RKHUNTER - Documentation
Basic Usage
The most basic command to run rkhunter is as follows:
rkhunter --check
This runs the full set of tests: known rootkit files and strings, file properties of the system commands, hidden processes and files, network ports, and a number of system configuration checks. rkhunter pauses for a keypress between test groups; add `--sk` (`--skip-keypress`) to run straight through. Run time depends mainly on the number of binaries covered by the file properties test and the size of the filesystem.
Running rkhunter with Options
The command supports a wide range of options to customize the scan. Some of the most commonly used options are:
Running a Check with Verbose Output
rkhunter has no `--verbose` option. To record the details of every test (which files and strings were examined, not only the per-test summary line), enable verbose logging:
rkhunter --check --verbose-logging
The extra detail goes to the log file rather than the terminal. The opposite, useful for unattended runs, is `--report-warnings-only` (`--rwo`), which prints only the warnings.
Check a Specific Directory or File
rkhunter has no `--file` or `--dir` option and cannot be pointed at an arbitrary path. Each test examines a fixed set of locations (the system command directories, known rootkit paths, /dev, startup files, and so on), with the exact lists controlled by the configuration file. What you can choose is which tests run, for example only the filesystem and file properties tests:
rkhunter --check --enable filesystem,properties
`rkhunter --list tests` prints the available test names. The one option that does take a path is `--propupd`, which refreshes the stored file properties for the named file, directory or package (see "False Positives" below).
Update Rootkit Hunter Database
Rootkit Hunter ships a set of data files (known rootkit file and string lists, the mirror list, and similar). To fetch the current versions from the project's mirrors, run:
rkhunter --update
This updates only the data files, not the rkhunter program itself; `rkhunter --versioncheck` reports whether a newer release exists. The update needs outbound network access to the mirrors. Note that rkhunter's detections rest largely on the file properties baseline and on heuristics rather than on a large signature database, so current data files do not replace the `--propupd` baseline described under "False Positives".
Exclude Specific Tests
To skip tests during a check, use the `--disable` option (there is no `--skip`; `--sk` is the unrelated `--skip-keypress`). For example, to skip the filesystem checks:
rkhunter --check --disable filesystem
Several tests are separated with commas:
rkhunter --check --disable filesystem,system_configs
Every disabled test is a blind spot, so record why a test is disabled, and prefer whitelisting the one file that causes a false positive over disabling the whole test.
Enable Debugging Mode
If you are troubleshooting or need more detailed logging for analysis, use the `--debug` flag:
rkhunter --check --debug
This will generate debug output, which can be helpful in identifying issues with the tool or system configuration.
Configuration File
rkhunter reads its settings from `/etc/rkhunter.conf` (another path can be given with `--configfile`). It also reads `/etc/rkhunter.conf.local` if that file exists, which is the place for local changes that should survive package upgrades. After editing, validate the configuration with `rkhunter -C` (`--config-check`), which rejects unknown or malformed directives. Key configuration options include:
Disabling Specific Checks
Tests are disabled by default with the `DISABLE_TESTS` directive, which takes a space-separated list of test names as printed by `rkhunter --list tests` (there is no per-test directive such as `HIDDEN_FILE_CHECK`; the hidden file check is part of the `filesystem` test). For example, to leave out the hidden process test and the application version checks:
# Disable the hidden process and application version tests
DISABLE_TESTS=hidden_procs apps
Setting Email Notifications
rkhunter can send mail when a scan ends with warnings. The directive is `MAIL-ON-WARNING` (with hyphens), and `MAIL_CMD` is the command the message is piped into; rkhunter appends the address itself, so it does not belong in `MAIL_CMD`:
MAIL-ON-WARNING=root@localhost
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
A working local MTA, or a `mail` command that relays elsewhere, is required. For a single run that should not send mail, use `--nomow` (`--no-mail-on-warning`). Treat the mail as a signal only: the detail is in the log file, and a compromised host may be able to suppress the mail, so "no mail" must not be read as "no findings".
Specifying the Log File
By default, rkhunter writes its log to `/var/log/rkhunter.log` and overwrites it on every run (`APPEND_LOG=0`). Change the location with:
LOGFILE=/var/log/custom_rkhunter.log
Set `APPEND_LOG=1` to keep previous runs in the same file, and `USE_SYSLOG=authpriv.notice` to also send the start and finish times and the warnings to syslog, which is the simplest way to get results off a host where a rootkit could tamper with the local log. The `--logfile` option overrides `LOGFILE` for a single run.
Viewing Log Files
After a scan, the full results are in the log file:
cat /var/log/rkhunter.log
or, if you have configured a custom log file:
cat /var/log/custom_rkhunter.log
Each finding appears as a line that starts with the timestamp and `Warning:`, followed by indented detail lines (file name, current and stored hash, and so on). To list just the findings:
grep -n 'Warning:' /var/log/rkhunter.log
or
grep -n 'Warning:' /var/log/custom_rkhunter.log
Read the "System checks summary" at the end of the log as well: it reports suspect files and possible rootkits as separate counts, and a zero in the rootkit count does not mean the run was clean.
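As an added example, not code from the rkhunter project: a small POSIX shell helper that pulls the findings out of an rkhunter log. rkhunter writes one `[HH:MM:SS] Warning: ...` line per finding, followed by detail lines with the same timestamp and a wide indent, and a summary block at the end. The excerpt embedded in `sample_log` is constructed in that layout; the paths and hashes in it are invented.

```shell
#!/bin/sh
# Added example, not part of rkhunter: pull the findings out of an rkhunter log.
# rkhunter writes one "[HH:MM:SS] Warning: ..." line per finding, followed by
# detail lines that carry the same timestamp and a wide indent. The excerpt
# below is constructed in that layout; the paths and hashes are invented.

sample_log() {
cat <<'EOF'
[02:00:03] Info: Start date is Mon Jan  1 02:00:03 UTC 2024
[02:00:04] Performing file properties checks
[02:00:04]   Checking for prerequisites                   [ OK ]
[02:00:05]   /usr/bin/lwp-request                         [ Warning ]
[02:00:05] Warning: The file properties have changed:
[02:00:05]          File: /usr/bin/lwp-request
[02:00:05]          Current hash: 3f1c2a9d8e7b6c5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a
[02:00:05]          Stored hash : 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b
[02:00:09] Checking for hidden files and directories      [ Warning ]
[02:00:09] Warning: Hidden file found: /dev/.udev/rules.d/99-local.rules: ASCII text
[02:00:30] System checks summary
[02:00:30] File properties checks...
[02:00:30] Files checked: 140
[02:00:30] Suspect files: 1
[02:00:30] Rootkit checks...
[02:00:30] Rootkits checked : 497
[02:00:30] Possible rootkits: 0
EOF
}

# Print every "Warning:" line together with its indented detail lines.
# Status lines such as "[ Warning ]" are deliberately not matched: the
# "Warning:" line is the finding, the status line only flags the test.
rkhunter_warnings() {
    awk '
        /^\[[0-9:]+\] Warning: / { inwarn = 1; print; next }
        inwarn && /^\[[0-9:]+\]        / { print; next }
        { inwarn = 0 }
    ' "$1"
}

# Number of findings. grep -c exits 1 when the count is zero; that is not an error here.
rkhunter_warning_count() {
    grep -c '^\[[0-9:]*\] Warning: ' "$1" || [ $? -eq 1 ]
}

# The "Possible rootkits" figure from the end-of-run summary. It counts only
# matches against the known-rootkit lists, so a 0 here alongside findings
# above still needs a human to look at the log.
rkhunter_possible_rootkits() {
    sed -n 's/^\[[0-9:]*\] Possible rootkits: *//p' "$1"
}
```

Source the file and call `rkhunter_warnings /var/log/rkhunter.log` (as root) to get the findings with their detail lines, or `rkhunter_warning_count` for a figure that a monitoring check can threshold on; the count of `Warning:` lines is what matters, not the `[ Warning ]` status column.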
Automated Scheduling with Cron
To automate scans, run rkhunter from cron. Use `--cronjob`, which implies `--check`, `--skip-keypress` and `--nocolors`, together with `--report-warnings-only` so that the job prints nothing unless there is a finding (cron then mails that output to the crontab owner). Avoid `--quiet`, which suppresses all output including the warnings. Here's an example of a daily run:
1. Edit the crontab for root by running:
sudo crontab -e
2. Add the following line to schedule a daily scan at 2 AM:
0 2 * * * /usr/bin/rkhunter --cronjob --report-warnings-only
This runs rkhunter daily at 2 AM and produces output only when a warning is found. Debian-based distributions already ship `/etc/cron.daily/rkhunter`, controlled by `/etc/default/rkhunter` (`CRON_DAILY_RUN`, `CRON_DB_UPDATE`), so check for that before adding a second job.
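An added example of a cron wrapper, not shipped with rkhunter, that refreshes the data files, runs the non-interactive check, and keeps a dated copy of the log when something was flagged (rkhunter overwrites the log on each run). It assumes rkhunter 1.4.x behaviour: `--cronjob` implies `--check --sk --nocolors`, and the check exits non-zero when warnings are found. The `RKHUNTER`, `LOGFILE` and `ARCHIVE_DIR` variables, the archive path and the script name used in the final guard are this script's own conventions.

```shell
#!/bin/sh
# Added example, not part of rkhunter: daily scan wrapper for cron.
# Assumes rkhunter 1.4.x (--cronjob implies --check --sk --nocolors; --check
# exits non-zero when warnings or errors occur). Variable names, the archive
# directory and the script name are this wrapper's own conventions.
RKHUNTER="${RKHUNTER:-/usr/bin/rkhunter}"
LOGFILE="${LOGFILE:-/var/log/rkhunter.log}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/rkhunter/archive}"

# Refresh the data files first. Its exit status is not a plain pass/fail in
# every version (non-zero can mean "files were updated"), so it must not be
# allowed to abort the scan; stderr is left visible so mirror errors get mailed.
refresh_data() {
    "$RKHUNTER" --update >/dev/null || true
}

# Non-interactive scan; only warnings reach stdout, which cron mails to root.
run_scan() {
    "$RKHUNTER" --cronjob --report-warnings-only
}

# rkhunter overwrites its log every run (APPEND_LOG=0 by default), so keep a
# dated copy whenever the scan flagged something.
archive_log() {
    mkdir -p "$ARCHIVE_DIR" &&
        cp "$LOGFILE" "$ARCHIVE_DIR/rkhunter-$(date +%Y%m%d-%H%M%S).log"
}

# Returns rkhunter's own exit status so the caller can act on it.
daily_scan() {
    refresh_data
    rc=0
    run_scan || rc=$?
    if [ "$rc" -ne 0 ]; then
        archive_log
        echo "rkhunter exit status $rc; full log: $LOGFILE"
    fi
    return "$rc"
}

# Run only when executed under the expected script name, not when sourced.
case "${0##*/}" in
    rkhunter-daily.sh) daily_scan; exit $? ;;
esac
```

Install it as, for example, `/usr/local/sbin/rkhunter-daily.sh` and point the crontab line at it instead of calling rkhunter directly; the archived logs are what you compare against when the same file is reported on consecutive days.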
Common Issues and Troubleshooting
False Positives
Most warnings are not rootkits but legitimate changes: a package upgrade replaces a binary, so the file properties test reports a hash or size mismatch, or the distribution ships a hidden file or a script in a command directory that rkhunter lists. There is no `IGNORE_FILES` directive; use the whitelist directive that belongs to the test that fired, for example:
# Hidden file shipped by the distribution
ALLOWHIDDENFILE=/etc/.pwd.lock
# Script in a system command directory, flagged by the scripts test
SCRIPTWHITELIST=/usr/bin/egrep
For file property warnings, first confirm that the change came from the package manager (`dpkg -V <package>` or `rpm -V <package>`), then refresh the baseline:
sudo rkhunter --propupd
`--propupd` records the current state of the files as trusted, so running it on an unverified change would hide a real modification. Run it right after installing rkhunter and after every package update, never in response to a warning you have not investigated.
Permissions Issues
rkhunter needs root to read the files and process information it checks. Run it with sudo, or from root's crontab:
sudo rkhunter --check
Run as an unprivileged user, many tests are skipped or report errors for unreadable files, so the summary is incomplete rather than clean. Look for "Skipped" entries and permission errors in the log before trusting a run.
Outdated Database
Stale data files reduce what the rootkit tests can recognise. Update them regularly, for example from the same cron job before the check:
sudo rkhunter --update
A stale file properties baseline matters just as much: after any package installation or upgrade, verify the change and run `sudo rkhunter --propupd`, otherwise every later scan reports the legitimately changed binaries and real changes get lost in the noise.
