19 March 2018 Home
q-Status Rkhunter q-Alerts
q-Status q-Alerts provides a demonstrate of log noise suppression alerts to identify warning changes of the log file generated by the popular root hunter security scanning shell script program called Rkhunter. To use q-Status q-Alerts with RKhunter:
- RKhunter must be deployed on each server.
- RKhunter must be configures to generate a rkhunter.log in the /var/log directory once a day.
The q-Status bin directory will automatically copy the rkhunter.log file to the q-Status web server with the other configuration date for processing by q-Status q-Alerts. This has already been pre-configured as of q-Status Linux 5.20 Update 04.
q-Status q-Alerts for Rkhunter is an example implementation of identify changes in output files on a daily bases. It works the same way as any of the other q-Status q-Alerts funtions and can be cleared from the q-Status Administrative GUI by generating another baseline.
Rkhunter is released as GPL licensed project and free for everyone to use.
Rkhunter is a shell script program written by Michael Boelen. It supports Unix, Linux and Solaris type operating systems. This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
Rkhunter is released as GPL licensed project and free for everyone.
Documentation and full description of Rkhunter can be found at http://www.rootkit.nl/projects/rootkit_hunter.html You can download the software from this site. For rpm Linux types (RedHat Fedora, Centos) user, Rkhunter is also part of Source Forge and can be installed and updated from their site. See note at end of document.
To use q-Status q-Alerts with Rkhunter must be installed and function on each server.
Documentation and full description of Rkhunter can be found at http://www.rootkit.nl/projects/rootkit_hunter.html You can download the software from this site. For RedHat Linux base user, Rkhunter is also part of Source Forge and can be installed and updated from their site. Perform a "yum install rkhunter".
To enable a cron entry, Logiqwest has provided the 'install_rkhunter_cron.sh' script (click link to download). This script will also automatically perform a property update for an initial install.
q-Status Rkhunter discrepancies alert is an automatic email notification if a discrepancy is evaluated between the last rkhunter.log baseline and the . It identify changes in the warning outputs. If the warnings are the same, no email is sent. New warning that are not in the last rkhunter.log baseline, will generate an email.rkhunter.log
A simple crontab entry will execute a script to compare the most recent baselines for Rkhunter and create an alert email of any discrepancies found. The email is then sent using smtp to a users in a configurable baseline alert mailing list.
q-Status Baseline Alerts requires little configuration set up to implement. Rkhunter discrepancy alerts are clear by simply generating a new baseline. If no discrepancies are found, no email baseline discrepancy alerts are sent.
The email alert summarizes each host and the number warning discrepancies. A q-Status link to its web page report is provides. Clicking this link will take the user to the Root Kit Hunter "Baseline Comparison" report page in the "Discrepancies Only" mode. This is displayed as a true table stating is a warning is present. The word "true" for a discrepancy will link the user to the full report and to the exact link where this entry appears.
Other links are provide such as "Search" and changing the report to "Full" display
Setting up q-Status RKhunter Alerts requires four steps:
- Editing Alert.conf to added web location of q-StatusLinux.
- Adding email addresses to the mail_list_security.conf.
- Configuring the smtp or sendmail mail program.
- Adding crontab entries to call to the q-Status RKhunter Alert program.
Note: q-Status Alerts utilized an independent Perl Script smtpClient.pl located in the qAlert directory. This smtp Perl script support all types of mail servers including encrypted mail servers to provide q-Status the greatest flexibility. This script requires that two Perl libraries be installed on the server to support this security:
Even though this may not be required, LogiQwest wished to maintain this smtp Perl script in its full functional format. When you run any of the Perl scripts that call this program smtpClient.pl, an error message may be generated stating that these libraries cannot be found. To fix this issue, simply use Perl with the CPAN and shell options (e.g. perl -MCPAN -eshell) as root, to enter the interactive CPAN environment:
# perl -MCPAN -eshell
Then performing an install to install the missing libraries:
... ... ... ... ... cpan> install IO::Socket::SSL ... ... ... ... ... cpan> install Net::SSLeay ... ... ... ... ... cpan> quit #
You may need to configure CPAN for the server before completing the install. This is documented when you execute perl the initial "-MCPAN -eshell" options.
