Rootkit detector: rkhunter auto database update options

user364819

In the rkhunter config file here /etc/default/rkhunter it says:

# Defaults for rkhunter automatic tasks
# sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter
#
# This is a POSIX shell fragment
#

# Set this to yes to enable rkhunter daily runs
# (default: true)
CRON_DAILY_RUN=""

# Set this to yes to enable rkhunter weekly database updates
# (default: true)
CRON_DB_UPDATE=""

# Set this to yes to enable reports of weekly database updates
# (default: false)
DB_UPDATE_EMAIL="false"

# Set this to the email address where reports and run output should be sent
# (default: root)
REPORT_EMAIL="root"

# Set this to yes to enable automatic database updates
# (default: false)
APT_AUTOGEN="false"

# Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable)
# (default: 0)
NICE="0"

# Should daily check be run when running on battery
# powermgmt-base is required to detect if running on battery or on AC power
# (default: false)
RUN_CHECK_ON_BATTERY="false"
APT_AUTOGEN="yes"

What are the options which talk about auto database updates? Like here for instance:

# Set this to yes to enable automatic database updates
# (default: false)
APT_AUTOGEN="false"

Here:

# Set this to yes to enable rkhunter weekly database updates
# (default: true)
CRON_DB_UPDATE=""

And here:

# Set this to yes to enable rkhunter daily runs
# (default: true)
CRON_DAILY_RUN=""

Some sort of virus database update that otherwise I would have to do manually? If so how would I run it manually? Or is this checking if there is a new rkhunter version available?

If I do get it to run auto database updates, should I get it to do weekly and daily? Or do I only choose whether I want it weekly, or daily?
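The fragment quoted above is a POSIX shell snippet that the cron scripts source, so how its values resolve can be checked directly. The following is an added example, not code from the post or from the rkhunter project: it sources a constructed copy of the fragment, substitutes each option's documented default when the value is empty, and shows that a later assignment (the second `APT_AUTOGEN` line) silently overrides the earlier one. Treating "yes" or "true" as enabled is an assumption here; check your distribution's cron script for the exact test it applies.

```shell
#!/bin/sh
# Added example: resolve /etc/default/rkhunter options the way a sourcing
# script sees them. Empty values fall back to the documented default.

# Constructed sample fragment mirroring the one in the question.
SAMPLE_FRAGMENT='
CRON_DAILY_RUN=""
CRON_DB_UPDATE=""
DB_UPDATE_EMAIL="false"
REPORT_EMAIL="root"
APT_AUTOGEN="false"
NICE="0"
RUN_CHECK_ON_BATTERY="false"
APT_AUTOGEN="yes"
'

# effective_value FRAGMENT VAR DEFAULT
# Sources FRAGMENT in a subshell (nothing leaks into the caller), then prints
# VAR, falling back to DEFAULT when VAR is empty or unset.
effective_value() {
    fragment=$1; var=$2; default=$3
    (
        eval "$fragment"
        eval "val=\${$var:-}"
        printf '%s\n' "${val:-$default}"
    )
}

# is_enabled FRAGMENT VAR DEFAULT -> exit 0 if the resolved value means "on".
# Assumption: "yes" and "true" (any case) count as enabled.
is_enabled() {
    case "$(effective_value "$1" "$2" "$3" | tr 'A-Z' 'a-z')" in
        yes|true) return 0 ;;
        *)        return 1 ;;
    esac
}

# Report the three options the question asks about, with their defaults.
report() {
    fragment=$1
    for spec in CRON_DAILY_RUN:true CRON_DB_UPDATE:true APT_AUTOGEN:false; do
        var=${spec%%:*}; def=${spec##*:}
        if is_enabled "$fragment" "$var" "$def"; then state=on; else state=off; fi
        printf '%-16s %-3s (raw: %s, default: %s)\n' "$var" "$state" \
            "$(effective_value "$fragment" "$var" '<empty>')" "$def"
    done
}

report "$SAMPLE_FRAGMENT"
```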

Fabby

A rootkit is the nastiest piece of malware you can have on your system, and basically they're mostly self-hiding toolkits used by blackhats, crackers and script kiddies to avoid the prying eyes of the sysadmin. So it also takes a lot of skill to detect these, and rootkit removal is always done through re-install.

In the README of Rkhunter, it is clearly stated that the software doesn't know everything about your specific machine and that it works by creating a file properties database with rkhunter --propupd after a clean install of your OS... :P

So the answer to your question is: No, this is not like an anti-virus database at all: it is not medicine you take after you've been compromised, but more like a vaccination before you contract Ebola! ;-)

So by now (if you've actually read all the links above) you know that this is very good software (the best), but that it takes a lot of work to actually run and maintain and that installing it on a system that is already compromised is useless. So, unless you want to know all the ins-and-outs of rkhunter, this is server software, not PC software. (Good to know it exists if you ever need to harden a server, but quite useless to install on a PC that has been running for a while)

If you're still interested by now, get out your Ubuntu LiveCD written on a DVD-R (I personally wouldn't even trust DVD-RWs), re-install your system, install rkhunter, do all updates (so you get a feel of what it will do), install all your software and only then restore your file backup, join the mailing list and start contributing!

>:-)

Tip: If you think of installing highly technical software which you know very little or nothing about, read the README, the FAQ afterwards and the full manual if you're still interested before you even start to install such kind of software.
