|
| 1 | +--- |
| 2 | +title: Rootkit Hunter |
| 3 | +author: Steven Spencer |
| 4 | +contributors: Ezequiel Bruni, Andrew Thiesen, Ganna Zhyrnova |
| 5 | +tested_with: "9.2" |
| 6 | +tags: |
| 7 | + - server |
| 8 | + - Sicherheit |
| 9 | + - rkhunter |
| 10 | +--- |
| 11 | + |
| 12 | +!!! warning "Das Projekt `rkhunter` wird seit 2018 nicht mehr gepflegt" |
| 13 | + |
| 14 | + Obwohl Sie `rkhunter` weiterhin in Rocky Linux 9 installieren können, sollten Sie sich bewusst sein, dass das Projekt seit 2018 funktional obsolet ist. Die Entwicklung des Projekts wurde damals eingestellt. Eine gute Firewall und andere Sicherheitsmaßnahmen sollten heute ausreichen, um Ihren Server sicher zu halten. |
| 15 | + |
| 16 | +## Einleitung |
| 17 | + |
| 18 | +Rootkit Hunter (`rkhunter`) is a well known tool for checking vulnerabilities, rootkits, back doors, and possible local exploits on a server. It is possible to use it on _any_ server used for _any_ purpose. When tuned and automated, it can report any suspicious activity to the system administrator. This procedure outlines the installation, tuning, and use of Rootkit Hunter. |
| 19 | + |
| 20 | +`rkhunter` is just one possible part of a hardened server setup. Use it alone or with other tools to maximize security. |
| 21 | + |
| 22 | +## Voraussetzungen |
| 23 | + |
| 24 | +- Proficiency with a command-line editor (using `vi` in this example) |
| 25 | +- A comfort level with issuing commands from the command-line, viewing logs, and other general systems administrator duties |
| 26 | +- An understanding of what can trigger a response to changed files on the file system (such as package updates) is helpful |
| 27 | +- Running all commands as root or as a regular user with `sudo` |
| 28 | + |
| 29 | +This document was originally written in conjunction with the apache hardened web server routines, but works equally well on a server running any software. |
| 30 | + |
| 31 | +## Allgemeine Schritte |
| 32 | + |
| 33 | +1. install `rkhunter` |
| 34 | +2. configure `rkhunter` |
| 35 | +3. configure email and ensure it will work correctly |
| 36 | +4. run `rkhunter` manually to generate a list of warnings to test your email settings (`rkhunter --check`) |
| 37 | +5. run `rkhunter --propupd` to generate a clean `rkhunter.dat` file that `rkhunter` will use from this point forward as a baseline for further checks. |
| 38 | + |
| 39 | +## Installing `rkhunter` |
| 40 | + |
| 41 | +`rkhunter` requires the EPEL (Extra Packages for Enterprise Linux) repository. Install that repository if you do not have it installed already: |
| 42 | + |
| 43 | +```bash |
| 44 | +dnf install epel-release |
| 45 | +``` |
| 46 | + |
| 47 | +Install `rkhunter`: |
| 48 | + |
| 49 | +```bash |
| 50 | +dnf install rkhunter |
| 51 | +``` |
| 52 | + |
| 53 | +## Configuring `rkhunter` |
| 54 | + |
| 55 | +The only configuration options that you _need_ to set are those dealing with mailing reports to the Administrator. |
| 56 | + |
| 57 | +!!! warning |
| 58 | + |
| 59 | + Modification of _any_ configuration file in Linux carries risk. Before altering **any** configuration file in Linux, creating a backup of the _original_ file is recommended. |
| 60 | + |
| 61 | +To change the configuration file, run: |
| 62 | + |
| 63 | +```bash |
| 64 | +vi /etc/rkhunter.conf |
| 65 | +``` |
| 66 | + |
| 67 | +Suche nach: |
| 68 | + |
| 69 | +```bash |
| 70 | +#MAIL-ON-WARNING=me@mydomain root@mydomain |
| 71 | +``` |
| 72 | + |
| 73 | +Remove the remark here and change the `me@mydomain.com` to reflect your email address. |
| 74 | + |
