Rkhunter daily email not being sent

Following the Rocky Linux rkhunter setup doc does not produce working rkhunter daily email reports on Rocky Linux 9.
Email reports do work for Rocky Linux 7 and 8.
https://docs.rockylinux.org/guides/web/apache_hardened_webserver/rkhunter/

/etc/rkhunter.conf
MAIL-ON-WARNING=root

Postfix is working, as other email reports such as logwatch, which also uses the root alias, are working.
I do not see any rkhunter email-sending errors in the logs.
Wondering if anyone else has run into this, as none of my Rocky 9 systems are sending rkhunter daily reports.

Thank you,
Dave

Greetings Dave and Welcome!

Have you removed the comment from the following line in the rkhunter.conf file as well:

MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

Also, have you tried running rkhunter --check manually to see if any warnings are found that would generate an email?

You can take a look at our document for rkhunter here. Admittedly, it needs to reference removing the comment on the MAIL_CMD line as well.

Here is what I received on a fresh install of rkhunter on a container where I expected some warnings (and got them):

tail -f /var/mail/root 
	id EC2F9C0001227; Thu, 13 Apr 2023 08:19:28 -0500 (CDT)
Date: Thu, 13 Apr 2023 08:19:28 -0500
To: root@rockylinux-test-9.localdomain
Subject: [rkhunter] Warnings found for rockylinux-test-9
User-Agent: s-nail v14.9.22
Message-Id: <20230413131928.EC2F9C0001227@rockylinux-test-9.localdomain>
From: root <root@rockylinux-test-9.localdomain>

Please inspect this machine, because it may be infected.

Maybe I just never noticed this before. But I just did Rocky 9 updates on the systems this morning, and I made a no-root-login SSH change that usually causes an rkhunter report email to be sent.
Maybe a recent change where rkhunter daily does not send status unless it sees warnings?

if [ $XITVAL != 0 ]; then
     /bin/cat $TMPFILE1 | /bin/mail -s "rkhunter Daily Run on $(hostname)" $MAILTO
fi
/bin/cat $TMPFILE1 >> $LOGFILE

Otherwise it worked.

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': no
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset

----------------------- End Rootkit Hunter Scan -----------------------

Thank you!

Exactly, @ddestroyer: rkhunter will run, but it isn't going to send you anything unless it sees a warning. A manual run with --check will give you a preview of the tests and whether there are any warnings or not. I'm not remembering if the SSH settings will generate a warning (just a notice in the log, as you've shown) when you run --check. If your checks return no warnings, then my guess is that rkhunter is working as expected.


You can also script your own report to echo the contents of the rkhunter log regardless of warning status.
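As an added example (not code from this thread, and not the cron script shipped in the rkhunter package), here is a wrapper that does what the cron.daily excerpt and the reply above describe: it runs the same update and check the daily job runs, but mails the captured output every day and puts rkhunter's exit status and warning count in the subject and first line, so an "OK" day and a "nothing was sent" day are no longer indistinguishable. Assumed: rkhunter at /usr/bin/rkhunter, mail(1) at /bin/mail delivering to the root alias as in the thread, and the rkhunter options --update, --cronjob, --nocolors and --report-warnings-only; all paths can be overridden from the environment.

```shell
#!/bin/bash
# Added example for this thread, not the rkhunter package's own cron script.
# Mails the rkhunter run output every day and says in the subject whether
# warnings were found. Paths below are assumptions (EL9 defaults) that can
# be overridden from the environment.
set -u

RKHUNTER=${RKHUNTER:-/usr/bin/rkhunter}
MAIL_BIN=${MAIL_BIN:-/bin/mail}
MAILTO=${MAILTO:-root}

# rkhunter --check exits 0 when no warnings were found and non-zero otherwise.
# Encoding that in the subject lets OK mails be filtered while WARNING mails stand out.
subject_for_status() {
    local status=$1 host=$2
    if [ "$status" -eq 0 ]; then
        printf '[rkhunter] OK - daily run on %s\n' "$host"
    else
        printf '[rkhunter] WARNING (exit %s) - daily run on %s\n' "$status" "$host"
    fi
}

# Warning lines as rkhunter prints them, with or without the [HH:MM:SS]
# prefix that the log-file form carries.
warning_lines() {
    grep -E '^[[:space:]]*(\[[^]]*\][[:space:]]*)?Warning:' "$1" || true
}

count_warnings() {
    warning_lines "$1" | wc -l | tr -d ' '
}

# Mail body: one-line summary, the warnings pulled to the top, then the full output.
compose_report() {
    local status=$1 host=$2 output=$3 n
    n=$(count_warnings "$output")
    printf 'rkhunter daily run on %s: exit status %s, %s warning line(s)\n\n' "$host" "$status" "$n"
    if [ "$n" -gt 0 ]; then
        printf '== Warnings ==\n'
        warning_lines "$output"
        printf '\n'
    fi
    printf '== Full output ==\n'
    cat "$output"
}

run_and_mail() {
    local host tmp status
    host=$(hostname -s)
    tmp=$(mktemp /tmp/rkhunter-report.XXXXXX)
    trap 'rm -f "$tmp"' EXIT

    printf '%s\n' '== Start Rootkit Hunter Update ==' >"$tmp"
    # --update exits non-zero when data files were refreshed; that is not an alarm.
    "$RKHUNTER" --update --nocolors >>"$tmp" 2>&1 || true

    printf '%s\n' '== Start Rootkit Hunter Scan ==' >>"$tmp"
    # --cronjob implies --check, --skip-keypress and no colour; only its status matters.
    if "$RKHUNTER" --cronjob --report-warnings-only >>"$tmp" 2>&1; then
        status=0
    else
        status=$?
    fi
    printf '%s\n' '== End Rootkit Hunter Scan ==' >>"$tmp"

    # Unlike the packaged cron job, mail unconditionally.
    compose_report "$status" "$host" "$tmp" \
        | "$MAIL_BIN" -s "$(subject_for_status "$status" "$host")" "$MAILTO"
}

# Only run the scan when rkhunter is actually installed; otherwise the
# functions above are merely defined, which keeps the script safe to source.
if [ -x "$RKHUNTER" ]; then
    run_and_mail
fi
```

Install it as an executable file in /etc/cron.daily (for example /etc/cron.daily/rkhunter-report) and remove or disable the packaged /etc/cron.daily/rkhunter so the check does not run twice a day; the MAIL-ON-WARNING and MAIL_CMD settings in rkhunter.conf then only affect the extra mail rkhunter itself sends on warnings.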

Sounds good, thank you for the confirmation!