One feature of `rkhunter` that I miss in CentOS is the ability to update `rkhunter`’s property database automatically after `yum` is run. In Debian, `dpkg` can be instructed to run `rkhunter --propupd` automatically after each install/upgrade/removal operation, so the user does not have to type `rkhunter --propupd` by hand.
It should be noted that this feature comes with two warnings:
When using automatic database update after each package install/upgrade, an attacker could replace a file after it is installed, and before `--propupd` is run. On a highly protected machine, it is recommended to disable the automatic database update.
It is the users’ responsibility to ensure that the files on the system are genuine and from a reliable source. `rkhunter` can only report that a file has changed, not what caused the change. Hence, if a file has changed and the `--propupd` command option is used, `rkhunter` will assume that the file is genuine.
When I manage a server for a client, this is an acceptable risk for me: I always have other means of intrusion detection, including integrity checks of critical files and directories, and I usually do not want a non-tech-savvy client to be upset when they see a warning that a system file has changed.
Luckily, this can be done with a `yum` plugin (much like the way I implemented it for `monit`).
```python
import re
import os
import os.path
import subprocess
from yum.plugins import TYPE_CORE

requires_api_version = '2.1'
plugin_type = (TYPE_CORE,)

# Set to True in init_hook when rkhunter's file property tests are enabled,
# i.e. when updating the property database after a transaction makes sense.
active = False

# Only uncommented directives at the start of a line count; re.MULTILINE is
# needed because the whole configuration file is searched, not a single line.
DISABLED_RE = re.compile(r'^DISABLE_TESTS=.*(hashes.*attributes|attributes.*hashes|properties)', re.MULTILINE)
ENABLED_RE = re.compile(r'^ENABLE_TESTS=.*(hashes|attributes|properties)', re.MULTILINE)

def init_hook(conduit):
    global active
    active = False
    try:
        f = open('/etc/rkhunter.conf')
    except IOError:
        # No rkhunter configuration: nothing to update.
        return
    try:
        content = f.read()
    finally:
        f.close()
    # Mimic Debian: skip the update when both hashes and attributes (or the
    # whole properties group) are disabled, unless they are explicitly enabled.
    if not DISABLED_RE.search(content) or ENABLED_RE.search(content):
        active = True

def posttrans_hook(conduit):
    exe = '/usr/bin/rkhunter'
    if active and os.path.isfile(exe):
        conduit.info(2, 'Updating rkhunter property database')
        # Run the binary directly rather than through a shell.
        rc = subprocess.call([exe, '--propupd', '--pkgmgr', 'RPM', '--nolog'])
        if rc != 0:
            conduit.error(2, 'rkhunter --propupd failed with exit status %d' % rc)
```
The plugin is enabled through its configuration file in `/etc/yum/pluginconf.d/`:

```ini
[main]
enabled=1
```
The plugin mimics Debian’s `rkhunter` behavior: if the `hashes` and `attributes` tests are disabled, the property database is not updated automatically (this check is performed in `init_hook`: if the database is to be updated, `active` is set to `True`). `posttrans_hook` checks the `active` flag and whether the `rkhunter` binary exists. If both conditions are true, it runs `rkhunter --propupd --pkgmgr RPM --nolog` (unlike Debian, the package manager is specified explicitly).
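As an added example (not part of the original post or of the plugin on GitHub), here is a stricter `posttrans_hook` that narrows the window described in the first warning: before trusting freshly installed files it verifies every package installed or updated in the transaction with `rpm -V`, and skips `--propupd` if any non-config file no longer matches the RPM database. It relies on yum's `conduit.getTsInfo()` and the `ts_state` of its transaction members, and on the `rpm -V` output format; the sample output is constructed.

```python
import re
import subprocess

# One `rpm -V` line: the verify flags (or "missing"), an optional file type
# character (c = config, d = doc, ...) and the path.
RPM_VERIFY_LINE = re.compile(r'^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$')

# Constructed sample output, as `rpm -V openssh-server` might print it.
SAMPLE_VERIFY_OUTPUT = (
    "S.5....T.  c /etc/ssh/sshd_config\n"
    ".......T.    /usr/share/doc/openssh/README\n"
    "S.5....T.    /usr/sbin/sshd\n"
    "missing     /usr/bin/ssh-keygen\n"
)

def parse_rpm_verify(output):
    """Paths whose contents no longer match the package: missing files or a
    digest ('5') / size ('S') mismatch.  Config files ('c') legitimately
    differ and mtime-only changes ('T') are harmless, so both are ignored."""
    suspicious = []
    for line in output.splitlines():
        m = RPM_VERIFY_LINE.match(line.rstrip())
        if not m:
            continue
        flags, ftype, path = m.groups()
        if ftype != 'c' and (flags == 'missing' or '5' in flags or 'S' in flags):
            suspicious.append(path)
    return suspicious

def verify_packages(names, rpm='/bin/rpm'):
    """Run `rpm -V` for each package and collect files that differ.  rpm exits
    non-zero whenever it reports a difference, so only the output is used."""
    suspicious = []
    for name in names:
        proc = subprocess.Popen([rpm, '-V', name], stdout=subprocess.PIPE)
        out, _ = proc.communicate()
        suspicious.extend(parse_rpm_verify(out.decode('utf-8', 'replace')))
    return suspicious

def posttrans_hook(conduit):
    """Stricter posttrans_hook: skip --propupd if any package installed or
    updated in this transaction no longer verifies against the RPM database."""
    members = conduit.getTsInfo().getMembers()  # yum TransactionMember objects
    names = sorted(set(m.name for m in members if m.ts_state in ('i', 'u')))
    bad = verify_packages(names)
    if bad:
        conduit.error(2, 'rkhunter --propupd skipped, %s differs from RPM database' % ', '.join(bad))
        return
    subprocess.call(['/usr/bin/rkhunter', '--propupd', '--pkgmgr', 'RPM', '--nolog'])
```

This only detects tampering relative to the RPM database: if an attacker can rewrite that database or the `rpm` binary itself, the check gives no assurance, which is why the other integrity checks mentioned above remain necessary.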
The full source code is available on GitHub.