Background

On debian distributions, the default rkhunter install (apt-get install rkhunter) does not ask you for the “automatically run rkhunter” options that you get with a source install of rkhunter. This post shows you how to reconfigure rkhunter with dpkg-reconfigure to configure the built-in cron jobs.

Details

The standard rkhunter setup “wizard” can be invoked with dpkg-reconfigure at any time.

$ dpkg-reconfigure rkhunter

The first screen allows enabling/disabling the daily run job of rkhunter.

The second screen allows enabling/disabling of automatically updating rkhunters database.

The third screen allows enabling/disabling the automatic update of the file properties database.

Configure rkhunter

If you have ran rkhunter before, you have probably seen the log messages/email about hidden files detected. rkhunter can be tuned to skip (via whitelist) specific items. An example of this is rkhunter likes to tell me that a hidden .java directory exists. I know this as I have java installed and develop in java. You can configure rkhunter to ignore this via the /etc/rkhunter.conf file as follows (uncomment the ALLOWHIDDENDIR for /etc/.java):

#ALLOWHIDDENDIR="/etc/.java"
ALLOWHIDDENDIR="/etc/.java"

This file is well documented so you may like to review the file for other configuration settings you may be interested in.