Sorting out Rkhunter on Fedora 13 and hooking it up to Anacron

I’ve used rkhunter (Root Kit Hunter) in the past (on my old Ubuntu machine) and even though it might be a little overly paranoid it’s not a bad idea to run it now and then to check your system integrity. Now that I’ve recently got a fresh Fedora 13 install I wanted to set up rkhunter again on my clean system.

I installed it with YUM:

# yum install rkhunter

and invoked it to make it update its file properties database (basically saying: this system is clean, use it as a reference for future checks):

# rkhunter --propupd

(note: run as root)

And then proceeded to run a check on the system (not really needed, since I had just run propupd, but I wanted to check that things worked):

# rkhunter --check
Invalid XINETD_CONF_PATH configuration option - non-existent pathname specified: /etc/xinetd.conf

(my highlighting).

OK, so apparently this is a known problem on Fedora since version 11, and it is fixed by commenting out the following line in the /etc/rkhunter.conf file:

XINETD_CONF_PATH=/etc/xinetd.conf

Having done that, rkhunter runs as expected and checks the system for problems.
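Since the fix above is a one-line edit to rkhunter.conf, it is easy to script so it can be re-applied after a reinstall. The following is an added example (not from the original post) that comments out the XINETD_CONF_PATH option only when the path it names does not exist, and leaves it alone otherwise; the function names and the sample file in the usage note are my own.

```sh
#!/bin/sh
# Added example: disable rkhunter's XINETD_CONF_PATH option when the
# configured path is missing on this system (the Fedora 13 situation
# described above). The config file path is taken as $1 so the function
# can be exercised on a copy rather than on /etc/rkhunter.conf directly.

disable_missing_xinetd_path() {
    conf="$1"
    # Read the configured path from the first active (uncommented) line
    path=$(sed -n 's/^[[:space:]]*XINETD_CONF_PATH=//p' "$conf" | head -n 1)
    [ -n "$path" ] || return 0      # option not set: nothing to do
    [ -e "$path" ] && return 0      # path exists: keep the option as is
    # Comment the line out, rewriting via a temp file so partial writes
    # never leave a truncated config behind
    tmp="$conf.tmp.$$"
    sed 's/^[[:space:]]*\(XINETD_CONF_PATH=.*\)$/#\1/' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Number of active XINETD_CONF_PATH lines left in the file (0 after the fix)
active_xinetd_lines() {
    grep -c '^[[:space:]]*XINETD_CONF_PATH=' "$1" || true
}

# Usage on a live system (as root): disable_missing_xinetd_path /etc/rkhunter.conf
```

Because the function checks for the path before touching anything, running it on a system where /etc/xinetd.conf does exist is a no-op, so the same script works on hosts that do have xinetd installed.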
Btw, you can get more detailed info on rkhunter here.

Now I wanted to add rkhunter updates and checks to Anacron so that they could be run every couple of days. Since I’m on a laptop that isn’t always on, Anacron is the right choice (as opposed to Cron). More on that can be found here.

To make this work I had to edit the /etc/anacrontab file, which lists the different tasks to be run. By default it contains some entries related to cron (there’s some trickery involved between the two, but that’s not relevant to the task at hand). All that was needed was to add the following two lines to the file:

5 5 rkhunter.update rkhunter --update
5 15 rkhunter.check rkhunter --check --sk --rwo

This reads:
No more often than every 5 days, and no earlier than 5 minutes after anacron starts, run a task identified as “rkhunter.update” whose command is “rkhunter --update”…simples.

Similar for the next line, which is the actual rootkit check. (The parameters “--sk” and “--rwo” mean: skip the key presses between test sections, and only report warnings.)
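If you reinstall or rerun the setup, appending those two lines blindly would give anacron duplicate job identifiers. The following is an added example (not from the original post) that adds the two jobs only when no active job with the same identifier is already present; the function names are my own, and the file path is a parameter so the functions can be tried on a copy of the anacrontab first.

```sh
#!/bin/sh
# Added example: idempotently add the rkhunter jobs from the post to an
# anacrontab. Job lines have the layout
#   period(days)  delay(minutes)  job-identifier  command
# Comment, blank and VAR=value lines are skipped when looking for jobs.

# Is there an active job with identifier $2 in the anacrontab $1?
anacron_has_job() {
    awk -v id="$2" \
        '!/^[[:space:]]*(#|$)/ && NF >= 4 && $3 == id { found = 1 }
         END { exit !found }' "$1"
}

# Append a job unless its identifier already exists.
# Usage: anacron_add_job FILE PERIOD DELAY ID COMMAND
anacron_add_job() {
    tab="$1"; period="$2"; delay="$3"; id="$4"; cmd="$5"
    # Only plain integer periods/delays are handled here (the post uses 5
    # and 5/15); a non-integer would make anacron reject the line.
    case "$period" in ''|*[!0-9]*) echo "bad period for $id" >&2; return 1;; esac
    case "$delay"  in ''|*[!0-9]*) echo "bad delay for $id"  >&2; return 1;; esac
    if anacron_has_job "$tab" "$id"; then
        return 0                        # already present: nothing to do
    fi
    printf '%s\t%s\t%s\t%s\n' "$period" "$delay" "$id" "$cmd" >> "$tab"
}

# Count active job lines (ignores comments, blanks and VAR=value lines)
anacron_job_count() {
    awk '!/^[[:space:]]*(#|$)/ && NF >= 4 { n++ } END { print n + 0 }' "$1"
}

# Install the two jobs described in the post into the anacrontab $1
setup_rkhunter_jobs() {
    anacron_add_job "$1" 5 5  rkhunter.update "rkhunter --update"
    anacron_add_job "$1" 5 15 rkhunter.check  "rkhunter --check --sk --rwo"
}

# On a live system (as root): setup_rkhunter_jobs /etc/anacrontab
```

The identifier is what anacron uses to record the last run time in its spool directory, so keeping it unique per job matters: a second line with the same identifier would share that timestamp and the two entries would fight over when to run.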

NOTE: I had to search around a bit before I realized that all the tasks in the anacrontab (and presumably crontab) files are run as root…

Anacron and cron both email the output from these runs to the root account. To see what’s been emailed, the simple (but not elegant!) method is this:

cat /var/spool/mail/root

So now you know how to install and run rkhunter on Fedora 13 and how to set it up to run on a regular basis using anacron.
