rkhunter.8

在网络安全中经常会遇到rootkit

.\" rkhunter - RootKit Hunter
.TH rkhunter 8 "July, 2007"

.SH NAME
rkhunter \- RootKit Hunter
.SH SYNOPSIS
\fBrkhunter\fP {--check | --update | --propupd | --versioncheck |
          --list [tests | languages | rootkits]
          --version | --help} [options]

.SH DESCRIPTION
\fBrkhunter\fP is a shell script which carries out various checks on the local
system to try and detect known rootkits and malware. It also performs checks
to see if commands have been modified, if the system startup files have been
modified, and various checks on the network interfaces, including checks for
listening applications.

\fBrkhunter\fP has been written to be as generic as possible, and so should run
on most Linux and UNIX systems. It is provided with some support scripts should
certain commands be missing from the system, and some of these are perl scripts.
\fBrkhunter\fP does require certain commands to be present for it to be able
to execute. Additionally, some tests require specific commands, but if these
are not present then the test will be skipped. \fBrkhunter\fP needs to be run
under a Bourne\-type shell, typically \fBbash\fP or \fBksh\fP. \fBrkhunter\fP
can be run as a cron job or from the command\-line.

.PP
.SH COMMAND OPTIONS
If no command option is given, then \fB\-\-help\fP is assumed.
\fBrkhunter\fP will return a non-zero exit code if any error or warning occurs.

.PP
.IP "\fB\-c, \-\-check\fP"
This command option tells \fBrkhunter\fP to perform various checks on the local
system. The result of each test will be displayed on stdout. If anything
suspicious is found, then a warning will be displayed. A log file of the tests
and the results will be automatically produced.

It is suggested that this command option is run regularly in order to ensure
that the system has not been compromised.

.IP

.IP \fB\-\-update\fP
This command option causes \fBrkhunter\fP to check if there is a later version
of any of its text data files. A command\-line web browser, for example
\fBwget\fP or \fBlynx\fP, must be present on the system when using this option.

It is suggested that this command option is run regularly in order to ensure
that the data files are kept up to date.

If this option is used via cron, then it is recommended that the \fB\-\-nocolors\fP
option is also used.

An exit code of zero for this command option means that no updates were
available. An exit code of one means that a download error occurred, and a code
of two means that no error occurred but updates were available and have been
installed.

.IP

.IP \fB\-\-propupd\fP
One of the checks \fBrkhunter\fP performs is to compare various current file
properties of various commands, against those it has previously stored. This
command option causes \fBrkhunter\fP to update its data file of stored values
with the current values.

\fIWARNING:\fP It is the users responsibility to ensure that the files on the
system are genuine and from a reliable source. \fBrkhunter\fP can only report
if a file has changed, but not on what has caused the change. Hence, if a file
has changed, and the \fB\-\-propupd\fP command option is used, then
\fBrkhunter\fP will assume that the file is genuine.

.IP

.IP \fB\-\-versioncheck\fP
This command option causes \fBrkhunter\fP to check if there is a later version
of the program. A command\-line web browser must be present on the system when
using this option.

If this option is used via cron, then it is recommended that the \fB\-\-nocolors\fP
option is also used.

An exit code of zero for this command option means that no new version was
available. An exit code of one means that an error occurred downloading the
latest version number, and a code of two means that no error occurred but a
new version is available.

.IP

.IP "\fB\-\-list [tests | languages | rootkits]\fP"
This command option will list some of the supported capabilities of the
program, and then exit. The \fItests\fP option lists the currently available
test names (see the README file for more details about test names). The
\fIlanguages\fP option lists the currently available languages, and the
\fIrootkits\fP option lists the rootkits that \fBrkhunter\fP will search for.
If no specific option is given, then all the lists are displayed.

.IP

.IP "\fB\-V, \-\-version\fP"
This command option causes \fBrkhunter\fP to display its version number, and
then exit.

.IP

.IP "\fB\-h, \-\-help\fP"
.br
This command option displays the help screen menu, and then exits.

.IP

.SH OPTIONS
\fBrkhunter\fP uses a configuration file, named \fIrkhunter.conf\fP, for many of
its configuration options. However, some options can also be specified on the
command\-line, and these will override the configuration file options. The
configuration file options are well documented within the file itself. The
following are the command\-line options. The defaults mentioned here are the
program defaults, unless explicitly stated as the configuration file default.

.PP

.IP \fB\-\-appendlog\fP
By default a new log file will be created when \fBrkhunter\fP runs. This option
tells \fBrkhunter\fP to append to the existing log file. If the log file does
not exist, then it will be created.

.IP "\fB\-\-bindir <directory>...\fP"
This option tells \fBrkhunter\fP which directories to look in to find the
various commands it requires. The default is the current PATH environment
variable, and the typical command directories of /bin, /usr/bin, /sbin and so
on.

.IP "\fB\-\-cs2, \-\-color\-set2\fP"
By default \fBrkhunter\fP will display its test results in color. The colors
used are green for successful tests, red for failed tests (warnings), and
yellow for skipped tests. These colors are visible when a black background is
used, but are difficult to see on a white background. This option tells
\fBrkhunter\fP to use a different color set which is more suited to a white
background.

.IP "\fB\-\-configfile <file>\fP"
The installation process will automatically tell \fBrkhunter\fP where its
configuration file is located. However, if necessary, this option can be used
to specify a different pathname.

.IP \fB\-\-cronjob\fP
This is similar to the \fB\-\-check\fP command option, but it disables several
of the interactive options. When this option is used \fB\-\-check\fP,
\fB\-\-nocolors\fP and \fB\-\-skip-keypress\fP are assumed. By default no output
is sent to stdout, so the \fB\-\-report\-warnings\-only\fP option may be useful
with this option.

.IP "\fB\-\-dbdir <directory>\fP"
The installation process will automatically configure where the data files are
stored for \fBrkhunter\fP. However, if necessary, this option can be used
to specify a different directory.

.IP \fB\-\-debug\fP
This is a special option mainly for the developers. It produces no output on
stdout. If debugging must be used, then make sure that it is the first command\-line
switch. Regular logging will continue as per default or as specified by the
\fB\-\-logfile\fP option, and debug output will be in the file
\fI/tmp/rkhunter\-debug\fP.

.IP "\fB\-\-disable <test>[,<test>...]\fP"
This option tells \fBrkhunter\fP not to run the specified tests. If this
option is used, and \fB\-\-propupd\fP is not specified, then the
\fB\-\-check\fP command option is assumed. Read the README file for more
information about test names. By default no tests are disabled.

.IP \fB\-\-display\-logfile\fP
This option will cause the logfile to be displayed on the screen once
\fBrkhunter\fP has finished.

.IP "\fB\-\-enable <test>[,<test>...]\fP"
This option tells \fBrkhunter\fP to only run the specified tests. If this
option is used, and \fB\-\-propupd\fP is not specified, then the
\fB\-\-check\fP command option is assumed. If only one test name, other than
\fIall\fP, is given, then the \fB\-\-skip\-keypress\fP option is also assumed.
Read the README file for more information about test names. By default all
tests are enabled. All tests will be listed below under TESTS.

.IP "\fB\-\-hash {MD5 | SHA1 | NONE | <command>}\fP"
Both the file properties check and the \fB\-\-propupd\fP command option will
use a hash function to determine a files current hash value. This option tells
\fBrkhunter\fP which hash function to use. The \fIMD5\fP and \fISHA1\fP
options, in uppercase, will look for the relevant command, and if not found
a perl support script will be used to provide the function. Alternatively, a