q-Status™ Rkhunter q-Alerts Setup

Introduction

q-Status™ q-Alerts provides a demonstrate of log noise suppression alerts to identify warning changes of the log file generated by the popular root hunter security scanning shell script program called Rkhunter. To use q-Status™ q-Alerts with RKhunter:

RKhunter must be deployed on each server.
RKhunter must be configures to generate a rkhunter.log in the /var/log directory once a day.

The q-Status™ bin directory will automatically copy the rkhunter.log file to the q-Status™ web server with the other configuration date for processing by q-Status™ q-Alerts. This has already been pre-configured as of q-Status™ Linux 5.20 Update 09 or later.

q-Status™ q-Alerts for Rkhunter is an example implementation of identify changes in output files on a daily bases. It works the same way as any of the other q-Status™ q-Alerts funtions and can be cleared from the q-Status™ Administrative GUI by generating another baseline.

RKhunter

Rkhunter is released as GPL licensed project and free for everyone to use.

Rkhunter is a shell script program written by Michael Boelen. It supports Unix, Linux and Solaris type operating systems. This tool scans for rootkits, backdoors and local exploits by running tests like:

MD5 hash compare
Look for default files used by rootkits
Wrong file permissions for binaries
Look for suspected strings in LKM and KLD modules
Look for hidden files
Optional scan within plaintext and binary files

Rkhunter is released as GPL licensed project and free for everyone.

Documentation and full description of Rkhunter can be found at http://rootkit.nl/projects/rootkit_hunter.html . Also you may be intersted in the following article by Jon Watson https://www.comparitech.com/antivirus/best-free-rootkit-removal-scanner/.

To use q-Status™ q-Alerts with Rkhunter must be installed and function on each server.

Installing Rkhunter for Linux using RPM

Documentation and full description of Rkhunter can be found at https://www.comparitech.com/antivirus/best-free-rootkit-removal-scanner/. You can download the software from this site. For RedHat Linux base user, Rkhunter is also part of Source Forge and can be installed and updated from their site. Perform a "yum install rkhunter".

Use the foillowing script to install rkhunter in Linux

#!/bin/sh
# Copyright LogiQwest 2017
# Name: install_rkhunter.sh
# OS: Linux
#-------------------------------------------------------------------------------
# Purpose: To install and add /etc/cron.daily/rkhunter crontab
#------------------------------------------------------------------------------
# Version 2.00:15 Feb 2013 Created by Michael Barto
# Version 2.01:07 May 2015 Added -y option with yum in INSTALL_RKHUNTER
# Update PROPUPD with comment.
# Version 3.00:07 May 2017 Rvised for CentOS7
#===============================================================================
VERSION='3.00'
BASEDIR=`/usr/bin/dirname $0`
cd ${BASEDIR}

CRON_DIR='/etc/cron.daily'

CHECK_ID()
{
if [ -f /usr/bin/whoami ]; then
ID=`/usr/bin/whoami`
elif [ -f /usr/ucb/whoami ]; then
ID=`/usr/ucb/whoami`
elif [ -f /usr/gnu/bin/whoami ]; then
ID=`/usr/gnu/bin/whoami`
else
echo 'Unix command whoami not found. Program exited!!'
exit 1
fi
if [ $ID != "root" ]; then
echo "$ID, you must be root to run this program."
exit 1
fi
}

PROPUPD ()
{
RKHUNTER_BIN=`which rkhunter`
echo "updating rkhunter properties"
${RKHUNTER_BIN} --propupd
echo "properties updated........"
}

INSTALL_RKHUNTER()
{
PACKAGE='rkhunter'
VALUE=`../PERL/test_package.pl $PACKAGE`
echo "$VALUE"

if [ "${VALUE}" = 0 ]; then
echo "$PACKAGE already installed"
yum -y update rkhunter
else
echo "......installing rkhunter package ...........................";
yum -y install ${PACKAGE}
fi
}

