# update for 2023 (#1116)

* modify the configuration section slightly
* specific instructions for testing your rkhunter setup using `rkhunter --check`
* updated the "tested with" in the meta to reflect it working correctly with the latest Rocky versions
* added a "General Steps" section as a quick reference of the steps to take and brief description where necessary

Author: sspencerwire

docs/guides/web/apache_hardened_webserver/rkhunter.md

@@ -2,7 +2,7 @@
 title: Rootkit Hunter
 author: Steven Spencer
 contributors: Ezequiel Bruni
-tested with: 8.5
+tested with: 8.7, 9.1
 tags:
   - server
   - security
@@ -18,57 +18,75 @@ tags:
 * An understanding of what can trigger a response to changed files on the file system (such as package updates) is helpful
 * All commands are run as the root user or sudo
 
-This document was originally written in conjunction with the apache hardened webserver routines, but works equally well in a server running any software.
+This document was originally written in conjunction with the apache hardened webserver routines, but works equally well on a server running any software.
 
 ## Introduction
 
-_rkhunter_ (Root Kit Hunter) is a Unix-based tool that scans for rootkits, backdoors, and possible local exploits. It is a good part of a hardened web server, and is designed to notify the administrator quickly when something suspicious happens on the server's file system.
+_rkhunter_ (Root Kit Hunter) is a Unix-based tool that scans for rootkits, backdoors, and possible local exploits. It is a good part of a hardened server, and is designed to notify the administrator quickly when something suspicious happens on the server's file system.
 
 _rkhunter_ is just one possible component of a hardened Apache web server setup and can be used with or without other tools. If you'd like to use this along with other tools for hardening, refer back to the [Apache Hardened Web Server guide](index.md).
 
 This document also uses all of the assumptions and conventions outlined in that original document, so it is a good idea to review it before continuing.
 
+## General steps
+
+1. install rkhunter
+2. configure rkhunter
+3. configure email and make sure it is set up to work correctly
+4. run `rkhunter` manually to generate a list of warnings to test your email settings (`rkhunter --check`)
+5. run `rkhunter --propupd` to generate a clean `rkhunter.dat` file that `rkhunter` will use from this point forward as a baseline for further checks.
+
 ## Installing rkhunter
 
 _rkhunter_ requires the EPEL (Extra Packages for Enterprise Linux) repository. So install that repository if you don't have it installed already:
 
-`dnf install epel-release`
+```
+dnf install epel-release
+```
 
 Then install _rkhunter_:
 
-`dnf install rkhunter`
+```
+dnf install rkhunter
+```
 
 ## Configuring rkhunter
 
 The only configuration options that need to be set are those dealing with mailing reports to the administrator. To modify the configuration file, run:
 
-`vi /etc/rkhunter.conf`
+```
+vi /etc/rkhunter.conf`
+```
 
 And then search for:
 
-`#MAIL-ON-WARNING=me@mydomain   root@mydomain`
+```
+#MAIL-ON-WARNING=me@mydomain   root@mydomain
+```
+
+Remove the remark here and change the `[email protected]` to reflect your email address.
+
+Then change the `root@mydomain` to `root@whatever_the_server_name_is`.
 
-Remove the remark here and change the [email protected] to reflect your email address.
+You will probably also want to remove the remark (and edit the line to fit your needs) of the `MAIL-CMD` line, found a few lines below that looks like this:
 
-Then change the root@mydomain to root@whatever_the_server_name_is.
+```
+MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
+```
 
 You may also need to setup [Postfix Email for Reporting](../../email/postfix_reporting.md) in order to get the email section to work correctly.
 
 ## Running rkhunter
 
 _rkhunter_ can be run by typing it at the command-line. There is a cron job installed for you in `/etc/cron.daily`, but if you want to automate the procedure on a different schedule, look at the [Automating cron jobs guide](../../automation/cron_jobs_howto.md).
 
-You'll also need to move the script somewhere other than `/etc/cron.daily`, such as `/usr/local/sbin` and then call it from your custom cron job. The easiest method, of course, is to leave the default cron.daily setup intact.
-
-Before you run allow _rkhunter_ to run automatically, run the command manually with the "--propupd" flag to create the rkhunter.dat file, and to make sure that your new environment is recognized without issue:
-
-`rkhunter --propupd`
-
-To run _rkhunter_ manually:
+You'll also need to move the script somewhere other than `/etc/cron.daily`, such as `/usr/local/sbin` and then call it from your custom cron job. The easiest method, of course, is to leave the default `cron.daily` setup intact.
 
-`rkhunter --check`
+If you want to test `rkhunter` before you start, including all email functionality, etc., run `rkhunter --check` from the command line. If there are problems with email setup, hold off completing the rest so that you can run this command again. Once email has been confirmed to work but before you allow `rkhunter` to run automatically, run the command manually again with the "--propupd" flag to create the `rkhunter.dat` file, and to make sure that your new environment is recognized without issue:
 
-This will echo back to the screen as the checks are performed, prompting you to `[Press <ENTER> to continue]` after each section.
+```
+rkhunter --propupd
+```
 
 ## Conclusion