elm/arobia/elm/hk
			/usr/lib/elm/arobia/elm/hk.pub
			/usr/lib/elm/arobia/elm/sc
			/usr/lib/elm/arobia/elm/sd.pp
			/usr/lib/elm/arobia/elm/sdco
			/usr/lib/elm/arobia/elm/srsd"
	BEASTKIT_DIRS="/lib/ldd.so/bktools"
	BEASTKIT_KSYMS=


	# beX2 Rootkit
	BEX_FILES="/usr/info/termcap.info-5.gz
		   /usr/bin/sshd2"
	BEX_DIRS="/usr/include/bex"
	BEX_KSYMS=


	# BOBkit Rootkit
	BOBKIT_FILES="/usr/sbin/ntpsx
		      /usr/sbin/.../bkit-ava
		      /usr/sbin/.../bkit-d
		      /usr/sbin/.../bkit-shd
		      /usr/sbin/.../bkit-f
		      /usr/include/.../proc.h
		      /usr/include/.../.bash_history
		      /usr/include/.../bkit-get
		      /usr/include/.../bkit-dl
		      /usr/include/.../bkit-screen
		      /usr/include/.../bkit-sleep
		      /usr/lib/.../bkit-adore.o
		      /usr/lib/.../ls
		      /usr/lib/.../netstat
		      /usr/lib/.../lsof
		      /usr/lib/.../bkit-ssh/bkit-shdcfg
		      /usr/lib/.../bkit-ssh/bkit-shhk
		      /usr/lib/.../bkit-ssh/bkit-pw
		      /usr/lib/.../bkit-ssh/bkit-shrs
		      /usr/lib/.../bkit-ssh/bkit-mots
		      /usr/lib/.../uconf.inv
		      /usr/lib/.../psr
		      /usr/lib/.../find
		      /usr/lib/.../pstree
		      /usr/lib/.../slocate
		      /usr/lib/.../du
		      /usr/lib/.../top"
	BOBKIT_DIRS="/usr/sbin/...
		     /usr/include/...
		     /usr/include/.../.tmp
		     /usr/lib/...
		     /usr/lib/.../.ssh
		     /usr/lib/.../bkit-ssh
		     /usr/lib/.bkit-
		     /tmp/.bkp"
	BOBKIT_KSYMS=


	# OSX Boonana-A Trojan (aka Koobface.A)
	BOONANA_FILES="/Library/StartupItems/OSXDriverUpdates/OSXDriverUpdates
		       /Library/StartupItems/OSXDriverUpdates/StartupParameters.plist"
	BOONANA_DIRS="/var/root/.jnana"
	BOONANA_KSYMS=


	# cb Rootkit (w00tkit by ZeeN) 
	# The '%' character represents a space.
	# xC.o = Adore LKM
	CB_FILES="/dev/srd0
		  /lib/libproc.so.2.0.6
		  /dev/mounnt
		  /etc/rc.d/init.d/init
		  /usr/bin/.zeen/..%/cl
		  /usr/bin/.zeen/..%/.x.tgz
		  /usr/bin/.zeen/..%/statdx
		  /usr/bin/.zeen/..%/wted
		  /usr/bin/.zeen/..%/write
		  /usr/bin/.zeen/..%/scan
		  /usr/bin/.zeen/..%/sc
		  /usr/bin/.zeen/..%/sl2
		  /usr/bin/.zeen/..%/wroot
		  /usr/bin/.zeen/..%/wscan
		  /usr/bin/.zeen/..%/wu
		  /usr/bin/.zeen/..%/v
		  /usr/bin/.zeen/..%/read
		  /usr/lib/sshrc
		  /usr/lib/ssh_host_key
		  /usr/lib/ssh_host_key.pub
		  /usr/lib/ssh_random_seed
		  /usr/lib/sshd_config
		  /usr/lib/shosts.equiv
		  /usr/lib/ssh_known_hosts
		  /u/zappa/.ssh/pid
		  /usr/bin/.system/..%/tcp.log
		  /usr/bin/.zeen/..%/curatare/attrib
		  /usr/bin/.zeen/..%/curatare/chattr
		  /usr/bin/.zeen/..%/curatare/ps
		  /usr/bin/.zeen/..%/curatare/pstree
		  /usr/bin/.system/..%/.x/xC.o"
	CB_DIRS="/usr/bin/.zeen
		 /usr/bin/.zeen/..%/curatare
		 /usr/bin/.zeen/..%/scan
		 /usr/bin/.system/..%"
	CB_KSYMS=


	# CiNIK Worm (Slapper.B variant)
	CINIK_FILES="/tmp/.cinik"
	CINIK_DIRS="/tmp/.font-unix/.cinik"
	CINIK_KSYMS=


	# CX Rootkit
	CXKIT_FILES="/usr/lib/ldlibso
		     /usr/lib/configlibso
		     /usr/lib/shklibso
		     /usr/lib/randomlibso
		     /usr/lib/ldlibstrings.so
		     /usr/lib/ldlibdu.so
		     /usr/lib/ldlibns.so
		     /usr/include/db"
	CXKIT_DIRS="/usr/include/cxk"
	CXKIT_KSYMS=


	# Danny-Boy's Abuse Kit
	DANNYBOYS_FILES="/dev/mdev
			 /usr/lib/libX.a"
	DANNYBOYS_DIRS=
	DANNYBOYS_KSYMS=


	# Devil Rootkit
	DEVIL_FILES="/var/lib/games/.src
		     /dev/dsx
		     /dev/caca
		     /dev/pro
		     /bin/bye
		     /bin/homedir
		     /usr/bin/xfss
		     /usr/sbin/tzava
		     /usr/doc/tar/.../.dracusor/stuff/holber
		     /usr/doc/tar/.../.dracusor/stuff/sense
		     /usr/doc/tar/.../.dracusor/stuff/clear
		     /usr/doc/tar/.../.dracusor/stuff/tzava
		     /usr/doc/tar/.../.dracusor/stuff/citeste
		     /usr/doc/tar/.../.dracusor/stuff/killrk
		     /usr/doc/tar/.../.dracusor/stuff/searchlog
		     /usr/doc/tar/.../.dracusor/stuff/gaoaza
		     /usr/doc/tar/.../.dracusor/stuff/cleaner
		     /usr/doc/tar/.../.dracusor/stuff/shk
		     /usr/doc/tar/.../.dracusor/stuff/srs
		     /usr/doc/tar/.../.dracusor/utile.tgz
		     /usr/doc/tar/.../.dracusor/webpage
		     /usr/doc/tar/.../.dracusor/getpsy
		     /usr/doc/tar/.../.dracusor/getbnc
		     /usr/doc/tar/.../.dracusor/getemech
		     /usr/doc/tar/.../.dracusor/localroot.sh
		     /usr/doc/tar/.../.dracusor/stuff/old/sense"
	DEVIL_DIRS="/usr/doc/tar/.../.dracusor"
	DEVIL_KSYMS=


	# Dica-Kit (T0rn variant) Rootkit
	DICA_FILES="/lib/.sso
		    /lib/.so
		    /var/run/...dica/clean
		    /var/run/...dica/dxr
		    /var/run/...dica/read
		    /var/run/...dica/write
		    /var/run/...dica/lf
		    /var/run/...dica/xl
		    /var/run/...dica/xdr
		    /var/run/...dica/psg
		    /var/run/...dica/secure
		    /var/run/...dica/rdx
		    /var/run/...dica/va
		    /var/run/...dica/cl.sh
		    /var/run/...dica/last.log
		    /usr/bin/.etc
		    /etc/sshd_config
		    /etc/ssh_host_key
		    /etc/ssh_random_seed"
	DICA_DIRS="/var/run/...dica
		   /var/run/...dica/mh
		   /var/run/...dica/scan"
	DICA_KSYMS=


	# Dreams Rootkit
	DREAMS_FILES="/dev/ttyoa
		      /dev/ttyof
		      /dev/ttyop
		      /usr/bin/sense
		      /usr/bin/sl2
		      /usr/bin/logclear
		      /usr/bin/(swapd)
		      /usr/bin/initrd
		      /usr/bin/crontabs
		      /usr/bin/snfs
		      /usr/lib/libsss
		      /usr/lib/libsnf.log
		      /usr/lib/libshtift/top
		      /usr/lib/libshtift/ps
		      /usr/lib/libshtift/netstat
		      /usr/lib/libshtift/ls
		      /usr/lib/libshtift/ifconfig
		      /usr/include/linseed.h
		      /usr/include/linpid.h
		      /usr/include/linkey.h
		      /usr/include/linconf.h
		      /usr/include/iceseed.h
		      /usr/include/icepid.h
		      /usr/include/icekey.h
		      /usr/include/iceconf.h" 
	DREAMS_DIRS="/dev/ida/.hpd
		     /usr/lib/libshtift"
	DREAMS_KSYMS=


	# Duarawkz Rootkit
	DUARAWKZ_FILES="/usr/bin/duarawkz/loginpass"
	DUARAWKZ_DIRS="/usr/bin/duarawkz"
	DUARAWKZ_KSYMS=


	# ENYE LKM v1.1, v1.2
	# Installer default.
	ENYELKM_FILES="/etc/.enyelkmHIDE^IT.ko
		       /etc/.enyelkmOCULTAR.ko"
	ENYELKM_DIRS=
	ENYELKM_KSYMS=


	# Flea Linux Rootkit
	FLEA_FILES="/etc/ld.so.hash
		    /lib/security/.config/ssh/sshd_config
		    /lib/security/.config/ssh/ssh_host_key
		    /lib/security/.config/ssh/ssh_host_key.pub
		    /lib/security/.config/ssh/ssh_random_seed
		    /usr/bin/ssh2d
		    /usr/lib/ldlibns.so
		    /usr/lib/ldlibps.so
		    /usr/lib/ldlibpst.so
		    /usr/lib/ldlibdu.so
		    /usr/lib/ldlibct.so"
	FLEA_DIRS="/lib/security/.config/ssh
		   /dev/..0
		   /dev/..0/backup"
	FLEA_KSYMS=


	# FreeBSD Rootkit (FBRK) catering to versions and compile-time defaults used by: 
	# 1.0 (1997, Method), 1.2 (1997, Method), "ImperialS-FBRK 1.0" (2001, Nyo)
	FREEBSD_RK_FILES="/dev/ptyp
			  /dev/ptyq
			  /dev/ptyr
			  /dev/ptys
			  /dev/ptyt
			  /dev/fd/.88/freshb-bsd
			  /dev/fd/.88/fresht
			  /dev/fd/.88/zxsniff
			  /dev/fd/.88/zxsniff.log
			  /dev/fd/.99/.ttyf00
			  /dev/fd/.99/.ttyp00
			  /dev/fd/.99/.ttyq00
			  /dev/fd/.99/.ttys00
			  /dev/fd/.99/.pwsx00
			  /etc/.acid
			  /usr/lib/.fx/sched_host.2
			  /usr/lib/.fx/random_d.2
			  /usr/lib/.fx/set_pid.2
			  /usr/lib/.fx/setrgrp.2
			  /usr/lib/.fx/TOHIDE
			  /usr/lib/.fx/cons.saver
			  /usr/lib/.fx/adore/ava/ava
			  /usr/lib/.fx/adore/adore/adore.ko
			  /bin/sysback
			  /usr/local/bin/sysback"
	FREEBSD_RK_DIRS="/dev/fd/.88
			 /dev/fd/.99
			 /usr/lib/.fx
			 /usr/lib/.fx/adore"
	FREEBSD_RK_KSYMS=


	# Fu Rootkit
	FU_FILES="/sbin/xc
		  /usr/include/ivtype.h
		  /bin/.lib"
	FU_DIRS=
	FU_KSYMS=


	# Fuckit Rootkit
	FUCKIT_FILES="/lib/libproc.so.2.0.7
		      /dev/proc/.bash_profile
		      /dev/proc/.bashrc
		      /dev/proc/.cshrc
		      /dev/proc/fuckit/hax0r
		      /dev/proc/fuckit/hax0rshell
		      /dev/proc/fuckit/config/lports
		      /dev/proc/fuckit/config/rports
		      /dev/proc/fuckit/config/rkconf
		      /dev/proc/fuckit/config/password
		      /dev/proc/fuckit/config/progs
		      /dev/proc/fuckit/system-bins/init
		      /usr/lib/libcps.a
		      /usr/lib/libtty.a"
	FUCKIT_DIRS="/dev/proc
		     /dev/proc/fuckit
		     /dev/proc/fuckit/system-bins
		     /dev/proc/toolz"
	FUCKIT_KSYMS=


	# GasKit Rootkit
	GASKIT_FILES="/dev/dev/gaskit/sshd/sshdd"
	GASKIT_DIRS="/dev/dev
		     /dev/dev/gaskit
		     /dev/dev/gaskit/sshd"
	GASKIT_KSYMS=


	# Heroin LKM
	HEROIN_FILES=
	HEROIN_DIRS=
	HEROIN_KSYMS="heroin"


	# HjC Kit Rootkit
	HJCKIT_FILES=
	HJCKIT_DIRS="/dev/.hijackerz"
	HJCKIT_KSYMS=


	# ignoKit Rootkit
	IGNOKIT_FILES="/lib/defs/p
		       /lib/defs/q
		       /lib/defs/r
		       /lib/defs/s
		       /lib/defs/t
		       /usr/lib/defs/p
		       /usr/lib/defs/q
		       /usr/lib/defs/r
		       /usr/lib/defs/s
		       /usr/lib/defs/t
		       /usr/lib/.libigno/pkunsec
		       /usr/lib/.libigno/.igno/psybnc/psybnc"
	IGNOKIT_DIRS="/usr/lib/.libigno
		      /usr/lib/.libigno/.igno"
	IGNOKIT_KSYMS=


	# iLLogiC Rootkit (SunOS Rootkit variant)
	ILLOGIC_FILES="/dev/kmod
		       /dev/dos
		       /usr/lib/crth.o
		       /usr/lib/crtz.o
		       /etc/ld.so.hash
		       /usr/bin/sia
		       /usr/bin/ssh2d
		       /lib/security/.config/sn
		       /lib/security/.config/iver
		       /lib/security/.config/uconf.inv
		       /lib/security/.config/ssh/ssh_host_key
		       /lib/security/.config/ssh/ssh_host_key.pub
		       /lib/security/.config/ssh/sshport
		       /lib/security/.config/ssh/ssh_random_seed
		       /lib/security/.config/ava
		       /lib/security/.config/cleaner
		       /lib/security/.config/lpsched
		       /lib/security/.config/sz
		       /lib/security/.config/rcp
		       /lib/security/.config/patcher
		       /lib/security/.config/pg
		       /lib/security/.config/crypt
		       /lib/security/.config/utime
		       /lib/security/.config/wget
		       /lib/security/.config/instmod
		       /lib/security/.config/bin/find
		       /lib/security/.config/bin/du
		       /lib/security/.config/bin/ls
		       /lib/security/.config/bin/psr
		       /lib/security/.config/bin/netstat
		       /lib/security/.config/bin/su
		       /lib/security/.config/bin/ping
		       /lib/security/.config/bin/passwd"
	ILLOGIC_DIRS="/lib/security/.config
		      /lib/security/.config/ssh
		      /lib/security/.config/bin
		      /lib/security/.config/backup
		      /root/%%%/.dir
		      /root/%%%/.dir/mass-scan
		      /root/%%%/.dir/flood"
	ILLOGIC_KSYMS=


	# OSX Inqtana (Variant A)
	INQTANAA_FILES="/Users/w0rm-support.tgz
			/Users/InqTest.class
			/Users/com.openbundle.plist
			/Users/com.pwned.plist
			/Users/libavetanaBT.jnilib"
	INQTANAA_DIRS="/Users/de
		       /Users/javax"
	INQTANAA_KSYMS=


	# OSX Inqtana (Variant B)
	INQTANAB_FILES="/Users/w0rms.love.apples.tgz
			/Users/InqTest.class
			/Users/InqTest.java
			/Users/libavetanaBT.jnilib
			/Users/InqTanaHandler
			/Users/InqTanaHandler.bundle"
	INQTANAB_DIRS="/Users/de
		       /Users/javax"
	INQTANAB_KSYMS=


	# OSX Inqtana (Variant C)
	INQTANAC_FILES="/Users/applec0re.tgz
			/Users/InqTest.class
			/Users/InqTest.java
			/Users/libavetanaBT.jnilib
			/Users/environment.plist
			/Users/pwned.c
			/Users/pwned.dylib"
	INQTANAC_DIRS="/Users/de
		       /Users/javax"
	INQTANAC_KSYMS=


	# IntoXonia-NG Rootkit
	INTOXONIA_FILES=
	INTOXONIA_DIRS=
	INTOXONIA_KSYMS="funces
			ixinit
			tricks
			kernel_unlink
			rootme
			hide_module
			find_sys_call_tbl"


	# Irix Rootkit (for Irix 6.x)
	IRIXRK_FILES=
	IRIXRK_DIRS="/dev/pts/01
		     /dev/pts/01/backup
		     /dev/pts/01/etc
		     /dev/pts/01/tmp"
	IRIXRK_KSYMS=


	# Jynx Rootkit 
	JYNX_FILES="/xochikit/bc
		    /xochikit/ld_poison.so
		    /omgxochi/bc
		    /omgxochi/ld_poison.so"
	JYNX_DIRS="/xochikit
		   /omgxochi"
	JYNX_KSYMS=


	# KBeast (Kernel Beast) Rootkit
	KBEAST_FILES="/usr/_h4x_/ipsecs-kbeast-v1.ko
		      /usr/_h4x_/_h4x_bd
		      /usr/_h4x_/acctlog"
	KBEAST_DIRS="/usr/_h4x_"
	KBEAST_KSYMS="h4x_delete_module
		     h4x_getdents64
		     h4x_kill
		     h4x_open
		     h4x_read
		     h4x_rename
		     h4x_rmdir
		     h4x_tcp4_seq_show
		     h4x_write"


	# Kitko Rootkit
	KITKO_FILES=
	KITKO_DIRS="/usr/src/redhat/SRPMS/..."
	KITKO_KSYMS=


	# Knark Rootkit
	KNARK_FILES="/proc/knark/pids"
	KNARK_DIRS="/proc/knark"
	KNARK_KSYMS=


	# ld-linuxv.so (LD_PRELOAD shared library rootkit)
	LINUXV_FILES="/lib/ld-linuxv.so.1"
	LINUXV_DIRS="/var/opt/_so_cache
		     /var/opt/_so_cache/ld
		     /var/opt/_so_cache/lc"
	LINUXV_KSYMS=


	# Lion Worm
	LION_FILES="/bin/in.telnetd
		    /bin/mjy
		    /usr/man/man1/man1/lib/.lib/mjy
		    /usr/man/man1/man1/lib/.lib/in.telnetd
		    /usr/man/man1/man1/lib/.lib/.x
		    /dev/.lib/lib/scan/1i0n.sh
		    /dev/.lib/lib/scan/hack.sh
		    /dev/.lib/lib/scan/bind
		    /dev/.lib/lib/scan/randb
		    /dev/.lib/lib/scan/scan.sh
		    /dev/.lib/lib/scan/pscan
		    /dev/.lib/lib/scan/star.sh
		    /dev/.lib/lib/scan/bindx.sh
		    /dev/.lib/lib/scan/bindname.log
		    /dev/.lib/lib/1i0n.sh
		    /dev/.lib/lib/lib/netstat
		    /dev/.lib/lib/lib/dev/.1addr
		    /dev/.lib/lib/lib/dev/.1logz
		    /dev/.lib/lib/lib/dev/.1proc
		    /dev/.lib/lib/lib/dev/.1file"
	LION_DIRS=
	LION_KSYMS=


	# Lockit Rootkit (aka LJK2)
	LOCKIT_FILES="/usr/lib/libmen.oo/.LJK2/ssh_config
		      /usr/lib/libmen.oo/.LJK2/ssh_host_key
		      /usr/lib/libmen.oo/.LJK2/ssh_host_key.pub
		      /usr/lib/libmen.oo/.LJK2/ssh_random_seed*
		      /usr/lib/libmen.oo/.LJK2/sshd_config
		      /usr/lib/libmen.oo/.LJK2/backdoor/RK1bd
		      /usr/lib/libmen.oo/.LJK2/backup/du
		      /usr/lib/libmen.oo/.LJK2/backup/ifconfig
		      /usr/lib/libmen.oo/.LJK2/backup/inetd.conf
		      /usr/lib/libmen.oo/.LJK2/backup/locate
		      /usr/lib/libmen.oo/.LJK2/backup/login
		      /usr/lib/libmen.oo/.LJK2/backup/ls
		      /usr/lib/libmen.oo/.LJK2/backup/netstat
		      /usr/lib/libmen.oo/.LJK2/backup/ps
		      /usr/lib/libmen.oo/.LJK2/backup/pstree
		      /usr/lib/libmen.oo/.LJK2/backup/rc.sysinit
		      /usr/lib/libmen.oo/.LJK2/backup/syslogd
		      /usr/lib/libmen.oo/.LJK2/backup/tcpd
		      /usr/lib/libmen.oo/.LJK2/backup/top
		      /usr/lib/libmen.oo/.LJK2/clean/RK1sauber
		      /usr/lib/libmen.oo/.LJK2/clean/RK1wted
		      /usr/lib/libmen.oo/.LJK2/hack/RK1parse
		      /usr/lib/libmen.oo/.LJK2/hack/RK1sniff
		      /usr/lib/libmen.oo/.LJK2/hide/.RK1addr
		      /usr/lib/libmen.oo/.LJK2/hide/.RK1dir
		      /usr/lib/libmen.oo/.LJK2/hide/.RK1log
		      /usr/lib/libmen.oo/.LJK2/hide/.RK1proc
		      /usr/lib/libmen.oo/.LJK2/hide/RK1phidemod.c
		      /usr/lib/libmen.oo/.LJK2/modules/README.modules
		      /usr/lib/libmen.oo/.LJK2/modules/RK1hidem.c
		      /usr/lib/libmen.oo/.LJK2/modules/RK1phide
		      /usr/lib/libmen.oo/.LJK2/sshconfig/RK1ssh"
	LOCKIT_DIRS="/usr/lib/libmen.oo/.LJK2"
	LOCKIT_KSYMS=


	# MRK (MiCrobul?) RootKit (based on Devil RootKit, also see Xzibit)
	MRK_FILES="/dev/ida/.inet/pid
		   /dev/ida/.inet/ssh_host_key
		   /dev/ida/.inet/ssh_random_seed
		   /dev/ida/.inet/tcp.log"
	MRK_DIRS="/dev/ida/.inet
		  /var/spool/cron/.sh"
	MRK_KSYMS=


	# Mood-NT Rootkit
	# Binary is by default called "mood-nt" but can be anywhere.
	# Here we look for collaterals, from include/prefs.h defaults
	# until sig-based dirscan() is added.
	MOODNT_FILES="/sbin/init__mood-nt-_-_cthulhu
		      /_cthulhu/mood-nt.init
		      /_cthulhu/mood-nt.conf
		      /_cthulhu/mood-nt.sniff"
	MOODNT_DIRS="/_cthulhu"
	MOODNT_KSYMS=


	# Ni0 Rootkit
	NIO_FILES="/var/lock/subsys/...datafile.../...net...
		   /var/lock/subsys/...datafile.../...port...
		   /var/lock/subsys/...datafile.../...ps...
		   /var/lock/subsys/...datafile.../...file..."
	NIO_DIRS="/tmp/waza
		  /var/lock/subsys/...datafile...
		  /usr/sbin/es"
	NIO_KSYMS=


	# Ohhara Rootkit
	OHHARA_FILES="/var/lock/subsys/...datafile.../...datafile.../in.smbd.log"
	OHHARA_DIRS="/var/lock/subsys/...datafile...
		     /var/lock/subsys/...datafile.../...datafile...
		     /var/lock/subsys/...datafile.../...datafile.../bin
		     /var/lock/subsys/...datafile.../...datafile.../usr/bin
		     /var/lock/subsys/...datafile.../...datafile.../usr/sbin
		     /var/lock/subsys/...datafile.../...datafile.../lib/security"
	OHHARA_KSYMS=


	# Optic Kit (Tux variant) Rootkit
	OPTICKIT_FILES=
	OPTICKIT_DIRS="/dev/tux
		       /usr/bin/xchk
		       /usr/bin/xsf
		       /usr/bin/ssh2d"
	OPTICKIT_KSYMS=


	# OSX Rootkit 0.2.1 (OSXRK)
	OSXRK_FILES="/dev/.rk/nc
		     /dev/.rk/diepu
		     /dev/.rk/backd
		     /Library/StartupItems/opener
		     /Library/StartupItems/opener.sh
		     /System/Library/StartupItems/opener
		     /System/Library/StartupItems/opener.sh"
	OSXRK_DIRS="/dev/.rk
		    /Users/LDAP-daemon
		    /tmp/.work"
	OSXRK_KSYMS=


	# Oz Rootkit
	OZ_FILES="/dev/.oz/.nap/rkit/terror"
	OZ_DIRS="/dev/.oz"
	OZ_KSYMS=


	# Phalanx Rootkit
	PHALANX_FILES="/uNFuNF
		       /etc/host.ph1
		       /bin/host.ph1
		       /usr/share/.home.ph1/phalanx
		       /usr/share/.home.ph1/cb
		       /usr/share/.home.ph1/kebab"
	PHALANX_DIRS="/usr/share/.home.ph1
		      /usr/share/.home.ph1/tty"
	PHALANX_KSYMS=


	# Phalanx2 Rootkit
	PHALANX2_FILES="/etc/khubd.p2/.p2rc
		        /etc/khubd.p2/.phalanx2
		        /etc/khubd.p2/.sniff
		        /etc/khubd.p2/sshgrab.py
		        /etc/lolzz.p2/.p2rc
		        /etc/lolzz.p2/.phalanx2
		        /etc/lolzz.p2/.sniff
		        /etc/lolzz.p2/sshgrab.py
			/etc/cron.d/zupzzplaceholder
			/usr/lib/zupzz.p2/.p-2.3d
			/usr/lib/zupzz.p2/.p2rc"
	PHALANX2_DIRS="/etc/khubd.p2
		       /etc/lolzz.p2
		       /usr/lib/zupzz.p2"
	PHALANX2_KSYMS=

	# Portacelo Rootkit
	PORTACELO_FILES="/var/lib/.../.ak
			 /var/lib/.../.hk
			 /var/lib/.../.rs
			 /var/lib/.../.p
			 /var/lib/.../getty
			 /var/lib/.../lkt.o
			 /var/lib/.../show
			 /var/lib/.../nlkt.o
			 /var/lib/.../ssshrc
			 /var/lib/.../sssh_equiv
			 /var/lib/.../sssh_known_hosts
			 /var/lib/.../sssh_pid ~/.sssh/known_hosts"
	PORTACELO_DIRS=
	PORTACELO_KSYMS=


	# R3dstorm Toolkit
	REDSTORM_FILES="/var/log/tk02/see_all
			/var/log/tk02/.scris
			/bin/.../sshd/sbin/sshd1
			/bin/.../hate/sk
			/bin/.../see_all"
	REDSTORM_DIRS="/var/log/tk02
		       /var/log/tk02/old
		       /bin/..."
	REDSTORM_KSYMS=


	# RH-Sharpe's Rootkit
	RHSHARPES_FILES="/bin/lps
			 /usr/bin/lpstree
			 /usr/bin/ltop
			 /usr/bin/lkillall
			 /usr/bin/ldu
			 /usr/bin/lnetstat
			 /usr/bin/wp
			 /usr/bin/shad
			 /usr/bin/vadim
			 /usr/bin/slice
			 /usr/bin/cleaner
			 /usr/include/rpcsvc/du"
	RHSHARPES_DIRS=
	RHSHARPES_KSYMS=


	# RSHA's Rootkit
	RSHA_FILES="/bin/kr4p
		    /usr/bin/n3tstat
		    /usr/bin/chsh2
		    /usr/bin/slice2
		    /usr/src/linux/arch/alpha/lib/.lib/.1proc
		    /etc/rc.d/arch/alpha/lib/.lib/.1addr"
	RSHA_DIRS="/etc/rc.d/rsha
		   /etc/rc.d/arch/alpha/lib/.lib"
	RSHA_KSYMS=


	# Shutdown Rootkit
	# The '%' character represents a space.
	SHUTDOWN_FILES="/usr/man/man5/..%/.dir/scannah/asus
			/usr/man/man5/..%/.dir/see
			/usr/man/man5/..%/.dir/nscd
			/usr/man/man5/..%/.dir/alpd
			/etc/rc.d/rc.local%"
	SHUTDOWN_DIRS="/usr/man/man5/..%/.dir
		       /usr/man/man5/..%/.dir/scannah
		       /etc/rc.d/rc0.d/..%/.dir"
	SHUTDOWN_KSYMS=


	# Scalper (FreeBSD.Scalper.Worm) Worm
	SCALPER_FILES="/tmp/.a
		       /tmp/.uua"
	SCALPER_DIRS=
	SCALPER_KSYMS=


	# SHV4 Rootkit
	SHV4_FILES="/etc/ld.so.hash
		    /lib/libext-2.so.7
		    /lib/lidps1.so
		    /lib/libproc.a
		    /lib/libproc.so.2.0.6
		    /lib/ldd.so/tks
		    /lib/ldd.so/tkp
		    /lib/ldd.so/tksb
		    /lib/security/.config/sshd
		    /lib/security/.config/ssh/ssh_host_key
		    /lib/security/.config/ssh/ssh_host_key.pub
		    /lib/security/.config/ssh/ssh_random_seed
		    /usr/include/file.h
		    /usr/include/hosts.h
		    /usr/include/lidps1.so
		    /usr/include/log.h
		    /usr/include/proc.h
		    /usr/sbin/xntps
		    /dev/srd0"
	SHV4_DIRS="/lib/ldd.so
		   /lib/security/.config
		   /lib/security/.config/ssh"
	SHV4_KSYMS=


	# SHV5 Rootkit
	SHV5_FILES="/etc/sh.conf
		    /lib/libproc.a
		    /lib/libproc.so.2.0.6
		    /lib/lidps1.so
		    /lib/libsh.so/bash
		    /usr/include/file.h
		    /usr/include/hosts.h
		    /usr/include/log.h
		    /usr/include/proc.h
		    /lib/libsh.so/shdcf2
		    /lib/libsh.so/shhk
		    /lib/libsh.so/shhk.pub
		    /lib/libsh.so/shrs
		    /usr/lib/libsh/.bashrc
		    /usr/lib/libsh/shsb
		    /usr/lib/libsh/hide
		    /usr/lib/libsh/.sniff/shsniff
		    /usr/lib/libsh/.sniff/shp
		    /dev/srd0"
	SHV5_DIRS="/lib/libsh.so
		   /usr/lib/libsh
		   /usr/lib/libsh/utilz
		   /usr/lib/libsh/.backup"
	SHV5_KSYMS=


	# Sin Rootkit
	SINROOTKIT_FILES="/dev/.haos/haos1/.f/Denyed
			  /dev/ttyoa
			  /dev/ttyof
			  /dev/ttyop
			  /dev/ttyos
			  /usr/lib/.lib
			  /usr/lib/sn/.X
			  /usr/lib/sn/.sys
			  /usr/lib/ld/.X
			  /usr/man/man1/...
			  /usr/man/man1/.../.m
			  /usr/man/man1/.../.w"
	SINROOTKIT_DIRS="/usr/lib/sn
			 /usr/lib/man1/...
			 /dev/.haos"
	SINROOTKIT_KSYMS=


	# Slapper Worm
	SLAPPER_FILES="/tmp/.bugtraq
		       /tmp/.uubugtraq
		       /tmp/.bugtraq.c
		       /tmp/httpd
		       /tmp/.unlock
		       /tmp/update
		       /tmp/.cinik
		       /tmp/.b"
	SLAPPER_DIRS=
	SLAPPER_KSYMS=


	# Sneakin Rootkit
	SNEAKIN_FILES=
	SNEAKIN_DIRS="/tmp/.X11-unix/.../rk"
	SNEAKIN_KSYMS=


	# Solaris Wanuk backdoor
	WANUKDOOR_FILES="/var/adm/sa/.adm/.lp-door.i86pc
			 /var/adm/sa/.adm/.lp-door.sun4
			 /var/spool/lp/admins/.lp-door.i86pc
			 /var/spool/lp/admins/.lp-door.sun4
			 /var/spool/lp/admins/lpshut
			 /var/spool/lp/admins/lpsystem
			 /var/spool/lp/admins/lpadmin
			 /var/spool/lp/admins/lpmove
			 /var/spool/lp/admins/lpusers
			 /var/spool/lp/admins/lpfilter
			 /var/spool/lp/admins/lpstat
			 /var/spool/lp/admins/lpd
			 /var/spool/lp/admins/lpsched
			 /var/spool/lp/admins/lpc"
	WANUKDOOR_DIRS="/var/adm/sa/.adm"
	WANUKDOOR_KSYMS=


	# Solaris Wanuk Worm (ELF_WANUK.A)
	WANUKWORM_FILES="/var/adm/.adm
			 /var/adm/.i86pc
			 /var/adm/.sun4
			 /var/adm/sa/.adm
			 /var/adm/sa/.adm/.i86pc
			 /var/adm/sa/.adm/.sun4
			 /var/adm/sa/.adm/.crontab
			 /var/adm/sa/.adm/devfsadmd
			 /var/adm/sa/.adm/svcadm
			 /var/adm/sa/.adm/cfgadm
			 /var/adm/sa/.adm/kadmind
			 /var/adm/sa/.adm/zoneadmd
			 /var/adm/sa/.adm/sadm
			 /var/adm/sa/.adm/sysadm
			 /var/adm/sa/.adm/dladm
			 /var/adm/sa/.adm/bootadm
			 /var/adm/sa/.adm/routeadm
			 /var/adm/sa/.adm/uadmin
			 /var/adm/sa/.adm/acctadm
			 /var/adm/sa/.adm/cryptoadm
			 /var/adm/sa/.adm/inetadm
			 /var/adm/sa/.adm/logadm
			 /var/adm/sa/.adm/nlsadmin
			 /var/adm/sa/.adm/sacadm
			 /var/adm/sa/.adm/syseventadmd
			 /var/adm/sa/.adm/ttyadmd
			 /var/adm/sa/.adm/consadmd
			 /var/adm/sa/.adm/metadevadm
			 /var/adm/sa/.i86pc
			 /var/adm/sa/.sun4
			 /var/adm/sa/acctadm
			 /var/adm/sa/bootadm
			 /var/adm/sa/cfgadm
			 /var/adm/sa/consadmd
			 /var/adm/sa/cryptoadm
			 /var/adm/sa/devfsadmd
			 /var/adm/sa/dladm
			 /var/adm/sa/inetadm
			 /var/adm/sa/kadmind
			 /var/adm/sa/logadm
			 /var/adm/sa/metadevadm
			 /var/adm/sa/nlsadmin
			 /var/adm/sa/routeadm
			 /var/adm/sa/sacadm
			 /var/adm/sa/sadm
			 /var/adm/sa/svcadm
			 /var/adm/sa/sysadm
			 /var/adm/sa/syseventadmd
			 /var/adm/sa/ttyadmd
			 /var/adm/sa/uadmin
			 /var/adm/sa/zoneadmd
			 /var/spool/lp/admins/.lp/.crontab
			 /var/spool/lp/admins/.lp/lpshut
			 /var/spool/lp/admins/.lp/lpsystem
			 /var/spool/lp/admins/.lp/lpadmin
			 /var/spool/lp/admins/.lp/lpmove
			 /var/spool/lp/admins/.lp/lpusers
			 /var/spool/lp/admins/.lp/lpfilter
			 /var/spool/lp/admins/.lp/lpstat
			 /var/spool/lp/admins/.lp/lpd
			 /var/spool/lp/admins/.lp/lpsched
			 /var/spool/lp/admins/.lp/lpc"
	WANUKWORM_DIRS="/var/adm/sa/.adm
			/var/spool/lp/admins/.lp"
	WANUKWORM_KSYMS=


	# 'Spanish' Rootkit
	SPANISH_FILES="/dev/ptyq
		       /bin/ad
		       /bin/ava
		       /bin/server
		       /usr/sbin/rescue
		       /usr/share/.../chrps
		       /usr/share/.../chrifconfig
		       /usr/share/.../netstat
		       /usr/share/.../linsniffer
		       /usr/share/.../charbd
		       /usr/share/.../charbd2
		       /usr/share/.../charbd3
		       /usr/share/.../charbd4
		       /usr/man/tmp/update.tgz
		       /var/lib/rpm/db.rpm
		       /var/cache/man/.cat
		       /var/spool/lpd/remote/.lpq"
	SPANISH_DIRS="/usr/share/..."
	SPANISH_KSYMS= 


	# Suckit Rootkit
	SUCKIT_FILES="/sbin/initsk12
		      /sbin/initxrk
		      /usr/bin/null
		      /usr/share/locale/sk/.sk12/sk
		      /etc/rc.d/rc0.d/S23kmdac
		      /etc/rc.d/rc1.d/S23kmdac
		      /etc/rc.d/rc2.d/S23kmdac
		      /etc/rc.d/rc3.d/S23kmdac
		      /etc/rc.d/rc4.d/S23kmdac
		      /etc/rc.d/rc5.d/S23kmdac
		      /etc/rc.d/rc6.d/S23kmdac"
	SUCKIT_DIRS="/dev/sdhu0/tehdrakg
		     /etc/.MG
		     /usr/share/locale/sk/.sk12
		     /usr/lib/perl5/site_perl/i386-linux/auto/TimeDate/.packlist"
	SUCKIT_KSYMS=


	# SunOS / NSDAP Rootkit
	NSDAP_FILES="/dev/pts/01/55su
		     /dev/pts/01/55ps
		     /dev/pts/01/55ping
		     /dev/pts/01/55login
		     /dev/pts/01/PATCHER_COMPLETED
		     /dev/prom/sn.l
		     /dev/prom/dos
		     /usr/lib/vold/nsdap/.kit
		     /usr/lib/vold/nsdap/defines
		     /usr/lib/vold/nsdap/patcher
		     /usr/lib/vold/nsdap/pg
		     /usr/lib/vold/nsdap/cleaner
		     /usr/lib/vold/nsdap/utime
		     /usr/lib/vold/nsdap/crypt
		     /usr/lib/vold/nsdap/findkit
		     /usr/lib/vold/nsdap/sn2
		     /usr/lib/vold/nsdap/sniffload
		     /usr/lib/vold/nsdap/runsniff
		     /usr/lib/lpset
		     /usr/lib/lpstart
		     /usr/bin/mc68000
		     /usr/bin/mc68010
		     /usr/bin/mc68020
		     /usr/ucb/bin/ps
		     /usr/bin/m68k
		     /usr/bin/sun2
		     /usr/bin/mc68030
		     /usr/bin/mc68040
		     /usr/bin/sun3
		     /usr/bin/sun3x
		     /usr/bin/lso
		     /usr/bin/u370"
	NSDAP_DIRS="/dev/pts/01
		    /dev/prom
		    /usr/lib/vold/nsdap
		    /.pat"
	NSDAP_KSYMS=


	# SunOS Rootkit
	SUNOSROOTKIT_FILES="/etc/ld.so.hash
			    /lib/libext-2.so.7
			    /usr/bin/ssh2d
			    /bin/xlogin
			    /usr/lib/crth.o
			    /usr/lib/crtz.o
			    /sbin/login
			    /lib/security/.config/sn
			    /lib/security/.config/lpsched
			    /dev/kmod
			    /dev/dos"
	SUNOSROOTKIT_DIRS=
	SUNOSROOTKIT_KSYMS=


	# Superkit Rootkit (Suckit 1.3b-based)
	SUPERKIT_FILES="/usr/man/.sman/sk/backsh
			/usr/man/.sman/sk/izbtrag
			/usr/man/.sman/sk/sksniff
			/var/www/cgi-bin/cgiback.cgi"
	SUPERKIT_DIRS="/usr/man/.sman/sk"
	SUPERKIT_KSYMS=


	# Telnet Backdoor
	TBD_FILES="/usr/lib/.tbd"
	TBD_DIRS=
	TBD_KSYMS=


	# TeLeKiT Rootkit
	TELEKIT_FILES="/usr/man/man3/.../TeLeKiT/bin/sniff
		       /usr/man/man3/.../TeLeKiT/bin/telnetd
		       /usr/man/man3/.../TeLeKiT/bin/teleulo
		       /usr/man/man3/.../cl
		       /dev/ptyr
		       /dev/ptyp
		       /dev/ptyq
		       /dev/hda06
		       /usr/info/libc1.so"
	TELEKIT_DIRS="/usr/man/man3/...
		      /usr/man/man3/.../lsniff
		      /usr/man/man3/.../TeLeKiT"
	TELEKIT_KSYMS=


	# OSX Togroot Rootkit
	TOGROOT_FILES="/System/Library/Extensions/Togroot.kext/Contents/Info.plist
		       /System/Library/Extensions/Togroot.kext/Contents/pbdevelopment.plist
		       /System/Library/Extensions/Togroot.kext/Contents/MacOS/togrootkext"
	TOGROOT_DIRS="/System/Library/Extensions/Togroot.kext
		      /System/Library/Extensions/Togroot.kext/Contents
		      /System/Library/Extensions/Togroot.kext/Contents/MacOS"
	TOGROOT_KSYMS=


	# T0rn (and misc) Rootkit
	TORN_FILES="/dev/.lib/lib/lib/t0rns
		    /dev/.lib/lib/lib/du
		    /dev/.lib/lib/lib/ls
		    /dev/.lib/lib/lib/t0rnsb
		    /dev/.lib/lib/lib/ps
		    /dev/.lib/lib/lib/t0rnp
		    /dev/.lib/lib/lib/find
		    /dev/.lib/lib/lib/ifconfig
		    /dev/.lib/lib/lib/pg
		    /dev/.lib/lib/lib/ssh.tgz
		    /dev/.lib/lib/lib/top
		    /dev/.lib/lib/lib/sz
		    /dev/.lib/lib/lib/login
		    /dev/.lib/lib/lib/in.fingerd
		    /dev/.lib/lib/lib/1i0n.sh
		    /dev/.lib/lib/lib/pstree
		    /dev/.lib/lib/lib/in.telnetd
		    /dev/.lib/lib/lib/mjy
		    /dev/.lib/lib/lib/sush
		    /dev/.lib/lib/lib/tfn
		    /dev/.lib/lib/lib/name
		    /dev/.lib/lib/lib/getip.sh
		    /usr/info/.torn/sh*
		    /usr/src/.puta/.1addr
		    /usr/src/.puta/.1file
		    /usr/src/.puta/.1proc
		    /usr/src/.puta/.1logz
		    /usr/info/.t0rn"
	TORN_DIRS="/dev/.lib
		   /dev/.lib/lib
		   /dev/.lib/lib/lib
		   /dev/.lib/lib/lib/dev
		   /dev/.lib/lib/scan
		   /usr/src/.puta
		   /usr/man/man1/man1
		   /usr/man/man1/man1/lib
		   /usr/man/man1/man1/lib/.lib
		   /usr/man/man1/man1/lib/.lib/.backup"
	TORN_KSYMS=


	# trNkit Rootkit
	TRNKIT_FILES="/usr/lib/libbins.la
		      /usr/lib/libtcs.so
		      /dev/.ttpy/ulogin.sh
		      /dev/.ttpy/tcpshell.sh
		      /dev/.ttpy/bupdu
		      /dev/.ttpy/buloc
		      /dev/.ttpy/buloc1
		      /dev/.ttpy/buloc2
		      /dev/.ttpy/stat
		      /dev/.ttpy/backps
		      /dev/.ttpy/tree
		      /dev/.ttpy/topk
		      /dev/.ttpy/wold
		      /dev/.ttpy/whoold
		      /dev/.ttpy/backdoors"
	TRNKIT_DIRS=
	TRNKIT_KSYMS=


	# Trojanit Kit Rootkit
	TROJANIT_FILES="/bin/.ls
			/bin/.ps
			/bin/.netstat
			/usr/bin/.nop
			/usr/bin/.who"
	TROJANIT_DIRS=
	TROJANIT_KSYMS=


	# Turtle / Turtle2 Rootkit
	TURTLE_FILES="/dev/turtle2dev"
	TURTLE_DIRS=
	TURTLE_KSYMS=


	# Tuxtendo (Tuxkit) Rootkit
	TUXTENDO_FILES="/lib/libproc.so.2.0.7
			/usr/bin/xchk
			/usr/bin/xsf
			/dev/tux/suidsh
			/dev/tux/.addr
			/dev/tux/.cron
			/dev/tux/.file
			/dev/tux/.log
			/dev/tux/.proc
			/dev/tux/.iface
			/dev/tux/.pw
			/dev/tux/.df
			/dev/tux/.ssh
			/dev/tux/.tux
			/dev/tux/ssh2/sshd2_config
			/dev/tux/ssh2/hostkey
			/dev/tux/ssh2/hostkey.pub
			/dev/tux/ssh2/logo
			/dev/tux/ssh2/random_seed
			/dev/tux/backup/crontab
			/dev/tux/backup/df
			/dev/tux/backup/dir
			/dev/tux/backup/find
			/dev/tux/backup/ifconfig
			/dev/tux/backup/locate
			/dev/tux/backup/netstat
			/dev/tux/backup/ps
			/dev/tux/backup/pstree
			/dev/tux/backup/syslogd
			/dev/tux/backup/tcpd
			/dev/tux/backup/top
			/dev/tux/backup/updatedb
			/dev/tux/backup/vdir"
	TUXTENDO_DIRS="/dev/tux
		       /dev/tux/ssh2
		       /dev/tux/backup"
	TUXTENDO_KSYMS=


	# Universal Rootkit by K2 (URK) Release 0.9.8
	URK_FILES="/dev/prom/sn.l
		   /usr/lib/ldlibps.so
		   /usr/lib/ldlibnet.so
		   /dev/pts/01/uconf.inv
		   /dev/pts/01/cleaner
		   /dev/pts/01/bin/psniff
		   /dev/pts/01/bin/du
		   /dev/pts/01/bin/ls
		   /dev/pts/01/bin/passwd
		   /dev/pts/01/bin/ps
		   /dev/pts/01/bin/psr
		   /dev/pts/01/bin/su
		   /dev/pts/01/bin/find
		   /dev/pts/01/bin/netstat
		   /dev/pts/01/bin/ping
		   /dev/pts/01/bin/strings
		   /dev/pts/01/bin/bash
		   /usr/man/man1/xxxxxxbin/du
		   /usr/man/man1/xxxxxxbin/ls
		   /usr/man/man1/xxxxxxbin/passwd
		   /usr/man/man1/xxxxxxbin/ps
		   /usr/man/man1/xxxxxxbin/psr
		   /usr/man/man1/xxxxxxbin/su
		   /usr/man/man1/xxxxxxbin/find
		   /usr/man/man1/xxxxxxbin/netstat
		   /usr/man/man1/xxxxxxbin/ping
		   /usr/man/man1/xxxxxxbin/strings
		   /usr/man/man1/xxxxxxbin/bash
		   /tmp/conf.inv"
	URK_DIRS="/dev/prom
		  /dev/pts/01
		  /dev/pts/01/bin
		  /usr/man/man1/xxxxxxbin"
	URK_KSYMS=
	# Also-see: /usr/lib/lpset (esniff), /var/lp/lpacct/ (files), /usr/lib/bnclp, /usr/lib/lpsys (identd),
	# Also-see: /usr/lib/lptd (backdoor?), /sbin/rc2 and /sbin/rc3 containing string "/usr/lib/lpstart",
	# Also-see: dos, psbnc, lpacct, USER, lp,
	# Also see: /etc/lpconfig vs /etc/ttyhash, uconv.inv vs urk.conf.


