ROOTKIT - Check Script





Basic Script

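#!/bin/bash
# Run the installed rootkit and security scanners in sequence. Requires root.
# The exit status is non-zero when a scanner is missing or reported a problem
# (the original unconditional "exit 0" hid both), so cron or a wrapper can act on it.
set -u

status=0

#######################################
# Run one scanner, remembering a failure for the final exit status without
# aborting the remaining scanners.
# Globals:   status (written)
# Arguments: $1 - label for messages; $2.. - command and its arguments
# Returns:   the command's exit status, or 127 if the command is not installed
#######################################
run() {
  local label=$1
  shift
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s: %s not installed, skipping\n' "$label" "$1" >&2
    status=1
    return 127
  fi
  "$@"
  local rc=$?
  if (( rc != 0 )); then
    printf '%s: exited with status %d\n' "$label" "$rc" >&2
    status=1
  fi
  return "$rc"
}

if (( EUID != 0 )); then
  printf 'must run as root\n' >&2
  exit 2
fi

# The rkhunter database update uses its exit status to distinguish "updates were
# applied" from "nothing to do", so it is not folded into the overall result;
# the scan below still reports any real problem.
rkhunter --update

run "rkhunter -C" rkhunter -C

# Scan against the EXISTING file-properties baseline first, and refresh the
# baseline (--propupd) only when the scan is clean. Running --propupd before
# every scan records a possibly modified binary as the trusted reference and
# makes the file-properties tests unable to detect anything.
if run "rkhunter scan" rkhunter --check-all --sk; then
  rkhunter --propupd
else
  printf 'rkhunter reported warnings; file properties baseline not updated\n' >&2
fi

run chkrootkit chkrootkit

run tiger tiger

run "lynis update" lynis --check-update
run "lynis audit" lynis --check-all -Q

run logwatch logwatch

# Release codename for debsecan: lsb_release when available, else os-release.
codename=$(lsb_release --codename --short 2>/dev/null)
if [[ -z "$codename" && -r /etc/os-release ]]; then
  codename=$(. /etc/os-release && printf '%s' "${VERSION_CODENAME:-}")
fi
if [[ -n "$codename" ]]; then
  run debsecan debsecan --suite "$codename"
else
  printf 'debsecan: could not determine release codename, skipped\n' >&2
  status=1
fi

exit "$status"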

Enhanced Script

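#!/bin/bash
# Run the installed rootkit and security scanners in sequence, mirroring all
# output to LOGFILE. Requires root. The exit status is non-zero when a scanner
# is missing or reported a problem (the original unconditional "exit 0" hid
# both), so cron or a wrapper can act on it.
set -u

LOGFILE="/var/log/system_security_check.log"
status=0

#######################################
# Run one scanner, remembering a failure for the final exit status without
# aborting the remaining scanners.
# Globals:   status (written)
# Arguments: $1 - label for messages; $2.. - command and its arguments
# Returns:   the command's exit status, or 127 if the command is not installed
#######################################
run() {
  local label=$1
  shift
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s: %s not installed, skipping\n' "$label" "$1" >&2
    status=1
    return 127
  fi
  "$@"
  local rc=$?
  if (( rc != 0 )); then
    printf '%s: exited with status %d\n' "$label" "$rc" >&2
    status=1
  fi
  return "$rc"
}

main() {
  if (( EUID != 0 )); then
    printf 'must run as root\n' >&2
    exit 2
  fi

  # Start logging to capture output for review. The audit output lists package
  # versions and configuration weaknesses, so create the log readable by root
  # only (umask affects creation only; an existing file keeps its mode).
  umask 077
  exec > >(tee -a "$LOGFILE") 2>&1
  echo "Starting security checks at $(date)"

  # 1. Update rkhunter (Rootkit Hunter) signatures.
  # Its exit status distinguishes "updates were applied" from "nothing to do",
  # so it is not folded into the overall result; the scan still reports problems.
  echo "Updating rkhunter database..."
  rkhunter --update

  # 2. Validate the rkhunter configuration before scanning.
  echo "Running rkhunter configuration check..."
  run "rkhunter -C" rkhunter -C

  # 3. Full rootkit scan against the EXISTING file-properties baseline.
  # '--check-all' runs every test; '--sk' (--skip-keypress) stops rkhunter from
  # pausing for a keypress between test groups, which a non-interactive run
  # would otherwise hang on. It does not skip any results.
  echo "Running full rkhunter rootkit scan..."
  if run "rkhunter scan" rkhunter --check-all --sk; then
    # 4. Refresh the file-properties baseline only after a clean scan.
    # Running --propupd before every scan records a possibly modified binary
    # as the trusted reference and makes the file-properties tests useless.
    echo "Updating rkhunter properties..."
    rkhunter --propupd
  else
    echo "rkhunter reported warnings; file properties baseline NOT updated"
  fi

  # 5. chkrootkit: an independent set of rootkit checks.
  echo "Running chkrootkit scan..."
  run chkrootkit chkrootkit

  # 6. Tiger host security audit.
  echo "Running Tiger security audit..."
  run tiger tiger

  # 7. Lynis: refresh its update information, then run every test.
  # '-Q' (--quick) runs without waiting for user input between sections;
  # it does not suppress warnings.
  echo "Updating Lynis database..."
  run "lynis update" lynis --check-update
  echo "Running full Lynis audit..."
  run "lynis audit" lynis --check-all -Q

  # 8. Logwatch summary of recent system logs.
  echo "Running Logwatch report..."
  run logwatch logwatch

  # 9. debsecan: known vulnerabilities in installed packages for this release.
  # '--suite' needs the release codename: lsb_release if available, else os-release.
  local codename
  codename=$(lsb_release --codename --short 2>/dev/null)
  if [[ -z "$codename" && -r /etc/os-release ]]; then
    codename=$(. /etc/os-release && printf '%s' "${VERSION_CODENAME:-}")
  fi
  if [[ -n "$codename" ]]; then
    echo "Running debsecan for vulnerabilities..."
    run debsecan debsecan --suite "$codename"
  else
    echo "debsecan: could not determine release codename, skipped"
    status=1
  fi

  # End of the security check; status is 1 if any scanner was missing or failed.
  echo "Security check completed at $(date) (status $status)"
  exit "$status"
}

main "$@"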