
My question is very simple and I'm very surprised to see that this question hasn't been asked before.

How do I add a file or a directory to rkhunter's checks? With that I could see my directory appear in the 'rkhunter --propupd' command. I know I can modify the .dat file, but if I have to do that, I'd rather write a script myself to check md5sum/sha1sum for my specific directory.

Hope that someone can help me! Have a good day :)

KaAzZ

1 Answer

EDIT: Maybe I confused you (of course I did, I wrote 'or' instead of 'and'...)

Here's a step by step:

mkdir /var/local/test
touch /var/local/test/test.bla

Add the config in rkhunter.conf:

USER_FILEPROP_FILES_DIRS="/var/local/test/test.bla"

Run rkhunter --propupd

Run rkhunter --check [--sk] (if you want to; it should return no errors or warnings)

Edit the file /var/local/test/test.bla

Run rkhunter --check [--sk]

My output:

/bin/dash                                                [ OK ]

/var/local/test/test.bla                                 [ Warning ]

You can also use /var/local/test/* as a wildcard for all files in that directory.

It's a command line argument for --propupd:

From the man page (emphasis mine):

--propupd [{filename | directory | package name},...] One of the checks rkhunter performs is to compare various current file properties of various commands, against those it has previously stored. This command option causes rkhunter to update its data file of stored values with the current values. If the filename option is used, then it must either be a full pathname, or a plain file name (for example, 'awk'). When used, then only the entry in the file properties database for that file will be updated. If the directory option is used, then only those files listed in the database that are in the given directory will be updated. Similarly, if the package name option is used, then only those files in the database which are part of the specified package will be updated. The package name must be the base part of the name, no version numbers should be included - for example, 'coreutils'. Package names will, of course, only be stored in the file properties database if a package manager is being used. If a package name is the same as a file name - for example, 'file' could refer to the 'file' command or to the RPM 'file' package (which contains the 'file' command) - the package name will be used. If no specific option is given, then the entire database is updated.

WARNING: It is the users responsibility to ensure that the files on the system are genuine and from a reliable source. rkhunter can only report if a file has changed, but not on what has caused the change. Hence, if a file has changed, and the --propupd command option is used, then rkhunter will assume that the file is genuine.

And, of course, change it in rkhunter.conf:

#
# This option is a space-separated list of commands, directories and file
# pathnames which will be included in the file properties checks.
# This option can be specified more than once.
#
# Whenever this option is changed, 'rkhunter --propupd' must be run.
#
# Simple command names - for example, 'top' - and directory names are
# added to the internal list of directories to be searched for each of
# the command names in the command list. Additionally, full pathnames
# to files, which need not be commands, may be given. Any files or
# directories which are already part of the internal lists will be
# silently ignored from the configuration.
#
# Normal globbing wildcards are allowed, except for simple command names.
# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
#
# Specific files may be excluded by preceding their name with an
# exclamation mark (!). For example, '!/opt/top'. By combining this
# with wildcarding, whole directories can be excluded. For example,
# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
# two directory levels of '/etc'. However, anything in '/etc/rc0.d',
# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
#
# NOTE: Only files and directories which have been added by the user,
# and are not part of the internal lists, can be excluded. So, for
# example, it is not possible to exclude the 'ps' command by using
# '!/bin/ps'. These will be silently ignored from the configuration.
#
#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"

This should add it to the rkhunter db.

Lenniey
  • Thanks for your reply! But that doesn't help... Do I have to manually change the database file? Or can a file be added "dynamically" thanks to a command? – KaAzZ Apr 08 '17 at 19:58
  • @KaAzZ why is it not working? What happens? – Lenniey Apr 10 '17 at 06:30
  • Ok, so let's assume that I want to add the dir "/var/www/html" to the rkhunter check. If I understand what you meant, I should do: `rkhunter --propupd /var/www/html`. But it won't work cause the directory isn't in the .dat file... My question is very simple, how can you add a directory to rkhunter checks? – KaAzZ Apr 11 '17 at 16:10
  • @KaAzZ check my edited answer – Lenniey Apr 12 '17 at 07:43
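An added example, not code from the question, the answer or the rkhunter project: a small Python model of what the answer's two steps do. It expands a USER_FILEPROP_FILES_DIRS-style list (absolute paths, shell globbing, `!` exclusions, as described in the quoted rkhunter.conf comment), records a baseline of file properties the way `rkhunter --propupd` does, and then compares the tree against that baseline the way the file-properties stage of `rkhunter --check` does. The function names (`expand_entries`, `propupd`, `check`, `demo`), the JSON database format and the sample tree built under a temporary directory are all assumptions of this example; simple command names such as 'top' are skipped, since resolving them needs rkhunter's internal search-path list. The tampered file is rewritten with content of the same length, which is why only the hash, not the size, flags the change.

```python
# Added example (not rkhunter's own code): a minimal model of how a
# USER_FILEPROP_FILES_DIRS list is expanded and how a --propupd baseline
# is later compared by --check. Function names and the database layout
# are assumptions made for this example.
import glob
import hashlib
import json
import os
import pathlib
import stat
import tempfile


def expand_entries(spec):
    """Expand a space-separated list like '/etc/* /etc/*/* !/etc/rc?.d/*'.

    Tokens starting with '!' are exclusions. Only absolute paths are
    handled; simple command names (e.g. 'top') are skipped because
    resolving them needs rkhunter's internal directory list. Directories
    themselves are not tracked, only regular files.
    """
    included, excluded = set(), set()
    for token in spec.split():
        negate = token.startswith("!")
        pattern = token[1:] if negate else token
        if not pattern.startswith("/"):
            continue  # plain command name: out of scope for this model
        matches = {p for p in glob.glob(pattern) if os.path.isfile(p)}
        (excluded if negate else included).update(matches)
    return included - excluded


def file_props(path):
    """Properties stored per file: content hash, size, mode bits, owner."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def propupd(spec, db_path):
    """Like 'rkhunter --propupd': record current properties as the baseline."""
    db = {p: file_props(p) for p in sorted(expand_entries(spec))}
    with open(db_path, "w") as fh:
        json.dump(db, fh, indent=1)
    return db


def check(db_path):
    """Like the file-properties stage of 'rkhunter --check'."""
    with open(db_path) as fh:
        db = json.load(fh)
    results = {}
    for path, stored in db.items():
        if not os.path.exists(path):
            results[path] = "Warning: missing"
            continue
        current = file_props(path)
        changed = [k for k in stored if stored[k] != current[k]]
        results[path] = "OK" if not changed else "Warning: " + ", ".join(changed)
    return results


def demo():
    """Constructed scenario in a temp dir: baseline, then edit one file."""
    root = tempfile.mkdtemp()
    for rel_path in ("test/test.bla", "test/keep.txt", "test/rc0.d/S01foo", "bin/ps"):
        p = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        pathlib.Path(p).write_text("original\n")
    # Mirrors the conf comment's example: two directory levels, minus rc?.d
    spec = f"{root}/test/* {root}/test/*/* !{root}/test/rc?.d/*"
    db_path = os.path.join(root, "rkhunter.dat")
    baseline = propupd(spec, db_path)
    before = check(db_path)
    # Same-length edit: size stays 9 bytes, so only the hash changes
    pathlib.Path(os.path.join(root, "test", "test.bla")).write_text("tampered\n")
    after = check(db_path)

    def rel(p):
        return os.path.relpath(p, root)

    return {
        "tracked": sorted(rel(p) for p in baseline),
        "before": {rel(p): v for p, v in before.items()},
        "after": {rel(p): v for p, v in after.items()},
    }


if __name__ == "__main__":
    for path, verdict in demo()["after"].items():
        print(f"{path:40} [ {verdict} ]")
```

Running the script prints one line per tracked file in the same spirit as the answer's output: `test/keep.txt` stays OK while `test/test.bla` gets a warning after the edit, and `test/rc0.d/S01foo` never appears because the `!` exclusion removed it from the baseline, as the rkhunter.conf comment describes for '/etc/rc?.d/*'.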