Difference between revisions of "User:MizZen/drafts/rkhunter"

From ArchWiki
(added Categories, Cleaned up usage section, added to troubleshooting section.)
(user pages shall not be categorized, see Help:Style#User pages)
Tag: wiki-scripts
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
 
{{Lowercase title}}
 
{{Lowercase title}}
 
[[Category:Security]]
 
[[Category:Intrusion detection]]
 
 
 
{{Related articles start}}
 
{{Related articles start}}
 
{{Related|Security}}
 
{{Related|Security}}
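Review bot: dropping the two [[Category:...]] lines is consistent with the edit summary (Help:Style#User pages says user pages are not categorized), but note it for later: when this draft is moved into the main namespace, [[Category:Security]] and [[Category:Intrusion detection]] need to be restored so the article is reachable from the category index.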
Line 10: Line 6:
 
{{Related articles end}}
 
{{Related articles end}}
  
 
+
'''rkhunter''' (Rootkit Hunter) is a security monitoring tool for POSIX compliant systems. It scans for rootkits, and other possible vulnerabilities. It does so by searching for the default directories (of rootkits), misconfigured permissions, hidden files, kernel modules containing suspicious strings, and comparing hashes of important files with known good ones.
 
 
'''rkhunter''' (Rootkit Hunter) is a security monitoring tool for POSIX compliant systems. It scans for rootkits, and other possible vulnerabilities.
 
 
 
It does so by searching for the default directories (of rootkits), misconfigured permissions, hidden files, kernel modules containing suspicious strings, and comparing hashes of important files with known good ones.
 
  
 
It is written in [[Bash]], to allow for portability, and can run on most UNIX-based systems.  
 
It is written in [[Bash]], to allow for portability, and can run on most UNIX-based systems.  
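Review bot: the merged intro paragraph on the + line keeps two small wording problems from the original: "POSIX compliant" should be hyphenated ("POSIX-compliant") and the comma in "rootkits, and other possible vulnerabilities" splits a plain two-item list; "scans for rootkits and other possible vulnerabilities" reads correctly.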
Line 44: Line 36:
 
* Update RKH after modifying the configuration file:
 
* Update RKH after modifying the configuration file:
 
  $ rkhunter -C, --config-check
 
  $ rkhunter -C, --config-check
 
 
  
 
== Troubleshooting ==
 
== Troubleshooting ==
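Review bot: the unchanged context line `$ rkhunter -C, --config-check` copies the man page's option-list notation into a shell prompt and will not run as typed; show a single invocation such as `$ rkhunter --config-check` and mention `-C` as the short form in the bullet text instead. The same applies to the `-c, --check` bullet earlier in the section. Since the page's own note says RKH needs root privileges, a root prompt or a `sudo` prefix (as the initial-setup command already uses) would also be the consistent choice for these examples.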
Line 57: Line 47:
 
SCRIPTWHITELIST=/usr/bin/ldd
 
SCRIPTWHITELIST=/usr/bin/ldd
 
}}
 
}}
 
 
  
 
== See also ==
 
== See also ==

Latest revision as of 06:11, 9 April 2019

rkhunter (Rootkit Hunter) is a security monitoring tool for POSIX-compliant systems. It scans for rootkits and other possible vulnerabilities. It does so by searching for the default directories used by rootkits, misconfigured permissions, hidden files, and kernel modules containing suspicious strings, and by comparing hashes of important files with known good ones.

It is written in Bash, to allow for portability, and can run on most UNIX-based systems.

Installation

Install the rkhunter package.

Configuration

Initial setup

Prior to running RKH for the first time, you will need to update the file properties database:

$ sudo rkhunter --propupd

Important files

The main configuration file is located at: /etc/rkhunter.conf

By default, RKH places logs at: /var/log/rkhunter.log

Usage

See rkhunter(8) for a full list of options.

Note: By default, RKH requires root privileges to run.

Basic commands

  • Update the file properties database:
$ rkhunter --propupd
  • Run a system check (short form: -c):
$ rkhunter --check
  • Check the configuration file for errors after modifying it (short form: -C):
$ rkhunter --config-check
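The two commands above form a cycle: --propupd records a baseline of important files, and --check later compares the current files against that baseline and warns on any change. The script below is an added example, not rkhunter's own code, that models that file-properties test in POSIX shell: it records a SHA-256 hash, mode and owner per file, then re-checks them and reports what drifted. It assumes GNU coreutils (sha256sum, stat -c) and builds its own sample files in a temporary directory, so it runs without rkhunter installed.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): a minimal model of what
# "rkhunter --propupd" (record a baseline) and "rkhunter --check"
# (compare against it) do for the file-properties test.
# Assumption: GNU coreutils are available (sha256sum, stat -c).

# propupd DB FILE... : write one "hash mode owner path" line per file.
propupd() {
    db=$1; shift
    : > "$db"
    for f in "$@"; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a %U' "$f")
        printf '%s %s %s\n' "$hash" "$meta" "$f" >> "$db"
    done
}

# propcheck DB : re-hash every recorded file and print a "Warning:" line
# for each file whose hash, mode or owner changed, or that vanished.
# Returns 0 when everything matches, 1 otherwise (a failed check).
propcheck() {
    db=$1
    status=0
    while read -r hash mode owner path; do
        if [ ! -e "$path" ]; then
            echo "Warning: $path missing"; status=1; continue
        fi
        cur=$(sha256sum "$path" | cut -d' ' -f1)
        curmeta=$(stat -c '%a %U' "$path")
        if [ "$cur" != "$hash" ]; then
            echo "Warning: $path hash changed"; status=1
        elif [ "$curmeta" != "$mode $owner" ]; then
            echo "Warning: $path mode/owner changed"; status=1
        fi
    done < "$db"
    return $status
}

# demo : constructed sample files in a temporary directory; the first
# check is clean, the second fires after one file is modified.
demo() {
    d=$(mktemp -d)
    printf 'constructed sample binary content\n' > "$d/ls"
    printf '#!/bin/sh\necho constructed sample script\n' > "$d/ldd"
    propupd "$d/rkhunter.dat" "$d/ls" "$d/ldd"
    echo "first check (expected clean):"
    propcheck "$d/rkhunter.dat" && echo "  OK"
    printf 'tampered\n' >> "$d/ls"
    echo "second check after modifying ls (expected warning):"
    propcheck "$d/rkhunter.dat" || echo "  check failed as expected"
    rm -rf "$d"
}

demo
```

The baseline is only as trustworthy as the system was when --propupd ran, which is why the page has you run it right after installation and again only after deliberate changes such as package upgrades.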

Troubleshooting

False positives

Out of the box, RKH will report some false warnings during the file properties check, because a few of the core utilities are shell scripts rather than compiled binaries. These warnings can be silenced by whitelisting the affected files.

/etc/rkhunter.conf
SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/ldd
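The warning exists because the file-properties check expects those paths to hold compiled binaries and finds a file that starts with a "#!" interpreter line instead; a SCRIPTWHITELIST entry tells RKH that this is expected. The script below is an added example, not rkhunter's own code, that reproduces that logic: it classifies files by their first two bytes, reports scripts that are not whitelisted, and emits the SCRIPTWHITELIST lines for a config fragment like the one above. It assumes head -c and grep -F are available and uses constructed sample files in a temporary directory rather than the real /usr/bin.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): why the file-properties check
# flags script-based core utilities, and how a SCRIPTWHITELIST entry
# silences that warning. Assumption: "head -c" and "grep -F" exist.

# is_script PATH : succeed when the file begins with "#!", i.e. a script
# is installed where a compiled binary is expected.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# whitelisted PATH CONF : succeed when CONF contains an exact
# "SCRIPTWHITELIST=PATH" line (fixed-string, whole-line match).
whitelisted() {
    grep -qxF "SCRIPTWHITELIST=$1" "$2"
}

# script_warnings CONF FILE... : print a warning for every file that is a
# script and not whitelisted; return 0 if none, 1 otherwise.
script_warnings() {
    conf=$1; shift
    status=0
    for f in "$@"; do
        if is_script "$f" && ! whitelisted "$f" "$conf"; then
            echo "Warning: $f is a script but a binary was expected"
            status=1
        fi
    done
    return $status
}

# suggest_whitelist FILE... : print the SCRIPTWHITELIST= lines that would
# whitelist every script among the given files (review before appending).
suggest_whitelist() {
    for f in "$@"; do
        if is_script "$f"; then
            echo "SCRIPTWHITELIST=$f"
        fi
    done
}

# demo : constructed stand-ins for /usr/bin/ls (binary-like) and
# /usr/bin/ldd (script), plus an initially empty configuration file.
demo() {
    d=$(mktemp -d)
    printf '\177ELF constructed sample binary\n' > "$d/ls"
    printf '#!/bin/sh\necho constructed sample script\n' > "$d/ldd"
    : > "$d/rkhunter.conf"
    echo "before whitelisting:"
    script_warnings "$d/rkhunter.conf" "$d/ls" "$d/ldd" || true
    suggest_whitelist "$d/ls" "$d/ldd" >> "$d/rkhunter.conf"
    echo "after appending suggested entries to rkhunter.conf:"
    script_warnings "$d/rkhunter.conf" "$d/ls" "$d/ldd" && echo "  clean"
    rm -rf "$d"
}

demo
```

Only whitelist a path after confirming that the script is the legitimate one shipped by its package (for example by comparing it against the package manager's file list); a whitelist entry added blindly would also hide a binary that an intruder replaced with a script.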

See also

External documentation

Related Wikipedia pages