Installing and setting up rkhunter

Installing rkhunter
rkhunter is a tool to check for rootkits and malicious software on your system. If you think Linux doesn't need security software, think again. It is definitely worth installing, but only as one part of a broader set of security measures. It also needs tuning to keep the number of false positives down: too much noise leads to warnings being overlooked and a real problem going undetected.

Standard installation

First we will use the standard Debian/Ubuntu install method to get rkhunter on our system:

apt install rkhunter

We set these options:

grep '^[^#]' /etc/default/rkhunter

CRON_DAILY_RUN="yes"
CRON_DB_UPDATE="yes"
DB_UPDATE_EMAIL="false"
REPORT_EMAIL="root"
APT_AUTOGEN="yes"
NICE="0"
RUN_CHECK_ON_BATTERY="false"

Some basic commands. To update the rkhunter text data files:

rkhunter --update

Tell rkhunter to read the current file properties and store them. You need to do this to establish a baseline, which means that you trust the files on the base system at the moment you run this command:

rkhunter --propupd

Perform an initial check:

rkhunter -c --enable all --disable none

You will get some, possibly many, warnings on the first run. Go through these and adjust the config file /etc/rkhunter.conf. Some of the warnings after my first run (this was on Ubuntu):

• Warning using deleted files
Warning: The following processes are using deleted files:
Process: /usr/bin/dbus-daemon    PID: 1002    File: /var/lib/sss/mc/passwd
Process: /usr/sbin/rsyslogd    PID: 1053    File: /var/lib/sss/mc/initgroups
Process: /usr/sbin/sssd    PID: 1055    File: /var/lib/sss/mc/initgroups
Process: /usr/sbin/avahi-daemon    PID: 1056    File: /var/lib/sss/mc/initgroups
Process: /usr/sbin/avahi-daemon    PID: 1067    File: /var/lib/sss/mc/initgroups
Process: /sbin/upstart    PID: 1950    File: /home/user/.cache/upstart/window-stack-bridge.log.1
Process: /usr/lib/firefox/firefox    PID: 8339    File: /dev/shm/org.chromium.IyF9Rb
Process: /usr/lib/firefox/firefox    PID: 8557    File: /dev/shm/org.chromium.FEmQj3

• File warnings
File checked: Name: '/tmp/hsperfdata_root/10006' Score: 221
        Warning: File '/tmp/hsperfdata_root/10006' (score: 221) contains some suspicious content and should be checked.
File checked: Name: '/tmp/.x2gohost/Chost-51-1522754837_stDXFCE_dp32/session.log' Score: 220
        Warning: File '/tmp/.x2gohost/Chost-51-1522754837_stDXFCE_dp32/session.log' (score: 220) contains some suspicious content and
File checked: Name: '/tmp/.x2gohost/Chost-51-1522754837_stDXFCE_dp32/options' Score: 200
        Warning: File '/tmp/.x2gohost/Chost-51-1522754837_stDXFCE_dp32/options' (score: 200) contains some suspicious content and shou
File checked: Name: '/tmp/.x2gohost/Chost-51-1522754837_stDXFCE_dp32/cmdoutput' Score: 220
        Warning: File '/tmp/.x2gohost/Chost-51-1522754837_stDXFCE_dp32/cmdoutput' (score: 220) contains some suspicious content and sh

• Warning: Suspicious file types found in /dev:

/dev/shm/pulse-shm-2647207688: data
/dev/shm/pulse-shm-3044473885: data
/dev/shm/pulse-shm-4155666732: data
/dev/shm/pulse-shm-626528498: data
/dev/shm/pulse-shm-1382227037: data
/dev/shm/pulse-shm-2231672304: data
/dev/shm/pulse-shm-3106908114: data

• Warning: Hidden directory found: /etc/.java
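Going through a first run by hand works for a handful of warnings, but it helps to have the log summarised before deciding what is legitimate and what needs a closer look. The script below is an added example, not part of the original page or of the rkhunter project: it counts the warnings in an rkhunter log (or in the output of rkhunter --check), lists their headlines, and extracts the unique paths of processes reported as using deleted files, which are the candidates for ALLOWPROCDELFILE. The log lines it runs over are constructed to match the warnings shown above; real entries in /var/log/rkhunter.log carry a "[HH:MM:SS]" timestamp prefix, which the functions strip.

```shell
#!/bin/sh
# Added example, not code from the original page or from rkhunter: summarise
# the warnings in an rkhunter log so each item can be reviewed before anything
# is whitelisted in /etc/rkhunter.conf.

# Constructed sample, modelled on the first-run warnings shown on this page.
SAMPLE_LOG='[12:05:01] Warning: The following processes are using deleted files:
[12:05:01]          Process: /usr/bin/dbus-daemon    PID: 1002    File: /var/lib/sss/mc/passwd
[12:05:01]          Process: /usr/sbin/rsyslogd    PID: 1053    File: /var/lib/sss/mc/initgroups
[12:05:01]          Process: /usr/sbin/avahi-daemon    PID: 1056    File: /var/lib/sss/mc/initgroups
[12:05:01]          Process: /usr/sbin/avahi-daemon    PID: 1067    File: /var/lib/sss/mc/initgroups
[12:05:02] Warning: Suspicious file types found in /dev:
[12:05:02]          /dev/shm/pulse-shm-2647207688: data
[12:05:03] Warning: Hidden directory found: /etc/.java
[12:05:04] Info: The system checks took: 1 minute and 3 seconds'

# count_warnings: number of "Warning:" lines on stdin, with or without the
# log timestamp prefix. Prints 0 for a clean log.
count_warnings() {
    awk '/^(\[[0-9:]+\] *)?Warning: / { n++ } END { print n + 0 }'
}

# list_warnings: the warning headlines on stdin, one per line, with the
# timestamp and the "Warning: " prefix removed.
list_warnings() {
    sed -n -E 's/^(\[[0-9:]+\] *)?Warning: //p'
}

# deleted_file_processes: unique paths of processes reported as using deleted
# files, i.e. the candidates for ALLOWPROCDELFILE. Each one still has to be
# confirmed as legitimate (for instance, owned by a package you expect on the
# machine) before it goes into the config.
deleted_file_processes() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "Process:") print $(i + 1) }' | sort -u
}

# summarise FILE: warning count, headlines and deleted-file process
# candidates for FILE (default /var/log/rkhunter.log).
summarise() {
    log=${1:-/var/log/rkhunter.log}
    echo "warnings: $(count_warnings < "$log")"
    list_warnings < "$log" | sed 's/^/  /'
    echo "processes using deleted files:"
    deleted_file_processes < "$log" | sed 's/^/  /'
}

# Stand-alone run over the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" > /tmp/rkhunter-sample.log
#   summarise /tmp/rkhunter-sample.log
```

On a live system, `summarise` with no argument reads /var/log/rkhunter.log, and `rkhunter --check --rwo 2>&1 | deleted_file_processes` gives the same list straight from a check. The output is meant as a review list: a path only earns an ALLOWPROCDELFILE line once you have confirmed the binary is the one you expect (for example with dpkg -S on Debian/Ubuntu), not because it appeared in the log.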

Before we delve deeper in configuring rkhunter, chances are the version of rkhunter isn't the latest. To check the version of rkhunter:

rkhunter --version

Visit https://rkhunter.sourceforge.net/ to check the latest version.

How to install the latest version is explained in the next paragraph.

Installing latest version

If the latest version isn't available as a backport, you will need to download rkhunter from the rkhunter website. Go to the project page and download the latest version together with its .asc and .sha512 files. I want to hold on to the download, so I copy it from the Downloads directory to my src directory. YMMV:

mkdir ~/src/rkhunter
mv ~/Downloads/rkh* ~/src/rkhunter

When installing from the site, you should check both the checksum and the GPG signature. Verify the checksum; the -c option takes the .sha512 file, which names the tarball it covers, so run it in the directory holding both files:

shasum -a 512 -c rkhunter-1.4.6.tar.gz.sha512

Verify the gpg signature:

gpg --verify rkhunter-1.4.6.tar.gz.asc rkhunter-1.4.6.tar.gz

If you get a message that the public key was not found, you will need to fetch the signing key. Compare its fingerprint with the one published on the project page before you trust a signature made with it:

gpg --keyserver pgp.mit.edu --recv-keys D13AAA83

After verifying the files, unpack the tar archive:

cd ~/src/rkhunter
tar xzvf rkhunter-1.4.6.tar.gz
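The checksum, signature and unpack steps above are easy to get wrong by hand (running the check in the wrong directory, or unpacking anyway after a failed check). The script below is an added example, not part of the original page or of the rkhunter project: it wraps the three steps so that nothing is extracted unless both the SHA-512 digest and the GPG signature check out. It assumes coreutils sha512sum, gpg and tar are installed and that the three files follow the page's naming (rkhunter-<version>.tar.gz plus .sha512 and .asc) and sit in the same directory.

```shell
#!/bin/sh
# Added example, not code from the rkhunter project or the original page:
# verify a downloaded release against its .sha512 and .asc files and only
# unpack it if both checks pass.

# check_sha512 TARBALL SUMFILE
# Compares the digest recorded in SUMFILE ("<hex>  <name>", as written by
# sha512sum/shasum) with the digest computed over TARBALL. Extracting the hex
# and comparing it directly keeps working when the tarball was renamed after
# download; a name mismatch is reported, but only a digest mismatch fails.
check_sha512() {
    tarball=$1
    sumfile=$2
    if [ ! -f "$tarball" ] || [ ! -f "$sumfile" ]; then
        echo "check_sha512: missing $tarball or $sumfile" >&2
        return 1
    fi
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    recorded=$(awk 'NR == 1 { print $2 }' "$sumfile")
    recorded=${recorded#\*}          # "*name" marks binary mode; drop the star
    case "$expected" in
        "" | *[!0-9a-f]*)
            echo "check_sha512: $sumfile does not start with a hex digest" >&2
            return 1 ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "check_sha512: digest in $sumfile is not SHA-512 (128 hex chars)" >&2
        return 1
    fi
    if [ "$recorded" != "$(basename "$tarball")" ]; then
        echo "check_sha512: note: $sumfile names '$recorded', checking '$tarball'" >&2
    fi
    actual=$(sha512sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "SHA-512 OK: $tarball"
        return 0
    fi
    echo "SHA-512 MISMATCH: $tarball" >&2
    return 1
}

# check_signature TARBALL ASCFILE
# gpg exits non-zero for a bad signature or an unknown key. It exits zero for
# a good signature made by any key in your keyring, so the key fetched with
# --recv-keys must itself have been checked against the fingerprint the
# project publishes.
check_signature() {
    gpg --verify "$2" "$1"
}

# verify_and_unpack TARBALL: fail closed; nothing is extracted unless both
# the checksum and the signature check out.
verify_and_unpack() {
    tarball=$1
    check_sha512 "$tarball" "$tarball.sha512" || return 1
    check_signature "$tarball" "$tarball.asc" || return 1
    tar xzvf "$tarball"
}

# Typical call, from the directory holding the three files:
#   verify_and_unpack rkhunter-1.4.6.tar.gz
```

The digest check deliberately does not rely on `sha512sum -c` alone: that form looks the tarball up by the name inside the .sha512 file, so a renamed download fails with "No such file" rather than a clear mismatch. The signature check is kept separate so a missing key can be fetched and its fingerprint compared before the function is rerun.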

Install:

sudo ./installer.sh --install

This installs into /usr/local/bin by default. If the distribution's rkhunter package was already installed, you will get this message during installation:

Note

PLEASE NOTE: inspect for update changes in "/etc/rkhunter.conf.20180331101218", and apply to either "/etc/rkhunter.conf" or your local configuration file before running Rootkit Hunter.

First you might want to back up your /etc/rkhunter.conf file or review its options. To review the options:

grep '^[^#]' /etc/rkhunter.conf

Next, move the new version into place. Note that the file name of the new file will differ on your system, since it carries the timestamp of when you ran the installer:

mv /etc/rkhunter.conf.20180331101218 /etc/rkhunter.conf

The config file I ended up with. I had to disable the "suspscan" test, as it kept producing warnings on legitimate files:

cat /etc/rkhunter.conf

MAIL-ON-WARNING=root
LOGFILE=/var/log/rkhunter.log
AUTO_X_DETECT=1
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
ALLOWHIDDENDIR=/etc/.java
ALLOWPROCDELFILE=/usr/bin/dbus-daemon
ALLOWPROCDELFILE=/usr/sbin/rsyslogd
ALLOWPROCDELFILE=/usr/sbin/sssd
ALLOWPROCDELFILE=/usr/sbin/avahi-daemon
ALLOWPROCDELFILE=/opt/kaspersky/kesl/libexec/kesl
ALLOWPROCDELFILE=/sbin/upstart
ALLOWPROCDELFILE=/usr/lib/firefox/firefox
ALLOWPROCDELFILE=/usr/sbin/anacron
ALLOWPROCDELFILE=/bin/dash
ALLOWPROCDELFILE=/bin/run-parts
ALLOWPROCDELFILE=/usr/bin/python3.5
ALLOWPROCDELFILE=/usr/bin/thunar
ALLOWPROCDELFILE=/usr/bin/bsd-mailx
ALLOWPROCDELFILE=/usr/local/bin/rkhunter
ALLOWPROCDELFILE=/usr/sbin/cron
ALLOWPROCDELFILE=rkhunter:/tmp/*
ALLOWPROCDELFILE=/bin/grep:/tmp/*
ALLOWPROCDELFILE=grep:/tmp/*
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWIPCPROC=/usr/bin/xfdesktop
ALLOWIPCPROC=/usr/lib/x86_64-linux-gnu/notify-osd
SHOW_SUMMARY_WARNINGS_NUMBER=1
INSTALLDIR=/usr/local
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/local/lib/rkhunter/scripts
TMPDIR=/var/lib/rkhunter/tmp
USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf

Note

If you enable MAIL-ON-WARNING, be sure to have a working mail setup. See the last section for a short working Postfix config.

After changing the config, always run --propupd so the stored file properties match the current, trusted state of the system:

/usr/local/bin/rkhunter --propupd

Next try a check:

/usr/local/bin/rkhunter --check --report-warnings-only

If you no longer get any warnings, it's time to automate a daily check. Check the log file as well:

vi /var/log/rkhunter.log

Cron

When dealing with cron, you can either use crontab or set up a proper cron file in /etc/cron.d or /etc/cron.daily. We'll use /etc/cron.d; again, YMMV:

vi /etc/cron.d/rkhunter

# /etc/cron.d/rkhunter: crontab entry for rkhunter

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

05 12 * * *   root    ( /usr/local/bin/rkhunter --cronjob --update --rwo && echo "" )  | /usr/bin/mail -s "Rkhunter daily run on `uname -n`" root

Postfix config

As mentioned above, this is only a short config to enable sending messages out:

cat /etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = <host.domain.tld>
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, <host.domain.tld>, localhost.domain.tld, localhost
relayhost = <mail.domain.tld>
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 127.0.0.1
inet_protocols = all

Check that root has a valid e-mail destination:

vi /etc/aliases
...
postmaster:    root
root: <e-mail address>

newaliases

This is only one of many ways to make your system more secure.