Key Knowledge Areas:
- Use and configure the Linux Audit system
- Use chkrootkit
- Use and configure rkhunter, including updates
- Use Linux Malware Detect
- Automate host scans using cron
- Use RPM and DPKG package management tools to verify the integrity of installed files
- Configure and use AIDE, including rule management
- Awareness of OpenSCAP
Partial list of the used files, terms and utilities:
- auditd
- auditctl
- ausearch, aureport
- auditd.conf
- audit.rules
- pam_tty_audit.so
- chkrootkit
- rkhunter
- /etc/rkhunter.conf
- maldet
- conf.maldet
- rpm
- dpkg
- aide
- /etc/aide/aide.conf
(Fedora 31: audit.x86_64)
This file contains settings like: disk_full_action, plugin_dir, transport, verify_email, write_logs, etc.
(Fedora 31: audit.x86_64)
This file is generated from: /etc/audit/rules.d/*.rules.
(Fedora 31: pam.x86_64)
man 8 pam_tty_audit
(Fedora 31: rkhunter.noarch)
(https://www.rfxn.com/downloads/maldetect-current.tar.gz)
(Fedora 31: aide.x86_64 - as /etc/aide.conf)
(Fedora 31: audit.x86_64)
The general configuration file is called /etc/audit/auditd.conf. This file contains settings like: disk_full_action, plugin_dir, transport, verify_email, write_logs, etc. Plugins are configured as: /etc/audit/plugins.d/*.conf. Rules are configured through /etc/audit/audit.rules, which is generated from: /etc/audit/rules.d/*.rules.
(Fedora 31: audit.x86_64)
With auditctl you can add, delete, or list rules, control the auditd daemon, and insert or remove watches.
Note: This command must be run as root user.
Examples:
monitor (=watch) a path for attribute changes:
auditctl -w /tmp/foo -p a
remove the watch:
auditctl -W /tmp/foo -p a
(Fedora 31: audit.x86_64)
Search the audit logs, or create summary reports of them.
Note: These commands must be run as root user.
(Fedora 31: chkrootkit.x86_64)
Application that checks for several known rootkits.
(Fedora 31: rkhunter.noarch)
Bourne-tyoe shell script (i.e. bash, ksh, etc.) that detects known rootkits and malware. It is bundled with some support scripts, some of them written in perl.
/etc/rkhunter.conf (excerpt):
# limit the languages that will be updated with `rkhunter --update`
# (this option can be specified multiple times)
#UPDATE_LANG=""
# run `rkhunter --propupd` automatically upon OS change
# 0: disable
# 1: enable
#UPDT_ON_OS_CHANGE=0
/etc/cron.daily/rkhunter (Fedora 33):
Cron job which updates definitions through rkhunter --update --nocolors, and then scans the host with rkhunter --cronjob --nocolors --report-warnings-only.
LMD is a collection of Bash scripts.
Malware detection (and cleaning) through checksum analysis of files based on metadata collected from real life (active!) malware attacks against shared hosted environments.
/etc/cron.daily/maldet:
Cron job which (optionally) automatically updates the engine, signatures, or both. And then continues to scan the host. The job is installed through install.sh.
(Fedora 31: rpm.x86_64)
Verify an installed package: rpm (-V|--verify) [(-v|--verbose)] $package
(Fedora 31: dpkg.x86_64)
Verify an installed package: dpkg [(-D|--debug=)$n] (-V|--verify) $package
(Fedora 31: aide.x86_64)
Creates, or compares, digests of files to detect (unwarranted) changes.
There is a set of default rules present in /etc/aide.conf. The list can be modified here, and then referred to in path entries below.
Example (excerpt):
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#m: mtime
#c: ctime
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#sha256: sha256 checksum
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
/etc/fstab NORMAL