
NAME

       rkhunter - RootKit Hunter

SYNOPSIS

       rkhunter {--check | --unlock | --update | --versioncheck |
                 --propupd [{filename | directory | package name},...] |
                 --list [tests | {lang | languages} | rootkits] |
                 --version | --help} [options]

DESCRIPTION

       rkhunter  is  a  shell  script  which carries out various checks on the
       local system to try and detect known  rootkits  and  malware.  It  also
       performs  checks  to  see if commands have been modified, if the system
       startup files have been modified, and various  checks  on  the  network
       interfaces, including checks for listening applications.

       rkhunter  has  been written to be as generic as possible, and so should
       run on most Linux and UNIX systems. It is provided  with  some  support
       scripts should certain commands be missing from the system, and some of
       these are perl scripts.  rkhunter does require certain commands  to  be
       present  for it to be able to execute. Additionally, some tests require
       specific commands, but if these are not present then the test  will  be
       skipped.  rkhunter needs to be run under a Bourne-type shell, typically
       bash  or  ksh.  rkhunter  can  be  run  as  a  cron  job  or  from  the
       command-line.

COMMAND OPTIONS

       If  no  command option is given, then --help is assumed.  rkhunter will
       return a non-zero exit code if any error or warning occurs.

       -c, --check
              This command option tells rkhunter to perform various checks  on
              the  local  system. The result of each test will be displayed on
              stdout. If anything suspicious is found, then a warning will  be
              displayed.  A  log  file  of  the  tests and the results will be
              automatically produced.

              It is suggested that this command option  is  run  regularly  in
              order to ensure that the system has not been compromised.

       --unlock
              This  command  option simply unlocks (removes) the lock file. If
              this option is used on its own, then no log file is created.

       --update
              This command option causes rkhunter to check if there is a later
              version  of  any  of  its  text  data  files. A command-line web
              browser, for example wget or lynx, must be present on the system
              when using this option.

              It  is  suggested  that  this command option is run regularly in
              order to ensure that the data files are kept up to date.

              If this option is used via cron, then it is recommended that the
              --nocolors option is also used.

              An  exit  code  of  zero  for  this command option means that no
              updates were available.  An  exit  code  of  one  means  that  a
              download  error  occurred, and a code of two means that no error
              occurred but updates were available and have been installed.

       --propupd [{filename | directory | package name},...]
              One of the  checks  rkhunter  performs  is  to  compare  various
              current  file  properties  of various commands, against those it
              has previously stored. This command option  causes  rkhunter  to
              update its data file of stored values with the current values.

               If the filename option is used, then it must either be a full
               pathname, or a plain file name (for example, 'awk'). When used,
               then only the entry in the file properties database for that
               file will be updated. If the directory option is used, then only
               those files listed in the database that are in the given
               directory will be updated. Similarly, if the package name option
               is used, then only those files in the database which are part of
               the specified package will be updated. The package name must be
               the base part of the name, with no version number included (for
               example, 'coreutils'). Package names will, of course, only be
               stored in the file properties database if a package manager is
               being used. If a package name is the same as a file name (for
               example, 'file' could refer to the 'file' command or to the RPM
               'file' package, which contains the 'file' command), the package
               name will be used. If no specific option is given, then the
               entire database is updated.

               WARNING: It is the user's responsibility to ensure that the
               files on the system are genuine and from a reliable source.
               rkhunter can only report that a file has changed, not what
               caused the change. Hence, if a file has changed and the
               --propupd command option is used, rkhunter will assume that the
               file is genuine.

       --versioncheck
              This command option causes rkhunter to check if there is a later
              version of the program.  A  command-line  web  browser  must  be
              present on the system when using this option.

              If this option is used via cron, then it is recommended that the
              --nocolors option is also used.

              An exit code of zero for this command option means that  no  new
              version  was  available. An exit code of one means that an error
              occurred downloading the latest version number, and  a  code  of
              two means that no error occurred but a new version is available.

       --list [tests | {lang | languages} | rootkits]
              This command option will list some of the supported capabilities
              of  the  program,  and  then  exit.  The  tests option lists the
              currently available test names (see the  README  file  for  more
              details  about  test  names).  The  languages  option  lists the
              currently available languages, and the rootkits option lists the
              rootkits  that  rkhunter will search for.  If no specific option
              is given, then all the lists are displayed.

       -V, --version
              This command option  causes  rkhunter  to  display  its  version
              number, and then exit.

       -h, --help
              This  command  option  displays  the  help screen menu, and then
              exits.

OPTIONS

       rkhunter uses a configuration file, named rkhunter.conf,  for  many  of
       its configuration options. It will also use a local configuration file,
       named rkhunter.conf.local, if it is present. However, some options  can
       also  be  specified  on  the  command-line, and these will override the
       configuration file options. The configuration  file  options  are  well
       documented within the main configuration file itself. The following are
       the command-line options. The defaults mentioned here are  the  program
       defaults, unless explicitly stated as the configuration file default.

       --appendlog
              By  default  a  new log file will be created when rkhunter runs,
              and the previous  log  file  will  be  renamed  by  having  .old
              appended  to  its name.  This option tells rkhunter to append to
              the existing log file. If the log file does not exist,  then  it
              will be created.

       --bindir <directory>...
              This  option tells rkhunter which directories to look in to find
              the various commands it requires. The  default  is  the  current
              PATH  environment  variable, and the typical command directories
              of /bin, /usr/bin, /sbin and so on.

       --cs2, --color-set2
              By default rkhunter will display its test results in color.  The
              colors used are green for successful tests, red for failed tests
              (warnings), and yellow  for  skipped  tests.  These  colors  are
              visible  when  a  black background is used, but are difficult to
              see on a white background. This option tells rkhunter to  use  a
              different  color set which is more suited to a white background.

       --configfile <file>
              The installation process will automatically tell rkhunter  where
              its  configuration  file is located. However, if necessary, this
              option can be used to specify a different pathname.

              If a local configuration file is to be used, then it must reside
              in  the  same  directory  as the configuration file specified by
              this option.

       --cronjob
              This is similar to the --check command option, but  it  disables
              several  of  the  interactive  options. When this option is used
              --check, --nocolors and --skip-keypress are assumed. By  default
              no  output  is  sent  to  stdout,  so the --report-warnings-only
              option may be useful with this option.

        --dbdir <directory>
               The installation process will automatically configure where the
               data files are stored for rkhunter. However, if necessary, this
               option can be used to specify a different directory. After
               installation, the directory can be read-only, provided that
               neither the --update nor the --propupd option is specified, and
               that the --versioncheck option is not specified if
               ROTATE_MIRRORS is set to 1 in the configuration file.

       --debug
              This is a special option mainly for the developers. It  produces
              no  output  on  stdout.  Regular  logging  will  continue as per
              default or as specified by the --logfile option, and  the  debug
              output  will  be  in  a randomly generated filename which starts
              with /tmp/rkhunter-debug.

       --disable <test>[,<test>...]
              This option tells rkhunter not to run the  specified  tests.  If
              this  option  is  used, and --propupd is not specified, then the
              --check command option is assumed. Read the README file for more
              information  about test names. By default no tests are disabled.

       --display-logfile
              This option will cause the logfile to be displayed on the screen
              once rkhunter has finished.

       --enable <test>[,<test>...]
              This  option  tells rkhunter to only run the specified tests. If
              this option is used, and --propupd is not  specified,  then  the
              --check  command option is assumed. If only one test name, other
              than all, is given, then  the  --skip-keypress  option  is  also
              assumed.   Read  the README file for more information about test
              names. By default all tests  are  enabled.  All  tests  will  be
              listed below under TESTS.

       --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
               NONE | <command>}
               Both the file properties check and the --propupd command option
               use a hash function to determine a file's current hash value.
               This option tells rkhunter which hash function to use. The MD5
               and SHA options will look for the relevant command, and, if it
               is not found, a perl support script will then be used to see if
               a perl module supporting the function has been installed.
               Alternatively, a specific command may be specified. A value of
               NONE can be used to indicate that hash values should not be
               obtained or used as part of the file properties check. The
               default is SHA1, or MD5 if no SHA1 command can be found.

              Systems using prelinking must use either MD5, SHA1 or NONE.

       --lang, --language <language>
              This option specifies which language to use  for  the  displayed
              tests  and  results.   The  currently supported languages can be
              seen by the --list command option. The default is en  (English).
              If  a  message  to  be displayed cannot be found in the language
              file, then the English  version  will  be  used.  As  such,  the
              English  language  file  must  always  be  present. The --update
              command option will update the language files when new  versions
              are available.

       -l, --logfile [file]
              By  default  rkhunter  will  write  out  a log file. The default
              location of the file  is  /var/log/rkhunter.log.  However,  this
              location  can  be  changed by using this option. If /dev/null is
              specified as the log file, then no log file will be written.  If
              no  specific  file  is  given, then the default will be used. By
              default rkhunter will create a new log file each time it is run.
              Any previously existing logfile is moved out of the way, and has
              .old appended to it.

       --noappend-log
              This  option  reverts  rkhunter  to  its  default  behaviour  of
              creating a new log file rather than appending to it.

       --nocolors
              This  option  causes the result of each test to not be displayed
              in a specific color. The default color, usually the  reverse  of
              the background color, will be used (typically this is just black
              and white).

       --nolog
              This option tells rkhunter not to write anything to a log  file.

       --nomow, --no-mail-on-warning
              The  configuration  file has an option which will cause a simple
              email message to be sent to a user should  rkhunter  detect  any
              warnings   during   system   checks.  This  command-line  option
              overrides the configuration file option, and prevents  an  email
              message  from  being sent. The configuration file default is not
              to email a message.

       --ns, --nosummary
              When the --check command option is  used,  by  default  a  short
              summary of results is displayed at the end. This option prevents
              the summary from being displayed.

       --novl, --no-verbose-logging
              During some tests rkhunter will log a lot of information. Use of
              this  option  reduces  the amount of logging, and so can improve
              the performance of rkhunter. However, the log file will  contain
              less  information  should any warnings occur. By default verbose
              logging is enabled.

       --pkgmgr {RPM | DPKG | BSD | NONE}
              This option is used during the file properties check or when the
              --propupd  command  option  is given. It tells rkhunter that the
              current  file  property  values  should  be  obtained  from  the
              relevant  package manager.  See the README file for more details
              of this option. The default is NONE, which means not  to  use  a
              package manager.

       -q, --quiet
              This  option tells rkhunter not to display any output. It can be
              useful when only the exit code is going  to  be  checked.  Other
              options  may be used with this one, to force only specific items
              to be displayed.

       --rwo, --report-warnings-only
              This option causes only warning messages to be  displayed.  This
              can  be  useful when rkhunter is run via cron. Other options may
              be used to force other items of information to be displayed.

       -r, --rootdir <directory>
              If a suspect system  is  locally  or  remotely  mounted,  it  is
              possible  to  tell  rkhunter to inspect it by using this option.
              However, it must be used with care,  as  several  of  the  other
              options  specifying configuration directories may need to be set
              as well. There is no default.

       --sk, --skip-keypress
              When the --check command option is used, after certain  sections
              of  tests,  the user will be prompted to press the return key in
              order to  continue.  This  option  disables  that  feature,  and
              rkhunter will run until all the tests have completed.

               If this option has not been given, and the user is prompted to
               press the return key, a single 's' character, in upper- or
               lowercase, may be given followed by the return key. rkhunter
               will then continue the tests without prompting the user again
               (as if this option had been given).

       --summary
              This  option  will  cause  the  summary  of  test  results to be
              displayed. This is the default.

       --syslog [facility.priority]
              When the --check command option is used, this option will  cause
              the  start  and finish times to be logged to syslog. The default
              is not to log anything to syslog, but if  the  option  is  used,
              then the default level is authpriv.notice.

       --tmpdir <directory>
              The  installation  process  will  automatically  configure where
              temporary files are to be created. However, if  necessary,  this
              option  can  be  used  to  specify  a  different  directory. The
              directory must not be a symbolic link, and must be secure  (root
              access only).

       --vl, --verbose-logging
              This  option  tells  rkhunter  that  when it runs some tests, it
              should log as much information as possible. This can  be  useful
              when  trying  to  diagnose  why  a  warning has occurred, but it
              obviously also takes more time. The default is  to  use  verbose
              logging.

        -x, --autox
               When this option is used, rkhunter will try to detect if the X
               Window system is in use. If it is in use, then the second color
               set will automatically be used (see the --color-set2 option).
               This allows rkhunter to be run on, for example, a server console
               (where X is not present, so the default color set should be
               used), and on a user's terminal (where X is in use, so the
               second color set should be used). In both cases rkhunter will
               use the correct color set. The configuration file default is to
               try to detect X.

       -X, --no-autox
              This  option  prevents  rkhunter from automatically detecting if
              the X Window system is being used. See the --autox option.
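
       The following cron wrapper is an added example (not part of rkhunter
       or its man page) that applies the exit codes and option combinations
       described above: --update under cron with --nocolors and its 0/1/2
       exit codes, --cronjob together with --report-warnings-only, and the
       non-zero exit code that --check returns on any warning. It assumes
       rkhunter is on PATH; the helper function names are the example's own.

```sh
#!/bin/sh
# Cron wrapper for rkhunter, built only from the exit codes and option
# combinations documented in this man page (added example, not rkhunter's
# own code). Assumes rkhunter is on PATH; override with
# RKHUNTER=/path/to/rkhunter. Delivering the output (cron mail, a ticket,
# syslog) is left to the caller.
RKHUNTER="${RKHUNTER:-rkhunter}"

# --update: 0 = data files current, 1 = download error, 2 = updates were
# available and have been installed (--versioncheck uses the same numbers,
# except that 2 only means a newer program version exists).
update_status() {
    case "$1" in
        0) printf '%s\n' "no-updates" ;;
        1) printf '%s\n' "download-error" ;;
        2) printf '%s\n' "updates-installed" ;;
        *) printf '%s\n' "unexpected-rc-$1" ;;
    esac
}

# --check/--cronjob: any error or warning gives a non-zero exit code.
check_status() {
    if [ "$1" -eq 0 ]; then
        printf '%s\n' "clean"
    else
        printf '%s\n' "warnings-or-errors"
    fi
}

# Overall result for cron: fail (return 1) when the scan reported anything,
# or when the data files could not be refreshed, since a stale rootkit
# database quietly weakens every later check. Code 2 from --update is fine.
overall_rc() {
    if [ "$2" -ne 0 ] || [ "$1" -eq 1 ]; then return 1; fi
    return 0
}

nightly() {
    # --nocolors is recommended with --update under cron. Capture the exit
    # code with "|| rc=$?" so the wrapper also behaves under set -e.
    update_rc=0
    "$RKHUNTER" --update --nocolors >/dev/null 2>&1 || update_rc=$?
    printf 'rkhunter data files: %s\n' "$(update_status "$update_rc")"

    # --cronjob implies --check, --nocolors and --skip-keypress and sends
    # nothing to stdout, so --report-warnings-only is added to surface only
    # the warnings (which is what cron will mail); --appendlog keeps one
    # growing log instead of rotating the previous one to .old each night.
    check_rc=0
    "$RKHUNTER" --cronjob --report-warnings-only --appendlog || check_rc=$?
    printf 'rkhunter scan: %s\n' "$(check_status "$check_rc")"

    overall_rc "$update_rc" "$check_rc"
}

# Run the real scan only when invoked as "wrapper.sh run" and rkhunter is
# actually installed; otherwise this file just defines the functions.
if [ "${1:-}" = "run" ] && command -v "$RKHUNTER" >/dev/null 2>&1; then
    nightly
fi
```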

TESTS

       [This section to be written]

       additional_rkts
              This test is for SHORT_EXPLANATION. It works as part  of  GROUP.
              Corresponding  configuration  file entries: ONE=one, TWO=two and
              for    white-listing    THREE=three,three.    Simple    globbing
              (/dev/shm/file-*) works.

       all

       apps

       attributes

       avail_modules

       deleted_files

       filesystem

       group_accounts

       group_changes

       hashes

       hidden_procs

        immutable

        known_rkts

       loaded_modules

       local_host

       malware

       network

       none

       os_specific

       other_malware

       packet_cap_apps

       passwd_changes

       ports

       possible_rkt_files

       possible_rkts

       possible_rkt_strings

       promisc

       properties

       rootkits

       running_procs

       scripts

       shared_libs

       shared_libs_path

       startup_files

       startup_malware

       strings

       suspscan

       system_commands

        system_configs

        trojans

FILES

       (For a default installation) /etc/rkhunter.conf

SEE ALSO

       See the CHANGELOG file for recent changes.
       The  README  file has information about installing rkhunter, as well as
       specific sections on test names and using package managers.
       The FAQ file should also answer some questions.

LICENSING

       RootKit Hunter is licensed under the  GPL,  copyright  Michael  Boelen.
       See the LICENSE file for details of GPL licensing.

CONTACT INFORMATION

       RootKit  Hunter  is  under  active  development  by  the RootKit Hunter
       project team.  For  reporting  bugs,  updates,  patches,  comments  and
       questions, please go to http://rkhunter.sourceforge.net/

                                September, 2008                    rkhunter(8)