rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD. rkhunter is notable due to its inclusion in popular operating systems
Step 1: Basic Installation
Install the packages
# apt install rkhunter
Step 2: Change the primary configuration file
Edit /etc/rkhunter.conf with the following, it will enable most of the important settings required:
#
# This is the main configuration file for Rootkit Hunter.
#
# You can modify this file directly, or you can create a local configuration
# file. The local file must be named 'rkhunter.conf.local', and must reside
# in the same directory as this file. Alternatively you can create a directory,
# named 'rkhunter.d', which also must be in the same directory as this
# configuration file. Within the 'rkhunter.d' directory you can place further
# configuration files. There is no restriction on the file names used, other
# than they must end in '.conf'.
#
# Please modify the configuration file(s) to your own requirements. It is
# recommended that the command 'rkhunter -C' is run after any changes have
# been made.
#
# Please review the documentation before posting bug reports or questions.
# To report bugs, obtain updates, or provide patches or comments, please go
# to: http://rkhunter.sourceforge.net
#
# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list.
# Note that this is a moderated list, so please subscribe before posting.
#
# In the configuration files, lines beginning with a hash (#), and blank lines,
# are ignored. Also, end-of-line comments are not supported.
#
# Any of the configuration options may appear more than once. However, several
# options only take one value, and so the last one seen will be used. Some
# options are allowed to appear more than once, and the text describing the
# option will say if this is so. These configuration options will, in effect,
# have their values concatenated together. To delete a previously specified
# option list, specify the option with no value (that is, a null string).
#
# Some of the options are space-separated lists, others, typically those
# specifying pathnames, are newline-separated lists. These must be entered
# as one item per line. Quotes must not be used to surround the pathname.
#
# For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an
# option: XXX=/tmp/abc (correct)
# XXX=/tmp/xyz
#
# XXX="/tmp/abc" (incorrect)
# XXX="/tmp/xyz"
#
# XXX=/tmp/abc /tmp/xyz (incorrect)
# or XXX="/tmp/abc /tmp/xyz" (incorrect)
# or XXX="/tmp/abc" "/tmp/xyz" (incorrect)
#
# The last three examples are being configured as space-separated lists,
# which is incorrect, generally, for options specifying pathnames. They
# should be configured with one entry per line as in the first example.
#
# If wildcard characters (globbing) are allowed for an option, then the
# text describing the option will say so.
#
# Space-separated lists may be enclosed by quotes, although they are not
# required. If they are used, then they must only appear at the start and
# end of the list, not in the middle.
#
# For example: XXX=abc def gh (correct)
# XXX="abc def gh" (correct)
# XXX="abc" "def" "gh" (incorrect)
#
# Space-separated lists may also be entered simply as one entry per line.
#
# For example: XXX=abc (correct)
# XXX=def
# XXX="gh"
#
# If a configuration option is never set, then the program will assume a
# default value. The text describing the option will state the default value.
# If there is no default, then rkhunter will calculate a value or pathname
# to use.
#
#
# If this option is set to '1', it specifies that the mirrors file
# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
# options are used, is to be rotated. Rotating the entries in the file allows
# a basic form of load-balancing between the mirror sites whenever the above
# options are used.
#
# If the option is set to '0', then the mirrors will be treated as if in a
# priority list. That is, the first mirror listed will always be used first.
# The second mirror will only be used if the first mirror fails, the third
# mirror will only be used if the second mirror fails, and so on.
#
# If the mirrors file is read-only, then the '--versioncheck' command-line
# option can only be used if this option is set to '0'.
#
# The default value is '1'.
#
#ROTATE_MIRRORS=1
ROTATE_MIRRORS=1
