chkrootkit
Pronunciation
- chkrootkit
- C-H-K rootkit (しーえいちけーるーときっと) (?)
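Overview
chkrootkit is a rootkit detection program that checks whether a rootkit has been planted on a system.
Installation
Preparation on FreeBSD 9.0
These are the preparatory steps for installing chkrootkit-0.49 on FreeBSD 9.0-RELEASE.
If the following error appears when building the port, apply the patch.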
===>>> This port is marked BROKEN
===>>> fails to build with new utmpx
===>>> If you are sure you can build it, remove the BROKEN line in the Makefile and try again.
The patch is applied as follows.
% cd /tmp
% fetch http://people.freebsd.org/~garga/patches/chkrootkit-utmpx.diff
% cd /usr/ports/security/chkrootkit
% sudo patch < /tmp/chkrootkit-utmpx.diff
Installing on FreeBSD
Installing from the ports collection
cd /usr/ports/security/chkrootkit
sudo make install clean
Installing with the pkg command
sudo pkg install chkrootkit
Installing with the portmaster command
sudo portmaster -y -d /usr/ports/security/chkrootkit
Installing with the portinstall command
sudo portinstall /usr/ports/security/chkrootkit
Installing on CentOS
sudo yum -y install chkrootkit
Installed files
% pkg_info -L /var/db/pkg/chkrootkit-0.49/
Information for chkrootkit-0.49:
Files:
/usr/local/sbin/chkrootkit
/usr/local/sbin/chklastlog
/usr/local/sbin/chkwtmp
/usr/local/sbin/chkutmp
/usr/local/sbin/chkproc
/usr/local/sbin/chkdirs
/usr/local/sbin/ifpromisc
/usr/local/sbin/check_wtmpx
/usr/local/sbin/strings
/usr/local/share/doc/chkrootkit/ACKNOWLEDGMENTS
/usr/local/share/doc/chkrootkit/COPYRIGHT
/usr/local/share/doc/chkrootkit/README
/usr/local/share/doc/chkrootkit/README.chklastlog
/usr/local/share/doc/chkrootkit/README.chkwtmp
Usage
% sudo chkrootkit
The result to watch for is INFECTED. Files suspected of being infected are reported as INFECTED.
% sudo chkrootkit | fgrep INFECTED
% sudo chkrootkit -help
Usage: /usr/local/sbin/chkrootkit [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs
Example run
% sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... INFECTED
Checking `killall'... not infected
Checking `ldsopreload'... not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not found
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not infected
Checking `traceroute'... not infected
Checking `vdir'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... /tmp/int.php
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... usbus0 is not promisc
em0 is not promisc
Checking `w55808'... not infected
Checking `wted'...
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: not found wtmp and/or lastlog file
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
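The run above reports two things worth a look, `init` as INFECTED and `/tmp/int.php` under "suspect PHP files", but a filter on the word INFECTED only shows the first. The following is an added example, not part of the original page or of chkrootkit: it allow-lists the benign result phrases and reports every other line. The function names `chkrootkit_findings` and `sample_output` are hypothetical, and the phrase list is an assumption built from the run shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): triage chkrootkit output.
# Reads chkrootkit output on stdin, prints one tab-separated line per result
# that is not on the benign allow-list, and returns 1 if anything was printed.
chkrootkit_findings() {
    awk '
    # Benign phrases collected from the sample run on this page (assumption:
    # other chkrootkit versions may need more entries).
    function benign(s) {
        if (s ~ /INFECTED/) return 0
        return s == "" || s ~ /nothing (found|detected|deleted)|not (infected|found|tested|promisc)|no suspect files/
    }
    /^ROOTDIR is / { next }
    {
        res = $0
        if ($0 ~ /^(Checking|Searching for) /) {
            head = $0
            sub(/\.\.\..*$/, "", head)     # test name, text before the dots
            sub(/^.*\.\.\. ?/, "", res)    # result, text after the dots
        }
        # Lines without a header (continuations) are judged under the last head
        if (!benign(res)) {
            printf "%s\t%s\t%s\n", (res ~ /INFECTED/ ? "INFECTED" : "REVIEW"), head, res
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }
    '
}

# Excerpt of the run shown on this page, used as test input.
sample_output() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `ifconfig'... not infected
Checking `init'... INFECTED
Searching for T.R.K... nothing found
Searching for suspect PHP files... /tmp/int.php
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `sniffer'... usbus0 is not promisc
em0 is not promisc
Checking `wted'...
Checking `chkutmp'... chkutmp: nothing deleted
EOF
}

sample_output | chkrootkit_findings || true
```

The non-zero return status when something is reported lets a daily job decide whether to send mail at all.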
Automatic execution with cron on FreeBSD
chkrootkit should be run every day to verify the environment.
Preparing 430.chkrootkit
sudo mkdir -p /usr/local/etc/periodic/security
sudo touch /usr/local/etc/periodic/security/430.chkrootkit
sudo chmod +x /usr/local/etc/periodic/security/430.chkrootkit
sudo vim /usr/local/etc/periodic/security/430.chkrootkit
The file name is arbitrary. The following is an example of /usr/local/etc/periodic/security/430.chkrootkit.
#!/bin/sh
# Load the periodic(8) defaults and any local overrides
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi
case "$daily_status_security_chkrootkit_enable" in
    [Yy][Ee][Ss])
        echo ""
        echo 'Checking for chkrootkit:'
        # -q: quiet mode
        /usr/local/sbin/chkrootkit -q
        [ $? -ne 0 ] && rc=1 || rc=0;;
    *)  rc=0;;
esac
exit "$rc"
/etc/periodic.conf
Configure /etc/periodic.conf.
sudo vim /etc/periodic.conf
Example /etc/periodic.conf setting (the variable name must match the one the script tests).
daily_status_security_chkrootkit_enable="YES"
Automatic execution with cron on Linux
chkrootkit should be run every day to verify the environment.
Creating /etc/cron.daily/chkrootkit
% sudo touch /etc/cron.daily/chkrootkit
% sudo chmod +x /etc/cron.daily/chkrootkit
% sudo vim /etc/cron.daily/chkrootkit
#!/bin/sh
# Create the log file and make it readable by its owner only
touch /var/log/chkrootkit.log
chmod 600 /var/log/chkrootkit.log
/usr/local/bin/chkrootkit > /var/log/chkrootkit.log
# Mail the INFECTED lines to root
fgrep "INFECTED" /var/log/chkrootkit.log | mail -s "chkrootkit log" root