Rootkit Hunter (rkhunter) is an open source Unix/Linux-based tool that scans for backdoors, rootkits and local exploits on your systems. It scans for suspicious files and works like a file integrity checker.
The team behind rkhunter recommends installing same-class tools such as chkrootkit or OSSEC-HIDS, which complement the overall security of a system. In this entry we are going to review:
- How to install rkhunter
- Create a bash script that can be executed from a crontab
- Setup the crontab to run daily scans
- How to prep rkhunter
We will be working with a Debian-based distribution. The first step is to install rkhunter.
sudo apt-get install rkhunter
Next, create a file for the bash script; this entry uses /opt/rkhunter/rkhunter.sh.
Below is a sample bash script that updates rkhunter's data files and then runs the check, producing output only if a warning is found (so cron only mails you when there is something to look at).
#!/bin/bash
# Refresh the rkhunter data files, then run the check as a cron job, reporting warnings only
/usr/bin/rkhunter --update
/usr/bin/rkhunter --cronjob --report-warnings-only
exit
Save the file and then make it executable
chmod +x /opt/rkhunter/rkhunter.sh
Switch to root and set up a crontab
sudo su -
In this crontab entry the script runs every day at 10pm local time
00 22 * * * /opt/rkhunter/rkhunter.sh
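To tie the script and cron steps above together, here is an added example (not the post's own script) that generates the wrapper and the crontab line from one place, so both can be reviewed and exercised in a scratch directory before anything is written under /opt or into root's crontab. The /usr/bin/rkhunter path, the /opt/rkhunter layout and the 22:00 schedule are assumptions taken from the post; the wrapper differs from the post's one-liner in that it reports a failed --update instead of silently continuing and exits with the scan's own status so cron sees a non-zero result when warnings are found.

```shell
#!/bin/sh
# Added example: build and install the rkhunter cron wrapper described in the post.
# Assumed paths (from the post): /usr/bin/rkhunter and /opt/rkhunter/rkhunter.sh.

RKH_BIN=${RKH_BIN:-/usr/bin/rkhunter}

# Print the wrapper script body. The shebang sits on its own line, a failed
# --update is reported on stderr, and exec hands the exit status of the scan
# straight back to cron.
wrapper_body() {
    cat <<EOF
#!/bin/sh
# Daily rkhunter run: refresh data files, then scan and print warnings only.
# Cron mails anything written here, so a clean run must stay silent.
$RKH_BIN --update >/dev/null 2>&1
rc=\$?
# --update exits 1 on error; other non-zero values only mean files were refreshed.
if [ "\$rc" -eq 1 ]; then
    echo "rkhunter --update failed (exit \$rc); scanning with existing data files" >&2
fi
exec $RKH_BIN --cronjob --report-warnings-only
EOF
}

# Write the wrapper to DIR/rkhunter.sh and make it executable (the post's chmod +x step).
write_wrapper() {
    dir=$1
    mkdir -p "$dir"
    wrapper_body > "$dir/rkhunter.sh"
    chmod 755 "$dir/rkhunter.sh"
    echo "$dir/rkhunter.sh"
}

# The crontab line from the post: 22:00 local time, every day.
cron_line() {
    echo "00 22 * * * $1/rkhunter.sh"
}

# Append the line to the current user's crontab (run as root, as in the post),
# skipping it if already present so repeated runs do not duplicate the job.
install_cron() {
    line=$(cron_line "$1")
    if crontab -l 2>/dev/null | grep -Fqx "$line"; then
        echo "cron entry already present"
        return 0
    fi
    { crontab -l 2>/dev/null; echo "$line"; } | crontab -
}

# Usage: sh setup-rkhunter-cron.sh install [/opt/rkhunter]
case "${1:-}" in
    install)
        dir=${2:-/opt/rkhunter}
        write_wrapper "$dir"
        install_cron "$dir"
        ;;
esac
```

Run it as root with the install argument to reproduce the post's layout; without arguments it only defines the functions, which is what makes the generated wrapper easy to inspect (for example with sh -n) before it is scheduled.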
It’s a good idea to update and run rkhunter manually at least once
sudo rkhunter --update
sudo rkhunter --check
Examine the results and exclude any false positives in the rkhunter configuration file (/etc/rkhunter.conf on Debian)
Once you are satisfied with your configuration, run rkhunter with --propupd to record a baseline of file properties for your system.
sudo rkhunter --propupd
If email notifications are configured on your system, rkhunter will now notify you whenever it detects suspicious changes.