
rkhunter, a better e-mail integration / alert

13 May 15

We all know that RootKit Hunter is a must-have for paranoids and responsible SysOps, even if it falls short in two areas IMHO:

  1. RootKit Updates
  2. E-Mail alerts

In this post you can find an improved version for the 2nd point 😉

RootKit Hunter E-Mail Alerts

rkhunter already has a MAIL-ON-WARNING option in /etc/rkhunter.conf:

[code lang="bash"]# Email a message to this address if a warning is found when the system is
# being checked. Multiple addresses may be specified simply be separating
# them with a space. To disable the option, simply set it to the null string
# or comment it out.
#
# The option may be specified more than once.
#
# The default value is the null string.
#
# Also see the MAIL_CMD option.
#
#MAIL-ON-WARNING="[email protected]"

#
# This option specifies the mail command to use if MAIL-ON-WARNING is set.
#
# NOTE: Double quotes are not required around the command, but are required
# around the subject line if it contains spaces.
#
# The default is to use the 'mail' command, with a subject line
# of '[rkhunter] Warnings found for ${HOST_NAME}'.
#
#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
[/code]

As you can see I left lines #12 and #23 commented out: the built-in alert lets you change only the subject line (via MAIL_CMD), while the body of the e-mail is not configurable at all.


So basically I wanted to receive inside the email body the content of the RootKit Hunter report, if any.

I LOVE BASH SCRIPTING <3

[code lang="bash"]
#!/bin/bash

# Optional: check whether a newer rkhunter release is available
#/usr/bin/rkhunter --versioncheck --nocolors

# Refresh the rkhunter data files before scanning
/usr/bin/rkhunter --update --nocolors

# With --report-warnings-only stdout stays empty when nothing is wrong
OUTPUT=$(/usr/bin/rkhunter --cronjob --report-warnings-only --nocolors)

if [ -n "$OUTPUT" ]
then
    # keep the variable quoted, otherwise echo flattens the report onto one line
    echo "$OUTPUT" | mail -s "WARNING!!! - rkhunter report" [email protected]
else
    echo 'EVERYTHING IS FINE 🙂 HOPEFULLY' | mail -s "OK 🙂 - rkhunter report" [email protected]
fi
[/code]

Installing the above bash script in the crontab allows you to receive two types of e-mail:

  1. an "EVERYTHING IS FINE 🙂 HOPEFULLY" mail, if there are no warnings (god bless the rkhunter --report-warnings-only option)
  2. a "WARNING!!!" mail whose body contains only the warnings output of rkhunter
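As an added example (not the script from this post), here is a slightly more defensive version of the same cron wrapper. It looks at rkhunter's exit status as well as its output, so that a scan that failed to run (non-zero exit, empty report) is not mailed out as "everything is fine", it keeps the multi-line report intact with printf instead of an unquoted echo, and it puts the number of warnings into the subject. It assumes that rkhunter exits 0 when nothing was found and non-zero otherwise (as documented in rkhunter(8)) and that a mail(1)-style command is installed; the RKHUNTER, MAIL_CMD and RECIPIENT variables and the sample report text are assumptions made up for the example.

```bash
#!/bin/bash
# Added example, not the post's script. Assumes rkhunter exits 0 on a clean
# scan and non-zero when it found warnings or could not complete, and that a
# mail(1)-compatible command exists. The variable names below are assumed.

RKHUNTER=${RKHUNTER:-/usr/bin/rkhunter}
MAIL_CMD=${MAIL_CMD:-mail}
RECIPIENT=${RECIPIENT:-root}
HOST_NAME=${HOST_NAME:-$(uname -n)}

# Constructed sample of what --report-warnings-only prints; only used for a demo run.
SAMPLE_WARNINGS="Warning: The file properties have changed:
         File: /usr/bin/curl
Warning: Hidden directory found: /etc/.java"

# classify <exit_code> <output> -> OK | WARNING | ERROR
# A non-zero exit with an empty report means rkhunter itself did not finish
# (broken config, missing data files, ...), which must not look like "OK".
classify() {
    local rc=$1 out=$2
    if [ "$rc" -eq 0 ] && [ -z "$out" ]; then
        echo OK
    elif [ -z "$out" ]; then
        echo ERROR
    else
        echo WARNING
    fi
}

# count_warnings <output>: number of lines starting with "Warning:".
# grep -c exits 1 when the count is 0; "|| true" keeps that from tripping set -e.
count_warnings() {
    printf '%s\n' "$1" | grep -c '^Warning:' || true
}

# subject_for <exit_code> <output>: one-line mail subject.
subject_for() {
    case $(classify "$1" "$2") in
        OK)      echo "OK - rkhunter report for $HOST_NAME" ;;
        ERROR)   echo "ERROR - rkhunter did not complete on $HOST_NAME (exit $1)" ;;
        WARNING) echo "WARNING ($(count_warnings "$2")) - rkhunter report for $HOST_NAME" ;;
    esac
}

# body_for <exit_code> <output>: mail body. printf with a quoted argument
# preserves the newlines and indentation of rkhunter's report.
body_for() {
    case $(classify "$1" "$2") in
        OK)    printf 'No warnings reported.\n' ;;
        ERROR) printf 'rkhunter exited %s with no report. Check /var/log/rkhunter.log.\n' "$1" ;;
        *)     printf '%s\n' "$2" ;;
    esac
}

# run_scan: refresh the data files, run the check, mail the result.
run_scan() {
    # update failures are not fatal for the scan itself
    "$RKHUNTER" --update --nocolors >/dev/null 2>&1 || true
    set +e
    out=$("$RKHUNTER" --cronjob --report-warnings-only --nocolors 2>&1)
    rc=$?
    set -e
    body_for "$rc" "$out" | "$MAIL_CMD" -s "$(subject_for "$rc" "$out")" "$RECIPIENT"
}

# Only scan when invoked with --run; otherwise just define the functions,
# so the file can be sourced or the classification tried on sample input.
if [ "${1-}" = "--run" ]; then
    run_scan
elif [ "${1-}" = "--demo" ]; then
    subject_for 1 "$SAMPLE_WARNINGS"
    body_for 1 "$SAMPLE_WARNINGS"
fi
```

Install it the same way as the post's script, for example with an assumed path and schedule such as `0 3 * * * /usr/local/bin/rkhunter-mail.sh --run` in root's crontab, and leave MAIL-ON-WARNING commented out in /etc/rkhunter.conf so you do not get two mails for every warning. `./rkhunter-mail.sh --demo` prints the subject and body the constructed sample would produce, without touching rkhunter.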

Hope this short post helped you somehow 😉

S
