faq
     automatically emailed to root by the cron process.

     Note that the '--update' option has been included. Rkhunter will
     first perform any updates required to its data files, and then
     perform the system checks. This option can be omitted, but it is
     suggested that the option is used regularly to ensure that the
     rkhunter data files are kept up to date.

     If it is wished that all the normal output of rkhunter, as seen when
     running rkhunter from the command-line, is emailed to root, then this
     is possible. The '--rwo' option should be removed, and the '--cronjob'
     option replaced by '--sk --nocolors --check'.

     The next example is of a cronjob script. For Linux systems this
     script could be put into the /etc/cron.daily directory, so that
     it will be automatically run every day.

     The script might look like this:

          #!/bin/sh

          ( /usr/local/bin/rkhunter --cronjob --update --rwo && echo "" ) \
            | /bin/mail -s "Rkhunter daily run on `uname -n`" root

          exit 0

     Because we are piping any output through to the mail command, it is
     required to use 'echo ""' when there are no warnings. Without this,
     the mail command would issue its own warning about there being no
     message body.

     If it is wished to include the date in the output, then something
     like this could be used instead:

          #!/bin/sh

          ( date; /usr/local/bin/rkhunter --cronjob --update --rwo ) \
            | /bin/mail -s "Rkhunter daily run on `uname -n`" root

          exit 0

     Finally, it is possible to run rkhunter in quiet-mode, whereby no
     output will be produced at all. However, if the return code indicates
     that warnings were found, then we get cron to mail the root user.
     For example:

          30 5 * * * /usr/local/bin/rkhunter --cronjob --update --quiet \
                     || echo "Rkhunter daily run on `uname -n` has produced warning messages"

     An alternative to the above example would be to use:

          30 5 * * * /usr/local/bin/rkhunter --cronjob --update --quiet

     and then simply set the MAIL-ON-WARNING option in the configuration
     file with the root email address. This way, rkhunter produces no
     output, and so nothing is emailed to root by cron. However, if any
     warnings are found, then a notice message is emailed to root by
     rkhunter itself.

     Note: The '--quiet' option in the above two examples is not actually
     necessary, but was included for clarity. The '--cronjob' option assumes
     the '--quiet' option, and so, as mentioned above, when rkhunter is run
     with the '--cronjob' option no output is generally produced.


3.4) What is the meaning of the test names?

A.   See the README file for information about the test names.


3.5) Can rkhunter handle filenames with spaces in them?

A.   Generally no. Within the tests the space character is typically
     used to delimit command output fields. Some tests will work, but
     others will not.


3.6) What does the following warning mean:

       Determining OS... Warning: this operating system is not
       fully supported!

A.   This is a message from older versions of rkhunter. Upgrade to
     a newer version.


3.7) I have just installed Rootkit Hunter, and I am already
     getting warning messages. Why is that?

A.   The first run of rkhunter after an installation will usually give
     some warning messages. One of the checks is whether the file of
     file properties (called 'rkhunter.dat') exists. This file won't
     exist until rkhunter is run with the '--propupd' option. There is
     also a check to see if any commands have been replaced by a script.
     To avoid these warning messages you can whitelist the commands in
     your rkhunter.conf file. Similarly, if there are warnings about
     hidden files or directories, then these can be whitelisted. Look in
     the configuration file and you will find examples of these.

     Once these changes have been made, then re-run rkhunter and no
     warnings should appear. Obviously warning messages from other
     checks indicate that something else is wrong, and so should be
     investigated.

     NOTE: When using the '--propupd' option it is the user's
           responsibility to ensure that the files on their system are
           genuine. Rootkit Hunter can only inform the user of a change
           to the files, not whether they are the original files or not.
           Although Rootkit Hunter can use a package manager for some
           systems, it must be remembered that the package manager itself
           uses files stored on the system. Those files may have been
           tampered with.

     The logfile will contain further information about each warning
     message. Once the reason for the warning has been found, and you
     believe that rkhunter has given a false-positive result, then
     looking in the configuration file may show you that the relevant
     item can be whitelisted.


3.8) When I used the '--propupd' option, Rootkit Hunter told me
     I had some missing hashes. What does this mean?

A.   Your system probably uses prelinking (the log file will say if
     it does or not). Sometimes a file may be updated but not be
     prelinked. When this happens RKH cannot determine the file's hash
     value. If you run the command 'prelink --verify --sha <file>'
     on the file, it will probably give an error about the file's
     dependencies having changed. This is what RKH sees, and flags
     it as a missing hash. If you are sure that the file is genuine,
     then you can try using 'prelink <file>' to correct it. The
     'prelink' command above should then work. Re-run RKH with the
     '--propupd' option to ensure that all the hash values are recorded.


3.9) I run rkhunter in cron and in the emailed output I get some strange
     characters. Why is this?

A.   The problem only occurs when the '--update' or '--versioncheck'
     options are used, and does not occur when rkhunter is run from
     the command-line. It also does not occur if the '--cronjob' or
     '--quiet' options are used in cron.

     The emailed output probably looks something like this:

           [1;33mChecking rkhunter data files...[0;39m
           Checking file mirrors.dat[34C[ [1;32mNo update[0;39m ]

     The 'strange' characters are ANSI color codes and escape sequences,
     and this is why the problem does not occur if rkhunter is run from
     the command-line. The terminal correctly interprets the codes, but
     cron cannot do this.

     The solution is to use the '--nocolors' option in your cron job.
     The '--cronjob' option assumes '--nocolors', which is why the
     problem does not occur when '--cronjob' is used.


===========================================================
4. ERROR AND WARNING MESSAGES
=============================

4.1) What does the following warning mean:

       The file of stored file properties (rkhunter.dat) is empty,
       and so must be created. To do this type in
       'rkhunter --propupd'.

A.   For rkhunter to perform file property checks, it must first
     have a database file ('rkhunter.dat') containing the property
     values for each file. It can then compare each file's current
     values against those stored in the database. Any difference
     indicates that the file has changed. To create and/or update
     the database file use the '--propupd' option.

     NOTE: An additional warning will be displayed stating that it
           is the user's responsibility to ensure that the files are
           valid before using the '--propupd' option. That is, the
           user must be sure that the files have not been compromised.


4.2) Rootkit Hunter skips some checks, and the logfile indicates
     that certain commands are missing. What can I do?

A.   You have a choice:

       1) Install the relevant command. You may be able to do this
          simply by running a package updater for your system (for
          example, 'yum' or 'apt-get').

       2) You may be able to disable the check by adding its test
          name to your rkhunter.conf file. (See the README file
          for more information about the test names.)

       3) If you are sure that the relevant command is present on
          your system, then rkhunter is having a problem locating
          it. Check the logfile for the 'command directories' it
          is using. If the directory containing the command isn't
          listed, then you can set the command directories to use
          by using the '--bindir' command-line option, or the BINDIR
          option in the rkhunter.conf file.


4.3) I get warnings from PHP like:

        PHP Warning: Function registration failed - duplicate name
        - pg_update in Unknown on line 0.

     What does this mean?

A.   This is usually because you have updated the Apache version
     of PHP, but forgot to update/recompile the CLI (console
     version) of PHP. So recompile/update it and try again.


4.4) After performing some updates, all, or some, binaries in the
     file properties checks are marked with a 'Warning'.
     What can I do?

A.   The first thing would be to verify that the update is the cause
     of the warnings. Checking the system log files should indicate
     what has been updated.

     It is most likely that the stored rkhunter file property values
     need to be recalculated. To do this use the RKH '--propupd'
     option. However, the output of the RKH file properties check
     should only be seen as an indication that the file has changed.
     Updating the stored property values should be done only after
     proper verification of the files using a file integrity checker
     or your distribution's package management tools.

     Alternatively, you can use the '--pkgmgr' command-line option, or
     the PKGMGR option in the configuration file, to tell RKH to obtain
     its file properties information from the package manager database.
     See the README file for more information about the package manager
     options.

     NOTES
     =====

     1) If the logfile indicates that a file's hash value has changed
        from some value to 'No hash value found', and your system
        uses prelinking, then the file probably needs to be
        specifically prelinked. This can usually be done by running
        the 'prelink' command on the relevant file. Running RKH with
        the '--propupd' option afterwards will indicate if there
        are still any hash values missing. Check the logfile and
        repeat the above process of prelinking the files.

        RKH will try and determine if your system is using prelinking
        or not. The logfile will contain the result of the check.

     2) If your system uses Libsafe and prelinking, then errors can
        occur. Disable preloading Libsafe in /etc/ld.so.preload.
        Prelink again, and then run 'rkhunter --propupd'.


===========================================================
5. UPDATING QUESTIONS
=====================

5.1) Rootkit Hunter tells me that I have multiple versions
     installed. How is this possible?

A.   Usually you install a tool and upgrade it later. Sometimes
     if you use a 'non-official' updater or package manager
     (for example, from an external party, or a build from source
     using an installer like RPM/DEB/TGZ), the binaries may be
     installed into a different location from the original. So there
     are then two binaries with the same name, but in different
     locations. You will have to check which are the old binaries,
     and remove them.


5.2) Can I be notified when a new release will be available?

A.   Yes, you can join the rkhunter-announce mailing list. This is
     a low volume list. Details can be found on the RKH web site.
     Additionally, the '--versioncheck' option of rkhunter itself
     will indicate if a new version is available.


===========================================================
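The cron answers in section 3 above give three separate patterns: '--cronjob --update --rwo' so that only warnings are printed, an 'echo ""' so that mail is never handed an empty body, and acting on rkhunter's exit status as the quiet-mode crontab line does. The wrapper below combines them in one script; it is an added example and not part of the rkhunter FAQ or the rkhunter project. It assumes rkhunter at /usr/local/bin/rkhunter and mail at /bin/mail as on the page; the RKH, MAILER and MAIL_ALWAYS variables, the 'run' argument and the /usr/local/sbin/rkhunter-cron.sh path are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the rkhunter FAQ: a cron wrapper combining the
# FAQ's three patterns: '--cronjob --update --rwo' so only warnings are
# printed, an 'echo ""' so mail never sees an empty body, and acting on
# the exit status as the quiet-mode crontab line does.  RKH and MAILER
# default to the paths the FAQ uses; the variable names are this example's.
RKH="${RKH:-/usr/local/bin/rkhunter}"
MAILER="${MAILER:-/bin/mail}"

# build_report CMD [ARGS...]: run CMD, print a dated report body on stdout
# and return CMD's exit status (rkhunter exits non-zero when warnings exist).
build_report() {
    rc=0
    out=$("$@" 2>&1) || rc=$?
    date
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
    else
        # With '--rwo' a clean run prints nothing; the empty line keeps
        # mail from complaining about a missing message body.
        echo ""
    fi
    return "$rc"
}

# subject_for RC: subject line that carries the verdict, not just the host.
subject_for() {
    if [ "$1" -eq 0 ]; then
        echo "Rkhunter daily run on $(uname -n): clean"
    else
        echo "Rkhunter daily run on $(uname -n): WARNINGS (exit $1)"
    fi
}

# run_daily: mail root only when rkhunter reported warnings, as the FAQ's
# '|| echo ...' crontab line does; MAIL_ALWAYS=1 mails every run instead.
# Returns rkhunter's exit status so cron can also record a failed run.
run_daily() {
    rc=0
    report=$(build_report "$RKH" --cronjob --update --rwo) || rc=$?
    if [ "$rc" -ne 0 ] || [ "${MAIL_ALWAYS:-0}" = 1 ]; then
        printf '%s\n' "$report" | "$MAILER" -s "$(subject_for "$rc")" root
    fi
    return "$rc"
}

# Crontab entry, e.g.: 30 5 * * * /usr/local/sbin/rkhunter-cron.sh run
# (the 'run' argument keeps the functions inert when the file is sourced).
if [ "${1:-}" = run ]; then run_daily; fi
```

Unlike the FAQ's first script, this version also mails when rkhunter itself fails to start (a missing binary gives a non-zero status and an error line in the body), so a broken cron job does not pass silently as a clean run.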
