Travis Kuennen

Travis Kuennen

Site Reliability Engineer with a focus on security & usability.

Rkhunter

1 minute read

Installation

Download the source files

http://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.2/
Verify checksum and tar -xzvf ./rkhunter-1.4.2.tar.gz
cd ./rkhunter-1.4.2
./installer.sh

rkhunter.cron under /etc/cron.daily (This does an update, then scans and emails the report)

#!/bin/sh
# 01-rkhunter  A shell script to update and run rkhunter via CRON
XITVAL=0
# Get a secure tempfile
TMPFILE1=`/bin/mktemp -p /var/lib/rkhunter rkhcronlog.XXXXXXXXXX` || exit 1
if [ ! -e /var/lock/subsys/rkhunter ]; then
  # Try to keep the SysInit boot scan from colliding with us (highly unlikely)
  /bin/touch /var/lock/subsys/rkhunter
  # Source system configuration parameters.
  if [ -e /etc/sysconfig/rkhunter ] ; then
    . /etc/sysconfig/rkhunter
  else
    MAILTO=root@localhost
  fi
  # If a diagnostic mode scan was requested, setup the parameters
  if [ "$DIAG_SCAN" = "yes" ]; then
    RKHUNTER_FLAGS="--update --checkall --skip-keypress --nocolors --quiet --appendlog --display-logfile"
  else
    RKHUNTER_FLAGS="--update --cronjob --nocolors --report-warnings-only"
  fi
  # Set a few critical parameters
  RKHUNTER=/usr/bin/rkhunter
  LOGFILE=/var/log/rkhunter/rkhunter.log
  # Run RootKit Hunter if available
  if [ -x $RKHUNTER ]; then
    /bin/echo -e "\n--------------------- Start Rootkit Hunter Update ---------------------" \
      > $TMPFILE1
    /bin/nice -n 10 $RKHUNTER --update --nocolors 2>&1 >> $TMPFILE1
    /bin/echo -e "\n---------------------- Start Rootkit Hunter Scan ----------------------" \
      >> $TMPFILE1
    /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS 2>&1 >> $TMPFILE1
    XITVAL=$?
    /bin/echo -e "\n----------------------- End Rootkit Hunter Scan -----------------------" \
      >> $TMPFILE1
    if [ $XITVAL != 0 ]; then
         /bin/cat $TMPFILE1 | /bin/mail -s "rkhunter Daily Run on $(hostname)" $MAILTO
    fi
    /bin/cat $TMPFILE1 >> $LOGFILE
  fi
  # Delete the gating lockfile
  /bin/rm -f /var/lock/subsys/rkhunter
fi
# Delete the secure tempfile
/bin/rm -f $TMPFILE1
exit $XITVAL

The proupd flag should not be run during the nightly cron. It should be manually run with the monthly update-security.sh script

To allow xinetd services /etc/rkhunter.conf

XINETD_ALLOWED_SVC=/etc/xinetd.d/check-mk-agent
XINETD_ALLOWED_SVC=/etc/xinetd.d/tftp

Only allow tftp on the kickstart/puppetmaster server

To add valid hidden files

/etc/rkhunter.conf

ALLOWHIDDENFILE=/etc/.updated To allow remote syslogging

ALLOW_SYSLOG_REMOTE_LOGGING=1 The yum cron job should include an rkhunter –update and –propupd post processors to avoid sending warnings about changes that we made

References:

http://www.rackspace.com/knowledge_center/article/scanning-for-rootkits-with-rkhunter

https://www.digitalocean.com/community/tutorials/how-to-use-rkhunter-to-guard-against-rootkits-on-an-ubuntu-vps

Updated:

You May Also Enjoy

Installing A Local Debian Mirror

1 minute read

A local software mirror can be very useful if you are on a slow/metered connection or if you are managing hundreds of systems at the edge. A local mirror can...