User:mizZen/drafts/rkhunter
rkhunter (Rootkit Hunter) is a security monitoring tool for POSIX compliant systems. It scans for rootkits, and other possible vulnerabilities. It does so by searching for the default directories (of rootkits), misconfigured permissions, hidden files, kernel modules containing suspicious strings, and comparing hashes of important files with known good ones.
It is written in Bash, to allow for portability, and can run on most UNIX-based systems.
Installation
Configuration
Initial setup
Prior to running RKH for the first time, You will need to update the file properties database:
$ sudo rkhunter --propupd
Important files
The main configuration file is located at: /etc/rkhunter.conf
By default, RKH places logs at: /var/log/rkhunter.log
Usage
See rkhunter(8) for a full list of options.
Basic commands
- Update file properties database:
$ rkhunter --propupd
- Run system check:
$ rkhunter -c, --check
- Update RKH after modifying the configuration file:
$ rkhunter -C, --config-check
Troubleshooting
False positives
Out of the box, RKH will throw up some false warnings during the file properties check. This is because, a few of the core utilities have been replaced by scripts. These warnings can be fixed through white-listing.
/etc/rkhunter.conf
SCRIPTWHITELIST=/usr/bin/egrep SCRIPTWHITELIST=/usr/bin/fgrep SCRIPTWHITELIST=/usr/bin/ldd