| 75 | +Change the `root@mydomain` to `root@whatever_the_server_name_is`. |
| 76 | + |
| 77 | +You will probably also want to remove the remark (and edit the line to fit your needs) from the `MAIL-CMD` line: |
| 78 | + |
| 79 | +```bash |
| 80 | +MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" |
| 81 | +``` |
| 82 | + |
| 83 | +You might also need to setup [Postfix Email for Reporting](../../email/postfix_reporting.md) to get the email section to work correctly. |
| 84 | + |
| 85 | +## Running `rkhunter` |
| 86 | + |
| 87 | +Run `rkhunter` manually by typing it at the command-line. A cron job takes care of running `rkhunter` for you automatically in `/etc/cron.daily`. If you want to automate the procedure on a different schedule, examine [Automating cron jobs guide](../../automation/cron_jobs_howto.md). |
| 88 | + |
| 89 | +You will also need to move the script somewhere other than `/etc/cron.daily/`, such as `/usr/local/sbin/` and call it from your custom cron job. The easiest method is to leave the default `cron.daily` setup intact. |
| 90 | + |
| 91 | +If you want to test `rkhunter` before you start, including all email functionality, run `rkhunter --check` from the command line. If installed and functioning correctly, you should receive an output similar to the following: |
| 92 | + |
| 93 | +```bash |
| 94 | +[root@sol admin]# rkhunter --check |
| 95 | +[Rootkit Hunter version 1.4.6] |
| 96 | + |
| 97 | +Checking system commands... |
| 98 | + |
| 99 | +Performing 'strings' command checks |
| 100 | +- Checking 'strings' command [OK] |
| 101 | + |
| 102 | +Performing 'shared libraries' checks |
| 103 | +- Checking for preloading variables [None found] |
| 104 | +- Checking for preloaded libraries [None found] |
| 105 | +- Checking LD_LIBRARY_PATH variable [Not found] |
| 106 | + |
| 107 | +Performing file properties checks |
| 108 | +- Checking for prerequisites [Warning] |
| 109 | +- /usr/bin/awk [OK] |
| 110 | +- /usr/bin/basename [OK] |
| 111 | +- /usr/bin/bash [OK] |
| 112 | +- /usr/bin/cat [OK] |
| 113 | +- /usr/bin/chattr [OK] |
| 114 | +- /usr/bin/chmod [OK] |
| 115 | +- /usr/bin/chown [OK] |
| 116 | +- /usr/bin/cp [OK] |
| 117 | +- /usr/bin/curl [OK] |
| 118 | +- /usr/bin/cut [OK] |
| 119 | +- /usr/bin/date [OK] |
| 120 | +- /usr/bin/df [OK] |
| 121 | +- /usr/bin/diff [OK] |
| 122 | +- /usr/bin/dirname [OK] |
| 123 | +- /usr/bin/dmesg [OK] |
| 124 | +- /usr/bin/du [OK] |
| 125 | +- /usr/bin/echo [OK] |
| 126 | +- /usr/bin/ed [OK] |
| 127 | +- /usr/bin/egrep [Warning] |
| 128 | +- /usr/bin/env [OK] |
| 129 | +- /usr/bin/fgrep [Warning] |
| 130 | +- /usr/bin/file [OK] |
| 131 | +- /usr/bin/find [OK] |
| 132 | +- /usr/bin/GET [OK] |
| 133 | +- /usr/bin/grep [OK] |
| 134 | +- /usr/bin/groups [OK] |
| 135 | +- /usr/bin/head [OK] |
| 136 | +- /usr/bin/id [OK] |
| 137 | +- /usr/bin/ipcs [OK] |
| 138 | +- /usr/bin/kill [OK] |
| 139 | +- /usr/bin/killall [OK] |
| 140 | +- /usr/bin/last [OK] |
| 141 | +- /usr/bin/lastlog [OK] |
| 142 | +- /usr/bin/ldd [OK] |
| 143 | +- /usr/bin/less [OK] |
| 144 | +- /usr/bin/locate [OK] |
| 145 | +- /usr/bin/logger [OK] |
| 146 | +- /usr/bin/login [OK] |
| 147 | +- /usr/bin/ls [OK] |
| 148 | +- /usr/bin/lsattr [OK] |
| 149 | +- /usr/bin/lsof [OK] |
| 150 | +- /usr/bin/mail [OK] |
| 151 | +- /usr/bin/md5sum [OK] |
| 152 | +- /usr/bin/mktemp [OK] |
| 153 | +- /usr/bin/more [OK] |
| 154 | +- /usr/bin/mount [OK] |
| 155 | +- /usr/bin/mv [OK] |
| 156 | +- /usr/bin/netstat [OK] |
| 157 | +- /usr/bin/newgrp [OK] |
| 158 | +- /usr/bin/passwd [OK] |
| 159 | +- /usr/bin/perl [OK] |
