Rkhunter
| Maintainer | Unnilennium |
|---|---|
| Source: | smeserver-rkhunter |
| Category | |
| Tags | Remote access, Security |
Rkhunter
Version
Maintainer
Unnilennium aka Jean-Philippe PIALASSE (Contrib)
Description
- Rkhunter searches for rootkits and other abnormalities.
It needs the packages smeserver-rkhunter and rkhunter.
Installation
- Log in (with username root) to the SMEserver console.
- Install smeserver-rkhunter:
/usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs
You will get a y/N question; answer y if it looks fine. There is no need to reboot the server. Note: for SME10, you need to add the epel repository to get the latest rkhunter:
/usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs,epel
- You should then issue:
signal-event remoteaccess-update
Alternatively, you can use the server-manager panel "Software installer" to add a new package and select smeserver-rkhunter (the smecontribs repo must be enabled), then do the reconfiguration and reboot task instead of steps 1 and 2. Then refresh your browser and configure Rkhunter.
Editing configuration
As root, you can check the current configuration:
db configuration show rkhunter
rkhunter=service
DisableTests=apps,suspscan,system_commands
status=enabled
To set a new value, issue the following (replacing OPTION and VALUE with the appropriate data):
db configuration setprop rkhunter OPTION VALUE
signal-event remoteaccess-update
DisableTests
Here you can set a string of disabled tests separated by "," (default is apps,suspscan,system_commands).
As an example, you can avoid alerts about deleted files by adding ,deleted_files (see bug [SME: 3830]).
See the rkhunter documentation for more information.
The mail property sets the address to which the daily report is sent; the default is blank, meaning "root".
config setprop rkhunter mail toto@toto.com
signal-event remoteaccess-update
DIAG_SCAN
Default is blank
- no - perform normal report scan (default)
- yes - perform detailed report scan (includes application check)
config setprop rkhunter DIAG_SCAN yes
signal-event remoteaccess-update
MailWarn
Recipient of the mail sent in case of a warning. Default is empty. For example:
config setprop rkhunter mailWarn toto@toto.com
signal-event remoteaccess-update
Status
Activate or deactivate rkhunter: enabled (default) / disabled
config setprop rkhunter status disabled
signal-event remoteaccess-update
UpdateMirrors
This configuration was removed for SME10 version >= 6, as the issue has been resolved in the rkhunter code.
enabled or disabled (default is empty, meaning disabled).
Because of CVE-2017-7480, you should keep this disabled!
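A quick check of the settings described above, as an added example that is not part of the smeserver-rkhunter contrib: the hypothetical shell function audit_rkhunter reads the output of db configuration show rkhunter on stdin and flags a disabled service, UpdateMirrors=enabled, and any test disabled beyond the default list. The sample record at the end is constructed.

```shell
#!/bin/sh
# Added example: audit the rkhunter record of the SME Server configuration db.
# Input (stdin): the text printed by `db configuration show rkhunter`.
# Output: one WARN line per finding; exit status 1 if anything was flagged.
# audit_rkhunter is a hypothetical helper name, not part of the contrib.
audit_rkhunter() {
    awk -F= '
        {
            sub(/^[ \t]+/, "")                     # properties may be indented
            prop[$1] = substr($0, length($1) + 2)  # everything after the first "="
        }
        END {
            findings = 0
            # The scan only runs while the service is enabled.
            if (prop["status"] != "enabled") {
                print "WARN status=" prop["status"] ": rkhunter is not enabled"
                findings++
            }
            # The page says to keep mirror updates off because of CVE-2017-7480.
            if (prop["UpdateMirrors"] == "enabled") {
                print "WARN UpdateMirrors=enabled: keep disabled (CVE-2017-7480)"
                findings++
            }
            # Every test disabled beyond the default set narrows coverage.
            dflt["apps"] = dflt["suspscan"] = dflt["system_commands"] = 1
            count = split(prop["DisableTests"], test, ",")
            for (i = 1; i <= count; i++)
                if (test[i] != "" && !(test[i] in dflt)) {
                    print "WARN DisableTests: non-default test disabled: " test[i]
                    findings++
                }
            exit (findings > 0)
        }'
}

# Constructed sample record (not captured from a real server).
audit_rkhunter <<'EOF' || echo "review the findings above"
rkhunter=service
    DisableTests=apps,suspscan,system_commands,deleted_files
    UpdateMirrors=enabled
    status=enabled
EOF
```

On a server, pipe the live record into it: db configuration show rkhunter | audit_rkhunter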
Uninstall
yum remove smeserver-rkhunter rkhunter
Alternatively, just remove them from the server-manager "Software installer".
Additional information
Consult the RKH documentation and mailing list in case of warnings; they could be false positives. See bug [SME:4614].
Check installed version
yum info installed smeserver-rkhunter
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-rkhunter component or use this link
Changelog
Only versions released in smecontrib are listed here.
- Add Update event to createlinks [SME: 11025]
2021/03/29 BogusDateBot
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
- Revert patch to suppress update as the exploit has been fixed [SME: 11025]
- Import in SME10 tree [SME: 11025]
2017/07/06 Jean-Philipe Pialasse 1.4.0-4.sme
- disabling as default update for rkh because of CVE-2017-7480 [SME: 10376]