F11 Security RKhunter

Department of Electrical and Computer Engineering
Assistant Professor Gregory R. Kriehn

rkhunter is another nifty program, similar to blockhosts, whose purpose is to scan for rootkits or other malware on your system such as trojans, backdoors, and local exploits. rkhunter differs from blockhosts in that it is a passive program that only reports (potential) problems. It does not provide any active prevention or protection. But what it does do, it does very well. With a typical installation of rkhunter, the following checks are performed:

    1.  MD5 hash comparisons.
    2.  Default files commonly used by rootkits.
    3.  Incorrect file placement (moved binaries).
    4.  Search for suspect strings in LKM and KLD modules.
    5.  Hidden files.
    6.  Optional scan within plain text and binary files.
    7.  Search for old versions of software packages.

rkhunter used to be a part of Fedora Extras, but was taken out of FC6 because "in the second quarter of 2006, the founder of Rootkit Hunter found out the hard way that maintaining FOSS can be difficult when real-life commitments overrule. Management of the project was taken over by unSpawn, and a project group comprising of developers and testers was formed..." LOL.  But as of Fedora 9, it's back in, so use yum to install it:
~> sudo yum install rkhunter
Hit Enter, followed by y when you are asked if it is ok to install rkhunter after the header is downloaded and a transaction check has been performed.

We are now ready to edit the /etc/rkhunter.conf file using sudo. The first thing we need to do is specify the logfile location, whitelist a few scripts that are part of a typical Fedora 11 installation, and add options allowing a few hidden directories and a temporary PulseAudio file in /dev/shm. For example, the following lines should be added or uncommented:
LOGFILE=/var/log/rkhunter/rkhunter.log

ALLOW_SSH_ROOT_USER=no

SCRIPTWHITELIST=/sbin/ifup
SCRIPTWHITELIST=/sbin/ifdown
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/GET
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis

ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev

ALLOWHIDDENFILE=/etc/.java
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/etc/.pwd.lock

ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/shm/*

XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync

SYSLOG_CONFIG_FILE=/etc/rsyslog.conf
Save and exit. Note that ALLOWDEVFILE=/dev/shm/* already matches every file in /dev/shm (the pulse-shm line is a subset of it), so nothing placed there will be reported; whitelist only what your system actually needs. Next, run rkhunter using sudo to check for any updates and then record the properties (hashes and attributes) of the system commands. Do the --propupd step on a system you believe is clean, since every later scan compares against this baseline:
~> sudo rkhunter --update
~> sudo rkhunter --propupd
Then you can run an initial test scan:
~> sudo rkhunter -c
If you have a warning about /bin/su, try executing the following command to resolve dependency errors:
~> sudo prelink /bin/su
rkhunter now runs automatically every day from the cron job installed by the package; if you want to change the settings, edit /etc/cron.daily/rkhunter.
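As an added example, not part of the original page or of rkhunter itself, the following POSIX shell helper (hypothetical name audit_rkhunter_conf) reads an rkhunter.conf and reports whitelist entries of the kinds set above that may silence more than intended: ALLOW* globs ending in /* (the whole directory stops being reported) and SCRIPTWHITELIST paths that do not exist on the host. It runs against a constructed sample configuration written to a temporary file.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of rkhunter or of this page):
# audit an rkhunter.conf for whitelist entries that may hide real findings.
#   BROAD   - ALLOWDEVFILE/ALLOWHIDDENFILE/ALLOWHIDDENDIR glob ending in "/*",
#             which silences every file rkhunter would report in that directory
#   MISSING - SCRIPTWHITELIST path that does not exist on this host (stale
#             entry or typo; it whitelists nothing, so the real script is
#             still flagged on every scan)
audit_rkhunter_conf() {
    conf="$1"
    # Drop comments and blank lines, then split each remaining line at the
    # first "=" into key and value (rkhunter option names never contain "=").
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key value; do
        case "$key" in
            ALLOWDEVFILE|ALLOWHIDDENFILE|ALLOWHIDDENDIR)
                case "$value" in
                    */\*) printf 'BROAD %s=%s\n' "$key" "$value" ;;
                esac ;;
            SCRIPTWHITELIST)
                [ -e "$value" ] || printf 'MISSING %s=%s\n' "$key" "$value" ;;
        esac
    done
}

# Constructed sample configuration, modelled on the entries shown above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
LOGFILE=/var/log/rkhunter/rkhunter.log
SCRIPTWHITELIST=/bin/sh
SCRIPTWHITELIST=/usr/local/bin/no-such-script
ALLOWHIDDENDIR=/etc/.java
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/shm/*
EOF

# Prints one line per questionable entry; nothing printed means nothing found.
audit_rkhunter_conf "$SAMPLE_CONF"
```

Run it against /etc/rkhunter.conf after editing; the pulse-shm entry is not flagged, while the /dev/shm/* entry and the non-existent script are.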

I rarely, if ever, log in as root, so I find it useful to put a .forward file in root's home directory so that any e-mail sent to root is delivered to your own user account instead. First, log in as root:

~> su -
Type in root's password, and change your directory into root's home directory:
# cd ~
# pwd
/root
Then put a .forward file in root's home directory so that it forwards any e-mail sent to root to your account. This is done by placing an appropriate e-mail address (where you want it forwarded to) in the /root/.forward file:
[username]@[domain].[name]
Save and exit, and log out of root:
# exit
~>
rkhunter is now set up, and will send you an e-mail report every morning with the results of the scan. If a problem shows up in the report, it gives you a starting point for determining whether your system has been broken into. It is by no means fail-safe, as logs can be edited and deleted, but it does provide another layer of defense against a potential hacker.