rfe: configure rkhunter

rkhunter gets installed, but needs a bit of config to actually be used. This presumes root@'hostname -d' is a deliverable email address, which is usually the case, but if an option is ever added to the installer to specify an admin email address, switch to that:

sed -Ei -e 's/^CRON_DAILY_RUN=""/CRON_DAILY_RUN="true"/g' -e 's/^CRON_DB_UPDATE=""/CRON_DB_UPDATE="true"/g' -e 's/^REPORT_EMAIL="root"/REPORT_EMAIL="root@'`hostname -d`'"/g' -e 's/^APT_AUTOGEN="false"/APT_AUTOGEN="true"/g' /etc/default/rkhunter

cat >> /etc/rkhunter.conf.local <<EOF
#
# This is the local configuration file for Rootkit Hunter.
#
# (see rkhunter.conf for available settings)
#

PKGMGR="DPKG"
ALLOW_SSH_PROT_V1="2"
EOF

(grep ^PermitRootLogin /etc/ssh/sshd_config || echo PermitRootLogin unset) | awk '{print "ALLOW_SSH_ROOT_USER=" $2}' >> /etc/rkhunter.conf.local

test -d /lib/modules || echo 'DISABLE_TESTS="avail_modules"' >> /etc/rkhunter.conf.local

test -x /usr/sbin/apache2 && echo 'ALLOWIPCPROC=/usr/sbin/apache2' >> /etc/rkhunter.conf.local

# updates rkhunter if needed
/etc/cron.weekly/rkhunter

# baseline
rkhunter --propupd

# logs issues found (takes a few minutes)
rkhunter --cronjob

# now add script whitelists
grep 'replaced by a script' /var/log/rkhunter.log | cut -f12 -d' ' | cut -d: -f1 | sort -u | xargs -I{} echo SCRIPTWHITELIST={} >> /etc/rkhunter.conf.local
Edited by Jesse Norell
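
An added example, not part of the original issue: a stricter way to derive `ALLOW_SSH_ROOT_USER` than the grep/awk one-liner above (it handles indented or lowercase keywords, repeated lines and `Match` blocks), plus an idempotent writer so rerunning the setup does not append duplicate lines. The function names `ssh_root_setting` and `set_local_option` are hypothetical, and taking the first global value follows sshd's own first-value-wins rule; that rkhunter's check reads the file the same way is an assumption.

```shell
#!/bin/sh
# Added example (not from the original issue); function names are hypothetical.

# Print the value ALLOW_SSH_ROOT_USER should carry for the given sshd_config:
# the first global PermitRootLogin value, or "unset" if there is none.
# Assumption: first value wins, as sshd itself applies it.
# Limitation: Include directives (sshd_config.d drop-ins) are not followed.
ssh_root_setting() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }                  # keywords may be indented
        /^#/ || NF == 0 { next }                # skip comments and blank lines
        tolower($1) == "match" { exit }         # the rest is conditional config
        tolower($1) == "permitrootlogin" {      # keywords are case-insensitive
            gsub(/"/, "", $2); print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Set KEY=VALUE in FILE exactly once, replacing earlier KEY= lines, so the
# setup can be rerun without piling up duplicates. Runs in a subshell so its
# variables do not leak into the caller.
set_local_option() (
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || exit 1
    [ -f "$file" ] || : > "$file"
    grep -v "^${key}=" "$file" > "$tmp" || true   # grep exits 1 if nothing is left
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"                          # keeps the file's owner and mode
    rm -f "$tmp"
)

# Usage with the paths from the issue:
#   set_local_option /etc/rkhunter.conf.local ALLOW_SSH_ROOT_USER \
#       "$(ssh_root_setting /etc/ssh/sshd_config)"
```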