All configuration files and the q-Status RKhunter Alert program are located in the directory qAlert/ of the q-Status program and is broken down this way:
Name Description qAlert The qAlert Directory baselineAlertLinux.pl q-Status Baseline email alert program. Set up to be called by crontab. diskAlertsLinux.pl q-Status Disk threshold email alert program. Set up to be called by crontab. rkhunterAlertLinux.pl q-Status RKhunter changes email alert program. smtpClient.pl smtp Perl email program. Program is called by baselineAlertWindows.pl conf Configuration Files directory Alert.conf Contain entry of q-Status web location address and reports true or false parameters. mail_list_base.conf Mailing list and parameters for baseline line alerts mail_list_disk.conf Mailing list and parameters for disk threshold alerts mail_list_security.conf Mailing list and parameters for RKhunter alerts smtp.conf Configuration file for smtp for access to remote mail server. Copy smtp.conf.template to smtp.conf to activate. smtp.conf.template Template Configuration file for smtp for access to remote mail server. Rename or copy to smtp.conf. Goodies qAlert Miscellaneous directory INSTALL_qAlerts_cronClassicUnix.sh Script to install qAlert crontab entires in Classic Unux (e.g. Solaris). INSTALL_qAlerts_cronClassicUnixRKhunter.sh Script to install rkhunter crontab entires in Classic Unux (e.g. Solaris). INSTALL_qAlerts_cronsLinux.sh Script to install qAlert crontab entires in Linux. INSTALL_qAlerts_cronsLinuxRKhunter.sh Script to install rkhunter crontab entires in Linux. tmp scratch write area for email message.
The Perl script rkhunterAlertLinux.pl, and the shell scripts INSTALL_qAlerts_cronClassicUnixRKhunter.sh and INSTALL_qAlerts_cronsLinuxRKhunter.sh are used to support RKhunter Alerts.
Note: In the directory qAlert/conf copy or rename "smtp.conf.template" to "smtp.conf" and edit as described below.
The Alert.conf file contains for parameter entries.
- The http_ref web location parameter is used for the hyperlinks displays in the email messages. It must consist an http entry for the parameter http_ref. Note that is must contain a ending slash (/).
- The remaining parameters are used for baseline comparison and have no effect with q-Status RKhunter Alerts.
The "mail_list_security.conf" file consist of two sections. The first section defined the from-to-subject of the email that will appear when sent. Note the "FROM" and "TO" do not need to be valid email addresses. The "TO" can a group name such as "Database Group", "Production Group" or anything that may be appropriate. The from also does not need to be a real email address such as "qstatus alert" or "Server Monitoring". The "SUBJECT" parameter will display in the mail subject line of the receiver.
# Mail List Version 1.02 #------------------------------------------------------------------------------- # Mail HEADER parameters # FROM - general from list # TO - mailing general name # SUBJECT - general subject FROMemail@example.com TO|Server Group SUBJECT|TEST q-Status Linux RKhunter Security Discrepancy Detected #------------------------------------------------------------------------------- #email|name|note #firstname.lastname@example.org|John Doe|Comment out person email@example.com|The Support|Test firstname.lastname@example.org|The Support|Test email@example.com|administrator|PRODUCT ANNOUNCEMENT #firstname.lastname@example.org|
The second part consist of the email addresses in the following format:
email address Name Note
separated by a bar (|). You may comment out an email address, by enter in a pound (#) at the beginning of the line. This email address will not be processed. Both Note and Name are not used for the email.
In the directory qAlert/conf copy of rename "smtp.conf.template" to "smtp.conf". The "smtp.conf" file contains the smtp mail parameters. The consist of:
Name Default Description MAIL_METHOD
has two options:
- smtpmail - user smtp mail server requiring password and userid
- unixmail - uses standard Unix sendmail
MAILSERVER smtp mail server name or address PORT 25 mail server port. Normally 25 USER mail server login name. Setting this value to NULL, specifies that the mail server requires no password or userid to be accessed to send mail. PASSWORD mail server login name password FROM A real email user address (must be a valid email address) BASEMAILIST mail_list_base.conf baseline alert mailing list. Default is mail_list_base.conf DISKMAILIST mail_list_disk.conf disk alert mailing list. Default is mail_list_disk.conf SECUREMAILIST mail_list_security.conf security (rkhunter) alert mailing list. Default is mail_list_security.conf MESSAGE_DIR tmp/ temporary directory where email message is written. Do not change. VERBOSE FALSE User for debugging. VERBOSE has three parameters: TRUE, FALSE and NOMAIL
- FALSE - the default setting when configured correctly
- TRUE - displays mail debugging messages and sends mail.
- NOMAIL - Run discrepancy report without sending mail. Results displayed on screen.
smtp.conf ###SMTP Parameter File Version 2.01 # MAIL_METHOD has two options: # smtpmail - user smtp mail server requiring password and userid # unixmail - uses standard Unix sendmail # When MAIL_METHOD is set to unixmail, USER and PASSWORD are ignored. MAIL_METHOD|smtpmail # MAIL_METHOD|unixmail MAILSERVER|smtp.mycompany.com PORT|25 USER|mail_user PASSWORD|abcdefg FROMemail@example.com BASEMAILIST|mail_list_base.conf DISKMAILIST|mail_list_disk.conf SECUREMAILIST|mail_list_security.conf MESSAGE_DIR|tmp/ # VERBOSE has three parameters: TRUE, FALSE and NOMAIL # FALSE - the default setting when configured correctly. # TRUE - displays mail debugging messages and sends mail. # NOMAIL - Run discrepancy report without sending mail. Results # displayed on screen. VERBOSE|TRUE
These setting are the same that you set up for a email program on a computer. Check with the mail administrator or provide to obtain the correct values.
