rkhunter(8)                 System Manager's Manual                rkhunter(8)




NAME

       rkhunter - RootKit Hunter


SYNOPSIS

       rkhunter {--check | --update | --propupd | --versioncheck |
                 --list [tests | languages | rootkits] |
                 --version | --help} [options]



DESCRIPTION

       rkhunter is a shell script which carries out various checks on the
       local system to try to detect known rootkits and malware. It also
       performs checks to see if commands have been modified, if the system
       startup files have been modified, and various checks on the network
       interfaces, including checks for listening applications.

       rkhunter has been written to be as generic as possible, and so should
       run on most Linux and UNIX systems. It is provided with some support
       scripts, some of them written in perl, for use when certain commands
       are missing from the system. rkhunter does require certain commands to
       be present for it to be able to execute. Additionally, some tests
       require specific commands; if these are not present then the test will
       be skipped. rkhunter needs to be run under a Bourne-type shell,
       typically bash or ksh. rkhunter can be run as a cron job or from the
       command-line.



COMMAND OPTIONS

       If no command option is given, then --help is assumed. rkhunter will
       return a non-zero exit code if any error or warning occurs.


       -c, --check
              This command option tells rkhunter to perform various checks on
              the local system. The result of each test will be displayed on
              stdout. If anything suspicious is found, then a warning will be
              displayed. A log file of the tests and the results will be
              automatically produced.

              It is suggested that this command option is run regularly in
              order to ensure that the system has not been compromised.


       --update
              This command option causes rkhunter to check if there is a later
              version of any of its text data files. A command-line web
              browser, for example wget or lynx, must be present on the system
              when using this option.

              It is suggested that this command option is run regularly in
              order to ensure that the data files are kept up to date.

              If this option is used via cron, then it is recommended that the
              --nocolors option is also used.

              An exit code of zero for this command option means that no
              updates were available. An exit code of one means that a
              download error occurred, and a code of two means that no error
              occurred but updates were available and have been installed.


       --propupd
              One of the checks rkhunter performs is to compare various
              current file properties of various commands against those it
              has previously stored. This command option causes rkhunter to
              update its data file of stored values with the current values.

              WARNING: It is the user's responsibility to ensure that the
              files on the system are genuine and from a reliable source.
              rkhunter can only report that a file has changed, not what
              caused the change. Hence, if a file has changed and the
              --propupd command option is used, then rkhunter will assume
              that the file is genuine, and that change will not be reported
              again. Run --propupd only immediately after a known, legitimate
              change such as a package upgrade, and only after confirming
              that the changed files match what the package manager
              installed (see also the --pkgmgr option).
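
              The following wrapper is an added illustration of that rule and
              is not part of rkhunter. Before it runs --propupd it asks the
              package manager whether each file rkhunter complained about
              still matches the package's recorded checksum, using the real
              dpkg -S / dpkg --verify and rpm -qf / rpm -Vf commands, and it
              refuses to re-baseline if any file is modified or belongs to no
              package at all. The DPKG, RPM and RKHUNTER variables are
              assumptions that exist only so the script can be pointed at
              substitutes. Bear in mind that on an already compromised host
              the package database itself may have been altered, so this is a
              consistency check, not proof of integrity.

```shell
#!/bin/sh
# Added example, not part of rkhunter: refuse to re-baseline with --propupd
# until the changed files have been checked against the package manager.
# dpkg -S / dpkg --verify and rpm -qf / rpm -Vf are real commands; the
# DPKG, RPM and RKHUNTER variables are assumptions so the script can be
# pointed at substitutes for testing.
DPKG="${DPKG:-dpkg}"
RPM="${RPM:-rpm}"
RKHUNTER="${RKHUNTER:-rkhunter}"

# Print "OK <file>", "MODIFIED <file>" or "UNOWNED <file>" and return 0, 1 or 2.
# A file that no package owns is rejected too: there is nothing to compare it with.
classify_file() {
    f="$1"
    if command -v "$DPKG" >/dev/null 2>&1 &&
       pkg=$("$DPKG" -S "$f" 2>/dev/null | head -n 1 | sed 's/[:,].*//') &&
       [ -n "$pkg" ]; then
        # dpkg --verify lists each file whose md5sum no longer matches the
        # package's record; the path is the last field of every line.
        if "$DPKG" --verify "$pkg" 2>/dev/null |
           awk -v f="$f" '$NF == f { hit = 1 } END { exit !hit }'; then
            echo "MODIFIED $f"; return 1
        fi
        echo "OK $f"; return 0
    elif command -v "$RPM" >/dev/null 2>&1 && "$RPM" -qf "$f" >/dev/null 2>&1; then
        # rpm -Vf verifies the whole package owning the file; keep only our file.
        if "$RPM" -Vf "$f" 2>/dev/null |
           awk -v f="$f" '$NF == f { hit = 1 } END { exit !hit }'; then
            echo "MODIFIED $f"; return 1
        fi
        echo "OK $f"; return 0
    fi
    echo "UNOWNED $f"; return 2
}

# Check every file rkhunter warned about; run --propupd only if all are clean.
safe_propupd() {
    bad=0
    for f in "$@"; do
        classify_file "$f" || bad=1
    done
    if [ "$bad" -ne 0 ]; then
        echo "refusing --propupd: investigate the files listed above first" >&2
        return 1
    fi
    "$RKHUNTER" --propupd
}

# Usage: safe_propupd /bin/ls /bin/ps
```

              Note that dpkg --verify compares MD5 sums only, so it catches
              accidental or careless modification rather than a deliberate
              collision, and that a file outside any package (a locally built
              binary, for instance) has to be vouched for by other means
              before it is baselined.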


       --versioncheck
              This command option causes rkhunter to check if there is a later
              version of the program. A command-line web browser must be
              present on the system when using this option.

              If this option is used via cron, then it is recommended that the
              --nocolors option is also used.

              An exit code of zero for this command option means that no new
              version was available. An exit code of one means that an error
              occurred downloading the latest version number, and a code of
              two means that no error occurred but a new version is available.


       --list [tests | languages | rootkits]
              This command option will list some of the supported capabilities
              of the program, and then exit. The tests option lists the
              currently available test names (see the README file for more
              details about test names). The languages option lists the
              currently available languages, and the rootkits option lists the
              rootkits that rkhunter will search for. If no specific option
              is given, then all the lists are displayed.


       -V, --version
              This command option causes rkhunter to display its version
              number, and then exit.


       -h, --help
              This command option displays the help screen menu, and then
              exits.



OPTIONS

       rkhunter uses a configuration file, named rkhunter.conf, for many of
       its configuration options. However, some options can also be specified
       on the command-line, and these will override the configuration file
       options. The configuration file options are well documented within the
       file itself. The following are the command-line options. The defaults
       mentioned here are the program defaults, unless explicitly stated as
       the configuration file default.


       --appendlog
              By default a new log file will be created when rkhunter runs.
              This option tells rkhunter to append to the existing log file.
              If the log file does not exist, then it will be created.


       --bindir <directory>...
              This option tells rkhunter which directories to look in to find
              the various commands it requires. The default is the current
              PATH environment variable, and the typical command directories
              of /bin, /usr/bin, /sbin and so on.


       --cs2, --color-set2
              By default rkhunter will display its test results in color. The
              colors used are green for successful tests, red for failed tests
              (warnings), and yellow for skipped tests. These colors are
              visible when a black background is used, but are difficult to
              see on a white background. This option tells rkhunter to use a
              different color set which is more suited to a white background.


       --configfile <file>
              The installation process will automatically tell rkhunter where
              its configuration file is located. However, if necessary, this
              option can be used to specify a different pathname.


       --cronjob
              This is similar to the --check command option, but it disables
              several of the interactive options. When this option is used
              --check, --nocolors and --skip-keypress are assumed. By default
              no output is sent to stdout, so the --report-warnings-only
              option may be useful with this option.


       --dbdir <directory>
              The installation process will automatically configure where the
              data files are stored for rkhunter. However, if necessary, this
              option can be used to specify a different directory.


       --debug
              This is a special option mainly for the developers. It produces
              no output on stdout. If debugging must be used, then make sure
              that it is the first command-line switch. Regular logging will
              continue as per default or as specified by the --logfile option,
              and debug output will be in the file /tmp/rkhunter-debug. Note
              that this is a fixed filename in a world-writable directory, so
              use the option only on a host whose other local users are
              trusted.


       --disable <test>[,<test>...]
              This option tells rkhunter not to run the specified tests. If
              this option is used, and --propupd is not specified, then the
              --check command option is assumed. Read the README file for more
              information about test names. By default no tests are disabled.


       --display-logfile
              This option will cause the logfile to be displayed on the screen
              once rkhunter has finished.


       --enable <test>[,<test>...]
              This option tells rkhunter to only run the specified tests. If
              this option is used, and --propupd is not specified, then the
              --check command option is assumed. If only one test name, other
              than all, is given, then the --skip-keypress option is also
              assumed. Read the README file for more information about test
              names. By default all tests are enabled. All tests are listed
              below under TESTS.


       --hash {MD5 | SHA1 | NONE | <command>}
              Both the file properties check and the --propupd command option
              will use a hash function to determine a file's current hash
              value. This option tells rkhunter which hash function to use.
              The MD5 and SHA1 options, in uppercase, will look for the
              relevant command, and if not found a perl support script will be
              used to provide the function. Alternatively, a specific command
              may be specified. A value of NONE can be used to indicate that
              the hash values should not be obtained or used as part of the
              file properties check. The default is SHA1, or MD5 if no SHA1
              command can be found. Neither MD5 nor SHA1 is collision-
              resistant any longer; where the system provides a stronger hash
              command, give that command here instead. The same function must
              be used for --propupd and for the later checks, otherwise every
              file will appear to have changed.


       --lang, --language <language>
              This option specifies which language to use for the displayed
              tests and results. The currently supported languages can be
              seen by the --list command option. The default is en (English).
              If a message to be displayed cannot be found in the language
              file, then the English version will be used. As such, the
              English language file must always be present. The --update
              command option will update the language files when new versions
              are available.


       -l, --logfile [file]
              By default rkhunter will write out a log file. The default
              location of the file is /var/log/rkhunter.log. However, this
              location can be changed by using this option. If /dev/null is
              specified as the log file, then no log file will be written. If
              no specific file is given, then the default will be used. By
              default rkhunter will create a new log file each time it is run.
              Any previously existing logfile is moved out of the way, and has
              .old appended to it.


       --noappend-log
              This option reverts rkhunter to its default behaviour of
              creating a new log file rather than appending to it.


       --nocolors
              This option causes the result of each test to not be displayed
              in a specific color. The default color, usually the reverse of
              the background color, will be used (typically this is just black
              and white).


       --nolog
              This option tells rkhunter not to write anything to a log file.


       --nomow, --no-mail-on-warning
              The configuration file has an option which will cause a simple
              email message to be sent to a user should rkhunter detect any
              warnings. This command-line option overrides the configuration
              file option, and prevents an email message from being sent. The
              configuration file default is not to email a message.


       --ns, --nosummary
              When the --check command option is used, by default a short
              summary of results is displayed at the end. This option prevents
              the summary from being displayed.


       --novl, --no-verbose-logging
              During some tests rkhunter will log a lot of information. Use of
              this option reduces the amount of logging, and so can improve
              the performance of rkhunter. However, the log file will contain
              less information should any warnings occur. By default verbose
              logging is enabled.


       --pkgmgr {RPM | DPKG | BSD | NONE}
              This option is used during the file properties check or when the
              --propupd command option is given. It tells rkhunter that the
              current file property values should be obtained from the
              relevant package manager. See the README file for more details
              of this option. The default is NONE, which means not to use a
              package manager.


       -q, --quiet
              This option tells rkhunter not to display any output. It can be
              useful when only the exit code is going to be checked. Other
              options may be used with this one, to force only specific items
              to be displayed.


       --rwo, --report-warnings-only
              This option causes only warning messages to be displayed. This
              can be useful when rkhunter is run via cron. Other options may
              be used to force other items of information to be displayed.
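
              The wrapper below is an added illustration, not part of
              rkhunter, of how --update, --cronjob and --report-warnings-only
              fit together in a nightly cron job. It maps the exit codes that
              --update and --versioncheck document (0 nothing new, 1 download
              error, 2 update available) to a message, runs the checks with
              --cronjob so that no keypress is awaited and no colour escapes
              reach the mail cron sends, and turns the outcome into a small
              set of exit codes of its own. The RKHUNTER variable and the
              crontab path are assumptions so the script can be pointed at a
              substitute.

```shell
#!/bin/sh
# Added example, not part of rkhunter: a nightly cron wrapper. It refreshes
# the data files, interprets the exit codes documented for --update, then runs
# the checks non-interactively and reports only warnings. RKHUNTER is an
# assumed variable so the wrapper can be pointed at a substitute for testing.
RKHUNTER="${RKHUNTER:-/usr/bin/rkhunter}"

# Words for the exit codes of --update and --versioncheck:
# 0 nothing new, 1 download error, 2 update available (installed by --update).
explain_update_rc() {
    case "$1" in
        0) echo "no update available" ;;
        1) echo "download error" ;;
        2) echo "update available/installed" ;;
        *) echo "unexpected exit code $1" ;;
    esac
}

# Returns 0 when the checks were clean, 1 when rkhunter reported a warning or
# error, 3 when the checks were clean but the data-file update failed (the
# checks still run, against the previously downloaded data).
nightly_check() {
    # --nocolors keeps escape sequences out of the mail cron sends.
    if "$RKHUNTER" --update --nocolors >/dev/null 2>&1; then
        urc=0
    else
        urc=$?
    fi
    echo "rkhunter --update: $(explain_update_rc "$urc")"

    # --cronjob implies --check --nocolors --skip-keypress; --rwo limits the
    # output to warnings, so cron mails something only when there is news.
    if "$RKHUNTER" --cronjob --report-warnings-only --appendlog; then
        crc=0
    else
        crc=$?
    fi
    [ "$crc" -eq 0 ] || return 1
    [ "$urc" -ne 1 ] || return 3
    return 0
}

# Usage from a crontab (hypothetical path to a file containing this script):
# 30 3 * * * /usr/local/sbin/rkhunter-nightly.sh
# where the script ends with:  nightly_check; exit $?
```

              A download failure is reported but does not stop the checks,
              because stale data files still find yesterday's rootkits; a
              warning from the checks always wins, since that is the result
              the operator has to act on.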


       -r, --rootdir <directory>
              If a suspect system is locally or remotely mounted, it is
              possible to tell rkhunter to inspect it by using this option.
              However, it must be used with care, as several of the other
              options specifying configuration directories may need to be set
              as well (for example --configfile, --dbdir, --bindir and
              --tmpdir), so that rkhunter reads its configuration and data
              from, and runs its commands out of, the trusted host rather
              than the suspect tree. Mounting the suspect filesystem read-only
              keeps the evidence unchanged. There is no default.


       --sk, --skip-keypress
              When the --check command option is used, after certain sections
              of tests, the user will be prompted to press the return key in
              order to continue. This option disables that feature, and
              rkhunter will run until all the tests have completed.

              If this option has not been given, and the user is prompted to
              press the return key, a single 's' character, in upper- or
              lowercase, may be given followed by the return key. rkhunter
              will then continue the tests without prompting the user again
              (as if this option had been given).


       --summary
              This option will cause the summary of test results to be
              displayed. This is the default.


       --syslog [facility.priority]
              When the --check command option is used, this option will cause
              the start and finish times to be logged to syslog. The default
              is not to log anything to syslog, but if the option is used,
              then the default level is authpriv.notice.


       --tmpdir <directory>
              The installation process will automatically configure where
              temporary files are to be created. However, if necessary, this
              option can be used to specify a different directory. The
              directory must not be a symbolic link, and must be secure (root
              access only): a symbolic link, or a directory that other users
              can write to, would let a local attacker redirect or replace
              the files rkhunter works on while it runs.
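
              The function below is an added illustration, not part of
              rkhunter, of the two conditions just stated: it rejects a
              symbolic link, a non-directory, a directory owned by anyone
              other than the expected user, and a directory to which group or
              others have any access. It reads the mode string and numeric
              owner from ls -ldn, which is portable where the flags of
              stat(1) differ between systems. The expected owner uid is a
              parameter (default 0, root) purely so the check can also be
              exercised by an unprivileged user; the path in the usage
              comment is hypothetical.

```shell
#!/bin/sh
# Added example, not part of rkhunter: check a directory before handing it to
# --tmpdir. The owner uid to expect is a parameter (default 0, root) so the
# function can also be exercised by an unprivileged user.
check_tmpdir() {
    dir="$1"
    want_uid="${2:-0}"
    if [ -L "$dir" ]; then
        echo "REJECT $dir: is a symbolic link"; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "REJECT $dir: not a directory"; return 1
    fi
    # ls -ldn is portable where stat(1) flags are not: field 1 is the mode
    # string, field 3 the numeric owner.
    set -- $(ls -ldn "$dir")
    mode="$1"; uid="$3"
    if [ "$uid" != "$want_uid" ]; then
        echo "REJECT $dir: owned by uid $uid, expected $want_uid"; return 1
    fi
    # Accept only rwx------ (a trailing + or . from ACLs or labels is allowed).
    case "$mode" in
        d???------*) echo "OK $dir"; return 0 ;;
        *) echo "REJECT $dir: group or others have access ($mode)"; return 1 ;;
    esac
}

# Usage (hypothetical path):
# check_tmpdir /path/to/rkhunter-tmp && rkhunter --tmpdir /path/to/rkhunter-tmp --check
```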


       --vl, --verbose-logging
              This option tells rkhunter that when it runs some tests, it
              should log as much information as possible. This can be useful
              when trying to diagnose why a warning has occurred, but it
              obviously also takes more time. The default is to use verbose
              logging.


       -x, --autox
              When this option is used, rkhunter will try to detect if the X
              Window system is in use. If it is in use, then the second color
              set will automatically be used (see the --color-set2 option).
              This allows rkhunter to be run on, for example, a server console
              (where X is not present, so the default color set should be
              used), and on a user's terminal (where X is in use, so the
              second color set should be used). In both cases rkhunter will
              use the correct color set. The configuration file default is to
              try to detect X.


       -X, --no-autox
              This option prevents rkhunter from automatically detecting if
              the X Window system is being used. See the --autox option.




TESTS

       additional_rkts
              This test is for SHORT_EXPLANATION. It works as part of GROUP.
              Corresponding configuration file entries: ONE=one, TWO=two and
              for white-listing THREE=three,three. Simple globbing
              (/dev/shm/file-*) works.



       all

       apps

       attributes

       deleted_files

       filesystem

       group_accounts

       group_changes

       hashes

       hidden_procs

       immutable

       local_host

       malware

       network

       none

       os_specific

       other_malware

       packet_cap_apps

       passwd_changes

       ports

       possible_rkt_files

       possible_rkts

       possible_rkt_strings

       promisc

       properties

       rootkits

       running_procs

       scripts

       shared_libs

       shared_libs_path

       startup_files

       startup_malware

       strings

       suspscan

       system_commands

       system_configs




FILES

       (For a default installation) /etc/rkhunter.conf



SEE ALSO

       See the CHANGELOG file for recent changes.
       The README file has information about installing rkhunter, as well as
       specific sections on test names and using package managers.
       The FAQ file should also answer some questions.



LICENSING

       RootKit Hunter is licensed under the GPL, copyright Michael Boelen.
       See the LICENSE file for details of GPL licensing.



CONTACT INFORMATION

       RootKit Hunter is under active development by the RootKit Hunter
       project team. For reporting bugs, updates, patches, comments and
       questions, please go to http://rkhunter.sourceforge.net/



                                  July, 2007                       rkhunter(8)