Question rkhunter.conf

[Seba]

how can I modify the

rkhunter.conf

?
Watchdog reports a lot of warning that I want to suppress.

The first lines of the conf file say this:

#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST AFTER YOU UPGRADE PLESK.

Do I need to create a

rkhunter.conf.local

file and insert there my configuration?
What I need to add inside? just the config i want?

 

[Ales]

Yes, create /usr/local/psa/etc/modules/watchdog/rkhunter.conf.local and add the configuration directives you wish to change to this new configuration file.

After you've done it, run:

/usr/local/psa/admin/sbin/modules//watchdog/rkhunter --configfile /usr/local/psa/etc/modules/watchdog/rkhunter.conf --check-config

in order to check the validity of your configuration. If no error is returned, the configuration is valid.

If it helps anyone, here is a /usr/local/psa/etc/modules/watchdog/rkhunter.conf.local (Plesk 17.8.11, Centos 7 under openvz) for reference:

# Used to suppress:
#  "Warning: Package manager verification has failed"
PKGMGR_NO_VRFY="/usr/local/psa/etc/modules/watchdog/rkhunter.conf"

# Used to suppress:
#  "Warning: The following suspicious shared memory segments have been found"
ALLOWIPCPROC=/usr/sbin/httpd

# Used to suppress:
#  "Warning: Found enabled xinetd service"
XINETD_ALLOWED_SVC=/etc/xinetd.d/ftp_psa
XINETD_ALLOWED_SVC=/etc/xinetd.d/poppassd_psa
XINETD_ALLOWED_SVC=/etc/xinetd.d/smtp_psa
XINETD_ALLOWED_SVC=/etc/xinetd.d/smtps_psa
XINETD_ALLOWED_SVC=/etc/xinetd.d/submission_psa

# Add avail_modules and loaded_modules to DISABLE_TESTS to suppress:
#  "Warning: The kernel modules directory '/lib/modules' is missing or empty."
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps avail_modules loaded_modules

# Used to suppress:
#  "Warning: Hidden file found"
ALLOWHIDDENFILE=/etc/.updated
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz

Note, this configuration is specific to our Plesk instances and should be inspected and adjusted before using it elsewhere.

Edit: adjusted the referenced configuration above, I had an old version in our documentation, this is now current.

 

[trialotto]

how can I modify the

rkhunter.conf

?
Watchdog reports a lot of warning that I want to suppress.

The first lines of the conf file say this:

#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST AFTER YOU UPGRADE PLESK.

Do I need to create a

rkhunter.conf.local

file and insert there my configuration?
What I need to add inside? just the config i want?

@Seba

On an Ubuntu system, the location of the rkhunter.conf.local file would be : /opt/psa/etc/modules/watchdog/rkhunter.conf.local

Furthermore, note that you can alter a lot with rkhunter.conf.local file, but that does not mean that you should do so.

In essence, the most annoying messages should be suppressed, which can be achieved by adding on an Ubuntu based system :

1 - Ignore changes made to rkhunter.conf by setting :

PKGMGR_NO_VRFY=/opt/psa/etc/modules/watchdog/rkhunter.conf

2 - Ignore false positives related to xinetd based services :

XINETD_ALLOWED_SVC=/etc/xinetd.d/ftp_psa
XINETD_ALLOWED_SVC=/etc/xinetd.d/poppassd_psa

Note : more is not necessary, rkhunter should not give you other warnings than those warnings related to the two above services.

Note : you do NOT want to suppress messages for all xinetd based service - this would simply skip checking, leaving your system still vulnerable.

3 - Allow Apache2

ALLOWIPCPROC=/usr/sbin/apache2

4 - Disable tests for specific rkhunter modules

DISABLE_TESTS=loaded_modules

Note : it should not be the case that you block all or most test explicitly, after you have enable all tests - this is a safe approach, but a inherently wrong approach : enabling all tests is really not necessary, certainly not if you want to discard some tests.

5 - OPTIONAL : Ignore SSH and SSH_v1 related messages :

ALLOW_SSH_ROOT_USER=yes (note : only required if there is a root user)
ALLOW_SSH_PROT_V1=0 (note: we do not actually want to use this, but rkhunter will sometimes keep on nagging about this one)

Note : both of the statements are only to be included if and only if you get warnings about this - otherwise, please do not use them.


Naturally, you can fine tune rkhunter.conf.local even further - but I would not recommend that at all.

If you really want full control over security checks, you would be rather better off by implementing some more advanced tool (and rkhunter is not that advanced).

Hope the above helps a (tiny) bit.

Kind regards...........

