Go to Qiita Advent Calendar 2024 Top
LoginSignup
6
10

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 5 years have passed since last update.

@bezeklik(Bezeklik)

ルートキット検出ツール Rootkit Hunter (rkhunter)

Last updated at Posted at 2016-08-07

Rootkit Hunter

http://rkhunter.sourceforge.net/
Linux の著名なルートキット検出ツールで、同様のツールとして chkrootkit がある。
最新版は 2014/02/24 リリースの 1.4.2 になる。

インストール

yum install epel-release
yum install rkhunter unhide

unhide は Checking for hidden processes で必要。

アップデート

rkhunter --update
rkhunter --propupd

実行

rkhunter -c --rwo --sk

デフォルト設定ファイル

/etc/cron.daily/rkhunter
XITVAL=0
TMPFILE1=`/bin/mktemp -p /var/lib/rkhunter rkhcronlog.XXXXXXXXXX` || exit 1
if [ ! -e /var/lock/subsys/rkhunter ]; then
  /bin/touch /var/lock/subsys/rkhunter
  if [ -e /etc/sysconfig/rkhunter ] ; then
    . /etc/sysconfig/rkhunter
  else
    MAILTO=root@localhost
  fi
  if [ "$DIAG_SCAN" = "yes" ]; then
    RKHUNTER_FLAGS="--checkall --skip-keypress --nocolors --quiet --appendlog --display-logfile"
  else
    RKHUNTER_FLAGS="--cronjob --nocolors --report-warnings-only"
  fi
  RKHUNTER=/usr/bin/rkhunter
  LOGFILE=/var/log/rkhunter/rkhunter.log
  if [ -x $RKHUNTER ]; then
    /bin/echo -e "\n--------------------- Start Rootkit Hunter Update ---------------------" \
      > $TMPFILE1
    /bin/nice -n 10 $RKHUNTER --update --nocolors 2>&1 >> $TMPFILE1
    /bin/echo -e "\n---------------------- Start Rootkit Hunter Scan ----------------------" \
      >> $TMPFILE1
    /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS 2>&1 >> $TMPFILE1
    XITVAL=$?
    /bin/echo -e "\n----------------------- End Rootkit Hunter Scan -----------------------" \
      >> $TMPFILE1
    if [ $XITVAL != 0 ]; then
         /bin/cat $TMPFILE1 | /bin/mail -s "rkhunter Daily Run on $(hostname)" $MAILTO
    fi
    /bin/cat $TMPFILE1 >> $LOGFILE
  fi
  /bin/rm -f /var/lock/subsys/rkhunter
fi
/bin/rm -f $TMPFILE1
exit $XITVAL
/etc/sysconfig/rkhunter
# System configuration file for Rootkit Hunter which
# stores RPM system specifics for cron run, etc.
#
#    MAILTO= <email address to send scan report>
# DIAG_SCAN= no  - perform  normal  report scan
#            yes - perform detailed report scan
#                  (includes application check)

MAILTO=root@localhost
DIAG_SCAN=no
/etc/rkhunter.conf
TMPDIR=/var/lib/rkhunter
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/share/rkhunter/scripts
LOGFILE=/var/log/rkhunter/rkhunter.log
APPEND_LOG=1
AUTO_X_DETECT=1
ALLOW_SSH_ROOT_USER=unset
ALLOW_SSH_PROT_V1=2
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps
PKGMGR=RPM
EXISTWHITELIST=/bin/ad
EXISTWHITELIST=/var/log/pki-ca/system
EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
EXISTWHITELIST=/usr/bin/GET
EXISTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/GET
SCRIPTWHITELIST=/sbin/ifup
SCRIPTWHITELIST=/sbin/ifdown
ALLOWHIDDENDIR="/etc/.java"
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
ALLOWHIDDENDIR=/dev/.SRC-unix
ALLOWHIDDENDIR=/dev/.mdadm
ALLOWHIDDENDIR=/dev/.systemd
ALLOWHIDDENDIR=/dev/.mount
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENDIR=/etc/.bzr
ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac
ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac
ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
ALLOWHIDDENFILE=/dev/.mdadm.map
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWHIDDENFILE=/etc/.bzrignore
ALLOWHIDDENFILE=/etc/.updated
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/md/md-device-map
ALLOWDEVFILE="/dev/shm/mono.*"
ALLOWDEVFILE="/dev/shm/libv4l-*"
ALLOWDEVFILE="/dev/shm/spice.*"
ALLOWDEVFILE="/dev/md/autorebuild.pid"
ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
ALLOWDEVFILE=/dev/shm/squid-cf*
RTKT_FILE_WHITELIST=/bin/ad
RTKT_FILE_WHITELIST=/var/log/pki-ca/system
RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
INSTALLDIR="/usr"

セキュリティ関連記事

6
10
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
6
10

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?