readme

在网络安全中经常会遇到rootkit

THE ROOTKIT HUNTER PROJECT
==========================

Copyright (c) 2003-2007, Michael Boelen
See the LICENSE file for conditions of use and distribution.

It is recommended that all users of RootKit Hunter (RKH) join the
rkhunter-users mailing list. Subscribing to the list can be done via
the RKH website at http://rkhunter.sourceforge.net

A copy of the RKH FAQ is also available from the web site.


ROOTKIT HUNTER REQUIREMENTS
===========================

Please note RKH has some requirements:

1) Before RKH starts it will check that certain required commands
   are present on the system. These are typical commands such as
   'cat', 'sed', 'head', 'tail', etc. If a command is missing then
   RKH will not run.

2) Some tests require commands such as stat, readlink, md5/md5sum or
   sha1/sha1sum. If these are not present, then RKH has perl
   scripts which will automatically be used instead. However, this
   requires perl being present. If it is not, then the tests will
   be skipped. Readlink is provided as a script itself, and does
   not use perl. Other tests will use other commands. If the relevant
   command is not found on the system, then the test will be skipped.

3) A tool should be present with which to download file updates. 
   Currently wget, curl, (e)links, lynx and GET are supported. If your
   system does not allow the possibility to install one of these 
   applications, but does run perl, you can use 'bget' available from 
   http://www.cpan.org/authors/id/E/EL/ELIJAH/. If you use another 
   generic method of updating RKH then please let us know.

4) Some tests require single-purpose tools. RKH does not depend on
   these, but it will use them if it finds them - they can enhance
   RKH's detection capabilities. The tools are:
   - Skdet
       Tests for SucKIT, Adore, Adore-NG, UNFshit, UNFkmem and
       frontkey.
   - Unhide
       Finds hidden processes.
       http://www.security-projects.com/?Unhide
   If the relevant tool is not found, then the test is skipped.


ROOTKIT HUNTER INSTALLATION
===========================

Unpacking the tar file should produce a single directory called
'rkhunter-<version>'. Where '<version>' is the version number of rkhunter
being installed. For example, the rkhunter-1.3.0.tar.gz tar file will produce
the 'rkhunter-1.3.0' directory when unpacked. Within this directory is the
installation script called 'installer.sh'.

To perform a default installation of RKH simply unpack the tarball and,
as root, run the installation script:

    tar zxf rkhunter-<version>.tar.gz
    cd rkhunter-<version>
    ./installer.sh --layout default --install

RKH installation supports custom layouts. To show some examples
run:

    ./installer.sh --examples

As an another example, to install all files beneath /opt, run:

    ./installer.sh --layout custom /opt --install

To show where files are installed using the 'oldschool' layout
run:

    ./installer.sh --layout oldschool --show

The layout named 'RPM' may not be chosen since it is used solely
for installing RKH using RPM.


The default installation process will install a configuration file,
called 'rkhunter.conf', into the '/etc' directory or where
you chose using the --layout switch. Please edit the configuration 
file according to your own system requirements. If the installer 
encounters an existing rkhunter.conf, it will not be overwritten.
Instead the installer creates a new configuration file, but with
a unique number as its suffix. Please inspect the new configuration
file and copy over any changes to the existing configuration file.

The main RKH script will be installed into the '/usr/local/bin'
directory or where you chose using the --layout switch. Man pages will 
be installed into '/usr/local/share/man', and other documentation will 
be installed into the '/usr/local/share/doc' directory. RKH data files,
language support, and a directory for temporary files will be
installed into '/var/lib/rkhunter'. Finally, RKH support scripts will
be installed into '/usr/local/lib/rkhunter/scripts', or, if using an
x86_64 system, into '/usr/local/lib64/rkhunter/scripts'. All directories,
except 'lib64', will be created where necessary.

Before running RKH you will need to fill the file properties database by
running the following command:

    rkhunter --propupd

Note that if you want to use the package management tools provided by 
your distribution you will need to select a package manager. In the case
of using RPM your command would be:

    rkhunter --propupd --pkgmgr RPM


To run RKH, as root, simply enter the following command:

    rkhunter --check


By default, the log file '/var/log/rkhunter.log' will be created. It
will contain the results of the checks made by RKH.

