RKHunter - Send mail logs (SOLVED)

Discussion in 'Linux Beginners' started by Taxick, Oct 8, 2021 at 9:06 PM.

Tags:
  1. Taxick

    Taxick Member

    Hi :)
    Another N00B question is incoming. I have installed RKHunter (1.4.6)
    Now I want to send the rkhunter log to my mail..
    Right now I only get this mail:
    I want RKHunter to send the log file and only the warnings to my mail.
    Here is the mail config from /etc/rkhunter.conf
    Code:
    #
    # Email a message to this address if a warning is found when the system is
    # being checked. Multiple addresses may be specified simply be separating
    # them with a space. To disable the option, simply set it to the null string
    # or comment it out.
    #
    # The option may be specified more than once.
    #
    # The default value is the null string.
    #
    # Also see the MAIL_CMD option.
    #
    [email protected]
    #
    # This option specifies the mail command to use if MAIL-ON-WARNING is set.
    #
    # NOTE: Double quotes are not required around the command, but are required
    # around the subject line if it contains spaces.
    #
    # The default is to use the 'mail' command, with a subject line
    # of '[rkhunter] Warnings found for ${HOST_NAME}'.
    #
    MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
    I use ubuntu 20.04 :)
     
    Last edited: Oct 8, 2021 at 9:25 PM
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    do you have a /etc/default/rkhunter file? If so, is REPORT_EMAIL set there?
     
  3. Taxick

    Taxick Member

    HI @Jesse Norell
    Yes i have this file, but I think I have fixed it..
    I created a file in: /etc/cron.daily
    Code:
    #!/bin/sh
    (
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --propupd
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ) | /bin/mail -s 'rkhunter Daily Run (MYSERVER)' [email protected]
    But I get these warnings when running the rkhunter! Should I be afraid

    If the warnings are safe... Can I exclude them from the scan????

    Code:
    [ Rootkit Hunter version 1.4.6 ]
    File updated: searched for 180 files, found 141
    Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script text executable
    Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
    Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
    Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
    Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable
    Warning: Suspicious file types found in /dev:
             /dev/shm/sem.netdata_sem_cgroup_ebpf: data
             /dev/shm/netdata_shm_cgroup_ebpf: data
     
    Last edited: Oct 9, 2021 at 4:39 PM
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    do not run rkhunter --propupd directly before running the rkhunter scans.
    it'll update the file checksums with the ones for the files as they currently are and then compare the current files against that. if any have been changed since the last rkhunter scan, it won't tell you about it as they will always match the checksum.

    run the scan first, if it warns of anything, check those files. only when you're sure anything that's changed is legit, should you run the propupd to update the checksums.
     
  5. Steini86

    Steini86 Active Member

    Yes. Usually these files are whitelisted in the standard configuration. Don't know about Ubuntu though.
    Code:
    # grep SCRIPTWHITELIST /etc/rkhunter.conf
    SCRIPTWHITELIST=/bin/egrep
    SCRIPTWHITELIST=/bin/fgrep
    SCRIPTWHITELIST=/bin/which
    SCRIPTWHITELIST=/usr/bin/ldd
    SCRIPTWHITELIST=/usr/bin/lwp-request
    SCRIPTWHITELIST=/usr/sbin/adduser
    #SCRIPTWHITELIST=/usr/sbin/prelink
    #SCRIPTWHITELIST=/usr/sbin/unhide.rb
    Apart from that you can create your own exceptions: 'Should' work also in Ubuntu:
    Create file /etc/rkhunter.conf.local and place your exceptions there. As a starting point (read the manual!), mine looks like:
    Code:
    #PKGMGR=DPKG
    ALLOW_SSH_ROOT_USER=prohibit-password
    
    # Apache uses a lot of shared memory
    ALLOWIPCPROC=/usr/sbin/apache2
    ALLOWDEVFILE=/dev/shm/PostgreSQL.*
    
    # RSpamd
    ALLOWDEVFILE=/dev/shm/rhm*
     
  6. Taxick

    Taxick Member

    Hi @nhybgtvfr :)
    Thanks for explaining this to me. - It makes sense!
    I have removed --propupd from my script.

    Hi @Steini86
    Thanks a lot for the help
    I have made the changes to /etc/rkhunter.conf - but i cant get rid om this warning.
    The files a safe!
    Code:
    /dev/shm/sem.netdata_sem_cgroup_ebpf: data
    /dev/shm/netdata_shm_cgroup_ebpf: data
    Can you help me?
     
    Last edited: Oct 10, 2021 at 11:07 AM
  7. Steini86

    Steini86 Active Member

    Have a look at the documentation: https://github.com/crunchsec/rkhunter/blob/master/files/FAQ
    Section 6: WHITELISTING EXAMPLES
    Change the path to match your rkhunter.log file and execute
    Code:
         grep '^\[..:..:..\][[:blank:]]\{6\}.*/dev/shm/.*:' rkhunter.log |\
          awk '{print "ALLOWDEVFILE="$2}' | sed -e "s|:$||g"
    This shows you the command you need to put into your local conf file for whitelisting. Also have a look at the other examples.
     
    till and Taxick like this.
  8. Taxick

    Taxick Member

    Hi @Steini86
    Thanks a lot. It works perfectly :)
     

Share This Page