rkhunter

[Josh Wheeler]

Categories: security

rkhunter is an easy-to-implement rootkit scanner and file property checker: it compares key system binaries against a stored baseline and looks for the signatures, hidden files and suspicious ports of known rootkits. It typically runs from a daily cron job and sends an email notification if it detects anything suspicious.

Install rkhunter

Debian

apt-get update
apt-get install rkhunter

Fedora

dnf install rkhunter

Update definitions and file hashes

--update fetches the latest data files; --propupd records the current properties (hashes, sizes, permissions) of the monitored files as the new baseline. Only run --propupd on a system you trust to be clean, such as a fresh install or right after a package upgrade you performed yourself, otherwise a tampered file becomes the reference it is compared against.

rkhunter --update
rkhunter --propupd

Scan system and display only warnings

rkhunter -c --rwo

Update configuration file

Distro-packaged configurations usually have fairly sane defaults, but they can be further customized to fit the needs of your environment.

Fix false positives

On my system lwp-request needed to be whitelisted (it is a Perl script, so rkhunter's "replaced by a script" check flags it), as did OpenJDK's hidden /etc/.java directory and the port bitlbee listens on.

# /etc/rkhunter.conf
# lwp-request is a legitimate Perl script, so exempt it from the script check
SCRIPTWHITELIST=/usr/bin/lwp-request
...
# OpenJDK keeps its system preferences in a hidden directory
ALLOWHIDDENDIR=/etc/.java
# bitlbee legitimately listens here; format is path:protocol:port
PORT_PATH_WHITELIST="/usr/sbin/bitlbee:TCP:6667"

Another preference I have is to disable root login via ssh (PermitRootLogin no in sshd_config). rkhunter has a matching configuration option, ALLOW_SSH_ROOT_USER, and warns when the sshd setting and the rkhunter setting disagree, so set both to no.

Once the system-specific configuration is done, set MAIL-ON-WARNING to an address or local alias if you wish to be notified of possible issues whenever the /etc/cron.daily/rkhunter job runs.

# /etc/rkhunter.conf
MAIL-ON-WARNING=root

In /etc/aliases, root's mail is redirected to my primary email address. After modifying /etc/aliases, run newaliases to rebuild the alias database, otherwise the change has no effect.
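The scan, whitelist and mail steps above can be tied together for an ad-hoc audit run, for example right after editing the whitelists, as opposed to the packaged daily cron job. The following script is an added example and not part of the original post: it validates the configuration syntax with rkhunter --config-check, runs the check non-interactively (--sk skips the keypress prompts, --nocolors keeps the log clean, --rwo reports warnings only), extracts the distinct Warning lines from the log and mails them to root. The log path /var/log/rkhunter.log, a working local MTA behind the mail command, and the sample log text used by the demo functions are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: rkhunter logs to
# /var/log/rkhunter.log (the Debian default), a local MTA delivers `mail` to
# root, and SAMPLE_LOG below is constructed text, not a captured log.

LOG=/var/log/rkhunter.log

# stdin: rkhunter log or console text. stdout: the distinct "Warning: ..."
# detail lines with any leading "[HH:MM:SS]" timestamp removed, so the same
# warning logged twice collapses to a single line.
rkhunter_warnings() {
    sed -n -e 's/^\[[0-9:]*] *//' -e '/^Warning: /p' | sort -u
}

# stdin as above. stdout: the number of distinct warnings (0 is a valid count,
# so grep's exit status of 1 for "no matches" is deliberately ignored).
count_warnings() {
    rkhunter_warnings | grep -c '^Warning: ' || true
}

# Validate the config, run the check, mail a summary if anything was flagged.
# rkhunter exits non-zero when it raised a warning; that status is passed on
# so a calling job or pipeline can fail on it.
run_audit() {
    rkhunter --config-check || return 2   # refuse to scan with a broken config
    if rkhunter --check --sk --nocolors --rwo; then rc=0; else rc=$?; fi
    n=$(count_warnings < "$LOG")
    if [ "$n" -gt 0 ]; then
        rkhunter_warnings < "$LOG" | mail -s "rkhunter: $n warning(s) on $(hostname)" root
    fi
    return "$rc"
}

# Constructed sample log text (modelled on rkhunter's message style) for the
# demo functions; note the repeated hidden-directory warning.
SAMPLE_LOG='[10:00:01]   Checking for hidden files and directories [ Warning ]
[10:00:01] Warning: Hidden directory found: /etc/.java
[10:00:03] Warning: The command '\''/usr/bin/lwp-request'\'' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[10:00:03] Warning: Hidden directory found: /etc/.java
[10:00:05] Info: Check completed'

demo_warning_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_warnings
}

demo_warning_list() {
    printf '%s\n' "$SAMPLE_LOG" | rkhunter_warnings
}

# Only start a real scan when invoked as "./rkhunter-audit.sh run", so the
# file can be sourced for its functions without side effects.
if [ "${1:-}" = "run" ]; then
    run_audit
fi
```

The parsing works on both the log file and the console output of --rwo, since the sed expression strips the timestamp only when one is present. Whitelisting a path should be the last resort after confirming it is the file your package manager installed (for example with dpkg -S and debsums on Debian), not the first reaction to a warning.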

Configure rkhunter defaults

On Debian, edit /etc/default/rkhunter to set up the daily run, niceness, email, automatic updates and so on. Note that APT_AUTOGEN re-baselines the file properties database after every apt run, which keeps package upgrades from producing a flood of warnings but also means a file changed through the package manager is accepted without question.

# /etc/default/rkhunter
#
# Defaults for rkhunter automatic tasks
# sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter
#
# This is a POSIX shell fragment
#

# Set this to yes to enable rkhunter daily runs
# (default: false)
CRON_DAILY_RUN="yes"

# Set this to yes to enable rkhunter weekly database updates
# (default: false)
CRON_DB_UPDATE="yes"

# Set this to yes to enable reports of weekly database updates
# (default: false)
DB_UPDATE_EMAIL="yes"

# Set this to the email address where reports and run output should be sent
# (default: root)
REPORT_EMAIL="root"

# Set this to yes to enable automatic database updates
# (default: false)
APT_AUTOGEN="yes"

# Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable)
# (default: 0)
NICE="0"

# Should daily check be run when running on battery
# powermgmt-base is required to detect if running on battery or on AC power
# (default: false)
RUN_CHECK_ON_BATTERY="false"