This how-to helps you deal with rkhunter suspect files. rkhunter may report suspect files after a software update, but also when one of the cyber risks you face has materialized.
Index Of How To rkhunter Suspect Files
- How To rkhunter Suspect Files
- Additional Information
This how-to assumes that you received a notification of suspect files from rkhunter, or that you found them in rkhunter's logfile. In the logfile it could look like this:
[06:27:41] System checks summary
[06:27:41] =====================
[06:27:41]
[06:27:41] File properties checks...
[06:27:41] Files checked: 144
[06:27:41] Suspect files: 5
[06:27:41]
Alternatively, if you have activated email notifications, you may have received an email that looks like this:
Receiving rkhunter messages like the above is a typical scenario after, for example, Debian automatically updated the operating system. Nevertheless, since rkhunter is part of your cyber defense, you should verify the warning rather than dismiss it. To do so, this how-to guides you through an example of how you can do this.
First of all, you want to check your logfile to find out whether there was indeed an operating system update. Debian Linux auto updates are typically recorded in history.log. Simply read it and you will find out whether there was a recent update. Run the command below:
The outcome could, for example, look like this:
Start-Date: 2023-03-25 04:49:46
Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true
Upgrade: tzdata:amd64 (2021a-0+deb10u8, 2021a-0+deb10u10)
End-Date: 2023-03-25 04:49:48

Start-Date: 2023-03-30 04:19:26
Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true
Upgrade: libunbound8:amd64 (1.9.0-2+deb10u2, 1.9.0-2+deb10u3)
End-Date: 2023-03-30 04:19:27

Start-Date: 2023-03-31 04:17:52
Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true
Upgrade: libsystemd0:amd64 (241-7~deb10u8, 241-7~deb10u9), udev:amd64 (241-7~deb10u8, 241-7~deb10u9), libmicrohttpd12:amd64 (0.9.62-1, 0.9.62-1+deb10u1), libudev1:amd64 (241-7~deb10u8, 241-7~deb10u9), systemd-sysv:amd64 (241-7~deb10u8, 241-7~deb10u9), libmicrohttpd-dev:amd64 (0.9.62-1, 0.9.62-1+deb10u1), libpam-systemd:amd64 (241-7~deb10u8, 241-7~deb10u9), systemd:amd64 (241-7~deb10u8, 241-7~deb10u9), libnss-systemd:amd64 (241-7~deb10u8, 241-7~deb10u9)
End-Date: 2023-03-31 04:18:15
With this information in hand, you are in a good position to compare it with the rkhunter log or email notification. Keep this window open and move on to the next chapter, "Check rkhunter Log".
Check rkhunter Log
It is best to open a new terminal window. This allows you to compare the log above with what is in the rkhunter log. Run the following command:
cat rkhunter.log | grep Warning
This should output something like the below:
[06:27:06] /usr/sbin/init [ Warning ]
[06:27:07] Warning: The file properties have changed:
[06:27:08] /usr/sbin/runlevel [ Warning ]
[06:27:08] Warning: The file properties have changed:
[06:27:24] /usr/bin/systemd [ Warning ]
[06:27:24] Warning: The file properties have changed:
[06:27:24] /usr/bin/systemctl [ Warning ]
[06:27:24] Warning: The file properties have changed:
[06:27:27] /usr/lib/systemd/systemd [ Warning ]
[06:27:27] Warning: The file properties have changed:
With this in hand, you can now compare the two logfiles for items that match. If you opened them in two different terminal windows, this is easier. In the two logs above, as an example, it is easy to see that "systemd" was updated. Looking into rkhunter.log, systemd can be found too. This is a good hit!
What does it mean? Basically, Debian updated systemd, and therefore the hash value of the systemd file most likely changed. rkhunter detected this and printed a warning. This is perfect! If, however, you cannot find any indication that updates were made, then you potentially do have a security issue. In this case you should analyse your system in more depth!
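The manual comparison described above, automated as an added example that is not part of this how-to: it parses constructed samples of apt's history.log, rkhunter.log and `dpkg -S` output (which names the package that owns each flagged file, a step the how-to does by eye) and separates warnings explained by an upgrade from those that need investigation. All paths, package names and versions in the samples are constructed.

```python
import re
# Constructed sample of Debian's apt history.log (one dist-upgrade run)
APT_HISTORY = """\
Start-Date: 2023-03-31 04:17:52
Upgrade: libsystemd0:amd64 (241-7~deb10u8, 241-7~deb10u9), systemd:amd64 (241-7~deb10u8, 241-7~deb10u9), systemd-sysv:amd64 (241-7~deb10u8, 241-7~deb10u9)
End-Date: 2023-03-31 04:18:15
"""

# Constructed sample of rkhunter.log warnings from the run after that upgrade
RKHUNTER_LOG = """\
[06:27:06] /usr/sbin/init [ Warning ]
[06:27:07] Warning: The file properties have changed:
[06:27:24] /usr/bin/systemctl [ Warning ]
[06:27:30] /usr/bin/ssh [ Warning ]
"""

# Constructed sample of `dpkg -S <path>` output, which names the package owning a file
DPKG_OWNERS = """\
systemd-sysv: /usr/sbin/init
systemd: /usr/bin/systemctl
openssh-client: /usr/bin/ssh
"""

def upgraded_packages(history):
    """Package names from every 'Upgrade:' line ('libsystemd0:amd64 (...)' -> 'libsystemd0')."""
    names = set()
    for line in history.splitlines():
        if line.startswith("Upgrade:"):
            names.update(re.findall(r"([\w.+-]+):\w+ \(", line))
    return names

def warned_files(log):
    """Paths rkhunter flagged with '[ Warning ]'; the 'Warning:' detail lines are skipped."""
    return re.findall(r"^\[\d\d:\d\d:\d\d\] (\S+) \[ Warning \]$", log, re.M)

def file_owners(dpkg_output):
    """Parse 'package: /path' lines into {path: package}."""
    return {path: pkg for pkg, path in re.findall(r"^([\w.+-]+): (\S+)$", dpkg_output, re.M)}

def triage(history, log, dpkg_output):
    """Split warnings into those explained by an apt upgrade and those that are not."""
    upgraded, owners = upgraded_packages(history), file_owners(dpkg_output)
    explained, suspicious = {}, []
    for path in warned_files(log):
        pkg = owners.get(path)  # None if dpkg knows no owner for this file
        if pkg in upgraded:
            explained[path] = pkg
        else:
            suspicious.append(path)  # no package update accounts for this change: investigate
    return explained, suspicious
```

Feed the real contents of the three sources to triage(); every path in the second list has no recorded upgrade to account for it and deserves the deeper analysis the how-to mentions.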
Fix The rkhunter Warning
To fix the rkhunter warning, you need to update the rkhunter database. Do this only after you have confirmed, as above, that the changed files come from a legitimate update, because the updated database becomes the new baseline. I recommend doing this together with updating rkhunter itself. To do so, run the following command:
rkhunter --update --propupd
There are various sources on the internet that allow you to dive deeper into rkhunter specifics. Below you find some links that may help you:
- Rkhunter Linux man page – man page including rkhunter description and command options
- Debian Linux rkhunter man page – specific Debian Linux man page about rkhunter