 

[Seba]

Thanks all, in the end I came up with this:

# Used to suppress:
#  "The SSH and rkhunter configuration options should be the same"
ALLOW_SSH_ROOT_USER=no

# Used to suppress:
#  "Warning: Package manager verification has failed"
PKGMGR_NO_VRFY="/usr/local/psa/etc/modules/watchdog/rkhunter.conf"

# Used to suppress:
#  "Warning: The following suspicious shared memory segments have been found"
ALLOWIPCPROC=/usr/sbin/httpd

# Used to suppress:
#  "Warning: Found enabled xinetd service"
XINETD_ALLOWED_SVC=/etc/xinetd.d/nrpe
XINETD_ALLOWED_SVC=/etc/xinetd.d/ftp_psa
XINETD_ALLOWED_SVC=/etc/xinetd.d/poppassd_psa

# Used to suppress:
#  "Warning: Hidden file found"
ALLOWHIDDENFILE=/etc/.updated
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz

 

[Ales]

2 - Ignore false positives related to xinetd based services :

XINETD_ALLOWED_SVC=/etc/xinetd.d/ftp_psa
XINETD_ALLOWED_SVC=/etc/xinetd.d/poppassd_psa

Note : more is not necessary, rkhunter should not give you other warnings than those warnings related to the two above services.

It does if you use qmail instead of postfix. Qmail under Plesk uses a few more xinetd services.

4 - Disable tests for specific rkhunter modules

DISABLE_TESTS=loaded_modules

Note : it should not be the case that you block all or most test explicitly, after you have enable all tests - this is a safe approach, but a inherently wrong approach : enabling all tests is really not necessary, certainly not if you want to discard some tests.

I think you might be misunderstanding how rkhunter configures which tests to run. There are two settings, ENABLE_TESTS and DISABLE_TESTS. All required tests must be either explicitly listed one by one under ENABLE_TESTS (with DISABLE_TESTS=NONE) or all tests must be enabled with ENABLE_TESTS=ALL and the unneeded ones disabled explicitly one by one.

The latter is the default for the rkhunter configuration file as the upstream itself ships it, the default for major linux distributions, such as CentOS (EPEL), Fedora, Debian and for the rkhunter packaged by Plesk.

This approach seems better to me because if rkhunter gets a new test in between versions, it will be enabled without needing a configuration change.

Since the ENABLE_TESTS=ALL setting is already a part of rkhuter.conf (along with the list of disabled tests), it isn't really needed in the rkhunter.conf.local, but setting both ENABLE_TESTS and DISABLE_TESTS again in one place makes for a safer and less error prone configuration because rkhunter.conf can change during system updates, while rkhunter.conf.local won't.

Hope the above helps a (tiny) bit.

Kind regards...........

It does, thanks. Comparing configurations of such services between different systems is always helpful.

 

[trialotto]

@Ales

Let's start with this remark :

It does, thanks. Comparing configurations of such services between different systems is always helpful.

It is always an excellent idea to

- verify which OS the thread starter is using, before giving a reply as a Plesk Expert
- include a solution for other OSes or system environments, since that can simply do no harm

and there is always the possibility that Plesk Experts or Plesk Forum members help each other to achieve before mentioned objectives, by augmenting each other's posts.

Actually, that is the entire purpose of this forum - helping each other.

Now, with respect to the remark

It does if you use qmail instead of postfix. Qmail under Plesk uses a few more xinetd services.

you will have to note that I am aware of that - I have many servers running Plesk with various setups, for testing purposes alone.

However, you should also note that using Qmail is not to be preferred over Postfix - the default Postfix (as shipped with Plesk) is a bit more secure and even when one does manage to configure Qmail security properly, the usage of Qmail will still increase the actual attack surface : the performance gain is not worth that type of risk.

With respect to

Since the ENABLE_TESTS=ALL setting is already a part of rkhuter.conf (along with the list of disabled tests), it isn't really needed in the rkhunter.conf.local, but setting both ENABLE_TESTS and DISABLE_TESTS again in one place makes for a safer and less error prone configuration because rkhunter.conf can change during system updates, while rkhunter.conf.local won't.

I must emphasize that I am not misunderstanding rkhunter config.

It is exactly what you yourself stated : "Since the ENABLE_TESTS=ALL setting is already a part of rkhuter.conf (along with the list of disabled tests)"

For that reason alone, it is not necessary to fill rkhunter.conf.local with the line ENABLE_TESTS=ALL - actually, this line in rkhunter.conf.local has NO function!

In essence, the config in rkhunter.conf is preferred over the config in rkhunter.conf.local : when the config in both files conflict, rkhunter.conf is dominant.

