Run rkhunter regularly on a desktop system

I want to get a warning on my desktop when rkhunter finds something odd on my system.

I whitelisted some files and dirs that seem ok in /etc/rkhunter.conf so I get no warnings anymore.

Now I want to put this command somewhere:

sudo rkhunter --checkall --report-warnings-only | while read OUTPUT; do notify-send "$OUTPUT"; done

I know how to use cron, but that doesn't work because my computer is running at irregular times. So where do I have to put this so it is executed once a day but not during system boot? Optimal would be 30 minutes after startup.


Solution with anacron and notify-send

The answer to the problem is anacron, which executes commands automatically as root, where root needs access to the dbus session of the main user.

1. Give root access to your desktop session (as user)

To let the root user access the default user's desktop, you first need to set the DBUS_SESSION_BUS_ADDRESS variable. By default cron does not have access to this variable, which changes at every system start. To remedy this, put the following script in your home directory and call it ~/dbus-session-export:

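#!/bin/sh
# Save the session bus address where the root cron job can read it.
mkdir -p ~/.dbus   # touch fails if the directory does not exist yet
touch ~/.dbus/Xdbus
chmod 600 ~/.dbus/Xdbus
env | grep DBUS_SESSION_BUS_ADDRESS > ~/.dbus/Xdbus
echo 'export DBUS_SESSION_BUS_ADDRESS' >> ~/.dbus/Xdbus
exit 0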

Give it executable rights:

chmod +x ~/dbus-session-export

And call it in your startup programs. This will create/update the file ~/.dbus/Xdbus containing the required Dbus environment variable for anacron to use at each system boot.

2. Cron script (as root)

Put a script in the folder /etc/cron.daily/ and make it executable:

sudo touch /etc/cron.daily/rkhunter-check
sudo chmod +x /etc/cron.daily/rkhunter-check

Edit the file with gksu gedit /etc/cron.daily/rkhunter-check:

#!/usr/bin/env bash
sleep 1800 # wait 30 minutes in case the script is called directly at boot
MAINUSER="$(awk -F: '$3==1000{print $1}' /etc/passwd)"
if [ -r "/home/$MAINUSER/.dbus/Xdbus" ]; then
    . "/home/$MAINUSER/.dbus/Xdbus"
fi
su "$MAINUSER" -c 'notify-send "starting rkhunter scan... "'
# one notification per non-empty warning line; -r keeps backslashes literal
rkhunter --checkall --report-warnings-only | while read -r OUTPUT; do
    if [ "$OUTPUT" != "" ]; then
        OUTPUT="${OUTPUT//[\`\"\']/}" # strip quotes and backticks
        su "$MAINUSER" -c $"notify-send \"rkhunter: $OUTPUT\""
    fi
done

This will run the script once every day, and if the rkhunter run generates any output (only warnings), this script will show up as a notification for each warning in the top right of your screen as user.


Source:

  • https://unix.stackexchange.com/questions/111188/using-notify-send-with-cron
  • how to create a notification on the screen initiated by root
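An added example (not part of the answer above): the cron script runs as root and sources ~/.dbus/Xdbus, a file the desktop user can write, so whatever it contains executes as root; it also places rkhunter output inside a `su -c` shell string. The sketch below reads the bus address as data, validates it, and hands each warning to notify-send as one argument through runuser. The function names and the `--scan` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the answer author's code. Run as root: script --scan

# Print the session bus address stored in FILE, or fail. The file is read
# as data and never sourced, so nothing in it can execute as root.
parse_bus_address() (
    file=$1
    [ -f "$file" ] && [ ! -L "$file" ] || exit 1
    addr=$(sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p' "$file" | head -n 1)
    # Only local unix sockets are accepted.
    case $addr in
        unix:path=/*|unix:abstract=/*) ;;
        *) exit 1 ;;
    esac
    # Reject every character a bus address does not need (spaces, ;, $, ...).
    case $addr in
        *[!A-Za-z0-9_./:=,-]*) exit 1 ;;
    esac
    printf '%s\n' "$addr"
)

# Show TEXT on USER's desktop. runuser -u executes notify-send directly,
# so TEXT stays a single argument and is never re-parsed by a shell.
notify_as() {
    runuser -u "$1" -- env "DBUS_SESSION_BUS_ADDRESS=$2" \
        notify-send "rkhunter: $3"
}

main() {
    # Same assumption as the answer: the desktop user has UID 1000.
    user=$(awk -F: '$3==1000{print $1; exit}' /etc/passwd)
    home=$(getent passwd "$user" | cut -d: -f6)
    addr=$(parse_bus_address "$home/.dbus/Xdbus") || exit 1
    rkhunter --checkall --report-warnings-only |
    while IFS= read -r line; do
        if [ -n "$line" ]; then
            notify_as "$user" "$addr" "$line"
        fi
    done
}

if [ "${1:-}" = "--scan" ]; then
    main
fi
```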

Run at startup, display with zenity

Create a file /usr/local/sbin/rkhunter-check and make it executable:

sudo touch /usr/local/sbin/rkhunter-check
sudo chmod +x /usr/local/sbin/rkhunter-check

Edit the file with gksu gedit /usr/local/sbin/rkhunter-check:

#!/usr/bin/env bash
export DISPLAY=:0
MAINUSER="$(awk -F: '$3==1000{print $1}' /etc/passwd)"
LOG=/tmp/.rkhunter-warnings
rm -f "$LOG"
touch "$LOG"
# collect every non-empty warning line; -r keeps backslashes literal
rkhunter --checkall --report-warnings-only | while read -r OUTPUT; do
  if [ "$OUTPUT" != "" ]; then
    OUTPUT="${OUTPUT//[\`\"\']/}"
    echo "$OUTPUT" >> "$LOG"
  fi
done
if [ "$(cat "$LOG")" = "" ]; then
  # like this there is always a window, even if there is no warning; otherwise nothing would be shown
  echo "#no warnings" > "$LOG"
fi
if [ "$(cat "$LOG")" != "" ]; then
  su "$MAINUSER" -c 'zenity --text-info --width 800 --title "Rkhunter warnings" < '"$LOG"
fi

If the rkhunter run generates any output (only warnings), this script will show up as a scrollable window with the rkhunter output.

  1. create a systemd startup script

    Create the script /etc/systemd/system/rkhunter.service:

    [Unit]
    Description=starts rkhunter and displays any findings with zenity
    
    [Service]
    TimeoutStartSec=infinity
    ExecStartPre=/bin/sleep 1800
    ExecStart=/usr/local/sbin/rkhunter-check
    
    [Install]
    WantedBy=default.target
    

    Update systemd with:

    sudo systemctl daemon-reload
    sudo systemctl enable rkhunter
    sudo systemctl start rkhunter
    
  2. start by /etc/rc.local

    On systems without systemd call the script at runtime in /etc/rc.local and put a sleep before the whole command:

    gksu gedit /etc/rc.local
    

    Add this command before the last line in /etc/rc.local that contains exit 0:

    sleep 1800 && /usr/local/sbin/rkhunter-check &
    

Both solutions will wait 30 minutes before executing the rkhunter check as root.


You can also combine this solution with the notify-send solution, because in case there are no warnings, a zenity dialog is not perfect. A notification would suffice in that case:

#!/usr/bin/env bash
export DISPLAY=:0
MAINUSER="$(awk -F: '$3==1000{print $1}' /etc/passwd)"
LOG=/tmp/.rkhunter-warnings
echo "" > "$LOG"
# collect every non-empty warning line; -r keeps backslashes literal
rkhunter --checkall --report-warnings-only | while read -r OUTPUT; do
  if [ "$OUTPUT" != "" ]; then
    OUTPUT="${OUTPUT//[\`\"\']/}"
    echo "$OUTPUT" >> "$LOG"
  fi
done
# no warnings: a short notification is enough
if [ "$(cat "$LOG")" = "" ]; then
  if [ -r "/home/$MAINUSER/.dbus/Xdbus" ]; then
    . "/home/$MAINUSER/.dbus/Xdbus"
  fi
  su "$MAINUSER" -c $"notify-send \"rkhunter: no warnings\""
fi
# warnings: show them in a scrollable zenity window
if [ "$(cat "$LOG")" != "" ]; then
  su "$MAINUSER" -c 'zenity --text-info --width 800 --title "Rkhunter warnings" < '"$LOG"
fi

source: How to run a script during boot as root