20100720 rkhunter - plembo/onemoretech GitHub Wiki

title: rkhunter
link: https://onemoretech.wordpress.com/2010/07/20/rkhunter/
author: lembobro
description:
post_id: 139
created: 2010/07/20 17:49:22
created_gmt: 2010/07/20 17:49:22
comment_status: open
post_name: rkhunter
status: publish
post_type: post

rkhunter

Some basic configuration for rkhunter, a rootkit detection tool that I’ve found useful.

I installed the EPEL package for CentOS (RHEL) 5, currently rkhunter-1.3.6-7.el5.noarch.rpm.

Basic Commands

rkhunter --update

Updates the signature files; this should be run regularly.

rkhunter --propupd

Creates or updates the properties database. Run after first install and then as needed.

rkhunter -c --cronjob --rwo

Runs the checks and writes a detailed log of the results, displaying only warnings on the console (the --rwo option, "report warnings only"). The --cronjob option turns off certain display features that wouldn’t be useful when run under cron.

Scheduling

Here’s what my root’s crontab looks like:

0 1 * * * /usr/bin/rkhunter -q --update
0 3 * * * /usr/bin/rkhunter -c --cronjob --rwo

Dealing with False Positives

I had to do this right at the start because a commercial vendor’s init script had a suspect command in it.

Here’s the procedure:

1. Verify it is indeed a false positive. Be very sure before you do anything to circumvent rkhunter’s normal operation. Carefully review the full /var/log/rkhunter/rkhunter.log file. Google anything you don’t understand.

2. Add a line like this to /etc/rkhunter.conf:

USER_FILEPROP_FILES_DIRS="<full path of script>"

for example:

USER_FILEPROP_FILES_DIRS="/etc/rc.d/init.d/vendor-script"

This step makes sure the file in question will continue to be monitored for changes, even though it’s whitelisted for other purposes.

NOTE: FULL PATH means the real full path, not a path that goes through a symlink. For example, /etc/init.d is a symlink to /etc/rc.d/init.d, so in rkhunter.conf you must always use the /etc/rc.d/init.d path, NOT /etc/init.d, for rkhunter to recognize it.

3. Add the script to the script white list by adding to /etc/rkhunter.conf:

SCRIPTWHITELIST=/etc/rc.d/init.d/vendor-script

4. Finally, if the script is triggering a rootkit warning, add it to the rootkit white list:

RTKT_FILE_WHITELIST=/etc/rc.d/init.d/vendor-script

5. Run rkhunter --propupd to commit the changes, then re-run rkhunter -c to check the result.

A Final Word

Like other tools of this type (e.g. Tripwire), getting the configuration right will take time and involve a lot of trial and error. But the result will be a far greater degree of confidence that you have a good handle on what’s happening on the machine being monitored.

Copyright 2004-2019 Phil Lembo