Rootkit Hunter (rkhunter) is an open source Unix/Linux-based tool that scans for backdoors, rootkits and local exploits on your systems. It looks for suspicious files and works like a file integrity checker.

The team behind rkhunter recommends installing same-class tools such as Chkrootkit or OSSEC-HIDS, which complement the overall security of a system. In this entry we are going to review:

  • How to install rkhunter
  • How to create a bash script that can be executed from a crontab
  • How to set up the crontab to run daily scans
  • How to prep rkhunter

We will be working with a Debian-based distribution. The first step is to install rkhunter.

sudo apt-get install rkhunter

Next, create a file for the bash script (the /opt/rkhunter directory must exist first)

vi /opt/rkhunter/rkhunter.sh

Below is a sample bash script that updates rkhunter's data files and then runs the check, producing output (and therefore a cron mail) only if a discrepancy is identified.

#!/bin/bash
# Refresh the rkhunter data files (an exit code of 2 here only means updates were installed)
/usr/bin/rkhunter --update
# --cronjob implies --check with no colours and no keypress prompts;
# --report-warnings-only keeps the output empty unless something is flagged
/usr/bin/rkhunter --cronjob --report-warnings-only
exit

Save the file and then make it executable

chmod +x /opt/rkhunter/rkhunter.sh

Switch to root and set up a crontab

sudo su -
crontab -e

In this crontab entry the script is run each day at 10 pm local time

00 22 * * * /opt/rkhunter/rkhunter.sh

It's a good idea to update and run rkhunter manually at least once

sudo rkhunter --update
sudo rkhunter --check

Examine the results and exclude (whitelist) any false positives in the configuration file

/etc/rkhunter.conf

Once you are satisfied with your configuration, run --propupd to store a baseline of file properties for your system.

sudo rkhunter --propupd

If you have email notifications configured on your system, rkhunter will now notify you whenever it detects suspicious changes.
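The cron script above only mails you when rkhunter prints a warning. The added example below (not code from the original post or from the rkhunter project) turns that output into a short digest: it counts the warnings and pulls out the changed file paths so they can be checked against the package manager (for example with dpkg --verify on Debian) before deciding that a change is a false positive worth baselining with --propupd. The report text is a constructed sample shaped like rkhunter's warning output; the hashes and paths are made up.

```shell
#!/bin/sh
# Added example: digest an "rkhunter --cronjob --report-warnings-only" run.
# Usage in the cron script: /usr/bin/rkhunter --cronjob --report-warnings-only | digest_stdin

# Constructed sample report (shape follows rkhunter's warning output; values are made up)
SAMPLE_REPORT='Warning: The file properties have changed:
         File: /usr/bin/ssh
         Current hash: 1111aaaa
         Stored hash : 2222bbbb
Warning: The file properties have changed:
         File: /usr/bin/curl
         Current hash: 3333cccc
         Stored hash : 4444dddd
Warning: Hidden directory found: /dev/.udev'

# count_warnings: number of "Warning:" lines read from stdin (prints 0 when none)
count_warnings() {
    grep -c '^Warning:'
}

# changed_files: one path per "File:" line from stdin, ready to feed to
# "dpkg --verify" so the package manager's own checksums can confirm or deny the change
changed_files() {
    sed -n 's/^[[:space:]]*File:[[:space:]]*//p'
}

# digest: print a compact summary of a report passed as $1;
# returns 0 when the report is clean and 1 when any warning is present
digest() {
    n=$(printf '%s\n' "$1" | count_warnings)
    echo "rkhunter: $n warning(s)"
    printf '%s\n' "$1" | changed_files | sed 's/^/  changed: /'
    [ "$n" -eq 0 ]
}

# digest_stdin: same summary for piped report output (used from the cron script)
digest_stdin() {
    digest "$(cat)"
}

if digest "$SAMPLE_REPORT"; then
    echo "clean run"
else
    echo "warnings found: verify the listed files before running rkhunter --propupd"
fi
```

Only files whose change the package manager also reports, or that you changed yourself, should be accepted into the baseline; an unexplained change in a binary such as /usr/bin/ssh is exactly what the daily mail exists to surface.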
