Security automation with rkhunter
Command Line – rkhunter

© Lead Image © Kamirika, photocase.com
The Rootkit Hunter script efficiently checks for malware, with the potential to detect over 240 rootkits.
Rootkit Hunter, or rkhunter, detects over 240 rootkits – pieces of malware designed to gain control of a system. However, while testing for rootkits may be rkhunter's main purpose, it is far from the only one. You can see the list of the names of the various tests run by the script by entering rkhunter --list
(Figure 1) [1]. Mostly, the tests' names are self-explanatory. They include checks not only for rootkits, but also changed or deleted libraries and commands, hidden ports, loaded kernel modules, and several dozen other aspects of a system besides.
Rkhunter is written for generic Unix systems with a Bourne-type shell, such as Bash or ksh. Since its tests depend on online databases, it also requires an Internet connection. It is available in major Linux distributions and can be run from the command line, or as a cron job. Note that some distributions, such as Debian and its derivatives, may not install some of the Perl packages needed for a few of the tests. You can see what functionality may be missing by running rkhunter --list
(Figure 2) and will then have to figure out which packages support the missing functionality. These packages, of course, may have different names depending on your distribution.
Setup and Configuration
If you install rkhunter from outside your distro's standard repositories, you can make sure that you always have the latest version by running rkhunter --versioncheck
to help ensure your system's security. With most commands, I would always recommend that you not run the repository version, but rkhunter is so slow to release that in many cases the latest version is contained in a distro's repository (see below). Currently, for example, even Debian, whose software versions often lag behind those of other distributions, has the latest rkhunter release in its official release.
No matter what your installation source, before running rkhunter for the first time, you need to run rkhunter --propupd
to ensure that the command's databases are up to date (Figure 3). You should also run --propupd
whenever the system is updated. Otherwise, the log will contain false positives that will only waste your time. You can automate the updating of the databases by adding:
APT_AUTOGEN="yes"
to
/etc/default/rkhunter
You may also want to configure /etc/rkhunter.conf
for your system. The field MAIL-ON-WARNING ="EMAIL"
can be modified to send a list of warnings to the address of your choice. You may also want to whitelist some common false positives by removing the #
to uncomment these lines:
#ALLOWHIDDENDIR=/dev/.udev #ALLOWHIDDENDIR=/dev/.static #ALLOWHIDDENDIR=/dev/.initramfs
After the first time you run rkhunter, additional whitelists (Figure 4) can be defined by adding the field SCRIPTWHITELIST="FILE,FILE"
so that false positives are not flagged when the command is run. After any changes to rkhunter.conf
, in some distros you can run rkhunter -C
to check for any errors.
Running the Tests
If you install rkhunter from a distribution's repository, it can be run as soon as it is installed, although whitelisted files will be logged. If you install from an outside source, however, configure the command as described above. In either case, to run the command, enter rkhunter --check
(-c
) (Figure 5). Rkhunter will begin to run its tests, although at several stages it will pause until you press the Enter key. As it runs, it may flag warnings, ranging from whitelists (files that list acceptable files) to unusually large files. A running summary of results displays (Figure 6) as tests are done, although they may scroll too quickly to be easily read at some stages. Not to worry – you will want to study /var/log/rkhunter
anyway (Figure 7). Some of the warnings may be false positives; for example, Firefox often has a larger than usual configuration file (Figure 8). Take your time with the logfile, and make a list of any problems that you need to research to learn how to address.

This basic sequence can be modified with options, some of which have a long and a short form, and some which have only a long form. To start with, you can use --disable
or --enable
to select the tests to run in comma-separated lists (use the --list
option to see which tests are available). Since the next step after running rkhunter is to examine the log, you can also use --display-logfile
to show the log immediately after the completion of the command. Similarly, --skip-keypress
(-sk
) omits the pauses in the running of the command where you need to press the Enter key to continue. In addition, you can also suppress default features with commands like --nocolors
and --nolog
or set the directories to use with options like configfile FILE
or tmpdir FILE
.
Running as a Cron Job
Rkhunter can be automated even more by setting it to run as a cron job. The cron job is best run with MAIL-ON-WARNING
set in /etc/rkhunter.conf
. Since rkhunter must be run as root, use the root account's crontab. Before beginning, use crontab -l
to see if root already has a crontab, and, if so, back it up before beginning.
To add rkhunter to the crontab, enter crontab -e
while logged in as root, and, if this is your first time editing it, choose a text editor to use. There are many ways to enter times and dates with crontab, but the easiest is to enter the minutes and hours using a 24 hour clock, followed by the command. For example, if you want to run rkhunter at 3am, when you are not using your computer, the cron job entry would look like this:
The three asterisks indicate unused fields. The --cronjob
option runs rkhunter without colors and without pausing, while the --update
option updates the databases and --quiet
runs the command without output. MAIL-ON-WARNING
sets email notifications, and you can check the log later.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
News
-
An All-Snap Version of Ubuntu is In The Works
Along with the standard deb version of the open-source operating system, Canonical will release an-all snap version.
-
Mageia 9 Beta 2 Ready for Testing
The latest beta of the popular Mageia distribution now includes the latest kernel and plenty of updated applications.
-
KDE Plasma 6 Looks to Bring Basic HDR Support
The KWin piece of KDE Plasma now has HDR support and color management geared for the 6.0 release.
-
Bodhi Linux 7.0 Beta Ready for Testing
The latest iteration of the Bohdi Linux distribution is now available for those who want to experience what's in store and for testing purposes.
-
Changes Coming to Ubuntu PPA Usage
The way you manage Personal Package Archives will be changing with the release of Ubuntu 23.10.
-
AlmaLinux 9.2 Now Available for Download
AlmaLinux has been released and provides a free alternative to upstream Red Hat Enterprise Linux.
-
An Immutable Version of Fedora Is Under Consideration
For anyone who's a fan of using immutable versions of Linux, the Fedora team is currently considering adding a new spin called Fedora Onyx.
-
New Release of Br OS Includes ChatGPT Integration
Br OS 23.04 is now available and is geared specifically toward web content creation.
-
Command-Line Only Peropesis 2.1 Available Now
The latest iteration of Peropesis has been released with plenty of updates and introduces new software development tools.
-
TUXEDO Computers Announces InfinityBook Pro 14
With the new generation of their popular InfinityBook Pro 14, TUXEDO upgrades its ultra-mobile, powerful business laptop with some impressive specs.