Run rkhunter regularly on a desktop system
I want to get a warning on my desktop when rkhunter finds something odd on my system.
I whitelisted some files and dirs that seem ok in /etc/rkhunter.conf
so I get no warnings anymore.
Now I want to put this command somewhere:
sudo rkhunter --checkall --report-warnings-only | while read OUTPUT; do notify-send "$OUTPUT"; done
I know how to use cron, but that doesn't work because my computer is running at irregular times. So where do I have to put this so it is executed once a day but not during system boot? Optimal would be 30 minutes after startup.
Solution with anacron and notify-send
The answer to the problem is anacron, which executes commands automatically as root; root needs access to the dbus session of the main user.
1. Give root access to your desktop session (as user)
To let the root user access the default user's desktop, you first need to set the DBUS_SESSION_BUS_ADDRESS variable. By default cron does not have access to the variable, which changes every system start. To remedy this, put the following script in your home directory and call it ~/dbus-session-export:
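#!/bin/sh
# make sure the target directory exists before creating the file
mkdir -p ~/.dbus
touch ~/.dbus/Xdbus
# only the owner may read or write the session address
chmod 600 ~/.dbus/Xdbus
env | grep DBUS_SESSION_BUS_ADDRESS > ~/.dbus/Xdbus
echo 'export DBUS_SESSION_BUS_ADDRESS' >> ~/.dbus/Xdbus
exit 0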
Give it executable rights:
chmod +x ~/dbus-session-export
And call it in your startup programs.
This will create/update the file ~/.dbus/Xdbus containing the required Dbus environment variable for anacron to use at each system boot.
2. Cron script (as root)
Put a script in the folder /etc/cron.daily/ and make it executable:
sudo touch /etc/cron.daily/rkhunter-check
sudo chmod +x /etc/cron.daily/rkhunter-check
Edit the file:
gksu gedit /etc/cron.daily/rkhunter-check
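#!/usr/bin/env bash
sleep 1800 # wait 30 minutes in case the script is called directly at boot
# first regular user account (UID 1000)
MAINUSER="$(awk -F: '$3==1000{print $1}' /etc/passwd)"
# load the session bus address written by ~/dbus-session-export
if [ -r "/home/$MAINUSER/.dbus/Xdbus" ]; then
    . "/home/$MAINUSER/.dbus/Xdbus"
fi
su "$MAINUSER" -c 'notify-send "starting rkhunter scan... "'
rkhunter --checkall --report-warnings-only | while IFS= read -r OUTPUT; do
    if [ "$OUTPUT" != "" ]; then
        OUTPUT="${OUTPUT//[\`\"\']/}"
        # pass the text through the environment; interpolating it into the
        # su -c string would let the user's shell expand $(...) in a warning
        RKH_MSG="rkhunter: $OUTPUT" su "$MAINUSER" -c 'notify-send "$RKH_MSG"'
    fi
done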
This will run the script once every day, and if the rkhunter run generates any output (only warnings), the script will show a notification for each warning in the top right of your screen as the user.
Source:
- https://unix.stackexchange.com/questions/111188/using-notify-send-with-cron
- how to create a notification on the screen initiated by root
Run at startup, display with zenity
Create a file /usr/local/sbin/rkhunter-check and make it executable:
sudo touch /usr/local/sbin/rkhunter-check
sudo chmod +x /usr/local/sbin/rkhunter-check
Edit the file:
gksu gedit /usr/local/sbin/rkhunter-check
#!/usr/bin/env bash
export DISPLAY=:0
# first regular user account (UID 1000)
MAINUSER="$(awk -F: '$3==1000{print $1}' /etc/passwd)"
LOG=/tmp/.rkhunter-warnings
rm -f "$LOG"
touch "$LOG"
rkhunter --checkall --report-warnings-only | while IFS= read -r OUTPUT; do
    if [ "$OUTPUT" != "" ]; then
        OUTPUT="${OUTPUT//[\`\"\']/}"
        echo "$OUTPUT" >> "$LOG"
    fi
done
if [ "$(cat "$LOG")" = "" ]; then
    # like this there is always a notification; even if there is no warning, it will show an empty notification
    echo "#no warnings" > "$LOG"
fi
if [ "$(cat "$LOG")" != "" ]; then
    su "$MAINUSER" -c 'zenity --text-info --width 800 --title "Rkhunter warnings" < '"$LOG"
fi
If the rkhunter run generates any output (only warnings), this script will show a scrollable window with the rkhunter output.
- create a systemd startup script
Create the script /etc/systemd/system/rkhunter.service:
[Unit]
Description=starts rkhunter and displays any findings with zenity

[Service]
TimeoutStartSec=infinity
ExecStartPre=/bin/sleep 1800
ExecStart=/usr/local/sbin/rkhunter-check

[Install]
WantedBy=default.target
Update systemd with:
sudo systemctl daemon-reload
sudo systemctl enable rkhunter
sudo systemctl start rkhunter
- start by /etc/rc.local
On systems without systemd, call the script at runtime in /etc/rc.local and put a sleep before the whole command:
gksu gedit /etc/rc.local
Add this command before the last line in /etc/rc.local that contains exit 0:
sleep 1800 && /usr/local/sbin/rkhunter-check &
Both solutions will wait 30 minutes before executing the rkhunter check as root.
You can also combine this solution with the notify-send solution, because in case there are no warnings, a zenity dialog is not perfect. A notification would suffice in that case:
#!/usr/bin/env bash
export DISPLAY=:0
# first regular user account (UID 1000)
MAINUSER="$(awk -F: '$3==1000{print $1}' /etc/passwd)"
LOG=/tmp/.rkhunter-warnings
echo "" > "$LOG"
rkhunter --checkall --report-warnings-only | while IFS= read -r OUTPUT; do
    if [ "$OUTPUT" != "" ]; then
        OUTPUT="${OUTPUT//[\`\"\']/}"
        echo "$OUTPUT" >> "$LOG"
    fi
done
if [ "$(cat "$LOG")" = "" ]; then
    # no warnings: a short notification is enough
    if [ -r "/home/$MAINUSER/.dbus/Xdbus" ]; then
        . "/home/$MAINUSER/.dbus/Xdbus"
    fi
    su "$MAINUSER" -c 'notify-send "rkhunter: no warnings"'
fi
if [ "$(cat "$LOG")" != "" ]; then
    # warnings found: show them in a scrollable window
    su "$MAINUSER" -c 'zenity --text-info --width 800 --title "Rkhunter warnings" < '"$LOG"
fi
source: How to run a script during boot as root
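
An added example, not part of the original answer, of handling the data these root scripts touch: it reads the bus address from ~/.dbus/Xdbus as data instead of sourcing the file, collects warnings in a mktemp file instead of a fixed /tmp path, and passes each message to the user's shell through the environment. Assumptions: `sh -c` and `printf` stand in for `su "$MAINUSER" -c` and `notify-send`, and the sample warnings, function names and the `RKH_MSG` variable are constructed for illustration.

```shell
#!/bin/sh
# Added example. Stand-ins: `sh -c` plays the role of `su "$MAINUSER" -c`,
# and printf plays the role of notify-send.

# Constructed sample of warning output; one line carries shell metacharacters,
# as a file name on disk could.
sample_warnings() {
    printf '%s\n' \
        'Warning: Hidden directory found: /dev/.udev' \
        '' \
        'Warning: Suspicious file: /tmp/$(touch INJECTED) `id` "x"'
}

# Extract the bus address from the user-writable Xdbus file as data, so the
# root script never executes that file's contents.
read_bus_address() {
    sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p' "$1" | head -n 1
}

# Copy non-empty stdin lines into a private temp file with an unpredictable
# name (created with mode 0600 by mktemp) and print its path.
collect_warnings() {
    cw_log="$(mktemp "${TMPDIR:-/tmp}/rkhunter-warnings.XXXXXX")" || return 1
    while IFS= read -r cw_line; do
        if [ -n "$cw_line" ]; then
            printf '%s\n' "$cw_line" >>"$cw_log"
        fi
    done
    printf '%s\n' "$cw_log"
}

# Hand one message to the child shell through the environment. The command
# string is a constant, so the child never parses the message as shell code.
deliver() {
    RKH_MSG="rkhunter: $1" sh -c 'printf "%s\n" "$RKH_MSG"' </dev/null
}

# Deliver every line of a collected log; prints what would be displayed.
deliver_all() {
    while IFS= read -r da_line; do
        deliver "$da_line"
    done <"$1"
}
```

For the zenity variant, the root shell can open the log itself and feed it to the dialog on standard input (`su "$MAINUSER" -c 'zenity --text-info' <"$log"`), so the file can stay readable by root only.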