rkhunter

Discussion in 'General' started by SamTzu, Nov 9, 2023.

  1. SamTzu

    SamTzu Active Member

    There used to be an ISPconfig config file that allowed rkhunter scans to start at different times.
    When rkhunter starts in many LXC containers at the same time it can take all CPU power of the host.
    Any way to randomize scan times?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The start time is part of the cron plugin, you can find it in the code at the beginning of the plugin. The cron plugins are in the folder /usr/local/ispconfig/server/lib/classes/cron.d/

    The main problem with changing the time there is that it gets overwritten on update, and there is currently no mechanism to do this in an update-safe way, so you might e.g. use a shell script as a wrapper for the ispconfig_update.sh script that runs e.g. a sed command to alter the start time when the update is finished.
     
    ahrasis likes this.
  3. SamTzu

    SamTzu Active Member

    thx @till
    Here's my quick and dirty solution...
    nano /usr/local/ispconfig/server/lib/classes/cron.d/100-monitor_rkhunter.inc.php
    protected $_schedule = '@daily';
    chattr +i /usr/local/ispconfig/server/lib/classes/cron.d/100-monitor_rkhunter.inc.php
     
  4. SamTzu

    SamTzu Active Member

    I ended up removing all rkhunters from our servers. The load always hit at the same time no matter what.
    Here is a quote from cron.daily for apt.

    # Systemd systems use a systemd timer unit which is preferable to
    # run. We want to randomize the apt update and unattended-upgrade
    # runs as much as possible to avoid hitting the mirrors all at the
    # same time. The systemd time is better at this than the fixed
    # cron.daily time
     
  5. pyte

    pyte Well-Known Member HowtoForge Supporter

    You could have just added a sleep statement with a random delay and a && operator to the cron job. That should work just fine.
     
    ahrasis likes this.
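
The sleep-then-run approach from the last post, written out as an added example; it is not code from the thread or from ISPConfig. It goes one step further than the post by also offering a hostname-derived offset, and the script path, the `WINDOW` and `STAGGER` variables and the one-hour default are assumptions.

```shell
#!/bin/sh
# Added example: delay a scheduled scan so containers on one host do not start together.
# Assumptions: WINDOW (seconds), STAGGER and the install path in the cron line below.
#
# Hypothetical /etc/cron.d entry, one per container:
#   0 3 * * * root /usr/local/sbin/stagger.sh nice -n 19 rkhunter --cronjob --report-warnings-only

# Random offset in [0, window). Reads /dev/urandom because cron runs /bin/sh,
# which on Debian/Ubuntu is dash and has no $RANDOM.
random_offset() {
    window=$1
    n=$(od -An -N4 -tu4 /dev/urandom | tr -dc '0-9')
    echo $(( n % window ))
}

# Stable offset in [0, window) derived from the hostname: each container keeps
# the same slot every day, which makes the load pattern predictable.
host_offset() {
    window=$1
    host=${2:-$(hostname)}
    sum=$(printf '%s' "$host" | cksum | cut -d' ' -f1)
    echo $(( sum % window ))
}

# Sleep, then run the command only if the sleep succeeded (the && from the post).
run_staggered() {
    delay=$1
    shift
    sleep "$delay" && "$@"
}

# Run only when a command was passed, so sourcing the file has no side effects.
if [ "$#" -gt 0 ]; then
    window=${WINDOW:-3600}
    if [ "${STAGGER:-random}" = "host" ]; then
        run_staggered "$(host_offset "$window")" "$@"
    else
        run_staggered "$(random_offset "$window")" "$@"
    fi
fi
```

Because the delay is applied inside each container, the integrity scan keeps running everywhere and only its start time moves.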
