One of the features of rkhunter in CentOS that I miss is the ability to update rkhunter's property database automatically after yum is run. In Debian, the rkhunter package can hook dpkg so that rkhunter --propupd runs after each install/upgrade/removal operation, and the user does not have to type rkhunter --propupd manually.

It should be noted that this feature comes with two warnings:

When using automatic database update after each package install/upgrade, an attacker could replace a file after it is installed, and before --propupd is run. On a highly protected machine, it is recommended to disable the automatic database update.

It is the users’ responsibility to ensure that the files on the system are genuine and from a reliable source. rkhunter can only report if a file has changed, but not on what has caused the change. Hence, if a file has changed, and the --propupd command option is used, then rkhunter will assume that the file is genuine.

When I manage a server for a client, for me this is an acceptable risk: I always have other means of intrusion detection, including integrity checks of critical files and directories, and I usually do not want a non-tech savvy client to be upset if they see a warning that a system file has changed.

Luckily, this is doable with the help of a yum plugin (much like the way I have implemented this for monit).

The plugin mimics Debian's rkhunter behavior: if both the hashes and attributes tests are disabled, the property database is not updated automatically (this check is performed in init_hook: if the database is to be updated, the active flag is set to True). posttrans_hook checks the active flag and whether the rkhunter binary exists. If both conditions are true, it runs rkhunter --propupd --pkgmgr RPM --nolog (unlike Debian, the package manager is specified explicitly rather than auto-detected).
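The plugin described above, written out as an added example; this is a reconstruction of the behavior the post describes, not the code from the author's GitHub repository. It assumes rkhunter's configuration lives at /etc/rkhunter.conf, the binary at /usr/bin/rkhunter, and that the file is installed as /usr/lib/yum-plugins/rkhunter-propupd.py with a matching /etc/yum/pluginconf.d/rkhunter-propupd.conf containing `[main]` and `enabled=1`. The decision is taken in init_hook and the command runs from posttrans_hook, exactly as in the post; the config-parsing helpers are split out so the decision logic can be exercised without yum.

```python
# Added example: a yum plugin that refreshes rkhunter's file property database
# after each transaction. Reconstructed from the post's description, not the
# author's repository. Assumed locations:
#   plugin file  /usr/lib/yum-plugins/rkhunter-propupd.py
#   plugin conf  /etc/yum/pluginconf.d/rkhunter-propupd.conf  ([main] enabled=1)
#   rkhunter     /usr/bin/rkhunter and /etc/rkhunter.conf
import os
import re
import subprocess

try:
    from yum.plugins import TYPE_CORE
except ImportError:  # not running under yum (e.g. tests); the value only matters to yum
    TYPE_CORE = 'core'

requires_api_version = '2.3'
plugin_type = (TYPE_CORE,)

RKHUNTER_CONF = '/etc/rkhunter.conf'  # assumed path
RKHUNTER_BIN = '/usr/bin/rkhunter'    # assumed path

# Set by init_hook, read by posttrans_hook (yum calls both in one process).
active = False

_DISABLE_RE = re.compile(r'^DISABLE_TESTS\s*=\s*"?([^"]*)"?\s*$')


def disabled_tests(conf_text):
    """Return the set of test names listed on DISABLE_TESTS lines of rkhunter.conf.

    Anything after '#' is a comment; several DISABLE_TESTS lines accumulate; names
    are lower-cased. ENABLE_TESTS is deliberately not interpreted, mirroring the
    post's rule, which looks only at disabled tests.
    """
    names = set()
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        match = _DISABLE_RE.match(line)
        if match:
            names.update(name.lower() for name in match.group(1).split())
    return names


def propupd_needed(conf_text):
    """Debian's rule: skip --propupd when the hashes and attributes tests are both
    disabled (or every test is), since nothing would consume the database."""
    disabled = disabled_tests(conf_text)
    if 'all' in disabled:
        return False
    return not {'hashes', 'attributes'} <= disabled


def propupd_command(rkhunter_bin):
    """The command named in the post; the package manager is given explicitly."""
    return [rkhunter_bin, '--propupd', '--pkgmgr', 'RPM', '--nolog']


def init_hook(conduit):
    """Runs when yum loads the plugin: decide once whether to update later."""
    global active
    try:
        with open(RKHUNTER_CONF) as fh:
            conf_text = fh.read()
    except IOError:
        conf_text = ''  # no config file: no test is disabled, so an update is wanted
    active = propupd_needed(conf_text)
    conduit.info(3, 'rkhunter-propupd: active=%s' % active)


def posttrans_hook(conduit):
    """Runs after the RPM transaction has been committed to disk."""
    if not active or not os.path.isfile(RKHUNTER_BIN):
        return
    conduit.info(2, 'Updating rkhunter file properties database')
    rc = subprocess.call(propupd_command(RKHUNTER_BIN))
    if rc != 0:
        conduit.error(2, 'rkhunter --propupd exited with status %d' % rc)
```

yum only loads the file if `plugins=1` is set in /etc/yum.conf and the plugin's own conf file enables it; after that every successful `yum install`/`yum update`/`yum remove` ends with the propupd run. Because posttrans_hook fires after the files are already on disk, the window between package installation and the database refresh that the first warning above describes still exists with this plugin.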

The full source code is available on GitHub.

How to Integrate rkhunter with yum