Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
- , ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-rkhunter', '0.1.0'
Learn more about managing modules with a PuppetfileDocumentation
Table of Contents
Description
A SIMP Puppet module for managing rkhunter
, an application that checks for rootkits
on a Linux system.
See REFERENCE.md for more details.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they may be submitted to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
Setup
What rkhunter affects
This module configures:
rkhunter
packageunhide
packagerkhunter
cron jobs
Some tests require single-purpose tools, if rkhunter
has them then it will
use them. unhide
is one such tool.
Beginning with rkhunter
To use this module with its default settings, just instantiate it. The following example adds it to the include list for a SIMP system.
---
simp_classes:
- rkhunter
Alternatively, you can simply include rkhunter
.
Usage
The class will install the packages and cron
jobs automatically.
The output of the cron
jobs will be sent to the default cron
mechanism.
Reference
Please refer to the inline documentation within each source file, or to the module's generated YARD documentation for reference material.
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux
and compatible distributions, such as CentOS. Please see the
metadata.json
file for the most up-to-date list of
supported operating systems, Puppet versions, and module dependencies.
Development
Please read our [Contribution Guide] (https://simp.readthedocs.io/en/stable/contributors_guide/index.html)
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites
Please refer to the SIMP Beaker Helpers documentation for more information.
Reference
Table of Contents
Classes
rkhunter
: Installs rkhunter and sets up cron job to run rkhunter once per dayrkhunter::check
: Add a scheduled job to check the system with rkhunterrkhunter::config
: Configure rkhunterrkhunter::install
: Install rkhunterrkhunter::propupd
: Immediately update the properties databaserkhunter::update
: Add a scheduled job to update rkhunter
Data types
Rkhunter::BindPath
: matches valid binddir path accepts absolute path or an absolute path with a '+' proceeding it
Classes
rkhunter
Installs rkhunter and sets up cron job to run rkhunter once per day
Parameters
The following parameters are available in the rkhunter
class:
check_for_updates
Data type: Boolean
Check internet for definition updates
Default value: false
enable_system_check
Data type: Boolean
Set rkhunter to check the system on a regular basis
Default value: true
install_optional_packages
Data type: Boolean
Install packages that enhance the capabilities of rkhunter
Default value: true
rkhunter::check
Add a scheduled job to check the system with rkhunter
Parameters
The following parameters are available in the rkhunter::check
class:
method
Data type: Enum['cron','systemd']
How you wish to schedule the run
Default value: 'systemd'
systemd_calendar
Data type: Optional[String[1]]
If $method
is systemd
, set this exact calendar string
This is not verified, use systemd-analyze calendar
on a modern system to
ensure that you have a valid string
Default value: undef
minute
Data type: Simplib::Cron::Minute
Cron minute
Default value: fqdn_rand(59)
hour
Data type: Simplib::Cron::Hour
Cron hour
Default value: 1
monthday
Data type: Simplib::Cron::MonthDay
Cron monthday
Default value: '*'
month
Data type: Simplib::Cron::Month
Cron month
Default value: '*'
weekday
Data type: Simplib::Cron::Weekday
Cron weekday
Default value: '*'
path
Data type: Stdlib::Unixpath
The path to rkhunter
Default value: '/usr/bin/rkhunter'
options
Data type: Array[String[1]]
Extra options to pass to rkhunter --check
Default value: ['--skip-keypress', '--quiet']
rkhunter::config
Any parameter that is not documented below matches its direct counterpart in
the rkhunter.conf
configuration file.
You may need to extract a copy from the RPM for the full documentation set.
Any deviations from the defaults are noted here and any defaults that are set here relate to either performance or system security safety.
