rkhunter

Install and set up Rootkit Hunter on Debian-like systems.

Requirements

None.

Role Variables

About the /etc/default/rkhunter file

• rkhunter_cron_daily_run: [default: 'true']: Set to 'true' to run rkhunter daily.
• rkhunter_cron_db_update: [default: 'true']: Set to 'true' for weekly database updates.
• rkhunter_db_update_email: [default: 'false']: Set to 'true' to receive email about weekly updates.
• rkhunter_report_email: [default: root]: Email address for reports and results.
• rkhunter_apt_autogen: [default: 'false']: Set to 'true' for automatic database updates.
• rkhunter_nice: [default: 0]: Controls the scheduling priority, from -20 (high priority) to 19 (low priority).
• rkhunter_run_check_on_battery: [default: 'false']: Run checks on battery if 'true' (requires powermgmt-base).

About the /etc/rkhunter.conf file

• rkhunter_rotate_mirrors: [default: 1]: 1 to switch between mirrors, 0 to use the first failing mirror.
• rkhunter_update_mirrors: [default: 1]: 1 to update the mirrors list, 0 to keep it unchanged.
• rkhunter_mirrors_mode: [default: 0]: 0 to use any mirror, 1 for local only, 2 for remote only.
• rkhunter_mail_on_warning: [default: root@localhost]: Email address for warning notifications.
• rkhunter_mail_cmd: [default: 'mail -s "[rkhunter] Warnings found for ${HOST_NAME}"']: Command for sending warning emails.
• rkhunter_bindir: [default: "{{ ansible_env.PATH | replace(':',' ')}}"]: Directory for commands used by rkhunter.
• rkhunter_language: [default: en]: Default language setting.
• rkhunter_logfile: [default: /var/log/rkhunter.log]: Path to the log file.
• rkhunter_append_log: [default: 0]: 0 creates a new log file, 1 appends to the existing log.
• rkhunter_copy_log_on_error: [default: 0]: 0 does not copy the log file; 1 copies it.
• rkhunter_use_syslog: [default: NONE]: Logs start and finish times with syslog; requires standard facility and priority.
• rkhunter_allow_ssh_root_user: [default: 'no']: Warns if SSH config does not match the root login settings.
• rkhunter_enable_tests: [default: ALL]: Choose which tests to run.
• rkhunter_disable_tests: [default: suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps]: List of tests to disable.
• rkhunter_hash_cmd: [default: SHA256]: Specifies the hash command for file checks.
• rkhunter_pkgmgr: [default: NONE]: Use the specified package manager for file property info.
• rkhunter_existwhitelist: [default: []]: Whitelist for existing files and directories.
• rkhunter_attrwhitelist: [default: []]: Whitelist for specific file attributes.
• rkhunter_writewhitelist: [default: []]: Allows certain files to have write permissions for 'others'.
• rkhunter_scriptwhitelist: [default: []]: Allows certain files to be considered scripts.
• rkhunter_immutwhitelist: [default: []]: Allows certain files to be set as immutable.
• rkhunter_allowhiddendir: [default: []]: Whitelist specific hidden directories.
• rkhunter_allowhiddenfile: [default: []]: Whitelist specific hidden files.
• rkhunter_allowprocdelfile: [default: '']: Allows processes to use deleted files.
• rkhunter_allowproclisten: [default: []]: Allows specified processes to listen on network interfaces.
• rkhunter_port_whitelist: [default: []]: Whitelist for network ports, including 'protocol:port' pairs.
• rkhunter_port_path_whitelist: [default: []]: Whitelist network ports, combining executable paths and protocols.

Dependencies

None.

Example Playbook

---
- hosts: all
  roles:
    - rkhunter

License

MIT

Author Information

Maxime Lareo

Feedback, bug-reports, requests, ...

Your feedback is welcome!