Difference between revisions of "Rkhunter"

From SME Server
Jump to navigationJump to search
Line 46: Line 46:
 
  signal-event remoteaccess-update
 
  signal-event remoteaccess-update
 
====DIAG_SCAN====
 
====DIAG_SCAN====
DIAG_SCAN= no  - perform  normal  report scan (default)
+
* no  - perform  normal  report scan (default)
          yes - perform detailed report scan
+
* yes - perform detailed report scan (includes application check)
                  (includes application check)
+
                 
 
  config setprop rkhunter DIAG_SCAN yes
 
  config setprop rkhunter DIAG_SCAN yes
 
  signal-event remoteaccess-update
 
  signal-event remoteaccess-update
 +
 
====mailWarn====
 
====mailWarn====
 
recipient to send a mail in case of warning. Default is empty.
 
recipient to send a mail in case of warning. Default is empty.

Revision as of 20:46, 13 August 2015


Rkhunter SSH for SME7

Maintainer

Unnilennium aka Jean-Philippe PIALASSE (Contrib)

Description

  • Rkhunter searches for rootkits and other abnormalities.


it needs the packages smeserver-rkhunter and rkhunter

Installation

  1. Log in (with username root) to the SMEserver console.
  2. Install smeserver-Rkhunter
    /usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs
    You will get a y/N-question, answer y if it looks fine. There is no need to reboot the server.
  3. you should then issue:
signal-event remoteaccess-update


Alternatively you can use the server-manager panel "Software installer" to add a new package and select smeserver-Rkhunter (repo smecontribs must be enabled) then do the reconfiguration and reboot task, instead of steps 1 and 2, then refresh your browser and configure Rkhunter,.


Editing configuration

as root you can check the current configuration :

db configuration show rkhunter
rkhunter=service
    DisableTests=apps,suspscan,system_commands
    status=enabled

to set a new value just issue ( where you change VALUE and OPTION by the appropriate data):

db configuration setprop rkhunter OPTION VALUE
signal-event remoteaccess-update

DisableTests

here you can set a string of disabled tests separated by ","(default is apps,suspscan,system_commands)

as an example you can avoid alert about deleted file by adding ,deleted_files ( see bug [SME: 3830])

see rkhunter doc for more informations

mail

allow to set the mail where you want to send daily report, default is blank for "root"

config setprop rkhunter mail toto@toto.com
signal-event remoteaccess-update

DIAG_SCAN

  • no - perform normal report scan (default)
  • yes - perform detailed report scan (includes application check)
config setprop rkhunter DIAG_SCAN yes
signal-event remoteaccess-update

mailWarn

recipient to send a mail in case of warning. Default is empty. for example

config setprop rkhunter mailWarn toto@toto.com
signal-event remoteaccess-update

status

active or deactivate rkhunter : enabled (default)/ disabled

config setprop rkhunter status disabled
signal-event remoteaccess-update

Uninstall

yum remove smeserver-Rkhunter Rkhunter

or alternatively just remove them from the server-manager "Software installer"

Additional information

consult RKH documentation and mailing list in case of warnings, it could be false positive. See bug [SME:4614].

Check installed version

yum info installed smeserver-Rkhunter