Docs/SysAdmin/Security/rkhunter

From Mandriva Community Wiki

Jump to: navigation, search


Rootkit Hunter is a tool for detecting whether a rootkit has been installed onto your system. Rootkits are sets of scripts installed by crackers onto compromised machines allowing them to be easily controlled remotely while attempting to hide this from the system's legitimate administrator.

The latest versions also offer a database that needs to be established on a clean install and then can check changes in properties similar to tripwire or other intrusion database systems.

A package for rkhunter is usually available in the contrib repository for your release of Mandriva Linux. See Installing and removing software for information on adding repositories and installing packages. If you require a later version of rkhunter, you can download and compile the source code from the above site: see Installing from source for instructions on this.

Some tips for using rkhunter:

  • man rkhunter
  • Read the FAQ!
  • rkhunter --help covers all the options available.
  • Keep your rkhunter database up to date by running rkhunter --update every now and then. Also, with rkhunter --versioncheck, you can verify whether or not you have the latest version of the program.

If you see the following error appear:

Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

this means that you don't have the most recent edition of RKH. The latest now uses a clean install and then you run command rkhunter --propupd to create a database and it is that new database that is compared to your next run's system files etc...to look for changes.

1) An example of the command that can be added to your /etc/crontab is:

50 23 * * * root /usr/local/bin/rkhunter -c --cronjob --createlogfile

The easiest way to add it is via KCron or Webmin.

2) An example on how to logrotate your rkhunter.log on a daily basis is to add these lines to your /etc/logrotate.conf:

/var/log/rkhunter.log {
daily
rotate 21
}

which will keep your logs for up to 3 weeks in separate logs per day.

Please make sure to not make a cronjob that runs concurrently with other rpm checking jobs (scripts) for example msec

Personal tools