Provided by: rkhunter_1.4.0-3_all bug

NAME

       rkhunter - RootKit Hunter

SYNOPSIS

       rkhunter {--check | --unlock | --update | --versioncheck |
                 --propupd [{filename | directory | package name},...] |
                 --list [tests | {lang | languages} | rootkits | perl |
                         propfiles] |
                 --config-check | --version | --help} [options]

DESCRIPTION

       rkhunter is a shell script which carries out various checks on the local system to try and
       detect known rootkits and malware. It also performs checks to see if  commands  have  been
       modified,  if  the  system  startup  files  have  been modified, and various checks on the
       network interfaces, including checks for listening applications.

       rkhunter has been written to be as generic as possible, and so should run  on  most  Linux
       and  UNIX  systems.  It  is  provided with some support scripts should certain commands be
       missing from the system, and some of  these  are  perl  scripts.   rkhunter  does  require
       certain  commands  to  be  present  for it to be able to execute. Additionally, some tests
       require specific commands, but if these are not present then the  test  will  be  skipped.
       rkhunter needs to be run under a Bourne-type shell, typically bash or ksh. rkhunter can be
       run as a cron job or from the command-line.

COMMAND OPTIONS

       If no command option is given, then --help is assumed.  rkhunter will  return  a  non-zero
       exit code if any error or warning occurs.

       -c, --check
              This  command  option tells rkhunter to perform various checks on the local system.
              The result of each test will be displayed on  stdout.  If  anything  suspicious  is
              found,  then  a  warning will be displayed. A log file of the tests and the results
              will be automatically produced.

              It is suggested that this command option is run regularly in order to  ensure  that
              the system has not been compromised.

       --unlock
              This  command option simply unlocks (removes) the lock file. If this option is used
              on its own, then no log file is created.

       --update
              This command option causes rkhunter to check if there is a later version of any  of
              its  text data files. A command-line web browser, for example wget or lynx, must be
              present on the system when using this option.

              It is suggested that this command option is run regularly in order to  ensure  that
              the data files are kept up to date.

              If  this option is used via cron, then it is recommended that the --nocolors option
              is also used.

              An exit code of zero for this command option means that no updates were  available.
              An  exit  code of one means that a download error occurred, and a code of two means
              that no error occurred but updates were available and have been installed.

       --propupd [{filename | directory | package name},...]
              One of the checks rkhunter performs is to compare various current  file  properties
              of  various  commands,  against those it has previously stored. This command option
              causes rkhunter to update its data file of stored values with the current values.

              If the filename option is used, then it must either be a full pathname, or a  plain
              file  name  (for  example,  'awk').  When  used,  then  only  the entry in the file
              properties database for that file will be updated. If the directory option is used,
              then  only  those files listed in the database that are in the given directory will
              be updated. Similarly, if the package name option is used, then only those files in
              the  database  which are part of the specified package will be updated. The package
              name must be the base part of the name, no version numbers should be included - for
              example,  'coreutils'.  Package  names  will, of course, only be stored in the file
              properties database if a package manager is being used. If a package  name  is  the
              same  as  a file name - for example, 'file' could refer to the 'file' command or to
              the RPM 'file' package (which contains the 'file' command) - the package name  will
              be used.  If no specific option is given, then the entire database is updated.

              WARNING:  It is the users responsibility to ensure that the files on the system are
              genuine and from a reliable source. rkhunter can only report if a file has changed,
              but  not  on  what  has  caused  the  change. Hence, if a file has changed, and the
              --propupd command option is used, then  rkhunter  will  assume  that  the  file  is
              genuine.

       --versioncheck
              This  command  option  causes  rkhunter to check if there is a later version of the
              program. A command-line web browser must be present on the system when  using  this
              option.

              If  this option is used via cron, then it is recommended that the --nocolors option
              is also used.

              An exit code of zero for  this  command  option  means  that  no  new  version  was
              available.  An exit code of one means that an error occurred downloading the latest
              version number, and a code of two means that no error occurred but a new version is
              available.

