Rkhunter daily email not being sent

Following the Rocky Linux rkhunter setup doc, does not produce working rkhunter emails daily reports on Rocky Linux 9.
Email reports do work for Rocky Linux 7 and 8.


postfix is working as other email reports are working like logwatch which also use root alias.
I do not recognize any rkhunter log email sending errors.
Wondering if anyone else has run into this as none of my Rocky 9 systems are sending rkhunter daily reports.

Thank you,

Greetings Dave and Welcome!

Have you removed the comment from the following line in the rkhunter.conf file as well:

MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

Also, have you tried running rkhunter --check manually to see if any warnings are found that would generate an email?

You can take a look at our document for rkhunter here Admittedly, it needs to reference removing the comment on the MAIL-CMD line as well.

Here is what I received on a fresh install of rkhunter on a container where I expected some warnings (and got them):

tail -f /var/mail/root 
	id EC2F9C0001227; Thu, 13 Apr 2023 08:19:28 -0500 (CDT)
Date: Thu, 13 Apr 2023 08:19:28 -0500
To: root@rockylinux-test-9.localdomain
Subject: [rkhunter] Warnings found for rockylinux-test-9
User-Agent: s-nail v14.9.22
Message-Id: <20230413131928.EC2F9C0001227@rockylinux-test-9.localdomain>
From: root <root@rockylinux-test-9.localdomain>

Please inspect this machine, because it may be infected.

Maybe I just never noticed this before. But I just did Rocky 9 updates on the systems this morning and I made a no root login SSH change that usually causes a rkhunter report to sent the email.
Maybe a recent change to where rkhunter daily does not sent status unless it sees warnings?

if [ $XITVAL != 0 ]; then
     /bin/cat $TMPFILE1 | /bin/mail -s "rkhunter Daily Run on $(hostname)" $MAILTO
/bin/cat $TMPFILE1 >> $LOGFILE

otherwise it worked.

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files…
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option ‘PermitRootLogin’: no
Rkhunter configuration option ‘ALLOW_SSH_ROOT_USER’: unset

----------------------- End Rootkit Hunter Scan -----------------------

Thank you!

Exactly, @ddestroyer : rkhunter will run, but it isn’t going to send you anything unless it sees a warning. A manual run with --check will give you a preview of the tests and whether there are any warnings or not. I’m not remembering if the SSH settings will generate a warning (just a notice in the log as you’ve shown) when you run --check. If your checks return no warnings, then my guess is that rkhunter is working as expected.

1 Like

You can also script your own report to echo the contents of the rkhunter log regardless of warning status.

Sounds good, thank you for the confirmation!