Rootkits are malicious software packages designed to gain persistent, hidden root-level access to a system by replacing or patching critical binaries, kernel modules, or configuration files. Two widely used open-source tools — rkhunter (Rootkit Hunter) and chkrootkit — complement each other by using different detection techniques: signature databases, hash comparisons, and behavioural checks. On RHEL 8, rkhunter is available through the EPEL repository, while chkrootkit can be installed from EPEL or compiled from source. This tutorial walks through installing and running both tools, reading their logs, whitelisting known false positives, and scheduling daily automated checks with email alerts.

Prerequisites

  • RHEL 8 server with root or sudo access
  • EPEL 8 repository enabled (dnf install -y epel-release)
  • Internet access for downloading signature updates
  • An MTA or mailx package installed for email alerting (optional)
  • A clean baseline system — run these tools immediately after provisioning for best results

Step 1 — Install rkhunter from EPEL

Enable EPEL and install rkhunter.

sudo dnf install -y epel-release
sudo dnf install -y rkhunter
rkhunter --version

After installation, update the rkhunter data files (rootkit signatures and package hash database) before running the first scan.

sudo rkhunter --update
sudo rkhunter --propupd

The --propupd command builds an initial hash baseline of all monitored files. Run it on a trusted, clean system — subsequent scans compare live file hashes against this baseline to detect tampering.
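To make the baseline model concrete, here is an added example (not part of the tutorial and not rkhunter's own code) that reproduces in miniature what --propupd and a later --check do for file properties: hash every file under a trusted tree into a baseline, then compare the live tree against it and report changed, missing and new files. The directory tree it builds is constructed for the demonstration, and the helper names build_baseline and verify_baseline are the example's own.

```bash
#!/bin/bash
# Added example, not part of the tutorial or of rkhunter itself: a miniature
# of the file-properties model behind "rkhunter --propupd" (record a trusted
# baseline) and "rkhunter --check" (compare the live system against it).
# The directory tree below is CONSTRUCTED for the demonstration.
# Assumes paths contain no whitespace, since the baseline is split on it.

# Record "sha256  path" for every regular file under $1 into the file $2.
build_baseline() {
    local root=$1 out=$2
    find "$root" -type f | LC_ALL=C sort | xargs -r sha256sum > "$out"
}

# Hash the live tree and diff it against the baseline. Prints one line per
# deviation (CHANGED / MISSING / NEW, then the path) and returns 1 when any
# deviation exists, mirroring rkhunter's convention of a non-zero exit when
# warnings were found. Returns 0 and prints nothing for a matching tree.
verify_baseline() {
    local root=$1 base=$2 live deviations
    live=$(mktemp)
    build_baseline "$root" "$live"
    # First pass (the baseline) fills base[path]=hash; second pass (live tree)
    # reports hash mismatches and unknown files; END reports baseline entries
    # that never appeared in the live tree.
    deviations=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base))        print "NEW     " $2
            else if (base[$2] != $1)  print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$base" "$live" | sort)
    rm -f "$live"
    if [ -z "$deviations" ]; then
        return 0
    fi
    printf '%s\n' "$deviations"
    return 1
}

# --- constructed demonstration -------------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/tree/bin"
printf 'original ls\n' > "$DEMO/tree/bin/ls"
printf 'original ps\n' > "$DEMO/tree/bin/ps"

# Equivalent of --propupd: baseline taken while the tree is still trusted.
build_baseline "$DEMO/tree" "$DEMO/baseline.sha256"

# Simulate what a later --check should catch: one file altered, one removed,
# one unexpected file added.
printf 'modified ls\n' > "$DEMO/tree/bin/ls"
rm -f "$DEMO/tree/bin/ps"
printf 'unexpected file\n' > "$DEMO/tree/bin/extra"

verify_baseline "$DEMO/tree" "$DEMO/baseline.sha256" || echo "deviations found (exit $?)"
```

The same reasoning explains why --propupd must only ever be run on a system you trust: whatever is on disk at that moment becomes the definition of "clean", and a baseline taken after a compromise simply whitelists the attacker's files.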

Step 2 — Run a Full rkhunter Check

Execute a complete rootkit scan. The --skip-keypress flag suppresses the interactive pause after each category, allowing the scan to run unattended.

sudo rkhunter --check --skip-keypress

The scan covers: rootkit file and directory signatures, known trojanised binaries, suspicious network interfaces, system command checks (ls, ps, netstat), and kernel module checks. Warnings appear in yellow and are written to the log. A clean system should show 0 warnings, though false positives are common on first run.

Step 3 — Review the rkhunter Log

The full log, including all test results, is written to /var/log/rkhunter.log.

# Show only warnings from the last scan
sudo grep -i "warning" /var/log/rkhunter.log

# Show the summary section at the end of the log
sudo tail -40 /var/log/rkhunter.log

# View the entire log with less
sudo less /var/log/rkhunter.log

Common false positives on RHEL 8 include warnings about /dev/shm contents, SSH protocol version, and preloaded libraries. Investigate each warning to confirm it is benign before whitelisting.

Step 4 — Whitelist False Positives in rkhunter.conf

Edit /etc/rkhunter.conf to suppress known false positives. Always verify a warning is genuinely benign before adding it to the whitelist.

sudo vi /etc/rkhunter.conf

Common whitelist directives for RHEL 8:

# Whitelist a file that the rootkit file checks flag but that you have verified as benign
# (a hash change after a legitimate package update is cleared with rkhunter --propupd instead)
RTKT_FILE_WHITELIST=/usr/bin/lwp-request

# Whitelist a preloaded library warning
SHARED_LIB_WHITELIST=/lib64/libsplice.so.0

# Suppress the warning that a system command has been replaced by a script
SCRIPTWHITELIST=/usr/bin/lwp-request

# Allow specific hidden directories in /dev (RHEL 8 uses /dev/.udev and similar)
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.mdadm

After editing the config, re-run the check to verify warnings are gone.

sudo rkhunter --check --skip-keypress 2>&1 | grep -E "Warning|Rootkit"

Step 5 — Install and Run chkrootkit

chkrootkit is available in EPEL. Alternatively, compile it from source if a newer version is needed.

# Install from EPEL
sudo dnf install -y chkrootkit

# Run the main scan
sudo chkrootkit

chkrootkit scans for over 60 known rootkits and backdoors using pattern matching against running processes, system binaries, and network interfaces. Lines marked INFECTED require immediate investigation. Lines marked not infected are clean. Some not tested entries are normal — they indicate tests that only apply to other Linux distributions or kernel versions.

# Filter output to show only potential detections
sudo chkrootkit | grep -v "not infected" | grep -v "not tested"
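The grep one-liners in Step 3 (rkhunter log) and in this step (chkrootkit output) both do the same job: pull the few actionable lines out of a verbose report. As an added example that is not part of the tutorial or of either tool, the block below turns both filters into shell functions and adds a combined count that a nightly job could use to decide whether a report needs a human. The two sample inputs are constructed to imitate each tool's output format (rkhunter's "[HH:MM:SS]" timestamp prefix and chkrootkit's "Checking `name'... verdict" lines) and are assumptions, not captured from a real run; the function names are the example's own.

```bash
#!/bin/bash
# Added example, not part of the tutorial: triage helpers that pull the
# actionable lines out of an rkhunter log and a chkrootkit run so the
# nightly report shows only what needs a human. The two sample files
# below are CONSTRUCTED to mimic each tool's output format; they are not
# real scan results.

# rkhunter log lines start with a "[HH:MM:SS]" timestamp. Strip it and
# keep the one-line "Warning: ..." message that describes each finding
# (the "[ Warning ]" check lines and indented continuation lines are
# context for the same finding, not separate findings).
rkhunter_warnings() {
    sed -E 's/^\[[0-9:]+\] *//' "$1" | grep '^Warning: '
}

# chkrootkit reports one "Checking `name'... verdict" line per test.
# Keep INFECTED verdicts, explicit Warning lines (e.g. from chkproc) and
# PACKET SNIFFER reports; drop "not infected", "not found", "not tested"
# and "nothing detected".
chkrootkit_findings() {
    grep -E 'INFECTED|Warning|PACKET SNIFFER' "$1"
}

# Total findings from both tools; a non-zero value is what should decide
# whether the report gets mailed or escalated.
count_findings() {
    local rk ck
    rk=$(rkhunter_warnings "$1" | wc -l)
    ck=$(chkrootkit_findings "$2" | wc -l)
    echo $(( rk + ck ))
}

# --- constructed sample input ---------------------------------------------
RKH_SAMPLE=$(mktemp)
CHK_SAMPLE=$(mktemp)
trap 'rm -f "$RKH_SAMPLE" "$CHK_SAMPLE"' EXIT

cat > "$RKH_SAMPLE" <<'EOF'
[02:10:01] Info: Starting test name 'filesystem'
[02:10:01]   Checking /dev for suspicious file types         [ Warning ]
[02:10:01] Warning: Suspicious file types found in /dev:
[02:10:01]          /dev/shm/sample.sock: socket
[02:10:02]   Checking for hidden files and directories       [ Warning ]
[02:10:02] Warning: Hidden directory found: /dev/.udev
[02:10:02]   Checking for passwd file changes                [ None found ]
[02:10:03] Info: Starting test name 'network'
[02:10:03]   Checking for promiscuous interfaces             [ None found ]
EOF

cat > "$CHK_SAMPLE" <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... not infected
Checking `ls'... INFECTED
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
Checking `w55808'... not tested
EOF

echo "=== rkhunter warnings ==="
rkhunter_warnings "$RKH_SAMPLE"
echo "=== chkrootkit findings ==="
chkrootkit_findings "$CHK_SAMPLE"
echo "total findings: $(count_findings "$RKH_SAMPLE" "$CHK_SAMPLE")"
```

On the constructed input the rkhunter filter yields the two /dev warnings (both typical first-run false positives on RHEL 8, as noted in Step 3) and the chkrootkit filter yields the INFECTED verdict plus the sniffer report; the latter is commonly a DHCP client holding a raw socket and, like the rest, has to be confirmed rather than assumed.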

Step 6 — Schedule Daily Automated Checks with Cron and Email Alerts

Create a cron job that runs both tools nightly and emails the results. First ensure mailx is available.

sudo dnf install -y mailx

# Create the daily scan script
sudo tee /etc/cron.daily/rootkit-scan.sh > /dev/null <<'EOF'
#!/bin/bash
# Recipient for the nightly report; replace the placeholder with a real mailbox.
MAILTO="admin@example.com"
HOSTNAME=$(hostname)
DATE=$(date +%F)
# Use a random report name rather than a fixed path so another local user
# cannot pre-create or symlink the file that root is about to write.
REPORT=$(mktemp /tmp/rootkit-report.XXXXXX)

echo "=== rkhunter scan: $HOSTNAME $DATE ===" > "$REPORT"
rkhunter --check --skip-keypress --report-warnings-only >> "$REPORT" 2>&1

echo "" >> "$REPORT"
echo "=== chkrootkit scan: $HOSTNAME $DATE ===" >> "$REPORT"
chkrootkit | grep -v "not infected" | grep -v "not tested" >> "$REPORT" 2>&1

mail -s "Rootkit scan report: $HOSTNAME $DATE" "$MAILTO" < "$REPORT"
rm -f "$REPORT"
EOF

sudo chmod +x /etc/cron.daily/rootkit-scan.sh

Test the script manually to verify it runs without errors and that email delivery works.

sudo bash /etc/cron.daily/rootkit-scan.sh

Conclusion

You have installed rkhunter from EPEL on RHEL 8, built a clean file hash baseline, run a full rootkit scan, reviewed and whitelisted false positives in /etc/rkhunter.conf, installed and run chkrootkit as a complementary scanner, and set up a daily automated scan script with email alerting via cron. Using both tools in tandem increases detection coverage because each tool uses different signatures and methods. Remember that rootkit detectors are most effective when run against a known-clean baseline and scheduled consistently.

Next steps: Audit Linux Security with Lynis on RHEL 8, Configure auditd for File Integrity Monitoring on RHEL 8, and Use AIDE for Host-Based Intrusion Detection on RHEL 8.