Rkhunter RPM Issues with Source Forge Repository

as of 8 August 2011

based on rkhunter-1.3.8


Rkhunter has several conflicts that develop when moving from a manual install or creating your own rpm from the download and using the Red Hat Package Manager with yum and rpm and the Source Forge Repository to install and/or update rkhunter for RedHat/CentOS/Fedora or other Linux types using the Red Hat Package Manager.

LogiQwest has reported these conflicts are a bug to Source Forge and as of this writing is pending a resolution. See the Bug Tracker at http://sourceforge.net/tracker/?func=detail&atid=794187&aid=3388139&group_id=155034.

The following describes these issues and warnings.

Rkhunter can be installed in one of two way from downloading the tar ball from Source Forge (# yum install rkhunter with the Source Forge Repository enabled) )or directly from Rkhunter Web site (http://www.rootkit.nl/projects/rootkit_hunter.html). There are consequences if you download is from the Rkhunter web site and then update it from Source Forge as described below.

Method Process Problem with yum
Manual install

After un-tat-gz the download, in the rkhunter-1.3.8 directory, run

# ./installer.sh --install

The default will place rkhunter in /usr/local/bin. No cron.daily entry is created and you must manually perform an rkhunter --propupd to initial the program.

The yum repository does not know that is program is install. Any updates in Source Force will not be revealed with # yum check-update. You can install rkhunter from the Source Forge repository by using

# yum install rkhunter

If you do this without removing the manually installed version, you will have two version of rkhunter existing. One in /usr/local/bin and the other in /usr/bin. The new install will complain about the existing /etc/rkhunter.conf file and install a /etc/rkhunter.conf.rpmnew alternate version. This needs to be resolved before you can use this new version.

If you remove the manually installed version with running from the manual download directory:

# ./installer.sh --remove

it will delete some important directories and files from the new version and will make it no longer functional. Using rkhunter --update may fix these issues if directories it complains about are created, you saved the/etc/rkhunter.conf.rpmnew file and copied it to/etc/rkhunter.conf and you run rkhunter --update twice.

Bottom Line: Remove the manually installed rkhunter before you switch to the Source Forge version.

Creating local RPM

rkhunter's download includes an rpm spec file (rkhunter.spec). Keeping the download as a tar-gz file, you can create you own rpm file by performing

# /usr/bin/rpmbuild -ta rkhunter-1.3.8

This will create a file called:


in the /usr/src/redhat/RPMS/noarch directory.

Installing this locally created version will automatically add a daily entry to /etc/cron.daily. You must still manually perform an rkhunter --propupd to initial the program. Since you have access to the rkhunter.spec file you can customize the install and automatic rkhunter --propupd as a Post process for the install.

Since using a locally created RPM to install rkhunter will register the program with the package manager, if you have the Source Forge repository enable (e.g. use it for Nagios updates), performing a yum check-update will report that a newer version of rkhunter is available. If you perform either a yum update to update all the software or perform yum update rkhunter, the Source Forge version will be installed. When this version is installed, it will remove the old version in /usr/local/bin and install the Source Forge Version the /usr/bin directory. Updating with the Source Forge version will also remove the cron.daily entry. This happens with no warning and will disable a cron.daily log updates and email.

Bottom Line: Remove the locally install rpm version of rkhunter before you switch to the Source Forge version. After the the Source Forge version is installed, add a cron.daily entry and perform a rkhunter --propupd.

The following script can be used to perform this task after installing rkhunter from Source Forge

# Copyright LogiQwest 2011
# License: GPL
# Name: install_rkhunter_cron.sh
# OS: Linux
# Purpose: To create /etc/cron.daily/rkhunter crontab
# $Id: $
# Version 1.00:07 Aug 2010 Created by Michael Barto
RKHUNTER_BIN=`which rkhunter`
    if [ -f /usr/bin/whoami ]; then
    elif [ -f /usr/ucb/whoami ]; then
    elif [ -f /usr/gnu/bin/whoami ]; then
        echo 'Unix command whoami not found. Program exited!!'
        exit 1
    if [ $ID != "root" ]; then
        echo "$ID, you must be root to run this program."
        exit 1

    ${RKHUNTER_BIN} --propupd
    echo "properties updated........"
    cat > "${CRON_DIR}/rkhunter" <<EOF
    HOSTNAME=\`uname -n\`
    ( ${RKHUNTER_BIN} --cronjob --update --rwo && echo "" ) | /bin/mail -s "Rkhunter daily run on \${HOSTNAME}" root
    exit 0
    chmod a+x ${CRON_DIR}/rkhunter
    echo "daily cron added........."

LogiQwest, Inc. - USA        sales@logiqwest.com       Phone 714.377.3705        Fax 714.840.3937