man rkhunter Command

Man page for the rkhunter command in Linux

This tutorial shows the man page for rkhunter in Linux.

Open a terminal and type the command as shown below (reading the man page needs no special access; running rkhunter's checks themselves requires root):
man rkhunter

Result of the command execution is shown below:

rkhunter(8)                                                        rkhunter(8)



NAME
rkhunter - RootKit Hunter

SYNOPSIS
rkhunter {--check | --unlock | --update | --versioncheck |
--propupd [{filename | directory | package name},...] |
--list [tests | {lang | languages} | rootkits] |
--version | --help} [options]


DESCRIPTION
rkhunter is a shell script which carries out various checks on the
local system to try and detect known rootkits and malware. It also performs
checks to see if commands have been modified, if the system
startup files have been modified, and various checks on the network
interfaces, including checks for listening applications.

rkhunter has been written to be as generic as possible, and so should
run on most Linux and UNIX systems. It is provided with some support
scripts should certain commands be missing from the system, and some of
these are perl scripts. rkhunter does require certain commands to be
present for it to be able to execute. Additionally, some tests require
specific commands, but if these are not present then the test will be
skipped. rkhunter needs to be run under a Bourne type shell, typically
bash or ksh. rkhunter can be run as a cron job or from the command
line.


COMMAND OPTIONS
If no command option is given, then --help is assumed. rkhunter will
return a non-zero exit code if any error or warning occurs.


-c, --check
This command option tells rkhunter to perform various checks on
the local system. The result of each test will be displayed on
stdout. If anything suspicious is found, then a warning will be
displayed. A log file of the tests and the results will be
automatically produced.

It is suggested that this command option is run regularly in
order to ensure that the system has not been compromised.


--unlock
This command option simply unlocks (removes) the lock file. If
this option is used on its own, then no log file is created.


--update
This command option causes rkhunter to check if there is a later
version of any of its text data files. A command line web
browser, for example wget or lynx, must be present on the system
when using this option.

It is suggested that this command option is run regularly in
order to ensure that the data files are kept up to date.

If this option is used via cron, then it is recommended that the
--nocolors option is also used.

An exit code of zero for this command option means that no
updates were available. An exit code of one means that a download
error occurred, and a code of two means that no error
occurred but updates were available and have been installed.


--propupd [{filename | directory | package name},...]
One of the checks rkhunter performs is to compare various
current file properties of various commands, against those it has
previously stored. This command option causes rkhunter to update
its data file of stored values with the current values.

If the filename option is used, then it must either be a full
pathname, or a plain file name (for example, 'awk'). When used,
then only the entry in the file properties database for that
file will be updated. If the directory option is used, then only
those files listed in the database that are in the given
directory will be updated. Similarly, if the package name option is
used, then only those files in the database which are part of
the specified package will be updated. The package name must be
the base part of the name; no version numbers should be included
(for example, 'coreutils'). Package names will, of course, only
be stored in the file properties database if a package manager
is being used. If a package name is the same as a file name
(for example, 'file' could refer to the 'file' command or to the
RPM 'file' package, which contains the 'file' command), then the
package name will be used. If no specific option is given, then
the entire database is updated.

WARNING: It is the user's responsibility to ensure that the files
on the system are genuine and from a reliable source. rkhunter
can only report if a file has changed, but not on what has
caused the change. Hence, if a file has changed, and the
--propupd command option is used, then rkhunter will assume that the
file is genuine.
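A gate for --propupd, added here as an example and not part of rkhunter or its man page: before accepting a changed file into the file properties database, it asks the package manager whether the file still matches the package's recorded digest, and refuses to run --propupd for that package otherwise. Assumptions not in the man page: the verification output follows the rpm -V layout, which dpkg --verify also uses (a nine-character flag field, an optional attribute letter, then the path, with '5' in the third column meaning the digest differs, and 'missing' lines for absent files); rkhunter is on PATH unless the RKHUNTER variable overrides it; the verification lines used for checking are constructed.

```sh
#!/bin/sh
# Added example, not part of rkhunter: only run "rkhunter --propupd <pkg>" when
# the package manager's own verification shows no digest mismatch for <pkg>.
# Assumed (not from the man page): verification output in "rpm -V" layout,
# which "dpkg --verify" mimics, for example:
#   S.5....T.  c /etc/demo.conf      <- flag field, attribute letter, path
#   missing     /usr/share/demo/x    <- file absent
# Column 3 of the flag field is '5' when the stored digest no longer matches.
RKHUNTER="${RKHUNTER:-rkhunter}"

# Read verification output on stdin; print the path of every digest mismatch.
# "missing" lines and unchecked ('?') or clean ('.') digests are ignored.
rkh_digest_mismatches() {
    awk '$1 != "missing" && length($1) >= 9 && substr($1, 3, 1) == "5" { print $NF }'
}

# rkh_propupd_if_clean <package> <verify command>
# <verify command> is deliberately word-split so "rpm -V" or "dpkg --verify"
# work. rpm -V exits non-zero when anything differs, but as the first stage of
# the pipeline that status is discarded; the decision rests on the parsed lines.
rkh_propupd_if_clean() {
    pkg="$1"
    verify="$2"
    bad=$($verify "$pkg" | rkh_digest_mismatches)
    if [ -n "$bad" ]; then
        printf 'refusing --propupd for %s, digest mismatches remain:\n%s\n' "$pkg" "$bad" >&2
        return 1
    fi
    "$RKHUNTER" --propupd "$pkg"
}
```

Run as root after a package upgrade, for example rkh_propupd_if_clean coreutils 'rpm -V' (or 'dpkg --verify' on Debian-style systems). If mismatches are listed, investigate those files before touching the database: --propupd would otherwise record the changed file as the new baseline, which is exactly the risk the warning above describes.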


--versioncheck
This command option causes rkhunter to check if there is a later
version of the program. A command line web browser must be
present on the system when using this option.

If this option is used via cron, then it is recommended that the
--nocolors option is also used.

An exit code of zero for this command option means that no new
version was available. An exit code of one means that an error
occurred downloading the latest version number, and a code of
two means that no error occurred but a new version is available.


--list [tests | {lang | languages} | rootkits]
This command option will list some of the supported capabilities
of the program, and then exit. The tests option lists the
currently available test names (see the README file for more
details about test names). The languages option lists the
currently available languages, and the rootkits option lists the
rootkits that rkhunter will search for. If no specific option
is given, then all the lists are displayed.


-V, --version
This command option causes rkhunter to display its version
number, and then exit.


-h, --help
This command option displays the help screen menu, and then
exits.


OPTIONS
rkhunter uses a configuration file, named rkhunter.conf, for many of
its configuration options. It will also use a local configuration file,
named rkhunter.conf.local, if it is present. However, some options can
also be specified on the command line, and these will override the
configuration file options. The configuration file options are well
documented within the main configuration file itself. The following are the
command line options. The defaults mentioned here are the program
defaults, unless explicitly stated as the configuration file default.


--append-log
By default a new log file will be created when rkhunter runs,
and the previous log file will be renamed by having .old
appended to its name. This option tells rkhunter to append to
the existing log file. If the log file does not exist, then it
will be created.


--bindir <directory>...
This option tells rkhunter which directories to look in to find
the various commands it requires. The default is the current
PATH environment variable, and the typical command directories
of /bin, /usr/bin, /sbin and so on.


--cs2, --color-set2
By default rkhunter will display its test results in color. The
colors used are green for successful tests, red for failed tests
(warnings), and yellow for skipped tests. These colors are
visible when a black background is used, but are difficult to see on
a white background. This option tells rkhunter to use a
different color set which is more suited to a white background.


--configfile <file>
The installation process will automatically tell rkhunter where
its configuration file is located. However, if necessary, this
option can be used to specify a different pathname.

If a local configuration file is to be used, then it must reside
in the same directory as the configuration file specified by
this option.


--cronjob
This is similar to the --check command option, but it disables
several of the interactive options. When this option is used,
--check, --nocolors and --skip-keypress are assumed. By default
no output is sent to stdout, so the --report-warnings-only
option may be useful with this option.
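A daily cron wrapper built from the command options above, as an added example that is not part of rkhunter or its man page. It covers the --update and --versioncheck exit codes documented under COMMAND OPTIONS (zero for nothing newer, one for a download error, two for a newer version available) together with the --cronjob and --report-warnings-only combination described here. Assumptions not in the man page: rkhunter is on PATH unless the RKHUNTER variable overrides it, the lines rkhunter prints for warnings contain the text "Warning:", and the warnings file under /var/log is writable by the cron job.

```sh
#!/bin/sh
# Added example: a cron wrapper around rkhunter. Not part of rkhunter itself.
# Assumptions (not from the man page): rkhunter is on PATH unless RKHUNTER is
# set, its warning lines contain "Warning:", and WARNFILE is writable.
RKHUNTER="${RKHUNTER:-rkhunter}"
WARNFILE="${WARNFILE:-/var/log/rkhunter-warnings.txt}"

# Map the documented --update / --versioncheck exit code to a word:
# 0 = nothing newer, 1 = download error, 2 = newer version available (and,
# for --update, already installed).
rkh_update_status() {
    case "$1" in
        0) echo current ;;
        1) echo download-error ;;
        2) echo updated ;;
        *) echo "unexpected($1)" ;;
    esac
}

# Refresh the data files and check for a newer program version. --nocolors
# keeps escape sequences out of cron mail. The if/else captures the exit code
# without tripping "set -e" in a caller. Returns 1 if either download failed.
rkh_refresh() {
    if "$RKHUNTER" --update --nocolors >/dev/null 2>&1; then rc=0; else rc=$?; fi
    data=$(rkh_update_status "$rc")
    if "$RKHUNTER" --versioncheck --nocolors >/dev/null 2>&1; then rc=0; else rc=$?; fi
    prog=$(rkh_update_status "$rc")
    echo "datafiles=$data program=$prog"
    [ "$data" != download-error ] && [ "$prog" != download-error ]
}

# Run the scan the way cron should: --cronjob implies --check, --nocolors and
# --skip-keypress; --rwo limits stdout to warnings. Those lines are saved to
# the file named in $1 so cron mail or a log shipper gets exactly the findings.
# Returns rkhunter's own exit code, which is non-zero on any warning or error.
rkh_check() {
    out="$1"
    if "$RKHUNTER" --cronjob --rwo >"$out" 2>&1; then rc=0; else rc=$?; fi
    n=$(grep -c 'Warning:' "$out" || true)
    echo "exit=$rc warnings=$n"
    return "$rc"
}

rkh_daily() {
    rkh_refresh || echo "rkhunter: data file or version check had a download error" >&2
    rkh_check "$WARNFILE"
}

# Invoke as "sh rkhunter-daily.sh run" from /etc/cron.daily; a non-zero exit
# plus the captured warning lines is what cron then mails out.
case "${1:-}" in
    run) rkh_daily ;;
esac
```

The scan runs even when the refresh fails, because a stale data set is still better than no scan; the refresh result is reported separately so a broken mirror does not masquerade as a clean host.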


--dbdir <directory>
The installation process will automatically configure where the
data files are stored for rkhunter. However, if necessary, this
option can be used to specify a different directory. The
directory can be read-only, after installation, provided that neither
of the --update or --propupd options are specified, and that the
--versioncheck option is not specified if ROTATE_MIRRORS is set
to 1 in the configuration file.


--debug
This is a special option mainly for the developers. It produces
no output on stdout. Regular logging will continue as per
default or as specified by the --logfile option, and the debug
output will be in a randomly generated filename which starts
with /tmp/rkhunter-debug.


--disable <testname>[,<testname>...]
This option tells rkhunter not to run the specified tests. If
this option is used, and --propupd is not specified, then the
--check command option is assumed. Read the README file for more
information about test names. By default no tests are disabled.


--display-logfile
This option will cause the logfile to be displayed on the screen
once rkhunter has finished.


--enable <testname>[,<testname>...]
This option tells rkhunter to only run the specified tests. If
this option is used, and --propupd is not specified, then the
--check command option is assumed. If only one test name, other
than all, is given, then the --skip-keypress option is also
assumed. Read the README file for more information about test
names. By default all tests are enabled. All tests will be
listed below under TESTS.


--hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
NONE | <command>}
Both the file properties check and the --propupd command option
will use a hash function to determine a file's current hash
value. This option tells rkhunter which hash function to use.
The MD5 and SHA options will look for the relevant command, and,
if not found, a perl support script will then be used to see if
a perl module supporting the function has been installed.
Alternatively, a specific command may be specified. A value of NONE
can be used to indicate that the hash values should not be
obtained or used as part of the file properties check. The
default is SHA1, or MD5 if no SHA1 command can be found.

Systems using prelinking must use either MD5, SHA1 or NONE.


--lang, --language <language>
This option specifies which language to use for the displayed
tests and results. The currently supported languages can be
seen by the --list command option. The default is en (English).
If a message to be displayed cannot be found in the language
file, then the English version will be used. As such, the
English language file must always be present. The --update
command option will update the language files when new versions are
available.


-l, --logfile [<file>]
By default rkhunter will write out a log file. The default
location of the file is /var/log/rkhunter.log. However, this
location can be changed by using this option. If /dev/null is
specified as the log file, then no log file will be written. If no
specific file is given, then the default will be used. By
default rkhunter will create a new log file each time it is run.
Any previously existing logfile is moved out of the way, and has
.old appended to it.


--no-append-log
This option reverts rkhunter to its default behaviour of
creating a new log file rather than appending to it.


--nocolors
This option causes the result of each test to not be displayed
in a specific color. The default color, usually the reverse of
the background color, will be used (typically this is just black
and white).


--nolog
This option tells rkhunter not to write anything to a log file.


--nomow, --no-mail-on-warning
The configuration file has an option which will cause a simple
email message to be sent to a user should rkhunter detect any
warnings during system checks. This command line option
overrides the configuration file option, and prevents an email
message from being sent. The configuration file default is not to
email a message.


--ns, --nosummary
When the --check command option is used, by default a short
summary of results is displayed at the end. This option prevents
the summary from being displayed.


--novl, --no-verbose-logging
During some tests rkhunter will log a lot of information. Use of
this option reduces the amount of logging, and so can improve
the performance of rkhunter. However, the log file will contain
less information should any warnings occur. By default verbose
logging is enabled.


--pkgmgr {RPM | DPKG | BSD | NONE}
This option is used during the file properties check or when the
--propupd command option is given. It tells rkhunter that the
current file property values should be obtained from the
relevant package manager. See the README file for more details of
this option. The default is NONE, which means not to use a
package manager.


-q, --quiet
This option tells rkhunter not to display any output. It can be
useful when only the exit code is going to be checked. Other
options may be used with this one, to force only specific items
to be displayed.


--rwo, --report-warnings-only
This option causes only warning messages to be displayed. This
can be useful when rkhunter is run via cron. Other options may
be used to force other items of information to be displayed.


-r, --rootdir <directory>
If a suspect system is locally or remotely mounted, it is
possible to tell rkhunter to inspect it by using this option.
However, it must be used with care, as several of the other options
specifying configuration directories may need to be set as well.
There is no default.


--sk, --skip-keypress
When the --check command option is used, after certain sections
of tests, the user will be prompted to press the return key in
order to continue. This option disables that feature, and
rkhunter will run until all the tests have completed.

If this option has not been given, and the user is prompted to
press the return key, a single 's' character, in upper or
lowercase, may be given followed by the return key. rkhunter will
then continue the tests without prompting the user again (as if
this option had been given).


--summary
This option will cause the summary of test results to be
displayed. This is the default.


--syslog [<facility.priority>]
When the --check command option is used, this option will cause
the start and finish times to be logged to syslog. The default
is not to log anything to syslog, but if the option is used,
then the default level is authpriv.notice.


--tmpdir <directory>
The installation process will automatically configure where
temporary files are to be created. However, if necessary, this
option can be used to specify a different directory. The
directory must not be a symbolic link, and must be secure (root
access only).
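A preflight for the --rootdir use case described above, added here as an example and not part of rkhunter or its man page. It checks that a directory satisfies the requirements this option states for --tmpdir (a real directory rather than a symbolic link, owned by the user running the scan, with no group or other permission bits) and then prints the command line for inspecting a suspect tree mounted elsewhere. Assumptions not in the man page: the command is composed and printed rather than executed, the log file path is this example's choice, and --configfile and --dbdir are left for the operator to add, since which copies of the configuration and database to trust depends on the case.

```sh
#!/bin/sh
# Added example, not part of rkhunter: preflight the --tmpdir requirements
# (not a symlink, root-only access) and print an rkhunter command line for
# scanning a suspect filesystem mounted under some directory via --rootdir.
# Assumed: the invoking user is the one rkhunter will run as (root in practice);
# the log path below is this example's choice, not a documented default.

# rkh_tmpdir_ok <dir>: 0 if <dir> is acceptable as --tmpdir, else 1 with a reason.
rkh_tmpdir_ok() {
    d="$1"
    if [ -L "$d" ]; then
        echo "tmpdir is a symbolic link: $d" >&2; return 1
    fi
    if [ ! -d "$d" ]; then
        echo "tmpdir is not a directory: $d" >&2; return 1
    fi
    # Columns 5-10 of the "ls -ld" mode string are the group and other bits.
    go=$(ls -ld "$d" | cut -c5-10)
    if [ "$go" != "------" ]; then
        echo "tmpdir is reachable by group/other ($go): $d" >&2; return 1
    fi
    # -prune keeps find on <dir> itself; it prints the path only if owned by us.
    if [ -z "$(find "$d" -prune -user "$(id -un)" -print)" ]; then
        echo "tmpdir is not owned by $(id -un): $d" >&2; return 1
    fi
    return 0
}

# rkh_rootdir_cmd <mounted root> <tmpdir>: print the command to run.
rkh_rootdir_cmd() {
    root="$1"
    tmp="$2"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
    rkh_tmpdir_ok "$tmp" || return 1
    # --sk and --nocolors make the run non-interactive and log-friendly. Add
    # --configfile and --dbdir pointing at copies you trust: the man page warns
    # that --rootdir may need the configuration directory options set as well.
    printf '%s ' rkhunter --check --sk --nocolors \
        --rootdir "$root" \
        --tmpdir "$tmp" \
        --logfile "/var/log/rkhunter-$(basename "$root").log"
    printf '\n'
}
```

Typical use is rkh_rootdir_cmd /mnt/suspect /root/rkh-tmp after mounting the suspect disk read-only; the separate log file keeps the forensic run from rotating the analysis host's own /var/log/rkhunter.log.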


--vl, --verbose-logging
This option tells rkhunter that when it runs some tests, it
should log as much information as possible. This can be useful
when trying to diagnose why a warning has occurred, but it
obviously also takes more time. The default is to use verbose
logging.


-x, --autox
When this option is used, rkhunter will try and detect if the X
Window system is in use. If it is in use, then the second color
set will automatically be used (see the --color-set2 option).
This allows rkhunter to be run on, for example, a server console
(where X is not present, so the default color set should be
used), and on a user's terminal (where X is in use, so the second
color set should be used). In both cases rkhunter will use the
correct color set. The configuration file default is to try and
detect X.


-X, --no-autox
This option prevents rkhunter from automatically detecting if
the X Window system is being used. See the --autox option.



TESTS
[This section to be written]


additional_rkts
This test is for SHORT_EXPLANATION. It works as part of GROUP.
Corresponding configuration file entries: ONE=one, TWO=two and
for white listing THREE=three,three. Simple globbing
(/dev/shm/file*) works.



all

apps

attributes

avail_modules

deleted_files

filesystem

group_accounts

group_changes

hashes

hidden_procs

immutable

known_rkts

loaded_modules

local_host

malware

network

none

os_specific

other_malware

packet_cap_apps

passwd_changes

ports

possible_rkt_files

possible_rkts

possible_rkt_strings

promisc

properties

rootkits

running_procs

scripts

shared_libs

shared_libs_path

startup_files

startup_malware

strings

suspscan

system_commands

system_configs

trojans



FILES
(For a default installation) /etc/rkhunter.conf


SEE ALSO
See the CHANGELOG file for recent changes.
The README file has information about installing rkhunter, as well as
specific sections on test names and using package managers.
The FAQ file should also answer some questions.


LICENSING
RootKit Hunter is licensed under the GPL, copyright Michael Boelen.
See the LICENSE file for details of GPL licensing.


CONTACT INFORMATION
RootKit Hunter is under active development by the RootKit Hunter
project team. For reporting bugs, updates, patches, comments and
questions, please go to http://rkhunter.sourceforge.net/



September, 2008 rkhunter(8)

