Rootkit and malware detection for Ubuntu servers with automated scanning and false-positive management.
- ✅ Automated Daily Scans - Runs via cron.daily at 06:25 (systemd timer)
- ✅ Weekly Database Updates - Automatic rootkit signature updates
- ✅ Email Alerts - Configurable notifications on warnings
- ✅ False-Positive Whitelisting - Production-tested exclusions
- ✅ Low Overhead - Minimal system impact (~30 seconds scan time)
- ✅ Complementary to AIDE - Signature-based detection vs integrity-based
```bash
# 1. Install and initialize
sudo apt install rkhunter
sudo rkhunter --update && sudo rkhunter --propupd

# 2. Run first scan
sudo rkhunter --check --skip-keypress

# 3. Configure email alerts (optional)
sudo nano /etc/rkhunter.conf   # Set: MAIL-ON-WARNING=your@email.com
```

Full guide: See docs/SETUP.md
| Document | Description |
|---|---|
| SETUP.md | Installation, configuration, and automation setup |
| FALSE_POSITIVES.md | Known false positives and whitelisting strategies |
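As an added example (not part of this repository or of rkhunter), a POSIX shell post-filter that pulls the Warning lines out of an rkhunter log, drops the ones matching a hand-reviewed false-positive list, and only then decides whether to alert. The log lines and whitelist entries are constructed; the durable fix for a confirmed false positive is still a rkhunter.conf entry such as SCRIPTWHITELIST or ALLOWHIDDENDIR.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: triage warnings from an rkhunter log
# against a reviewed false-positive list before alerting. Use it to inspect a
# log before committing a SCRIPTWHITELIST / ALLOWHIDDENDIR line to rkhunter.conf.

# Constructed log lines in rkhunter's "[HH:MM:SS] Level: message" layout
# (a real log is written to /var/log/rkhunter.log by `rkhunter --check`).
SAMPLE_LOG=$(cat <<'EOF'
[06:25:01] Info: Starting test name 'filesystem'
[06:25:02] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[06:25:03] Warning: Hidden directory found: /etc/.java
[06:25:04] Info: Starting test name 'rootkits'
[06:25:05] Warning: Hidden file found: /dev/.constructed-sample
[06:25:06] Info: End of test name 'rootkits'
EOF
)

# Constructed whitelist: one fixed-string fragment per line. A blank line would
# match every warning, so the list must contain no empty entries.
WHITELIST=$(cat <<'EOF'
/usr/bin/egrep' has been replaced by a script
Hidden directory found: /etc/.java
EOF
)

# Print the message part of every Warning line; prints nothing if there are none.
extract_warnings() {
    printf '%s\n' "$1" | sed -n 's/^\[[0-9:]*\] Warning: //p'
}

# Remove warnings that contain any whitelist fragment (fixed strings, grep -F).
filter_whitelisted() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$1" | grep -v -F -f "$tmp" || true   # no survivors is not an error
    rm -f "$tmp"
}

# Succeed (exit 0) only when at least one warning survives the whitelist.
needs_alert() {
    [ -n "$(filter_whitelisted "$(extract_warnings "$1")" "$2")" ]
}

remaining=$(filter_whitelisted "$(extract_warnings "$SAMPLE_LOG")" "$WHITELIST")
if needs_alert "$SAMPLE_LOG" "$WHITELIST"; then
    printf 'ALERT: unexplained rkhunter warnings:\n%s\n' "$remaining"
fi
```

With the constructed input, the two whitelisted findings are dropped and only the hidden file under /dev is reported, which is the one a human should look at before any new exclusion is written.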
- Ubuntu 22.04+ / Debian 11+
- rkhunter v1.4.6+
- Mail transfer agent (for email alerts - optional)
rkhunter and AIDE are complementary tools for defense-in-depth:
| Feature | rkhunter | AIDE |
|---|---|---|
| Detection Method | Signature-based | Integrity-based |
| Speed | Fast (~30 seconds) | Slow (~5 minutes) |
| Rootkit Detection | ✅ Specialized | ❌ No |
| File Integrity | Basic | ✅ Advanced |
| False Positives | Low-Medium | High (needs tuning) |
| Use Case | Known rootkit scanning | File change detection |
Recommendation: Run both for comprehensive coverage.
- ✅ Production Servers - Detect known rootkits and backdoors
- ✅ Defense-in-Depth - Complement AIDE and auditd monitoring
- ✅ Compliance - Regular security scanning requirements
- ✅ Post-Incident - Verify system integrity after compromise
- aide - File integrity monitoring (complementary tool)
- auditd - Kernel-level audit logging
- security-monitoring - Unified security event monitoring