before using this script it mightbe usefull to finish your NethServer installation and consider it being in production
after that you should run to determine what is normal and not
# rkhunter --propupd
you could also receive email directly from rkhunter by giving your email into /etc/rkhunter
MAIL-ON-WARNING=“your_user@domain.com”
most of the time you will need to IGNORE .udev Warning, to do that find into /etc/rkhunter those further lines are an exemples and mightbe not fully suitable for your configuration.
#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/dev/.mdadm
…
ALLOWHIDDENFILE=/usr/share/man/man1/…1.gz
ALLOWHIDDENFILE=/usr/share/man/man5/..5.gz
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
…
#ALLOWDEVFILE=/dev/shm/pulse-shm-
#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
ALLOWDEVFILE=/dev/.udev/db/block:loop*
ALLOWDEVFILE=/dev/.udev/db/block:ram*
ALLOWDEVFILE=/dev/.udev/db/block:vda*
ALLOWDEVFILE=/dev/.udev/db/input:event*
ALLOWDEVFILE=/dev/.udev/db/input:mouse*
ALLOWDEVFILE=/dev/.udev/db/misc:kvm
ALLOWDEVFILE=/dev/.udev/db/serio:*
ALLOWDEVFILE=/dev/.udev/db/usb:*
ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules
ALLOWDEVFILE=/dev/.udev/queue.bin…
##Now if you want to add CHRootKit and LogWatch and being noticed by email follow those line 
###to install chkrootkit from EPEL
# yum --enablerepo=epel -y install chkrootkit
###Install logwatch
# yum install logwatch
###and receiving all those logs by email
touch /etc/cron.daily/report-log
chmod a+x /etc/cron.daily/report-log
vi /etc/cron.daily/report-log
with this report-log script
#!/bin/bash
date=$(date +"%m-%d-%Y")
**email="your email here"**
## rkhunter
rkhunter --update
rkhunter --checkall --cronjob --report-warnings-only > rkhunter-check-$date.log
## chkrootkit
chkrootkit | grep -v not > chkrootkit-$date.log
## logwatch
logwatch --output html --detail High --range All > logwatch-all-$date.html
logwatch --output html --detail High --range Today > logwatch-today-$date.html
logwatch --output html --detail High --range Yesterday > logwatch-yesterday-$date.html
## send them
echo "RKHunter, CHKRootkit and LogWatch Logs for $date" | mutt -s "log $date" -a "rkhunter-check-$date.log" -a "chkrootkit-$date.log" -a "logwatch-all-$date.html" -a "logwatch-today-$date.html" -a "logwatch-yesterday-$date.html" -- $email
\## remote those logs
rm -f rkhunter-check-$date.log chkrootkit-$date.log logwatch-*.html