Docs/SysAdmin/Security/rkhunter
From Mandriva
http://rkhunter.sourceforge.net is the home of rkhunter.
A recent rpm package of rkhunter is usually available in 'contrib', but the above site has the latest versions as a tarball.
Some tips for using rkhunter:
- There is an FAQ at: http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034
- rkhunter --help covers all the options available.
- When you run rkhunter as a cron job (1), make sure it runs before logrotate, and rotate the log daily (2). rkhunter overwrites its log on every run instead of appending to it, so without daily rotation you would only ever have the most recent run's log.
- From rkhunter 1.3.0 on this is addressed: rkhunter can append to the previous log when run with the --append-log option. As of 12 December 2006 that version had not been released; it was available for testing as a CVS tarball at http://rkhunter.sourceforge.net/rkhunter-CVS.tar.gz
- Keep the rkhunter database up to date by running rkhunter --update regularly. With rkhunter --versioncheck you can verify whether you have the latest version of the program.
If you see the following warnings:
Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!
this means that you are not running one of the stable Mandriva Linux releases that the standard rkhunter supports.
In that case go to the site linked at the top and download the file hashupd.sh. Running it adds the Mandriva release you are using to the local database and stores hashes of the system binaries for future checks. Only do this when you are sure the binaries have not been tampered with, for example on a fresh installation before it is exposed to the network: whatever is on disk when the hashes are taken is what rkhunter will treat as clean from then on.
(In the near future, as I understood from the rkhunter users mailing list, this routine will be added to the rkhunter package.)
When you run rkhunter after this, the warnings are gone and the MD5 sums are checked.
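The mechanism hashupd.sh relies on, as an added example that is not the page's script and not rkhunter code: take an MD5 baseline of a list of binaries once, then compare every later run against it and report anything that changed or went missing. This is also why the baseline must only be taken on a known-clean system, since the baseline is the definition of "clean" from then on. The baseline file name, the one-path-per-line list format and the stand-in files that demo() creates in a temporary directory are assumptions made here so the script runs offline; on a real host the list would name the system binaries themselves.

```shell
#!/bin/sh
# Added example for this page; it is not hashupd.sh and not part of rkhunter.
# It shows the mechanism hashupd.sh relies on: take an MD5 baseline of the
# system binaries once, on a system known to be clean, then compare every
# later run against that baseline and report anything that changed.
#
# Assumptions (not from the page): the baseline file name, the binary list
# format (one path per line) and the stand-in "binaries" created under a
# temporary directory by demo(), so the script runs offline without reading
# or writing anything under /bin or /sbin.

# Print one "md5sum  path" line per file in the list, in list order.
# A missing file is reported as MISSING rather than skipped: a binary that
# disappears or gets renamed is as suspicious as one whose contents change.
compute_sums() {
    # $1 = file containing one path per line
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -f "$path" ]; then
            md5sum "$path"
        else
            printf 'MISSING  %s\n' "$path"
        fi
    done < "$1"
}

# Record the baseline. Do this only when you are certain the binaries are
# untouched (for instance on a fresh install before it goes on the network):
# whatever is on disk at this moment becomes the definition of "clean".
create_baseline() {
    # $1 = binary list, $2 = baseline file to write
    compute_sums "$1" > "$2"
}

# Compare the current sums with the baseline. Prints the changed, missing
# or new entries and returns 0 if everything matches, 1 if anything differs.
check_baseline() {
    # $1 = binary list, $2 = baseline file
    tmp=$(mktemp) || return 2
    compute_sums "$1" > "$tmp"
    if diff -u "$2" "$tmp" > "$tmp.diff"; then
        rc=0
    else
        rc=1
        # Show only the changed entries, not the ---/+++ headers.
        grep '^[-+][^-+]' "$tmp.diff"
    fi
    rm -f "$tmp" "$tmp.diff"
    return "$rc"
}

# Demonstration on constructed files standing in for real binaries.
# Returns 0 when the clean check passes and the tampered check fails.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/bin"
    printf 'stand-in for ls\n'      > "$work/bin/ls"
    printf 'stand-in for ps\n'      > "$work/bin/ps"
    printf 'stand-in for netstat\n' > "$work/bin/netstat"
    printf '%s\n' "$work/bin/ls" "$work/bin/ps" "$work/bin/netstat" > "$work/binlist"

    create_baseline "$work/binlist" "$work/baseline.md5"
    if check_baseline "$work/binlist" "$work/baseline.md5"; then clean_rc=0; else clean_rc=$?; fi

    # Simulate what a rootkit leaves behind: a replaced ps and a removed netstat.
    printf 'trojaned ps\n' > "$work/bin/ps"
    rm -f "$work/bin/netstat"
    if check_baseline "$work/binlist" "$work/baseline.md5"; then dirty_rc=0; else dirty_rc=$?; fi

    rm -rf "$work"
    echo "clean check: $clean_rc, after tampering: $dirty_rc"
    [ "$clean_rc" -eq 0 ] && [ "$dirty_rc" -eq 1 ]
}

demo
```

Run it with sh; demo prints the status of the clean check (0) and of the check after tampering (1), with the changed entries listed in between. MD5 is what rkhunter used at the time this page was written; a checker written today would use SHA-256, but the baseline discipline is the same.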
1) An example of the command that can be added to your /etc/crontab is:
50 23 * * * root /usr/local/bin/rkhunter -c --cronjob --createlogfile
The easiest way to add it is via KCron or Webmin.
2) An example of how to rotate rkhunter.log daily is to add these lines to your /etc/logrotate.conf:
/var/log/rkhunter.log {
    daily
    rotate 21
}
which keeps your logs for up to 3 weeks, one file per day.