Department of Electrical and Computer Engineering
Assistant Professor Gregory R. Kriehn
FC6 RKhunter
rkhunter is another nifty program, similar to blockhosts, whose purpose is to scan for rootkits or other malware on your system such as trojans, backdoors, and local exploits. rkhunter differs from blockhosts in that it is a passive program that only reports (potential) problems. It does not provide any active prevention or protection. But what it does do, it does very well. With a typical installation of rkhunter, the following checks are performed:

    1.  MD5 hash comparisons.
    2.  Default files commonly used by rootkits.
    3.  Incorrect file placement (moved binaries).
    4.  Search for suspect strings in LKM and KLD modules.
    5.  Hidden files.
    6.  Optional scan within plain text and binary files.
    7.  Search for old versions of software packages.

rkhunter used to be a part of Fedora Extras, but was taken out of FC6 because "in the second quarter of 2006, the founder of Rootkit Hunter found out the hard way that maintaining FOSS can be difficult when real-life commitments overrule. Management of the project was taken over by unSpawn, and a project group comprising of developers and testers was formed..." LOL.

This means that we will have to install it from source. Head over to the new RKhunter website:

http://rkhunter.sourceforge.net/

Click on the SF project page link, followed by the Download Rootkit Hunter link. Download the latest version, which at the time of this writing is rkhunter-1.2.9.tar.gz, as well as the hashupd.sh script.
Next, create an appropriate directory to install RKhunter under /usr/local/src:
~> sudo mkdir -p /usr/local/src/rkhunter
Move the source tarball to the directory:
~> sudo mv ~/Desktop/rkhunter-1.2.9.tar.gz /usr/local/src/rkhunter/.
Change into the rkhunter directory:
~> cd /usr/local/src/rkhunter
and decompress the source:
~> sudo tar vfzx rkhunter-1.2.9.tar.gz
Once the package has been decompressed, delete the source file, and change the ownership of the rkhunter-1.2.9 directory to root:
~> sudo rm rkhunter-1.2.9.tar.gz
~> sudo chown root.root -R rkhunter-1.2.9
Next, login as root and change into the rkhunter-1.2.9/files directory:
~> su
# cd rkhunter-1.2.9/files
Before we run the installer script, we have to modify the source code to avoid a problem that rkhunter has with prelinked files, as found in Fedora Core. See the following page for details:

http://www.mail-archive.com/rkhunter-users@lists.sourceforge.net/msg00303.html

Open up the rkhunter file using sudo, and perform a search for:

PRELINKVERIFY=`${PRELINKBINARY} --verify ${file} > ${TMPDIR}/prelink.tst`
Delete the entire line, and replace it with:
PRELINKVERIFY=`runcon -t unconfined_t -- ${PRELINKBINARY} --verify ${file} > ${TMPDIR}/prelink.tst 2>/dev/null`
Make sure that it fits on a single line. Save and exit.

Next, run the installer script to install rkhunter:

# cd ..
# ./installer.sh
Log out of root, and change into the /usr/local/etc directory to configure rkhunter:
# exit
~> cd /usr/local/etc
We are now ready to edit the /usr/local/etc/rkhunter.conf file using sudo. The first thing we need to do is add options for allowing a few hidden directories and files that are a part of a typical installation for Fedora Core 6. For example, the following information should be added/uncommented:
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev

ALLOWHIDDENFILE=/etc/.java
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/etc/.pwd.lock
Save and exit. Next, run rkhunter using sudo and check for any updates:
~> sudo /usr/local/bin/rkhunter --update
Hit Enter, and allow rkhunter to update its database. Then you can run an initial test scan:
~> sudo /usr/local/bin/rkhunter -c
The first time you run it, you will see a bunch of bad/unknown hashes. To get around this problem, we are going to have to update the prelinking database with the rkhunter local MD5 hash values. This requires rebuilding the prelinking database and the rkhunter local hash values using the hashupd.sh script. See the RKhunter FAQ for further information.

First, we need to temporarily disable SELinux:

~> sudo setenforce 0
Then check to make sure that we are in permissive mode:
~> sestatus
You should see a line that says:
Current mode:                   permissive
With SELinux in permissive mode, delete the prelink cache, and run the daily prelink update script:
~> sudo rm /etc/prelink.cache
~> sudo /etc/cron.daily/prelink
The prelink command will take a while to complete. When it is finally done, run the hashupd.sh script:
~> sudo sh ~/Desktop/hashupd.sh
Run rkhunter again, and everything should be fine:
~> sudo /usr/local/bin/rkhunter -c
Finally, re-enable SELinux:
~> sudo setenforce 1
Verify that we are back in enforcing mode:
~> sestatus
You should see a line that says:
Current mode:                   enforcing
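The permissive/enforcing switch above is easy to get wrong by hand: if hashupd.sh or the prelink run fails partway through, the machine is left in permissive mode until someone notices. The following wrapper is an added example, not a script from this page or from the rkhunter project. It uses the page's locations (rkhunter in /usr/local/bin, hashupd.sh on the Desktop, the path in HASHUPD is an assumption you can override) and a small parse_selinux_mode helper that reads the "Current mode:" line of sestatus output, so the script checks the mode itself instead of relying on a visual check, and a trap puts SELinux back into enforcing mode no matter how the run ends.

```shell
#!/bin/sh
# Added example, not a script from the page or the rkhunter project.
# Wraps the hash-update procedure so SELinux is returned to enforcing mode
# even when a step fails. Assumes the page's locations: rkhunter installed
# in /usr/local/bin and hashupd.sh downloaded to the Desktop (assumed path,
# override with the HASHUPD environment variable).
set -e

RKHUNTER=/usr/local/bin/rkhunter
HASHUPD="${HASHUPD:-$HOME/Desktop/hashupd.sh}"

# Read sestatus-style text on stdin and print the value of "Current mode:"
# (permissive or enforcing). Prints nothing if the line is absent.
parse_selinux_mode() {
    awk -F: '/^Current mode:/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Mode of the running system.
current_selinux_mode() {
    sestatus 2>/dev/null | parse_selinux_mode
}

# Succeed only when the live mode equals the expected one ($1).
require_mode() {
    [ "$(current_selinux_mode)" = "$1" ]
}

update_hashes() {
    # Whatever happens below, put SELinux back and report the final mode.
    trap 'setenforce 1; echo "SELinux mode now: $(current_selinux_mode)"' EXIT

    setenforce 0
    require_mode permissive || { echo "SELinux did not enter permissive mode" >&2; return 1; }

    # Same steps as the page: rebuild the prelink cache, refresh rkhunter's
    # local hashes with hashupd.sh, then rescan.
    rm -f /etc/prelink.cache
    /etc/cron.daily/prelink
    sh "$HASHUPD"
    "$RKHUNTER" -c
}

# Only act when invoked as "update_hashes.sh run"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then
    update_hashes
fi
```

Run it as root with the single argument run. Because the whole body runs under set -e with an EXIT trap, a failing prelink or hashupd.sh step still ends with setenforce 1, and the final echo shows the mode you are left in, which is the same check the page has you do with sestatus.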
If you have any other major problems, depending upon what is found, you may need to do some serious digging to determine whether or not your system has been compromised. If it is a matter of warnings about old/outdated packages, use yum to first update your system and check it again.

Running rkhunter manually on a regular basis is tedious, so let's set up a daily scan report. Create an /etc/cron.daily/rkhunter file with the following information in it:

#!/bin/sh

(/usr/local/bin/rkhunter --versioncheck; /usr/local/bin/rkhunter --update; /usr/local/bin/rkhunter --cronjob --report-mode --createlogfile /var/log/rkhunter/rkhunter.log) | /bin/mail -s 'rkhunter Daily Run' root
Make sure that everything fits on a single line. Save and exit. Then make the file executable:
~> sudo chmod ugo+x /etc/cron.daily/rkhunter
The logfile is to be placed in /var/log/rkhunter, so create the directory:
~> sudo mkdir /var/log/rkhunter
Next, create an /etc/logrotate.d/rkhunter file for log rotation with the following information:
/var/log/rkhunter/rkhunter.log {
    weekly
    notifempty
    create 640 root root
}
Save and exit. Now, whenever rkhunter is run on a daily basis through cron.daily, a report will be generated and sent to root's e-mail. A log of the results will also be stored in /var/log/rkhunter/rkhunter.log. I rarely, if ever, log in as root, so I find it useful to put a .forward file in root's home directory to forward any e-mail sent to root to your user account instead. First, login as root:
~> su -
Type in root's password, and change into root's home directory:
# cd ~
# pwd
/root
Then put a .forward file in root's home directory so that it forwards any e-mail sent to root to your account. This is done by placing an appropriate e-mail address (where you want it forwarded to) in the /root/.forward file:
[username]@[domain].[name]
Save and exit, and log out of root:
# exit
~>
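As an added example (not the page's own cron file and not part of the rkhunter project), the following variant of /etc/cron.daily/rkhunter performs the same three rkhunter calls as above but derives the mail subject from the number of warning lines in the report, so a clean night reads "clean" in the subject line and a night with findings shows the count before you open the message. The log and report paths are the page's; the sample_report lines are constructed for illustration and do not reproduce rkhunter's real output format, which is why count_warnings matches the word "Warning" loosely rather than a specific layout.

```shell
#!/bin/sh
# Added example, not the page's cron file or anything from the rkhunter
# project. Runs the same three rkhunter steps as the page's
# /etc/cron.daily/rkhunter but puts the warning count in the mail subject,
# so the daily message can be triaged at a glance. Paths are the page's.

RKHUNTER=/usr/local/bin/rkhunter
LOGDIR=/var/log/rkhunter
LOGFILE=$LOGDIR/rkhunter.log
REPORT=$LOGDIR/report.txt
MAILTO=root

# Count lines in a report that contain "Warning" (case-insensitive).
# Prints 0 for an empty or unreadable file instead of failing.
count_warnings() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -ci 'warning' "$1" || true    # grep -c exits 1 on zero matches; the count is still printed
}

# Subject line derived from the warning count in report $1.
mail_subject() {
    n=$(count_warnings "$1")
    if [ "$n" -eq 0 ]; then
        echo "rkhunter Daily Run: clean"
    else
        echo "rkhunter Daily Run: $n warning(s)"
    fi
}

# Constructed sample of the kind of lines a report contains; used for
# trying the helpers without running rkhunter. Not real rkhunter output.
sample_report() {
    printf '%s\n' \
        'Checking binaries:    [ OK ]' \
        '/bin/ls               [ Warning ]' \
        'Warning: hidden file found: /etc/.example' \
        'Checking for hidden directories:    [ OK ]'
}

daily_run() {
    mkdir -p "$LOGDIR"
    "$RKHUNTER" --versioncheck
    "$RKHUNTER" --update
    "$RKHUNTER" --cronjob --report-mode --createlogfile "$LOGFILE" > "$REPORT" 2>&1
    /bin/mail -s "$(mail_subject "$REPORT")" "$MAILTO" < "$REPORT"
}

# Only run the scan when invoked with "run"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then
    daily_run
fi
```

The mail is still sent every day, as in the page's setup, so a missing message is itself a signal that the job or the mailer broke; only the subject changes. With the .forward file from the steps above in place, the message reaches your own account.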
rkhunter is now set up, and will send you an e-mail report every morning with the results of the scan. If a problem shows up in the report, it gives you a starting point to determine whether your system has been broken into. It is by no means failsafe, as logs can be edited and deleted, but it does provide another layer of defense against a potential hacker.