Note: Using MAIL_METHOD equal 'unixmail', it is assume that the q-Status Linux Web server has been configurate properly (e.g. mailhost) to support a sendmail process.
q-Status Linux RKhunter Alerts will only generate email if there is a change from the previous RKhunter report collected as a baseline. If no discrepancy exist for any of the rkhunter report comparisons, no email will be sent. Therefore to test the alerts, one may need to create a rkhunter report discrepancy. Say by editing an existing rkhunter file (e.g in data directory <hostname>.rkhunter) .
q-Status Linux RKhunter Alerts can then be tested by simply running the rkhunterAlertLinux.pl Perl script from the command line.
The commands is run in a quiet mode, so no command line out will be displayed. But mail should be delivered. You can enable some diagnostic by changing the value of the VERBOSE option in the smtp.conf file. The VERSOSE parameter has three parameters: TRUE, FALSE and NOMAIL:
- FALSE - the default setting when configured correctly.
- TRUE - displays mail debugging messages with mail.
- Run discrepancy report without sending mail. Results displayed on screen.
If the smtp mail seems to not work correctly or there is general failure, edit the "smtp.conf" file and change the parameter "VERBOSE" to 'TRUE". Now when "baselineAlertRKhunter.pl" is run, results, outputs and email server dialog will be displayed at the command line. This maybe useful to locate configuration errors.
- q-Status Disks Alerts will only generate email if a threshold has been exceeded. If there is no threshold is exceeded, no Disk Alert will be sent.
- q-Status Baseline Alerts require that baselines be created and updated on a regular bases. If no baselines exist for a specified server, evaluation of that server will not be processed and no email will be sent.
- Many mail servers support a security check where the "USER" and the "FROM" entry must be the same. If not mail is send when tested, try assigning these values to be the same.
In the qAlert/Goodies/ directory are two files:
- INSTALL_qAlerts_cronsLinuxRKhunter.sh -Script to install qAlert crontab entires for Linux web server.
- INSTALL_qAlerts_cronClassicUnixRKhunter.sh - Script to install qAlert crontab entires in Classic Unux (e.g. Solaris web server).
Running this scripts as root wil not only install the qAlerts crons for baseline and disks, but will also install the crontab to generate new baselines every week. "INSTALL_qAlert_cronsLinux.sh" will places entries in the cron.weekly, cron.daily and cron.hourly directories for Linux.
This scripts calculate the location of the q-Status Linux Web server and create cron entries to call the Perl Scripts.
Name Description qAlert The qAlert Directory Goodies qAlert Miscellaneous directory INSTALL_qAlerts_cronClassicUnixRKhunter.sh Script to install rkhunter crontab entires in Classic Unux (e.g. Solaris). INSTALL_qAlerts_cronsLinuxRKhunter.sh Script to install rkhunter crontab entires in Linux.
These scripts will install two cron entries as follow:
- daily crontab entry for rkhunter alerts - calling q-statusLinux/qAlert/baselineAlertsRKhunter.pl
- weekly crontab for baseline creation - calling q-statusLinux/Goodies/baseUnixCreateSolaris.pl
q-Status RKhunter Alerts contain a flag associated with the summary of each alert. The values are "Warning", "Alert" and "Critical". Since it is highly subjective as to what this means, q-Status uses a special method for this classification.
For each RKhunter discrepancy, each list of servers has a maximum number of discrepancies found per server. If the maximum number is less than 3, all discrepancy flags will be considered a "Warning". Above or equal to 3, the maximum discrepancies is divided by 3. If the number of discrepancies falls in the first third, it is considered to be just a "Warning". If it falls in the second third is an "Alert" and the last third it will be considered "Critical".
q-Status Alerts is a new function to q-Status. Feedback to q-Status Alerts is always welcome. LogiQwest would really appreciate suggestion. Request for Enhancements to the alerts is alway welcome.
LogiQwest does provide to a clients any technical information of programs structure for any custom implementation using its tools and under its LICENSE agreement included with the program. q-Status
LogiQwest also provides custom implementation of q-Status technology on a time and material base. For any effort where LogiQwest has performed the development, LogiQwest supports the life cycle of the program, maintain it and make sure that it will run with all future revision of q-Status.
Support is easily obtained through the Email at firstname.lastname@example.org
Or by phone:
16458 Bolsa Chica Street #15
Huntington Beach, CA 92649
LogiQwest, Inc. - USA email@example.com Phone 714.883.1949