Adding a rootkit hunter hash check to the daily script

Because of all this remote work, the training laptop, half empty before, has turned into the main working machine, and it is worth protecting it a bit more thoughtfully, which management is, in general, clearly hinting at. The laptop now runs Ubuntu 20.04 beta.

It all started with sensible BIOS settings and full disk encryption, which I probably shouldn't write about. But then I decided to find out what the rkhunter utility ("rootkit, backdoor, sniffer and exploit scanner") can do at the file level.

I had no great expectations of software that had not been updated for a couple of years. I must say right away that I very much doubt the value of February 2018 signatures for finding rootkits, but one of its other modes of operation, checking file hashes, did interest me. If you are interested in this experiment and what has come of it so far, read on.

The idea is simple: add to the morning script of useful things a check that the MD5 hashes of files that should not change have in fact not changed. At least not until a package update should change them. A very light but, in my opinion, not useless form of whitelisting. The current version of the utility, which can compute and check the hashes, is installed simply from the package manager:

apt search rkhunter
rkhunter/focal,focal,now 1.4.6-8 all [installed]
  rootkit, backdoor, sniffer and exploit scanner

The main hunter config is /etc/rkhunter.conf, and the first parameter I set there to solve my problem was:

ENABLE_TESTS=hashes

Because, apart from hashes, nothing else interests me yet. The list of other possible tests can be obtained with the command:

sudo rkhunter --list test

I still consider MD5 collisions a matter of mathematics rather than practice. I do not insist on this opinion, but I look at good malware almost every day and have not yet encountered such collisions in the wild. So for now this is enough for me in the config:

HASH_CMD=MD5

Then I specified my package manager and, most importantly, the directories whose file hashes interest me. The paths will be, for example, /bin and /usr/bin. The hunter will also warn about files that have appeared in the directories but were not there at the time of calculation.

PKGMGR=DPKG
USER_FILEPROP_FILES_DIRS=/bin/*
USER_FILEPROP_FILES_DIRS=/usr/bin/*

Here is an important point: with my settings, scanning is based on directories, not on packages. This is probably more correct, because packages contain a lot of non-executable files, and those would first have to be filtered out, for example with file. So far I have chosen the path of growing the list of directories and exceptions.

We are done with the scanner config for now; it is time to update the database of correct hashes in /var/lib/rkhunter/db/rkhunter.dat with the new settings. For that you need the following command (it also accepts the names of packages to add to the database, if you go the other way):

sudo rkhunter --propupd

After that, all the files of interest to you and their hashes should appear in rkhunter.dat. In my case that is 2847 files, and the indexer took 9m 2,117s. That seems a bit much for three thousand MD5s, considering md5sum on /bin/ls takes 0.003s, but that is how it is.

That's it, we are ready to run a check. Not a combat one yet; it is unlikely that some malware has already managed to change the hashes.

sudo rkhunter -c

There is one very useful key here, --rwo (report warnings only), which skips all successful comparisons and outputs only warnings. The result of the run is to be found in /var/log/rkhunter.log. As for the speed of the check, for my almost three thousand binaries it took 10m 27,489s, comparable to the indexing time.
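As an added example, not code from the original post, here is what that step of the morning script could look like: run the check in warnings-only mode and pull the changed and unknown paths out of the log. The log lines embedded below are a constructed approximation of rkhunter.log, and the function names are my own choice.

```shell
#!/bin/sh
# Added example, not from the original post. The sample log lines are constructed
# to approximate rkhunter.log; the function names are hypothetical.

RKH_LOG=${RKH_LOG:-/var/log/rkhunter.log}

# Constructed sample excerpt of /var/log/rkhunter.log after a hashes-only run.
sample_log() {
    cat <<'EOF'
[07:00:01] Info: Starting test name 'hashes'
[07:00:02] Warning: The file properties have changed:
[07:00:02]          File: /usr/bin/ls
[07:00:02]          Current hash: 0123456789abcdef0123456789abcdef
[07:00:02]          Stored hash : fedcba9876543210fedcba9876543210
[07:00:03] Warning: The file '/usr/bin/newtool' exists on the system, but it is not present in the 'rkhunter.dat' file.
[07:00:04] Info: The system checks took: 10 minutes and 27 seconds
EOF
}

# Number of warning lines in a log read from stdin (prints 0 when there are none).
count_warnings() {
    grep -c 'Warning:' || true
}

# Paths whose stored hash no longer matches: the "File:" line that follows a
# "file properties have changed" warning.
changed_files() {
    awk '/Warning: The file properties have changed/ { want = 1; next }
         want && /File: / { print $NF; want = 0 }'
}

# Paths present in the watched directories but absent from rkhunter.dat.
unknown_files() {
    sed -n "s/.*Warning: The file '\([^']*\)' exists on the system, but it is not present.*/\1/p"
}

# The morning-script step: run the check (warnings only, no keypress prompt),
# then summarise what changed. Exit status is non-zero when anything was flagged.
run_daily_check() {
    sudo rkhunter -c --rwo --sk >/dev/null 2>&1 || true
    n=$(count_warnings < "$RKH_LOG")
    echo "rkhunter: $n warning(s)"
    changed_files < "$RKH_LOG" | sed 's/^/  hash changed: /'
    unknown_files < "$RKH_LOG" | sed 's/^/  not in database: /'
    [ "$n" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then run_daily_check; fi
```

Invoke the script with --run from cron or the morning script; without arguments it only defines the functions, so the parsers can be tried against sample_log.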

We have sorted out the check, but the question of reindexing after package updates remains. That is, we ran apt update and should not now treat all the updated files as malware. The scanner has another config, /etc/default/rkhunter, for automating such tasks. In it we set the parameter:

APT_AUTOGEN="yes"

And in /etc/apt/apt.conf.d/90rkhunter lies the hook responsible for reindexing after updates:

// Makes sure that rkhunter file properties database is updated after each remove or install only APT_AUTOGEN is enabled
DPkg::Post-Invoke { "if [ -x /usr/bin/rkhunter ] && grep -qiE '^APT_AUTOGEN=.?(true|yes)' /etc/default/rkhunter; then /usr/share/rkhunter/scripts/rkhupd.sh; fi"; };

That is all; I will gladly accept any additions. I hope it was helpful.
