Ansible role to deploy several rootkit and malware detection tools:

• Rkhunter: rootkit, backdoor, sniffer and exploit scanner
• chkrootkit: rootkit detector
• Unhide: forensic tool to find hidden processes and TCP/UDP ports by rootkits
• Shell Detector: application that helps you find and identify php/cgi(perl)/asp/aspx shells

Debian, RHEL and their respective derivatives are supported. chkrootkit is not available for RHEL.

The following variables control whether a tool is installed (true) or not (false). All variables default to 'false'.

• rkhunter
• chkrootkit
• unhide
• shelldetector

• antirootkits_mail_cmd: Command to send reports (varies between Debian and RHEL)
• antirootkits_mail_from: Sender email address for the audit reports. No valid default, you have to fill it in.
• antirootkits_mail_to: Receiver email address for the audit reports. No valid default, you have to fill it in.
• antirootkits_log_expire: Days before logs are purged. Defaults to '90'.
• antirootkits_rkhunter_diag_scan: Include application check for detailed report scan. Defaults to 'no' (RHEL only)

• unhide_cron_hour: Hour of execution of Unhide's cron job. Defaults to '6'.
• unhide_cron_minute: Minute of execution of Unhide's cron job. Defaults to '00'.

• shelldetector_install_directory: Install directory. Defaults to '/opt/Shell-Detector'.
• shelldetector_scan_directory: Directory to scan. Defaults to '/var/www'.
• shelldetector_cron_hour: Hour of execution of Shell Detector's cron job. Defaults to '6'.
• shelldetector_cron_minute: Minute of execution of Shell Detector's cron job. Defaults to '30'.

• rkhunter_allow_ssh_root_user: Define what rkhunter should expect in sshd config. Defaults to 'no'.

Example of how to use this role:

- hosts: servers
  vars:
     antirootkits_mail_from: '[email protected]'
     antirootkits_mail_to: '[email protected]'
  roles:
     - { role: qs5779.antirootkits }

GPLv3

Projec forked from https://github.com/mablanco/ansible-antirootkits