CHECK_ID
INSTALL_RKHUNTER
PROPUPD

RKhunter Alerts

q-Status™ Rkhunter discrepancies alert is an automatic email notification if a discrepancy is evaluated between the last rkhunter.log baseline and the . It identify changes in the warning outputs. If the warnings are the same, no email is sent. New warning that are not in the last rkhunter.log baseline, will generate an email.rkhunter.log

A simple crontab entry will execute a script to compare the most recent baselines for Rkhunter and create an alert email of any discrepancies found. The email is then sent using smtp to a users in a configurable baseline alert mailing list.

q-Status™ Baseline Alerts requires little configuration set up to implement. Rkhunter discrepancy alerts are clear by simply generating a new baseline. If no discrepancies are found, no email baseline discrepancy alerts are sent.

The email alert summarizes each host and the number warning discrepancies. A q-Status™ link to its web page report is provides. Clicking this link will take the user to the Root Kit Hunter "Baseline Comparison" report page in the "Discrepancies Only" mode. This is displayed as a true table stating is a warning is present. The word "true" for a discrepancy will link the user to the full report and to the exact link where this entry appears.

Other links are provide such as "Search" and changing the report to "Full" display

Setting Up q-Status™ Rkhunter Alerts

Setting up q-Status™ RKhunter Alerts requires four steps:

Editing Alert.conf to added web location of q-StatusLinux™.
Adding email addresses to the mail_list_security.conf.
Configuring the smtp or sendmail mail program.
Adding crontab entries to call to the q-Status™ RKhunter Alert program.
Note:
q-Status™ Alerts utilized an independent Perl Script smtpClient.pl located in the qAlert directory. This smtp Perl script support all types of mail servers including encrypted mail servers to provide q-Status™ the greatest flexibility. This script requires that two Perl libraries be installed on the server to support this security:

IO::Socket::SSL
Net::SSLeay

Even though this may not be required, LogiQwest wished to maintain this smtp Perl script in its full functional format. When you run any of the Perl scripts that call this program smtpClient.pl, an error message may be generated stating that these libraries cannot be found. To fix this issue, simply use Perl with the CPAN and shell options (e.g. perl -MCPAN -eshell) as root, to enter the interactive CPAN environment:
# perl -MCPAN -eshell
Then performing an install to install the missing libraries:
      ... ... ... ... ... 
cpan> install IO::Socket::SSL
      ... ... ... ... ... 
cpan> install Net::SSLeay 
      ... ... ... ... ...
cpan> quit
#
You may need to configure CPAN for the server before completing the install. This is documented when you execute perl the initial "-MCPAN -eshell" options.

Setting up q-Status™ Rkhunter Alerts crontab

All configuration files and the q-Status™ RKhunter Alert program are located in the directory qAlert/ of the q-Status™ program and is broken down this way:

Name			Description
*qAlert*			The qAlert Directory
	baselineAlertLinux.pl		q-Status™ Baseline email alert program. Set up to be called by crontab.
	diskAlertsLinux.pl		q-Status™ Disk threshold email alert program. Set up to be called by crontab.
	rkhunterAlertLinux.pl		q-Status™ RKhunter changes email alert program.
	smtpClient.pl		smtp Perl email program. Program is called by baselineAlertWindows.pl
	*conf*		Configuration Files directory
		Alert.conf	Contain entry of q-Status™ web location address and reports true or false parameters.
		mail_list_base.conf	Mailing list and parameters for baseline line alerts
		mail_list_disk.conf	Mailing list and parameters for disk threshold alerts
		mail_list_security.conf	Mailing list and parameters for RKhunter alerts
		smtp.conf	Configuration file for smtp for access to remote mail server. Copy smtp.conf.template to smtp.conf to activate.
		smtp.conf.template	Template Configuration file for smtp for access to remote mail server. Rename or copy to smtp.conf.
	*Goodies*		qAlert Miscellaneous directory
		INSTALL_qAlerts_cronClassicUnix.sh	Script to install qAlert crontab entires in Classic Unux (e.g. Solaris).
		INSTALL_qAlerts_cronClassicUnixRKhunter.sh	Script to install rkhunter crontab entires in Classic Unux (e.g. Solaris).
		INSTALL_qAlerts_cronsLinux.sh	Script to install qAlert crontab entires in Linux.
		INSTALL_qAlerts_cronsLinuxRKhunter.sh	Script to install rkhunter crontab entires in Linux.
	*tmp*		scratch write area for email message.

