Rkhunter (x86 and x86_64)

This section is designed for your 'porteus build scripts' which create Porteus modules for your favorite applications. Scripts should work like the well-known 'SlackBuilds' with minimum user interaction.
BlackRider
Black ninja
Posts: 70
Joined: 13 Jul 2011, 11:04
Location: Nowhere

Rkhunter (x86 and x86_64)

Post#1 by BlackRider » 17 Jul 2011, 00:20

RKHunter is a scanning tool that scans for rootkits, backdoors, and
local exploits by running tests like:

MD5 hash comparison, known rootkit files, incorrect permissions on
binaries, suspect strings in LKM and LKD modules, and hidden files

Rootkit Hunter is released as a GPL licensed project and is free for
everyone to use.
I have packaged this PorteusBuild pack to emulate the packaging process
of SlackBuilds. To compile and create the package, just place the source
tarball in the same folder as the uncompressed script
(rkhunter.PorteusBuild). Then, execute the script with root privileges.

A package will be generated in /tmp

I have not included the source in the build pack. You can download it using the link I provide you with.

NOTES: rkhunter is prone to false positives. It will trigger many of them
in Porteus. It is the duty of the administrator to read the documentation
and to review every alarm to decide what is dangerous and what is not.

The documentation of /usr/doc/... has been included compressed.
I know it can be considered a lack of space by some, but I like having the
documentation in my system. You can modify the script so documentation is
deleted, if you like.

INFORMATION------------------------------------
rkhunter website: http://rootkit.nl/projects/rootkit_hunter.html
rkhunter's source (direct link): http://porteus.olympe-network.com/black ... 3.8.tar.gz
MD5 checksum for the source: 0c34eb2a2d0caa384f442c11fcbb0c46
SHA512 checksum for the source: b1cf308f06a2744b5addf3dc9663815832a1878e3cb7fe281bfa83f8c293803b1e9cfd34c4f39e5707618beb6b852a5220e3cd52c93fcbb354a2c638acd76c5b
-----------------------------------------------

This has been tested with Porteus v1.0 x86_64, but the same pack is supposed to work on good old x86.

http://porteus.olympe-network.com/black ... sBuild.tar
Last edited by BlackRider on 21 Jul 2011, 13:37, edited 3 times in total.
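As an added example (not part of BlackRider's build pack, and not code from the rkhunter project), the following POSIX shell script checks a downloaded tarball against the MD5 and SHA512 values published in the post before the PorteusBuild is run as root. The digest constants are the values from the post; the file hashed when the script runs stand-alone is a constructed sample, so the real tarball name is left for the caller to supply.

```shell
#!/bin/sh
# Added example, not part of the rkhunter PorteusBuild pack: refuse to run a
# build script as root until the source tarball matches BOTH published digests.
# The digest constants are the values from the post; the file hashed in demo()
# is a constructed sample, not the real tarball.
set -e

# Published checksums of the rkhunter source tarball (from the post).
RKHUNTER_MD5="0c34eb2a2d0caa384f442c11fcbb0c46"
RKHUNTER_SHA512="b1cf308f06a2744b5addf3dc9663815832a1878e3cb7fe281bfa83f8c293803b1e9cfd34c4f39e5707618beb6b852a5220e3cd52c93fcbb354a2c638acd76c5b"

# verify_checksum FILE ALGO EXPECTED: return 0 only if FILE's digest equals EXPECTED.
verify_checksum() {
    file=$1; algo=$2; expected=$3
    case "$algo" in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha512) actual=$(sha512sum "$file" | cut -d' ' -f1) ;;
        *)      echo "verify_checksum: unsupported algorithm '$algo'" >&2; return 2 ;;
    esac
    # Digests are often pasted in upper case; normalise before comparing.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# verify_source FILE MD5 SHA512: both digests must match. MD5 is collision-prone,
# so the SHA512 carries the real assurance; MD5 is checked because the post
# publishes it and a mismatch there is still a sign of a damaged download.
verify_source() {
    verify_checksum "$1" md5 "$2" && verify_checksum "$1" sha512 "$3"
}

# Stand-alone demonstration on a constructed file, so it runs without the download.
demo() {
    sample=$(mktemp)
    printf 'constructed sample, not the rkhunter tarball\n' > "$sample"
    good_md5=$(md5sum "$sample" | cut -d' ' -f1)
    good_sha512=$(sha512sum "$sample" | cut -d' ' -f1)
    if verify_source "$sample" "$good_md5" "$good_sha512"; then
        echo "digests match: this file is what its publisher said it is"
    fi
    # The published rkhunter SHA512 cannot match the constructed file.
    if ! verify_source "$sample" "$good_md5" "$RKHUNTER_SHA512"; then
        echo "digest mismatch: do not run the build script on this file"
    fi
    rm -f "$sample"
}

demo
```

On a real build host the call would be `verify_source <downloaded tarball> "$RKHUNTER_MD5" "$RKHUNTER_SHA512" && sh rkhunter.PorteusBuild`, with the tarball name taken from the post's download link; the build script only runs when both digests agree, and a corrupted upload like the one described later in the thread is caught before anything executes as root.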

Hamza
Warlord
Posts: 1847
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: PorteusBuild: rkhunter.

Post#2 by Hamza » 17 Jul 2011, 08:23

Is your package compatible with Slack 13.37?
NjVFQzY2Rg==

BlackRider
Black ninja
Posts: 70
Joined: 13 Jul 2011, 11:04
Location: Nowhere

Re: PorteusBuild: rkhunter.

Post#3 by BlackRider » 17 Jul 2011, 08:39

Hamza wrote: Is your package compatible with Slack 13.37?
Yes, it is. Is this a "must be" condition?

I tested the same source and a similar script under Slackware 13.37 x86_64 before making the build pack and testing it under Porteus.

Hamza
Warlord
Posts: 1847
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: PorteusBuild: rkhunter.

Post#4 by Hamza » 17 Jul 2011, 09:06

BlackRider wrote: Yes, it is. Is this a "must be" condition?
Yes. Otherwise, your module will not be compatible with the current version of Porteus, and it can cause some trouble if the user uses it with v1.0.

The last question,
Did you test your module under a fresh Porteus installation without changes and without any modules?

BlackRider
Black ninja
Posts: 70
Joined: 13 Jul 2011, 11:04
Location: Nowhere

Re: PorteusBuild: rkhunter.

Post#5 by BlackRider » 17 Jul 2011, 10:11

Hamza wrote: The last question,
Did you test your module under a fresh Porteus installation without changes and without any modules?
GOOD NEWS:
Yes, it was tested in a brand new Porteus, without changes nor modules.

BAD NEWS: The file I uploaded got corrupted in the process (God damn my ISP). I have just uploaded a working one and edited the link.

Hamza
Warlord
Posts: 1847
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: PorteusBuild: rkhunter.

Post#6 by Hamza » 17 Jul 2011, 10:40

Let us know when it is ready for the community.

Good Job!

BlackRider
Black ninja
Posts: 70
Joined: 13 Jul 2011, 11:04
Location: Nowhere

Re: PorteusBuild: rkhunter.

Post#7 by BlackRider » 17 Jul 2011, 14:33

REPORT OF KNOWN ISSUES

One of the problems I am having with this build is that rkhunter is really paranoid!

I am having a HUGE amount of warnings each time I run the whole set of tests inside the Porteus environment. Sure they are false positives, but an app is not supposed to say that a clean OS has been compromised fifty thousand times...

I have thought about including a configuration file that skips or mitigates the false positives inside Porteus, but, on the other hand, many rkhunter users would surely use this build to check usual operating systems from Porteus. Running an rkhunter check on an Always Fresh Porteus makes little sense, but using rkhunter to check if your Red Hat machine is doing well is something different. Having a default config file adapted to Porteus could confuse someone who is trying to check something that is not Porteus.

Shall I leave the default configuration file as it is, and let each user do whatever he wants with it? Or am I supposed to adapt rkhunter.conf to Porteus?

Another issue I am finding with the actual build is that some tests (or some components of the tests) are being skipped because of the lack of external tools, like Tripwire or Unhide. This is not fatal and does not render the app unusable, as most checks do go on anyway. However, it would be of some help to package these tools. I might do it if I find the time.

Finally, running the whole rkhunter test set against a traditionally installed Slackware from Porteus seems to lead to an infinite loop trouble. To put it simply, some tests will behave badly when used on a halted OS, as far as I have noticed. I am still investigating this.

Hamza
Warlord
Posts: 1847
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: PorteusBuild: rkhunter.

Post#8 by Hamza » 17 Jul 2011, 14:38

BlackRider wrote: Sure they are false positives,

Looks like it is a commercial product.

BlackRider
Black ninja
Posts: 70
Joined: 13 Jul 2011, 11:04
Location: Nowhere

Re: PorteusBuild: rkhunter.

Post#9 by BlackRider » 17 Jul 2011, 14:48

Hamza wrote: Looks like it is a commercial product.
¿¿¡¡!!??

I did not know it's a commercial product. In fact, their web site does not seem to be trying to make money from the users. No paid support, no "Donate" button.

I don't mind if they sell support, are into drug dealing or make porn films. As long as rkhunter is GPL-ware and I can package it, all is OK.

Hamza
Warlord
Posts: 1847
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: PorteusBuild: rkhunter.

Post#10 by Hamza » 17 Jul 2011, 15:00

I don't know if it is really a commercial product.

Because, if in the settings there is not a parameter to set the "false warnings"...

Do you understand?

BlackRider
Black ninja
Posts: 70
Joined: 13 Jul 2011, 11:04
Location: Nowhere

Re: PorteusBuild: rkhunter.

Post#11 by BlackRider » 17 Jul 2011, 18:52

Oh, I see.

In fact, you can configure rkhunter to whitelist certain behaviours for the files you designate, if you need it. An administrator could review each positive one by one, check it and modify the configuration file so these alarms do not ring again. The problem is that, in Porteus, many scripts and symlinks are seen as suspicious, so tweaking /etc/rkhunter.conf would take much time.

The infinite loop issue has shown to be just a damn slow test that lasted for some hours, while giving the impression of repeating itself once and again and again... It finished, at least. Luckily, it is not a default test.

I think this build pack is ready for use, if the administrator is ready to edit the config file. The defaults are not very good, but any configuration I could do would surely be worse for many other users. It is the duty of the security auditor to set the parameters for rkhunter to run properly for his environment.

I am planning to build Unhide, Tripwire and the other components soon, so the lack of external tools stops being a problem. Until then, this build pack can perform many tests without problem.
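The review-each-alarm-then-whitelist process described above can be given a first draft by a script. The following is an added example, not part of the build pack and not rkhunter's own code: it reads warnings from an rkhunter log and prints candidate rkhunter.conf lines for an administrator to check one by one, writing nothing to /etc/rkhunter.conf itself. SCRIPTWHITELIST, ALLOWHIDDENDIR and ALLOWHIDDENFILE are real rkhunter.conf directives; the log lines in the script are constructed to resemble rkhunter's messages, and the exact wording is an assumption that may differ between versions.

```shell
#!/bin/sh
# Added example, not part of the build pack: draft rkhunter.conf whitelist
# lines from the warnings in an rkhunter log so an administrator can review
# them one by one. Nothing is written to /etc/rkhunter.conf; the output is a
# proposal. SCRIPTWHITELIST, ALLOWHIDDENDIR and ALLOWHIDDENFILE are real
# rkhunter.conf directives; the log text below is constructed to resemble
# rkhunter's messages and may differ from a given version's exact wording.
set -e

# Constructed sample of an rkhunter log (the kind of noise an Always Fresh
# Porteus tends to produce: replaced commands, hidden files and directories).
sample_log() {
    cat <<'EOF'
[10:20:01] Warning: The command '/usr/bin/lsattr' has been replaced by a script: /usr/bin/lsattr: POSIX shell script text executable
[10:20:02] Warning: Hidden directory found: /dev/.udev
[10:20:03] Warning: The file properties have changed:
[10:20:03]          File: /usr/bin/ps
[10:20:04] Warning: Hidden file found: /dev/.initramfs
[10:20:05] Warning: The command '/usr/bin/lsattr' has been replaced by a script: /usr/bin/lsattr: POSIX shell script text executable
EOF
}

# suggest_whitelist: read log lines on stdin, print one candidate config line
# per warning. Warnings with no safe blanket directive (changed file
# properties, which may be real tampering) are emitted as REVIEW notes only.
suggest_whitelist() {
    awk '
        /Warning:.*has been replaced by a script: / {
            sub(/.*has been replaced by a script: /, "")   # keep "PATH: file(1) description"
            sub(/:.*/, "")                                  # keep PATH only
            print "SCRIPTWHITELIST=" $0; next
        }
        /Warning: Hidden directory found: / {
            sub(/.*Hidden directory found: /, ""); print "ALLOWHIDDENDIR=" $0; next
        }
        /Warning: Hidden file found: / {
            sub(/.*Hidden file found: /, ""); print "ALLOWHIDDENFILE=" $0; next
        }
        /Warning:/ {
            sub(/^\[[0-9:]*\] *Warning: */, "")
            print "# REVIEW by hand, no automatic whitelist: " $0
        }
    ' | sort -u   # the same warning repeats across runs; propose each line once
}

# Stand-alone run over the constructed sample.
sample_log | suggest_whitelist
```

The point of keeping this as a proposal rather than appending to the live configuration is the one made in the post: a whitelist silences an alarm permanently, so each entry should be accepted only after the administrator has confirmed that the script or hidden file is what the distribution ships, and a changed-properties warning on a binary like ps should lead to a check of the file itself before any whitelisting.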

Hamza
Warlord
Posts: 1847
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: PorteusBuild: rkhunter.

Post#12 by Hamza » 18 Jul 2011, 08:53

I agree with you. Only the administrators can set this software up for their environment.

fanthom
Site Admin
Posts: 4566
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE

Re: PorteusBuild: rkhunter.

Post#13 by fanthom » 18 Jul 2011, 20:30

hello BlackRider,

I would insist on creating Slackware txz packages first in your PorteusBuilds and then using txz2xzm instead of dir2xzm.
One may ask why:

a) Porteus claims to be Slackware compatible and we would like to have all packages (even in xzm module format) manageable by standard pkgtools. YES - you can activate an xzm module and then remove it by the Slackware 'removepkg' command. Despite being shown as activated in 'Porteus Module Manager' and listed in /mnt/live/memory/images, all of the application's files will be "removed" from the system (in fact, they are not really removed, as xzm is read-only - they are just marked as "removed" in aufs).
b) Porteus tools like 'extpkg' and 'rempkg' rely on the /var/log/packages/application_name info files.

Thanks for your contributions.
Please add [Solved] to your thread title if the solution was found.

BlackRider
Black ninja
Posts: 70
Joined: 13 Jul 2011, 11:04
Location: Nowhere

Re: PorteusBuild: rkhunter.

Post#14 by BlackRider » 19 Jul 2011, 23:19

fanthom wrote: I would insist on creating Slackware txz packages first in your PorteusBuilds and then using txz2xzm instead of dir2xzm.
Then, so be it.

I will remake the scripts and correct them when I find the time to do it and upload them. My Internet access is so lame that it may take the same time to upload the files to FileFactory as to package the application and test it both in Slackware and Porteus.

It's a joke, I test the apps better than that :) Anyway, uploading the files is a pain.

Maybe I will take advantage of having to make .txz packages and upload some stuff to SlackBuilds.org.

Posted after 1 day 2 hours 19 minutes 40 seconds:
Ok, it is done. I have just remade my scripts as indicated.

I hope you will like them.

fanthom
Site Admin
Posts: 4566
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE

Re: PorteusBuild: rkhunter.

Post#15 by fanthom » 20 Jul 2011, 07:32

@BlackRider
yep - that's perfect now :)

Thanks.