#
# If this option is set to '1', it specifies that when the '--update' option is
# used, then the mirrors file is to be checked for updates as well. If the
# current mirrors file contains any local mirrors, these will be prepended to
# the updated file. If this option is set to '0', the mirrors file can only be
# updated manually. This may be useful if only using local mirrors.
#
# The default value is '1'.
#
#UPDATE_MIRRORS=1
UPDATE_MIRRORS=1
#
# The MIRRORS_MODE option tells rkhunter which mirrors are to be used when
# the '--update' or '--versioncheck' command-line options are given.
# Possible values are:
# 0 - use any mirror
# 1 - only use local mirrors
# 2 - only use remote mirrors
#
# Local and remote mirrors can be defined in the mirrors file by using the
# 'local=' and 'remote=' keywords respectively.
#
# The default value is '0'.
#
#MIRRORS_MODE=0
MIRRORS_MODE=0
#
# Email a message to this address if a warning is found when the system is
# being checked. Multiple addresses may be specified simply be separating
# them with a space. To disable the option, simply set it to the null string
# or comment it out.
#
# The option may be specified more than once.
#
# The default value is the null string.
#
# Also see the MAIL_CMD option.
#
#MAIL-ON-WARNING=me@mydomain root@mydomain
#
# This option specifies the mail command to use if MAIL-ON-WARNING is set.
#
# NOTE: Double quotes are not required around the command, but are required
# around the subject line if it contains spaces.
#
# The default is to use the 'mail' command, with a subject line
# of '[rkhunter] Warnings found for ${HOST_NAME}'.
#
#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
#
# This option specifies the directory to use for temporary files.
#
# NOTE: Do not use '/tmp' as your temporary directory. Some important files
# will be written to this directory, so be sure that the directory permissions
# are secure.
#
# The installer program will set the default directory. If this default is
# subsequently commented out or removed, then the program will assume a
# default directory beneath the installation directory.
#
#TMPDIR=/var/lib/rkhunter/tmp
TMPDIR=/var/lib/rkhunter/tmp
#
# This option specifies the database directory to use.
#
# The installer program will set the default directory. If this default is
# subsequently commented out or removed, then the program will assume a
# default directory beneath the installation directory.
#
DBDIR=/var/lib/rkhunter/db
#
# This option specifies the script directory to use.
#
# The installer program will set the default directory. If this default is
# subsequently commented out or removed, then the program will not run.
#
#SCRIPTDIR=/usr/local/lib/rkhunter/scripts
SCRIPTDIR=/usr/share/rkhunter/scripts
#
# This option can be used to modify the command directory list used by rkhunter
# to locate commands (that is, its PATH). By default this will be the root PATH,
# and an internal list of some common command directories.
#
# Any directories specified here will, by default, be appended to the default
# list. However, if a directory name begins with the '+' character, then that
# directory will be prepended to the list (that is, it will be put at the start
# of the list).
#
# This is a space-separated list of directory names. The option may be
# specified more than once.
#
# The default value is based on the root account PATH environment variable.
#
#BINDIR=/bin /usr/bin /sbin /usr/sbin
#BINDIR=+/usr/local/bin +/usr/local/sbin
#
# This option specifies the default language to use. This should be similar to
# the ISO 639 language code.
#
# NOTE: Please ensure that the language you specify is supported.
# For a list of supported languages use the following command:
#
# rkhunter --lang en --list languages
#
# The default language is 'en' (English).
#
#LANGUAGE=en
#
# This option is a space-separated list of the languages that are to be updated
# when the '--update' option is used. If unset, then all the languages will be
# updated. If none of the languages are to be updated, then set this option to
# just 'en'.
#
# The default language, specified by the LANGUAGE option, and the English (en)
# language file will always be updated regardless of this option.
#
# This option may be specified more than once.
#
# The default value is the null string, indicating that all the language files
# will be updated.
#
#UPDATE_LANG=""
UPDATE_LANG="en"
