Please extend the rkhunter manpage to document its exit codes. I ask because, when running it from a script, it would be very helpful to distinguish configuration mistakes and other errors from requirements to update the rkhunter properties database.
As an example, I run RedHat Linux and use a privately developed script to run system updates using dnf. The script immediately follows a successful dnf update with an rkhunter check, which then does a --propupd run on the assumption that the non-zero exit code means that dnf applied changes that are not included in the master rkhunter properties database. Since rkhunter exit codes are not documented in the manpage, that's about all I can do, although I would obviously prefer to have my script report misconfigurations and other errors rather than using them to trigger an rkhunter --propupd run.
What is the command-line your script uses to invoke rkhunter?
On Mon, 2019-05-06 at 22:58 +0000, John Horne wrote:
rkhunter --check --report-warnings-only --nomow
r=$?
# Exit code 1 is taken to mean the properties database is stale
if [ "$r" -eq 1 ]
then
    echo "===== Warnings found: updating the rkhunter database"
    rkhunter --propupd
fi
Apologies for the late reply: your e-mail was in a group of e-mails in
my inbox that I was using as reminders and got overlooked until now.
Martin
As the rkh man page says:
rkhunter will return a non-zero exit code if any error or warning occurs
That is basically all there is to it. The update and versioncheck commands will return 1 or 2 depending on what went wrong, or 0 for no error; other commands will return 0 or 1.
Any configuration error will cause rkh to stop (and return a 1), unless the '-C' option is being used. In that case it will continue with the checks, but return a 1 at the end.
If configuration errors are to be checked each time, then I would suggest using something like:
rkhunter -C
r=$?
if [ $r -eq 0 ]; then
    rkhunter --check --rwo --nomow
    r=$?
    if [ $r -eq 1 ]; then
        ...
    fi
else
    echo "Configuration file errors"
fi
Even then of course you may get false information. You are assuming that using '--check' and getting a '1' result means that the file properties check has failed and requires the use of '--propupd'. However, the '1' result simply means something was found. It could be a rootkit, some new or missing files, or some other check has failed.
I would not run '--propupd' simply based on getting a '1' code returned. If you want to run '--propupd' automatically then I would suggest something along the lines of:
rkhunter --enable properties --rwo --nomow
r=$?
if [ $r -eq 1 ]; then
echo "File properties check failed, running propupd..."
rkhunter --propupd -q
fi
rkhunter --check --disable properties --rwo --nomow
r=$?
if [ $r -eq 1 ]; then
echo "Warnings found..."
fi
I have added an 'EXIT STATUS' section to the man page to explain a bit more about the exit codes.
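Putting the advice in the reply above together as one script, as an added example (this is not code from the thread or from the rkhunter project): the configuration check runs first so that a broken config is reported as such and never mistaken for a stale properties database; only the file-properties test is allowed to trigger --propupd; and every other warning is left for a human. The RKHUNTER variable (so the binary can be swapped for a wrapper) and the return-code convention of rkh_update_cycle are this example's own conventions, not rkhunter's. The rkhunter exit codes it relies on are only those stated above: -C returns 0 or 1, --check returns 0 or 1, and --propupd returns 0 on success.

```shell
#!/bin/sh
# Added example, not code from the rkhunter project or from this thread.
# rkhunter exit codes used here, as described on this page:
#   rkhunter -C        -> 0 = configuration OK, 1 = configuration errors
#   rkhunter --check   -> 0 = nothing found,    1 = something was found
#   rkhunter --propupd -> 0 = OK, non-zero = failed
# Assumption (ours): RKHUNTER may point at a wrapper or test stub; it
# defaults to whatever "rkhunter" resolves to on PATH.
: "${RKHUNTER:=rkhunter}"

# Return codes of rkh_update_cycle (this script's own convention):
#   0  all checks clean (the properties database may have been refreshed)
#   1  the non-properties checks reported warnings: read the log, no propupd
#   2  configuration file errors: nothing was checked
#   3  the properties check or --propupd itself did not complete
rkh_update_cycle() {
    # 1. Refuse to run any check on a broken configuration. Without this
    #    step a config error also surfaces as exit code 1 from --check and
    #    would be mistaken for "file properties changed".
    if ! "$RKHUNTER" -C; then
        echo "rkhunter: configuration file errors, checks not run" >&2
        return 2
    fi

    # 2. Run only the file properties test. Exit code 1 from this step is
    #    the one case where an automatic --propupd is plausible, e.g. right
    #    after a package update that replaced binaries.
    rc=0
    "$RKHUNTER" --check --enable properties --rwo --nomow || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "rkhunter: file properties changed, running --propupd"
        if ! "$RKHUNTER" --propupd -q; then
            echo "rkhunter: --propupd failed" >&2
            return 3
        fi
    elif [ "$rc" -ne 0 ]; then
        echo "rkhunter: properties check did not complete (exit $rc)" >&2
        return 3
    fi

    # 3. Everything except the properties test. A 1 here can be a rootkit,
    #    hidden files, a suspicious port and so on; it must never lead to
    #    --propupd, only to someone reading the log.
    rc=0
    "$RKHUNTER" --check --disable properties --rwo --nomow || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "rkhunter: warnings found, see the log file" >&2
        return 1
    fi
    return 0
}

# Usage from the update script, straight after a successful "dnf update":
#   . ./rkh-update.sh && rkh_update_cycle; echo "rkhunter cycle status $?"
```

Even with the properties test isolated, --propupd accepts whatever is on disk at that moment, so the script only makes sense when it runs immediately after the package update and nothing else could have replaced files in between; the files that the properties check lists in the log are still worth a glance before trusting the refreshed database.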