#!/bin/bash
# original author: Aaron Walker <ka0ttic@gentoo.org>
########################## Begin Configuration ###############################
# Default options - more options may be added depending on the
# configuration variables you set below
# --cronjob implies -c, --nocolor, --sk
RKHUNTER_OPTS="--cronjob --summary"
# Set this to 'yes' to enable ; this script does nothing otherwise
ENABLE=no
# Automatically update rkhunter's dat files prior to running?
UPDATE=no
# Set this to 'yes' if you wish the output to be mailed to you
SEND_EMAIL=no
# NOTE: the following EMAIL_* variables are only relevant if you set the
# SEND_EMAIL variable to 'yes'
EMAIL_SUBJECT="${HOSTNAME}: rkhunter output"
EMAIL_RECIPIENT=root
EMAIL_CMD="|mail -s \"${EMAIL_SUBJECT}\" ${EMAIL_RECIPIENT}"
# Log rkhunter output?
LOG=no
# The default log location is /var/log/rkhunter.log. Set this variable if
# you'd like to use an alternate location.
#LOGFILE=""
# By default, the log file created by rkhunter is world-readable (0644). If
# you'd like to modify the permissions afterwards, set this variable. The
# value of this variable, must be a valid chmod argument such as '0600' or
# 'u+rw,go-rwx'. See the chmod(1) manual page for more information.
#LOGFILE_PERMS="0600"
# By default, rkhunter overwrites the previous log. Set this variable
# to 'yes' if you'd like the log output appended to the logfile, instead
# of overwriting it.
SAVE_OLD_LOGS=no
# Set to 1 to recieve only warnings & errors
# Set to 2 to recieve ALL rkhunter output
# Set to 3 to recieve rkhunter report
VERBOSITY=3
########################### End Configuration ################################
# exit immediately, unless enabled
[[ "${ENABLE}" == "yes" ]] || exit 0
# debug mode? (mainly for my benefit)
if [[ -n "${1}" ]] && [[ ${1} = "-d" ]] ; then
set -o verbose -o xtrace
fi
[[ -z "${LOGFILE}" ]] && LOGFILE="/var/log/rkhunter.log"
# moved this out of config section since it'll
# probably never need to be changed
RKHUNTER_EXEC="/usr/sbin/rkhunter"
# sanity check
if [[ ! -x "${RKHUNTER_EXEC}" ]] ; then
echo "${RKHUNTER_EXEC} does not exist or is not executable!"
exit 1
fi
# we create a few tmp files, so let's at least make
# them readable/writable by root only
umask 0077
# all output goes to this temp file
_tmpout=$(mktemp /tmp/rkhunter.cron.XXXXXX)
exec > ${_tmpout} 2>&1
# update data files
if [[ "${UPDATE}" == "yes" ]] ; then
# save the output of --update in a tmp file so that it can be mailed
# along with the scan output; otherwise the user will get 2 mails
#${RKHUNTER_EXEC} --nocolor --update
echo "In Gentoo, update option is disabled due to CVE-2017-7480."
fi
# formulate options string according to user configuration
[[ "${LOG}" == "yes" ]] && \
RKHUNTER_OPTS="${RKHUNTER_OPTS} --createlogfile ${LOGFILE}"
case "${VERBOSITY}" in
# warnings and errors only
1) RKHUNTER_OPTS="${RKHUNTER_OPTS} --quiet" ;;
# default rkhunter output (no extra options)
# 2) ;;
# default to option 3
*) ;;
esac
# save old log
if [[ "${LOG}" == "yes" && "${SAVE_OLD_LOGS}" == "yes" ]] ; then
if [[ -e "${LOGFILE}" ]] ; then
_tmpfile=$(mktemp ${LOGFILE}.XXXXXX)
mv -f ${LOGFILE} ${_tmpfile}
echo -e "--\nrkhunter.cron commencing at: $(date)\n--" >> ${_tmpfile}
fi
fi
# finally, run rkhunter
CMD="${RKHUNTER_EXEC} ${RKHUNTER_OPTS}"
eval ${CMD}
RV=$?
# email output?
if [[ "${SEND_EMAIL}" == "yes" ]] ; then
CMD="cat ${_tmpout} ${EMAIL_CMD}"
eval ${CMD}
fi
# remove temp file
[[ -n "${_tmpout}" ]] && rm -f ${_tmpout}
[[ "${LOG}" != "yes" ]] && exit ${RV}
# from this point on, we can assume logging is enabled
# append new log to old log and restore
if [[ -n "${_tmpfile}" ]] ; then
cat ${LOGFILE} >> ${_tmpfile}
mv ${_tmpfile} ${LOGFILE}
fi
chmod ${LOGFILE_PERMS:-0644} ${LOGFILE}
exit ${RV}