#
# This option specifies the log file pathname. The file will be created if it
# does not initially exist. If the option is unset, then the program will
# display a message each time it is run saying that the default value is being
# used.
#
# The default value is '/var/log/rkhunter.log'.
#
LOGFILE=/var/log/rkhunter.log
#
# Set this option to '1' if the log file is to be appended to whenever rkhunter
# is run. A value of '0' will cause a new log file to be created whenever the
# program is run.
#
# The default value is '0'.
#
#APPEND_LOG=0
APPEND_LOG=0
#
# Set the following option to '1' if the log file is to be copied when rkhunter
# finishes and an error or warning has occurred. The copied log file name will
# be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format).
# For example: rkhunter.log.2009-04-21_00:57:51
# If the option value is '0', then the log file will not be copied regardless
# of whether any errors or warnings occurred.
#
# The default value is '0'.
#
#COPY_LOG_ON_ERROR=0
COPY_LOG_ON_ERROR=0
#
# Set the following option to enable the rkhunter check start and finish times
# to be logged by syslog. Warning messages will also be logged. The value of
# the option must be a standard syslog facility and priority, separated by a
# dot. For example:
#
# USE_SYSLOG=authpriv.warning
#
# Setting the value to 'NONE', or just leaving the option commented out,
# disables the use of syslog.
#
# The default value is not to use syslog.
#
#USE_SYSLOG=authpriv.notice
USE_SYSLOG=authpriv.warning
#
# Set the following option to '1' if the second colour set is to be used. This
# can be useful if your screen uses black characters on a white background
# (for example, a PC instead of a server). A value of '0' will cause the default
# colour set to be used.
#
# The default value is '0'.
#
#COLOR_SET2=0
COLOR_SET2=0
#
# Set the following option to '0' if rkhunter should not detect if X is being
# used. If X is detected as being used, then the second colour set will
# automatically be used. If set to '1', then the use of X will be detected.
#
# The default value is '0'.
#
AUTO_X_DETECT=1
#
# Set the following option to '1' if it is wanted that any 'Whitelisted' results
# are shown in white rather than green. For colour set 2 users, setting this
# option will cause the result to be shown in black. Setting the option to '0'
# causes whitelisted results to be displayed in green.
#
# The default value is '0'.
#
#WHITELISTED_IS_WHITE=0
WHITELISTED_IS_WHITE=0
#
# The following option is checked against the SSH configuration file
# 'PermitRootLogin' option. A warning will be displayed if they do not match.
# However, if a value has not been set in the SSH configuration file, then a
# value here of 'unset' can be used to avoid warning messages.
#
# The default value is 'no'.
#
ALLOW_SSH_ROOT_USER=no
#
# Set this option to '1' to allow the use of the SSH-1 protocol, but note
# that theoretically it is weaker, and therefore less secure, than the
# SSH-2 protocol. Do not modify this option unless you have good reasons
# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
# authentication). If the 'Protocol' option has not been set in the SSH
# configuration file, then a value of '2' may be set here in order to
# suppress a warning message. A value of '0' indicates that the use of
# SSH-1 is not allowed.
#
# The default value is '0'.
#
#ALLOW_SSH_PROT_V1=0
ALLOW_SSH_PROT_V1=0
#
# This setting tells rkhunter the directory containing the SSH configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
# This option has no default value.
#
#SSH_CONFIG_DIR=/etc/ssh
#
# These two options determine which tests are to be performed. The ENABLE_TESTS
# option can use the word 'ALL' to refer to all of the available tests. The
# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are
# disabled. The list of disabled tests is applied to the list of enabled tests.
#
# Both options are space-separated lists of test names, and both options may
# be specified more than once. The currently available test names can be seen
# by using the command 'rkhunter --list tests'.
#
# The supplied configuration file has some tests already disabled, and these
# are tests that will be used only occasionally, can be considered 'advanced'
# or that are prone to produce more than the average number of false-positives.
#
# Please read the README file for more details about enabling and disabling
# tests, the test names, and how rkhunter behaves when these options are used.
#
# The default values are to enable all tests and to disable none. However, if
# either of the options below are specified, then they will override the
# program defaults.
#
ENABLE_TESTS=ALL
#DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
DISABLE_TESTS=deleted_files
#
# The HASH_CMD option can be used to specify the command to use for the file
# properties hash value check. It can be specified as just the command name or
# the full pathname. If just the command name is given, and it is one of MD5,
# SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the
# relevant command, such as 'sha256sum', and then for 'sha256'. If neither of
# these are found, it will then look to see if a perl module has been installed
# which will support the relevant hash function. To see which perl modules have
# been installed use the command 'rkhunter --list perl'.
#
# Systems using prelinking are restricted to using either the SHA1 or MD5
# function.
#
# A value of 'NONE' (in uppercase) can be specified to indicate that no hash
# function should be used. Rkhunter will detect this, and automatically disable
# the file properties hash check test.
#
# Examples:
# For Solaris 9 : HASH_CMD=gmd5sum
# For Solaris 10: HASH_CMD=sha1sum
# For AIX (>5.2): HASH_CMD="csum -hMD5"
# For NetBSD : HASH_CMD="cksum -a sha512"
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
# The default value is the SHA1 function, or MD5 if SHA1 cannot be found.
#
# Also see the HASH_FLD_IDX option.
#
HASH_CMD=sha512sum
#
# The HASH_FLD_IDX option specifies which field from the HASH_CMD command
# output contains the hash value. The fields are assumed to be space-separated.
#
# The option value must be an integer greater than zero.
#
# The default value is '1', but for *BSD users rkhunter will, by default, use a
# value of '4' if the HASH_CMD option has not been set.
#
#HASH_FLD_IDX=4
#
# The PKGMGR option tells rkhunter to use the specified package manager to
# obtain the file property information. This is used when updating the file
# properties file ('rkhunter.dat'), and when running the file properties check.
# For RedHat/RPM-based systems, 'RPM' can be used to get information from the
# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems
# 'BSD' can be used, and for Solaris systems 'SOLARIS' can be used. No value,
# or a value of 'NONE', indicates that no package manager is to be used.
#
# The current package managers, except 'SOLARIS', store the file hash values
# using an MD5 hash function. The Solaris package manager includes a checksum
# value, but this is not used by default (see USE_SUNSUM below).
#
# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
# The 'RPM' package manager additionally provides values for the inode,
# file permissions, uid, gid and other values. The 'SOLARIS' also provides
# most of the values, similar to 'RPM', but not the inode number.
#
# For any file not part of a package, rkhunter will revert to using the
# HASH_CMD hash function instead.
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
# The default value is 'NONE'.
#
# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options.
