Howto check installed packages with Rkhunter?

Bjoern Voigt
I use Rkhunter to check the installed packages for unallowed modifications.

Unfortunately by default, Rkhunter also reports all official openSUSE
Tumbleweed updates. E.g.

Warning: The file properties have changed:
         File: /bin/rpm
         Current inode: 9841456    Stored inode: 9847931
Warning: The file properties have changed:
         File: /bin/sort
         Current inode: 9830433    Stored inode: 9830466

I usually check some of the reported packages, if they were recently
updated. For the example the packages coreutils (contains /bin/sort) and
rpm (contains /bin/rpm):

mybox:~ # rpm -qf /bin/sort
coreutils-8.27-3.1.x86_64
mybox:~ # rpm -qf /bin/rpm
rpm-4.13.0.1-5.4.x86_64

One of the criteria I check is the RPM build time. For coreutils all
available times are in a short time interval:

mybox:~ # rpm -q --queryformat '%{NAME}\nBUILDTIME:    
%{BUILDTIME:date}\nCHANGELOGTIME: %{CHANGELOGTIME:date}\nFILEMTIMES:  
%{FILEMTIMES:date}\nINSTALLTIME:   %{INSTALLTIME:date}\n' coreutils
coreutils
BUILDTIME:     Wed Aug 16 14:00:00 2017
CHANGELOGTIME: Wed Aug 16 14:00:00 2017
FILEMTIMES:    Mon Aug 21 11:58:19 2017
INSTALLTIME:   Tue Aug 22 14:26:00 2017

But I do not understand the long time interval between build time/file
mtimes for package rpm:

mybox:~ # rpm -q --queryformat '%{NAME}\nBUILDTIME:    
%{BUILDTIME:date}\nCHANGELOGTIME: %{CHANGELOGTIME:date}\nFILEMTIMES:  
%{FILEMTIMES:date}\nINSTALLTIME:   %{INSTALLTIME:date}\n' rpm
rpm
BUILDTIME:     Wed Jul 26 14:00:00 2017
CHANGELOGTIME: Wed Jul 26 14:00:00 2017
FILEMTIMES:    Mon Aug 14 18:21:05 2017
INSTALLTIME:   Thu Aug 17 00:31:12 2017

Does it mean that the package rpm was built on July 26, tested until
August 14, then somehow repacked to refresh the file mtimes, and three
days later (August 17) I installed the update?

Greetings,
Björn
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

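One way to triage the warnings above against the RPM database, as an added example that is not code from the thread: it extracts the flagged paths, asks `rpm -qf` which package owns each, checks with `rpm -V` that the file still matches the package payload (rpm stores no inodes, so an inode-only change after an update is invisible to it), and compares INSTALLTIME with the time rkhunter last stored the properties. The sample data is constructed from the output quoted in the post; the `stored_at` timestamp (e.g. the mtime of rkhunter's data file) must be supplied by the caller, and `rpm` being on the PATH is an assumption.

```python
import re
import subprocess
from datetime import datetime
# Constructed sample, modelled on the warnings quoted in the thread.
SAMPLE_WARNINGS = """\
Warning: The file properties have changed:
         File: /bin/rpm
         Current inode: 9841456    Stored inode: 9847931
Warning: The file properties have changed:
         File: /bin/sort
         Current inode: 9830433    Stored inode: 9830466
"""
# Constructed sample of the queryformat output shown in the thread for package rpm.
SAMPLE_TIMES = """\
rpm
BUILDTIME:     Wed Jul 26 14:00:00 2017
CHANGELOGTIME: Wed Jul 26 14:00:00 2017
FILEMTIMES:    Mon Aug 14 18:21:05 2017
INSTALLTIME:   Thu Aug 17 00:31:12 2017
"""
QUERYFMT = ("%{NAME}\\nBUILDTIME:     %{BUILDTIME:date}\\nCHANGELOGTIME: %{CHANGELOGTIME:date}\\n"
            "FILEMTIMES:    %{FILEMTIMES:date}\\nINSTALLTIME:   %{INSTALLTIME:date}\\n")
def flagged_files(warnings):
    """Paths named on the 'File:' lines of rkhunter's warning output."""
    return re.findall(r"^\s*File:\s+(\S+)", warnings, re.MULTILINE)
def parse_times(text):
    """Queryformat output -> {'BUILDTIME': datetime, ..., 'INSTALLTIME': datetime}."""
    return {k: datetime.strptime(v.strip(), "%a %b %d %H:%M:%S %Y")
            for k, v in re.findall(r"^(\w+):\s+(.+)$", text, re.MULTILINE)}
def classify(owned, payload_ok, times, stored_at):
    """Verdict for one warning; stored_at = when rkhunter last stored properties (assumed)."""
    if not owned:
        return "unowned: no package owns this file, inspect manually"
    if not payload_ok:
        return "mismatch: rpm -V reports the file differs from the package, inspect manually"
    if times["INSTALLTIME"] > stored_at:
        return "updated: package installed after rkhunter stored its properties"
    return "unexplained: no package update since the properties were stored"
def live_check(path, stored_at):
    """Run the real rpm queries for one flagged path (needs rpm on the PATH)."""
    q = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    if q.returncode != 0:
        return classify(False, False, {}, stored_at)
    pkg = q.stdout.strip()
    # rpm -V prints one line per differing file; a clean file produces no line at all.
    v = subprocess.run(["rpm", "-V", pkg], capture_output=True, text=True)
    payload_ok = not any(line.rstrip().endswith(" " + path) for line in v.stdout.splitlines())
    t = subprocess.run(["rpm", "-q", "--queryformat", QUERYFMT, pkg], capture_output=True, text=True)
    return classify(True, payload_ok, parse_times(t.stdout), stored_at)
```

Only the "updated" verdict is a candidate for accepting the change with `rkhunter --propupd`; the other three still need a look.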
Re: Howto check installed packages with Rkhunter?

Martin Herkt
On 2017 M08 27, Sun 23:29:46 CEST Bjoern Voigt wrote:
> I use Rkhunter to check the installed packages for unallowed modifications.

FWIW, RPM has this feature built in. Just use 'rpm -Va'. This verifies not
only the size, digest, permissions, type, owner and group of each file, but
also package signatures, and executes verification scripts if a package has
one.

Shouldn’t this be good enough? I mean, anyone who could tamper with your
package database or rpm itself would also have the power to do that with
rkhunter.

Re: Howto check installed packages with Rkhunter?

Bjoern Voigt
Martin Herkt wrote:

> On 2017 M08 27, Sun 23:29:46 CEST Bjoern Voigt wrote:
>> I use Rkhunter to check the installed packages for unallowed modifications.
> FWIW, RPM has this feature built in. Just use 'rpm -Va'. This verifies not
> only the size, digest, permissions, type, owner and group of each file, but
> also package signatures, and executes verification scripts if a package has
> one.
>
> Shouldn’t this be good enough? I mean, anyone who could tamper with your
> package database or rpm itself would also have the power to do that with
> rkhunter.
One benefit of Rkhunter's RPM checking feature is, that it can save
confirmed RPM file changes. BTW, Rkhunter does not check the whole RPM
packages, but a list of binaries.

Reading the output of 'rpm -Va' means for instance on my desktop, that I
have to check hundreds of legitimate changes again and again.

Of course, there are alternatives for the file checking functions of
Rkhunter like AIDE. But probably (not checked) AIDE also has no
integration with the Zypper update process.

Greetings,
Björn

Re: Howto check installed packages with Rkhunter?

Carlos E. R.-2
In reply to this post by Bjoern Voigt
On 2017-08-27 23:29, Bjoern Voigt wrote:
> I use Rkhunter to check the installed packages for unallowed modifications.
>
> Unfortunately by default, Rkhunter also reports all official openSUSE
> Tumbleweed updates. E.g.

I don't think you can use rkhunter on TW.

Wikipedia describes what it does as:

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits,
backdoors and possible local exploits. It does this by comparing SHA-1
hashes of important files with known good ones in online databases,
searching for default directories (of rootkits), wrong permissions,
hidden files, suspicious strings in kernel modules, and special tests
for Linux and FreeBSD.


The database simply can not keep up, unless some process at the openSUSE
build system would upload new hashes at the same time the rpms are
published.


--
Cheers / Saludos,

                Carlos E. R.
                (from 42.2 x86_64 "Malachite" at Telcontar)

Re: Howto check installed packages with Rkhunter?

Bruno Friedmann-2
On Tuesday, 29 August 2017 13.00:02 h CEST Carlos E. R. wrote:

> On 2017-08-27 23:29, Bjoern Voigt wrote:
> > I use Rkhunter to check the installed packages for unallowed
> > modifications.
> >
> > Unfortunately by default, Rkhunter also reports all official openSUSE
> > Tumbleweed updates. E.g.
>
> I don't think you can use rkhunter on TW.
>
> Wikipedia describes what it does as:
>
> rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits,
> backdoors and possible local exploits. It does this by comparing SHA-1
> hashes of important files with known good ones in online databases,
> searching for default directories (of rootkits), wrong permissions,
> hidden files, suspicious strings in kernel modules, and special tests
> for Linux and FreeBSD.
>
>
> The database simply can not keep up, unless some process at the openSUSE
> build system would upload new hashes at the same time the rpms are
> published.

Before making this kind of remark, could you use man rkhunter and try to
understand how the software works.

That's again 2 mails (including mine) which don't make sense on this ml.

--

Bruno Friedmann
 Ioda-Net Sàrl www.ioda-net.ch
 Bareos Partner, openSUSE Member, fsfe fellowship
 GPG KEY : D5C9B751C4653227
 irc: tigerfoot

Re: Howto check installed packages with Rkhunter?

Carlos E. R.-2
On 2017-08-29 13:58, Bruno Friedmann wrote:

> On Tuesday, 29 August 2017 13.00:02 h CEST Carlos E. R. wrote:
>> On 2017-08-27 23:29, Bjoern Voigt wrote:
>>> I use Rkhunter to check the installed packages for unallowed
>>> modifications.
>>>
>>> Unfortunately by default, Rkhunter also reports all official openSUSE
>>> Tumbleweed updates. E.g.
>>
>> I don't think you can use rkhunter on TW.
>>
>> Wikipedia describes what it does as:
>>
>> rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits,
>> backdoors and possible local exploits. It does this by comparing SHA-1
>> hashes of important files with known good ones in online databases,
>> searching for default directories (of rootkits), wrong permissions,
>> hidden files, suspicious strings in kernel modules, and special tests
>> for Linux and FreeBSD.
>>
>>
>> The database simply can not keep up, unless some process at the openSUSE
>> build system would upload new hashes at the same time the rpms are
>> published.
>
> Before making this kind of remark, could you use man rkhunter and try to
> understand how the software works.
Then explain it.

--
Cheers / Saludos,

                Carlos E. R.
                (from 42.2 x86_64 "Malachite" at Telcontar)

Re: Howto check installed packages with Rkhunter?

Bruno Friedmann-2
On Tuesday, 29 August 2017 14.51:45 h CEST Carlos E. R. wrote:

> On 2017-08-29 13:58, Bruno Friedmann wrote:
> > On Tuesday, 29 August 2017 13.00:02 h CEST Carlos E. R. wrote:
> >> On 2017-08-27 23:29, Bjoern Voigt wrote:
> >>> I use Rkhunter to check the installed packages for unallowed
> >>> modifications.
> >>>
> >>> Unfortunately by default, Rkhunter also reports all official openSUSE
> >>> Tumbleweed updates. E.g.
> >>
> >> I don't think you can use rkhunter on TW.
> >>
> >> Wikipedia describes what it does as:
> >>
> >> rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits,
> >> backdoors and possible local exploits. It does this by comparing SHA-1
> >> hashes of important files with known good ones in online databases,
> >> searching for default directories (of rootkits), wrong permissions,
> >> hidden files, suspicious strings in kernel modules, and special tests
> >> for Linux and FreeBSD.
> >>
> >>
> >> The database simply can not keep up, unless some process at the openSUSE
> >> build system would upload new hashes at the same time the rpms are
> >> published.
> >
> > Before making this kind of remark, could you use man rkhunter and try to
> > understand how the software works.
>
> Then explain it.

Not me, the authors :-)
https://linux.die.net/man/8/rkhunter


--

Bruno Friedmann
 Ioda-Net Sàrl www.ioda-net.ch
 Bareos Partner, openSUSE Member, fsfe fellowship
 GPG KEY : D5C9B751C4653227
 irc: tigerfoot

Re: Howto check installed packages with Rkhunter?

Carlos E. R.-2
On 2017-08-29 15:02, Bruno Friedmann wrote:

> On Tuesday, 29 August 2017 14.51:45 h CEST Carlos E. R. wrote:
>> On 2017-08-29 13:58, Bruno Friedmann wrote:
>>> On Tuesday, 29 August 2017 13.00:02 h CEST Carlos E. R. wrote:
>>>> On 2017-08-27 23:29, Bjoern Voigt wrote:
>>>>> I use Rkhunter to check the installed packages for unallowed
>>>>> modifications.
>>>>>
>>>>> Unfortunately by default, Rkhunter also reports all official openSUSE
>>>>> Tumbleweed updates. E.g.
>>>>
>>>> I don't think you can use rkhunter on TW.
>>>>
>>>> Wikipedia describes what it does as:
>>>>
>>>> rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits,
>>>> backdoors and possible local exploits. It does this by comparing SHA-1
>>>> hashes of important files with known good ones in online databases,
>>>> searching for default directories (of rootkits), wrong permissions,
>>>> hidden files, suspicious strings in kernel modules, and special tests
>>>> for Linux and FreeBSD.
>>>>
>>>>
>>>> The database simply can not keep up, unless some process at the openSUSE
>>>> build system would upload new hashes at the same time the rpms are
>>>> published.
>>>
>>> Before making this kind of remark, could you use man rkhunter and try to
>>> understand how the software works.
>>
>> Then explain it.
>
> Not me the authors :-)
> https://linux.die.net/man/8/rkhunter
Ah, the man page.

Which means I only read this paragraph of interest - I'm not going to read
the options, though (perhaps I would read a howto):

+++------------------
Description
rkhunter is a shell script which carries out various checks on the local
system to try and detect known rootkits and malware. It also performs
checks to see if commands have been modified, if the system startup
files have been modified, and various checks on the network interfaces,
including checks for listening applications.

rkhunter has been written to be as generic as possible, and so should
run on most Linux and UNIX systems. It is provided with some support
scripts should certain commands be missing from the system, and some of
these are perl scripts. rkhunter does require certain commands to be
present for it to be able to execute. Additionally, some tests require
specific commands, but if these are not present then the test will be
skipped. rkhunter needs to be run under a Bourne-type shell, typically
bash or ksh. rkhunter can be run as a cron job or from the command-line.
------------------++-


I'm centering only on the part that checks modified commands. This needs
some database, and it needs to be updated simultaneously with the system. I
read elsewhere that the database is online. If wrong, then it is local.

Doing this on a TW system means that someone has to update that database
daily. Who?

--
Cheers / Saludos,

                Carlos E. R.
                (from 42.2 x86_64 "Malachite" at Telcontar)