Last active October 21, 2022 03:10
Rkhunter Setup
# dir: /etc/pacman.d/hooks/
[Trigger]
Operation = Upgrade
Type = Package
Target = *

[Action]
Description = rkhunter --propupd
When = PostTransaction
Exec = /usr/bin/rkhunter --propupd --report-warnings-only
Depends = rkhunter
# dir: /etc/pacman.d/hooks/
[Trigger]
Operation = Upgrade
Type = Package
Target = *

[Action]
Description = rkhunter.service status check
When = PreTransaction
# "systemctl is-failed" exits 0 when the unit is in the failed state, so the "!"
# makes this hook fail, and AbortOnFail stops the upgrade, until the scan is clean again.
Exec = /usr/bin/sh -c "! /usr/bin/systemctl is-failed rkhunter.service"
Depends = rkhunter
AbortOnFail = yes
# Rootkit Hunter Custom Settings

## Allow some hidden directories/files
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWHIDDENFILE=/etc/.updated
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz

## Ignore the warnings: 'The command ... has been replaced by ...'
SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/ldd

## False Positive: WP-CLI
RTKT_FILE_WHITELIST=/usr/bin/wp
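[Unit]
Description=Rootkit Scan

[Service]
Type=oneshot
# "-" prefix: rkhunter --update exits 2 when it installed updated data files, which
# would otherwise fail the unit before the scan runs. A failed download is tolerated too.
ExecStartPre=-/usr/bin/rkhunter --update --report-warnings-only
# The scan exits non-zero when it reports warnings, which leaves the unit in the failed state.
ExecStart=/usr/bin/rkhunter --cronjob --report-warnings-only
# Runs only after ExecStart succeeded, so the baseline is refreshed only after a clean scan.
ExecStartPost=/usr/bin/rkhunter --propupd --report-warnings-only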
[Unit]
Description=Daily Rootkit Scan

[Timer]
OnCalendar=05:00:00
Persistent=true

[Install]
WantedBy=timers.target
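
A check worth running against the custom settings file above, since every whitelist entry is a path rkhunter will stop warning about. This is an added example, not part of the original gist: the function name, the status labels and the /etc/rkhunter.conf.local path in the usage comment are assumptions, and it expects one path per option line, as in the file above.

```shell
#!/bin/sh
# Added example (not from the gist): audit rkhunter whitelist entries.
#
# audit_rkhunter_whitelist CONF
#   Prints one line per whitelist entry: "<STATUS> <OPTION> <PATH>"
#     OK        path exists and is not group- or world-writable
#     MISSING   path does not exist (stale entry that should be removed)
#     WRITABLE  path is group- or world-writable (a whitelisted path that
#               others can modify is a blind spot in the scan)
#   Returns 1 if any entry is not OK, otherwise 0.
#
# Usage (path is an assumption): audit_rkhunter_whitelist /etc/rkhunter.conf.local
audit_rkhunter_whitelist() {
    conf=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Only the four whitelist options used in the settings file are audited.
        case $line in
            ALLOWHIDDENDIR=*|ALLOWHIDDENFILE=*|SCRIPTWHITELIST=*|RTKT_FILE_WHITELIST=*) ;;
            *) continue ;;
        esac
        opt=${line%%=*}
        path=${line#*=}
        if [ ! -e "$path" ]; then
            status=MISSING
        # -L follows symlinks so the target's mode is tested, not the link's.
        elif [ -n "$(find -L "$path" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            status=WRITABLE
        else
            status=OK
        fi
        [ "$status" = OK ] || rc=1
        printf '%s %s %s\n' "$status" "$opt" "$path"
    done < "$conf"
    return $rc
}
```
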
I made a setup script for Arch Linux that can entirely automate this rkhunter setup:
https://github.com/amekusa/arch-setup/
UPDATE @ 2021-11-09: Added rkhunter-propupd.hook