Add rkhunter module #381
Merged (5 commits, Sep 7, 2022)
Conversation

@Kovah (Contributor) commented Aug 29, 2022

It's me, again. 😄

This PR adds a module for rkhunter / Malware check: #45
One thing that could be improved before merge is to loop through multiple rootkit checks in one task (identifiable by "Performing ....").

Example output:

Running Rootkit Hunter version 3.1.0 on localhost

Info: Start date is Mon 29 Aug 2022 06:56:27 PM UTC

Info: Detected operating system is 'Linux'
Found O/S name: Ubuntu 1.2.15
Info: Environment shell is /bin/bash; rkhunter is using dash
Info: Using configuration file '/etc/rkhunter.conf'
Info: Installation directory is '/usr'
Info: Using language 'en'
Info: Using '/var/lib/rkhunter/db' as the database directory
Info: Using '/usr/share/rkhunter/scripts' as the support script directory
Info: Using '/var/lib/rkhunter/db' as the database directory
Info: Using '/usr/share/rkhunter/scripts' as the support script directory
Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /usr/games /usr/local/games /snap/bin /usr/libexec' as the command directories
Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
Info: No mail-on-warning address configured

Checking if the O/S has changed since last time...
Info: Nothing seems to have changed.
Info: Locking is not being used

Starting system checks...

Performing check of possible rootkit files and directories
  Checking for TCP port 25000                       [ Not found ]
  Checking for TCP port 31337                       [ Not found ]
  Checking for TCP port 7000                        [ Not found ]
  Checking for directory '/usr/doc/backup'          [ Not found ]
  Checking for file '/etc/rc.d/rc6.d/S55IptabLex'   [ Not found ]
  Checking for file '/tmp/bill.lock'                [ Not found ]
  Checking for file '/usr/lib/elm/arobia/elm/sd.pp' [ Not found ]
  Checking for file '/usr/lib/elm/arobia/elm/sdco'  [ Not found ]
  Checking for string '/lib/.xsyslog'               [ Not found ]
  Checking for string '/usr/bin/rcpc'               [ Not found ]
  Checking for string '/usr/include/gpm2.h'         [ Skipped ]
  Scanning for string /dev/.lib/lib/lib             [ Not found ]
  Scanning for string /usr/include/.../proc.h       [ Not found ]
  Checking /dev for suspicious file types           [ Not found ]
  Running skdet command                             [ Not found ]

Performing additional rootkit checks
  Checking for zaRwT.KiT Rootkit...
    Checking for TCP port 7000                       [ Found ]
    Checking for directory '/usr/doc/backup'         [ Not found ]
    Checking for directory '/xochikit'               [ Not found ]
    Checking for file '/usr/bin/bsd-port/getty.lock' [ Not found ]
    Checking for string '/usr/lib/ldlibdu.so'        [ Not found ]
  zaRwT.KiT Rootkit                                  [ Found ]

Performing system boot checks
  Checking for Tuxtendo Rootkit...
    Checking for directory '/var/lock/subsys/...datafile.../...datafile...' [ Not found ]
    Checking for file '/lib/tls/libkeyutils.so.1'                           [ Not found ]
    Checking for file '/lib64/libns5.so'                                    [ Not found ]
    Checking for kernel symbol 'h4x_open'                                   [ Not found ]
    Checking for string '/dev/ida/.inet'                                    [ Not found ]
  Tuxtendo Rootkit                                                          [ Not found ]

...

Warning
By the way: I had to use the nightly Rust channel, because of this error message:
#![feature] may not be used on the stable release channel in anyhow-1.0.62/src/lib.rs:214:32
Not sure if this is really intended.

@svenstaro (Owner) left a comment:
Good stuff! Just a few notes.

@@ -0,0 +1,239 @@
Checking for directory '/dev/ptyas'
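Review bot: this line bakes the display prefix "Checking for directory" into the data file, so the kind of target (directory, file, string, port) cannot be told apart from the path except by matching the prefix text. Storing the bare target with a kind marker, for example `directory /dev/ptyas`, and generating the "Checking for ..." prefix in the module would keep the file to data only and let the path lists be reused by other modules.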
svenstaro (Owner):
Would it perhaps be smarter to have a list of directories and a list of files? These could then also be consumed by other genact modules later on. It's also fine if you want to just play these files from the top for now, your choice.

Kovah (Contributor, Author):
I'll have a look tomorrow.

Kovah (Contributor, Author):
Thought about this and having files and directories in one file would be difficult to differentiate. If we decide to have normalized data for the Linux filesystem, I would create one file for directories and one for regular files. Maybe this could be done if another module needs this data?
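The two points raised in this thread, Kovah's note that the checks could be looped per "Performing ..." task and the question of how to keep directories, files and other targets apart in the data, as one added example in Rust. This is not genact's code and not Kovah's; the tagged line format ("<kind> <target>" under a rootkit name), the functions parse_rootkits and render_task, the SAMPLE data and the PRNG are assumptions made for this example. The rootkit names and targets are taken from the output posted above, and the column alignment follows it: every label in a block is padded to the longest label in that block, and the summary line is padded so its bracket lines up with the sub-checks.

```rust
// Added example, not genact's own code. It shows (a) one "Performing ..." task
// looping over several rootkits, each with its own indented sub-checks and a
// summary line, and (b) data lines tagged with the target kind so directories,
// files, strings and ports can be told apart without separate files.
use std::fmt::Write;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Outcome {
    NotFound,
    Found,
    Skipped,
}

impl Outcome {
    pub fn label(self) -> &'static str {
        match self {
            Outcome::NotFound => "[ Not found ]",
            Outcome::Found => "[ Found ]",
            Outcome::Skipped => "[ Skipped ]",
        }
    }
}

/// One check line from a data file: "<kind> <target>", e.g. "directory /dev/ptyas".
#[derive(Debug, PartialEq, Eq)]
pub struct Check {
    pub kind: String,
    pub target: String,
}

/// A rootkit name followed by its checks; paragraphs are separated by a blank line.
pub struct Rootkit {
    pub name: String,
    pub checks: Vec<Check>,
}

/// Parse the hypothetical tagged format: the first line of each paragraph is the
/// rootkit name, every following line is "<kind> <target>". Malformed lines are skipped.
pub fn parse_rootkits(text: &str) -> Vec<Rootkit> {
    text.split("\n\n")
        .filter_map(|para| {
            let mut lines = para.lines().map(str::trim).filter(|l| !l.is_empty());
            let name = lines.next()?.to_string();
            let checks = lines
                .filter_map(|l| {
                    let (kind, target) = l.split_once(' ')?;
                    Some(Check { kind: kind.to_string(), target: target.trim().to_string() })
                })
                .collect();
            Some(Rootkit { name, checks })
        })
        .collect()
}

/// Label text as rkhunter prints it; ports are the one kind printed without quotes.
pub fn check_label(c: &Check) -> String {
    if c.kind == "port" {
        format!("Checking for TCP port {}", c.target)
    } else {
        format!("Checking for {} '{}'", c.kind, c.target)
    }
}

/// Render one task. `pick` yields each check's outcome, so a PRNG (as in genact)
/// or a fixed script (as in a test) can be plugged in.
pub fn render_task(title: &str, rootkits: &[Rootkit], pick: &mut dyn FnMut() -> Outcome) -> String {
    let mut out = format!("Performing {}\n", title);
    for rk in rootkits {
        writeln!(out, "  Checking for {}...", rk.name).unwrap();
        let rows: Vec<(String, Outcome)> =
            rk.checks.iter().map(|c| (check_label(c), pick())).collect();
        // rkhunter pads every label in a block to the longest label in that block
        let width = rows.iter().map(|(l, _)| l.len()).max().unwrap_or(0);
        for (label, outcome) in &rows {
            writeln!(out, "    {:<width$} {}", label, outcome.label(), width = width).unwrap();
        }
        // The rootkit counts as found if any indicator was found; the summary sits two
        // columns further left, padded so its bracket lines up with the sub-checks.
        let summary = if rows.iter().any(|(_, o)| *o == Outcome::Found) {
            Outcome::Found
        } else {
            Outcome::NotFound
        };
        writeln!(out, "  {:<w$} {}", rk.name, summary.label(), w = width + 2).unwrap();
    }
    out
}

/// xorshift64, so the stand-alone run is reproducible without an external crate.
pub struct Rng(u64);
impl Rng {
    pub fn new(seed: u64) -> Self {
        Rng(seed.max(1))
    }
    pub fn outcome(&mut self) -> Outcome {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        match x % 100 {
            0..=2 => Outcome::Found, // rare, as in a real scan
            3..=9 => Outcome::Skipped,
            _ => Outcome::NotFound,
        }
    }
}

/// Constructed sample data in the tagged format (names and targets from the output above).
pub const SAMPLE: &str = "zaRwT.KiT Rootkit
port 7000
directory /usr/doc/backup
file /usr/bin/bsd-port/getty.lock
string /usr/lib/ldlibdu.so

Tuxtendo Rootkit
file /lib64/libns5.so
string /dev/ida/.inet
";

fn main() {
    let mut rng = Rng::new(0x2022_08_29);
    let rootkits = parse_rootkits(SAMPLE);
    print!("{}", render_task("additional rootkit checks", &rootkits, &mut || rng.outcome()));
}
```

The outcome is supplied by a closure so a test can script it while the stand-alone run draws from the seeded PRNG; the summary line reads [ Found ] only when at least one of that rootkit's sub-checks did, which is the relation the posted zaRwT.KiT block shows (one port found, rootkit reported found).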

Comment on lines 8 to 12
use crate::data::RKHUNTER_CHECKS_LIST;
use crate::data::RKHUNTER_CHECKS_SHORT_LIST;
use crate::data::RKHUNTER_INFOS_LIST;
use crate::data::RKHUNTER_ROOTKITS_LIST;
use crate::data::RKHUNTER_TASKS_LIST;
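Review bot: five consecutive `use crate::data::...;` lines can be collapsed into one grouped import, `use crate::data::{RKHUNTER_CHECKS_LIST, RKHUNTER_CHECKS_SHORT_LIST, RKHUNTER_INFOS_LIST, RKHUNTER_ROOTKITS_LIST, RKHUNTER_TASKS_LIST};`, which is the usual style for several items from one module. Separately, having both RKHUNTER_CHECKS_LIST and RKHUNTER_CHECKS_SHORT_LIST imported here raises the question of whether the short list is a subset that could be derived from the long one at runtime rather than maintained as a second data file.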
svenstaro (Owner):
Could you merge these?

@Kovah (Contributor, Author) commented Aug 30, 2022:
Reduced it to RKHUNTER_CHECKS_LIST, RKHUNTER_ROOTKITS_LIST and RKHUNTER_TASKS_LIST.
I could move the Rootkits into an array in the rkhunter module, but I am not sure if this is fine?

@svenstaro (Owner):
I like it! Merging as is. Thanks. :)

@svenstaro svenstaro merged commit 15d1d83 into svenstaro:master Sep 7, 2022