| 160 | +- /usr/bin/pgrep [OK] |
| 161 | +- /usr/bin/ping [OK] |
| 162 | +- /usr/bin/pkill [OK] |
| 163 | +- /usr/bin/ps [OK] |
| 164 | +- /usr/bin/pstree [OK] |
| 165 | +- /usr/bin/pwd [OK] |
| 166 | +- /usr/bin/readlink [OK] |
| 167 | +- /usr/bin/rkhunter [OK] |
| 168 | +- /usr/bin/rpm [OK] |
| 169 | +- /usr/bin/runcon [OK] |
| 170 | +- /usr/bin/sed [OK] |
| 171 | +- /usr/bin/sestatus [OK] |
| 172 | +- /usr/bin/sh [OK] |
| 173 | +- /usr/bin/sha1sum [OK] |
| 174 | +- /usr/bin/sha224sum [OK] |
| 175 | +- /usr/bin/sha256sum [OK] |
| 176 | +- /usr/bin/sha384sum [OK] |
| 177 | +- /usr/bin/sha512sum [OK] |
| 178 | +- /usr/bin/size [OK] |
| 179 | +- /usr/bin/sort [OK] |
| 180 | +- /usr/bin/ssh [OK] |
| 181 | +- /usr/bin/stat [OK] |
| 182 | +- /usr/bin/strace [OK] |
| 183 | +- /usr/bin/strings [OK] |
| 184 | +- /usr/bin/su [OK] |
| 185 | +- /usr/bin/sudo [OK] |
| 186 | +- /usr/bin/tail [OK] |
| 187 | +- /usr/bin/test [OK] |
| 188 | +- /usr/bin/top [OK] |
| 189 | +- /usr/bin/touch [OK] |
| 190 | +- /usr/bin/tr [OK] |
| 191 | +- /usr/bin/uname [OK] |
| 192 | +- /usr/bin/uniq [OK] |
| 193 | +- /usr/bin/users [OK] |
| 194 | +- /usr/bin/vmstat [OK] |
| 195 | +- /usr/bin/w [OK] |
| 196 | +- /usr/bin/watch [OK] |
| 197 | +- /usr/bin/wc [OK] |
| 198 | +- /usr/bin/wget [OK] |
| 199 | +- /usr/bin/whatis [OK] |
| 200 | +- /usr/bin/whereis [OK] |
| 201 | +- /usr/bin/which [OK] |
| 202 | +- /usr/bin/who [OK] |
| 203 | +- /usr/bin/whoami [OK] |
| 204 | +- /usr/bin/numfmt [OK] |
| 205 | +- /usr/bin/gawk [OK] |
| 206 | +- /usr/bin/s-nail [OK] |
| 207 | +- /usr/bin/whatis.man-db [OK] |
| 208 | +- /usr/bin/kmod [OK] |
| 209 | +- /usr/bin/systemctl [OK] |
| 210 | +- /usr/sbin/adduser [OK] |
| 211 | +- /usr/sbin/chroot [OK] |
| 212 | +- /usr/sbin/depmod [OK] |
| 213 | +- /usr/sbin/fsck [OK] |
| 214 | +- /usr/sbin/fuser [OK] |
| 215 | +- /usr/sbin/groupadd [OK] |
| 216 | +- /usr/sbin/groupdel [OK] |
| 217 | +- /usr/sbin/groupmod [OK] |
| 218 | +- /usr/sbin/grpck [OK] |
| 219 | +- /usr/sbin/ifconfig [OK] |
| 220 | +- /usr/sbin/init [OK] |
| 221 | +- /usr/sbin/insmod [OK] |
| 222 | +- /usr/sbin/ip [OK] |
| 223 | +- /usr/sbin/lsmod [OK] |
| 224 | +- /usr/sbin/modinfo [OK] |
| 225 | +- /usr/sbin/modprobe [OK] |
| 226 | +- /usr/sbin/nologin [OK] |
| 227 | +- /usr/sbin/ping [OK] |
| 228 | +- /usr/sbin/pwck [OK] |
| 229 | +- /usr/sbin/rmmod [OK] |
| 230 | +- /usr/sbin/route [OK] |
| 231 | +- /usr/sbin/rsyslogd [OK] |
| 232 | +- /usr/sbin/runlevel [OK] |
| 233 | +- /usr/sbin/sestatus [OK] |
| 234 | +- /usr/sbin/sshd [OK] |
| 235 | +- /usr/sbin/sulogin [OK] |
| 236 | +- /usr/sbin/sysctl [OK] |
| 237 | +- /usr/sbin/useradd [OK] |
| 238 | +- /usr/sbin/userdel [OK] |
| 239 | +- /usr/sbin/usermod [OK] |
| 240 | +- /usr/sbin/vipw [OK] |
| 241 | +- /usr/libexec/gawk [OK] |
| 242 | +- /usr/lib/systemd/systemd [OK] |
| 243 | + |
| 244 | +[Press <ENTER> to continue] |
| 245 | +``` |
| 246 | + |
| 247 | +Hold off completing the remaining steps if problems exist with the email setup. When confirming email works, but before allowing `rkhunter` to run automatically, run the command manually again with the "--propupd" flag to create the `rkhunter.dat` file. This ensures recognition of your environment and configuration: |
| 248 | + |
| 249 | +```bash |
| 250 | +rkhunter --propupd |
| 251 | +``` |
| 252 | + |
| 253 | +## Zusammenfassung |
| 254 | + |
| 255 | +`rkhunter` is one part of a hardened server strategy that can help monitor the file system and report any issues to the administrator. It is perhaps one of the easiest hardening tools to install, configure, and run. |
0 commit comments