rkhunter.8

在网络安全中经常会遇到rootkit

specific \fIcommand\fP may be specified. A value of \fINONE\fP can be used
to indicate that the hash values should not be obtained or used as part of the
file properties check. The default is \fISHA1\fP, or \fIMD5\fP if no SHA1
command can be found.

.IP "\fB\-\-lang, \-\-language <language>\fP"
This option specifies which language to use for the displayed tests and results.
The currently supported languages can be seen by the \fB\-\-list\fP command
option. The default is \fIen\fP (English). If a message to be displayed cannot
be found in the language file, then the English version will be used. As such,
the English language file must always be present. The \fB\-\-update\fP command
option will update the language files when new versions are available.

.IP "\fB\-l, \-\-logfile [file]\fP"
By default \fBrkhunter\fP will write out a log file. The default location of
the file is \fI/var/log/rkhunter.log\fP. However, this location can be changed
by using this option. If \fI/dev/null\fP is specified as the log file, then no
log file will be written. If no specific \fIfile\fP is given, then the default
will be used. By default \fBrkhunter\fP will create a new log file each time
it is run. Any previously existing logfile is moved out of the way, and has
\fI.old\fP appended to it.

.IP \fB\-\-noappend\-log\fP
This option reverts \fBrkhunter\fP to its default behaviour of creating a new
log file rather than appending to it.

.IP \fB\-\-nocolors\fP
This option causes the result of each test to not be displayed in a specific
color. The default color, usually the reverse of the background color, will be
used (typically this is just black and white).

.IP \fB\-\-nolog\fP
This option tells \fBrkhunter\fP not to write anything to a log file.

.IP "\fB\-\-nomow, \-\-no\-mail\-on\-warning\fP"
The configuration file has an option which will cause a simple email message to
be sent to a user should \fBrkhunter\fP detect any warnings. This command\-line
option overrides the configuration file option, and prevents an email message
from being sent. The configuration file default is not to email a message.

.IP "\fB\-\-ns, \-\-nosummary\fP"
When the \fB\-\-check\fP command option is used, by default a short summary of
results is displayed at the end. This option prevents the summary from being
displayed.

.IP "\fB\-\-novl, \-\-no\-verbose\-logging\fP"
During some tests \fBrkhunter\fP will log a lot of information. Use of this
option reduces the amount of logging, and so can improve the performance of
\fBrkhunter\fP. However, the log file will contain less information should any
warnings occur. By default verbose logging is enabled.

.IP "\fB\-\-pkgmgr {RPM | DPKG | BSD | NONE}\fP"
This option is used during the file properties check or when the
\fB\-\-propupd\fP command option is given. It tells \fBrkhunter\fP that the
current file property values should be obtained from the relevant package manager.
See the README file for more details of this option. The default is \fINONE\fP,
which means not to use a package manager.

.IP "\fB\-q, \-\-quiet\fP"
This option tells \fBrkhunter\fP not to display any output. It can be useful
when only the exit code is going to be checked. Other options may be used with
this one, to force only specific items to be displayed.

.IP "\fB\-\-rwo, \-\-report\-warnings\-only\fP"
This option causes only warning messages to be displayed. This can be
useful when \fBrkhunter\fP is run via cron. Other options may be used to
force other items of information to be displayed.

.IP "\fB\-r, \-\-rootdir <directory>\fP"
If a suspect system is locally or remotely mounted, it is possible to tell
\fBrkhunter\fP to inspect it by using this option. However, it must be used
with care, as several of the other options specifying configuration
directories may need to be set as well. There is no default.

.IP "\fB\-\-sk, \-\-skip\-keypress\fP"
When the \fB\-\-check\fP command option is used, after certain sections of
tests, the user will be prompted to press the \fIreturn\fP key in order to
continue. This option disables that feature, and \fBrkhunter\fP will run until
all the tests have completed.

If this option has not been given, and the user is prompted to press the
\fIreturn\fP key, a single '\fIs\fP' character, in upper\- or lowercase, may be
given followed by the \fIreturn\fP key. \fBrkhunter\fP will then continue
the tests without prompting the user again (as if this option had been given).

