rkhunter(8)                 System Manager's Manual                 rkhunter(8)

NAME
       rkhunter - RootKit Hunter

SYNOPSIS
       rkhunter {--check | --unlock | --update | --versioncheck |
                 --propupd [{filename | directory | package name},...] |
                 --list [tests | {lang | languages} | rootkits | perl] |
                 --config-check | --version | --help} [options]

DESCRIPTION
       rkhunter is a shell script which carries out various checks on the
       local system to try to detect known rootkits and malware. It also
       performs checks to see if commands have been modified, if the system
       startup files have been modified, and various checks on the network
       interfaces, including checks for listening applications.

       rkhunter has been written to be as generic as possible, and so should
       run on most Linux and UNIX systems. It is provided with some support
       scripts should certain commands be missing from the system, and some
       of these are perl scripts. rkhunter does require certain commands to
       be present for it to be able to execute. Additionally, some tests
       require specific commands, but if these are not present then the test
       will be skipped. rkhunter needs to be run under a Bourne-type shell,
       typically bash or ksh. rkhunter can be run as a cron job or from the
       command-line.

COMMAND OPTIONS
       If no command option is given, then --help is assumed. rkhunter will
       return a non-zero exit code if any error or warning occurs.

       -c, --check
              This command option tells rkhunter to perform various checks on
              the local system. The result of each test will be displayed on
              stdout. If anything suspicious is found, then a warning will be
              displayed. A log file of the tests and the results will be
              automatically produced.

              It is suggested that this command option is run regularly in
              order to ensure that the system has not been compromised.

       --unlock
              This command option simply unlocks (removes) the lock file. If
              this option is used on its own, then no log file is created.

       --update
              This command option causes rkhunter to check if there is a
              later version of any of its text data files. A command-line web
              browser, for example wget or lynx, must be present on the
              system when using this option.

              It is suggested that this command option is run regularly in
              order to ensure that the data files are kept up to date.

              If this option is used via cron, then it is recommended that
              the --nocolors option is also used.

              An exit code of zero for this command option means that no
              updates were available. An exit code of one means that a
              download error occurred, and a code of two means that no error
              occurred but updates were available and have been installed.

       --propupd [{filename | directory | package name},...]
              One of the checks rkhunter performs is to compare the current
              file properties of various commands against those it has
              previously stored. This command option causes rkhunter to
              update its data file of stored values with the current values.

              If the filename option is used, then it must either be a full
              pathname, or a plain file name (for example, 'awk'). When used,
              only the entry in the file properties database for that file
              will be updated. If the directory option is used, then only
              those files listed in the database that are in the given
              directory will be updated. Similarly, if the package name
              option is used, then only those files in the database which
              are part of the specified package will be updated. The package
              name must be the base part of the name; no version numbers
              should be included (for example, 'coreutils'). Package names
              will, of course, only be stored in the file properties database
              if a package manager is being used. If a package name is the
              same as a file name (for example, 'file' could refer to the
              'file' command or to the RPM 'file' package, which contains the
              'file' command), the package name will be used. If no specific
              option is given, then the entire database is updated.

              WARNING: It is the user's responsibility to ensure that the
              files on the system are genuine and from a reliable source.
              rkhunter can only report if a file has changed, but not on what
              has caused the change. Hence, if a file has changed, and the
              --propupd command option is used, then rkhunter will assume
              that the file is genuine.
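As an added example (not part of rkhunter itself), the POSIX shell wrapper below turns the warning above into a gate: a path is handed to --propupd only while the package manager still vouches for it, and updating the whole database is refused. It assumes an RPM-based host (rpm -Vf); the RKHUNTER and PKG_VERIFY variables are hypothetical so the commands can be swapped or stubbed.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: only re-baseline a file with
# "rkhunter --propupd FILE" when the package manager still vouches for it.
# rkhunter itself reports that a file changed, not why (see WARNING above).

RKHUNTER="${RKHUNTER:-rkhunter}"      # hypothetical override, used for stubbing
PKG_VERIFY="${PKG_VERIFY:-rpm -Vf}"   # assumption: RPM host; "rpm -Vf PATH" exits
                                      # non-zero when PATH differs from its package

# verify_file PATH -> exit 0 when PATH exists and the package manager
# reports no mismatch for it, non-zero otherwise.
verify_file() {
    [ -f "$1" ] || return 1
    $PKG_VERIFY "$1" >/dev/null 2>&1
}

# gated_propupd PATH... -> prints one line per argument:
#   "updated PATH"  the package manager vouched for it and --propupd ran
#   "failed PATH"   verified, but "rkhunter --propupd" itself failed
#   "refused PATH"  missing or modified; the stored properties stay as they are
# Calling it with no paths refuses to rewrite the whole properties database.
gated_propupd() {
    if [ $# -eq 0 ]; then
        echo "refusing to update the entire properties database" >&2
        return 1
    fi
    for f in "$@"; do
        if verify_file "$f"; then
            if "$RKHUNTER" --propupd "$f" >/dev/null 2>&1; then
                echo "updated $f"
            else
                echo "failed $f"
            fi
        else
            echo "refused $f"
        fi
    done
}

# Typical use (commented out so that the script only defines functions):
# gated_propupd /usr/bin/awk /usr/bin/file
```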
101
102
103 --versioncheck
104 This command option causes rkhunter to check if there is a later
105 version of the program. A command-line web browser must be
106 present on the system when using this option.
107
108 If this option is used via cron, then it is recommended that the
109 --nocolors option is also used.
110
111 An exit code of zero for this command option means that no new
112 version was available. An exit code of one means that an error
113 occurred downloading the latest version number, and a code of
114 two means that no error occurred but a new version is available.
115
116
117 --list [tests | {lang | languages} | rootkits | perl]
118 This command option will list some of the supported capabilities
119 of the program, and then exit. The tests option lists the cur‐
120 rently available test names (see the README file for more
121 details about test names). The languages option lists the cur‐
122 rently available languages, and the rootkits option lists the
123 rootkits that rkhunter will search for. The perl option lists
124 the installation status of perl modules that may be used by some
125 of the tests. Note that it is not required to install these mod‐
126 ules. However, if rkhunter is forced to use perl to execute a
127 test then the module must be present. If no specific option is
128 given, then all the lists are displayed.
129
130
131 -C, --config-check
132 This command option causes rkhunter to check its configuration
133 file(s), and then exit. The program will run through its normal
134 configuration checks as specified by the enable and disable
135 options on the command-line and in the configuration files. That
136 is, only the configuration options for tests which would nor‐
137 mally run are checked. In order to check all the configured
138 options, then use the --enable all --disable none options on the
139 command line. Additionally, the program will check to see if
140 there are any unrecognised configuration options. If any config‐
141 uration problems are found, then they will be displayed and the
142 return code will be set to 1.
143
144 It is suggested that this option is used whenever the configura‐
145 tion file(s) have been changed.
146
147
148 -V, --version
149 This command option causes rkhunter to display its version num‐
150 ber, and then exit.
151
152
153 -h, --help
154 This command option displays the help screen menu, and then
155 exits.
156
157
159 rkhunter uses a configuration file, named rkhunter.conf, for many of
160 its configuration options. It will also use a local configuration file,
161 named rkhunter.conf.local, if it is present. However, some options can
162 also be specified on the command-line, and these will override the con‐
163 figuration file options. The configuration file options are well docu‐
164 mented within the main configuration file itself. The following are the
165 command-line options. The defaults mentioned here are the program
166 defaults, unless explicitly stated as the configuration file default.
167
168
       --appendlog
              By default a new log file will be created when rkhunter runs,
              and the previous log file will be renamed by having .old
              appended to its name. This option tells rkhunter to append to
              the existing log file. If the log file does not exist, then it
              will be created.

       --bindir <directory>...
              This option modifies which directories rkhunter looks in to
              find the various commands it requires (that is, its PATH). The
              default is the root PATH, and an internal list of some common
              command directories. By default a specified directory will be
              appended to the default list. However, if the directory name
              begins with the '+' character, then it will be prepended to the
              list (that is, it will be put at the start of the list).

       --cs2, --color-set2
              By default rkhunter will display its test results in color. The
              colors used are green for successful tests, red for failed
              tests (warnings), and yellow for skipped tests. These colors
              are visible when a black background is used, but are difficult
              to see on a white background. This option tells rkhunter to use
              a different color set which is more suited to a white
              background.

       --configfile <file>
              The installation process will automatically tell rkhunter where
              its configuration file is located. However, if necessary, this
              option can be used to specify a different pathname.

              If a local configuration file is to be used, then it must
              reside in the same directory as the configuration file
              specified by this option.

       --cronjob
              This is similar to the --check command option, but it disables
              several of the interactive options. When this option is used,
              --check, --nocolors and --skip-keypress are assumed. By default
              no output is sent to stdout, so the --report-warnings-only
              option may be useful with this option.

       --dbdir <directory>
              The installation process will automatically configure where the
              data files are stored for rkhunter. However, if necessary, this
              option can be used to specify a different directory. The
              directory can be read-only, after installation, provided that
              neither of the --update or --propupd options are specified, and
              that the --versioncheck option is not specified if
              ROTATE_MIRRORS is set to 1 in the configuration file.

       --debug
              This is a special option mainly for the developers. It produces
              no output on stdout. Regular logging will continue as per
              default or as specified by the --logfile option, and the debug
              output will be in a randomly generated filename which starts
              with /tmp/rkhunter-debug.

       --disable <test>[,<test>...]
              This option tells rkhunter not to run the specified tests. If
              this option is used, and --propupd is not specified, then the
              --check command option is assumed. Read the README file for
              more information about test names. By default no tests are
              disabled.

       --display-logfile
              This option will cause the logfile to be displayed on the
              screen once rkhunter has finished.

       --enable <test>[,<test>...]
              This option tells rkhunter to only run the specified tests. If
              this option is used, and --propupd is not specified, then the
              --check command option is assumed. If only one test name, other
              than all, is given, then the --skip-keypress option is also
              assumed. Read the README file for more information about test
              names. By default all tests are enabled. All the test names are
              listed below under TESTS.

       --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 | NONE | <command>}
              Both the file properties check and the --propupd command option
              will use a hash function to determine a file's current hash
              value. This option tells rkhunter which hash function to use.
              The MD5 and SHA options will look for the relevant command,
              and, if not found, a perl support script will then be used to
              see if a perl module supporting the function has been
              installed. Alternatively, a specific command may be specified.
              A value of NONE can be used to indicate that the hash values
              should not be obtained or used as part of the file properties
              check. The default is SHA1, or MD5 if no SHA1 command can be
              found.

              Systems using prelinking must use either MD5, SHA1 or NONE.


       --lang, --language <language>
              This option specifies which language to use for the displayed
              tests and results. The currently supported languages can be
              seen by the --list command option. The default is en (English).
              If a message to be displayed cannot be found in the language
              file, then the English version will be used. As such, the
              English language file must always be present. The --update
              command option will update the language files when new
              versions are available.

       -l, --logfile [file]
              By default rkhunter will write out a log file. The default
              location of the file is /var/log/rkhunter.log. However, this
              location can be changed by using this option. If /dev/null is
              specified as the log file, then no log file will be written. If
              no specific file is given, then the default will be used. By
              default rkhunter will create a new log file each time it is
              run. Any previously existing logfile is moved out of the way,
              and has .old appended to it.

       --noappend-log
              This option reverts rkhunter to its default behaviour of
              creating a new log file rather than appending to it.

       --nocf
              This option is only valid when the command-line --disable
              option is used. When the --disable option is used, by default,
              the configuration file option to disable tests is also used to
              determine which tests to run. If only the --disable option is
              to be used to determine which tests to run, then --nocf must be
              given.

       --nocolors
              This option causes the result of each test to not be displayed
              in a specific color. The default color, usually the reverse of
              the background color, will be used (typically this is just
              black and white).

       --nolog
              This option tells rkhunter not to write anything to a log file.

       --nomow, --no-mail-on-warning
              The configuration file has an option which will cause a simple
              email message to be sent to a user should rkhunter detect any
              warnings during system checks. This command-line option
              overrides the configuration file option, and prevents an email
              message from being sent. The configuration file default is not
              to email a message.

       --ns, --nosummary
              When the --check command option is used, by default a short
              summary of results is displayed at the end. This option
              prevents the summary from being displayed.

       --novl, --no-verbose-logging
              During some tests rkhunter will log a lot of information. Use
              of this option reduces the amount of logging, and so can
              improve the performance of rkhunter. However, the log file will
              contain less information should any warnings occur. By default
              verbose logging is enabled.

       --pkgmgr {RPM | DPKG | BSD | SOLARIS | NONE}
              This option is used during the file properties check or when
              the --propupd command option is given. It tells rkhunter that
              the current file property values should be obtained from the
              relevant package manager. See the README file for more details
              of this option. The default is NONE, which means not to use a
              package manager.

       -q, --quiet
              This option tells rkhunter not to display any output. It can be
              useful when only the exit code is going to be checked. Other
              options may be used with this one, to force only specific items
              to be displayed.

       --rwo, --report-warnings-only
              This option causes only warning messages to be displayed. This
              can be useful when rkhunter is run via cron. Other options may
              be used to force other items of information to be displayed.

       -r, --rootdir <directory>
              If a suspect system is locally or remotely mounted, it is
              possible to tell rkhunter to inspect it by using this option.
              However, it must be used with care, as several of the other
              options specifying configuration directories may need to be
              set as well. There is no default.

       --sk, --skip-keypress
              When the --check command option is used, after certain sections
              of tests, the user will be prompted to press the return key in
              order to continue. This option disables that feature, and
              rkhunter will run until all the tests have completed.

              If this option has not been given, and the user is prompted to
              press the return key, a single 's' character, in upper- or
              lowercase, may be given followed by the return key. rkhunter
              will then continue the tests without prompting the user again
              (as if this option had been given).

       --summary
              This option will cause the summary of test results to be
              displayed. This is the default.

       --syslog [facility.priority]
              When the --check command option is used, this option will cause
              the start and finish times to be logged to syslog. The default
              is not to log anything to syslog, but if the option is used,
              then the default level is authpriv.notice.

       --tmpdir <directory>
              The installation process will automatically configure where
              temporary files are to be created. However, if necessary, this
              option can be used to specify a different directory. The
              directory must not be a symbolic link, and must be secure (root
              access only).

       --vl, --verbose-logging
              This option tells rkhunter that when it runs some tests, it
              should log as much information as possible. This can be useful
              when trying to diagnose why a warning has occurred, but it
              obviously also takes more time. The default is to use verbose
              logging.

       -x, --autox
              When this option is used, rkhunter will try to detect if the X
              Window system is in use. If it is in use, then the second color
              set will automatically be used (see the --color-set2 option).
              This allows rkhunter to be run on, for example, a server
              console (where X is not present, so the default color set
              should be used), and on a user's terminal (where X is in use,
              so the second color set should be used). In both cases rkhunter
              will use the correct color set. The configuration file default
              is to try to detect X.

       -X, --no-autox
              This option prevents rkhunter from automatically detecting if
              the X Window system is being used. See the --autox option.
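The exit-code semantics documented for the --update and --versioncheck command options, combined with the --cronjob, --report-warnings-only and --appendlog options above, as an added example of a cron wrapper (not part of rkhunter itself). The RKHUNTER variable is a hypothetical override so that the logic can be exercised against a stub.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: cron wrapper that applies the
# documented exit codes of --update and --versioncheck before running the
# non-interactive scan. Only cron-safe options are used.

RKHUNTER="${RKHUNTER:-rkhunter}"   # hypothetical override, used for stubbing

# classify_rc COMMAND RC -> meaning of an exit code from "rkhunter --COMMAND",
# where COMMAND is "update" or "versioncheck", as documented in this manual.
classify_rc() {
    case "$1:$2" in
        update:0|versioncheck:0) echo current ;;
        update:1)                echo download-error ;;
        update:2)                echo updated ;;
        versioncheck:1)          echo check-error ;;
        versioncheck:2)          echo new-version-available ;;
        *)                       echo "unexpected-rc-$2" ;;
    esac
}

# run_check COMMAND -> classification of "rkhunter --COMMAND --nocolors"
# (--nocolors is the documented recommendation when running from cron).
run_check() {
    rc=0
    "$RKHUNTER" "--$1" --nocolors >/dev/null 2>&1 || rc=$?
    classify_rc "$1" "$rc"
}

# scan -> the cron-style check. --cronjob implies --check, --nocolors and
# --skip-keypress; --report-warnings-only limits the cron mail to warnings;
# --appendlog grows one log file instead of rotating it to .old each run.
# Returns rkhunter's own exit code (non-zero on any warning or error).
scan() {
    "$RKHUNTER" --cronjob --report-warnings-only --appendlog
}

main() {
    data=$(run_check update)
    echo "data files: $data"
    if [ "$data" = download-error ]; then
        echo "warning: data files not refreshed, scanning with the existing ones" >&2
    fi
    echo "program version: $(run_check versioncheck)"
    # --propupd is deliberately absent: a changed file must be verified as
    # genuine by hand before its stored properties are replaced.
    scan
}

# Run as "rkhunter-cron.sh run" from cron; sourcing the file only defines functions.
case "${1-}" in run) main ;; esac
```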

TESTS
       [This section to be written]

       additional_rkts
              This test is for SHORT_EXPLANATION. It works as part of GROUP.
              Corresponding configuration file entries: ONE=one, TWO=two and
              for white-listing THREE=three,three. Simple globbing
              (/dev/shm/file-*) works.

       all
       apps
       attributes
       avail_modules
       deleted_files
       filesystem
       group_accounts
       group_changes
       hashes
       hidden_ports
       hidden_procs
       immutable
       loaded_modules
       local_host
       malware
       network
       none
       os_specific
       other_malware
       packet_cap_apps
       passwd_changes
       ports
       possible_rkt_files
       possible_rkts
       possible_rkt_strings
       promisc
       properties
       rootkits
       running_procs
       scripts
       shared_libs
       shared_libs_path
       startup_files
       startup_malware
       strings
       suspscan
       system_commands
       system_configs

FILES
       (For a default installation) /etc/rkhunter.conf

SEE ALSO
       See the CHANGELOG file for recent changes.
       The README file has information about installing rkhunter, as well as
       specific sections on test names and using package managers.
       The FAQ file should also answer some questions.

LICENSE
       RootKit Hunter is licensed under the GPL, copyright Michael Boelen.
       See the LICENSE file for details of GPL licensing.

AUTHOR
       RootKit Hunter is under active development by the RootKit Hunter
       project team. For reporting bugs, updates, patches, comments and
       questions, please go to http://rkhunter.sourceforge.net/

August, 2010                                                        rkhunter(8)