Rkhunter

From SME Server
Revision as of 06:11, 25 July 2022 by Unnilennium (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search


Rkhunter

Contrib 10:
Contrib 9:
smeserver-rkhunter
The latest version of smeserver-rkhunter is available in the SME repository, click on the version number(s) for more information.


Maintainer

Unnilennium aka Jean-Philippe PIALASSE (Contrib)

Description

  • Rkhunter searches for rootkits and other abnormalities.


it needs the packages smeserver-rkhunter and rkhunter

Installation

 /usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs
  1. Log in (with username root) to the SMEserver console.
  2. Install smeserver-Rkhunter
    /usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs
    You will get a y/N-question, answer y if it looks fine. There is no need to reboot the server. Note: for SME10, you need to add the epel repository to get the latest rkhunter:
    /usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs,epel
  1. you should then issue:
signal-event remoteaccess-update

Alternatively you can use the server-manager panel "Software installer" to add a new package and select smeserver-Rkhunter (repo smecontribs must be enabled) then do the reconfiguration and reboot task, instead of steps 1 and 2, then refresh your browser and configure Rkhunter,.

Editing configuration

as root you can check the current configuration :

db configuration show rkhunter
rkhunter=service
    DisableTests=apps,suspscan,system_commands
    status=enabled

to set a new value just issue ( where you change VALUE and OPTION by the appropriate data):

db configuration setprop rkhunter OPTION VALUE
signal-event remoteaccess-update

DisableTests

here you can set a string of disabled tests separated by ","(default is apps,suspscan,system_commands)

as an example you can avoid alert about deleted file by adding ,deleted_files ( see bug [SME: 3830])

see rkhunter doc for more informations

mail

allow to set the mail where you want to send daily report, default is blank for "root"

config setprop rkhunter mail toto@toto.com
signal-event remoteaccess-update

DIAG_SCAN

default is blank

  • no - perform normal report scan (default)
  • yes - perform detailed report scan (includes application check)
config setprop rkhunter DIAG_SCAN yes
signal-event remoteaccess-update

mailWarn

recipient to send a mail in case of warning. Default is empty. for example

config setprop rkhunter mailWarn toto@toto.com
signal-event remoteaccess-update

status

active or deactivate rkhunter : enabled (default)/ disabled

config setprop rkhunter status disabled
signal-event remoteaccess-update

updateMirrors=

This configuration was removed for SME10 version >= 6 as the issue has been resolved in the rkhunter code.

enabled or disabled (default is empty for disabled. As per issue CVE-2017-7480 you should keep this as disabled !

Uninstall

yum remove smeserver-Rkhunter Rkhunter

or alternatively just remove them from the server-manager "Software installer"

Additional information

consult RKH documentation and mailing list in case of warnings, it could be false positive. See bug [SME:4614].

Check installed version

yum info installed smeserver-rkhunter

Bugs

Please raise bugs under the SME Contribs section in bugzilla .


"No open bugs found."

Changelog

Only released version in smecontrib are listed here.

smeserver-rkhunter Changelog: SME 10 (smecontribs)
2021/03/29 Brian Read 1.4.0-7.sme
- Add Update event to createlinks [SME: 11025]

2021/03/29 BogusDateBot
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,

by assuming the date is correct and changing the weekday.
2020/12/30 Brian Read 1.4.0-6.sme
- Revert patch to suppress update as the exploit has been fixed [SME: 11025]
2020/10/09 Brian Read 1.4.0-5.sme
- Import in SME10 tree [SME: 11025]

2017/07/06 Jean-Philipe Pialasse 1.4.0-4.sme
- disabling as default update for rkh because of CVE-2017-7480 [SME: 10376]

- added property updateMirrors to handle this