       --list [tests | {lang | languages} | rootkits | perl | propfiles]
              This  command  option  will list some of the supported capabilities of the program,
              and then exit. The tests option lists the currently available test names  (see  the
              README  file  for  more  details  about test names). The languages option lists the
              currently available languages, and the rootkits option lists the rootkits that  are
              searched for by rkhunter. The perl option lists the installation status of the perl
              command and perl modules that may be used by some of the tests. Note that it is not
              required  to  install  these modules. However, if rkhunter is forced to use perl to
              execute a test then the module must be present. The propfiles option will list  the
              file  names  that are used to generate the file properties database. If no specific
              option is given, then all the lists, except for the file properties  database,  are
              displayed.

       -C, --config-check
              This  command  option  causes rkhunter to check its configuration file(s), and then
              exit. The program will run through its normal configuration checks as specified  by
              the  enable and disable options on the command-line and in the configuration files.
              That is, only the configuration options for tests  which  would  normally  run  are
              checked.  In  order  to check all the configured options, then use the --enable all
              --disable none options on the command line. Additionally, the program will check to
              see  if  there  are  any  unrecognised  configuration options. If any configuration
              problems are found, then they will be displayed and the return code will be set  to
              1.

              It  is  suggested  that this option is used whenever the configuration file(s) have
              been changed.

       -V, --version
              This command option causes rkhunter to display its version number, and then exit.

       -h, --help
              This command option displays the help screen menu, and then exits.

OPTIONS

       rkhunter uses a configuration file, named rkhunter.conf, for  many  of  its  configuration
       options.  It will also use a local configuration file, named rkhunter.conf.local, if it is
       present. However, some options can also be specified on the command-line, and  these  will
       override  the  configuration  file  options.  The  configuration  file  options  are  well
       documented within the main configuration file itself. The following are  the  command-line
       options. The defaults mentioned here are the program defaults, unless explicitly stated as
       the configuration file default.

       --appendlog
              By default a new log file will be created when rkhunter runs, and the previous  log
              file  will  be  renamed  by  having  .old  appended to its name.  This option tells
              rkhunter to append to the existing log file. If the log file does not  exist,  then
              it will be created.

       --bindir <directory>...
              This  option  modifies  which  directories  rkhunter  looks  in to find the various
              commands it requires (that is, its PATH). The default is  the  root  PATH,  and  an
              internal  list of some common command directories. By default a specified directory
              will be appended to the default list. However, if the directory  name  begins  with
              the  '+'  character, then it will be prepended to the list (that is, it will be put
              at the start of the list).

       --cs2, --color-set2
              By default rkhunter will display its test results in color.  The  colors  used  are
              green for successful tests, red for failed tests (warnings), and yellow for skipped
              tests. These colors are visible when a black background is used, but are  difficult
              to  see  on a white background. This option tells rkhunter to use a different color
              set which is more suited to a white background.

       --configfile <file>
              The installation process will automatically tell rkhunter where  its  configuration
              file  is  located.  However,  if  necessary,  this  option can be used to specify a
              different pathname.

              If a local configuration file is to be used,  then  it  must  reside  in  the  same
              directory as the configuration file specified by this option.

       --cronjob
              This  is  similar  to  the  --check  command option, but it disables several of the
              interactive options. When this option  is  used  --check,  --nocolors  and  --skip-
              keypress   are   assumed.   By  default  no  output  is  sent  to  stdout,  so  the
              --report-warnings-only option may be useful with this option.

       --dbdir <directory>
              The installation process will automatically configure  where  the  data  files  are
              stored  for  rkhunter.  However, if necessary, this option can be used to specify a
              different directory. The directory can be read-only, after  installation,  provided
              that  neither  of  the  --update  or  --propupd options are specified, and that the
              --versioncheck option is not specified  if  ROTATE_MIRRORS  is  set  to  1  in  the
              configuration file.

