
Setting Up rkhunter Using systemd

rkhunter is a rootkit and malware detection application available in the repositories, so you can install it with pacman:
#pacman -S rkhunter ##to install rkhunter

I'm skipping the configuration steps for your use case, meaning any changes you wish to make to /etc/rkhunter.conf; perhaps another blog post is necessary. For this post, I want to start rkhunter under systemd using the Unit (service) and Timer methods.


systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. systemd provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. systemd supports SysV and LSB init scripts and works as a replacement for sysvinit. Other parts include a logging daemon, utilities to control basic system configuration like the hostname, date, locale, maintain a list of logged-in users and running containers and virtual machines, system accounts, runtime directories and settings, and daemons to manage simple network configuration, network time synchronization, log forwarding, and name resolution.

I want to run rkhunter daily with systemd managing the service and the process. To do this I have to create two files: a Unit (service) file and a Timer file. I'm going to use vim, but use the text editor of your choice.

#vim /etc/systemd/system/rkhunter.service ##to create the service file

[sample service file]
[Unit]
Description=rkhunter rootkit scan and malware detection

[Service]
Type=oneshot
ExecStart=/usr/bin/rkhunter --update
ExecStart=/usr/bin/rkhunter --propupd
ExecStart=/usr/bin/rkhunter --check --sk
RemainAfterExit=yes

Type= can be simple, oneshot, idle, forking, notify or dbus.
ExecStart= is the command to run, given as the full path to the executable.
RemainAfterExit= takes a boolean; yes tells systemd to keep considering the service active after its process has exited.


#vim /etc/systemd/system/rkhunter.timer ##to create a Timer file. A timer file ends in .timer and is paired with the service file.

[sample timer file]
[Unit]
Description=Run rkhunter daily

[Timer]
OnCalendar=daily
RandomizedDelaySec=15m
WakeSystem=true
Persistent=true

[Install]
WantedBy=timers.target

Unit= refers to the service the timer starts; when it is omitted, as in the sample above, the service with the same name as the timer is used.
OnCalendar= sets a realtime (wall-clock) schedule, for example every second, minute, hour, day, week or year.
RandomizedDelaySec= tells systemd to delay the start by a random amount up to this value, so that many timers do not fire at once and system resources are used efficiently.
WakeSystem= tells systemd to wake the system from sleep to run the service, if the hardware supports it.
Persistent= if the timer elapsed while the system was down and the service did not run, systemd runs it at the next opportunity.

$ systemctl status rkhunter.timer
● rkhunter.timer - Run rkhunter daily
   Loaded: loaded (/etc/systemd/system/rkhunter.timer; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-08-12 23:37:04 +08; 1h 6min ago
  Trigger: n/a

● rkhunter.service - rkhunter rootkit scan and malware detection
   Loaded: loaded (/etc/systemd/system/rkhunter.service; static; vendor preset: disabled)
   Active: active (exited) since Sat 2017-08-12 23:08:17 +08; 1h 36min ago
 Main PID: 16924 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/rkhunter.service

If you are prompted to reload systemd, the command is:
#systemctl daemon-reload

If rkhunter finds something suspicious and issues a warning, the process exits with a value other than 0, which systemd treats as failure. I have rkhunter configured in /etc/rkhunter.conf to send me an email in such a case.
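The procedure above end to end, as an added shell example that is not the post's own code: it writes both unit files, sanity-checks them, and enables the timer (the status output above shows the timer "disabled", i.e. started but never enabled). The UNIT_DIR variable is an assumption so the functions can be dry-run against a scratch directory; the unit also departs from the sample in two ways explained in the comments.

```shell
# Added example, not code from the original post. UNIT_DIR is an assumption
# so the functions can be exercised against a scratch directory without root.
UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"

write_units() {
    mkdir -p "$UNIT_DIR"
    # Differences from the post's sample: the "-" prefix on --update tells
    # systemd to continue to the next ExecStart even if the update step fails
    # (e.g. no network), so the scan still runs. --propupd is left out because
    # it rewrites the file-properties baseline right before --check compares
    # against it, so the properties test could never warn. Refresh that
    # baseline deliberately, after a verified package upgrade.
    cat > "$UNIT_DIR/rkhunter.service" <<'EOF'
[Unit]
Description=rkhunter rootkit scan and malware detection

[Service]
Type=oneshot
ExecStart=-/usr/bin/rkhunter --update
ExecStart=/usr/bin/rkhunter --check --sk --nocolors
RemainAfterExit=yes
EOF
    cat > "$UNIT_DIR/rkhunter.timer" <<'EOF'
[Unit]
Description=Run rkhunter daily

[Timer]
OnCalendar=daily
RandomizedDelaySec=15m
WakeSystem=true
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Sanity check before reloading systemd: the scan must be present, --propupd
# must not run in the same unit, and the timer must hook into timers.target.
check_units() {
    grep -q -- '--check' "$UNIT_DIR/rkhunter.service" &&
    ! grep -q -- '--propupd' "$UNIT_DIR/rkhunter.service" &&
    grep -q '^WantedBy=timers.target$' "$UNIT_DIR/rkhunter.timer"
}

# enable --now both enables the timer (survives reboot) and starts it.
enable_timer() {
    systemctl daemon-reload &&
    systemctl enable --now rkhunter.timer &&
    systemctl list-timers rkhunter.timer
}
```

Run `write_units && check_units && enable_timer` as root; a non-zero exit from the daily check shows up as a failed rkhunter.service in `systemctl status` and in the journal.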
