Difference between revisions of "Rkhunter"

From ArchWiki
(→‎Basic commands: Need to be root)
(add ja link)
 
(2 intermediate revisions by one other user not shown)
Line 2: Line 2:
 
[[Category:Security]]
 
[[Category:Security]]
 
[[Category:Intrusion detection]]
 
[[Category:Intrusion detection]]
 +
[[ja:Rkhunter]]
 
{{Related articles start}}
 
{{Related articles start}}
 
{{Related|Security}}
 
{{Related|Security}}
Line 7: Line 8:
 
{{Related|AIDE}}
 
{{Related|AIDE}}
 
{{Related articles end}}
 
{{Related articles end}}
 
  
 
'''rkhunter''' (Rootkit Hunter) is a security monitoring tool for POSIX compliant systems. It scans for rootkits, and other possible vulnerabilities. It does so by searching for the default directories (of rootkits), misconfigured permissions, hidden files, kernel modules containing suspicious strings, and comparing hashes of important files with known good ones.
 
'''rkhunter''' (Rootkit Hunter) is a security monitoring tool for POSIX compliant systems. It scans for rootkits, and other possible vulnerabilities. It does so by searching for the default directories (of rootkits), misconfigured permissions, hidden files, kernel modules containing suspicious strings, and comparing hashes of important files with known good ones.
Line 26: Line 26:
 
=== Important files ===
 
=== Important files ===
  
The main configuration file is located at: {{ic|/etc/rkhunter.conf}}
+
The main configuration file is located at {{ic|/etc/rkhunter.conf}}.
  
By default, RKH places logs at: {{ic|/var/log/rkhunter.log}}
+
By default, a log of the last system check will be placed at {{ic|/var/log/rkhunter.log}}.
  
 
== Usage ==
 
== Usage ==
See {{man|8|rkhunter}} for a full list of options.
+
 
{{Note|By default, ''RKH'' requires root privileges to run. }}
+
See {{man|8|rkhunter}} for full details.
  
 
=== Basic commands ===
 
=== Basic commands ===
  
* Update file properties database:
+
To update the file properties database:
 
  # rkhunter --propupd
 
  # rkhunter --propupd
* Run system check:
+
 
 +
To run a system check:
 
  # rkhunter --check
 
  # rkhunter --check
* To validate the configuration file(s):
+
 
 +
To validate the configuration file(s):
 
  # rkhunter --config-check
 
  # rkhunter --config-check
  
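Review bot: the root-privileges note ({{Note|By default, ''RKH'' requires root privileges to run. }}) is dropped from the Usage section in this hunk, leaving the "#" prompt in Basic commands as the only indication that these commands must run as root; consider keeping one sentence such as "rkhunter requires root privileges to run." next to the {{man|8|rkhunter}} reference.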
Line 46: Line 48:
  
 
=== False positives ===
 
=== False positives ===
Out of the box, RKH will throw up some false warnings during the file properties check. This is because, a few of the core utilities have been replaced by scripts. These warnings can be muted through white-listing.
+
 
 +
Out of the box, Rootkit Hunter will throw up some false warnings during the file properties check. This is because, a few of the core utilities have been replaced by scripts. These warnings can be muted through white-listing.
  
 
{{hc|1=/etc/rkhunter.conf|2=
 
{{hc|1=/etc/rkhunter.conf|2=
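Review bot: the reworded line keeps the stray comma in "This is because, a few of the core utilities have been replaced by scripts."; suggest "This is because a few of the core utilities have been replaced by scripts." Also, "muted through white-listing" would be clearer as "silenced by whitelisting the scripts", which says what the SCRIPTWHITELIST entries below do.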
Line 57: Line 60:
  
 
=== External documentation ===
 
=== External documentation ===
* [http://rkhunter.sourceforge.net/ RKH Homepage]
+
* [http://rkhunter.sourceforge.net/ Rootkit Hunter Homepage]
* [https://sourceforge.net/p/rkhunter/rkh_code/ci/master/tree/files/README RKH README]
+
* [https://sourceforge.net/p/rkhunter/rkh_code/ci/master/tree/files/README Rootkit Hunter README]
  
 
=== Related Wikipedia pages ===
 
=== Related Wikipedia pages ===

Latest revision as of 11:13, 3 October 2019

rkhunter (Rootkit Hunter) is a security monitoring tool for POSIX-compliant systems. It scans for rootkits and other possible vulnerabilities. It does so by searching for the default directories of rootkits, misconfigured permissions, hidden files and kernel modules containing suspicious strings, and by comparing hashes of important files with known good ones.

It is written in Bash for portability and can run on most UNIX-based systems.

Installation

Install the rkhunter package.

Configuration

Initial setup

Prior to running rkhunter for the first time, update the file properties database:

# rkhunter --propupd

Important files

The main configuration file is located at /etc/rkhunter.conf.

By default, a log of the last system check will be placed at /var/log/rkhunter.log.

Usage

See rkhunter(8) for full details.

Basic commands

To update the file properties database:

# rkhunter --propupd

To run a system check:

# rkhunter --check

To validate the configuration file(s):

# rkhunter --config-check

Troubleshooting

False positives

Out of the box, Rootkit Hunter will raise some false warnings during the file properties check, because a few of the core utilities have been replaced by scripts. These warnings can be silenced by whitelisting those scripts.

/etc/rkhunter.conf
SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/ldd
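The whitelist above names the scripts by hand. As an added example that is not part of the wiki page or of rkhunter itself, the following POSIX shell function scans a directory for executables that begin with a "#!" shebang, the files the file properties check reports as commands replaced by scripts, and prints them as SCRIPTWHITELIST lines to review before adding them to /etc/rkhunter.conf; the function name, the demo files and the directory argument are my own assumptions.

```shell
#!/bin/sh
# Added example for this page; not code from the ArchWiki or the rkhunter project.
# Lists executables in a directory that are really scripts (first bytes "#!"),
# in the SCRIPTWHITELIST=... form used in /etc/rkhunter.conf.
# Function name and the directory argument are assumptions of this example.

script_whitelist_lines() {
    dir=$1
    for f in "$dir"/*; do
        # Only regular, executable files count as commands here;
        # -f follows symlinks, so a symlinked wrapper script is reported too.
        [ -f "$f" ] && [ -x "$f" ] || continue
        # A script starts with the two bytes "#!"; a binary (e.g. ELF) does not.
        if head -c 2 "$f" 2>/dev/null | grep -q '^#!'; then
            printf 'SCRIPTWHITELIST=%s\n' "$f"
        fi
    done
}

# Self-contained demonstration on constructed files (not real system binaries):
# a script wrapper, an ELF-like binary and a non-executable script.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\nexec /usr/bin/true "$@"\n' > "$tmp/ldd"
    chmod 755 "$tmp/ldd"
    printf '\177ELF\002\001\001' > "$tmp/grep"
    chmod 755 "$tmp/grep"
    printf '#!/bin/sh\n' > "$tmp/README.sh"
    chmod 644 "$tmp/README.sh"
    script_whitelist_lines "$tmp"   # only the line for ldd is printed
    rm -rf "$tmp"
}

demo
```

Run it as `script_whitelist_lines /usr/bin` on the host being checked and read every line before whitelisting it: a script that has no business being there is exactly what the check exists to catch.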

See also

External documentation

Related Wikipedia pages