rkhunter(8)
Debian 4.0 (Etch) GNU/Linux
rkhunter - run a system check for rootkits or other malware
rkhunter [-c|--checkall] [--createlogfile] [--cronjob] [--disable-md5-check] [--nocolors] [--versioncheck]
rkhunter is an easy-to-use tool which checks machines running UNIX, Linux, BSD and other clones for the presence of rootkits and/or other unwanted tools. rkhunter can be run as a cron job, or from the command line when needed. A Bash shell or Korn shell is required. If available, Perl modules will be used in place of some default system commands.
The following system areas may be checked:
- MD5 hash comparisons
- Default files commonly used by rootkits
- Incorrect file placement (moved binaries)
- Search for suspect strings in LKM and KLD modules
- Hidden files
- Deleted files
- Interfaces in promiscuous mode
- Listening applications that could use libpcap
- Optional scan within plaintext and binary files
- Search for old versions of software packages
--allow-ssh-root-user
Allow the SSH 'root' user when checking the SSH configuration file. This is a useful option when you use public key authentication instead of keyboard authentication.
--checkall
(or -c). rkhunter performs a full check of the system, printing the results of each test to stdout.
--configfile <file>
Use another configuration file instead of the default one.
--createlogfile <file>
Write a plain text file summarizing rkhunter's findings. Defaults to /var/log/rkhunter.log; optionally another filename can be chosen.
--cronjob
Use this option if you wish to run rkhunter from a cron job rather than the command line. Disables coloured output.
--dbdir
Uses another directory for the databases (instead of the default path).
--disable-md5-check
Skip checking MD5 hashes. Used on systems with custom tools or binaries that would throw off this test.
--help
Show help / usage information
--nocolors
Skip colorized output
--quick
Skips some tests (less accurate)
--reportmode
Hide all information which is not interesting for cron jobs and non-interactive scans (e.g. the header and footer).
--rootdir
Changes the default root directory, for chroot environments.
--tmpdir
Changes the default directory for temporary storage
--skip-keypress
Make rkhunter non-interactive
--check-deleted
Make rkhunter check for processes that have open files which were deleted from the filesystem while the process is running. While this could give a clue about a process's intentions, enabling this check will cause false positives, so enable whitelisting. Examples are provided in the config file.
--check-listen
In addition to the ifconfig and "ip" promiscuous mode tests, this makes rkhunter check for any applications that are listening on interfaces. Use on systems where the libpcap "-p" flag lets applications avoid putting the interface into promiscuous mode. Note that any ifconfig or "ip" based promiscuous mode checks are obsolete on GNU/Linux systems running kernel 2.6. Unfortunately there is no easy way to distinguish between illegitimate libpcap/libnet-using applications and legitimate ones such as IDSes or plain old DHCP clients. In short, this will definitely cause false positives, so enable whitelisting for 'known good' applications. Examples are provided in the config file.
--versioncheck
Consults the rkhunter website to determine if a newer version is available for download. Uses wget. The latest version can be found at http://rkhunter.sourceforge.net/
Multiple parameters are allowed. Some parameters can only be used together with others. When Rootkit Hunter is run without any parameters, the help text is shown.
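The following script is an added example, not part of rkhunter or its man page. It shows how an administrator would combine the cron-oriented options above (--cronjob, --reportmode, --skip-keypress, --createlogfile) into an unattended run, extract the flagged lines from the resulting log so that only real findings reach an inbox, and perform the same kind of inspection that --check-deleted does by reading /proc directly. The log lines embedded in the script are constructed for illustration and are not real rkhunter output; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of rkhunter or its man page: wrap an unattended
# rkhunter run for cron, summarise the warnings in its log, and complement
# --check-deleted with a direct /proc inspection for deleted-but-open files.
# The sample log lines below are constructed; the exact format of a real
# rkhunter log may differ, so adapt the pattern to your installed version.

RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"   # default log path from the man page

# Command line for an unattended run: no colours, no header/footer,
# no keypress prompts, findings written to the given log file.
rkh_cron_cmd() {
    printf 'rkhunter --cronjob --reportmode --skip-keypress --createlogfile %s\n' "$1"
}

# Keep only lines flagged as warnings (reads the log on stdin).
rkh_warnings() {
    grep -i 'warning' | grep -vi 'no warning' || true
}

# Number of flagged lines, so the caller can decide whether to alert.
rkh_warning_count() {
    rkh_warnings | grep -c . || true
}

# List file descriptors of process $1 whose target was unlinked while still
# open, the condition --check-deleted looks for. Legitimate programs (e.g.
# those using unlinked temp files) show up here too, hence the man page's
# advice to whitelist known-good processes.
deleted_open_files() {
    for fd in /proc/"$1"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            *'(deleted)') printf '%s -> %s\n' "$fd" "$target" ;;
        esac
    done
}

# Constructed sample log (not real rkhunter output).
SAMPLE_LOG='[10:00:01] Checking /bin/ls                      [ OK ]
[10:00:01] Checking /bin/ps                      [ Warning ]
[10:00:02] Checking for promiscuous interfaces   [ Warning ]
[10:00:03] Checking for hidden files             [ OK ]'

main() {
    echo "cron command: $(rkh_cron_cmd "$RKH_LOG")"
    n=$(printf '%s\n' "$SAMPLE_LOG" | rkh_warning_count)
    echo "warnings in sample log: $n"
    printf '%s\n' "$SAMPLE_LOG" | rkh_warnings
    echo "deleted-but-open files of this shell (pid $$):"
    deleted_open_files "$$"
}
main
```

In a crontab the command printed by rkh_cron_cmd would be followed by a pipe into rkh_warnings and a mail command, so that a run with zero flagged lines produces no message at all; the whitelisting the man page recommends for --check-deleted and --check-listen is what keeps that summary from filling up with the same benign entries every night.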
Rootkit Hunter is licensed under the GPL, copyright Michael Boelen.
Rootkit Hunter is under active development by the Rootkit Hunter project team. For reporting bugs, updates, patches, comments and questions please see http://rkhunter.sourceforge.net/