Parameters
The following parameters are available in the rkhunter::config
class:
allowdevfile
allowhiddendir
allowhiddenfile
user_fileprop_files_dirs
allowipcpid
allowipcproc
allowipcuser
allowprocdelfile
allowproclisten
allowpromiscif
allow_ssh_prot_v1
allow_ssh_root_user
allow_syslog_remote_logging
append_log
app_whitelist
attrwhitelist
auto_x_detect
bindir
color_set2
copy_log_on_error
dbdir
disable_tests
empty_logfiles
enable_tests
epoch_date_cmd
exclude_user_fileprop_files_dirs
existwhitelist
globstar
hash_cmd
hash_fld_idx
ignore_prelink_dep_err
immutable_set
immutwhitelist
inetd_allowed_svc
inetd_conf_path
installdir
ipc_seg_size
language
lock_timeout
lockdir
logfile
mail_on_warning
mail_cmd
mirrors_mode
missing_logfiles
modules_dir
os_version_file
password_file
phalanx2_dirtest
pkgmgr_no_vrfy
pkgmgr
port_path_whitelist
tcp_port_whitelist
udp_port_whitelist
pwdless_accounts
readlink_cmd
rotate_mirrors
rtkt_dir_whitelist
rtkt_file_whitelist
scan_mode_dev
scanrootkitmode
scriptdir
scriptwhitelist
shared_lib_whitelist
show_lock_msgs
show_summary_time
show_summary_warnings_number
skip_inode_check
ssh_config_dir
startup_paths
stat_cmd
suspscan_dirs
suspscan_maxsize
suspscan_temp
suspscan_thresh
suspscan_whitelist
syslog_config_file
tmpdir
uid0_accounts
unhide_tests
unhidetcp_opts
update_lang
update_mirrors
updt_on_os_change
use_locking
use_sunsum
syslog_priority
use_syslog
warn_on_os_change
web_cmd
whitelisted_is_white
writewhitelist
xinetd_allowed_svc
xinetd_conf_path
allowdevfile
Data type: Array[Stdlib::Unixpath]
In module data
allowhiddendir
Data type: Array[Stdlib::Unixpath]
In module data
allowhiddenfile
Data type: Array[Stdlib::Unixpath]
In module data
user_fileprop_files_dirs
Data type: Array[Stdlib::Unixpath]
In module data
allowipcpid
Data type: Optional[Array[Integer[1]]]
Default value: undef
allowipcproc
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
allowipcuser
Data type: Optional[Array[String[1]]]
Default value: undef
allowprocdelfile
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
allowproclisten
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
allowpromiscif
Data type: Optional[Array[String[1]]]
Default value: undef
allow_ssh_prot_v1
Data type: Boolean
Default value: false
allow_ssh_root_user
Data type: Variant[Boolean,Enum['unset']]
Default value: false
allow_syslog_remote_logging
Data type: Boolean
Default value: true
append_log
Data type: Boolean
Default value: false
app_whitelist
Data type: Optional[Array[String[1]]]
Default value: undef
attrwhitelist
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
auto_x_detect
Data type: Boolean
Default value: true
bindir
Data type: Optional[Array[Rkhunter::BindPath]]
Default value: undef
color_set2
Data type: Boolean
Default value: false
copy_log_on_error
Data type: Boolean
Default value: false
dbdir
Data type: Stdlib::Unixpath
Default value: '/var/lib/rkhunter/db'
disable_tests
Data type: Array[String]
While the default of rkhunter is to disable none of its tests, these tests are recommended to be disabled for normal runs due to their system intesive nature and the fact they are prone to false positives.
