Skip to main content

Setting Up rkhunter Using systemd

rkhunter is a rootkit and malware detection application available in the repositories. So you can install it using pacman with command:
#pacman -S rkhunter ##to install rkhunter.

I'm skipping configuration steps for your user case. I'm referring to any changes you wish to do with /etc/rkhunter.conf. Perhaps another blog post is necessary. For this post, I wish to start rkhunter in systemd using Unit and Timer methods.


systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. systemd provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. systemd supports SysV and LSB init scripts and works as a replacement for sysvinit. Other parts include a logging daemon, utilities to control basic system configuration like the hostname, date, locale, maintain a list of logged-in users and running containers and virtual machines, system accounts, runtime directories and settings, and daemons to manage simple network configuration, network time synchronization, log forwarding, and name resolution.

I wish to run rkhunter daily with systemd managing the service and the process. To do this I have to create two files. A Unit or Service file and a Timer file. I'm going to use vim but use the text editor of your choice.

#vim /etc/systemd/system/rkhunter.service ##to create the service file

[sample service file]
[Unit]
Description=rkhunter rootkit scan and malware detection


[Service]
Type=oneshot
ExecStart=/usr/bin/rkhunter --update
ExecStart=/usr/bin/rkhunter --propupd
ExecStart=/usr/bin/rkhunter --check -sk
RemainAfterExit=yes 

Type can be simple, oneshot, idle, forking, notify and dbus. 
ExecStart is the command for the process, path to the command.
RemainAfterExit accepts boolean value, yes if you want to tell systemd that the process is active after it exited.


#vim /etc/systemd/system/rkhunter.timer ##to create a Timer file. A timer file ends in .timer. A timer file is required by the service file. 

[sample timer file]
[Unit]
Description=Run rkhunter daily


[Timer]
OnCalendar=daily
RandomizedDelaySec=15m
WakeSystem=true
Persistent=true


[Install]
WantedBy=timers.target

Unit= refers to the service the timer is starting
OnCalendar= refers to real time (wallclock, etc.) for example second, minute, hours, day, week, year
RandomizedDelaySec= tells systemd to manage start of process to efficiently use system resources
WakeSystem= tells systemd to wake the system up from sleep to perform action if supported
Persistent= in case of process failing to run after elapse of timer, systemd runs the process

$ systemctl status rkhunter.timer
● rkhunter.timer - Run rkhunter daily
   Loaded: loaded (/etc/systemd/system/rkhunter.timer; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-08-12 23:37:04 +08; 1h 6min ago
  Trigger: n/a

● rkhunter.service - rkhunter rootkit scan and malware detection
   Loaded: loaded (/etc/systemd/system/rkhunter.service; static; vendor preset: disabled)
   Active: active (exited) since Sat 2017-08-12 23:08:17 +08; 1h 36min ago
 Main PID: 16924 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/rkhunter.service

If you are prompted to reload systemd, the command is :
#systemctl daemon-reload

If rkhunter finds something suspicious, and issues a warning the process will exit with a value other than 0 which is failure. I have rkhunter configured to send an email to me in /etc/rkhunter.conf in such a case.

Comments

Post a Comment

Popular posts from this blog

Password Issues On Ubuntu Login

I found myself unable to enter my login credentials when prompted to do so in Ubuntu. I think I might have changed it then forget about it. I've been running the current session for more days than I should have. I forget. So what's the solution to my problem. How do I get in to my system now? It involved getting into the grub menu somehow. I am uncertain as to how to do that exactly in your system. So there's a couple of ways to do it (finger's crossed). When booting at system start, use the esc key or the shift key. The first one worked for me. The timing is key. Wait until the bios banner shows then hit the esc key once. I am using Ubuntu 22.04.4 here. I have a current version of grub. The grub menu will give you options and the one you want is: root. Yes you want root privileges to set the root password. It should give you a terminal access where you can issue commands. Type: #mount -rw -o -s remount / ==> this command mounts the filesyste...
Post a Comment
Read more

Reflections On My Blogging: Keeping It Honest

When you're facing a white, blank screen trying to decide what to write, it seemed hopeless and hopeful at the same time. It's like watching a boat with its sails unfurled but there's no wind, yet you wait and then see the tide turning. You have to stop the distractions. Shut the door. Wait until your breathing is regular and your mind relaxed, like your wrists on the table infront of you. I imagine me looking sideways but not hearing anything. The sounds come much later. I see the big mass of color first, the greens. Just the vegetation, moving, not even individual trees, not leaves, just the big green. Then behind it the blue sky, unfocused and floating. Do not concern your brain with the details. Forget the words and the punctuations. But be mindful of the flow, trace the outlines, hear the motions. Sometime these things don't have a name, give it a name. How do you give something a name and still be honest? How do you keep your writing honest? I...
Post a Comment
Read more

Webapps in Unity

So it has been 4 months since Ubuntu 14.04 came out. This is LTS and supported for 6 years by Canonical. The first mobile device with Ubuntu pre-installed is promised to come out later this year, 2014. It's time to check out how the apps perform so far. It is a good idea. I use Gmail and Twitter and Facebook. Why not a webapp in a desktop? So I start the Twitter and Gmail webapp. So far it has crashed my computer 6 times. Not a very good sign. On the other hand it does work but not as stable as opening them in Firefox. -- Use my PGP key if you want to encrypt your replies/messages to me. You are invited to also send me your PGP keys so we can communicate in private.
Post a Comment
Read more