Information Security 2 : Intrusion Detection

ConorCork
  9 years ago


Tutorial Goal : Tips covering some Intrusion Detection tools: Root Kit Hunter (RKHunter), ClamAV antivirus, and the Tiger and Lynis security scans, and reading their log report files using the GNOME System Log viewer.

System : Linux Mint 17.1 Rebecca x86 / 64 bit, Cinnamon 2.4, kernel 3.13.0-24.

Call Out : DuckDuckGo (DDG) search words are given to point to the web site for each specific tool, so you can first evaluate its applicability for your needs and system set up.

2(A) Root Kit Hunter (RKHUNTER)

DDG Search: Root Kit Hunter Project Sourceforge

A rootkit is software designed to obtain privileged access to a computer and to hide that it is there; it is usually installed by malware or by an intruder after a break-in. RKHunter (Rootkit Hunter) is a scanner for rootkits, backdoors and local exploits. It is available from the LM17 Software Manager (search all applications for “rkhunter”) or can be installed directly from the Terminal.

From Terminal To Install : $ sudo apt-get install rkhunter (all lower case)

From Terminal To Run : $ sudo rkhunter -c --sk (-c is --check, a full scan; --sk is --skip-keypress, so the scan runs through without pausing for the Enter key between sections)

From Terminal To Update : $ sudo rkhunter --update (this refreshes RKHunter's own data files, not the program itself; the program is upgraded through apt-get like any other package)

You can watch the checks run in the terminal, and the full log is written to /var/log/rkhunter.log. Only the Warning: lines need attention; add --rwo (report warnings only) to the run command to print nothing else.

RKHunter compares the hashes, sizes, permissions and owners of system commands against a stored database of file properties, so every legitimate change to /usr/bin and friends (package upgrades, a new kernel, a tool you compiled yourself) shows up as a warning until that database is refreshed. Refresh it with $ sudo rkhunter --propupd straight after installing RKHunter and again after a package upgrade you made yourself. Do not run --propupd to silence a warning you cannot explain: whatever is on disk at that moment becomes the new “known good” state, so an altered binary would be whitelisted along with everything else.
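To make the --propupd caveat concrete, here is an added example (written for this page, not rkhunter's own code) of the file-properties idea in plain shell: record a baseline of hashes, modes and owners for a directory, then compare the directory against it and warn on changed, added or missing files. It assumes GNU coreutils (sha256sum, stat -c) and paths without whitespace, and it runs on a throwaway directory rather than /usr/bin.

```shell
#!/usr/bin/env bash
# Added example (not rkhunter's code): a minimal "file properties database" showing
# what `rkhunter --propupd` (record a baseline) and `rkhunter --check` (compare the
# system against it) do, and why --propupd must only be run on a trusted system.
# Assumptions: GNU coreutils (sha256sum, stat -c), paths without whitespace.
set -u

# props_update DIR DB : record "sha256 mode:owner path" for every regular file under DIR.
# This is the equivalent of --propupd: whatever is on disk now becomes "known good".
props_update() {
  local dir=$1 db=$2
  find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c '%a:%U' "$f")" "$f"
  done > "$db"
}

# props_check DIR DB : rebuild the properties of DIR and report files whose hash,
# mode or owner differ from the baseline, plus files added or removed since.
# Returns 0 when nothing changed, 1 when there is at least one warning.
props_check() {
  local dir=$1 db=$2 now report
  now=$(mktemp)
  props_update "$dir" "$now"
  report=$(awk '
    FILENAME == ARGV[1] { old[$3] = $1 " " $2; next }   # first file: the baseline
    {                                                   # second file: current state
      if (!($3 in old)) { print "Warning: new file " $3 }
      else if (old[$3] != $1 " " $2) { print "Warning: changed  " $3 }
      delete old[$3]
    }
    END { for (p in old) print "Warning: missing  " p }' "$db" "$now")
  rm -f "$now"
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 1
  fi
  printf 'OK: no property changes under %s\n' "$dir"
  return 0
}

# Demo on a throwaway directory standing in for /usr/bin.
demo=$(mktemp -d)
printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$demo/ls"
printf '#!/bin/sh\nexec /bin/ps "$@"\n' > "$demo/ps"
props_update "$demo" "$demo.db"      # the baseline, like --propupd after a clean install
props_check "$demo" "$demo.db"       # nothing changed yet
printf 'echo backdoor\n' >> "$demo/ps"   # simulate a trojaned command
props_check "$demo" "$demo.db" || echo "(do NOT run --propupd now: it would bless the change)"
rm -rf "$demo" "$demo.db"
```

Run it with bash. The second props_check fails with a “changed” warning for the edited ps; that is exactly the situation in which refreshing the database would be a mistake, and the same reasoning applies to rkhunter's real database of /usr/bin properties.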

2(B) CLAM AV and CLAM Tk GUI (Graphical User Interface)

DDG Search Words: “Clam AntiVirus” and “ClamTk”

While Linux has historically seen few viruses, no system is or will be virus-proof, so you may wish to use ClamAV.

$ sudo apt-get install clamav (use this command from the terminal, all lower case, to install)

$ sudo freshclam (This terminal command is to update the anti-virus definitions)

Note: Unlike the real-time anti-virus programs on Windows that run in the background, clamscan is on-demand: it only scans when you run it. (The separate clamav-daemon package provides a resident scanner, clamd, if you want one.)

To check a folder (-r scans it recursively; sudo is only needed for files your own account cannot read):

$ sudo clamscan -r /home/yourusername/foldername

If you wish to scan your Downloads folder and list only the infected files (-i), the command is:

$ sudo clamscan -ri /home/yourusername/Downloads

To check a single file (no -r needed):

$ sudo clamscan /home/yourusername/directorypath/filename

To scan all your home directory using the menu driven Graphical User Interface ClamTk,

From the Terminal the install command is:

$ sudo apt-get install clamtk

To run it : LM17 Menu->ClamTk, which presents a Menu.

From the ClamTk Menu, select “Scan” -> Home (Recursive).

In recursive mode the ClamTk GUI will show the progress of the scan.

When finished it will present a “Scanning Results” menu listing files with possible infections and the option to “Quarantine” or “Delete”. ClamAV's heuristics are aggressive, so before deleting a file do a web search on the signature name to check whether it is a known false positive. For example a password-protected .pdf or an encrypted archive can be reported as suspicious simply because the scanner cannot look inside it, and that may not be a file you wish to delete. Instead, Quarantine the file to research it further and later use the ClamTk “Quarantine” sub-menu to “Restore” or “Delete” it.
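ClamTk's Quarantine / Restore buttons have no single clamscan equivalent (clamscan's own --move=DIR option moves flagged files but keeps no record of where they came from). The following added example (not ClamAV or ClamTk code) does the same job from the terminal: it reads a saved clamscan report, moves each FOUND file into a quarantine directory under its sha256 name, writes a manifest, and can restore a file by id. The scan report in the demo is constructed and the signature name in it is illustrative; the functions assume GNU coreutils and paths without tab characters. To confirm your scanner is actually working before relying on it, scan the standard EICAR test file (DDG search: EICAR test file), which every scanner is required to flag.

```shell
#!/usr/bin/env bash
# Added example (not ClamAV or ClamTk code): quarantine files that clamscan reported
# as FOUND, keep a manifest so each one can be restored if it turns out to be a
# false positive, and restore by id. Assumptions: GNU coreutils; paths contain no
# tab characters; REPORT is clamscan's own output ("path: Signature FOUND" lines)
# saved with `clamscan -ri DIR > report.txt` or `clamscan -ri --log=report.txt DIR`.
set -u

# clam_quarantine REPORT QDIR : move every FOUND file into QDIR, named by sha256,
# and append "sha256<TAB>signature<TAB>original path" to QDIR/manifest.tsv.
clam_quarantine() {
  local report=$1 qdir=$2 tab path sig id
  tab=$(printf '\t')
  mkdir -p "$qdir" && chmod 0700 "$qdir"
  # "path: Sig FOUND" -> "path<TAB>Sig"; signature names contain no spaces
  sed -n "s/^\(.*\): \([^ ]*\) FOUND\$/\1${tab}\2/p" "$report" |
  while IFS=$tab read -r path sig; do
    if [ ! -f "$path" ]; then
      printf 'skip (not a regular file): %s\n' "$path" >&2
      continue
    fi
    id=$(sha256sum -- "$path" | cut -d' ' -f1)
    # identical content already quarantined: keep one blob, still record this path
    [ -e "$qdir/$id" ] || cp -- "$path" "$qdir/$id"
    chmod 0600 "$qdir/$id"      # blob is neither executable nor world-readable
    rm -f -- "$path"
    printf '%s\t%s\t%s\n' "$id" "$sig" "$path" >> "$qdir/manifest.tsv"
    printf 'quarantined %s (%s) as %s\n' "$path" "$sig" "$id"
  done
}

# clam_restore QDIR ID : copy the quarantined blob back to the path recorded for ID.
# The blob stays in QDIR; remove it by hand once you are sure, like ClamTk's Delete.
clam_restore() {
  local qdir=$1 id=$2 path
  path=$(awk -F'\t' -v id="$id" '$1 == id { print $3; exit }' "$qdir/manifest.tsv")
  if [ -z "$path" ]; then
    printf 'no manifest entry for %s\n' "$id" >&2; return 1
  fi
  if [ -e "$path" ]; then
    printf 'refusing to overwrite existing %s\n' "$path" >&2; return 1
  fi
  cp -- "$qdir/$id" "$path" && printf 'restored %s\n' "$path"
}

# Demo with a constructed scan report (no real malware, no clamscan needed).
demo=$(mktemp -d)
printf 'harmless stand-in for a flagged download\n' > "$demo/invoice.pdf"
printf 'clean file\n' > "$demo/notes.txt"
cat > "$demo/report.txt" <<EOF
$demo/invoice.pdf: Heuristics.Encrypted.PDF FOUND
$demo/notes.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 1
EOF
clam_quarantine "$demo/report.txt" "$demo/quarantine"
cat "$demo/quarantine/manifest.tsv"
clam_restore "$demo/quarantine" "$(cut -f1 "$demo/quarantine/manifest.tsv")"
rm -rf "$demo"
```

The manifest is the part ClamTk does for you behind the scenes: without it a quarantined file cannot be put back where it belongs. Keeping the blob non-executable and readable only by its owner means a real piece of malware parked in the quarantine directory cannot be launched by accident while you research the signature.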

Running ClamTk with Sudo (Root) Permission

When using the ClamTk GUI, if it shows a red X (rather than a black OK tick) for out-of-date “Antivirus definitions” or an out-of-date “Antivirus engine”, you can update these with root (administrator) permission as follows:

Close the ClamTk GUI and then from the Terminal type:

$ gksudo clamtk

Then at the prompt enter your sudo (administrator) password and press the Enter key.

gksudo is the graphical equivalent of sudo: it asks for the password in a dialog and then opens the normal ClamTk window running as root. In that window select “Help” → “Check for updates”. This will update your anti-virus definitions and, where the repositories provide a newer package, the anti-virus engine. You may see a message saying the GUI version is out of date. This is likely because the repositories ship the tested release of the GUI rather than the latest upstream version. The same updates can be done without running a GUI as root: $ sudo freshclam refreshes the definitions and $ sudo apt-get upgrade brings in a newer engine when Mint packages one.

2 (C) TIGER and LYNIS Security Vulnerability Audit Tools

DDG Search: Tiger non gnu org

DDG Search: Lynis Security Audit Tool

2(C)(i) TIGER's goal is to help highlight ways the system's security could be compromised, including md5sum checks of installed files and locating files that do not belong to any package. Its output is a security report placed in /var/log/tiger.

To Install from LM17 Software Manager:

LM17 Menu-> Software Manager-> Password-> Under All Packages search bar enter “Tiger”

To run it go to your LM17 Menu->Administration->Tiger Unix security Tool

Alternatively to install and Run Tiger from the Terminal

To Install from Terminal : $ sudo apt-get install tiger (all lower case)

To run from Terminal : $ sudo tiger (progress is shown in the terminal as each check runs, and the path of the finished report is printed at the end)

2(C)(ii) LYNIS is an auditing tool that scans the system configuration and reports potential security and vulnerability issues together with recommendations. It writes a detailed log to /var/log/lynis.log and a machine-readable summary to /var/log/lynis-report.dat.

To Install from LM17 Software Manager:

LM17 Menu-> Software Manager-> Password-> Under All Packages Search bar enter “Lynis”

To run it go to your LM17 Menu->Administration->Lynis auditing tool

Alternatively to install and Run Lynis from the Terminal

To Install from Terminal : $ sudo apt-get install lynis (all lower case)

To run from Terminal : $ sudo lynis -c

(-c is --check-all, a full audit. Results are shown in the terminal as it runs, and Lynis pauses for the Enter key between sections unless you add -Q, the quick mode. Newer Lynis releases replace -c with $ sudo lynis audit system.)

2(D) GNOME SYSTEM LOG VIEWER

RKHunter, Tiger and Lynis output their reports in /var/log.

LM17 comes with a log viewer: LM Menu-> Applications-> Log File Viewer (the GNOME System Log program, gnome-system-log).

If you are not logged in as root then the log viewer may give a “Can't read log” message.

Many log files require root permission to read. A quick way to read them is to open the log viewer as root from the terminal as follows:

To run from Terminal : $ sudo gnome-system-log

(If you prefer not to run a GUI program as root, $ sudo less /var/log/rkhunter.log works just as well.)

Navigate from within the viewer: File-> Open-> Devices/Computer-> var-> log. Then:

For rkhunter -> rkhunter.log (older runs are kept as rkhunter.log.1, rkhunter.log.2 ... once logrotate has run).

For tiger -> the tiger folder -> security.report.computername.YYMMDD-time (one file per run; take the newest).

For lynis -> lynis.log (the detailed run log) and lynis-report.dat (the summary of warnings and suggestions).
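Rather than scrolling through the three reports in the log viewer, the findings can be pulled out with a few shell functions. This added example (not part of rkhunter, Tiger or Lynis) extracts the Warning: lines from rkhunter.log, the hardening index, warning[] and suggestion[] entries from lynis-report.dat, and the --FAIL--/--WARN--/--ALERT-- lines from the newest Tiger report. The sample report files in the demo are constructed to match those formats; the check ids and messages in them are illustrative, not copied from a real run.

```shell
#!/usr/bin/env bash
# Added example (not part of rkhunter, Tiger or Lynis): pull the actionable lines
# out of the three reports from the terminal instead of the GNOME log viewer.
# The demo writes constructed sample files; the real ones live under /var/log and
# need sudo to read.
set -u

# rkhunter_warnings LOG : lines such as "[12:01:05] Warning: ..." in /var/log/rkhunter.log,
# timestamp stripped and duplicates removed. Returns 1 when there are no warnings.
# (Detail lines that follow a warning, e.g. "File: /usr/bin/ps", stay in the log.)
rkhunter_warnings() {
  sed -n 's/^\[[^]]*\][[:space:]]*Warning:[[:space:]]*/Warning: /p' "$1" | sort -u | grep .
}

# lynis_summary REPORT : /var/log/lynis-report.dat is key=value; warning[] and
# suggestion[] values are pipe-separated with the test id first, then the text.
lynis_summary() {
  local report=$1
  sed -n 's/^hardening_index=/hardening index: /p' "$report"
  sed -n 's/^warning\[\]=//p' "$report"    | awk -F'|' '{ print "WARNING    " $1 ": " $2 }'
  sed -n 's/^suggestion\[\]=//p' "$report" | awk -F'|' '{ print "SUGGESTION " $1 ": " $2 }'
}

# tiger_findings REPORTDIR : newest security.report.* under /var/log/tiger, keeping
# only the --FAIL--, --WARN-- and --ALERT-- lines (each carries a check id in brackets).
tiger_findings() {
  local newest
  newest=$(ls -t "$1"/security.report.* 2>/dev/null | head -n1)
  [ -n "$newest" ] || { printf 'no tiger report in %s\n' "$1" >&2; return 1; }
  printf '# %s\n' "$newest"
  grep -E '^--(FAIL|WARN|ALERT)--' "$newest"
}

# Demo with constructed sample reports.
demo=$(mktemp -d)
cat > "$demo/rkhunter.log" <<'EOF'
[10:15:02] Info: Starting test name 'filesystem'
[10:15:03] Warning: Hidden directory found: /dev/.udev
[10:15:04] Warning: The file properties have changed:
[10:15:04]          File: /usr/bin/ps
[10:15:04] Warning: Hidden directory found: /dev/.udev
EOF
cat > "$demo/lynis-report.dat" <<'EOF'
lynis_version=1.3.9
hardening_index=62
warning[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=PKGS-7392|Purge old/removed packages|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|[test:MaxAuthTries]|-|
EOF
mkdir -p "$demo/tiger"
cat > "$demo/tiger/security.report.mint.141215-10:30" <<'EOF'
# Performing check of passwd files...
--WARN-- [pass014w] Login (guest) is disabled, but has a valid shell (/bin/bash).
--FAIL-- [perm004f] /etc/shadow should not have group read.
--INFO-- [init006i] Kernel is 3.13.0-24-generic
EOF
echo "== rkhunter =="; rkhunter_warnings "$demo/rkhunter.log"
echo "== lynis ==";    lynis_summary "$demo/lynis-report.dat"
echo "== tiger ==";    tiger_findings "$demo/tiger"
rm -rf "$demo"
```

Against the real files run the functions as root, for example $ sudo bash -c '. ./reports.sh; rkhunter_warnings /var/log/rkhunter.log; lynis_summary /var/log/lynis-report.dat; tiger_findings /var/log/tiger' (the demo section will run first; remove it once the script is yours). Because rkhunter_warnings de-duplicates, a warning that repeats on every run, such as a hidden /dev/.udev directory on this era of Ubuntu-based systems, appears once and is easy to research and then whitelist in /etc/rkhunter.conf.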

Footnote: Versions used here are rkhunter 1.4.0, Tiger 3.2.3 and Lynis 1.3.9. Future versions may differ in small ways. These system-administration security tools use “tight” checks that can generate false-positive alerts on your particular system. Therefore use the official site for each tool and the Linux forums to research any findings you are unsure of.

I hope you found this tutorial useful.

ConorCork, December 2014

Comments
808Souljah 8 years ago

Thank you for helping with my new OS