Re: [Rkhunter-users] mail from root
On Sat, May 04, 2013 at 10:09:27PM +0100, John Horne wrote:
> On Fri, 2013-05-03 at 10:29 -0700, Robert Holtzman wrote:
> > On Fri, May 03, 2013 at 10:01:04AM +0100, John Horne wrote:
> > > On Fri, 2013-05-03 at 00:29 -0700, Robert Holtzman wrote:
> > > > > I don't know about 'msmtp', but I assume some log file in /var/log (possibly '/var/log/maillog') should contain any errors from the msmtp command. Also try looking in /var/log/cron.
> > > >
> > > > less .msmtp.log | grep rkhunter showed only posts to the list.
> > >
> > > Okay, so what happens when you force RKH to produce an error. Does anything get emailed?
> >
> > No.
>
> In which case I can't help. This isn't an RKH problem since your cron job is set up to pipe any output through to msmtp, and that is not emailing you anything.

I was beginning to suspect the problem wasn't with rkhunter as I seem to have exhausted the possible failure modes with it. I guess I'll have to start digging into msmtp.

Many thanks for your effort.

--
Bob Holtzman
If you think you're getting free lunch, check the price of the beer.
Key ID: 8D549279

Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] mail from root
On Fri, 2013-05-03 at 10:29 -0700, Robert Holtzman wrote:
> On Fri, May 03, 2013 at 10:01:04AM +0100, John Horne wrote:
> > On Fri, 2013-05-03 at 00:29 -0700, Robert Holtzman wrote:
> > > > I don't know about 'msmtp', but I assume some log file in /var/log (possibly '/var/log/maillog') should contain any errors from the msmtp command. Also try looking in /var/log/cron.
> > >
> > > less .msmtp.log | grep rkhunter showed only posts to the list.
> >
> > Okay, so what happens when you force RKH to produce an error. Does anything get emailed?
>
> No.

In which case I can't help. This isn't an RKH problem since your cron job is set up to pipe any output through to msmtp, and that is not emailing you anything.

John.

--
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
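
The cron job quoted in this thread runs `rm -f $OUTFILE` whether or not msmtp accepted the message, so a failing mailer loses the report without a trace. The following is an added example, not part of the thread or of the Debian package, of a mailing step that checks the mailer's exit status and keeps the report on failure; `send_report`, `MTA`, `KEEP_DIR` and `SAVED` are assumed names.

```shell
#!/bin/sh
# Added example, not the Debian cron script: mail an rkhunter report and keep
# it if the mailer fails. send_report, MTA, KEEP_DIR, SAVED are assumed names.

# send_report REPORT_FILE RECIPIENT
# Returns 0 = mailer accepted the message, 1 = mailer failed (report kept,
# path left in $SAVED), 2 = report file empty, nothing to send.
send_report() {
    report=$1
    rcpt=$2
    SAVED=
    [ -s "$report" ] || return 2

    # A pipeline's exit status is that of its last command, here the mailer.
    if {
        echo "Subject: [rkhunter] $(hostname -f 2>/dev/null || uname -n) - Daily report"
        echo "To: $rcpt"
        echo ""
        cat "$report"
    } | ${MTA:-/usr/bin/msmtp} "$rcpt" 2>"$report.err"; then
        rm -f "$report" "$report.err"
        return 0
    fi

    # Mailer failed: keep its error text and the report in a mode-0600 file.
    SAVED=$(mktemp "${KEEP_DIR:-/var/tmp}/rkhunter-unsent.XXXXXX") || return 1
    { cat "$report.err"; echo "---- unsent report ----"; cat "$report"; } >"$SAVED"
    rm -f "$report" "$report.err"
    if command -v logger >/dev/null 2>&1; then
        logger -t rkhunter-cron "mail to $rcpt failed, report kept in $SAVED" || true
    fi
    echo "rkhunter report not mailed, kept in $SAVED" >&2
    return 1
}

# Demonstration: constructed warning text, mailer stub that always fails.
demo_dir=$(mktemp -d) || exit 1
echo "Warning: constructed sample warning" >"$demo_dir/out"
( MTA=false; KEEP_DIR=$demo_dir; send_report "$demo_dir/out" root ) ||
    echo "send_report returned $?"
rm -rf "$demo_dir"
```

The kept file starts with whatever the mailer wrote to stderr, which is the error text the thread was looking for in the log files.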
Re: [Rkhunter-users] mail from root
On Mon, Apr 29, 2013 at 11:20:46AM +0100, John Horne wrote:
> On Fri, 2013-04-26 at 18:02 -0700, Robert Holtzman wrote:
> > /etc/cron.daily looks like this (in part):
> >
> > case "$CRON_DAILY_RUN" in
> >     [Yy]*)
> >         OUTFILE=`mktemp` || exit 1
> >         /usr/bin/nice -n $NICE $RKHUNTER --cronjob --report-warnings-only --appendlog > $OUTFILE
> >         if [ -s "$OUTFILE" ]; then
> >             (
> >                 echo "Subject: [rkhunter] $(hostname -f) - Daily report"
> >                 echo "To: $REPORT_EMAIL"
> >                 echo ""
> >                 cat $OUTFILE
> > #           ) | /usr/sbin/sendmail $REPORT_EMAIL
> >             ) | /usr/bin/msmtp $REPORT_EMAIL
> >         fi
> >         rm -f $OUTFILE
> >         ;;
> >     *)
> >         exit 0
> >         ;;
> > esac
> >
> > which looks right but C (I presume that's what it is) isn't my strong point.
>
> This is just shell script.

Shows you what *I* know :-)

> The cron job captures any output from RKH and then emails that using msmtp. So I would leave the RKH setting MAIL_CMD as , and let the cron job handle the email.

That's the impression I had

> I don't know about 'msmtp', but I assume some log file in /var/log (possibly '/var/log/maillog') should contain any errors from the msmtp command. Also try looking in /var/log/cron.

less .msmtp.log | grep rkhunter showed only posts to the list.

--
Bob Holtzman
If you think you're getting free lunch, check the price of the beer.
Key ID: 8D549279
Re: [Rkhunter-users] mail from root
On Fri, May 03, 2013 at 10:01:04AM +0100, John Horne wrote:
> On Fri, 2013-05-03 at 00:29 -0700, Robert Holtzman wrote:
> > > I don't know about 'msmtp', but I assume some log file in /var/log (possibly '/var/log/maillog') should contain any errors from the msmtp command. Also try looking in /var/log/cron.
> >
> > less .msmtp.log | grep rkhunter showed only posts to the list.
>
> Okay, so what happens when you force RKH to produce an error. Does anything get emailed?

No.

--
Bob Holtzman
If you think you're getting free lunch, check the price of the beer.
Key ID: 8D549279
Re: [Rkhunter-users] mail from root
On Fri, 2013-04-26 at 18:02 -0700, Robert Holtzman wrote:
> /etc/cron.daily looks like this (in part):
>
> case "$CRON_DAILY_RUN" in
>     [Yy]*)
>         OUTFILE=`mktemp` || exit 1
>         /usr/bin/nice -n $NICE $RKHUNTER --cronjob --report-warnings-only --appendlog > $OUTFILE
>         if [ -s "$OUTFILE" ]; then
>             (
>                 echo "Subject: [rkhunter] $(hostname -f) - Daily report"
>                 echo "To: $REPORT_EMAIL"
>                 echo ""
>                 cat $OUTFILE
> #           ) | /usr/sbin/sendmail $REPORT_EMAIL
>             ) | /usr/bin/msmtp $REPORT_EMAIL
>         fi
>         rm -f $OUTFILE
>         ;;
>     *)
>         exit 0
>         ;;
> esac
>
> which looks right but C (I presume that's what it is) isn't my strong point.

This is just shell script.

The cron job captures any output from RKH and then emails that using msmtp. So I would leave the RKH setting MAIL_CMD as , and let the cron job handle the email.

I don't know about 'msmtp', but I assume some log file in /var/log (possibly '/var/log/maillog') should contain any errors from the msmtp command. Also try looking in /var/log/cron.

John.

--
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001
Re: [Rkhunter-users] mail from root
On Sat, Apr 27, 2013 at 10:57:05PM +0200, Bosse Johansson wrote:
> In Ubuntu 12.04 you set the $REPORT_EMAIL in /etc/default/rkhunter. Perhaps that differs between the desktop and the laptop?

.snip.

The laptop and desktop have identical /etc/default/rkhunter files.

# Set this to the email address where reports and run output should be
# sent
REPORT_EMAIL=root

I had forgotten to check in /etc/default. Many thanks for your effort.

--
Bob Holtzman
If you think you're getting free lunch, check the price of the beer.
Key ID: 8D549279
Re: [Rkhunter-users] mail from root
Hi,

at least the OpenSuse distribution does send emails with the output from cron runs, usually to 'root@localhost'. That behavior has been consistent since many OpenSuse versions including the 12.2 (latest?). The behavior can be traced through parsing crontab,

-*/15 * * * * root test -x /usr/lib/cron/run-crons && /usr/lib/cron/run-crons >/dev/null 2>&1

Extract from '/usr/lib/cron/run-crons':

# CRON Result EMail is sent to
if test -z "$MAILTO" ; then
    SEND_TO="root"
else
    SEND_TO="$MAILTO"
fi

In my case I have a Postfix setting on the OpenSuse server that directs all mails through a mailserver on my home network which in turn delivers all mails to 'root@localhost' to a specific imap account for administration. Quite handy to collect system mails from all machines (well, 3 actually, including the mail server).

Note that this setting will send mails with output from rkhunter when run from cron irrespective of the rkhunter settings.

I do not know how other distributions behave.

/Bosse J

2013-04-27 03:02, Robert Holtzman wrote:
> On Fri, Apr 26, 2013 at 11:14:25PM +0100, John Horne wrote:
> > On Tue, 2013-04-23 at 21:25 -0700, 'Robert Holtzman' wrote:
> > > Next I added my email address to MAIL-ON-WARNING in /etc/rkhunter.conf. It had been MAIL-ON-WARNING=. I thought that was weird but it was the same on my desktop where I got the emails every day. Result...still no joy. I'm out of Ideas. If anyone has a clue please let me know.
> >
> > Hello,
> >
> > If MAIL-ON-WARNING is not set (or set to ), then RKH will not send an email message if there are warnings. However, it may well be your cron system that is capturing the output from RKH and sending the message.
>
> As I said previously, the settings are the same as on the desktop () which sends mail. Hadn't ever heard of cron acting as you describe. Could you please elaborate?
>
> > I don't know how RKH is set up on a Debian system. What are the settings of MAIL-ON-WARNING and MAIL_CMD in the rkhunter.conf file on a standard Debian system? What does the RKH cron entry look like?
>
> /etc/cron.daily looks like this (in part):
>
> case "$CRON_DAILY_RUN" in
>     [Yy]*)
>         OUTFILE=`mktemp` || exit 1
>         /usr/bin/nice -n $NICE $RKHUNTER --cronjob --report-warnings-only --appendlog > $OUTFILE
>         if [ -s "$OUTFILE" ]; then
>             (
>                 echo "Subject: [rkhunter] $(hostname -f) - Daily report"
>                 echo "To: $REPORT_EMAIL"
>                 echo ""
>                 cat $OUTFILE
> #           ) | /usr/sbin/sendmail $REPORT_EMAIL
>             ) | /usr/bin/msmtp $REPORT_EMAIL
>         fi
>         rm -f $OUTFILE
>         ;;
>     *)
>         exit 0
>         ;;
> esac
>
> which looks right but C (I presume that's what it is) isn't my strong point.
>
> See above for MAIL-ON-WARNING. MAIL_CMD is:
>
> MAIL_CMD=mail -s [rkhunter] Warnings found for ${HOST_NAME}
>
> The same as the desktop.
>
> > As someone else pointed out, the laptop simply may not have any warnings. I would suggest looking in the rkhunter log file to see if there were any warnings (using 'grep' obviously makes this easier). If there are warnings, but you do not get a message then there is a problem. If there are no warnings, then you may want to forcibly create one - I tend to use something like 'date > /dev/dummyfile'. The 'filesystem' test will then report the file as being suspicious.
>
> Again, as I said previously, the warnings are the same as those on the desktop.
>
> Thanks for your reply. I remain frustrated.
Re: [Rkhunter-users] mail from root
On Tue, 2013-04-23 at 21:25 -0700, 'Robert Holtzman' wrote:
> Next I added my email address to MAIL-ON-WARNING in /etc/rkhunter.conf. It had been MAIL-ON-WARNING=. I thought that was weird but it was the same on my desktop where I got the emails every day. Result...still no joy. I'm out of Ideas. If anyone has a clue please let me know.

Hello,

If MAIL-ON-WARNING is not set (or set to ), then RKH will not send an email message if there are warnings. However, it may well be your cron system that is capturing the output from RKH and sending the message.

I don't know how RKH is set up on a Debian system. What are the settings of MAIL-ON-WARNING and MAIL_CMD in the rkhunter.conf file on a standard Debian system? What does the RKH cron entry look like?

As someone else pointed out, the laptop simply may not have any warnings. I would suggest looking in the rkhunter log file to see if there were any warnings (using 'grep' obviously makes this easier). If there are warnings, but you do not get a message then there is a problem. If there are no warnings, then you may want to forcibly create one - I tend to use something like 'date > /dev/dummyfile'. The 'filesystem' test will then report the file as being suspicious.

John.

--
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
Re: [Rkhunter-users] mail from root
On Tue, Apr 09, 2013 at 07:49:57PM +, Walter Hurry wrote:
> On Tue, 09 Apr 2013 11:46:01 -0700, Robert Holtzman wrote:
> > Running a desktop pc and a Lenovo laptop, both running Debian 6 and rkhunter 1.3.6-4. On the desk top I get daily mail from root showing 2 false positives. On the laptop I get no daily mail. Thinking I had missed something in the rkhunter.conf file I copied the one from the desktop. No joy. Any ideas/pointers appreciated.
>
> Then your mail from the rkhunter process on the laptop isn't getting through. If you're sure that rkhunter *is* actually running on the laptop, check the MAIL-ON-WARNING and MAIL_CMD entries in rkhunter.conf and go from there.

Both entries are identical on the two computers. They should be. As I said on my original post, I copied the file from the pc, where it was working to the laptop. I assume rkhunter is running on the laptop as rkhunter --check works. If I'm wrong, please correct me.

--
Bob Holtzman
If you think you're getting free lunch, check the price of the beer.
Key ID: 8D549279
Re: [Rkhunter-users] mail from root
> > > Running a desktop pc and a Lenovo laptop, both running Debian 6 and rkhunter 1.3.6-4. On the desk top I get daily mail from root showing 2 false positives. On the laptop I get no daily mail. Thinking I had missed something in the rkhunter.conf file I copied the one from the desktop. No joy. Any ideas/pointers appreciated.
> >
> > Then your mail from the rkhunter process on the laptop isn't getting through. If you're sure that rkhunter *is* actually running on the laptop, check the MAIL-ON-WARNING and MAIL_CMD entries in rkhunter.conf and go from there.
>
> Both entries are identical on the two computers. They should be. As I said on my original post, I copied the file from the pc, where it was working to the laptop. I assume rkhunter is running on the laptop as rkhunter --check works. If I'm wrong, please correct me.
>
> --
> Bob Holtzman
> If you think you're getting free lunch, check the price of the beer.
> Key ID: 8D549279

I actually had to drop the cron jobs on my system, and call rkhunter from a bash script, which is then run from cron. I don't know why, and since the solution is simple enough, I'm not bothering to find out why it doesn't work.

Anyhow, take a look at /var/log/rkhunter.log, if you don't see the date at the top corresponding with when you set it to run in cron, it's not running.

Nick