Thursday, April 19, 2012

Rootkit check as a cron job with email notification

It is always a good idea to use more than one rootkit checker rather than relying on a single tool, since each one looks for different things. Here is how to set up cron jobs that check the system every day and email you the findings (only when something was found).

First rkhunter:

00 23 * * * (/usr/bin/rkhunter --versioncheck; /usr/bin/rkhunter --update; /usr/bin/rkhunter --cronjob --report-warnings-only)
This will first check whether a newer rkhunter release exists (--versioncheck), update its data files (--update) and then run the scan in cron mode (--cronjob), reporting warnings only (--report-warnings-only). Both --versioncheck and --update need network access, so they only make sense on a machine that can reach the rkhunter mirrors.

The addresses that should receive a message when rkhunter found something are set in /etc/rkhunter.conf, separated by spaces:

MAIL-ON-WARNING=henri.benoit@gmail.com xxx.xxx@googlemail.com

Now chkrootkit:

00 23 * * * /usr/sbin/chkrootkit -q | grep -v "bindshell.*465)" > /tmp/chkrootkit.log && [ -s /tmp/chkrootkit.log ] && mail -s 'chkrootkit findings' henri.benoit@gmail.com xxx.xxx@googlemail.com < /tmp/chkrootkit.log

The grep -v part is only there because chkrootkit keeps reporting the bindshell check as INFECTED on port 465, which on this machine is just postfix listening on the SMTPS port. Other than that, the crontab line scans the system, writes the output to a log file and mails the contents of the log file if it is not empty (grep -v already exits non-zero when it prints nothing, so the chain stops there; the [ -s ] test is a harmless second guard). Two caveats: filtering a false positive this way silences every line matching that pattern, so keep the pattern as narrow as possible and re-check it after upgrading chkrootkit or postfix; and /tmp is world-writable, so a root cron job writing to a fixed, predictable path there can be redirected by any local user who plants a symlink with that name, which is why the log is better kept in a root-owned directory such as /var/log.
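The two crontab entries above work, but a small wrapper script makes the procedure easier to audit and avoids the /tmp problem. The script below is an added example, not code from the original post: it runs both scanners, keeps the logs in a root-owned directory, drops known false positives with an anchored pattern, and mails only when something is left to report. The log directory, recipient list, scanner paths and the shape of the sample chkrootkit lines are assumptions and not taken from the post; the exact wording chkrootkit prints depends on its version, so the pattern should be adjusted to the line actually seen.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper for the nightly
# rootkit-check cron job. Compared to the one-line crontab entries it
#   * writes its logs to a root-owned directory instead of /tmp,
#   * drops known false positives with an anchored pattern that is easy to audit,
#   * mails the remaining findings only when there are any.
# Assumed, not from the post: LOGDIR, RECIPIENTS, the scanner paths and a
# working mail(1). Install as e.g. /usr/local/sbin/rootkit-check and run it
# from root's crontab:  00 23 * * * /usr/local/sbin/rootkit-check --cron
set -u
umask 077   # the logs reveal what a scanner found; keep them root-only

RECIPIENTS="${RECIPIENTS:-root}"
LOGDIR="${LOGDIR:-/var/log/rootkit-checks}"

# Known false positives as one anchored extended regex (join further entries
# with '|'). This entry is the bindshell/465 case from the post: postfix
# listening on the smtps port. Keep each entry as narrow as possible so a real
# hit cannot hide behind it, and re-check it after upgrading chkrootkit or
# postfix, because the exact wording of the line depends on the version.
KNOWN_FALSE_POSITIVES='^Checking .bindshell.*INFECTED \(PORTS: *465\)$'

# Constructed sample lines in the shape of chkrootkit output (not captured
# from a real run), used to exercise the filter without running a scanner.
SAMPLE_FALSE_POSITIVE="Checking \`bindshell'... INFECTED (PORTS:  465)"
SAMPLE_REAL_HIT="Checking \`lkm'... You have     2 process hidden for readdir command"

# filter_findings: read scanner output on stdin and print every line that is
# not a known false positive. Exit status 0 if at least one line remains
# (something to mail), 1 if nothing is left; these are grep's own -v semantics.
filter_findings() {
    grep -E -v -e "$KNOWN_FALSE_POSITIVES"
}

# run_check NAME CMD...: run one scanner, keep its raw output on disk, and mail
# the filtered findings if there are any. Returns 0 for a clean run, 2 when
# findings were mailed, 1 when the scanner could not be run at all.
run_check() {
    name="$1"; shift
    mkdir -p "$LOGDIR" && chmod 700 "$LOGDIR" || return 1
    log="$LOGDIR/$name.$(date +%Y%m%d).log"
    # Both scanners exit non-zero when they find something, so the exit status
    # is not a failure signal; only "no output and non-zero" counts as broken.
    "$@" > "$log.raw" 2>&1 || [ -s "$log.raw" ] || return 1
    if filter_findings < "$log.raw" > "$log"; then
        # $RECIPIENTS is deliberately unquoted: several addresses are allowed.
        mail -s "$name findings on $(hostname)" $RECIPIENTS < "$log"
        return 2
    fi
    rm -f "$log"    # nothing to report; the raw output stays for reference
    return 0
}

# Entry point for cron. Without --cron the script only defines the functions,
# so it can be sourced or tested without touching the system.
if [ "${1:-}" = "--cron" ]; then
    # rkhunter mails by itself when MAIL-ON-WARNING is set in rkhunter.conf;
    # with this wrapper that setting can stay empty, otherwise every warning
    # is mailed twice.
    /usr/bin/rkhunter --versioncheck > /dev/null 2>&1
    /usr/bin/rkhunter --update > /dev/null 2>&1
    run_check rkhunter /usr/bin/rkhunter --cronjob --report-warnings-only
    run_check chkrootkit /usr/sbin/chkrootkit -q
fi
```

The raw output is kept next to the filtered log on purpose: when a filtered-out line is later suspected of having been a real hit, the unfiltered report is still there to compare against.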
