One feature that rkhunter on CentOS lacks, and that I miss, is the ability to update rkhunter's property database automatically after yum has run. In Debian, dpkg can be instructed to run rkhunter --propupd after each install/upgrade/removal operation, so that the user does not have to type rkhunter --propupd by hand.
It should be noted that this feature comes with two warnings:

When using automatic database update after each package install/upgrade, an attacker could replace a file after it is installed and before --propupd is run. On a highly protected machine, it is recommended to disable the automatic database update.

It is the user's responsibility to ensure that the files on the system are genuine and from a reliable source. rkhunter can only report that a file has changed, not what caused the change. Hence, if a file has changed and the --propupd command option is used, rkhunter will assume that the file is genuine.
When I manage a server for a client, this is an acceptable risk for me: I always have other means of intrusion detection, including integrity checks of critical files and directories, and I usually do not want a non-tech-savvy client to be upset when they see a warning that a system file has changed.
Luckily, this is doable with the help of plugins (much like the way I have implemented this for
```python
import os
import re
import subprocess

from yum.plugins import TYPE_CORE

requires_api_version = '2.1'
plugin_type = (TYPE_CORE,)

RKHUNTER_CONF = '/etc/rkhunter.conf'
RKHUNTER_EXE = '/usr/bin/rkhunter'

# Set by init_hook; tells posttrans_hook whether an update makes sense.
active = False


def init_hook(conduit):
    """Decide once per yum run whether the property tests are in use.

    The database is worth updating unless rkhunter.conf disables both the
    'hashes' and 'attributes' tests (or the whole 'properties' group) without
    explicitly enabling them again.
    """
    global active
    active = False
    try:
        content = open(RKHUNTER_CONF).read()
    except IOError:
        # No configuration file: rkhunter is not installed, leave the flag off.
        return
    # re.MULTILINE makes '^' anchor at every line, not only at the start of
    # the file; without it the option is only found when it is the first line.
    disabled = re.search(
        r'^DISABLE_TESTS=.*(hashes.*attributes|attributes.*hashes|properties)',
        content, re.MULTILINE)
    enabled = re.search(
        r'^ENABLE_TESTS=.*(hashes|attributes|properties)',
        content, re.MULTILINE)
    if not disabled or enabled:
        active = True


def posttrans_hook(conduit):
    """Runs after the RPM transaction has completed, i.e. files are in place."""
    if active and os.path.isfile(RKHUNTER_EXE):
        conduit.info(2, 'Updating rkhunter property database')
        # Argument list instead of os.system(): no shell between yum and rkhunter.
        rc = subprocess.call(
            [RKHUNTER_EXE, '--propupd', '--pkgmgr', 'RPM', '--nolog'])
        if rc != 0:
            conduit.error(2, 'rkhunter --propupd exited with status %d' % rc)
```
The plugin mimics Debian's rkhunter behaviour: if the attributes tests are disabled, the property database is not updated automatically. This check is performed in init_hook: if the database is to be updated, active is set to True. posttrans_hook checks the active flag and whether the rkhunter binary exists. If both conditions are true, it runs rkhunter --propupd --pkgmgr RPM --nolog (unlike Debian, the package manager is specified explicitly). Since posttrans_hook runs once after the whole transaction, the window described in the first warning above is the time between RPM writing the new files and rkhunter reading them.
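As an added example, not code from the plugin or from rkhunter, the following stand-alone script makes the init_hook decision explicit. It parses rkhunter.conf-style text line by line instead of with one regular expression over the whole file, so commented-out options, quoted values, repeated ENABLE_TESTS/DISABLE_TESTS lines and mixed case are handled. The test names it looks for (hashes, attributes, properties) are the ones the plugin checks; treating DISABLE_TESTS=all as disabling the property tests unless they are re-enabled is an assumption about rkhunter's all keyword that goes beyond what the plugin does. The sample configurations are constructed for the example.

```python
import re
import sys

# Test names whose disabling makes `rkhunter --propupd` pointless: the two
# file-property tests and the 'properties' group that the plugin also checks.
PROPERTY_TESTS = frozenset(['hashes', 'attributes', 'properties'])

OPTION_RE = re.compile(r'^(ENABLE_TESTS|DISABLE_TESTS)\s*=\s*(.*)$')


def parse_test_lists(conf_text):
    """Return (enabled, disabled) sets of test names from rkhunter.conf text.

    Comment and blank lines are skipped, so a commented-out DISABLE_TESTS
    does not count. Either option may appear several times; the values are
    accumulated. Surrounding quotes are stripped and names are lower-cased.
    """
    enabled, disabled = set(), set()
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        match = OPTION_RE.match(line)
        if not match:
            continue
        option, value = match.groups()
        names = set(value.strip().strip('"\'').lower().split())
        if option == 'ENABLE_TESTS':
            enabled |= names
        else:
            disabled |= names
    return enabled, disabled


def propupd_wanted(conf_text):
    """Decide whether an automatic `rkhunter --propupd` is worthwhile.

    Same rule as the plugin: update unless the property tests are disabled,
    and update anyway if they are explicitly enabled. DISABLE_TESTS=all is
    treated as disabling the property tests as well (assumption about
    rkhunter's 'all' keyword; the plugin itself does not look at it).
    """
    enabled, disabled = parse_test_lists(conf_text)
    property_enabled = bool(enabled & PROPERTY_TESTS)
    property_disabled = 'all' in disabled or bool(disabled & PROPERTY_TESTS)
    return property_enabled or not property_disabled


# Constructed sample configurations for the example, not copied from a host.
SAMPLE_DEFAULT = (
    '# typical shipped defaults\n'
    'ENABLE_TESTS=ALL\n'
    'DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps\n'
)
SAMPLE_PROPERTIES_OFF = 'DISABLE_TESTS="properties suspscan"\n'
SAMPLE_REENABLED = 'DISABLE_TESTS=hashes attributes\nENABLE_TESTS=attributes\n'


if __name__ == '__main__':
    # Usage: python rkhunter_propupd_check.py [/etc/rkhunter.conf]
    # Without an argument the constructed samples are evaluated instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print('propupd wanted: %s' % propupd_wanted(fh.read()))
    else:
        for label, text in (('default', SAMPLE_DEFAULT),
                            ('properties off', SAMPLE_PROPERTIES_OFF),
                            ('re-enabled', SAMPLE_REENABLED)):
            print('%-15s propupd wanted: %s' % (label, propupd_wanted(text)))
```

Run it against a real /etc/rkhunter.conf to see what the plugin would decide on that host before enabling it; the line-based parse is what you want in the plugin's init_hook too, since a single anchored regex only sees the first line of the file unless it is compiled with re.MULTILINE.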
The full source code is available on GitHub.