169 changes: 166 additions & 3 deletions docs/guides/web/apache_hardened_webserver/rkhunter.md
@@ -1,7 +1,7 @@
---
title: Rootkit Hunter
author: Steven Spencer
contributors: Ezequiel Bruni
contributors: Ezequiel Bruni, Andrew Thiesen
tested with: 8.8, 9.2
tags:
- server
@@ -56,7 +56,14 @@ dnf install rkhunter

## Configuring `rkhunter`

The only configuration options that you need to set are those dealing with mailing reports to the administrator. To change the configuration file, run:
The only configuration options that you _need_ to set are those dealing with mailing reports to the Administrator.

!!! warning

Modification of _any_ configuration file in Linux carries risk. Before altering **any** configuration file in Linux, it is recomended to create a backup of the _original_ configuration file, in the event that you must revert to the original configuration.


To change the configuration file, run:

```
vi /etc/rkhunter.conf`
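Review bot: the new warning admonition has a typo ("recomended" should be "recommended") and capitalises "Administrator" where the line it replaces used lowercase; while touching this hunk, the advice would be more actionable if it gave the backup command itself rather than describing it, e.g. `cp -p /etc/rkhunter.conf /etc/rkhunter.conf.orig`, and mentioned that `rkhunter --config-check` (the `-C` flag) validates the edited file before the next run. The unchanged context line `vi /etc/rkhunter.conf\`` also carries a stray trailing backtick inside the fence that was present before this change and is worth fixing here, and the two consecutive blank lines after the admonition can be collapsed to one.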
@@ -87,7 +94,163 @@ Run `rkhunter` manually by typing it at the command-line. A cron job takes care

You will also need to move the script somewhere other than `/etc/cron.daily/`, such as `/usr/local/sbin/` and call it from your custom cron job. The easiest method is to leave the default `cron.daily` setup intact.

If you want to test `rkhunter` before you start, including all email functionality, run `rkhunter --check` from the command line. If problems exist with the email setup, hold off completing the remaining steps. When confirming email works, but before allowing `rkhunter` to run automatically, run the command manually again with the "--propupd" flag to create the `rkhunter.dat` file. This ensures recognition of your environment and configuration:
If you want to test `rkhunter` before you start, including all email functionality, run `rkhunter --check` from the command line. If installed and functioning correctly, you should receive an output similar to the following:

```
[root@sol admin]# rkhunter --check
[Rootkit Hunter version 1.4.6]

Checking system commands...

Performing 'strings' command checks
- Checking 'strings' command [OK]

Performing 'shared libraries' checks
- Checking for preloading variables [None found]
- Checking for preloaded libraries [None found]
- Checking LD_LIBRARY_PATH variable [Not found]

Performing file properties checks
- Checking for prerequisites [Warning]
- /usr/bin/awk [OK]
- /usr/bin/basename [OK]
- /usr/bin/bash [OK]
- /usr/bin/cat [OK]
- /usr/bin/chattr [OK]
- /usr/bin/chmod [OK]
- /usr/bin/chown [OK]
- /usr/bin/cp [OK]
- /usr/bin/curl [OK]
- /usr/bin/cut [OK]
- /usr/bin/date [OK]
- /usr/bin/df [OK]
- /usr/bin/diff [OK]
- /usr/bin/dirname [OK]
- /usr/bin/dmesg [OK]
- /usr/bin/du [OK]
- /usr/bin/echo [OK]
- /usr/bin/ed [OK]
- /usr/bin/egrep [Warning]
- /usr/bin/env [OK]
- /usr/bin/fgrep [Warning]
- /usr/bin/file [OK]
- /usr/bin/find [OK]
- /usr/bin/GET [OK]
- /usr/bin/grep [OK]
- /usr/bin/groups [OK]
- /usr/bin/head [OK]
- /usr/bin/id [OK]
- /usr/bin/ipcs [OK]
- /usr/bin/kill [OK]
- /usr/bin/killall [OK]
- /usr/bin/last [OK]
- /usr/bin/lastlog [OK]
- /usr/bin/ldd [OK]
- /usr/bin/less [OK]
- /usr/bin/locate [OK]
- /usr/bin/logger [OK]
- /usr/bin/login [OK]
- /usr/bin/ls [OK]
- /usr/bin/lsattr [OK]
- /usr/bin/lsof [OK]
- /usr/bin/mail [OK]
- /usr/bin/md5sum [OK]
- /usr/bin/mktemp [OK]
- /usr/bin/more [OK]
- /usr/bin/mount [OK]
- /usr/bin/mv [OK]
- /usr/bin/netstat [OK]
- /usr/bin/newgrp [OK]
- /usr/bin/passwd [OK]
- /usr/bin/perl [OK]
- /usr/bin/pgrep [OK]
- /usr/bin/ping [OK]
- /usr/bin/pkill [OK]
- /usr/bin/ps [OK]
- /usr/bin/pstree [OK]
- /usr/bin/pwd [OK]
- /usr/bin/readlink [OK]
- /usr/bin/rkhunter [OK]
- /usr/bin/rpm [OK]
- /usr/bin/runcon [OK]
- /usr/bin/sed [OK]
- /usr/bin/sestatus [OK]
- /usr/bin/sh [OK]
- /usr/bin/sha1sum [OK]
- /usr/bin/sha224sum [OK]
- /usr/bin/sha256sum [OK]
- /usr/bin/sha384sum [OK]
- /usr/bin/sha512sum [OK]
- /usr/bin/size [OK]
- /usr/bin/sort [OK]
- /usr/bin/ssh [OK]
- /usr/bin/stat [OK]
- /usr/bin/strace [OK]
- /usr/bin/strings [OK]
- /usr/bin/su [OK]
- /usr/bin/sudo [OK]
- /usr/bin/tail [OK]
- /usr/bin/test [OK]
- /usr/bin/top [OK]
- /usr/bin/touch [OK]
- /usr/bin/tr [OK]
- /usr/bin/uname [OK]
- /usr/bin/uniq [OK]
- /usr/bin/users [OK]
- /usr/bin/vmstat [OK]
- /usr/bin/w [OK]
- /usr/bin/watch [OK]
- /usr/bin/wc [OK]
- /usr/bin/wget [OK]
- /usr/bin/whatis [OK]
- /usr/bin/whereis [OK]
- /usr/bin/which [OK]
- /usr/bin/who [OK]
- /usr/bin/whoami [OK]
- /usr/bin/numfmt [OK]
- /usr/bin/gawk [OK]
- /usr/bin/s-nail [OK]
- /usr/bin/whatis.man-db [OK]
- /usr/bin/kmod [OK]
- /usr/bin/systemctl [OK]
- /usr/sbin/adduser [OK]
- /usr/sbin/chroot [OK]
- /usr/sbin/depmod [OK]
- /usr/sbin/fsck [OK]
- /usr/sbin/fuser [OK]
- /usr/sbin/groupadd [OK]
- /usr/sbin/groupdel [OK]
- /usr/sbin/groupmod [OK]
- /usr/sbin/grpck [OK]
- /usr/sbin/ifconfig [OK]
- /usr/sbin/init [OK]
- /usr/sbin/insmod [OK]
- /usr/sbin/ip [OK]
- /usr/sbin/lsmod [OK]
- /usr/sbin/modinfo [OK]
- /usr/sbin/modprobe [OK]
- /usr/sbin/nologin [OK]
- /usr/sbin/ping [OK]
- /usr/sbin/pwck [OK]
- /usr/sbin/rmmod [OK]
- /usr/sbin/route [OK]
- /usr/sbin/rsyslogd [OK]
- /usr/sbin/runlevel [OK]
- /usr/sbin/sestatus [OK]
- /usr/sbin/sshd [OK]
- /usr/sbin/sulogin [OK]
- /usr/sbin/sysctl [OK]
- /usr/sbin/useradd [OK]
- /usr/sbin/userdel [OK]
- /usr/sbin/usermod [OK]
- /usr/sbin/vipw [OK]
- /usr/libexec/gawk [OK]
- /usr/lib/systemd/systemd [OK]

[Press <ENTER> to continue]
```

If problems exist with the email setup, hold off completing the remaining steps. When confirming email works, but before allowing `rkhunter` to run automatically, run the command manually again with the "--propupd" flag to create the `rkhunter.dat` file. This ensures recognition of your environment and configuration:

```
rkhunter --propupd
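Review bot: the sentence introducing the sample output says "If installed and functioning correctly, you should receive an output similar to the following", but the pasted output contains three `[Warning]` results (`Checking for prerequisites`, `/usr/bin/egrep`, `/usr/bin/fgrep`) that the text never explains, so a reader comparing against it will conclude their install is broken. Either state why they appear or re-capture the output after they are resolved: the prerequisites warning is consistent with `rkhunter.dat` not existing yet, which is exactly what the `rkhunter --propupd` step further down creates, so say so at this point; for `egrep`/`fgrep`, check whether the scan flags them as scripts replacing binaries and, if that is the cause, document the corresponding `SCRIPTWHITELIST` entries in `/etc/rkhunter.conf` rather than leaving the warnings unexplained. Two smaller points on the same block: the prompt `[root@sol admin]#` leaks a real hostname and should be genericised, and the 150 lines of per-binary `[OK]` results could be trimmed with an ellipsis without losing the point; capturing with `rkhunter --check --sk` would also avoid ending the sample on `[Press <ENTER> to continue]`. In the re-added closing paragraph, `"--propupd"` should use backticks like the other commands on the page.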