F14 Security RKhunter

Department of Electrical and Computer Engineering
Associate Professor Gregory R. Kriehn
F14 RKhunter

rkhunter is another nifty program, similar to blockhosts, whose purpose is to scan for rootkits or other malware on your system such as trojans, backdoors, and local exploits. rkhunter differs from blockhosts in that it is a passive program that only reports (potential) problems. It does not provide any active prevention or protection. But what it does do, it does very well. With a typical installation of rkhunter, the following checks are performed:

    1.  MD5 hash comparisons.
    2.  Default files commonly used by rootkits.
    3.  Incorrect file placement (moved binaries).
    4.  Search for suspect strings in LKM and KLD modules.
    5.  Hidden files.
    6.  Optional scan within plain text and binary files.
    7.  Search for old versions of software packages.

rkhunter used to be a part of Fedora Extras, but was taken out of FC6 due to the fact that "in the second quarter of 2006, the founder of Rootkit Hunter found out the hard way that maintaining FOSS can be difficult when real-life commitments overrule. Management of the project was taken over by unSpawn, and a project group comprising of developers and testers was formed..." LOL.  But as of Fedora 9, it's back in, so use yum to install it:
~> sudo yum install rkhunter
Hit Enter, then answer y when you are asked whether it is ok to install rkhunter (this prompt appears after the headers are downloaded and the transaction check has run).

We are now ready to edit the /etc/rkhunter.conf file using sudo. The first thing we need to do is specify the logfile location, whitelist a few scripts that are a part of a typical installation for Fedora 14, and add options for allowing a few hidden directories and a temporary Pulse Audio file in /dev/shm. For example, the following information should be added/uncommented:
LOGFILE=/var/log/rkhunter/rkhunter.log

ALLOW_SSH_ROOT_USER=no

SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/etc/group
SCRIPTWHITELIST=/usr/bin/GET
SCRIPTWHITELIST=/sbin/ifup
SCRIPTWHITELIST=/sbin/ifdown

ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.mdadm

ALLOWHIDDENFILE=/etc/.java
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/etc/.pwd.lock

ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/shm/sem.*

XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync

SYSLOG_CONFIG_FILE=/etc/rsyslog.conf
Save and exit. Next, run rkhunter using sudo and check for any updates and update the properties of various commands:
~> sudo rkhunter --update
~> sudo rkhunter --propupd
Then you can run an initial test scan:
~> sudo rkhunter -c
If you see a bunch of Warning messages, check /var/log/rkhunter/rkhunter.log. When you read through the logfile, you will probably find that several files need to be prelinked; do this with sudo, following the directions given in the log. You will also get a warning regarding your /etc/passwd file the first time you run it, since rkhunter does not have anything to compare it to yet.
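As an added example that is not part of the original page, here is a small POSIX shell script that triages the Warning lines in the logfile against the whitelist entries in rkhunter.conf, so that the warnings still needing a human look stand out. Both input files are constructed samples written in rkhunter's log and conf format (not output from a real scan), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: triage the Warning lines that
# "rkhunter -c" writes to its logfile against the whitelist entries in
# rkhunter.conf.  Both files below are CONSTRUCTED samples in rkhunter's
# format, not output from a real scan of this host.
SAMPLE_LOG="${TMPDIR:-/tmp}/rkhunter-sample-log.$$"
SAMPLE_CONF="${TMPDIR:-/tmp}/rkhunter-sample-conf.$$"
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[10:01:12] Info: Starting system checks...
[10:01:13] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[10:01:13] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
[10:01:14] Warning: The file properties have changed:
[10:01:14]          File: /bin/ls
[10:01:15] Warning: Hidden directory found: /dev/.udev
[10:01:16] Info: System checks summary
EOF
cat > "$SAMPLE_CONF" <<'EOF'
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/ldd
ALLOWHIDDENDIR=/dev/.udev
ALLOWDEVFILE=/dev/shm/pulse-shm-*
EOF

# Each warning opens a line with a timestamp; continuation lines are indented
# after the timestamp, so counting line-initial "Warning:" counts each once.
count_warnings() {
    grep -c '^\[[0-9:]*\] Warning:' "$1"
}

# Print the warnings whose text mentions no path that rkhunter.conf already
# whitelists.  Those still need a look: a prelink run, a propupd after a
# known package update, or a real compromise.
unexplained_warnings() {
    log="$1"; conf="$2"
    paths=$(grep -E '^(SCRIPTWHITELIST|ALLOWHIDDENDIR|ALLOWHIDDENFILE|ALLOWDEVFILE)=' "$conf" | cut -d= -f2-)
    grep '^\[[0-9:]*\] Warning:' "$log" | while IFS= read -r line; do
        hit=0
        set -f   # stop /dev/shm/pulse-shm-* from globbing the filesystem
        for p in $paths; do
            case "$line" in *"$p"*) hit=1 ;; esac
        done
        set +f
        if [ "$hit" -eq 0 ]; then printf '%s\n' "$line"; fi
    done
}

count_unexplained() {
    unexplained_warnings "$1" "$2" | wc -l | tr -d ' '
}

echo "warnings: $(count_warnings "$SAMPLE_LOG"), unexplained: $(count_unexplained "$SAMPLE_LOG" "$SAMPLE_CONF")"
unexplained_warnings "$SAMPLE_LOG" "$SAMPLE_CONF"
```

Point the two variables at /var/log/rkhunter/rkhunter.log and /etc/rkhunter.conf to run it against a real scan; a whitelisted path merely appearing in a warning is treated as an accepted exception, which is a triage heuristic, not proof the warning is benign.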

rkhunter is now automatically set up as a cron job, and will also automatically e-mail you if there are any warnings that it has to report. This is quite useful, since we no longer have to set these things up by hand. By default the e-mail is sent to the root account, and since I rarely, if ever, log in as root, I find it useful to put a .forward file in root's home directory so that any such e-mail is forwarded to your own user account instead. First, log in as root:
~> su -
Type in root's password, and change your directory into root's home directory:
# cd ~
# pwd
/root
Then put a .forward file in root's home directory so that it forwards any e-mail sent to root to your account. This is done by placing an appropriate e-mail address (where you want it forwarded to) in the /root/.forward file:
[username]@[domain].[name]
Save and exit, and log out of root:
# exit
~>
rkhunter is now set up, and will send you an e-mail report every morning with the results of the scan. If a problem shows up in the report, it gives you a starting point to determine whether your system has been broken into. It is by no means fail-safe, as logs can be edited and deleted, but it does provide another layer of defense against a potential hacker.