Gentoo Forums
rkhunter and portage: a hook to avoid false positives
hujuice (Guru; Joined: 16 Oct 2007; Posts: 336; Location: Rome, Italy)
Posted: Thu Mar 23, 2017 3:19 pm    Post subject: rkhunter and portage: a hook to avoid false positives

rkhunter is a precious tool to keep a system under watch against rootkits.
It is a bit boring when you use it on an often-updated Gentoo system, because when you emerge watched files (see 'rkhunter --list propfiles'), rkhunter detects false positives.

I wrote a simple portage hook to keep rkhunter updated when a watched file is updated. It works for me.
/etc/portage/bashrc:
# /etc/portage/bashrc

# Cache of the absolute paths rkhunter watches. Kept under /var/lib/rkhunter
# (root-owned, already present for rkhunter's own db) rather than /tmp, so an
# unprivileged local user cannot pre-create or replace the file that decides
# which paths get --propupd.
PROPFILES="/var/lib/rkhunter/portage-hook.propfiles"
PROPS=""

# Only act in postinst, and only if rkhunter is installed
if [ "${EBUILD_PHASE}" == "postinst" ] && qlist -I app-forensics/rkhunter > /dev/null;
then
    # (Re)generate the cache when rkhunter itself was just merged, or when the cache is missing
    if [ "${CATEGORY}/${PN}" == "app-forensics/rkhunter" ] || [ ! -e "$PROPFILES" ];
    then
        # Resolve each watched entry to a full path; entries that are not
        # commands (header lines) fail 'which' silently and are dropped below
        for i in $(/usr/sbin/rkhunter --list propfiles); do
            PROPS="${PROPS}"$'\n'$(/usr/bin/which "${i}" 2>/dev/null)
        done
        /bin/echo -e "$PROPS" | /bin/sed '/^$/d' > "$PROPFILES"
        # Cleanup
        PROPS=""
    fi

    # Files installed by this package that rkhunter also watches:
    # refresh their stored properties one by one
    for i in $(/usr/bin/comm -12 <(/usr/bin/qlist "${CATEGORY}/${PN}" | /usr/bin/sort) <(/usr/bin/sort "$PROPFILES"));
    do
        /bin/echo ":: Updating rkhunter for ${i}"
        /usr/sbin/rkhunter --propupd "$i"
    done
fi


I hope it helps.
Please, tell me about possible errors and criticisms.

Regards,
HUjuice
_________________
Who hasn't a spine, should have a method.
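As an added example (not hujuice's hook, nor code from rkhunter or portage), here is the "which of this package's files does rkhunter watch?" step of the hook above factored into a function that can be dry-run on constructed lists, plus one audit line per path that would be handed to --propupd, so a hook that silently stops working leaves a visible gap in the log. The function names, the package atom and the sample file lists are assumptions; in the real hook the two lists come from qlist and 'rkhunter --list propfiles'.

```shell
#!/bin/sh
# Added example, not the forum poster's hook: the intersection step of the
# portage hook, isolated so it can be exercised on constructed input, and an
# audit line per refreshed file to make a silently failing hook noticeable.
# Assumption (hypothetical): both lists arrive as newline-separated strings
# instead of being produced by qlist and 'rkhunter --list propfiles'.
export LC_ALL=C   # comm needs both inputs sorted under the same collation

# Print, sorted and de-duplicated, the paths present in both lists.
# $1: files installed by the package   $2: files rkhunter watches
watched_files_in_pkg() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$a"
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# One log line per file handed to --propupd: UTC timestamp, package, path.
# $1: package atom   $2: file path
audit_line() {
    printf '%s rkhunter-hook pkg=%s propupd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2"
}

# Constructed sample input standing in for the qlist / rkhunter output.
SAMPLE_PKG_FILES='/usr/bin/awk
/usr/bin/gawk
/usr/share/man/man1/gawk.1.bz2'
SAMPLE_WATCHED='/bin/ps
/usr/bin/awk
/usr/bin/ls'

# Dry run: print the audit line for each file the hook would refresh,
# instead of calling 'rkhunter --propupd'. Paths are assumed space-free.
watched_files_in_pkg "$SAMPLE_PKG_FILES" "$SAMPLE_WATCHED" |
while IFS= read -r f; do
    audit_line sys-apps/gawk "$f"
done
```

Appending these lines to a root-owned log lets you reconcile what the hook refreshed against rkhunter's own log, which addresses the concern that a stopped rkhunter goes unnoticed.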
cboldt (Veteran; Joined: 24 Aug 2005; Posts: 1046)
Posted: Thu Mar 23, 2017 3:34 pm

Thanks for that. I expect some will chime in with other ways to skin the cat. I have some ideas myself, but in this case I am going to be a slight contrarian.

I like that rkhunter reports these "false positives" to me. rkhunter has, from time to time, stopped working altogether, and without much in the way of notice. I am more likely to notice this failure if I recall emerging a watched file, and not getting a report from rkhunter - or getting an rkhunter report on one machine but not another.
hujuice (Guru; Joined: 16 Oct 2007; Posts: 336; Location: Rome, Italy)
Posted: Thu Mar 23, 2017 3:52 pm

cboldt wrote:
Thanks for that. I expect some will chime in with other ways to skin the cat. I have some ideas myself, but in this case I am going to be a slight contrarian.

I like that rkhunter reports these "false positives" to me. rkhunter has, from time to time, stopped working altogether, and without much in the way of notice. I am more likely to notice this failure if I recall emerging a watched file, and not getting a report from rkhunter - or getting an rkhunter report on one machine but not another.

Your way, we are humans and different, luckily.
I keep half a dozen systems cron-updated. Email notifications from rkhunter became so "daily" for me that I didn't have the time/will/patience to update. As a result, the next morning I found new emails, often with the same warnings, and as a result I often didn't check them. That frustrated the rkhunter sense.

The hook way, anyway, could be useful for any way to manage.

Regards,
HUjuice
_________________
Who hasn't a spine, should have a method.
cboldt (Veteran; Joined: 24 Aug 2005; Posts: 1046)
Posted: Thu Mar 23, 2017 4:01 pm

I only update once a week, but agree, daily updating of rkhunter database across half a dozen systems would get tiresome.

I would be tempted to take an easy way out, putting a wrapper around the emerge update.

Code:
#!/bin/sh
/etc/cron.daily/rkhunter   # run the usual rkhunter check first: reports anything changed since the last update
emerge -uDN @world         # then update the system
rkhunter --propupd         # then accept the freshly installed files as the new baseline


The first command would report any "intrusions" just before updating (between the last update and this one, in other words), then update the system, then just assume that any files that rkhunter would have noticed being changed, are still okay as changed. Same effect as your script but runs just once per system update.
hujuice (Guru; Joined: 16 Oct 2007; Posts: 336; Location: Rome, Italy)
Posted: Thu Mar 23, 2017 4:27 pm

cboldt wrote:
Code:
/etc/cron.daily/rkhunter
emerge -uDN @world
rkhunter --propupd

This is what I did, in the last weeks, to avoid repeated emails.
HUjuice
_________________
Who hasn't a spine, should have a method.