linux-rkhunter
Runs rkhunter (Rootkit Hunter) on the Linux system and retrieves the scan results. rkhunter is a security inspection tool that detects rootkits, backdoors, and suspicious files.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | Administrator |
| License usage | Licensed command |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
linux-rkhunter [ignore-error=BOOL]
Options
ignore-error=BOOL - Whether to ignore errors when rkhunter is not installed or fails to run. When set to t, the command returns empty results and terminates normally if an error occurs. (Default: f)
Output fields
| Field | Type | Description |
|---|---|---|
| target | string | Warning target: a file path, command name, process name, SSH configuration option, etc. |
| reason | string | Warning reason. Indicates the cause of the detected threat. |
| description | string | Detailed warning description. Contains additional information about the detected threat. |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 95040 | no-read-permission | Occurs when the command is run without administrator privilege |
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| - | - | When rkhunter is not installed or fails to run | Returns empty results if ignore-error=t is set; otherwise terminates the query |
Description
The linux-rkhunter command runs rkhunter -c --enable all --disable none --rwo to perform a full scan and extracts only the warning items. The --rwo option (report warnings only) is an rkhunter option that prints only the warning lines, so the output contains nothing but the findings to be parsed.
The following types of warnings are parsed from the scan results:
- Command tampering warnings: a system command binary has been replaced or modified
- Hidden file warnings: hidden files or directories are found in system locations
- Processes using deleted files: a running process holds a file that has been deleted from disk
- Suspicious file warnings: files of a suspicious type are found
- SSH configuration warnings: an SSH configuration option does not meet security standards
If rkhunter is not installed on the system, the query terminates with a runtime error. When ignore-error=t is specified, the command returns empty results without an error if rkhunter is not installed or fails to run.
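The parsing step above, as an added example that is not the product's own implementation: it runs the documented rkhunter command line, splits the --rwo output into one record per Warning line (rkhunter indents continuation lines under the warning they belong to), and classifies each into the target/reason/description fields. The sample output, the reason labels and the regular expressions are assumptions modelled on rkhunter's warning wording, which varies between versions; the ignore_error flag mirrors the ignore-error option.

```python
"""Parse `rkhunter --rwo` warning output into target/reason/description rows.

Added example, not the linux-rkhunter command's own parser. The sample text and
the regular expressions below are constructed to mimic rkhunter's warning
wording; adjust them for the rkhunter version actually deployed.
"""
import re
import shutil
import subprocess

# Constructed sample of `rkhunter -c --enable all --disable none --rwo` output.
SAMPLE_RWO = """\
Warning: The command '/usr/bin/ls' has been replaced by a script: /usr/bin/ls: POSIX shell script, ASCII text executable
Warning: Hidden file found: /etc/.pwd.lock: data
Warning: Process '/usr/sbin/sshd' (PID 1234) is using a deleted file: '/tmp/.x'
Warning: Suspicious file types found in /dev:
         /dev/shm/.sess: ELF 64-bit LSB executable
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
         The default value may be 'yes', to allow root access.
"""

# One pattern per warning class named in the command description (labels are
# assumptions). The first matching pattern wins.
PATTERNS = [
    ("command-tampered", re.compile(
        r"The command '(?P<target>[^']+)' has been replaced by a script: (?P<desc>.*)")),
    ("hidden-file", re.compile(
        r"Hidden file found: (?P<target>[^:]+): (?P<desc>.*)")),
    ("deleted-file-in-use", re.compile(
        r"Process '(?P<target>[^']+)' \(PID \d+\) is using a deleted file: (?P<desc>.*)")),
    ("ssh-config", re.compile(
        r"The SSH configuration option '(?P<target>[^']+)' (?P<desc>.*)")),
]


def group_warnings(text):
    """Return [head, continuation_lines] pairs.

    rkhunter prints each finding as a 'Warning:' line, optionally followed by
    indented lines that belong to it (file lists, explanations)."""
    records = []
    for line in text.splitlines():
        if line.startswith("Warning:"):
            records.append([line[len("Warning:"):].strip(), []])
        elif records and line[:1].isspace():
            records[-1][1].append(line.strip())
    return records


def parse_rwo(text):
    """Map grouped warnings to {target, reason, description} rows."""
    rows = []
    for head, cont in group_warnings(text):
        if head.startswith("Suspicious file types found in"):
            # Each indented line is one 'path: filetype' entry; emit a row per file.
            for entry in cont:
                path, _, ftype = entry.partition(": ")
                rows.append({"target": path, "reason": "suspicious-file", "description": ftype})
            continue
        full = " ".join([head, *cont])
        for reason, pattern in PATTERNS:
            m = pattern.match(full)
            if m:
                rows.append({"target": m.group("target"), "reason": reason,
                             "description": m.group("desc").strip()})
                break
        else:
            # Unknown wording: keep the finding rather than drop it silently.
            rows.append({"target": None, "reason": "unclassified", "description": full})
    return rows


def run_rkhunter(ignore_error=False):
    """Run the full scan and parse it; with ignore_error=True a missing or
    failing rkhunter yields [] instead of raising. Needs root to be meaningful."""
    if shutil.which("rkhunter") is None:
        if ignore_error:
            return []
        raise RuntimeError("rkhunter is not installed")
    try:
        proc = subprocess.run(
            ["rkhunter", "-c", "--enable", "all", "--disable", "none", "--rwo"],
            capture_output=True, text=True, stdin=subprocess.DEVNULL)
    except OSError as exc:
        if ignore_error:
            return []
        raise RuntimeError(f"rkhunter failed to run: {exc}")
    # rkhunter exits 1 when it has warnings to report, so only codes above 1 are failures.
    if proc.returncode > 1:
        if ignore_error:
            return []
        raise RuntimeError(f"rkhunter exited {proc.returncode}: {proc.stderr.strip()}")
    return parse_rwo(proc.stdout)


if __name__ == "__main__":
    for row in parse_rwo(SAMPLE_RWO):
        print(row)
```

Warnings whose wording matches none of the patterns are kept with reason "unclassified" instead of being discarded, so a new rkhunter message never silently disappears from the results; the search isnotnull(reason) filter in the examples would still return them.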
Examples
- Retrieve rkhunter scan results
  linux-rkhunter
  Runs rkhunter on the system and retrieves the warning items.
- Retrieve scan results while ignoring errors
  linux-rkhunter ignore-error=t
  Terminates normally without an error even if rkhunter is not installed.
- Filter only warnings that have a reason
  linux-rkhunter | search isnotnull(reason)
  Retrieves only the items whose reason field is set.