.IP \fB\-\-summary\fP
This option will cause the summary of test results to be displayed. This is
the default.

.IP "\fB\-\-syslog [facility.priority]\fP"
When the \fB\-\-check\fP command option is used, this option will cause the
start and finish times to be logged to syslog. The default is not to log
anything to syslog, but if the option is used, then the default level
is \fIauthpriv.notice\fP.

.IP "\fB\-\-tmpdir <directory>\fP"
The installation process will automatically configure where temporary files are
to be created. However, if necessary, this option can be used to specify a
different directory. The directory must not be a symbolic link, and must be
secure (root access only).

.IP "\fB\-\-vl, \-\-verbose\-logging\fP"
This option tells \fBrkhunter\fP that when it runs some tests, it should log
as much information as possible. This can be useful when trying to diagnose
why a warning has occurred, but it obviously also takes more time. The default
is to use verbose logging.

.IP "\fB\-x, \-\-autox\fP"
When this option is used, \fBrkhunter\fP will try and detect if the X Window
system is in use. If it is in use, then the second color set will
automatically be used (see the \fB\-\-color\-set2\fP option). This allows
\fBrkhunter\fP to be run on, for example, a server console (where X is not
present, so the default color set should be used), and on a users terminal
(where X is in use, so the second color set should be used). In both cases
\fBrkhunter\fP will use the correct color set. The configuration file default
is to try and detect X.

.IP "\fB\-X, \-\-no\-autox\fP"
This option prevents \fBrkhunter\fP from automatically detecting if the X
Window system is being used. See the \fB\-\-autox\fP option.


.SH TESTS

.IP "\fBadditional_rkts\fP" 
This test is for SHORT_EXPLANATION. It works as part of GROUP. Corresponding 
configuration file entries: ONE=one, TWO=two and for white-listing 
THREE=three,three. Simple globbing (/dev/shm/file-*) works.


.IP \fBall\fP
.IP \fBapps\fP
.IP \fBattributes\fP
.IP \fBdeleted_files\fP
.IP \fBfilesystem\fP
.IP \fBgroup_accounts\fP
.IP \fBgroup_changes\fP
.IP \fBhashes\fP
.IP \fBhidden_procs\fP
.IP \fBimmutable known_rkts\fP
.IP \fBlocal_host\fP
.IP \fBmalware\fP
.IP \fBnetwork\fP
.IP \fBnone\fP
.IP \fBos_specific\fP
.IP \fBother_malware\fP
.IP \fBpacket_cap_apps\fP
.IP \fBpasswd_changes\fP
.IP \fBports\fP
.IP \fBpossible_rkt_files\fP
.IP \fBpossible_rkts\fP
.IP \fBpossible_rkt_strings\fP
.IP \fBpromisc\fP
.IP \fBproperties\fP
.IP \fBrootkits\fP
.IP \fBrunning_procs\fP
.IP \fBscripts\fP
.IP \fBshared_libs\fP
.IP \fBshared_libs_path\fP
.IP \fBstartup_files\fP
.IP \fBstartup_malware\fP
.IP \fBstrings\fP
.IP \fBsuspscan\fP
.IP \fBsystem_commands\fP
.IP \fBsystem_configs trojans\fP


.SH FILES
(For a default installation)
/etc/rkhunter.conf

.SH SEE ALSO
See the CHANGELOG file for recent changes.
.br
The README file has information about installing \fBrkhunter\fP, as well as
specific sections on test names and using package managers.
.br
The FAQ file should also answer some questions.

.SH LICENSING
RootKit Hunter is licensed under the GPL, copyright Michael Boelen.
See the LICENSE file for details of GPL licensing.

.SH CONTACT INFORMATION
RootKit Hunter is under active development by the RootKit Hunter 
project team. For reporting bugs, updates, patches, comments and 
questions, please go to http://rkhunter.sourceforge.net/
.fi