	# VcKit Rootkit
	VCKIT_FILES=
	VCKIT_DIRS="/usr/include/linux/modules/lib.so
		    /usr/include/linux/modules/lib.so/bin"
	VCKIT_KSYMS=


	# Vampire Rootkit
	VAMPIRE_FILES=
	VAMPIRE_DIRS=
	VAMPIRE_KSYMS="new_getdents
			old_getdents
			should_hide_file_name
			should_hide_task_name"	


	# Volc Rootkit
	# Omit listing system binaries that should be picked up by changed hashes.
	VOLC_FILES="/usr/bin/volc
		    /usr/lib/volc/backdoor/divine
		    /usr/lib/volc/linsniff
		    /etc/rc.d/rc1.d/S25sysconf
		    /etc/rc.d/rc2.d/S25sysconf
		    /etc/rc.d/rc3.d/S25sysconf
		    /etc/rc.d/rc4.d/S25sysconf
		    /etc/rc.d/rc5.d/S25sysconf"
	VOLC_DIRS="/var/spool/.recent
		   /var/spool/.recent/.files
		   /usr/lib/volc
		   /usr/lib/volc/backup"
	VOLC_KSYMS=


	# weaponX 0.1
	WEAPONX_FILES="/System/Library/Extensions/WeaponX.kext"
	WEAPONX_DIRS="/tmp/..."
	WEAPONX_KSYMS=


	# WMKR26 2.0, WindEX, XND Crew, LKM for kernel 2.6
	# (2.6.12 -  2.6.19.2, i[456]86 and x86_64)
	# These files don't exist and can't be seen:
	# /proc/qwerty
	# /proc/givemeroot
	# /proc/hide+[PID]
	# /proc/hide-[PID]
	# /proc/active-
	# /proc/module_hide+
	# /proc/module_hide-
	# /proc/givemeinfo


	# Xzibit Rootkit (also see MRK (MiCrobul?) RootKit)
	XZIBIT_FILES="/dev/dsx
		      /dev/caca
		      /dev/ida/.inet/linsniffer
		      /dev/ida/.inet/logclear
		      /dev/ida/.inet/sense
		      /dev/ida/.inet/sl2
		      /dev/ida/.inet/sshdu
		      /dev/ida/.inet/s
		      /dev/ida/.inet/ssh_host_key
		      /dev/ida/.inet/ssh_random_seed
		      /dev/ida/.inet/sl2new.c
		      /dev/ida/.inet/tcp.log
		      /home/httpd/cgi-bin/becys.cgi
		      /usr/local/httpd/cgi-bin/becys.cgi
		      /usr/local/apache/cgi-bin/becys.cgi
		      /www/httpd/cgi-bin/becys.cgi
		      /www/cgi-bin/becys.cgi"
	XZIBIT_DIRS="/dev/ida/.inet"
	XZIBIT_KSYMS=


	# X-Org SunOS Rootkit
	XORGSUNOS_FILES="/usr/lib/libX.a/bin/tmpfl
			 /usr/lib/libX.a/bin/rps
			 /usr/bin/srload
			 /usr/lib/libX.a/bin/sparcv7/rps
			 /usr/sbin/modcheck"
	XORGSUNOS_DIRS="/usr/lib/libX.a
			/usr/lib/libX.a/bin
			/usr/lib/libX.a/bin/sparcv7
			/usr/share/man..."
	XORGSUNOS_KSYMS=


	# zaRwT.KiT Rootkit
	ZARWT_FILES="/dev/rd/s/sendmeil
		     /dev/ttyf
		     /dev/ttyp
		     /dev/ttyn
		     /rk/tulz"
	ZARWT_DIRS="/rk
		    /dev/rd/s"
	ZARWT_KSYMS=


	# ZK Rootkit
	ZK_FILES="/usr/share/.zk/zk
		  /usr/X11R6/.zk/xfs
		  /usr/X11R6/.zk/echo
		  /etc/1ssue.net
		  /etc/sysconfig/console/load.zk"
	ZK_DIRS="/usr/share/.zk
		 /usr/X11R6/.zk"
	ZK_KSYMS=


	# Miscellaneous login backdoors
	LOGIN_BACKDOOR_FILES="/bin/.login
			      /sbin/.login"


	# Suspicious directories
	SUSPICIOUS_DIRS="/usr/X11R6/bin/.,/copy
			 /dev/rd/cdb"


	# Evil strings
	STRINGSCAN="crond:LOGNAME=root:Illogic Rootkit
		    hostname:phalanx:Phalanx Rootkit
		    init:/dev/proc/fuckit:Fuckit Rootkit
		    init:FUCK:Suckit Rootkit
		    init:backdoor:Suckit Rootkit (backdoored init file)
		    init:/usr/bin/rcpc:Portacelo Rootkit
		    init:/usr/sbin/login:trNkit Rootkit ulogin
		    killall:/dev/ptyxx/.proc:Ambient (ark) Rootkit
		    login:vt200:Linux Rootkit (LRK4)
		    login:/usr/bin/xstat:Linux Rootkit (LRK4)
		    login:/bin/envpc:Linux Rootkit (LRK4)
		    login:L4m3r0x:Linux Rootkit (LRK4)
		    login:/lib/libext:SHV4 Rootkit
		    login:/usr/sbin/login:Flea Linux Rootkit
		    login:/usr/lib/.tbd:TBD Rootkit
		    login:sendmail:Ambient (ark) Rootkit
		    login:cocacola:cb Rootkit
		    login:joao:Spanish Rootkit
		    ls:/dev/ptyxx/.file:Dica-Kit Rootkit
		    ls:/dev/ptyxx/.file:Ambient (ark) Rootkit
		    ls:/dev/sgk:Linux Rootkit (LRK4)
		    ls:/var/lock/subsys/...datafile...:Ohhara Rootkit
		    ls:/usr/lib/.tbd:TBD Rootkit
		    netstat:/dev/proc/fuckit:Fuckit Rootkit
		    netstat:/lib/.sso:Dica-Kit Rootkit
		    netstat:/var/lock/subsys/...datafile...:Ohhara Rootkit
		    netstat:/dev/caca:MRK Rootkit
		    netstat:/dev/ttyoa:Sin Rootkit
		    netstat:/usr/lib/ldlibns.so:Flea Linux Rootkit
		    netstat:/dev/ptyxx/.addr:Ambient (ark) Rootkit
		    netstat:syg:Trojaned netstat
		    nscd:sshd_config:Backdoor shell installed (SSH)
                    ps:/var/lock/subsys/...datafile...:Ohhara Rootkit or Ni0 Rootkit
		    ps:/dev/pts/01:Universal Rootkit (URK)
		    ps:tw33dl3:SunOS Rootkit
		    ps:psniff:SunOS Rootkit
		    ps:uconf.inv:Universal Rootkit (URK)
		    ps:lib/ldlibps.so:Flea Linux Rootkit or Universal Rootkit (URK)
		    pstree:/usr/lib/ldlibpst.so:Flea Linux Rootkit
		    ps:libproc.so.2.0.7:Fuckit Rootkit
		    ps:/dev/ptyxx/.proc:Ambient (ark) Rootkit
		    pstree:/dev/ptyxx/.proc:Ambient (ark) Rootkit
		    pgrep:libproc.so.2.0.7:Fuckit Rootkit
		    pkill:libproc.so.2.0.7:Fuckit Rootkit
		    ping:/bin/bash:Ping Rootkit or other backdoor
		    rpc.nfsd:cant open log:Sniffer installed
		    rpc.nfsd:sniff.pid:Sniffer installed
		    rpc.nfsd:tcp.log:Sniffer installed
		    sshd:/dev/ptyxx:OpenBSD Rootkit
		    sshd:/.config:SHV4 Rootkit
		    sshd:+\\$.*\\$\!.*\!\!\\$:Backdoored SSH daemon installed
		    sshd:backdoor.h:Trojaned SSH daemon
		    sshd:backdoor_active:Trojaned SSH daemon
		    sshd:magic_pass_active:Trojaned SSH daemon
		    sshd:/usr/include/gpm2.h:Trojaned SSH daemon
		    sshd:/usr/include/openssl:Trojaned SSH daemon
		    sshd:aion:Trojaned SSH daemon
		    sshd:pcszPass:Trojaned SSH daemon
		    sshd:LogPass:Trojaned SSH daemon
		    sshd:Login_Check:Trojaned SSH daemon
		    sshd:includes.h:Trojaned SSH daemon
		    sshd:DecodeString:Trojaned SSH daemon
		    sshd:EncodeString:Trojaned SSH daemon
		    xntps:/.config:SHV4 Rootkit
		    syslogd:promiscuous:Sniffer installed
		    syslogd:/usr/lib/.tbd:TBD Rootkit
		    syslogd:/dev/ptyxx/.log:Ambient (ark) Rootkit
		    syslogd:/usr/share/pci.r:Trojaned Syslog daemon
		    tcpd:/dev/xdta:Dica-Kit Rootkit
		    top:/usr/lib/.tbd:TBD Rootkit
		    top:/dev/ptyxx/.proc:Ambient (ark) Rootkit
		    xtty:/bin/sh:Backdoor shell
		    ttymon:fucknut:SHV5 Rootkit
		    ttymon:lamersucks:SHV5 Rootkit
		    ttymon:skillz:SHV5 Rootkit
		    ttyload:/sbin/ttyload:SHV5 Rootkit
		    ttyload:/sbin/ttymon:SHV5 Rootkit
		    ttyload:propert of SH:SHV5 Rootkit
		    rcfile:in.inetd:SHV4 Rootkit
		    rcfile:+#<HIDE_.*>:Enye LKM
		    rcfile:bin/xchk:Optic Kit (Tux) Worm
		    rcfile:bin/xsf:Optic Kit (Tux) Worm
		    rcfile:/usr/bin/ssh2d:Flea Linux Rootkit or Optic Kit (Tux variant) Rootkit or SunOS Rootkit 
		    rcfile:/usr/sbin/xntps:SHV4 Rootkit
		    rcfile:ttyload:SHV5 Rootkit
		    rcfile:/etc/rc.d/init.d/init:cb Rootkit or w00tkit Rootkit
		    rcfile:usr/bin/xfss:Devil Rootkit
		    rcfile:/usr/sbin/rpc.netinet:FreeBSD (FBRK) Rootkit
		    rcfile:/usr/lib/.fx/cons.saver:FreeBSD (FBRK) Rootkit
		    rcfile:/usr/lib/.fx/xs:FreeBSD (FBRK) Rootkit
		    rcfile:/ssh2d:Illogic Rootkit or SunOS Rootkit
		    rcfile:/dev/kmod:Illogic Rootkit or SunOS Rootkit
		    rcfile:/crth.o:Illogic Rootkit or SunOS Rootkit
		    rcfile:/crtz.o:Illogic Rootkit or SunOS Rootkit
		    rcfile:/dev/dos:Illogic Rootkit or SunOS Rootkit
		    rcfile:/lpq:Illogic Rootkit or SunOS Rootkit
		    rcfile:/usr/sbin/rescue:Spanish Rootkit
		    rcfile:/usr/lib/lpstart:SunOS NSDAP Rootkit or Universal Rootkit (URK)
		    rcfile:/volc:Volc Rootkit
		    rcfile:sourcemask:Rootkit component
		    rcfile:/bin/vobiscum:Rootkit component
		    rcfile:/usr/sbin/in.telnet:Rootkit component
		    rcfile:/usr/bin/hdparm?-t1?-X53?-p:Xzibit Rootkit
		    rcfile:/lib/.xsyslog:Flooder (Linux/Bckdr-RKC) component
		    rcfile:/etc/.xsyslog:Flooder (Linux/Bckdr-RKC) component
		    rcfile:/lib/.ssyslog:Flooder (Linux/Bckdr-RKC) component
		    rcfile:/tmp/.sendmail:Flooder (Linux/Bckdr-RKC) component
		    ssh:/lib/ldd.so/tkps:SHV4 Rootkit
		    ssh1:/lib/ldd.so/tkps:SHV4 Rootkit
		    ssh:t0rnkit:T0rn Rootkit
		    ssh:/dev/proc/fuckit:Fuckit Rootkit
		    ssh:backdoor.h:Trojaned SSH daemon
		    ssh:backdoor_active:Trojaned SSH daemon
		    ssh:magic_pass_active:Trojaned SSH daemon
		    ssh:/usr/include/gpm2.h:Trojaned SSH daemon
		    skill:libproc.so.2.0.7:Fuckit Rootkit
		    snice:libproc.so.2.0.7:Fuckit Rootkit
		    top:libproc.so.2.0.7:Fuckit Rootkit
		    slocate:/usr/lib/ldlibct.so:Flea Linux Rootkit
		    locate:/usr/lib/ldlibct.so:Flea Linux Rootkit
		    du:/usr/lib/ldlibdu.so:Flea Linux Rootkit
		    du:/dev/ptyxx/.file:Ambient (ark) Rootkit
		    w:libproc.so.2.0.7:Fuckit Rootkit
		    xlogin:/lib/libext:SHV4 Rootkit
		    hdparm:/dev/ida/.inet:Xzibit Rootkit
		    pgrep:/usr/include/mysql/mysql.hh1:Rootkit component
		    pkill:/usr/include/mysql/mysql.hh1:Rootkit component
		    pmap:/usr/include/mysql/mysql.hh1:Rootkit component
		    ps:/usr/include/mysql/mysql.hh1:Rootkit component
		    w:/usr/include/mysql/mysql.hh1:Rootkit component
		    top:/usr/include/mysql/mysql.hh1:Rootkit component
		    bc:backconnect:Jynx Rootkit
		    bc:magic?packet?received:Jynx Rootkit"


	# Possible rootkit files and directories
	# The '%' character represents a space.
	FILESCAN="file:/dev/sdr0:T0rn Rootkit MD5 hash database
		  file:/dev/pisu:Rootkit component
		  file:/dev/xdta:Dica-Kit Rootkit
		  file:/dev/saux:Trojaned SSH daemon sniffer log
		  file:/dev/hdx:Linux.RST.B infection
		  file:/dev/hdx1:Linux.RST.B infection
		  file:/dev/hdx2:Linux.RST.B infection
		  file:/dev/ptyy:Rootkit component
		  file:/dev/ptyu:Rootkit component
		  file:/dev/ptyv:Rootkit component
		  file:/dev/hdbb:Rootkit component
		  file:/tmp/.syshackfile:Trojaned syslog daemon
		  file:/tmp/.bash_history:Lite5-r Rootkit
		  file:/usr/info/.clib:Backdoor component
		  file:/usr/sbin/tcp.log:Sniffer log
		  file:/usr/bin/take/pid:Trojaned SSH daemon
		  file:/sbin/create:MzOzD Local backdoor
		  file:/dev/ttypz:spwn login backdoor
		  file:/var/log/tcp.log:beX2 Rootkit
		  file:/usr/include/audit.h:beX2 Rootkit
		  file:/usr/bin/sourcemask:Rootkit component
		  file:/usr/bin/ras2xm:Rootkit component
		  file:/dev/xmx:Dica-Kit Rootkit
		  file:/usr/sbin/gpm.root:Rootkit component
		  file:/bin/vobiscum:Rootkit component
		  file:/bin/psr:Rootkit component
		  file:/dev/kdx:Rootkit component
		  file:/dev/dkx:Rootkit component
		  file:/usr/sbin/sshd3:Rootkit component
		  file:/usr/sbin/jcd:Rootkit component
		  file:/etc/rc.d/init.d/jcd:Rootkit component
		  file:/usr/sbin/atd2:Rootkit component
		  file:/home/httpd/cgi-bin/linux.cgi:Dica-Kit Rootkit
		  file:/home/httpd/cgi-bin/psid:Dica-Kit Rootkit
		  file:/home/httpd/cgi-bin/void.cgi:Dica-Kit Rootkit
		  file:/etc/rc.d/init.d/system:Rootkit component
		  file:/etc/rc.d/rc3.d/S93users:Rootkit component
		  file:/tmp/.ush:Dica-Kit Rootkit
		  file:/usr/lib/libhidefile.so:HIDEFILE envvar file-hiding library
		  file:/etc/cron.d/kmod:Illogic Rootkit
		  file:/usr/lib/dmis/dmisd:Trojaned SSH daemon
		  file:/lib/secure/libhij.so:Solaris Trojaned SSH daemon
		  file:/usr/sbin/sshd3:Rootkit component
		  file:/etc/rc.d/init.d/crontab:Rootkit component
		  file:/etc/rc.d/init.d/jcd:Rootkit component
		  file:/usr/sbin/atd2:Rootkit component
		  file:/etc/rc.d/rc5.d/S93users:Rootkit component
		  file:/usr/include/mysql/mysql.hh1:Rootkit component
		  file:/etc/init.d/xfs3:Rootkit component
		  file:/usr/sbin/t.txt:Opyum kit component
		  file:/usr/sbin/change:Opyum kit component
		  file:/usr/sbin/s:Opyum kit component
		  file:/bin/f:Opyum kit component
		  file:/bin/i:Opyum kit component
		  file:/lib/libncom.so.4.0.1:ncom rootkit library
		  file:/sbin/zinit:Rootkit component
		  file:/tmp/pass_ssh.log:Trojaned SSH daemon
		  file:/usr/include/gpm2.h:Trojaned SSH daemon
		  file:/etc/ssh/.sshd_auth:Trojaned SSH daemon (logins)
		  file:/usr/lib/.sshd.h:Trojaned SSH daemon (logins)
		  file:/var/run/.defunct:Trojaned SSH daemon
		  file:/etc/httpd/run/.defunct:Trojaned SSH daemon
		  file:/usr/share/pci.r:Trojaned Syslog daemon
		  file:/etc/cron.daily/dnsquery:Sniffer
		  file:/usr/lib/libutil1.2.1.2.so:Trojaned SSH daemon component (hwclock binary)
		  file:/bin/ceva:Trojaned SSH daemon (client binary)
		  file:/sbin/syslogd%:Trojaned SSH daemon (sebd)
		  file:/usr/include/shup.h:Trojaned SSH daemon (client binary)
		  file:/etc/rpm/sshdOLD:Trojaned SSH daemon (original sshd binary)
		  file:/etc/rpm/sshOLD:Trojaned SSH daemon (original ssh binary)
		  file:/usr/share/passwd.h:Trojaned SSH daemon (default configuration)
		  file:/lib/.xsyslog:Flooder (Linux/Bckdr-RKC) component
		  file:/etc/.xsyslog:Flooder (Linux/Bckdr-RKC) component
		  file:/lib/.ssyslog:Flooder (Linux/Bckdr-RKC) component
		  file:/tmp/.sendmail:Flooder (Linux/Bckdr-RKC) component
		  file:/usr/share/sshd.sync:Trojaned SSH daemon
		  file:/bin/zcut:Trojaned SSH daemon
		  file:/usr/bin/zmuie:Trojaned SSH daemon
		  dir:/dev/ptyas:Langsuir installation directory
		  dir:/usr/bin/take:Trojaned SSH daemon
		  dir:/usr/src/.lib:Rootkit component
		  dir:/usr/share/man/man1/.1c:Eggdrop (IRC bot)
		  dir:/lib/lblip.tk:T0rn Rootkit directory with backdoored SSH-configuration
		  dir:/usr/sbin/...:Rootkit component
		  dir:/usr/share/.gun:Rootkit component
		  dir:/unde/vrei/tu/sa/te/ascunzi/in/server:Unknown rootkit
		  dir:/usr/man/man1/..%%/.dir:Unknown rootkit
		  dir:/usr/X11R6/include/X11/...:Unknown rootkit
		  dir:/usr/X11R6/lib/X11/.fonts/misc/...:Unknown rootkit
		  dir:/tmp/.sys:Rootkit component
		  dir:/tmp/':Rootkit component
		  dir:/tmp/.,:Rootkit component
		  dir:/tmp/,.,:Rootkit component
		  dir:/dev/shm/emilien:Rootkit component
		  dir:/var/tmp/.log:Rootkit component
		  dir:/tmp/zmeu/...%:Rootkit component
		  dir:/var/log/ssh:Rootkit component
		  dir:/dev/ida:Rootkit component
		  dir:/var/lib/games/.src/ssk/shit:Rootkit component
		  dir:/usr/lib/libshtift:Rootkit component
		  dir:/usr/src/.poop:Ramen worm
		  dir:/dev/wd4:IRC bot
		  dir:/var/run/.tmp:Rootkit component
		  dir:/usr/man/man1/lib/.lib:Rootkit component
		  dir:/dev/portd:Rootkit component
		  dir:/dev/...:Rootkit component
		  dir:/usr/share/man/mansps:Rootkit component
		  dir:/lib/.so:Rootkit component
		  dir:/lib/.sso:Rootkit component
		  dir:/usr/include/sslv3:Rootkit component
		  dir:/dev/shm/sshd:Trojaned SSH daemon
		  dir:/usr/share/locale/mk/.dev/sk:Sniffer
		  dir:/usr/share/locale/mk/.dev:Sniffer
		  dir:/usr/include/netda.h:Trojaned SSH daemon
		  dir:/usr/include/.ssh:Trojaned SSH daemon
		  dir:/usr/share/locale/jp/.%:IRC bot
		  dir:/usr/share/.sqe:IRC bot"


	# Evil strings for FreeBSD KLD (Dynamic Kernel Linker modules)
	KLDSTATKEYWORDS="backd00r backdoor darkside nekit rpldev rpldev_mod spapem_core spapem_genr00t hide_process turtle"


	# Suspicious startup file strings
	RCLOCAL_STRINGS="/usr/bin/rpc.wall:Linux Rootkit (LRK4)
			 sshdd:GasKit Rootkit
			 hidef:Knark Rootkit
			 /usr/bin/.etc:Dica-Kit Rootkit"


	# Suspicious open files
	SUSP_FILES_INFO="backdoor:Generic backdoor
			 adore.o:Adore kernel module
			 mod_rootme.so:Apache mod_rootme backdoor
			 phide_mod.o:Process hiding kernel module
			 lbk.ko:LBK FreeBSD kernel module
			 vlogger.o:THC-Vlogger kernel module
			 cleaner.o:Adore kernel module
			 cleaner:Adore Rootkit
			 ava:Adore Rootkit
			 tzava:Adore Rootkit
			 mod_klgr.o:klgr, keyboard logger (kernel module)
			 hydra:THC-Hydra (password capture)
			 hydra.restore:THC-Hydra (password capture)
			 ras2xm:Unknown rootkit
			 vobiscum:Unknown rootkit
			 sshd3:Unknown rootkit
			 system:Unknown rootkit
			 t0rnsb:T0rn Rootkit
			 t0rns:T0rn Rootkit
			 t0rnp:T0rn Rootkit
			 rx4u:Unknown rootkit
			 rx2me:Unknown rootkit
			 crontab:Unknown rootkit
			 sshdu:Unknown rootkit
			 glotzer:Unknown rootkit
			 holber:Devil Rootkit
			 xhide:Process hiding software
			 xh:Process hiding software (alternative of XHide)
			 emech:IRC bot
			 psybnc:IRC bot
			 mech:IRC bot
			 httpd.bin:IRC bot
			 mh:Dica-Kit Rootkit IRC bot
			 xl:Dica-Kit Rootkit
			 write:Dica-Kit Rootkit
			 Phantasmagoria.o:Process hiding Linux kernel module
			 lkt.o:Portacelo Rootkit
			 nlkt.o:Portacelo Rootkit
			 ld_poison.so:Jynx Rootkit
			 .xsyslog:Flooder (Linux/Bckdr-RKC) component
			 .ssyslog:Flooder (Linux/Bckdr-RKC) component
			 pscan2:Port scanner
			 scanssh:Port scanner
			 sshf:Possible port scanner
			 ssh-scan:Port scanner
			 atac:Port scanner component
			 \[pdflush\]:IRC bot"


	# System startup file pathnames
	RCLOCATIONS="/etc/rc.d
		     /etc/rc.local
		     /usr/local/etc/rc.d
		     /usr/local/etc/rc.local
		     /etc/conf.d/local.start
		     /etc/init.d
		     /etc/inittab"


	# Integrity tests
	STRINGS_INTEGRITY="${BOBKIT_FILES} ${BOBKIT_DIRS} ${CINIK_FILES}
			   ${CINIK_DIRS} ${DICA_FILES} ${FREEBSD_RK_FILES}
			   ${TBD_FILES} ${TORN_FILES} ${TORN_DIRS}"


	SNIFFER_FILES="/usr/lib/libice.log
		       /dev/prom/sn.l
		       /dev/fd/.88/zxsniff.log"


	# Known bad Linux kernel modules
	LKM_BADNAMES="adore.o
		      bkit-adore.o
		      cleaner.o
		      flkm.o
		      knark.o
		      modhide.o
		      mod_klgr.o
		      phide_mod.o
		      vlogger.o
		      p2.ko
		      rpldev.o
		      xC.o
		      strings.o
		      wkmr26.ko"

	return
}


strings_check() {

	#
	# This function carries out the 'strings' command check.
	# It passes specific strings through the strings command to
	# see if they are missing. If so, then it can indicate that
	# the command has been modified to hide information.
	#

	if `check_test strings`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST strings
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 STRINGS_CHECK_START
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST strings
		return
	fi


	#
	# First check to see if we have a 'strings' command.
	#

	if [ -z "${STRINGS_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 STRINGS_CHECK
		display --to LOG --type INFO NOT_FOUND_CMD "strings"
		return
	fi


	STRINGSFAILED=0

	for STRING in ${STRINGS_INTEGRITY}; do
		STRINGNAME=`echo "${STRING}" | sed -e 's/\./\\\./g'`
		STRING_SEEN=`echo "${STRING}" | ${STRINGS_CMD} | grep "${STRINGNAME}" | tr -d ' '`

		if [ -z "${STRING_SEEN}" ]; then
			STRINGSFAILED=1
			display --to LOG --type WARNING --result WARNING --log-indent 2 STRINGS_SCANNING_BAD "${STRING}"
		elif [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --result OK --log-indent 2 STRINGS_SCANNING_OK "${STRING}"
		fi
	done


	if [ $STRINGSFAILED -eq 0 ]; then
		RKHTMPVAR="SCREEN"
		test $VERBOSE_LOGGING -eq 0 && RKHTMPVAR="SCREEN+LOG"

		display --to "${RKHTMPVAR}" --type PLAIN --result OK --color GREEN --screen-indent 4 STRINGS_CHECK
	else
		display --to SCREEN --type PLAIN --result WARNING --color RED --screen-indent 4 STRINGS_CHECK
	fi

	return
}


shared_libs_check() {

	#
	# This function checks shared library loading problems.
	# It is part of do_system_commands_checks and should precede or run
	# just after strings_check if enabled.
	#

	#
	# Remarks:
	# Oracle-10.1.0.3 on RHEL3 needs /etc/libcwait.so,
	# F-PROT Antivirus for GNU/Linux needs f-prot.so,
	# AVAYA Labs "stack overflow protection" uses libsafe.
	#

	if `check_test shared_libs`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST shared_libs
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 SHARED_LIBS_START
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST shared_libs
		return
	fi


	#
	# First check for preloading exported variables.
	#

	VARFOUND=""

	for RKHTMPVAR in LD_PRELOAD LD_AOUT_PRELOAD LD_ELF_PRELOAD; do
		RKHTMPVAR_RES=`eval echo "\\$${RKHTMPVAR}"`

		FOUND=0

		for FNAME in ${RKHTMPVAR_RES}; do
			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\./\\\./g'`

			if [ -z "`echo \"${SHARED_LIB_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
				FOUND=1
			else
				display --to LOG --type INFO SHARED_LIBS_PRELOAD_LIB_WLIST "${FNAME}"
			fi
		done

		if [ $FOUND -eq 1 ]; then
			VARFOUND="${VARFOUND}
${RKHTMPVAR}=\"${RKHTMPVAR_RES}\""
		fi
	done


	VARFOUND=`echo "${VARFOUND}" | sed -e '/^$/d'`

	if [ -z "${VARFOUND}" ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_VAR
	else
		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_VAR

		IFS=$IFSNL

		for FNAME in ${VARFOUND}; do
			display --to LOG --type WARNING SHARED_LIBS_PRELOAD_VAR_FOUND "${FNAME}"
		done

		IFS=$RKHIFS
	fi


	#
	# Next check for a preload file.
	#

	RKHTMPVAR="/etc/ld.so.preload"

	if [ -s ${RKHTMPVAR} ]; then
		RKHLIBLIST=""

		display --to LOG --type INFO SHARED_LIBS_PRELOAD_FILE_FOUND "${RKHTMPVAR}"

		for FNAME in `cat ${RKHTMPVAR}`; do
			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\./\\\./g'`

			if [ -z "`echo \"${SHARED_LIB_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
				RKHLIBLIST="${RKHLIBLIST} ${FNAME}"
			else
				display --to LOG --type INFO SHARED_LIBS_PRELOAD_LIB_WLIST "${FNAME}"
			fi
		done

		if [ -n "${RKHLIBLIST}" ]; then
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_FILE

			for FNAME in ${RKHLIBLIST}; do
				display --to LOG --type WARNING SHARED_LIBS_PRELOAD_LIB_FOUND "${FNAME}"
			done
		else
			display --to SCREEN+LOG --type PLAIN --result WHITELISTED --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_FILE
		fi
	else
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PRELOAD_FILE
	fi


	#
	# Finally we check the LD_LIBRARY_PATH. This check may be
	# disabled by the user if the 'ldd' command is not available.
	#

	if `check_test shared_libs_path`; then
		display --to LOG --type INFO --log-nl STARTING_TEST shared_libs_path

		if [ -n "${LDD_CMD}" ]; then
			if [ -n "${LD_LIBRARY_PATH}" ]; then
				LD_LIBR_FAILED=0
				RKHTMPVAR_BIN=""
				LD_LIBRARY_PATH_SAVED="${LD_LIBRARY_PATH}"

				if [ -z "${MD5_CMD}" ]; then
					MD5_CMD=`find_cmd md5sum`
					test -z "${MD5_CMD}" && MD5_CMD=`find_cmd md5`
				fi

				LS_CMD=`find_cmd ls`

				for RKHTMPVAR in FIND PS STRINGS MD5 LS STAT; do
					RKHTMPVAR=`eval echo "\\$${RKHTMPVAR}_CMD"`
					RKHTMPVAR=`echo "${RKHTMPVAR}" | cut -d' ' -f1`

					RKHTMPVAR_BIN="${RKHTMPVAR_BIN} ${RKHTMPVAR}"
				done

				for RKHTMPVAR in ${RKHTMPVAR_BIN}; do
					LD_LIBRARY_PATH="${LD_LIBRARY_PATH_SAVED}"
					export LD_LIBRARY_PATH
					RKHTMPVAR_WITH=`${LDD_CMD} ${RKHTMPVAR} | sed -e 's/(0x[0-9a-f]*)/0xHEX/' 2>&1`

					unset LD_LIBRARY_PATH
					RKHTMPVAR_WITHOUT=`${LDD_CMD} ${RKHTMPVAR} | sed -e 's/(0x[0-9a-f]*)/0xHEX/' 2>&1`

					if [ "${RKHTMPVAR_WITH}" != "${RKHTMPVAR_WITHOUT}" ]; then
						#
						# Testing one command should be "evidence" enough.
						#

						LD_LIBR_FAILED=1
						break
					fi
				done


				#
				# Reset things to the way they were before.
				#

				LD_LIBRARY_PATH="${LD_LIBRARY_PATH_SAVED}"
				export LD_LIBRARY_PATH

				if [ $LD_LIBR_FAILED -eq 0 ]; then
					display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH
				else
					display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH
					display --to LOG --type WARNING SHARED_LIBS_PATH_BAD "${LD_LIBRARY_PATH}"
				fi
			else
				display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 --log-indent 2 SHARED_LIBS_PATH
			display --to LOG --type INFO NOT_FOUND_CMD "ldd"
		fi
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST shared_libs_path
	fi

	return
}


updt_rkhdat() {

	#
	# This function is part of the file properties check. It is
	# used to add and remove entries from the rkhunter.dat file.
	#

	get_temp_file "${RKHTMPDIR}/rkhunter.dat"
	RKHDAT_TMPFILE=$TEMPFILE

	get_temp_file "${RKHTMPDIR}/rkhunter.dat2"
	RKHDAT_TMPFILE2=$TEMPFILE

	display --to LOG --type INFO CREATED_TEMP_FILE "${RKHDAT_TMPFILE}"
	display --to LOG --type INFO CREATED_TEMP_FILE "${RKHDAT_TMPFILE2}"

	cp -f -p ${RKHDAT_FILE} ${RKHDAT_TMPFILE}


	IFS=$IFSNL

	OLDRKHENTRIES=`echo "${OLDRKHENTRIES}" | sed -e '/^$/d'`

	for FNAME in ${OLDRKHENTRIES}; do
		FILENAME=`echo "${FNAME}" | cut -d: -f2`

		display --to LOG --type INFO RKHDAT_DEL_OLD_ENTRY "${FILENAME}"

		FNAMEGREP=`echo "${FNAME}" | sed -e 's:/:\\\/:g'`

		sed -e "/^${FNAMEGREP}$/d" ${RKHDAT_TMPFILE} >${RKHDAT_TMPFILE2}

		cp -f ${RKHDAT_TMPFILE2} ${RKHDAT_TMPFILE}
	done


	NEWRKHENTRIES=`echo "${NEWRKHENTRIES}" | sed -e '/^$/d'`

	for FNAME in ${NEWRKHENTRIES}; do
		FILENAME=`echo "${FNAME}" | cut -d: -f2`

		display --to LOG --type INFO RKHDAT_ADD_NEW_ENTRY "${FILENAME}"

		echo "${FNAME}" >>${RKHDAT_TMPFILE}
	done

	IFS=$RKHIFS


	#
	# Now put the new rkhunter.dat file in place.
	#

	cp -f -p ${RKHDAT_FILE} ${RKHDAT_FILE}.old >/dev/null 2>&1
	cp -f ${RKHDAT_TMPFILE} ${RKHDAT_FILE} >/dev/null 2>&1
	ERRCODE=$?

	if [ $ERRCODE -ne 0 ]; then
		RET_CODE=1
		display --to LOG --type INFO CMD_ERROR "cp ${RKHDAT_TMPFILE} ${RKHDAT_FILE}" $ERRCODE
		display --to SCREEN+LOG --type WARNING PROPUPD_ERROR $ERRCODE
	else
		display --to LOG --type INFO PROPUPD_NEW_DAT_FILE "${DB_PATH}"
	fi

	chmod 640 ${RKHDAT_FILE} >/dev/null 2>&1

	rm -f ${RKHDAT_TMPFILE} ${RKHDAT_TMPFILE2} >/dev/null 2>&1


	return
}


file_properties_check() {

	#
	# This function carries out a check of system command property
	# values checked against their previous value, which is stored
	# in the rkhunter.dat file. Other checks work on the current
	# file, and do not use any previously stored value (for example,
	# the immutable-bit check).
	#

	#
	# Each test will set the variable TEST_RESULT, and use it to
	# display the actual result. Typically a null string indicates
	# 'OK', and anything else is a 'Warning'.
	#

	TEST_RESULT=""
	NEWRKHENTRIES=""
	OLDRKHENTRIES=""
	WHITELIST_RESULT=""
	SKIP_ATTR=0; SKIP_HASH=0; SKIP_IMMUT=0; SKIP_SCRIPT=0
	USE_DAT_FILE=1
	SKIP_IMMUT_OS=0
	PROP_FILE_LIST_COUNT=0
	ADDNEWENTRY=0

	#
	# In order to disable the whole test we have to check if
	# each specific test has been disabled.
	#

	for RKHTMPVAR in attributes hashes immutable scripts; do
		if ! `check_test ${RKHTMPVAR}`; then
			case "${RKHTMPVAR}" in
			attributes)
				SKIP_ATTR=1
				;;
			hashes)
				SKIP_HASH=1
				;;
			immutable)
				SKIP_IMMUT=1
				;;
			scripts)
				SKIP_SCRIPT=1
				;;
			esac
		fi
	done

	#
	# The immutable-bit test is only applicable to Linux and
	# BSD systems. We need to disable the test, but not have
	# it logged as if the user had disabled it (that would be
	# confusing).
	#

	if [ $BSDOS -eq 0 -a $LINUXOS -eq 0 ]; then
		if [ $SKIP_IMMUT -eq 0 ]; then
			SKIP_IMMUT=1
			SKIP_IMMUT_OS=1
		fi
	fi

	if ! `check_test properties`; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST properties
		return
	elif [ $SKIP_ATTR -eq 1 -a $SKIP_HASH -eq 1 -a $SKIP_IMMUT -eq 1 -a $SKIP_SCRIPT -eq 1 ]; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST properties
		return
	else
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST properties
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 FILE_PROP_START
	fi


	#
	# If the user wants to skip a test then log it.
	#

	for RKHTMPVAR in attributes hashes immutable scripts; do
		case "${RKHTMPVAR}" in
		attributes)
			TEST_NAME=$SKIP_ATTR
			;;
		hashes)
			TEST_NAME=$SKIP_HASH
			;;
		scripts)
			TEST_NAME=$SKIP_SCRIPT
			;;
		immutable)
			TEST_NAME=0
			test $SKIP_IMMUT_OS -eq 0 && TEST_NAME=$SKIP_IMMUT
			;;
		esac

		test $TEST_NAME -eq 1 && display --to LOG --type INFO USER_DISABLED_TEST ${RKHTMPVAR}
	done


	#
	# The first test we do is on the commands needed to
	# perform all the file checks. If the user has not
	# disabled any test, and a command is missing, then
	# we must let them know that without marking each file
	# test as a 'Warning' (because that could hide a real
	# problem). We include checks on the rkhunter.dat file
	# as well.
	#

	RKHTMPVAR=""

	if [ $SKIP_ATTR -eq 0 -a -z "${STAT_CMD}" ]; then
		SKIP_ATTR=1
		RKHTMPVAR="${RKHTMPVAR} attr"
	fi

	if [ $SKIP_HASH -eq 0 ]; then
		# Not sure about this one...!
		if [ -z "${OLD_PKGMGR}" -a -s ${RKHDAT_FILE} -a "${HASH_FUNC}" != "NONE" -a \( "${OLD_HASH_FUNC}" = "NONE" -o "${OLD_HASH_FUNC}" = "Disabled" -o -z "${OLD_HASH_FUNC}" \) ]; then
			SKIP_HASH=1
			RKHTMPVAR="${RKHTMPVAR} hash"

			if [ -n "${PRELINK_HASH}" ]; then
				HASH_FUNC_ERR="prelink with ${PRELINK_HASH}"
			else
				HASH_FUNC_ERR="${HASH_FUNC}"
			fi

			if [ -z "${OLD_HASH_FUNC}" ]; then
				OLD_HASH_FUNC_ERR="Unset"
			else
				if [ "${OLD_HASH_FUNC}" = "MD5" -o "${OLD_HASH_FUNC}" = "SHA1" ]; then
					OLD_HASH_FUNC_ERR="prelink with ${OLD_HASH_FUNC}"
				else
					OLD_HASH_FUNC_ERR="${OLD_HASH_FUNC}"
				fi
			fi

			if [ -z "${PKGMGR}" ]; then
				PKGMGR_ERR="Unset"
			else
				PKGMGR_ERR="${PKGMGR}"
			fi

			if [ -z "${OLD_PKGMGR}" ]; then
				OLD_PKGMGR_ERR="Unset"
			else
				OLD_PKGMGR_ERR="${OLD_PKGMGR}"
			fi
		fi


		if [ $SKIP_HASH_MSG -eq 1 ]; then
			SKIP_HASH=1
			RKHTMPVAR="${RKHTMPVAR} sha1"
		elif [ $SKIP_HASH_MSG -eq 2 ]; then
			SKIP_HASH=1
			RKHTMPVAR="${RKHTMPVAR} libsafe"
		fi
	fi

	if [ $SKIP_IMMUT -eq 0 ]; then
		if [ $BSDOS -eq 1 ]; then
			if [ -z "`ls -lno ${CONFIGFILE} 2>/dev/null`" ]; then
				SKIP_IMMUT=1
				RKHTMPVAR="${RKHTMPVAR} immutable-bsd"
			fi
		else
			if [ -z "${LSATTR_CMD}" ]; then
				SKIP_IMMUT=1
				RKHTMPVAR="${RKHTMPVAR} immutable"
			else
				for FNAME in ${CONFIGFILE} ${LOCALCONFIGFILE} ${DB_PATH}/*.dat ${DB_PATH}/i18n/*; do
					test -f "${FNAME}" -a ! -h "${FNAME}" && break
				done

				if [ -z "`${LSATTR_CMD} ${FNAME} 2>/dev/null`" ]; then
					SKIP_IMMUT=1
					RKHTMPVAR="${RKHTMPVAR} immutable-cmd"
				fi
			fi
		fi
	fi

	if [ $SKIP_SCRIPT -eq 0 ]; then
		if [ -z "${FILE_CMD}" ]; then
			SKIP_SCRIPT=1
			RKHTMPVAR="${RKHTMPVAR} script"
		elif [ -z "`${FILE_CMD} ${CONFIGFILE} 2>/dev/null`" ]; then
			SKIP_SCRIPT=1
			RKHTMPVAR="${RKHTMPVAR} script-cmd"
		fi
	fi

	if [ $SKIP_ATTR -eq 0 -o $SKIP_HASH -eq 0 ]; then
		if [ ! -f ${RKHDAT_FILE} ]; then
			SKIP_HASH=1
			SKIP_ATTR=1
			USE_DAT_FILE=0
			RKHTMPVAR="${RKHTMPVAR} missing"
		fi

		if [ $USE_DAT_FILE -eq 1 -a ! -s ${RKHDAT_FILE} ]; then
			SKIP_HASH=1
			SKIP_ATTR=1
			USE_DAT_FILE=0
			RKHTMPVAR="${RKHTMPVAR} empty"
		fi
	else
		#
		# If we are not checking the file attributes or
		# the hash value, then we don't need to look at
		# the rkhunter.dat file. The other tests can be
		# done without the file.
		#

		USE_DAT_FILE=0
	fi

	#
	# If the O/S has changed in some way, and we are not just reporting warnings,
	# and O/S warnings are enabled, then show a warning in the prerequisites test.
	#

	if [ $OS_CHANGED -eq 1 -a $SHOWWARNINGSONLY -eq 0 -a $WARN_ON_OS_CHANGE -eq 1 ]; then
		RKHTMPVAR="${RKHTMPVAR} os_changed"
	fi

	#
	# If all the previous checks have disabled all the tests,
	# then we tell the user and then return.
	#

	if [ $SKIP_ATTR -eq 1 -a $SKIP_HASH -eq 1 -a $SKIP_IMMUT -eq 1 -a $SKIP_SCRIPT -eq 1 ]; then
		RKHTMPVAR="${RKHTMPVAR} notests"
	fi


	#
	# Display the results.
	#

	if [ $SKIP_IMMUT_OS -eq 1 ]; then
		display --to LOG --type INFO FILE_PROP_IMMUT_OS
	fi

	if [ $IMMUTABLE_SET -eq 1 ]; then
		display --to LOG --type INFO FILE_PROP_IMMUT_SET
	fi

	if [ -z "${RKHTMPVAR}" ]; then
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result OK --color GREEN FILE_PROP_CMDS
	else
		SUMMARY_PROP_REQCMDS=1

		display --to SCREEN+LOG --type WARNING --screen-indent 4 --log-indent 2 --result WARNING --color RED FILE_PROP_CMDS


		RKHTMPVAR2=0

		for TEST_RESULT in ${RKHTMPVAR}; do
			case "${TEST_RESULT}" in
			attr)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_ATTR
				;;
			hash|prelink|sha1|libsafe)
				if [ $RKHTMPVAR2 -eq 0 ]; then
					RKHTMPVAR2=1
					display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_HASH
				fi

				case "${TEST_RESULT}" in
				hash)
					display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_FUNC "${HASH_FUNC_ERR}" "${PKGMGR_ERR}" "${OLD_HASH_FUNC_ERR}" "${OLD_PKGMGR_ERR}"
					;;
				prelink)
					display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_PRELINK
					;;
				sha1)
					display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_SHA1
					;;
				libsafe)
					display --to LOG --type PLAIN --log-indent 13 FILE_PROP_SKIP_HASH_LIBSAFE
					;;
				esac
				;;
			immutable)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_IMMUT
				;;
			immutable-bsd)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_IMMUT_CMD "ls -lno"
				;;
			immutable-cmd)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_IMMUT_CMD "lsattr"
				;;
			script)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_SCRIPT
				;;
			script-cmd)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SKIP_FILE_CMD
				;;
			os_changed)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_OS_CHANGED
				;;
			missing)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_DAT_MISSING
				display --to LOG --type INFO FILE_PROP_DAT_MISSING_INFO
				;;
			empty)
				display --to LOG --type PLAIN --log-indent 9 FILE_PROP_DAT_EMPTY
				display --to LOG --type INFO FILE_PROP_DAT_MISSING_INFO
				;;
			esac
		done


		if [ -n "`echo \"${RKHTMPVAR}\" | egrep 'libsafe|missing|empty'`" ]; then
			display --to LOG --type WARNING --nl PROPUPD_WARN
		fi

		if [ -n "`echo \"${RKHTMPVAR}\" | grep 'notests'`" ]; then
			display --to LOG --type WARNING --nl FILE_PROP_SKIP_ALL
			return
		fi
	fi


	#
	# Set up some local variables depending on what
	# commands we have available.
	#

	if [ $SKIP_ATTR -eq 1 ]; then
		SCMD=""
		INODECMD=""
	else
		if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
			if [ "${PKGMGR}" = "SOLARIS" ]; then
				SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --mtime"
			else
				SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --Mtime"
			fi

			INODECMD="${STAT_CMD} --modeoct --raw --ino"
		elif [ $BSDOS -eq 1 -o $MACOSX -eq 1 ]; then
			SCMD="${STAT_CMD} -f '%i %Mp%Lp %u %g %z %m:'"
			INODECMD="${STAT_CMD} -f '%i'"
		else
			SCMD="${STAT_CMD} -c '%i 0%a %u %g %s %Y:'"
			INODECMD="${STAT_CMD} -c '%i'"
		fi
	fi

	if [ $SKIP_HASH -eq 1 ]; then
		SYSHASH=""
		HASH_CMD=""
	else
		HASH_CMD="${HASH_FUNC}"
	fi


	#
	# Next we have to recreate the list of pathnames for the
	# file properties checks. We need to recreate it because
	# the root PATH may have changed, and so there may be more
	# directories to be checked. However, if we have just run
	# the '--propupd' option, then we can skip this.
	#

	test $PROP_UPDATE -eq 0 && create_rkh_file_prop_list


	#
	# Now loop through each of the files and
	# perform the tests on each one.
	#

	VERIFIED_PKG_LIST=""

	for FNAME in `cat ${RKH_FILEPROP_LIST}`; do
		FILENAME=""
		FNAMEGREP=""
		TEST_RESULT=""
		WHITELIST_RESULT=""

		NOVRFYFILE=0
		ADDNEWENTRY=0
		FILE_IS_PKGD=0
		DEPENDENCY_ERR=0
		HASH_TEST_PASSED=0
		SIZE_TEST_PASSED=0


		#
		# We first need to test if the file exists or not,
		# and if the file is listed in the rkhunter.dat
		# file or not. This can indicate files that have
		# appeared on or disappeared from the system.
		#

		if [ -f "${FNAME}" -o -h "${FNAME}" ]; then
			FILE_EXISTS=1
			PROP_FILE_LIST_COUNT=`expr ${PROP_FILE_LIST_COUNT} + 1`
		else
			FILE_EXISTS=0
		fi

		if [ $USE_DAT_FILE -eq 1 ]; then
			FNAMEGREP=`echo "${FNAME}" | sed -e 's:\([.[]\):\\\\\1:g'`

			RKHLINE=`grep "^File:${FNAMEGREP}:" ${RKHDAT_FILE}`

			if [ $FILE_EXISTS -eq 1 -a -z "${RKHLINE}" ]; then
				if [ -n "`echo \"${EXISTWHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
					#
					# We need to add the file to the rkhunter.dat file.
					# We add a dummy entry to start with, but it must contain values.
					#

					ADDNEWENTRY=1
					RKHLINE="File:${FNAME}:1:1:1:1:1:1:1::"
				else
					TEST_RESULT="${TEST_RESULT} norkhline"
				fi
			elif [ $FILE_EXISTS -eq 0 ]; then
				if [ -n "`echo \"${EXISTWHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
					if [ -n "${RKHLINE}" ]; then
						#
						# We need to remove the file from the rkhunter.dat file.
						#

						OLDRKHENTRIES="${OLDRKHENTRIES}
${RKHLINE}"
					fi
				elif [ -n "${RKHLINE}" ]; then
					PROP_FAILED_COUNT=`expr ${PROP_FAILED_COUNT} + 1`

					display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result WARNING --color RED NAME "${FNAME}"
					display --to LOG --type WARNING FILE_PROP_FILE_NOT_EXIST "${FNAME}"
				fi

				continue
			fi
		elif [ $FILE_EXISTS -eq 1 ]; then
			RKHLINE=""
			FNAMEGREP=`echo "${FNAME}" | sed -e 's:\([.[]\):\\\\\1:g'`
		else
			continue
		fi


		#
		# Start the tests.
		#

		SYSUID=0
		SYSGID=0
		SYSDTM=0
		SYSSIZE=0
		SYSPERM=0
		SYSINODE=0
		SYSHASH=""

		if [ $USE_DAT_FILE -eq 1 -a -n "${RKHLINE}" ]; then
			FDATA=""
			RPM_QUERY_RESULT=""
			PKGMGR_VERIFY_RESULT=""

			#
			# See if the file is to be exempt from any package manager verification.
			#

			if [ -n "`echo \"${PKGMGRNOVRFY}\" | grep \" ${FNAMEGREP} \"`" ]; then
				NOVRFYFILE=1
			fi


			#
			# Because the RPM package manager can verify most of the tests we are
			# doing, we obtain the verified data now. The Solaris package manager
			# provides some data, but does not verify it against the values on disk.
			# With all the package managers we have to obtain unverified data by
			# using commands. The other package managers, at present, only provide
			# the MD5 checksum. As such we simply handle them within the hash test.
			#

			if [ "${PKGMGR}" = "RPM" ]; then
				#
				# First we see if the file is exempt or part of a package.
				#

				if [ $NOVRFYFILE -eq 1 ]; then
					ERRCODE=1
				else
					PKGNAME_ARCH=`${RPM_CMD} -qf ${FNAME} --queryformat '%{N}-%{V}-%{R}.%{ARCH}\n' 2>/dev/null`
					ERRCODE=$?
				fi

				if [ $ERRCODE -eq 0 ]; then
					#
					# Okay we have a package name. Is it in the list
					# of packages we have already tested as verified?
					#
					# If multiple packages claim the same file, we use
					# 64-bit over 32-bit, or simply the last one.
					#

					FILE_IS_PKGD=1

					PKGNAME=`echo "${PKGNAME_ARCH}" | egrep '\.(x86_64|ia64)$' | tail ${TAIL_OPT}1`

					test -z "${PKGNAME}" && PKGNAME=`echo "${PKGNAME_ARCH}" | tail ${TAIL_OPT}1`

					RKHTMPVAR=`echo "${PKGNAME}" | sed -e 's/\./\\\./g'`

					if [ -z "`echo \"${VERIFIED_PKG_LIST}\" | grep \" ${RKHTMPVAR} \"`" ]; then
						#
						# No, it isn't in the list. So we verify the package
						# and either add it to the list if it verifies okay,
						# or get the verification result for the file.
						#

						PKGMGR_VERIFY_RESULT=`${RPM_CMD} -V "${PKGNAME}" 2>&1`

						if [ -z "${PKGMGR_VERIFY_RESULT}" ]; then
							VERIFIED_PKG_LIST="${VERIFIED_PKG_LIST} ${PKGNAME} "
						else
							if [ -n "`echo \"${PKGMGR_VERIFY_RESULT}\" | grep \"prelink.* ${FNAME}.* dependenc\"`" ]; then
								DEPENDENCY_ERR=1
							fi

							PKGMGR_VERIFY_RESULT=`echo "${PKGMGR_VERIFY_RESULT}" | grep " ${FNAMEGREP}\$" | cut -d' ' -f1`
						fi
					fi


					#
					# The package manager check does not verify all the items
					# we check. So we still need to dig out the rest of the
					# information about this file from the package manager database.
					#

					RPM_QUERY_RESULT=`${RPM_CMD} -q --queryformat '[%{FILEMODES:octal}:%{FILEUSERNAME}:%{FILEGROUPNAME}:%{FILESIZES}:%{FILEMTIMES}:%{FILEMD5S}:%{FILENAMES}\n]' "${PKGNAME}" 2>/dev/null | grep ":${FNAMEGREP}\$"`
					ERRCODE=$?

					if [ $ERRCODE -eq 0 ]; then
						RPM_QUERY_RESULT=`echo "${RPM_QUERY_RESULT}" | tail ${TAIL_OPT}1`

