添加文件/目录到 rkhunter 检查

添加文件/目录到 rkhunter 检查

我的问题很简单,而且我很惊讶这个问题以前没有人问过。

如何将文件或目录添加到 rkhunter 检查中?这样,我可以看到我的目录出现在“rkhunter --propupd”命令中。我知道我可以修改 .dat 文件,但如果我这样做,我宁愿自己编写一个脚本来检查特定目录的 md5sum/sha1sum

希望有人能帮助我!祝你有个愉快的一天 :)

答案1

编辑:也许我让你困惑了(当然,我写了或者代替...)

以下是一步一步的操作:

mkdir /var/local/test
touch /var/local/test/test.bla

添加配置rkhunter.conf

USER_FILEPROP_FILES_DIRS="/var/local/test/test.bla"

跑步rkhunter --propupd

运行rkhunter --check [--sk](如果您愿意,不应返回任何错误或警告)

编辑文件/var/local/test/test.bla

跑步rkhunter --check [--sk]

我的输出:

/bin/dash                                                [ OK ]

/var/local/test/test.bla                                 [ Warning ]

您还可以将/var/local/test/*其用作该目录中所有文件的通配符。


这是的命令行参数--propupd

来自手册页(重点是我的)

--propupd [{文件名|目录| 软件包名称},...] rkhunter 执行的检查之一是将各种命令的各种当前文件属性与其先前存储的属性进行比较。此命令选项使 rkhunter 使用当前值更新其存储值的数据文件。如果使用 filename 选项,则它必须是完整路径名或纯文件名(例如“awk”)。使用时,将仅更新该文件的文件属性数据库中的条目。如果使用 directory 选项,则将仅更新数据库中列出的位于给定目录中的文件。类似地,如果使用软件包名称选项,则仅更新数据库中属于指定软件包的文件。软件包名称必须是名称的基本部分,不应包含版本号 - 例如“coreutils”。当然,只有在使用软件包管理器时,软件包名称才会存储在文件属性数据库中。如果软件包名称与文件名相同 - 例如,“file”可以指“file”命令或 RPM“file”软件包(其中包含“file”命令) - 则将使用软件包名称。如果没有给出特定选项,则更新整个数据库。

警告:用户有责任确保系统上的文件是真实的并且来自可靠的来源。rkhunter 只能报告文件是否已更改,但不能报告导致更改的原因。因此,如果文件已更改,并且使用了 --propupd 命令选项,则 rkhunter 将假定该文件是真实的。

或者当然,将其更改为rkhunter.conf

#
# This option is a space-separated list of commands, directories and file
# pathnames which will be included in the file properties checks.
# This option can be specified more than once.
#
# Whenever this option is changed, 'rkhunter --propupd' must be run.
#
# Simple command names - for example, 'top' - and directory names are
# added to the internal list of directories to be searched for each of
# the command names in the command list. Additionally, full pathnames
# to files, which need not be commands, may be given. Any files or
# directories which are already part of the internal lists will be
# silently ignored from the configuration.
#
# Normal globbing wildcards are allowed, except for simple command names.
# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
#
# Specific files may be excluded by preceding their name with an
# exclamation mark (!). For example, '!/opt/top'. By combining this
# with wildcarding, whole directories can be excluded. For example,
# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
# two directory levels of '/etc'. However, anything in '/etc/rc0.d',
# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
#
# NOTE: Only files and directories which have been added by the user,
# and are not part of the internal lists, can be excluded. So, for
# example, it is not possible to exclude the 'ps' command by using
# '!/bin/ps'. These will be silently ignored from the configuration.
#
#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"

这应该将其添加到 rkhunter db。

相关内容