Rootkits are very powerful viruses. Viruses will cause trouble, but rootkits will keep themselves secret while doing their damage and getting details.
For this reason, scanning for them is very important.
Here I’ll show how to setup
rkhunter to scan your system daily.
rkhunter is a very good scanner that searches for many different types of rootkits.
First, install it:
apt-get install rkhunter
dnf install rkhunter
pacman -Sy rkhunter
Once installed, the config files are:
/etc/rkhunter.confis for the options for rkhunter.
/etc/default/rkhunteris a distro file that tells when rkhunter will run.
As installed, the
/etc/rkhunter.conf doesn’t usually need to be modified. But if you do:
ALLOW_SSH_ROOT_USERto whatever your SSH’s root login settings are.
DISABLE_TESTSallows you to remove any tests you don’t want.
ALLOWHIDDENFILEallow you to tell it to ignore items.
Do not exclude items without knowing that are truly safe. A web search can help.
/etc/default/rkhunter set the following, according to your needs.
CRON_DAILY_RUN="yes"= so it will run each day
CRON_DB_UPDATE="yes"= so it will update its database (very important)
REPORT_EMAIL="root"= where emails should go, when rkhunter finds an issue.
APT_AUTOGEN="yes"= If it’s checking the integrity of the system’s apps, set this so when you update the system’s applications, rkhunter will update its database of their hashes and properties. Thus avoiding false positives.
Then run rkhunter to see if there are any warnings
rkhunter --cronjob --report-warnings-only
And to really make sure it’s running, run it’s cron job:
And with that, we are a bit more secure, knowing we’ll be alerted to the presence of a rootkit on our system.
For more on rootkits, see how to setup chkrootkit.