We all know that RootKit Hunter is a must-have for paranoids and responsible SysOps, even if IMHO it is lacking in two areas:
- RootKit updates
- E-mail alerts
In this post you can find an improved approach to the 2nd point 😉
RootKit Hunter E-Mail Alerts
rkhunter already has a MAIL-ON-WARNING option in /etc/rkhunter.conf:
[code lang="bash"]# Email a message to this address if a warning is found when the system is
# being checked. Multiple addresses may be specified simply by separating
# them with a space. To disable the option, simply set it to the null string
# or comment it out.
#
# The option may be specified more than once.
#
# The default value is the null string.
#
# Also see the MAIL_CMD option.
#
#MAIL-ON-WARNING="[email protected]"
#
# This option specifies the mail command to use if MAIL-ON-WARNING is set.
#
# NOTE: Double quotes are not required around the command, but are required
# around the subject line if it contains spaces.
#
# The default is to use the 'mail' command, with a subject line
# of '[rkhunter] Warnings found for ${HOST_NAME}'.
#
#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
[/code]
As you can see, I left the MAIL-ON-WARNING and MAIL_CMD lines commented out: with the built-in option only the subject line is configurable, the body of the e-mail is not.
What I wanted instead was to receive the actual RootKit Hunter report, if any, inside the e-mail body.
I LOVE BASH SCRIPTING <3
[code lang="bash"]
#!/bin/bash
# Optional: also check whether a newer rkhunter release is available
#/usr/bin/rkhunter --versioncheck --nocolors
# Refresh the rootkit signature database before scanning
/usr/bin/rkhunter --update --nocolors
# Run the scan in cron mode and keep only the warning lines
OUTPUT=$(/usr/bin/rkhunter --cronjob --report-warnings-only --nocolors)
if [ -n "$OUTPUT" ]
then
    # "$OUTPUT" must be quoted, otherwise the report is flattened onto one line
    echo "$OUTPUT" | mail -s "WARNING!!! - rkhunter report" [email protected]
else
    echo 'EVERYTHING IS FINE 🙂 HOPEFULLY' | mail -s "OK 🙂 - rkhunter report" [email protected]
fi
[/code]
Installing the above bash script in the crontab gives you two kinds of e-mail:
- an "EVERYTHING IS FINE 🙂 HOPEFULLY" mail if there are no warnings (god bless the rkhunter --report-warnings-only option)
- a "WARNING!!!" mail whose body contains only the warning output of rkhunter
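Going one step further, here is an added example (my own wrapper written for this post, not the script above and not anything shipped with rkhunter) that fixes two weak spots of the simple version: it preserves the report's line breaks in the mail body, and it tells a clean scan apart from a scan that did not run at all by looking at rkhunter's exit status (0 when nothing was found, non-zero when warnings or errors occurred), so a missing binary or an aborted scan no longer produces a reassuring "OK" mail. The install path, the `--run` argument, the `MAILTO` variable, the cron schedule and the assumption that warning lines start with "Warning:" are illustrative choices, not something the post prescribes.

```shell
#!/bin/bash
# Added example, not code from the original post: a cron wrapper around rkhunter
# that (a) keeps the report's line breaks in the mail body and (b) never sends
# an "OK" mail when the scan itself failed to run. Assumed, not given by the
# post: rkhunter at /usr/bin/rkhunter, a recipient in $MAILTO, warning lines
# starting with "Warning:", and a non-zero rkhunter exit status meaning that
# warnings or errors were found.
#
# Install as /usr/local/sbin/rkhunter-mail.sh (hypothetical path) and add a
# nightly run to root's crontab:
#   0 3 * * * /usr/local/sbin/rkhunter-mail.sh --run

RKHUNTER="${RKHUNTER:-/usr/bin/rkhunter}"
MAILTO="${MAILTO:-root}"
HOST="$(hostname)"

# rkh_count_warnings: reads a warnings-only report on stdin and prints the
# number of "Warning:" lines (0 when there are none; grep exiting 1 on "no
# match" is expected here, not an error).
rkh_count_warnings() {
    grep -c '^Warning:' || true
}

# rkh_subject STATUS WARNINGS: builds the mail subject from rkhunter's exit
# status and the warning count. The last branch is the case the simple script
# cannot distinguish from "clean": rkhunter exited non-zero but printed nothing
# (missing binary, broken database, aborted scan).
rkh_subject() {
    status="$1"
    warnings="$2"
    if [ "$status" -eq 0 ] && [ "$warnings" -eq 0 ]; then
        echo "OK - rkhunter report for $HOST"
    elif [ "$warnings" -gt 0 ]; then
        echo "WARNING!!! - rkhunter report for $HOST ($warnings warnings)"
    else
        echo "ERROR - rkhunter did not complete on $HOST (exit status $status)"
    fi
}

# run_scan: refresh the rootkit database, run the scan, mail the classified result.
run_scan() {
    "$RKHUNTER" --update --nocolors >/dev/null 2>&1 \
        || echo "rkhunter --update failed, scanning with the existing database" >&2

    status=0
    report="$("$RKHUNTER" --cronjob --report-warnings-only --nocolors 2>&1)" || status=$?
    warnings="$(printf '%s\n' "$report" | rkh_count_warnings)"
    subject="$(rkh_subject "$status" "$warnings")"

    # printf keeps the newlines that an unquoted "echo $OUTPUT" would collapse
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    else
        echo "rkhunter produced no output (exit status $status)"
    fi | mail -s "$subject" "$MAILTO"
}

# Only run the scan when invoked with --run, so the file can also be sourced
# to reuse the helper functions.
if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```

Note that `--update` needs network access from the cron environment; when it fails the wrapper still scans with the database already on disk and says so on stderr, which cron will mail to you separately.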
Hope this short post helped you somehow 😉
S