rkhunter is a rootkit and malware detection application available in the repositories. So you can install it using pacman with command:
#pacman -S rkhunter ##to install rkhunter.
I’m skipping configuration steps for your user case. I’m referring to any changes you wish to do with /etc/rkhunter.conf. Perhaps another blog post is necessary. For this post, I wish to start rkhunter in systemd using Unit and Timer methods.
systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. systemd provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. systemd supports SysV and LSB init scripts and works as a replacement for sysvinit. Other parts include a logging daemon, utilities to control basic system configuration like the hostname, date, locale, maintain a list of logged-in users and running containers and virtual machines, system accounts, runtime directories and settings, and daemons to manage simple network configuration, network time synchronization, log forwarding, and name resolution.
I wish to run rkhunter daily with systemd managing the service and the process. To do this I have to create two files. A Unit or Service file and a Timer file. I’m going to use vim but use the text editor of your choice.
#vim /etc/systemd/system/rkhunter.service ##to create the service file
[sample service file]
Description=rkhunter rootkit scan and malware detection
ExecStart=/usr/bin/rkhunter –check -sk
ExecStartPre is the command for pre-processes to start first
ExecStart is the command for the main process, path to the command.
SuccessExitStatus= takes a list of exit codes to accept as successful termination of the service.
#vim /etc/systemd/system/rkhunter.timer ##to create a Timer file. A timer file ends in .timer. A timer file is required by the service file.
[sample timer file]
Description=Run rkhunter daily
Unit= refers to the service the timer is starting
OnCalendar= refers to real time (wallclock, etc.) for example second, minute, hours, day, week, year
RandomizedDelaySec=span of time timer can randomly delay starting the service. useful if you want rkhunter to run during idle hours (e.g. from 12 midnight to 6 am)
WakeSystem= tells systemd to wake the machine up from sleep to perform action if supported
Persistent=applies to OnCalendar timers, the last time time elapse is saved on disk. useful when scheduled run is missed.
RemainAfterElapse configures the timer to remain active after the time for it to activate elapse.
$ systemctl status rkhunter.timer
● rkhunter.timer – Run rkhunter daily
Loaded: loaded (/etc/systemd/system/rkhunter.timer; disabled; vendor preset: disabled)
Active: active (running) since Sat 2017-08-12 23:37:04 +08; 1h 6min ago
● rkhunter.service – rkhunter rootkit scan and malware detection
Loaded: loaded (/etc/systemd/system/rkhunter.service; static; vendor preset: disabled)
Active: active (exited) since Sat 2017-08-12 23:08:17 +08; 1h 36min ago
Main PID: 16924 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
If you are prompted to reload systemd, the command is :
If rkhunter finds something suspicious, and issues a warning the process will exit with a value other than 0 which is failure. I have rkhunter configured to send an email to me in /etc/rkhunter.conf in such a case.