Installing rkhunter on NethServer

Howto
,
#1

From shell;
cd /tmp
wget http://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
md5sum rkhunter-1.4.2.tar.gz
Compare result to sourceforge.
tar xvfz rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install
cd /
Just because.
/usr/local/bin/rkhunter --update
Not really necessary if run immediately after download.
/usr/local/bin/rkhunter -c
This runs rkhunter interactively, afterwards you can look through the rkhunter log since the warnings are explained in the log.
Obviously, rkhunter has lots of configurable options but that’a a little beyond the scope of this quick, fun run.

My results;
System checks summary

File properties checks…
Required commands check failed
Files checked: 135
Suspect files: 5

Rootkit checks…
Rootkits checked : 378
Possible rootkits: 0

Applications checks…
Applications checked: 5
Suspect applications: 1

The system checks took: 1 minute and 16 seconds

Another compromise check tool is chrootkit.

1 Like
#2

I ran all the commands exactly as posted and it worked just as described. Thanks!

#3

Rkhunter is known to have many false positive… use it "in a smart way"
BTW, AFAIR, there’s a rpm too, and that’s the way to go (google will tell you more)

#4

Thanks man good work! :smile:
Can I suggest to edit the title in “Installing rkunter on NethServer” ?
As @zamboni already said, can you try the rpm way? Could be cool! So we can edit the howto properly :wink:

1 Like
#5

I didn’t bother with rpm because the ones that I’ve seen were 1.4.0 and it’s so easy to pull the latest from sourceforge that I haven’t bothered to see if the rpm is backported.

#6

before using this script it mightbe usefull to finish your NethServer installation and consider it being in production

after that you should run to determine what is normal and not

# rkhunter --propupd

you could also receive email directly from rkhunter by giving your email into /etc/rkhunter

MAIL-ON-WARNING=“your_user@domain.com”

most of the time you will need to IGNORE .udev Warning, to do that find into /etc/rkhunter those further lines are an exemples and mightbe not fully suitable for your configuration.

#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/dev/.mdadm
…
ALLOWHIDDENFILE=/usr/share/man/man1/…1.gz
ALLOWHIDDENFILE=/usr/share/man/man5/..5.gz
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
…
#ALLOWDEVFILE=/dev/shm/pulse-shm-
#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
ALLOWDEVFILE=/dev/.udev/db/block:loop*
ALLOWDEVFILE=/dev/.udev/db/block:ram*
ALLOWDEVFILE=/dev/.udev/db/block:vda*
ALLOWDEVFILE=/dev/.udev/db/input:event*
ALLOWDEVFILE=/dev/.udev/db/input:mouse*
ALLOWDEVFILE=/dev/.udev/db/misc:kvm
ALLOWDEVFILE=/dev/.udev/db/serio:*
ALLOWDEVFILE=/dev/.udev/db/usb:*
ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules
ALLOWDEVFILE=/dev/.udev/queue.bin…

##Now if you want to add CHRootKit and LogWatch and being noticed by email follow those line :smile:

###to install chkrootkit from EPEL

# yum --enablerepo=epel -y install chkrootkit

###Install logwatch

# yum install logwatch

###and receiving all those logs by email

touch /etc/cron.daily/report-log
chmod a+x /etc/cron.daily/report-log
vi /etc/cron.daily/report-log

with this report-log script

#!/bin/bash
date=$(date +"%m-%d-%Y")
**email="your email here"**

## rkhunter
rkhunter --update
rkhunter --checkall --cronjob --report-warnings-only > rkhunter-check-$date.log

## chkrootkit
chkrootkit | grep -v not > chkrootkit-$date.log

## logwatch
logwatch --output html --detail High --range All > logwatch-all-$date.html
logwatch --output html --detail High --range Today > logwatch-today-$date.html
logwatch --output html --detail High --range Yesterday > logwatch-yesterday-$date.html

## send them
echo "RKHunter, CHKRootkit and LogWatch Logs for $date" | mutt -s "log $date" -a "rkhunter-check-$date.log" -a "chkrootkit-$date.log" -a "logwatch-all-$date.html" -a "logwatch-today-$date.html" -a "logwatch-yesterday-$date.html" -- $email

\## remote those logs
rm -f rkhunter-check-$date.log chkrootkit-$date.log logwatch-*.html
#7

To avoid all the ALLOWDEVFILE= configuration part
it’s also possible to install RKHunter from EPEL

# yum --enablerepo=epel -y install rkhunter

if you like me and when you do

# whereis rkhunter

OR

# hash -t rkhunter

you still having /usr/local/bin/rkhunter
just do

# hash -p /usr/bin/rkhunter rkhunter

#8

@all: please be aware that RKHunter is (well) known to be prone to false positive… use it smartly :wink: