Hi
I installed rkhunter using yast and use it often; e.g. I find it useful to run after online updates to see what it shows to have changed then I do
sudo rkhunter --propupd
But I caught it running again today without my starting it (saw it using top). There are no crontab entries for root or myself as a user and running
sudo systemctl status *timer
only shows btrfs maintenance processes and other maintenance processes listed to run. There is however a script…
> ls -l /etc/cron.daily/suse.de-rkhunter
-rwxr-x--- 1 root root 2029 Feb 26 2021 /etc/cron.daily/suse.de-rkhunter
Presumably this came with my installation of rkhunter? I like rkhunter and don’t have a big problem with it running itself as it is well-behaved and writes to its log file so I can check up if it found anything (but I have not configured email warnings so daily runs do not really help much either). But I’m not good with scripting and don’t see how this script runs it with root privileges. I wonder what else might be running as root?
Any pointers please?
And /etc/crontab is the sytem crontab that runs for the system and thus with root as owner.
And of course, when you do not want it run from cron.daily, remove it from the /etc/cron/daily file. But beware, an update of the package could install it anew.
yast - software management - extras - show history gives a detailed history of all files installed and deleted daily since the system was installed. I find this very helpful for finding problem installs, etc. Might be useful to you.