Even if rkhunter has been run first with the --propupd option, some warnings are still shown in the logs. This is a little bit annoying because it is caused by known alerts. I wrote a short batch script that stores the last log and compares it with the new log when rkh runs. So it can assume that old known warnings should not be shown. Only when a difference between the old and the new log exists does a popup window (needs zenity on your system) notify you. I am not a good batch coder but it works. It's enough for me. I hope it will be helpful for you too.

You can put it in an .sh file, set the +x permission and run it as root:

    $ sudo ./rkhunter_diff.sh option

option must be assume or noassume. On the first run the option is automatically set to noassume if the log is not found.

_____________________________
#!/bin/bash
# rkhunter_diff.sh - run rkhunter and pop up a zenity warning only when
# something new shows up compared with the previous run.
# Usage: sudo ./rkhunter_diff.sh assume|noassume

# Vars
return_code=0
rkhunterlog="/var/log/rkhunter.log"
last_rkhunterlog="/var/log/last_rkhunter.log"
set_popup="0"

# Check root
if [[ $EUID -ne 0 ]]; then
    echo "rkhunter needs root" 1>&2
    exit 1
fi

# Check rkhunter log: with no previous log there is nothing to compare with
if [ ! -f "$rkhunterlog" ]; then
    echo "$rkhunterlog does not exist... setting option: noassume"
    opt="noassume"
else
    # Check option
    if [ "$1" == "assume" ] || [ "$1" == "noassume" ]; then
        opt="$1"
        echo "Option set to: $opt"
    else
        echo "Must set an option: assume or noassume" 1>&2
        exit 1
    fi
fi

# Keep the previous log so the new run can be compared with it
if [ "$opt" == "assume" ]; then
    cp "$rkhunterlog" "$last_rkhunterlog"
fi

# Update rkhunter data files (exit code 2 means updates were installed, 1 means error)
rkhunter --update
return_code=$?
if [ $return_code -eq 1 ]; then
    echo "Error while updating rkhunter, using old data"
else
    echo "rkhunter successfully updated"
fi

# Start rkhunter; -sk skips the key presses. Exit code 1 only means warnings were found.
rkhunter --check -sk
return_code=$?

if [[ $return_code -ne 0 && $return_code -ne 1 ]]; then
    echo ""; echo "rkhunter error"; echo ""
else
    # Compare new and old log. Only the Warning lines are compared, with the
    # leading [HH:MM:SS] timestamp stripped, otherwise every run would differ.
    if [ "$opt" == "assume" ]; then
        r_diff=$(diff <(grep 'Warning:' "$last_rkhunterlog" | sed 's/^\[[^]]*\] *//') \
                     <(grep 'Warning:' "$rkhunterlog" | sed 's/^\[[^]]*\] *//'))
        if [ -n "$r_diff" ]; then
            set_popup="1"
        fi
    fi
    if [ "$opt" == "noassume" ]; then
        set_popup="1"
    fi

    if ! grep -q 'Possible rootkits: 0' "$rkhunterlog"; then
        if [ "$set_popup" == "1" ]; then
            zenity --warning --text="rkhunter message: possible rootkit \n check the log file (/var/log/rkhunter.log)"
        fi
    fi
    if ! grep -q 'Suspect files: 0' "$rkhunterlog"; then
        if [ "$set_popup" == "1" ]; then
            zenity --warning --text="rkhunter message: suspect files \n check the log file (/var/log/rkhunter.log)"
        fi
    fi
fi

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
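The post's approach (a raw diff of two rkhunter logs) only works if the parts of the log that change on every run are ignored. As an added example, not part of the post above and not rkhunter's own code, the script below extracts only the Warning lines from two logs, strips the leading "[HH:MM:SS]" timestamp that rkhunter writes in front of each log line, attaches indented continuation lines (such as the "File: ..." line under a file-properties warning) to their warning, and reports which warnings are new since the previous run. The two log excerpts are constructed sample data in the shape of rkhunter's log, not real output. Note that in "assume" mode a warning that was already present in the previous run is silently carried forward; rkhunter's own mechanisms for accepting known state (re-running --propupd after legitimate package updates, and whitelist entries in rkhunter.conf) keep that decision explicit and reviewable.

```python
import re
import sys
from typing import Dict, List

# Constructed sample excerpts mimicking rkhunter's log format (not real logs).
OLD_LOG = """\
[09:01:02] Info: Starting test name 'filesystem'
[09:01:03] Warning: Hidden directory found: /etc/.java
[09:01:04] Warning: The file properties have changed:
[09:01:04]          File: /usr/bin/curl
[09:01:05] Info: Check for hidden files: [ Warning ]
[09:01:06] Possible rootkits: 0
[09:01:06] Suspect files: 2
"""

NEW_LOG = """\
[10:15:42] Info: Starting test name 'filesystem'
[10:15:43] Warning: Hidden directory found: /etc/.java
[10:15:44] Warning: The file properties have changed:
[10:15:44]          File: /usr/bin/curl
[10:15:45] Warning: Suspicious file types found in /dev:
[10:15:46] Possible rootkits: 0
[10:15:46] Suspect files: 3
"""

# Assumption: every rkhunter log line starts with "[HH:MM:SS]" and one space.
TIMESTAMP = re.compile(r"^\[\d{2}:\d{2}:\d{2}\] ?")
SUMMARY = re.compile(r"^(Possible rootkits|Suspect files):\s+(\d+)$")


def strip_timestamp(raw: str) -> str:
    """Remove the per-line timestamp so two runs can be compared."""
    return TIMESTAMP.sub("", raw).rstrip()


def warnings(log_text: str) -> List[str]:
    """Return the Warning lines of a log, each with its indented continuation
    lines joined onto it and the timestamp removed."""
    out: List[str] = []
    in_warning = False
    for raw in log_text.splitlines():
        line = strip_timestamp(raw)
        if line.startswith("Warning:"):
            out.append(line)
            in_warning = True
        elif in_warning and line.startswith(" "):
            # Indented detail line belongs to the warning just above it.
            out[-1] += " " + line.strip()
        else:
            in_warning = False
    return out


def new_warnings(old_text: str, new_text: str) -> List[str]:
    """Warnings present in the new log that were not in the old one."""
    known = set(warnings(old_text))
    return [w for w in warnings(new_text) if w not in known]


def summary(log_text: str) -> Dict[str, int]:
    """Parse the 'Possible rootkits' / 'Suspect files' summary counters."""
    counts: Dict[str, int] = {}
    for raw in log_text.splitlines():
        m = SUMMARY.match(strip_timestamp(raw))
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def should_alert(old_text: str, new_text: str) -> bool:
    """Alert on any new warning, and always on a non-zero rootkit count."""
    if summary(new_text).get("Possible rootkits", 0) > 0:
        return True
    return bool(new_warnings(old_text, new_text))


if __name__ == "__main__":
    # Usage: rkhunter_newwarnings.py /var/log/last_rkhunter.log /var/log/rkhunter.log
    if len(sys.argv) == 3:
        old = open(sys.argv[1], encoding="utf-8", errors="replace").read()
        new = open(sys.argv[2], encoding="utf-8", errors="replace").read()
    else:
        old, new = OLD_LOG, NEW_LOG
    for w in new_warnings(old, new):
        print("NEW:", w)
    print("alert:", should_alert(old, new))
```

Run without arguments it uses the constructed sample logs and reports the single new warning; with the two log paths from the post it can replace the diff step of the shell script, exiting the comparison with an explicit list of what changed rather than a raw diff.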