Tools compared: rkhunter VS Lynis

The question about what the differences are between rkhunter and Lynis is showing up more and more. Time to share the purpose of both and show the difference in its usage. As the author of both tools, I should have done this nine years ago. So with some little delay, here it is.

Rootkit Hunter

Written in 2003, rkhunter had the goal to detect malware on Linux and UNIX-based systems. The main target was rootkits, with an occasional detection mechanism for a common backdoor. The secondary target was promoting a few best practices, like disabling direct root logins via SSH.

The rkhunter tool is written in shell script to allow portability and support more than just Linux systems.

Lynis

Lynis was created in 2007, also as a set of shell scripts. Where rkhunter focuses on malware, Lynis takes a more generic approach. The primary goal is to provide tips for system hardening. It does so by detecting weak configurations, search for vulnerable software packages, and looking at several system characteristics. These include the processes that run or some files that may be present. Depending on the outcome of those, more tests will be executed.

The output of Lynis looks slightly similar to what rkhunter uses. This is because of some screen routines used to share any findings.

Which one should I use?

The primary difference between the two tools is that Rootkit Hunter focuses on malware detection, Lynis on performing a security assessment. For that reason, you should at least use Lynis, combined with a malware scanner. That could be rkhunter, ClamAV, LMD, or one of the commercial solutions. It mainly depends on what kind of malware could possibly reside on that particular system. A web server with file uploads has different threats than a mail server.