rkhunter(8)                 System Manager's Manual                rkhunter(8)


NAME

       rkhunter - RootKit Hunter


SYNOPSIS

       rkhunter {--check | --unlock | --update | --versioncheck |
                 --propupd [{filename | directory | package name},...] |
                 --list [tests | {lang | languages} | rootkits | perl |
                         propfiles] |
                 --config-check | --version | --help} [options]



DESCRIPTION

       rkhunter is a shell script which carries out various checks on the
       local system to try and detect known rootkits and malware. It also
       performs checks to see if commands have been modified, if the system
       startup files have been modified, and various checks on the network
       interfaces, including checks for listening applications.

       rkhunter has been written to be as generic as possible, and so should
       run on most Linux and UNIX systems. It is provided with some support
       scripts should certain commands be missing from the system, and some of
       these are perl scripts. rkhunter does require certain commands to be
       present for it to be able to execute. Additionally, some tests require
       specific commands, but if these are not present then the test will be
       skipped. rkhunter needs to be run under a Bourne-type shell, typically
       bash or ksh. rkhunter can be run as a cron job or from the
       command-line.



COMMAND OPTIONS

       If no command option is given, then --help is assumed. rkhunter will
       return a non-zero exit code if any error or warning occurs.


       -c, --check
              This command option tells rkhunter to perform various checks on
              the local system. The result of each test will be displayed on
              stdout. If anything suspicious is found, then a warning will be
              displayed. A log file of the tests and the results will be
              automatically produced.

              It is suggested that this command option is run regularly in
              order to ensure that the system has not been compromised.


       --unlock
              This command option simply unlocks (removes) the lock file. If
              this option is used on its own, then no log file is created.


       --update
              This command option causes rkhunter to check if there is a later
              version of any of its text data files. A command-line web
              browser, for example wget or lynx, must be present on the system
              when using this option.

              It is suggested that this command option is run regularly in
              order to ensure that the data files are kept up to date.

              If this option is used via cron, then it is recommended that the
              --nocolors option is also used.

              An exit code of zero for this command option means that no
              updates were available. An exit code of one means that a
              download error occurred, and a code of two means that no error
              occurred but updates were available and have been installed.


       --propupd [{filename | directory | package name},...]
              One of the checks rkhunter performs is to compare various
              current file properties of various commands, against those it
              has previously stored. This command option causes rkhunter to
              update its data file of stored values with the current values.

              If the filename option is used, then it must either be a full
              pathname, or a plain file name (for example, 'awk'). When used,
              then only the entry in the file properties database for that
              file will be updated. If the directory option is used, then only
              those files listed in the database that are in the given
              directory will be updated. Similarly, if the package name option
              is used, then only those files in the database which are part of
              the specified package will be updated. The package name must be
              the base part of the name, no version numbers should be included
              - for example, 'coreutils'. Package names will, of course, only
              be stored in the file properties database if a package manager
              is being used. If a package name is the same as a file name -
              for example, 'file' could refer to the 'file' command or to the
              RPM 'file' package (which contains the 'file' command) - the
              package name will be used. If no specific option is given, then
              the entire database is updated.

              WARNING: It is the user's responsibility to ensure that the files
              on the system are genuine and from a reliable source. rkhunter
              can only report if a file has changed, but not on what has
              caused the change. Hence, if a file has changed, and the
              --propupd command option is used, then rkhunter will assume that
              the file is genuine.


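       As an added example (not part of rkhunter or its documentation), the
       following wrapper honours the warning above: it only re-baselines a
       file with --propupd when the package manager still vouches for that
       file. It assumes an RPM-based system where rpm -Vf is available and
       rkhunter is on PATH; both are overridable through the RKHUNTER and
       PKG_VERIFY variables, which are assumptions of this example.

```shell
#!/bin/sh
# Guarded --propupd: refuse to store new file properties for a file unless
# the package manager confirms the on-disk copy still matches what the
# package shipped. Added example, not part of rkhunter. Assumes an RPM-based
# host (rpm -Vf) and rkhunter on PATH; override both variables to test.
: "${RKHUNTER:=rkhunter}"
: "${PKG_VERIFY:=rpm_verify_file}"

# Verify one file against its owning RPM package.
# Returns 0 if rpm reports no mismatch for this path, 1 if it does, and 2 if
# no package owns the file (so there is nothing to verify against).
rpm_verify_file() {
    path=$1
    # rpm -Vf exits non-zero when the file is unowned or when any file in
    # the owning package fails verification; only lines naming our path
    # matter here, so capture the output instead of trusting the status.
    if out=$(rpm -Vf "$path" 2>&1); then
        return 0
    fi
    case $out in
        *"not owned by any package"*) return 2 ;;
    esac
    # rpm -V lines end with the path; paths containing regex metacharacters
    # would need escaping before this grep.
    if printf '%s\n' "$out" | grep -q " $path\$"; then
        return 1
    fi
    return 0
}

# Update the stored properties for one file only after verification passes.
guarded_propupd() {
    file=$1
    if "$PKG_VERIFY" "$file"; then
        "$RKHUNTER" --propupd "$file"
    else
        echo "refusing --propupd for $file: package manager does not vouch for it" >&2
        return 1
    fi
}

# Usage: guarded-propupd.sh /bin/ls /usr/bin/awk ...
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        guarded_propupd "$f" || status=1
    done
    exit "$status"
fi
```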
       --versioncheck
              This command option causes rkhunter to check if there is a later
              version of the program. A command-line web browser must be
              present on the system when using this option.

              If this option is used via cron, then it is recommended that the
              --nocolors option is also used.

              An exit code of zero for this command option means that no new
              version was available. An exit code of one means that an error
              occurred downloading the latest version number, and a code of
              two means that no error occurred but a new version is available.


       --list [tests | {lang | languages} | rootkits | perl | propfiles]
              This command option will list some of the supported capabilities
              of the program, and then exit. The tests option lists the
              currently available test names (see the README file for more
              details about test names). The languages option lists the
              currently available languages, and the rootkits option lists the
              rootkits that are searched for by rkhunter. The perl option
              lists the installation status of the perl command and perl
              modules that may be used by some of the tests. Note that it is
              not required to install these modules. However, if rkhunter is
              forced to use perl to execute a test then the module must be
              present. The propfiles option will list the file names that are
              used to generate the file properties database. If no specific
              option is given, then all the lists, except for the file
              properties database, are displayed.


       -C, --config-check
              This command option causes rkhunter to check its configuration
              file(s), and then exit. The program will run through its normal
              configuration checks as specified by the enable and disable
              options on the command-line and in the configuration files. That
              is, only the configuration options for tests which would
              normally run are checked. In order to check all the configured
              options, then use the --enable all --disable none options on the
              command line. Additionally, the program will check to see if
              there are any unrecognised configuration options. If any
              configuration problems are found, then they will be displayed
              and the return code will be set to 1.

              It is suggested that this option is used whenever the
              configuration file(s) have been changed.


       -V, --version
              This command option causes rkhunter to display its version
              number, and then exit.


       -h, --help
              This command option displays the help screen menu, and then
              exits.



OPTIONS

       rkhunter uses a configuration file, named rkhunter.conf, for many of
       its configuration options. It can also use a local configuration file,
       named rkhunter.conf.local, and a directory named rkhunter.d if it is
       present. Both the local configuration file, and the local directory,
       must be in the same directory as the main configuration file. The
       installer does not create the local file or directory, but one, or
       both, can be created by the user if required. If a directory is used,
       then within the directory any file ending in .conf will be treated as
       a local configuration file.

       Some options can also be specified on the command-line, and these will
       override the equivalent configuration file options. The configuration
       file options are well documented within the main configuration file
       itself. The following are the command-line options. The defaults
       mentioned here are the program defaults, unless explicitly stated as
       the configuration file default.


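       An added example (not rkhunter's own code) that applies the lookup
       rule above together with the --config-check command option: for a
       given main configuration file it lists every file rkhunter would
       read, then validates all of them with --enable all --disable none so
       that every configured option is checked. That the local file is
       always named rkhunter.conf.local, and the RKHUNTER variable used to
       locate the binary, are assumptions of this example.

```shell
#!/bin/sh
# List every configuration file rkhunter would read for a given main file,
# then validate them with --config-check. Added example, not part of
# rkhunter. Assumes the local file is always named rkhunter.conf.local and
# that rkhunter is on PATH (override RKHUNTER to test without it).
: "${RKHUNTER:=rkhunter}"

# Print, one per line, the files rkhunter loads: the main file, the optional
# rkhunter.conf.local beside it, and every *.conf inside rkhunter.d beside it.
# Files in rkhunter.d with any other suffix are ignored, as rkhunter does.
rkhunter_conf_files() {
    main=$1
    dir=$(dirname "$main")
    if [ ! -f "$main" ]; then
        echo "main configuration file not found: $main" >&2
        return 1
    fi
    echo "$main"
    if [ -f "$dir/rkhunter.conf.local" ]; then
        echo "$dir/rkhunter.conf.local"
    fi
    if [ -d "$dir/rkhunter.d" ]; then
        for f in "$dir/rkhunter.d"/*.conf; do
            # an unmatched glob stays literal, so skip non-existent names
            [ -f "$f" ] && echo "$f"
        done
    fi
    return 0
}

# Validate the whole configuration. --enable all --disable none makes
# rkhunter check the options of every test, not only those that would run;
# rkhunter exits 1 if it finds a problem or an unrecognised option.
check_config() {
    main=$1
    "$RKHUNTER" --config-check --configfile "$main" --enable all --disable none
}

# Usage: rkhunter-conf-audit.sh /etc/rkhunter.conf
if [ "$#" -gt 0 ]; then
    echo "configuration files that will be read:"
    rkhunter_conf_files "$1" && check_config "$1"
fi
```

       Reviewing the printed list is also a quick way to confirm that no
       unexpected drop-in file in rkhunter.d is altering what the checks
       cover.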
       --appendlog
              By default a new log file will be created when rkhunter runs,
              and the previous log file will be renamed by having .old
              appended to its name. This option tells rkhunter to append to
              the existing log file. If the log file does not exist, then it
              will be created.


       --bindir <directory>...
              This option modifies which directories rkhunter looks in to find
              the various commands it requires (that is, its PATH). The
              default is the root PATH, and an internal list of some common
              command directories. By default a specified directory will be
              appended to the default list. However, if the directory name
              begins with the '+' character, then it will be prepended to the
              list (that is, it will be put at the start of the list).


       --cs2, --color-set2
              By default rkhunter will display its test results in color. The
              colors used are green for successful tests, red for failed tests
              (warnings), and yellow for skipped tests. These colors are
              visible when a black background is used, but are difficult to
              see on a white background. This option tells rkhunter to use a
              different color set which is more suited to a white background.


       --configfile <file>
              The installation process will automatically tell rkhunter where
              its configuration file is located. However, if necessary, this
              option can be used to specify a different pathname.

              If a local configuration file, or directory, is to be used, then
              it must reside in the same directory as the configuration file
              specified by this option.


       --cronjob
              This is similar to the --check command option, but it disables
              several of the interactive options. When this option is used
              --check, --nocolors and --skip-keypress are assumed. By default
              no output is sent to stdout, so the --report-warnings-only
              option may be useful with this option.

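       As an added example (not rkhunter's own code), a cron wrapper that
       combines the --update and --cronjob points above: it runs --update
       with --nocolors, acts on the documented exit codes (0 no updates, 1
       download error, 2 updates installed), then runs the checks with
       --cronjob --report-warnings-only and passes rkhunter's non-zero
       status on so the job is flagged whenever a warning occurs. It assumes
       rkhunter is on PATH; the RKHUNTER variable and the script path in the
       cron line are assumptions of this example.

```shell
#!/bin/sh
# Nightly rkhunter job for cron: refresh the data files, interpret the
# documented --update exit codes, then run the checks non-interactively.
# Added example, not part of rkhunter. Assumes rkhunter is on PATH; set
# RKHUNTER to another command to exercise the functions without it.
: "${RKHUNTER:=rkhunter}"

# Map the --update (and --versioncheck) exit code to a word for the job log:
# 0 = nothing new, 1 = download error, 2 = something new was available.
update_status() {
    case $1 in
        0) echo none ;;
        1) echo error ;;
        2) echo installed ;;
        *) echo "unknown($1)" ;;
    esac
}

# Run --update with --nocolors, as recommended under cron, and capture its
# exit code without tripping 'set -e' (a failing command in an 'if' test
# does not abort the script).
run_update() {
    if "$RKHUNTER" --update --nocolors >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    update_status "$rc"
}

# Run the checks. --cronjob implies --check, --nocolors and --skip-keypress;
# --report-warnings-only keeps the cron mail down to the warnings themselves.
# rkhunter exits non-zero on any warning or error, which is passed through.
run_checks() {
    "$RKHUNTER" --cronjob --report-warnings-only && return 0
    rc=$?
    echo "rkhunter exited $rc: review the log file (default /var/log/rkhunter.log)" >&2
    return "$rc"
}

nightly_job() {
    status=$(run_update)
    echo "rkhunter data files: $status"
    if [ "$status" = error ]; then
        echo "data file update failed; checking with the existing files" >&2
    fi
    run_checks
}

# Run the job only when asked, so the file can also be sourced for its
# functions. Assumed cron entry:
#   0 3 * * * /usr/local/sbin/rkhunter-nightly.sh --run
if [ "${1:-}" = --run ]; then
    nightly_job
fi
```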

       --dbdir <directory>
              The installation process will automatically configure where the
              data files are stored for rkhunter. However, if necessary, this
              option can be used to specify a different directory. The
              directory can be read-only, after installation, provided that
              neither of the --update or --propupd options are specified, and
              that the --versioncheck option is not specified if
              ROTATE_MIRRORS is set to 1 in the configuration file.


       --debug
              This is a special option mainly for the developers. It produces
              no output on stdout. Regular logging will continue as per
              default or as specified by the --logfile option, and the debug
              output will be in a randomly generated filename which starts
              with /tmp/rkhunter-debug.


       --disable <test>[,<test>...]
              This option tells rkhunter not to run the specified tests. Read
              the README file for more information about test names. By
              default no tests are disabled.


       --display-logfile
              This option will cause the logfile to be displayed on the screen
              once rkhunter has finished.


       --enable <test>[,<test>...]
              This option tells rkhunter to only run the specified tests. If
              only one test name, other than all, is given, then the
              --skip-keypress option is assumed. Read the README file for more
              information about test names. By default all tests are enabled.
              All the test names are listed below under TESTS.


       --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
               NONE | <command>}
              Both the file properties check and the --propupd command option
              will use a hash function to determine a file's current hash
              value. This option tells rkhunter which hash function to use.
              The MD5 and SHA options will look for the relevant command, and,
              if not found, a perl support script will then be used to see if
              a perl module supporting the function has been installed.
              Alternatively, a specific command may be specified. A value of
              NONE can be used to indicate that the hash values should not be
              obtained or used as part of the file properties check. The
              default is SHA256.

              Systems using prelinking must use either MD5, SHA1 or NONE.


       --lang, --language <language>
              This option specifies which language to use for the displayed
              tests and results. The currently supported languages can be
              seen by the --list command option. The default is en (English).
              If a message to be displayed cannot be found in the language
              file, then the English version will be used. As such, the
              English language file must always be present. The --update
              command option will update the language files when new versions
              are available.


       -l, --logfile [file]
              By default rkhunter will write out a log file. The default
              location of the file is /var/log/rkhunter.log. However, this
              location can be changed by using this option. If /dev/null is
              specified as the log file, then no log file will be written. If
              no specific file is given, then the default will be used. By
              default rkhunter will create a new log file each time it is run.
              Any previously existing logfile is moved out of the way, and has
              .old appended to it.


       --noappend-log
              This option reverts rkhunter to its default behaviour of
              creating a new log file rather than appending to it.


       --nocf
              This option is only valid when the command-line --disable option
              is used. When the --disable option is used, by default, the
              configuration file option to disable tests is also used to
              determine which tests to run. If only the --disable option is to
              be used to determine which tests to run, then --nocf must be
              given.


       --nocolors
              This option causes the result of each test to not be displayed
              in a specific color. The default color, usually the reverse of
              the background color, will be used (typically this is just black
              and white).


       --nolog
              This option tells rkhunter not to write anything to a log file.


       --nomow, --no-mail-on-warning
              The configuration file has an option which will cause a simple
              email message to be sent to a user should rkhunter detect any
              warnings during system checks. This command-line option
              overrides the configuration file option, and prevents an email
              message from being sent. The configuration file default is not
              to email a message.


       --ns, --nosummary
              When the --check command option is used, by default a short
              summary of results is displayed at the end. This option prevents
              the summary from being displayed.


       --novl, --no-verbose-logging
              During some tests rkhunter will log a lot of information. Use of
              this option reduces the amount of logging, and so can improve
              the performance of rkhunter. However, the log file will contain
              less information should any warnings occur. By default verbose
              logging is enabled.


       --pkgmgr {RPM | DPKG | BSD | BSDng | SOLARIS | NONE}
              This option is used during the file properties check or when the
              --propupd command option is given. It tells rkhunter that the
              current file property values should be obtained from the
              relevant package manager. See the README file for more details
              of this option. The default is NONE, which means not to use a
              package manager.


       -q, --quiet
              This option tells rkhunter not to display any output. It can be
              useful when only the exit code is going to be checked. Other
              options may be used with this one, to force only specific items
              to be displayed.


       --rwo, --report-warnings-only
              This option causes only warning messages to be displayed. This
              can be useful when rkhunter is run via cron. Other options may
              be used to force other items of information to be displayed.


       --sk, --skip-keypress
              When the --check command option is used, after certain sections
              of tests, the user will be prompted to press the return key in
              order to continue. This option disables that feature, and
              rkhunter will run until all the tests have completed.

              If this option has not been given, and the user is prompted to
              press the return key, a single 's' character, in upper- or
              lowercase, may be given followed by the return key. rkhunter
              will then continue the tests without prompting the user again
              (as if this option had been given).


       --summary
              This option will cause the summary of test results to be
              displayed. This is the default.


       --syslog [facility.priority]
              When the --check command option is used, this option will cause
              the start and finish times to be logged to syslog. The default
              is not to log anything to syslog, but if the option is used,
              then the default level is authpriv.notice.


       --tmpdir <directory>
              The installation process will automatically configure where
              temporary files are to be created. However, if necessary, this
              option can be used to specify a different directory. The
              directory must not be a symbolic link, and must be secure (root
              access only).


       --vl, --verbose-logging
              This option tells rkhunter that when it runs some tests, it
              should log as much information as possible. This can be useful
              when trying to diagnose why a warning has occurred, but it
              obviously also takes more time. The default is to use verbose
              logging.


       -x, --autox
              When this option is used, rkhunter will try and detect if the X
              Window system is in use. If it is in use, then the second color
              set will automatically be used (see the --color-set2 option).
              This allows rkhunter to be run on, for example, a server console
              (where X is not present, so the default color set should be
              used), and on a user's terminal (where X is in use, so the
              second color set should be used). In both cases rkhunter will
              use the correct color set. The configuration file default is to
              try and detect X.


       -X, --no-autox
              This option prevents rkhunter from automatically detecting if
              the X Window system is being used. See the --autox option.




TESTS

       [This section to be written]


       additional_rkts
              This test is for SHORT_EXPLANATION. It works as part of GROUP.
              Corresponding configuration file entries: ONE=one, TWO=two and
              for white-listing THREE=three,three. Simple globbing
              (/dev/shm/file-*) works.



       all

       apps

       attributes

       avail_modules

       deleted_files

       filesystem

       group_accounts

       group_changes

       hashes

       hidden_ports

       hidden_procs

       immutable

       known_rkts

       loaded_modules

       local_host

       malware

       network

       none

       os_specific

       other_malware

       packet_cap_apps

       passwd_changes

       ports

       possible_rkt_files

       possible_rkt_strings

       promisc

       properties

       rootkits

       running_procs

       scripts

       shared_libs

       shared_libs_path

       startup_files

       startup_malware

       strings

       suspscan

       system_commands

       system_configs

       trojans




FILES

       (For a default installation)
       /etc/rkhunter.conf
       /var/log/rkhunter.log



SEE ALSO

       See the CHANGELOG file for recent changes.
       The README file has information about installing rkhunter, as well as
       specific sections on test names and using package managers.
       The FAQ file should also answer some questions.



LICENSING

       RootKit Hunter is licensed under the GPL, copyright Michael Boelen.
       See the LICENSE file for details of GPL licensing.



CONTACT INFORMATION

       This software was developed by the RootKit Hunter project team. To
       report bugs, patches, comments and questions, please go to:
       http://rkhunter.sourceforge.net/



                                  June 2017                       rkhunter(8)