In my humble opinion, this is not only impractical, but I would be safe to call it a (minor) design flaw - one of the many reasons that rkhunter is not the best tool for the job.

Nevertheless, I agree with the part : " .... again in one place makes for a safer and less error prone configuration .... "

It is always good to be safe ..... and in the case of rkhunter configuration, it does not make any difference to include some config for the second time in rkhunter.conf.local.

That is exactly what I stated earlier with

this is a safe approach, but a inherently wrong approach : enabling all tests is really not necessary

However, you should be aware that rkhunter config duplication is not always a good idea - in some cases, the duplication of default config (as present in rkhunter.conf) to the custom config file rkhunter.conf.local will lead to unexpected situations or even dangerous situations : at upgrade time with a change of rkhunter and/or rkhunter.conf, it can be the case that the proper working of rkhunter is not guaranteed anymore, if the rkhunter.conf.local has not been adjusted accordingly.

It sounds a bit odd, but these "unexpected" or "dangerous" situations do occur more then should be expected.

For that reason alone, it is often best to keep rkhunter.conf.local limited to an absolute minimum.

Again, I have to emphasize the actual differences between specific circumstance and the relation to what we both are saying :

1 - in case of a given specific version and config of rkhunter : we agree that it is or can be safe to duplicate config to rkhunter.conf.local,

2 - in case of a change in rkhunter or it's config : we probably agree that config duplication to rkhunter.conf.local becomes a risk, in the sense that already existing duplicated config can become dangerous, unless the config duplicates to rkhunter.conf.local are properly maintained and updated.

In summary, I would not recommend config duplication to rkhunter.conf.local : it is not necessary and it is impractical, since it requires perfect updating of rkhunter.conf.local.

Kind regards..........

 

[Ales]

Actually, that is the entire purpose of this forum - helping each other.

Of course, I think all this is understood without even mentioning. Your contribution of Ubuntu related differences is more than welcome, especially since I omitted to mention them and I should have. That's the same reason why, I'm sure, you equally appreciate my correction of your xinetd related instructions for the sake of qmail users.

We may erroneously omit some things in a single post, but as long as we as a community manage to get it sorted out in a single thread, I think we're doing a good job on the forum. Perhaps we could take this line of discussion elsewhere, though, as it isn't directly related to rkhunter.

However, you should also note that using Qmail is not to be preferred over Postfix...

We'll have to agree to disagree on this point. As above, I suggest leaving further postfix vs qmail discussion for some other occasion as it would only lead us further off topic.

In essence, the config in rkhunter.conf is preferred over the config in rkhunter.conf.local : when the config in both files conflict, rkhunter.conf is dominant.

In my humble opinion, this is not only impractical, but I would be safe to call it a (minor) design flaw - one of the many reasons that rkhunter is not the best tool for the job.

Ok, this is a surprise. I did a couple of quick tests with rkhunter to confirm this and, sadly, you're correct. Indeed an unfortunate design decision for which I'd use stronger words than you did.

 

[trialotto]

@Ales,

This part, being

We'll have to agree to disagree on this point. As above, I suggest leaving further postfix vs qmail discussion for some other occasion as it would only lead us further off topic.

would be a bit off-topic, but it is an interesting discussion - for many people on the forum.

In essence, I am a Qmail advocate and was an avid Qmail user, but there are some serious security and other issues - certainly when used in combination with Plesk.

For the sake of general upgrade/update and config compatibility, I would recommend Postfix with Plesk.

For the sake of performance and the possibility to tweak config beyond the galaxy, I would be inclined to choose Qmail.

But the thing is that we are working with Plesk - it is best served with Postfix unless one is able to create perfect mail server configs (in which case Postfix and Qmail are too a high degree equivalently sufficient for the job).

In short, the Postfix vs Qmail challenge is more or less undecided - but any good discussion about both of them is always an excellent idea.

With respect to

Ok, this is a surprise. I did a couple of quick tests with rkhunter to confirm this and, sadly, you're correct. Indeed an unfortunate design decision for which I'd use stronger words than you did.

I can simply say that I am fully aware of the history and the decisions made with respect to configuration.

Please note that rkhunter is not "as it used to be" - that is part of the history of rkhunter.

In general, one could force reality by stating that the "new rkhunter" is Lynis - a different package, a different design and an excellent alternative to rkhunter.

I explicitly use the term "design flaw", given that (on the one hand) a well-considered decision has been made with respect to config - anyone else would have made the same decisions at the time of (active) development and (on the other hand) package maintenance became different after 2006.

Stronger words are not necessary, not in my humble opinion.

Kind regards........