Scan - Manual or Automatic

MANUAL

Manual scans are best in the beginning, so you can observe all the warnings and information that RKH (rkhunter) scans provide. I recommend running a manual scan after a significant update such as a new kernel.

However, manual scans take longer than automatic ones because they must show output on the screen as well as write to the log. A manual scan ends with a summary, so it is best to read that area first.

File properties checks...
Required commands check failed
Files checked: 120
Suspect files: 8

Rootkit checks...
Rootkits checked : 109
Possible rootkits: 0

Applications checks...
Applications checked: 3
Suspect applications: 0

The system checks took: (time deleted)

All results have been written to the logfile (/var/log/rkhunter.log)

One or more warnings have been found while checking the system. Please check the log file (/var/log/rkhunter.log)

Note that the log location is /var/log/rkhunter.log.

Those suspect files must be investigated. However, this log extract was from my first scan, and most of the warnings were solved by modifying my configuration file. Automatic scans need cron and, if you turn off the computer, anacron.

AUTOMATIC

There are two main kinds of cron job we can adopt: a job added to /etc/crontab to run hourly or daily, or a script made executable that sits in /etc/cron.daily.

You could also add a command to your rc.local script, but that needs the computer to boot every day in order to execute, so it is ignored here. There are restrictions on cron depending on the existence of the cron.allow or cron.deny files and their contents.

Note that crontab jobs are not caught up by anacron, so home users can skip this section. All /etc/crontab jobs can only run while the computer is on.

Automatic ---using /etc/crontab jobs

My initial /etc/crontab contents were:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
02 4 * * * root nice -n 19 run-parts --report /etc/cron.daily
22 4 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
42 4 1 * * root nice -n 19 run-parts --report /etc/cron.monthly

Cron runs as a root process, so my mail goes to root.

The crontab columns are, from left to right:
Minutes past the hour (0 to 59)
Hour of the day (0 to 23, using the 24-hour clock, e.g. 23 means 11 pm)
Day of the month (1 to 31)
Month of the year (either 1 to 12 or jan, feb, ... dec)
Weekday (either 0 to 6 with 0 = sun, or sun, mon, ... sat)

  * = every possible value in that column.
  */n = every nth value in that column (for example, */4 in the hour column means every fourth hour).

Let's add some automatic scan commands, then discuss them. Assuming you have the vi command, you could use
vi -e /etc/crontab
and when it opens, type visual to get to the full-screen view. Press i to get into insert mode, type your changes, then press the Escape key to get back to command mode and type :wq! This writes the file and quits without prompting you.

Another way is to open a shell, su to root and then run a GUI editor such as kwrite, leafpad or mousepad.
Cron wakes up every minute, so create an entry 2 minutes into the future to test.

Examples (inserted into a code box for format reasons):

30 14 * * * root /usr/local/bin/rkhunter --cronjob --update --rwo --nocolors
0 * * * * root /usr/local/bin/rkhunter --cronjob --update --rwo --nocolors
0 */4 * * * root /usr/local/bin/rkhunter --cronjob --update --rwo --nocolors
40 2 * * * root /usr/local/bin/rkhunter --update -c -sk --nocolors
0 0 */1 * * root /usr/local/bin/rkhunter --cronjob --update --rwo --nocolors

Notes:
John advises that all cron jobs are to be run with --nocolors.
For all rwo crontabs, modify your conf to comment out MAIL-ON-WARNING.

So the top line is:
30 minutes past 2 pm, every day, execute an RKH scan after updating any stale data files and report warnings only, by mail. Mail is only produced if warnings are found.
The second line is:
0 minutes past every hour, execute an RKH scan after updating any stale data files and report warnings only, by mail.
The third line is:
The same as the last entry, but run at every multiple of 4 hours. That is, at 4 am, 8 am, noon, 4 pm, 8 pm and midnight.
The fourth line is:
40 minutes past 2 am, execute an RKH scan after updating any stale data files and mail a report similar to the manual scan results, i.e. a full report.
The last line is:
Equal to having a cron.daily script: every day, update stale data files, then scan and send mail only if warnings are found.

Note how easy the last line is, but it is a trap if you turn off your computer. You have to wait until past midnight the next day to get your next scan, so if you always go to bed early you get no RKH scans! I recommend anacron and an RKH script in cron.daily if you turn off the computer.
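As an added example that is not from the original page, the following POSIX shell function expands a single crontab column into the values it matches, following the column meanings listed above (* for every value, */n for every nth value), and a second function prints all five columns of a schedule such as the 0 */4 * * * entry from the examples. The names expand_cron_field and show_schedule are chosen here; the comma lists and a-b ranges it also accepts go beyond the forms the page describes, and the jan/sun style names are not handled.

```shell
#!/bin/sh
# Added example, not part of the original page: expand crontab columns
# into the concrete values they match, so a schedule can be checked
# before it is written to /etc/crontab.
# Globbing is switched off so a literal "*" is never expanded to filenames.
set -f

# expand_cron_field FIELD LOW HIGH
#   Prints the values in LOW..HIGH that FIELD matches, space separated.
#   Accepts "*", "*/n", a single number, and (beyond the page) comma lists
#   and a-b ranges, each optionally with "/n". Returns 1 on a bad field.
expand_cron_field() {
    field=$1; lo=$2; hi=$3
    out=""
    IFS=','; set -- $field; unset IFS
    for part in "$@"; do
        step=1
        case $part in
            */*) step=${part#*/}; part=${part%/*} ;;
        esac
        case $part in
            \*)  start=$lo; end=$hi ;;
            *-*) start=${part%-*}; end=${part#*-} ;;
            *)   start=$part; end=$part ;;
        esac
        # Reject empty pieces (::) or anything that is not a digit
        case ":$start:$end:$step" in
            *::*|*:|*[!0-9:]*) echo "not numeric: $field" >&2; return 1 ;;
        esac
        if [ "$start" -lt "$lo" ] || [ "$end" -gt "$hi" ] || [ "$step" -lt 1 ]; then
            echo "out of range for this column: $field" >&2; return 1
        fi
        v=$start
        while [ "$v" -le "$end" ]; do
            out="$out $v"
            v=$((v + step))
        done
    done
    printf '%s\n' "${out# }"
}

# show_schedule "MIN HOUR DOM MON DOW"
#   Prints one line per column with the values the schedule matches.
show_schedule() {
    set -- $1
    [ $# -eq 5 ] || { echo "expected five columns" >&2; return 1; }
    printf 'minute:  %s\n' "$(expand_cron_field "$1" 0 59)"
    printf 'hour:    %s\n' "$(expand_cron_field "$2" 0 23)"
    printf 'day:     %s\n' "$(expand_cron_field "$3" 1 31)"
    printf 'month:   %s\n' "$(expand_cron_field "$4" 1 12)"
    printf 'weekday: %s\n' "$(expand_cron_field "$5" 0 6)"
}

# The page's third crontab example: on the hour, every fourth hour
show_schedule '0 */4 * * *'
```

Running it prints the hour line as 0 4 8 12 16 20, which is the midnight, 4 am, 8 am, noon, 4 pm, 8 pm schedule described above; a field outside its column's range (such as 25 for the hour) is rejected with a message on stderr instead of being silently written into the crontab.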

Mail for --cronjob --update --rwo --nocolors

Assuming the scan detects a warning or higher, mail is sent to root.

Mail example, from opening the mail with the mail command:

Warning: ... and the type of warning
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

You then check the log and investigate.
If there is no warning, the rwo switch means you get no mail.

Mail for --update -c -sk --nocolors

You will receive mail even if there are no warnings, as it is the same scan as our first manual scan.
Mail excerpts:

Subject: Cron root@gs /usr/local/bin/rkhunter --update -c -sk --nocolors

No warnings were found while checking the system

Now if your mail matches the last line, you could change your crontab entry to the rwo format.
If you want mail each day, do not convert to an rwo cron job.

Automatic ---using /etc/cron.daily scripts

These are better for home users, as anacron catches up on missed tasks.

Anacron will catch all missed cron.daily, cron.monthly and cron.yearly scripts. So this time

02 4 * * * root nice -n 19 run-parts --report /etc/cron.daily
is rarely achieved by crontab, but is caught up by anacron.

Create a cron.daily script for a Linux system. Copy and paste the following into a text editor. It is placed in a code box to highlight the contents.

#!/bin/sh
# Run the scan; echo "" guarantees mail gets a body even when
# --rwo produces no output, then mail the result to root
( /usr/local/bin/rkhunter --cronjob --update --rwo && echo "" ) \
| /usr/bin/mail -s "Rkhunter daily run on `uname -n`" root
exit 0

Custom-install users should change the path to the executable, e.g. /opt/bin/rkhunter.

The path to mail may differ as well.

Please read the FAQ for other examples, and in particular for the above script. Because we are piping any output through to the mail command, it is required to use 'echo ""' when there are no warnings. Without this, the mail command would issue its own warning about there being no message body.

Then, using root powers, save the file as /etc/cron.daily/rkh and change its properties to make it executable. If you prefer commands,

chmod 700 /etc/cron.daily/rkh

If successful, the permissions shown by ls -l appear as -rwx------ (read, write and execute for the owner, root, only).

If you prefer a replacement for the manual scan, add -c -sk to the script.
Reboot for a full test, or run it with root powers:

/etc/cron.daily/rkh
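As an added example that is neither the page's script nor part of rkhunter, the wrapper below does what the cron.daily script above does but also keeps the scan's exit status in the mail, mails root only when there is something to report, and includes a check that the installed script has the -rwx------ mode that chmod 700 produces. The function names scan_command, send_mail, rkh_daily, script_mode and check_script_mode, the install path /usr/local/sbin/rkh-daily.sh, and the assumption that rkhunter exits non-zero when it finds warnings are all this example's own; the rkhunter path and options are the page's.

```shell
#!/bin/sh
# Added example, not the page's script and not part of rkhunter: a
# cron.daily wrapper that keeps the scan's exit status, mails root only
# when there is something to report, plus a check that the installed
# script has the -rwx------ mode the page's chmod 700 produces.
# Function names and the install path are chosen here (hypothetical).

# The scan itself, with the page's options. Redefine this function to
# exercise the wrapper on a machine without rkhunter installed.
scan_command() {
    /usr/local/bin/rkhunter --cronjob --update --rwo --nocolors
}

# Delivery hook: subject in $1, body on stdin, mailed to root as in the
# page's script. Redefine it to capture the message in tests.
send_mail() {
    /usr/bin/mail -s "$1" root
}

# rkh_daily
#   Runs the scan, keeps its output and exit status, and mails a report
#   only when the scan printed something or exited non-zero (assumption:
#   rkhunter returns non-zero when warnings are found; confirm on your
#   version). Returns 0 when clean, 1 when a report was mailed, 2 if no
#   temporary file could be created.
rkh_daily() {
    tmp=$(mktemp) || return 2
    status=0
    scan_command >"$tmp" 2>&1 || status=$?
    if [ "$status" -eq 0 ] && [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 0
    fi
    # The body always has at least one line, which is what the page's
    # echo "" achieves: mail(1) otherwise complains about an empty body.
    { cat "$tmp"; printf '\nrkhunter exit status: %s\n' "$status"; } \
        | send_mail "Rkhunter daily run on $(uname -n)"
    rm -f "$tmp"
    return 1
}

# script_mode FILE -> the ten-character mode string from ls -ld,
# e.g. -rwx------ after chmod 700
script_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_script_mode FILE -> 0 only if FILE is a regular file that only
# its owner can read, write or execute (what the page's chmod 700 gives)
check_script_mode() {
    [ -f "$1" ] && [ "$(script_mode "$1")" = "-rwx------" ]
}

# Entry point: "run" for the daily scan, "check [FILE]" to verify the mode
case ${1:-} in
    run)   rkh_daily ;;
    check) target=${2:-/etc/cron.daily/rkh}
           check_script_mode "$target" && echo "mode ok: $target" ;;
    *)     echo "usage: $0 run | check [FILE]" ;;
esac
```

To use it, save the file as /usr/local/sbin/rkh-daily.sh (a path chosen for this example), make /etc/cron.daily/rkh a two-line script consisting of #!/bin/sh and exec /usr/local/sbin/rkh-daily.sh run, and apply the same chmod 700 to both files; rkh-daily.sh check then confirms the cron.daily entry is not writable by anyone but root, which matters because run-parts executes everything in that directory as root.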