#
#PKGMGR=NONE
PKGMGR=DPKG
#
# It is possible that a file, which is part of a package, may have been
# modified by the administrator. Typically this occurs for configuration
# files. However, the package manager may list the file as being modified.
# For the RPM package manager this may well depend on how the package was
# built. This option specifies a pathname which is to be exempt from the
# package manager verification process, and which will be treated
# as a non-packaged file. As such, the file properties are still checked.
#
# This option only takes effect if the PKGMGR option has been set, and
# is not 'NONE'.
#
# This option may be specified more than once.
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
# The default value is the null string.
#
#PKGMGR_NO_VRFY=""
#
# If the 'SOLARIS' package manager is used, then it is possible to use the
# checksum (hash) value stored for a file. However, this is only a 16-bit
# checksum, and as such is not nearly as secure as, for example, a SHA-2 value.
# If the option is set to '0', then the checksum is not used and the hash
# function given by HASH_CMD is used instead. To enable this option, set its
# value to '1'. The Solaris 'sum' command must be present on the system if this
# option is used.
#
# The default value is '0'.
#
#USE_SUNSUM=0
#
# This option can be used to tell rkhunter to ignore any prelink dependency
# errors for the given commands. However, a warning will also be issued if the
# error does not occur for a given command. As such this option must only be
# used on commands which experience a persistent problem.
#
# Short-term prelink dependency errors can usually be resolved simply by
# running the 'prelink' command on the given pathname.
#
# This is a space-separated list of command pathnames. The option can be
# specified more than once.
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
# The default value is the null string.
#
#IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top
#
# These options specify a command, directory or file pathname which will be
# included or excluded in the file properties checks.
#
# For the USER_FILEPROP_FILES_DIRS option, simple command names - for example,
# 'top' - and directory names are added to the internal list of directories to
# be searched for each of the command names in the command list. Additionally,
# full pathnames to files, which need not be commands, may be given. Any files
# or directories which are already part of the internal lists will be silently
# ignored from the configuration.
#
# For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for
# simple command names.
# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
#
# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS
# option. Wildcards may be used with this option.
#
# By combining these two options, and using wildcards, whole directories can be
# excluded. For example:
#
# USER_FILEPROP_FILES_DIRS=/etc/*
# USER_FILEPROP_FILES_DIRS=/etc/*/*
# EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/*
#
# This will look for files in the first two directory levels of '/etc'. However,
# anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be
# excluded.
#
# NOTE: Only files and directories which have been added by the user, and are
# not part of the internal lists, can be excluded. So, for example, it is not
# possible to exclude the 'ps' command by using '/bin/ps'. These will be
# silently ignored from the configuration.
#
# Both options can be specified more than once.
#
# NOTE: Whenever these options are changed 'rkhunter --propupd' must be run.
#
# The default value for both options is the null string.
#
#USER_FILEPROP_FILES_DIRS=top
#USER_FILEPROP_FILES_DIRS=/usr/local/sbin
#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/*
#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/i18n/*
#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps*
#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/mirrors.dat
#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/rkhunter*
#
# This option whitelists files and directories from existing, or not existing,
# on the system at the time of testing. This option is used when the
# configuration file options themselves are checked, and during the file
# properties check, the hidden files and directories checks, and the filesystem
# check of the '/dev' directory.
#
# This option may be specified more than once, and may use wildcards.
# Be aware though that this is probably not what you want to do as the
# wildcarding will be expanded after files have been deleted. As such
# deleted files won't be whitelisted if wildcarded.
#
# NOTE: The user must take into consideration how often the file will appear
# and disappear from the system in relation to how often rkhunter is run. If
# the file appears, and disappears, too often then rkhunter may not notice
# this. All it will see is that the file has changed. The inode-number and DTM
# will certainly be different for each new file, and rkhunter will report this.
#
# The default value is the null string.
#
#
# Whitelist various attributes of the specified file. The attributes are those
# of the 'attributes' test. Specifying a file name here does not include it
# being whitelisted for the write permission test (see below).
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ATTRWHITELIST=/usr/bin/date
#
# Allow the specified file to have the 'others' (world) permission have the
# write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#WRITEWHITELIST=/usr/bin/date
#
# Allow the specified file to be a script.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/which
#
# Allow the specified file to have the immutable attribute set.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#IMMUTWHITELIST=/sbin/ifdown
#
# If this option is set to '1', then the immutable-bit test is reversed. That
# is, the files are expected to have the bit set. A value of '0' means that the
# immutable-bit should not be set.
#
# The default value is '0'.
#
#IMMUTABLE_SET=0
IMMUTABLE_SET=0
#
# Allow the specified hidden directory to be whitelisted.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ALLOWHIDDENDIR=/etc/.java
#ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.udevdb
#ALLOWHIDDENDIR=/dev/.mdadm
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENDIR=/dev/.mdadm
#
# Allow the specified hidden file to be whitelisted.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
#
# Allow the specified process to use deleted files. The process name may be
# followed by a colon-separated list of full pathnames. The process will then
# only be whitelisted if it is using one of the given files. For example:
#
# ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
#
# This option may be specified more than once. It may also use wildcards, but
# only in the file names.
#
# The default value is the null string.
#
#ALLOWPROCDELFILE=/sbin/cardmgr
#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
#
# Allow the specified process to listen on any network interface.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
ALLOWPROCLISTEN=/sbin/dhclient
ALLOWPROCLISTEN=/usr/bin/dhcpcd
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
#
# Allow the specified network interfaces to be in promiscuous mode.
#
# This is a space-separated list of interface names. The option may be
# specified more than once.
#
# The default value is the null string.
#
#ALLOWPROMISCIF=eth0
#
# This option specifies how rkhunter should scan the '/dev' directory for
# suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'.
#
# A THOROUGH scan will increase the overall runtime of rkhunter. Despite this,
# it is highly recommended that this value is used.
#
# The default value is 'THOROUGH'.
#
# Also see the ALLOWDEVFILE option.
#
#SCAN_MODE_DEV=THOROUGH
SCAN_MODE_DEV=THOROUGH
#
# Allow the specified file to be present in the '/dev' directory, and not
# regarded as suspicious.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ALLOWDEVFILE=/dev/shm/pulse-shm-*
#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
ALLOWDEVFILE=/dev/shm/qb-*/qb-*
ALLOWDEVFILE=/dev/shm/PostgreSQL*
ALLOWDEVFILE=/dev/shm/performanceanalyzer/*
ALLOWDEVFILE=/dev/shm/sem.*.dat
ALLOWDEVFILE=/dev/shm/squid-*.shm
ALLOWDEVFILE=/dev/shm/mono.*
ALLOWDEVFILE=/dev/shm/libpod*lock*
#
# Allow the specified process pathnames to use shared memory segments.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ALLOWIPCPROC=/usr/bin/firefox
