Force rkhunter to send detailed email, instead of unhelpful "Please inspect this machine ..."

Discussion in 'Installation/Configuration' started by cbj4074, Nov 3, 2016.

  1. cbj4074

    cbj4074 Member

    I can't for the life of me determine how to force rkhunter to send something more useful than "Please inspect this machine, because it may be infected." via email when a scan is run that results in one or more warnings.

    Here's what I've tried thus far:

    1. Create /etc/rkhunter.conf.local and add to it the following:

    Code:
    MAIL-ON-WARNING=root
    REPORT_EMAIL=root
    MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
    
    2. Schedule a cron job that executes the following command:

    Code:
    rkhunter --update --check --sk --nocolors --pkgmgr dpkg
    
    I am under the impression that the cron facility emails all output to "root", by default. Why is that not happening in this case? The above command produces a lot of output, yet I only receive the one-line email message, which is not helpful.

    What I would really like to do is use

    Code:
    rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg
    
    so that I receive an email only when warnings are reported.

    I've tried adding shell redirection operators to try and force rkhunter to email me the very same output that it prints to the screen during a scan, but that doesnt work either:

    Code:
    rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg 2>&1
    
    I still receive the useless one-line email:

    I'm a bit puzzled because if I do this

    Code:
    rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg > stdout.txt 2> stderr.txt
    
    the stdout.txt file contains exactly the text that I would like to be emailed to me: just the warnings. For example:

    Code:
    Warning: Found passwordless account in shadow file: www-data
    Warning: Found passwordless account in shadow file: mysql-backup
    Warning: Found passwordless account in shadow file: web1
    Warning: Found passwordless account in shadow file: web3
    
    The rkhunter FAQ makes this sound like a breeze. From http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/FAQ :

    Code:
    30 5 * * * /usr/local/bin/rkhunter --cronjob --update --rwo
    
    No. This still sends the worthless one-liner.

    In fact, if I remove "MAIL-ON-WARNING=root" from the local configuration file, I don't receive an email message at all. And I've tailed the mail log while running the report; no attempt is made to send email (it's not as though the recipient address is invalid and the mail is failing to be delivered).

    Any help here would be much appreciated!
     
    Last edited: Nov 3, 2016
  2. cbj4074

    cbj4074 Member

    I managed to solve it.

    1.) Ensure that user as whom cron script is being executed (most likely "root") has mail alias defined in ~/.forward so that mail is not accidentally sent to /var/mail/root and never noticed. (I don't think this was happening in my case, before I reworked the approach, but this is highly recommended if using [email protected] in next step.)

    Code:
    echo [email protected]' > ~/.forward
    
    2.) Install the "ifne" utility to prevent an empty email from being sent when rkhunter does not produce output (i.e., there are no warnings).

    Code:
    apt install moreutils
    
    3.) Use the following command in the cron job:

    Code:
    rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg | ifne mail -s "rkhunter warnings for `uname -n`" [email protected]
    
    I'm still not sure why "ifne" and "mail" are even necessary here, given that every other cron script I run sends an email to me whenever the output is not empty. I'm just happy that it works.
     
    Last edited: Nov 3, 2016

Share This Page