Add Rootkit Hunter (rkhunter) as 4th malware scanner

Integrated rkhunter for comprehensive rootkit/backdoor/exploit detection
alongside existing ImunifyAV, ClamAV, and Maldet scanners.

Features:
- Detection: is_rkhunter_installed() checks for installation
- Installation: Auto-enables EPEL, installs rkhunter, updates definitions
- Baseline: Initializes property database with --propupd
- Scanning: Uses --check --skip-keypress --report-warnings-only
- Reporting: Tracks warnings and detected rootkits
- Documentation: Added to installation guide with full instructions

Integration points:
- detect_scanners(): Added rkhunter to available scanners list
- show_scanner_installation_guide(): Added installation instructions
- install_all_scanners(): Added [4/4] installation with EPEL setup
- Standalone scanner: Added rkhunter detection and scan case

Scan behavior:
- Updates rootkit definitions before each scan
- Runs comprehensive system checks (no user interaction)
- Reports warnings count in summary
- Extracts found rootkits to infected_list
- Runs sequentially with other scanners

Research: Based on 2024-2025 best practices from rkhunter documentation
- Version: 1.4.6 (current stable)
- Free and open source
- Available in EPEL repository

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

modules/security/malware-scanner.sh

@@ -35,6 +35,10 @@ is_maldet_installed() {
     command -v maldet &>/dev/null || [ -f "/usr/local/sbin/maldet" ]
 }
 
+is_rkhunter_installed() {
+    command -v rkhunter &>/dev/null || [ -f "/usr/bin/rkhunter" ]
+}
+
 # Scanner detection
 detect_scanners() {
     available_scanners=()
@@ -51,6 +55,10 @@ detect_scanners() {
         available_scanners+=("maldet")
     fi
 
+    if is_rkhunter_installed; then
+        available_scanners+=("rkhunter")
+    fi
+
     if [ ${#available_scanners[@]} -eq 0 ]; then
         echo -e "${RED}No malware scanners detected!${NC}"
         echo ""
@@ -118,7 +126,23 @@ show_scanner_installation_guide() {
         echo ""
     fi
 
-    echo -e "${YELLOW}Recommendation:${NC} Install at least ClamAV (free) for basic scanning"
+    # Check Rootkit Hunter
+    if ! is_rkhunter_installed; then
+        echo -e "${CYAN}Rootkit Hunter${NC} - Rootkit/backdoor/exploit scanner"
+        echo "  Status: Not installed"
+        echo "  Installation:"
+        echo "    yum install epel-release -y  # Enable EPEL repo"
+        echo "    yum install rkhunter -y"
+        echo "    rkhunter --update  # Update definitions"
+        echo "    rkhunter --propupd  # Initialize baseline"
+        echo "  Docs: https://rkhunter.sourceforge.net/"
+        echo ""
+    else
+        echo -e "${GREEN}✓ Rootkit Hunter${NC} - Installed"
+        echo ""
+    fi
+
+    echo -e "${YELLOW}Recommendation:${NC} Install at least ClamAV + RKHunter (both free) for comprehensive protection"
     echo ""
 }
 
@@ -131,6 +155,7 @@ install_all_scanners() {
     echo "  • ClamAV (free, open source)"
     echo "  • Maldet (free, Linux-specific)"
     echo "  • ImunifyAV (FREE version)"
+    echo "  • Rootkit Hunter (free, rootkit detection)"
     echo ""
     echo -e "${YELLOW}Note: ImunifyAV is FREE. Imunify360 is the paid version.${NC}"
     echo ""
@@ -151,7 +176,7 @@ install_all_scanners() {
 
     # Install ClamAV
     if ! is_clamav_installed; then
-        echo -e "${CYAN}[1/3] Installing ClamAV...${NC}"
+        echo -e "${CYAN}[1/4] Installing ClamAV...${NC}"
 
         if [ -f "/usr/local/cpanel/cpanel" ]; then
             # cPanel method - check if already installed but not configured
@@ -190,7 +215,7 @@ install_all_scanners() {
 
     # Install Maldet
     if ! is_maldet_installed; then
-        echo -e "${CYAN}[2/3] Installing Maldet...${NC}"
+        echo -e "${CYAN}[2/4] Installing Maldet...${NC}"
 
         cd /tmp
         wget -q http://www.rfxn.com/downloads/maldetect-current.tar.gz
@@ -221,7 +246,7 @@ install_all_scanners() {
 
     # Install ImunifyAV (FREE version)
     if ! is_imunify_installed; then
-        echo -e "${CYAN}[3/3] Installing ImunifyAV (FREE)...${NC}"
+        echo -e "${CYAN}[3/4] Installing ImunifyAV (FREE)...${NC}"
         echo "  This may take several minutes - please wait..."
 
