Installing rkhunter on NethServer

From shell:
cd /tmp
wget http://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
md5sum rkhunter-1.4.2.tar.gz
Compare result to sourceforge.
tar xvfz rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install
cd /
Just because.
/usr/local/bin/rkhunter --update
Not really necessary if run immediately after download.
/usr/local/bin/rkhunter -c
This runs rkhunter interactively; afterwards you can look through the rkhunter log, since the warnings are explained in the log.
Obviously, rkhunter has lots of configurable options, but that's a little beyond the scope of this quick, fun run.

My results:
System checks summary

File properties checks…
Required commands check failed
Files checked: 135
Suspect files: 5

Rootkit checks…
Rootkits checked : 378
Possible rootkits: 0

Applications checks…
Applications checked: 5
Suspect applications: 1

The system checks took: 1 minute and 16 seconds

Another compromise check tool is chkrootkit.


I ran all the commands exactly as posted and it worked just as described. Thanks!

Rkhunter is known to have many false positives… use it "in a smart way".
BTW, AFAIR, there's an rpm too, and that's the way to go (google will tell you more).

Thanks man good work! :smile:
Can I suggest editing the title to "Installing rkhunter on NethServer"?
As @zamboni already said, can you try the rpm way? Could be cool! So we can edit the howto properly :wink:


I didn’t bother with rpm because the ones that I’ve seen were 1.4.0 and it’s so easy to pull the latest from sourceforge that I haven’t bothered to see if the rpm is backported.

Before using this script it might be useful to finish your NethServer installation and consider it to be in production.

After that you should run the following to establish what is normal and what is not:

# rkhunter --propupd

You can also receive email directly from rkhunter by putting your email address in /etc/rkhunter:

MAIL-ON-WARNING="your_user@domain.com"

Most of the time you will need to IGNORE the .udev warning. To do that, find the following lines in /etc/rkhunter; these lines are examples and might not be fully suitable for your configuration.

#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/dev/.mdadm
…
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/usr/share/man/man5/..5.gz
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
…
#ALLOWDEVFILE=/dev/shm/pulse-shm-

#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
ALLOWDEVFILE=/dev/.udev/db/block:loop*
ALLOWDEVFILE=/dev/.udev/db/block:ram*
ALLOWDEVFILE=/dev/.udev/db/block:vda*
ALLOWDEVFILE=/dev/.udev/db/input:event*
ALLOWDEVFILE=/dev/.udev/db/input:mouse*
ALLOWDEVFILE=/dev/.udev/db/misc:kvm
ALLOWDEVFILE=/dev/.udev/db/serio:*
ALLOWDEVFILE=/dev/.udev/db/usb:*
ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules
ALLOWDEVFILE=/dev/.udev/queue.bin…

## Now, if you want to add chkrootkit and LogWatch and be notified by email, follow these lines :smile:

### To install chkrootkit from EPEL

# yum --enablerepo=epel -y install chkrootkit

### Install logwatch

# yum install logwatch

### And receive all those logs by email

touch /etc/cron.daily/report-log
chmod a+x /etc/cron.daily/report-log
vi /etc/cron.daily/report-log

with this report-log script:

```bash
#!/bin/bash
# Daily report: run rkhunter and chkrootkit, build the logwatch reports and mail everything.
date=$(date +"%m-%d-%Y")
email="your email here"   # placeholder: put the recipient address here

# Work in a private temporary directory so the cleanup at the end only touches our own files.
workdir=$(mktemp -d)
cd "$workdir" || exit 1

## rkhunter
rkhunter --update
rkhunter --checkall --cronjob --report-warnings-only > "rkhunter-check-$date.log"

## chkrootkit (drop the "not infected" / "not found" lines, keep the rest)
chkrootkit | grep -v not > "chkrootkit-$date.log"

## logwatch
logwatch --output html --detail High --range All > "logwatch-all-$date.html"
logwatch --output html --detail High --range Today > "logwatch-today-$date.html"
logwatch --output html --detail High --range Yesterday > "logwatch-yesterday-$date.html"

## send them
echo "RKHunter, CHKRootkit and LogWatch Logs for $date" | mutt -s "log $date" -a "rkhunter-check-$date.log" -a "chkrootkit-$date.log" -a "logwatch-all-$date.html" -a "logwatch-today-$date.html" -a "logwatch-yesterday-$date.html" -- "$email"

## remove those logs
cd / && rm -rf "$workdir"
```

To avoid all the ALLOWDEVFILE= configuration part, it's also possible to install RKHunter from EPEL:

# yum --enablerepo=epel -y install rkhunter

If, like me, when you do

# whereis rkhunter

OR

# hash -t rkhunter

you still get /usr/local/bin/rkhunter,
just do

# hash -p /usr/bin/rkhunter rkhunter

@all: please be aware that RKHunter is (well) known to be prone to false positives… use it smartly :wink:
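The whitelisting step in the post above (run a baseline, then copy the hidden-file and hidden-directory paths into ALLOWHIDDENDIR/ALLOWHIDDENFILE lines) can be scripted so that only paths not already allowed in your config are shown for review. This is an added example, not code from the thread or from the rkhunter project; it assumes the `Warning: Hidden file found: <path>: <description>` / `Warning: Hidden directory found: <path>` log line format of rkhunter 1.4, and the sample log lines are constructed.

```sh
#!/bin/sh
# Turn rkhunter hidden-file/hidden-directory warnings into ALLOWHIDDEN* lines
# for the rkhunter config. Every printed line still needs a human decision:
# whitelisting a path silences that check for it permanently.

# Reads rkhunter log lines on stdin, prints candidate config lines, sorted and deduplicated.
# Fields are split on ": " so the "[hh:mm:ss]" timestamp and the trailing
# file description do not get mixed into the path (assumed 1.4 log format).
rkhunter_whitelist_candidates() {
    awk -F': ' '
        /Warning: Hidden directory found: / { print "ALLOWHIDDENDIR=" $3 }
        /Warning: Hidden file found: /      { print "ALLOWHIDDENFILE=" $3 }
    ' | LC_ALL=C sort -u
}

# Same, but drop candidates that already appear verbatim in the config file $1.
# Commented-out lines (#ALLOWHIDDENDIR=...) do not match, so they stay candidates.
new_whitelist_candidates() {
    rkhunter_whitelist_candidates | grep -vxF -f "$1" || true
}

# Constructed sample log (not a real scan) so the script runs stand-alone.
SAMPLE_LOG='[10:21:03] Warning: Hidden directory found: /dev/.udev
[10:21:03] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[10:21:03] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[10:21:04] Warning: Found enabled xinetd service: /etc/xinetd.d/chargen
[10:21:05] Info: Found file /etc/issue: it contains 2 lines'

candidates_from_sample() {
    printf '%s\n' "$SAMPLE_LOG" | rkhunter_whitelist_candidates
}

# Real use: rkhunter_whitelist_candidates < /var/log/rkhunter.log
#       or: new_whitelist_candidates /etc/rkhunter.conf < /var/log/rkhunter.log
```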