Rootkits are a particularly dangerous kind of malware. An ordinary virus causes visible trouble, but a rootkit hides itself while it does its damage and collects information.

For this reason, scanning for them is very important.

Here I’ll show how to set up rkhunter to scan your system daily.

rkhunter

rkhunter is a very good scanner that searches for many different types of rootkits.

First, install it with your distribution’s package manager:

apt-get install rkhunter    (Debian/Ubuntu)
dnf install rkhunter        (Fedora)
pacman -Sy rkhunter         (Arch)

Once installed, the config files are:

  • /etc/rkhunter.conf holds rkhunter’s own options.
  • /etc/default/rkhunter is a distro-supplied file that controls when rkhunter runs.

As installed, /etc/rkhunter.conf usually doesn’t need to be modified, but if you do change it, the options worth knowing are:

  • Set ALLOW_SSH_ROOT_USER to match your SSH daemon’s root login setting, so rkhunter doesn’t warn about a configuration you chose deliberately.
  • DISABLE_TESTS lets you remove any tests you don’t want to run.
  • ALLOWHIDDENDIR and ALLOWHIDDENFILE let you tell it to ignore specific hidden directories and files.

Warning

Do not exclude items without knowing they are truly safe. A web search can help.

Then in /etc/default/rkhunter set the following, according to your needs:

  • CRON_DAILY_RUN="yes" = so it runs each day.
  • CRON_DB_UPDATE="yes" = so it updates its database (very important).
  • REPORT_EMAIL="root" = where emails go when rkhunter finds an issue.
  • APT_AUTOGEN="yes" = if rkhunter is checking the integrity of the system’s applications, set this so that whenever you update those applications, rkhunter also updates its database of their hashes and properties. That avoids false positives after every package upgrade.

Then run rkhunter to see if there are any warnings:

rkhunter --cronjob --report-warnings-only

And to really make sure it’s running, run its cron job directly:

/etc/cron.daily/rkhunter
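The four settings above are easy to leave half-done (a value commented out, or set to "no" by a package upgrade), so here is a small POSIX sh helper, added to this post and not part of rkhunter itself, that checks /etc/default/rkhunter for exactly those settings and then runs the warnings-only scan. The expected values are the ones listed above; the second argument (the expected REPORT_EMAIL, defaulting to "root") and the function name check_rkhunter_defaults are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): verify the cron settings in
# /etc/default/rkhunter, then run rkhunter's warnings-only scan.

# check_rkhunter_defaults [file] [expected_email]
# Returns 0 when every expected setting has the expected value, otherwise
# prints one line per mismatch and returns 1.
check_rkhunter_defaults() {
    conf="${1:-/etc/default/rkhunter}"
    email="${2:-root}"   # assumption: the post uses REPORT_EMAIL="root"
    status=0
    for pair in "CRON_DAILY_RUN=yes" "CRON_DB_UPDATE=yes" \
                "REPORT_EMAIL=$email" "APT_AUTOGEN=yes"; do
        key="${pair%%=*}"
        want="${pair#*=}"
        # Last uncommented assignment wins; quotes around the value are optional.
        have=$(grep -E "^[[:space:]]*${key}=" "$conf" 2>/dev/null | tail -n 1 \
               | sed -E "s/^[[:space:]]*${key}=//; s/^[\"']//; s/[\"'][[:space:]]*$//")
        if [ "$have" != "$want" ]; then
            printf '%s: expected "%s", found "%s"\n' "$key" "$want" "${have:-<unset>}"
            status=1
        fi
    done
    return "$status"
}

# Only do real work when run as root on a machine that has rkhunter installed;
# the config check is harmless, the scan itself needs root.
if [ "$(id -u)" -eq 0 ] && command -v rkhunter >/dev/null 2>&1; then
    check_rkhunter_defaults || echo "fix /etc/default/rkhunter before relying on the daily cron run"
    rkhunter --cronjob --report-warnings-only
fi
```

Run it as root after editing /etc/default/rkhunter; any line it prints names a setting that differs from the values in this post, and a commented-out line counts as unset.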

Conclusion

And with that, we are a bit more secure, knowing we’ll be alerted to the presence of a rootkit on our system.

For more on rootkits, see how to set up chkrootkit.

Jellyfish