One feature of rkhunter that I miss in CentOS is the ability to update rkhunter's property database automatically after yum is run. In Debian, it is possible to instruct dpkg to run rkhunter --propupd automatically after each install/upgrade/removal operation, so that the user does not have to type rkhunter --propupd by hand.

It should be noted that this feature comes with two warnings:

When using automatic database update after each package install/upgrade, an attacker could replace a file after it is installed, and before --propupd is run. On a highly protected machine, it is recommended to disable the automatic database update.

It is the users’ responsibility to ensure that the files on the system are genuine and from a reliable source. rkhunter can only report if a file has changed, but not on what has caused the change. Hence, if a file has changed, and the --propupd command option is used, then rkhunter will assume that the file is genuine.

When I manage a server for a client, for me this is an acceptable risk: I always have other means of intrusion detection, including integrity checks of critical files and directories, and I usually do not want a non-tech-savvy client to be upset if they see a warning that a system file has changed.

Luckily, this is doable with the help of plugins (much like the way I have implemented this for monit).

import re
import os.path
import subprocess
from yum.plugins import TYPE_CORE

requires_api_version = '2.1'
plugin_type = (TYPE_CORE,)

RKHUNTER_CONF = '/etc/rkhunter.conf'
RKHUNTER_EXE = '/usr/bin/rkhunter'

# Set by init_hook: True when rkhunter's file-property tests (hashes,
# attributes) are enabled, so that refreshing the property database after a
# transaction makes sense at all.
active = False

def init_hook(conduit):
    global active
    active = False
    try:
        with open(RKHUNTER_CONF) as conf:
            content = conf.read()
    except IOError:
        # No readable rkhunter configuration: leave the plugin inactive.
        return
    # The ^ anchor has to apply per line, hence re.MULTILINE (re.match alone
    # would only ever look at the first line of the file). Commented-out
    # lines start with '#' and therefore do not match.
    disabled = re.search(r'^DISABLE_TESTS=.*(hashes.*attributes|attributes.*hashes|properties)',
                         content, re.MULTILINE)
    enabled = re.search(r'^ENABLE_TESTS=.*(hashes|attributes|properties)',
                        content, re.MULTILINE)
    if not disabled or enabled:
        active = True

def posttrans_hook(conduit):
    # Runs once after the whole transaction (install/upgrade/removal) is done.
    if active and os.path.isfile(RKHUNTER_EXE):
        conduit.info(2, 'Updating rkhunter property database')
        # --pkgmgr RPM: take file properties from the RPM database;
        # --nolog: do not write this run to the rkhunter log file.
        subprocess.call([RKHUNTER_EXE, '--propupd', '--pkgmgr', 'RPM', '--nolog'])

The plugin's configuration file, which lives under /etc/yum/pluginconf.d/ like that of any other yum plugin, only needs to enable it:

[main]
enabled=1

The plugin mimics Debian's rkhunter behavior: if the hashes and attributes tests are disabled, the property database is not updated automatically (this check is performed in init_hook: if the database is to be updated, active is set to True). posttrans_hook checks the active flag and whether the rkhunter binary exists. If both conditions are true, it runs rkhunter --propupd --pkgmgr RPM --nolog (unlike Debian, the package manager is specified explicitly).
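As an added example (not the post's plugin and not rkhunter's own code), the same decision reimplemented as a small parser of ENABLE_TESTS and DISABLE_TESTS that can be exercised against sample rkhunter.conf contents outside yum; it goes beyond the plugin's regular expression by honouring comment lines, double-quoted values, the ALL and NONE keywords and the properties test group. The keyword handling and the group membership (hashes, attributes, scripts, immutable) are assumptions taken from rkhunter's documentation, not from the post.

```python
import re

# Assumed membership of rkhunter's "properties" test group (not from the post).
TEST_GROUPS = {'properties': {'hashes', 'attributes', 'scripts', 'immutable'}}
# The two tests whose results depend on the property database.
PROPERTY_TESTS = {'hashes', 'attributes'}


def _tests(option, conf_text):
    """Return the set of test names listed for OPTION in conf_text.

    Comment lines (leading '#') and trailing comments are ignored, the value
    may be double-quoted, names are case-insensitive and group names are
    expanded. A repeated option line accumulates (assumed behaviour)."""
    found = set()
    for line in conf_text.splitlines():
        m = re.match(r'^\s*%s\s*=\s*"?([^"#]*)"?' % option, line)
        if not m:
            continue
        for name in m.group(1).lower().split():
            found |= TEST_GROUPS.get(name, {name})
    return found


def property_tests_enabled(conf_text):
    """True when hashes or attributes would still run, i.e. when it makes
    sense for the yum plugin to run 'rkhunter --propupd' after a transaction."""
    enabled = _tests('ENABLE_TESTS', conf_text) or {'all'}   # rkhunter default
    disabled = _tests('DISABLE_TESTS', conf_text)
    if 'none' in enabled or 'all' in disabled:
        return False
    if 'all' in enabled:
        effective = PROPERTY_TESTS - disabled
    else:
        effective = enabled - disabled
    return bool(effective & PROPERTY_TESTS)


if __name__ == '__main__':
    # Constructed sample: the stock rkhunter.conf defaults, with the property
    # tests left on, and a variant that disables the whole group.
    stock = ('ENABLE_TESTS=ALL\n'
             'DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps\n')
    print('stock config -> propupd useful:', property_tests_enabled(stock))
    print('properties disabled -> propupd useful:',
          property_tests_enabled(stock + 'DISABLE_TESTS=properties\n'))
```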

The full source code is available on GitHub.

How to Integrate rkhunter with yum