						FPERM="0`echo \"${RPM_QUERY_RESULT}\" | cut -d: -f1 | cut -c 3-`"
						FPERM=`echo "${FPERM}" | sed -e 's/^00/0/'`

						RKHUID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f2`
						RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`

						RKHGID=`echo "${RPM_QUERY_RESULT}" | cut -d: -f3`
						RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`

						RKHSIZE=`echo "${RPM_QUERY_RESULT}" | cut -d: -f4`

						RKHDTM=`echo "${RPM_QUERY_RESULT}" | cut -d: -f5`

						FDATA="${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}:"
					else
						#
						# If, for some reason, we cannot get the package information,
						# then treat it as if it returned all null values.
						#

						FDATA=":::::"
						display --to LOG --type INFO CMD_ERROR "rpm -qf --queryformat... ${FNAME}" $ERRCODE
					fi

					#
					# Now get the inode value directly from the disk,
					# but only if prelinking is not being used.
					#

					RKHTMPVAR=""

					if [ $PRELINKED -eq 0 -a -n "${INODECMD}" ]; then
						RKHTMPVAR=`eval ${INODECMD} ${FNAME} 2>/dev/null | tr -d ' '`
					fi

					FDATA="${RKHTMPVAR}:${FDATA}"
				fi
			elif [ "${PKGMGR}" = "SOLARIS" ]; then
				#
				# First we see if the file is exempt or part of a package.
				#

				if [ $NOVRFYFILE -eq 1 ]; then
					ERRCODE=1
				else
					RKHTMPVAR=`grep "^${FNAMEGREP} " /var/sadm/install/contents 2>/dev/null`
					test -n "${RKHTMPVAR}" && ERRCODE=0 || ERRCODE=1
				fi

				if [ $ERRCODE -eq 0 ]; then
					#
					# We will rebuild the RKHLINE value with the values from
					# the package manager database. We can then verify it just
					# as if it had been read from the RKH database.
					#

					FPERM=`echo "${RKHTMPVAR}" | cut -d' ' -f4`

					RKHUID=`echo "${RKHTMPVAR}" | cut -d' ' -f5`
					RKHUID=`grep "^${RKHUID}:" /etc/passwd 2>/dev/null | cut -d: -f3`

					RKHGID=`echo "${RKHTMPVAR}" | cut -d' ' -f6`
					RKHGID=`grep "^${RKHGID}:" /etc/group 2>/dev/null | cut -d: -f3`

					RKHSIZE=`echo "${RKHTMPVAR}" | cut -d' ' -f7`

					if [ $USE_SUNSUM -eq 1 ]; then
						# Treat this as a fully packaged file.
						FILE_IS_PKGD=1
						RKHHASH=`echo "${RKHTMPVAR}" | cut -d' ' -f8`
					else
						RKHHASH=`echo ${RKHLINE} | cut -d: -f3`
					fi

					RKHDTM=`echo "${RKHTMPVAR}" | cut -d' ' -f9`

					#
					# Now get the inode value.
					#

					RKHTMPVAR=""

					test -n "${INODECMD}" && RKHTMPVAR=`eval ${INODECMD} ${FNAME} 2>/dev/null | tr -d ' '`

					#
					# Finally, get the file name.
					#

					RKHTMPVAR2=`echo ${RKHLINE} | cut -d: -f1-2`

					#
					# Now put it all together.
					#

					RKHLINE="${RKHTMPVAR2}:${RKHHASH}:${RKHTMPVAR}:${FPERM}:${RKHUID}:${RKHGID}:${RKHSIZE}:${RKHDTM}"
				fi
			fi


			#
			# Do the file hash value check.
			#

			if [ $SKIP_HASH -eq 0 ]; then
				#
				# First we get all the package manager results.
				#

				case "${PKGMGR}" in
				RPM)
					;;
				DPKG)
					#
					# First see if the file is exempt or part of a known package.
					#

					if [ $NOVRFYFILE -eq 1 ]; then
						PKGNAME=""
					else
						PKGNAME=`${DPKG_CMD} --search ${FNAME} 2>/dev/null | cut -d: -f1`
					fi

					if [ -n "${PKGNAME}" -a -f "/var/lib/dpkg/info/${PKGNAME}.md5sums" ]; then
						FNAMEGREP=`echo "${FNAMEGREP}" | sed -e 's:^/::'`

						SYSHASH=`egrep "( |\./)${FNAMEGREP}\$" /var/lib/dpkg/info/${PKGNAME}.md5sums | cut -d' ' -f1`

						if [ -n "${SYSHASH}" ]; then
							FILE_IS_PKGD=1
							RKHTMPVAR=`${PKGMGR_MD5_HASH} ${FNAME} 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`

							if [ "${RKHTMPVAR}" != "${SYSHASH}" ]; then
								PKGMGR_VERIFY_RESULT="5"

								if [ -n "`${PKGMGR_MD5_HASH} ${FNAME} 2>&1 | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
									DEPENDENCY_ERR=1
								fi
							fi
						fi
					fi
					;;
				BSD)
					#
					# First see if the file is exempt or part of a known package.
					#

					if [ $NOVRFYFILE -eq 1 ]; then
						PKGNAME=""
					else
						PKGNAME=`${PKG_CMD} -F -e ${FNAME} 2>/dev/null`
					fi

					if [ -n "${PKGNAME}" ]; then
						#
						# Next strip of the '/usr/pkg' from the
						# pathname, and then get the hash value.
						#

						FNAMEGREP=`echo "${FNAMEGREP}" | sed -e 's:^/usr/pkg/::'`

						SYSHASH=`${PKG_CMD} -v -L ${PKGNAME} 2>/dev/null | grep -A 1 "File: ${FNAMEGREP}\$" | tail ${TAIL_OPT}1 | cut -d: -f3`

						if [ -n "${SYSHASH}" ]; then
							FILE_IS_PKGD=1
							RKHTMPVAR=`${PKGMGR_MD5_HASH} ${FNAME} 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`

							if [ "${RKHTMPVAR}" != "${SYSHASH}" ]; then
								PKGMGR_VERIFY_RESULT="5"

								if [ -n "`${PKGMGR_MD5_HASH} ${FNAME} 2>&1 | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
									DEPENDENCY_ERR=1
								fi
							fi
						fi
					fi
					;;
				SOLARIS)
					#
					# We only use the Solaris package manager
					# hash value if we have been told to do so.
					#

					if [ $NOVRFYFILE -eq 0 -a $USE_SUNSUM -eq 1 ]; then
						SYSHASH="${RKHHASH}"

						RKHTMPVAR=`${SUM_CMD} ${FNAME} 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`

						if [ "${RKHTMPVAR}" != "${SYSHASH}" ]; then
							PKGMGR_VERIFY_RESULT="5"
						fi
					fi
					;;
				esac


				#
				# Now see if we need to work out the hash value or not.
				#

				RKHHASH=`echo ${RKHLINE} | cut -d: -f3`

				if [ $FILE_IS_PKGD -eq 1 ]; then
					if [ "${RKHHASH}" = "ignore-prelink-dep-err" ]; then
						if [ $DEPENDENCY_ERR -eq 1 ]; then
							DEPENDENCY_ERR=0
							PKGMGR_VERIFY_RESULT=""
							display --to LOG --type INFO FILE_PROP_IGNORE_PRELINK_DEP_ERR "${FNAME}"
						else
							PKGMGR_VERIFY_RESULT="5"
						fi
					fi

					if [ -z "`echo \"${PKGMGR_VERIFY_RESULT}\" | egrep '5|(^..\?)'`" ]; then
						HASH_TEST_PASSED=1
					else
						TEST_RESULT="${TEST_RESULT} verify:hashchanged"
					fi
				else
					#
					# The file is not part of a package. So we need
					# to compare the on-disk hash value against the
					# value in the rkhunter.dat file.
					#
					# First see if we have a stored hash value.
					#

					RKHTMPVAR=0

					if [ -z "${RKHHASH}" ]; then
						#
						# Broken links may not give a hash value, so we must check to see if the link is whitelisted.
						#

						if [ -h "${FNAME}" -a $HAVE_READLINK -eq 1 ]; then
							# Check the link target to see if it is whitelisted.
							BL_TARGET=`${READLINK_CMD} -f ${FNAME}`

							FNAMEGREP=`echo "${BL_TARGET}" | sed -e 's/\([.[]\)/\\\\\1/g'`

							if [ -n "`echo \"${EXISTWHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
								RKHTMPVAR=1

								if [ ! -e "${FNAME}" -a $VERBOSE_LOGGING -eq 1 ]; then
									# Only log this if it is a broken link.
									display --to LOG --type INFO FILE_PROP_BROKEN_LINK_WL_TGT "${FNAME} -> ${BL_TARGET}"
								fi
							fi
						fi

						test $RKHTMPVAR -eq 0 && TEST_RESULT="${TEST_RESULT} norkhhash"
					fi

					if [ $RKHTMPVAR -eq 0 -a -z "${TEST_RESULT}" ]; then
						if [ "${HASH_CMD}" = "NONE" ]; then
							SYSHASH=""
						else
							SYSHASH=`${HASH_CMD} ${FNAME} 2>/dev/null | cut -d' ' -f $HASH_FLD_IDX`

							if [ -z "${SYSHASH}" ]; then
								if [ -n "`${HASH_CMD} ${FNAME} 2>&1 | egrep 'prelink.* (dependenc|adjusting unfinished)'`" ]; then
									if [ "${RKHHASH}" = "ignore-prelink-dep-err" ]; then
										SYSHASH="${RKHHASH}"
										display --to LOG --type INFO FILE_PROP_IGNORE_PRELINK_DEP_ERR "${FNAME}"
									else
										DEPENDENCY_ERR=1
									fi
								fi
							fi
						fi

						if [ "${RKHHASH}" != "${SYSHASH}" ]; then
							#
							# We must test for cases where a symbolic link becomes broken. In those
							# cases the link would have had a hash value, but will now have none.
							# If it was whitelisted, then we should not give a warning.
							#

							if [ -h "${FNAME}" -a ! -e "${FNAME}" ]; then
								if [ $HAVE_READLINK -eq 1 ]; then
									# Check the link target to see if it is whitelisted.
									BL_TARGET=`${READLINK_CMD} -f ${FNAME}`

									FNAMEGREP=`echo "${BL_TARGET}" | sed -e 's/\([.[]\)/\\\\\1/g'`

									if [ -n "`echo \"${EXISTWHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
										if [ $VERBOSE_LOGGING -eq 1 ]; then
											display --to LOG --type INFO FILE_PROP_BROKEN_LINK_WL_TGT "${FNAME} -> ${BL_TARGET}"
										fi
									else
										TEST_RESULT="${TEST_RESULT} hashchanged"
									fi
								else
									TEST_RESULT="${TEST_RESULT} hashchanged"
								fi
							else
								TEST_RESULT="${TEST_RESULT} hashchanged"
							fi
						fi
					fi
				fi


				#
				# Because the BSD and DPKG package managers only provide the MD5
				# checksum, and the Solaris package manager does not provide verified
				# data, we can assume that any file which is part of a package after
				# this test must be an RPM file.
				#

				test "${PKGMGR}" != "RPM" && FILE_IS_PKGD=0
			fi


			#
			# Do the file attributes checks.
			#
			# This checks the files permissions, and the uid/gid.
			# The file permissions are also checked to see if 'w'
			# has been allowed for all users. If prelinking is not
			# in use then the inode, file size, and modification
			# date-time are checked as well.
			#

			if [ $SKIP_ATTR -eq 0 ]; then
				#
				# First check to see if the file is whitelisted here,
				# just the once. It is better than checking after
				# each individual attribute test.
				#

				WL_FILE=""

				for WHITELISTFILE in ${ATTRWHITELIST}; do
					if [ "${WHITELISTFILE}" = "${FNAME}" ]; then
						WL_FILE="whitelisted"
						WHITELIST_RESULT="${WHITELIST_RESULT} attr"
						break
					fi
				done

				if [ -z "${FDATA}" ]; then
					FDATA=`eval ${SCMD} ${FNAME} 2>/dev/null | tr ' ' ':'`

					# Ensure the file permissions consist of only 4 digits.
					if [ -n "`echo ${FDATA} | grep '^[^:]*:0[0-9][0-9][0-9][0-9]:'`" ]; then
						FDATA=`echo $FDATA | sed -e 's/^\([^:]*:\)0\(.*\)$/\1\2/'`
					fi
				fi

				if [ -z "${WL_FILE}" -a -n "${FDATA}" ]; then
					#
					# Check the file permissions.
					#

					if [ $FILE_IS_PKGD -eq 1 ]; then
						echo "${PKGMGR_VERIFY_RESULT}" | egrep 'M|(^.\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:permchanged"
					else
						RKHPERM=`echo ${RKHLINE} | cut -d: -f5`
						SYSPERM=`echo ${FDATA} | cut -d: -f2`

						if [ -n "${RKHPERM}" ]; then
							test "${RKHPERM}" != "${SYSPERM}" && TEST_RESULT="${TEST_RESULT} permchanged"
						else
							TEST_RESULT="${TEST_RESULT} norkhperm"
						fi
					fi


					#
					# Check the file user-id.
					#

					if [ $FILE_IS_PKGD -eq 1 ]; then
						echo "${PKGMGR_VERIFY_RESULT}" | egrep 'U|(^.....\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:uidchanged"
					else
						RKHUID=`echo ${RKHLINE} | cut -d: -f6`
						SYSUID=`echo ${FDATA} | cut -d: -f3`

						if [ -n "${RKHUID}" ]; then
							test "${RKHUID}" != "${SYSUID}" && TEST_RESULT="${TEST_RESULT} uidchanged"
						else
							TEST_RESULT="${TEST_RESULT} norkhuid"
						fi
					fi


					#
					# Check the file group-id.
					#

					if [ $FILE_IS_PKGD -eq 1 ]; then
						echo "${PKGMGR_VERIFY_RESULT}" | egrep 'G|(^......\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:gidchanged"
					else
						RKHGID=`echo ${RKHLINE} | cut -d: -f7`
						SYSGID=`echo ${FDATA} | cut -d: -f4`

						if [ -n "${RKHGID}" ]; then
							test "${RKHGID}" != "${SYSGID}" && TEST_RESULT="${TEST_RESULT} gidchanged"
						else
							TEST_RESULT="${TEST_RESULT} norkhgid"
						fi
					fi


					#
					# Check the file inode number.
					#

					if [ $PRELINKED -eq 0 ]; then
						RKHINODE=`echo ${RKHLINE} | cut -d: -f4`
						SYSINODE=`echo ${FDATA} | cut -d: -f1`

						if [ -n "${RKHINODE}" ]; then
							test "${RKHINODE}" != "${SYSINODE}" && TEST_RESULT="${TEST_RESULT} inodechanged"
						else
							TEST_RESULT="${TEST_RESULT} norkhinode"
						fi
					fi


					#
					# Check the file size.
					#

					if [ $FILE_IS_PKGD -eq 1 ]; then
						if [ -z "`echo \"${PKGMGR_VERIFY_RESULT}\" | egrep 'S|(^\?)'`" ]; then
							SIZE_TEST_PASSED=1
						else
							TEST_RESULT="${TEST_RESULT} verify:sizechanged"
						fi
					elif [ $PRELINKED -eq 0 -o $FILE_IS_PKGD -eq 0 ]; then
						RKHSIZE=`echo ${RKHLINE} | cut -d: -f8`
						SYSSIZE=`echo ${FDATA} | cut -d: -f5`

						if [ -n "${RKHSIZE}" ]; then
							if [ "${RKHSIZE}" = "${SYSSIZE}" ]; then
								SIZE_TEST_PASSED=1
							else
								TEST_RESULT="${TEST_RESULT} sizechanged"
							fi
						else
							TEST_RESULT="${TEST_RESULT} norkhsize"
						fi
					fi


					#
					# Check the file modification date-time.
					#

					if [ $FILE_IS_PKGD -eq 1 ]; then
						echo "${PKGMGR_VERIFY_RESULT}" | egrep 'T|(^.......\?)' >/dev/null && TEST_RESULT="${TEST_RESULT} verify:dtmchanged"
					elif [ $PRELINKED -eq 0 -o $FILE_IS_PKGD -eq 0 ]; then
						RKHDTM=`echo ${RKHLINE} | cut -d: -f9`
						SYSDTM=`echo ${FDATA} | cut -d: -f6`

						if [ -n "${RKHDTM}" ]; then
							test "${RKHDTM}" != "${SYSDTM}" && TEST_RESULT="${TEST_RESULT} dtmchanged"
						else
							TEST_RESULT="${TEST_RESULT} norkhdtm"
						fi
					fi
				elif [ -z "${WL_FILE}" ]; then
					TEST_RESULT="${TEST_RESULT} sysattrunavail"
				fi


				#
				# Check the file permissions here to see if the 'other' permission
				# contains a 'w'. The check is against the octal value. Symbolic
				# links are ignored.
				#

				if [ ! -h "${FNAME}" -a $FILE_IS_PKGD -eq 0 ]; then
					WL_FILE=""

					for WHITELISTFILE in ${WRITEWHITELIST}; do
						if [ "${WHITELISTFILE}" = "${FNAME}" ]; then
							WL_FILE="whitelisted"
							WHITELIST_RESULT="${WHITELIST_RESULT} write"
							break
						fi
					done

					if [ -z "${WL_FILE}" ]; then
						SYSPERM=`echo ${FDATA} | cut -d: -f2`

						if [ -n "`echo ${SYSPERM} | grep '[2367]\$'`" ]; then
							TEST_RESULT="${TEST_RESULT} write"
						elif [ -z "${SYSPERM}" ]; then
							TEST_RESULT="${TEST_RESULT} syspermunavail"
						fi
					fi
				fi
			fi


			#
			# If we are adding this file to the rkhunter.dat file, then we
			# need to remove any failed test results caused by the file
			# currently being missing. We then add the file to the list of
			# files to be added, and include the detected system attributes
			# of the file.
			#

			if [ $ADDNEWENTRY -eq 1 ]; then
				if [ -n "${TEST_RESULT}" ]; then
					for RKHTMPVAR in ${TEST_RESULT}; do
						case "${RKHTMPVAR}" in 
						hashchanged|permchanged|uidchanged|gidchanged|inodechanged|sizechanged|dtmchanged)
							TEST_RESULT=`echo "${TEST_RESULT}" | sed -e "s/ ${RKHTMPVAR}//"`
							;;
						esac
					done
				fi

				NEWRKHENTRIES="${NEWRKHENTRIES}
File:${FNAME}:${SYSHASH}:${SYSINODE}:${SYSPERM}:${SYSUID}:${SYSGID}:${SYSSIZE}:${SYSDTM}::"
			fi
		fi


		#
		# We can now carry out the tests which do not
		# require the rkhunter.dat file.
		#

		#
		# Do the file immutable-bit check.
		#

		if [ $SKIP_IMMUT -eq 0 ]; then
			#
			# Test if the file is whitelisted.
			#

			WL_FILE=""
			RKHTMPVAR=""

			for WHITELISTFILE in ${IMMUTWHITELIST}; do
				if [ "${WHITELISTFILE}" = "${FNAME}" ]; then
					WL_FILE="whitelisted"
					WHITELIST_RESULT="${WHITELIST_RESULT} immutable"
					break
				fi
			done

			if [ -z "${WL_FILE}" ]; then
				if [ $BSDOS -eq 0 ]; then
					if [ ! -h "${FNAME}" ]; then
						RKHTMPVAR=`${LSATTR_CMD} ${FNAME} 2>&1 | cut -d' ' -f1 | grep 'i'`
					fi
				else
					RKHTMPVAR=`ls -lno ${FNAME} 2>&1 | awk '{ print $5 }' | egrep 'uchg|schg|sappnd|uappnd|sunlnk|sunlink|schange|simmutable|sappend|uappend|uchange|uimmutable'`
				fi

				#
				# Reverse the test result if the immutable bit is always set.
				#

				if [ $IMMUTABLE_SET -eq 1 ]; then
					test -n "${RKHTMPVAR}" && RKHTMPVAR="" || RKHTMPVAR="set"
				fi

				test -n "${RKHTMPVAR}" && TEST_RESULT="${TEST_RESULT} immutable"
			fi
		fi


		#
		# Do the file script replacement check.
		#

		if [ $SKIP_SCRIPT -eq 0 ]; then
			#
			# If we are using a package manager, and both the hash test
			# and the file size test have passed, then we skip the script
			# replacement check. The assumption is that to change a file
			# with one value remaining the same is possible, but to change
			# it such that both are the same is improbable. It would also
			# require the package manager database having being corrupted
			# as well.
			#

			if [ $HASH_TEST_PASSED -eq 0 -o $SIZE_TEST_PASSED -eq 0 ]; then
				#
				# See if the file is whitelisted.
				#

				WL_FILE=""
				SYSSCRIPT=""

				for WHITELISTFILE in ${SCRIPTWHITELIST}; do
					if [ "${WHITELISTFILE}" = "${FNAME}" ]; then
						WL_FILE="whitelisted"
						WHITELIST_RESULT="${WHITELIST_RESULT} script"
						break
					fi
				done

				if [ -z "${WL_FILE}" ]; then
					test -n "${BASENAME_CMD}" && RKHTMPVAR=`${BASENAME_CMD} ${FNAME}` || RKHTMPVAR=`echo "${FNAME}" | sed -e 's:^.*/::'`

					if [ "${RKHTMPVAR}" = "rkhunter" ]; then
						SYSSCRIPT=`${FILE_CMD} ${FNAME} 2>&1 | cat -v | egrep -i -v '(shell|/bin/sh) script( |,|$)'`
					else
						SYSSCRIPT=`${FILE_CMD} ${FNAME} 2>&1 | cat -v | egrep -i ' script( |,|$)'`
					fi

					test -n "${SYSSCRIPT}" && TEST_RESULT="${TEST_RESULT} script"
				fi
			fi
		fi


		#
		# Now output the results.
		#

		if [ -z "${TEST_RESULT}" ]; then
			display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result OK --color GREEN NAME "${FNAME}"
		else
			display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result WARNING --color RED NAME "${FNAME}"

			PROP_FAILED_COUNT=`expr ${PROP_FAILED_COUNT} + 1`

			RKHTMPVAR2=0
			RKHTMPVAR3=0
			for RKHTMPVAR in ${TEST_RESULT}; do
				case "${RKHTMPVAR}" in
				hashchanged|permchanged|uidchanged|gidchanged|inodechanged|sizechanged|dtmchanged)
					if [ $RKHTMPVAR2 -eq 0 ]; then
						RKHTMPVAR2=1
						display --to LOG --type WARNING FILE_PROP_CHANGED
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_CHANGED2 "${FNAME}"
					fi

					case "${RKHTMPVAR}" in
					hashchanged)
						if [ -z "${SYSHASH}" ]; then
							if [ -h "${FNAME}" ]; then
								display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSHASH_UNAVAIL_BL
							else
								display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSHASH_UNAVAIL
							fi
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSHASH "${SYSHASH}"
						fi

						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_RKHHASH "${RKHHASH}"

						test $DEPENDENCY_ERR -eq 1 && display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_DEPENDENCY "${FNAME}"
						;;
					permchanged)
						if [ -z "${SYSPERM}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_PERM_UNAVAIL "${RKHPERM}"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_PERM "${SYSPERM}" "${RKHPERM}"
						fi
						;;
					uidchanged)
						if [ -z "${SYSUID}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_UID_UNAVAIL "${RKHUID}"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_UID "${SYSUID}" "${RKHUID}"
						fi
						;;
					gidchanged)
						if [ -z "${SYSGID}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_GID_UNAVAIL "${RKHGID}"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_GID "${SYSGID}" "${RKHGID}"
						fi
						;;
					inodechanged)
						if [ -z "${SYSINODE}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_INODE_UNAVAIL "${RKHINODE}"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_INODE "${SYSINODE}" "${RKHINODE}"
						fi
						;;
					sizechanged)
						if [ -z "${SYSSIZE}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SIZE_UNAVAIL "${RKHSIZE}"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SIZE "${SYSSIZE}" "${RKHSIZE}"
						fi
						;;
					dtmchanged)
						if [ -z "${SYSDTM}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSDTM_UNAVAIL
						else
							get_readable_date ${SYSDTM}

							if [ -n "${READABLE_DATE}" ]; then
								display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSDTM "${SYSDTM} (${READABLE_DATE})"
							else
								display --to LOG --type PLAIN --log-indent 9 FILE_PROP_SYSDTM "${SYSDTM}"
							fi
						fi

						get_readable_date ${RKHDTM}

						if [ -n "${READABLE_DATE}" ]; then
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_RKHDTM "${RKHDTM} (${READABLE_DATE})"
						else
							display --to LOG --type PLAIN --log-indent 9 FILE_PROP_RKHDTM "${RKHDTM}"
						fi
						;;
					esac
					;;
				verify:hashchanged|verify:permchanged|verify:uidchanged|verify:gidchanged|verify:sizechanged|verify:dtmchanged)
					if [ $RKHTMPVAR3 -eq 0 ]; then
						RKHTMPVAR3=1
						display --to LOG --type WARNING FILE_PROP_VRFY
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_CHANGED2 "${FNAME}"

						test $DEPENDENCY_ERR -eq 1 && display --to LOG --type PLAIN --log-indent 9 FILE_PROP_NO_SYSHASH_DEPENDENCY "${FNAME}"
					fi

					case "${RKHTMPVAR}" in
					verify:hashchanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_HASH

						if [ "${RKHHASH}" = "ignore-prelink-dep-err" ]; then
							display --to LOG --type INFO --log-indent 9 FILE_PROP_IGNORE_PRELINK_DEP_ERR "${FNAME}"
						fi
						;;
					verify:permchanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_PERM
						;;
					verify:uidchanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_UID
						;;
					verify:gidchanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_GID
						;;
					verify:sizechanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_SIZE
						;;
					verify:dtmchanged)
						display --to LOG --type PLAIN --log-indent 9 FILE_PROP_VRFY_DTM
						;;
					esac
					;;
				norkhline)
					display --to LOG --type WARNING FILE_PROP_NO_RKH_REC "${FNAME}"
					;;
				norkhhash)
					display --to LOG --type WARNING FILE_PROP_NO_RKHHASH "${FNAME}"
					;;
				norkhperm)
					display --to LOG --type WARNING FILE_PROP_NO_RKHPERM "${FNAME}"
					;;
				norkhuid)
					display --to LOG --type WARNING FILE_PROP_NO_RKHUID "${FNAME}"
					;;
				norkhgid)
					display --to LOG --type WARNING FILE_PROP_NO_RKHGID "${FNAME}"
					;;
				norkhinode)
					display --to LOG --type WARNING FILE_PROP_NO_RKHINODE "${FNAME}"
					;;
				norkhsize)
					display --to LOG --type WARNING FILE_PROP_NO_RKHSIZE "${FNAME}"
					;;
				norkhdtm)
					display --to LOG --type WARNING FILE_PROP_NO_RKHDTM "${FNAME}"
					;;
				sysattrunavail)
					display --to LOG --type WARNING FILE_PROP_NO_SYSATTR "${FNAME}"
					;;
				write)
					display --to LOG --type WARNING FILE_PROP_WRITE "${FNAME}"
					;;
				syspermunavail)
					display --to LOG --type WARNING FILE_PROP_SYSPERM_UNAVAIL "${FNAME}"
					;;
				immutable)
					if [ $IMMUTABLE_SET -eq 0 ]; then
						display --to LOG --type WARNING FILE_PROP_IMMUT "${FNAME}"
					else
						display --to LOG --type WARNING FILE_PROP_IMMUT_NOT_SET "${FNAME}"
					fi
					;;
				script)
					test -n "${BASENAME_CMD}" && RKHTMPVAR4=`${BASENAME_CMD} ${FNAME}` || RKHTMPVAR4=`echo "${FNAME}" | sed -e 's:^.*/::'`

					if [ "${RKHTMPVAR4}" = "rkhunter" ]; then
						display --to LOG --type WARNING FILE_PROP_SCRIPT_RKH "${FNAME}" "${SYSSCRIPT}"
					else
						display --to LOG --type WARNING FILE_PROP_SCRIPT "${FNAME}" "${SYSSCRIPT}"
					fi
					;;
				esac
			done
		fi

		if [ -n "${WHITELIST_RESULT}" ]; then
			for WL_FILE in ${WHITELIST_RESULT}; do
				case "${WL_FILE}" in
				hash)
					RKHTMPVAR="file hash"
					;;
				attr)
					RKHTMPVAR="file attributes"
					;;
				write)
					RKHTMPVAR="file write permission"
					;;
				immutable)
					RKHTMPVAR="file immutable-bit"
					;;
				script)
					RKHTMPVAR="script replacement"
					;;
				esac

				display --to LOG --type INFO FILE_PROP_WL "${FNAME}" "${RKHTMPVAR}"
			done
		fi
	done


	#
	# We must now loop through the rkhunter.dat file and see if any filenames
	# are missing from the rkhunter_prop_list.dat file. If so, then this
	# indicates a (probably wildcarded) file has been removed from the system.
	#

	if [ $USE_DAT_FILE -eq 1 ]; then
		for FNAME in `grep '^File:' ${RKHDAT_FILE} | cut -d: -f2`; do
			if [ -z "`grep \"^${FNAME}$\" ${RKH_FILEPROP_LIST}`" ]; then
				if [ -n "`echo \"${EXISTWHITELIST}\" | grep \" ${FNAME} \"`" ]; then
					#
					# Remove the entry from the rkhunter.dat file.
					#

					OLDRKHENTRIES="${OLDRKHENTRIES}
File:${FNAME}:.*"
				else
					PROP_FAILED_COUNT=`expr ${PROP_FAILED_COUNT} + 1`
					PROP_FILE_LIST_COUNT=`expr ${PROP_FILE_LIST_COUNT} + 1`

					display --to SCREEN+LOG --type PLAIN --screen-indent 4 --log-indent 2 --result WARNING --color RED NAME "${FNAME}"
					display --to LOG --type WARNING FILE_PROP_FILE_NOT_EXIST "${FNAME}"
				fi
			fi
		done
	fi


	#
	# Finally, add or remove any specified entries to/from the rkhunter.dat file.
	#

	test -n "${OLDRKHENTRIES}" -o -n "${NEWRKHENTRIES}" && updt_rkhdat


	return
}


suspscan() {

	#
	# Suspscan content scan using fixed strings.
	#
	# Suspscan is a CPU hog and only useful to some limit.
	# Suspscan should NEVER be enabled by default.
	#
	# The suspscan options are intially processed in 'get_suspscan_options'.
	#

	if `check_test suspscan`; then
		display --to LOG --type INFO --nl STARTING_TEST suspscan
		display --to LOG --type PLAIN --log-indent 2 SUSPSCAN_START
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST suspscan
		return
	fi


	#
	# First check that we have the commands we need.
	#

	if [ -z "${FILE_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 SUSPSCAN_CHECK
		display --to LOG --type INFO NOT_FOUND_CMD "file"
		return
	elif [ -z "${STRINGS_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 SUSPSCAN_CHECK
		display --to LOG --type INFO NOT_FOUND_CMD "strings"
		return
	fi

	#
	# Now check that the suspscan data file is usable.
	#

	if [ ! -e "${DB_PATH}/suspscan.dat" -o ! -s "${DB_PATH}/suspscan.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 SUSPSCAN_CHECK
		display --to LOG --type WARNING --log-indent 9 SUSPSCAN_DAT_MISSING "${DB_PATH}/suspscan.dat"
		return
	elif [ ! -f "${DB_PATH}/suspscan.dat" -o -h "${DB_PATH}/suspscan.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 SUSPSCAN_CHECK
		display --to LOG --type WARNING --log-indent 9 SUSPSCAN_DAT_NOTAFILE "${DB_PATH}/suspscan.dat"
		return
	fi

	#
	# Now log the configurable option values.
	#
	# Log which directories are to be scanned.
	#

	if [ $SUSPSCAN_DFLT_DIRS -eq 1 ]; then
		display --to LOG --type PLAIN --log-indent 4 SUSPSCAN_NO_DIRS "${SUSPSCAN_DIRS}"
	else
		display --to LOG --type PLAIN --log-indent 4 SUSPSCAN_DIRS "${SUSPSCAN_DIRS}"
	fi

	#
	# Log the temporary directory being used.
	#

	if [ $SUSPSCAN_DFLT_TMP -eq 1 ]; then
		display --to LOG --type PLAIN --log-indent 4 SUSPSCAN_NO_TEMP "${SUSPSCAN_TEMP}"
	else
		display --to LOG --type PLAIN --log-indent 4 SUSPSCAN_TEMP "${SUSPSCAN_TEMP}"
	fi

	#
	# Log the maximum file size to handle.
	#

	if [ $SUSPSCAN_DFLT_MAXSIZE -eq 1 ]; then
		display --to LOG --type PLAIN --log-indent 4 SUSPSCAN_NO_SIZE "${SUSPSCAN_MAXSIZE}"
	else
		display --to LOG --type PLAIN --log-indent 4 SUSPSCAN_SIZE "${SUSPSCAN_MAXSIZE}"
	fi

	#
	# Log the score threshold.
	#

	if [ $SUSPSCAN_DFLT_THRESH -eq 1 ]; then
		display --to LOG --type PLAIN --log-indent 4 SUSPSCAN_NO_THRESH "${SUSPSCAN_THRESH}"
	else
		display --to LOG --type PLAIN --log-indent 4 SUSPSCAN_THRESH "${SUSPSCAN_THRESH}"
	fi


	#
	# Start the test.
	#

	FOUND=0
	FOUNDDIRS=""
	FILENAME="${SUSPSCAN_TEMP}/suspscan.$$.strings"

	rm -f ${SUSPSCAN_TEMP}/suspscan.*.strings >/dev/null 2>&1

	#
	# Set a temporary file to log scan results to.
	#

	get_temp_file "${RKHTMPDIR}/suspscan.tmp"
	SUSPSCAN_TMPFILE=$TEMPFILE
	touch ${SUSPSCAN_TMPFILE}


	for DIR in ${SUSPSCAN_DIRS}; do
		SUSPSCAN_DIR="${DIR}"

		if [ -d "${SUSPSCAN_DIR}" ]; then
			FOUND=0

			if [ $SUSPSCAN_DEBUG -eq 1 ]; then
				echo "4 SUSPSCAN_DIR_CHECK "${SUSPSCAN_DIR}"" >> "${SUSPSCAN_TMPFILE}"
			fi

			$FIND_CMD "${SUSPSCAN_DIR}" -type f -o -type l 2>/dev/null | while read SUSPSCAN_ITEM; do
				#
				# Skip the debug file which may well be in one of the default suspscan directories.
				#

				test $DEBUG_OPT -eq 1 -a "${SUSPSCAN_ITEM}" = "${RKHDEBUGFILE}" && continue

				#
				# If the file is a link, then find what it points to.
				#

				if [ -h "${SUSPSCAN_ITEM}" ]; then
					if [ $HAVE_READLINK -eq 1 ]; then
						RKHTMPVAR="${SUSPSCAN_ITEM}"

						SUSPSCAN_ITEM=`${READLINK_CMD} -f ${RKHTMPVAR}`

						if [ $SUSPSCAN_DEBUG -eq 1 ]; then
							echo "6 SUSPSCAN_FILE_LINK_CHANGE "${RKHTMPVAR}" "${SUSPSCAN_ITEM}"" >> "${SUSPSCAN_TMPFILE}"
						fi
					else
						if [ $SUSPSCAN_DEBUG -eq 1 ]; then
							echo "6 SUSPSCAN_FILE_SKIPPED_LINK "${SUSPSCAN_ITEM}"" >> "${SUSPSCAN_TMPFILE}"
						fi

						continue
					fi
				fi


				#
				# Next check the size of the file.
				#

				if [ ! -s "${SUSPSCAN_ITEM}" ]; then
					if [ $SUSPSCAN_DEBUG -eq 1 ]; then
						echo "6 SUSPSCAN_FILE_SKIPPED_EMPTY "${SUSPSCAN_ITEM}"" >> "${SUSPSCAN_TMPFILE}"
					fi

					continue
				elif [ -z "`${FIND_CMD} "${SUSPSCAN_ITEM}" -size -${SUSPSCAN_MAXSIZE}c 2>/dev/null`" ]; then
					if [ $SUSPSCAN_DEBUG -eq 1 ]; then
						echo "6 SUSPSCAN_FILE_SKIPPED_SIZE "${SUSPSCAN_ITEM}"" >> "${SUSPSCAN_TMPFILE}"
					fi

					continue
				fi


				#
				# Finally, test the file type.
				#

				FTYPE=`${FILE_CMD} "${SUSPSCAN_ITEM}" 2>&1 | awk -F':' '{ print $NF }' | cut -c2-`

				#
				# We need to check errors from the file command, but not
				# if they are caused by the file disappearing beneath us.
				#

				test ! -e "${SUSPSCAN_ITEM}" && continue

				#
				# Adding "text" to the egrep below widens scope at the expense of more false-positives and extending running time.
				#

				if [ -n "`echo \"${FTYPE}\" | grep -v -i 'compres' | egrep -i 'execu|reloc|shell|libr|data|obj|text'`" ]; then
					FOUND=1
					SUSPSCAN_NUM=1; SUSPSCAN_SCORE=0; SUSPSCAN_HITCOUNT=0
					SUSPSCAN_STRINGS=""

					$STRINGS_CMD -n 4 "${SUSPSCAN_ITEM}" | head ${HEAD_OPT}$SUSPSCAN_LINETHRESH >${FILENAME} 2>&1

					for SUSPSCAN_STRING in `grep -v "^Version" ${DB_PATH}/suspscan.dat | tail ${TAIL_OPT}1` ; do

						#
						# Break off if the score already exceeds the threshold.
						#

						if [ $SUSPSCAN_SCORE -ge $SUSPSCAN_THRESH ]; then
							break
						fi

						SUSPSCAN_TERM="${SUSPSCAN_STRING}"

						#
						# Searchterm with class.
						#

						case "${SUSPSCAN_STRING}" in
						[a-z]:*) 
								SUSPSCAN_CLASS=`echo "${SUSPSCAN_STRING}" | cut -d: -f1`
								SUSPSCAN_TERM=`echo "${SUSPSCAN_STRING}" | cut -d: -f2-`
							 	;;
						esac

						#
						# Searchterm with multiplier.
						#

						case "${SUSPSCAN_STRING}" in
						*+[0-9][0-9]*) 
							  	SUSPSCAN_TERM=`echo "${SUSPSCAN_TERM}" | cut -d'+' -f1`
							  	SUSPSCAN_MULTIPLIER=`echo "${SUSPSCAN_STRING}" | cut -d'+' -f2`
								;;
						esac

						grep -i ${SUSPSCAN_TERM} ${FILENAME} >/dev/null 2>&1
						ERRCODE=$?

						if [ $ERRCODE -eq 0 ]; then

							if [ "$SUSPSCAN_CLASS" = "$SUSPSCAN_CLASS_PREV" ]; then
								SUSPSCAN_SCORE=`expr ${SUSPSCAN_SCORE} + 10`
							fi

							SUSPSCAN_HITS="$SUSPSCAN_NUM ${SUSPSCAN_HITS}"

							if [ -n "$SUSPSCAN_MULTIPLIER" ]; then
								SUSPSCAN_SCORE=`expr ${SUSPSCAN_SCORE} + ${SUSPSCAN_MULTIPLIER}` 
								unset SUSPSCAN_MULTIPLIER
							else
								SUSPSCAN_SCORE=`expr ${SUSPSCAN_SCORE} + 1`
							fi

							SUSPSCAN_HITCOUNT=`expr $SUSPSCAN_HITCOUNT + 1`

							SUSPSCAN_STRINGS="${SUSPSCAN_STRINGS} ${SUSPSCAN_TERM}"

							SUSPSCAN_CLASS_PREV="$SUSPSCAN_CLASS"
						fi

						SUSPSCAN_NUM=`expr ${SUSPSCAN_NUM} + 1`
					done

					if [ $SUSPSCAN_DEBUG -eq 1 ]; then
						echo "6 SUSPSCAN_FILE_CHECK_DEBUG "${SUSPSCAN_ITEM}" "$SUSPSCAN_SCORE" "$SUSPSCAN_HITCOUNT" "${SUSPSCAN_STRINGS}"" >> "${SUSPSCAN_TMPFILE}"
					fi

					if [ $SUSPSCAN_SCORE -ge $SUSPSCAN_THRESH ]; then
						echo "6 SUSPSCAN_FILE_CHECK "${SUSPSCAN_ITEM}" "$SUSPSCAN_SCORE"" >> "${SUSPSCAN_TMPFILE}"
						echo "SUSPSCAN_INSPECT "${SUSPSCAN_ITEM}" "$SUSPSCAN_SCORE"" >> "${SUSPSCAN_TMPFILE}"
					fi

					unset SUSPSCAN_TERM

				#
				# Compressed or obfuscated.
				#

				elif [ -n "`echo \"${FTYPE}\" | grep 'corrupted section header size'`" ]; then
					if [ $SUSPSCAN_DEBUG -eq 1 ]; then
						echo "6 SUSPSCAN_FILE_SKIPPED_TYPE "${SUSPSCAN_ITEM}" "Possible UPX-compressed or Dexter01s obfuscated binary"" >> "${SUSPSCAN_TMPFILE}"
					fi

				#
				# ELF ultimate compression kit (ELFuck).
				#

				elif [ -n "`echo \"${FTYPE}\" | grep 'invalid class invalid byte order'`" ]; then
					if [ $SUSPSCAN_DEBUG -eq 1 ]; then
						echo "6 SUSPSCAN_FILE_SKIPPED_TYPE "${SUSPSCAN_ITEM}" "Possible ELFuck obfuscated binary"" >> "${SUSPSCAN_TMPFILE}"
					fi
				elif [ $SUSPSCAN_DEBUG -eq 1 ]; then
					echo "6 SUSPSCAN_FILE_SKIPPED_TYPE "${SUSPSCAN_ITEM}" "${FTYPE}"" >> "${SUSPSCAN_TMPFILE}"
				fi
			done

		else
			echo "4 SUSPSCAN_DIR_NOT_EXIST "${SUSPSCAN_DIR}"" >> "${SUSPSCAN_TMPFILE}"
		fi
	done

	rm -f ${SUSPSCAN_TEMP}/suspscan.*.strings >/dev/null 2>&1


	#
	# Now display the results.
	#
	
	cat "${SUSPSCAN_TMPFILE}" | while read LINE; do
		LOGCHAR=`echo "$LINE" | cut -c 1`
		case "$LOGCHAR" in
			4|6)	LOGTYPE=`echo "$LINE" | cut -d ' ' -f 2`
				case "$LOGTYPE" in
					SUSPSCAN_FILE_SKIPPED_TYPE)
						SUSP_SKIP_ITEM=`echo "$LINE" | cut -d ' ' -f 3`
						SUSP_SKIP_MSG=`echo "$LINE" | cut -d ' ' -f 4-`
						if [ $SUSPSCAN_DEBUG -eq 1 ]; then
							display --to LOG --type PLAIN --log-indent $LOGCHAR $LOGTYPE "${SUSP_SKIP_ITEM}" "${SUSP_SKIP_MSG}"
						fi
					;;
					*)
						display --to LOG --type PLAIN --log-indent $LINE
					;;
				esac
			;;
			S)	
				display --to LOG --type WARNING $LINE
			;;
		esac
	done

	FOUNDDIRS=`grep '^6 SUSPSCAN_FILE_CHECK' ${SUSPSCAN_TMPFILE} | head ${HEAD_OPT}1`
	if [ -z "${FOUNDDIRS}" ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 SUSPSCAN_CHECK
	else
		# The 'type' here should be PLAIN, but the loop prevents RKH from seeing that a warning has occurred.
		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 SUSPSCAN_CHECK
	fi

	rm -f "${SUSPSCAN_TMPFILE}"

	return
}


do_system_commands_checks() {

	#
	# This function carries out a sequence of tests on
	# system commands. These consist of the 'strings' command
	# check, library checks and the file properties checks.
	#

	if `check_test system_commands`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST system_commands
		display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_SYS_COMMANDS
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST system_commands
		return
	fi


	strings_check

	shared_libs_check

	file_properties_check

	keypresspause

	return
}


rootkit_file_dir_checks() {

	#
	# This function performs the check for known rootkit
	# files and directories.
	#

	if `check_test known_rkts`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST known_rkts
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_FILES_DIRS_START
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST known_rkts
		return
	fi


	# 55808 Trojan - Variant A

	SCAN_ROOTKIT="55808 Trojan - Variant A"
	SCAN_FILES=${W55808A_FILES}
	SCAN_DIRS=${W55808A_DIRS}
	SCAN_KSYMS=${W55808A_KSYMS}
	scanrootkit

	# ADM Worm

	SCAN_ROOTKIT="ADM Worm"

	ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"
	fi

	if [ -f "/etc/passwd" ]; then
		RKHTMPVAR=`grep 'w0rm' /etc/passwd`

		if [ -z "${RKHTMPVAR}" ]; then
			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_STR "w0rm"
			fi

			display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
		else
			ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
			ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "

			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_STR "w0rm"
			fi

			display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_STR_FOUND "w0rm" "/etc/passwd"
		fi
	else
		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
		display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_NOFILE "/etc/passwd"
	fi

	# AjaKit Rootkit

	SCAN_ROOTKIT="AjaKit Rootkit"
	SCAN_FILES=${AJAKIT_FILES}
	SCAN_DIRS=${AJAKIT_DIRS}
	SCAN_KSYMS=${AJAKIT_KSYMS}
	scanrootkit

	# "Adore" Rootkit

	SCAN_ROOTKIT="Adore Rootkit"
	SCAN_FILES=${AKIT_FILES}
	SCAN_DIRS=${AKIT_DIRS}
	SCAN_KSYMS=${AKIT_KSYMS}
	scanrootkit

	# aPa Kit

	SCAN_ROOTKIT="aPa Kit"
	SCAN_FILES=${APAKIT_FILES}
	SCAN_DIRS=${APAKIT_DIRS}
	SCAN_KSYMS=${APAKIT_KSYMS}
	scanrootkit

	# Apache worm

	SCAN_ROOTKIT="Apache Worm"
	SCAN_FILES=${APACHEWORM_FILES}
	SCAN_DIRS=${APACHEWORM_DIRS}
	SCAN_KSYMS=${APACHEWORM_KSYMS}
	scanrootkit

	# Ambient (ark) Rootkit

	SCAN_ROOTKIT="Ambient (ark) Rootkit"
	SCAN_FILES=${ARK_FILES}
	SCAN_DIRS=${ARK_DIRS}
	SCAN_KSYMS=${ARK_KSYMS}
	scanrootkit

	# Balaur Rootkit

	SCAN_ROOTKIT="Balaur Rootkit"
	SCAN_FILES=${BALAUR_FILES}
	SCAN_DIRS=${BALAUR_DIRS}
	SCAN_KSYMS=${BALAUR_KSYMS}
	scanrootkit

	# BeastKit Rootkit

	SCAN_ROOTKIT="BeastKit Rootkit"
	SCAN_FILES=${BEASTKIT_FILES}
	SCAN_DIRS=${BEASTKIT_DIRS}
	SCAN_KSYMS=${BEASTKIT_KSYMS}
	scanrootkit

	# beX2 Rootkit

	SCAN_ROOTKIT="beX2 Rootkit"
	SCAN_FILES=${BEX_FILES}
	SCAN_DIRS=${BEX_DIRS}
	SCAN_KSYMS=${BEX_KSYMS}
	scanrootkit

	# BOBKit Rootkit

	SCAN_ROOTKIT="BOBKit Rootkit"
	SCAN_FILES=${BOBKIT_FILES}
	SCAN_DIRS=${BOBKIT_DIRS}
	SCAN_KSYMS=${BOBKIT_KSYMS}
	scanrootkit

	# OSX Boonana Trojan
	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Boonana Trojan"
		SCAN_FILES=${BOONANA_FILES}
		SCAN_DIRS=${BOONANA_DIRS}
		SCAN_KSYMS=${BOONANA_KSYMS}
		scanrootkit
	fi

	# cb Rootkit
	SCAN_ROOTKIT="cb Rootkit"
	SCAN_FILES=${CB_FILES}
	SCAN_DIRS=${CB_DIRS}
	SCAN_KSYMS=${CB_KSYMS}
	scanrootkit

	# CiNIK Worm (Slapper.B variant)

	SCAN_ROOTKIT="CiNIK Worm (Slapper.B variant)"
	SCAN_FILES=${CINIK_FILES}
	SCAN_DIRS=${CINIK_DIRS}
	SCAN_KSYMS=${CINIK_KSYMS}
	scanrootkit

	# CX Rootkit

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="CX Rootkit"
		SCAN_FILES=${CXKIT_FILES}
		SCAN_DIRS=${CXKIT_DIRS}
		SCAN_KSYMS=${CXKIT_KSYMS}
		scanrootkit
	fi

	# Danny-Boy's Abuse Kit

	SCAN_ROOTKIT="Danny-Boy's Abuse Kit"
	SCAN_FILES=${DANNYBOYS_FILES}
	SCAN_DIRS=${DANNYBOYS_DIRS}
	SCAN_KSYMS=${DANNYBOYS_KSYMS}
	scanrootkit

	# Devil RootKit

	SCAN_ROOTKIT="Devil RootKit"
	SCAN_FILES=${DEVIL_FILES}
	SCAN_DIRS=${DEVIL_DIRS}
	SCAN_KSYMS=${DEVIL_KSYMS}
	scanrootkit

	# Dica-Kit Rootkit

	SCAN_ROOTKIT="Dica-Kit Rootkit"
	SCAN_FILES=${DICA_FILES}
	SCAN_DIRS=${DICA_DIRS}
	SCAN_KSYMS=${DICA_KSYMS}
	scanrootkit

	# Dreams RootKit

	SCAN_ROOTKIT="Dreams Rootkit"
	SCAN_FILES=${DREAMS_FILES}
	SCAN_DIRS=${DREAMS_DIRS}
	SCAN_KSYMS=${DREAMS_KSYMS}
	scanrootkit

	# Duarawkz Rootkit

	SCAN_ROOTKIT="Duarawkz Rootkit"
	SCAN_FILES=${DUARAWKZ_FILES}
	SCAN_DIRS=${DUARAWKZ_DIRS}
	SCAN_KSYMS=${DUARAWKZ_KSYMS}
	scanrootkit

