From 4a2ac76ff8b0f6d5caeb8e8fc9aecc05898da813 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Tue, 11 Nov 2025 21:42:58 -0500
Subject: [PATCH] Make RKHunter truly temporary - auto-install and auto-remove

Changed rkhunter from permanent installation to temporary session-based use, aligning with toolkit's "Download, Run, Fix, Delete" philosophy.

Behavior:
- Standalone scanner checks if rkhunter is installed
- If NOT found: Auto-installs temporarily with EPEL
- Updates definitions and initializes baseline
- Runs the scan
- Auto-removes rkhunter at end of scan session
- Tracks installation with RKHUNTER_TEMP_INSTALLED flag

Benefits:
- No permanent footprint on server
- Automatic cleanup after use
- Still available in "Install All Scanners" for users who want it permanent
- Standalone scans are truly self-contained and temporary

Implementation:
- Added RKHUNTER_TEMP_INSTALLED tracking variable
- Auto-install logic before scanner detection
- Silent installation (yum &>/dev/null)
- Auto-removal after scan completes
- Logged in session.log for transparency

RKHunter is system-level (checks binaries/kernel) not file-level, so it doesn't need to persist - perfect candidate for temp install.
---
 modules/security/malware-scanner.sh | 41 +++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 65d6a49..e60d69f 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -571,9 +571,37 @@ if command -v maldet &>/dev/null; then
 log_message "Detected: Maldet"
 fi
+# Track if rkhunter was auto-installed (for cleanup)
+RKHUNTER_TEMP_INSTALLED=false
+
 if command -v rkhunter &>/dev/null; then
 AVAILABLE_SCANNERS+=("rkhunter")
 log_message "Detected: Rootkit Hunter"
+else
+ # Auto-install rkhunter temporarily for this scan
+ log_message "RKHunter not found - installing temporarily..."
+ echo "→ Installing Rootkit Hunter (temporary, will be removed after scan)..."
+
+ if command -v yum &>/dev/null; then
+ # Ensure EPEL is available
+ if ! rpm -qa | grep -q epel-release; then
+ yum install -y epel-release &>/dev/null
+ fi
+
+ # Install rkhunter
+ yum install -y rkhunter &>/dev/null
+
+ if command -v rkhunter &>/dev/null; then
+ # Update definitions and initialize baseline
+ rkhunter --update &>/dev/null
+ rkhunter --propupd &>/dev/null
+
+ AVAILABLE_SCANNERS+=("rkhunter")
+ RKHUNTER_TEMP_INSTALLED=true
+ log_message "RKHunter installed temporarily"
+ echo " ✓ RKHunter installed (will be removed after scan)"
+ fi
+ fi
 fi
 if [ ${#AVAILABLE_SCANNERS[@]} -eq 0 ]; then
@@ -772,6 +800,19 @@ else
 echo ""
 fi
+# Cleanup: Remove rkhunter if it was temporarily installed
+if [ "$RKHUNTER_TEMP_INSTALLED" = "true" ]; then
+ log_message "Removing temporarily installed RKHunter..."
+ echo ""
+ echo "→ Cleaning up: Removing Rootkit Hunter..."
+
+ if command -v yum &>/dev/null; then
+ yum remove -y rkhunter &>/dev/null
+ echo " ✓ RKHunter removed"
+ log_message "RKHunter successfully removed"
+ fi
+fi
+
 log_message "Scan session ended"
 STANDALONE_EOF
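Review bot: `rkhunter --propupd` runs on the host being examined right before the scan, so the file-properties baseline is recorded from binaries that may already have been altered, and that check will then report them as unchanged. For a temporary install I would drop the `--propupd` call, or at least record it, e.g. `log_message "RKHunter baseline created at scan time - file property results are not a trusted comparison"`. Separately, every `yum` and `rkhunter --update` call sends its output to `/dev/null` and its exit status is ignored, so a failed install or definitions update leaves nothing in session.log; an `else` branch on the inner `command -v rkhunter` test with `log_message "RKHunter temporary install failed"` would cover the install case. The EPEL test could also be `rpm -q epel-release` rather than piping `rpm -qa` through `grep`, which matches any package name containing that string.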
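Review bot: The cleanup removes only the `rkhunter` package, but the install path in the first hunk may also have added `epel-release`, which stays enabled as a third-party repository afterwards; the commit's "no permanent footprint" claim would need a second flag (for example `EPEL_TEMP_INSTALLED`) set at install time and checked here. The success messages are also printed whatever `yum remove` returns, so session.log can say "successfully removed" while the package is still installed; the fence below branches on the exit status instead. Because this block runs only when the script reaches its end, an interrupted or aborted scan would presumably skip it, and registering the cleanup with `trap ... EXIT` next to the install would cover that, though the rest of the script is outside this hunk.

```shell
# … unchanged: RKHUNTER_TEMP_INSTALLED test and progress messages …
    if command -v yum &>/dev/null; then
        if yum remove -y rkhunter &>/dev/null; then
            echo "  ✓ RKHunter removed"
            log_message "RKHunter successfully removed"
        else
            echo "  ✗ RKHunter removal failed"
            log_message "RKHunter removal failed - package is still installed"
        fi
    fi
```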