Run rkhunter from a crontab

Rootkit hunter is an open source Unix/Linux based tool that scans for backdoors, rootkits and local exploits on your systems. It scans for suspicious files and works like a file integrity checker.

The team behind rkhunter recommends installing same-class tools like Chkrootkit or OSSEC-HIDS which compliment the overall security of a system. On this entry today we are going to review:

How to install rkhunter
Create a bash script that can be executed from a crontab
Setup the crontab to run daily scans
How to prep rkhunter

We will be working with a Debian-based distribution. The first step is to install rkhunter.

sudo apt-get install rkhunter

Next create a file for the bash script

vi /opt/rkhunter/rkhunter.sh

Below is a sample bash script that will update rkhunter and then execute it, only notifying you if a discrepancy is identified.

#!/bin/bash

/usr/bin/rkhunter --update;

/usr/bin/rkhunter --cronjob --report-warnings-only;

exit

Save the file and then make it executable

chmod +x /opt/rkhunter/rkhunter.sh

Switch to root and setup a crontab

sudo su -

crontab -e

In this crontab the script is being run each day at 10pm local time

00 22 * * * /opt/rkhunter/rkhunter.sh

It’s a good idea to both manually update and run rkhunter at least once

sudo rkhunter --update

sudo rkhunter --check

Examine the results and exclude any false positives within the file

/etc/rkhunter.conf

Once you are satisfied with your configuration run the –propupd to set a baseline for your system.

sudo rkhunter --propupd

If you have email notifications configured on your system rkhunter will now notify you if it detects any suspicious changes.

References
Rootkit Hunter
rkhunter read me
DigitalOcean

Recent Posts

Recent Comments

Bugs filed

Following

Run rkhunter from a crontab

Leave a Reply Cancel reply