	# Enye LKM

	SCAN_ROOTKIT="Enye LKM"
	SCAN_FILES=${ENYELKM_FILES}
	SCAN_DIRS=${ENYELKM_DIRS}
	SCAN_KSYMS=${ENYELKM_KSYMS}
	scanrootkit

	# Flea Linux Rootkit

	SCAN_ROOTKIT="Flea Linux Rootkit"
	SCAN_FILES=${FLEA_FILES}
	SCAN_DIRS=${FLEA_DIRS}
	SCAN_KSYMS=${FLEA_KSYMS}
	scanrootkit

	# FreeBSD Rootkit

	if [ $BSDOS -eq 1 ]; then
		SCAN_ROOTKIT="FreeBSD Rootkit"
		SCAN_FILES=${FREEBSD_RK_FILES}
		SCAN_DIRS=${FREEBSD_RK_DIRS}
		SCAN_KSYMS=${FREEBSD_RK_KSYMS}
		scanrootkit
	fi

	# Fu Rootkit

	SCAN_ROOTKIT="Fu Rootkit"
	SCAN_FILES=${FU_FILES}
	SCAN_DIRS=${FU_DIRS}
	SCAN_KSYMS=${FU_KSYMS}
	scanrootkit

	# Fuck`it Rootkit

	SCAN_ROOTKIT="Fuck\`it Rootkit"
	SCAN_FILES=${FUCKIT_FILES}
	SCAN_DIRS=${FUCKIT_DIRS}
	SCAN_KSYMS=${FUCKIT_KSYMS}
	scanrootkit

	# GasKit Rootkit

	SCAN_ROOTKIT="GasKit Rootkit"
	SCAN_FILES=${GASKIT_FILES}
	SCAN_DIRS=${GASKIT_DIRS}
	SCAN_KSYMS=${GASKIT_KSYMS}
	scanrootkit

	# Heroin LKM

	SCAN_ROOTKIT="Heroin LKM"
	SCAN_FILES=${HEROIN_FILES}
	SCAN_DIRS=${HEROIN_DIRS}
	SCAN_KSYMS=${HEROIN_KSYMS}
	scanrootkit

	# HjC Kit

	SCAN_ROOTKIT="HjC Kit"
	SCAN_FILES=${HJCKIT_FILES}
	SCAN_DIRS=${HJCKIT_DIRS}
	SCAN_KSYMS=${HJCKIT_KSYMS}
	scanrootkit

	# ignoKit Rootkit

	SCAN_ROOTKIT="ignoKit Rootkit"
	SCAN_FILES=${IGNOKIT_FILES}
	SCAN_DIRS=${IGNOKIT_DIRS}
	SCAN_KSYMS=${IGNOKIT_KSYMS}
	scanrootkit

	# iLLogiC Rootkit (SunOS Rootkit variant)

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="iLLogiC Rootkit"
		SCAN_FILES=${ILLOGIC_FILES}
		SCAN_DIRS=${ILLOGIC_DIRS}
		SCAN_KSYMS=${ILLOGIC_KSYMS}
		scanrootkit
	fi

	# OSX Inqtana (Variant A)

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Inqtana Worm (Variant A)"
		SCAN_FILES=${INQTANAA_FILES}
		SCAN_DIRS=${INQTANAA_DIRS}
		SCAN_KSYMS=${INQTANAA_KSYMS}
		scanrootkit
	fi

	# OSX Inqtana (Variant B)

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Inqtana Worm (Variant B)"
		SCAN_FILES=${INQTANAB_FILES}
		SCAN_DIRS=${INQTANAB_DIRS}
		SCAN_KSYMS=${INQTANAB_KSYMS}
		scanrootkit
	fi

	# OSX Inqtana (Variant C)

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Inqtana Worm (Variant C)"
		SCAN_FILES=${INQTANAC_FILES}
		SCAN_DIRS=${INQTANAC_DIRS}
		SCAN_KSYMS=${INQTANAC_KSYMS}
		scanrootkit
	fi

	# IntoXonia-NG Rootkit

	SCAN_ROOTKIT="IntoXonia-NG Rootkit"
	SCAN_FILES=${INTOXONIA_FILES}
	SCAN_DIRS=${INTOXONIA_DIRS}
	SCAN_KSYMS=${INTOXONIA_KSYMS}
	scanrootkit

	# Irix Rootkit

	SCAN_ROOTKIT="Irix Rootkit"
	SCAN_FILES=${IRIXRK_FILES}
	SCAN_DIRS=${IRIXRK_DIRS}
	SCAN_KSYMS=${IRIXRK_KSYMS}
	scanrootkit

	# Jynx Rootkit

	SCAN_ROOTKIT="Jynx Rootkit"
	SCAN_FILES=${JYNX_FILES}
	SCAN_DIRS=${JYNX_DIRS}
	SCAN_KSYMS=${JYNX_KSYMS}
	scanrootkit

	# KBeast Rootkit

	SCAN_ROOTKIT="KBeast Rootkit"
	SCAN_FILES=${KBEAST_FILES}
	SCAN_DIRS=${KBEAST_DIRS}
	SCAN_KSYMS=${KBEAST_KSYMS}
	scanrootkit

	# Kitko Rootkit

	SCAN_ROOTKIT="Kitko Rootkit"
	SCAN_FILES=${KITKO_FILES}
	SCAN_DIRS=${KITKO_DIRS}
	SCAN_KSYMS=${KITKO_KSYMS}
	scanrootkit

	# Knark Rootkit

	SCAN_ROOTKIT="Knark Rootkit"
	SCAN_FILES=${KNARK_FILES}
	SCAN_DIRS=${KNARK_DIRS}
	SCAN_KSYMS=${KNARK_KSYMS}
	scanrootkit

	# ld-linuxv.so (LD_PRELOAD shared library rootkit)

	SCAN_ROOTKIT="ld-linuxv.so Rootkit"
	SCAN_FILES=${LINUXV_FILES}
	SCAN_DIRS=${LINUXV_DIRS}
	SCAN_KSYMS=${LINUXV_KSYMS}
	scanrootkit

	# Li0n Worm

	SCAN_ROOTKIT="Li0n Worm"
	SCAN_FILES=${LION_FILES}
	SCAN_DIRS=${LION_DIRS}
	SCAN_KSYMS=${LION_KSYMS}
	scanrootkit

	# Lockit / LJK2 Rootkit

	SCAN_ROOTKIT="Lockit / LJK2 Rootkit"
	SCAN_FILES=${LOCKIT_FILES}
	SCAN_DIRS=${LOCKIT_DIRS}
	SCAN_KSYMS=${LOCKIT_KSYMS}
	scanrootkit

	# Mood-NT Rootkit

	SCAN_ROOTKIT="Mood-NT Rootkit"
	SCAN_FILES=${MOODNT_FILES}
	SCAN_DIRS=${MOODNT_DIRS}
	SCAN_KSYMS=${MOODNT_KSYMS}
	scanrootkit

	# MRK (MiCrobul?) RootKit

	SCAN_ROOTKIT="MRK Rootkit"
	SCAN_FILES=${MRK_FILES}
	SCAN_DIRS=${MRK_DIRS}
	SCAN_KSYMS=${MRK_KSYMS}
	scanrootkit

	# Ni0 Rootkit

	SCAN_ROOTKIT="Ni0 Rootkit"
	SCAN_FILES=${NIO_FILES}
	SCAN_DIRS=${NIO_DIRS}
	SCAN_KSYMS=${NIO_KSYMS}
	scanrootkit

	# Ohhara Rootkit

	SCAN_ROOTKIT="Ohhara Rootkit"
	SCAN_FILES=${OHHARA_FILES}
	SCAN_DIRS=${OHHARA_DIRS}
	SCAN_KSYMS=${OHHARA_KSYMS}
	scanrootkit

	# Optic Kit Worm

	SCAN_ROOTKIT="Optic Kit (Tux) Worm"
	SCAN_FILES=${OPTICKIT_FILES}
	SCAN_DIRS=${OPTICKIT_DIRS}
	SCAN_KSYMS=${OPTICKIT_KSYMS}
	scanrootkit

	# OSX Rootkit 0.2.1

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="OS X Rootkit"
		SCAN_FILES="${OSXRK_FILES}"
		SCAN_DIRS="${OSXRK_DIRS}"
		SCAN_KSYMS=${OSXRK_KSYMS}
		scanrootkit
	fi

	# Oz Rootkit

	SCAN_ROOTKIT="Oz Rootkit"
	SCAN_FILES=${OZ_FILES}
	SCAN_DIRS=${OZ_DIRS}
	SCAN_KSYMS=${OZ_KSYMS}
	scanrootkit

	# Phalanx Rootkit

	SCAN_ROOTKIT="Phalanx Rootkit"
	SCAN_FILES=${PHALANX_FILES}
	SCAN_DIRS=${PHALANX_DIRS}
	SCAN_KSYMS=${PHALANX_KSYMS}
	scanrootkit

	# Phalanx2 Rootkit (dirs and files)

	SCAN_ROOTKIT="Phalanx2 Rootkit"
	SCAN_FILES=${PHALANX2_FILES}
	SCAN_DIRS=${PHALANX2_DIRS}
	SCAN_KSYMS=${PHALANX2_KSYMS}
	scanrootkit

	# Phalanx2 Rootkit (extended tests)

	if [ $LINUXOS -eq 1 ]; then
		SCAN_ROOTKIT="Phalanx2 Rootkit (extended tests)"

		ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

		ROOTKIT_PHALANX2_TEST=0

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"
		fi

		if [ $ROOTKIT_PHALANX2_DIRTESTVAL -eq 1 ]; then
			ROOTKIT_PHALANX2_DIRNAMES=`find /etc /usr -type d -iname "*.p2"`
		else
			ROOTKIT_PHALANX2_DIRNAMES="/etc/khubd.p2 /etc/lolzz.p2 /usr/lib/zupzz.p2"
		fi

		if [ -n "${ROOTKIT_PHALANX2_DIRNAMES}" ]; then

			for ROOTKIT_PHALANX2_DIRNAME in ${ROOTKIT_PHALANX2_DIRNAMES}; do

				if `cd ${ROOTKIT_PHALANX2_DIRNAME} >/dev/null 2>&1`; then
					ROOTKIT_PHALANX2_TEST=1

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "${ROOTKIT_PHALANX2_DIRNAME}"
					fi

					display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
					display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_DIR_FOUND "${ROOTKIT_PHALANX2_DIRNAME}"
				elif [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "${ROOTKIT_PHALANX2_DIRNAME}"
				fi
			done

		elif [ $VERBOSE_LOGGING -eq 1 -a $ROOTKIT_PHALANX2_DIRTESTVAL -eq 1 ]; then
			display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "*.p2"
		fi

		if `grep -q '^/dev/root .* ext[23] ' /proc/mounts 2>/dev/null`; then 
			if [ -n "${STAT_CMD}" ]; then
				if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
					NLINKS1=`${STAT_CMD} --nlink /etc 2>/dev/null`
				else
					NLINKS1=`${STAT_CMD} -c %h /etc 2>/dev/null`
				fi

				NLINKS2=`ls -ld /etc 2>/dev/null | awk -F' ' '/^d/ {print $2}' | head ${HEAD_OPT}1`

				test -z "${NLINKS1}" && NLINKS1=-1
				test -z "${NLINKS2}" && NLINKS2=-2

				if [ $NLINKS1 -ne $NLINKS2 ]; then
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result WARNING --log-indent 2 ROOTKIT_LINK_COUNT "/etc"

						if [ $NLINKS1 -eq -1 ]; then
							display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_CMDERR "${STAT_CMD}" "/etc"
						fi

						if [ $NLINKS2 -eq -2 ]; then
							display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_CMDERR "ls -ld" "/etc"
						fi

						display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_FAIL "${STAT_CMD}" "$NLINKS1"
						display --to LOG --type PLAIN --log-indent 4 ROOTKIT_LINK_COUNT_FAIL "ls -ld" "$NLINKS2"
					fi

					if [ $ROOTKIT_PHALANX2_TEST -eq 0 ]; then
						ROOTKIT_PHALANX2_TEST=1
						display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
					fi

					display --to LOG --type PLAIN --log-indent 9 ROOTKIT_PHALANX2_LINK_COUNT_FAIL "/etc"
				elif [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result OK --log-indent 2 ROOTKIT_LINK_COUNT "/etc"
				fi
			elif [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_LINK_COUNT "/etc"
				display --to LOG --type INFO NOT_FOUND_CMD "stat"
			fi
		fi

		# On Linux 2.6 kernels certain processes are children of the kthread process which itself is a child of init.
		# argv[0] hiding in plain sight works OK (who expects '^ata/0$' processes to be illegal?) but if the parent process Id is not kthread's
		# then suspicion is justified. Like other process listing relying on 'ps' the usual process hiding caveat remains.

		if [ -n "${PGREP_CMD}" ]; then
			if [ -n "`${PGREP_CMD} 'ata/0'`" ]; then
				ROOTKIT_PHALANX2_PROC_KTHREAD_PPID=`${PGREP_CMD} -f '^kthread.?$'`
				ROOTKIT_PHALANX2_PROC_ATA_PPID=`${PS_CMD} --no-headers -C 'ata/0' -oppid 2>/dev/null`

				if [ -n "${ROOTKIT_PHALANX2_PROC_ATA_PPID}" -a -n "${ROOTKIT_PHALANX2_PROC_KTHREAD_PPID}" ]; then
					if [ ${ROOTKIT_PHALANX2_PROC_ATA_PPID} -ne ${ROOTKIT_PHALANX2_PROC_KTHREAD_PPID} ]; then
						if [ $VERBOSE_LOGGING -eq 1 ]; then
							display --to LOG --type PLAIN --result WARNING --log-indent 2 ROOTKIT_PHALANX2_PROC_FOUND
							display --to LOG --type PLAIN --log-indent 4 ROOTKIT_PHALANX2_PROC_PPID "${ROOTKIT_PHALANX2_PROC_KTHREAD_PPID}" "${ROOTKIT_PHALANX2_PROC_ATA_PPID}"
						fi

						if [ $ROOTKIT_PHALANX2_TEST -eq 0 ]; then
							ROOTKIT_PHALANX2_TEST=1
							display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
						fi

						display --to LOG --type PLAIN --log-indent 9 ROOTKIT_PHALANX2_PROC_FOUND
					else
						if [ $VERBOSE_LOGGING -eq 1 ]; then
							display --to LOG --type PLAIN --result OK --log-indent 2 ROOTKIT_PHALANX2_PROC
						fi
					fi

				else # ROOTKIT_PHALANX2_PROC_ATA_PPID ps might not support some cmdline args
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_PHALANX2_PROC
						display --to LOG --type INFO ROOTKIT_PHALANX2_PROC_PS_ERR
					fi
				fi

			#else # This kernel does not run any 'ata/0' kthread child processes, no warning necessary.
			fi

		else # PGREP_CMD
			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_PHALANX2_PROC
				display --to LOG --type INFO NOT_FOUND_CMD "pgrep"
			fi
		fi

		if [ $ROOTKIT_PHALANX2_TEST -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
		else
			ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
			ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "
		fi

	fi

	# Portacelo Rootkit

	SCAN_ROOTKIT="Portacelo Rootkit"
	SCAN_FILES=${PORTACELO_FILES}
	SCAN_DIRS=${PORTACELO_DIRS}
	SCAN_KSYMS=${PORTACELO_KSYMS}
	scanrootkit

	# R3dstorm Toolkit

	SCAN_ROOTKIT="R3dstorm Toolkit"
	SCAN_FILES=${REDSTORM_FILES}
	SCAN_DIRS=${REDSTORM_DIRS}
	SCAN_KSYMS=${REDSTORM_KSYMS}
	scanrootkit

	# RH-Sharpe's Rootkit

	SCAN_ROOTKIT="RH-Sharpe's Rootkit"
	SCAN_FILES=${RHSHARPES_FILES}
	SCAN_DIRS=${RHSHARPES_DIRS}
	SCAN_KSYMS=${RHSHARPES_KSYMS}
	scanrootkit

	# RSHA's Rootkit

	SCAN_ROOTKIT="RSHA's Rootkit"
	SCAN_FILES=${RSHA_FILES}
	SCAN_DIRS=${RSHA_DIRS}
	SCAN_KSYMS=${RSHA_KSYMS}
	scanrootkit

	# Scalper Worm

	SCAN_ROOTKIT="Scalper Worm"
	SCAN_FILES=${SCALPER_FILES}
	SCAN_DIRS=${SCALPER_DIRS}
	SCAN_KSYMS=${SCALPER_KSYMS}
	scanrootkit

	# Sebek LKM (Honeypot)

	SCAN_ROOTKIT="Sebek LKM"

	ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"
	fi

	FOUND=0

	if [ -n "${KSYMS_FILE}" ]; then
		egrep -i 'adore|sebek' ${KSYMS_FILE} >/dev/null 2>&1 && FOUND=1
	fi

	if [ $FOUND -eq 0 ]; then
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			if [ -n "${KSYMS_FILE}" ]; then
				display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "adore or sebek"
			else
				display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "adore or sebek"
			fi
		fi

		display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
	else
		ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
		ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "adore or sebek"
		fi

		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
		display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_KSYM_FOUND "adore or sebek"
	fi

	# Shutdown Rootkit

	SCAN_ROOTKIT="Shutdown Rootkit"
	SCAN_FILES=${SHUTDOWN_FILES}
	SCAN_DIRS=${SHUTDOWN_DIRS}
	SCAN_KSYMS=${SHUTDOWN_KSYMS}
	scanrootkit

	# SHV4 Rootkit

	SCAN_ROOTKIT="SHV4 Rootkit"
	SCAN_FILES=${SHV4_FILES}
	SCAN_DIRS=${SHV4_DIRS}
	SCAN_KSYMS=${SHV4_KSYMS}
	scanrootkit

	# SHV5 Rootkit

	SCAN_ROOTKIT="SHV5 Rootkit"
	SCAN_FILES=${SHV5_FILES}
	SCAN_DIRS=${SHV5_DIRS}
	SCAN_KSYMS=${SHV5_KSYMS}
	scanrootkit

	# Sin Rootkit

	SCAN_ROOTKIT="Sin Rootkit"
	SCAN_FILES=${SINROOTKIT_FILES}
	SCAN_DIRS=${SINROOTKIT_DIRS}
	SCAN_KSYMS=${SINROOTKIT_KSYMS}
	scanrootkit

	# SInAR Rootkit

	if [ $SUNOS -eq 1 ]; then
		FOUND=0
		SINARFILES=""

		SCAN_ROOTKIT="SInAR Rootkit"

		ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"
		fi

		if [ -n "${FIND_CMD}" ]; then
			for DIR in ${BINPATHS}; do
				FOUNDINDIR="NOT_FOUND"

				for FNAME in `${FIND_CMD} "${DIR}" -type f -name "*[sS][iI][nN][aA][rR]*" 2>/dev/null`; do
					if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAME} \"`" ]; then
						display --to LOG --type INFO FILE_PROP_WL "${FNAME}" known_rkts
					elif `grep -i 'sinar' ${FNAME} >/dev/null 2>&1`; then
						FOUND=1
						FOUNDINDIR="FOUND"
						SINARFILES="${SINARFILES} ${FNAME}"
					fi
				done

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type PLAIN --result "${FOUNDINDIR}" --log-indent 2 ROOTKIT_FILES_DIRS_SINAR_DIR "${DIR}"
				fi
			done


			#
			# Now display the result.
			#

			if [ $FOUND -eq 0 ]; then
				display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
			else
				ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
				ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "

				display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
				display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_SINAR "${SINARFILES}"
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 NAME "${SCAN_ROOTKIT}"
			display --to LOG --type INFO NOT_FOUND_CMD "find"
		fi
	fi

	# Slapper Worm

	SCAN_ROOTKIT="Slapper Worm"
	SCAN_FILES=${SLAPPER_FILES}
	SCAN_DIRS=${SLAPPER_DIRS}
	SCAN_KSYMS=${SLAPPER_KSYMS}
	scanrootkit

	# Sneakin Rootkit

	SCAN_ROOTKIT="Sneakin Rootkit"
	SCAN_FILES=${SNEAKIN_FILES}
	SCAN_DIRS=${SNEAKIN_DIRS}
	SCAN_KSYMS=${SNEAKIN_KSYMS}
	scanrootkit

	# Solaris Wanuk backdoor

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="Solaris Wanuk backdoor"
		SCAN_FILES=${WANUKDOOR_FILES}
		SCAN_DIRS=${WANUKDOOR_DIRS}
		SCAN_KSYMS=${WANUKDOOR_KSYMS}
		scanrootkit
	fi

	# Solaris Wanuk Worm

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="Solaris Wanuk Worm"
		SCAN_FILES=${WANUKWORM_FILES}
		SCAN_DIRS=${WANUKWORM_DIRS}
		SCAN_KSYMS=${WANUKWORM_KSYMS}
		scanrootkit
	fi

	# 'Spanish' Rootkit

	SCAN_ROOTKIT="'Spanish' Rootkit"
	SCAN_FILES=${SPANISH_FILES}
	SCAN_DIRS=${SPANISH_DIRS}
	SCAN_KSYMS=${SPANISH_KSYMS}
	scanrootkit

	# Suckit Rootkit

	SCAN_ROOTKIT="Suckit Rootkit"
	SCAN_FILES=${SUCKIT_FILES}
	SCAN_DIRS=${SUCKIT_DIRS}
	SCAN_KSYMS=${SUCKIT_KSYMS}
	scanrootkit

	# SunOS Rootkit

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="SunOS Rootkit"
		SCAN_FILES=${SUNOSROOTKIT_FILES}
		SCAN_DIRS=${SUNOSROOTKIT_DIRS}
		SCAN_KSYMS=${SUNOSROOTKIT_KSYMS}
		scanrootkit
	fi

	# SunOS / NSDAP Rootkit

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="SunOS / NSDAP Rootkit"
		SCAN_FILES=${NSDAP_FILES}
		SCAN_DIRS=${NSDAP_DIRS}
		SCAN_KSYMS=${NSDAP_KSYMS}
		scanrootkit
	fi

	# Superkit Rootkit

	SCAN_ROOTKIT="Superkit Rootkit"
	SCAN_FILES=${SUPERKIT_FILES}
	SCAN_DIRS=${SUPERKIT_DIRS}
	SCAN_KSYMS=${SUPERKIT_KSYMS}
	scanrootkit

	# TBD (Telnet BackDoor)

	SCAN_ROOTKIT="TBD (Telnet BackDoor)"
	SCAN_FILES=${TBD_FILES}
	SCAN_DIRS=${TBD_DIRS}
	SCAN_KSYMS=${TBD_KSYMS}
	scanrootkit

	# TeLeKiT Rootkit

	SCAN_ROOTKIT="TeLeKiT Rootkit"
	SCAN_FILES=${TELEKIT_FILES}
	SCAN_DIRS=${TELEKIT_DIRS}
	SCAN_KSYMS=${TELEKIT_KSYMS}
	scanrootkit

	# OSX Togroot Rootkit

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="Togroot Rootkit"
		SCAN_FILES=${TOGROOT_FILES}
		SCAN_DIRS=${TOGROOT_DIRS}
		SCAN_KSYMS=${TOGROOT_KSYMS}
		scanrootkit
	fi

	# T0rn Rootkit

	SCAN_ROOTKIT="T0rn Rootkit"
	SCAN_FILES=${TORN_FILES}
	SCAN_DIRS=${TORN_DIRS}
	SCAN_KSYMS=${TORN_KSYMS}
	scanrootkit

	# TrNkit Rootkit

	SCAN_ROOTKIT="trNkit Rootkit"
	SCAN_FILES=${TRNKIT_FILES}
	SCAN_DIRS=${TRNKIT_DIRS}
	SCAN_KSYMS=${TRNKIT_KSYMS}
	scanrootkit

	# Trojanit Kit

	SCAN_ROOTKIT="Trojanit Kit"
	SCAN_FILES=${TROJANIT_FILES}
	SCAN_DIRS=${TROJANIT_DIRS}
	SCAN_KSYMS=${TROJANIT_KSYMS}
	scanrootkit

	# Turtle / Turtle2 Rootkit

	if [ $BSDOS -eq 1 ]; then
		SCAN_ROOTKIT="Turtle Rootkit"
		SCAN_FILES=${TURTLE_FILES}
		SCAN_DIRS=${TURTLE_DIRS}
		SCAN_KSYMS=${TURTLE_KSYMS}
		scanrootkit
	fi

	# Tuxtendo Rootkit

	SCAN_ROOTKIT="Tuxtendo Rootkit"
	SCAN_FILES=${TUXTENDO_FILES}
	SCAN_DIRS=${TUXTENDO_DIRS}
	SCAN_KSYMS=${TUXTENDO_KSYMS}
	scanrootkit

	# Universal Rootkit by K2 (URK)

	SCAN_ROOTKIT="URK Rootkit"
	SCAN_FILES=${URK_FILES}
	SCAN_DIRS=${URK_DIRS}
	SCAN_KSYMS=${URK_KSYMS}
	scanrootkit

	# Vampire Rootkit

	SCAN_ROOTKIT="Vampire Rootkit"
	SCAN_FILES=${VAMPIRE_FILES}
	SCAN_DIRS=${VAMPIRE_DIRS}
	SCAN_KSYMS=${VAMPIRE_KSYMS}
	scanrootkit

	# VcKit Rootkit

	SCAN_ROOTKIT="VcKit Rootkit"
	SCAN_FILES=${VCKIT_FILES}
	SCAN_DIRS=${VCKIT_DIRS}
	SCAN_KSYMS=${VCKIT_KSYMS}
	scanrootkit

	# Volc Rootkit

	SCAN_ROOTKIT="Volc Rootkit"
	SCAN_FILES=${VOLC_FILES}
	SCAN_DIRS=${VOLC_DIRS}
	SCAN_KSYMS=${VOLC_KSYMS}
	scanrootkit

	# weaponX Rootkit

	if [ $MACOSX -eq 1 ]; then
		SCAN_ROOTKIT="weaponX Rootkit"
		SCAN_FILES=${WEAPONX_FILES}
		SCAN_DIRS=${WEAPONX_DIRS}
		SCAN_KSYMS=${WEAPONX_KSYMS}
		scanrootkit
	fi

	# Xzibit Rootkit

	SCAN_ROOTKIT="Xzibit Rootkit"
	SCAN_FILES=${XZIBIT_FILES}
	SCAN_DIRS=${XZIBIT_DIRS}
	SCAN_KSYMS=${XZIBIT_KSYMS}
	scanrootkit

	# X-Org SunOS Rootkit

	if [ $SUNOS -eq 1 ]; then
		SCAN_ROOTKIT="X-Org SunOS Rootkit"
		SCAN_FILES=${XORGSUNOS_FILES}
		SCAN_DIRS=${XORGSUNOS_DIRS}
		SCAN_KSYMS=${XORGSUNOS_KSYMS}
		scanrootkit
	fi

	# zaRwT.KiT Rootkit

	SCAN_ROOTKIT="zaRwT.KiT Rootkit"
	SCAN_FILES=${ZARWT_FILES}
	SCAN_DIRS=${ZARWT_DIRS}
	SCAN_KSYMS=${ZARWT_KSYMS}
	scanrootkit

	# ZK Rootkit

	SCAN_ROOTKIT="ZK Rootkit"
	SCAN_FILES=${ZK_FILES}
	SCAN_DIRS=${ZK_DIRS}
	SCAN_KSYMS=${ZK_KSYMS}
	scanrootkit

	return
}


possible_rootkit_file_dir_checks() {

	#
	# This function performs the check for possible rootkit
	# files and directories.
	#

	if `check_test possible_rkt_files`; then
		display --to LOG --type INFO --nl STARTING_TEST possible_rkt_files
		display --to LOG --type PLAIN --log-indent 2 ROOTKIT_POSS_FILES_DIRS_LOG
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST possible_rkt_files
		return
	fi

	FOUND=0
	FOUNDFILES=""
	FOUNDDIRS=""

	IFS=$IFSNL

	for RKHTMPVAR in ${FILESCAN}; do
		ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

		RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ 	]*//'`

		TYPE=`echo ${RKHTMPVAR} | cut -d: -f1`
		FILE=`echo ${RKHTMPVAR} | cut -d: -f2`
		INFO=`echo ${RKHTMPVAR} | cut -d: -f3`

		FNAME=`echo "${FILE}" | tr '%' ' '`

		case "${TYPE}" in
		dir)
			if [ -d "${FNAME}" ]; then
				FNAMEGREP=`echo "${FILE}" | sed -e 's/\./\\\./g'`

				if [ -n "`echo \"${RTKT_DIR_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
					display --to LOG --type INFO FILE_PROP_WL_DIR "${FNAME}" possible_rkt_files
					test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "${FNAME}"
				else
					FOUND=1
					FOUNDDIRS="${FOUNDDIRS}
${FNAME}:${INFO}"

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_FILES_DIRS_DIR "${FNAME}"
					fi
				fi
			elif [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "${FNAME}"
			fi
			;;
		file)
			if [ -f "${FNAME}" ]; then
				FNAMEGREP=`echo "${FILE}" | sed -e 's/\./\\\./g'`

				if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
					display --to LOG --type INFO FILE_PROP_WL "${FNAME}" possible_rkt_files
					test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "${FNAME}"
				else
					FOUND=1
					FOUNDFILES="${FOUNDFILES}
${FNAME}:${INFO}"

					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_FILES_DIRS_FILE "${FNAME}"
					fi
				fi
			elif [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "${FNAME}"
			fi
			;;
		*)
			echo "Error: Unknown file type in possible rootkit check: FILESCAN contains: ${TYPE}"
			;;
		esac
	done

	IFS=$RKHIFS


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_POSS_FILES_DIRS
	else
		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_POSS_FILES_DIRS

		IFS=$IFSNL

		FOUNDFILES=`echo "${FOUNDFILES}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${FOUNDFILES}; do
			FILE=`echo "${RKHTMPVAR}" | cut -d: -f1`
			INFO=`echo "${RKHTMPVAR}" | cut -d: -f2`

			ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
			ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "

			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_POSS_FILES_FILE_FOUND "${FILE}" "${INFO}"
		done

		FOUNDDIRS=`echo "${FOUNDDIRS}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${FOUNDDIRS}; do
			FILE=`echo "${RKHTMPVAR}" | cut -d: -f1`
			INFO=`echo "${RKHTMPVAR}" | cut -d: -f2`

			ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
			ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "

			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_POSS_FILES_DIR_FOUND "${FILE}" "${INFO}"
		done

		IFS=$RKHIFS
	fi

	return
}


get_rc_paths() {

	#
	# This function gets a list of the system startup files.
	# Directories are searched for files.
	#
	# This functions will set the variable RC_PATHS.
	#

	RC_PATHS=""
	RKHTMPVAR2=""

	if [ -n "${STARTUP_PATHS}" ]; then
		RKHTMPVAR="${STARTUP_PATHS}"
	else
		RKHTMPVAR="${RCLOCATIONS}"
	fi


	for DIR in ${RKHTMPVAR}; do
		test -h "${DIR}" && continue

		if [ -f "${DIR}" ]; then
			RC_PATHS="${RC_PATHS}
${DIR}"
			RKHTMPVAR2="${RKHTMPVAR2} ${DIR}"
		elif [ -d "${DIR}" ]; then
			RKHTMPVAR2="${RKHTMPVAR2} ${DIR}"

			if [ -n "${FIND_CMD}" ]; then
				for FNAME in `${FIND_CMD} ${DIR} -type f -a ! -type l 2>/dev/null`; do
					RC_PATHS="${RC_PATHS}
${FNAME}"
				done
			else
				for FNAME in ${DIR}/*; do
					test -f "${FNAME}" -a ! -h "${FNAME}" && RC_PATHS="${RC_PATHS}
${FNAME}"
				done
			fi
		fi
	done

	if [ $STARTUP_PATHS_LOGGED -eq 0 ]; then
		STARTUP_PATHS_LOGGED=1

		test -z "${RKHTMPVAR2}" && RKHTMPVAR2="${RKHTMPVAR}"

		RKHTMPVAR2=`echo ${RKHTMPVAR2}`
		display --to LOG --type INFO CONFIG_STARTUP_PATHS "${RKHTMPVAR2}"
	fi

	return
}


possible_rootkit_string_checks() {

	#
	# This function performs the check for possible rootkit
	# strings in files.
	#

	if `check_test possible_rkt_strings`; then
		display --to LOG --type INFO --nl STARTING_TEST possible_rkt_strings

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --log-indent 2 ROOTKIT_POSS_STRINGS_LOG
		fi
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST possible_rkt_strings
		return
	fi

	#
	# First check to see that we can run the test.
	#

	if [ -z "${STRINGS_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 ROOTKIT_POSS_STRINGS
		display --to LOG --type INFO NOT_FOUND_CMD "strings"
		return
	elif [ "${STARTUP_PATHS}" = "NONE" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color GREEN --screen-indent 4 ROOTKIT_POSS_STRINGS
		display --to LOG --type INFO STARTUP_NONE_GIVEN
		return
	fi


	#
	# Now get and check that the system startup files are okay.
	#

	get_rc_paths

	if [ -z "${RC_PATHS}" ]; then
		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 ROOTKIT_POSS_STRINGS
		display --to LOG --type PLAIN --log-indent 9 STARTUP_CHECK_NO_RC_FILES
		return
	fi


	FOUND=0
	FOUNDFILES=""

	IFS=$IFSNL

	for RKHTMPVAR in ${STRINGSCAN}; do
		FOUNDFILE=0
		STRINGFOUND=0
		FOUNDSTRING=""

		RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ 	]*//'`

		FILE=`echo ${RKHTMPVAR} | cut -d: -f1`
		FILESTRING=`echo ${RKHTMPVAR} | cut -d: -f2`

		if [ "`echo ${FILESTRING} | cut -c 1`" = "+" ]; then
			STRING=`echo ${FILESTRING} | cut -c 2-`
			FILESTRING="${STRING}"
		else
			STRING=`echo ${FILESTRING} | sed -e 's/\./\\\./g'`
		fi

		INFO=`echo ${RKHTMPVAR} | cut -d: -f3`

		if [ "${FILE}" = "rcfile" ]; then
			FOUNDFILE=1

			for FNAME in ${RC_PATHS}; do
				FOUNDSTRING=`${STRINGS_CMD} -n 3 ${FNAME} | grep -v '^[ 	]*#' | grep "${STRING}"`

				if [ -n "${FOUNDSTRING}" ]; then
					FNAMEGREP=`echo "${FNAME}" | sed -e 's/\./\\\./g'`

					if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP}:${STRING} \"`" ]; then
						RKHTMPVAR2=`echo "${STRING}" | sed -e 's/\\\//g'`
						display --to LOG --type INFO FILE_PROP_WL_STR "${FNAME}" "${RKHTMPVAR2}" possible_rkt_strings
					elif [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" -a -z "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP}:\"`" ]; then
						display --to LOG --type INFO FILE_PROP_WL "${FNAME}" possible_rkt_strings
					else
						FOUND=1
						STRINGFOUND=1
						FOUNDSTRINGS="${FOUNDSTRINGS}
${FNAME}:${FILESTRING}:${INFO}"
					fi
				fi
			done
		else
			#
			# We cannot use the 'find_cmd' function here because we
			# are looking at the command binaries themselves, not
			# executing them as commands from the local system.
			#
			# We need to jiggle with IFS here because we are in
			# two loops which are using different field separators.
			#

			IFS=$RKHIFS

			for DIR in ${BINPATHS}; do
				FNAME="${DIR}/${FILE}"

				if [ -f "${FNAME}" ]; then
					FOUNDFILE=1
					FOUNDSTRING=`${STRINGS_CMD} -n 3 ${FNAME} | grep "${STRING}"`

					if [ -n "${FOUNDSTRING}" ]; then
						FNAMEGREP=`echo "${FNAME}" | sed -e 's/\./\\\./g'`

						if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP}:${STRING} \"`" ]; then
							RKHTMPVAR2=`echo "${STRING}" | sed -e 's/\\\//g'`
							display --to LOG --type INFO FILE_PROP_WL_STR "${FNAME}" "${RKHTMPVAR2}" possible_rkt_strings
						elif [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" -a -z "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP}:\"`" ]; then
							display --to LOG --type INFO FILE_PROP_WL "${FNAME}" possible_rkt_strings
						else
							FOUND=1
							STRINGFOUND=1
							FOUNDSTRINGS="${FOUNDSTRINGS}
${FNAME}:${FILESTRING}:${INFO}"
						fi
					fi

					break
				fi
			done
		fi

		if [ $FOUNDFILE -eq 1 ]; then
			ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`

			if [ $VERBOSE_LOGGING -eq 1 ]; then
				if [ $STRINGFOUND -eq 0 ]; then
					display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_STR "${FILESTRING}"
				else
					display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_FILES_DIRS_STR "${FILESTRING}"
				fi
			fi
		fi

		IFS=$IFSNL
	done

	IFS=$RKHIFS


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_POSS_STRINGS
	else
		display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_POSS_STRINGS

		IFS=$IFSNL

		FOUNDSTRINGS=`echo "${FOUNDSTRINGS}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${FOUNDSTRINGS}; do
			FNAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
			STRING=`echo "${RKHTMPVAR}" | cut -d: -f2`

			if [ "`echo ${STRING} | cut -c 1`" = "+" ]; then
				STRING=`echo ${STRING} | cut -c 2-`
			fi

			INFO=`echo "${RKHTMPVAR}" | cut -d: -f3`

			ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
			ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "

			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_POSS_STRINGS_FOUND "${STRING}" "${FNAME}" "${INFO}"
		done

		IFS=$RKHIFS
	fi

	return
}


additional_rootkit_checks() {

	#
	# This function performs additional rootkit checks.
	#

	if `check_test additional_rkts`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST additional_rkts
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_ADD_START
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST additional_rkts
		return
	fi

	test $LINUXOS -eq 1 && suckit_extra_checks

	possible_rootkit_file_dir_checks

	possible_rootkit_string_checks

	return
}



malware_checks() {

	#
	# This function performs malware checks.
	#

	if `check_test malware`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST malware
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_MALWARE_START
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST malware
		return
	fi


	#
	# First we check for processes using deleted files.
	#

	if `check_test deleted_files`; then
		display --to LOG --type INFO --nl STARTING_TEST deleted_files

		if [ -n "${LSOF_CMD}" ]; then
			FOUND=0
			WHITEPROC=""; BLACKPROC=""

			DELE_FILES=`${LSOF_CMD} -wnlP +c 0 ${SOLARISX} | grep '(dele' | head ${HEAD_OPT}1`

			if [ -n "${DELE_FILES}" ]; then
				PIDLIST=" "

				ALLOWPROCDELFILES=`get_option 2 multi ALLOWPROCDELFILE` || exit 1

				IFS=$IFSNL

				for LINE in `${LSOF_CMD} -wnlP +c 0 ${SOLARISX} | grep '(dele'`; do
					PROC=""

					PID=`echo "${LINE}" | awk '{ print $2 }'`
					NODE=`echo "${LINE}" | awk '{ print $8 }'`
					FNAME=`echo "${LINE}" | awk '{ print $9 }'`

					#
					# Skip any PID's we have already seen.
					#

					test -n "`echo \"${PIDLIST}\" | grep \" $PID \"`" && continue

					#
					# Try and get the running process name.
					#

					if [ $HAVE_READLINK -eq 1 ]; then
						RKHTMPVAR=""

						if [ $SOL_PROC -eq 1 ]; then
							test -h "/proc/${PID}/path/a.out" && RKHTMPVAR=`${READLINK_CMD} -f /proc/${PID}/path/a.out`
						elif [ $SUNOS -eq 0 -o -h "/proc/${PID}/exe" ]; then
							test -h "/proc/${PID}/exe" && RKHTMPVAR=`${READLINK_CMD} -f /proc/${PID}/exe`
						fi

						test -n "${RKHTMPVAR}" && PROC=`echo "${RKHTMPVAR}" | cut -d' ' -f1`
					fi

					if [ -z "${PROC}" ]; then
						if [ $SUNOS -eq 1 ]; then
							PROC=`${LSOF_CMD} -wnlP +c 0 -p $PID | grep '[ 	]txt[ 	][ 	]*VREG[ 	]' | head ${HEAD_OPT}1 | awk '{ print $NF }'`
						else
							PROC=`${LSOF_CMD} -wnlP +c 0 -p $PID | grep '[ 	]txt[ 	][ 	]*REG[ 	]' | awk '{ print $NF }'`
						fi

						test -z "${PROC}" && PROC=`echo "${LINE}" | awk '{ print $1 }'`
					fi

					#
					# If FNAME is not a pathname then look at the NODE.
					#

					if [ -z "`echo \"${FNAME}\" | grep '^/'`" ]; then
						if [ -n "`echo \"${NODE}\" | grep '^/'`" ]; then
							FNAME="${NODE}"
						fi
					fi

					#
					# Strip anything after the pathname.
					#

					if [ -n "`echo \"${FNAME}\" | grep '^/'`" ]; then
						FNAME=`echo "${FNAME}" | cut -d' ' -f1`
					fi

					#
					# Now see if the process is whitelisted.
					#

					PROCWHITELISTED=0
					PROCDELFILES_GIVEN=0

					IFS=$RKHIFS

					for RKHTMPVAR in ${ALLOWPROCDELFILES}; do
						PROCDELFILES_GIVEN=0

						if [ -n "`echo \"${RKHTMPVAR}\" | grep ':/'`" ]; then
							PROCDELFILES_GIVEN=1
							RKHTMPVAR2=`echo "${RKHTMPVAR}" | cut -d: -f1`
						else
							RKHTMPVAR2="${RKHTMPVAR}"
						fi

						if [ "${PROC}" = "${RKHTMPVAR2}" ]; then
							if [ $PROCDELFILES_GIVEN -eq 1 ]; then
								RKHTMPVAR3=`echo "${RKHTMPVAR}" | cut -d: -f2-`

								if [ -n "`echo \"${RKHTMPVAR3}\" | grep '[?*]'`" ]; then
									FNAMEGREP=`echo "${RKHTMPVAR3}" | sed -e 's/\./\\\./g; s/\?/./g; s/\*/.*/g'`
								else
									FNAMEGREP=`echo "${RKHTMPVAR3}" | sed -e 's/\./\\\./g'`
								fi

								if [ -n "`echo \"${FNAME}\" | grep \"^${FNAMEGREP}\$\"`" ]; then
									PROCWHITELISTED=1
								fi
							else
								PROCWHITELISTED=1
							fi

							test $PROCWHITELISTED -eq 1 && break
						fi
					done

					IFS=$IFSNL

					test $HAVE_READLINK -eq 0 && PROC="\"${PROC}\""

					if [ $PROCWHITELISTED -eq 1 ]; then
						if [ $PROCDELFILES_GIVEN -eq 1 ]; then
							if [ -z "`echo \"${WHITEPROC} \" | grep \"${PROC}:${FNAME} \"`" ]; then
								WHITEPROC="${WHITEPROC} ${PROC}:${FNAME}"
							fi
						elif [ -z "`echo \"${WHITEPROC} \" | grep \"${PROC} \"`" ]; then
							WHITEPROC="${WHITEPROC} ${PROC}"
						fi
					else
						FOUND=1
						BLACKPROC="${BLACKPROC}
${PROC} ${PID} ${FNAME}"
					fi


					#
					# Finally add the PID to the seen PID list.
					#

					PIDLIST="$PIDLIST $PID "
				done
			fi


			#
			# Now display the results.
			#

			if [ $FOUND -eq 0 ]; then
				display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_DELETED_FILES
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_DELETED_FILES

				display --to LOG --type WARNING ROOTKIT_MALWARE_DELETED_FILES_FOUND

				for LINE in ${BLACKPROC}; do
					PROC=`echo "$LINE" | cut -d' ' -f1`
					PID=`echo "$LINE" | cut -d' ' -f2`
					FNAME=`echo "$LINE" | cut -d' ' -f3`

					test -z "${PROC}" && continue

					display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA "${PROC}" "${PID}" "${FNAME}"
				done
			fi

			IFS=$RKHIFS

			for RKHTMPVAR in ${WHITEPROC}; do
				if [ -n "`echo \"${RKHTMPVAR}\" | grep ':/'`" ]; then
					PROC=`echo "${RKHTMPVAR}" | cut -d: -f1`
					FNAME=`echo "${RKHTMPVAR}" | cut -d: -f2`

					display --to LOG --type INFO ROOTKIT_MALWARE_DELETED_FILES_WL "${PROC}" "${FNAME}"
				else
					display --to LOG --type INFO NETWORK_PACKET_CAP_WL "${RKHTMPVAR}"
				fi
			done
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_DELETED_FILES
			display --to LOG --type INFO NOT_FOUND_CMD "lsof"
		fi
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST deleted_files
	fi


	#
	# Next we check to see if there any running processes
	# using suspicious files.
	#

	if `check_test running_procs`; then
		display --to LOG --type INFO --nl STARTING_TEST running_procs

		if [ -n "${LSOF_CMD}" ]; then
			#
			# First get a temporary file to store the output.
			#

			get_temp_file "${RKHTMPDIR}/lsofprocs.out"
			RKHLSOF_FILE=$TEMPFILE

			${LSOF_CMD} -wnlP +c 0 2>&1 | egrep -v ' (FIFO|V?DIR|IPv[46]) ' | sort | uniq >${RKHLSOF_FILE}

			#
			# Now loop through the known suspicious filenames,
			# and see if any are in the lsof output.
			#

			FOUND=0
			SUSP_FILES=""

			IFS=$IFSNL

			for RKHTMPVAR in ${SUSP_FILES_INFO}; do
				RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ 	]*//'`

				FNAME=`echo ${RKHTMPVAR} | cut -d: -f1`

				FNAMEGREP=`echo ${FNAME} | sed -e 's/\./\\\./g'`

				FOUNDFILES=`grep "/${FNAMEGREP}$" ${RKHLSOF_FILE}`

				if [ -n "${FOUNDFILES}" ]; then
					FOUND=0

					INFO=`echo ${RKHTMPVAR} | cut -d: -f2`

					#
					# It is possible that more than one line of output was found.
					# So we must loop through them and record them all.
					#

					for FNAME in ${FOUNDFILES}; do
						#
						# See if the filename has been whitelisted.
						#

						FILENAME=`echo "${FNAME}" | sed -e 's/^.*[ 	]\([^ 	][^ 	]*\)$/\1/'`
						FNAMEGREP=`echo ${FILENAME} | sed -e 's/\./\\\./g'`

						if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
							display --to LOG --type INFO FILE_PROP_WL "${FILENAME}" running_procs
						else
							FOUND=1
							SUSP_FILES="${SUSP_FILES}
${RKHTMPVAR}:${FNAME}"
						fi
					done

					if [ $FOUND -eq 1 ]; then
						ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
						ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "
					fi
				fi
			done

			IFS=$RKHIFS

			rm -f ${RKHLSOF_FILE} >/dev/null 2>&1

			if [ $FOUND -eq 0 ]; then
				display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_SUSP_FILES
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_SUSP_FILES
				display --to LOG --type WARNING ROOTKIT_MALWARE_SUSP_FILES_FOUND

				IFS=$IFSNL

				SUSP_FILES=`echo "${SUSP_FILES}" | sed -e '/^$/d'`

				for FILENAME in ${SUSP_FILES}; do
					INFO=`echo ${FILENAME} | cut -d: -f2`
					RKHTMPVAR=`echo ${FILENAME} | cut -d: -f3-`

					FOUNDINFO=`echo "${RKHTMPVAR}" | awk '{ print $1 }'`
					display --to LOG --type PLAIN --log-indent 9 ROOTKIT_MALWARE_SUSP_FILES_FOUND_CMD "${FOUNDINFO}"

					FOUNDINFO=`echo "${RKHTMPVAR}" | awk '{ print $3 }'`
					RKHTMPVAR2=`echo "${RKHTMPVAR}" | awk '{ print $2 }'`
					display --to LOG --type PLAIN --log-indent 11 ROOTKIT_MALWARE_SUSP_FILES_FOUND_UID "${FOUNDINFO}" "${RKHTMPVAR2}"

					FOUNDINFO=`echo "${RKHTMPVAR}" | awk '{ print $9 }'`
					display --to LOG --type PLAIN --log-indent 11 ROOTKIT_MALWARE_SUSP_FILES_FOUND_PATH "${FOUNDINFO}"

					display --to LOG --type PLAIN --log-indent 11 ROOTKIT_MALWARE_SUSP_FILES_FOUND_RTKT "${INFO}"
				done

				IFS=$RKHIFS
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_SUSP_FILES
			display --to LOG --type INFO NOT_FOUND_CMD "lsof"
		fi
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST running_procs
	fi


	#
	# Next we check for any hidden processes.
	#

	if `check_test hidden_procs`; then
		FOUND=0
		UNHIDE_VERS=0
		HIDDEN_PROCS=""

		display --to LOG --type INFO --nl STARTING_TEST hidden_procs


		#
		# First we test for the 'unhide' C program.
		#

		SEEN=0
		RKHTMPVAR="unhide"
		UNHIDE_CMD=`find_cmd unhide`

		if [ $LINUXOS -eq 1 -a -z "${UNHIDE_CMD}" ]; then
			if [ -n "`uname -r | grep '^2\.6'`" ]; then
				RKHTMPVAR="unhide-linux26"
				UNHIDE_CMD=`find_cmd unhide-linux26`
			fi
		fi

		if [ -n "${UNHIDE_CMD}" ]; then
			FOUND=1

			display --to LOG --type INFO FOUND_CMD "${RKHTMPVAR}" "${UNHIDE_CMD}"

			if [ $NOUNHIDE -eq 1 ]; then
				SEEN=1
				display --to LOG --type INFO ROOTKIT_MALWARE_HIDDEN_PROCS_NOUNHIDE 'unhide'
			else
				#
				# Dig out the version number for use later on.
				#

				UNHIDE_VERS=`${UNHIDE_CMD} -V 2>/dev/null | head ${HEAD_OPT}1`

				if [ -n "`echo ${UNHIDE_VERS} | grep '^Unhide [0-9][0-9]*$'`" ]; then
					UNHIDE_VERS=`echo ${UNHIDE_VERS} | cut -d' ' -f2`
				else
					UNHIDE_VERS=0
				fi

				if [ $VERBOSE_LOGGING -eq 1 ]; then
					display --to LOG --type INFO ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS "${UNHIDE_VERS}"
				fi


