Rootkit hunter¶
Introduction¶
Rootkit hunter (rkhunter
) is a well known tool for checking vulnerabilities, rootkits, back doors, and possible local exploits on a server. It is possible to use it on any server used for any purpose. When tuned and automated, it can report any suspicious activity to the system administrator. This procedure outlines the installation, tuning, and use of rootkit hunter.
rkhunter
is just one possible part of a hardened server setup. Use it alone or with other tools to maximize security.
Prerequisites¶
- Proficiency with a command-line editor (using
vi
in this example) - A comfort level with issuing commands from the command-line, viewing logs, and other general systems administrator duties
- An understanding of what can trigger a response to changed files on the file system (such as package updates) is helpful
- Running all commands as root or as a regular user with
sudo
This document was originally written in conjunction with the apache hardened web server routines, but works equally well on a server running any software.
General steps¶
- install
rkhunter
- configure
rkhunter
- configure email and ensure it will work correctly
- run
rkhunter
manually to generate a list of warnings to test your email settings (rkhunter --check
) - run
rkhunter --propupd
to generate a cleanrkhunter.dat
file thatrkhunter
will use from this point forward as a baseline for further checks.
Installing rkhunter
¶
rkhunter
requires the EPEL (Extra Packages for Enterprise Linux) repository. Install that repository if you do not have it installed already:
dnf install epel-release
Install rkhunter
:
dnf install rkhunter
Configuring rkhunter
¶
The only configuration options that you need to set are those dealing with mailing reports to the Administrator.
Warning
Modification of any configuration file in Linux carries risk. Before altering any configuration file in Linux, creating a backup of the original file is recommended.
To change the configuration file, run:
vi /etc/rkhunter.conf
Search for:
#MAIL-ON-WARNING=me@mydomain root@mydomain
Remove the remark here and change the me@mydomain.com
to reflect your email address.
Change the root@mydomain
to root@whatever_the_server_name_is
.
You will probably also want to remove the remark (and edit the line to fit your needs) from the MAIL-CMD
line:
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
You might also need to setup Postfix Email for Reporting to get the email section to work correctly.
Running rkhunter
¶
Run rkhunter
manually by typing it at the command-line. A cron job takes care of running rkhunter
for you automatically in /etc/cron.daily
. If you want to automate the procedure on a different schedule, examine Automating cron jobs guide.
You will also need to move the script somewhere other than /etc/cron.daily/
, such as /usr/local/sbin/
and call it from your custom cron job. The easiest method is to leave the default cron.daily
setup intact.
If you want to test rkhunter
before you start, including all email functionality, run rkhunter --check
from the command line. If installed and functioning correctly, you should receive an output similar to the following:
[root@sol admin]# rkhunter --check
[Rootkit Hunter version 1.4.6]
Checking system commands...
Performing 'strings' command checks
- Checking 'strings' command [OK]
Performing 'shared libraries' checks
- Checking for preloading variables [None found]
- Checking for preloaded libraries [None found]
- Checking LD_LIBRARY_PATH variable [Not found]
Performing file properties checks
- Checking for prerequisites [Warning]
- /usr/bin/awk [OK]
- /usr/bin/basename [OK]
