Following the Rocky Linux rkhunter setup doc does not produce working rkhunter daily email reports on Rocky Linux 9.
Email reports do work for Rocky Linux 7 and 8.
https://docs.rockylinux.org/guides/web/apache_hardened_webserver/rkhunter/
/etc/rkhunter.conf
MAIL-ON-WARNING=root
Postfix is working, as other email reports like logwatch, which also use the root alias, are working.
I do not see any rkhunter email-sending errors in the logs.
Wondering if anyone else has run into this as none of my Rocky 9 systems are sending rkhunter daily reports.
Thank you,
Dave
Greetings Dave and Welcome!
Have you removed the comment from the following line in the rkhunter.conf file as well:
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
Also, have you tried running rkhunter --check manually to see if any warnings are found that would generate an email?
You can take a look at our document for rkhunter here. Admittedly, it needs to reference removing the comment on the MAIL_CMD line as well.
Here is what I received on a fresh install of rkhunter on a container where I expected some warnings (and got them):
tail -f /var/mail/root
id EC2F9C0001227; Thu, 13 Apr 2023 08:19:28 -0500 (CDT)
Date: Thu, 13 Apr 2023 08:19:28 -0500
To: root@rockylinux-test-9.localdomain
Subject: [rkhunter] Warnings found for rockylinux-test-9
User-Agent: s-nail v14.9.22
Message-Id: <20230413131928.EC2F9C0001227@rockylinux-test-9.localdomain>
From: root <root@rockylinux-test-9.localdomain>
Please inspect this machine, because it may be infected.
Maybe I just never noticed this before. But I just did Rocky 9 updates on the systems this morning and I made a no-root-login SSH change that usually causes rkhunter to send a report email.
Maybe there was a recent change where the rkhunter daily run does not send status unless it sees warnings?
if [ $XITVAL != 0 ]; then   # XITVAL is the exit status of the rkhunter run; non-zero means warnings were found
/bin/cat $TMPFILE1 | /bin/mail -s "rkhunter Daily Run on $(hostname)" $MAILTO
fi
/bin/cat $TMPFILE1 >> $LOGFILE   # the run output is always appended to the log, but only mailed on warnings
Otherwise it worked.
--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files…
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option ‘PermitRootLogin’: no
Rkhunter configuration option ‘ALLOW_SSH_ROOT_USER’: unset
----------------------- End Rootkit Hunter Scan -----------------------
Thank you!
Exactly, @ddestroyer: rkhunter will run, but it isn't going to send you anything unless it sees a warning. A manual run with --check will give you a preview of the tests and whether there are any warnings or not. I'm not remembering if the SSH settings will generate a warning (just a notice in the log as you've shown) when you run --check. If your checks return no warnings, then my guess is that rkhunter is working as expected.
You can also script your own report to echo the contents of the rkhunter log regardless of warning status.
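One way to do that, as an added example that is not part of this thread, of rkhunter's own cron script, or of the Rocky Linux docs: a replacement daily script that mails the result whether or not rkhunter found warnings, and puts the verdict in the Subject so a clean day and a warning day look different in the inbox. The paths (/usr/bin/rkhunter, /bin/mail, /var/log/rkhunter/rkhunter-report.log) and the MAILTO default of root are assumptions that match the stock setup quoted above; adjust them for your host.

```shell
#!/bin/sh
# rkhunter-report: daily rkhunter run that mails a report every day, not only
# when warnings are found. Added example for this thread; not rkhunter's own
# cron script and not from the Rocky Linux docs.
#
# Assumptions (adjust for your host): rkhunter at /usr/bin/rkhunter, an MTA
# reachable through /bin/mail (s-nail on Rocky 9), reports to the root alias,
# and a separate summary log so rkhunter's own /var/log/rkhunter/rkhunter.log
# is left alone. Install as /etc/cron.daily/rkhunter-report, mode 0755, and
# disable the stock /etc/cron.daily/rkhunter to avoid running the scan twice.

RKHUNTER="${RKHUNTER:-/usr/bin/rkhunter}"
MAILER="${MAILER:-/bin/mail}"
MAILTO="${MAILTO:-root}"
LOGFILE="${LOGFILE:-/var/log/rkhunter/rkhunter-report.log}"

# Subject carries the verdict. $2 is rkhunter's exit status (0 = no warnings).
report_subject() {
    host="$1"
    xitval="$2"
    if [ "$xitval" -eq 0 ]; then
        printf '[rkhunter] Daily run on %s: no warnings' "$host"
    else
        printf '[rkhunter] Daily run on %s: WARNINGS (exit %s)' "$host" "$xitval"
    fi
}

# Number of "Warning:" lines in captured rkhunter output. grep -c exits 1 when
# there are no matches (and 2 on a missing file), so report 0 instead of failing.
count_warnings() {
    n=$(grep -c '^Warning:' "$1" 2>/dev/null) || n=0
    printf '%s\n' "${n:-0}"
}

# Mail body: a short summary header, then the captured scan output. With
# --report-warnings-only a clean run prints almost nothing, so the header is
# what makes a clean-day report informative.
build_report() {
    outfile="$1"
    xitval="$2"
    printf 'Host: %s\nDate: %s\nrkhunter exit status: %s\nWarning lines: %s\n\n' \
        "$(uname -n)" "$(date)" "$xitval" "$(count_warnings "$outfile")"
    cat "$outfile"
}

main() {
    tmp=$(mktemp /tmp/rkhunter-report.XXXXXX) || return 1
    trap 'rm -f "$tmp"' EXIT

    # Refresh data files first; the status of --update is not part of the verdict.
    "$RKHUNTER" --update --nocolors >"$tmp" 2>&1
    # --cronjob implies --check, --nocolors and --skip-keypress. Capture the
    # status immediately; this is the value the stock script tests before mailing.
    "$RKHUNTER" --cronjob --report-warnings-only >>"$tmp" 2>&1
    xitval=$?

    subject=$(report_subject "$(uname -n)" "$xitval")
    build_report "$tmp" "$xitval" | "$MAILER" -s "$subject" "$MAILTO"
    build_report "$tmp" "$xitval" >>"$LOGFILE"
    return "$xitval"
}

# Only scan when the binary is present, so sourcing this file on a host
# without rkhunter (for example to exercise the functions) does nothing.
if [ -x "$RKHUNTER" ]; then
    main
else
    printf '%s not found or not executable; no scan run\n' "$RKHUNTER" >&2
fi
```

The Subject still works as a filter: anything containing "WARNINGS" can be routed or alerted on, while the daily "no warnings" mail proves the job actually ran, which is the one thing the stock script cannot tell you.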
Sounds good, thank you for the confirmation!