RKHunter not running

Discussion in 'ISPConfig 3 Priority Support' started by Jemt, Mar 3, 2018.

  1. Jemt

    Jemt Member HowtoForge Supporter


    RKHunter does not seem to be working. The log in the ISPConfig web interface says:
    Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"

    However, I can run rkhunter manually just fine:
    rkhunter --check

    I tried running the cronjob manually like so:

    It immediately exits and nothing is written to /var/log/rkhunter.log, nor is any report sent via sendmail - I've checked /var/mail/root and /var/spool/mail/root. Finally there's no output added to /var/log/syslog either.

    I wonder if it has ever worked.

    Here are my system details:

    ISPConfig 3.1.11
    Debian 8 (Linux ******** 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u1 x86_64 GNU/Linux)
    Rootkit Hunter version 1.4.2

    The system is fully updated - I updated both the OS and ISPConfig yesterday.

    - Any suggestions would be appreciated - thanks

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This worked before, the problem is that the maintainer of the Debian rkhunter package decided to disable web updates in rkhunter, which causes it to fail now when an update is requested. Here is a thread about this with two possible solutions, but it's in German. Maybe a Google Translate translation is sufficient to understand it?

  3. Jemt

    Jemt Member HowtoForge Supporter

    Thank you. I understand why the "web updater" is not working, but not why it prevents the cron job from scanning using the existing version.
    Nevertheless, will I break the "upgrade path" for ISPConfig if I implement the fix you linked to?

    - Thanks

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig runs a rkhunter update as part of the scan and this fails, which makes the scan fail. ISPConfig is not affected by this fix, it just fixes rkhunter updates and therefore the scan will start working again.
  5. Jemt

    Jemt Member HowtoForge Supporter

    Great - thanks a lot :)
  6. Jemt

    Jemt Member HowtoForge Supporter

    Additional information: The update to Debian's RKHunter package is described here:

    Notice the following section:
    * Disable remote updates to fix CVE-2017-7480 and prevent bugs like it in the future (closes: #765895, #866677)

    Till, I think ISPConfig needs to address this problem. Currently we basically have to make our system insecure to make the RKHunter integration work, which seems like a bad solution. Could ISPConfig avoid trying to update RKHunter if remote updates have been disabled? Or simply log a warning if the update fails but continue with the scan nevertheless?
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    I'll add this to the bug tracker that we add a workaround. In my opinion, rkhunter should fix their update procedure or remove the update function from their software :)
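
Added example, not part of the thread and not ISPConfig's own code: a wrapper that behaves the way post 6 asks for, skipping the update when `WEB_CMD` points at `/bin/false` and otherwise treating a failed update as a warning, so the scan always runs. The function names and the `RKHUNTER` / `RKHUNTER_CONF` override variables are hypothetical; `/etc/rkhunter.conf` is assumed as the config path.

```shell
#!/bin/sh
# Added example, not ISPConfig code. RKHUNTER and RKHUNTER_CONF are hypothetical
# override variables so the wrapper can be pointed at a stub or a test config.
RKHUNTER="${RKHUNTER:-rkhunter}"
RKHUNTER_CONF="${RKHUNTER_CONF:-/etc/rkhunter.conf}"

# Print the WEB_CMD value: last uncommented assignment (assumed to be the
# one that takes effect), with surrounding double quotes stripped.
web_cmd_value() {
    sed -n 's/^[[:space:]]*WEB_CMD[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Succeeds when remote updates were disabled by pointing WEB_CMD at
# /bin/false, the value shown in the error message in post 1.
remote_updates_disabled() {
    [ "$(web_cmd_value "$1")" = "/bin/false" ]
}

# Attempt the update only when it can work, and never let its failure stop
# the scan. The return value is the exit status of the scan itself.
scan_with_optional_update() {
    conf="$1"
    if remote_updates_disabled "$conf"; then
        echo "warning: rkhunter remote updates disabled, skipping update" >&2
    else
        rc=0
        "$RKHUNTER" --configfile "$conf" --update >/dev/null 2>&1 || rc=$?
        # rkhunter(8) documents exit status 2 as "updates installed", not an error.
        [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] ||
            echo "warning: rkhunter update failed, scanning with existing data" >&2
    fi
    "$RKHUNTER" --configfile "$conf" --cronjob --report-warnings-only
}

# Scan for real only when asked, so sourcing this file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    scan_with_optional_update "$RKHUNTER_CONF"
fi
```

With this approach the packaged configuration stays untouched, so remote updates remain disabled while the scheduled scan still produces its report.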
