How to install skdet for rkhunter for Performing Suckit Rookit additional checks?













OS: Linux Mint 18.2 Cinnamon 64-bit

Although I don't use rkhunter much, probably several times a year, today I decided to look at it.

I found in the rkhunter log:

/var/log/rkhunter.log

that it seems to lack some skdet binary in the following section:

Performing Suckit Rookit additional checks

where it states that:

Running skdet command [ Skipped ]
Info: Unable to find the 'skdet' command

Since there's no available package under this name, I wonder what it actually is, and quite frankly, how to install it?

















      asked Nov 4 '17 at 15:38









      Vlastimil





















          1 Answer










It is not available as a package, since it has an unclear license, and its use is at your own risk, as stated here.

I have found it to be hosted on some strangely named domain:

https://dvgevers.home.xs4all.nl/skdet/

And since I don't know if it will always be available there, I have just hosted it on my domain, untouched; see the backup links below, in case the originals become broken in time.

First make some directory for the files.

There are three files you will need:

• skdet-1.0.tar.bz2 (Backup Link)
• skdet-1.0.sha1 (Backup Link)
• skdet-fix-includes.diff (Backup Link)

More conveniently, you can use e.g. wget to download them directly from your terminal:

wget https://www.vlastimilburian.cz/public/skdet/skdet-1.0.tar.bz2
wget https://www.vlastimilburian.cz/public/skdet/skdet-1.0.sha1
wget https://www.vlastimilburian.cz/public/skdet/skdet-fix-includes.diff

Download them all to that directory you've created.

Extract the bzip'ed file:

tar -xjf skdet-1.0.tar.bz2

It will expand into one directory named skdet-1.0.

Move the diff file into that directory:

mv skdet-fix-includes.diff skdet-1.0/

Edit the sha1 file, so that the last line:

59bfb29bc1f7601027629453a39dc81508dd9df5  skdet-1.0/skdet-fix-includes.diff

has 2 spaces between the hash and file name, otherwise it would be skipped.

Then, let's check the integrity of those files:

sha1sum --check skdet-1.0.sha1

All should be OK.

Now, we need to apply the patch file:

cd skdet-1.0/
patch -p 1 < skdet-fix-includes.diff

It will say:

patching file src/skdet.c
patching file src/usage.c

We don't need the diff file now:

rm skdet-fix-includes.diff

Though it already contains a pre-compiled binary, I'd rather compile it myself, so...

make clean

Let's compile this thing already:

make

It will output one file named skdet.

Just copy it to where you like to have your own compiled binaries, for me:

sudo cp skdet /usr/local/bin/

And you're basically done.

Just update your rkhunter's file properties database and virus database files:

sudo rkhunter --propupd
sudo rkhunter --update

Finally, running your rkhunter command, for example:

sudo rkhunter --check --enable all --disable none --skip-keypress

should result in an entry like this in the log file:

sudo cat /var/log/rkhunter.log | grep -B 6 -A 1 "skdet command"

[16:23:13] Performing additional rootkit checks
[16:23:13]
[16:23:13] Performing Suckit Rookit additional checks
[16:23:13] Checking hard link count on '/sbin/init' [ OK ]
[16:23:13] Checking for hidden file extensions [ None found ]
[16:23:13] Info: Found the 'skdet' command: /usr/local/bin/skdet
[16:23:13] Running skdet command [ OK ]
[16:23:13] Suckit Rookit additional checks [ OK ]

Voila!










                edited Nov 4 '17 at 16:27

























                answered Nov 4 '17 at 15:38









                Vlastimil
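
The integrity-check step in the answer above, as an added example that is not part of the original answer: it counts the lines `sha1sum --check` would skip, widens a single-space separator to two spaces, and verifies with `--strict` so that a skipped line fails the check instead of passing silently. It assumes GNU coreutils `sha1sum`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answer): strict verification of a
# sha1sum-style list such as skdet-1.0.sha1.
# Assumes GNU coreutils sha1sum; the function names are hypothetical.

# Print how many lines are neither '#' comments nor of the form
# "<40 hex digits><space><space or '*'><file name>".
malformed_lines() {
    grep -Evc '^([0-9a-fA-F]{40} [ *].+|#.*)$' "$1" || true
}

# Print the list with a single-space separator widened to two spaces,
# i.e. the manual edit described in the answer.
normalize_sums() {
    sed -E 's/^([0-9a-fA-F]{40}) ([^ *].*)$/\1  \2/' "$1"
}

# Return 0 only if every line is well-formed and every listed file matches.
# --strict makes an improperly formatted line a failure instead of a warning.
verify_sums() {
    rc=0
    normalize_sums "$1" | sha1sum --check --strict - || rc=$?
    return "$rc"
}

# Usage, from the directory that holds the downloads:
#   malformed_lines skdet-1.0.sha1
#   verify_sums skdet-1.0.sha1 && echo "all files verified"
```

The checksum list here is downloaded from the same host as the tarball, so a match shows the files arrived intact, not that they are authentic.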
