I had a chance to look into rkhunter, so here is a write-up covering everything from installation to verifying that it actually detects a modified binary.
Environment
$ cat /etc/centos-release
CentOS release 6.5 (Final)
Installation
Download rkhunter-1.4.2 from SourceForge.
Extract the downloaded tar.gz and run the installer:
# tar zxvf rkhunter-1.4.2.tar.gz; cd rkhunter-1.4.2
# ./install.sh --install
Update rkhunter's data files and record the file-properties baseline. --propupd stores the hash, inode, size and timestamps of the monitored system files, so run it only on a system you trust to be clean: every later --check is compared against this baseline.
# rkhunter --update
# rkhunter --propupd
Run the check
Options: --skip-keypress for non-interactive use, --report-warnings-only to print only the warnings.
# rkhunter --check --skip-keypress --report-warnings-only
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
/usr/local/bin/rkhunter: line 13967: [: -ne: unary operator expected
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: Suspicious file types found in /dev:
/dev/.udev/queue.bin: data
/dev/.udev/db/block:sda1: ASCII text
/dev/.udev/db/block:dm-0: ASCII text
/dev/.udev/db/block:dm-1: ASCII text
/dev/.udev/db/net:eth0: ASCII text
/dev/.udev/db/block:sda2: ASCII text
/dev/.udev/db/input:event1: ASCII text
/dev/.udev/db/block:ram9: ASCII text
/dev/.udev/db/block:ram8: ASCII text
/dev/.udev/db/block:ram7: ASCII text
/dev/.udev/db/block:ram5: ASCII text
/dev/.udev/db/block:ram6: ASCII text
/dev/.udev/db/block:ram3: ASCII text
/dev/.udev/db/block:ram4: ASCII text
/dev/.udev/db/block:ram15: ASCII text
/dev/.udev/db/block:ram2: ASCII text
/dev/.udev/db/block:ram14: ASCII text
/dev/.udev/db/block:ram11: ASCII text
/dev/.udev/db/block:ram0: ASCII text
/dev/.udev/db/block:ram13: ASCII text
/dev/.udev/db/block:ram12: ASCII text
/dev/.udev/db/block:loop7: ASCII text
/dev/.udev/db/block:ram10: ASCII text
/dev/.udev/db/block:ram1: ASCII text
/dev/.udev/db/block:loop6: ASCII text
/dev/.udev/db/block:loop5: ASCII text
/dev/.udev/db/block:loop0: ASCII text
/dev/.udev/db/block:loop4: ASCII text
/dev/.udev/db/block:loop3: ASCII text
/dev/.udev/db/block:loop2: ASCII text
/dev/.udev/db/block:loop1: ASCII text
/dev/.udev/db/input:event3: ASCII text
/dev/.udev/db/input:mouse1: ASCII text
/dev/.udev/db/input:event2: ASCII text
/dev/.udev/db/serio:serio0: ASCII text
/dev/.udev/db/block:sda: ASCII text
/dev/.udev/db/block:sr0: ASCII text
/dev/.udev/db/input:event0: ASCII text
/dev/.udev/rules.d/99-root.rules: ASCII text
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Warning: Application 'openssl', version '1.0.1e', is out of date, and possibly a security risk.
Resolving the warnings
Bourne-Again shell script text executable
Commands that are implemented as shell scripts are reported as warnings. On CentOS 6 these four are legitimately shell scripts; confirm with rpm -qf and rpm -Vf that each one is still the file shipped by its package before adding it to SCRIPTWHITELIST in rkhunter.conf:
SCRIPTWHITELIST="/usr/bin/ldd"
SCRIPTWHITELIST="/usr/bin/whatis"
SCRIPTWHITELIST="/sbin/ifdown"
SCRIPTWHITELIST="/sbin/ifup"
The SSH configuration option 'PermitRootLogin' has not been set.
PermitRootLogin is not set explicitly in /etc/ssh/sshd_config, so sshd falls back to its default, which on this version is yes. The proper fix is to set PermitRootLogin no in sshd_config and restart sshd. rkhunter compares the sshd_config value against ALLOW_SSH_ROOT_USER in rkhunter.conf, so if root login has to stay allowed, that option must also be set to yes or the warning persists:
ALLOW_SSH_ROOT_USER=yes
Suspicious file types found in /dev:
Edit ALLOWDEVFILE in rkhunter.conf. The flagged files are the udev runtime database that CentOS 6 keeps under /dev/.udev; wildcards cover the per-device entries so the list does not need editing every time a device appears:
ALLOWDEVFILE="/dev/.udev/queue.bin"
ALLOWDEVFILE="/dev/.udev/db/block:*"
ALLOWDEVFILE="/dev/.udev/db/net:*"
ALLOWDEVFILE="/dev/.udev/db/input:*"
ALLOWDEVFILE="/dev/.udev/db/serio:*"
ALLOWDEVFILE="/dev/.udev/rules.d/99-root.rules"
Hidden directory found: /dev/.udev
Edit ALLOWHIDDENDIR in rkhunter.conf:
ALLOWHIDDENDIR=/dev/.udev
Hidden file found
Edit ALLOWHIDDENFILE in rkhunter.conf. These are hidden man pages and the HMAC files used by the FIPS integrity check of ssh, sshd and fipscheck; check with rpm -qf that each is owned by a package before whitelisting it:
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
Application 'openssl', version '1.0.1e', is out of date, and possibly a security risk.
The warning says the openssl version is old. rkhunter only compares the version string, and CentOS backports security fixes without changing it, so 1.0.1e on a fully updated CentOS 6 may already carry the fixes (rpm -q --changelog openssl shows what was backported). Upgrading is still preferable, but if the package cannot be upgraded for some reason, edit APP_WHITELIST in rkhunter.conf:
APP_WHITELIST="openssl:1.0.1e"
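The whitelisting steps above, driven from the scan output instead of by hand, as an added example (not from the original post and not rkhunter's own code): warnings_to_conf parses rkhunter warning lines into rkhunter.conf entries, and verified_conf keeps only entries whose path is owned by an installed package and still passes rpm -V, so a genuinely replaced binary is not whitelisted along with the legitimate scripts. The warning lines fed in are constructed from the output above; the rpm check assumes an RPM-based host like the CentOS 6 box here, and it is only as trustworthy as the rpm binary and database on that host.

```bash
#!/bin/bash
# Added example, not part of the original post or of rkhunter: derive rkhunter.conf
# whitelist entries from rkhunter warning lines, then keep only entries that rpm
# can vouch for. Assumes an RPM-based host (CentOS 6 here) for verified_conf.
set -u

# Constructed sample input: warning lines copied from the scan output above.
sample_warnings() {
  cat <<'EOF'
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Suspicious file types found in /dev:
/dev/.udev/queue.bin: data
/dev/.udev/db/block:sda1: ASCII text
Warning: Application 'openssl', version '1.0.1e', is out of date, and possibly a security risk.
EOF
}

# Read warning lines on stdin and print one rkhunter.conf line per path.
# The lines after "Suspicious file types found in /dev:" carry no "Warning:"
# prefix, so a small state flag tracks that block. Version warnings are
# deliberately not turned into APP_WHITELIST lines: that decision needs a human.
warnings_to_conf() {
  local in_dev=0 line path
  while IFS= read -r line; do
    case "$line" in
      "Warning: The command '"*"' has been replaced by a script:"*)
        in_dev=0
        path=${line#"Warning: The command '"}
        path=${path%%\'*}
        printf 'SCRIPTWHITELIST=%s\n' "$path" ;;
      "Warning: Hidden directory found: "*)
        in_dev=0
        printf 'ALLOWHIDDENDIR=%s\n' "${line#"Warning: Hidden directory found: "}" ;;
      "Warning: Hidden file found: "*)
        in_dev=0
        path=${line#"Warning: Hidden file found: "}
        printf 'ALLOWHIDDENFILE=%s\n' "${path%%: *}" ;;   # drop the file(1) description
      "Warning: Suspicious file types found in /dev:")
        in_dev=1 ;;
      /dev/*)
        if [ "$in_dev" -eq 1 ]; then printf 'ALLOWDEVFILE=%s\n' "${line%%: *}"; fi ;;
      *)
        in_dev=0 ;;
    esac
  done
}

# Filter conf lines: keep a path only if an installed package owns it and
# rpm -V reports no change for that package. Anything else is emitted as a
# comment for manual review. Paths under /dev are udev runtime state, not
# packaged, so they pass through unchanged.
verified_conf() {
  local entry path
  while IFS= read -r entry; do
    path=${entry#*=}
    if [ "${path#/dev/}" != "$path" ]; then
      printf '%s\n' "$entry"
    elif rpm -qf "$path" >/dev/null 2>&1 && rpm -Vf "$path" >/dev/null 2>&1; then
      printf '%s\n' "$entry"
    else
      printf '# REVIEW: not owned by a package, or rpm -V reports changes: %s\n' "$entry"
    fi
  done
}

# Stand-alone run on the constructed sample. On a real host use instead:
#   rkhunter --check --sk --rwo --nocolors | warnings_to_conf | verified_conf
sample_warnings | warnings_to_conf
```

Entries that come out commented with REVIEW are exactly the ones worth looking at: a script that rpm does not recognise, or a package whose files no longer verify, is the case the whitelist must not hide. On a box you already suspect, rpm -V run from the box itself proves little, since a rootkit can replace rpm or its database; verify from rescue media in that situation.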
/usr/local/bin/rkhunter: line 13967: [: -ne: unary operator expected
I could not get this error to go away and wondered what it was; it turns out to be a bug in rkhunter itself, which is reported as fixed in 1.4.2-3.el6.
Verification
Modify /usr/bin/ldd and run the check again, this time with the short options (-c is --check, --sk is --skip-keypress, --rwo is --report-warnings-only, --nomow suppresses the warning e-mail). The commands are run in /usr/bin; printf with a single-quoted format writes the shebang literally, whereas echo -e "#\!/bin/bash" in an interactive bash leaves the backslash in the file, because the backslash that escapes ! from history expansion is not removed inside double quotes:
# cd /usr/bin
# mv ldd ldd.org
# printf '#!/bin/bash\n\necho "backdoor"\n' > ldd; chmod +x ldd
# rkhunter -c --nomow --rwo --sk
Warning: The file properties have changed:
File: /usr/bin/ldd
Current hash: aac474be840be4bf9270b715660eb93100ba2547
Stored hash : a2d5716c8c367b0bbf9030380a2ba48816bb85b6
Current inode: 920144 Stored inode: 915318
Current size: 29 Stored size: 5325
Current file modification time: 1436943327 (15- 7月-2015 15:55:27)
Stored file modification time : 1385068923 (22-11月-2013 06:22:03)
The warning correctly reports that ldd has been modified. Restore the original afterwards (mv ldd.org ldd) and do not run --propupd in between, since that would record the modified file as the new baseline.
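To make clear what the warning above is comparing, here is an added example (not from the original post and not rkhunter's own code) of the file-properties check in miniature: prop_record captures the four properties shown in the warning (SHA-1, inode, size, mtime), prop_check compares a stored record with the file's current state and prints a warning in rkhunter's layout, and tamper_test repeats the ldd experiment on a scratch file so nothing under /usr/bin is touched. It assumes GNU coreutils (sha1sum, stat -c) as found on CentOS; rkhunter itself additionally records attributes such as permissions and ownership, which this miniature leaves out.

```bash
#!/bin/bash
# Added example, not from the original post or from rkhunter: a miniature of the
# file-properties check, so the tamper test can be repeated on a scratch file.
# Assumes GNU coreutils (sha1sum, stat -c) as on CentOS 6.
set -u

# Baseline record for one file: the four properties the warning above lists.
# Output: "<sha1> <inode> <size> <mtime-epoch>"
prop_record() {
  local f="$1" hash
  hash=$(sha1sum "$f" | cut -d' ' -f1)
  printf '%s %s\n' "$hash" "$(stat -c '%i %s %Y' "$f")"
}

# Compare a stored record with the file's current state. Returns 0 when nothing
# changed; otherwise prints a warning in rkhunter's layout and returns 1.
prop_check() {
  local f="$1" stored="$2" current
  current=$(prop_record "$f")
  if [ "$current" = "$stored" ]; then
    return 0
  fi
  set -- $stored
  local s_hash="$1" s_inode="$2" s_size="$3" s_mtime="$4"
  set -- $current
  local c_hash="$1" c_inode="$2" c_size="$3" c_mtime="$4"
  printf 'Warning: The file properties have changed:\n File: %s\n' "$f"
  printf ' Current hash: %s\n Stored hash : %s\n' "$c_hash" "$s_hash"
  printf ' Current inode: %s Stored inode: %s\n' "$c_inode" "$s_inode"
  printf ' Current size: %s Stored size: %s\n' "$c_size" "$s_size"
  printf ' Current file modification time: %s\n Stored file modification time : %s\n' "$c_mtime" "$s_mtime"
  return 1
}

# The ldd experiment on a scratch copy: baseline (the --propupd step), swap the
# file for a script that echoes "backdoor", check (the --check step), then put
# the original back. Returns 0 only if the swap was detected and the restored
# file matches the baseline again.
tamper_test() {
  local dir f stored detected=0 restored=0
  dir=$(mktemp -d) || return 2
  f=$dir/ldd
  printf 'stand-in for the real ldd\n' > "$f"; chmod 755 "$f"
  stored=$(prop_record "$f")
  mv "$f" "$f.org"
  printf '#!/bin/bash\n\necho "backdoor"\n' > "$f"; chmod 755 "$f"
  if ! prop_check "$f" "$stored"; then
    detected=1
  fi
  mv -f "$f.org" "$f"          # the original returns with its inode and mtime intact
  if prop_check "$f" "$stored" >/dev/null; then
    restored=1
  fi
  rm -rf "$dir"
  [ "$detected" -eq 1 ] && [ "$restored" -eq 1 ]
}

tamper_test
```

The point of the restore check is the one made above about --propupd: the baseline is only useful while it describes a file you trust, so after an experiment like this the file must go back exactly as it was, and the baseline must be refreshed only after package updates you have accounted for.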