feat(scanrootkit): add discovered date, 41 modern signatures, expanded tests

Add 41 new signatures for modern (mostly 2019+) Linux rootkits and a
few pre-2019 LD_PRELOAD/LKM rootkits previously missing from the
rkhunter set: Adore-NG, Azazel, BEURK, BPFDoor, Boopkit, CDRThief,
Cloud Snooper, Drovorub, Ebury 1.7/1.8, Father, HiddenWasp, Honey Pot
Bears, Kaiji, Kobalos, LightBasin, Lightning Framework, LilyOfTheValley,
Medusa, Migo, Nuk3Gh0st, OrBit, perfctl, PUMAKIT, Puszek, Pygmy Goat,
Reptile, Reveng_rtkit, RotaJakiro, sedexp, Skidmap, spy/kisni, SSHdoor,
Symbiote, Syslogk, TripleCross, Umbra, Umbreon, UNC3886, Winnti for
Linux, Zendar, bedevil. Sourced from ESET malware-ioc, fkie-cad/linux-
rootkit-iocs, Sandfly Security, Intezer, Elastic Security Labs,
Mandiant, Sophos, NCSC UK and others.

Add an optional `discovered` field (YYYY, YYYY-MM or YYYY-MM-DD) to
the signature schema. The plugin renders the year next to the rootkit
name in findings, e.g. "* CiNIK Worm (2002): /tmp/.cinik (File)".
Populated for ~90 of the 162 signatures based on the chkrootkit
changelog and vendor disclosure dates.

Fix directory indicators not being detected. The plugin previously
called lib.disk.file_exists() for both files and directories, but
that helper returns False for directories, so directory-only
signatures (e.g. KBeast /usr/_h4x_) silently never matched. Now uses
os.path.isdir() for directory checks.

Expand the unit test suite from 3 to 12 tests, covering directory
detection, kernel symbol detection (with a substring negative test
for the recently-fixed exact-match behavior), confidence-level
handling, the new discovered field, broken YAML and missing-key
error handling, and a confirmed+possible mix.

Add blank lines between the summary, "Rootkits" and "Possible
Rootkits" sections in the output for readability.

Update README and the Icinga Director template to mention the new
signature count and the discovered field, with a fresh usage example
showing all three indicator types (File, Dir, Kernel Symbol) and
the year-suffix rendering.

Author: markuslf

CHANGELOG.md

@@ -0,0 +1,11 @@
+# Source: https://github.com/fkie-cad/linux-rootkit-iocs/blob/main/ioc-table.md
+# Source: https://github.com/stealth/adore-ng
+# Published: 2024 FKIE-CAD
+name: 'Adore-NG LKM rootkit'
+files: []
+dirs: []
+ksyms:
+  - 'adore_cleanup'
+  - 'adore_init'
+discovered: '2004'
+cl: 100

check-plugins/scanrootkit/README.md

@@ -10,3 +10,4 @@ dirs:
   - '/dev/tux'
   - '/lib/.libgh-gh'
 ksyms: []
+discovered: '2003'

check-plugins/scanrootkit/assets/scanrootkit-adore-ng.yml

@@ -23,3 +23,4 @@ dirs:
   - '/usr/doc/.spool'
   - '/usr/lib/kterm'
 ksyms: []
+discovered: '2001'

check-plugins/scanrootkit/assets/scanrootkit-ajakit.yml

@@ -3,3 +3,4 @@ files:
   - '/bin/.log'
 dirs: []
 ksyms: []
+discovered: '2002'

check-plugins/scanrootkit/assets/scanrootkit-akit.yml

@@ -8,3 +8,4 @@ files:
 dirs:
   - '/dev/ptyxx'
 ksyms: []
+discovered: '2000'

check-plugins/scanrootkit/assets/scanrootkit-apacheworm.yml

@@ -0,0 +1,10 @@
+# Source: https://github.com/fkie-cad/linux-rootkit-iocs/blob/main/ioc-table.md
+# Source: https://github.com/chokepoint/azazel
+# Published: 2024 FKIE-CAD
+name: 'Azazel userland LD_PRELOAD rootkit'
+files:
+  - '/lib/libselinux.so'
+dirs: []
+ksyms: []
+discovered: '2014'
+cl: 75

check-plugins/scanrootkit/assets/scanrootkit-ark.yml

@@ -12,3 +12,4 @@ files:
 dirs:
   - '/lib/ldd.so/bktools'
 ksyms: []
+discovered: '2002'

check-plugins/scanrootkit/assets/scanrootkit-azazel.yml

@@ -0,0 +1,13 @@
+# Source: https://github.com/fkie-cad/linux-rootkit-iocs/blob/main/ioc-table.md
+# Published: 2022 fkie-cad (upstream: bedevil/bdvl GitHub)
+name: 'bedevil (bdvl) userland LD_PRELOAD rootkit'
+files: []
+dirs: []
+ksyms:
+  - 'forge_maps'
+  - 'forge_numamaps'
+  - 'forge_smaps'
+  - 'magicusr'
+  - 'pathtracked'
+discovered: '2018'
+cl: 100