Setting Up rkhunter Using systemd

rkhunter is a rootkit and malware detection application available in the repositories. So you can install it using pacman with command:
#pacman -S rkhunter ##to install rkhunter.

I’m skipping configuration steps for your user case. I’m referring to any changes you wish to do with /etc/rkhunter.conf. Perhaps another blog post is necessary. For this post, I wish to start rkhunter in systemd using Unit and Timer methods.

From systemd Website:

systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. systemd provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. systemd supports SysV and LSB init scripts and works as a replacement for sysvinit. Other parts include a logging daemon, utilities to control basic system configuration like the hostname, date, locale, maintain a list of logged-in users and running containers and virtual machines, system accounts, runtime directories and settings, and daemons to manage simple network configuration, network time synchronization, log forwarding, and name resolution.

I wish to run rkhunter daily with systemd managing the service and the process. To do this I have to create two files. A Unit or Service file and a Timer file. I’m going to use vim but use the text editor of your choice.

#vim /etc/systemd/system/rkhunter.service ##to create the service file

[sample service file]
Description=rkhunter rootkit scan and malware detection


ExecStartPre=/usr/bin/rkhunter –update
ExecStartPre=/usr/bin/rkhunter –propupd
ExecStart=/usr/bin/rkhunter –check -sk
SuccessExitStatus=1 2


ExecStartPre is the command for pre-processes to start first

ExecStart is the command for the main process, path to the command.
SuccessExitStatus= takes a list of exit codes to accept as successful termination of the service.


#vim /etc/systemd/system/rkhunter.timer ##to create a Timer file. A timer file ends in .timer. A timer file is required by the service file.

[sample timer file]
Description=Run rkhunter daily

OnCalendar=*-*-* 04:20:00




Unit= refers to the service the timer is starting
OnCalendar= refers to real time (wallclock, etc.) for example second, minute, hours, day, week, year
RandomizedDelaySec=span of time timer can randomly delay starting the service. useful if you want rkhunter to run during idle hours (e.g. from 12 midnight to 6 am)
WakeSystem= tells systemd to wake the machine up from sleep to perform action if supported
Persistent=applies to OnCalendar timers, the last time time elapse is saved on disk. useful when scheduled run is missed.

RemainAfterElapse configures the timer to remain active after the time for it to activate elapse.


$ systemctl status rkhunter.timer
● rkhunter.timer – Run rkhunter daily
Loaded: loaded (/etc/systemd/system/rkhunter.timer; disabled; vendor preset: disabled)
Active: active (running) since Sat 2017-08-12 23:37:04 +08; 1h 6min ago
Trigger: n/a

● rkhunter.service – rkhunter rootkit scan and malware detection
Loaded: loaded (/etc/systemd/system/rkhunter.service; static; vendor preset: disabled)
Active: active (exited) since Sat 2017-08-12 23:08:17 +08; 1h 36min ago
Main PID: 16924 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/rkhunter.service

If you are prompted to reload systemd, the command is :
#systemctl daemon-reload

If rkhunter finds something suspicious, and issues a warning the process will exit with a value other than 0 which is failure. I have rkhunter configured to send an email to me in /etc/rkhunter.conf in such a case.


One thought on “Setting Up rkhunter Using systemd

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s