Securing Fedora with rkhunter.
-
Assumes Fedora 27 with dnf-automatic and wget already installed.
Install rkhunter
dnf install -y rkhunter
Update known file properties
rkhunter --propupd
Update to the latest version
rkhunter --update
In /etc/rkhunter.conf set
MAIL-ON-WARNING="root@localhost"
(or your preferred email address)
Part of what rkhunter does is maintain a list of file properties for system files. If the system files change, you'll get a bunch of errors the next time rkhunter runs. Thankfully dnf-automatic makes it easy to run another command any time that it runs.
Edit /etc/dnf/automatic.conf [command] section:
Add "rkhunter --propupd" on a new line.
Scan the system, no user interaction, and all output goes to the log file
rkhunter --cronjob
Add a crontab entry to update and scan the system; I chose 3am every day:
crontab -e
0 3 * * * /usr/bin/rkhunter --update && /usr/bin/rkhunter --cronjob
Monitor for errors by searching the log file for warnings:
grep -i "warning" /var/log/rkhunter/rkhunter.log
You shouldn't see any warnings right now. If it does find something, it may be time to nuke it from orbit, with the caveat that you'll get lots of warnings if the system is updated without updating the file definitions with --propupd.
rkhunter is available in all the major distributions' software libraries, so installation is easy; just setting rkhunter to re-scan file properties after a system update will be a little different.
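A small helper around the "search the log for warnings" step above, as an added example that is not code from the original post. rkhunter writes its warning lines as "Warning: ...", so the match is case-insensitive, and the exit status lets a cron job or monitoring check act on the result; the sample log lines are constructed, not real rkhunter output.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the log grep in functions
# that return a count and an exit status instead of just printing matches.

# count_warnings LOGFILE : print the number of warning lines (0 if unreadable)
count_warnings() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    # grep -c exits 1 when the count is 0; "|| true" keeps set -e quiet
    grep -ci 'warning' "$1" || true
}

# list_warnings LOGFILE : print the warning lines themselves
list_warnings() {
    grep -i 'warning' "$1"
}

# check_log LOGFILE : return 0 when clean, 1 when any warning is present
check_log() {
    n=$(count_warnings "$1")
    if [ "$n" -gt 0 ]; then
        echo "rkhunter: $n warning(s) in $1"
        list_warnings "$1"
        return 1
    fi
    echo "rkhunter: no warnings in $1"
    return 0
}

# Constructed sample log (not real rkhunter output) so the script runs stand-alone.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[03:00:01] Info: Starting test name 'filesystem'
[03:00:02] Warning: The file properties have changed: File: /usr/bin/ssh
[03:00:03] Info: Checking for hidden files and directories
[03:00:04] Warning: Hidden directory found: /tmp/.sample
[03:00:05] Info: Test completed
EOF

# A "file properties have changed" warning right after a dnf update usually
# means --propupd was not re-run, as the post notes; anything else deserves a look.
check_log "$SAMPLE_LOG" || echo "rkhunter check failed: investigate, or re-run --propupd after a known-good update"
```

Point check_log at /var/log/rkhunter/rkhunter.log from the same cron entry to get a non-zero exit (and cron mail) whenever a scan produced warnings.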
-
-
Any SELinux alerts while using rkhunter?
-
@black3dynamite said in Securing Fedora with rkhunter.:
Any SELinux alerts while using rkhunter?
I haven't seen any, and being that it's generally only read access, I doubt anyone would have issues with it. Doesn't mean it won't happen, just that it's not common.
-
For those that aren't already familiar with rkhunter, it is a way to detect if a system has been compromised.
It checks for rootkits in many ways today: comparing file statistics to a known good version, looking for rootkit-specific files and directories, looking for known strings in kernel modules, settings files, running processes, and shell variables, checking network ports and interfaces, and anything odd with the group, user, or passwd files.
You can enable or disable different tests as you see fit. There are even more available than what normally runs in the default profile.
-
@travisdh1 Does it self-update definitions and such?
-
@tim_g said in Securing Fedora with rkhunter.:
@travisdh1 Does it self-update definitions and such?
His instructions say to run an update as part of dnf-automatic. Though he specified the wrong location for the conf file.
Not sure if that is a full update or what.
-
@jaredbusch said in Securing Fedora with rkhunter.:
@tim_g said in Securing Fedora with rkhunter.:
@travisdh1 Does it self-update definitions and such?
His instructions say to run an update as part of dnf-automatic. Though he specified the wrong location for the conf file.
Not sure if that is a full update or what.
Ah I see, I only skimmed it over quickly and didn't catch that.
-
@jaredbusch said in Securing Fedora with rkhunter.:
@tim_g said in Securing Fedora with rkhunter.:
@travisdh1 Does it self-update definitions and such?
His instructions say to run an update as part of dnf-automatic. Though he specified the wrong location for the conf file.
Not sure if that is a full update or what.
Doh! Fixing.