#ALLOWIPCPROC=/usr/bin/vlc
#
# Allow the specified memory segment creator PIDs to use shared memory segments.
#
# This is a space-separated list of PID numbers (as given by the
# 'ipcs -p' command). This option may be specified more than once.
#
# The default value is the null string.
#
#ALLOWIPCPID=12345 6789
#
# Allow the specified account names to use shared memory segments.
#
# This is a space-separated list of account names. The option may be specified
# more than once.
#
# The default value is the null string.
#
#ALLOWIPCUSER=usera userb
#
# This option can be used to set the maximum shared memory segment size
# (in bytes) that is not considered suspicious. Any segment above this size,
# and with 600 or 666 permissions, will be considered suspicious during the
# shared memory check.
#
# The default is 1048576 (1M) bytes.
#
#IPC_SEG_SIZE=1048576
#
# This option is used to indicate if the Phalanx2 test is to perform a basic
# check, or a more thorough check. If the option is set to '0', then a basic
# check is performed. If it is set to '1', then all the directories in the
# '/etc' and '/usr' directories are scanned.
#
# NOTE: Setting this option to '1' will cause the test to take longer
# to complete.
#
# The default value is '0'.
#
#PHALANX2_DIRTEST=0
PHALANX2_DIRTEST=0
#
# This option tells rkhunter where the inetd configuration file is located.
#
# The default value is the null string.
#
#INETD_CONF_PATH=/etc/inetd.conf
#
# This option allows the specified enabled inetd services.
#
# This is a space-separated list of service names. The option may be specified
# more than once.
#
# For non-Solaris users the simple service name should be used.
# For example:
#
# INETD_ALLOWED_SVC=echo
#
# For Solaris 9 users the simple service name should also be used, but
# if it is an RPC service, then the executable pathname should be used.
# For example:
#
# INETD_ALLOWED_SVC=imaps
# INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd
#
# For Solaris 10 users the service/FMRI name should be used. For example:
#
# INETD_ALLOWED_SVC=/network/rpc/meta
# INETD_ALLOWED_SVC=/network/rpc/metamed
# INETD_ALLOWED_SVC=/application/font/stfsloader
# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#
# The default value is the null string.
#
#INETD_ALLOWED_SVC=echo
#
# This option tells rkhunter where the xinetd configuration file is located.
#
# The default value is the null string.
#
#XINETD_CONF_PATH=/etc/xinetd.conf
#
# This option allows the specified enabled xinetd services. Whilst it would be
# nice to use the service names themselves, at the time of testing we only have
# the pathname available. As such, these entries are the xinetd file pathnames.
#
# This is a space-separated list of service names. The option may be specified
# more than once.
#
# The default value is the null string.
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
#
# This option tells rkhunter the local system startup file pathnames. The
# directories will be searched for files. By default rkhunter will try and
# determine were the startup files are located. If the option is set to 'NONE',
# then certain tests will be skipped.
#
# This is a space-separated list of file and directory pathnames. The option
# may be specified more than once, and may use wildcard characters.
#
# This option has no default value.
#
#STARTUP_PATHS=/etc/rc.d /etc/rc.local
#
# This option tells rkhunter the pathname to the file containing the user
# account passwords. This setting will be worked out by rkhunter, and so
# should not usually need to be set. Users of TCB shadow files should not
# set this option.
#
# This option has no default value.
#
#PASSWORD_FILE=/etc/shadow
#
# This option allows the specified accounts to be root equivalent. These
# accounts will have a UID value of zero. The 'root' account does not need
# to be listed as it is automatically whitelisted.
#
# This is a space-separated list of account names. The option may be specified
# more than once.
#
# NOTE: For *BSD systems you will probably need to use this option for the
# 'toor' account.
#
# The default value is the null string.
#
#UID0_ACCOUNTS=toor rooty
#
# This option allows the specified accounts to have no password. NIS/YP entries
# do not need to be listed as they are automatically whitelisted.
#
# This is a space-separated list of account names. The option may be specified
# more than once.
#
# The default value is the null string.
#
#PWDLESS_ACCOUNTS=abc
#
# This option tells rkhunter the pathname to the syslog configuration file.
# This setting will be worked out by rkhunter, and so should not usually need
# to be set. A value of 'NONE' can be used to indicate that there is no
# configuration file, but that the syslog daemon process may be running.
#
# This is a space-separated list of pathnames. The option may be specified
# more than once.
#
# This option has no default value.
#
#SYSLOG_CONFIG_FILE=/etc/syslog.conf
#
# If this option is set to '1', then the use of syslog remote logging is
# permitted. A value of '0' disallows the use of remote logging.
#
# The default value is '0'.
#
#ALLOW_SYSLOG_REMOTE_LOGGING=0
ALLOW_SYSLOG_REMOTE_LOGGING=0
#
# This option allows the specified applications, or a specific version of an
# application, to be whitelisted. If a specific version is to be whitelisted,
# then the name must be followed by a colon and then the version number.
# For example:
#
# APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29
#
# This is a space-separated list of pathnames. The option may be specified
# more than once.
#
# The default value is the null string.
#
#APP_WHITELIST=""
#
# Set this option to scan for suspicious files in directories which pose a
# relatively higher risk due to user write access.
#
# Please do not enable the 'suspscan' test by default as it is CPU and I/O
# intensive, and prone to producing false positives. Do review all settings
# before usage. Also be aware that running 'suspscan' in combination with
# verbose logging on, rkhunter's default, will show all ignored files.
#
# Please consider adding all directories the user the (web)server runs as,
# and has write access to, including the document root (e.g: '/var/www') and
# log directories (e.g: '/var/log/httpd').
#
# This is a space-separated list of directory pathnames. The option may be
# specified more than once.
#
# The default value is the '/tmp' and '/var/tmp' directories.
#
#SUSPSCAN_DIRS=/tmp /var/tmp
#
# This option specifies the directory for temporary files used by the
# 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is
# better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS
# as that is highly likely to cause false-positive results.
#
# The default value is '/dev/shm'.
#
#SUSPSCAN_TEMP=/dev/shm
SUSPSCAN_TEMP=/dev/shm
#
# This option specifies the 'suspscan' test maximum filesize in bytes. Files
# larger than this will not be inspected. Do make sure you have enough space
# available in your temporary files directory.
#
# The default value is '1024000'.
#
#SUSPSCAN_MAXSIZE=10240000
SUSPSCAN_MAXSIZE=10240000
#
# This option specifies the 'suspscan' test score threshold. Below this value
# no hits will be reported.
#
# The default value is '200'.
#
#SUSPSCAN_THRESH=200
SUSPSCAN_THRESH=200
#
# The following options can be used to whitelist network ports which are known
# to have been used by malware.
#
# The PORT_WHITELIST option is a space-separated list of one or more of two
# types of whitelisting. These are:
#
# 1) a 'protocol:port' pair
# 2) an asterisk ('*')
#
# Only the UDP or TCP protocol may be specified, and the port number must be
# between 1 and 65535 inclusive.
#
# The asterisk can be used to indicate that any executable which rkhunter can
# locate as a command, is whitelisted. (Also see BINDIR)
#
# The PORT_PATH_WHITELIST option specifies one of two types of whitelisting.
# These are:
#
# 1) a pathname to an executable
# 2) a combined pathname, protocol and port
#
# As above, the protocol can only be TCP or UDP, and the port number must be
# between 1 and 65535 inclusive.
#
# Examples:
#
# PORT_WHITELIST=TCP:2001 UDP:32011
# PORT_PATH_WHITELIST=/usr/sbin/squid
# PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
#
# NOTE: In order to whitelist a pathname, or use the asterisk option, the
# 'lsof' command must be present.
#
# Both options may be specified more than once.
#
# The default value for both options is the null string.
#
#PORT_WHITELIST=""
#PORT_PATH_WHITELIST=""
#
# The following option can be used to tell rkhunter where the operating system
# 'release' file is located. This file contains information specifying the
# current O/S version. RKH will store this information, and check to see if it
# has changed between each run. If it has changed, then the user is warned that
# RKH may issue warning messages until RKH has been run with the '--propupd'
# option.
#
# Since the contents of the file vary according to the O/S distribution, RKH
# will perform different actions when it detects the file itself. As such, this
# option should not be set unless necessary. If this option is specified, then
# RKH will assume the O/S release information is on the first non-blank line of
# the file.
#
# This option has no default value.
#
# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options.
#
#OS_VERSION_FILE=/etc/release
#
# Set the following option to '0' if you do not want to receive a warning if any
# O/S information has changed since the last run of 'rkhunter --propupd'. The
# warnings occur during the file properties check. Setting a value of '1' will
# cause rkhunter to issue a warning if something has changed.
#
# The default value is '1'.
#
#WARN_ON_OS_CHANGE=1
#
# Set the following option to '1' if you want rkhunter to automatically run a
# file properties update ('--propupd') if the O/S has changed. Detection of an
# O/S change occurs during the file properties check. Setting a value of '0'
# will cause rkhunter not to do an automatic update.
#
# WARNING: Only set this option if you are sure that the update will work
# correctly. That is, that the database directory is writeable, that a valid
# hash function is available, and so on. This can usually be checked simply by
# running 'rkhunter --propupd' at least once.
#
# The default value is '0'.
#
#UPDT_ON_OS_CHANGE=0
#
# The following two options can be used to whitelist files and directories that
# would normally be flagged with a warning during the various rootkit and
# malware checks. Only existing files and directories can be specified, and
# these must be full pathnames not links.
#
# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
# file name (separated by a colon). This will then only whitelist that string
# in that file (as part of the malware checks). For example:
#
# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
#
# If the option list includes the filename on its own as well, then the file
# will be whitelisted from rootkit checks of the files existence, but still
# only the specific string within the file will be whitelisted. For example:
#
# RTKT_FILE_WHITELIST=/etc/rc.local
# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
#
# To whitelist a file from the existence checks, but not from the strings
# checks, then include the filename on its own and on its own but with just
# a colon appended. For example:
#
# RTKT_FILE_WHITELIST=/etc/rc.local
# RTKT_FILE_WHITELIST=/etc/rc.local:
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# Both of these options may be specified more than once.
#
# For both options the default value is the null string.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""
#
# The following option can be used to whitelist shared library files that would
# normally be flagged with a warning during the preloaded shared library check.
# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
# the LD_PRELOAD environment variable.
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# This option is a space-separated list of library pathnames. The option may be
# specified more than once.
#
# The default value is the null string.
#
#SHARED_LIB_WHITELIST=/lib/snoopy.so
#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
# command the following two options can be used. The value must be set to
# 'BUILTIN'.
#
# NOTE: IRIX users will probably need to enable STAT_CMD.
#
# For both options the default value is the null string.
#
#STAT_CMD=BUILTIN
#READLINK_CMD=BUILTIN
#
# In the file properties test any modification date/time is displayed as the
# number of epoch seconds. Rkhunter will try and use the 'date' command, or
# failing that the 'perl' command, to display the date and time in a
# human-readable format as well. This option may be used if some other command
# should be used instead. The given command must understand the '%s' and
# 'seconds ago' options found in the GNU 'date' command.
#
# A value of 'NONE' may be used to request that only the epoch seconds be shown.
# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
# it is present.
#
# This option has no default value.
#
#EPOCH_DATE_CMD=""
#
# This setting tells rkhunter the directory containing the available Linux
# kernel modules. This setting will be worked out by rkhunter, and so should
# not usually need to be set.
#
# This option has no default value.
#
#MODULES_DIR=""
