Force rkhunter to send detailed email, instead of unhelpful "Please inspect this machine ..."

I can't for the life of me determine how to force rkhunter to send something more useful than "Please inspect this machine, because it may be infected." via email when a scan is run that results in one or more warnings.

Here's what I've tried thus far:

1. Create /etc/rkhunter.conf.local and add to it the following:

Code:

MAIL-ON-WARNING=root
REPORT_EMAIL=root
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

2. Schedule a cron job that executes the following command:

Code:

rkhunter --update --check --sk --nocolors --pkgmgr dpkg

I am under the impression that the cron facility emails all output to "root", by default. Why is that not happening in this case? The above command produces a lot of output, yet I only receive the one-line email message, which is not helpful.

What I would really like to do is use

Code:

rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg

so that I receive an email only when warnings are reported.

I've tried adding shell redirection operators to try and force rkhunter to email me the very same output that it prints to the screen during a scan, but that doesnt work either:

Code:

rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg 2>&1

I still receive the useless one-line email:

I'm a bit puzzled because if I do this

Code:

rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg > stdout.txt 2> stderr.txt

the stdout.txt file contains exactly the text that I would like to be emailed to me: just the warnings. For example:

Code:

Warning: Found passwordless account in shadow file: www-data
Warning: Found passwordless account in shadow file: mysql-backup
Warning: Found passwordless account in shadow file: web1
Warning: Found passwordless account in shadow file: web3

The rkhunter FAQ makes this sound like a breeze. From http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/FAQ :

Code:

30 5 * * * /usr/local/bin/rkhunter --cronjob --update --rwo

No. This still sends the worthless one-liner.

In fact, if I remove "MAIL-ON-WARNING=root" from the local configuration file, I don't receive an email message at all. And I've tailed the mail log while running the report; no attempt is made to send email (it's not as though the recipient address is invalid and the mail is failing to be delivered).

Any help here would be much appreciated!

 

I managed to solve it.

1.) Ensure that user as whom cron script is being executed (most likely "root") has mail alias defined in ~/.forward so that mail is not accidentally sent to /var/mail/root and never noticed. (I don't think this was happening in my case, before I reworked the approach, but this is highly recommended if using root@localhost in next step.)

Code:

echo '[email protected]' > ~/.forward

2.) Install the "ifne" utility to prevent an empty email from being sent when rkhunter does not produce output (i.e., there are no warnings).

Code:

apt install moreutils

3.) Use the following command in the cron job:

Code:

rkhunter --update --check --sk --nocolors --rwo --pkgmgr dpkg | ifne mail -s "rkhunter warnings for `uname -n`" root@localhost

I'm still not sure why "ifne" and "mail" are even necessary here, given that every other cron script I run sends an email to me whenever the output is not empty. I'm just happy that it works.