One of the features of rkhunter in CentOS that I miss is the ability to update rkhunter's property database automatically after yum is run. In Debian, it is possible to instruct dpkg to run rkhunter --propupd after each install/upgrade/removal operation automatically, so that the user does not have to type rkhunter --propupd manually.
It should be noted that this feature comes with two warnings:

1. When using automatic database update after each package install/upgrade, an attacker could replace a file after it is installed and before --propupd is run. On a highly protected machine, it is recommended to disable the automatic database update.

2. It is the users' responsibility to ensure that the files on the system are genuine and from a reliable source. rkhunter can only report if a file has changed, but not on what has caused the change. Hence, if a file has changed and the --propupd command option is used, then rkhunter will assume that the file is genuine.
When I manage a server for a client, for me this is an acceptable risk: I always have other means of intrusion detection, including integrity checks of critical files and directories, and I usually do not want a non-tech savvy client to be upset if they see a warning that a system file has changed.
Luckily, this is doable with the help of plugins (much like the way I have implemented this for
```python
import os
import re
from yum.plugins import TYPE_CORE

requires_api_version = '2.1'
plugin_type = (TYPE_CORE,)
active = False

def init_hook(conduit):
    # Decide once, at plugin load, whether the property database should be
    # refreshed: not when the hashes/attributes (properties) tests are disabled
    # in rkhunter.conf, unless they are explicitly enabled again.
    global active
    content = open('/etc/rkhunter.conf').read()
    if not re.search(r'^DISABLE_TESTS=.*(hashes.*attributes|attributes.*hashes|properties)', content, re.M) \
            or re.search(r'^ENABLE_TESTS=.*(hashes|attributes|properties)', content, re.M):
        active = True

def posttrans_hook(conduit):
    # Runs after the yum transaction has been applied.
    exe = '/usr/bin/rkhunter'
    if active and os.path.isfile(exe):
        conduit.info(2, 'Updating rkhunter property database')
        command = '%s --propupd --pkgmgr RPM --nolog' % exe
        os.system(command)
```
The plugin mimics Debian's rkhunter behavior: if the hashes/attributes tests are disabled, the property database is not updated automatically (this check is performed in init_hook: if the database is to be updated, active is set to True). posttrans_hook checks the active flag and whether the rkhunter binary exists. If both conditions are true, it runs rkhunter --propupd --pkgmgr RPM --nolog (unlike Debian, the package manager is specified explicitly).
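To show the "should we run --propupd at all" decision on its own, here is an added example (not the plugin's code) that parses the ENABLE_TESTS/DISABLE_TESTS lines of a constructed rkhunter.conf fragment and applies the same rule as init_hook, ignoring comment lines and letting the last assignment win; the function and sample names are assumptions.

```python
import re

# Test names tied to the data that `rkhunter --propupd` records.
PROPERTY_TESTS = {"hashes", "attributes", "properties"}

# Constructed rkhunter.conf fragment: stock default plus a commented-out
# DISABLE_TESTS line that must not be taken into account.
SAMPLE_CONF = '''
ENABLE_TESTS="all"
# DISABLE_TESTS="hashes attributes"
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
'''

_OPTION_RE = re.compile(r'^\s*(ENABLE_TESTS|DISABLE_TESTS)\s*=\s*(.*)$')

def parse_test_lists(conf_text):
    """Return {'ENABLE_TESTS': set, 'DISABLE_TESTS': set} from config text.

    Comment lines are skipped, values may be quoted and hold several
    space-separated test names, and a later assignment replaces an earlier one.
    """
    lists = {"ENABLE_TESTS": set(), "DISABLE_TESTS": set()}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _OPTION_RE.match(line)
        if m:
            value = m.group(2).strip().strip('"\'')
            lists[m.group(1)] = set(value.lower().split())
    return lists

def propupd_wanted(conf_text):
    """Same rule as the plugin's init_hook: no automatic update when
    'properties' or both 'hashes' and 'attributes' are disabled, unless one
    of those tests is explicitly listed in ENABLE_TESTS ("all" is not special)."""
    lists = parse_test_lists(conf_text)
    disabled = ("properties" in lists["DISABLE_TESTS"]
                or {"hashes", "attributes"} <= lists["DISABLE_TESTS"])
    explicitly_enabled = bool(lists["ENABLE_TESTS"] & PROPERTY_TESTS)
    return (not disabled) or explicitly_enabled

def propupd_command(exe="/usr/bin/rkhunter"):
    """The argv posttrans_hook would run (RPM given explicitly, as on the page)."""
    return [exe, "--propupd", "--pkgmgr", "RPM", "--nolog"]

if __name__ == "__main__":
    print("update wanted:", propupd_wanted(SAMPLE_CONF))
    print("command:", " ".join(propupd_command()))
```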
The full source code is available on GitHub.