I am running Debian GNU/Linux 8 (jessie) and was trying to get RKHunter to send the daily warning report email so I uncommented and modified the following lines in /etc/rkhunter.conf: MAIL-ON-WARNING= [email protected] MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" This did not work and caused the following error in rkhunter.log: Invalid MAIL_CMD configuration option: command is non-existent or not executable: mail I then removed these lines and tried editing /etc/default/rkhunter and added: REPORT_EMAIL="[email protected]" This did not work either, RKHunter ran successfully at 23:00 last night but no email was received. I had a look on Google and someone suggested installing mailx. Before I go installing extra packages to my ISPConfig install (I am trying to keep it as close to the original The Perfect Server - Debian 8 Jessie as possible to avoid any issues) would installing this and re-adding the lines to /etc/rkhunter.conf be the way to get these emails?
As an experiment I installed mailx which prompted me to choose from three other packages - I chose mailutils. I then re-added my details back in to /etc/rkhunter.conf and ran rkhunter -c to see what happened. I got the following email: Please inspect this machine, because it may be infected. As this did not give much detail I left the changes in place overnight to give ISPConfig a chance to run the scan and got the same email. I then added my email back in to /etc/default/rkhunter and did the scan, I still got the same email. I left it one more time over night just in case but still only got this general warning message. I was hoping to get an email containing the log as shown in ISPConfig's control panel but after a hunt around on Google it looks like others who have wanted this feature have made their own cronjob to grab the log file once the scan is complete and email it to them. I might have a look at doing this once I have read up more on how it is done.
I've seen that issue intermittently, where some machines email a list of affected files and others do not, so just dug into it. The short solution is: edit /etc/default/rkhunter and set REPORT_EMAIL to an email address you receive. The longer explanation is that there are actually 2 emails sent out, and the one you're missing turns out to be an issue of where mail to 'root' from the commandline goes, as REPORT_EMAIL is set to 'root' by default. On machines where I get 'root' email, I see the email with warnings; on machines where I don't, someone else saw them. This email is sent by the debian cronjobs running rkhunter. On all machines I see that 'Please inspect this machine, because it may be infected.' email you are getting. This appears to be sent by rkhunter itself to the MAIL-ON-WARNING address. So on some machines I got two emails, on other machines only one.
Thanks Jesse, I have just had a look at the rkhunter file in cron.daily and see what you mean. It checks to see if CRON_DAILY_RUN is set to true in /etc/default/rkhunter and then if it is it proceeds. As a test I have set CRON_DAILY_RUN="true" and added my email again to REPORT_EMAIL in /etc/default/rkhunter. I am now thinking I should get the second email but this does mean that rkhunter will be run twice in a day. which may not really be necessary - as this is just an experiment I will leave it for now and see what happens.
With the options set as mentioned in my last post, this morning I had the following three emails: [rkhunter] Warnings found for mountains ---> ISPConfig [rkhunter] Warnings found for mountains ---> RKHunter Daily [rkhunter] my.server.example.com - Daily report ---> RKHunter Daily The daily report contained much more information.
Just a quick follow up note: When reading the Daily Report it started with the following lines (these were not present on the ISPConfig RKHunter information page): Warning: The O/S name or version has changed since the last run: Old O/S value: Debian 8.1 New value: Debian 8.5 Because of the change(s) the file properties checks may give some false-positive results. You may need to re-run rkhunter with the '--propupd' option. Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option is used, all the files on their system are known to be genuine, and installed from a reliable source. The rkhunter '--check' option will compare the current file properties against previously stored values, and report if any values differ. However, rkhunter cannot determine what has caused the change, that is for the user to do. Warning: The file properties have changed ... ... ... As shown above I ran the following two commands: rkhunter --propupd rkhunter --check My next Daily Report just showed: Warning: The SSH and rkhunter configuration options should be the same: SSH configuration option 'PermitRootLogin': yes Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no As I do have root access I modified /etc/rkhunter.conf to: ALLOW_SSH_ROOT_USER=yes Today I did not get a warning report or Daily Report as no warnings were generated - this appears to be a good thing as now if I see any reports I know something needs looking at.