Difference between revisions of "Rkhunter"
Revision by Unnilennium (12 intermediate revisions by 3 users not shown)
Latest revision as of 06:11, 25 July 2022
Rkhunter
Maintainer
Unnilennium aka Jean-Philippe PIALASSE (Contrib)
Description
- Rkhunter searches for rootkits and other abnormalities.
It needs the packages smeserver-rkhunter and rkhunter.
Installation
For SME 10:
/usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs
For SME 9:
- Log in (with username root) to the SMEserver console.
- Install smeserver-rkhunter:
/usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs
You will get a y/N question; answer y if it looks fine. There is no need to reboot the server. Note: for SME10, you need to add the epel repository to get the latest rkhunter:
/usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs,epel
- You should then issue:
signal-event remoteaccess-update
Alternatively you can use the server-manager panel "Software installer" to add a new package and select smeserver-rkhunter (the smecontribs repo must be enabled), then run the reconfiguration and reboot task instead of steps 1 and 2, then refresh your browser and configure Rkhunter.
Editing configuration
As root you can check the current configuration:
db configuration show rkhunter
rkhunter=service
    DisableTests=apps,suspscan,system_commands
    status=enabled
To set a new value, issue the following (replacing OPTION and VALUE with the appropriate data), then run the event so the change is applied:
db configuration setprop rkhunter OPTION VALUE
signal-event remoteaccess-update
DisableTests
Here you can set a string of disabled tests separated by "," (default is apps,suspscan,system_commands).
As an example, you can avoid the alert about deleted files by adding ,deleted_files (see bug [SME: 3830]).
See the rkhunter documentation for more information.
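An added example for the DisableTests procedure above (written for this page; it is not code from the smeserver-rkhunter contrib): because setprop replaces the whole property value, setting only deleted_files would silently drop the three default entries, so this POSIX sh script merges the new test into the current list and validates the names before writing. It assumes the db configuration getprop subcommand, which this page does not show.

```shell
#!/bin/sh
# Added example, not part of smeserver-rkhunter: merge test names into the
# rkhunter DisableTests property without losing the entries already set.

# merge_disabled_tests CURRENT NEW...  -> prints the merged comma-separated
# list: whitespace stripped, duplicates dropped, original order kept.
# Returns 1 (and prints nothing useful) if a name is not [a-z_] only.
merge_disabled_tests() {
    current=$1; shift
    merged=""
    for t in $(printf '%s' "$current" | tr ',' ' ') "$@"; do
        t=$(printf '%s' "$t" | tr -d '[:space:]')
        [ -n "$t" ] || continue
        case "$t" in
            *[!a-z_]*) printf 'invalid test name: %s\n' "$t" >&2; return 1 ;;
        esac
        case ",$merged," in
            *",$t,"*) ;;                            # already in the list
            *) merged="${merged:+$merged,}$t" ;;    # append, keep order
        esac
    done
    printf '%s\n' "$merged"
}

# apply_disabled_tests NEW...  -> reads the live value (assumes "db
# configuration getprop"), writes the merged list back and re-runs the
# event that regenerates the rkhunter configuration.
apply_disabled_tests() {
    current=$(db configuration getprop rkhunter DisableTests)
    merged=$(merge_disabled_tests "$current" "$@") || return 1
    db configuration setprop rkhunter DisableTests "$merged" &&
        signal-event remoteaccess-update
}

# Constructed sample: the default value quoted on this page.
SAMPLE_DEFAULT="apps,suspscan,system_commands"
merge_disabled_tests "$SAMPLE_DEFAULT" deleted_files
# prints: apps,suspscan,system_commands,deleted_files

# Only touch the live configuration on a real SME Server and when asked to.
if command -v db >/dev/null 2>&1 && [ "${1:-}" = "--apply" ]; then
    shift
    apply_disabled_tests "$@"
fi
```

Run it as `sh merge_tests.sh --apply deleted_files` on the server to write the merged list; without --apply it only prints the merged sample.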
mail
Sets the address the daily report is sent to; default is blank, meaning "root".
config setprop rkhunter mail toto@toto.com
signal-event remoteaccess-update
DIAG_SCAN
Default is blank.
- no - perform normal report scan (default)
- yes - perform detailed report scan (includes application check)
config setprop rkhunter DIAG_SCAN yes
signal-event remoteaccess-update
mailWarn
Recipient to send a mail to in case of a warning. Default is empty. For example:
config setprop rkhunter mailWarn toto@toto.com
signal-event remoteaccess-update
status
Activate or deactivate rkhunter: enabled (default) / disabled
config setprop rkhunter status disabled
signal-event remoteaccess-update
updateMirrors
This configuration was removed for SME10 version >= 6, as the issue has been resolved in the rkhunter code.
The earlier guidance (struck through on the page): enabled or disabled (default is empty, meaning disabled). As per CVE-2017-7480 you should keep this disabled!
Uninstall
yum remove smeserver-rkhunter rkhunter
Or alternatively just remove them from the server-manager "Software installer".
Additional information
Consult the RKH documentation and mailing list in case of warnings; they could be false positives. See bug [SME:4614].
Check installed version
yum info installed smeserver-rkhunter
Bugs
Please raise bugs under the SME Contribs section in bugzilla.
Changelog
Only versions released in smecontribs are listed here.
- Add Update event to createlinks [SME: 11025]
2021/03/29 BogusDateBot
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
- Revert patch to suppress update as the exploit has been fixed [SME: 11025]
- Import in SME10 tree [SME: 11025]
2017/07/06 Jean-Philippe Pialasse 1.4.0-4.sme
- disabling as default update for rkh because of CVE-2017-7480 [SME: 10376]