Default value: ['suspscan', 'hidden_ports', 'hidden_procs', 'deleted_files', 'packet_cap_apps', 'apps']
empty_logfiles
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
enable_tests
Data type: Array[String[1]]
Default value: ['ALL']
epoch_date_cmd
Data type: Optional[String[1]]
Default value: undef
exclude_user_fileprop_files_dirs
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
existwhitelist
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
globstar
Data type: Boolean
Default value: true
hash_cmd
Data type: Optional[String[1]]
Default value: undef
hash_fld_idx
Data type: Optional[Integer[1]]
Default value: undef
ignore_prelink_dep_err
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
immutable_set
Data type: Boolean
Default value: false
immutwhitelist
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
inetd_allowed_svc
Data type: Optional[Array[String[1]]]
Default value: undef
inetd_conf_path
Data type: Optional[Stdlib::Unixpath]
Default value: undef
installdir
Data type: Stdlib::Unixpath
Default value: '/usr'
ipc_seg_size
Data type: Optional[Integer[1]]
Default value: undef
language
Data type: Optional[String[1]]
Default value: undef
lock_timeout
Data type: Optional[Integer[1]]
Default value: undef
lockdir
Data type: Stdlib::Unixpath
Default value: '/var/run/lock'
logfile
Data type: Stdlib::Unixpath
Default value: '/var/log/rkhunter/rkhunter.log'
mail_on_warning
Data type: Optional[Array[String[1]]]
Default value: undef
mail_cmd
Data type: String[1]
Default value: 'mail -s "[rkhunter] Warnings found for ${HOST_NAME}"'
mirrors_mode
Data type: Enum['any','local','remote']
Default value: 'any'
missing_logfiles
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
modules_dir
Data type: Optional[Stdlib::Unixpath]
Default value: undef
os_version_file
Data type: Optional[Stdlib::Unixpath]
Default value: undef
password_file
Data type: Optional[Stdlib::Unixpath]
Default value: undef
phalanx2_dirtest
Data type: Boolean
Default value: false
pkgmgr_no_vrfy
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
pkgmgr
Data type: String[1]
Default value: 'RPM'
port_path_whitelist
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
tcp_port_whitelist
Data type: Optional[Array[Simplib::Port]]
TCP Ports to add to the PORT_WHITELIST option
Default value: undef
udp_port_whitelist
Data type: Optional[Array[Simplib::Port]]
UDP Ports to add to the PORT_WHITELIST option
Default value: undef
pwdless_accounts
Data type: Optional[Array[String[1]]]
Default value: undef
readlink_cmd
Data type: Optional[String[1]]
Default value: undef
rotate_mirrors
Data type: Boolean
Default value: true
rtkt_dir_whitelist
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
rtkt_file_whitelist
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
scan_mode_dev
Data type: Enum['THOROUGH','LAZY']
Default value: 'THOROUGH'
scanrootkitmode
Data type: Boolean
WARNING: Do not enable this parameter unless you 100% understand what it can do to your system performance!
Default value: false
scriptdir
Data type: Stdlib::Unixpath
Default value: '/usr/share/rkhunter/scripts'
scriptwhitelist
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
shared_lib_whitelist
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
show_lock_msgs
Data type: Boolean
Default value: true
show_summary_time
Data type: Integer[0,3]
Default value: 3
show_summary_warnings_number
Data type: Boolean
Default value: false
skip_inode_check
Data type: Boolean
Default value: false
ssh_config_dir
Data type: Optional[Stdlib::Unixpath]
Default value: undef
startup_paths
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
stat_cmd
Data type: Optional[String[1]]
Default value: undef
suspscan_dirs
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
suspscan_maxsize
Data type: Integer[0]
Default value: 1024000
suspscan_temp
Data type: Stdlib::Unixpath
Default value: '/dev/shm'
suspscan_thresh
Data type: Integer[0]
Default value: 200
suspscan_whitelist
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
syslog_config_file
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
tmpdir
Data type: Stdlib::Unixpath
Default value: '/var/lib/rkhunter'
uid0_accounts
Data type: Optional[Array[String[1]]]
Default value: undef
unhide_tests
Data type: Optional[Array[String[1]]]
Default value: undef
unhidetcp_opts
Data type: Optional[Array[String[1]]]
Default value: undef
update_lang
Data type: Optional[Array[String[1]]]
Default value: undef
update_mirrors
Data type: Boolean
Default value: true
updt_on_os_change
Data type: Boolean
Default value: false
use_locking
Data type: Boolean
Default value: true
use_sunsum
Data type: Boolean
Default value: false
syslog_priority
Data type: Simplib::Syslog::Priority
Default value: 'LOCAL6.NOTICE'
use_syslog
Data type: Boolean
Default value: true
warn_on_os_change
Data type: Boolean
Default value: true
web_cmd
Data type: Optional[String[1]]
Default value: undef
whitelisted_is_white
Data type: Boolean
Default value: false
writewhitelist
Data type: Optional[Array[Stdlib::Unixpath]]
Default value: undef
xinetd_allowed_svc
Data type: Optional[Array[String[1]]]
Default value: undef
xinetd_conf_path
Data type: Optional[Stdlib::Unixpath]
Default value: undef
rkhunter::install
Install rkhunter
Parameters
The following parameters are available in the rkhunter::install
class:
install_optional_packages
Data type: Boolean
Install optional packages that enable additional functionality in rkhunter
Default value: $rkhunter::install_optional_packages
optional_packages
Data type: Optional[Variant[Hash[String[1],Hash],Array[String[1]]]]
The list of optional packages to be installed
This may be anything that the puppetlabs-stdlib ensure_packages
function accepts
Default value: undef
optional_package_ensure
Data type: Simplib::PackageEnsure
The state in which to place all packages
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
rkhunter_package_ensure
Data type: String[1]
The state in which to place the rkhunter package. May be specifically pinned.