       --debug
              This  is  a  special  option  mainly  for  the developers. It produces no output on
              stdout. Regular logging will continue  as  per  default  or  as  specified  by  the
              --logfile  option,  and  the  debug output will be in a randomly generated filename
              which starts with /tmp/rkhunter-debug.

       --disable <test>[,<test>...]
              This option tells rkhunter not to run the specified tests. If this option is  used,
              and  --propupd  is  not specified, then the --check command option is assumed. Read
              the README file for more information about test names.  By  default  no  tests  are
              disabled.

       --display-logfile
              This  option will cause the logfile to be displayed on the screen once rkhunter has
              finished.

       --enable <test>[,<test>...]
              This option tells rkhunter to only run the specified tests. If this option is used,
              and --propupd is not specified, then the --check command option is assumed. If only
              one test name, other than all, is given, then the --skip-keypress  option  is  also
              assumed.   Read  the  README file for more information about test names. By default
              all tests are enabled. All the test names are listed below under TESTS.

       --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
               NONE | <command>}
              Both the file properties check and the --propupd command option  will  use  a  hash
              function  to determine a files current hash value. This option tells rkhunter which
              hash function to use. The MD5 and SHA options will look for the  relevant  command,
              and,  if not found, a perl support script will then be used to see if a perl module
              supporting the function has been installed. Alternatively, a specific  command  may
              be  specified.  A value of NONE can be used to indicate that the hash values should
              not be obtained or used as part of the file properties check. The default is  SHA1,
              or MD5 if no SHA1 command can be found.

              Systems using prelinking must use either MD5, SHA1 or NONE.

       --lang, --language <language>
              This  option  specifies  which language to use for the displayed tests and results.
              The currently supported languages can be seen by the  --list  command  option.  The
              default  is  en  (English).  If  a  message  to be displayed cannot be found in the
              language file, then the English version will be used. As such, the English language
              file  must  always be present. The --update command option will update the language
              files when new versions are available.

       -l, --logfile [file]
              By default rkhunter will write out a log file. The default location of the file  is
              /var/log/rkhunter.log.  However, this location can be changed by using this option.
              If /dev/null is specified as the log file, then no log file will be written. If  no
              specific  file  is  given,  then the default will be used. By default rkhunter will
              create a new log file each time it is run. Any previously existing logfile is moved
              out of the way, and has .old appended to it.

       --noappend-log
              This  option  reverts  rkhunter to its default behaviour of creating a new log file
              rather than appending to it.

       --nocf
              This option is only valid when the command-line --disable option is used.  When the
              --disable  option  is  used,  by  default, the configuration file option to disable
              tests is also used to determine which tests to run. If only the --disable option is
              to be used to determine which tests to run, then --nocf must be given.

       --nocolors
              This option causes the result of each test to not be displayed in a specific color.
              The default color, usually the reverse  of  the  background  color,  will  be  used
              (typically this is just black and white).

       --nolog
              This option tells rkhunter not to write anything to a log file.

       --nomow, --no-mail-on-warning
              The  configuration file has an option which will cause a simple email message to be
              sent to a user should rkhunter detect  any  warnings  during  system  checks.  This
              command-line  option overrides the configuration file option, and prevents an email
              message from being sent. The configuration file default is not to email a message.

       --ns, --nosummary
              When the --check command option is used, by default a short summary of  results  is
              displayed at the end. This option prevents the summary from being displayed.

       --novl, --no-verbose-logging
              During  some  tests  rkhunter  will  log  a  lot of information. Use of this option
              reduces the amount of logging, and so can  improve  the  performance  of  rkhunter.
              However,  the  log file will contain less information should any warnings occur. By
              default verbose logging is enabled.

       --pkgmgr {RPM | DPKG | BSD | SOLARIS | NONE}
              This option is used during the file properties check or when the --propupd  command
              option  is given. It tells rkhunter that the current file property values should be
              obtained from the relevant package manager.  See the README file for  more  details
              of this option. The default is NONE, which means not to use a package manager.

