My ideal solution for tripwire reports would be:
Daily e-mails would only generate if a violation was found
Every Sunday, a report would be e-mailed regardless of whether a violation was found
I'm also interested in the opinions of SF'ers about implementing this. Perhaps it goes against the purpose of tripwire? I could see someone making that argument I suppose.
-
My solution to getting a lot of tripwire reports from a lot of hosts is to have them all sent to an address which stacks them up in a file, then run a simple job on them that reports just the host name and violation counts, and only emails that report if there are any hosts with a non-zero violation count.
Firstly, all the hosts send their reports to the address
tripwire@company.com. That's easy to arrange from each of the crontab entries; I do it with:# check the tripwires MAILTO=tripwire@company.com 3 1 * * * /usr/sbin/tripwire --checkSecondly, on the mail server, I have an aliases entry that says:
# tripwire report autoprocessing tripwire: /var/tmp/tripwireThirdly, I have a cron job that runs every morning to process the contents of that file, and another that runs every evening to remove it (so I'm only looking at the most recent outputs):
# report problems with nightly tripwire runs 2 7 * * * /usr/local/bin/tripwire-check 45 23 * * * rm -f /var/tmp/tripwireAnd here's the contents of /usr/local/bin/tripwire-check; it's very simple:
#!/bin/tcsh grep "Total violation" /var/tmp/tripwire | grep -vw 0 > /dev/null || exit 0 egrep 'Host name|Total vio' /var/tmp/tripwire | mail -s "NIGHTLY TRIPWIRE VIOLATIONS `date +%Y%m%d`" my-real-address@company.comThe first grep exits without any mail or output IFO all the lines that contain a violation count also contain the number 0, as a whole word; the second, which is only invoked if the first line fails, produces the terse summary email and sends it to me.
And finally, here's a sample output when there's an error to report:
Subject: NIGHTLY TRIPWIRE VIOLATIONS 20050401 Date: Fri, 1 Apr 2005 07:02:00 +0100 To: the-real-me@company.com From: root <root@company.com> Host name: fw03b.company.com Total violations found: 0 Host name: je01b.company.com Total violations found: 0 Host name: ms01.company.com Total violations found: 1 Host name: fw05a.company.com Total violations found: 0 Host name: fw02b.company.com Total violations found: 0 Host name: fw01b.company.com Total violations found: 0 Host name: je02o.company.com Total violations found: 0 Host name: je01a.company.com Total violations found: 0 Host name: fw04a.company.com Total violations found: 0 Host name: fw04b.company.com Total violations found: 0 Host name: je02p.company.com Total violations found: 0 Host name: fw02a.company.com Total violations found: 0 Host name: fw03a.company.com Total violations found: 0 Host name: rp01a.company.com Total violations found: 0 Host name: rp01b.company.com Total violations found: 0 Host name: je03o.company.com Total violations found: 0 Host name: db03.company.com Total violations found: 0 Host name: lb02p.company.com Total violations found: 15 Host name: rp02o.company.com Total violations found: 23 Host name: as05.company.com Total violations found: 0 Host name: db02.company.com Total violations found: 0Hope that's of some use.
Nimmy Lebby : Impressive. I could definitely modify this for my own use.From MadHatter -
I know I already chose Mr. MadHatter's submission as the answer but after some thinking, I've thought of something else that might work. Does anyone see why this would not work?
tripwire_out=`/usr/sbin/tripwire --check`; test -z "`echo $tripwire_out | grep 'Total violations found: 0'`"&& echo $tripwire_outI've tested it out in the shell and it works as intended. However, I have not replaced the tripwire cron job yet.
What do you guys think?
Nimmy Lebby : Ok I replaced my tripwire cronjob with the command above. I'll see tomorrow morning if it works.Nimmy Lebby : FYI: Worked for me!From Nimmy Lebby
0 comments:
Post a Comment