rkhunter is the last thing you should use
If there is a rootkit in your system, it has all the privileges in the system. These include complete hiding from any tool like rkhunter.
rkhunter is only useful as detection for lazy rootkits, that is, ones authored by lazy hackers 🙂 Or, as a supplementary tool for checking the validity of the few base system programs it monitors against the RPM database. Which might only be useful for detecting corrupted hard drives.
With all this in mind, proceed.
The problem of broken/unfinished rkhunter workflow
So you've installed rkhunter and let its cron run every day, only to be nagged with a false positive every time you update a package via yum? The sequence looks like this:
- You have installed rkhunter.
- You did the right thing and configured rkhunter (in /etc/rkhunter.conf) to take file properties from the RPM database.
- Ran the initial rkhunter --propupd.
- Ran yum upgrade, which resulted in an update of some of the files monitored by rkhunter.
- Now you're getting daily alerts from rkhunter about modified files until you run rkhunter --propupd again.
rkhunter output after updating the system via yum:
Warning: The file properties have changed:
         File: /usr/bin/pgrep
         Current inode: 470397    Stored inode: 34965
Warning: The file properties have changed:
         File: /usr/bin/pkill
In /etc/rkhunter.conf you tell rkhunter where to get its information about genuine, unmodified system programs. The RPM database is consulted only when you run rkhunter --propupd, not during the regular check: rkhunter does no magic comparison against the RPM database after every yum update.
How can we make things better?
If we install packages from a YUM repository, we already assume that the repository gives us genuine and secure packages. So in general, having rkhunter trust yum-installed or yum-updated packages automatically is a good idea to reduce false positives.
rkhunter + yum updates setup
yum -y install yum-plugin-post-transaction-actions
echo '*:any:echo $name >> /var/lib/rkhunter/updated.txt' > /etc/yum/post-actions/rkhunter.action
Then create /etc/cron.daily/0rkhunter with the following script:
#!/bin/bash
# The yum post-transaction action above appends one package name per line
# to this queue file; refresh rkhunter's stored properties for each of them.
if [[ -f /var/lib/rkhunter/updated.txt ]] ; then
    while read -r in; do
        /usr/bin/rkhunter --propupdate "$in" > /dev/null
    done < /var/lib/rkhunter/updated.txt
    # Queue processed; remove it so the next run starts empty.
    rm -f /var/lib/rkhunter/updated.txt
fi
chmod 0755 /etc/cron.daily/0rkhunter
So what we do is:
- When a package is installed or updated, add its name to /var/lib/rkhunter/updated.txt
- Add a special cron job, run before the main rkhunter cron (run-parts executes /etc/cron.daily in name order, so the "0" prefix puts it first), which reads /var/lib/rkhunter/updated.txt and updates the properties of the packages listed in the file
We could directly run /usr/bin/rkhunter --propupdate package-name in the yum hook, but I chose the flat file approach so that yum transactions are not slowed down.
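As an added example (not the script from the post), here is a more defensive variant of the 0rkhunter cron job. It keeps the flat-file design described above but moves the queue aside before reading it, deduplicates package names, only accepts names made of characters valid in an RPM package name, and returns the number of packages rkhunter refused so a failure is visible in the cron mail. The function name process_queue and its two parameters (queue file, rkhunter binary) are my choice; the rkhunter option used is the documented --propupd.

```bash
#!/bin/bash
# Added example, not the original post's script: a more defensive version of
# /etc/cron.daily/0rkhunter. Assumes the yum post-transaction action from the
# post appends one package name per line to the queue file, and that rkhunter
# is configured to take file properties from the RPM database.

# process_queue QUEUE_FILE RKHUNTER_BIN   (both names are this example's own)
# Moves the queue aside first, so names appended by a yum transaction that
# runs while we work end up in a fresh queue instead of being deleted unread.
# Each unique, well-formed package name is passed to "rkhunter --propupd".
# Processed names are echoed (cron mails them); the number of names for which
# rkhunter exited non-zero is returned, so the cron job itself fails visibly.
process_queue() {
    queue="$1"
    rkhunter="$2"
    [ -f "$queue" ] || return 0
    work="$queue.$$"
    mv -f "$queue" "$work" || return 1
    failed=0
    # sort -u: a package updated several times since the last run is handled once
    # grep:    accept only characters valid in an RPM package name, so a corrupt
    #          or tampered queue line cannot turn into extra arguments
    for name in $(sort -u "$work" | grep -E '^[A-Za-z0-9._+-]+$'); do
        if "$rkhunter" --propupd "$name" >/dev/null 2>&1; then
            echo "$name"
        else
            failed=$((failed + 1))
        fi
    done
    rm -f "$work"
    return "$failed"
}

# Only act when installed as the cron job itself, so the file can also be
# sourced (for instance by a test) without touching the real queue.
case "${0##*/}" in
    0rkhunter) process_queue /var/lib/rkhunter/updated.txt /usr/bin/rkhunter ;;
esac
```

Install it as /etc/cron.daily/0rkhunter with mode 0755, exactly like the original script. The rename-before-read step matters: with the original loop, a package name appended by a yum transaction that finishes between the last read and the rm would be deleted without ever being passed to rkhunter, and the next check would then flag that package's files.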
You may think that between the time a package is installed and the 0rkhunter cron run, which enables trust of its files, our lazy hacker would be able to replace the package's files manually and the change would go undetected. No, their manual changes would still be reported by rkhunter later on. Imagine the following happens:
- You have installed a package foo.
- A hacker manually modifies /usr/bin/foo (part of that package).
- The 0rkhunter cron runs rkhunter --propupdate foo, but this consults and trusts the properties from the RPM database, not the current properties of /usr/bin/foo.
So manual changes to files managed by RPM will still be reported by a later check anyway.
Now rkhunter only nags us when someone manually replaces system files (not via RPM repositories). The convenience of less nagging comes with somewhat lessened security.
Potentially a hacker would be able to configure a yum repository in the system and install malicious packages. These changes would not be flagged by rkhunter anymore. But come to think of it:
- What hackers resort to packaging their stuff, really?
- We should already have mechanisms to watch the configured yum repositories in the system
Trusting yum updates in rkhunter this way seems like a sane use of it.
Bonus tip. Know your tool
rkhunter utility does not check file properties of every system file or package you have. It only checks files which are more often replaced by rootkits, the list of which is coded in
/bin/rkhunter script source itself under
So if you are to run rkhunter --propupd arbitrary-package-name, you may get:
File or package name is not in the “rkhunter.dat” file: php-pecl-igbinary
Warning: The file exists on the system, but it is not present in the rkhunter.dat file