Koozali.org: home of the SME Server

Contrib Feedback: Root Kit Hunter

wellsi
Contrib Feedback: Root Kit Hunter
« on: July 18, 2004, 05:43:02 PM »
Root Kit Hunter

Rootkit Hunter is a scanning tool that ensures you are about 99.9% clean of nasty tools. This tool scans for rootkits, backdoors and local exploits.

Author(s): Duncan Thomas
Contributor(s):
License: GPL

How To Link: http://no.longer.valid/phpwiki/index.php/RootKitHunter%20how%20to
Topic Page: Intrusion Detection

This thread is for feedback specifically related to this How To & Contrib.
Reports of success are welcome, as well as any problems and suggested improvements.

Muzo

Contrib Feedback: Root Kit Hunter
« Reply #1 on: July 19, 2004, 04:34:44 PM »
Hi,

What is the difference between Duncan's rpm and this how to: http://no.longer.valid/phpwiki/index.php/HowToInstallRootKitHunter ?

Is RKHunter optimized for SME?

wellsi
Contrib Feedback: Root Kit Hunter
« Reply #2 on: July 19, 2004, 06:41:15 PM »
A very good question which I was also thinking of whilst adding Duncan's info to the How To Classification.

I noticed that your (& mbachmann's) HowTo is "Tested on SME Version 5.6 GPL", have you also tested it on 6.0?

Is the core SW the same for both and the only difference being how it is packaged RPM vs TGZ? I can see a benefit of having both (as we have for other packages).

Or are these two different projects?

Could someone check and report back with the details?

duncan

Contrib Feedback: Root Kit Hunter
« Reply #3 on: July 20, 2004, 12:17:10 AM »
There is no real difference. It's just a package I made for easy installation onto my customers' machines.

I added a cronjob that runs weekly and emails its findings to admin.

Regards Duncan

Muzo

Contrib Feedback: Root Kit Hunter
« Reply #4 on: July 20, 2004, 09:27:46 AM »
Oh! ok, good job Duncan!  :hammer:

But I see that RKHunter changes quickly. I wrote the how to with the 1.0.5 revision, and now the revision number is 1.1.2. Good luck!


Wellsi, I'm still on SME 5.6, but I think mbachmann has an SME 6.0.

Now, if you want to test it, use Duncan's RPM, because you can remove the rpm.
If you want to use it in production, I prefer to use the tgz file. In the tgz there is an installation script. But you can't remove it (huh... I never tried it). And... I never tested an update of my RKHunter 1.0.5.. :idea:

Duncan, I've got a question: suppose I install your RPM. Can I update it with the latest tgz?

duncan

Contrib Feedback: Root Kit Hunter
« Reply #5 on: July 20, 2004, 09:44:34 AM »
Yes. At this rate I will probably be putting out an rpm per week  :roll:

The configs are in a different location on the rpm than the source. I am not sure how that would affect things for you. I will update the package shortly.

Duncan

mbachmann

Contrib Feedback: Root Kit Hunter
« Reply #6 on: July 22, 2004, 11:48:35 AM »
Yes, I run 2 SME 6.0.1 and I have not tested Muzo's contrib on these machines; I just added the cron part in the howto for completeness. I tried Duncan's contrib first and found it working and easy. Actually the cron part is obsolete, because of the rkhunter --cronjob switch in Duncan's rpm.

wellsi
Contrib Feedback: Root Kit Hunter
« Reply #7 on: July 22, 2004, 12:31:44 PM »
Nice to see the active discussion.

I just tested the TGZ install on 6.0.1; it works fine.

Both are now listed together at the Topic Page: Intrusion Detection

The RPM install: ( I have added usage instructions now )
http://no.longer.valid/phpwiki/index.php/RootKitHunter%20how%20to

The TGZ install:
http://no.longer.valid/phpwiki/index.php/HowToInstallRootKitHunter


From the discussion it appears that the RPM would be used for most installs (easy and can be removed).
But that the TGZ is used for getting the latest update (in between releases of the RPM) and for cases where you prefer not to use the RPM.

It would be good to know if the TGZ can be used as an update - and add that to the How-To(s).

You may also want to consider pointing the feedback on the TGZ How-To to this thread (or create a new one).

Muzo

Contrib Feedback: Root Kit Hunter
« Reply #8 on: July 22, 2004, 04:16:47 PM »
OK, I've got an idea.

We use Duncan's RPM, to use the same things. And I suppose that if Duncan changed the configuration files' place, he has good reasons.

I suggest that, to update faster and let Duncan breathe a little  ;-) , we use the TGZ files, but we must modify the install.sh script to put those configuration files in the right place (Duncan's rpm place).

Duncan, do you think my idea is realizable?

duncan

Contrib Feedback: Root Kit Hunter
« Reply #9 on: July 23, 2004, 12:35:01 AM »
I would say that if you are currently installing from source, then just stay with that. There is really no need to jump between the two.

The rpm might end up being a hit and miss thing - getting done when I have the time (Which is sometimes really lacking  ;-) )

There are times when rpm packages save a huge amount of time. This is not one of them.

duncan

Contrib Feedback: Root Kit Hunter
« Reply #10 on: July 26, 2004, 02:07:21 AM »
I have updated rkhunter to 1.1.3. However, I have changed the install paths to the defaults, so those using this rpm will need to remove the original before installing the new package.

rpm -e smeserver-rkhunter
then
rpm -ivh smeserver-rkhunter-1.1.3-1.noarch.rpm

I have done this to make building packages quicker and easier at my end.

Regards Duncan.

mdo
Contrib Feedback: Root Kit Hunter
« Reply #11 on: August 07, 2004, 10:33:47 PM »
Duncan,

I appreciate your work on building the smeserver-rkhunter rpm. I prefer to install rpms on production machines as this makes administration easier.

Can I suggest changing the weekly cron job to include the full path to rkhunter? Rather than

rkhunter --cronjob | /bin/mail xxxx it should be
/usr/local/bin/rkhunter --cronjob | /bin/mail xxxx.

Regards,
Michael Doerner
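The reason for the full path is that cron starts jobs with a minimal PATH, so a bare "rkhunter" in /usr/local/bin is silently not found and admin gets an empty mail. The wrapper below is an added example of the weekly job as a practitioner would write it; it is not the script from Duncan's rpm, and the binary location, recipient "admin" and /bin/mail with -s are assumptions (all overridable):

```shell
#!/bin/sh
# Constructed example of a weekly cron wrapper for rkhunter; not the script in
# Duncan's rpm. Assumed locations: the binary at /usr/local/bin/rkhunter, the
# report recipient "admin", and /bin/mail as the mailer (all overridable).
RKHUNTER_BIN="${RKHUNTER_BIN:-/usr/local/bin/rkhunter}"
ADMIN_MAIL="${ADMIN_MAIL:-admin}"
MAILER="${MAILER:-/bin/mail}"

# cron starts jobs with a minimal PATH (typically /usr/bin:/bin), so a bare
# "rkhunter" is not found in /usr/local/bin. Pin PATH instead of hoping.
PATH=/usr/local/bin:/usr/bin:/bin
export PATH

# run_rkhunter_check BIN: refuse anything but an absolute scanner path, check
# it is really there, then run the scan. Prints the report; returns the
# scanner's exit status, or 2 when it could not run, so a broken install is
# reported to admin rather than silently skipped.
run_rkhunter_check() {
  bin="$1"
  case "$bin" in
    /*) ;;
    *) echo "refusing relative scanner path: $bin"; return 2 ;;
  esac
  if [ ! -x "$bin" ]; then
    echo "rkhunter not found or not executable at $bin"
    return 2
  fi
  "$bin" --cronjob
}

# report_subject RC: subject line that tells the status without opening the
# mail. Assumes a non-zero scanner exit status means the scan needs attention.
report_subject() {
  case "$1" in
    0) echo "rkhunter weekly scan: clean on $(uname -n)" ;;
    2) echo "rkhunter weekly scan: NOT RUN on $(uname -n)" ;;
    *) echo "rkhunter weekly scan: WARNINGS on $(uname -n)" ;;
  esac
}

main() {
  # Capture the report first so the status we act on is rkhunter's, not mail's.
  report=$(run_rkhunter_check "$RKHUNTER_BIN" 2>&1)
  rc=$?
  printf '%s\n' "$report" | "$MAILER" -s "$(report_subject "$rc")" "$ADMIN_MAIL"
}

# Install as /etc/cron.weekly/rkhunter-check.sh and invoke with the "run" argument.
if [ "${1:-}" = "run" ]; then main; fi
```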

duncan

Contrib Feedback: Root Kit Hunter
« Reply #12 on: August 11, 2004, 01:46:03 AM »
I have made the change in the latest build, 1.1.4.1.

Regards Duncan

mdo
Contrib Feedback: Root Kit Hunter
« Reply #13 on: August 11, 2004, 07:48:26 AM »
Duncan,

Excellent. Many thanks for your update and the ongoing work on that software. It's much appreciated.

Regards,
Michael

mbachmann

Contrib Feedback: Root Kit Hunter
« Reply #14 on: August 11, 2004, 09:22:26 AM »
I second that. Thanks, Duncan.