Rootcheck is another great rootkit-checking tool for your Slice. You can never have too many.
Continuing our series on scanning for rootkits, we now concentrate on installing and configuring Rootcheck.
Rootcheck is open source rootkit detection and system auditing software. It scans the whole system looking for known rootkits. Using anomaly detection, it also searches for unknown (private or custom) and kernel-level rootkits. In addition, it checks your configuration for insecure options.
Log into your slice and change to your "sources" directory:
Once there, download the latest version of rootcheck from the OSSEC website:
Version 2.0 is the latest stable version at the time of writing, but do check the rootcheck home page to see if a newer version is available.
Check the md5sum
An MD5 hash functions as a compact digital fingerprint for a file. md5sum is a command line utility that calculates and verifies 128-bit MD5 hashes.
Being good sysadmins we want to check the md5sum of the downloaded file before extracting it and installing it.
To find the md5 checksum of the downloaded package:
Compare this with the checksum published on the website. If the two don't match, the file you have is not the one the project published: it was either corrupted during the transfer or altered along the way. In that case re-download the tar.gz file and check it again with md5sum. Bear in mind that MD5 is no longer collision-resistant, so this check is reliable against accidental corruption but is not a strong guarantee against deliberate tampering.
Once we're happy with our download we can extract the source code:
tar -zxvf rootcheck-2.0.tar.gz
Next we'll change to the newly-created directory:
To install the code, simply issue the following command:
sudo make all
Let's run it:
sudo ./ossec-rootcheck >results.txt
That command will run the rootcheck program and write the output to a file named "results.txt".
We can read that file in our favorite editor and analyze the results. The INFO messages are reported just for informational purposes and can generally be ignored.
It would be a good idea to have a cron job that runs daily and sends a small security report to your email account. Let's create a shell script for this cron job:
#!/bin/sh
cd /home/demo/sources/rootcheck-2.0 || exit 1
./ossec-rootcheck -c rootcheck.conf | mail -s 'rootcheck daily report' root@localhost
Don’t forget to replace root@localhost with your preferred e-mail address.
Save the file and call it something like 'rootcheckscript.sh'. Make the file executable:
chmod 750 rootcheckscript.sh
Now set a root cronjob as follows:
sudo crontab -e
20 3 * * * /home/demo/sources/rootcheck-2.0/rootcheckscript.sh
That will run the command at 3:20am every day. Provided you have 'mail' installed and configured (see our email articles for help if needed), the results will be sent to the email address you specified.
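A variant of the daily report script, added here as an example and not taken from the original article: it mails only the non-INFO lines, so the mailbox stays quiet unless rootcheck reports something worth reading. The install directory, the report address, the `--run` flag and the sample scanner output are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script. Assumes rootcheck was built in
# ROOTCHECK_DIR as described in the article; the [INFO] prefix follows the
# article's note that INFO lines are informational only, and SAMPLE_OUTPUT is
# constructed for the stand-alone demonstration.
ROOTCHECK_DIR=/home/demo/sources/rootcheck-2.0
REPORT_TO=root@localhost   # replace with your own address

# Drop blank lines and [INFO] lines from rootcheck output read on stdin.
filter_findings() {
    grep -v '^[[:space:]]*$' | grep -v '^\[INFO\]'
}

# Number of non-INFO lines in the report text passed as $1 (0 if none).
count_findings() {
    printf '%s\n' "$1" | filter_findings | awk 'END { print NR }'
}

# Run the scanner and mail a report only when there is something to report,
# so a quiet night sends nothing and a real finding is not buried in routine noise.
run_report() {
    cd "$ROOTCHECK_DIR" || return 1
    report=$(./ossec-rootcheck -c rootcheck.conf 2>&1)
    findings=$(printf '%s\n' "$report" | filter_findings)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings" | mail -s "rootcheck report: $(hostname)" "$REPORT_TO"
}

# Constructed sample of scanner output, used when the script is run without --run.
SAMPLE_OUTPUT='[INFO]: Starting rootcheck scan.

[WARN]: constructed sample finding line
[INFO]: Ending rootcheck scan.'

if [ "${1:-}" = "--run" ]; then
    run_report
else
    printf 'non-INFO lines in sample: %s\n' "$(count_findings "$SAMPLE_OUTPUT")"
    printf '%s\n' "$SAMPLE_OUTPUT" | filter_findings
fi
```

Put it in the crontab with `--run` appended; run without arguments it only exercises the filter on the constructed sample.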