Rootkit Hunter (rkhunter) is a security monitoring tool. It scans for rootkits and other basic vulnerabilities. To be effective it needs to be run on a system initially known to be in a good state, and then have its file properties database updated after every system update.
Installation
As is common for me, I have created a SaltStack state to install, configure and maintain rkhunter across all our network nodes. While I initially was maintaining different config files for each type of whitelist I needed to enable, it quickly became unwieldy, so new machines have all the whitelist items added to the machine-specific scriptwhitelist.conf file. Once I go back through the earlier installed machines, the below can be greatly simplified.
The above state installs the package, creates the configuration directory, and populates it with machine-specific files, or with a "fallback" config file if no machine-specific file exists. The software package is installed, configured and updated by running:
Usage
After install, but before the first check, rkhunter should have its file properties updated as per the installed configuration files. The command to do this while on a node itself is:
The output of the command should look something like this:
Before updating the system, check for changes. The command to do this is:
The output of the command should look something like the following:
--check directs that the checks be run against the system, --sk tells the program to skip pausing between checks, and --rwo tells the program to remain silent unless the checks identify something to warn about.
If there is no output from running the check, then the system is ready for whatever updates you need to apply. Once updates have been applied, run the check command again; this time there could well be warnings in the output.
All warnings should be investigated and corrected or, if understood and required, whitelisted by adding them to the configuration files. If the warnings are related to known changes or have been investigated and eliminated, run the property update again to accept the new state of the system:
As a final check, run the check command one more time; the output should come back empty.
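The check, update, check, accept sequence above can be wrapped so that an update is refused whenever the pre-update check is not clean. This is an added example, not part of the original post or of the author's SaltStack state; the RKHUNTER variable is an assumption made so the rkhunter binary can be swapped for a stub, and the update command is whatever you pass as arguments.

```shell
#!/bin/sh
# Gate a system update behind rkhunter, following the workflow above:
# 1. quiet check must be clean, 2. apply the update, 3. quiet check again,
# 4. if warnings appear, investigate/whitelist and then accept with --propupd.
# RKHUNTER is an assumed override hook (defaults to the real binary).
RKHUNTER="${RKHUNTER:-rkhunter}"

# Run the quiet check (--check --sk --rwo). As the post describes, a clean
# system produces no output; rkhunter also exits non-zero when it warns.
# Prints any warnings and returns 0 only when the system is clean.
rkh_check() {
    rkh_out=$("$RKHUNTER" --check --sk --rwo 2>&1)
    rkh_rc=$?
    if [ -n "$rkh_out" ] || [ "$rkh_rc" -ne 0 ]; then
        printf '%s\n' "$rkh_out"
        return 1
    fi
    return 0
}

# Accept the current state after warnings have been reviewed/whitelisted.
rkh_accept() {
    "$RKHUNTER" --propupd
}

# rkh_gated_update <update command...>
# Returns 2 if the pre-update check is not clean (nothing is applied),
# 3 if the update command itself fails, 1 if post-update warnings need
# review, and 0 when the system is clean before and after the update.
rkh_gated_update() {
    if ! rkh_check >/dev/null 2>&1; then
        echo "pre-update check not clean; investigate before updating" >&2
        return 2
    fi
    "$@" || return 3
    if rkh_check; then
        echo "post-update check clean"
        return 0
    fi
    echo "warnings above: investigate or whitelist, then run rkh_accept" >&2
    return 1
}
```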
Chrls is currently a technology transformation leader at one of the oldest American investment banking services holding companies, headquartered in New York City. Previous roles at current employer include project manager, front office support, retail and enterprise global Windows server support. Currently residing in Tennessee on the Cumberland Plateau and enjoying life, family and open source.