mablanco.antirootkits

Panoramica Versioni Approfondimenti

mablanco.antirootkits

This is an Ansible role used to install various tools that help detect rootkits and malware:

  • Rkhunter: Scans for rootkits, backdoors, sniffers, and exploits.
  • chkrootkit: A tool that detects rootkits.
  • Unhide: A forensic tool to find hidden processes and ports used by rootkits.
  • Shell Detector: Helps find and identify malicious PHP, CGI (Perl), ASP, and ASPX shells.

This role works on Debian, RHEL, and their related systems. Note that chkrootkit is not available for RHEL.

Role Variables

Tools to Install

Use these variables to decide if a tool should be installed (true) or not (false). All variables are set to 'false' by default.

  • rkhunter
  • chkrootkit
  • unhide
  • shelldetector

General Setup

  • antirootkits_mail_cmd: Command used to send reports (different for Debian and RHEL).
  • antirootkits_mail_from: The email address that will send audit reports. You need to provide a valid one.
  • antirootkits_mail_to: The email address that will receive audit reports. You need to provide a valid one.
  • antirootkits_log_expire: Number of days before logs are deleted. Defaults to '90'.
  • antirootkits_rkhunter_diag_scan: Include a detailed report check in the Rkhunter scan. Defaults to 'no' (only for RHEL).

Unhide Setup

  • unhide_cron_hour: The hour when Unhide's cron job runs. Defaults to '6'.
  • unhide_cron_minute: The minute when Unhide's cron job runs. Defaults to '00'.

Shell Detector Setup

  • shelldetector_install_directory: Directory where Shell Detector will be installed. Defaults to '/opt/Shell-Detector'.
  • shelldetector_scan_directory: Directory that will be scanned. Defaults to '/var/www'.
  • shelldetector_cron_hour: The hour when Shell Detector's cron job runs. Defaults to '6'.
  • shelldetector_cron_minute: The minute when Shell Detector's cron job runs. Defaults to '30'.

Rkhunter Setup

  • rkhunter_allow_ssh_root_user: Defines settings for rkhunter regarding the sshd configuration. Defaults to 'no'.

Example Playbook

Here’s an example of how to use this role:

- hosts: servers
  vars:
     antirootkits_mail_from: '[email protected]'
     antirootkits_mail_to: '[email protected]'
  roles:
     - { role: mablanco.antirootkits }

License

GPLv3

Informazioni sul progetto

Linux antirootkit tools deployment

role security
Installa
ansible-galaxy install mablanco.antirootkits
GitHub repository
4 stelle
4 fork
1 problemi aperti
Licenza
gpl-3.0
Download
2.1k
Proprietario
Marco Antonio Blanco
DevSecOps & Cloud Engineer, FOSS advocate and Agile supporter.