Sunday, August 13, 2017

Setting Up rkhunter Using systemd

rkhunter is a rootkit and malware detection application available in the repositories. So you can install it using pacman with command:
#pacman -S rkhunter ##to install rkhunter.

I'm skipping configuration steps for your user case. I'm referring to any changes you wish to do with /etc/rkhunter.conf. Perhaps another blog post is necessary. For this post, I wish to start rkhunter in systemd using Unit and Timer methods.


systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. systemd provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. systemd supports SysV and LSB init scripts and works as a replacement for sysvinit. Other parts include a logging daemon, utilities to control basic system configuration like the hostname, date, locale, maintain a list of logged-in users and running containers and virtual machines, system accounts, runtime directories and settings, and daemons to manage simple network configuration, network time synchronization, log forwarding, and name resolution.

I wish to run rkhunter daily with systemd managing the service and the process. To do this I have to create two files. A Unit or Service file and a Timer file. I'm going to use vim but use the text editor of your choice.

#vim /etc/systemd/system/rkhunter.service ##to create the service file

[sample service file]
[Unit]
Description=rkhunter rootkit scan and malware detection


[Service]
Type=oneshot
ExecStart=/usr/bin/rkhunter --update
ExecStart=/usr/bin/rkhunter --propupd
ExecStart=/usr/bin/rkhunter --check -sk
RemainAfterExit=yes 

Type can be simple, oneshot, idle, forking, notify and dbus. 
ExecStart is the command for the process, path to the command.
RemainAfterExit accepts boolean value, yes if you want to tell systemd that the process is active after it exited.


#vim /etc/systemd/system/rkhunter.timer ##to create a Timer file. A timer file ends in .timer. A timer file is required by the service file. 

[sample timer file]
[Unit]
Description=Run rkhunter daily


[Timer]
OnCalendar=daily
RandomizedDelaySec=15m
WakeSystem=true
Persistent=true


[Install]
WantedBy=timers.target

Unit= refers to the service the timer is starting
OnCalendar= refers to real time (wallclock, etc.) for example second, minute, hours, day, week, year
RandomizedDelaySec= tells systemd to manage start of process to efficiently use system resources
WakeSystem= tells systemd to wake the system up from sleep to perform action if supported
Persistent= in case of process failing to run after elapse of timer, systemd runs the process

$ systemctl status rkhunter.timer
● rkhunter.timer - Run rkhunter daily
   Loaded: loaded (/etc/systemd/system/rkhunter.timer; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-08-12 23:37:04 +08; 1h 6min ago
  Trigger: n/a

● rkhunter.service - rkhunter rootkit scan and malware detection
   Loaded: loaded (/etc/systemd/system/rkhunter.service; static; vendor preset: disabled)
   Active: active (exited) since Sat 2017-08-12 23:08:17 +08; 1h 36min ago
 Main PID: 16924 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/rkhunter.service

If you are prompted to reload systemd, the command is :
#systemctl daemon-reload

If rkhunter finds something suspicious, and issues a warning the process will exit with a value other than 0 which is failure. I have rkhunter configured to send an email to me in /etc/rkhunter.conf in such a case.
Post a Comment

Update Chromium From 61 -->> 62

Browser updates are very important to web security. Don't miss it. If there's a piece of software that you really have to get right,...