Install rkhunter on CentOS 7

Installing rkhunter 1.4.6 on CentOS 7

I think that rkhunter is a valuable tool no matter the distribution that is used.

On CentOS 7, rkhunter 1.4.6 is found in the EPEL repository, so we must first make sure that this repository is available:

$ sudo yum install -y epel-release

The install is then straightforward using yum.

$ sudo yum install rkhunter
$ sudo rkhunter --update
$ sudo rkhunter --propupd

We may also want to manually copy the /etc/passwd and /etc/group files to /var/lib/rkhunter. I generally do not as they are copied in the first scan. The Ubuntu install makes copies of these files for you.

If we don't, the first scan will warn that the group file and passwd file could have changed.

$ sudo rkhunter --check --sk
Performing group and account checks
    Checking for passwd file                          [ Found ]
    Checking for root equivalent (UID 0) accounts     [ None found ]
    Checking for passwordless accounts                [ None found ]
    Checking for passwd file changes                  [ Warning ]
    Checking for group file changes                   [ Warning ]
    Checking root account shell history files         [ OK ]

Further details can be found in the log file /var/log/rkhunter/rkhunter.log. Note that with rkhunter 1.4.6 on CentOS 7 we have the extra rkhunter log directory. As this is the first scan, though, we know that the reference files did not exist.

They will exist now, and on a second run the warning will not show. Of course, adding a new user will trigger the warning again but will also update the reference files, /var/lib/rkhunter/passwd and /var/lib/rkhunter/group. Each check will update the references.
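
To see which accounts are behind a passwd or group file warning, the current file can be compared with the reference copy. The script below is an added example, not part of the original post or of rkhunter; the function names account_changes and demo and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not rkhunter code): list the accounts that differ between a
# reference copy of a passwd/group-format file and the current file.

# account_changes REF CUR
# Prints "added NAME", "changed NAME" or "removed NAME", one per line, sorted.
# Returns 0 if nothing differs, 1 otherwise.
account_changes() {
    ref=$1
    cur=$2
    out=$(awk -F: '
        FILENAME == ARGV[1] { old[$1] = $0; next }    # load the reference copy
        { seen[$1] = 1 }                              # entry exists in current file
        !($1 in old)  { print "added " $1; next }
        old[$1] != $0 { print "changed " $1 }         # some field differs
        END { for (n in old) if (!(n in seen)) print "removed " n }
    ' "$ref" "$cur" | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample data (not from a real host): compared with the reference,
# the current file has a new account and a changed login shell.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'backup:x:1001:1001::/home/backup:/sbin/nologin' > "$d/ref"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'backup:x:1001:1001::/home/backup:/bin/bash' \
                  'deploy:x:1002:1002::/home/deploy:/bin/bash' > "$d/cur"
    account_changes "$d/ref" "$d/cur" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# On a real host, as root:
#   account_changes /var/lib/rkhunter/passwd /etc/passwd
#   account_changes /var/lib/rkhunter/group  /etc/group
demo || true
```

Because each check refreshes the reference copies, run the comparison before the next rkhunter check.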

By default the CentOS install does not check root access in SSH. We should enable this by editing /etc/rkhunter.conf. Look for the line:


Change the line to read:


The file /etc/ssh/sshd_config can be configured with:


Once set, restart the sshd service with:

$ sudo systemctl restart sshd

Running the rkhunter check now will report SSH root login as secured. The execution of rkhunter is enabled with cron by default.