rkhunter
--------

* RKHUNTER FAQ

The new Rootkit Hunter FAQ is located at:
http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034

* FALSE POSITIVES

Below is a list of packages which are known to set off false alarms in
rkhunter:

  * slice: /usr/bin/slice sets off a false alarm about RH-Sharpe
  * sash: as the root account is cloned to sashroot, rkhunter issues a
    warning that the sashroot account has UID=0. If you have deliberately
    installed sash, you can avoid this warning with the UID0_ACCOUNTS
    configuration option in /etc/rkhunter.conf.

--

Below is a list of common hidden files and directories known to set off
false alarms in rkhunter:

  * /dev/.static/, /dev/.udev & /dev/.udevdb/ - used by udev
  * /etc/.java/ - it is common for java installations to use this hidden
    directory
  * /dev/.initramfs - created by initramfs-tools generated ramfs
    filesystems during boot

In most cases, you can just ignore warnings about these files and
directories. Use the ALLOWHIDDENFILE and ALLOWHIDDENDIR options in
/etc/rkhunter.conf to suppress them.

* HASH CHECKS

By default, all hash checks are now ENABLED in the standard daily cron
job. Add the 'hashes' and 'attributes' tests to the DISABLED_TESTS option
in /etc/rkhunter.conf if you wish to disable them.

If enabled, each time a base package is upgraded, you will have to run:

  rkhunter --propupd

to update the file properties database located in
/var/lib/rkhunter/db/rkhunter.dat.

This can be done automatically after each install/remove. Please run:

  # dpkg-reconfigure rkhunter

to enable this feature. Note that if both the 'hashes' and 'attributes'
tests are disabled, this feature will be automatically disabled. This is
also the case if the test group 'properties' is disabled.

* WEEKLY DATABASE UPDATES

To be able to run the automatic database update, you will need a tool
with which to download file updates. Currently wget, curl, (e)links,
lynx and GET are supported.

You will also need to reconfigure rkhunter to activate the automatic
weekly database update:

  # dpkg-reconfigure rkhunter

* THIRD PARTY TOOLS

rkhunter also supports two 3rd party tools which are not in Debian:

  * skdet - http://www.rootshell.be/~unspawn/packaging/skdet.html (*)

    Skdet is a simple program that will detect the following rootkits:
      - SucKIT (<=1.3b)
      - adore (all versions)
      - adore-ng (all versions)
      - UNFshit (<=1.1a)
      - UNFkmem (from phrack.org)
      - frontkey (first release)
      - all rootkits that use trojaned files

    Note that Skdet seems to be unmaintained, and is probably obsolete.
    USE AT YOUR OWN RISK

(*) The original skdet website is down; this is an archived copy provided
    by the main rkhunter developer.

 -- Micah Anderson  Sat Sep  3 18:23:21 CDT 2005
 -- Julien Valroff  Sun, 07 Oct 2007 14:15:37 +0200
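The rules from the FALSE POSITIVES, HASH CHECKS and WEEKLY DATABASE UPDATES sections above, as an added example that is not part of the rkhunter package or of this README: a POSIX sh snippet that reads DISABLED_TESTS from an rkhunter.conf-style file to decide whether 'rkhunter --propupd' is still required after a base package upgrade (it is, unless both 'hashes' and 'attributes' or the whole 'properties' group are disabled), and that looks for one of the supported download tools. The helper names, the config path handling and the sample configuration at the end (which also shows the UID0_ACCOUNTS, ALLOWHIDDENDIR and ALLOWHIDDENFILE syntax) are assumptions constructed for illustration; nothing here runs rkhunter itself.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. Assumes the file passed in uses
# rkhunter.conf syntax, where DISABLED_TESTS is a space-separated list,
# optionally double-quoted.

# Print the value of DISABLED_TESTS from a config file (last definition wins,
# quotes stripped); prints nothing if the option is absent.
disabled_tests() {
    sed -n 's/^[[:space:]]*DISABLED_TESTS[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '"'
}

# Exit 0 when the file properties tests are still active, i.e. the
# properties database must be refreshed with 'rkhunter --propupd' after
# each base package upgrade. Mirrors the README rule: disabling both
# 'hashes' and 'attributes', or the 'properties' group, turns this off.
propupd_needed() {
    tests=$(disabled_tests "$1")
    case " $tests " in
        *" properties "*) return 1 ;;
    esac
    hashes_off=0
    attrs_off=0
    case " $tests " in *" hashes "*) hashes_off=1 ;; esac
    case " $tests " in *" attributes "*) attrs_off=1 ;; esac
    [ "$hashes_off" -eq 1 ] && [ "$attrs_off" -eq 1 ] && return 1
    return 0
}

# Print the first supported download tool found in PATH, or "none"
# (exit 1) when the weekly database update cannot run.
find_download_tool() {
    for tool in wget curl elinks links lynx GET; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# Constructed sample configuration (not a real /etc/rkhunter.conf): the
# udev/java/initramfs entries and the sash root clone from the README.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENFILE=/dev/.initramfs
UID0_ACCOUNTS=sashroot
DISABLED_TESTS="suspscan hidden_procs deleted_files"
EOF
if propupd_needed "$sample"; then
    echo "properties tests active: run 'rkhunter --propupd' after package upgrades"
else
    echo "properties tests disabled: no --propupd needed"
fi
echo "download tool for weekly updates: $(find_download_tool)"
rm -f "$sample"
```

To use it against the real configuration, call `propupd_needed /etc/rkhunter.conf` from a post-upgrade hook and run `rkhunter --propupd` as root only when it succeeds; this is the same decision the dpkg-reconfigure option automates.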