				#
				# Now run each of the configured tests.
				#

				UNHIDE_OPTS=""
				FOUND_PROCS=""

				for RKHTMPVAR in ${UNHIDE_TESTS}; do
					if [ -n "`echo ${RKHTMPVAR} | grep '^-'`" ]; then
						# Only newer versions have command-line options.
						if [ $UNHIDE_VERS -ge 20100919 ]; then
							# Ignore obvious invalid options.
							test "${RKHTMPVAR}" = "-V" -o "${RKHTMPVAR}" = "-h" && continue

							UNHIDE_OPTS="${UNHIDE_OPTS} ${RKHTMPVAR}"
						fi

						continue
					elif [ $UNHIDE_VERS -lt 20100819 ]; then
						# Ignore unknown tests for earlier versions.
						test "${RKHTMPVAR}" != "sys" -a "${RKHTMPVAR}" != "proc" -a "${RKHTMPVAR}" != "brute" && continue
					fi

					SEEN=1
					FOUND_PROCS=`${UNHIDE_CMD} ${UNHIDE_OPTS} ${RKHTMPVAR} 2>&1 | egrep -v '^(Unhide |yjesus@|http:|\[\*\]|$)'`

					if [ -z "${FOUND_PROCS}" ]; then
						# Nothing found.
						if [ $VERBOSE_LOGGING -eq 1 ]; then
							display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD "`echo unhide ${UNHIDE_OPTS} ${RKHTMPVAR}`"
						fi
					else
						# For newer versions we can sort the messages.
						if [ $UNHIDE_VERS -ge 20100919 ]; then
							FOUND_PROCS=`echo "${FOUND_PROCS}" | sort | uniq`
						fi

						HIDDEN_PROCS="${HIDDEN_PROCS}
${FOUND_PROCS}"

						display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD "`echo unhide ${UNHIDE_OPTS} ${RKHTMPVAR}`"
					fi
				done


				#
				# Mark the test as skipped if we have not executed any command because of invalid test names.
				#

				if [ $SEEN -eq 0 ]; then
					display --to LOG --type PLAIN --result SKIPPED --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD "`echo unhide ${UNHIDE_OPTS} ${RKHTMPVAR}`"
				fi
			fi
		else
			SEEN=1
			display --to LOG --type INFO NOT_FOUND_CMD 'unhide'

			if [ "${RKHTMPVAR}" = "unhide-linux26" ]; then
				display --to LOG --type INFO NOT_FOUND_CMD "${RKHTMPVAR}"
			fi
		fi


		#
		# Next we test for the 'unhide.rb' Ruby program.
		#

		ERRCODE=0
		RKHTMPVAR=""

		UNHIDE_CMD=`find_cmd unhide.rb`

		if [ -n "${UNHIDE_CMD}" ]; then
			FOUND=1

			display --to LOG --type INFO FOUND_CMD 'unhide.rb' "${UNHIDE_CMD}"

			if [ $NOUNHIDE -eq 2 ]; then
				display --to LOG --type INFO ROOTKIT_MALWARE_HIDDEN_PROCS_NOUNHIDE 'unhide.rb'
			else
				RKHTMPVAR=`${UNHIDE_CMD} 2>&1`
				ERRCODE=$?

				if [ $ERRCODE -eq 0 ]; then
					# Nothing found.
					if [ $VERBOSE_LOGGING -eq 1 ]; then
						display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD 'unhide.rb'
					fi
				elif [ $ERRCODE -eq 1 ]; then
					# An error occurred. This is handled in the results section below.
					display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD 'unhide.rb'
				elif [ $ERRCODE -eq 2 ]; then
					# Something found.
					HIDDEN_PROCS="${HIDDEN_PROCS}
${RKHTMPVAR}"

					display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD 'unhide.rb'
				fi
			fi
		else
			display --to LOG --type INFO NOT_FOUND_CMD "unhide.rb"
		fi


		#
		# Now display the results.
		#
		# At this point if SEEN is 0, then a problem occurred with the 'unhide' program.
		# If ERRCODE is 1, then a problem occurred with the 'unhide.rb' program. In both
		# cases we treat these as warnings so that the user is aware that something went
		# wrong.
		#

		HIDDEN_PROCS=`echo "${HIDDEN_PROCS}" | sed -e '/^$/d'`

		if [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS
		elif [ -z "${HIDDEN_PROCS}" -a $ERRCODE -ne 1 -a $SEEN -eq 1 ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS
		else
			#
			# At this point we have either found a hidden PID, or an error occurred with the 'unhide.rb' program,
			# or both. We need to warn the user in either case. We also need to display all the information.
			#

			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_HIDDEN_PROCS

			#
			# First see if an 'unhide.rb' error occurred.
			#

			if [ $ERRCODE -eq 1 ]; then
				display --to LOG --type WARNING --log-indent 2 ROOTKIT_MALWARE_HIDDEN_PROCS_RUBY_ERR

				IFS=$IFSNL

				for RKHTMPVAR2 in ${RKHTMPVAR}; do
					display --to LOG --type PLAIN --log-indent 9 NAME "${RKHTMPVAR2}"
				done

				IFS=$RKHIFS
			fi

			#
			# Next see if there was a problem executing the 'unhide' commands.
			#

			if [ $SEEN -eq 0 ]; then
				display --to LOG --type WARNING --log-indent 2 ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR "${UNHIDE_TESTS}"
			fi

			#
			# Now display if any actual hidden PIDs were found.
			#

			if [ -n "${HIDDEN_PROCS}" ]; then
				display --to LOG --type WARNING --log-indent 2 ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND

				IFS=$IFSNL

				for RKHTMPVAR in ${HIDDEN_PROCS}; do
					display --to LOG --type PLAIN --log-indent 9 NAME "${RKHTMPVAR}"
				done

				IFS=$RKHIFS
			fi
		fi
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST hidden_procs
	fi


	# 
	# Next we run the check for suspicious file contents.
	# 

	suspscan


	#
	# We have completed the checks which can be enabled/disabled,
	# but we need to be able to exclude or include the rest of the
	# malware checks. As such we do a simple test for 'other_malware'
	# as a test name, and only proceed if it is enabled.
	#

	if `check_test other_malware`; then
		display --to LOG --type INFO --nl STARTING_TEST other_malware

		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --log-indent 2 ROOTKIT_MALWARE_LOGIN_BDOOR_LOG
		fi
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST other_malware
		return
	fi


	#
	# Next we check for login backdoors.
	#

	FOUND=0
	FOUNDFILES=""

	for FNAME in ${LOGIN_BACKDOOR_FILES}; do
		if [ -e "${FNAME}" ]; then
			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\./\\\./g'`

			if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
				display --to LOG --type INFO FILE_PROP_WL "${FNAME}" other_malware
			else
				FOUND=1
				FOUNDFILES="${FOUNDFILES} ${FNAME}"
			fi

			test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_MALWARE_LOGIN_BDOOR_CHK "${FNAME}"
		elif [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_MALWARE_LOGIN_BDOOR_CHK "${FNAME}"
		fi
	done


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_LOGIN_BDOOR
	else
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_LOGIN_BDOOR

		for FNAME in ${FOUNDFILES}; do
			display --to LOG --type WARNING ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND "${FNAME}"
		done
	fi


	#
	# Next check for any suspicious directories.
	#

	FOUND=0
	FOUNDDIRS=""

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_MALWARE_SUSP_DIR_LOG
	fi

	for DIR in ${SUSPICIOUS_DIRS}; do
		if [ -d "${DIR}" ]; then
			FNAMEGREP=`echo "${DIR}" | sed -e 's/\./\\\./g'`

			if [ -n "`echo \"${RTKT_DIR_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
				display --to LOG --type INFO FILE_PROP_WL_DIR "${DIR}" other_malware
			else
				FOUND=1
				FOUNDDIRS="${FOUNDDIRS} ${DIR}"
			fi

			test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "${DIR}"
		elif [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_DIR "${DIR}"
		fi
	done


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SUSP_DIR
	else
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SUSP_DIR

		for DIR in ${FOUNDDIRS}; do
			display --to LOG --type WARNING ROOTKIT_MALWARE_SUSP_DIR_FOUND "${DIR}"
		done
	fi


	#
	# Next we check for any software intrusions.
	#

	TRIPWIREFILE="/var/lib/tripwire/`uname -n 2>/dev/null`.twd"

	if [ -f "${TRIPWIREFILE}" ]; then
		if [ -z "`grep 'Tripwire segment-faulted !' ${TRIPWIREFILE}`" ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 --log-nl ROOTKIT_MALWARE_SFW_INTRUSION
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 --log-nl ROOTKIT_MALWARE_SFW_INTRUSION
			display --to LOG --type WARNING --log-indent 2 ROOTKIT_MALWARE_SFW_INTRUSION_FOUND "${TRIPWIREFILE}" "Tripwire segment-faulted"
		fi
	else
		display --to LOG --type PLAIN --result SKIPPED --log-indent 2 --log-nl ROOTKIT_MALWARE_SFW_INTRUSION
		display --to LOG --type INFO ROOTKIT_MALWARE_SFW_INTRUSION_SKIP
	fi


	#
	# Next, check for sniffer log files.
	#

	FOUND=0
	FOUNDFILES=""

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_MALWARE_SNIFFER_LOG
	fi

	for FNAME in ${SNIFFER_FILES}; do
		if [ -f "${FNAME}" ]; then
			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\./\\\./g'`

			if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" ]; then
				display --to LOG --type INFO FILE_PROP_WL "${FNAME}" other_malware
			else
				FOUND=1
				FOUNDFILES="${FOUNDFILES} ${FNAME}"
			fi

			test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "${FNAME}"
		elif [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --result NOT_FOUND --log-indent 4 ROOTKIT_FILES_DIRS_FILE "${FNAME}"
		fi
	done


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SNIFFER
	else
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_MALWARE_SNIFFER

		for FNAME in ${FOUNDFILES}; do
			display --to LOG --type WARNING ROOTKIT_MALWARE_SNIFFER_FOUND "${FNAME}"
		done
	fi

	return
}


xinetd_include() {

	#
	# This function handles the xinetd 'include' directive.
	# It is also used to initially process the xinetd.conf
	# file, and to process any files within an 'includedir'
	# directory.
	#
	# Any filename containing a dot or ending in a tilde (~)
	# is ignored. Also absolute pathnames must be used.
	#

	test -z "$1" -o ! -f "$1" && return
	test -z "`echo \"$1\" | grep '^/'`" && return

	test -n "`echo \"$1\" | grep '/[^/]*\.[^/]*$'`" -a "$1" != "${XINETD_CONF_PATH}" && return
	test -n "`echo \"$1\" | grep '~$'`" && return


	#
	# First see if any services have been enabled.
	#

	if [ -n "`grep '^[ 	]*disable[ 	]*=[ 	]*no' $1`" ]; then
		#
		# See if the file is whitelisted.
		#

		RKHTMPVAR=0

		for FNAME in ${XINETDALLOWEDSVCS}; do
			if [ "${FNAME}" = "$1" ]; then
				RKHTMPVAR=1
				break
			fi
		done

		if [ $RKHTMPVAR -eq 0 ]; then
			FOUND=1
			FOUNDFILES="${FOUNDFILES} $1"

			if [ $VERBOSE_LOGGING -eq 1 ]; then
				display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_TROJAN_XINETD_ENABLED "$1"
			fi
		elif [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_TROJAN_XINETD_ENABLED "$1"
			display --to LOG --type INFO ROOTKIT_TROJAN_XINETD_WHITELIST "$1" "xinetd"
		fi
	elif [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_TROJAN_XINETD_ENABLED "$1"
	fi


	#
	# Next we look for any 'include' directives.
	#

	for FNAME in `grep '^[ 	]*include[ 	]' $1 | awk '{ print $2 }'`; do
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --log-indent 6 ROOTKIT_TROJAN_XINETD_INCLUDE "${FNAME}"
		fi

		xinetd_include "${FNAME}"
	done


	#
	# Finally we look for any 'includedir' directives.
	#

	for DIR in `grep '^[ 	]*includedir[ 	]' $1 | awk '{ print $2 }'`; do
		if [ $VERBOSE_LOGGING -eq 1 ]; then
			display --to LOG --type PLAIN --log-indent 6 ROOTKIT_TROJAN_XINETD_INCLUDEDIR "${DIR}"
		fi

		xinetd_includedir "${DIR}"
	done

	return
}


xinetd_includedir() {

	#
	# This function handles the xinetd 'includedir' directive.
	#
	# Absolute pathnames must be used.
	#

	test -z "$1" -o ! -d "$1" && return
	test -z "`echo \"$1\" | grep '^/'`" && return


	for FNAME in `ls $1`; do
		xinetd_include "$1/${FNAME}"
	done

	return
}


sol10_inetd() {

	#
	# This function handles the Solaris 10, and later, inetd
	# configuration. Because the original inetd.conf file may
	# well exist, we look in there as well for any enabled services.
	#
	# This function sets the FOUNDSTRING variable, which will
	# be used later.
	#

	FOUNDSTRING=`${INETADM_CMD} | grep '^enabled' | cut -d: -f2`

	if [ -f "${INETD_CONF_PATH}" ]; then
		STR=`grep -v '^#' ${INETD_CONF_PATH} | awk '{ print $1 }'`

		#
		# Remove any inetd services which we already know
		# about from inetadm.
		#

		for RKHTMPVAR in ${STR}; do
			if [ -z "`echo \"${FOUNDSTRING}\" | grep \"/${RKHTMPVAR}/\"`" ]; then
				FOUNDSTRING="${FOUNDSTRING} ${RKHTMPVAR}"
			fi
		done
	fi

	return
}


trojan_checks() {

	#
	# This function performs some trojan specific checks.
	#

	if `check_test trojans`; then
		if ! `check_test malware`; then
			display --to SCREEN --type PLAIN --screen-indent 2 --nl ROOTKIT_MALWARE_START
		fi

		display --to LOG --type INFO --nl STARTING_TEST trojans
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST trojans
		return
	fi


	#
	# We first need to see if we are running Solaris 10 or later.
	# Earlier versions of Solaris used the standard inetd configuration
	# file, but later versions use a different mechanism. The 'inetadm'
	# command can be used on these later Solaris versions.
	#

	if [ $SUNOS -eq 1 ]; then
		INETADM_CMD=`find_cmd inetadm`

		test -n "${INETADM_CMD}" && sol10_inetd
	else
		INETADM_CMD=""
	fi


	if [ -f "${INETD_CONF_PATH}" -o -f "${XINETD_CONF_PATH}" -o -n "${INETADM_CMD}" ]; then
		RKHTMPVAR="SCREEN+LOG"
	else
		RKHTMPVAR="LOG"
	fi

	display --to "${RKHTMPVAR}" --type PLAIN --screen-indent 2 ROOTKIT_TROJAN_START


	#
	# We first check the inetd.conf file. This includes the
	# Solaris 10 inetd services as well.
	#

	if [ -f "${INETD_CONF_PATH}" -o -n "${INETADM_CMD}" ]; then
		if [ -z "${INETADM_CMD}" ]; then
			display --to LOG --type INFO CONFIG_XINETD_PATH "inetd" "${INETD_CONF_PATH}"

			FOUNDSTRING=`grep -v '^#' ${INETD_CONF_PATH} | awk '{ print $1 }'`
		else
			display --to LOG --type INFO CONFIG_SOL10_INETD
		fi

		#
		# We now need to see if any of the services are whitelisted.
		#

		RKHTMPVAR=""

		for STR in ${FOUNDSTRING}; do
			FOUND=0

			for SVC in ${INETDALLOWEDSVCS}; do
				if [ "${STR}" = "${SVC}" ]; then
					FOUND=1
					display --to LOG --type INFO ROOTKIT_TROJAN_XINETD_WHITELIST "${SVC}" "inetd"
					break
				fi
			done

			if [ $FOUND -eq 0 ]; then
				#
				# We want to change any RPC services into
				# an actual executable name, if we can. The
				# executable is the sixth field. If the
				# sixth field is empty or this is an internal
				# service, then we just use the service name.
				#

				if [ -n "`echo \"${STR}\" | grep '^[0-9/_-]*$'`" ]; then
					EXECNAME=`grep "^${STR}" ${INETD_CONF_PATH} | awk '{ print $6 }'`

					test -z "${EXECNAME}" -o "${EXECNAME}" = "internal" && EXECNAME="${STR}"

					STR="${EXECNAME}"


					#
					# Now check if the executable has been whitelisted.
					#

					for SVC in ${INETDALLOWEDSVCS}; do
						if [ "${STR}" = "${SVC}" ]; then
							FOUND=1
							display --to LOG --type INFO ROOTKIT_TROJAN_XINETD_WHITELIST "${SVC}" "inetd"
							break
						fi
					done
				fi

				test $FOUND -eq 0 && RKHTMPVAR="${RKHTMPVAR} ${STR}"
			fi
		done

		FOUNDSTRING="${RKHTMPVAR}"


		#
		# Now display the results.
		#

		if [ -z "${FOUNDSTRING}" ]; then
			display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_TROJAN_INETD
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_TROJAN_INETD

			for STR in ${FOUNDSTRING}; do
				display --to LOG --type WARNING ROOTKIT_TROJAN_INETD_FOUND "${STR}"
			done
		fi
	else
		display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_TROJAN_INETD
		display --to LOG --type INFO ROOTKIT_TROJAN_INETD_SKIP "${INETD_CONF_PATH}"
	fi


	#
	# Next we check the xinetd.conf file.
	#

	FOUND=0
	FOUNDFILES=""

	if [ $VERBOSE_LOGGING -eq 1 ]; then
		display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_TROJAN_XINETD_LOG
	fi

	if [ -f "${XINETD_CONF_PATH}" ]; then
		display --to LOG --type INFO CONFIG_XINETD_PATH "xinetd" "${XINETD_CONF_PATH}"

		xinetd_include "${XINETD_CONF_PATH}"


		#
		# Now display the results.
		#

		if [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_XINETD
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_XINETD

			for FNAME in ${FOUNDFILES}; do
				display --to LOG --type WARNING ROOTKIT_TROJAN_XINETD_ENABLED_FOUND "${FNAME}"
			done
		fi
	else
		display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_TROJAN_XINETD
		display --to LOG --type INFO ROOTKIT_TROJAN_INETD_SKIP "${XINETD_CONF_PATH}"
	fi


	#
	# Finally we check for an Apache backdoor module.
	#

	FOUND=0
	FOUNDFILES=""

	MOD_DIRS="/etc/apache2/mods-enabled /etc/httpd/modules /usr/apache/libexec /usr/lib/modules /usr/local/apache/modules"

	HTTPDDIRS="/usr/local/apache/conf /usr/local/etc/apache /etc/apache /etc/httpd/conf"

	for DIR in ${MOD_DIRS} ${HTTPDDIRS}; do
		if [ -d "${DIR}" ]; then
			FOUND=1

			test -f "${DIR}/mod_rootme.so" && FOUNDFILES="${FOUNDFILES} ${DIR}/mod_rootme.so"
			test -f "${DIR}/mod_rootme2.so" && FOUNDFILES="${FOUNDFILES} ${DIR}/mod_rootme2.so"

			if [ -f "${DIR}/httpd.conf" ]; then
				if [ -n "`egrep 'mod_rootme2?\.so' ${DIR}/httpd.conf`" ]; then
					FOUNDFILES="${FOUNDFILES} ${DIR}/httpd.conf"
				fi
			fi
		fi
	done


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to LOG --type INFO ROOTKIT_TROJAN_APACHE_SKIPPED
	elif [ -z "${FOUNDFILES}" ]; then
		display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_APACHE
	else
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_TROJAN_APACHE

		for FILE in ${FOUNDFILES}; do
			display --to LOG --type WARNING ROOTKIT_TROJAN_APACHE_FOUND "${FILE}"
		done
	fi

	return
}


bsd_specific_checks() {

	#
	# This function performs tests specific to the BSD O/S.
	#

	#
	# We check that the output of sockstat and netstat for
	# local listening sockets is the same.
	#

	SOCKSTAT_CMD=`find_cmd sockstat`

	if [ -n "${SOCKSTAT_CMD}" -a -n "${NETSTAT_CMD}" ]; then
		test "${OPERATING_SYSTEM}" = "NetBSD" && RKHTMPVAR="-n" || RKHTMPVAR=""

		SOCKSTAT_OUTPUT=`${SOCKSTAT_CMD} ${RKHTMPVAR} | awk '$5 ~ /^(tcp|udp)/ { if ($6 == 6) print $7; else print $6 }'`

		SOCKSTAT_OUTPUT=`echo "${SOCKSTAT_OUTPUT}" | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`

		NETSTAT_OUTPUT=`${NETSTAT_CMD} -an | awk '$1 ~ /^(tcp|udp)/ { print $4 }' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq`

		if [ "${SOCKSTAT_OUTPUT}" = "${NETSTAT_OUTPUT}" ]; then
			display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET
		else
			SOCKSTAT_OUTPUT=`echo ${SOCKSTAT_OUTPUT}`
			NETSTAT_OUTPUT=`echo ${NETSTAT_OUTPUT}`

			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET

			display --to LOG --type WARNING ROOTKIT_OS_BSD_SOCKNET_FOUND
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_BSD_SOCKNET_OUTPUT "Sockstat" "${SOCKSTAT_OUTPUT}"
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_BSD_SOCKNET_OUTPUT "Netstat" "${NETSTAT_OUTPUT}"
		fi
	else
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_OS_BSD_SOCKNET

		test -z "${SOCKSTAT_CMD}" && display --to LOG --type INFO NOT_FOUND_CMD "sockstat"
		test -z "${NETSTAT_CMD}" && display --to LOG --type INFO NOT_FOUND_CMD "netstat"
	fi

	return
}


freebsd_specific_checks() {

	#
	# This function performs tests specific to the FreeBSD O/S.
	#


	#
	# First we check for KLD backdoors.
	#

	KLDSTAT_CMD=`find_cmd kldstat`

	if [ -n "${KLDSTAT_CMD}" ]; then
		FOUND=0
		FOUNDKEYS=""

		for RKHTMPVAR in ${KLDSTATKEYWORDS}; do
			RKHTMPVAR=`echo ${RKHTMPVAR}`

			KLDKEYWD=`echo ${RKHTMPVAR} | sed -e 's/\./\\\./g'`

			if [ -n "`${KLDSTAT_CMD} -v | grep \"${KLDKEYWD}\"`" ]; then
				FOUND=1
				FOUNDKEYS="${FOUNDKEYS} ${RKHTMPVAR} "
			fi
		done


		if [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_OS_FREEBSD_KLD
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_OS_FREEBSD_KLD

			for RKHTMPVAR in ${FOUNDKEYS}; do
				display --to LOG --type WARNING ROOTKIT_OS_FREEBSD_KLD_FOUND "${RKHTMPVAR}"
			done
		fi
	else
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_OS_FREEBSD_KLD

		display --to LOG --type INFO NOT_FOUND_CMD "kldstat"
	fi


	#
	# Next we check that the package database is okay.
	#

	if [ "${OPERATING_SYSTEM}" = "DragonFly" ]; then
		PKGDB_CMD=`find_cmd pkg_admin`

		if [ -n "${PKGDB_CMD}" ]; then
			RKHTMPVAR=`${PKGDB_CMD} check 2>&1 >/dev/null`

			if [ -z "${RKHTMPVAR}" ]; then
				display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB

				display --to LOG --type WARNING ROOTKIT_OS_DFLY_PKGDB_NOTOK
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB

			display --to LOG --type INFO NOT_FOUND_CMD "pkg_admin"
		fi
	else
		PKGDB_CMD=`find_cmd pkgdb`

		if [ -n "${PKGDB_CMD}" ]; then
			RKHTMPVAR=`${PKGDB_CMD} -Fa -v 2>&1 | grep 'Skipped\.'`

			if [ -z "${RKHTMPVAR}" ]; then
				display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB

				display --to LOG --type WARNING ROOTKIT_OS_FREEBSD_PKGDB_NOTOK
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_OS_FREEBSD_PKGDB

			display --to LOG --type INFO NOT_FOUND_CMD "pkgdb"
		fi
	fi

	return
}


linux_loaded_modules() {

	#
	# This test checks the currently loaded kernel modules. It verifies
	# that what is seen by the 'lsmod' command is the same as seen in
	# the /proc/modules directory.
	#

	if ! `check_test loaded_modules`; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST loaded_modules
		return
	fi


	if [ ! -f "/proc/modules" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_OS_LINUX_LKM

		display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKM_MOD_MISSING "/proc/modules"
	elif [ -z "${LSMOD_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_OS_LINUX_LKM

		test -z "${LSMOD_CMD}" && display --to LOG --type INFO NOT_FOUND_CMD "lsmod"
	else
		PROC_OUTPUT=`cat /proc/modules | cut -d' ' -f1 | sort`
		LSMOD_OUTPUT=`${LSMOD_CMD} | grep -v 'Size *Used *by' | cut -d' ' -f1 | sort`


		if [ -n "${PROC_OUTPUT}" -a -n "${LSMOD_OUTPUT}" ]; then
			if [ "${PROC_OUTPUT}" = "${LSMOD_OUTPUT}" ]; then
				display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_OS_LINUX_LKM
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_OS_LINUX_LKM

				display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKM_FOUND
				display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT "/proc/modules" "${PROC_OUTPUT}"
				display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT "lsmod" "${LSMOD_OUTPUT}"
			fi
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_OS_LINUX_LKM

			display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKM_EMPTY
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT "/proc/modules" "${PROC_OUTPUT}"
			display --to LOG --type PLAIN --log-indent 9 ROOTKIT_OS_LINUX_LKM_OUTPUT "lsmod" "${LSMOD_OUTPUT}"
		fi
	fi

	return
}


linux_avail_modules() {

	#
	# This test checks the names of the kernel
	# modules that are available on this system.
	#

	if ! `check_test avail_modules`; then
		display --to LOG --type INFO --nl USER_DISABLED_TEST avail_modules
		return
	fi


	#
	# First obtain and log where the modules are kept. This can
	# be set in the configuration file, but generally rkhunter
	# will determine the location based on the kernel version.
	# However, in the case of remote diagnostics the diagnosing
	# and diagnosed kernel versions may be different. In this
	# case we simply look in '/lib/modules'.
	#

	FOUND=0
	FOUNDFILES=""
	LKM_PATH=""
	LKM_NAMES=""

	RKHTMPVAR=`get_option 1 single MODULES_DIR` || exit 1

	if [ -n "${RKHTMPVAR}" ]; then
		LKM_PATH="${RKHTMPVAR}"
	else
		LKM_PATH="/lib/modules/`uname -r 2>/dev/null`"
		test ! -d "${LKM_PATH}" && LKM_PATH="/lib/modules"
	fi

	display --to LOG --type INFO ROOTKIT_OS_LINUX_LKMNAMES_PATH "${LKM_PATH}"


	#
	# Next, we reformat the LKM names at this point since
	# we only need to do it once.
	#

	for RKHTMPVAR in ${LKM_BADNAMES}; do
		RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/\./\\\./g'`

		LKM_NAMES="${LKM_NAMES} ${RKHTMPVAR}"
	done


	#
	# Now do the test.
	#

	if [ ! -d "${LKM_PATH}" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES

		display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKMNAMES_PATH_MISSING "${LKM_PATH}"
	elif [ -z "${FIND_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES

		display --to LOG --type INFO NOT_FOUND_CMD "find"
	elif [ -z "`ls -1 ${LKM_PATH} 2>/dev/null`" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES

		display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKMNAMES_PATH_MISSING "${LKM_PATH}"
	else
		for FNAME in `${FIND_CMD} ${LKM_PATH} -type f -name "*.o" 2>/dev/null`; do
			for RKHTMPVAR in ${LKM_NAMES}; do
				if [ -n "`echo ${FNAME} | grep \"/${RKHTMPVAR}$\"`" ]; then
					FOUND=1
					FOUNDFILES="${FOUNDFILES} ${RKHTMPVAR}"
				fi
			done
		done


		if [ $FOUND -eq 0 ]; then
			display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ROOTKIT_OS_LINUX_LKMNAMES

			for RKHTMPVAR in ${FOUNDFILES}; do
				RKHTMPVAR=`echo "${RKHTMPVAR}" | sed -e 's/\\\././g'`

				display --to LOG --type WARNING ROOTKIT_OS_LINUX_LKMNAMES_FOUND "${LKM_PATH}" "${RKHTMPVAR}"
			done
		fi
	fi

	return
}


linux_specific_checks() {

	#
	# This function performs tests specific to the Linux O/S.
	#

	linux_loaded_modules

	linux_avail_modules

	return
}


os_specific_checks() {

	#
	# This function performs any O/S specific tests.
	#

	if `check_test os_specific`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST os_specific
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST os_specific
		return
	fi


	#
	# Run the relevant O/S specific tests.
	#

	case "${OPERATING_SYSTEM}" in
	FreeBSD|NetBSD|DragonFly)
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_OS_START "${OPERATING_SYSTEM}"

		bsd_specific_checks

		test "${OPERATING_SYSTEM}" = "FreeBSD" -o "${OPERATING_SYSTEM}" = "DragonFly" && freebsd_specific_checks
		;;
	Linux)
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ROOTKIT_OS_START "${OPERATING_SYSTEM}"

		linux_specific_checks
		;;
	*)
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 --color YELLOW --result SKIPPED ROOTKIT_OS_START "${OPERATING_SYSTEM}"
		display --to LOG --type INFO ROOTKIT_OS_SKIPPED
		;;
	esac

	return
}


do_rootkit_checks() {

	#
	# This function carries out a sequence of tests for rootkits.
	# This consists of the default files and directories check,
	# possible rootkit checks, and checks for malware.
	#

	if `check_test rootkits`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST rootkits
		display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_ROOTKITS
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST rootkits
		return
	fi


	rootkit_file_dir_checks

	check_test known_rkts || check_test all && keypresspause

	additional_rootkit_checks

	malware_checks

	trojan_checks

	os_specific_checks

	keypresspause

	return
}


check_port_wl() {

	#
	# This function tries to find the PID and command pathname using
	# a given port. It then checks to see if the port is whitelisted.
	#
	# A single parameter indicates if we are in the 'hidden_ports'
	# test or not.
	#

	PID=0
	PID_SEEN=0
	FNAME=""
	FOUND=""

	IN_HIDDEN_PORTS=$1

	if [ -n "${LSOF_CMD}" ]; then
		IFS=$IFSNL

		for LSOFLINE in `${LSOF_CMD} -wnlP -i ${PROTO}:${PORT}`; do
			#
			# We must only look at connections using the port on the local host.
			#

			if [ -n "`echo \"${LSOFLINE}\" | grep \" ${PROTO} \*:${PORT} \"`" ]; then
				# Process listening for connections from anywhere.
				PID=`echo "${LSOFLINE}" | awk '{ print $2 }'`
			elif [ -n "`echo \"${LSOFLINE}\" | egrep \" ${PROTO} [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:${PORT}[ -]\"`" ]; then
				# Established or listening process using IPv4 address.
				PID=`echo "${LSOFLINE}" | awk '{ print $2 }'`
			elif [ -n "`echo \"${LSOFLINE}\" | egrep \" ${PROTO} \[[:0-9a-fA-F]+\]:${PORT}[ -]\"`" ]; then
				# Established or listening process using IPv6 address.
				PID=`echo "${LSOFLINE}" | awk '{ print $2 }'`
			else
				# Ignore anything else.
				continue
			fi

			PID_SEEN=1

			#
			# Try and get the running process name.
			#

			if [ $HAVE_READLINK -eq 1 ]; then
				RKHTMPVAR=""

				if [ $SOL_PROC -eq 1 ]; then
					test -h "/proc/${PID}/path/a.out" && RKHTMPVAR=`${READLINK_CMD} -f /proc/${PID}/path/a.out`
				elif [ $SUNOS -eq 0 -o -h "/proc/${PID}/exe" ]; then
					test -h "/proc/${PID}/exe" && RKHTMPVAR=`${READLINK_CMD} -f /proc/${PID}/exe`
				fi

				test -n "${RKHTMPVAR}" && FNAME=`echo "${RKHTMPVAR}" | cut -d' ' -f1`
			fi

			if [ -z "${FNAME}" ]; then
				if [ $SUNOS -eq 1 ]; then
					FNAME=`${LSOF_CMD} -wnlP +c 0 -p $PID | grep '[ 	]txt[ 	][ 	]*VREG[ 	]' | head ${HEAD_OPT}1 | awk '{ print $NF }'`
				else
					FNAME=`${LSOF_CMD} -wnlP +c 0 -p $PID | grep '[ 	]txt[ 	][ 	]*REG[ 	]' | awk '{ print $NF }'`
				fi
			fi

			if [ -n "`echo \"${FNAME}\" | grep '^/'`" ]; then
				FOUND="${FNAME}"
				break
			fi
		done

		IFS=$RKHIFS

		if [ -z "${FOUND}" -a $PID_SEEN -eq 1 ]; then
			FNAME=""
			FOUND="${PROTO}:${PORT}"
		fi
	elif [ $IN_HIDDEN_PORTS -eq 1 ]; then
		# The 'netstat' command offers us no further information
		# on hidden ports, so we can skip it.
		:
	else
		case "${OPERATING_SYSTEM}" in
		Linux)
			FOUND=`${NETSTAT_CMD} -an | grep -i "^${PROTO}.*:${PORT} " | awk '{ print $4 }' | grep ":${PORT}\$"`
			;;
		*BSD|Darwin|IRIX*|DragonFly)
			FOUND=`${NETSTAT_CMD} -an | grep -i "^${PROTO}.*\.${PORT} " | awk '{ print $4 }' | grep "\.${PORT}\$"`
			;;
		AIX)
			if [ "${PROTO}" = "UDP" ]; then
				FOUND=`${NETSTAT_CMD} -an | grep -i "^udp.*\.${PORT} " | awk '{ print $4 }' | grep "\.${PORT}\$"`
			elif [ "${PROTO}" = "TCP" ]; then
				FOUND=`${NETSTAT_CMD} -an | egrep -i "^tcp.*\.${PORT} .*(BOUND|ESTABLISH|LISTEN)" | awk '{ print $4 }' | grep "\.${PORT}\$"`
			fi
			;;
		SunOS)
			if [ "${PROTO}" = "UDP" ]; then
				FOUND=`${NETSTAT_CMD} -an | awk '/^UDP: IPv4/, /^$/ { print $1 }' | grep "\.${PORT}\$"`

				if [ -z "${FOUND}" ]; then
					FOUND=`${NETSTAT_CMD} -an | awk '/^UDP: IPv6/, /^$/ { print $1 }' | grep "\.${PORT}\$"`
				fi
			elif [ "${PROTO}" = "TCP" ]; then
				FOUND=`${NETSTAT_CMD} -an | awk '/^TCP: IPv4/, /^$/ { print $0 }' | egrep 'BOUND|ESTABLISH|LISTEN' | awk '{ print $1 }' | grep "\.${PORT}\$"`

				if [ -z "${FOUND}" ]; then
					FOUND=`${NETSTAT_CMD} -an | awk '/^TCP: IPv6/, /^$/ { print $0 }' | egrep 'BOUND|ESTABLISH|LISTEN' | awk '{ print $1 }' | grep "\.${PORT}\$"`
				fi
			fi
			;;
		esac
	fi


	#
	# If we have found something, then see if it is whitelisted.
	#

	if [ -n "${FOUND}" -o $IN_HIDDEN_PORTS -eq 1 ]; then
		RKHTMPVAR2=0

		if [ -n "${LSOF_CMD}" ]; then
			if [ -n "${FNAME}" ]; then
				if [ -n "`echo \"${TEST_PORT_WHITELIST_PATH}\" | grep \" ${FNAME}:${PROTO}:${PORT} \"`" ]; then
					RKHTMPVAR2=1
					FOUND="path_whitelisted"
				elif [ -n "`echo \"${TEST_PORT_WHITELIST_PATH}\" | grep \" ${FNAME} \"`" ]; then
					RKHTMPVAR2=1
					FOUND="path_whitelisted"
				elif [ $TEST_PORT_WHITELIST_ALL_TRUSTED -eq 1 ]; then
					test -n "${BASENAME_CMD}" && RKHTMPVAR=`${BASENAME_CMD} ${FNAME}` || RKHTMPVAR=`echo "${FNAME}" | sed -e 's:^.*/::'`

					RKHTMPVAR=`IFS=$RKHIFS find_cmd ${RKHTMPVAR}`

					if [ "${RKHTMPVAR}" = "${FNAME}" ]; then
						RKHTMPVAR2=1
						FOUND="trusted_whitelisted"
					fi
				fi
			fi
		fi

		if [ $RKHTMPVAR2 -eq 0 -a -n "`echo \"${PORT_WHITELIST}\" | grep \" ${PROTO}:${PORT} \"`" ]; then
			FOUND="port_whitelisted"
		fi
	fi

	return
}


do_network_port_checks() {

	#
	# This function will check the network ports to see
	# if any known backdoor ports are being used.
	#

	if `check_test ports || check_test hidden_ports`; then
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 --nl NETWORK_PORTS_START
	fi

	if `check_test ports`; then
		display --to LOG --type INFO STARTING_TEST ports
		display --to LOG --type PLAIN --log-indent 2 NETWORK_PORTS_BACKDOOR_LOG
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST ports
		return
	fi


	#
	# We must first check to see if we can perform this test.
	#

	if [ -z "${LSOF_CMD}" -a -z "${NETSTAT_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color YELLOW --result SKIPPED NETWORK_PORTS_BACKDOOR
		display --to LOG --type INFO TEST_SKIPPED_OS "network port checks" "lsof or netstat command required."
		return
	fi

	#
	# Check that the backdoor ports data file is usable.
	#

	if [ ! -e "${DB_PATH}/backdoorports.dat" -o ! -s "${DB_PATH}/backdoorports.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
		display --to LOG --type WARNING NETWORK_PORTS_FILE_MISSING "${DB_PATH}/backdoorports.dat"
		return
	elif [ ! -f "${DB_PATH}/backdoorports.dat" -o -h "${DB_PATH}/backdoorports.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
		display --to LOG --type WARNING NETWORK_PORTS_FILE_NOTAFILE "${DB_PATH}/backdoorports.dat"
		return
	fi

	#
	# Next we do some further testing and the initial logging.
	#

	TEST_PORT_WHITELIST_PATH="${PORT_WHITELIST_PATH}"
	TEST_PORT_WHITELIST_ALL_TRUSTED=$PORT_WHITELIST_ALL_TRUSTED

	if [ -z "${LSOF_CMD}" ]; then
		case "${OPERATING_SYSTEM}" in
		*BSD|Linux|AIX|SunOS|Darwin|IRIX*|DragonFly)
			#
			# We can only use pathnames if we have the 'lsof' command.
			#

			TEST_PORT_WHITELIST_PATH=""
			TEST_PORT_WHITELIST_ALL_TRUSTED=0
			display --to LOG --type INFO NETWORK_PORTS_DISABLE_PATHS
			;;
		*)
			display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
			display --to LOG --type WARNING NETWORK_PORTS_UNKNOWN_NETSTAT
			return
			;;
		esac
	fi

	test $TEST_PORT_WHITELIST_ALL_TRUSTED -eq 1 && display --to LOG --type INFO NETWORK_PORTS_ENABLE_TRUSTED


	#
	# Now do the test.
	#

	FOUNDPORT=0

	IFS=$IFSNL

	for LINE in `cat ${DB_PATH}/backdoorports.dat`; do
		if [ -n "`echo \"${LINE}\" | egrep '^(#|[Vv]ersion:)'`" ]; then
			continue
		elif [ -z "${LINE}" ]; then
			continue
		fi

		PORT=`echo "${LINE}" | cut -d: -f1`
		DESCRIPTION=`echo "${LINE}" | cut -d: -f2`
		PROTO=`echo "${LINE}" | cut -d: -f3 | tr '[:lower:]' '[:upper:]'`

		if [ -z "`echo \"${PORT}\" | grep '^[1-9][0-9]*$'`" ]; then
			echo "Error: Invalid port in backdoorports.dat file: $LINE"
			continue
		elif [ "${PROTO}" != "UDP" -a "${PROTO}" != "TCP" ]; then
			echo "Error: Invalid protocol in backdoorports.dat file: $LINE"
			continue
		fi

		check_port_wl 0

		# We need to reset IFS because it is set in 'check_port_wl'.
		IFS=$IFSNL

		#
		# Now log the result.
		#

		case "${FOUND}" in
		path_whitelisted)
			display --to LOG --type INFO NETWORK_PORTS_PATH_WHITELIST "${PROTO}" "${PORT}" "${FNAME}"
			display --to LOG --type PLAIN --log-indent 4 --result WHITELISTED NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
			;;
		trusted_whitelisted)
			display --to LOG --type INFO NETWORK_PORTS_TRUSTED_WHITELIST "${PROTO}" "${PORT}" "${FNAME}"
			display --to LOG --type PLAIN --log-indent 4 --result WHITELISTED NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
			;;
		port_whitelisted)
			display --to LOG --type INFO NETWORK_PORTS_PORT_WHITELIST "${PROTO}" "${PORT}"
			display --to LOG --type PLAIN --log-indent 4 --result WHITELISTED NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
			;;
		"")
			display --to LOG --type PLAIN --log-indent 4 --result NOT_FOUND NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"
			;;
		*)
			FOUNDPORT=1
			display --to LOG --type PLAIN --log-indent 4 --result FOUND NETWORK_PORTS_BACKDOOR_CHK "${PROTO}" "${PORT}"

			test -n "${FNAME}" && FNAME=" by ${FNAME}"

			display --to LOG --type WARNING NETWORK_PORTS_BKDOOR_FOUND "${PROTO}" "${PORT}" "${FNAME}" "${DESCRIPTION}"
			;;
		esac
	done

	IFS=$RKHIFS


	#
	# Finally show the overall result on the screen.
	#

	if [ $FOUNDPORT -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color GREEN --result NONE_FOUND NETWORK_PORTS_BACKDOOR
	else
		display --to SCREEN+LOG --type PLAIN --log-indent 2 --screen-indent 4 --color RED --result WARNING NETWORK_PORTS_BACKDOOR
	fi

	return
}


do_network_hidden_port_checks() {

	#
	# This function will check the network
	# ports to see if any are being hidden.
	#

	if `check_test hidden_ports`; then
		display --to LOG --type INFO --nl STARTING_TEST hidden_ports
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST hidden_ports
		return
	fi


	#
	# We must first check to see if we can perform this test.
	#

	UNHIDETCP_CMD=`find_cmd unhide-tcp`

	if [ -n "${UNHIDETCP_CMD}" ]; then
		display --to LOG --type INFO FOUND_CMD 'unhide-tcp' "${UNHIDETCP_CMD}"
	else
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 NETWORK_HIDDEN_PORTS
		display --to LOG --type INFO NOT_FOUND_CMD "unhide-tcp"
		return
	fi

	if [ $SUNOS -eq 1 ]; then
		RKHTMPVAR="gawk"
		AWK_CMD=`find_cmd gawk`

		if [ -z "${AWK_CMD}" ]; then
			RKHTMPVAR="nawk"
			AWK_CMD=`find_cmd nawk`
		fi
	else
		RKHTMPVAR="awk"
		AWK_CMD=`find_cmd awk`
	fi

	if [ -n "${AWK_CMD}" ]; then
		display --to LOG --type INFO FOUND_CMD "${RKHTMPVAR}" "${AWK_CMD}"
	else
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --screen-indent 4 NETWORK_HIDDEN_PORTS
		test $SUNOS -eq 1 && RKHTMPVAR="gawk or nawk" || RKHTMPVAR="awk"
		display --to LOG --type INFO NOT_FOUND_CMD "${RKHTMPVAR}"
		return
	fi

	#
	# We don't *need* the 'lsof' command to perform this test, but
	# if it is available then it will be used to find out pathnames.
	#

	TEST_PORT_WHITELIST_PATH="${PORT_WHITELIST_PATH}"
	TEST_PORT_WHITELIST_ALL_TRUSTED=$PORT_WHITELIST_ALL_TRUSTED

	if [ -z "${LSOF_CMD}" ]; then
		case "${OPERATING_SYSTEM}" in
		*BSD|Linux|AIX|SunOS|Darwin|IRIX*|DragonFly)
			#
			# We can only use pathnames if we have the 'lsof' command.
			#

			TEST_PORT_WHITELIST_PATH=""
			TEST_PORT_WHITELIST_ALL_TRUSTED=0
			display --to LOG --type INFO NETWORK_PORTS_DISABLE_PATHS
			;;
		esac
	fi

	test $TEST_PORT_WHITELIST_ALL_TRUSTED -eq 1 && display --to LOG --type INFO NETWORK_PORTS_ENABLE_TRUSTED


	#
	# Now perform the test. We must do this in two parts
	# to pick out the TCP ports, and then the UDP ports.
	#

	RKHTMPVAR=`${UNHIDETCP_CMD} 2>&1`

	TCP_PORTS=`echo "${RKHTMPVAR}" | ${AWK_CMD} '/^Starting TCP check/, /^Starting UDP check/ { print $0 }' | grep '^Found ' | cut -d: -f2`
	UDP_PORTS=`echo "${RKHTMPVAR}" | ${AWK_CMD} '/^Starting UDP check/, 0 { print $0 }' | grep '^Found ' | cut -d: -f2`

	if [ -z "${TCP_PORTS}" -a -z "${UDP_PORTS}" ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 NETWORK_HIDDEN_PORTS
	else
		FOUND_PORTS=""

		for PROTO in TCP UDP; do
			HIDDEN_PORTS=`eval echo "\\$${PROTO}_PORTS"`

			test -z "${HIDDEN_PORTS}" && continue

			HIDDEN_PORTS=`echo ${HIDDEN_PORTS} | tr ' ' '\n' | sort | uniq`
			HIDDEN_PORTS=`echo ${HIDDEN_PORTS}`

			for PORT in ${HIDDEN_PORTS}; do
				check_port_wl 1

				#
				# Now log the result.
				#

				case "${FOUND}" in
				path_whitelisted)
					display --to LOG --type INFO NETWORK_HIDDEN_PORTS_PATH_WHITELIST "${PROTO}" "${PORT}" "${FNAME}"
					;;
				trusted_whitelisted)
					display --to LOG --type INFO NETWORK_HIDDEN_PORTS_TRUSTED_WHITELIST "${PROTO}" "${PORT}" "${FNAME}"
					;;
				port_whitelisted)
					display --to LOG --type INFO NETWORK_HIDDEN_PORTS_PORT_WHITELIST "${PROTO}" "${PORT}"
					;;
				*)
					FOUND_PORTS="${FOUND_PORTS}
${PROTO}:${PORT}:${FNAME}"
					;;
				esac
			done
		done

		if [ -z "${FOUND_PORTS}" ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 NETWORK_HIDDEN_PORTS
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 NETWORK_HIDDEN_PORTS
			display --to LOG --type WARNING --log-indent 2 NETWORK_HIDDEN_PORTS_FOUND

			IFS=$IFSNL

			FOUND_PORTS=`echo "${FOUND_PORTS}" | sed -e '/^$/d'`

			for RKHTMPVAR in ${FOUND_PORTS}; do
				PROTO=`echo ${RKHTMPVAR} | cut -d: -f1`
				PORT=`echo ${RKHTMPVAR} | cut -d: -f2`
				FNAME=`echo ${RKHTMPVAR} | cut -d: -f3-`

				if [ -z "${FNAME}" ]; then
					display --to LOG --type PLAIN --log-indent 9 NETWORK_HIDDEN_PORTS_CHK "${PROTO}" "${PORT}"
				else
					display --to LOG --type PLAIN --log-indent 9 NETWORK_HIDDEN_PORTS_CHK_NAME "${PROTO}" "${PORT}" "${FNAME}"
				fi
			done

			IFS=$RKHIFS
		fi
	fi

	return
}


do_network_interface_checks() {

	#
	# This function will check the network interfaces to see
	# if any are in promiscuous mode. It will also check to see
	# if there are any applications running which are capturing
	# network interface packets.
	#

	if `check_test promisc || check_test packet_cap_apps`; then
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 --nl NETWORK_INTERFACE_START
	fi

	if `check_test promisc`; then
		display --to LOG --type INFO STARTING_TEST promisc


		if [ -n "${IFCONFIG_CMD}" ]; then
			PROMISCSCAN1=""; PROMISCSCAN2=""

			IFWLIST=`get_option 2 multi ALLOWPROMISCIF` || exit 1

			if [ -n "${IFWLIST}" ]; then
				display --to LOG --type INFO NETWORK_PROMISC_WLIST "${IFWLIST}"

				IFWLIST=`echo "${IFWLIST}" | tr ' ' '|'`
			fi

			case "${OPERATING_SYSTEM}" in
			*BSD|DragonFly)
				if [ -z "${IFWLIST}" ]; then
					PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | awk '$1 !~ /^pflog/ && /PROMISC/ { print }'`
				else
					PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | awk '$1 !~ /^pflog/ && $1 !~ /^('${IFWLIST}'):$/ && /PROMISC/ { print }'`
				fi
				;;
			SunOS|IRIX*|AIX)
				if [ -z "${IFWLIST}" ]; then
					PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | awk '/PROMISC/ { print }'`
				else
					PROMISCSCAN1=`${IFCONFIG_CMD} -a 2>&1 | awk '$1 !~ /^('${IFWLIST}'):$/ && /PROMISC/ { print }'`
				fi
				;;
			*)
				if [ -z "${IFWLIST}" ]; then
					PROMISCSCAN1=`${IFCONFIG_CMD} 2>&1 | awk 'BEGIN { RS="" }; /PROMISC/ { print }'`
				else
					PROMISCSCAN1=`${IFCONFIG_CMD} 2>&1 | awk 'BEGIN { RS="" }; $1 !~ /^('${IFWLIST}'):?$/ && /PROMISC/ { print }'`
				fi
				;;
			esac

			if [ $LINUXOS -eq 1 ]; then
				if [ -n "${IP_CMD}" ]; then
					PROMISCSCAN2=`${IP_CMD} link | grep '^[0-9]' | grep -vE "^[0-9][0-9]*: (${IFWLIST}):" | grep 'PROMISC'`
				else
					display --to LOG --type INFO NETWORK_PROMISC_NO_IP
				fi
			fi


			#
			# Now show the results of the interface check.
			#

			if [ -z "${PROMISCSCAN1}" -a -z "${PROMISCSCAN2}" ]; then
				display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 NETWORK_PROMISC_CHECK
			else
				display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 NETWORK_PROMISC_CHECK

				display --to LOG --type WARNING NETWORK_PROMISC_IF

				PROMISCSCAN1=`echo "${PROMISCSCAN1}" | awk '$0 !~ /^ / || /PROMISC/ { print }'`

				display --to LOG --type PLAIN --log-indent 9 NETWORK_PROMISC_IF_1

				IFS=$IFSNL

				for IFACE in ${PROMISCSCAN1}; do
					display --to LOG --type PLAIN --log-indent 13 NAME "${IFACE}"
				done

				IFS=$RKHIFS


				if [ $LINUXOS -eq 1 -a -n "${PROMISCSCAN2}" ]; then
					display --to LOG --type PLAIN --log-indent 9 NETWORK_PROMISC_IF_2

					PROMISCSCAN2=`echo "${PROMISCSCAN2}" | cut -d: -f2-`

					IFS=$IFSNL

					# Only indent by 12 spaces here because the output starts with a space.
					for IFACE in ${PROMISCSCAN2}; do
						display --to LOG --type PLAIN --log-indent 12 NAME "${IFACE}"
					done

					IFS=$RKHIFS
				fi
			fi
		else
			display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --screen-indent 4 NETWORK_PROMISC_CHECK
			display --to LOG --type WARNING NETWORK_PROMISC_NO_IFCONFIG
		fi
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST promisc
	fi


	#
	# For the packet capturing check, we must first see if we
	# are able to run the test. We let the user know if the test
	# was disabled, or if the lsof command is not present.
	#

	if `check_test packet_cap_apps`; then
		display --to LOG --type INFO --nl STARTING_TEST packet_cap_apps
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST packet_cap_apps
		return
	fi

	if [ $LINUXOS -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --color YELLOW --result SKIPPED --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
		display --to LOG --type INFO TEST_SKIPPED_OS 'packet_cap_apps' '/proc/net/packet required.'
		return
	elif [ ! -f "/proc/net/packet" ]; then
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
		display --to LOG --type WARNING NETWORK_PACKET_CAP_CHECK_NO_FILE '/proc/net/packet'
		return
	elif [ -z "${LSOF_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --color YELLOW --result SKIPPED --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
		display --to LOG --type INFO NOT_FOUND_CMD 'lsof'
		return
	fi


	#
	# Now run the test.
	#

	FOUND=0
	WHITEPROC=""; BLACKPROC=""

	LIBPCAPRES=`egrep -v '^sk|888e' /proc/net/packet | head ${HEAD_OPT}1`

	if [ -n "${LIBPCAPRES}" ]; then
		#
		# We only need to get the whitelisted processes once.
		#

		ALLOWPROCLISTENERS=`get_option 2 multi ALLOWPROCLISTEN` || exit 1


		INODE_LIST=""

		for INODE in `egrep -v '^sk|888e' /proc/net/packet | awk '{ print $9 }'`; do
			INODE_LIST="${INODE_LIST}|$INODE"
		done

		INODE_LIST=`echo "${INODE_LIST}" | sed -e 's/^|//'`
		test -z "${INODE_LIST}" && INODE_LIST="RKHunterPktCapture"


		for PID in `${LSOF_CMD} -lMnPw -d 1-20 | egrep "[ 	](${INODE_LIST})[ 	]" | awk '{ print $2 }'`; do
			NAME=""

			if [ -h "/proc/$PID/exe" -a $HAVE_READLINK -eq 1 ]; then
				NAME=`${READLINK_CMD} -f /proc/$PID/exe | cut -d' ' -f1`
			elif [ -f "/proc/$PID/status" ]; then
				NAME=`grep '^Name:.' /proc/$PID/status | sed -e 's/^Name:.//'`
			fi


			test -z "${NAME}" && continue

			AMATCH=1

			for RKHTMPVAR in ${ALLOWPROCLISTENERS}; do
				if [ "${NAME}" = "${RKHTMPVAR}" ]; then
					AMATCH=0; break
				fi
			done

			if [ $AMATCH -eq 0 ]; then
				FNAME=`echo "${NAME}" | sed -e 's/\./\\\./g'`

				if [ -z "`echo \"${WHITEPROC} \" | grep \"${FNAME} \"`" ]; then
					WHITEPROC="${WHITEPROC} ${NAME}"
				fi
			else
				FOUND=1
				BLACKPROC="${BLACKPROC}
${NAME} ${PID}"
			fi
		done
	fi


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 NETWORK_PACKET_CAP_CHECK


		IFS=$IFSNL

		for RKHTMPVAR in ${BLACKPROC}; do
			test -z "${RKHTMPVAR}" && continue

			NAME=`echo "${RKHTMPVAR}" | cut -d' ' -f1`
			PID=`echo "${RKHTMPVAR}" | cut -d' ' -f2`

			display --to LOG --type WARNING NETWORK_PACKET_CAP_FOUND "${NAME}" "${PID}"
		done

		IFS=$RKHIFS
	fi

	for NAME in ${WHITEPROC}; do
		display --to LOG --type INFO NETWORK_PACKET_CAP_WL "${NAME}"
	done

	return
}


do_network_checks() {

	#
	# This function carries out some network checks. This consists
	# of port checks, and some interface checks.
	#

	if `check_test network`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST network
		display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_NETWORK
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST network
		return
	fi


	do_network_port_checks
	do_network_hidden_port_checks

	do_network_interface_checks

	return
}


do_system_startup_file_checks() {

	#
	# This function carries out checks on the system startup files.
	#

	if `check_test startup_files`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST startup_files
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 STARTUP_FILES_START
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST startup_files
		return
	fi

	#
	# First we check that the local host name has been set.
	#

	if [ -n "${HOST_NAME}" ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result FOUND --log-indent 2 --screen-indent 4 STARTUP_HOSTNAME
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 STARTUP_HOSTNAME
		display --to LOG --type WARNING STARTUP_NO_HOSTNAME
	fi


	#
	# Check that the startup file malware checks are to be done.
	#

	if `check_test startup_malware`; then
		display --to LOG --type INFO --nl STARTING_TEST startup_malware
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST startup_malware
		return
	fi

	#
	# First check to see that we can run the test.
	#

	if [ "${STARTUP_PATHS}" = "NONE" ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result SKIPPED --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_EXIST
		display --to LOG --type INFO STARTUP_NONE_GIVEN
		return
	fi


	#
	# Now get and check that the system startup files are okay.
	#

	get_rc_paths

	if [ -n "${RC_PATHS}" ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result FOUND --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_EXIST
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_EXIST
		display --to LOG --type WARNING STARTUP_CHECK_NO_RC_FILES
		return
	fi


	#
	# Next we check all the startup files for any suspicious
	# strings in them.
	#

	FOUND=0
	FOUNDSTRINGS=""

	#
	# Since we are going to be checking a lot of files
	# for strings that are static, we may as well do
	# some pre-processing of the string, and then we
	# only need to spend time if a string is found.
	#

	RCSTRINGS=""

	IFS=$IFSNL

	for RKHTMPVAR in ${RCLOCAL_STRINGS}; do
		RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ 	]*//'`

		STRING=`echo ${RKHTMPVAR} | cut -d: -f1 | sed -e 's/\./\\\./g'`
		INFO=`echo ${RKHTMPVAR} | cut -d: -f2`

		RCSTRINGS="${RCSTRINGS}
${STRING}:${INFO}"

		ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
	done

	IFS=$RKHIFS

	RCSTRINGS=`echo "${RCSTRINGS}" | sed -e '/^$/d'`


	for FNAME in ${RC_PATHS}; do
		IFS=$IFSNL

		FNAMEGREP=`echo "${FNAME}" | sed -e 's/\./\\\./g'`

		for STR in ${RCSTRINGS}; do
			STRING=`echo ${STR} | cut -d: -f1`

			RKHTMPVAR=`grep "${STRING}" ${FNAME}`

			if [ -n "${RKHTMPVAR}" ]; then
				test -z "`echo \"${RKHTMPVAR}\" | egrep -v '^[ 	]*#'`" && continue

				if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP}:${STRING} \"`" ]; then
					STRING=`echo ${STRING} | sed -e 's/\\\//g'`
					display --to LOG --type INFO FILE_PROP_WL_STR "${FNAME}" "${STRING}" startup_malware
				elif [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP} \"`" -a -z "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${FNAMEGREP}:\"`" ]; then
					display --to LOG --type INFO FILE_PROP_WL "${FNAME}" startup_malware
				else
					FOUND=1

					STRING=`echo ${STRING} | sed -e 's/\\\//g'`
					INFO=`echo ${STR} | cut -d: -f2`

					FOUNDSTRINGS="${FOUNDSTRINGS}
${FNAME}:${STRING}:${INFO}"
				fi
			fi
		done

		IFS=$RKHIFS
	done


	#
	# Now display the results.
	#

	if [ $FOUND -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_MALWARE
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 STARTUP_CHECK_FILES_MALWARE

		IFS=$IFSNL

		FOUNDSTRINGS=`echo "${FOUNDSTRINGS}" | sed -e '/^$/d'`

		for RKHTMPVAR in ${FOUNDSTRINGS}; do
			FNAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
			STRING=`echo "${RKHTMPVAR}" | cut -d: -f2`
			INFO=`echo "${RKHTMPVAR}" | cut -d: -f3`

			ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
			ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${INFO}, "

			display --to LOG --type WARNING ROOTKIT_POSS_STRINGS_FOUND "${STRING}" "${FNAME}" "${INFO}"
		done

		IFS=$RKHIFS
	fi

	return
}


pwdgrp_changes() {

	#
	# This function checks the changes made to the passwd and group files.
	#

	FNAME=$1
	LINES=$2

	SEEN_IDS=""

	IFS=$IFSNL

	for LINE in ${LINES}; do
		#
		# First we need to check if we have already dealt with
		# this id. If we have, then just get the next line.
		#

		PWDGRPID=`echo "${LINE}" | cut -d: -f1 | cut -c3-`
		IDGREP=`echo "${PWDGRPID}" | sed -e 's/\./\\\./g'`

		RKHTMPVAR=`echo "${SEEN_IDS}" | grep " ${IDGREP} "`

		test -n "${RKHTMPVAR}" && continue


		#
		# This id hasn't been seen before, so we record it.
		#

		SEEN_IDS="${SEEN_IDS} ${PWDGRPID} "

		#
		# Next we see if the id has just been added or removed.
		# To do this we simply see if it appears more than once.
		#

		RKHTMPVAR=`echo "${LINES}" | grep "^> ${IDGREP}:"`
		RKHTMPVAR2=`echo "${LINES}" | grep "^< ${IDGREP}:"`

		if [ \( -n "${RKHTMPVAR}" -a -z "${RKHTMPVAR2}" \) -o \( -z "${RKHTMPVAR}" -a -n "${RKHTMPVAR2}" \) ]; then
			if [ -n "${RKHTMPVAR}" ]; then
				if [ "${FNAME}" = "passwd" ]; then
					display --to LOG --type WARNING --log-indent 4 PWD_CHANGES_IDREM "${PWDGRPID}"
				else
					display --to LOG --type WARNING --log-indent 4 GROUP_CHANGES_IDREM "${PWDGRPID}"
				fi
			else
				if [ "${FNAME}" = "passwd" ]; then
					display --to LOG --type WARNING --log-indent 4 PWD_CHANGES_IDADD "${PWDGRPID}"
				else
					display --to LOG --type WARNING --log-indent 4 GROUP_CHANGES_IDADD "${PWDGRPID}"
				fi
			fi

			continue
		fi


		#
		# The id has changed in some way. We now need to
		# go through the fields and see what has changed.
		#

		FIELD_IDX=1

		OLD_LINE=`echo "${RKHTMPVAR}" | cut -d: -f2-`
		NEW_LINE=`echo "${RKHTMPVAR2}" | cut -d: -f2-`

		STR=${OLD_LINE}

		if [ "${FNAME}" = "passwd" ]; then
			display --to LOG --type WARNING PWD_CHANGES_FOUND "${PWDGRPID}"
		else
			display --to LOG --type WARNING GROUP_CHANGES_FOUND "${PWDGRPID}"
		fi

		while test -n "${STR}"; do
			OLD_FIELD=`echo "${OLD_LINE}" | cut -d: -f$FIELD_IDX`
			NEW_FIELD=`echo "${NEW_LINE}" | cut -d: -f$FIELD_IDX`

			if [ "${OLD_FIELD}" != "${NEW_FIELD}" ]; then
				if [ "${FNAME}" = "passwd" ]; then
					case $FIELD_IDX in
					1)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_PWD "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					2)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_UID "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					3)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_GID "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					4)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_COMM "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					5)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_HOME "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					6)
						display --to LOG --type PLAIN --log-indent 9 PWD_CHANGES_SHL "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					*)
						display --to LOG --type PLAIN --log-indent 9 PWDGRP_CHANGES_UNK "${FNAME}" "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					esac
				else
					case $FIELD_IDX in
					1)
						display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_PWD "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					2)
						display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_GID "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					3)
						OLD_GRPUSRS=" `echo ${OLD_FIELD} | tr ',' ' '` "
						NEW_GRPUSRS=" `echo ${NEW_FIELD} | tr ',' ' '` "

						IFS=$RKHIFS

						for GRPUSR in ${OLD_GRPUSRS} ${NEW_GRPUSRS}; do
							RKHTMPVAR=`echo ${GRPUSR} | sed -e 's/\./\\\./g'`
							RKHTMPVAR2=`echo "${OLD_GRPUSRS}" | grep " ${RKHTMPVAR} "`
							RKHTMPVAR3=`echo "${NEW_GRPUSRS}" | grep " ${RKHTMPVAR} "`

							if [ -n "${RKHTMPVAR2}" -a -z "${RKHTMPVAR3}" ]; then
								display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_GRPREM "${GRPUSR}"
							elif [ -z "${RKHTMPVAR2}" -a -n "${RKHTMPVAR3}" ]; then
								display --to LOG --type PLAIN --log-indent 9 GROUP_CHANGES_GRPADD "${GRPUSR}"
							fi
						done

						IFS=$IFSNL
						;;
					*)
						display --to LOG --type PLAIN --log-indent 9 PWDGRP_CHANGES_UNK "${FNAME}" "${OLD_FIELD}" "${NEW_FIELD}"
						;;
					esac
				fi
			fi

			FIELD_IDX=`expr $FIELD_IDX + 1`

			RKHTMPVAR=`echo "${STR}" | cut -d: -f2-`

			#
			# For the group file the last field may be
			# empty, so we need to cater for this.
			#

			if [ -z "${RKHTMPVAR}" ]; then
				if [ \( "${FNAME}" = "passwd" -a $FIELD_IDX -eq 6 \) -o \( "${FNAME}" = "group" -a $FIELD_IDX -eq 3 \) ]; then
						STR=""
						RKHTMPVAR="x"
				fi
			fi

			test "${RKHTMPVAR}" = "${STR}" && STR="" || STR=${RKHTMPVAR}
		done
	done

	IFS=$RKHIFS

	return
}


do_group_accounts_check() {

	#
	# This function carries out checks on the /etc/passwd and
	# /etc/group files.
	#

	if `check_test group_accounts`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST group_accounts
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 ACCOUNTS_START
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST group_accounts
		return
	fi

	#
	# First check that /etc/passwd exists.
	#

	if [ -s "/etc/passwd" ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result FOUND --log-indent 2 --screen-indent 4 ACCOUNTS_PWD_FILE_CHECK
		display --to LOG --type INFO ACCOUNTS_FOUND_PWD_FILE "/etc/passwd"
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 ACCOUNTS_PWD_FILE_CHECK
		display --to LOG --type WARNING ACCOUNTS_NO_PWD_FILE "/etc/passwd"
	fi


	#
	# Next, check for root equivalent accounts. These will have
	# a UID of zero.
	#

	if [ -s "/etc/passwd" ]; then
		#
		# We need to ignore any whitelisted UID 0 accounts.
		#

		UID0_WHITELIST=`get_option 2 multi UID0_ACCOUNTS` || exit 1
		UID0_WHITELIST=" root ${UID0_WHITELIST} "

		UID_LIST=""
		RKHTMPVAR2=""

		if [ $MACOSX -eq 1 ]; then
			DSCL_CMD=`find_cmd dscl`

			if [ -n "${DSCL_CMD}" ]; then
				display --to LOG --type INFO FOUND_CMD 'dscl' "${DSCL_CMD}"

				RKHTMPVAR2=`${DSCL_CMD} . search /Users uid 0 | egrep '^[^ 	)]' | cut -d'	' -f1`
			else
				display --to LOG --type INFO NOT_FOUND_CMD "dscl"
			fi
		fi


		IFS=$IFSNL

		for RKHTMPVAR in `grep '^[^:]*:[^:]*:0:' /etc/passwd | cut -d: -f1` ${RKHTMPVAR2}; do
			test -z "${RKHTMPVAR}" && continue
			test "${RKHTMPVAR}" = "root" && continue

			RKHUSERID=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`

			if [ -z "`echo \"${UID0_WHITELIST}\" | grep \" ${RKHUSERID} \"`" ]; then
				UID_LIST="${UID_LIST}
${RKHTMPVAR}"
			else
				display --to LOG --type INFO ACCOUNTS_UID0_WL "${RKHTMPVAR}"
			fi
		done

		IFS=$RKHIFS


		#
		# Now display the results.
		#

		if [ -z "${UID_LIST}" ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ACCOUNTS_UID0
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 ACCOUNTS_UID0

			IFS=$IFSNL

			for RKHTMPVAR in ${UID_LIST}; do
				test -z "${RKHTMPVAR}" && continue
				display --to LOG --type WARNING ACCOUNTS_UID0_FOUND "${RKHTMPVAR}"
			done

			IFS=$RKHIFS
		fi
	else
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 ACCOUNTS_UID0
		display --to LOG --type INFO ACCOUNTS_NO_PWD_FILE "/etc/passwd"
	fi


	#
	# Now check for any passwordless accounts. We do this in two steps.
	# The first is to check the shadow file, and for TCB shadow files we
	# have to loop through all the shadow files in the /etc/tcb directory.
	# Then we check the /etc/passwd file for any passwordless accounts.
	# Finally we display the overall result.
	#

	#
	# We need to ignore any whitelisted passwordless accounts.
	#

	WL_SEEN=""

	PWD_WHITELIST=`get_option 2 multi PWDLESS_ACCOUNTS` || exit 1
	PWD_WHITELIST=" ${PWD_WHITELIST} "

	PWD_PWDLESS_LIST=""
	SHAD_PWDLESS_LIST=""


	#
	# Check for passwordless accounts in the shadow file(s).
	#

	if [ -n "${SHADOW_FILE}" -o $HAVE_TCB_SHADOW -eq 1 ]; then
		if [ -n "${SHADOW_FILE}" ]; then
			display --to LOG --type INFO ACCOUNTS_SHADOW_FILE "${SHADOW_FILE}"
		else
			display --to LOG --type INFO ACCOUNTS_SHADOW_TCB "/etc/tcb"
		fi

		#
		# We have do a bit of a kludge here. We need a loop in order to
		# cater for TCB shadow files in /etc/tcb. But at the same time
		# we only want to execute the loop once for non-TCB systems. To
		# do this we loop through either /etc or /etc/tcb. However, for
		# /etc we only execute the loop once because the grep statement
		# will have the exact shadow filename in SHADOW_FILE. For TCB
		# systems, SHADOW_FILE is set for each individual shadow file as
		# it pass round the loop.
		#

		if [ $HAVE_TCB_SHADOW -eq 1 ]; then
			RKHTMPVAR2="/etc/tcb"
		else
			RKHTMPVAR2="/etc"
		fi

		IFS=$IFSNL

		for DIR in ${RKHTMPVAR2}/*; do
			if [ $HAVE_TCB_SHADOW -eq 1 ]; then
				if [ -f "${DIR}/shadow" ]; then
					SHADOW_FILE="${DIR}/shadow"
				else
					continue
				fi
			fi

			for RKHTMPVAR in `grep '^[^:]*::' ${SHADOW_FILE} | cut -d: -f1`; do
				# Ignore any NIS/YP entries
				test "${RKHTMPVAR}" = "+" && continue

				RKHUSERID=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`

				if [ -z "`echo \"${PWD_WHITELIST}\" | grep \" ${RKHUSERID} \"`" ]; then
					SHAD_PWDLESS_LIST="${SHAD_PWDLESS_LIST}
${RKHTMPVAR}"
					test $HAVE_TCB_SHADOW -eq 1 && SHAD_PWDLESS_LIST="${SHAD_PWDLESS_LIST} (${SHADOW_FILE})"
				else
					WL_SEEN="${WL_SEEN} ${RKHTMPVAR} "

					display --to LOG --type INFO ACCOUNTS_PWDLESS_WL "${RKHTMPVAR}"
				fi
			done

			test $HAVE_TCB_SHADOW -eq 0 && break
		done

		IFS=$RKHIFS
	else
		#
		# No shadow file found.
		#

		SHAD_PWDLESS_LIST="RKH:No shadow file"
	fi


	#
	# Check for passwordless accounts in /etc/passwd.
	#

	if [ -s "/etc/passwd" ]; then
		IFS=$IFSNL

		for RKHTMPVAR in `grep '^[^:]*::' /etc/passwd | cut -d: -f1`; do
			# Ignore any NIS/YP entries
			test "${RKHTMPVAR}" = "+" && continue

			RKHUSERID=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`

			if [ -z "`echo \"${PWD_WHITELIST}\" | grep \" ${RKHUSERID} \"`" ]; then
				PWD_PWDLESS_LIST="${PWD_PWDLESS_LIST}
${RKHTMPVAR}"
			elif [ -z "`echo \"${WL_SEEN}\" | grep \" ${RKHUSERID} \"`" ]; then
				display --to LOG --type INFO ACCOUNTS_PWDLESS_WL "${RKHTMPVAR}"
			fi
		done

		IFS=$RKHIFS
	fi


	#
	# Now display the results.
	#

	if [ -z "${SHAD_PWDLESS_LIST}" -a -z "${PWD_PWDLESS_LIST}" ]; then
		display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 ACCOUNTS_PWDLESS
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 ACCOUNTS_PWDLESS

		#
		# Log the shadow file results.
		#

		if [ "${SHAD_PWDLESS_LIST}" = "RKH:No shadow file" ]; then
			display --to LOG --type WARNING ACCOUNTS_NO_SHADOW_FILE
		else
			IFS=$IFSNL

			for RKHTMPVAR in ${SHAD_PWDLESS_LIST}; do
				test -z "${RKHTMPVAR}" && continue
				display --to LOG --type WARNING ACCOUNTS_PWDLESS_FOUND "shadow" "${RKHTMPVAR}"
			done
		fi

		#
		# Log the passwd file results.
		#

		IFS=$IFSNL

		for RKHTMPVAR in ${PWD_PWDLESS_LIST}; do
			test -z "${RKHTMPVAR}" && continue
			display --to LOG --type WARNING ACCOUNTS_PWDLESS_FOUND "passwd" "${RKHTMPVAR}"
		done

		IFS=$RKHIFS
	fi


	#
	# Now we check for any changes that have occurred to the passwd
	# file since rkhunter was last run.
	#

	DIFF_CMD=`find_cmd diff`

	if `check_test passwd_changes`; then
		RKHTMPVAR=0
		display --to LOG --type INFO --nl STARTING_TEST passwd_changes
	else
		RKHTMPVAR=1
		display --to LOG --type INFO --nl USER_DISABLED_TEST passwd_changes
	fi

	if [ $RKHTMPVAR -eq 1 ]; then
		:
	elif [ ! -f "/etc/passwd" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 PASSWD_CHANGES
		display --to LOG --type INFO ACCOUNTS_NO_PWD_FILE "/etc/passwd"
	elif [ -z "${DIFF_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 PASSWD_CHANGES
		display --to LOG --type INFO NOT_FOUND_CMD "diff"

		cp -f -p /etc/passwd ${RKHTMPDIR}/passwd
	elif [ ! -f "${RKHTMPDIR}/passwd" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 PASSWD_CHANGES
		display --to LOG --type WARNING PASSWD_CHANGES_NO_TMP

		cp -f -p /etc/passwd ${RKHTMPDIR}/passwd
	else
		DIFFS=`${DIFF_CMD} /etc/passwd ${RKHTMPDIR}/passwd 2>/dev/null | grep '^[<>]'`

		if [ -z "${DIFFS}" ]; then
			display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 PASSWD_CHANGES
		else
			display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 PASSWD_CHANGES

			pwdgrp_changes "passwd" "${DIFFS}"

			#
			# Finally, move the current copy of the passwd file out
			# of the way, and take a new copy of the passwd file.
			# This allows the user to look back to see what the
			# last changes were, even if RKH is run again.
			#

			mv -f ${RKHTMPDIR}/passwd ${RKHTMPDIR}/passwd.old >/dev/null 2>&1
			cp -f -p /etc/passwd ${RKHTMPDIR}/passwd
		fi
	fi


	#
	# Next check for any changes that have occurred to the group
	# file since rkhunter was last run.
	#

	if `check_test group_changes`; then
		RKHTMPVAR=0
		display --to LOG --type INFO --nl STARTING_TEST group_changes
	else
		RKHTMPVAR=1
		display --to LOG --type INFO --nl USER_DISABLED_TEST group_changes
	fi

	if [ $RKHTMPVAR -eq 1 ]; then
		:
	elif [ ! -f "/etc/group" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 GROUP_CHANGES
		display --to LOG --type WARNING GROUP_CHANGES_NO_FILE "/etc/group"
	elif [ -z "${DIFF_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 GROUP_CHANGES
		display --to LOG --type INFO NOT_FOUND_CMD "diff"

		cp -f -p /etc/group ${RKHTMPDIR}/group
	elif [ ! -f "${RKHTMPDIR}/group" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 GROUP_CHANGES
		display --to LOG --type WARNING GROUP_CHANGES_NO_TMP

		cp -f -p /etc/group ${RKHTMPDIR}/group
	else
		DIFFS=`${DIFF_CMD} /etc/group ${RKHTMPDIR}/group 2>/dev/null | grep '^[<>]'`

		if [ -z "${DIFFS}" ]; then
			display --to SCREEN+LOG --type PLAIN --color GREEN --result NONE_FOUND --log-indent 2 --screen-indent 4 GROUP_CHANGES
		else
			display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 GROUP_CHANGES

			pwdgrp_changes "group" "${DIFFS}"

			#
			# Finally, move the current copy of the group file out
			# of the way, and take a new copy of the group file.
			# This allows the user to look back to see what the
			# last changes were, even if RKH is run again.
			#

			mv -f ${RKHTMPDIR}/group ${RKHTMPDIR}/group.old >/dev/null 2>&1
			cp -f -p /etc/group ${RKHTMPDIR}/group
		fi
	fi


	#
	# Finally we do a check on the root account shell history files.
	# We check for bash, Korn, C-shell and zsh history files.
	#

	FOUND=0
	FOUNDFILES=""

	if [ -f "/root/.bash_history" ]; then
		FOUND=1

		if [ -h "/root/.bash_history" ]; then
			FOUNDFILES="${FOUNDFILES} bash:/root/.bash_history"
		fi
	fi

	if [ -f "/root/.sh_history" ]; then
		FOUND=1

		if [ -h "/root/.sh_history" ]; then
			FOUNDFILES="${FOUNDFILES} Korn:/root/.sh_history"
		fi
	fi

	if [ -f "/root/.history" ]; then
		FOUND=1

		if [ -h "/root/.history" ]; then
			FOUNDFILES="${FOUNDFILES} C-shell:/root/.history"
		fi
	fi

	if [ -f "/root/.zhistory" ]; then
		FOUND=1

		if [ -h "/root/.zhistory" ]; then
			FOUNDFILES="${FOUNDFILES} zsh:/root/.zhistory"
		fi
	fi


	#
	# Now display the results.
	#

	if [ -z "${FOUNDFILES}" ]; then
		test $FOUND -eq 1 && RKHTMPVAR="OK" || RKHTMPVAR="NONE_FOUND"

		display --to SCREEN+LOG --type PLAIN --color GREEN --result ${RKHTMPVAR} --log-indent 2 --screen-indent 4 HISTORY_CHECK
	else
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING --log-indent 2 --screen-indent 4 HISTORY_CHECK

		for RKHTMPVAR in ${FOUNDFILES}; do
			SHELLNAME=`echo "${RKHTMPVAR}" | cut -d: -f1`
			FILENAME=`echo "${RKHTMPVAR}" | cut -d: -f2`

			display --to LOG --type WARNING HISTORY_CHECK_FOUND "SHELLNAME" "FILENAME"
		done
	fi

	return
}


do_system_config_files_check() {

	#
	# This function carries out checks on some of the system
	# software configurations. At present this checks the SSH
	# and syslog configurations.
	#

	if `check_test system_configs`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST system_configs
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 SYSTEM_CONFIGS_START
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST system_configs
		return
	fi

	#
	# First find out where the SSH configuration file is located.
	#

	SSH_CONFIG_FILE=""

	if [ -n "${SSH_CONFIG_DIR}" ]; then
		RKHTMPVAR="${SSH_CONFIG_DIR}"
	else
		RKHTMPVAR="/etc /etc/ssh /usr/local/etc /usr/local/etc/ssh"
	fi

	for DIR in ${RKHTMPVAR}; do
		if [ -f "${DIR}/sshd_config" ]; then
			SSH_CONFIG_FILE="${DIR}/sshd_config"
			break
		fi
	done

	if [ -n "${SSH_CONFIG_FILE}" ]; then
		display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "SSH"

		display --to LOG --type INFO SYSTEM_CONFIGS_FILE_FOUND "SSH" "${SSH_CONFIG_FILE}"

		display --to LOG --type INFO CONFIG_SSH_ROOT "${ALLOW_SSH_ROOT_USER}"
		display --to LOG --type INFO CONFIG_SSH_PROTV1 $ALLOW_SSH_PROT_V1


		#
		# Now we check some of the configuration options.
		#
		# First we check for allowed root access.
		#

		RKHTMPVAR=`grep -i '^[ 	]*PermitRootLogin[ 	=]' ${SSH_CONFIG_FILE} | tail ${TAIL_OPT}1`

		if [ -n "${RKHTMPVAR}" ]; then
			#
			# Get the value that has been set.
			#

			RKHTMPVAR2=`echo ${RKHTMPVAR} | sed -e 's/^[^ 	=]*[ 	]*=*[ 	]*\([^ 	#]*\).*$/\1/' | tr '[:upper:]' '[:lower:]'`

			if [ "${RKHTMPVAR2}" = "${ALLOW_SSH_ROOT_USER}" ]; then
				test "${RKHTMPVAR2}" = "no" && RKHTMPVAR="NOT_ALLOWED" || RKHTMPVAR="ALLOWED"
				display --to SCREEN+LOG --type PLAIN --result ${RKHTMPVAR} --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT

				display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_ROOT_FOUND
				display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_ROOT_FOUND1 "${RKHTMPVAR2}"
				display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_ROOT_FOUND2 "${ALLOW_SSH_ROOT_USER}"
			fi
		elif [ "${ALLOW_SSH_ROOT_USER}" = "unset" ]; then
			display --to SCREEN+LOG --type PLAIN --result UNSET --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_ROOT
			display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND
		fi


		#
		# Next we check to see if protocol version 1 is allowed.
		#

		RKHTMPVAR=`grep -i '^[ 	]*Protocol[ 	=]' ${SSH_CONFIG_FILE} | tail ${TAIL_OPT}1`

		if [ -n "${RKHTMPVAR}" ]; then
			#
			# See if the set protocol versions includes '1'.
			#

			RKHTMPVAR2=`echo ${RKHTMPVAR} | sed -e 's/^[^ 	=]*[ 	]*=*[ 	]*\([^ 	#]*\).*$/\1/'`
			RKHTMPVAR3=`echo "${RKHTMPVAR2}" | grep '1'`

			if [ -z "${RKHTMPVAR3}" -a $ALLOW_SSH_PROT_V1 -eq 0 ]; then
				display --to SCREEN+LOG --type PLAIN --result NOT_ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
			elif [ -n "${RKHTMPVAR3}" -a $ALLOW_SSH_PROT_V1 -eq 1 ]; then
				display --to SCREEN+LOG --type PLAIN --result ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO

				display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_ROOT_FOUND
				display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_PROTO_DIFF1 "${RKHTMPVAR2}"
				display --to LOG --type PLAIN --log-indent 9 SYSTEM_CONFIGS_SSH_PROTO_DIFF2 "${ALLOW_SSH_PROT_V1}"
			fi
		elif [ $ALLOW_SSH_PROT_V1 -eq 2 ]; then
			display --to SCREEN+LOG --type PLAIN --result UNSET --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SSH_PROTO
			display --to LOG --type WARNING SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND
		fi
	else
		display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "SSH"
	fi


	#
	# Next we find out if the syslog daemon is running.
	#

	SYSLOG_SEEN=0
	METALOG_SEEN=0; SOCKLOG_SEEN=0

	if [ -n "${PS_CMD}" ]; then
		PS_ARGS="ax"

		test $SUNOS -eq 1 -o $IRIXOS -eq 1 && PS_ARGS="-ef"

		RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep '(syslogd|syslog-ng)( |$)' | grep -v 'egrep'`

		if [ -n "${RKHTMPVAR}" ]; then
			SYSLOG_SEEN=1

			display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
		else
			RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep 'metalog( |$)' | grep -v 'egrep'`

			if [ -n "${RKHTMPVAR}" ]; then
				METALOG_SEEN=1

				display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
				display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING
			else
				RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep 'socklog( |$)' | grep -v 'egrep'`

				if [ -n "${RKHTMPVAR}" ]; then
					SOCKLOG_SEEN=1

					display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
					display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_SOCKLOG_RUNNING
				else
					display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
					display --to LOG --type WARNING SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING
				fi
			fi
		fi
	else
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
		display --to LOG --type INFO NOT_FOUND_CMD "ps"
	fi


	#
	# Now loop through the syslog configuration files.
	#

	if [ -z "${SYSLOG_CONFIG_FILE}" ]; then
		SYSLOG_CONFIG_FILE="/etc/syslog.conf /etc/rsyslog.conf /etc/syslog-ng/syslog-ng.conf"
	fi

	if [ "${SYSLOG_CONFIG_FILE}" = "NONE" ]; then
		display --to SCREEN+LOG --type PLAIN --result WHITELISTED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "syslog"
	else
		FILEFOUND=0
		REMLOGFOUND=""

		for FNAME in ${SYSLOG_CONFIG_FILE}; do
			if [ -f "${FNAME}" ]; then
				if [ $FILEFOUND -eq 0 ]; then
					test $ALLOW_SYSLOG_REMOTE_LOGGING -eq 1 && display --to LOG --type INFO SYSTEM_CONFIGS_SYSLOG_REMOTE_ALLOWED
				fi

				FILEFOUND=1
			else
				continue
			fi

			# First, log where the configuration file is located.

			if [ -n "`echo \"${FNAME}\" | grep '/rsyslog\.conf$'`" ]; then
				FTYPE="rsyslog"
			elif [ -n "`echo \"${FNAME}\" | grep '/syslog-ng\.conf$'`" ]; then
				FTYPE="syslog-ng"
			else
				FTYPE="syslog"
			fi

			display --to LOG --type INFO SYSTEM_CONFIGS_FILE_FOUND "${FTYPE}" "${FNAME}"


			# Next see if the configuration file allows remote logging.

			if [ -n "`echo \"${FNAME}\" | egrep '/r?syslog\.conf$'`" ]; then
				RKHTMPVAR=`egrep -i '^[^#].*[ 	](@|:omrelp:).' ${FNAME} | egrep -i -v '(@|:omrelp:)127\.'`
			else
				#
				# For syslog-ng we must look for a destination
				# block which uses TCP or UDP.
				#

				RKHTMPVAR=`awk '/^[ 	]*destination( |	|$)/, /}/ { print $0 }' ${FNAME} | egrep -i '( |	|\{|^)(tcp|udp)6?( |	|\(|$)' | egrep -v -i '(tcp|udp)6?[ 	]*\([ 	]*("[ 	]*)?127\.'`
			fi

			if [ -n "${RKHTMPVAR}" ]; then
				REMLOGFOUND="${REMLOGFOUND}
${FTYPE}:${RKHTMPVAR}"

				display --to LOG --type INFO SYSTEM_CONFIGS_SYSLOG_REMOTE_LOG "${RKHTMPVAR}"
			fi
		done


		#
		# Now display the results.
		#

		if [ $FILEFOUND -eq 1 ]; then
			display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "syslog"
		elif [ $METALOG_SEEN -eq 1 -o $SOCKLOG_SEEN -eq 1 ]; then
			display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "syslog"
		elif [ $SYSLOG_SEEN -eq 1 ]; then
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "syslog"
			display --to LOG --type WARNING SYSTEM_CONFIGS_SYSLOG_NO_FILE
		else
			display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "syslog"
		fi

		#
		# We only display the remote logging result if a configuration file was found.
		#

		if [ $FILEFOUND -eq 1 ]; then
			if [ $ALLOW_SYSLOG_REMOTE_LOGGING -eq 1 ]; then
				display --to SCREEN+LOG --type PLAIN --result ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_REMOTE
			elif [ -z "${REMLOGFOUND}" ]; then
				display --to SCREEN+LOG --type PLAIN --result NOT_ALLOWED --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_REMOTE
			else
				display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_REMOTE

				IFS=$IFSNL

				REMLOGFOUND=`echo "${REMLOGFOUND}" | sed -e '/^$/d'`

				for FNAME in ${REMLOGFOUND}; do
					FTYPE=`echo ${FNAME} | cut -d: -f1`
					RKHTMPVAR=`echo ${FNAME} | cut -d: -f2-`

					display --to LOG --type WARNING SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND "${FTYPE}" "${RKHTMPVAR}"
				done

				IFS=$RKHIFS
			fi
		fi
	fi

	return
}


do_dev_whitelist_check() {

	#
	# The check of /dev files has two methods. One uses a simple
	# top-level file check, the other is more thorough and does a
	# complete 'find' on the /dev directory. However, the check on
	# whether the given file is whitelisted is the same for both
	# methods. As such, it makes sense to use a function rather than
	# repeating the code for each method.
	#


	FTYPE=`${FILE_CMD} "${RKHTMPVAR}" 2>/dev/null | awk -F':' '{ print $NF }' | cut -c2-`

	if [ -z "`echo \"${FTYPE}\" | egrep -v '( character special| block special| socket| fifo \(named pipe\)| symbolic link to| empty| directory|/MAKEDEV:)'`" ]; then
		return
	fi

	FNAMEGREP=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`

	if [ -n "`echo \"${ALLOWDEVFILES}\" | grep \" ${FNAMEGREP} \"`" ]; then
		display --to LOG --type INFO FILESYSTEM_DEV_FILE_WL "${RKHTMPVAR}"
	else
		FOUNDFILES="${FOUNDFILES}
${RKHTMPVAR}: ${FTYPE}"
	fi

	return
}


do_filesystem_check() {

	#
	# This function carries out checks on the filesystem
	# for suspicious files.
	#

	if `check_test filesystem`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST filesystem
		display --to SCREEN+LOG --type PLAIN --screen-indent 2 FILESYSTEM_START
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST filesystem
		return
	fi


	if [ ! -d "/dev" ]; then
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK
		display --to LOG --type WARNING FILESYSTEM_DEV_CHECK_NO_DEV
	elif [ -z "${FILE_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK
		display --to LOG --type INFO NOT_FOUND_CMD "file"
	elif [ "${SCAN_MODE_DEV}" = "THOROUGH" -a -z "${FIND_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK
		display --to LOG --type INFO NOT_FOUND_CMD "find"
	else
		#
		# Now we can run the check on /dev.
		#

		display --to LOG --type INFO CONFIG_SCAN_MODE_DEV "${SCAN_MODE_DEV}"


		#
		# First we re-evaluate the whitelist option to ensure
		# that any wildcard entries are the most recent.
		#

		if [ -n "${ALLOWDEVFILE_OPT}" ]; then
			ALLOWDEVFILES=`echo ${ALLOWDEVFILE_OPT}`
			ALLOWDEVFILES=`echo " ${ALLOWDEVFILES} " | tr '%' ' '`
		fi

		#
		# Note: We do not look for hidden files here - that is,
		# those beginning with a dot. Any hidden files will be
		# picked up in the next check.
		# Note2: Filenames can contain a colon (:), so we need to
		# be careful in separating the filename from the file type.
		# Note3: We have to cater for *BSD systems which may have
		# fdesc/fdescfs mounted. If it is, then we must skip over
		# any detected file descriptors.
		#

		FDESCFS=0
		FOUNDFILES=""

		if [ $BSDOS -eq 1 ]; then
			RKHTMPVAR=`find_cmd mount`

			if [ -n "${RKHTMPVAR}" ]; then
				test -n "`${RKHTMPVAR} 2>/dev/null | egrep '^fdesc(fs)? .*type fdesc'`" && FDESCFS=1
			else
				display --to LOG --type INFO NOT_FOUND_CMD "mount"
			fi
		fi


		if [ "${SCAN_MODE_DEV}" = "LAZY" ]; then
			for RKHTMPVAR in /dev/*; do
				test -s "${RKHTMPVAR}" -a ! -d "${RKHTMPVAR}" -a ! -h "${RKHTMPVAR}" || continue

				if [ $FDESCFS -eq 1 ]; then
					test -n "`echo \"${RKHTMPVAR}/\" | grep \"^/dev/fd/[0-9][0-9]*/\"`" && continue
				fi

				do_dev_whitelist_check
			done
		else
			IFS=$IFSNL

			for RKHTMPVAR in `${FIND_CMD} /dev ! -type d -a ! -type l 2>/dev/null`; do
				test -s "${RKHTMPVAR}" || continue

				if [ $FDESCFS -eq 1 ]; then
					test -n "`echo \"${RKHTMPVAR}/\" | grep \"^/dev/fd/[0-9][0-9]*/\"`" && continue
				fi

				test -z "`echo \"${RKHTMPVAR}\" | grep '/\.[^/]*$'`" && do_dev_whitelist_check
			done

			IFS=$RKHIFS
		fi


		#
		# Now display the results.
		#

		FOUNDFILES=`echo "${FOUNDFILES}" | sed -e '/^$/d'`

		if [ -z "${FOUNDFILES}" ]; then
			display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK
		else
			display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_DEV_CHECK

			display --to LOG --type WARNING FILESYSTEM_DEV_FILE_FOUND "/dev"

			IFS=$IFSNL

			for RKHTMPVAR in ${FOUNDFILES}; do
				display --to LOG --type PLAIN --log-indent 9 NAME "${RKHTMPVAR}"
			done

			IFS=$RKHIFS
		fi
	fi


	#
	# Now we check various directories for hidden files and
	# directories. We must have the 'file' command for this
	# test to run.
	#
	# First we look in two sets of directories. One set we search
	# recursively, using 'find', the other set we only search to
	# one-level. If we have no 'find' command, then all the
	# directories are only searched to one-level.
	#

	if [ -z "${FILE_CMD}" ]; then
		display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 FILESYSTEM_HIDDEN_CHECK
		display --to LOG --type INFO NOT_FOUND_CMD "file"
		return
	fi


	FOUNDDIRS=""
	FOUNDFILES=""
	LOOKINDIRS=""

	SHORTSEARCHDIRS="/usr /etc"

	LONGSEARCHDIRS="/dev /bin /usr/man /usr/share/man /usr/bin /usr/sbin /sbin"

	if [ -z "${FIND_CMD}" ]; then
		SHORTSEARCHDIRS="${SHORTSEARCHDIRS} ${LONGSEARCHDIRS}"
		LONGSEARCHDIRS=""
	fi

	for DIR in ${SHORTSEARCHDIRS}; do
		if [ -d ${DIR} ]; then
			RKHTMPVAR=`ls -1d ${DIR}/.* 2>/dev/null | egrep -v '/\.\.?$'`
			test -n "${RKHTMPVAR}" && LOOKINDIRS="${LOOKINDIRS}
${RKHTMPVAR}"
		fi
	done

	for DIR in ${LONGSEARCHDIRS}; do
		if [ -d ${DIR} ]; then
			RKHTMPVAR=`${FIND_CMD} ${DIR} -name ".*" 2>/dev/null`
			test -n "${RKHTMPVAR}" && LOOKINDIRS="${LOOKINDIRS}
${RKHTMPVAR}"
		fi
	done


	#
	# We re-evaluate the whitelisting options to ensure that any
	# wildcard entries are the most recent.
	#

	if [ -n "${ALLOWHIDDENFILE_OPT}" ]; then
		ALLOWHIDDENFILES=`echo ${ALLOWHIDDENFILE_OPT}`
		ALLOWHIDDENFILES=`echo " ${ALLOWHIDDENFILES} " | tr '%' ' '`
	fi

	if [ -n "${ALLOWHIDDENDIR_OPT}" ]; then
		ALLOWHIDDENDIRS=`echo ${ALLOWHIDDENDIR_OPT}`
		ALLOWHIDDENDIRS=`echo " ${ALLOWHIDDENDIRS} " | tr '%' ' '`
	fi

	#
	# Next we look for any whitelisted files and directories. We also
	# exclude certain types of files.
	#

	IFS=$IFSNL

	for FNAME in ${LOOKINDIRS}; do
		if [ $FDESCFS -eq 1 ]; then
			test -n "`echo \"${FNAME}/\" | grep \"^/dev/fd/[0-9][0-9]*/\"`" && continue
		fi

		FTYPE=`${FILE_CMD} "${FNAME}" 2>/dev/null | awk -F':' '{ print $NF }' | cut -c2-`

		test -n "`echo \"${FTYPE}\" | egrep 'character special|block special|empty'`" && continue

		FNAMEGREP=`echo "${FNAME}" | sed -e 's/\./\\\./g'`

		if [ -n "`echo \"${FTYPE}\" | grep 'directory'`" ]; then
			if [ -n "`echo \"${ALLOWHIDDENDIRS}\" | grep \" ${FNAMEGREP} \"`" ]; then
				display --to LOG --type INFO FILESYSTEM_HIDDEN_DIR_WL "${FNAME}"
			else
				if [ "${FTYPE}" = "directory" ]; then
					FOUNDDIRS="${FOUNDDIRS}
${FNAME}"
				else
					FOUNDDIRS="${FOUNDDIRS}
${FNAME}: ${FTYPE}"
				fi
			fi
		else
			if [ -n "`echo \"${ALLOWHIDDENFILES}\" | grep \" ${FNAMEGREP} \"`" ]; then
				display --to LOG --type INFO FILESYSTEM_HIDDEN_FILE_WL "${FNAME}"
			else
				FOUNDFILES="${FOUNDFILES}
${FNAME}: ${FTYPE}"
			fi
		fi
	done

	IFS=$RKHIFS

	FOUNDDIRS=`echo "${FOUNDDIRS}" | sed -e '/^$/d'`
	FOUNDFILES=`echo "${FOUNDFILES}" | sed -e '/^$/d'`


	#
	# Now display the results.
	#

	if [ -z "${FOUNDDIRS}" -a -z "${FOUNDFILES}" ]; then
		display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 FILESYSTEM_HIDDEN_CHECK
	else
		display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 FILESYSTEM_HIDDEN_CHECK

		IFS=$IFSNL

		for RKHTMPVAR in ${FOUNDDIRS}; do
			display --to LOG --type WARNING FILESYSTEM_HIDDEN_DIR_FOUND "${RKHTMPVAR}"
		done

		for RKHTMPVAR in ${FOUNDFILES}; do
			display --to LOG --type WARNING FILESYSTEM_HIDDEN_FILE_FOUND "${RKHTMPVAR}"
		done

		IFS=$RKHIFS
	fi

	return
}


do_local_host_checks() {

	#
	# This function carries out a sequence of tests on the local
	# host.
	#

	if `check_test local_host`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST local_host
		display --to SCREEN+LOG --type PLAIN --color YELLOW CHECK_LOCALHOST
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST local_host
		return
	fi


	#
	# We start by performing checks on the startup files.
	#

	do_system_startup_file_checks


	#
	# Now we check the /etc/passwd file, and run some checks
	# on the accounts and groups.
	#

	do_group_accounts_check


	#
	# Next check some of the system configuration files.
	#

	do_system_config_files_check


	#
	# Finally check the filesystem for suspicious files.
	#

	do_filesystem_check

	keypresspause

	return
}


do_app_checks() {

	#
	# This function carries out a sequence of application checks.
	#

	if `check_test apps`; then
		display --to LOG --type INFO --screen-nl --nl STARTING_TEST apps
	else
		display --to LOG --type INFO --nl USER_DISABLED_TEST apps
		return
	fi


	#
	# First we check that our apps data file is usable.
	#

	if [ ! -e "${DB_PATH}/programs_bad.dat" -o ! -s "${DB_PATH}/programs_bad.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING CHECK_APPS
		display --to LOG --type WARNING APPS_DAT_MISSING "${DB_PATH}/programs_bad.dat"
		return
	elif [ ! -f "${DB_PATH}/programs_bad.dat" -o -h "${DB_PATH}/programs_bad.dat" ]; then
		display --to SCREEN+LOG --type PLAIN --color RED --result WARNING CHECK_APPS
		display --to LOG --type WARNING APPS_DAT_NOTAFILE "${DB_PATH}/programs_bad.dat"
		return
	fi

	display --to SCREEN+LOG --type PLAIN --color YELLOW --nl-after CHECK_APPS


	#
	# We loop through the applications and obtain the version number.
	# This is then checked against the file of known bad versions.
	# We build up a list of application names, the version number,
	# and whether it is known to be bad or not. When this has all
	# been done, we then display the results.
	#
	# The results line for each application is made up of percent (%)
	# delimited fields. They are:
	#
	#   application%description%version%if known bad%whole version number
	#
	# A 'version' number of '-1' means the application was not found.
	#
	# An 'if known bad' number of:
	#
	#	'-1' means a specific version of the application is whitelisted,
	#	'-2' means the application is whitelisted, regardless of version.
	#

	APPS_COUNT=0
	APP_RESULTS=""

	APP_NAMES="exim:Exim MTA
		   gpg:GnuPG
		   httpd:Apache
		   named:Bind DNS
		   openssl:OpenSSL
		   php:PHP
		   procmail:Procmail MTA
		   proftpd:ProFTPD
		   sshd:OpenSSH"

	APPS_TOTAL_COUNT=`echo "${APP_NAMES}" | wc -l | tr -d ' '`


	#
	# Get the list of whitelisted application versions.
	#

	APP_WHITELIST=""

	RKHTMVAR=`get_option 2 multi APP_WHITELIST` || exit 1

	test -n "${RKHTMVAR}" && APP_WHITELIST=`echo " ${RKHTMVAR} " | tr '[:upper:]' '[:lower:]'`


	IFS=$IFSNL

	for APP in ${APP_NAMES}; do
		APP=`echo ${APP} | sed -e 's/^[ 	]*//'`

		APPLICATION=`echo ${APP} | cut -d: -f1`
		APPLICATION_DESC=`echo ${APP} | cut -d: -f2-`

		IFS=$RKHIFS
		APP_CMD_FOUND=`find_cmd ${APPLICATION}`
		IFS=$IFSNL

		if [ -z "${APP_CMD_FOUND}" ]; then
			APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%-1"
			continue
		fi


		#
		# Find out the version of the application.
		#

		APPS_COUNT=`expr ${APPS_COUNT} + 1`

		VERSION=""
		WHOLE_VERSION=""

		#
		# Applications which are whitelisted completely (no specific
		# version number), are handled first.
		#

		if [ -n "`echo \"${APP_WHITELIST}\" | grep \" ${APPLICATION} \"`" ]; then
			APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%0%-2"
		else
			case "${APPLICATION}" in
			exim)
				WHOLE_VERSION=`${APP_CMD_FOUND} -bV 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | grep '^Exim version [0-9]' | awk '{ print $3 }'`
				;;
			gpg)
				WHOLE_VERSION=`${APP_CMD_FOUND} --version --homedir / 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | grep 'GnuPG' | awk '{ print $3 }'`
				;;
			httpd)
				WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | grep -i '^Server version:[ 	][ 	]*Apache/[0-9]' | cut -d' ' -f3 | cut -d'/' -f2`
				;;
			named)
				WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | egrep '^(named|BIND)[ 	][ 	]*[0-9]' | grep -v '/' | awk '{ print $2 }'`

				if [ -n "`echo \"${VERSION}\" | grep '^[^-]*\.[0-9][0-9]*-P[^-]*-'`" ]; then
					VERSION=`echo "${VERSION}" | cut -d'-' -f1-2`
				elif [ -n "`echo \"${VERSION}\" | grep '^[^-]*\.[0-9][0-9]*-[^P]'`" ]; then
					VERSION=`echo "${VERSION}" | cut -d'-' -f1`
				fi

				if [ -z "${VERSION}" ]; then
					VERSION=`${APP_CMD_FOUND} -v | awk '{ print $2 }'`
				fi
				;;
			openssl)
				WHOLE_VERSION=`${APP_CMD_FOUND} version 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | grep '^OpenSSL[ 	][ 	]*[0-9]' | cut -d' ' -f2`

				if [ -n "`echo \"${VERSION}\" | grep '^[^-]*-fips'`" ]; then
					VERSION=`echo "${VERSION}" | cut -d'-' -f1`
				fi
				;;
			php)
				WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>/dev/null`
				VERSION=`echo "${WHOLE_VERSION}" | grep '^PHP[ 	][ 	]*[0-9]' | awk '{ print $2 }' | cut -d'-' -f1`
				;;
			procmail)
				WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>&1`
				VERSION=`echo "${WHOLE_VERSION}" | grep '^procmail[ 	][ 	]*v[0-9]' | awk '{ print $2 }' | sed -e 's/^v//'`
				;;
			proftpd)
				WHOLE_VERSION=`${APP_CMD_FOUND} -v 2>&1`
				VERSION=`echo "${WHOLE_VERSION}" | sed -e 's/^.*\(ProFTPD.*\)$/\1/' | grep '^ProFTPD[ 	][ 	]*Version[ 	][ 	]*[0-9]' | awk '{ print $3 }'`
				;;
			sshd)
				WHOLE_VERSION=`${APP_CMD_FOUND} -t -d 2>&1`
				VERSION=`echo "${WHOLE_VERSION}" | grep 'sshd version OpenSSH' | sed -e 's/^.*sshd version OpenSSH_//' | cut -d' ' -f1`

				if [ -n "`echo \"${VERSION}\" | grep '+'`" ]; then
					VERSION=`echo "${VERSION}" | cut -d'+' -f1`
				fi
				;;
			esac


			VERSION=`echo "${VERSION}" | tr -d '\r'`
			WHOLE_VERSION=`echo "${WHOLE_VERSION}" | tr -d '\r'`

			if [ -z "${VERSION}" ]; then
				WHOLE_VERSION=`echo "${WHOLE_VERSION}" | tr '\n' '%'`

				APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%%0%${WHOLE_VERSION}"
				continue
			fi


			#
			# Now see if the application version is known to be bad.
			#

			RKHTMPVAR=`echo "${VERSION}" | sed -e 's/\./\\\./g'`

			if [ -n "`echo \"${APP_WHITELIST}\" | grep -i \" ${APPLICATION}:${RKHTMPVAR} \"`" ]; then
				APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%${VERSION}%-1"
			elif [ -n "`egrep -i \"^${APPLICATION}:.* ${RKHTMPVAR}( |$)\" ${DB_PATH}/programs_bad.dat 2>&1`" ]; then
				APPS_FAILED_COUNT=`expr ${APPS_FAILED_COUNT} + 1`

				APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%${VERSION}%1"
			else
				APP_RESULTS="${APP_RESULTS}
${APPLICATION}%${APPLICATION_DESC}%${VERSION}%0"
			fi
		fi
	done

	IFS=$RKHIFS


	#
	# Now display the results.
	#

	if [ $APPS_COUNT -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --color YELLOW --nl --result SKIPPED CHECK_APPS
		display --to LOG --type INFO APPS_NONE_FOUND
	else
		IFS=$IFSNL

		for RKHTMPVAR in ${APP_RESULTS}; do
			APPLICATION=`echo "${RKHTMPVAR}" | cut -d% -f1`
			APPLICATION_DESC=`echo "${RKHTMPVAR}" | cut -d% -f2`
			VERSION=`echo "${RKHTMPVAR}" | cut -d% -f3`

			if [ -z "${VERSION}" ]; then
				WHOLE_VERSION=`echo "${RKHTMPVAR}" | cut -d% -f5- | tr '%' '\n'`

				display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"

				if [ -n "${WHOLE_VERSION}" ]; then
					display --to LOG --type INFO APPS_CHECK_WHOLE_VERSION_USED "${APPLICATION}" "${WHOLE_VERSION}"
				else
					display --to LOG --type INFO APPS_CHECK_VERSION_UNKNOWN "${APPLICATION}"
				fi
			elif [ "${VERSION}" = "-1" ]; then
				display --to LOG --type INFO APPS_NOT_FOUND "${APPLICATION}"
			else
				ISBAD=`echo "${RKHTMPVAR}" | cut -d% -f4`

				if [ -n "`echo $ECHOOPT \"${ISBAD}\" | grep '[^-0-9]'`" ]; then
					display --to SCREEN+LOG --type PLAIN --result SKIPPED --color YELLOW --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
					display --to LOG --type INFO APPS_CHECK_VERSION_UNKNOWN "${APPLICATION}"
				elif [ $ISBAD -eq -2 ]; then
					display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
					display --to LOG --type INFO APPS_CHECK_WL "${APPLICATION}"
				elif [ $ISBAD -eq -1 ]; then
					display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
					display --to LOG --type INFO APPS_CHECK_VERSION_WL "${APPLICATION}" "${VERSION}"
				elif [ $ISBAD -eq 1 ]; then
					display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
					display --to LOG --type WARNING APPS_CHECK_FOUND "${APPLICATION}" "${VERSION}"
				else
					display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --log-indent 2 --screen-indent 4 APPS_CHECK "${APPLICATION_DESC}"
					display --to LOG --type INFO APPS_CHECK_VERSION_FOUND "${APPLICATION}" "${VERSION}"
				fi
			fi
		done

		IFS=$RKHIFS
	fi


	display --to LOG --type INFO APPS_TOTAL_COUNT $APPS_COUNT $APPS_TOTAL_COUNT

	return
}


display_check_summary() {

	#
	# This function displays a short summary of some of the
	# groups of checks performed.
	#

	if [ $QUIET -eq 0 -o \( $SHOWWARNINGSONLY -eq 1 -a $WARNING_COUNT -gt 0 \) ]; then
		RKHTMPVAR=2
	else
		RKHTMPVAR=1
	fi

	display --to SCREEN+LOG --type PLAIN --nl ${RKHTMPVAR} SUMMARY_TITLE1
	display --to SCREEN+LOG --type PLAIN SUMMARY_TITLE2


	#
	# Do file properties summary.
	#

	display --to SCREEN+LOG --type PLAIN --nl SUMMARY_PROP_SCAN

	if `check_test properties`; then
		if [ $SUMMARY_PROP_REQCMDS -eq 1 ]; then
			display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_PROP_REQCMDS
		fi

		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_PROP_COUNT $PROP_FILE_LIST_COUNT
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_PROP_FAILED $PROP_FAILED_COUNT
	else
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_CHKS_SKIPPED
	fi


	#
	# Do rootkit check summary.
	#

	display --to SCREEN+LOG --type PLAIN --nl SUMMARY_RKT_SCAN

	if `check_test rootkits || check_test startup_malware`; then
		RKHTMPVAR2=""

		if [ -n "${ROOTKIT_FAILED_NAMES}" ]; then
			ROOTKIT_FAILED_NAMES=`echo "${ROOTKIT_FAILED_NAMES}" | sed -e 's/, */,/g; s/,$//'`

			IFS=","

			for RTKT_NAME in ${ROOTKIT_FAILED_NAMES}; do
				if [ -z "`echo \" ${RKHTMPVAR2},\" | grep \" ${RTKT_NAME},\"`" ]; then
					RKHTMPVAR2="${RKHTMPVAR2}${RTKT_NAME}, "
				else
					ROOTKIT_FAILED_COUNT=`expr $ROOTKIT_FAILED_COUNT - 1`
				fi
			done

			IFS=$RKHIFS
			RKHTMPVAR2=`echo "${RKHTMPVAR2}" | sed -e 's/, $//'`
		fi

		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_RKT_COUNT $ROOTKIT_COUNT
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_RKT_FAILED $ROOTKIT_FAILED_COUNT

		test -n "${RKHTMPVAR2}" && display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_RKT_NAMES "${RKHTMPVAR2}"
	else
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_CHKS_SKIPPED
	fi


	#
	# Do application check summary.
	#

	display --to SCREEN+LOG --type PLAIN --nl SUMMARY_APPS_SCAN

	if `check_test apps`; then
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_APPS_COUNT $APPS_COUNT
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_APPS_FAILED $APPS_FAILED_COUNT
	else
		display --to SCREEN+LOG --type PLAIN --screen-indent 4 SUMMARY_CHKS_SKIPPED
	fi


	#
	# Display the amount of time the system check took.
	#

	if [ $BEGINTIME -eq 0 ]; then
		display --to SCREEN+LOG --type PLAIN --nl SUMMARY_NO_SCAN_TIME
	else
		display --to SCREEN+LOG --type PLAIN --nl SUMMARY_SCAN_TIME "${TOTAL_SCANTIME}"
	fi


	#
	# Display where the log file is located, if there is one.
	#

	if [ $NOLOG -eq 0 ]; then
		display --to SCREEN --type PLAIN --nl --nl-after SUMMARY_LOGFILE "${RKHLOGFILE}"
	else
		display --to SCREEN --type PLAIN --nl --nl-after SUMMARY_NO_LOGFILE
	fi

	return
}


do_system_check() {

	#
	# This function performs the various rootkit and security checks
	# for the program. We start by initialising variables used for
	# the rootkit checks.
	#

	display --to LOG --type PLAIN --nl CHECK_START

	do_system_check_initialisation


	#
	# Next, for Solaris we see if we are running Solaris 10 or not.
	# This can be useful to know in some of the tests since we will
	# use different mechanisms on Solaris 10 from those on Solaris
	# 9 and before.
	#

	SOL_PROC=0
	SOLARISX=""

	if [ $SUNOS -eq 1 ]; then
		#
		# If we are running Solaris 10, then see if we have the
		# command pathname available.
		#
		# Solaris 10 and above should have the 'a.out' file
		# present. We use the PID of 1 here since it should exist
		# on all systems.
		#
		# If we are running Solaris 10 (or above), then we add
		# the '-X' option to the 'lsof' command in order to get
		# the deleted files.
		#

		if [ -h "/proc/1/path/a.out" ]; then
			SOLARISX='-X'
			test $HAVE_READLINK -eq 1 && SOL_PROC=1
		fi
	fi


	#
	# Record the start time if we can. The total time taken for
	# scanning will only be calculated and displayed if the
	# start time can be set.
	#

	BEGINTIME=0
	ENDTIME=0

	if [ -n "$SECONDS" ]; then
		BEGINTIME=`echo $SECONDS | cut -d. -f1`
	elif [ $BSDOS -eq 1 ]; then
		BEGINTIME=`date +%s`
	elif [ -n "${PERL_CMD}" ]; then
		BEGINTIME=`${PERL_CMD} -e 'printf "%d\n", time;'`
	fi


	#
	# Send a start message to syslog if the user requested that.
	#

	if [ -n "${USE_SYSLOG}" ]; then
		${LOGGER_CMD} -t "${PROGRAM_NAME}" -p ${USE_SYSLOG} "Rootkit hunter check started (version ${PROGRAM_version})"
	fi


	#
	# We start with checks of some of the commands (binaries) and 
	# libraries on the system, to make sure that they have not
	# been tampered with.
	#

	do_system_commands_checks


	#
	# Next are the rootkit checks.
	#

	do_rootkit_checks


	#
	# Next are some network port, and interface checks.
	#

	do_network_checks


	#
	# Next are checks of the files for the local host.
	#

	do_local_host_checks


	#
	# Next are checks on specific applications.
	#

	do_app_checks


	#
	# Now record the end time.
	#

	if [ $BEGINTIME -ne 0 ]; then
		if [ -n "$SECONDS" ]; then
			ENDTIME=`echo $SECONDS | cut -d. -f1`
		elif [ $BSDOS -eq 1 ]; then
			ENDTIME=`date +%s`
		else
			ENDTIME=`${PERL_CMD} -e 'printf "%d\n", time;'`
		fi

		TOTAL_SCANTIME=`expr ${ENDTIME} - ${BEGINTIME}`
		TOTALMINS=`expr ${TOTAL_SCANTIME} / 60`
		TOTALSECS=`expr ${TOTAL_SCANTIME} % 60`

		if [ $TOTALMINS -gt 0 ]; then
			if [ $TOTALMINS -eq 1 ]; then
				TOTAL_SCANTIME="${TOTALMINS} minute and "
			else
				TOTAL_SCANTIME="${TOTALMINS} minutes and "
			fi
		else
			TOTAL_SCANTIME=""
		fi

		if [ $TOTALSECS -eq 1 ]; then
			TOTAL_SCANTIME="${TOTAL_SCANTIME}${TOTALSECS} second"
		else
			TOTAL_SCANTIME="${TOTAL_SCANTIME}${TOTALSECS} seconds"
		fi
	fi


	#
	# Display the summary of the results.
	#

	RKH_WARN_DISPLYD=0

	if [ $SHOW_SUMMARY -eq 1 ]; then
		#
		# Unfortunately we need to do a kludge here!
		# The user may have used the '--quiet' option,
		# so we need to force the summary to be displayed.
		# By resetting the NOTTY variable we can get
		# the output shown.
		#

		OLD_NOTTY=$NOTTY
		test $SHOW_SUMMARY_OPT -eq 1 && NOTTY=0

		display_check_summary

		if [ $WARNING_COUNT -eq 0 ]; then
			display --to SCREEN --type PLAIN --nl-after CHECK_WARNINGS_NOT_FOUND
		else
			RKH_WARN_DISPLYD=1
			display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND

			if [ $NOLOG -eq 1 ]; then
				display --to SCREEN --type PLAIN --nl-after CHECK_WARNINGS_FOUND_RERUN
			else
				display --to SCREEN --type PLAIN --nl-after CHECK_WARNINGS_FOUND_CHK_LOG "${RKHLOGFILE}"
			fi
		fi

		NOTTY=$OLD_NOTTY
	fi


	#
	# Send a finish message to syslog if the user requested that.
	#

	if [ -n "${USE_SYSLOG}" ]; then
		${LOGGER_CMD} -t "${PROGRAM_NAME}" -p ${USE_SYSLOG} "Scanning took ${TOTAL_SCANTIME}"
	fi


	#
	# If some warning or error has been seen, then make sure the
	# user is told about it. We also set the return code, to allow
	# the user to detect it being non-zero.
	#

	if [ $WARNING_COUNT -gt 0 ]; then
		if [ $SHOWWARNINGSONLY -eq 1 -a $RKH_WARN_DISPLYD -eq 0 ]; then
			#
			# Unfortunately we need to do a kludge again!
			# By requesting that only warnings are shown,
			# the following output would not normally be
			# displayed (because they are not warnings).
			#

			OLD_NOTTY=$NOTTY
			NOTTY=0

			display --to SCREEN --type PLAIN --nl CHECK_WARNINGS_FOUND

			if [ $NOLOG -eq 1 ]; then
				display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND_RERUN
			else
				display --to SCREEN --type PLAIN CHECK_WARNINGS_FOUND_CHK_LOG "${RKHLOGFILE}"
			fi

			NOTTY=$OLD_NOTTY
		fi


		if [ -n "${USE_SYSLOG}" ]; then
			${LOGGER_CMD} -t "${PROGRAM_NAME}" -p ${USE_SYSLOG} "Please inspect this machine, because it may be infected."
		fi


		if [ -n "${MAILONWARNING}" ]; then
			eval "echo 'Please inspect this machine, because it may be infected.' | ${MAIL_CMD} ${MAILONWARNING}"
		fi

		RET_CODE=1
	fi

	return
}


check_os_info() {

	#
	# This function checks the current O/S information against
	# that stored in the rkhunter.dat file. Any change could
	# mean that the file properties checks could give several
	# false-positive answers. As such we warn users that
	# a change has occurred.
	#

	OS_CHANGED=0

	display --to LOG --type PLAIN --nl OSINFO_START

	#
	# First check if the host name has changed.
	#

	if [ $WARN_ON_OS_CHANGE -eq 1 ]; then
		IND_COUNT=9
		OSINFO_WARNING="WARNING"
	else
		IND_COUNT=6
		OSINFO_WARNING="INFO"
		display --to LOG --type INFO FILE_PROP_NO_OS_WARNING
	fi

	OLD_HOST=`grep '^Host:' ${RKHDAT_FILE} | cut -d: -f2-`

	if [ "${HOST_NAME}" != "${OLD_HOST}" ]; then
		OS_CHANGED=1
		display --to LOG --type "${OSINFO_WARNING}" OSINFO_HOST_CHANGE1
		display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_HOST_CHANGE2 "${OLD_HOST}" "${HOST_NAME}"
	fi


	#
	# Next check if the O/S name has changed.
	#

	OLD_OSNAME=`grep '^OS:' ${RKHDAT_FILE} | cut -d: -f2-`

	if [ "${OSNAME}" != "${OLD_OSNAME}" ]; then
		OS_CHANGED=1
		display --to LOG --type "${OSINFO_WARNING}" OSINFO_OSVER_CHANGE1
		display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_OSVER_CHANGE2 "${OLD_OSNAME}" "${OSNAME}"
	fi


	#
	# Check if the prelinking status has changed.
	#

	if [ -z "`grep '^Prelinked:Yes' ${RKHDAT_FILE}`" ]; then
		OLD_PRELINK=0
	else
		OLD_PRELINK=1
	fi

	if [ $PRELINKED -ne $OLD_PRELINK ]; then
		OS_CHANGED=1
		if [ $PRELINKED -eq 1 ]; then
			display --to LOG --type "${OSINFO_WARNING}" OSINFO_PRELINK_CHANGE ''
		else
			display --to LOG --type "${OSINFO_WARNING}" OSINFO_PRELINK_CHANGE 'not '
		fi
	fi


	#
	# Check if the system architecture has changed. We treat
	# the i386-type architectures as the same. We also treat
	# the sun-type archictures the same as 'sparc'.
	#

	OLD_ARCH=`grep '^Arch:' ${RKHDAT_FILE} | cut -d: -f2-`

	if [ -n "`echo ${OLD_ARCH} | grep 'i[0-9]86'`" ]; then
		OLD_ARCH_TYPE="i386"
	elif [ -n "`echo ${OLD_ARCH} | grep 'sun[0-9][a-z]'`" -o -n "`echo ${OLD_ARCH} | grep 'sparc'`" ]; then
		OLD_ARCH_TYPE="sparc"
	else
		OLD_ARCH_TYPE=$OLD_ARCH
	fi

	if [ -n "`echo ${ARCH} | grep 'i[0-9]86'`" ]; then
		ARCH_TYPE="i386"
	elif [ -n "`echo ${ARCH} | grep 'sun[0-9][a-z]'`" -o -n "`echo ${ARCH} | grep 'sparc'`" ]; then
		ARCH_TYPE="sparc"
	else
		ARCH_TYPE=$ARCH
	fi

	if [ "${OLD_ARCH_TYPE}" != "${ARCH_TYPE}" ]; then
		OS_CHANGED=1
		display --to LOG --type "${OSINFO_WARNING}" OSINFO_ARCH_CHANGE1
		display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_ARCH_CHANGE2 "${OLD_ARCH}" "${ARCH}"
	fi

	if [ $OS_CHANGED -eq 1 ]; then
		display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_MSG1

		if [ $UPDT_ON_OS_CHANGE -eq 0 ]; then
			display --to LOG --type PLAIN --log-indent $IND_COUNT OSINFO_MSG2

			test $WARN_ON_OS_CHANGE -eq 1 && display --to LOG --type WARNING --nl PROPUPD_WARN
		else
			PROP_UPDATE=1
			display --to LOG --type INFO OSINFO_DO_UPDT
		fi
	else
		display --to LOG --type INFO OSINFO_END
	fi

	return
}


set_file_prop_dirs_files() {

	#
	# This function sets up the list of directories we look in,
	# and the list of files we look for, in order to perform
	# the file properties checks.
	#
	# Any non-existent files are simply left in for the checks
	# to skip over. However, any symbolic links are expanded and
	# the result of the link is added to the list. This avoids
	# any attempt to simply replace a link, and avoid it being
	# detected by the file hash value check.
	#
	# We also check to see if any of the directories are links.
	# If it is then we add the link target directory.
	#

	PROP_DIR_LIST=""

	for DIR in ${BINPATHS} ${USER_DIR_LIST}; do
		LINKDIR="${DIR}"

		test ! -d "${LINKDIR}" && continue

		if [ -h "${LINKDIR}" -a $HAVE_READLINK -eq 1 ]; then
			LINKDIR=`${READLINK_CMD} -f ${LINKDIR}`
		fi

		if [ -z "`echo \" ${PROP_DIR_LIST} \" | grep \" ${LINKDIR} \"`" ]; then
			PROP_DIR_LIST="${PROP_DIR_LIST} ${LINKDIR}"
		fi
	done


	PROP_FILE_LIST="adduser amd awk basename bash bget cat chattr checkproc
	    chkconfig chmod chown chroot cp cron csh curl cut date depmod df
	    diff dirname dmesg dpkg dpkg-query du echo ed egrep elinks env fgrep
	    file find fsck fuser GET grep groupadd groupdel groupmod groups grpck head id
	    ifconfig ifdown ifstatus ifup inetd init insmod ip kallsyms kill
	    killall ksyms kudzu last lastlog ldd less links locate logger login
	    ls lsattr lsmod lsof lynx mail md5 md5sum mktemp mlocate modinfo
	    modload modprobe modstat modunload more mount mv netstat newgrp
	    newsyslog nologin passwd perl pgrep ping pkgdb pkg_info pkill prelink ps pstree pwck
	    pwd readlink rkhunter rmmod route rpm rsyslogd runcon runlevel sed sestatus sh
	    sha1 sha1sum sha224 sha224sum sha256 sha256sum sha384 sha384sum sha512
	    sha512sum size skdet slocate sockstat sort stat strace strings su sudo
	    sulogin sysctl syslogd systat tail tcpd test top touch tr uname
	    uniq useradd userdel usermod users vipw vmstat w watch wc wget whatis
	    whereis which who whoami xinetd"

	#
	# We add in some extra commands to check depending on the O/S.
	#

	case "${OPERATING_SYSTEM}" in
	SunOS)
		PROP_FILE_LIST="${PROP_FILE_LIST} gawk gbasename gcat gchmod gchown
				gcksum gcp gcut gdate gdiff gdiff3 gdirname gdu gecho
				gegrep genv gfile gfind ggrep ggroups ghead gid glocate
				gls gmd5sum gmv gpwd gsed gsize gsort gstrings gsum
				gtail gtest gtouch guname guniq gusers gwc gwho gwhoami
				inetadm nawk truss unhide unhide-tcp unhide.rb"
		;;
	FreeBSD|DragonFly)
		PROP_FILE_LIST="${PROP_FILE_LIST} fstat kldload kldstat kldunload procstat
				unhide unhide-tcp unhide.rb"
		;;
	*BSD)
		PROP_FILE_LIST="${PROP_FILE_LIST} unhide unhide-tcp unhide.rb"
		;;
	Linux)
		PROP_FILE_LIST="${PROP_FILE_LIST} unhide unhide-tcp unhide.rb"

		if [ -n "`uname -r | grep '^2\.6'`" ]; then
			PROP_FILE_LIST="${PROP_FILE_LIST} unhide-linux26"
		fi
		;;
	Darwin)
		PROP_FILE_LIST="${PROP_FILE_LIST} shasum launchctl dscl"
		;;
	esac


	#
	# Next we quickly loop through the user supplied list of files,
	# and ignore any that are already in the builtin list.
	#

	PROP_FILE_LIST=`echo ${PROP_FILE_LIST}`

	if [ -n "${USER_SIMPLE_FILE_LIST}" ]; then
		RKHTMPVAR=""

		for FNAME in ${USER_SIMPLE_FILE_LIST}; do
			FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.[]\)/\\\\\1/g'`

			test -z "`echo \" ${PROP_FILE_LIST} \" | grep \" ${FNAMEGREP} \"`" && RKHTMPVAR="${RKHTMPVAR} ${FNAME}"
		done

		USER_SIMPLE_FILE_LIST=`echo ${RKHTMPVAR}`

		PROP_FILE_LIST="${PROP_FILE_LIST} ${USER_SIMPLE_FILE_LIST}"
	fi


	#
	# Now loop through the file list and look for any
	# symbolic links. If a link is found, then add on
	# the file and directory that the link points to.
	#

	if [ $HAVE_READLINK -eq 1 ]; then
		EXTRA_DIRS=""
		EXTRA_FILES=""

		for DIR in ${PROP_DIR_LIST}; do
			for FNAME in ${PROP_FILE_LIST}; do
				if [ -h "${DIR}/${FNAME}" ]; then
					RKHTMPVAR=`${READLINK_CMD} -f ${DIR}/${FNAME}`

					test ! -f "${RKHTMPVAR}" && continue

					#
					# Get the link target directory name.
					#

					test -n "${DIRNAME_CMD}" && LINKDIR=`${DIRNAME_CMD} ${RKHTMPVAR}` || LINKDIR=`echo "${RKHTMPVAR}" | sed -e 's:/[^/]*$::'`

					#
					# Now see if we already have the directory listed.
					# If not, then we add it on.
					#

					if [ -z "`echo \" ${PROP_DIR_LIST} ${EXTRA_DIRS} \" | grep \" ${LINKDIR} \"`" ]; then
						EXTRA_DIRS="${EXTRA_DIRS} ${LINKDIR}"
					fi


					#
					# Now get the link target file name.
					#

					LINKFNAME=`echo "${RKHTMPVAR}" | sed -e 's:^.*/::'`

					FNAMEGREP=`echo "${LINKFNAME}" | sed -e 's/\([.[]\)/\\\\\1/g'`

					#
					# And finally check if we already have it listed.
					#

					if [ -z "`echo \" ${PROP_FILE_LIST} ${EXTRA_FILES} \" | grep \" ${FNAMEGREP} \"`" ]; then
						EXTRA_FILES="${EXTRA_FILES} ${LINKFNAME}"
					fi
				fi
			done
		done

		test -n "${EXTRA_DIRS}" && PROP_DIR_LIST="${PROP_DIR_LIST} ${EXTRA_DIRS}"
		test -n "${EXTRA_FILES}" && PROP_FILE_LIST="${PROP_FILE_LIST} ${EXTRA_FILES}"
	fi

	PROP_FILE_LIST_TOTAL=`echo ${PROP_FILE_LIST} | wc -w | tr -d ' '`

	return
}


check_test() {

	#
	# This function will check whether a given test name should
	# be run or not. It returns 0 if the test is to be run,
	# and 1 if it is not.
	#

	if [ "${ENABLE_TESTS}" = "all" -o -n "`echo \" ${ENABLE_TESTS} \" | grep \" $1 \"`" ]; then
		if [ "${DISABLE_TESTS}" = "none" -o -z "`echo \" ${DISABLE_TESTS} \" | grep \" $1 \"`" ]; then
			return 0
		fi
	fi

	return 1
}


display_tests() {

	#
	# This function is used to simply output all the available
	# tests and test group names. If a group name itself contains
	# a group name, then that second group name is omitted. It
	# could be confusing if it was included.
	#

	RKHTMPVAR2=`echo "all none ${KNOWN_TESTS}" | tr ' ' '\n' | sort | tr '\n' ' '`
	GROUPED_TESTS=`echo "${GROUPED_TESTS}" | tr ' ' '\n' | sort | tr '\n' ' '`


	display --to SCREEN --type PLAIN --nl LIST_TESTS

	while test -n "${RKHTMPVAR2}"; do
		STR=`echo ${RKHTMPVAR2} | cut -d' ' -f1-6`
		RKHTMPVAR2=`echo ${RKHTMPVAR2} | cut -d' ' -f7-`

		echo "    ${STR}"

		test "${STR}" = "${RKHTMPVAR2}" && RKHTMPVAR2=""
	done


	display --to SCREEN --type PLAIN --nl LIST_GROUPED_TESTS

	#
	# Sort out the maximum group name length, so we can do some
	# simple formatting of the output.
	#

	MAX=0

	for STR in ${GROUPED_TESTS}; do
		LEN=`echo "${STR}" | cut -d: -f1 | wc -c | tr -d ' '`
		test $LEN -gt $MAX && MAX=$LEN
	done


	#
	# Now loop through the group names.
	#

	RKHTMPVAR2=" `echo ${GROUPED_TESTS}`"

	for STR in ${GROUPED_TESTS}; do
		TEST_NAMES=""
		GROUP_NAME=`echo "${STR}" | cut -d: -f1`

		#
		# Add on spaces to expand the group name to the maximum.
		#

		LEN=`echo "${GROUP_NAME}" | wc -c | tr -d ' '`
		LEN=`expr $MAX - $LEN`

		test $LEN -gt 0 && GROUP_NAME="${GROUP_NAME} `echo \"${BLANK_LINE}\" | cut -d' ' -f1-$LEN`"


		#
		# Check through the list of tests for this group name.
		# If the test name is a group name itself, then go to
		# the next test name, otherwise add it to our list of
		# test names.
		#

		for TEST in `echo "${STR}" | cut -d: -f2- | tr ':' ' '`; do
			RKHTMPVAR=`echo "${RKHTMPVAR2}" | grep " ${TEST}:"`

			if [ -z "${RKHTMPVAR}" ]; then
				TEST_NAMES="${TEST_NAMES}:${TEST}"
			else
				continue
			fi
		done


		#
		# Finally, sort our list of test names and display them.
		#

		TEST_NAMES=`echo "${TEST_NAMES}" | sed -e 's/^://' | tr ':' '\n' | sort | tr '\n' ' '`

		echo "    ${GROUP_NAME} => ${TEST_NAMES}"
	done

	return
}


display_languages() {

	#
	# This function is used to simply output all the available
	# languages in a basic format of 10 per line.
	#

	KNOWN_LANGS=`ls -1 ${DB_PATH}/i18n 2>/dev/null | sort`


	display --to SCREEN --type PLAIN --nl LIST_LANGS

	while test -n "${KNOWN_LANGS}"; do
		STR=`echo ${KNOWN_LANGS} | cut -d' ' -f1-10`
		KNOWN_LANGS=`echo ${KNOWN_LANGS} | cut -d' ' -f11-`

		echo "    ${STR}"

		test "${STR}" = "${KNOWN_LANGS}" && KNOWN_LANGS=""
	done

	return
}


display_perl_modules() {

	#
	# This function is used to display the status of
	# the installed perl modules which may be required.
	#

	display --to SCREEN --type PLAIN --nl LIST_PERL

	for MODNAME in perl ${LIST_MODULES}; do
		if [ "${MODNAME}" = "perl" ]; then
			MODNAME="perl command"

			test -n "${PERL_CMD}" && MOD_INSTALLED="" || MOD_INSTALLED="NOT installed"
		else
			MOD_INSTALLED=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl ${MODNAME} 2>/dev/null | grep 'NOT installed'`
		fi

		MODLEN=`echo "${MODNAME}" | wc -c | tr -d ' '`
		NUM_SPACES=`expr 28 - ${MODLEN}`
		test $NUM_SPACES -lt 1 && NUM_SPACES=1
		SPACES=`echo "${BLANK_LINE}" | cut -c1-$NUM_SPACES`

		if [ -z "${MOD_INSTALLED}" ]; then
			echo $ECHOOPT "    ${MODNAME}${SPACES}Installed"
		else
			echo $ECHOOPT "    ${MODNAME}${SPACES} MISSING"
		fi

		test "${MODNAME}" = "perl command" -a -z "${PERL_CMD}" && break
	done

	return
}


display_propfiles() {

	#
	# This function is used to display the list of files which
	# would be searched for when using the '--propupd' function.
	#

	# Get any user-supplied files and directories.
	get_user_fileprop_list

	# Get the builtin list of files and directories.
	set_file_prop_dirs_files

	# Create the file of entries used by the '--propupd' function.
	create_rkh_file_prop_list

	# Finally just dump out the list of file names.
	awk -F'/' '{ print $NF }' ${RKH_FILEPROP_LIST} | sort | uniq

	return
}


display_rootkits() {

	#
	# This function is used to simply output all the rootkit
	# names which rkhunter will check for.
	#

	RKHTMPVAR2=`echo ${KNOWN_ROOTKITS} | sed -e 's/^,*//; s/,$//'`


	display --to SCREEN --type PLAIN --nl LIST_RTKTS

	while test -n "${RKHTMPVAR2}"; do
		STR=`echo ${RKHTMPVAR2} | cut -d',' -f1-6`
		RKHTMPVAR2=`echo ${RKHTMPVAR2} | cut -d',' -f7-`

		if [ "${STR}" = "${RKHTMPVAR2}" -o -z "${RKHTMPVAR2}" ]; then
			RKHTMPVAR2=""
		else
			STR="${STR},"
		fi

		echo "    ${STR}"
	done

	return
}


get_lock() {

	#
	# This function attempts to get the lock file. If it cannot
	# get the lock then it waits for 10 seconds, and then tries
	# again. It repeats this until the timeout has passed.
	#
	# We cannot log anything at this time, but we can use
	# 'display' to display messages on the users screen.
	#

	RKHTMPVAR=0

	while test $RKHTMPVAR -lt $LOCK_TIMEOUT; do
		if [ -f "${RKHTMPDIR}/rkhunter.LCK" ]; then
			test $SHOW_LOCK_MSGS -eq 1 -a $RKHTMPVAR -eq 0 && display --to SCREEN --type PLAIN --nonl LOCK_WAIT

			sleep 10;

			RKHTMPVAR=`expr ${RKHTMPVAR} + 10`

			test $SHOW_LOCK_MSGS -eq 1 && display --to SCREEN --type PLAIN --nonl NAME "..${RKHTMPVAR}"
		else
			break
		fi
	done

	if [ $RKHTMPVAR -lt $LOCK_TIMEOUT -o ! -f "${RKHTMPDIR}/rkhunter.LCK" ]; then
		touch ${RKHTMPDIR}/rkhunter.LCK

		test $SHOW_LOCK_MSGS -eq 1 -a $RKHTMPVAR -gt 0 -a $NOTTY -eq 0 && echo ""

		#
		# We handle any subsequent exit conditions by setting a trap.
		#

		trap "rm -f ${RKHTMPDIR}/rkhunter.LCK >/dev/null 2>&1" 0 >/dev/null 2>&1
	else
		#
		# We need to be careful here. We do not want to display the message if the user
		# has explicitly requested not to, but we must display it if the user has set
		# the '--report-warnings-only' option (we treat it as a warning), or the
		# '--cronjob' option. If we did not, then the user may think that rkhunter has
		# run and that there were no warnings. If the user used the '--quiet' option,
		# then this message won't be displayed. However, that is okay because they
		# should be checking the return-code.
		#

		if [ $SHOWWARNINGSONLY -eq 1 -o $CRONJOB -eq 1 ]; then
			NOTTY=0
			RKHTMPVAR=""
		else
			RKHTMPVAR="--nl"
		fi

		test $SHOW_LOCK_MSGS -eq 1 -o $NOTTY -eq 0 && display --to SCREEN --type PLAIN ${RKHTMPVAR} LOCK_FAIL

		exit 1
	fi

	return
}


help() {

	#
	# This function outputs the help menu.
	#

	echo $ECHOOPT ""
	echo $ECHOOPT "Usage: rkhunter {--check | --unlock | --update | --versioncheck |"
	echo $ECHOOPT "                 --propupd [{filename | directory | package name},...] |"
	echo $ECHOOPT "                 --list [{tests | {lang | languages} | rootkits | perl | propfiles}] |"
	echo $ECHOOPT "                 --config-check | --version | --help} [options]"
	echo $ECHOOPT ""

	echo $ECHOOPT "Current options are:"
	echo $ECHOOPT "         --append-log                  Append to the logfile, do not overwrite"
	echo $ECHOOPT "         --bindir <directory>...       Use the specified command directories"
	echo $ECHOOPT "     -c, --check                       Check the local system"
	echo $ECHOOPT "     -C, --config-check                Check the configuration file(s), then exit"
	echo $ECHOOPT "  --cs2, --color-set2                  Use the second color set for output"
	echo $ECHOOPT "         --configfile <file>           Use the specified configuration file"
	echo $ECHOOPT "         --cronjob                     Run as a cron job"
	echo $ECHOOPT "                                       (implies -c, --sk and --nocolors options)"
	echo $ECHOOPT "         --dbdir <directory>           Use the specified database directory"
	echo $ECHOOPT "         --debug                       Debug mode"
	echo $ECHOOPT "                                       (Do not use unless asked to do so)"
	echo $ECHOOPT "         --disable <test>[,<test>...]  Disable specific tests"
	echo $ECHOOPT "                                       (Default is to disable no tests)"
	echo $ECHOOPT "         --display-logfile             Display the logfile at the end"
	echo $ECHOOPT "         --enable  <test>[,<test>...]  Enable specific tests"
	echo $ECHOOPT "                                       (Default is to enable all tests)"
	echo $ECHOOPT "         --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |"
	echo $ECHOOPT "                 NONE | <command>}     Use the specified file hash function"
	echo $ECHOOPT "                                       (Default is SHA1, then MD5)"
	echo $ECHOOPT "     -h, --help                        Display this help menu, then exit"
	echo $ECHOOPT " --lang, --language <language>         Specify the language to use"
	echo $ECHOOPT "                                       (Default is English)"
	echo $ECHOOPT "         --list [tests | languages |   List the available test names, languages,"
	echo $ECHOOPT "                 rootkits | perl |     rootkit names, perl module status"
	echo $ECHOOPT "                 propfiles]            or file properties database, then exit"
	echo $ECHOOPT "     -l, --logfile [file]              Write to a logfile"
	echo $ECHOOPT "                                       (Default is $DFLT_LOGFILE)"
	echo $ECHOOPT "         --noappend-log                Do not append to the logfile, overwrite it"
	echo $ECHOOPT "         --nocf                        Do not use the configuration file entries"
	echo $ECHOOPT "                                       for disabled tests (only valid with --disable)"
	echo $ECHOOPT "         --nocolors                    Use black and white output"
	echo $ECHOOPT "         --nolog                       Do not write to a logfile"
	echo $ECHOOPT "--nomow, --no-mail-on-warning          Do not send a message if warnings occur"
	echo $ECHOOPT "   --ns, --nosummary                   Do not show the summary of check results"
	echo $ECHOOPT " --novl, --no-verbose-logging          No verbose logging"
	echo $ECHOOPT "         --pkgmgr {RPM | DPKG | BSD |  Use the specified package manager to obtain or"
	echo $ECHOOPT "                   SOLARIS | NONE}     verify file property values. (Default is NONE)"
	echo $ECHOOPT "         --propupd [file | directory | Update the entire file properties database,"
	echo $ECHOOPT "                    package]...        or just for the specified entries"
	echo $ECHOOPT "     -q, --quiet                       Quiet mode (no output at all)"
	echo $ECHOOPT "  --rwo, --report-warnings-only        Show only warning messages"
	echo $ECHOOPT "   --sk, --skip-keypress               Don't wait for a keypress after each test"
	echo $ECHOOPT "         --summary                     Show the summary of system check results"
	echo $ECHOOPT "                                       (This is the default)"
	echo $ECHOOPT "         --syslog [facility.priority]  Log the check start and finish times to syslog"
	echo $ECHOOPT "                                       (Default level is $SYSLOG_DFLT_PRIO)"
	echo $ECHOOPT "         --tmpdir <directory>          Use the specified temporary directory"
	echo $ECHOOPT "         --unlock                      Unlock (remove) the lock file"
	echo $ECHOOPT "         --update                      Check for updates to database files"
	echo $ECHOOPT "   --vl, --verbose-logging             Use verbose logging (on by default)"
	echo $ECHOOPT "     -V, --version                     Display the version number, then exit"
	echo $ECHOOPT "         --versioncheck                Check for latest version of program"
	echo $ECHOOPT "     -x, --autox                       Automatically detect if X is in use"
	echo $ECHOOPT "     -X, --no-autox                    Do not automatically detect if X is in use"
	echo $ECHOOPT ""

	return
}


######################################################################
#
# Initialisation
#
######################################################################


#
# Unfortunately, for the Korn shell if we are debugging then
# we need to enable tracing in each of the functions.
#

if [ $DEBUG_OPT -eq 1 -a "${MYSHELL}" = "ksh" ]; then
	RKHTMPVAR=`typeset +f`

	for RKHTMPVAR2 in ${RKHTMPVAR}; do
		typeset -ft ${RKHTMPVAR2}
	done
fi

#
# We reset the SIGPIPE signal to its default
# to try and avoid any output write errors.
#

trap - 13 >/dev/null 2>&1


#
# Initialise the variables used throughout the program.
#

PROGRAM_NAME="Rootkit Hunter"
PROGRAM_version="1.4.0"
PROGRAM_copyright_owner="Michael Boelen"
PROGRAM_copyright="Copyright (c) 2003-2012, ${PROGRAM_copyright_owner}"
PROGRAM_blurb="
Currently under active development by the ${PROGRAM_NAME} project team.
Please review your rkhunter.conf before using.
Please review the documentation before posting bug reports or questions.
To report bugs, obtain updates, or provide patches or comments, please go to:
http://rkhunter.sourceforge.net

To ask questions about rkhunter, please use the rkhunter-users mailing list.
Note this is a moderated list: please subscribe before posting.

