RootKitScanner: Difference between revisions
From Lolly's Wiki
m (Text replacement - "<source" to "<syntaxhighlight") |
m (Text replacement - "[[Kategorie:" to "[[Category:") |
||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
[[ | [[Category:Security]] | ||
=RKHunter= | =RKHunter= | ||
RKHunter is a local security scanner for Linux, Solaris and some other UNIX operating systems. | RKHunter is a local security scanner for Linux, Solaris and some other UNIX operating systems. | ||
Line 7: | Line 7: | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
# aptitude install rkhunter | # aptitude install rkhunter | ||
</ | </syntaxhighlight> | ||
==Update the rule base== | ==Update the rule base== | ||
Line 27: | Line 27: | ||
Checking file i18n/zh [ No update ] | Checking file i18n/zh [ No update ] | ||
Checking file i18n/zh.utf8 [ No update ] | Checking file i18n/zh.utf8 [ No update ] | ||
</ | </syntaxhighlight> | ||
==Do the first check== | ==Do the first check== | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
Line 40: | Line 40: | ||
Warning: Hidden file found: /etc/.etckeeper: ASCII text | Warning: Hidden file found: /etc/.etckeeper: ASCII text | ||
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs' | Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs' | ||
</ | </syntaxhighlight> | ||
Many warnings. | Many warnings. | ||
Check which are false positives and modify your '''/etc/rkhunter.conf'''. | Check which are false positives and modify your '''/etc/rkhunter.conf'''. | ||
Line 55: | Line 55: | ||
INETD_ALLOWED_SVC=rstatd/1-5 | INETD_ALLOWED_SVC=rstatd/1-5 | ||
ALLOW_SYSLOG_REMOTE_LOGGING=1 | ALLOW_SYSLOG_REMOTE_LOGGING=1 | ||
</ | </syntaxhighlight> | ||
After that rkhunter should have no output: | After that rkhunter should have no output: | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only | # rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only | ||
# | # | ||
</ | </syntaxhighlight> | ||
Now you have done your base setup. From now all further output should force you to get a closer look to your system. | Now you have done your base setup. From now all further output should force you to get a closer look to your system. | ||
Line 67: | Line 67: | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
MAIL-ON-WARNING="security-team@yourdomain.tld" | MAIL-ON-WARNING="security-team@yourdomain.tld" | ||
</ | </syntaxhighlight> |
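Review bot: the block at Line 67 keeps `lang=bash` although its only content, `MAIL-ON-WARNING="security-team@yourdomain.tld"`, is an rkhunter.conf setting and not shell (a name containing hyphens is not a valid bash assignment). Since this replacement already touches the tag, consider switching such configuration blocks to a plain-text or ini lexer so the highlighting does not suggest the line can be pasted into a shell.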
Latest revision as of 05:02, 26 November 2021
=RKHunter=
RKHunter is a local security scanner for Linux, Solaris and some other UNIX operating systems. I will describe usage for Ubuntu/Linux here.
==Installation==
First of all, install it on your system:
<syntaxhighlight lang=bash>
# aptitude install rkhunter
</syntaxhighlight>
==Update the rule base==
After that (and do this from time to time) update the rule base:
<syntaxhighlight lang=bash>
# rkhunter --update
[ Rootkit Hunter version 1.4.0 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ Updated ]
Checking file i18n/en [ Updated ]
Checking file i18n/tr [ Updated ]
Checking file i18n/tr.utf8 [ Updated ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
</syntaxhighlight>
==Do the first check==
<syntaxhighlight lang=bash>
# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only
Warning: Found enabled inetd service: rstatd/1-5
Warning: syslog-ng configuration file allows remote logging: destination d_logserver { udp("logserver-1"); };
Warning: Suspicious file types found in /dev:
/dev/.udev/rules.d/root.rules: ASCII text
Warning: Hidden directory found: '/etc/.bzr: directory '
Warning: Hidden directory found: '/dev/.udev: directory '
Warning: Hidden file found: /etc/.bzrignore: ASCII text
Warning: Hidden file found: /etc/.etckeeper: ASCII text
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
</syntaxhighlight>
Many warnings. Check which are false positives and modify your /etc/rkhunter.conf.
==Acknowledge false positives==
For example, to get rid of the warnings above, add these lines to '''/etc/rkhunter.conf''':
<syntaxhighlight lang=bash>
ALLOWHIDDENDIR="/dev/.udev"
ALLOWHIDDENDIR="/etc/.bzr"
ALLOWHIDDENFILE="/etc/.bzrignore"
ALLOWHIDDENFILE="/etc/.etckeeper"
ALLOWHIDDENFILE="/dev/.initramfs"
ALLOWDEVFILE="/dev/.udev/rules.d/root.rules"
INETD_ALLOWED_SVC=rstatd/1-5
ALLOW_SYSLOG_REMOTE_LOGGING=1
</syntaxhighlight>
After that, rkhunter should produce no output:
<syntaxhighlight lang=bash>
# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only
#
</syntaxhighlight>
Your base setup is now done. From now on, any further output should prompt you to take a closer look at your system.
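The triage step above (warning in, allowlist line out) can be made repeatable. The following is an added example, not part of the original page or of rkhunter: the helper names `suggest_allow` and `sample_warnings` are hypothetical, and the script knows only the warning shapes and option names shown on this page, flagging every other warning for investigation.

```shell
#!/usr/bin/env bash
# Added example: map rkhunter warnings to candidate rkhunter.conf lines.
# Handles only the warning shapes and option names shown on this page.

suggest_allow() {   # hypothetical helper; reads warning output on stdin
    awk -v q="'" '
    function path_of(s,    i) {      # text before first ": ", minus leading quote
        sub("^[ \t]*" q "?", "", s)
        i = index(s, ": ")
        return i ? substr(s, 1, i - 1) : s
    }
    /^Warning: / { indev = 0 }       # a new warning ends the /dev file list
    /^Warning: Found enabled inetd service: / {
        print "INETD_ALLOWED_SVC=" $NF; next }
    /^Warning: syslog-ng configuration file allows remote logging/ {
        print "ALLOW_SYSLOG_REMOTE_LOGGING=1"; next }
    /^Warning: Suspicious file types found in \/dev:/ { indev = 1; next }
    /^Warning: Hidden directory found: / {
        sub(/^Warning: Hidden directory found: /, "")
        print "ALLOWHIDDENDIR=\"" path_of($0) "\""; next }
    /^Warning: Hidden file found: / {
        sub(/^Warning: Hidden file found: /, "")
        print "ALLOWHIDDENFILE=\"" path_of($0) "\""; next }
    indev && /^[ \t]*\/dev\// {
        print "ALLOWDEVFILE=\"" path_of($0) "\""; next }
    /^Warning: / { print "# UNHANDLED, investigate: " $0 }
    '
}

sample_warnings() {  # the first-check output shown on this page
    cat <<'EOF'
Warning: Found enabled inetd service: rstatd/1-5
Warning: syslog-ng configuration file allows remote logging: destination d_logserver { udp("logserver-1"); };
Warning: Suspicious file types found in /dev:
/dev/.udev/rules.d/root.rules: ASCII text
Warning: Hidden directory found: '/etc/.bzr: directory '
Warning: Hidden directory found: '/dev/.udev: directory '
Warning: Hidden file found: /etc/.bzrignore: ASCII text
Warning: Hidden file found: /etc/.etckeeper: ASCII text
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
EOF
}

# Print candidates for review; do not append them to the config unread.
sample_warnings | suggest_allow
```

Review each candidate before adding it to /etc/rkhunter.conf: once a path or service is allowed, rkhunter no longer warns about it.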
==Configure ongoing security checks==
Configure the user who should receive warnings by email in your '''/etc/rkhunter.conf''':
<syntaxhighlight lang=bash>
MAIL-ON-WARNING="security-team@yourdomain.tld"
</syntaxhighlight>