Getting Email Notifications from Software

For security-conscious admins who administer any kind of *nix system, running automated local scans is usually a very good idea; they are normally set up when the server is first built and kept running throughout its life-cycle. Today I'll show you a simple trick to have these tools (and others) run on a schedule and email the log to you.

The tools normally used for this are rkhunter and chkrootkit, but having to log in to each server, run the utility and check the results is time-consuming and not cost-effective. Instead, the norm is either to pipe the output into log management software or the good ol' method of reading the log emailed to you.


What are these chkrootkit and rkhunter tools?

Both of these utilities perform a similar role: they scan a system, check for modifications and rootkits, and send you a log.

Here's a snippet from the chkrootkit website:
chkrootkit is a tool to locally check for signs of a rootkit. It contains:

  • chkrootkit: shell script that checks system binaries for rootkit modification.
  • ifpromisc.c: checks if the interface is in promiscuous mode.
  • chklastlog.c: checks for lastlog deletions.
  • chkwtmp.c: checks for wtmp deletions.
  • check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
  • chkproc.c: checks for signs of LKM trojans.
  • chkdirs.c: checks for signs of LKM trojans.
  • strings.c: quick and dirty strings replacement.
  • chkutmp.c: checks for utmp deletions.

rkhunter describes itself as:

Rootkit Hunter is a host-based, passive, post-incident, path-based tool.

      • Host-based means it only diagnoses the host you run it on.
      • Passive means it has to be scheduled or run manually.
      • Post-incident means it can only be effective when a breach of security
        is suspected, is in progress or has already occurred.
      • Path-based means RKH will check for filenames. It does not include or use
        heuristics or signatures like for instance an antivirus product could.

Email Notifications

I like to receive email/SMS notifications from the servers I manage, so I needed these tools to run from cron and email me the output. Scheduling them from cron means they update and scan whenever required.

The easiest way is to create a simple shell script and schedule it:

nano scans.sh

#!/bin/sh

# Update rkhunter's data files, then run a scan that reports only warnings,
# and mail the combined output.
( /usr/bin/rkhunter --update --nocolors
  /usr/bin/rkhunter --cronjob --report-warnings-only --nocolors
) | mail -s "rkhunter scan" me@danfry.net

This will run the update and then run rkhunter to perform a scan, finally emailing the output to me@danfry.net.

You just need to add it to a crontab schedule and you're done! Just remember that you'll always get a few emails after any system update, because changed binaries trigger warnings.
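As an added example (not the post's own script), here is a fuller version of scans.sh that runs both tools the post describes, rkhunter and chkrootkit, and puts the hostname and warning count in the subject line so reports can be triaged from the inbox. It assumes the tool paths shown and a working local MTA for mail(1); the RKHUNTER, CHKROOTKIT, MAILER and RECIPIENT variables are my additions and can be overridden from the environment.

```shell
#!/bin/sh
# scans.sh: run rkhunter and chkrootkit from cron and mail the combined report.
# Example cron line (daily at 03:00):  0 3 * * * /root/scans.sh
# Assumed paths; override via environment if your distro installs elsewhere.
RKHUNTER="${RKHUNTER:-/usr/bin/rkhunter}"
CHKROOTKIT="${CHKROOTKIT:-/usr/sbin/chkrootkit}"
MAILER="${MAILER:-mail}"
RECIPIENT="${RECIPIENT:-me@danfry.net}"

# Run both scanners and write their combined stdout/stderr to the file named in $1.
run_scans() {
    out="$1"
    {
        echo "== rkhunter =="
        "$RKHUNTER" --update --nocolors
        "$RKHUNTER" --cronjob --report-warnings-only --nocolors
        echo "== chkrootkit =="
        "$CHKROOTKIT" -q
    } > "$out" 2>&1
}

# Count flagged lines: rkhunter prints "Warning:", chkrootkit prints "INFECTED".
# grep -c exits 1 when nothing matches, so force success to keep the count usable.
count_warnings() {
    grep -c -E 'Warning:|INFECTED' "$1" || true
}

# Mail the report in $1 with host name and warning count in the subject.
send_report() {
    n=$(count_warnings "$1")
    "$MAILER" -s "rkhunter/chkrootkit scan on $(uname -n): $n warnings" "$RECIPIENT" < "$1"
}

main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    run_scans "$tmp"
    send_report "$tmp"
}

# Run the scan only when invoked as scans.sh (the name the post uses); this lets the
# functions be sourced from another script without starting a scan.
case "$0" in
    */scans.sh|scans.sh) main ;;
esac
```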