- /usr/bin/bash [OK]
- /usr/bin/cat [OK]
- /usr/bin/chattr [OK]
- /usr/bin/chmod [OK]
- /usr/bin/chown [OK]
- /usr/bin/cp [OK]
- /usr/bin/curl [OK]
- /usr/bin/cut [OK]
- /usr/bin/date [OK]
- /usr/bin/df [OK]
- /usr/bin/diff [OK]
- /usr/bin/dirname [OK]
- /usr/bin/dmesg [OK]
- /usr/bin/du [OK]
- /usr/bin/echo [OK]
- /usr/bin/ed [OK]
- /usr/bin/egrep [Warning]
- /usr/bin/env [OK]
- /usr/bin/fgrep [Warning]
- /usr/bin/file [OK]
- /usr/bin/find [OK]
- /usr/bin/GET [OK]
- /usr/bin/grep [OK]
- /usr/bin/groups [OK]
- /usr/bin/head [OK]
- /usr/bin/id [OK]
- /usr/bin/ipcs [OK]
- /usr/bin/kill [OK]
- /usr/bin/killall [OK]
- /usr/bin/last [OK]
- /usr/bin/lastlog [OK]
- /usr/bin/ldd [OK]
- /usr/bin/less [OK]
- /usr/bin/locate [OK]
- /usr/bin/logger [OK]
- /usr/bin/login [OK]
- /usr/bin/ls [OK]
- /usr/bin/lsattr [OK]
- /usr/bin/lsof [OK]
- /usr/bin/mail [OK]
- /usr/bin/md5sum [OK]
- /usr/bin/mktemp [OK]
- /usr/bin/more [OK]
- /usr/bin/mount [OK]
- /usr/bin/mv [OK]
- /usr/bin/netstat [OK]
- /usr/bin/newgrp [OK]
- /usr/bin/passwd [OK]
- /usr/bin/perl [OK]
- /usr/bin/pgrep [OK]
- /usr/bin/ping [OK]
- /usr/bin/pkill [OK]
- /usr/bin/ps [OK]
- /usr/bin/pstree [OK]
- /usr/bin/pwd [OK]
- /usr/bin/readlink [OK]
- /usr/bin/rkhunter [OK]
- /usr/bin/rpm [OK]
- /usr/bin/runcon [OK]
- /usr/bin/sed [OK]
- /usr/bin/sestatus [OK]
- /usr/bin/sh [OK]
- /usr/bin/sha1sum [OK]
- /usr/bin/sha224sum [OK]
- /usr/bin/sha256sum [OK]
- /usr/bin/sha384sum [OK]
- /usr/bin/sha512sum [OK]
- /usr/bin/size [OK]
- /usr/bin/sort [OK]
- /usr/bin/ssh [OK]
- /usr/bin/stat [OK]
- /usr/bin/strace [OK]
- /usr/bin/strings [OK]
- /usr/bin/su [OK]
- /usr/bin/sudo [OK]
- /usr/bin/tail [OK]
- /usr/bin/test [OK]
- /usr/bin/top [OK]
- /usr/bin/touch [OK]
- /usr/bin/tr [OK]
- /usr/bin/uname [OK]
- /usr/bin/uniq [OK]
- /usr/bin/users [OK]
- /usr/bin/vmstat [OK]
- /usr/bin/w [OK]
- /usr/bin/watch [OK]
- /usr/bin/wc [OK]
- /usr/bin/wget [OK]
- /usr/bin/whatis [OK]
- /usr/bin/whereis [OK]
- /usr/bin/which [OK]
- /usr/bin/who [OK]
- /usr/bin/whoami [OK]
- /usr/bin/numfmt [OK]
- /usr/bin/gawk [OK]
- /usr/bin/s-nail [OK]
- /usr/bin/whatis.man-db [OK]
- /usr/bin/kmod [OK]
- /usr/bin/systemctl [OK]
- /usr/sbin/adduser [OK]
- /usr/sbin/chroot [OK]
- /usr/sbin/depmod [OK]
- /usr/sbin/fsck [OK]
- /usr/sbin/fuser [OK]
- /usr/sbin/groupadd [OK]
- /usr/sbin/groupdel [OK]
- /usr/sbin/groupmod [OK]
- /usr/sbin/grpck [OK]
- /usr/sbin/ifconfig [OK]
- /usr/sbin/init [OK]
- /usr/sbin/insmod [OK]
- /usr/sbin/ip [OK]
- /usr/sbin/lsmod [OK]
- /usr/sbin/modinfo [OK]
- /usr/sbin/modprobe [OK]
- /usr/sbin/nologin [OK]
- /usr/sbin/ping [OK]
- /usr/sbin/pwck [OK]
- /usr/sbin/rmmod [OK]
- /usr/sbin/route [OK]
- /usr/sbin/rsyslogd [OK]
- /usr/sbin/runlevel [OK]
- /usr/sbin/sestatus [OK]
- /usr/sbin/sshd [OK]
- /usr/sbin/sulogin [OK]
- /usr/sbin/sysctl [OK]
- /usr/sbin/useradd [OK]
- /usr/sbin/userdel [OK]
- /usr/sbin/usermod [OK]
- /usr/sbin/vipw [OK]
- /usr/libexec/gawk [OK]
- /usr/lib/systemd/systemd [OK]
[Press <ENTER> to continue]
Hold off completing the remaining steps if problems exist with the email setup. When confirming email works, but before allowing rkhunter
to run automatically, run the command manually again with the "--propupd" flag to create the rkhunter.dat
file. This ensures recognition of your environment and configuration:
rkhunter --propupd
Conclusion¶
rkhunter
is one part of a hardened server strategy that can help monitor the file system and report any issues to the administrator. It is perhaps one of the easiest hardening tools to install, configure, and run.
Author: Steven Spencer
Contributors: Ezequiel Bruni, Andrew Thiesen, Ganna Zhyrnova