[5] RKHunter – Rootkit Detector

14 March 2022, comments off, by Adam [zicherka] Nogły

Install RKHunter, a tool for detecting rootkits.

[1] Install RKHunter.

# install from EPEL
[root@vlsr01 ~]# dnf --enablerepo=epel install rkhunter

[2] Configure and use RKHunter.

For regular checks, a check script is installed in the [/etc/cron.daily] directory and is run daily by cron.

[root@vlsr01 ~]# mcedit /etc/sysconfig/rkhunter
# recipient address for the reports
MAILTO=root@localhost
# if set to [yes], the scan is more thorough
DIAG_SCAN=no

# update the rootkit database
[root@vlsr01 ~]# rkhunter --update
# update the file properties database (take this baseline on a known-clean system and refresh it after legitimate package updates)
[root@vlsr01 ~]# rkhunter --propupd

# run the check
# [--sk] skips the [Enter] keypress prompts between test groups
# [--rwo] reports only warnings
[root@vlsr01 ~]# rkhunter --check --sk
[ Rootkit Hunter version 1.4.6 ]
Checking system commands...
  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]
  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]
  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/sbin/adduser                                        [ OK ]
. . . . .
    /usr/lib/systemd/systemd                                 [ OK ]
Checking for rootkits...
  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
. . . . .
    zaRwT.KiT Rootkit                                        [ Not found ]
    ZK Rootkit                                               [ Not found ]
  Performing additional rootkit checks
    Suckit Rootkit additional checks                         [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]
  Performing malware checks
    Checking running processes for suspicious files          [ None found ]
    Checking for hidden processes                            [ Skipped ]
    Checking for login backdoors                             [ None found ]
    Checking for sniffer log files                           [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for Apache backdoor                             [ Not found ]
  Performing Linux specific checks
    Checking loaded kernel modules                           [ OK ]
    Checking kernel module names                             [ OK ]
Checking the network...
  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]
  Performing checks on the network interfaces
    Checking for promiscuous interfaces                      [ None found ]
Checking the local host...
  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]
  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
    Checking root account shell history files                [ OK ]
  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Found ]
    Checking if SSH root access is allowed                   [ Allowed ]
    Checking if SSH protocol v1 is allowed                   [ Not set ]
    Checking for other suspicious configuration settings     [ None found ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]
  Performing filesystem checks
    Checking /dev for suspicious file types                  [ None found ]
    Checking for hidden files and directories                [ None found ]
System checks summary
=====================
File properties checks...
    Files checked: 126
    Suspect files: 0
Rootkit checks...
    Rootkits checked : 489
    Possible rootkits: 0
Applications checks...
    All checks skipped
The system checks took: 1 minute and 39 seconds
All results have been written to the log file: /var/log/rkhunter/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
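A small triage helper for a saved rkhunter report, added here as an example and not part of the original post: it lists the checks that ended in [ Warning ] (in the run above, the passwd and group file changes) and turns the summary block into an exit code a cron job can act on. It assumes the report was saved with `rkhunter --check --sk > report.txt`; the sample report fragment is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): triage a saved rkhunter report.
# Assumes the report was written with: rkhunter --check --sk > report.txt

# Print the names of the checks that produced a Warning, one per line.
rkh_warnings() {
    grep -F '[ Warning ]' "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*\[ Warning \]$//'
}

# Print the number of Warning lines in the report.
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d '[:space:]'
}

# Print the "Possible rootkits" count from the summary block (0 if absent).
rkh_possible_rootkits() {
    n=$(sed -n 's/^[[:space:]]*Possible rootkits:[[:space:]]*//p' "$1")
    echo "${n:-0}"
}

# Exit status for automation: 2 = possible rootkit, 1 = warnings only, 0 = clean.
rkh_triage() {
    if [ "$(rkh_possible_rootkits "$1")" -gt 0 ]; then
        return 2
    elif [ "$(rkh_warning_count "$1")" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Constructed sample report fragment mirroring the run shown above.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
    Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
    Checking root account shell history files                [ OK ]
System checks summary
=====================
Rootkit checks...
    Rootkits checked : 489
    Possible rootkits: 0
EOF

rkh_warnings "$SAMPLE_REPORT"
rc=0; rkh_triage "$SAMPLE_REPORT" || rc=$?
echo "triage status: $rc"
```

Once a warning has been reviewed and found legitimate (for example a user you added yourself), `rkhunter --propupd` refreshes the stored baseline so the next daily run is quiet again.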