Hi, another N00B question is incoming. I have installed RKHunter (1.4.6). Now I want to send the rkhunter log to my mail. Right now I only get this mail:

I want RKHunter to send the log file and only the warnings to my mail. Here is the mail config from /etc/rkhunter.conf:

Code:
#
# Email a message to this address if a warning is found when the system is
# being checked. Multiple addresses may be specified simply be separating
# them with a space. To disable the option, simply set it to the null string
# or comment it out.
#
# The option may be specified more than once.
#
# The default value is the null string.
#
# Also see the MAIL_CMD option.
#
[email protected]
#
# This option specifies the mail command to use if MAIL-ON-WARNING is set.
#
# NOTE: Double quotes are not required around the command, but are required
# around the subject line if it contains spaces.
#
# The default is to use the 'mail' command, with a subject line
# of '[rkhunter] Warnings found for ${HOST_NAME}'.
#
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

I use Ubuntu 20.04.
Hi @Jesse Norell, yes I have this file, but I think I have fixed it. I created a file in /etc/cron.daily:

Code:
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (MYSERVER)' mymail@MYDOMAIN

But I get these warnings when running rkhunter! Should I be afraid? If the warnings are safe, can I exclude them from the scan?

Code:
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 180 files, found 141
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable
Warning: Suspicious file types found in /dev:
         /dev/shm/sem.netdata_sem_cgroup_ebpf: data
         /dev/shm/netdata_shm_cgroup_ebpf: data
Do not run rkhunter --propupd directly before running the rkhunter scans. It'll update the file checksums with the ones for the files as they currently are and then compare the current files against that. If any have been changed since the last rkhunter scan, it won't tell you about it, as they will always match the checksum. Run the scan first; if it warns of anything, check those files. Only when you're sure anything that's changed is legit should you run the propupd to update the checksums.
Yes. Usually these files are whitelisted in the standard configuration. Don't know about Ubuntu though.

Code:
# grep SCRIPTWHITELIST /etc/rkhunter.conf
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
#SCRIPTWHITELIST=/usr/sbin/prelink
#SCRIPTWHITELIST=/usr/sbin/unhide.rb

Apart from that you can create your own exceptions. 'Should' work also in Ubuntu: create the file /etc/rkhunter.conf.local and place your exceptions there. As a starting point (read the manual!), mine looks like:

Code:
#PKGMGR=DPKG
ALLOW_SSH_ROOT_USER=prohibit-password
# Apache uses a lot of shared memory
ALLOWIPCPROC=/usr/sbin/apache2
ALLOWDEVFILE=/dev/shm/PostgreSQL.*
# RSpamd
ALLOWDEVFILE=/dev/shm/rhm*
Hi @nhybgtvfr, thanks for explaining this to me. It makes sense! I have removed --propupd from my script.

Hi @Steini86, thanks a lot for the help. I have made the changes to /etc/rkhunter.conf, but I can't get rid of this warning. The files are safe!

Code:
/dev/shm/sem.netdata_sem_cgroup_ebpf: data
/dev/shm/netdata_shm_cgroup_ebpf: data

Can you help me?
Have a look at the documentation: https://github.com/crunchsec/rkhunter/blob/master/files/FAQ, section 6: WHITELISTING EXAMPLES. Change the path to match your rkhunter.log file and execute:

Code:
grep '^\[..:..:..\][[:blank:]]\{6\}.*/dev/shm/.*:' rkhunter.log |\
awk '{print "ALLOWDEVFILE="$2}' | sed -e "s|:$||g"

This shows you the command you need to put into your local conf file for whitelisting. Also have a look at the other examples.
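An added example (not from this thread, the FAQ, or the rkhunter project) that generalizes the FAQ pipeline above: a POSIX sh/awk script that turns both kinds of warning quoted earlier in the thread (the "replaced by a script" and the "Suspicious file types found in /dev" ones, as printed by the --cronjob --report-warnings-only mail) into candidate lines for rkhunter.conf.local. The sample input is constructed from the warnings quoted above, and the function names and the assumption that the /dev file list arrives on indented continuation lines are mine.

```shell
#!/bin/sh
# Added example: derive candidate whitelist lines from the warnings that
# 'rkhunter --cronjob --report-warnings-only' prints (the text the cron
# job earlier in the thread mails out). Each line is a suggestion to check,
# not to apply blindly: confirm the script belongs to a package first (on
# Debian/Ubuntu, 'dpkg -S /usr/bin/egrep'), as the propupd advice says.

# Constructed sample modelled on the warnings quoted in this thread; the
# indented /dev lines are an assumption about how the cron output wraps.
sample_warnings() {
cat <<'EOF'
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 180 files, found 141
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: Suspicious file types found in /dev:
         /dev/shm/sem.netdata_sem_cgroup_ebpf: data
         /dev/shm/netdata_shm_cgroup_ebpf: data
EOF
}

# Read warnings on stdin, print rkhunter.conf.local lines on stdout:
#   "replaced by a script"  -> SCRIPTWHITELIST=<path>
#   "Suspicious file types" -> ALLOWDEVFILE=<path> for each listed file
suggest_whitelist() {
    awk -v q="'" '
        /^Warning: The command .* has been replaced by a script:/ {
            p = $4                              # the quoted command path
            gsub("^" q "|" q "$", "", p)        # strip surrounding quotes
            print "SCRIPTWHITELIST=" p
            next
        }
        /^Warning: Suspicious file types found in \/dev:/ { indev = 1; next }
        indev && /^[[:blank:]]+\/dev\// {
            p = $1; sub(/:$/, "", p)            # "/dev/shm/x:" -> "/dev/shm/x"
            print "ALLOWDEVFILE=" p
            next
        }
        { indev = 0 }                           # any other line ends the list
    '
}

# Demo on the constructed sample; for a real run feed a saved cron mail:
#   suggest_whitelist < saved_rkhunter_mail.txt
sample_warnings | suggest_whitelist
```

Note that the paths come out exactly as rkhunter reported them (/usr/bin/egrep, not /bin/egrep as in the distribution whitelist quoted above), and a SCRIPTWHITELIST entry is compared against the path rkhunter reports, which is why those defaults do not cover the warnings on this Ubuntu system.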