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
rkhunter::propupd
Needed so that each run after installation does not trigger false positives
Parameters
The following parameters are available in the rkhunter::propupd
class:
datfile
Data type: Stdlib::Unixpath
enable
Data type: Boolean
Default value: true
rkhunter::update
Add a scheduled job to update rkhunter
Parameters
The following parameters are available in the rkhunter::update
class:
method
Data type: Enum['cron','systemd']
How you wish to schedule the run
Default value: 'systemd'
systemd_calendar
Data type: Optional[String[1]]
If $method
is systemd
, set this exact calendar string
This is not verified, use systemd-analyze calendar
on a modern system to
ensure that you have a valid string
Default value: undef
minute
Data type: Simplib::Cron::Minute
Cron minute
Default value: fqdn_rand(59)
hour
Data type: Simplib::Cron::Hour
Cron hour
Default value: 0
monthday
Data type: Simplib::Cron::MonthDay
Cron monthday
Default value: '*'
month
Data type: Simplib::Cron::Month
Cron month
Default value: '*'
weekday
Data type: Simplib::Cron::Weekday
Cron weekday
Default value: '*'
options
Data type: Array[String[1]]
Extra options to pass to rkhunter --update
Default value: ['--nocolors']
path
Data type: Stdlib::Unixpath
Default value: '/usr/bin/rkhunter'
Data types
Rkhunter::BindPath
matches valid binddir path accepts absolute path or an absolute path with a '+' proceeding it
Alias of
Pattern['^(?:\/|\+\/)(?:[^\/\0]+\/*)*$']
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 0.1.0
- Ensured support for Puppet 7 in requirements and stdlib
- Tue Jun 15 2021 Trevor Vaughan tvaughan@onyxpoint.com - 0.1.0
- Dropped puppet 5 support
- Bumped supported version of puppetlabs/stdlib
- Changed minute for scheduled tasks to a random number to reduce I/O load
- Updated to use systemd timers instead of cron by default
- Thu Jan 21 2021 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.4
- Added Puppet 7 support
- Added default user_fileprop_files_dirs to cover the puppet apps
- Added PostgreSQL to the allowed items in /dev/shm for puppetdb
- Ensure that the initial propupd command runs after the puppet run is complete
- Added a rkhunter::propupd class to ensure that the first cut of properties is updated after all other items (particularly packages) have completed in the puppet run.
- Sat Dec 19 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 0.0.4
- Removed EL6 support
- Wed Apr 01 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 0.0.3
- Add support for EL8
- Tue Jul 02 2019 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.2
- Update documentation
- Support puppetlabs-stdlib 6
- Wed Feb 27 2019 Joseph Sharkey shark.bruhaha@gmail.com - 0.0.1
- This is the initial code for a
pupmod-simp-rkhunter
module, which installs and configures rkhunter and unhide.
Dependencies
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- simp/simplib (>= 3.14.1 < 5.0.0)
pupmod-simp-rkhunter - A Puppet module for managing rkhunter -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.