# Issue
rkhunter's default email alert only says "Please inspect this machine, because it may be infected." and nothing else. The whole message looks like this:
[rkhunter] Warnings found for hostname
Please inspect this machine, because it may be infected.
It would be far more useful to have the actual warnings inside the email, instead of having to log in to the machine and read the log to find out what was detected.
# Solution
Here is how to receive better email alerts from rkhunter.
# First: Use a custom rkhunter cron script
Put the following script in /etc/cron.daily/rkhunter-check and make it executable (chmod 755). It runs the daily check and mails rkhunter's own warning output, if there is any, instead of the generic notice:
```sh
#!/bin/sh
# With --cronjob and --report-warnings-only rkhunter prints nothing unless
# there is something to report, so a non-empty result means warnings.
OUTPUT=$(rkhunter --update --cronjob --report-warnings-only --nocolors --skip-keypress)
if [ -n "$OUTPUT" ]
then
    # Quote the variable: an unquoted echo would join all warnings onto one line.
    printf '%s\n' "$OUTPUT" | mail -s "[rkhunter] Warnings found for $(hostname)" root@youremail
fi
```
Note: replace root@youremail with your own email address ;)
# Example of email alerts
Here is an example of an email alert sent by this script:
[rkhunter] Warnings found for hostname
Warning: Changes found in the passwd file for user 'webserv': The login shell
has changed from '/usr/bin/zsh' to '/bin/sh'
# Second: Disable rkhunter default email alerts
The cron script now sends the report, so disable rkhunter's own mail to avoid receiving every warning twice. Open /etc/rkhunter.conf and comment out these two lines:
# MAIL-ON-WARNING="mail@mail.com"
# MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
On Debian and Ubuntu the packaged daily job (/etc/cron.daily/rkhunter) is controlled by /etc/default/rkhunter; if CRON_DAILY_RUN is enabled there, turn it off as well, or that job will run a second check and send a second mail.
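The two steps above as one script, added here as a worked example; it is not the original post's script and not part of rkhunter. The rkhunter invocation and the mail subject are the ones from the post. What is added is a check that rkhunter is actually installed, capture of stderr so a failed run is mailed rather than silently treated as "no warnings", a header with the number of warnings, and a pointer to the log. It assumes rkhunter logs to /var/log/rkhunter.log (its default) and that mail(1) is available; the sample rkhunter output at the bottom is constructed for testing, not real output.

```sh
#!/bin/sh
# Added example, not the original post's script: a hardened version of
# /etc/cron.daily/rkhunter-check. Assumptions: rkhunter logs to
# /var/log/rkhunter.log (its default) and mail(1) is available.

RKHUNTER_LOG=/var/log/rkhunter.log
ALERT_TO="root@youremail"   # replace with your address

# Turn rkhunter's --report-warnings-only output (read from stdin) into a
# mail body: a header with the number of "Warning:" lines, the output
# itself (multi-line warnings keep their context lines), and the log path.
# Returns 1 when there is nothing to report, so the caller can skip the mail.
build_alert_body() {
    host=$1
    report=$(cat)
    [ -n "$report" ] || return 1
    count=$(printf '%s\n' "$report" | grep -c '^Warning:' || true)
    printf 'rkhunter found %s warning(s) on %s\n\n' "$count" "$host"
    printf '%s\n' "$report"
    printf '\nFull log: %s\n' "$RKHUNTER_LOG"
}

# The daily job. stderr is captured too, so a broken rkhunter install or
# a failed --update is mailed (with a warning count of 0) instead of being
# silently treated as "no warnings".
run_daily_check() {
    host=$(hostname)
    if ! command -v rkhunter >/dev/null 2>&1; then
        printf 'rkhunter is not installed or not in PATH on %s\n' "$host" \
            | mail -s "[rkhunter] Check failed on $host" "$ALERT_TO"
        return 1
    fi
    output=$(rkhunter --update --cronjob --report-warnings-only --nocolors --skip-keypress 2>&1)
    body=$(printf '%s\n' "$output" | build_alert_body "$host") || return 0
    printf '%s\n' "$body" | mail -s "[rkhunter] Warnings found for $host" "$ALERT_TO"
}

# Constructed sample of rkhunter output (the first line is the warning
# shown in the post, the second is a made-up one-line warning) for trying
# build_alert_body without running rkhunter.
SAMPLE_OUTPUT="Warning: Changes found in the passwd file for user 'webserv': The login shell has changed from '/usr/bin/zsh' to '/bin/sh'
Warning: The file properties have changed: File: /usr/bin/ssh"

# Only run the real check when installed under the cron script's name.
if [ "${0##*/}" = "rkhunter-check" ]; then
    run_daily_check
fi
```

Install it as /etc/cron.daily/rkhunter-check with mode 755; the guard on $0 means the real check only runs under that name, so you can execute the file elsewhere (or pipe `SAMPLE_OUTPUT` into build_alert_body) to see the mail body without touching rkhunter. The second step, commenting out MAIL-ON-WARNING and MAIL_CMD in /etc/rkhunter.conf, is still needed, otherwise rkhunter's own mail arrives as well.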
# Notes
You can still inspect /var/log/rkhunter.log if you want more context on these warnings.
Source: Thanks to Sebastiano Montino for his original post rkhunter, a better e-mail integration / alert.