         # Use deployment script method (most reliable)
@@ -266,6 +291,44 @@ install_all_scanners() {
         echo -e "${GREEN}✓ ImunifyAV already installed${NC}"
     fi
 
+    echo ""
+
+    # Install Rootkit Hunter
+    if ! is_rkhunter_installed; then
+        echo -e "${CYAN}[4/4] Installing Rootkit Hunter...${NC}"
+
+        # Ensure EPEL repo is enabled
+        if command -v yum &>/dev/null; then
+            if ! rpm -qa | grep -q epel-release; then
+                echo "  → Installing EPEL repository..."
+                yum install -y epel-release 2>&1 | grep -E "Installing|Installed|already installed"
+            fi
+
+            # Install rkhunter
+            yum install -y rkhunter 2>&1 | grep -E "Installing|Installed|already installed"
+        elif command -v apt-get &>/dev/null; then
+            apt-get update && apt-get install -y rkhunter
+        fi
+
+        if is_rkhunter_installed; then
+            echo -e "${GREEN}✓ Rootkit Hunter installed${NC}"
+
+            # Update definitions
+            echo "  → Updating rootkit definitions..."
+            rkhunter --update 2>&1 | grep -E "updated|downloaded" || rkhunter --update &>/dev/null
+            echo -e "  ${GREEN}✓${NC} Definitions updated"
+
+            # Initialize baseline (propupd creates file property database)
+            echo "  → Initializing baseline database..."
+            rkhunter --propupd &>/dev/null
+            echo -e "  ${GREEN}✓${NC} Baseline initialized"
+        else
+            echo -e "${RED}✗ Rootkit Hunter installation failed${NC}"
+        fi
+    else
+        echo -e "${GREEN}✓ Rootkit Hunter already installed${NC}"
+    fi
+
     echo ""
     echo "=========================================="
     echo "Installation Complete"
@@ -508,6 +571,11 @@ if command -v maldet &>/dev/null; then
     log_message "Detected: Maldet"
 fi
 
+if command -v rkhunter &>/dev/null; then
+    AVAILABLE_SCANNERS+=("rkhunter")
+    log_message "Detected: Rootkit Hunter"
+fi
+
 if [ ${#AVAILABLE_SCANNERS[@]} -eq 0 ]; then
     log_message "ERROR: No scanners found!"
     echo -e "${RED}No malware scanners detected!${NC}"
@@ -605,6 +673,26 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do
             echo "✓ Maldet scan complete" | tee -a "$SUMMARY_FILE"
             log_message "Maldet: Scan complete"
             ;;
+
+        rkhunter)
+            log_message "RKHunter: Updating definitions"
+            rkhunter --update &>> "$LOG_DIR/rkhunter.log"
+
+            log_message "RKHunter: Starting scan"
+            # --check: Run all checks
+            # --skip-keypress: Don't wait for user input
+            # --report-warnings-only: Only show warnings/issues
+            rkhunter --check --skip-keypress --report-warnings-only &>> "$LOG_DIR/rkhunter.log"
+
+            # Extract warnings
+            RKH_WARNINGS=$(grep -c "Warning:" "$LOG_DIR/rkhunter.log" 2>/dev/null || echo 0)
+
+            # Extract any rootkits found
+            grep "Rootkit" "$LOG_DIR/rkhunter.log" | grep -i "found" >> "$INFECTED_LIST" 2>/dev/null
+
+            echo "✓ RKHunter scan complete - Warnings: $RKH_WARNINGS" | tee -a "$SUMMARY_FILE"
+            log_message "RKHunter: Scan complete - $RKH_WARNINGS warnings"
+            ;;
     esac
 
     echo "" | tee -a "$SUMMARY_FILE"