You are here: Home / Debian GNU/Linux / System / Security / Install Rootkit Hunter (rkhunter) on Debian

Install Rootkit Hunter (rkhunter) on Debian

by Pierre-Yves Landuré last modified Nov 26, 2016 12:53

Rootkit Hunter is a tool dedicated to rootkit detection. It send alerts when your system has been compromised.

This howto is tested on :

  • Debian 5.0 Lenny
  • Debian 6.0 Squeeze
  • Debian 7.0 Wheezy

Setup

To quickly setup the tool, follow the commands bellow:

Install the software:

if [ -n "$(command apt-cache pkgnames libmd5-perl)" ]; then
  command apt-get -y install rkhunter libmd5-perl
else
  command apt-get -y install rkhunter libdigest-md5-file-perl
fi

Adjust the configuration to the system:

command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.udev\)$|\1|' \
            -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.static\)$|\1|' \
            -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.initramfs\)$|\1|' \
         "/etc/rkhunter.conf"
if [ -e "/etc/.java" ]; then
  command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/etc/.java\)$|\1|' \
         "/etc/rkhunter.conf"
fi
if [ -x "/sbin/mdadm" ]; then
  command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.mdadm\)$|\1|' \
         "/etc/rkhunter.conf"
fi
if [ -x "/sbin/hdparm" ]; then
  command sed -i -e 's|^[#]*\(RTKT_FILE_WHITELIST="\)\(.*\)$|\1/etc/init.d/.depend.boot /etc/init.d/hdparm\2|' \
         "/etc/rkhunter.conf"
fi
if [ ! -e "/proc/modules" ]; then
command sed -i -e 's|^[#]*\(DISABLE_TESTS="\)\(.*\)$|\1os_specific \2|' \
"/etc/rkhunter.conf"
fi
command sed -i -e '0,/ALLOWHIDDENFILE/{//a\ ALLOWHIDDENFILE=/dev/.tmp-block-* ;}' \ "/etc/rkhunter.conf" if [ -e "/dev/shm/network/ifstate" ]; then command sed -i -e '0,/ALLOWDEVFILE/{//a\ ALLOWDEVFILE=/dev/shm/network/ifstate ;}' \ "/etc/rkhunter.conf" fi if [ -n "$(command apt-cache show ssh | command grep "5.1p1")" ]; then command sed -i -e 's|^[#]*\(APP_WHITELIST=\).*$|\1"exim:4.69 gpg:1.4.9 openssl:0.9.8g sshd:5.1p1"|' \ "/etc/rkhunter.conf" fi if [ -n "$(command apt-cache show ssh | command grep "5.5p1")" ]; then command sed -i -e 's|^[#]*\(APP_WHITELIST=\).*$|\1"gpg:1.4.10 openssl:0.9.8o sshd:5.5p1"|' \ "/etc/rkhunter.conf" fi SSH_ROOT_ALLOWED=no TEST_ROOT_ALLOWED=$(/bin/grep -i "PermitRootLogin.*yes" /etc/ssh/sshd_config) if [ -n "$TEST_ROOT_ALLOWED" ]; then SSH_ROOT_ALLOWED=yes fi command sed -i \ -e "s|^[#]*\\(ALLOW_SSH_ROOT_USER=\\).*$|\\1${SSH_ROOT_ALLOWED}|" \ "/etc/rkhunter.conf" command sed -i -e 's|^[#]*\(HASH_FUNC=\).*$|\1md5sum|' \ -e 's|^[#]*\(PKGMGR=\).*$|\1DPKG|' \ "/etc/rkhunter.conf" if [[ ! -e '/etc/apt/apt.conf.d/90rkhunter' ]]; then
command echo '// Update rkhunter file signatures databases after running dpkg. DPkg::Post-Invoke { "if [ -x /usr/bin/rkhunter ]; then if [ $(/usr/bin/rkhunter --help | /bin/grep "propupd" | /usr/bin/wc -l) -gt 0 ]; then /usr/bin/rkhunter --propupd; fi; fi"; };' > '/etc/apt/apt.conf.d/90rkhunter'
fi
[[ -e '/etc/default/rkhunter' ]] && command sed -i -e 's/^APT_AUTOGEN=.*$/APT_AUTOGEN="yes"/' '/etc/default/rkhunter' command rkhunter --propupdate command rkhunter --update

Check that the configuration is well ajusted:

command rkhunter --configfile /etc/rkhunter.conf --report-warnings-only --checkall

Setup details

Install the software:

if [ -n "$(command apt-cache pkgnames libmd5-perl)" ]; then
  command apt-get -y install rkhunter libmd5-perl
else
  command apt-get -y install rkhunter libdigest-md5-file-perl
fi