#
# The following option can be set to a command which rkhunter will use when
# downloading files from the Internet - that is, when the '--update' or
# '--versioncheck' option is used. The command can take options.
#
# This allows the user to use a command other than the one automatically
# selected by rkhunter, but still one which it already knows about.
# For example:
#
# WEB_CMD=curl
#
# Alternatively, the user may specify a completely new command. However, note
# that rkhunter expects the downloaded file to be written to stdout, and that
# everything written to stderr is ignored. For example:
#
# WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
#
# *BSD users may want to use the 'ftp' command, provided that it supports the
# HTTP protocol:
#
# WEB_CMD="ftp -o -"
#
# This option has no default value.
#
#WEB_CMD=""
WEB_CMD=curl
#
# Set the following option to '1' if locking is to be used when rkhunter runs.
# The lock is set just before logging starts, and is removed when the program
# ends. It is used to prevent items such as the log file, and the file
# properties file, from becoming corrupted if rkhunter is running more than
# once. The mechanism used is to simply create a lock file in the TMPDIR
# directory. If the lock file already exists, because rkhunter is already
# running, then the current process simply loops around sleeping for 10 seconds
# and then retrying the lock. A value of '0' means not to use locking.
#
# The default value is '0'.
#
# Also see the LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
#
#USE_LOCKING=0
USE_LOCKING=0
#
# If locking is used, then rkhunter may have to wait to get the lock file.
# This option sets the total amount of time, in seconds, that rkhunter should
# wait. It will retry the lock every 10 seconds, until either it obtains the
# lock or the timeout value has been reached.
#
# The default value is 300 seconds (5 minutes).
#
#LOCK_TIMEOUT=300
LOCK_TIMEOUT=300
#
# If locking is used, then rkhunter may be doing nothing for some time if it
# has to wait for the lock. If this option is set to '1', then some simple
# messages are echoed to the users screen to let them know that rkhunter is
# waiting for the lock. Set this option to '0' if the messages are not to be
# displayed.
#
# The default value is '1'.
#
#SHOW_LOCK_MSGS=1
SHOW_LOCK_MSGS=1
#
# If this option is set to 'THOROUGH' then rkhunter will search (on a per
# rootkit basis) for filenames in all of the directories (as defined by the
# result of running 'find / -xdev'). While still not optimal, as it still
# searches for only file names as opposed to file contents, this is one step
# away from the rigidity of searching in known (evidence) or default
# (installation) locations.
#
# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
#
# You should only activate this feature as part of a more thorough
# investigation, which should be based on relevant best practices and
# procedures.
#
# Enabling this feature implies you have the knowledge to interpret the
# results properly.
#
# The default value is the null string.
#
#SCANROOTKITMODE=THOROUGH
#
# The following option can be set to the name(s) of the tests the 'unhide'
# command is to use. Options such as '-m' and '-v' may be specified, but will
# only take effect when they are seen. The test names are a space-separated
# list, and will be executed in the order given.
#
# This option may be specified more than once.
#
# The default value is 'sys' in order to maintain compatibility with older
# versions of 'unhide'.
#
#UNHIDE_TESTS=sys
#
# The following option can be used to set options for the 'unhide-tcp' command.
# The options are space-separated.
#
# This option may be specified more than once.
#
# The default value is the null string.
#
#UNHIDETCP_OPTS=""
#
# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system,
# then it is possible to disable the execution of one of the programs if
# desired. By default rkhunter will look for both programs, and execute each
# of them as they are found. If the value of this option is '0', then both
# programs will be executed if they are present. A value of '1' will disable
# execution of the C 'unhide' program, and a value of '2' will disable the Ruby
# 'unhide.rb' program. To disable both programs, then disable the
# 'hidden_procs' test.
#
# The default value is '0'.
#
#DISABLE_UNHIDE=0
DISABLE_UNHIDE=1
#
# This option can be set to either '0' or '1'. If set to '1' then the summary,
# shown after rkhunter has run, will display the actual number of warnings
# found. If it is set to '0', then the summary will simply indicate that
# 'One or more' warnings were found. If no warnings were found, and this option
# is set to '1', then a "0" will be shown. If the option is set to '0', then
# the words 'No warnings' will be shown.
#
# The default value is '0'.
#
#SHOW_SUMMARY_WARNINGS_NUMBER=0
#
# This option is used to determine where, if anywhere, the summary scan time is
# displayed. A value of '0' indicates that it should not be displayed anywhere.
# A value of '1' indicates that the time should only appear on the screen, and a
# value of '2' that it should only appear in the log file. A value of '3'
# indicates that the time taken should appear both on the screen and in the log
# file.
#
# The default value is '3'.
#
#SHOW_SUMMARY_TIME=3
#
# The two options below may be used to check if a file is missing or empty
# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check
# if the file is missing, since that can be interpreted as a file of no size.
# However, the file will only be reported as missing if the MISSING_LOGFILES
# option hasn't already done this.
#
# Both options are space-separated lists of pathnames, and may be specified
# more than once.
#
# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is
# perfectly possible for the file to be either missing or empty. As such these
# options may produce false-positive warnings when log files are rotated.
#
# For both options the default value is the null string.
#
#EMPTY_LOGFILES=""
#MISSING_LOGFILES=""
INSTALLDIR=/usr
Step 3: Commands
The following command updates rkhunter
# rkhunter --update
The following command updates rkhunter file properties
# rkhunter --propd
The following command performs full rkhunter check
# rkhunter --check --skip-keypress