18 October 2011
q-Status™ Rkhunter q-Alerts
based on version rkhunter-1.3.8

Introduction

q-Status™ q-Alerts provides a demonstration of log noise suppression alerts that identify changes in the warnings found in the log file generated by the popular rootkit hunter security scanning shell script program, Rkhunter. To use q-Status™ q-Alerts with RKhunter:

  • RKhunter must be deployed on each server.
  • RKhunter must be configured to generate an rkhunter.log in the /var/log directory once a day.

The q-Status™ bin directory will automatically copy the rkhunter.log file to the q-Status™ web server, together with the other configuration data, for processing by q-Status™ q-Alerts. This has already been pre-configured as of q-Status™ Linux 5.20 Update 04.

q-Status™ q-Alerts for Rkhunter is an example implementation of identifying changes in output files on a daily basis. It works the same way as any of the other q-Status™ q-Alerts functions and can be cleared from the q-Status™ Administrative GUI by generating another baseline.

RKhunter

Rkhunter is released as GPL licensed project and free for everyone to use.

Rkhunter is a shell script program written by Michael Boelen. It supports Unix, Linux and Solaris type operating systems. This tool scans for rootkits, backdoors and local exploits by running tests like:

  • MD5 hash compare
  • Look for default files used by rootkits
  • Wrong file permissions for binaries
  • Look for suspected strings in LKM and KLD modules
  • Look for hidden files
  • Optional scan within plaintext and binary files

Documentation and a full description of Rkhunter can be found at http://www.rootkit.nl/projects/rootkit_hunter.html, and you can download the software from that site. For users of rpm-based Linux distributions (RedHat, Fedora, CentOS), Rkhunter is also part of Source Forge and can be installed and updated from their site. See the note at the end of this document.

To use q-Status™ q-Alerts with Rkhunter, Rkhunter must be installed and functioning on each server.

Installing Rkhunter for Linux using RPM

For RedHat Linux based users, Rkhunter is also part of Source Forge and can be installed and updated from their site. Currently, if you install it from your own manually created rpm, as documented and configured in the tar-gz download, it will be in conflict with the Source Forge version. This has been reported as a bug, but as of this writing a fix is still pending. It is probably better to enable Source Forge and then perform a "yum install rkhunter".

For 64-bit:
# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
# rpm -Uhv rpmforge*
# yum install rkhunter
For 32-bit:
# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
# rpm -Uhv rpmforge*
# yum install rkhunter

To enable a cron entry, Logiqwest has provided the 'install_rkhunter_cron.sh' script (click link to download). This script will also automatically perform a file properties update for an initial install.

RKhunter Alerts

The q-Status™ Rkhunter discrepancy alert is an automatic email notification sent if a discrepancy is found between the last rkhunter.log baseline and the current rkhunter.log. It identifies changes in the warning output. If the warnings are the same, no email is sent. New warnings that are not in the last rkhunter.log baseline will generate an email.

A simple crontab entry executes a script that compares the most recent baselines for Rkhunter and creates an alert email for any discrepancies found. The email is then sent using smtp to the users in a configurable baseline alert mailing list.

q-Status™ Baseline Alerts require little configuration to implement. Rkhunter discrepancy alerts are cleared by simply generating a new baseline. If no discrepancies are found, no baseline discrepancy alert email is sent.

The email alert summarizes each host and its number of warning discrepancies. A q-Status™ link to the web page report is provided. Clicking this link takes the user to the Root Kit Hunter "Baseline Comparison" report page in the "Discrepancies Only" mode. This is displayed as a true table stating whether a warning is present. The word "true" for a discrepancy links the user to the full report, at the exact place where this entry appears.

Other links are provided, such as "Search" and changing the report to the "Full" display.

Setting Up q-Status™ Rkhunter Alerts

Setting up q-Status™ RKhunter Alerts requires four steps:

  1. Editing Alert.conf to add the web location of q-StatusLinux™.
  2. Adding email addresses to mail_list_security.conf.
  3. Configuring the smtp or sendmail mail program.
  4. Adding crontab entries to call the q-Status™ RKhunter Alert program.

Note: q-Status™ Alerts utilize an independent Perl script, smtpClient.pl, located in the qAlert directory. This smtp Perl script supports all types of mail servers, including encrypted mail servers, to give q-Status™ the greatest flexibility. This script requires that two Perl libraries be installed on the server to support this security:
IO::Socket::SSL
Net::SSLeay

Even though these may not be required, LogiQwest wished to maintain this smtp Perl script in its fully functional form. When you run any of the Perl scripts that call smtpClient.pl, an error message may be generated stating that these libraries cannot be found. To fix this, run Perl with the CPAN and shell options (e.g. perl -MCPAN -eshell) as root to enter the interactive CPAN environment:

# perl -MCPAN -eshell

Then perform an install of the missing libraries:

      ... ... ... ... ... 
cpan> install IO::Socket::SSL
      ... ... ... ... ... 
cpan> install Net::SSLeay 
      ... ... ... ... ...
cpan> quit
#

You may need to configure CPAN for the server before completing the install. The configuration prompts are presented the first time you execute perl with the -MCPAN -eshell options.

Setting up q-Status™ Rkhunter Alerts crontab

All configuration files and the q-Status™ RKhunter Alert program are located in the qAlert/ directory of the q-Status™ program, which is broken down this way:

Name                                           Description
qAlert                                         The qAlert directory
  baselineAlertLinux.pl                        q-Status™ Baseline email alert program. Set up to be called by crontab.
  diskAlertsLinux.pl                           q-Status™ Disk threshold email alert program. Set up to be called by crontab.
  rkhunterAlertLinux.pl                        q-Status™ RKhunter changes email alert program.
  smtpClient.pl                                smtp Perl email program. Program is called by baselineAlertWindows.pl.
  conf                                         Configuration files directory
    Alert.conf                                 Contains the entry for the q-Status™ web location address and the report true/false parameters.
    mail_list_base.conf                        Mailing list and parameters for baseline alerts
    mail_list_disk.conf                        Mailing list and parameters for disk threshold alerts
    mail_list_security.conf                    Mailing list and parameters for RKhunter alerts
    smtp.conf                                  Configuration file for smtp access to a remote mail server. Copy smtp.conf.template to smtp.conf to activate.
    smtp.conf.template                         Template configuration file for smtp access to a remote mail server. Rename or copy to smtp.conf.
  Goodies                                      qAlert miscellaneous directory
    INSTALL_qAlerts_cronClassicUnix.sh         Script to install qAlert crontab entries in classic Unix (e.g. Solaris).
    INSTALL_qAlerts_cronClassicUnixRKhunter.sh Script to install rkhunter crontab entries in classic Unix (e.g. Solaris).
    INSTALL_qAlerts_cronsLinux.sh              Script to install qAlert crontab entries in Linux.
    INSTALL_qAlerts_cronsLinuxRKhunter.sh      Script to install rkhunter crontab entries in Linux.
  tmp                                          Scratch write area for email messages.

The Perl script rkhunterAlertLinux.pl, and the shell scripts INSTALL_qAlerts_cronClassicUnixRKhunter.sh and INSTALL_qAlerts_cronsLinuxRKhunter.sh are used to support RKhunter Alerts.

Note: In the directory qAlert/conf copy or rename "smtp.conf.template" to "smtp.conf" and edit as described below.

Configuring "Alert.conf"

The Alert.conf file contains the following parameter entries:

  • The http_ref web location parameter is used for the hyperlinks displayed in the email messages. It must contain an http URL as the value of the parameter http_ref. Note that it must end with a trailing slash (/).
  • The remaining parameters are used for baseline comparison and have no effect on q-Status™ RKhunter Alerts.

Configuring "mail_list_security.conf"

The "mail_list_security.conf" file consists of two sections. The first section defines the from, to and subject of the email as they will appear when it is sent. Note that "FROM" and "TO" do not need to be valid email addresses. The "TO" can be a group name such as "Database Group", "Production Group" or anything that may be appropriate. The "FROM" likewise does not need to be a real email address; it can be something like "qstatus alert" or "Server Monitoring". The "SUBJECT" parameter is displayed in the mail subject line of the receiver.

# Mail List Version 1.02
#-------------------------------------------------------------------------------
# Mail HEADER parameters
# FROM - general from list 
# TO - mailing general name 
# SUBJECT - general subject
FROM|qstatus@mycompany.com
TO|Server Group
SUBJECT|TEST q-Status Linux RKhunter Security Discrepancy Detected
#-------------------------------------------------------------------------------
#email|name|note
#john.doe@mycompany.com|John Doe|Comment out person
mbarto@logiqwest.com|The Support|Test
support@logiqwest.com|The Support|Test
admin@logiqwest.com|administrator|PRODUCT ANNOUNCEMENT
#sales@logiqwest.com|

The second part consists of the email addresses in the following format:

email address|Name|Note

with the fields separated by a bar (|). You may comment out an email address by entering a pound sign (#) at the beginning of the line; that email address will not be processed. Neither Name nor Note is used for the email.

q-Status "smtp.conf"

In the directory qAlert/conf, copy or rename "smtp.conf.template" to "smtp.conf". The "smtp.conf" file contains the smtp mail parameters. They consist of:

Name           Default                  Description
MAIL_METHOD                             Has two options:
                                          • smtpmail - uses an smtp mail server requiring a password and userid
                                          • unixmail - uses standard Unix sendmail
MAILSERVER                              smtp mail server name or address
PORT           25                       Mail server port. Normally 25.
USER                                    Mail server login name. Setting this value to NULL specifies that the mail server requires no password or userid to send mail.
PASSWORD                                Mail server login name password.
FROM                                    A real email user address (must be a valid email address).
BASEMAILIST    mail_list_base.conf      Baseline alert mailing list.
DISKMAILIST    mail_list_disk.conf      Disk alert mailing list.
SECUREMAILIST  mail_list_security.conf  Security (rkhunter) alert mailing list.
MESSAGE_DIR    tmp/                     Temporary directory where the email message is written. Do not change.
VERBOSE        FALSE                    Used for debugging. VERBOSE has three values: TRUE, FALSE and NOMAIL.
                                          • FALSE - the default setting when configured correctly.
                                          • TRUE - displays mail debugging messages and sends mail.
                                          • NOMAIL - runs the discrepancy report without sending mail. Results are displayed on screen.

smtp.conf
###SMTP Parameter File Version 2.01
# MAIL_METHOD has two options:
#           smtpmail - user smtp mail server requiring password and userid 
#           unixmail - uses standard Unix sendmail
# When MAIL_METHOD is set to unixmail, USER and PASSWORD are ignored.
MAIL_METHOD|smtpmail
# MAIL_METHOD|unixmail
MAILSERVER|smtp.mycompany.com
PORT|25
USER|mail_user
PASSWORD|abcdefg
FROM|mail_user@mycompany.com
BASEMAILIST|mail_list_base.conf
DISKMAILIST|mail_list_disk.conf
SECUREMAILIST|mail_list_security.conf
MESSAGE_DIR|tmp/
# VERBOSE has three parameters: TRUE, FALSE and NOMAIL
#               FALSE  - the default setting when configured correctly.
#               TRUE   - displays mail debugging messages and sends mail.
#               NOMAIL - Run discrepancy report without sending mail. Results 
#                        displayed on screen.
VERBOSE|TRUE 
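
As an added example (not part of the q-Status™ package or its Perl scripts), the following Python reads the two pipe-delimited files described above, smtp.conf and mail_list_security.conf, honouring comment lines, the USER NULL convention and the three VERBOSE values. The file contents are constructed sample values, not a real site's configuration.

```python
# Constructed sample contents of qAlert/conf/smtp.conf and mail_list_security.conf
# (sample values, not a real site's configuration), in the KEY|VALUE format shown above.
SMTP_CONF = """###SMTP Parameter File Version 2.01
MAIL_METHOD|smtpmail
# MAIL_METHOD|unixmail
MAILSERVER|smtp.mycompany.com
PORT|25
USER|NULL
PASSWORD|
FROM|mail_user@mycompany.com
SECUREMAILIST|mail_list_security.conf
MESSAGE_DIR|tmp/
VERBOSE|NOMAIL
"""
MAIL_LIST = """# Mail List Version 1.02
FROM|qstatus@mycompany.com
TO|Server Group
SUBJECT|q-Status Linux RKhunter Security Discrepancy Detected
#email|name|note
#john.doe@mycompany.com|John Doe|Comment out person
ops@mycompany.com|Ops Team|on call
#sales@mycompany.com|
"""

def parse_pipe_lines(text):
    """Yield the '|'-split fields of each line, skipping blanks and '#' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield [f.strip() for f in line.split("|")]

def smtp_settings(text):
    """Resolve smtp.conf into the decisions the mailer has to make."""
    conf = {f[0]: (f[1] if len(f) > 1 else "") for f in parse_pipe_lines(text)}
    method = conf.get("MAIL_METHOD", "smtpmail")
    verbose = conf.get("VERBOSE", "FALSE").upper()
    if verbose not in ("TRUE", "FALSE", "NOMAIL"):
        raise ValueError("VERBOSE must be TRUE, FALSE or NOMAIL, got %r" % verbose)
    user = conf.get("USER", "NULL")
    # USER set to NULL means the server needs no login; unixmail ignores USER/PASSWORD.
    needs_login = method == "smtpmail" and user.upper() not in ("NULL", "")
    return {"method": method, "server": conf.get("MAILSERVER", ""),
            "port": int(conf.get("PORT", "25")), "needs_login": needs_login,
            "send_mail": verbose != "NOMAIL", "debug": verbose == "TRUE",
            "security_list": conf.get("SECUREMAILIST", "mail_list_security.conf")}

def mail_list(text):
    """Header (FROM/TO/SUBJECT) and the active recipient addresses; the Name and
    Note columns are carried in the file but not used for sending."""
    header, recipients = {}, []
    for fields in parse_pipe_lines(text):
        if fields[0] in ("FROM", "TO", "SUBJECT"):
            header[fields[0]] = fields[1] if len(fields) > 1 else ""
        elif "@" in fields[0]:
            recipients.append(fields[0])
    return header, recipients
```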

These settings are the same ones you would set up for an email program on a computer. Check with the mail administrator or provider to obtain the correct values.

Note: When MAIL_METHOD equals 'unixmail', it is assumed that the q-Status™ Linux Web server has been configured properly (e.g. mailhost) to support a sendmail process.

Testing q-Status™ Alerts

q-Status™ Linux RKhunter Alerts will only generate email if there is a change from the previous RKhunter report collected as a baseline. If no discrepancy exists for any of the rkhunter report comparisons, no email will be sent. Therefore, to test the alerts, one may need to create an rkhunter report discrepancy, for example by editing an existing rkhunter file (e.g. <hostname>.rkhunter in the data directory).

q-Status™ Linux RKhunter Alerts can then be tested by simply running the rkhunterAlertLinux.pl Perl script from the command line.

The command runs in quiet mode, so no command line output is displayed, but mail should be delivered. You can enable some diagnostics by changing the value of the VERBOSE option in the smtp.conf file. The VERBOSE parameter has three values: TRUE, FALSE and NOMAIL:

  • FALSE - the default setting when configured correctly.
  • TRUE - displays mail debugging messages and sends mail.
  • NOMAIL - runs the discrepancy report without sending mail. Results are displayed on screen.

Debugging q-Status Alerts

If the smtp mail does not seem to work correctly or there is a general failure, edit the "smtp.conf" file and change the parameter "VERBOSE" to 'TRUE'. Now when "baselineAlertRKhunter.pl" is run, results, outputs and the email server dialog will be displayed at the command line. This may be useful for locating configuration errors.

Notes:
  1. q-Status™ Disk Alerts will only generate email if a threshold has been exceeded. If no threshold is exceeded, no Disk Alert will be sent.
  2. q-Status™ Baseline Alerts require that baselines be created and updated on a regular basis. If no baseline exists for a specified server, that server will not be evaluated and no email will be sent.
  3. Many mail servers enforce a security check where the "USER" and the "FROM" entries must be the same. If no mail is sent when tested, try assigning these values to be the same.

Setting up the crontab

In the qAlert/Goodies/ directory are two files:

  • INSTALL_qAlerts_cronsLinuxRKhunter.sh - Script to install qAlert crontab entries for a Linux web server.
  • INSTALL_qAlerts_cronClassicUnixRKhunter.sh - Script to install qAlert crontab entries on a classic Unix web server (e.g. Solaris).

Running these scripts as root will not only install the qAlerts crons for baseline and disks, but will also install the crontab to generate new baselines every week. "INSTALL_qAlert_cronsLinux.sh" will place entries in the cron.weekly, cron.daily and cron.hourly directories for Linux.

These scripts calculate the location of the q-Status™ Linux Web server and create cron entries to call the Perl scripts.

Name                                           Description
qAlert                                         The qAlert directory
  Goodies                                      qAlert miscellaneous directory
    INSTALL_qAlerts_cronClassicUnixRKhunter.sh Script to install rkhunter crontab entries in classic Unix (e.g. Solaris).
    INSTALL_qAlerts_cronsLinuxRKhunter.sh      Script to install rkhunter crontab entries in Linux.

These scripts will install two cron entries as follows:

  • daily crontab entry for rkhunter alerts - calling q-statusLinux/qAlert/baselineAlertsRKhunter.pl
  • weekly crontab for baseline creation - calling q-statusLinux/Goodies/baseUnixCreateSolaris.pl

How Alert Flag is Evaluated

q-Status™ RKhunter Alerts contain a flag associated with the summary of each alert. The values are "Warning", "Alert" and "Critical". Since it is highly subjective what these mean, q-Status™ uses a special method for this classification.

For each RKhunter discrepancy run, the list of servers has a maximum number of discrepancies found on any one server. If that maximum is less than 3, all discrepancy flags are considered a "Warning". If it is 3 or above, the maximum number of discrepancies is divided by 3. If a server's number of discrepancies falls in the first third, it is considered just a "Warning". If it falls in the second third it is an "Alert", and in the last third it is considered "Critical".
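
The warning comparison described in the RKhunter Alerts section and the thirds rule above, as an added Python example (not the project's Perl scripts). The rkhunter.log excerpts are constructed sample data, and treating the upper boundary of each third as inclusive is an assumption the page does not settle.

```python
import re
# Constructed sample rkhunter.log excerpts (not real scan output): the baseline
# copy kept from the last run and the copy collected today, keyed by host.
BASELINE = {
    "web01": "[03:10:01] Warning: Hidden directory found: /dev/.udev\n"
             "[03:10:02] Warning: The SSH configuration option 'PermitRootLogin' has not been set.\n",
    "db01":  "[03:12:01] Warning: Hidden directory found: /dev/.udev\n",
}
CURRENT = {
    "web01": "[03:10:01] Warning: Hidden directory found: /dev/.udev\n"
             "[03:10:02] Warning: The SSH configuration option 'PermitRootLogin' has not been set.\n"
             "[03:10:05] Warning: The file properties have changed: /bin/ls\n"
             "[03:10:05] Warning: The file properties have changed: /bin/ps\n"
             "[03:10:06] Warning: The file properties have changed: /usr/bin/ssh\n",
    "db01":  "[03:12:01] Warning: Hidden directory found: /dev/.udev\n"
             "[03:12:03] Warning: The command '/bin/netstat' has been replaced by a script\n",
}
WARNING_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s*(Warning:.*)$")

def warnings_in(log_text):
    """Set of warning messages with the time prefix stripped, so re-running the
    same scan (new timestamps, same findings) is not reported as a change."""
    found = set()
    for line in log_text.splitlines():
        m = WARNING_RE.match(line.strip())
        if m:
            found.add(m.group(1).strip())
    return found

def new_warnings(baseline_text, current_text):
    """Warnings present now that were absent from the baseline, sorted for stable mail."""
    return sorted(warnings_in(current_text) - warnings_in(baseline_text))

def flag_for(count, maximum):
    """Page's rule: a maximum below 3 makes every flag a Warning; otherwise the
    maximum is split into thirds (inclusive upper boundaries are an assumption)."""
    if maximum < 3:
        return "Warning"
    third = maximum / 3.0
    if count <= third:
        return "Warning"
    if count <= 2 * third:
        return "Alert"
    return "Critical"

def summarize(baseline, current):
    """Per-host count and flag of new warnings; an empty result means no email is sent."""
    diffs = {h: new_warnings(baseline.get(h, ""), log) for h, log in current.items()}
    diffs = {h: w for h, w in diffs.items() if w}
    if not diffs:
        return {}
    maximum = max(len(w) for w in diffs.values())
    return {h: {"count": len(w), "flag": flag_for(len(w), maximum), "warnings": w}
            for h, w in diffs.items()}
```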

Client Feedback

q-Status™ Alerts is a new function of q-Status™. Feedback on q-Status™ Alerts is always welcome. LogiQwest would really appreciate suggestions. Requests for enhancements to the alerts are always welcome.

Support

LogiQwest does provide to its clients technical information on the program structure of q-Status™ for any custom implementation using its tools, under the LICENSE agreement included with the program.

LogiQwest also provides custom implementation of q-Status™ technology on a time and materials basis. For any effort where LogiQwest has performed the development, LogiQwest supports the life cycle of the program, maintains it and makes sure that it will run with all future revisions of q-Status™.

Support is easily obtained through email at support@logiqwest.com

Or by phone:

LogiQwest, Inc.
16458 Bolsa Chica Street #15
Huntington Beach, CA 92649
USA
Telephone 714.377.3705
Facsimile 714.840.3937
Cell Phone: 714-883-1949
Email:mbarto@logiQwest.com
