rkhunter
作者:精灵 发布时间:2010-10-22 20:36. 分类: 技术相关
rkhunter具有比chrootkit更为全面的扫描范围。除rootkit特征码扫描外,rkhunter还支持端口扫描,常用开源软件版本和文件变动情况检查等。
rkhunter快速安装
cd /tmp
rm -fR rkhunter*
wget -N http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.3.6/rkhunter-1.3.6.tar.gz
gzip -d -c rkhunter-1.3.6.tar.gz | gtar xvf -
cd rkhunter-1.3.6
./installer.sh --install
./installer.sh --show
rkhunter配置文件调整
sed -i 's/DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"/DISABLE_TESTS="suspscan deleted_files"/'
/etc/rkhunter.conf
sed -i 's/ALLOW_SSH_ROOT_USER=no/ALLOW_SSH_ROOT_USER=without-password/' /etc/rkhunter.conf
sed -i 's/#ATTRWHITELIST=\/bin\/ps/ATTRWHITELIST=\/bin\/ps/' /etc/rkhunter.conf
sed -i 's/#WRITEWHITELIST=\/bin\/ps/WRITEWHITELIST=\/bin\/ps/' /etc/rkhunter.conf
sed -i 's/#SCRIPTWHITELIST=\/sbin\/ifup/SCRIPTWHITELIST=\/sbin\/ifup/' /etc/rkhunter.conf
sed -i 's/#SCRIPTWHITELIST=\/sbin\/ifdown/SCRIPTWHITELIST=\/sbin\/ifdown/' /etc/rkhunter.conf
sed -i 's/#SCRIPTWHITELIST=\/usr\/bin\/groups/SCRIPTWHITELIST=\/usr\/bin\/groups/' /etc/rkhunter.conf
sed -i 's/#ALLOWHIDDENDIR=\/dev\/.udev/ALLOWHIDDENDIR=\/dev\/.udev/' /etc/rkhunter.conf
sed -i 's/#ALLOWHIDDENDIR=\/dev\/.udevdb/ALLOWHIDDENDIR=\/dev\/.udevdb/' /etc/rkhunter.conf
sed -i 's/#ALLOWHIDDENFILE=\/usr\/sbin\/.sshd.hmac/ALLOWHIDDENFILE=\/usr\/sbin\/.sshd.hmac/' /etc/rkhunter.conf
sed -i 's/#ALLOWHIDDENFILE=\/usr\/bin\/.ssh.hmac/ALLOWHIDDENFILE=\/usr\/bin\/.ssh.hmac/' /etc/rkhunter.conf
sed -i 's/#ALLOWHIDDENFILE=\/usr\/bin\/.fipscheck.hmac/ALLOWHIDDENFILE=\/usr\/bin\/.fipscheck.hmac/' /etc/rkhunter.conf
echo 'ALLOWHIDDENDIR=/dev/ida' >> /etc/rkhunter.conf
sed -i 's/#SCRIPTWHITELIST=\/sbin\/ifdown/SCRIPTWHITELIST=\/sbin\/ifdown/' /etc/rkhunter.conf
sed -i 's/#SCRIPTWHITELIST=\/usr\/bin\/groups/SCRIPTWHITELIST=\/usr\/bin\/groups/' /etc/rkhunter.conf
echo 'SCRIPTWHITELIST=/usr/bin/ldd' >> /etc/rkhunter.conf
echo 'SCRIPTWHITELIST=/usr/bin/whatis' >> /etc/rkhunter.conf
echo 'SCRIPTWHITELIST=/usr/bin/GET' >> /etc/rkhunter.conf
## 更新rkhunter数据库 ##
rkhunter --update
rkhunter --propupd
/usr/local/bin/rkhunter --cronjob -l --nomow --rwo
rkhunter的crontab定期扫描
运行crontab -e添加以下信息。
3 * * * (/usr/local/bin/rkhunter --cronjob -l --nomow --rwo | mail -s "【标题】rkhunter report" 【邮箱】)
使用方法
Usage:
rkhunter
--checkall (or -c)
Check the system, performs all tests.
--createlogfile*
Create a logfile (default /var/log/rkhunter.log)
--cronjob
Run as cronjob (removes colored layout)
--help (or -h)
Show help about usage
--nocolors*
Don't use colors for output (some terminals don't like colors or extended layout characters)
--report-mode*
Don't
show uninteresting information for reports, like header/footer.
Interesting when scanning from crontab or with usage of other
applications.
--skip-keypress*
Don't wait after every test (makes it non-interactive)
--quick*
Perform quick scan (instead of full scan). Skips some tests and performs some enhanced tests (less suitable for normal scans).
--version
Show version and quit
--versioncheck
Check for latest version
Dynamic paths
--bindir *
Uses another directory when search for binaries (use instead of using default binaries)
--configfile *
Uses a different configuration file (instead of default one)
--dbdir *
Uses another directory for the databases (instead of the default one, often /usr/local/rkhunter/db)
--rootdir *
Uses
another rootdirectory (normally '/'). So all binaries and tests will be
performed on this directory instead of the default .
--tmpdir *
Uses another directory for temporary storage of files
Explicit scan options:
--disable-md5-check*
Disable MD5 checks
--disable-passwd-check*
Disable passwd/group checks
--scan-knownbad-files*
Perform besides 'known good' check a 'known bad' check
发表评论