To see what other options can be used with rkhunter, enter:

    rkhunter --help


NOTE: The first run of 'rkhunter' after installation may give some
      warning messages. Please see the FAQ file for more details
      about this.


STANDALONE INSTALLATION
=======================

It is possible to run RKH standalone, that is, with it all being
installed into one directory.

To do this unpack RKH as described above, and then install it using
the following command:

    ./installer.sh --layout custom . --install

It is then necessary to change to the 'files' directory:

    cd files

Within the directory will be a copy of the 'rkhunter.conf' configuration
file. You can modify this file according to your requirements if you
wish, but note the installer has already set the necessary variables.

To run RKH, as root simply enter the following command:

    ./rkhunter --check


INSTALLATION INFORMATION FOR x86_64 SYSTEMS
===========================================

The installation of RKH is largely independent of the system architecture.
However, RKH does have some support scripts and these need to be installed
into the appropriate library directory. When using the 'default' layout
option, or one of the known layout options (for example, '/usr' or
'/usr/local'), then the relevant 'lib64' directory will be used only if it
already exists. For a 'custom' layout, the 'lib64' directory will be used
and created if necessary. Standalone installations do not use any special
library directory at all. RPM installations will use the relevant 'lib64'
directory only if the system architecture is detected as being 'x86_64'.


REMOVING AN INSTALLATION
========================

RKH supports uninstallation. To do this unpack the installation
tarball, and then run the installer with the --remove option. If RKH
was installed using a default installation, then run:

    tar zxf rkhunter-<version>.tar.gz
    cd rkhunter-<version>
    ./installer.sh --layout default --remove

If you chose a different layout, for example '/usr', then run the
installer using:

    ./installer.sh --layout /usr --remove

Note: the installer will not remove files that were installed using RPM
(use the 'rpm' command to remove the package).

For a standalone uninstallation, specified by using '--layout custom .',
the installer will remove the whole installation directory (the 'files'
sub-directory).

During uninstallation, the installer will remove the initial configuration
file. However, if RKH was installed more than once, then any additional
configuration files are not removed. These may be removed manually.

When installing RKH, some directories may have been created. However,
RKH is unaware of this when being uninstalled. As such, and especially
when having used a custom installation, some directories may be
emptied of files, but the directories themselves may remain. Again,
these can be removed manually if wished.

In order to see where RKH installed its files during installation, the
'--show' option can be used. For example:

    ./installer.sh --layout custom /opt --show


USING TEST NAMES
================

Within RKH some of the tests have been given names. There are two types of
test names - specific test names and grouped test names. A specific test name
generally refers to one specific test within RKH. A grouped test name refers
to a set, or group, of related tests. Within a group name there are usually
one or more specific test names.

To see the current list of test names use the 'rkhunter --list tests' command.
The grouped names list will show the specific names that are within the group.

So, for example, the file properties check has the grouped name of 'properties'.
However, within that test the file hash value test is known as 'hashes'.
Similarly, the file attributes check, which checks the file permissions, uid
and gid values, and so on, is known as the 'attributes' test. Note that while
it is possible to tell RKH to run the file properties check, but ignore the
file hash value test, it is not possible to tell RKH to run the file attributes
but to ignore the file permissions checks. RKH has no specific name for the
file permissions test, and so it cannot be specifically enabled or disabled.

RKH can be told to enable or disable one or more of the tests by using the
'--enable' and '--disable' command-line options. Alternatively, the RKH
configuration file options 'ENABLE_TESTS' and 'DISABLE_TESTS' can be used.
Note, however, that if either command-line option is used then the
configuration file options, for both enabled and disabled tests, are ignored.
The program defaults if no options are used at all are to enable all tests and
to disable no tests. For this purpose the enable options can use the special
test name 'all', and the disable options can use the name 'none'. To specify
more than one test name, specify them as a comma-separated list. For example:

    rkhunter --enable 'rootkits,hashes'

Note that in the above example no disabled test list was specified. As such, it
will default to the program default value - '--disable none'. If multiple use
of the options are given on the command-line, then the last values seen will
be used.

The supplied RKH configuration file will have some tests already disabled.
These are generally CPU and/or I/O intensive tests, or ones which may be prone