From SME Server
Latest revision as of 06:11, 25 July 2022


Rkhunter

Contrib 10 / Contrib 9: smeserver-rkhunter

The latest version of smeserver-rkhunter is available in the SME contribs repository for SME Server 9 and 10.


Maintainer

Unnilennium aka Jean-Philippe PIALASSE (Contrib)

Description

  • Rkhunter searches for rootkits and other abnormalities.

The contrib needs the packages smeserver-rkhunter and rkhunter.

Installation

For SME 10:

 /usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs

 Note: on SME 10 the latest rkhunter comes from the epel repository, so enable it as well if you want that version:
 /usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs,epel

For SME 9:
  1. Log in (with username root) to the SME Server console.
  2. Install smeserver-rkhunter:
     /usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs
     You will get a y/N question; answer y if the transaction looks fine. There is no need to reboot the server.
  3. Then run:
     signal-event remoteaccess-update

Alternatively you can use the server-manager panel "Software installer" to add a new package and select smeserver-rkhunter (the smecontribs repository must be enabled), then run the reconfiguration and reboot task instead of steps 1 and 2, then refresh your browser and configure rkhunter.

Editing configuration

As root you can check the current configuration:

db configuration show rkhunter
rkhunter=service
    DisableTests=apps,suspscan,system_commands
    status=enabled

To set a new value, issue the following (replacing OPTION and VALUE with the appropriate data), then apply it:

db configuration setprop rkhunter OPTION VALUE
signal-event remoteaccess-update

DisableTests

Here you can set a string of disabled tests separated by "," (default is apps,suspscan,system_commands).

As an example, you can avoid alerts about deleted files by adding ,deleted_files (see bug [SME: 3830]).

See the rkhunter documentation (http://rkhunter.sourceforge.net/) for more information; rkhunter --list tests prints the test names it accepts.

mail

Sets the address to which the daily report is sent; default is blank, which means root.

config setprop rkhunter mail toto@toto.com
signal-event remoteaccess-update

DIAG_SCAN

Default is blank, which behaves as no.

  • no - perform normal report scan (default)
  • yes - perform detailed report scan (includes application check)
config setprop rkhunter DIAG_SCAN yes
signal-event remoteaccess-update

mailWarn

Recipient to which a mail is sent when the scan produces a warning. Default is empty. For example:

config setprop rkhunter mailWarn toto@toto.com
signal-event remoteaccess-update

status

Activates or deactivates the daily rkhunter scan: enabled (default) or disabled.

config setprop rkhunter status disabled
signal-event remoteaccess-update
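
As an added example, not code from the smeserver-rkhunter contrib, the following POSIX shell script checks the values you would pass to db configuration setprop for the properties above (DisableTests, mail, mailWarn, DIAG_SCAN, status) and renders the rkhunter settings they correspond to. The mapping used here (DISABLE_TESTS and MAIL-ON-WARNING in rkhunter.conf, MAILTO and DIAG_SCAN in /etc/sysconfig/rkhunter, and a hypothetical DAILY_CRON flag for status) is an assumption about what the contrib's templates generate, chosen to show the validation; the list of test names is the one rkhunter 1.4 accepts.

```shell
#!/bin/sh
# Added example, not part of the smeserver-rkhunter contrib: validate the
# values behind the rkhunter db properties and render the settings they map to.
# ASSUMPTION: the mapping below (DISABLE_TESTS / MAIL-ON-WARNING in
# rkhunter.conf, MAILTO / DIAG_SCAN in /etc/sysconfig/rkhunter, a hypothetical
# DAILY_CRON flag for the status property) illustrates what a template could
# generate; check the contrib's own templates under /etc/e-smith/templates.
set -f   # no pathname expansion: we word-split operator supplied input below

# Test names accepted by rkhunter 1.4 (`rkhunter --list tests`).
KNOWN_TESTS="additional_rkts all apps attributes avail_modules deleted_files \
filesystem group_accounts group_changes hashes hidden_procs immutable \
ipc_shared_mem known_rkts loaded_modules local_host malware network none \
os_specific other_malware packet_cap_apps passwd_changes ports \
possible_rkt_files possible_rkt_strings promisc properties rootkits \
running_procs scripts shared_libs shared_libs_path sniffer_logs startup_files \
startup_malware strings suspfiles suspscan system_commands system_configs \
system_configs_ssh system_configs_syslog trojans"

# validate_tests "apps, suspscan,deleted_files"
# Prints the list normalised to single spaces with duplicates dropped;
# prints nothing and returns 1 on the first name rkhunter would not accept
# (a typo in DisableTests is otherwise silently ignored by rkhunter).
validate_tests() {
    out=""
    for t in $(printf '%s' "$1" | tr ',' ' '); do
        case " $KNOWN_TESTS " in
            *" $t "*) ;;
            *) return 1 ;;
        esac
        case " $out " in
            *" $t "*) ;;                 # duplicate, keep one copy
            *) out="$out $t" ;;
        esac
    done
    printf '%s' "${out# }"
}

# validate_mail ADDRESS: accepts a blank value, a local user name or user@host;
# rejects whitespace and shell metacharacters so the value cannot break the
# generated sysconfig file or the cron job's mail command.
validate_mail() {
    case "$1" in
        *[!A-Za-z0-9@._+-]*) return 1 ;;
        *@|@*|*@*@*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_rkhunter_settings DISABLETESTS MAIL MAILWARN DIAG_SCAN STATUS
# Prints the rendered settings, or an error on stderr with status 1.
render_rkhunter_settings() {
    tests=$(validate_tests "$1") || { echo "DisableTests: unknown test name in '$1'" >&2; return 1; }
    validate_mail "$2" || { echo "mail: '$2' is not a valid recipient" >&2; return 1; }
    validate_mail "$3" || { echo "mailWarn: '$3' is not a valid recipient" >&2; return 1; }
    case "$4" in yes|no|"") ;; *) echo "DIAG_SCAN: expected yes or no, got '$4'" >&2; return 1 ;; esac
    case "$5" in enabled|disabled|"") ;; *) echo "status: expected enabled or disabled, got '$5'" >&2; return 1 ;; esac

    printf 'DISABLE_TESTS="%s"\n' "$tests"          # rkhunter.conf
    printf 'MAIL-ON-WARNING=%s\n' "$3"              # rkhunter.conf
    printf 'MAILTO=%s\n' "${2:-root}"               # /etc/sysconfig/rkhunter, blank means root
    printf 'DIAG_SCAN=%s\n' "${4:-no}"              # /etc/sysconfig/rkhunter, blank means no
    if [ "${5:-enabled}" = enabled ]; then          # hypothetical flag for the daily cron job
        printf 'DAILY_CRON=yes\n'
    else
        printf 'DAILY_CRON=no\n'
    fi
}

# Example: the page's defaults plus deleted_files disabled and a warning recipient
render_rkhunter_settings "apps,suspscan,system_commands,deleted_files" "" "toto@toto.com" "" "enabled"
```

The point of validating before writing is that rkhunter does not complain about an unknown name in DISABLE_TESTS: a typo such as "delete_files" leaves the test enabled and the daily mail keeps arriving, while a stray space or shell character in a mail address can break the cron job's mail delivery so that no report arrives at all. After changing a property for real, db configuration show rkhunter confirms the stored value and signal-event remoteaccess-update regenerates the files.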

updateMirrors

This property was removed for SME10 version >= 6 (smeserver-rkhunter 1.4.0-6.sme), as the issue has been fixed in the rkhunter code.

Obsolete guidance for earlier versions (struck out on the wiki): enabled or disabled, default empty (disabled). Because of CVE-2017-7480 (rkhunter before 1.4.4 fetched its update files over unauthenticated HTTP, so a man-in-the-middle on the path to the mirror could feed it malicious updates) it was to be kept disabled.

Uninstall

yum remove smeserver-rkhunter rkhunter

or alternatively just remove them from the server-manager "Software installer"

Additional information

Consult the rkhunter documentation and mailing list in case of warnings; they may be false positives. See bug [SME:4614].
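
As an added example, not code from the contrib or from the rkhunter project, here is a small POSIX shell triage of the rkhunter log that separates warnings already explained on this host from those that still need a look. The log excerpt and the benign list are constructed for the example; the "[HH:MM:SS] Warning: ..." layout follows rkhunter's log file (the LOGFILE setting in rkhunter.conf, /var/log/rkhunter/rkhunter.log by default).

```shell
#!/bin/sh
# Added example, not code from the smeserver-rkhunter contrib or from rkhunter:
# triage the warnings in an rkhunter log so that the ones already explained on
# this host are separated from the ones that still need a look.
# The log excerpt and the benign list below are CONSTRUCTED for the example;
# the "[HH:MM:SS] Warning: ..." layout follows rkhunter's log file
# (LOGFILE in rkhunter.conf, /var/log/rkhunter/rkhunter.log by default).

SAMPLE_LOG='[10:02:21] Warning: The file properties have changed:
[10:02:21]          File: /usr/bin/ssh
[10:02:21]          Current hash: 1111111111111111111111111111111111111111
[10:02:22] Warning: Hidden directory found: /etc/.java
[10:02:22] Warning: Hidden directory found: /dev/.udev
[10:02:30] Warning: The following processes are using deleted files:
[10:02:30]          Process: /usr/sbin/httpd    PID: 1234    File: /var/log/httpd/error_log
[10:02:35] Info: The system checks took: 2 minutes and 13 seconds'

# Operator-maintained allowlist, one exact warning line per entry. Keep it
# short and review it after every package update: an entry here hides the
# warning permanently, so every entry needs a written justification.
KNOWN_BENIGN='Hidden directory found: /dev/.udev
The following processes are using deleted files:'

# list_warnings: read a log on stdin, print the text of each "Warning:" line.
# Only the header line of a multi-line warning is taken; the indented detail
# lines (File:, Process:, ...) stay in the log for the analyst.
list_warnings() {
    sed -n 's/^\[[0-9:]*\] Warning: //p'
}

# classify_warnings: read a log on stdin, print "benign<TAB>text" for warnings
# on the allowlist and "investigate<TAB>text" for everything else.
# Matching is exact (-F -x): a substring match would let a path that merely
# contains an allowlisted string slip through.
classify_warnings() {
    list_warnings | while IFS= read -r msg; do
        if printf '%s\n' "$KNOWN_BENIGN" | grep -Fxq -- "$msg"; then
            printf 'benign\t%s\n' "$msg"
        else
            printf 'investigate\t%s\n' "$msg"
        fi
    done
}

# count_to_investigate: read a log on stdin, print how many warnings are not
# explained by the allowlist (0 when the run is clean).
count_to_investigate() {
    classify_warnings | grep -c '^investigate' || true
}

# triage_log: read a log on stdin, print the classification and return 2 when
# something needs attention, which a wrapper around the daily cron job can use
# to decide whether a mail is worth sending.
triage_log() {
    report=$(classify_warnings)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    if printf '%s\n' "$report" | grep -q '^investigate'; then
        return 2
    fi
    return 0
}

# Example run over the constructed excerpt
printf '%s\n' "$SAMPLE_LOG" | triage_log || echo "rkhunter: warnings need attention (status $?)"
```

A file-properties warning on a binary that a package update just replaced is the classic false positive: confirm with rpm -Vf /usr/bin/ssh (or yum history) that the package, not an intruder, changed the file before running rkhunter --propupd, which tells rkhunter to trust the current file properties. Running --propupd blindly after every warning would equally silence a real replacement of the binary.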

Check installed version

yum info installed smeserver-rkhunter

Bugs

Please raise bugs under the SME Contribs section in bugzilla.

No open bugs found.

Changelog

Only released version in smecontrib are listed here.

smeserver-rkhunter Changelog: SME 10 (smecontribs)

2021/03/29 Brian Read 1.4.0-7.sme
- Add Update event to createlinks [SME: 11025]

2021/03/29 BogusDateBot
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday, by assuming the date is correct and changing the weekday.

2020/12/30 Brian Read 1.4.0-6.sme
- Revert patch to suppress update as the exploit has been fixed [SME: 11025]

2020/10/09 Brian Read 1.4.0-5.sme
- Import in SME10 tree [SME: 11025]

2017/07/06 Jean-Philipe Pialasse 1.4.0-4.sme
- disabling as default update for rkh because of CVE-2017-7480 [SME: 10376]
- added property updateMirrors to handle this