RootKitScanner: Difference between revisions
No edit summary
m (Text replacement - "<source" to "<syntaxhighlight")
Line 5: | Line 5: | ||
==Installation== | ==Installation== | ||
First of all install it to your system: | First of all install it to your system: | ||
< | <syntaxhighlight lang=bash> | ||
# aptitude install rkhunter | # aptitude install rkhunter | ||
</source> | </source> | ||
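Review bot: the replacement is one-sided: `<syntaxhighlight lang=bash>` now opens the block, but the closing `</source>` on the next line is left as it was, so the pair no longer matches, and the same mismatch recurs in every hunk below (Line 11, Line 29, Line 46, Line 57 and Line 65). Extend the text replacement so that `</source>` becomes `</syntaxhighlight>` as well; with the unmatched tags the blocks do not render as code, and the leading `# ` prompt lines are then parsed as wiki list markup (visible in the rendered revision, where `# aptitude install rkhunter` appears as a list item).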
Line 11: | Line 11: | ||
==Update the rule base== | ==Update the rule base== | ||
After that (and do this from time to time) update the rule base: | After that (and do this from time to time) update the rule base: | ||
< | <syntaxhighlight lang=bash> | ||
# rkhunter --update | # rkhunter --update | ||
[ Rootkit Hunter version 1.4.0 ] | [ Rootkit Hunter version 1.4.0 ] | ||
Line 29: | Line 29: | ||
</source> | </source> | ||
==Do the first check== | ==Do the first check== | ||
< | <syntaxhighlight lang=bash> | ||
# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only | # rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only | ||
Warning: Found enabled inetd service: rstatd/1-5 | Warning: Found enabled inetd service: rstatd/1-5 | ||
Line 46: | Line 46: | ||
==Acknowledge false positives== | ==Acknowledge false positives== | ||
For example to get rid of the warnings above add this lines to the '''/etc/rkhunter.conf''': | For example to get rid of the warnings above add this lines to the '''/etc/rkhunter.conf''': | ||
< | <syntaxhighlight lang=bash> | ||
ALLOWHIDDENDIR="/dev/.udev" | ALLOWHIDDENDIR="/dev/.udev" | ||
ALLOWHIDDENDIR="/etc/.bzr" | ALLOWHIDDENDIR="/etc/.bzr" | ||
Line 57: | Line 57: | ||
</source> | </source> | ||
After that rkhunter should have no output: | After that rkhunter should have no output: | ||
< | <syntaxhighlight lang=bash> | ||
# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only | # rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only | ||
# | # | ||
Line 65: | Line 65: | ||
==Configure ongoing security checks== | ==Configure ongoing security checks== | ||
Configure the user which should get warnings via email in your '''/etc/rkhunter.conf''': | Configure the user which should get warnings via email in your '''/etc/rkhunter.conf''': | ||
< | <syntaxhighlight lang=bash> | ||
MAIL-ON-WARNING="security-team@yourdomain.tld" | MAIL-ON-WARNING="security-team@yourdomain.tld" | ||
</source> | </source> |
Revision as of 17:01, 25 November 2021
RKHunter
RKHunter is a local security scanner for Linux, Solaris and some other UNIX operating systems. I will describe usage for Ubuntu/Linux here.
==Installation==
First of all install it to your system:
<syntaxhighlight lang=bash>
# aptitude install rkhunter
</syntaxhighlight>
==Update the rule base==
After that (and do this from time to time) update the rule base:
<syntaxhighlight lang=bash>
# rkhunter --update
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ Updated ]
  Checking file i18n/en                                      [ Updated ]
  Checking file i18n/tr                                      [ Updated ]
  Checking file i18n/tr.utf8                                 [ Updated ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
</syntaxhighlight>
==Do the first check==
<syntaxhighlight lang=bash>
# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only
Warning: Found enabled inetd service: rstatd/1-5
Warning: syslog-ng configuration file allows remote logging: destination d_logserver { udp("logserver-1"); };
Warning: Suspicious file types found in /dev:
         /dev/.udev/rules.d/root.rules: ASCII text
Warning: Hidden directory found: '/etc/.bzr: directory '
Warning: Hidden directory found: '/dev/.udev: directory '
Warning: Hidden file found: /etc/.bzrignore: ASCII text
Warning: Hidden file found: /etc/.etckeeper: ASCII text
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
</syntaxhighlight>
Many warnings. Check which of them are false positives and adjust your '''/etc/rkhunter.conf''' accordingly.
==Acknowledge false positives==
For example, to get rid of the warnings above add these lines to '''/etc/rkhunter.conf''':
<syntaxhighlight lang=bash>
ALLOWHIDDENDIR="/dev/.udev"
ALLOWHIDDENDIR="/etc/.bzr"
ALLOWHIDDENFILE="/etc/.bzrignore"
ALLOWHIDDENFILE="/etc/.etckeeper"
ALLOWHIDDENFILE="/dev/.initramfs"
ALLOWDEVFILE="/dev/.udev/rules.d/root.rules"
INETD_ALLOWED_SVC=rstatd/1-5
ALLOW_SYSLOG_REMOTE_LOGGING=1
</syntaxhighlight>
After that rkhunter should produce no output:
<syntaxhighlight lang=bash>
# rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only
#
</syntaxhighlight>
Now your base setup is done. From now on, any further output should prompt you to take a closer look at your system.
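To help with the review step above, here is an added example (not part of the original page or of rkhunter itself) that parses the warning lines printed by <code>rkhunter --report-warnings-only</code> and maps each one to the /etc/rkhunter.conf directive from this page that would acknowledge it. The sample warnings embedded in it are constructed from the output shown above; any warning type it does not recognise is left as a REVIEW entry instead of being whitelisted.

```python
import re
# Constructed sample: the warning lines shown on this page, as rkhunter prints them.
SAMPLE_WARNINGS = """\
Warning: Found enabled inetd service: rstatd/1-5
Warning: syslog-ng configuration file allows remote logging: destination d_logserver { udp("logserver-1"); };
Warning: Suspicious file types found in /dev:
         /dev/.udev/rules.d/root.rules: ASCII text
Warning: Hidden directory found: '/etc/.bzr: directory '
Warning: Hidden directory found: '/dev/.udev: directory '
Warning: Hidden file found: /etc/.bzrignore: ASCII text
Warning: Hidden file found: /etc/.etckeeper: ASCII text
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
"""
RULES = [  # (regex over the warning text, rkhunter.conf directive, value template)
    (r"^Found enabled inetd service: (\S+)", "INETD_ALLOWED_SVC", "{0}"),
    (r"^syslog-ng configuration file allows remote logging", "ALLOW_SYSLOG_REMOTE_LOGGING", "1"),
    (r"^Hidden directory found: '([^:']+):", "ALLOWHIDDENDIR", '"{0}"'),
    (r"^Hidden file found: ([^:]+):", "ALLOWHIDDENFILE", '"{0}"'),
]

def parse_warnings(text):
    """One entry per 'Warning:' line; indented continuation lines are appended to the previous entry."""
    entries = []
    for line in text.splitlines():
        if line.startswith("Warning: "):
            entries.append(line[len("Warning: "):].rstrip())
        elif line.startswith(" ") and entries:
            entries[-1] += "\n" + line.strip()
    return entries

def suggest_directives(text):
    """Return (directive, value) pairs; a warning with no known whitelist rule becomes a REVIEW entry."""
    out = []
    for w in parse_warnings(text):
        if w.startswith("Suspicious file types found in /dev:"):
            for path_line in w.splitlines()[1:]:  # one ALLOWDEVFILE per listed path
                out.append(("ALLOWDEVFILE", '"%s"' % path_line.split(":")[0]))
            continue
        for pattern, key, template in RULES:
            m = re.search(pattern, w)
            if m:
                out.append((key, template.format(*m.groups())))
                break
        else:
            out.append(("REVIEW", w.splitlines()[0]))
    return out

def render_conf(pairs):
    """rkhunter.conf lines for review; REVIEW entries become comments so they are never applied blindly."""
    return "\n".join(("# REVIEW: " + v) if k == "REVIEW" else "%s=%s" % (k, v) for k, v in pairs)
```

Feed it the saved output of a real check and go through the REVIEW comments by hand before pasting anything into /etc/rkhunter.conf.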
==Configure ongoing security checks==
Configure the address that should receive warnings via email in your '''/etc/rkhunter.conf''':
<syntaxhighlight lang=bash>
MAIL-ON-WARNING="security-team@yourdomain.tld"
</syntaxhighlight>