Although an attacker able to install a rootkit is likely also able to evade or delete these tools, not every attacker is a skilful one: not every script kiddie knows about these tools or how to cover their tracks. Since a single mistake can make the difference, on either side, an effortless passive check does no harm and adds one more (maybe thin) layer of defence.
Both rkhunter and chkrootkit, indeed, can be deployed quickly and require little management effort.
With aptitude and its super cow powers, we can just go for a
$ sudo aptitude install chkrootkit rkhunter
Or become root if you're not a sudoer. Once installed, both packages add a cron entry under /etc/cron.daily and execute every day. Whether the daily run is actually enabled is controlled by RUN_DAILY in /etc/chkrootkit.conf and by CRON_DAILY_RUN in /etc/default/rkhunter, so check both files after installing rather than assuming the scans are happening.
What they do
Both chkrootkit and rkhunter use a signature-based approach with rules and filters: they detect the presence of known rootkits (via files, strings or similar indicators) and flag anomalous conditions, like interfaces in promiscuous mode or hidden files. Like anti-virus programs, they therefore need periodic signature updates.
The signature-based approach is quite simple, something like a big grep and strings combo: it is strongly suggested to keep an alternate, trusted copy of the binaries the tools rely on (
strings, just to name a couple) so that, at the very least, the aggressor has to patch those too. Mounting the disk from another, clean machine is far more reliable for checking files, although an offline check only sees the filesystem: it will not observe runtime indicators such as hidden processes or promiscuous interfaces, and it still won't catch a rootkit modified to evade the known signatures.
Both tools also verify MD5 hashes of known binaries against a whitelist, trying to ensure that none of the most important binaries have been tampered with. Among others, checks performed include searching for hidden directories, scanning for interfaces in promiscuous mode and looking for suspicious file permissions.
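The whitelist idea above, reduced to its core, as an added example (this is not rkhunter's or chkrootkit's own code): a baseline of hashes is recorded on a clean system, and later runs compare the live binaries against it. The hashing tool is taken from TRUSTED_BIN, a hypothetical copy kept on read-only media, so that an attacker who patches the system's own sha256sum does not defeat the check; the files hashed in the demo are constructed stand-ins in a temp directory, not real system binaries.

```shell
#!/bin/sh
# Added example (not rkhunter's or chkrootkit's code): whitelist-style hash
# verification of a few binaries, run with a hashing tool from a trusted
# location rather than from the possibly-tampered system PATH.
# Assumptions (hypothetical): TRUSTED_BIN points at a copy of sha256sum kept
# on read-only media; the baseline file ("hash  path" per line) was generated
# on a clean system and is stored off the box.
set -u

# Use a trusted copy if one is given; fall back to the system tool for the demo.
TRUSTED_BIN="${TRUSTED_BIN:-sha256sum}"

# make_baseline <baseline_file> <path>...
# Records "hash  path" for each file, using the trusted hashing tool.
make_baseline() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    "$TRUSTED_BIN" "$f" >> "$out"
  done
}

# verify_baseline <baseline_file>
# Prints a MISSING/MODIFIED line for anything that differs from the baseline;
# returns 1 on any difference, 0 when every listed file still matches.
verify_baseline() {
  baseline="$1"
  rc=0
  while read -r hash path; do
    [ -n "$path" ] || continue
    if [ ! -f "$path" ]; then
      echo "MISSING $path"; rc=1; continue
    fi
    cur=$("$TRUSTED_BIN" "$path" | cut -d' ' -f1)
    if [ "$cur" != "$hash" ]; then
      echo "MODIFIED $path"; rc=1
    fi
  done < "$baseline"
  return "$rc"
}

# Demo on constructed files in a temp directory (stand-ins for /bin/ls etc.).
demo() {
  d=$(mktemp -d)
  printf 'fake ls\n' > "$d/ls"
  printf 'fake ps\n' > "$d/ps"
  make_baseline "$d/baseline" "$d/ls" "$d/ps"
  verify_baseline "$d/baseline" && echo "clean: baseline matches"
  printf 'trojaned ps\n' > "$d/ps"          # simulate a replaced binary
  verify_baseline "$d/baseline" || echo "tampering detected"
  rm -rf "$d"
}

demo
```

In practice the baseline has to be regenerated after every legitimate package upgrade, otherwise the next run reports the upgraded binaries as modified; that is exactly the chore rkhunter's own property database imposes, and it is the price of any whitelist approach.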
So, what are the differences?
The auto-update feature is a very nice one to have: running rkhunter --update fetches the current rootkit definitions, that is the good/bad/black lists of applications and program versions. You can control whether the daily cron job does this for you via the CRON_DB_UPDATE parameter in the /etc/default/rkhunter file, which is enabled by default. Note that --update does not touch the local database of your own system binaries' hashes: that one is (re)built with rkhunter --propupd, which you must run after every legitimate package upgrade or rkhunter will flag the upgraded binaries as changed (on Debian, the APT_AUTOGEN option in the same file does it automatically after apt runs).
Other features of note include the ability to use WebJob to run rkhunter in a centralized manner, thus simplifying administration, and the colorful interactive mode you can run with
Chkrootkit provides a differential mode (DIFF_MODE in /etc/chkrootkit.conf on Debian) where it reports only what changed between the latest scan and the previous one. While this is a very nice feature to limit the noise from false positives, it also means each finding is reported exactly once: miss that single mail and the next run stays silent about it, so choosing whether it should be enabled or not is an important decision.
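The mechanics of that differential reporting, and the safeguard that addresses the missed-mail problem, as an added example written for this page (it is not chkrootkit's own code): only findings new since the previous run are emitted, which is what you would mail, but every full report is also archived so a lost notification does not mean a lost finding. The report lines are constructed to resemble chkrootkit output, and the state directory and file names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): differential reporting with a full
# archive of every run. Emits only lines that are new compared to the previous
# report, but always keeps the complete report under the state directory.
# Assumptions (hypothetical): STATE_DIR layout (last.log + report-XXXXXX
# archives) and the chkrootkit-like sample lines used in the demo.
set -u

# new_findings <previous_report> <current_report>
# Prints lines of the current report that do not appear in the previous one.
new_findings() {
  prev="$1"; cur="$2"
  if [ -s "$prev" ]; then
    grep -vxF -f "$prev" "$cur" || true   # grep exits 1 when nothing is new
  else
    cat "$cur"                            # first run: everything is new
  fi
}

# differential_run <state_dir> <current_report>
# Emits the new findings on stdout, archives the full report, and rotates
# the "last seen" copy used by the next run.
differential_run() {
  state="$1"; cur="$2"
  mkdir -p "$state"
  prev="$state/last.log"
  [ -f "$prev" ] || : > "$prev"
  changes=$(new_findings "$prev" "$cur")
  archive=$(mktemp "$state/report-XXXXXX")  # full report, kept for audit
  cp "$cur" "$archive"
  cp "$cur" "$prev"
  [ -z "$changes" ] || printf '%s\n' "$changes"
  return 0
}

# Demo with two constructed scan outputs: the second run flips one result.
demo() {
  d=$(mktemp -d)
  printf 'Checking ls... not infected\nChecking ps... not infected\n' > "$d/run1.log"
  printf 'Checking ls... not infected\nChecking ps... INFECTED\n' > "$d/run2.log"
  echo "== run 1 (everything is new) =="
  differential_run "$d/state" "$d/run1.log"
  echo "== run 2 (only the change is reported) =="
  differential_run "$d/state" "$d/run2.log"
  echo "== run 3 (same report again: silent, but still archived) =="
  differential_run "$d/state" "$d/run2.log"
  ls "$d/state"
  rm -rf "$d"
}

demo
```

Run 3 is the case to keep in mind: the INFECTED line is still in the report, but differential output no longer mentions it. If the run 2 mail was lost, the archived report is the only place the finding survives, which is why keeping it is the sensible complement to enabling the differential mode.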
If the whole "grep and look for signatures" approach is not enough for you, you can run chkrootkit in expert mode, with
# chkrootkit -x
This gives you much more control over what's going on and far more verbose output (the suspicious strings it finds in each binary, left for you to judge), so make sure to redirect the output to a file.
Chkrootkit has a nice modular design, with subcomponents taking care of different aspects, like lastlog and wtmp deletions (chklastlog and chkwtmp). Last but not least, chkrootkit can run without installation from read-only media, and its -p option lets you point it at a directory of trusted external commands kept on that media instead of the system's own.
The big decision
Maybe now you’re wondering “which one should I use?”. My answer is simply “both of them”. There is no reason not to do that, so go for it. Chkrootkit has been available since, at least, Sarge and Dapper. Rkhunter, being newer, has been available since Etch.