4

My ideal solution for tripwire reports would be:

  • Daily e-mails would only generate if a violation was found

  • Every Sunday, a report would be e-mailed regardless of whether a violation was found

I'm also interested in the opinions of SF'ers about implementing this. Perhaps it goes against the purpose of tripwire? I could see someone making that argument I suppose.

Belmin Fernandez
  • 10,629
  • 26
  • 84
  • 145

4 Answers

10

My solution to getting a lot of tripwire reports from a lot of hosts is to have them all sent to an address which stacks them up in a file, then run a simple job on them that reports just the host name and violation counts, and only emails that report if there are any hosts with a non-zero violation count.

Firstly, all the hosts send their reports to the address tripwire@company.com. That's easy to arrange from each of the crontab entries; I do it with:

# check the tripwires
MAILTO=tripwire@company.com
3 1 * * *  /usr/sbin/tripwire --check

Secondly, on the mail server, I have an aliases entry that says:

# tripwire report autoprocessing
tripwire:   /var/tmp/tripwire

Thirdly, I have a cron job that runs every morning to process the contents of that file, and another that runs every evening to remove it (so I'm only looking at the most recent outputs):

# report problems with nightly tripwire runs
2 7 * * *  /usr/local/bin/tripwire-check
45 23 * * *  rm -f /var/tmp/tripwire

And here's the contents of /usr/local/bin/tripwire-check; it's very simple:

#!/bin/tcsh
# exit quietly unless some "Total violations found" line carries a non-zero count
grep "Total violation" /var/tmp/tripwire | grep -vw 0 > /dev/null || exit 0
# otherwise mail a terse host-name / violation-count summary
egrep 'Host name|Total vio' /var/tmp/tripwire | mail -s "NIGHTLY TRIPWIRE VIOLATIONS `date +%Y%m%d`" my-real-address@company.com

The first grep exits without any mail or output iff all the lines that contain a violation count also contain the number 0, as a whole word; the second, which is only invoked if the first line fails, produces the terse summary email and sends it to me.

And finally, here's a sample output when there's an error to report:

Subject: NIGHTLY TRIPWIRE VIOLATIONS 20050401
Date:   Fri, 1 Apr 2005 07:02:00 +0100
To:     the-real-me@company.com
From:   root <root@company.com>

Host name: fw03b.company.com
Total violations found: 0
Host name: je01b.company.com
Total violations found: 0
Host name: ms01.company.com
Total violations found: 1
Host name: fw05a.company.com
Total violations found: 0
Host name: fw02b.company.com
Total violations found: 0
Host name: fw01b.company.com
Total violations found: 0
Host name: je02o.company.com
Total violations found: 0
Host name: je01a.company.com
Total violations found: 0
Host name: fw04a.company.com
Total violations found: 0
Host name: fw04b.company.com
Total violations found: 0
Host name: je02p.company.com
Total violations found: 0
Host name: fw02a.company.com
Total violations found: 0
Host name: fw03a.company.com
Total violations found: 0
Host name: rp01a.company.com
Total violations found: 0
Host name: rp01b.company.com
Total violations found: 0
Host name: je03o.company.com
Total violations found: 0
Host name: db03.company.com
Total violations found: 0
Host name: lb02p.company.com
Total violations found: 15
Host name: rp02o.company.com
Total violations found: 23
Host name: as05.company.com
Total violations found: 0
Host name: db02.company.com
Total violations found: 0

Hope that's of some use.

MadHatter
  • 78,442
  • 20
  • 178
  • 229
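A POSIX sh version of the summary step in the answer above, added here as an example and not MadHatter's own tcsh script: it parses a stacked report file into per-host violation counts and signals whether anything needs mailing. The three-host report it runs over is constructed for the example.

```shell
#!/bin/sh
# Added example: summarise a file of concatenated tripwire reports
# (several hosts' output delivered to one alias), as the answer describes.

# Constructed sample: three stacked reports, one of them with a violation.
SAMPLE_REPORT="$(printf '%s\n' \
  'Host name:                    fw03b.company.com' \
  'Total violations found:       0' \
  'Host name:                    ms01.company.com' \
  'Total violations found:       1' \
  'Host name:                    db02.company.com' \
  'Total violations found:       0')"

# violating_hosts FILE
# Prints "host count" for every host whose "Total violations found" is not 0.
# Exit status 0 if at least one host has violations, 1 if the file is clean,
# so a caller can decide whether to send mail at all.
violating_hosts() {
    awk '
        /^Host name:/              { host = $NF }
        /^Total violations found:/ { if ($NF != 0) { print host, $NF; found = 1 } }
        END                        { exit found ? 0 : 1 }
    ' "$1"
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_REPORT" > "$tmp"
if violating_hosts "$tmp"; then
    echo "violations found, summary above would be mailed"
else
    echo "all hosts clean, nothing to mail"
fi
rm -f "$tmp"
```

In the answer's setup the summary would be piped to mail in place of the echo; hosts that never reported at all will not appear, so a missing host is worth a separate check.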

3

Tripwire has an option to suppress reports that have no errors (MAILNOVIOLATIONS), it is found in the config file...

You could set up 2 different twcfg files, one with MAILNOVIOLATIONS set to TRUE, and one with this option set to FALSE

MAILNOVIOLATIONS =true   (or false)

Then your cronjob could run tripwire using the -c flag to select the twcfg file

Daily report crontab:

30 12 * * 1,2,3,4,5,6 /usr/sbin/tripwire --check -c PATH_TO_DAILY_CFG_FILE | mail -s "Tripwire report for `uname -n`, errors found" your_email@domain.com

Sunday report crontab:

30 12 * * 0 /usr/sbin/tripwire --check -c PATH_TO_WEEKLY_CFG_FILE | mail -s "Weekly Tripwire report for `uname -n`" your_email@domain.com

This way, your daily cronjob would run tripwire using the config file that only emails reports if violations are found, and your weekly cronjob would email you a report regardless.

p.s. the above crontab commands are from a system using Debian, you may need to edit the path to your Tripwire binary.

adonald
  • 31
  • 1

1

I know I already chose Mr. MadHatter's submission as the answer but after some thinking, I've thought of something else that might work. Does anyone see why this would not work?

tripwire_out=$(/usr/sbin/tripwire --check); test -z "$(echo "$tripwire_out" | grep 'Total violations found: 0')" && echo "$tripwire_out"

I've tested it out in the shell and it works as intended. However, I have not replaced the tripwire cron job yet.

What do you guys think?

Belmin Fernandez
  • 10,629
  • 26
  • 84
  • 145
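A wrapper that implements both rules from the question (mail on weekdays only when violations are found, always on Sunday), added here as an example and not code from the thread. The recipient address is an assumption, and the report is taken from a file so the decision logic can be exercised without running tripwire.

```shell
#!/bin/sh
# Added example: daily-on-violation / weekly-always tripwire mailer.
RECIPIENT="security@example.com"   # assumed address, replace with yours

# violation_count FILE: sum of every "Total violations found" value in FILE
# (a single host's report has one; a stacked file may have several).
violation_count() {
    awk '/^Total violations found:/ { n += $NF } END { print n + 0 }' "$1"
}

# should_mail FILE DOW: DOW is the day of week as `date +%w` prints it
# (0 = Sunday). Returns 0 when the report should be sent: on Sunday
# regardless, on other days only if the count is non-zero.
should_mail() {
    [ "$2" -eq 0 ] && return 0
    [ "$(violation_count "$1")" -gt 0 ]
}

# main: run the check into a temp file and apply the rules above.
main() {
    report=$(mktemp)
    trap 'rm -f "$report"' EXIT
    /usr/sbin/tripwire --check > "$report" 2>&1
    if should_mail "$report" "$(date +%w)"; then
        mail -s "Tripwire report for $(uname -n): $(violation_count "$report") violation(s)" \
             "$RECIPIENT" < "$report"
    fi
}

# Only run tripwire when invoked as `tripwire-mailer --run` (e.g. from cron);
# sourcing the file just defines the functions.
[ "${1:-}" = "--run" ] && main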

0

Another possible simple solution, not exactly what is being asked but possibly useful for someone.

Simply send the number of "Total violations found" in the subject of the mail, so I keep receiving the notifications but don't need to open them unless I see that a violation is happening. That way I'm also sure tripwire keeps working as expected:

tripwire --check > /tmp/twreport; mail -s "Tripwire report for `uname -n`: `grep 'Total violations found' /tmp/twreport`" mymail@example.com < /tmp/twreport; rm /tmp/twreport

Step by step:

1.- I save the tripwire report in the file "twreport":

tripwire --check > /tmp/twreport;

2.- I grep the twreport file for the line "Total violations found" and insert it in the subject of the mail command, with the twreport text contents as the body of the mail:

mail -s "Tripwire report for `uname -n`: `grep 'Total violations found' /tmp/twreport`" mymail@example.com < /tmp/twreport

3.- Finally I remove the twreport file:

rm /tmp/twreport