Rootkit detection tool: Rootkit Hunter (rkhunter)

Posted at 2016-08-07

Rootkit Hunter

http://rkhunter.sourceforge.net/
A well-known rootkit detection tool for Linux; chkrootkit is a comparable tool.
The latest version is 1.4.2, released 2014/02/24.

Installation

yum install epel-release
yum install rkhunter unhide

unhide is required for the "Checking for hidden processes" test.

Update

rkhunter --update
rkhunter --propupd

Run

rkhunter -c --rwo --sk

Default configuration files

/etc/cron.daily/rkhunter

XITVAL=0
TMPFILE1=`/bin/mktemp -p /var/lib/rkhunter rkhcronlog.XXXXXXXXXX` || exit 1
if [ ! -e /var/lock/subsys/rkhunter ]; then
  /bin/touch /var/lock/subsys/rkhunter
  if [ -e /etc/sysconfig/rkhunter ] ; then
    . /etc/sysconfig/rkhunter
  else
    MAILTO=root@localhost
  fi
  if [ "$DIAG_SCAN" = "yes" ]; then
    RKHUNTER_FLAGS="--checkall --skip-keypress --nocolors --quiet --appendlog --display-logfile"
  else
    RKHUNTER_FLAGS="--cronjob --nocolors --report-warnings-only"
  fi
  RKHUNTER=/usr/bin/rkhunter
  LOGFILE=/var/log/rkhunter/rkhunter.log
  if [ -x $RKHUNTER ]; then
    /bin/echo -e "\n--------------------- Start Rootkit Hunter Update ---------------------" \
      > $TMPFILE1
    /bin/nice -n 10 $RKHUNTER --update --nocolors 2>&1 >> $TMPFILE1
    /bin/echo -e "\n---------------------- Start Rootkit Hunter Scan ----------------------" \
      >> $TMPFILE1
    /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS 2>&1 >> $TMPFILE1
    XITVAL=$?
    /bin/echo -e "\n----------------------- End Rootkit Hunter Scan -----------------------" \
      >> $TMPFILE1
    if [ $XITVAL != 0 ]; then
         /bin/cat $TMPFILE1 | /bin/mail -s "rkhunter Daily Run on $(hostname)" $MAILTO
    fi
    /bin/cat $TMPFILE1 >> $LOGFILE
  fi
  /bin/rm -f /var/lock/subsys/rkhunter
fi
/bin/rm -f $TMPFILE1
exit $XITVAL

/etc/sysconfig/rkhunter

# System configuration file for Rootkit Hunter which
# stores RPM system specifics for cron run, etc.
#
#    MAILTO= <email address to send scan report>
# DIAG_SCAN= no  - perform  normal  report scan
#            yes - perform detailed report scan
#                  (includes application check)

MAILTO=root@localhost
DIAG_SCAN=no

/etc/rkhunter.conf

TMPDIR=/var/lib/rkhunter
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/share/rkhunter/scripts
LOGFILE=/var/log/rkhunter/rkhunter.log
APPEND_LOG=1
AUTO_X_DETECT=1
ALLOW_SSH_ROOT_USER=unset
ALLOW_SSH_PROT_V1=2
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps
PKGMGR=RPM
EXISTWHITELIST=/bin/ad
EXISTWHITELIST=/var/log/pki-ca/system
EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
EXISTWHITELIST=/usr/bin/GET
EXISTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/GET
SCRIPTWHITELIST=/sbin/ifup
SCRIPTWHITELIST=/sbin/ifdown
ALLOWHIDDENDIR="/etc/.java"
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
ALLOWHIDDENDIR=/dev/.SRC-unix
ALLOWHIDDENDIR=/dev/.mdadm
ALLOWHIDDENDIR=/dev/.systemd
ALLOWHIDDENDIR=/dev/.mount
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENDIR=/etc/.bzr
ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac
ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac
ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
ALLOWHIDDENFILE=/dev/.mdadm.map
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWHIDDENFILE=/etc/.bzrignore
ALLOWHIDDENFILE=/etc/.updated
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/md/md-device-map
ALLOWDEVFILE="/dev/shm/mono.*"
ALLOWDEVFILE="/dev/shm/libv4l-*"
ALLOWDEVFILE="/dev/shm/spice.*"
ALLOWDEVFILE="/dev/md/autorebuild.pid"
ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
ALLOWDEVFILE=/dev/shm/squid-cf*
RTKT_FILE_WHITELIST=/bin/ad
RTKT_FILE_WHITELIST=/var/log/pki-ca/system
RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
INSTALLDIR="/usr"
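The cron job above mails whatever `--report-warnings-only` (`--rwo`) prints, and the rkhunter.conf above keeps known-good findings quiet through the SCRIPTWHITELIST, ALLOWHIDDENFILE and ALLOWHIDDENDIR directives. As an added example (not from this article or the rkhunter project), the POSIX sh functions below map constructed `--rwo` warnings to the directive that would cover each one and list the directives missing from a constructed config excerpt; the sample output, the config excerpt and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of "rkhunter -c --rwo --sk" output (not a real scan).
RKH_SAMPLE_OUTPUT=$(cat <<'EOF'
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
Warning: The file properties have changed:
         File: /usr/bin/ldd
         Current hash: (omitted in this constructed sample)
Warning: Hidden file found: /etc/.updated: ASCII text
Warning: Hidden directory found: /opt/.secret
EOF
)

# Constructed excerpt of /etc/rkhunter.conf: the distro defaults already
# whitelist GET, whatis and /etc/.updated, but nothing covers /opt/.secret.
RKH_SAMPLE_CONF=$(cat <<'EOF'
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/GET
ALLOWHIDDENFILE=/etc/.updated
ALLOWHIDDENDIR="/etc/.java"
EOF
)

# Count findings: rkhunter prefixes each one with "Warning:".
rkh_warning_count() {
    printf '%s\n' "$1" | grep -c '^Warning:'
}

# Emit one KEY=PATH line per warning that a whitelist directive can cover.
# File-property changes are deliberately not mapped: they call for a manual
# check (and "rkhunter --propupd" only on a verified-clean host), not a
# whitelist entry.
rkh_suggest_whitelist() {
    printf '%s\n' "$1" | awk '
        /replaced by a script:/   { sub(/.*replaced by a script: /, "");   sub(/:.*/, ""); print "SCRIPTWHITELIST=" $0; next }
        /Hidden file found:/      { sub(/.*Hidden file found: /, "");      sub(/:.*/, ""); print "ALLOWHIDDENFILE=" $0; next }
        /Hidden directory found:/ { sub(/.*Hidden directory found: /, ""); sub(/:.*/, ""); print "ALLOWHIDDENDIR=" $0;  next }
    '
}

# Print the suggested directives that the given rkhunter.conf text does not
# already contain (quotes around conf values are ignored when comparing).
rkh_missing_whitelist() {
    rkh_conf=$(printf '%s\n' "$2" | tr -d '"')
    rkh_suggest_whitelist "$1" | while IFS= read -r line; do
        printf '%s\n' "$rkh_conf" | grep -qxF "$line" || printf '%s\n' "$line"
    done
}
```

Run against a real log, feed it the text of /var/log/rkhunter/rkhunter.log and /etc/rkhunter.conf instead of the constructed samples; any line it prints is a finding that still needs a human decision before it is whitelisted.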
