Hi guys,
I've gone for the lazy admin option of:
#!/usr/bin/perl -w
#
# Run a rkhunter scan and email admin if something interesting found
#
use strict;
use constant TRUE => 1;
use constant FALSE => not TRUE;
use constant SUBJECT => "$ENV{HOSTNAME} weekly rkhunter check";
use constant EMAIL => 'admin';
use constant ONLY_ON_FAIL => TRUE;
use constant FULL_REPORT => TRUE;
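# Build the scan command; --quiet is only added when a full report is not wanted
my $command='/usr/local/bin/rkhunter --cronjob'.(FULL_REPORT?'':' --quiet');
# Run the scan and capture its output
my $results=`$command`;
# Mail the report if warnings were found (or always, when ONLY_ON_FAIL is off)
if(not ONLY_ON_FAIL or $results=~/warning/i){
    open(OUTPUT,'|/bin/mail -s "'.SUBJECT.'" '.EMAIL)
        or die "$0: Can't send email $!";
    print OUTPUT $results;
    close(OUTPUT);
}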
So I'm only sent an email if there is anything wrong but when it does email it sends the whole report for me to look through. One advantage is that once you have rkhunter running clean you can move the script from a weekly check up to a more frequent scan, daily or even hourly depending on your degree of paranoia, giving a faster notification of a potential security problem.
Regards,
Lee