Ignore the false positives triggered by hidden system files and folders :

command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.udev\)$|\1|' \
            -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.static\)$|\1|' \
            -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.initramfs\)$|\1|' \
         "/etc/rkhunter.conf"

If Java is installed, ignore the corresponding folder :

if [ -e "/etc/.java" ]; then
  command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/etc/.java\)$|\1|' \
         "/etc/rkhunter.conf"
fi

If the system use software RAID, ignore the corresponding folder :

if [ -x "/sbin/mdadm" ]; then
  command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.mdadm\)$|\1|' \
         "/etc/rkhunter.conf"
fi

If the system use hdparm, ignore the corresponding files :

if [ -x "/sbin/hdparm" ]; then
  command sed -i -e 's|^[#]*\(RTKT_FILE_WHITELIST="\)\(.*\)$|\1/etc/init.d/.depend.boot /etc/init.d/hdparm\2|' \
         "/etc/rkhunter.conf"
fi

If the system miss the file /proc/module, disable the os_specific test:

if [ ! -e "/proc/modules" ]; then
  command sed -i -e 's|^[#]*\(DISABLE_TESTS="\)\(.*\)$|\1os_specific \2|' \
         "/etc/rkhunter.conf"
fi

Ignore temporary block files :

command sed -i -e '0,/ALLOWHIDDENFILE/{//a\
ALLOWHIDDENFILE=/dev/.tmp-block-*
;}' \
           "/etc/rkhunter.conf"

Allow the ifstate device :

if [ -e "/dev/shm/network/ifstate" ]; then
  command sed -i -e '0,/ALLOWDEVFILE/{//a\
ALLOWDEVFILE=/dev/shm/network/ifstate
;}' \
           "/etc/rkhunter.conf"
fi

Debian apply security patches without upgrading softwares versions. Disable the alerts for such packages :

if [ -n "$(command apt-cache show ssh | command grep "5.1p1")" ]; then
  command sed -i -e 's|^[#]*\(APP_WHITELIST=\).*$|\1"exim:4.69 gpg:1.4.9 openssl:0.9.8g sshd:5.1p1"|' \
      "/etc/rkhunter.conf"
fi
if [ -n "$(command apt-cache show ssh | command grep "5.5p1")" ]; then
  command sed -i -e 's|^[#]*\(APP_WHITELIST=\).*$|\1"gpg:1.4.10 openssl:0.9.8o sshd:5.5p1"|' \
      "/etc/rkhunter.conf"
fi

If the system allow root user access by SSH, disable the corresponding alert :

SSH_ROOT_ALLOWED=no
TEST_ROOT_ALLOWED=$(/bin/grep -i "PermitRootLogin.*yes" /etc/ssh/sshd_config)
if [ -n "$TEST_ROOT_ALLOWED" ]; then
  SSH_ROOT_ALLOWED=yes
fi
command sed -i \
            -e "s|^[#]*\\(ALLOW_SSH_ROOT_USER=\\).*$|\\1${SSH_ROOT_ALLOWED}|" \
         "/etc/rkhunter.conf"

Rootkit Hunter allow to check the systems files versus the Debian packages file checksums. This allow to detect unwanted changes in system files. Enable the check :

command sed -i -e 's|^[#]*\(HASH_FUNC=\).*$|\1md5sum|' \
            -e 's|^[#]*\(PKGMGR=\).*$|\1DPKG|' \
    "/etc/rkhunter.conf"

Setup the checksums database update after each apt-get use:

if [[ ! -e '/etc/apt/apt.conf.d/90rkhunter' ]]; then
command echo '// Update rkhunter file signatures databases after running dpkg. DPkg::Post-Invoke { "if [ -x /usr/bin/rkhunter ]; then if [ $(/usr/bin/rkhunter --help | /bin/grep "propupd" | /usr/bin/wc -l) -gt 0 ]; then /usr/bin/rkhunter --propupd; fi; fi"; };' > '/etc/apt/apt.conf.d/90rkhunter'
fi
[[ -e '/etc/default/rkhunter' ]] && command sed -i -e 's/^APT_AUTOGEN=.*$/APT_AUTOGEN="yes"/' '/etc/default/rkhunter'

Update the checksums database :

command rkhunter --propupdate

Update the threats database (the update is done weekly afterwards) :

command rkhunter --update

The command below is run daily. Its results are send by e-mail to the root user if a problem appear. Run it once to check that everything is setted up right :

command rkhunter --configfile /etc/rkhunter.conf --report-warnings-only --checkall

Thanks