Sane use of rkhunter in CentOS 7

rkhunter is the last thing you should use

If there is a rootkit in your system, it already has every privilege in the system, including the ability to hide itself completely from any tool like rkhunter. rkhunter is only useful for detecting lazy rootkits, that is, ones authored by lazy hackers 🙂 Or as a supplementary tool for checking the validity of the few base system programs it monitors against the RPM database, which might only be useful for detecting a corrupted hard drive.

With all this in mind, proceed.

The problem of a broken/unfinished rkhunter workflow

So you’ve installed rkhunter and let its cron job run every day, only to be nagged with false positives every time you update a package via yum.

E.g. rkhunter output after updating the system via yum upgrade:

Warning: The file properties have changed:
        File: /usr/bin/pgrep
        Current inode: 470397    Stored inode: 34965
Warning: The file properties have changed:
        File: /usr/bin/pkill

But why?

With PKGMGR=RPM in /etc/rkhunter.conf you tell rkhunter where the information about genuine, unmodified system programs comes from. But the RPM database is only consulted when you run --propupd, not when you run --check!

So rkhunter does not magically re-check against the RPM database after every yum update: its stored file properties simply go stale, and the next --check reports the yum-updated files as changed.
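The comparison rkhunter skips at --check time can be done by hand against the RPM database. This is an added example, not code from the original post: it parses the warning format shown above (a constructed sample, not a log from a real host), finds the package owning each flagged file with rpm -qf, and asks rpm -V whether the on-disk file still matches what the package installed; the function names are my own.

```bash
#!/bin/bash
# Constructed sample in the format of the rkhunter --check warnings above (not a real log).
SAMPLE_WARNINGS='Warning: The file properties have changed:
        File: /usr/bin/pgrep
        Current inode: 470397    Stored inode: 34965
Warning: The file properties have changed:
        File: /usr/bin/pkill'

# Extract the flagged file paths, one per line, from rkhunter output on stdin.
flagged_files() {
    sed -n 's/^[[:space:]]*File:[[:space:]]*\([^[:space:]]*\).*/\1/p' | sort -u
}

# Classify one flagged file against the RPM database, which --check never consults:
#   rpm-ok        on-disk file matches its package: yum replaced it and rkhunter's
#                 stored properties are merely stale (fix: rkhunter --propupd <package>)
#   rpm-modified  rpm -V reports a difference: the file is not what RPM installed
#   unowned       no package owns the file
#   no-rpm        rpm is not installed here, so the file cannot be classified
triage_file() {
    local f="$1" pkg
    command -v rpm >/dev/null 2>&1 || { echo "no-rpm $f"; return 0; }
    if ! pkg=$(rpm -qf --qf '%{NAME}\n' "$f" 2>/dev/null); then
        echo "unowned $f"; return 0
    fi
    pkg=${pkg%%$'\n'*}   # a file owned by several packages: verify the first one
    # rpm -V prints one line per differing file; the path is the last field.
    if rpm -V "$pkg" 2>/dev/null | awk -v f="$f" '$NF == f { hit = 1 } END { exit !hit }'; then
        echo "rpm-modified $f ($pkg)"
    else
        echo "rpm-ok $f ($pkg)"
    fi
}

# Triage every flagged file from rkhunter output on stdin.
triage_report() {
    flagged_files | while read -r f; do triage_file "$f"; done
}

printf '%s\n' "$SAMPLE_WARNINGS" | triage_report
```

Feed it real output with `rkhunter --check --report-warnings-only | triage_report`; an rpm-modified result deserves a look before you ever run --propupd for that package.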

How can we make things better?

If we install packages from a YUM repository, we already assume that the repository gives us genuine and secure packages. So in general, having rkhunter automatically trust yum-installed/updated packages is a good way to reduce false positives.

rkhunter + yum updates setup

# Action file format: <package glob>:<install|update|remove|any>:<command>.
# Keep the single quotes: $name must reach the plugin unexpanded; it fills in the package name per transaction.
yum -y install yum-plugin-post-transaction-actions
echo '*:any:echo $name >> /var/lib/rkhunter/updated.txt' > /etc/yum/post-actions/rkhunter.action

Create file /etc/cron.daily/0rkhunter:

#!/bin/bash
# Sorts before /etc/cron.daily/rkhunter, so yum-updated packages are trusted before the daily --check.
QUEUE=/var/lib/rkhunter/updated.txt
if [[ -f "$QUEUE" ]] ; then
    # Rename first so a concurrent yum transaction appends to a new file instead of being lost by rm.
    mv "$QUEUE" "$QUEUE.work"
    # One package name per line, written by the yum post-transaction hook.
    sort -u "$QUEUE.work" | while read -r pkg; do
        [[ -n "$pkg" ]] && /usr/bin/rkhunter --propupd "$pkg" > /dev/null
    done
    rm -f "$QUEUE.work"
fi

Set up permissions:

chmod 0755 /etc/cron.daily/0rkhunter

So what we do is:

We could run /usr/bin/rkhunter --propupdate package-name directly in the yum hook, but I chose the flat-file approach so that every yum transaction would not be slowed down.

You may think that between the time a package is installed and the 0rkhunter cron run that enables trust of its files, our lazy hacker could replace the package’s files manually and the change would go undetected. No: their manual changes would still be reported by rkhunter later on. Imagine the following happening:

So manual changes to files managed by RPM will be flagged later anyway.

We let rkhunter nag us only when someone manually replaces system files (not via RPM repositories). The convenience of less nagging comes with somewhat reduced security.

Potentially, a hacker could configure a yum repository on the system and install malicious packages from it. Those changes would no longer be flagged by rkhunter. But come to think of it:

So having rkhunter trust yum updates seems like a sane use of it.

Bonus tip. Know your tool

The rkhunter utility does not check the file properties of every system file or package you have. It only checks files that are more often replaced by rootkits; the list is hard-coded in the rkhunter script source itself (/bin/rkhunter) under PROP_FILE_LIST.

So if you run rkhunter --propupd arbitrary-package-name, you may get:

File or package name is not in the “rkhunter.dat” file: php-pecl-igbinary

or

Warning: The file exists on the system, but it is not present in the rkhunter.dat file
