
rkhunter, a better e-mail integration / alert

13 May 15

We all know that RootKit Hunter is a must-have for paranoids and responsible SysOps, even if IMHO it falls short on two things:

  1. RootKit Updates
  2. E-Mail alerts

In this post you can find an improved solution for the 2nd point 😉

RootKit Hunter E-Mail Alerts

rkhunter already has a MAIL-ON-WARNING option in /etc/rkhunter.conf:

  1. # Email a message to this address if a warning is found when the system is
  2. # being checked. Multiple addresses may be specified simply be separating
  3. # them with a space. To disable the option, simply set it to the null string
  4. # or comment it out.
  5. #
  6. # The option may be specified more than once.
  7. #
  8. # The default value is the null string.
  9. #
  10. # Also see the MAIL_CMD option.
  11. #
  12. #MAIL-ON-WARNING="[email protected]"
  13.  
  14. #
  15. # This option specifies the mail command to use if MAIL-ON-WARNING is set.
  16. #
  17. # NOTE: Double quotes are not required around the command, but are required
  18. # around the subject line if it contains spaces.
  19. #
  20. # The default is to use the 'mail' command, with a subject line
  21. # of '[rkhunter] Warnings found for ${HOST_NAME}'.
  22. #
  23. #MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

As you can see, I commented out lines 12 and 23 (MAIL-ON-WARNING and MAIL_CMD), because the e-mail message itself is not configurable (only the subject is).


So basically I wanted to receive the content of the RootKit Hunter report, if any, inside the e-mail body.

I LOVE BASH SCRIPTING <3

#!/bin/bash

# Optional: check whether a newer rkhunter release is available
#/usr/bin/rkhunter --versioncheck --nocolors

# Refresh the rootkit signatures and file-properties database before scanning
/usr/bin/rkhunter --update --nocolors

# --cronjob runs non-interactively; --report-warnings-only leaves the output
# empty when nothing was found, which is what the test below relies on
OUTPUT=$(/usr/bin/rkhunter --cronjob --report-warnings-only --nocolors)

if [ -n "$OUTPUT" ]
then
    # printf keeps the report's line breaks; an unquoted "echo $OUTPUT" would
    # flatten the whole report onto a single line in the mail body
    printf '%s\n' "$OUTPUT" | mail -s "WARNING!!! - rkhunter report" mail@mail.com
else
    echo 'EVERYTHING IS FINE 🙂 HOPEFULLY' | mail -s "OK 🙂 - rkhunter report" mail@mail.com
fi

Installing the above bash script in the crontab lets you receive two kinds of mail:

  1. an "EVERYTHING IS FINE 🙂 HOPEFULLY" mail if there are no warnings (god bless rkhunter's --report-warnings-only option)
  2. a "WARNING!!!" mail whose body contains only the warnings output of rkhunter
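As an added example (not the post's script), here is a POSIX sh version of the mail-building step that keeps the report's line breaks, counts the warnings and puts the outcome in the subject. The sample report is constructed; the `mail` command and the recipient are assumed, as in the post.

```shell
#!/bin/sh
# Added example, not the post's own script. The report normally comes from:
#   rkhunter --cronjob --report-warnings-only --nocolors

# Count "Warning:" lines in a report read from stdin (prints 0 when none).
count_warnings() {
    grep -c '^Warning:' || true
}

# Print WARNING when the report is non-empty, OK otherwise.
classify_report() {
    if [ -n "$1" ]; then echo WARNING; else echo OK; fi
}

# Compose the mail body: host, time and warning count, then the raw report
# with its line breaks intact (an unquoted "echo $OUTPUT" would flatten it).
build_body() {
    report=$1
    n=$(printf '%s\n' "$report" | count_warnings)
    printf 'rkhunter report for %s at %s\n' "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'Warnings found: %s\n\n' "$n"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    else
        printf 'No warnings reported.\n'
    fi
}

# Constructed sample in the shape of rkhunter's warnings-only output.
SAMPLE='Warning: The file properties have changed:
         File: /usr/bin/ssh
         Current hash: <constructed placeholder>
Warning: Hidden directory found: /dev/.udev'

# Send the report; subject carries the outcome so filters can sort on it.
# Assumes a working local "mail" command.
send_report() {
    report=$1
    rcpt=$2
    subject="[$(classify_report "$report")] rkhunter report for $(uname -n)"
    build_body "$report" | mail -s "$subject" "$rcpt"
}
```

In the cron wrapper, replace SAMPLE with the captured rkhunter output and call `send_report "$OUTPUT" mail@mail.com`.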

Hope this short post helped you somehow 😉

S
