rkhunter(8)                  System Manager's Manual                 rkhunter(8)

NAME
       rkhunter - RootKit Hunter

SYNOPSIS
       rkhunter {--check | --unlock | --update | --versioncheck |
                --propupd [{filename | directory | package name},...] |
                --list [tests | {lang | languages} | rootkits | perl |
                        propfiles] |
                --config-check | --version | --help} [options]

DESCRIPTION
       rkhunter is a shell script which carries out various checks on the
       local system to try to detect known rootkits and malware. It also
       performs checks to see if commands have been modified, if the system
       startup files have been modified, and various checks on the network
       interfaces, including checks for listening applications.

       rkhunter has been written to be as generic as possible, and so should
       run on most Linux and UNIX systems. It is provided with some support
       scripts should certain commands be missing from the system, and some
       of these are perl scripts. rkhunter does require certain commands to
       be present for it to be able to execute. Additionally, some tests
       require specific commands, but if these are not present then the test
       will be skipped. rkhunter needs to be run under a Bourne-type shell,
       typically bash or ksh. rkhunter can be run as a cron job or from the
       command-line.

COMMAND OPTIONS
       If no command option is given, then --help is assumed. rkhunter will
       return a non-zero exit code if any error or warning occurs.

       -c, --check
              This command option tells rkhunter to perform various checks on
              the local system. The result of each test will be displayed on
              stdout. If anything suspicious is found, then a warning will be
              displayed. A log file of the tests and the results will be
              automatically produced.

              It is suggested that this command option is run regularly in
              order to ensure that the system has not been compromised.


       --unlock
              This command option simply unlocks (removes) the lock file. If
              this option is used on its own, then no log file is created.


       --update
              This command option causes rkhunter to check if there is a
              later version of any of its text data files. A command-line web
              client, for example wget or lynx, must be present on the system
              when using this option.

              It is suggested that this command option is run regularly in
              order to ensure that the data files are kept up to date.

              If this option is used via cron, then it is recommended that
              the --nocolors option is also used.

              An exit code of zero for this command option means that no
              updates were available. An exit code of one means that a
              download error occurred, and a code of two means that no error
              occurred but updates were available and have been installed.
              An exit code of two is therefore not a failure: a cron job or
              wrapper script must not treat every non-zero code from this
              option as an error.


       --propupd [{filename | directory | package name},...]
              One of the checks rkhunter performs is to compare various
              current file properties of various commands against those it
              has previously stored. This command option causes rkhunter to
              update its data file of stored values with the current values.

              If the filename option is used, then it must either be a full
              pathname, or a plain file name (for example, 'awk'). When used,
              only the entry in the file properties database for that file
              will be updated. If the directory option is used, then only
              those files listed in the database that are in the given
              directory will be updated. Similarly, if the package name
              option is used, then only those files in the database which
              are part of the specified package will be updated. The package
              name must be the base part of the name; no version numbers
              should be included (for example, 'coreutils'). Package names
              will, of course, only be stored in the file properties
              database if a package manager is being used. If a package name
              is the same as a file name (for example, 'file' could refer to
              the 'file' command or to the RPM 'file' package, which contains
              the 'file' command) then the package name will be used. If no
              specific option is given, then the entire database is updated.

              WARNING: It is the user's responsibility to ensure that the
              files on the system are genuine and from a reliable source.
              rkhunter can only report that a file has changed, not what
              caused the change. Hence, if a file has changed and the
              --propupd command option is then used, rkhunter will record
              the changed file as genuine and every later check will treat
              it as the baseline. Verify a changed file (for example, against
              the package manager's own records) before updating its entry.
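       One way to act on the WARNING above is to refuse --propupd for any
       package that the package manager cannot verify. The script below is
       an added example written for this manual, not part of rkhunter. It
       assumes that RKHUNTER names the rkhunter executable (default:
       rkhunter on PATH), that PKGMGR (RPM or DPKG) matches the --pkgmgr
       value rkhunter itself uses, and that rpm -V and dpkg --verify exit
       non-zero when any file of the package differs from what the package
       installed.

```sh
#!/bin/sh
# Gate "rkhunter --propupd" on the package manager's own verification.
# Added example, not part of rkhunter: rkhunter can only say that a file
# changed, so this supplies the "is the new file genuine?" step before its
# stored properties are overwritten. Assumptions: RKHUNTER names the
# rkhunter executable (default: rkhunter on PATH); PKGMGR is RPM or DPKG
# and matches the --pkgmgr value rkhunter itself uses; "rpm -V" and
# "dpkg --verify" exit non-zero when any file of the package differs
# from what the package installed.

RKHUNTER="${RKHUNTER:-rkhunter}"
PKGMGR="${PKGMGR:-RPM}"

# verify_package NAME: 0 if every file of the package verifies, 1 if the
# package manager reports a difference (its report goes to stdout), 2 if
# PKGMGR is not supported here. NAME is the base package name that
# --propupd expects, e.g. "coreutils", without a version.
verify_package() {
    case "$PKGMGR" in
        RPM)  rpm -V "$1" ;;
        DPKG) dpkg --verify "$1" ;;
        *)    echo "unsupported package manager: $PKGMGR" >&2; return 2 ;;
    esac
}

# safe_propupd NAME: refresh rkhunter's stored properties for NAME only
# when verification passed. A refusal is a signal to investigate, never
# something to override with a bare --propupd.
safe_propupd() {
    if verify_package "$1"; then
        "$RKHUNTER" --propupd "$1"
    else
        echo "$1: verification failed, refusing to run --propupd" >&2
        return 1
    fi
}

# main PACKAGE...: process each package; return 1 if any was refused.
main() {
    status=0
    for pkg in "$@"; do
        safe_propupd "$pkg" || status=1
    done
    return "$status"
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    echo "usage: PKGMGR={RPM|DPKG} $0 package..." >&2
fi
```

       Run it as, for example, PKGMGR=DPKG sh safe-propupd.sh coreutils
       after a package upgrade. Note that rpm -V and dpkg --verify compare
       against the package database on the same host: on a system that is
       already compromised those records, and the rpm or dpkg binaries
       themselves, may have been tampered with, and a package whose
       configuration files were legitimately edited will also fail
       verification. Read the report the package manager prints rather than
       relying on the exit status alone.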
102
103
104 --versioncheck
105 This command option causes rkhunter to check if there is a later
106 version of the program. A command-line web browser must be
107 present on the system when using this option.
108
109 If this option is used via cron, then it is recommended that the
110 --nocolors option is also used.
111
112 An exit code of zero for this command option means that no new
113 version was available. An exit code of one means that an error
114 occurred downloading the latest version number, and a code of
115 two means that no error occurred but a new version is available.
116
117
118 --list [tests | {lang | languages} | rootkits | perl | propfiles]
119 This command option will list some of the supported capabilities
120 of the program, and then exit. The tests option lists the cur‐
121 rently available test names (see the README file for more
122 details about test names). The languages option lists the cur‐
123 rently available languages, and the rootkits option lists the
124 rootkits that are searched for by rkhunter. The perl option
125 lists the installation status of the perl command and perl mod‐
126 ules that may be used by some of the tests. Note that it is not
127 required to install these modules. However, if rkhunter is
128 forced to use perl to execute a test then the module must be
129 present. The propfiles option will list the file names that are
130 used to generate the file properties database. If no specific
131 option is given, then all the lists, except for the file proper‐
132 ties database, are displayed.
133
134
135 -C, --config-check
136 This command option causes rkhunter to check its configuration
137 file(s), and then exit. The program will run through its normal
138 configuration checks as specified by the enable and disable
139 options on the command-line and in the configuration files. That
140 is, only the configuration options for tests which would nor‐
141 mally run are checked. In order to check all the configured
142 options, then use the --enable all --disable none options on the
143 command line. Additionally, the program will check to see if
144 there are any unrecognised configuration options. If any config‐
145 uration problems are found, then they will be displayed and the
146 return code will be set to 1.
147
148 It is suggested that this option is used whenever the configura‐
149 tion file(s) have been changed.
150
151
152 -V, --version
153 This command option causes rkhunter to display its version num‐
154 ber, and then exit.
155
156
157 -h, --help
158 This command option displays the help screen menu, and then
159 exits.
160
161
163 rkhunter uses a configuration file, named rkhunter.conf, for many of
164 its configuration options. It can also use a local configuration file,
165 named rkhunter.conf.local, and a directory named rkhunter.d if it is
166 present. Both the local configuration file, and the local directory,
167 must be in the same directory as the main configuration file. The in‐
168 staller does not create the local file or directory, but one, or both,
169 can be created by the user if required. If a directory is used, then
170 within the directory any file ending in .conf will be treated as a
171 local configuration file.
172
173 Some options can also be specified on the command-line, and these will
174 override the equivalent configuration file options. The configuration
175 file options are well documented within the main configuration file
176 itself. The following are the command-line options. The defaults men‐
177 tioned here are the program defaults, unless explicitly stated as the
178 configuration file default.
179
180
181 --appendlog
182 By default a new log file will be created when rkhunter runs,
183 and the previous log file will be renamed by having .old
184 appended to its name. This option tells rkhunter to append to
185 the existing log file. If the log file does not exist, then it
186 will be created.
187
188
189 --bindir <directory>...
190 This option modifies which directories rkhunter looks in to find
191 the various commands it requires (that is, its PATH). The
192 default is the root PATH, and an internal list of some common
193 command directories. By default a specified directory will be
194 appended to the default list. However, if the directory name
195 begins with the '+' character, then it will be prepended to the
196 list (that is, it will be put at the start of the list).
197
198
199 --cs2, --color-set2
200 By default rkhunter will display its test results in color. The
201 colors used are green for successful tests, red for failed tests
202 (warnings), and yellow for skipped tests. These colors are visi‐
203 ble when a black background is used, but are difficult to see on
204 a white background. This option tells rkhunter to use a differ‐
205 ent color set which is more suited to a white background.
206
207
208 --configfile <file>
209 The installation process will automatically tell rkhunter where
210 its configuration file is located. However, if necessary, this
211 option can be used to specify a different pathname.
212
213 If a local configuration file, or directory, is to be used, then
214 it must reside in the same directory as the configuration file
215 specified by this option.
216
217
218 --cronjob
219 This is similar to the --check command option, but it disables
220 several of the interactive options. When this option is used
221 --check, --nocolors and --skip-keypress are assumed. By default
222 no output is sent to stdout, so the --report-warnings-only
223 option may be useful with this option.
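       The --config-check, --update, --versioncheck and --cronjob options
       above each document a return code, and a cron job has to combine
       them; in particular it must not treat the exit code two of --update
       or --versioncheck as a failure. The wrapper below is an added example
       written for this manual, not a script shipped with rkhunter. It
       assumes only that the variable RKHUNTER names the rkhunter executable
       (default: rkhunter on PATH) and that the options behave as documented
       above.

```sh
#!/bin/sh
# Cron wrapper for rkhunter. This is an added example, not code shipped
# with rkhunter: it strings together the documented command options and
# their documented exit codes. Assumption: RKHUNTER names the rkhunter
# executable (default: "rkhunter" found on PATH).

RKHUNTER="${RKHUNTER:-rkhunter}"

# Run a command with its output discarded and print its exit code
# (the "|| rc=$?" form keeps a non-zero status from tripping "set -e").
exit_code_of() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# --config-check sets the return code to 1 when any configuration
# problem is found; --enable all --disable none makes it examine every
# configured option rather than only those of the tests that would run.
config_ok() {
    [ "$(exit_code_of "$RKHUNTER" -C --enable all --disable none)" -eq 0 ]
}

# --update exit codes: 0 no updates, 1 download error, 2 updates
# installed. Only 1 is a failure; treating every non-zero code as an
# error would raise an alert each time the data files are refreshed.
update_status() {
    case "$(exit_code_of "$RKHUNTER" --update --nocolors)" in
        0) echo uptodate ;;
        2) echo updated ;;
        *) echo error ;;
    esac
}

# --versioncheck exit codes: 0 current, 1 download error, 2 newer
# program version available.
version_status() {
    case "$(exit_code_of "$RKHUNTER" --versioncheck --nocolors)" in
        0) echo current ;;
        2) echo outdated ;;
        *) echo error ;;
    esac
}

# The non-interactive check. --cronjob implies --check, --nocolors and
# --skip-keypress; --rwo leaves only warnings on stdout, so cron mails
# the job's output only when there is something to act on; --syslog
# records the start and finish times (default level authpriv.notice).
# rkhunter exits non-zero on any warning, and that status is passed on.
check_status() {
    "$RKHUNTER" --cronjob --rwo --syslog
}

main() {
    if ! config_ok; then
        echo "rkhunter: configuration problems found, not running the check" >&2
        return 2
    fi
    [ "$(update_status)" = error ] && echo "rkhunter: data file update failed" >&2
    [ "$(version_status)" = outdated ] && echo "rkhunter: a newer release is available" >&2
    check_status
}

# Only act when invoked as "sh rkhunter-cron.sh run", so the functions
# above can also be sourced and reused.
if [ "${1:-}" = run ]; then
    main
fi
```

       Installed as a root cron job (sh /usr/local/sbin/rkhunter-cron.sh
       run), the job's mail contains only the warnings, and its exit status
       is non-zero exactly when rkhunter reported something or the
       configuration was rejected.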


       --dbdir <directory>
              The installation process will automatically configure where
              the data files are stored for rkhunter. However, if necessary,
              this option can be used to specify a different directory. The
              directory can be read-only, after installation, provided that
              neither of the --update or --propupd options are specified,
              and that the --versioncheck option is not specified if
              ROTATE_MIRRORS is set to 1 in the configuration file.


       --debug
              This is a special option mainly for the developers. It
              produces no output on stdout. Regular logging will continue as
              per default or as specified by the --logfile option, and the
              debug output will be written to a randomly generated filename
              which starts with /tmp/rkhunter-debug.


       --disable <test>[,<test>...]
              This option tells rkhunter not to run the specified tests.
              Read the README file for more information about test names. By
              default no tests are disabled.


       --display-logfile
              This option will cause the logfile to be displayed on the
              screen once rkhunter has finished.


       --enable <test>[,<test>...]
              This option tells rkhunter to only run the specified tests. If
              only one test name, other than all, is given, then the
              --skip-keypress option is assumed. Read the README file for
              more information about test names. By default all tests are
              enabled. All the test names are listed below under TESTS.


       --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
               NONE | <command>}
              Both the file properties check and the --propupd command
              option will use a hash function to determine a file's current
              hash value. This option tells rkhunter which hash function to
              use. The MD5 and SHA options will look for the relevant
              command, and, if not found, a perl support script will then be
              used to see if a perl module supporting the function has been
              installed. Alternatively, a specific command may be specified.
              A value of NONE can be used to indicate that the hash values
              should not be obtained or used as part of the file properties
              check. With NONE a change to a file's contents is only noticed
              if some other stored property changes with it. The default is
              SHA256.

              Systems using prelinking must use either MD5, SHA1 or NONE.
              MD5 and SHA1 are no longer collision resistant, so prefer
              SHA256 or stronger wherever prelinking does not force the
              choice.


       --lang, --language <language>
              This option specifies which language to use for the displayed
              tests and results. The currently supported languages can be
              seen by the --list command option. The default is en
              (English). If a message to be displayed cannot be found in the
              language file, then the English version will be used. As such,
              the English language file must always be present. The --update
              command option will update the language files when new
              versions are available.


       -l, --logfile [file]
              By default rkhunter will write out a log file. The default
              location of the file is /var/log/rkhunter.log. However, this
              location can be changed by using this option. If /dev/null is
              specified as the log file, then no log file will be written.
              If no specific file is given, then the default will be used.
              By default rkhunter will create a new log file each time it is
              run. Any previously existing logfile is moved out of the way,
              and has .old appended to it.


       --noappend-log
              This option reverts rkhunter to its default behaviour of
              creating a new log file rather than appending to it.


       --nocf
              This option is only valid when the command-line --disable
              option is used. When the --disable option is used, by default
              the configuration file option to disable tests is also used to
              determine which tests to run. If only the --disable option is
              to be used to determine which tests to run, then --nocf must
              be given.


       --nocolors
              This option causes the result of each test not to be displayed
              in a specific color. The default color, usually the reverse of
              the background color, will be used (typically this is just
              black and white).


       --nolog
              This option tells rkhunter not to write anything to a log
              file.


       --nomow, --no-mail-on-warning
              The configuration file has an option which will cause a simple
              email message to be sent to a user should rkhunter detect any
              warnings during system checks. This command-line option
              overrides the configuration file option, and prevents an email
              message from being sent. The configuration file default is not
              to email a message.


       --ns, --nosummary
              When the --check command option is used, by default a short
              summary of results is displayed at the end. This option
              prevents the summary from being displayed.


       --novl, --no-verbose-logging
              During some tests rkhunter will log a lot of information. Use
              of this option reduces the amount of logging, and so can
              improve the performance of rkhunter. However, the log file
              will contain less information should any warnings occur. By
              default verbose logging is enabled.


       --pkgmgr {RPM | DPKG | BSD | BSDng | SOLARIS | NONE}
              This option is used during the file properties check or when
              the --propupd command option is given. It tells rkhunter that
              the current file property values should be obtained from the
              relevant package manager. See the README file for more details
              of this option. The default is NONE, which means not to use a
              package manager.


       -q, --quiet
              This option tells rkhunter not to display any output. It can
              be useful when only the exit code is going to be checked.
              Other options may be used with this one, to force only
              specific items to be displayed.


       --rwo, --report-warnings-only
              This option causes only warning messages to be displayed. This
              can be useful when rkhunter is run via cron. Other options may
              be used to force other items of information to be displayed.


       --sk, --skip-keypress
              When the --check command option is used, after certain
              sections of tests, the user will be prompted to press the
              return key in order to continue. This option disables that
              feature, and rkhunter will run until all the tests have
              completed.

              If this option has not been given, and the user is prompted to
              press the return key, a single 's' character, in upper- or
              lowercase, may be given followed by the return key. rkhunter
              will then continue the tests without prompting the user again
              (as if this option had been given).


       --summary
              This option will cause the summary of test results to be
              displayed. This is the default.


       --syslog [facility.priority]
              When the --check command option is used, this option will
              cause the start and finish times to be logged to syslog. The
              default is not to log anything to syslog, but if the option is
              used, then the default level is authpriv.notice.


       --tmpdir <directory>
              The installation process will automatically configure where
              temporary files are to be created. However, if necessary, this
              option can be used to specify a different directory. The
              directory must not be a symbolic link, and must be secure
              (root access only). A directory that other users can write to
              would let a local user pre-create or replace the files
              rkhunter works with, and a symbolic link could redirect them
              elsewhere.
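       A check for the two --tmpdir requirements above, written as an added
       example for this manual (not rkhunter code): the directory must not
       be a symbolic link and must be accessible only by its owner, root
       unless a different uid is given. It assumes that ls -ldn prints the
       mode string as its first field and the numeric owner uid as its
       third, as GNU and BSD ls do.

```sh
#!/bin/sh
# Added example, not part of rkhunter: verify that a directory meets the
# --tmpdir requirements (a real directory, not a symbolic link, with access
# for its owner only). Assumption: "ls -ldn DIR" prints the mode string as
# field 1 and the numeric owner uid as field 3.

# tmpdir_is_secure DIR [UID]: return 0 if DIR is acceptable for --tmpdir,
# 1 otherwise, with the reason on stderr. UID defaults to 0 (root).
tmpdir_is_secure() {
    dir="$1"
    want_uid="${2:-0}"
    if [ -L "$dir" ]; then
        echo "$dir: is a symbolic link" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    # Fields: mode links uid gid size ... name
    set -- $(ls -ldn "$dir")
    mode="$1"
    uid="$3"
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    case "$mode" in
        # owner bits may be anything; group and other must be all "-".
        # A trailing "+", "." or "@" (ACL/SELinux/xattr marker) is allowed.
        d???------*) return 0 ;;
        *) echo "$dir: mode $mode grants group or other access" >&2
           return 1 ;;
    esac
}

# make_secure_tmpdir DIR [UID]: create DIR if needed, restrict it to its
# owner, then verify it. Fails (without unlinking anything) if DIR turns
# out to be a symbolic link or is not owned by UID.
make_secure_tmpdir() {
    mkdir -p "$1" && chmod 700 "$1" && tmpdir_is_secure "$1" "${2:-0}"
}

if [ "$#" -gt 0 ]; then
    tmpdir_is_secure "$@"
fi
```

       Run as root, sh check-tmpdir.sh /var/lib/rkhunter/tmp reports the
       first requirement the directory violates and exits 1, or exits 0
       when the directory is safe to pass to --tmpdir.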


       --vl, --verbose-logging
              This option tells rkhunter that when it runs some tests, it
              should log as much information as possible. This can be useful
              when trying to diagnose why a warning has occurred, but it
              obviously also takes more time. The default is to use verbose
              logging.


       -x, --autox
              When this option is used, rkhunter will try to detect if the X
              Window system is in use. If it is in use, then the second
              color set will automatically be used (see the --color-set2
              option). This allows rkhunter to be run on, for example, a
              server console (where X is not present, so the default color
              set should be used), and on a user's terminal (where X is in
              use, so the second color set should be used). In both cases
              rkhunter will use the correct color set. The configuration
              file default is to try to detect X.


       -X, --no-autox
              This option prevents rkhunter from automatically detecting if
              the X Window system is being used. See the --autox option.


TESTS
       [This section to be written]


       additional_rkts
              This test is for SHORT_EXPLANATION. It works as part of GROUP.
              Corresponding configuration file entries: ONE=one, TWO=two and
              for white-listing THREE=three,three. Simple globbing
              (/dev/shm/file-*) works.



       all

       apps

       attributes

       avail_modules

       deleted_files

       filesystem

       group_accounts

       group_changes

       hashes

       hidden_ports

       hidden_procs

       immutable

       known_rkts

       loaded_modules

       local_host

       malware

       network

       none

       os_specific

       other_malware

       packet_cap_apps

       passwd_changes

       ports

       possible_rkt_files

       possible_rkt_strings

       promisc

       properties

       rootkits

       running_procs

       scripts

       shared_libs

       shared_libs_path

       startup_files

       startup_malware

       strings

       suspscan

       system_commands

       system_configs

       trojans


FILES
       (For a default installation)
       /etc/rkhunter.conf
       /var/log/rkhunter.log


SEE ALSO
       See the CHANGELOG file for recent changes.
       The README file has information about installing rkhunter, as well
       as specific sections on test names and using package managers.
       The FAQ file should also answer some questions.


LICENSE
       RootKit Hunter is licensed under the GPL, copyright Michael Boelen.
       See the LICENSE file for details of GPL licensing.


AUTHORS
       This software was developed by the RootKit Hunter project team. To
       report bugs, patches, comments and questions, please go to:
       http://rkhunter.sourceforge.net/



                                  June 2017                        rkhunter(8)