RKHunter warnings improvement

APPLIES TO:

Plesk 12.0 for Linux
Plesk 11.0 for Linux
Plesk 11.5 for Linux

Symptoms

I started a security check through Parallels Plesk Panel at Modules -> Watchdog -> Security -> Start. The process finished successfully, however, the following warning messages are reported in the Watchdog security check log (/var/log/rkhunter.log):

Warning: The command ‘/usr/bin/GET’ has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command ‘/usr/bin/groups’ has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command ‘/usr/bin/ldd’ has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command ‘/sbin/ifdown’ has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command ‘/sbin/ifup’ has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

These files exist in the system. How can I reconfigure RKHunter to verify the existence of the binaries and remove the warning messages?
Resolution

It is recommended that you add the following directives into the RKHunter configuration file:

/usr/local/psa/etc/modules/watchdog/rkhunter.conf
—>8—
SCRIPTWHITELIST=/usr/bin/GET
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/sbin/ifdown
SCRIPTWHITELIST=/sbin/ifup
—8<--- If you want to disable emails, check the log file at /usr/local/psa/etc/modules/watchdog/rkhunter.conf and set it to

/usr/local/psa/etc/modules/watchdog/rkhunter.conf

Or in /etc/cron.daily/01-rkhunter

Install rkhunter on CentOS 6.6

Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. Rootkits are self-hiding toolkits secretly installed by a malicious intruder to allow that user to gain access to the server. Rootkit Hunter offers protection by comparing SHA-1 hashes of important files with known good ones in a online database as well as:

MD5 hash compare
Look for default files used by rootkits
Wrong file permissions for binaries
Look for suspected strings in LKM and KLD modules
Look for hidden files
Optional scan within plaintext and binary files

yum install rkhunter

Check the version

# rkhunter --versioncheck
Rootkit Hunter version 1.4.2

Checking rkhunter version...
  This version  : 1.4.2
  Latest version: 1.4.2

Manual Scan

# rkhunter -c

Or,

# rkhunter -c -l /var/log/rkhunter.log

Automate Rootkit Hunter

Rkhunter can be setup to run checks every day so that we always have up-to-date information about intrusions. This can be accomplished by creating a cronjob.
2.1 Create Cron File

Create the run-file in the following location (RHEL based distributions only):

#nano -w /etc/cron.daily/rkhunter.sh

Install into shell script

#!/bin/sh
(
/usr/bin/rkhunter --versioncheck
/usr/bin/rkhunter --update
/usr/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Scan Report (ServerNameHere)' your@email.here

Set Execute Permissions

Set execute permission on the file you have just created:

# chmod 755 /etc/cron.daily/rkhunter.sh

The cron utility will run once daily, and if a threat is detected, the rkhunter command itself will email our user to alert them. If no problems were found, no email will be received.

Rootkit Hunter configuration

The configuration file for rkhunter can be found at:

# /etc/rkhunter.conf

SSHD Root Logon

The parameter ALLOW_SSH_ROOT_USER tells rkhunter whether or not the root user is allowed to ssh into the system. This is unset by default in the rkhunter.conf file. Rkhunter will complain about this on every run. If you have disabled root login, you should set this parameter to “no”.

ALLOW_SSH_ROOT_USER=no

If you need root login over SSH, you should change this parameter to “yes” so that rkhunter can check this and will mark this setting as valid:

ALLOW_SSH_ROOT_USER=yes

Security practices recommend disabling root login.

Update rkhunter

To check the currently installed version enter the following:

# rkhunter --versioncheck

Run the updater by issuing the following command:

# rkhunter --update

With our database files refreshed, we need to tell rkhunter to check the current values and store them as known-good values:

# rkhunter --propupd

Rkhunter Emails

Getting rkhunter failed emails in your email? Here is how to configure the email to send to a correct address.

Edit /etc/sysconfig/rkhunter:


nano /etc/sysconfig/rkhunter

# System configuration file for Rootkit Hunter which
# stores RPM system specifics for cron run, etc.
#
#    MAILTO= <email address to send scan report>
# DIAG_SCAN= no  - perform  normal  report scan
#            yes - perform detailed report scan
#                  (includes application check)

MAILTO=root@localhost
DIAG_SCAN=no

Change the email to your email.

# System configuration file for Rootkit Hunter which
# stores RPM system specifics for cron run, etc.
#
#    MAILTO= <email address to send scan report>
# DIAG_SCAN= no  - perform  normal  report scan
#            yes - perform detailed report scan
#                  (includes application check)

MAILTO=admin@yourdomain.com
DIAG_SCAN=no

Save and you are all set!