Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

2026-01-17T08:36:33Z

Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

← Older revision		Revision as of 08:36, 17 January 2026
Line 1:		Line 1:
	[[Category:Wiki]]		[[Category:Wiki]]

			'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''


	== Basic Usage ==		== Basic Usage ==

Admin: Created page with "Category:Wiki == Basic Usage == The most basic command to run rkhunter is as follows: rkhunter --check This runs a full scan of the system and checks for rootkits, hidden files, and other potential security risks. It may take some time to complete, depending on the system size. == Running rkhunter with Options == The command supports a wide range of options to customize the scan. Some of the most commonly used options are: === Running a Chec..."

2025-12-14T08:36:18Z

Created page with "Category:Wiki == Basic Usage == The most basic command to run rkhunter is as follows: <nowiki> rkhunter --check</nowiki> This runs a full scan of the system and checks for rootkits, hidden files, and other potential security risks. It may take some time to complete, depending on the system size. == Running rkhunter with Options == The command supports a wide range of options to customize the scan. Some of the most commonly used options are: === Running a Chec..."

New page

[[Category:Wiki]]

== Basic Usage ==

The most basic command to run rkhunter is as follows:

<nowiki>
rkhunter --check</nowiki>

This runs a full scan of the system and checks for rootkits, hidden files, and other potential security risks. It may take some time to complete, depending on the system size.

== Running rkhunter with Options ==

The command supports a wide range of options to customize the scan. Some of the most commonly used options are:

=== Running a Check with Verbose Output ===
To run rkhunter with detailed output, use the following command:

<nowiki>
rkhunter --check --verbose</nowiki>

This provides more detailed information about each check and any issues it finds.

=== Check a Specific Directory or File ===
If you wish to check a specific directory or file, use the `--file` or `--dir` option, respectively:

<nowiki>
rkhunter --check --dir /home/user</nowiki>

or

<nowiki>
rkhunter --check --file /etc/passwd</nowiki>

=== Update Rootkit Hunter Database ===
Rootkit Hunter relies on a database of known rootkits. To ensure it has the latest signatures, update the database with the following command:

<nowiki>
rkhunter --update</nowiki>

This will download the latest rootkit definitions from the rkhunter servers.

=== Exclude Specific Tests ===
If you want to skip certain tests during the check, you can exclude them with the `--skip` option. For example, to skip the file system checks:

<nowiki>
rkhunter --check --skip fs</nowiki>

You can exclude multiple tests by separating them with commas:

<nowiki>
rkhunter --check --skip fs,sysctl</nowiki>

=== Enable Debugging Mode ===
If you are troubleshooting or need more detailed logging for analysis, use the `--debug` flag:

<nowiki>
rkhunter --check --debug</nowiki>

This will generate debug output, which can be helpful in identifying issues with the tool or system configuration.

== Configuration File ==

rkhunter stores its configuration settings in a configuration file, usually located at `/etc/rkhunter.conf`. This file can be edited to change various behavior of the tool. Key configuration options include:

=== Disabling Specific Checks ===
To disable certain tests by default, you can edit the configuration file and comment out or set options to `false`. For example, to disable the "hidden file" check:

<nowiki>
# Disable check for hidden files
HIDDEN_FILE_CHECK=false</nowiki>

=== Setting Email Notifications ===
You can configure rkhunter to send email notifications after a scan completes. To do so, edit the following settings in the configuration file:

<nowiki>
MAIL_ON_WARN=true
MAIL_CMD="/usr/bin/mail -s 'Rootkit Hunter Warning' user@example.com"</nowiki>

Ensure that the mail utility is properly configured on your system for this feature to work.

=== Specifying the Log File ===
By default, rkhunter logs its output to `/var/log/rkhunter.log`. You can change the log file location by modifying the following entry in the configuration file:

<nowiki>
LOGFILE="/var/log/custom_rkhunter.log"</nowiki>

== Viewing Log Files ==

After running a scan, rkhunter logs the results to a log file. To view the log and check for potential issues, use:

<nowiki>
cat /var/log/rkhunter.log</nowiki>

or, if you have configured a custom log file:

<nowiki>
cat /var/log/custom_rkhunter.log</nowiki>

For easier reading, you can filter the logs for warnings or errors:

<nowiki>
grep "Warning" /var/log/rkhunter.log</nowiki>

or

<nowiki>
grep "Warning" /var/log/custom_rkhunter.log</nowiki>

== Automated Scheduling with Cron ==

To automate rkhunter scans, it is common to use cron jobs to run rkhunter at regular intervals. Here's an example of how to run rkhunter daily:

1. Edit the crontab for root by running:

<nowiki>
sudo crontab -e</nowiki>

2. Add the following line to schedule a daily scan at 2 AM:

<nowiki>
0 2 * * * /usr/bin/rkhunter --check --quiet</nowiki>

This will run rkhunter daily at 2 AM without outputting anything unless a problem is found.

== Common Issues and Troubleshooting ==

=== False Positives ===
rkhunter may occasionally flag certain files or directories as suspicious, even if they are legitimate. In such cases, you can ignore those warnings by adding the affected files to the ignore list in the configuration file. For example:

<nowiki>
# Ignore false positive for /usr/bin/suspicious_file
IGNORE_FILES="/usr/bin/suspicious_file"</nowiki>

=== Permissions Issues ===
rkhunter needs to run with root privileges to perform most of its checks. Ensure you are running the command as root or with sudo:

<nowiki>
sudo rkhunter --check</nowiki>

If permissions are incorrect for system files, rkhunter might not be able to check them properly, resulting in incomplete scans.

=== Outdated Database ===
An outdated rootkit database can lead to missed detections. Regularly run the `--update` command to keep the database current:

<nowiki>
sudo rkhunter --update</nowiki>

== Useful Links ==

* [https://github.com/Truecrypt/RKHunter GitHub Repository]
* [https://rkhunter.sourceforge.io/ Official Website]
* [https://man7.org/linux/man-pages/man1/rkhunter.1.html Manual Page]
* [https://www.debian.org/doc/manuals/securing-debian-manual/ch06.en.html Securing Debian Manual]
* [https://wiki.archlinux.org/title/Rootkit_Hunter ArchWiki: Rootkit Hunter]

RKHUNTER - Documentation - Revision history

Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "