Getting started with rkhunter


I had an occasion to look into rkhunter, so I have summarized everything from installation to verification.


Specs

$ cat /etc/centos-release

CentOS release 6.5 (Final)


Installation

Download rkhunter-1.4.2 from SourceForge

http://sourceforge.net/projects/rkhunter/files/

Extract the downloaded tar.gz and install it

# tar zxvf rkhunter-1.4.2.tar.gz; cd rkhunter-1.4.2

# ./install.sh --install


Update the definition files (--update fetches the latest data files; --propupd records the file-properties baseline that later checks are compared against)

# rkhunter --update

# rkhunter --propupd


Run the check

The options select non-interactive mode and warnings-only output

# rkhunter --check --skip-keypress --report-warnings-only

Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
/usr/local/bin/rkhunter: line 13967: [: -ne: unary operator expected
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: Suspicious file types found in /dev:
/dev/.udev/queue.bin: data
/dev/.udev/db/block:sda1: ASCII text
/dev/.udev/db/block:dm-0: ASCII text
/dev/.udev/db/block:dm-1: ASCII text
/dev/.udev/db/net:eth0: ASCII text
/dev/.udev/db/block:sda2: ASCII text
/dev/.udev/db/input:event1: ASCII text
/dev/.udev/db/block:ram9: ASCII text
/dev/.udev/db/block:ram8: ASCII text
/dev/.udev/db/block:ram7: ASCII text
/dev/.udev/db/block:ram5: ASCII text
/dev/.udev/db/block:ram6: ASCII text
/dev/.udev/db/block:ram3: ASCII text
/dev/.udev/db/block:ram4: ASCII text
/dev/.udev/db/block:ram15: ASCII text
/dev/.udev/db/block:ram2: ASCII text
/dev/.udev/db/block:ram14: ASCII text
/dev/.udev/db/block:ram11: ASCII text
/dev/.udev/db/block:ram0: ASCII text
/dev/.udev/db/block:ram13: ASCII text
/dev/.udev/db/block:ram12: ASCII text
/dev/.udev/db/block:loop7: ASCII text
/dev/.udev/db/block:ram10: ASCII text
/dev/.udev/db/block:ram1: ASCII text
/dev/.udev/db/block:loop6: ASCII text
/dev/.udev/db/block:loop5: ASCII text
/dev/.udev/db/block:loop0: ASCII text
/dev/.udev/db/block:loop4: ASCII text
/dev/.udev/db/block:loop3: ASCII text
/dev/.udev/db/block:loop2: ASCII text
/dev/.udev/db/block:loop1: ASCII text
/dev/.udev/db/input:event3: ASCII text
/dev/.udev/db/input:mouse1: ASCII text
/dev/.udev/db/input:event2: ASCII text
/dev/.udev/db/serio:serio0: ASCII text
/dev/.udev/db/block:sda: ASCII text
/dev/.udev/db/block:sr0: ASCII text
/dev/.udev/db/input:event0: ASCII text
/dev/.udev/rules.d/99-root.rules: ASCII text
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Warning: Application 'openssl', version '1.0.1e', is out of date, and possibly a security risk.


Resolving the warnings


Bourne-Again shell script text executable

Commands that are shell scripts are reported as warnings, so edit SCRIPTWHITELIST in rkhunter.conf

SCRIPTWHITELIST="/usr/bin/ldd"
SCRIPTWHITELIST="/usr/bin/whatis"
SCRIPTWHITELIST="/sbin/ifdown"
SCRIPTWHITELIST="/sbin/ifup"


The SSH configuration option 'PermitRootLogin' has not been set.

PermitRootLogin is not set in /etc/ssh/sshd_config (the check reads this option and compares it with ALLOW_SSH_ROOT_USER in rkhunter.conf).

Also, if root login is to be permitted, ALLOW_SSH_ROOT_USER in rkhunter.conf must be set to yes.

ALLOW_SSH_ROOT_USER=yes


Suspicious file types found in /dev:

Edit ALLOWDEVFILE in rkhunter.conf

ALLOWDEVFILE="/dev/.udev/queue.bin"
ALLOWDEVFILE="/dev/.udev/db/block:*"
ALLOWDEVFILE="/dev/.udev/db/net:*"
ALLOWDEVFILE="/dev/.udev/db/input:*"
ALLOWDEVFILE="/dev/.udev/db/serio:*"
ALLOWDEVFILE="/dev/.udev/rules.d/99-root.rules"


Hidden directory found: /dev/.udev

Edit ALLOWHIDDENDIR in rkhunter.conf

ALLOWHIDDENDIR=/dev/.udev


Hidden file found

Edit ALLOWHIDDENFILE in rkhunter.conf

ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac


Application 'openssl', version '1.0.1e', is out of date, and possibly a security risk.

rkhunter reports that the openssl version is out of date. Upgrading to the latest version is the better choice, but if for some reason it cannot be upgraded, edit APP_WHITELIST in rkhunter.conf

APP_WHITELIST="openssl:1.0.1e"
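The whitelist entries above are all derived mechanically from the warning text, so here is an added shell helper (my own, not part of rkhunter or this article) that turns --report-warnings-only output into the matching rkhunter.conf lines for review before pasting. The warning lines it reads are a constructed sample in the format shown above; warnings that call for a decision rather than a whitelist entry, such as PermitRootLogin, are echoed as comments instead. It assumes a POSIX awk.

```shell
#!/bin/sh
# sample_warnings: constructed lines in the format of rkhunter --report-warnings-only
# (not a real scan; the paths mirror the ones in this article)
sample_warnings() {
    cat <<'EOF'
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: Suspicious file types found in /dev:
/dev/.udev/queue.bin: data
/dev/.udev/db/block:sda1: ASCII text
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Application 'openssl', version '1.0.1e', is out of date, and possibly a security risk.
EOF
}

# suggest_whitelist: read warnings on stdin and print the rkhunter.conf line that
# would silence each one, in the same forms the article uses. Warnings that need
# a human decision (such as PermitRootLogin) are printed as "# manual review" lines.
suggest_whitelist() {
    awk '
    BEGIN { q = "\047" }                      # q is a literal apostrophe
    # the /dev warning is a header followed by one "path: type" line per file
    /^Warning: Suspicious file types found in \/dev:/ { indev = 1; next }
    /^Warning:/ { indev = 0 }
    indev && /^\/dev\// { sub(/: .*/, ""); print "ALLOWDEVFILE=\"" $0 "\""; next }
    /^Warning: The command .* has been replaced by a script:/ {
        split($0, a, q); print "SCRIPTWHITELIST=\"" a[2] "\""; next }
    /^Warning: Hidden directory found: / {
        sub(/^Warning: Hidden directory found: /, ""); print "ALLOWHIDDENDIR=" $0; next }
    /^Warning: Hidden file found: / {
        sub(/^Warning: Hidden file found: /, ""); sub(/: .*/, ""); print "ALLOWHIDDENFILE=" $0; next }
    /^Warning: Application .* is out of date/ {
        split($0, a, q); print "APP_WHITELIST=\"" a[2] ":" a[4] "\""; next }
    /^Warning:/ { print "# manual review: " $0 }
    '
}

sample_warnings | suggest_whitelist
```

The helper emits one ALLOWDEVFILE line per path; the article collapses the /dev/.udev/db entries into block:*, net:*, input:* and serio:* globs by hand, which is a judgement call worth keeping manual.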


/usr/local/bin/rkhunter: line 13967: [: -ne: unary operator expected

This error would not go away and I wondered what it was, but it turns out to be an rkhunter bug that is fixed in 1.4.2-3.el6

https://bugzilla.redhat.com/show_bug.cgi?id=1105008


Verification

Modify /usr/bin/ldd and run the check (-c is --check, --nomow is --no-mail-on-warning, --rwo is --report-warnings-only and --sk is --skip-keypress)

# mv ldd ldd.org

# echo -e "#\!/bin/bash\n\necho \"backdoor\"" > ldd; chmod +x ldd
# rkhunter -c --nomow --rwo --sk
Warning: The file properties have changed:
File: /usr/bin/ldd
Current hash: aac474be840be4bf9270b715660eb93100ba2547
Stored hash : a2d5716c8c367b0bbf9030380a2ba48816bb85b6
Current inode: 920144 Stored inode: 915318
Current size: 29 Stored size: 5325
Current file modification time: 1436943327 (15- 7月-2015 15:55:27)
Stored file modification time : 1385068923 (22-11月-2013 06:22:03)

The warning that ldd had been modified was reported correctly.
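To show what the test above actually exercises, here is an added shell re-creation (my own, not rkhunter's code) of the file-properties check: --propupd-style recording of sha1 hash, inode, size and mtime per file, then a comparison that prints the same fields rkhunter reported. It assumes GNU sha1sum and stat as found on CentOS, and the fake ldd it baselines and then replaces is a constructed file in a temporary directory.

```shell
#!/bin/sh
# prop_baseline BASEFILE FILE... : record "sha1 inode size mtime path" per file (like --propupd)
prop_baseline() {
    base=$1; shift
    for f in "$@"; do
        printf '%s %s %s\n' "$(sha1sum "$f" | cut -d' ' -f1)" "$(stat -c '%i %s %Y' "$f")" "$f"
    done > "$base"
}

# prop_check BASEFILE : compare each recorded file with its baseline entry;
# prints rkhunter-style warnings and returns 1 if any property changed
prop_check() {
    base=$1; changed=0
    while read -r shash sino ssize smtime f; do
        if [ ! -e "$f" ]; then
            echo "Warning: The file '$f' no longer exists"; changed=1; continue
        fi
        chash=$(sha1sum "$f" | cut -d' ' -f1)
        set -- $(stat -c '%i %s %Y' "$f")         # $1 inode, $2 size, $3 mtime
        if [ "$chash $1 $2 $3" != "$shash $sino $ssize $smtime" ]; then
            echo "Warning: The file properties have changed:"
            echo "File: $f"
            echo "Current hash: $chash"
            echo "Stored hash : $shash"
            echo "Current inode: $1 Stored inode: $sino"
            echo "Current size: $2 Stored size: $ssize"
            echo "Current file modification time: $3"
            echo "Stored file modification time : $smtime"
            changed=1
        fi
    done < "$base"
    return $changed
}

# demo_tamper: repeat the article's test on a constructed ldd; returns 0 only if
# the clean baseline passes and the replaced file is then reported
demo_tamper() {
    d=$(mktemp -d); base="$d/rkhunter.dat"; detected=1
    printf '#!/bin/sh\necho real ldd\n' > "$d/ldd"
    prop_baseline "$base" "$d/ldd"
    if prop_check "$base" >/dev/null; then
        mv "$d/ldd" "$d/ldd.org"                  # new inode, size and mtime, as in the article
        printf '#!/bin/sh\necho backdoor\n' > "$d/ldd"
        prop_check "$base" || detected=0
    fi
    rm -rf "$d"
    return $detected
}

demo_tamper
```

Because the comparison is only as trustworthy as the baseline, --propupd should be run only on a system that is known to be clean and again after legitimate package updates, never after an unexplained warning.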