Rkhunter

From ArchWiki
Revision as of 16:27, 21 June 2019

rkhunter (Rootkit Hunter) is a security monitoring tool for POSIX compliant systems. It scans for rootkits, backdoors and similar local compromises. It does so by checking the default paths that known rootkits use, misconfigured permissions, hidden files and directories, kernel modules containing suspicious strings, and by comparing the hashes and other properties of important files against a known-good baseline.

It is written as a shell script, which keeps it portable, and runs on most UNIX-like systems.


Installation

Install the rkhunter package.


Initial setup

Prior to running rkhunter for the first time, update the file properties database. This records the current hashes, permissions and other properties of system files as the baseline that later checks compare against, so it must be run on a system that is believed to be clean, and rerun after package upgrades that change those files (otherwise the next check reports every upgraded file as changed):

# rkhunter --propupd

Important files

The main configuration file is located at: /etc/rkhunter.conf

By default, RKH places logs at: /var/log/rkhunter.log


Usage

See rkhunter(8) for a full list of options.

Basic commands

  • Update file properties database:
# rkhunter --propupd
  • Run system check:
# rkhunter --check
  • Validate the configuration file(s):
# rkhunter --config-check
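The three commands above are normally run from a systemd timer or cron job rather than by hand. The following added example (not part of the ArchWiki page or of rkhunter itself) wraps a non-interactive check and filters the resulting log down to its warnings. The log path is assumed to be the default /var/log/rkhunter.log, the sample log content is constructed for the demo and is not real scanner output, and the rkhunter options used (--config-check, --check, --sk, --rwo, --nocolors) are documented in rkhunter(8).

```shell
#!/bin/sh
# Added example: non-interactive rkhunter run plus a log filter.
# Not part of the ArchWiki page or of rkhunter itself. Assumes the default
# log location /var/log/rkhunter.log; override with RKH_LOG.

RKH_LOG=${RKH_LOG:-/var/log/rkhunter.log}

# Validate the configuration, then run a check that needs no key presses
# (--sk) and reports only warnings (--rwo); --nocolors keeps the log clean.
# Returns rkhunter's exit status, which is non-zero when warnings were
# found or the run failed, so a timer or cron job can alert on it.
rkh_scan() {
    rkhunter --config-check || return $?
    rkhunter --check --sk --rwo --nocolors
}

# Print the "Warning:" lines of an rkhunter log. rkhunter prefixes every
# log line with "[HH:MM:SS]"; the per-test "[ Warning ]" status lines are
# deliberately not matched, only the explanatory "Warning:" lines are.
rkh_warnings() {
    grep -E '^\[[0-9]{2}:[0-9]{2}:[0-9]{2}\] *Warning:' "$1"
}

# Number of warnings in the log, 0 when there are none.
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# Constructed sample log (hypothetical content in rkhunter's line format,
# not real scanner output) so the filter can be exercised without a scan.
rkh_write_sample_log() {
    cat > "$1" <<'EOF'
[10:00:01] Info: Start date is Fri Jun 21 10:00:01 2019
[10:00:02]   Checking for prerequisites                  [ OK ]
[10:00:02]   /usr/bin/egrep                              [ Warning ]
[10:00:02] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[10:00:03]   Checking for hidden files and directories   [ Warning ]
[10:00:03] Warning: Hidden directory found: /etc/.git
[10:00:04] Info: End date is Fri Jun 21 10:00:04 2019
EOF
}

# Stand-alone demo on the constructed log. After a real scan, point the
# same functions at "$RKH_LOG" instead, for example:
#   rkh_scan || rkh_warnings "$RKH_LOG" | mail -s "rkhunter warnings" root
demo_log=$(mktemp)
rkh_write_sample_log "$demo_log"
rkh_warnings "$demo_log"
echo "warnings: $(rkh_warning_count "$demo_log")"
rm -f "$demo_log"
```

rkh_warnings exits non-zero when the log contains no warnings (grep found nothing), which is convenient in a `||` chain; rkh_warning_count always succeeds and prints 0 in that case. Run rkh_scan as root, since the checks read files that are not world-readable.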


False positives

Out of the box, RKH reports some false warnings during the file properties check: a few of the core utilities that rkhunter expects to be compiled binaries are shipped as shell scripts, so it warns that the command "has been replaced by a script". These warnings can be silenced by white-listing the affected paths with SCRIPTWHITELIST entries in /etc/rkhunter.conf. Before white-listing a path, confirm that the script really belongs to its package (pacman -Qo shows the owning package, and pacman -Qkk verifies the package's files against the package database), because a binary that has genuinely been replaced by a script is exactly what this check is meant to catch.
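The following added example (not part of the ArchWiki page or of rkhunter itself) turns a list of candidate paths into SCRIPTWHITELIST lines, keeping only the files that actually are scripts. The demo directory and the two files in it are constructed for the example; on a real system the candidates would be the paths named in the "has been replaced by a script" warnings of the log.

```shell
#!/bin/sh
# Added example: generate SCRIPTWHITELIST lines for rkhunter.conf.
# Not part of the ArchWiki page or of rkhunter itself.

# For each path given, print a SCRIPTWHITELIST line if the file is a
# script (its first two bytes are "#!"). Compiled binaries and missing
# paths are skipped, so only the files that would trigger the
# "replaced by a script" warning are listed. Review the output before
# appending it to /etc/rkhunter.conf.
rkh_script_whitelist() {
    for path in "$@"; do
        [ -f "$path" ] || continue
        if [ "$(head -c 2 "$path" 2>/dev/null)" = "#!" ]; then
            printf 'SCRIPTWHITELIST=%s\n' "$path"
        fi
    done
    return 0
}

# Constructed stand-in for a system directory: one shell script and one
# fake ELF binary (hypothetical files, created only for the demo).
rkh_make_demo_dir() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nexec grep -E "$@"\n' > "$dir/egrep"
    printf '\177ELF\002\001\001' > "$dir/grep"
    chmod 755 "$dir/egrep" "$dir/grep"
    printf '%s\n' "$dir"
}

demo=$(rkh_make_demo_dir)
# Prints only: SCRIPTWHITELIST=<demo dir>/egrep
rkh_script_whitelist "$demo/egrep" "$demo/grep" "$demo/missing"
rm -rf "$demo"

# On a real system, after checking the owning package with pacman -Qo
# and pacman -Qkk, the output can be appended to the configuration:
#   rkh_script_whitelist /usr/bin/egrep /usr/bin/fgrep >> /etc/rkhunter.conf
```

After editing the configuration, run rkhunter --config-check to make sure the new entries are accepted, then rkhunter --propupd so the baseline matches the current files, and finally rkhunter --check to confirm the warnings are gone.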


See also

External documentation

Related Wikipedia pages