       -q, --quiet
              This  option  tells  rkhunter not to display any output. It can be useful when only
              the exit code is going to be checked. Other options may be used with this  one,  to
              force only specific items to be displayed.

       --rwo, --report-warnings-only
              This  option  causes only warning messages to be displayed. This can be useful when
              rkhunter is run via cron. Other options  may  be  used  to  force  other  items  of
              information to be displayed.

       --sk, --skip-keypress
              When  the --check command option is used, after certain sections of tests, the user
              will be prompted to press the return key in order to continue. This option disables
              that feature, and rkhunter will run until all the tests have completed.

              If  this  option  has  not been given, and the user is prompted to press the return
              key, a single 's' character, in upper- or lowercase, may be given followed  by  the
              return  key. rkhunter will then continue the tests without prompting the user again
              (as if this option had been given).

       --summary
              This option will cause the summary of test results to be  displayed.  This  is  the
              default.

       --syslog [facility.priority]
              When  the  --check  command  option  is  used, this option will cause the start and
              finish times to be logged to syslog. The default is not to log anything to  syslog,
              but if the option is used, then the default level is authpriv.notice.

       --tmpdir <directory>
              The  installation process will automatically configure where temporary files are to
              be created. However, if necessary, this option can be used to specify  a  different
              directory.  The  directory  must  not  be a symbolic link, and must be secure (root
              access only).

       --vl, --verbose-logging
              This option tells rkhunter that when it runs some tests,  it  should  log  as  much
              information  as  possible. This can be useful when trying to diagnose why a warning
              has occurred, but it obviously also takes more time. The default is to use  verbose
              logging.

       -x, --autox
              When this option is used, rkhunter will try and detect if the X Window system is in
              use. If it is in use, then the second color set will automatically be used (see the
              --color-set2  option).  This  allows  rkhunter  to be run on, for example, a server
              console (where X is not present, so the default color set should be used), and on a
              users terminal (where X is in use, so the second color set should be used). In both
              cases rkhunter will use the correct color set. The configuration file default is to
              try and detect X.

       -X, --no-autox
              This  option  prevents rkhunter from automatically detecting if the X Window system
              is being used. See the --autox option.

TESTS

       [This section to be written]

       additional_rkts
              This test is for SHORT_EXPLANATION.  It  works  as  part  of  GROUP.  Corresponding
              configuration    file    entries:    ONE=one,   TWO=two   and   for   white-listing
              THREE=three,three. Simple globbing (/dev/shm/file-*) works.

       all

       apps

       attributes

       avail_modules

       deleted_files

       filesystem

       group_accounts

       group_changes

       hashes

       hidden_ports

       hidden_procs

       immutable

       known_rkts

       loaded_modules

       local_host

       malware

       network

       none

       os_specific

       other_malware

       packet_cap_apps

       passwd_changes

       ports

       possible_rkt_files

       possible_rkts

       possible_rkt_strings

       promisc

       properties

       rootkits

       running_procs

       scripts

       shared_libs

       shared_libs_path

       startup_files

       startup_malware

       strings

       suspscan

       system_commands

       system_configs

       trojans

FILES

       (For a default installation)
       /etc/rkhunter.conf
       /var/log/rkhunter.log

SEE ALSO

       See the CHANGELOG file for recent changes.
       The README file has information about installing rkhunter, as well as specific sections on
       test names and using package managers.
       The FAQ file should also answer some questions.

LICENSING

       RootKit  Hunter is licensed under the GPL, copyright Michael Boelen.  See the LICENSE file
       for details of GPL licensing.

CONTACT INFORMATION

       RootKit Hunter is under active  development  by  the  RootKit  Hunter  project  team.  For
       reporting    bugs,    updates,   patches,   comments   and   questions,   please   go   to
       http://rkhunter.sourceforge.net/

                                          November 2011                               rkhunter(8)