I can't for the life of me determine how to force rkhunter to send something more useful than "Please inspect this machine, because it may be infected." via email when a scan is run that results in one or more warnings. Here's what I've tried thus far:

1. Create /etc/rkhunter.conf.local and add to it the following:

Code:
    MAIL-ON-WARNING=root
    REPORT_EMAIL=root
    MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

2. Schedule a cron job that executes the following command:

Code:
    rkhunter --update --check --sk --nocolors --pkgmgr dpkg

I am under the impression that the cron facility emails all output to "root", by default. Why is that not happening in this case? The above command produces a lot of output, yet I only receive the one-line email message, which is not helpful.

What I would really like to do is use

Code:
    rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg

so that I receive an email only when warnings are reported.

I've tried adding shell redirection operators to try and force rkhunter to email me the very same output that it prints to the screen during a scan, but that doesn't work either:

Code:
    rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg 2>&1

I still receive the useless one-line email. I'm a bit puzzled, because if I do this

Code:
    rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg > stdout.txt 2> stderr.txt

the stdout.txt file contains exactly the text that I would like to be emailed to me: just the warnings. For example:

Code:
    Warning: Found passwordless account in shadow file: www-data
    Warning: Found passwordless account in shadow file: mysql-backup
    Warning: Found passwordless account in shadow file: web1
    Warning: Found passwordless account in shadow file: web3

The rkhunter FAQ makes this sound like a breeze. From http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/FAQ :

Code:
    30 5 * * * /usr/local/bin/rkhunter --cronjob --update --rwo

No. This still sends the worthless one-liner.
In fact, if I remove "MAIL-ON-WARNING=root" from the local configuration file, I don't receive an email message at all. And I've tailed the mail log while running the report; no attempt is made to send email (it's not as though the recipient address is invalid and the mail is failing to be delivered). Any help here would be much appreciated!
I managed to solve it.

1.) Ensure that the user as whom the cron script is executed (most likely "root") has a mail alias defined in ~/.forward, so that mail is not accidentally sent to /var/mail/root and never noticed. (I don't think this was happening in my case, before I reworked the approach, but this is highly recommended if using root@localhost in the next step.)

Code:
    echo '[email protected]' > ~/.forward

2.) Install the "ifne" utility to prevent an empty email from being sent when rkhunter does not produce output (i.e., there are no warnings).

Code:
    apt install moreutils

3.) Use the following command in the cron job:

Code:
    rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg | ifne mail -s "rkhunter warnings for `uname -n`" root@localhost

I'm still not sure why "ifne" and "mail" are even necessary here, given that every other cron script I run sends an email to me whenever the output is not empty. I'm just happy that it works.
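The pattern in the answer above (only send mail when the scan printed something) can be done in plain POSIX sh without moreutils, which is useful on hosts where installing extra packages is not an option. The script below is an added example and is not code from the thread or from the rkhunter project. It captures the scanner's combined stdout/stderr, counts "Warning:" lines, and hands the report to a mailer only when there is output. The mailer, the recipient and the scan command are all parameters; the `fake_scan_*` and `fake_mail` functions are constructed stand-ins so the script runs offline, with sample warnings modelled on the ones quoted in the question. In a real cron job you would pass `mail` as the mailer and the actual `rkhunter --check --rwo ...` command.

```shell
#!/bin/sh
# Added example (not from the thread): gate a scan report on non-empty output
# using only POSIX sh, as a portable replacement for `cmd | ifne mail ...`.

# report_if_warnings MAILER RECIPIENT HOST -- CMD [ARGS...]
# Runs CMD, captures stdout+stderr, and sends the text via MAILER only if it
# is non-empty. Prints the number of "Warning:" lines; returns 0 if a report
# was sent, 1 if the output was empty and nothing was sent.
report_if_warnings() {
    mailer=$1 recipient=$2 host=$3
    shift 3
    [ "$1" = "--" ] && shift
    # Buffer the output instead of streaming it, so emptiness can be tested
    # before any mail is generated (this is what ifne does internally).
    output=$("$@" 2>&1)
    if [ -z "$output" ]; then
        echo 0
        return 1
    fi
    count=$(printf '%s\n' "$output" | grep -c '^Warning:')
    printf '%s\n' "$output" \
        | "$mailer" -s "[rkhunter] $count warning(s) on $host" "$recipient"
    echo "$count"
}

# --- Constructed stand-ins so the script runs without rkhunter or an MTA ---

# Mimics `rkhunter --check --rwo` when the scan finds problems (sample text
# modelled on the warnings quoted in the question; hostnames are made up).
fake_scan_with_warnings() {
    printf 'Warning: Found passwordless account in shadow file: www-data\n'
    printf 'Warning: Found passwordless account in shadow file: web1\n'
}

# Mimics a clean scan: with --rwo rkhunter prints nothing at all.
fake_scan_clean() { :; }

# Stand-in for mail(1): invoked as `fake_mail -s SUBJECT RECIPIENT` with the
# body on stdin; appends subject and body to a spool file for inspection.
MAIL_SPOOL=${MAIL_SPOOL:-/tmp/rkhunter-demo-spool.$$}
fake_mail() {
    subject=$2
    { printf 'Subject: %s\n' "$subject"; cat; } >> "$MAIL_SPOOL"
}

# Demonstration: one noisy run (mail sent) and one clean run (nothing sent).
demo() {
    : > "$MAIL_SPOOL"
    sent=$(report_if_warnings fake_mail root@localhost "$(uname -n)" -- fake_scan_with_warnings)
    skipped=$(report_if_warnings fake_mail root@localhost "$(uname -n)" -- fake_scan_clean) || true
    echo "noisy run mailed $sent warning(s); clean run mailed $skipped"
    echo "spool contents:"
    cat "$MAIL_SPOOL"
    rm -f "$MAIL_SPOOL"
}

# Run the demo only when executed directly, not when sourced.
[ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ] && demo
```

Swap `fake_mail` for `mail` and `fake_scan_with_warnings` for the real scan command in a cron line, e.g. `report_if_warnings mail root@localhost "$(uname -n)" -- rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg`, and the behaviour matches the `ifne` pipeline from the answer, with the warning count added to the subject so a glance at the inbox shows how much changed since the last run.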