CentOS 5 RPMs for Rootkit Hunter and Lynis

Rootkit Hunter and Lynis are two useful security tools provided by Michael Boelen at www.rootkit.nl. They perform local checks on your system, looking for possible installed rootkits and for compromised files and binaries.

Here are the RPMs I made. They were built on CentOS 5, but you may well be able to install them on any RPM-capable distribution.

rkhunter-1.3.2-1.noarch.rpm – Binary RPM, platform independent
http://www.greci.cc/wp-content/uploads/2008/03/rkhunter-1.3.2-1.noarch.rpm

rkhunter-1.3.2-1.src.rpm – Source code RPM
http://www.greci.cc/wp-content/uploads/2008/03/rkhunter-1.3.2-1.src.rpm

lynis-1.0.8-1.noarch.rpm – Binary RPM, platform independent
http://www.greci.cc/wp-content/uploads/2008/03/lynis-1.0.8-1.noarch.rpm

lynis-1.0.8-1.src.rpm – Source code RPM
http://www.greci.cc/wp-content/uploads/2008/03/lynis-1.0.8-1.src.rpm

As usual they must be installed with rpm -i or (which I prefer) rpm -Uvh.
Once done, test your installation with rkhunter -c and have a look at /var/log/rkhunter.log to see your results.

Do almost the same for Lynis: test it with lynis -c and inspect the log at /var/log/lynis.log.

You can change the configuration defaults (such as email alerts) by editing /etc/rkhunter.conf and /etc/lynis/default.prf.

To get the best out of these programs it's recommended to run them on a regular basis. Assuming you want to run them once every day, edit your crontab as follows:

(the rkhunter RPM automatically creates its own cron entry in /etc/cron.daily/0logwatch, so you don't need to add one for it)

10 0 * * * lynis -c

This runs the checks every day: rkhunter at midnight and Lynis at ten minutes past midnight.

Unfortunately Lynis doesn't provide a --cronjob flag to suppress console output, and most *nix systems are set up to send cron's output via sendmail, which some people find annoying. To suppress the output you can always use the well-known > /dev/null 2>&1, so your Lynis crontab entry will look like:

10 0 * * * lynis -c > /dev/null 2>&1

A deeper look at the help (shame on me) revealed that you can use the -Q flag to suppress output, so your Lynis crontab entry will look like:

10 0 * * * lynis -c -Q
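Silencing the cron job completely also hides the one thing you actually want to hear about: a scan that found something. As an added example (not part of the original post and not code from either project), the wrapper below runs both tools quietly, then greps their logs and prints a summary only when warnings were logged, so cron's mail arrives only on a bad night. It assumes rkhunter and lynis are on PATH, that they write to the log paths named above, that both tools log problems as lines containing "Warning" (an assumption about the log format), and that rkhunter's --cronjob flag and Lynis's -Q flag suppress console output as described in the post. The sample log contents are constructed so the reporting logic can be exercised without the tools installed.

```shell
#!/bin/sh
# Added example: daily cron wrapper for rkhunter and Lynis. Not from the original
# post; the log format it greps for is an assumption.

# Log locations named in the post.
RKHUNTER_LOG=/var/log/rkhunter.log
LYNIS_LOG=/var/log/lynis.log

# count_findings LOGFILE
# Prints the number of lines containing "warning" (case-insensitive) in LOGFILE,
# or 0 when the file is missing. Always exits 0 so it is safe under 'set -e'
# even when grep finds nothing (grep -c returns 1 on zero matches).
count_findings() {
    if [ -r "$1" ]; then
        grep -ci 'warning' "$1" || true
    else
        echo 0
    fi
}

# run_scans
# Runs both checks with their quiet flags and discards console output; the
# results live in the logs. A non-zero exit from either tool must not abort
# the wrapper, otherwise the other scan would be skipped.
run_scans() {
    rkhunter -c --cronjob >/dev/null 2>&1 || true
    lynis -c -Q >/dev/null 2>&1 || true
}

# report_findings RKLOG LYLOG
# Prints one summary line per log that contains warnings. Returns 1 if any
# warnings were found, 0 if both logs are clean. Cron mails whatever is
# printed, so a clean run produces no mail at all.
report_findings() {
    rk=$(count_findings "$1")
    ly=$(count_findings "$2")
    status=0
    if [ "$rk" -gt 0 ]; then
        echo "rkhunter: $rk warning line(s) in $1"
        status=1
    fi
    if [ "$ly" -gt 0 ]; then
        echo "lynis: $ly warning line(s) in $2"
        status=1
    fi
    return $status
}

# make_sample_log clean|dirty
# Writes a constructed log (not real tool output) to a temporary file and
# prints its path, for trying the reporting logic without the tools installed.
make_sample_log() {
    f=$(mktemp)
    printf '%s\n' '[00:00:05] Info: Starting system check' > "$f"
    if [ "$1" = dirty ]; then
        printf '%s\n' "[00:00:09] Warning: The command '/bin/ls' has been replaced by a script" >> "$f"
        printf '%s\n' '[00:00:12] Warning: Suspicious file found: /tmp/.example' >> "$f"
    fi
    printf '%s\n' '[00:00:15] Info: System check completed' >> "$f"
    echo "$f"
}

# Entry point for the cron job, e.g. (the install path is an assumption):
#   10 0 * * * /usr/local/bin/daily-scans.sh run
if [ "${1:-}" = run ]; then
    run_scans
    report_findings "$RKHUNTER_LOG" "$LYNIS_LOG"
fi
```

Because the script exits non-zero when warnings were found, it can also be chained into whatever alerting you already use, while the logs themselves keep the full detail the post tells you to inspect.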

Wish you a good scan and a clean system.