The Perl script rkhunterAlertLinux.pl, and the shell scripts INSTALL_qAlerts_cronClassicUnixRKhunter.sh and INSTALL_qAlerts_cronsLinuxRKhunter.sh are used to support RKhunter Alerts.

Note: In the directory qAlert/conf copy or rename "smtp.conf.template" to "smtp.conf" and edit as described below.

Configuring "Alert.conf"

The Alert.conf file contains for parameter entries.

The http_ref web location parameter is used for the hyperlinks displays in the email messages. It must consist an http entry for the parameter http_ref. Note that is must contain a ending slash (/).
The remaining parameters are used for baseline comparison and have no effect with q-Status™ RKhunter Alerts.

Configuring "mail_list_security.conf"

The "mail_list_security.conf" file consist of two sections. The first section defined the from-to-subject of the email that will appear when sent. Note the "FROM" and "TO" do not need to be valid email addresses. The "TO" can a group name such as "Database Group", "Production Group" or anything that may be appropriate. The from also does not need to be a real email address such as "qstatus alert" or "Server Monitoring". The "SUBJECT" parameter will display in the mail subject line of the receiver.

# Mail List Version 1.02
#-------------------------------------------------------------------------------
# Mail HEADER parameters
# FROM - general from list 
# TO - mailing general name 
# SUBJECT - general subject
FROM|qstatus@mycompany.com
TO|Server Group
SUBJECT|TEST q-Status Linux RKhunter Security Discrepancy Detected
#-------------------------------------------------------------------------------
#email|name|note
#john.doe@mycompany.com|John Doe|Comment out person
mbarto@logiqwest.com|The Support|Test
support@logiqwest.com|The Support|Test
admin@logiqwest.com|administrator|PRODUCT ANNOUNCEMENT
#sales@logiqwest.com|

The second part consist of the email addresses in the following format:

email address

Name

Note

separated by a bar (|). You may comment out an email address, by enter in a pound (#) at the beginning of the line. This email address will not be processed. Both Note and Name are not used for the email.

q-Status "smtp.conf"

In the directory qAlert/conf copy of rename "smtp.conf.template" to "smtp.conf". The "smtp.conf" file contains the smtp mail parameters. The consist of:

Name	Default	Description
MAIL_METHOD		has two options: smtpmail - user smtp mail server requiring password and userid unixmail - uses standard Unix sendmail
MAILSERVER		smtp mail server name or address
PORT	25	mail server port. Normally 25
USER		mail server login name. Setting this value to NULL, specifies that the mail server requires no password or userid to be accessed to send mail.
PASSWORD		mail server login name password
FROM		A real email user address (must be a valid email address)
BASEMAILIST	mail_list_base.conf	baseline alert mailing list. Default is mail_list_base.conf
DISKMAILIST	mail_list_disk.conf	disk alert mailing list. Default is mail_list_disk.conf
SECUREMAILIST	mail_list_security.conf	security (rkhunter) alert mailing list. Default is mail_list_security.conf
MESSAGE_DIR	tmp/	temporary directory where email message is written. Do not change.
VERBOSE	FALSE	User for debugging. VERBOSE has three parameters: TRUE, FALSE and NOMAIL FALSE - the default setting when configured correctly TRUE - displays mail debugging messages and sends mail. NOMAIL - Run discrepancy report without sending mail. Results displayed on screen.

