'''Note: This has not been reviewed by Enterprise Engineering at this time'''
=Purpose=

This is intended as a companion to maldet-per-user. It is intended to find and catalogue caches of symlinks. These caches of symlinks are often associated with the existence of shell scripts and other nastiness on accounts and servers.

=Function=

This script first creates a .pid file '''/var/run/symlinkhunter.pid'''. This file will contain the pid of the running script. It then checks the EasyApache logs for what SymlinkProtection was set to in the last five (5) runs of EasyApache. Next it will create a .lock file '''/var/run/symlinkhunter.pid'''. This will contain both the pid of the script and the name/location of the log file for this scan.
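The pid and lock file bookkeeping described above, as an added example written for this page (it is not the symlinkhunter.sh script itself): a pid file that refuses to start a second live copy, a lock file holding the pid and this scan's log path, and a SIGINT handler that removes only the pid file so the next run can find the lock and offer to resume, which is the interrupt behaviour the Usage section describes. RUN_DIR is an assumption so it runs without root (the real script writes under /var/run), and the .lock file name is assumed as well.

```shell
#!/bin/sh
# Added example (not the symlinkhunter.sh script itself): pid and lock file
# handling as described in the Function and Usage sections. RUN_DIR is an
# assumption for this example; the real script writes under /var/run.
RUN_DIR="${RUN_DIR:-$(mktemp -d)}"
PID_FILE="$RUN_DIR/symlinkhunter.pid"
LOCK_FILE="$RUN_DIR/symlinkhunter.lock"   # lock file name is assumed

# Record our pid. Refuse to start if the pid file names a process that is
# still alive; a stale pid (process already gone) is simply overwritten.
acquire_pid() {
    if [ -f "$PID_FILE" ]; then
        old=$(cat "$PID_FILE")
        if [ -n "$old" ] && kill -0 "$old" 2>/dev/null; then
            echo "symlinkhunter already running as pid $old" >&2
            return 1
        fi
    fi
    echo "$$" > "$PID_FILE"
}

# The lock records the pid on line 1 and this scan's log file on line 2.
write_lock() {
    printf '%s\n%s\n' "$$" "$1" > "$LOCK_FILE"
}

# Log path left behind by an interrupted run; fails when there is no lock,
# which is the signal that the previous run finished cleanly.
previous_log() {
    [ -f "$LOCK_FILE" ] || return 1
    sed -n '2p' "$LOCK_FILE"
}

# ^C path: drop the pid file only, leaving the lock so the next run can
# prompt to resume.
release_pid() {
    rm -f "$PID_FILE"
}

# Normal completion: both files go away.
finish() {
    rm -f "$PID_FILE" "$LOCK_FILE"
}

# SIGINT removes the pid file and exits 130; the EXIT trap is cleared first
# so the lock survives the interrupt. A clean exit removes both files.
trap 'release_pid; trap - EXIT; exit 130' INT
trap finish EXIT
```

A scan would call acquire_pid, then write_lock with the log path, do its work, and let the EXIT trap clean up; on a fresh start, previous_log succeeding is the cue to ask whether to resume.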

=The Script=

To use, download and run from the server: http://axeblade.net/symlinkhunter.sh

This will be placed on layer3 or scripts.ent after it has been reviewed.

  mkdir -p /root/bin
  wget -q -O /root/bin/symlinkhunter.sh axeblade.net/symlinkhunter.sh
  chmod +x /root/bin/symlinkhunter.sh
  /root/bin/symlinkhunter.sh

=Usage=

When using '''symlinkhunter''' you can interrupt a scan with '''^C''', and it will clean up its .pid file. It will, however, leave the .lock file in place. This .lock file will inform the next run that it was previously interrupted and ask if you want to resume. It does not at this time remember any additional scan options, but it will resume the scan on the account that it was reading previously.

==Help Output==
  symlinkhunter.sh -h

  Usage: ./symlinkhunter.sh [OPTIONS]

  -f ... Fast Mode, set scan directory depth to 3
  -t ... Threshold count of links to be logged
  -u ... User list: 

  -h ... Print this help information and quit.
==Default Output==
--------------------------------------------------------------------------------
  Symlink Protection Status
----------------------------------------

      "SymlinkProtection": Enabled :: 2015-10-13
      "SymlinkProtection": Enabled :: 2015-10-13
      "SymlinkProtection": Enabled :: 2015-11-25
      "SymlinkProtection": Enabled :: 2016-01-18
      "SymlinkProtection": Enabled :: 2016-01-18

--------------------------------------------------------------------------------
  Symlink Search Results
----------------------------------------

   20000 :: /home/killingstroke/public_html/

--------------------------------------------------------------------------------
  Scan log: /usr/local/symdetect/symlinkhunter_2016-01-27_6247.log
----------------------------------------
==Example Option Usage==
  # Limit scan depth to 3 folders past the public_html
  symlinkhunter.sh -f
 
  # Set a threshold count to actually log
  symlinkhunter.sh -t 10
 
  # Scan only a subset of users
  symlinkhunter.sh -u user1,user2,user3
=Logging=

Logs are created in the folder '''/usr/local/symdetect/''' with the naming convention '''symlinkhunter_(date)_(pid).log'''. This nomenclature and the internal formatting intentionally mimic the output of Maldet logs. Logs are intended to be more verbose than the output to the terminal. Logs will contain the start and end time of the scan, along with a count per folder for the number of symlinks, and the total for the account.
/usr/local/symdetect/symlinkhunter_2016-01-27_6247.log

--------------------------------------------------------------------------------
  Symlink Protection Status
----------------------------------------

      "SymlinkProtection": Enabled :: 2015-10-13
      "SymlinkProtection": Enabled :: 2015-10-13
      "SymlinkProtection": Enabled :: 2015-11-25
      "SymlinkProtection": Enabled :: 2016-01-18
      "SymlinkProtection": Enabled :: 2016-01-18

--------------------------------------------------------------------------------
  Symlink Search Results
----------------------------------------

START_SCAN: 2016-01-27_18:33:29

   20000 :: /home/killingstroke/public_html/
   10000 :: {SYM} :: /home/killingstroke/public_html/test1/
   10000 :: {SYM} :: /home/killingstroke/public_html/test2/

  END_SCAN: 2016-01-27_18:33:31
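The counting and logging just described, together with the -f, -t and -u options from the Usage section, as an added example written for this page rather than code from symlinkhunter.sh: symlinks are counted per directory under each account's public_html, a depth limit stands in for -f, a threshold for -t, a comma-separated user list for -u, and the result is written to a symlinkhunter_(date)_(pid).log file in the layout shown above. HOME_ROOT and LOG_DIR are assumptions so it can be exercised in a scratch directory; the real script uses /home and /usr/local/symdetect. It goes a little beyond the page in accepting any depth limit rather than only the fixed depth of 3.

```shell
#!/bin/sh
# Added example, not code from symlinkhunter.sh. HOME_ROOT and LOG_DIR are
# assumptions so the example can run in a scratch directory; the script
# itself works against /home and /usr/local/symdetect.
HOME_ROOT="${HOME_ROOT:-/home}"
LOG_DIR="${LOG_DIR:-/usr/local/symdetect}"

# find(1) below a directory, honouring a depth limit (0 = unlimited, 3 = the
# page's fast mode); remaining arguments are find tests such as "-type l".
find_limited() {
    dir="$1"; depth="$2"; shift 2
    if [ "$depth" -gt 0 ]; then
        find "$dir" -mindepth 1 -maxdepth "$depth" "$@" 2>/dev/null
    else
        find "$dir" -mindepth 1 "$@" 2>/dev/null
    fi
}

# Symlinks sitting directly in one directory (no recursion).
count_links_in() {
    find_limited "$1" 1 -type l | wc -l | tr -d ' '
}

# All symlinks below a directory, at most DEPTH levels down.
count_links_under() {
    find_limited "$1" "${2:-0}" -type l | wc -l | tr -d ' '
}

# Scan one account: print its total as "count :: path/", then every
# subdirectory holding at least THRESHOLD symlinks of its own as
# "count :: {SYM} :: path/", mirroring the log layout above.
scan_account() {
    user="$1"; depth="${2:-0}"; threshold="${3:-1}"
    root="$HOME_ROOT/$user/public_html"
    [ -d "$root" ] || return 0
    printf '%8s :: %s/\n' "$(count_links_under "$root" "$depth")" "$root"
    find_limited "$root" "$depth" -type d | sort | while IFS= read -r sub; do
        n=$(count_links_in "$sub")
        if [ "$n" -ge "$threshold" ]; then
            printf '%8s :: {SYM} :: %s/\n' "$n" "$sub"
        fi
    done
}

# Run over a comma-separated user list (the -u form) and write a log named
# symlinkhunter_(date)_(pid).log with start and end times; prints the path.
run_scan() {
    users="$1"; depth="${2:-0}"; threshold="${3:-1}"
    mkdir -p "$LOG_DIR"
    log="$LOG_DIR/symlinkhunter_$(date +%F)_$$.log"
    {
        echo "--------------------------------------------------------------------------------"
        echo "  Symlink Search Results"
        echo "----------------------------------------"
        echo
        echo "START_SCAN: $(date +%F_%T)"
        echo
        echo "$users" | tr ',' '\n' | while IFS= read -r u; do
            scan_account "$u" "$depth" "$threshold"
        done
        echo
        echo "  END_SCAN: $(date +%F_%T)"
    } > "$log"
    echo "$log"
}
```

For a whole-server pass, feed run_scan the account names from /home (or the user list given with -u); a threshold of 1 logs every directory that contains at least one symlink, which is the verbose form the log file is meant to carry.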
=Bugs=

I would love to get the '''-u''' flag to take regex and match groups of accounts. I have not figured out how to do this, so ... a feature request for the future.

Please submit any other bugs and/or feature requests to: mcunningham@liquidweb.com

[[Category:Enterprise]]