RootKitScanner: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
No edit summary
m (Text replacement - "[[Kategorie:" to "[[Category:")
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Kategorie:Security]]
[[Category:Security]]
=RKHunter=
=RKHunter=
RKHunter is a local security scanner for Linux, Solaris and some other UNIX operating systems.
RKHunter is a local security scanner for Linux, Solaris and some other UNIX operating systems.
Line 5: Line 5:
==Installation==
==Installation==
First of all install it to your system:
First of all install it to your system:
<source lang=bash>
<syntaxhighlight lang=bash>
# aptitude install rkhunter
# aptitude install rkhunter
</source>
</syntaxhighlight>


==Update the rule base==
==Update the rule base==
After that (and do this from time to time) update the rule base:
After that (and do this from time to time) update the rule base:
<source lang=bash>
<syntaxhighlight lang=bash>
# rkhunter --update
# rkhunter --update
[ Rootkit Hunter version 1.4.0 ]
[ Rootkit Hunter version 1.4.0 ]
Line 27: Line 27:
   Checking file i18n/zh                                      [ No update ]
   Checking file i18n/zh                                      [ No update ]
   Checking file i18n/zh.utf8                                [ No update ]
   Checking file i18n/zh.utf8                                [ No update ]
</source>
</syntaxhighlight>
==Do the first check==
==Do the first check==
<source lang=bash>
<syntaxhighlight lang=bash>
# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only
# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only
Warning: Found enabled inetd service: rstatd/1-5
Warning: Found enabled inetd service: rstatd/1-5
Line 40: Line 40:
Warning: Hidden file found: /etc/.etckeeper: ASCII text
Warning: Hidden file found: /etc/.etckeeper: ASCII text
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'  
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'  
</source>
</syntaxhighlight>
Many warnings.
Many warnings.
Check which are false positives and modify your '''/etc/rkhunter.conf'''.
Check which are false positives and modify your '''/etc/rkhunter.conf'''.
Line 46: Line 46:
==Acknowledge false positives==
==Acknowledge false positives==
For example to get rid of the warnings above add this lines to the '''/etc/rkhunter.conf''':
For example to get rid of the warnings above add this lines to the '''/etc/rkhunter.conf''':
<source lang=bash>
<syntaxhighlight lang=bash>
ALLOWHIDDENDIR="/dev/.udev"
ALLOWHIDDENDIR="/dev/.udev"
ALLOWHIDDENDIR="/etc/.bzr"
ALLOWHIDDENDIR="/etc/.bzr"
Line 55: Line 55:
INETD_ALLOWED_SVC=rstatd/1-5
INETD_ALLOWED_SVC=rstatd/1-5
ALLOW_SYSLOG_REMOTE_LOGGING=1
ALLOW_SYSLOG_REMOTE_LOGGING=1
</source>
</syntaxhighlight>
After that rkhunter should have no output:
After that rkhunter should have no output:
<source lang=bash>
<syntaxhighlight lang=bash>
# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only
# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only
#
#
</source>
</syntaxhighlight>
Now you have done your base setup. From now all further output should force you to get a closer look to your system.
Now you have done your base setup. From now all further output should force you to get a closer look to your system.


==Configure ongoing security checks==
==Configure ongoing security checks==
Configure the user which should get warnings via email in your '''/etc/rkhunter.conf''':
Configure the user which should get warnings via email in your '''/etc/rkhunter.conf''':
<source lang=bash>
<syntaxhighlight lang=bash>
MAIL-ON-WARNING="security-team@yourdomain.tld"
MAIL-ON-WARNING="security-team@yourdomain.tld"
</source>
</syntaxhighlight>

Latest revision as of 05:02, 26 November 2021

RKHunter

RKHunter is a local security scanner for Linux, Solaris and some other UNIX operating systems. I will describe usage for Ubuntu/Linux here.

Installation

First of all install it to your system:

# aptitude install rkhunter

Update the rule base

After that (and do this from time to time) update the rule base:

# rkhunter --update
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ Updated ]
  Checking file i18n/en                                      [ Updated ]
  Checking file i18n/tr                                      [ Updated ]
  Checking file i18n/tr.utf8                                 [ Updated ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

Do the first check

# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only
Warning: Found enabled inetd service: rstatd/1-5
Warning: syslog-ng configuration file allows remote logging: destination d_logserver { udp("logserver-1"); };
Warning: Suspicious file types found in /dev:
         /dev/.udev/rules.d/root.rules: ASCII text
Warning: Hidden directory found: '/etc/.bzr: directory '
Warning: Hidden directory found: '/dev/.udev: directory '
Warning: Hidden file found: /etc/.bzrignore: ASCII text
Warning: Hidden file found: /etc/.etckeeper: ASCII text
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

Many warnings. Check which are false positives and modify your /etc/rkhunter.conf.

Acknowledge false positives

For example to get rid of the warnings above add this lines to the /etc/rkhunter.conf:

ALLOWHIDDENDIR="/dev/.udev"
ALLOWHIDDENDIR="/etc/.bzr"
ALLOWHIDDENFILE="/etc/.bzrignore"
ALLOWHIDDENFILE="/etc/.etckeeper"
ALLOWHIDDENFILE="/dev/.initramfs"
ALLOWDEVFILE="/dev/.udev/rules.d/root.rules"
INETD_ALLOWED_SVC=rstatd/1-5
ALLOW_SYSLOG_REMOTE_LOGGING=1

After that rkhunter should have no output:

# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only
#

Now you have done your base setup. From now all further output should force you to get a closer look to your system.

Configure ongoing security checks

Configure the user which should get warnings via email in your /etc/rkhunter.conf:

MAIL-ON-WARNING="security-team@yourdomain.tld"