smtp.conf

###SMTP Parameter File Version 2.01
# MAIL_METHOD has two options:
#           smtpmail - user smtp mail server requiring password and userid 
#           unixmail - uses standard Unix sendmail
# When MAIL_METHOD is set to unixmail, USER and PASSWORD are ignored.
MAIL_METHOD|smtpmail
# MAIL_METHOD|unixmail
MAILSERVER|smtp.mycompany.com
PORT|25
USER|mail_user
PASSWORD|abcdefg
FROM|mail_user@mycompany.com
BASEMAILIST|mail_list_base.conf
DISKMAILIST|mail_list_disk.conf
SECUREMAILIST|mail_list_security.conf
MESSAGE_DIR|tmp/
# VERBOSE has three parameters: TRUE, FALSE and NOMAIL
#               FALSE  - the default setting when configured correctly.
#               TRUE   - displays mail debugging messages and sends mail.
#               NOMAIL - Run discrepancy report without sending mail. Results 
#                        displayed on screen.
VERBOSE|TRUE

These setting are the same that you set up for a email program on a computer. Check with the mail administrator or provide to obtain the correct values.

Note: Using MAIL_METHOD equal 'unixmail', it is assume that the q-Status™ Linux Web server has been configurate properly (e.g. mailhost) to support a sendmail process.

Testing q-Status™ Alerts

q-Status™ Linux RKhunter Alerts will only generate email if there is a change from the previous RKhunter report collected as a baseline. If no discrepancy exist for any of the rkhunter report comparisons, no email will be sent. Therefore to test the alerts, one may need to create a rkhunter report discrepancy. Say by editing an existing rkhunter file (e.g in data directory <hostname>.rkhunter) .

q-Status™ Linux RKhunter Alerts can then be tested by simply running the rkhunterAlertLinux.pl Perl script from the command line.

The commands is run in a quiet mode, so no command line out will be displayed. But mail should be delivered. You can enable some diagnostic by changing the value of the VERBOSE option in the smtp.conf file. The VERSOSE parameter has three parameters: TRUE, FALSE and NOMAIL:

FALSE - the default setting when configured correctly.
TRUE - displays mail debugging messages with mail.
Run discrepancy report without sending mail. Results displayed on screen.

Debugging q-Status Alerts

If the smtp mail seems to not work correctly or there is general failure, edit the "smtp.conf" file and change the parameter "VERBOSE" to 'TRUE". Now when "baselineAlertRKhunter.pl" is run, results, outputs and email server dialog will be displayed at the command line. This maybe useful to locate configuration errors.

Notes:

q-Status™ Disks Alerts will only generate email if a threshold has been exceeded. If there is no threshold is exceeded, no Disk Alert will be sent.

q-Status™ Baseline Alerts require that baselines be created and updated on a regular bases. If no baselines exist for a specified server, evaluation of that server will not be processed and no email will be sent.

Many mail servers support a security check where the "USER" and the "FROM" entry must be the same. If not mail is send when tested, try assigning these values to be the same.

Setting up the crontab

In the qAlert/Goodies/ directory are two files:

INSTALL_qAlerts_cronsLinuxRKhunter.sh -Script to install qAlert crontab entires for Linux web server.
INSTALL_qAlerts_cronClassicUnixRKhunter.sh - Script to install qAlert crontab entires in Classic Unux (e.g. Solaris web server).

Running this scripts as root wil not only install the qAlerts crons for baseline and disks, but will also install the crontab to generate new baselines every week. "INSTALL_qAlert_cronsLinux.sh" will places entries in the cron.weekly, cron.daily and cron.hourly directories for Linux.

This scripts calculate the location of the q-Status™ Linux Web server and create cron entries to call the Perl Scripts.

Name Description

qAlert The qAlert Directory

Goodies qAlert Miscellaneous directory

INSTALL_qAlerts_cronClassicUnixRKhunter.sh Script to install rkhunter crontab entires in Classic Unux (e.g. Solaris).

INSTALL_qAlerts_cronsLinuxRKhunter.sh Script to install rkhunter crontab entires in Linux.

These scripts will install two cron entries as follow: