Rootkit hunter¶
Introduction¶
Rootkit hunter (rkhunter) is a well known tool for checking vulnerabilities, rootkits, back doors, and possible local exploits on a server. It is possible to use it on any server used for any purpose. When tuned and automated, it can report any suspicious activity to the system administrator. This procedure outlines the installation, tuning, and use of rootkit hunter.
rkhunter is just one possible part of a hardened server setup. Use it alone or with other tools to maximize security.
Prerequisites¶
- Proficiency with a command-line editor (using
viin this example) - A comfort level with issuing commands from the command-line, viewing logs, and other general systems administrator duties
- An understanding of what can trigger a response to changed files on the file system (such as package updates) is helpful
- Running all commands as root or as a regular user with
sudo
This document was originally written in conjunction with the apache hardened web server routines, but works equally well on a server running any software.
General steps¶
- install
rkhunter - configure
rkhunter - configure email and ensure it will work correctly
- run
rkhuntermanually to generate a list of warnings to test your email settings (rkhunter --check) - run
rkhunter --propupdto generate a cleanrkhunter.datfile thatrkhunterwill use from this point forward as a baseline for further checks.
Installing rkhunter¶
rkhunter requires the EPEL (Extra Packages for Enterprise Linux) repository. Install that repository if you do not have it installed already:
dnf install epel-release
Install rkhunter:
dnf install rkhunter
Configuring rkhunter¶
The only configuration options that you need to set are those dealing with mailing reports to the Administrator.
Warning
Modification of any configuration file in Linux carries risk. Before altering any configuration file in Linux, creating a backup of the original file is recommended.
To change the configuration file, run:
vi /etc/rkhunter.conf
Search for:
#MAIL-ON-WARNING=me@mydomain root@mydomain
Remove the remark here and change the me@mydomain.com to reflect your email address.
Change the root@mydomain to root@whatever_the_server_name_is.
You will probably also want to remove the remark (and edit the line to fit your needs) from the MAIL-CMD line:
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
You might also need to setup Postfix Email for Reporting to get the email section to work correctly.
Running rkhunter¶
Run rkhunter manually by typing it at the command-line. A cron job takes care of running rkhunter for you automatically in /etc/cron.daily. If you want to automate the procedure on a different schedule, examine Automating cron jobs guide.
You will also need to move the script somewhere other than /etc/cron.daily/, such as /usr/local/sbin/ and call it from your custom cron job. The easiest method is to leave the default cron.daily setup intact.
If you want to test rkhunter before you start, including all email functionality, run rkhunter --check from the command line. If installed and functioning correctly, you should receive an output similar to the following:
[root@sol admin]# rkhunter --check
[Rootkit Hunter version 1.4.6]
Checking system commands...
Performing 'strings' command checks
- Checking 'strings' command [OK]
Performing 'shared libraries' checks
- Checking for preloading variables [None found]
- Checking for preloaded libraries [None found]
- Checking LD_LIBRARY_PATH variable [Not found]
Performing file properties checks
- Checking for prerequisites [Warning]
- /usr/bin/awk [OK]
- /usr/bin/basename [OK]
- /usr/bin/bash [OK]
- /usr/bin/cat [OK]
- /usr/bin/chattr [OK]
- /usr/bin/chmod [OK]
- /usr/bin/chown [OK]
- /usr/bin/cp [OK]
- /usr/bin/curl [OK]
- /usr/bin/cut [OK]
- /usr/bin/date [OK]
- /usr/bin/df [OK]
- /usr/bin/diff [OK]
- /usr/bin/dirname [OK]
- /usr/bin/dmesg [OK]
- /usr/bin/du [OK]
- /usr/bin/echo [OK]
- /usr/bin/ed [OK]
- /usr/bin/egrep [Warning]
- /usr/bin/env [OK]
- /usr/bin/fgrep [Warning]
- /usr/bin/file [OK]
- /usr/bin/find [OK]
- /usr/bin/GET [OK]
- /usr/bin/grep [OK]
- /usr/bin/groups [OK]
- /usr/bin/head [OK]
- /usr/bin/id [OK]
- /usr/bin/ipcs [OK]
- /usr/bin/kill [OK]
- /usr/bin/killall [OK]
- /usr/bin/last [OK]
- /usr/bin/lastlog [OK]
- /usr/bin/ldd [OK]
- /usr/bin/less [OK]
- /usr/bin/locate [OK]
- /usr/bin/logger [OK]
- /usr/bin/login [OK]
- /usr/bin/ls [OK]
- /usr/bin/lsattr [OK]
- /usr/bin/lsof [OK]
- /usr/bin/mail [OK]
- /usr/bin/md5sum [OK]
- /usr/bin/mktemp [OK]
- /usr/bin/more [OK]
- /usr/bin/mount [OK]
- /usr/bin/mv [OK]
- /usr/bin/netstat [OK]
- /usr/bin/newgrp [OK]
- /usr/bin/passwd [OK]
- /usr/bin/perl [OK]
- /usr/bin/pgrep [OK]
- /usr/bin/ping [OK]
- /usr/bin/pkill [OK]
- /usr/bin/ps [OK]
- /usr/bin/pstree [OK]
- /usr/bin/pwd [OK]
- /usr/bin/readlink [OK]
- /usr/bin/rkhunter [OK]
- /usr/bin/rpm [OK]
- /usr/bin/runcon [OK]
- /usr/bin/sed [OK]
- /usr/bin/sestatus [OK]
- /usr/bin/sh [OK]
- /usr/bin/sha1sum [OK]
- /usr/bin/sha224sum [OK]
- /usr/bin/sha256sum [OK]
- /usr/bin/sha384sum [OK]
- /usr/bin/sha512sum [OK]
- /usr/bin/size [OK]
- /usr/bin/sort [OK]
- /usr/bin/ssh [OK]
- /usr/bin/stat [OK]
- /usr/bin/strace [OK]
- /usr/bin/strings [OK]
- /usr/bin/su [OK]
- /usr/bin/sudo [OK]
- /usr/bin/tail [OK]
- /usr/bin/test [OK]
- /usr/bin/top [OK]
- /usr/bin/touch [OK]
- /usr/bin/tr [OK]
- /usr/bin/uname [OK]
- /usr/bin/uniq [OK]
- /usr/bin/users [OK]
- /usr/bin/vmstat [OK]
- /usr/bin/w [OK]
- /usr/bin/watch [OK]
- /usr/bin/wc [OK]
- /usr/bin/wget [OK]
- /usr/bin/whatis [OK]
- /usr/bin/whereis [OK]
- /usr/bin/which [OK]
- /usr/bin/who [OK]
- /usr/bin/whoami [OK]
- /usr/bin/numfmt [OK]
- /usr/bin/gawk [OK]
- /usr/bin/s-nail [OK]
- /usr/bin/whatis.man-db [OK]
- /usr/bin/kmod [OK]
- /usr/bin/systemctl [OK]
- /usr/sbin/adduser [OK]
- /usr/sbin/chroot [OK]
- /usr/sbin/depmod [OK]
- /usr/sbin/fsck [OK]
- /usr/sbin/fuser [OK]
- /usr/sbin/groupadd [OK]
- /usr/sbin/groupdel [OK]
- /usr/sbin/groupmod [OK]
- /usr/sbin/grpck [OK]
- /usr/sbin/ifconfig [OK]
- /usr/sbin/init [OK]
- /usr/sbin/insmod [OK]
- /usr/sbin/ip [OK]
- /usr/sbin/lsmod [OK]
- /usr/sbin/modinfo [OK]
- /usr/sbin/modprobe [OK]
- /usr/sbin/nologin [OK]
- /usr/sbin/ping [OK]
- /usr/sbin/pwck [OK]
- /usr/sbin/rmmod [OK]
- /usr/sbin/route [OK]
- /usr/sbin/rsyslogd [OK]
- /usr/sbin/runlevel [OK]
- /usr/sbin/sestatus [OK]
- /usr/sbin/sshd [OK]
- /usr/sbin/sulogin [OK]
- /usr/sbin/sysctl [OK]
- /usr/sbin/useradd [OK]
- /usr/sbin/userdel [OK]
- /usr/sbin/usermod [OK]
- /usr/sbin/vipw [OK]
- /usr/libexec/gawk [OK]
- /usr/lib/systemd/systemd [OK]
[Press <ENTER> to continue]
Hold off completing the remaining steps if problems exist with the email setup. When confirming email works, but before allowing rkhunter to run automatically, run the command manually again with the "--propupd" flag to create the rkhunter.dat file. This ensures recognition of your environment and configuration:
rkhunter --propupd
Conclusion¶
rkhunter is one part of a hardened server strategy that can help monitor the file system and report any issues to the administrator. It is perhaps one of the easiest hardening tools to install, configure, and run.
Author: Steven Spencer
Contributors: Ezequiel Bruni, Andrew Thiesen, Ganna Zhyrnova