${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the
terms of the GNU General Public License. See the LICENSE file for details.
"
PROGRAM_license="
${PROGRAM_NAME} ${PROGRAM_version}, ${PROGRAM_copyright}
${PROGRAM_blurb}
"

# Set to run as a cron job.
CRONJOB=0
CHECK=0

# Set to display the logfile at the end.
CATLOGFILE=0

NOLOG=0
RKHLOGFILE=""
DFLT_LOGFILE="/var/log/rkhunter.log"

# Set to have the logfile appended to rather than overwritten.
APPEND_LOG=0
APPEND_OPT=0

# Set to have the logfile copied if there was an error.
COPY_LOG_ON_ERROR=0

# Set to have rkhunter start/finish messages, and warnings,
# logged to syslog. The priority/severity can be set on the
# command-line or in the configuration file.
USE_SYSLOG=""
SYSLOG_DFLT_PRIO="authpriv.notice"

# By default do not send a mail-on-warning message.
NOMOW=0
MAILONWARNING=""

HASH_FUNC=""
OLD_HASH_FUNC=""
PKGMGR=""
OLD_PKGMGR=""
OLD_ATTRUPD=""
HASH_OPT=0
SHA_SIZE=0
HASH_FLD_IDX=1
PROP_DIR_LIST=""
PROP_FILE_LIST=""
PROP_FILE_LIST_COUNT=0
PROP_FILE_LIST_TOTAL=0

PRELINKED=0
PRELINK_CMD=""
PRELINK_HASH=""
PKGMGR_MD5_HASH=""
MD5_CMD=""
EPOCH_DATE_CMD=""
PKGMGRNOVRFY=""

UPDATE=0
PROP_UPDATE=0
PROPUPD_OPT=""
VERSIONCHECK=0

# By default use coloured output.
COLORS=1
CLRSET2=0

# Are whitelisted results to be shown as white?
WLIST_IS_WHITE=0

# Set to automatically detect if X is in use, and
# hence use the second colour set.
AUTO_X_DTCT=0
AUTO_X_OPT=0

# Set to be quiet. No output, but the return code will be set.
QUIET=0

# Set to only show warnings.
SHOWWARNINGSONLY=0

# This will be set if the file properties hash value check
# or the file attributes check is to be performed.
HASH_CHECK_ENABLED=0
SKIP_HASH_MSG=0

# Users can reset this to a new temporary directory.
RKHTMPDIR=""

# Users can reset this to a new database directory.
DB_PATH=""

# Users can reset this to a new configuration file.
CONFIGFILE=""

# Users cannnot reset this. The local config file must
# be in the same directory as the main config file.
LOCALCONFIGFILE=""

# This will be set similar to the current root PATH. Users can
# include new command directories to use as well.
BINPATHS=""
DFLT_BINPATHS="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
BINDIR_OPT=0

# Default 'id' command. Solaris may reset this.
ID_CMD="id"

# Set if we don't want to wait for a keypress after each test.
SKIP_KEY_PRESS=0

# Does 'grep' need an extra option to check binary files?
GREP_OPT=""

# Set the O/S type if necessary.
BSDOS=0
SUNOS=0
IRIXOS=0
MACOSX=0
LINUXOS=0

case "${OPERATING_SYSTEM}" in
Linux)
	LINUXOS=1
	;;
*BSD|DragonFly)
	BSDOS=1
	HASH_FLD_IDX=4
	GREP_OPT="-a"
	;;
SunOS)
	SUNOS=1
	;;
IRIX*)
	IRIXOS=1
	;;
Darwin)
	MACOSX=1
	;;
esac

# This will be set if the local host or O/S has changed in some way.
OS_CHANGED=0

# By default we want a warning if the O/S has changed.
WARN_ON_OS_CHANGE=1

# If set, then automatically perform a properties update if the O/S changes.
UPDT_ON_OS_CHANGE=0

# These SSH options can only be set in the configuration file.
ALLOW_SSH_PROT_V1=0
ALLOW_SSH_ROOT_USER=""
SSH_CONFIG_DIR=""

# These syslog options can only be set in the configuration file.
ALLOW_SYSLOG_REMOTE_LOGGING=0
SYSLOG_CONFIG_FILE=""

# Set check counters to be used by the summary.
ROOTKIT_COUNT=0
ROOTKIT_FAILED_COUNT=0
ROOTKIT_FAILED_NAMES=""

PROP_FAILED_COUNT=0
SUMMARY_PROP_REQCMDS=0

APPS_COUNT=0
APPS_TOTAL_COUNT=0
APPS_FAILED_COUNT=0

# Timers for the system check.
BEGINTIME=0
TOTAL_SCANTIME=""

# This will be set if a warning message is logged.
WARNING_COUNT=0

# Ksyms or kallsyms file used in some checks.
KSYMS_FILE=""

# Record for logging the command-line being used.
CMD_LINE="$0 $*"

# Create a spaced-separated PATH variable.
RKHROOTPATH=`echo ${PATH} | tr ':' ' '`

# List of commands used during RKH. If a command does not exist, then
# the code may use an alternative method.
CMDLIST="basename diff dirname file find ifconfig ip ldd lsattr lsmod lsof mktemp netstat perl pgrep ps pwd readlink stat strings"

# Commands that are required to exist for RKH to run. The absolutely
# required commands are tested early on using just the root PATH. Then
# BINDIR is checked, and finally the rest of the commands are then
# checked using the new PATH from BINDIR.
ABSOLUTELY_REQUIRED_CMDS="cut egrep grep sed tail tr"
REQCMDS="awk cat chmod chown cp cut date egrep grep head ls mv sed sort tail touch tr uname uniq wc"

# List of commands used to download files from the web. This list is 
# used by the '--update' and '--versioncheck' options. Preferred commands
# are listed first. This can be overridden by the config file.
WEBCMDLIST="wget curl elinks links lynx bget GET"

RKHWEBCMD=""
RKHWEBCMD_OPTS=""
RKHWEBCMD_BASE=""

HOST_NAME=""

# This is the return code for the program actions - update, check, etc.
# Its value may either be 0 (no error) or 1 (an error occurred).
# The '--versioncheck' option may set the return code to 2 to
# indicate that an update is available.
# The '--update' option may set the return code to 2 to
# indicate that an update occurred.
RET_CODE=0

# Initially there is no language, this will be set later.
LANGUAGE=""
UPDATE_LANG=""

LOCALE_CMD=""
ICONV_CMD=""
RKHCHRMAP=""
RKHCHKLOCALE=0

# A space-separated list of test names we recognise.
KNOWN_TESTS="strings properties hashes scripts immutable attributes
	     deleted_files packet_cap_apps apps rootkits known_rkts
	     additional_rkts malware local_host network passwd_changes
	     group_changes possible_rkts possible_rkt_files possible_rkt_strings
	     system_commands shared_libs shared_libs_path running_procs
	     hidden_procs trojans other_malware os_specific startup_malware
	     startup_files group_accounts system_configs filesystem suspscan
	     ports hidden_ports promisc loaded_modules avail_modules"

# A space-separated list of test 'group names'. This list allows test
# names to be grouped together. For example, 'system_commands' can include
# the specific tests of 'strings' and 'hashes'. Both test
# group names, and specific test names, can be used with the test
# enable/disable options. In this list group names are colon-separated
# from the specific test names.
#
GROUPED_TESTS="system_commands:properties:strings:hashes:scripts:shared_libs:shared_libs_path:immutable:attributes
	       properties:hashes:scripts:immutable:attributes
	       shared_libs:shared_libs_path
	       rootkits:known_rkts:additional_rkts:possible_rkts:possible_rkt_files:possible_rkt_strings:malware:running_procs:hidden_procs:deleted_files:trojans:other_malware:os_specific:suspscan:loaded_modules:avail_modules
	       additional_rkts:possible_rkts:possible_rkt_files:possible_rkt_strings
	       possible_rkts:possible_rkt_files:possible_rkt_strings
	       network:packet_cap_apps:ports:hidden_ports:promisc
	       malware:running_procs:hidden_procs:deleted_files:suspscan:other_malware
	       local_host:startup_files:passwd_changes:group_changes:startup_malware:group_accounts:system_configs:filesystem
	       startup_files:startup_malware
	       os_specific:loaded_modules:avail_modules
	       group_accounts:passwd_changes:group_changes"

# A comma-separated list of rootkits we check for.
# NOTE: This is a COMMA separated list. Any single quotes need to be handled specially - i.e.
# put between double-quotes.
KNOWN_ROOTKITS='55808 Trojan - Variant A, AjaKit, aPa Kit, Adore, Apache Worm, Ambient (ark),
  Balaur, BeastKit, beX2, BOBKit, Boonana (Koobface.A), cb, CiNIK Worm (Slapper.B variant), CX,
  Danny-Boy'"'"'s Abuse Kit, Devil, Dica, Dreams, Duarawkz, Enye LKM, Flea Linux, FreeBSD, Fu,
  Fuck`it, GasKit, Heroin LKM, HjC Kit, ignoKit, iLLogiC, Inqtana-A, Inqtana-B, Inqtana-C,
  IntoXonia-NG, Irix, Jynx, KBeast, Kitko, Knark, ld-linuxv.so, Li0n Worm, Lockit/LJK2, Mood-NT, MRK, Ni0,
  Ohhara, Optic Kit (Tux), OSXRK, Oz, Phalanx, Phalanx2, Portacelo, R3dstorm Toolkit,
  RH-Sharpe'"'"'s, RSHA'"'"'s, Scalper Worm, Shutdown, SHV4, SHV5, Sin, SInAR, Slapper,
  Sneakin, Solaris Wanuk, Spanish, Suckit, SunOS / NSDAP, SunOS Rootkit, Superkit, TBD (Telnet BackDoor),
  TeLeKiT, Togroot, T0rn, trNkit, Trojanit Kit, Turtle2, Tuxtendo, URK, Vampire, VcKit, Volc, w00tkit,
  weaponX, Xzibit, X-Org SunOS, zaRwT.KiT, ZK'

# A space-separated list of perl modules that may be required.
LIST_MODULES="File::stat Getopt::Long Crypt::RIPEMD160 Digest::MD5 Digest::SHA Digest::SHA1 Digest::SHA256
	      Digest::SHA::PurePerl Digest::Whirlpool LWP URI HTTP::Status HTTP::Date Socket Carp"

# The program defaults of which tests to perform will be set later.
ENABLE_TESTS=""
DISABLE_TESTS=""
CL_ENABLE_TESTS=""
CL_DISABLE_TESTS=""
CONFIG_DISABLE_TESTS=""

# These get set if the '--enable' or '--disable' command-line options have been used.
ENDIS_OPT=0
ENABLE_OPT=0

# This gets set to zero if the '--nocf' command-line option is used.
USECF=1

# This gets set if the '--list' command-line option is used.
LIST_OPT=""

# Space-filled line used for the display function.
BLANK_LINE="                                                              "

# Initially say that we are connected to a terminal.
NOTTY=0

# By default show the system check summary.
SHOW_SUMMARY=1
SHOW_SUMMARY_OPT=0

# By default log most things that are checked.
VERBOSE_LOGGING=1

# We copy the original IFS value, and set RKHIFS to space, tab, newline.
# IFSNL is set to just a newline.
ORIGIFS=$IFS
RKHIFS=" 	
"
IFSNL="
"
IFS=$RKHIFS

# No default set for the system startup files and directories.
STARTUP_PATHS=""
STARTUP_PATHS_LOGGED=0

# Set a default for the inetd configuration file.
INETD_CONF_PATH="/etc/inetd.conf"
INETDALLOWEDSVCS=""

# Set a default for the xinetd configuration file.
XINETD_CONF_PATH="/etc/xinetd.conf"
XINETDALLOWEDSVCS=""

# Set if only the '--update' option is used.
UPDATE_ONLY=0

# Set if UPDATE_ONLY is set, and some language files are missing.
RKHLANGUPDT=0

# By default we rotate the mirrors in the mirrors.dat file,
# and we update the file when the '--update' option is used.
# The default MIRRORS_MODE is set such that we use both local
# and remote mirrors.
ROTATE_MIRRORS=1
UPDATE_MIRRORS=1
MIRRORS_MODE=0

# By default suspscan verbose logging should be initialised and off.
SUSPSCAN_DEBUG=0

# SELinux runcon usage as determined by get_if_prelinked.
USE_RUNCON=0
SELINUX_ENABLED=0

# These get set if any network ports are to be whitelisted.
PORT_WHITELIST=""
PORT_WHITELIST_PATH=""
PORT_WHITELIST_ALL_TRUSTED=0

# This will be set to the shadow file location if required.
SHADOW_FILE=""
HAVE_TCB_SHADOW=0

# The O/S 'release' file location.
OS_VERSION_FILE=""

# By default no rootkit files or directories are whitelisted.
RTKT_DIR_WHITELIST=""
RTKT_FILE_WHITELIST=""

# The full pathname of the 'rkhunter.dat' file.
RKHDAT_FILE=""

# The full pathname of the 'rkhunter_prop_list.dat' file.
RKH_FILEPROP_LIST=""

# This gets set if we have a working readlink command.
HAVE_READLINK=0

# By default no commands are to be exempt from dependency errors.
PRELINK_DEP_ERR_CMDS=""

# User provided files/dirs for the file properties check.
USER_FILE_LIST=""
USER_SIMPLE_FILE_LIST=""
USER_DIR_LIST=""
USER_EXCLUDE_PROP=""

# This gets set if any shared libraries are to be whitelisted.
SHARED_LIB_WHITELIST=""

# If used, these lock values must be set in the config file.
USE_LOCKING=0
LOCK_TIMEOUT=0
SHOW_LOCK_MSGS=1

# This gets set if the '--unlock' command-line option is used.
UNLOCK=0

# This gets set if any files or directories need
# whitelisting from 'existence' checks.
EXISTWHITELIST=""

# This will be set if we are just doing a config file check.
CONFIG_CHECK=0


######################################################################
#
# Command-line option processing
#
######################################################################


#
# Display the help menu if no options were given.
#

if [ $# -eq 0 ]; then
	help
	exit 0
fi


#
# Check the command-line options. If set, these will override the
# configuration file options.
#

while [ $# -ge 1 ]; do
	case "$1" in
	--append-log | --appendlog)
		APPEND_LOG=1
		APPEND_OPT=1
		;;
	--bindir)
		RKHTMPVAR="$2"

		case "${RKHTMPVAR}" in
		"")
			;;
		-*)
			RKHTMPVAR=""
			;;
		*)
			shift
			BINPATHS="${BINPATHS} ${RKHTMPVAR}"
			BINDIR_OPT=1
			;;
		esac

		if [ -z "${RKHTMPVAR}" ]; then
			echo "No command directories specified with '--bindir' option."
			exit 1
		fi
		;;
	-c | --check | --checkall | --check-all)
		CHECK=1
		;;
	-C | --config-check | --configcheck | --check-config | --checkconfig)
		CONFIG_CHECK=1
		;;
	--configfile)
		CONFIGFILE=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			CONFIGFILE="$1"
			;;
		esac

		if [ -z "${CONFIGFILE}" ]; then
			echo "No configuration file specified with '--configfile' option."
			exit 1
		fi
		;;
	--cronjob)
		CHECK=1
		CRONJOB=1
		COLORS=0
		SKIP_KEY_PRESS=1
		;;
	--cs2 | --colorset2 | --color-set2)
		CLRSET2=1
		;;
	--dbdir)
		DB_PATH=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			DB_PATH="$1"
			;;
		esac

		if [ -z "${DB_PATH}" ]; then
			echo "No database directory specified with '--dbdir' option."
			exit 1
		fi
		;;
	--debug)
		SKIP_KEY_PRESS=1
		;;
	--display-logfile | --displaylogfile | --display-log | --displaylog)
		CATLOGFILE=1
		;;
	--disable)
		RKHTMPVAR="$2"

		case "${RKHTMPVAR}" in
		"")
			;;
		-*)
			RKHTMPVAR=""
			;;
		*)
			shift
			ENDIS_OPT=1
			CL_DISABLE_TESTS="${CL_DISABLE_TESTS} ${RKHTMPVAR}"
			;;
		esac

		if [ -z "${RKHTMPVAR}" ]; then
			echo "No tests specified with '--disable' option."
			exit 1
		fi
		;;
	--enable)
		RKHTMPVAR="$2"

		case "${RKHTMPVAR}" in
		"")
			;;
		-*)
			RKHTMPVAR=""
			;;
		*)
			shift
			ENDIS_OPT=1
			ENABLE_OPT=1
			CL_ENABLE_TESTS="${CL_ENABLE_TESTS} ${RKHTMPVAR}"
			;;
		esac

		if [ -z "${RKHTMPVAR}" ]; then
			echo "No tests specified with '--enable' option."
			exit 1
		fi
		;;
	--hash)
		HASH_FUNC=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			HASH_FUNC="$1"
			HASH_OPT=1
			;;
		esac

		if [ -z "${HASH_FUNC}" ]; then
			echo "No hash function specified with '--hash' option."
			exit 1
		fi
		;;
	-h | --help)
		help
		exit 0
		;;
	-l | --log | --logfile | --createlogfile | --createlog | --create-log | --create-logfile)
		RKHLOGFILE="${DFLT_LOGFILE}"

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			RKHLOGFILE="$1"
			;;
		esac
		;;
	--lang | --language)
		LANGUAGE=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			LANGUAGE="$1"
			;;
		esac

		if [ -z "${LANGUAGE}" ]; then
			echo "No language specified with '$1' option."
			exit 1
		fi
		;;
	--list)
		case "$2" in
		test | tests | check | checks)
			shift
			LIST_OPT="${LIST_OPT} tests "
			;;
		lang | langs | language | languages)
			shift
			LIST_OPT="${LIST_OPT} languages "
			;;
		rootkit | rootkits)
			shift
			LIST_OPT="${LIST_OPT} rootkits "
			;;
		perl | modules)
			shift
			LIST_OPT="${LIST_OPT} perl "
			;;
		propfiles)
			shift
			LIST_OPT="${LIST_OPT} propfiles "
			;;
		"")
			LIST_OPT="${LIST_OPT} tests languages rootkits perl "
			;;
		*)
			echo "Invalid '--list' option specified: $2"
			exit 1
			;;
		esac
		;;
	--noappend-log | --no-append-log | --noappendlog)
		APPEND_LOG=0
		APPEND_OPT=1
		;;
	--nocf)
		USECF=0
		;;
	--nocolors | --no-colors | --nocolor | --no-color)
		COLORS=0
		;;
	--nolog | --no-log)
		RKHLOGFILE="/dev/null"
		;;
	--nomow | --no-mow | --no-mailonwarning | --no-mail-on-warning)
		NOMOW=1
		;;
	--novl | --noverboselogging | --no-verbose-logging)
		VERBOSE_LOGGING=0
		;;
	--ns | --nosummary | --no-summary)
		SHOW_SUMMARY=0
		SHOW_SUMMARY_OPT=1
		;;
	--pkgmgr)
		PKGMGR=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			PKGMGR="$1"
			;;
		esac

		if [ -z "${PKGMGR}" ]; then
			echo "No package manager specified with '--pkgmgr' option."
			exit 1
		fi
		;;
	--propupd | --prop-update | --propupdate | --properties-update | --hashupd)
		PROP_UPDATE=1
		PROPUPD_OPT=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			PROPUPD_OPT="$1"
			;;
		esac
		;;
	-q | --quiet)
		QUIET=1
		;;
	--rwo | --swo | --report-warnings-only | --show-warnings-only)
		QUIET=1
		SHOWWARNINGSONLY=1
		;;
	-r | --rootdir)
		echo "The '$1' option is now deprecated."
		shift
		;;
	-sk | --sk | --skip-keypress | --skipkeypress)
		SKIP_KEY_PRESS=1
		;;
	--summary)
		SHOW_SUMMARY=1
		SHOW_SUMMARY_OPT=1
		;;
	--syslog)
		USE_SYSLOG="${SYSLOG_DFLT_PRIO}"

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			USE_SYSLOG="$1"
			;;
		esac
		;;
	--tmpdir)
		RKHTMPDIR=""

		case "$2" in
		"")
			;;
		-*)
			;;
		*)
			shift
			RKHTMPDIR="$1"
			;;
		esac

		if [ -z "${RKHTMPDIR}" ]; then
			echo "No temporary directory specified with '--tmpdir' option."
			exit 1
		fi
		;;
	--unlock)
		UNLOCK=1
		;;
	--update)
		UPDATE=1
		;;
	--vl | --verboselogging | --verbose-logging)
		VERBOSE_LOGGING=1
		;;
	-V | --version)
		echo "${PROGRAM_NAME} ${PROGRAM_version}"
		echo "${PROGRAM_blurb}"
		exit 0
		;;
	--versioncheck)
		VERSIONCHECK=1
		;;
	-x | --autox)
		AUTO_X_OPT=1
		AUTO_X_DTCT=1
		;;
	-X | --no-autox)
		AUTO_X_OPT=1
		AUTO_X_DTCT=0
		;;
	*)
		echo "Invalid option specified: $1"
		exit 1
		;;
	esac

	shift
done


#
# We check that we are root. If we are not, then only the
# help and version command-line options are valid.
#

if [ $SUNOS -eq 1 ]; then
	test -x "/usr/xpg4/bin/id" && ID_CMD="/usr/xpg4/bin/id"
fi

RKHTMPVAR=`${ID_CMD} -u 2>/dev/null`

if [ "${RKHTMPVAR}" != "0" -a "${RKHTMPVAR}" != "root" ]; then
	echo "You must be the root user to run this program."
	exit 1
fi


#
# We need to see if we are to run a check before we get to the
# configuration file processing code. Basically if either of the
# '--enable' or '--disable' options are used, and this is not a
# property update run, then we will do a check. For update runs
# only the 'hashes' or 'attributes' tests are likely to be named.
#

if [ $ENDIS_OPT -eq 1 ]; then
	CL_ENABLE_TESTS=`echo ${CL_ENABLE_TESTS}`
	CL_DISABLE_TESTS=`echo ${CL_DISABLE_TESTS}`

	# The '--nocf' option is only for disabled tests.
	test -z "${CL_DISABLE_TESTS}" && USECF=1

	test $PROP_UPDATE -eq 0 && CHECK=1
else
	USECF=1
fi


#
# See if only the '--update' option has been used.
#

test $UPDATE -eq 1 -a $CHECK -eq 0 -a $PROP_UPDATE -eq 0 -a $VERSIONCHECK -eq 0 && UPDATE_ONLY=1


#
# Before going too much further we need to ensure that some basic
# commands are present on the system. We cannot do this using
# the BINDIR option because that requires processing the configuration
# file, which in turn requires the commands we want to check on. As
# such we use the default command directory list. We do not assign
# these commands to variables, but will do for other commands which we
# look for later on.
#

check_required_commands 1


######################################################################
#
# Configuration file processing
#
######################################################################


#
# Now we check for the configuration file. We then see if there is a
# local configuration file present in the same directory, and finally
# check the various options within them.
#
# NOTE: Do not change the format of the following 'if' statement.
# The installer script will modify it directly during installation.
#

if [ -z "${CONFIGFILE}" ]; then
	if [ -f /etc/rkhunter.conf ]; then
		CONFIGFILE="/etc/rkhunter.conf"
	else
		CONFIGFILE="/usr/local/etc/rkhunter.conf"
	fi
fi

if [ ! -f "${CONFIGFILE}" ]; then
	echo "Unable to find configuration file: ${CONFIGFILE}"
	exit 1
elif [ ! -r "${CONFIGFILE}" ]; then
	echo "Configuration file is not readable: ${CONFIGFILE}"
	exit 1
elif [ ! -s "${CONFIGFILE}" ]; then
	echo "Configuration file is empty: ${CONFIGFILE}"
	exit 1
fi

RKHTMPVAR=`echo "${CONFIGFILE}" | sed -e 's:/[^/]*$::'`

test -f "${RKHTMPVAR}/rkhunter.conf.local" && LOCALCONFIGFILE="${RKHTMPVAR}/rkhunter.conf.local"

get_configfile_options

#
# If we are doing a configuration file
# check, then this is as far as we go.
#

if [ $CONFIG_CHECK -eq 1 ]; then
	do_config_check
	exit $RET_CODE
fi


######################################################################
#
# Option processing
#
######################################################################


#
# Next we check some of the options to make sure we can proceed. We
# also set up some final variables based on the combination of options
# we have been given.
#

#
# First we process the '--list' option if it has been given.
#

if [ -n "${LIST_OPT}" ]; then
	for RKHTMPVAR in ${LIST_OPT}; do
		case "${RKHTMPVAR}" in
		tests)
			display_tests
			;;
		languages)
			display_languages
			;;
		perl)
			display_perl_modules
			;;
		propfiles)
			display_propfiles
			;;
		*)
			display_rootkits
			;;
		esac
	done

	exit 0
fi


#
# Next we must see if we are doing an update only, and if there were
# some language file problems. If so, then we must not log or display
# anything.
#

if [ $RKHLANGUPDT -eq 1 ]; then
	QUIET=1
	COLORS=0
	RKHLOGFILE="/dev/null"
fi


#
# If the logfile has been disabled, then we cannot let the
# program run when certain options are used. If we did, the user
# would see no output and might assume that all was well.
#

if [ "${RKHLOGFILE}" = "/dev/null" ]; then
	NOLOG=1
	VERBOSE_LOGGING=0
	COPY_LOG_ON_ERROR=0

	if [ $SHOWWARNINGSONLY -eq 1 ]; then
		echo "The logfile has been disabled - unable to report warnings."
		exit 1
	elif [ $CATLOGFILE -eq 1 ]; then
		echo "The logfile has been disabled - unable to display the log file."
		exit 1
	fi
fi


#
# Set up the colors to be used.
#

if [ $COLORS -eq 1 ]; then
	NORMAL="[0;39m"		# Foreground colour to default

	if [ $CLRSET2 -eq 0 ]; then
		RED="[1;31m"		# Bright red
		GREEN="[1;32m"	# Bright green
		YELLOW="[1;33m"	# Bright yellow
		WHITE="[1;37m"	# White
	else
		RED="[1;31m"		# Bright red
		GREEN="[0;32m"	# Green
		YELLOW="[0;35m"	# Purple
		WHITE="[0;30m"	# Black
	fi
fi


if [ $CHECK -eq 1 ]; then
	#
	# Check if we have a ksyms or kallsyms file.
	#

	if [ -f "/proc/ksyms" ]; then
		KSYMS_FILE="/proc/ksyms"
	elif [ -f "/proc/kallsyms" ]; then
		KSYMS_FILE="/proc/kallsyms"
	fi

	#
	# Check to make sure that the symbols are readable
	# as certain security frameworks hide this.
	#

	if [ -z "`head ${HEAD_OPT}1 /proc/kallsyms 2>/dev/null`" ]; then
		KSYMS_FILE=""
	fi
fi


if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 ]; then
	if [ -e ${RKHDAT_FILE} ]; then
		if [ -h ${RKHDAT_FILE} ]; then
			echo "The rkhunter.dat file is a symbolic link: ${RKHDAT_FILE}"
			echo "This is a security problem. The link points to another file, and that file may be modified by rkhunter."
			exit 1
		elif [ ! -f ${RKHDAT_FILE} ]; then
			echo "The rkhunter.dat file is not a file: ${RKHDAT_FILE}"
			exit 1
		fi
	fi

	if [ -e ${RKH_FILEPROP_LIST} ]; then
		if [ -h ${RKH_FILEPROP_LIST} ]; then
			echo "The rkhunter_prop_list.dat file is a symbolic link: ${RKH_FILEPROP_LIST}"
			echo "This is a security problem. The link points to another file, and that file may be modified by rkhunter."
			exit 1
		elif [ ! -f ${RKH_FILEPROP_LIST} ]; then
			echo "The rkhunter_prop_list.dat file is not a file: ${RKH_FILEPROP_LIST}"
			exit 1
		fi
	fi


	#
	# Check if the file properties option has been set. If so, then
	# check that the files and directories are valid. Once that has
	# been done, we can then set up the file properties check directories
	# and file names.
	#

	if [ -n "${PROPUPD_OPT}" ]; then
		if [ ! -f ${RKHDAT_FILE} ]; then
			echo "The file properties file does not exist: ${RKHDAT_FILE}"
			exit 1
		fi

		LEAVE=0
		RKHTMPVAR=""

		PROPUPD_OPT=`echo "${PROPUPD_OPT}" | tr ',' ' ' | tr -s '	 ' '  '`
		test "${PROPUPD_OPT}" = " " -o "${PROPUPD_OPT}" = "/" && PROPUPD_OPT=""

		for FNAME in ${PROPUPD_OPT}; do
			if [ -n "`echo \"${FNAME}\" | grep ':'`" ]; then
				# Filename contains ':'
				LEAVE=1
				echo "Invalid file or package name specified: ${FNAME}"
			elif [ -n "`echo \"${FNAME}\" | grep '^[^/].*/'`" ]; then
				# Filename is relative
				LEAVE=1
				echo "Relative file or directory name specified: ${FNAME}"
			elif [ -n "`echo \"${FNAME}\" | grep '^/'`" ]; then
				# Filename is absolute
				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.[]\)/\\\\\1/g'`

				RKHTMPVAR2=`grep "^File:${FNAMEGREP}:" ${RKHDAT_FILE} 2>/dev/null | cut -d: -f2 | tr '\n' ' '`

				if [ -z "${RKHTMPVAR2}" ]; then
					if [ -d "${FNAME}" ]; then
						# Filename is a directory
						RKHTMPVAR2=`grep "^File:${FNAMEGREP}/[^:]*:" ${RKHDAT_FILE} 2>/dev/null | cut -d: -f2 | tr '\n' ' '`

						if [ -n "${RKHTMPVAR2}" ]; then
							RKHTMPVAR="${RKHTMPVAR} ${RKHTMPVAR2}"
						else
							LEAVE=1
							echo "Directory is not in the \"rkhunter.dat\" file: ${FNAME}"
						fi
					else
						LEAVE=1
						echo "Filename is not in the \"rkhunter.dat\" file: ${FNAME}"
					fi
				else
					RKHTMPVAR="${RKHTMPVAR} ${RKHTMPVAR2}"
				fi
			else
				# Filename could be a package name
				# The package names are in field 10 in the rkhunter.dat file
				FNAMEGREP=`echo "${FNAME}" | sed -e 's/\([.[]\)/\\\\\1/g'`

				RKHTMPVAR2=`grep "^File:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:${FNAMEGREP}:" ${RKHDAT_FILE} 2>/dev/null | cut -d: -f2 | tr '\n' ' '`

				if [ -z "${RKHTMPVAR2}" ]; then
					# Filename is just a plain filename
					RKHTMPVAR2=`grep "^File:[^:]*/${FNAMEGREP}:" ${RKHDAT_FILE} 2>/dev/null | cut -d: -f2 | tr '\n' ' '`

					if [ -n "${RKHTMPVAR2}" ]; then
						RKHTMPVAR="${RKHTMPVAR} ${RKHTMPVAR2}"
					else
						LEAVE=1
						echo "File or package name is not in the \"rkhunter.dat\" file: ${FNAME}"
					fi
				else
					RKHTMPVAR="${RKHTMPVAR} ${RKHTMPVAR2}"
				fi
			fi
		done

		if [ $LEAVE -eq 0 ]; then
			PROPUPD_OPT=""
			test -n "${RKHTMPVAR}" && PROPUPD_OPT=" ${RKHTMPVAR} "
		else
			exit 1
		fi
	fi

	if `check_test properties` || test $PROP_UPDATE -eq 1; then
		set_file_prop_dirs_files
	fi


	#
	# We need to record the previously used
	# hash function and package manager.
	#

	if [ -s ${RKHDAT_FILE} ]; then
		OLD_HASH_FUNC=`grep '^Hash:' ${RKHDAT_FILE} | cut -d: -f2-`

		OLD_PKGMGR=`grep '^Pkgmgr:' ${RKHDAT_FILE} | cut -d: -f2`

		OLD_ATTRUPD=`grep '^Attributes:' ${RKHDAT_FILE} | cut -d: -f2`
	fi
fi


if [ $PROP_UPDATE -eq 1 -a $PRELINKED -eq 1 -a -z "${PKGMGR}" -a "${HASH_FUNC}" != "NONE" ]; then
	#
	# For a hash update on a prelinked system, we must have
	# a valid hash function to use. The package managers use
	# an MD5 hash function by default.
	#

	if [ -z "${PRELINK_HASH}" ]; then
		if [ -z "`echo \"${HASH_FUNC}\" | egrep '(/filehashsha\.pl Digest::MD5|/filehashsha\.pl .* 1$|shasum -a 1$)'`" ]; then
			RKHTMPVAR=`echo "${HASH_FUNC}" | cut -d' ' -f1`

			if [ -z "`echo ${RKHTMPVAR} | egrep -i 'sha1|md5'`" ]; then
				if [ $HASH_OPT -eq 1 ]; then
					echo "This system uses prelinking, but the '--hash' option (${HASH_FUNC}) does not look like SHA1 or MD5."
				else
					echo "This system uses prelinking, but the hash function (${HASH_FUNC}) does not look like SHA1 or MD5."
				fi

				exit 1
			fi
		fi
	fi
fi


#
# For the update and versioncheck options, we need to make sure
# we have a command capable of downloading files from the web.
# The first command found is used, unless it has been set in
# the configuration file.
#

if [ $UPDATE -eq 1 -o $VERSIONCHECK -eq 1 ]; then
	if [ -z "${RKHWEBCMD}" ]; then
		FOUND=0

		for CMD in ${WEBCMDLIST}; do
			#
			# Ignore perl commands if perl is not present, or if
			# certain modules are not present.
			#

			if [ "${CMD}" = "GET" ]; then
				test -z "${PERL_CMD}" && continue

				RKHTMPVAR=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl LWP URI HTTP::Status HTTP::Date Getopt::Long 2>&1 | grep 'NOT'`

				test -n "${RKHTMPVAR}" && continue
			elif [ "${CMD}" = "bget" ]; then
				test -z "${PERL_CMD}" && continue

				RKHTMPVAR=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl Socket Carp 2>&1 | grep 'NOT'`

				test -n "${RKHTMPVAR}" && continue
			fi


			RKHTMPVAR=`find_cmd ${CMD}`

			if [ -n "${RKHTMPVAR}" ]; then
				FOUND=1
				RKHWEBCMD="${RKHTMPVAR}"
				RKHWEBCMD_BASE="${CMD}"
				break
			fi
		done

		if [ $FOUND -eq 0 ]; then
			echo "The '--update' and '--versioncheck' options require a command able to"
			echo "download files from the web. No such command can be found on the system."
			echo "Examples of commands that could be used are: ${WEBCMDLIST}"
			exit 1
		fi
	fi
fi


#
# If no option is given for the program to action, then say so and exit.
#

if [ $CHECK -eq 0 -a $VERSIONCHECK -eq 0 -a $UPDATE -eq 0 -a $PROP_UPDATE -eq 0 -a $UNLOCK -eq 0 ]; then
	echo "You must enter an option for the program to perform."
	echo "Type in 'rkhunter --help' to see the available options,"
	echo "or read the rkhunter man page."
	exit 1
fi


#
# Handle any locking straight away.
#

if [ $UNLOCK -eq 1 ]; then
	rm -f ${RKHTMPDIR}/rkhunter.LCK >/dev/null 2>&1

	# If we are just unlocking the lock file, then exit.
	test $CHECK -eq 0 -a $VERSIONCHECK -eq 0 -a $UPDATE -eq 0 -a $PROP_UPDATE -eq 0 && exit 0
fi


#
# Before writing anything to the screen or log file, we need to
# set some variables.
#
# First we set whether we should be displaying anything on the
# screen or not.
#
test $CRONJOB -eq 1 -o $QUIET -eq 1 && NOTTY=1

#
# Next we get the message types and results from the language file,
# and set them to variables. We have to look in the English file since
# that is the definitive one. We then look for the corresponding keyword
# in the actual language file. This allows the language files to work
# even if we add or remove any of the TYPE or RESULT keywords.
#
IFS=$IFSNL

for LINE in `egrep '^MSG_(TYPE|RESULT)_' ${DB_PATH}/i18n/en 2>/dev/null`; do
	TYPE=`echo "${LINE}" | cut -d: -f1`

	if [ "${LANGUAGE}" != "en" ]; then
		RKHTMPVAR=`grep "^${TYPE}:" ${DB_PATH}/i18n/${LANGUAGE} 2>/dev/null`
		test -n "${RKHTMPVAR}" && LINE=`echo "${RKHTMPVAR}" | sed -e 's/\`/\\\\\`/g'`
	fi

	RKHTMPVAR=`echo "${LINE}" | cut -d: -f2-`

	eval $TYPE=\"${RKHTMPVAR}\"
done

IFS=$RKHIFS


#
# Before we touch the log file we must see if locking is being used.
#

if [ $USE_LOCKING -eq 1 ]; then
	get_lock
fi

#
# Sort out the logfile before we write to it.
#

if [ $NOLOG -eq 0 ]; then
	if [ $APPEND_LOG -eq 0 ]; then
		if [ -f "${RKHLOGFILE}" ]; then
			cp -f -p ${RKHLOGFILE} ${RKHLOGFILE}.old >/dev/null 2>&1

			# Overwrite the log file with a null string.
			if [ "${ECHON}" = "c" ]; then
				echo $ECHOOPT "\c" >${RKHLOGFILE}
			else
				echo $ECHON $ECHOOPT "" >${RKHLOGFILE}
			fi
		else
			# Create a new log file.
			touch ${RKHLOGFILE} >/dev/null 2>&1
			chmod 600 ${RKHLOGFILE} >/dev/null 2>&1
		fi
	else
		if [ ! -f "${RKHLOGFILE}" ]; then
			# Create a new log file.
			touch ${RKHLOGFILE} >/dev/null 2>&1
			chmod 600 ${RKHLOGFILE} >/dev/null 2>&1
		fi

		echo "" >>${RKHLOGFILE}
		echo "" >>${RKHLOGFILE}
	fi
fi


#
# Record the hostname. This will be used at several points
# throughout the program. A specific test will specify if
# a hostname has been found or not, so we don't need to
# do anything special here.
#

HOST_NAME=`hostname 2>/dev/null`
test -z "${HOST_NAME}" && HOST_NAME=`uname -n 2>/dev/null`
test -z "${HOST_NAME}" && HOST_NAME="${HOSTNAME}"
HOST_NAME=`echo ${HOST_NAME} | cut -d. -f1`


######################################################################
#
# Initial logging
#
######################################################################


#
# Write out various information messages to the logfile. The first
# set of messages can be skipped if no logfile is to be created.
#

display --to SCREEN --type PLAIN VERSIONLINE "${PROGRAM_NAME}" "${PROGRAM_version}"

if [ $NOLOG -eq 0 ]; then
	if [ -n "${HOST_NAME}" ]; then
		display --to LOG --type PLAIN VERSIONLINE2 "${PROGRAM_NAME}" "${PROGRAM_version}" ${HOST_NAME}
	else
		display --to LOG --type PLAIN VERSIONLINE3 "${PROGRAM_NAME}" "${PROGRAM_version}"
	fi

	display --to LOG --type INFO --nl RKH_STARTDATE "`date`"

	display --to LOG --type PLAIN --nl CONFIG_CHECK_START

	display --to LOG --type INFO OPSYS "${OPERATING_SYSTEM}"

	if [ -s ${RKHDAT_FILE} ]; then
		RKHTMPVAR=`grep '^OS:' ${RKHDAT_FILE} 2>/dev/null | sed -e 's/^OS://'`

		if [ -n "${RKHTMPVAR}" ]; then
			display --to LOG --type INFO PROPUPD_OSNAME_FOUND "${RKHTMPVAR}"
		else
			display --to LOG --type INFO UNAME "`uname -a`"
		fi
	else
		display --to LOG --type INFO UNAME "`uname -a`"
	fi

	display --to LOG --type INFO CONFIG_CMDLINE "${CMD_LINE}"

	test $DEBUG_OPT -eq 1 && display --to LOG --type INFO CONFIG_DEBUGFILE "${RKHDEBUGFILE}"

	display --to LOG --type INFO CONFIG_ENVSHELL ${SHELL} ${MYSHELL}

	display --to LOG --type INFO CONFIG_CONFIGFILE "${CONFIGFILE}"

	test -n "${LOCALCONFIGFILE}" && display --to LOG --type INFO CONFIG_LOCALCONFIGFILE "${LOCALCONFIGFILE}"

	display --to LOG --type INFO CONFIG_INSTALLDIR "${RKHINSTALLDIR}"

	display --to LOG --type INFO CONFIG_LANGUAGE "${LANGUAGE}"

	display --to LOG --type INFO CONFIG_DBDIR "${DB_PATH}"

	display --to LOG --type INFO CONFIG_SCRIPTDIR "${SCRIPT_PATH}"

	display --to LOG --type INFO CONFIG_BINDIR "${BINPATHS}"

	display --to LOG --type INFO CONFIG_TMPDIR "${RKHTMPDIR}"

	if [ $CHECK -eq 1 ]; then
		if [ $NOMOW -eq 1 ]; then
			display --to LOG --type INFO CONFIG_MOW_DISABLED
		elif [ -z "${MAILONWARNING}" ]; then
			display --to LOG --type INFO CONFIG_NO_MAIL_ON_WARN
		else
			display --to LOG --type INFO CONFIG_MAIL_ON_WARN "${MAILONWARNING}" "${MAIL_CMD}"
		fi
	fi

	test $AUTO_X_DTCT -eq 1 && display --to LOG --type INFO CONFIG_X_AUTO
	test $CLRSET2 -eq 1 && display --to LOG --type INFO CONFIG_CLRSET2

	for CMD in ${CMDLIST}; do
		RKHTMPVAR=`echo ${CMD} | tr '[:lower:]' '[:upper:]'`
		RKHTMPVAR=`eval echo "\\$${RKHTMPVAR}_CMD"`

		if [ -n "${RKHTMPVAR}" ]; then
			display --to LOG --type INFO FOUND_CMD "${CMD}" "${RKHTMPVAR}"
		else
			display --to LOG --type INFO NOT_FOUND_CMD "${CMD}"
		fi
	done

	test -n "${RKHWEBCMD}" && display --to LOG --type INFO FOUND_CMD "${RKHWEBCMD_BASE}" "${RKHWEBCMD}"
fi

if [ $PROP_UPDATE -eq 1 -o $HASH_CHECK_ENABLED -eq 1 ]; then
	if [ -z "${PKGMGR}" -a "${HASH_FUNC}" = "NONE" ]; then
		HASH_CHECK_ENABLED=0
		DISABLE_TESTS="${DISABLE_TESTS} hashes"
		display --to LOG --type INFO HASH_FUNC_DISABLED
	fi

	if [ $PRELINKED -eq 1 ]; then
		display --to LOG --type INFO SYS_PRELINK

		display --to LOG --type INFO FOUND_CMD 'prelink' "${PRELINK_CMD}"

		if [ -n "${SESTATUS_CMD}" ]; then
			display --to LOG --type INFO FOUND_CMD 'sestatus' "${SESTATUS_CMD}"

			if [ $SELINUX_ENABLED -eq 1 ]; then
				display --to LOG --type INFO SYS_SELINUX

				if [ $USE_RUNCON -eq 1 ]; then
					display --to LOG --type INFO FOUND_CMD 'runcon' "${RUNCON_CMD}"
				else
					display --to LOG --type INFO NOT_FOUND_CMD 'runcon'
				fi
			else
				display --to LOG --type INFO SYS_NO_SELINUX
			fi
		else
			display --to LOG --type INFO NOT_FOUND_CMD 'sestatus'
		fi

		if [ "${HASH_FUNC}" = "NONE" ]; then
			if [ -n "${PKGMGR}" ]; then
				display --to LOG --type INFO HASH_FUNC_NONE_PKGMGR
			else
				display --to LOG --type INFO HASH_FUNC_NONE
			fi
		elif [ -n "${PRELINK_HASH}" ]; then
			display --to LOG --type INFO HASH_FUNC_PRELINK "${PRELINK_HASH}"
		elif [ -z "`echo \"${HASH_FUNC}\" | egrep -i 'sha1|md5'`" ]; then
			SKIP_HASH_MSG=1
		else
			display --to LOG --type INFO HASH_FUNC "${HASH_FUNC}"
		fi
	else
		display --to LOG --type INFO SYS_NO_PRELINK

		if [ "${HASH_FUNC}" = "NONE" ]; then
			if [ -n "${PKGMGR}" ]; then
				display --to LOG --type INFO HASH_FUNC_NONE_PKGMGR
			else
				display --to LOG --type INFO HASH_FUNC_NONE
			fi
		elif [ -n "`echo \"${HASH_FUNC}\" | grep '/filehashsha\.pl '`" ]; then
			RKHTMPVAR=`echo "${HASH_FUNC}" | cut -d' ' -f3`

			if [ $SHA_SIZE -eq 0 ]; then
				display --to LOG --type INFO HASH_FUNC_PERL "${RKHTMPVAR}"
			else
				display --to LOG --type INFO HASH_FUNC_PERL_SHA "${RKHTMPVAR}" "SHA${SHA_SIZE}"
			fi
		else
			display --to LOG --type INFO HASH_FUNC "${HASH_FUNC}"
		fi
	fi

	if [ -s ${RKHDAT_FILE} ]; then
		if [ "${OLD_HASH_FUNC}" = "Disabled" ]; then
			display --to LOG --type INFO HASH_FUNC_OLD_DISABLED
		else
			display --to LOG --type INFO HASH_FUNC_OLD "${OLD_HASH_FUNC}"
		fi

		if [ -z "${OLD_PKGMGR}" ]; then
			display --to LOG --type INFO HASH_PKGMGR_OLD_UNSET
		else
			display --to LOG --type INFO HASH_PKGMGR_OLD "${OLD_PKGMGR}"
		fi
	fi

	display --to LOG --type INFO HASH_FIELD_INDEX "$HASH_FLD_IDX"

	if [ $PROP_UPDATE -eq 1 ]; then
		if ! `check_test hashes` && test $ENDIS_OPT -eq 0; then
			display --to LOG --type INFO HASHUPD_DISABLED
		elif [ -z "${PKGMGR}" ]; then
			if [ $PRELINKED -eq 1 ]; then
				if [ -n "${PRELINK_HASH}" ]; then
					display --to LOG --type INFO HASHUPD_PKGMGR_NOT_SPEC_PRELINKED "${PRELINK_HASH}"
				else
					display --to LOG --type INFO HASHUPD_PKGMGR_NOT_SPEC "${HASH_FUNC}"
				fi
			else
				display --to LOG --type INFO HASHUPD_PKGMGR_NOT_SPEC "${HASH_FUNC}"
			fi
		else
			display --to LOG --type INFO HASHUPD_PKGMGR "${PKGMGR}"

			case "${PKGMGR}" in
			RPM)
				display --to LOG --type INFO FOUND_CMD "rpm" "${RPM_CMD}"
				;;
			DPKG)
				if [ -z "`echo \"${DPKG_CMD}\" | grep '/dpkg$'`" ]; then
					display --to LOG --type INFO FOUND_CMD "dpkg-query" "${DPKG_CMD}"
				else
					display --to LOG --type INFO FOUND_CMD "dpkg" "${DPKG_CMD}"
				fi
				;;
			BSD)
				display --to LOG --type INFO FOUND_CMD "pkg-info" "${PKG_CMD}"
				;;
			SOLARIS)
				if [ $USE_SUNSUM -eq 1 ]; then
					display --to LOG --type INFO HASH_PKGMGR_SUM
					display --to LOG --type INFO FOUND_CMD "sum" "${SUM_CMD}"
				fi
				;;
			esac
		fi
	fi

	if [ $HASH_CHECK_ENABLED -eq 1 ]; then
		if [ -z "${PKGMGR}" ]; then
			if [ $PRELINKED -eq 1 ]; then
				if [ -n "${PRELINK_HASH}" ]; then
					display --to LOG --type INFO HASH_PKGMGR_NOT_SPEC_PRELINKED "${PRELINK_HASH}"
				else
					display --to LOG --type INFO HASH_PKGMGR_NOT_SPEC "${HASH_FUNC}"
				fi
			else
				display --to LOG --type INFO HASH_PKGMGR_NOT_SPEC "${HASH_FUNC}"
			fi
		else
			display --to LOG --type INFO HASH_PKGMGR "${PKGMGR}"

			case "${PKGMGR}" in
			RPM)
				display --to LOG --type INFO FOUND_CMD "rpm" "${RPM_CMD}"
				;;
			DPKG)
				if [ -z "`echo \"${DPKG_CMD}\" | grep '/dpkg$'`" ]; then
					display --to LOG --type INFO FOUND_CMD "dpkg-query" "${DPKG_CMD}"
				else
					display --to LOG --type INFO FOUND_CMD "dpkg" "${DPKG_CMD}"
				fi

				display --to LOG --type INFO HASH_PKGMGR_MD5 "${PKGMGR_MD5_HASH}"
				;;
			BSD)
				display --to LOG --type INFO FOUND_CMD "pkg-info" "${PKG_CMD}"
				display --to LOG --type INFO HASH_PKGMGR_MD5 "${PKGMGR_MD5_HASH}"
				;;
			SOLARIS)
				if [ $USE_SUNSUM -eq 1 ]; then
					display --to LOG --type INFO HASH_PKGMGR_SUM
					display --to LOG --type INFO FOUND_CMD "sum" "${SUM_CMD}"
				fi
				;;
			esac
		fi
	fi
fi

RKHTMPVAR=0
test $CHECK -eq 1 && `check_test attributes` && RKHTMPVAR=1

if [ $RKHTMPVAR -eq 1 ]; then
	if [ "${OLD_ATTRUPD}" = "Disabled" ]; then
		display --to LOG --type INFO ATTRUPD_OLD_DISABLED
	elif [ "${OLD_ATTRUPD}" = "Nostatcmd" ]; then
		display --to LOG --type INFO ATTRUPD_OLD_NOSTATCMD
	else
		display --to LOG --type INFO ATTRUPD_OLD_OK
	fi
fi

if [ $PROP_UPDATE -eq 1 ]; then
	if ! `check_test attributes` && test $ENDIS_OPT -eq 0; then
		display --to LOG --type INFO ATTRUPD_DISABLED
	elif [ -z "${STAT_CMD}" ]; then
		display --to LOG --type INFO ATTRUPD_NOSTATCMD
	else
		display --to LOG --type INFO ATTRUPD_OK
	fi
fi

if [ $CHECK -eq 1 -o $PROP_UPDATE -eq 1 ]; then
	display --to LOG --type INFO ENABLED_TESTS "${ENABLE_TESTS}"
	display --to LOG --type INFO DISABLED_TESTS "${DISABLE_TESTS}"
fi

if `check_test properties` || test $PROP_UPDATE -eq 1; then
	if [ -n "${USER_FILE_LIST}" ]; then
		display --to LOG --type INFO USER_FILE_LIST

		for FNAME in ${USER_FILE_LIST}; do
			display --to LOG --type PLAIN --log-indent 6 NAME "${FNAME}"
		done
	fi

	if [ -n "${USER_SIMPLE_FILE_LIST}" ]; then
		display --to LOG --type INFO USER_CMD_LIST

		for FNAME in ${USER_SIMPLE_FILE_LIST}; do
			display --to LOG --type PLAIN --log-indent 6 NAME "${FNAME}"
		done
	fi

	if [ -n "${USER_DIR_LIST}" ]; then
		display --to LOG --type INFO USER_DIR_LIST

		for FNAME in ${USER_DIR_LIST}; do
			display --to LOG --type PLAIN --log-indent 6 NAME "${FNAME}"
		done
	fi

	if [ -n "${USER_EXCLUDE_PROP}" ]; then
		display --to LOG --type INFO USER_EXCLUDE_PROP

		for FNAME in ${USER_EXCLUDE_PROP}; do
			display --to LOG --type PLAIN --log-indent 6 NAME "${FNAME}"
		done
	fi
fi

if [ $UPDATE -eq 1 -o $VERSIONCHECK -eq 1 ]; then
	if [ $ROTATE_MIRRORS -eq 0 ]; then
		display --to LOG --type INFO CONFIG_NO_ROTATE_MIRRORS
	else
		display --to LOG --type INFO CONFIG_ROTATE_MIRRORS
	fi

	if [ $MIRRORS_MODE -eq 0 ]; then
		display --to LOG --type INFO CONFIG_MIRRORS_MODE0
	elif [ $MIRRORS_MODE -eq 1 ]; then
		display --to LOG --type INFO CONFIG_MIRRORS_MODE1
	else
		display --to LOG --type INFO CONFIG_MIRRORS_MODE2
	fi

	if [ $UPDATE -eq 1 ]; then
		if [ $UPDATE_MIRRORS -eq 0 ]; then
			display --to LOG --type INFO CONFIG_NO_UPDATE_MIRRORS
		else
			display --to LOG --type INFO CONFIG_UPDATE_MIRRORS
		fi
	fi
fi

if [ $CHECK -eq 1 ]; then
	test $VERBOSE_LOGGING -eq 0 && display --to LOG --type INFO CONFIG_NO_VL

	if [ -n "${KSYMS_FILE}" ]; then
		display --to LOG --type INFO KSYMS_FOUND "${KSYMS_FILE}"
	elif [ -f "/proc/ksyms" ]; then
		display --to LOG --type INFO KSYMS_FOUND "/proc/ksyms"
		display --to LOG --type INFO KSYMS_UNAVAIL
	elif [ -f "/proc/kallsyms" ]; then
		display --to LOG --type INFO KSYMS_FOUND "/proc/kallsyms"
		display --to LOG --type INFO KSYMS_UNAVAIL
	else
		display --to LOG --type INFO KSYMS_MISSING
	fi

	test $SHOW_SUMMARY -eq 0 && display --to LOG --type INFO CONFIG_NO_SHOW_SUMMARY


	#
	# To use syslog we must have the logger command present.
	#

	if [ -n "${USE_SYSLOG}" ]; then
		if [ "${USE_SYSLOG}" = "none" ]; then
			USE_SYSLOG=""
			display --to LOG --type INFO SYSLOG_DISABLED
		else
			LOGGER_CMD=`find_cmd logger`

			if [ -n "${LOGGER_CMD}" ]; then
				display --to LOG --type INFO SYSLOG_ENABLED "${USE_SYSLOG}"
			else
				USE_SYSLOG=""
				display --to LOG --type INFO SYSLOG_NO_LOGGER
			fi
		fi
	fi


	if [ "${EPOCH_DATE_CMD}" = "NONE" ]; then
		:
	elif [ -n "${EPOCH_DATE_CMD}" ]; then
		display --to LOG --type INFO FILE_PROP_EPOCH_DATE_CMD "${EPOCH_DATE_CMD}"
	elif [ -n "${PERL_CMD}" ]; then
		display --to LOG --type INFO FILE_PROP_EPOCH_DATE_CMD "${PERL_CMD}"
	fi


	#
	# If the user wants to run the file properties checks, and the
	# rkhunter.dat file exists, then check the O/S info. If the
	# rkhunter.dat file does not exist, then this will be logged
	# later on.
	#

	if `check_test properties`; then
		if [ -s ${RKHDAT_FILE} ]; then
			#
			# We perform a simple check on some of the stored
			# O/S information, and compare it to the current
			# info. Basically we are just seeing if the system
			# has changed at all because it could affect the
			# file properties checks.
			#

			rkh_dat_get_os_info

			check_os_info
		fi
	fi
fi

if [ $USE_LOCKING -eq 1 ]; then
	display --to LOG --type INFO LOCK_USED "$LOCK_TIMEOUT"
else
	display --to LOG --type INFO LOCK_UNUSED
fi


######################################################################
#
# Start of program actions and checks
#
######################################################################


#
# We can now start to run the actions the user has requested on
# the command-line. We run the update type commands first before
# doing any full system check.
#


#
# The user wants to update the O/S and the file properties data.
#

test $PROP_UPDATE -eq 1 && do_prop_update


#
# The user wants to update the supplied RKH *.dat files.
#

test $UPDATE -eq 1 && do_update


#
# The user wants to check for the latest program version.
#

test $VERSIONCHECK -eq 1 && do_versioncheck


#
# The user wants to check the local system for anomalies.
#

test $CHECK -eq 1 -o $ENDIS_OPT -eq 1 && do_system_check


#
# If there were errors or warnings, and the
# log file is to be copied, then log it.
#

COPIEDLOG=""

if [ $RET_CODE -gt 0 -o $WARNING_COUNT -gt 0 ]; then
	if [ $COPY_LOG_ON_ERROR -eq 1 -a $NOLOG -eq 0 ]; then
		COPIEDLOG="${RKHLOGFILE}.`date +%Y-%m-%d_%H:%M:%S`"

		display --to LOG --type INFO --nl SUMMARY_LOGFILE_COPIED "${COPIEDLOG}"
	fi
fi

display --to LOG --type INFO --nl RKH_ENDDATE "`date`"


#
# Now actually copy the log file.
#

test -n "${COPIEDLOG}" && cp -p ${RKHLOGFILE} ${COPIEDLOG}


#
# If the user asked to see the logfile, then show it.
#

test $CATLOGFILE -eq 1 && cat ${RKHLOGFILE}


IFS=$ORIGIFS

exit $RET_CODE
