Monday, March 10, 2008

How to Install Rootkit Hunter (rkhunter)

Unpack the tarball and run the installer as root (the default layout installs under /usr/local, so the binary ends up at /usr/local/bin/rkhunter):

tar -zxvf rkhunter-1.3.0.tar.gz
cd rkhunter-1.3.0
chmod 755 installer.sh
./installer.sh --layout default --install

Then build the file property database. This records the checksum, permissions, owner and similar properties of the system binaries rkhunter watches, and every later scan is compared against it, so run it on a system you trust to be clean: a baseline taken from an already compromised box simply whitelists the rootkit.

rkhunter --propupd

To do the rootkit checks:

rkhunter --check

To check for updates to rkhunter's data files:

rkhunter --update
Hopefully you don't find any rootkits on your system :)
How to set up a daily scan report?
Create a script in /etc/cron.daily (with pico or any other editor):
pico /etc/cron.daily/rkhunter
Add the following, replacing the email address with your own:
#!/bin/bash
# Run the check non-interactively (--cronjob: no colour codes, no key presses).
# 2>&1 folds stderr into the report and the pipe hands the whole report to mail.
/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com
Then make it executable:
chmod +x /etc/cron.daily/rkhunter
The script is named rkhunter rather than rkhunter.sh on purpose: on Debian-based systems run-parts ignores files in /etc/cron.daily whose names contain a dot, so a script called rkhunter.sh would silently never run there. A name without an extension works everywhere.
Updating rkhunter
Running rkhunter --update fetches the latest versions of rkhunter's data files from the project's central server, which keeps the checks in step with your OS and reduces false positives. Note that it updates the data files only, not the rkhunter program itself.
rkhunter --update
I just got a false positive! What do I do?
False positives are warnings that indicate a problem where there isn't really one. Example: your Linux distribution ships updated versions of a few commonly used binaries such as `ls` and `ps`. You (as a good sysadmin) install the new packages and, of course, the daily Rootkit Hunter scan runs. Rootkit Hunter's file property database still describes the old binaries, so the scan reports the new ones as "bad" files. That is a false positive. Before dismissing it, confirm that the change really came from your package manager (for example with `rpm -V` on RPM-based systems or `debsums` on Debian-based ones), because a rootkit that replaces `ls` or `ps` produces exactly the same warning; if in doubt, have your datacenter or a system administrator check the server to verify that it is not compromised. Once you are satisfied the files are legitimate, run `rkhunter --propupd` to rebuild the file property database so the updated binaries become the new baseline.
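To make the file property database idea behind `--propupd`, `--check` and the false-positive story above concrete, here is an added shell example written for this page (it is not rkhunter's own code). It imitates the two steps on a directory of files: `propupd` records a SHA-256 hash and the size of every regular file, and `check` reports anything that changed, vanished or appeared since, returning non-zero when it has warnings. The directory, database file and "Warning:" wording are made up for illustration; rkhunter's real database also records inode, permissions, owner and modification time.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a miniature file property
# database. propupd() records a SHA-256 hash and the size of every regular
# file under a directory (rkhunter also records inode, permissions, owner
# and mtime); check() reports files that changed, vanished or appeared.
# Directory, database path and message wording are made up for illustration.

# Hash one file. Prefer coreutils sha256sum, fall back to perl's shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# propupd DIR DB: (re)build DB with one "<hash> <size> <path>" line per file.
# This is the trust-establishing step: whatever is on disk right now becomes
# "known good", so only run it on a system you have verified is clean.
propupd() {
    dir=$1; db=$2
    : > "$db"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f" >> "$db"
    done
}

# check DIR DB: print one "Warning: ..." line per discrepancy and return 0
# when everything matched, 1 otherwise (the status a cron wrapper can act on).
check() {
    dir=$1; db=$2; n=0
    # Entries already in the database: changed or missing files.
    while read -r oldhash oldsize path; do
        if [ ! -f "$path" ]; then
            echo "Warning: $path: file is missing"; n=$((n + 1)); continue
        fi
        if [ "$(hash_file "$path")" != "$oldhash" ] || \
           [ "$(wc -c < "$path" | tr -d ' ')" != "$oldsize" ]; then
            echo "Warning: $path: hash or size differs from the property database"
            n=$((n + 1))
        fi
    done < "$db"
    # Files on disk that the database has never seen (a dropped-in binary,
    # or simply a package that was installed after the baseline was taken).
    find "$dir" -type f | LC_ALL=C sort > "$db.scan"
    while IFS= read -r f; do
        if ! cut -d' ' -f3- "$db" | grep -qxF -- "$f"; then
            echo "Warning: $f: not in the property database"; n=$((n + 1))
        fi
    done < "$db.scan"
    rm -f "$db.scan"
    [ "$n" -eq 0 ]
}
```

Walk through the scenario from the text with it: run `propupd` on a clean directory, overwrite one file the way a package update would, and `check` now warns about exactly that file. The warning looks identical whether the new `ls` came from your distribution or from an intruder, which is why the verification step belongs before the second `propupd`; only after that does the rebuilt baseline make the scan quiet again.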
More information on rkhunter can be found here: http://www.rootkit.nl
