Rkhunter

From SME Server
Jump to: navigation, search


Warning.png Warning:
because of recent security issue, you should process with caution with this contrib. See http://seclists.org/oss-sec/2017/q2/643 . As default we have disabled the auto update feature of the script to prevent the issue described as CVE-2017-7480 to occurs, but the situation raise the question of the use of a script to improve security that could create a breach.

Rkhunter

Contrib 9:
smeserver-rkhunter
The latest version of smeserver-rkhunter is available in the SME repository, click on the version number(s) for more information.

Maintainer

Unnilennium aka Jean-Philippe PIALASSE (Contrib)

Description

  • Rkhunter searches for rootkits and other abnormalities.


it needs the packages smeserver-rkhunter and rkhunter

Installation

  1. Log in (with username root) to the SMEserver console.
  2. Install smeserver-Rkhunter
    /usr/bin/yum install smeserver-rkhunter --enablerepo=smecontribs
    You will get a y/N-question, answer y if it looks fine. There is no need to reboot the server.
  3. you should then issue:
signal-event remoteaccess-update


Alternatively you can use the server-manager panel "Software installer" to add a new package and select smeserver-Rkhunter (repo smecontribs must be enabled) then do the reconfiguration and reboot task, instead of steps 1 and 2, then refresh your browser and configure Rkhunter,.


Editing configuration

as root you can check the current configuration :

db configuration show rkhunter
rkhunter=service
    DisableTests=apps,suspscan,system_commands
    status=enabled

to set a new value just issue ( where you change VALUE and OPTION by the appropriate data):

db configuration setprop rkhunter OPTION VALUE
signal-event remoteaccess-update

DisableTests

here you can set a string of disabled tests separated by ","(default is apps,suspscan,system_commands)

as an example you can avoid alert about deleted file by adding ,deleted_files ( see bug [SME: 3830])

see rkhunter doc for more informations

mail

allow to set the mail where you want to send daily report, default is blank for "root"

config setprop rkhunter mail toto@toto.com
signal-event remoteaccess-update

DIAG_SCAN

default is blank

  • no - perform normal report scan (default)
  • yes - perform detailed report scan (includes application check)
config setprop rkhunter DIAG_SCAN yes
signal-event remoteaccess-update

mailWarn

recipient to send a mail in case of warning. Default is empty. for example

config setprop rkhunter mailWarn toto@toto.com
signal-event remoteaccess-update

status

active or deactivate rkhunter : enabled (default)/ disabled

config setprop rkhunter status disabled
signal-event remoteaccess-update

updateMirrors=

enabled or disabled (default is empty for disabled. As per issue CVE-2017-7480 you should keep this as disabled !

Uninstall

yum remove smeserver-Rkhunter Rkhunter

or alternatively just remove them from the server-manager "Software installer"

Additional information

consult RKH documentation and mailing list in case of warnings, it could be false positive. See bug [SME:4614].

Check installed version

yum info installed smeserver-rkhunter

Bugs

Please raise bugs under the SME Contribs section in bugzilla .


IDProductVersionStatusSummary
10376SME Contribs9.2IN_PROGRESSSecurity issue CVE-2017-7480 ; updates downloaded in clear http could allow remote execution

Changelog

Only released version in smecontrib are listed here.

smeserver-rkhunter Changelog: SME 9 (smecontribs)

2017/07/06 Jean-Philipe Pialasse 1.4.0-4.sme
- disabling as default update for rkh because of CVE-2017-7480 [SME: 10376]

- added property updateMirrors to handle this
2015/08/18 stephane de Labrusse 1.4.0-3.sme
- add smeserver-rkhunter-1.4.0.more_options2rkhunter-conf.patch
2015/08/13 stephane de Labrusse 1.4.0-2.sme
- change path to rsyslog.conf
2015/08/13 stephane de Labrusse 1.4.0-1.sme
- First Import to contribs9

2013/09/17 JP Pialasse 1.2.0-10
- fix not run in cron daily [SME: 7800]

- typos in patchs