RootKitScanner

From Lolly's Wiki
Revision as of 17:01, 25 November 2021 by Lollypop (talk | contribs) (Text replacement - "<source" to "<syntaxhighlight")
Jump to navigationJump to search

Kategorie:Security

RKHunter

RKHunter is a local security scanner for Linux, Solaris and some other UNIX operating systems. I will describe usage for Ubuntu/Linux here.

Installation

First of all install it to your system: <syntaxhighlight lang=bash>

  1. aptitude install rkhunter

</source>

Update the rule base

After that (and do this from time to time) update the rule base: <syntaxhighlight lang=bash>

  1. rkhunter --update

[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...

 Checking file mirrors.dat                                  [ No update ]
 Checking file programs_bad.dat                             [ Updated ]
 Checking file backdoorports.dat                            [ No update ]
 Checking file suspscan.dat                                 [ No update ]
 Checking file i18n/cn                                      [ No update ]
 Checking file i18n/de                                      [ Updated ]
 Checking file i18n/en                                      [ Updated ]
 Checking file i18n/tr                                      [ Updated ]
 Checking file i18n/tr.utf8                                 [ Updated ]
 Checking file i18n/zh                                      [ No update ]
 Checking file i18n/zh.utf8                                 [ No update ]

</source>

Do the first check

<syntaxhighlight lang=bash>

  1. rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only

Warning: Found enabled inetd service: rstatd/1-5 Warning: syslog-ng configuration file allows remote logging: destination d_logserver { udp("logserver-1"); }; Warning: Suspicious file types found in /dev:

        /dev/.udev/rules.d/root.rules: ASCII text

Warning: Hidden directory found: '/etc/.bzr: directory ' Warning: Hidden directory found: '/dev/.udev: directory ' Warning: Hidden file found: /etc/.bzrignore: ASCII text Warning: Hidden file found: /etc/.etckeeper: ASCII text Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs' </source> Many warnings. Check which are false positives and modify your /etc/rkhunter.conf.

Acknowledge false positives

For example to get rid of the warnings above add this lines to the /etc/rkhunter.conf: <syntaxhighlight lang=bash> ALLOWHIDDENDIR="/dev/.udev" ALLOWHIDDENDIR="/etc/.bzr" ALLOWHIDDENFILE="/etc/.bzrignore" ALLOWHIDDENFILE="/etc/.etckeeper" ALLOWHIDDENFILE="/dev/.initramfs" ALLOWDEVFILE="/dev/.udev/rules.d/root.rules" INETD_ALLOWED_SVC=rstatd/1-5 ALLOW_SYSLOG_REMOTE_LOGGING=1 </source> After that rkhunter should have no output: <syntaxhighlight lang=bash>

  1. rkhunter --check --pkgmgr DPKG --skip-keypress --report-warnings-only

</source> Now you have done your base setup. From now all further output should force you to get a closer look to your system.

Configure ongoing security checks

Configure the user which should get warnings via email in your /etc/rkhunter.conf: <syntaxhighlight lang=bash> MAIL-ON-WARNING="security-team@yourdomain.tld" </source>