Re: [Tiger-user] pattern of messages from tigercron
From: Javier Fernandez-Sanguino
Subject: Re: [Tiger-user] pattern of messages from tigercron
Date: Mon, 07 Nov 2005 10:39:48 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
alex black wrote:
> hi all,
> Most of the other systems that run from cron follow the same "once
> daily report" mail pattern. For example, tripwire sends a mail with
> a summary of changed files & errors, if any.

The default Tiger configuration for cron (at /etc/tiger/cronrc) does
not do the reports daily, it simply runs some modules at given times.
Some modules are run more than once a day, some are run once a week.
Check out tigercron(1).

> I have to say, even having taken a look at the tiger source a bit,
> I am still mystified what the logic of tigercron's mail habits are.
> I get these random messages with snippets of information, some
> labeled "OLD" etc - some warning me that postfix is listening on
> port 25, some telling me something genuinely useful.. but I never
> get the sense that any of the messages are a complete report.
> Anyway it's fairly confusing and *seems* useless - as opposed to
> the reports that tiger generates, which are extremely easy to read,
> clear, etc.

No, they are not complete reports, at least not the same report that
you get when you run 'tiger'. It's the report of a given module, and
the diff of that run with previous runs. You can see all the runs at
/var/log/tiger.

Tigercron essentially does this:
1.- Determine which module to run (check_XXX something)
2.- Run it, save its output in (/var/log/tiger/xxx.1)
3.- Compare its output against the previous run (/var/log/tiger/xxxx.2)
4.- If the message disappears (was in '2' but not in '1') then label
it 'OLD'; if it appears as new (is in '1' but not in '2'), label it
as NEW

The advantage of this approach vs. running a full report is that it is
more modular. Users can disable or enable modules as they see fit. Or
they might program them to run more often or less often. If you get
messages which are constantly flipping between NEW and OLD it might be
because there is something on the system going off and on (sample: a
dns resolver, like spamassassin, which is sometimes querying DNS
servers and with an open port and sometimes is not). You can filter
these out with /etc/tiger/tiger.ignore

Also, the main advantage is that, right after installation, you will
get a report from your system (divided per modules) but, after the
first run, you will get only changes in the system which, in a sense,
serves you as a host-IDS.

> So, I'm writing to see if there's anyone on the list who is running
> tiger from cron so that it will report once daily on its findings
> (or not at all if there are no findings, which would be great). If

Tigercron does not report anything if there are no findings for a
given module (1==2)

> no one is, I'm seriously considering just running a cronjob which
> generates a report, reading the report, doing a diff between the
> current and last report, and sending the diff contents if they
> aren't empty.

Why don't you customise /etc/tiger/cronrc for this? You can have it
run all the modules at once, at a given point in time. I would suggest
against this (since it pushes too much load to the server and does not
always allow you to detect issues in time)

> Btw, every single other feature of tiger is fantastic, I use it
> constantly and love it. Along with tripwire, nessus and a few
> others it really helps me to maintain strict security on the
> servers I run.

I'm glad you like it. I'm sure that once you fully understand the
flexibility given by tigercron you'll learn to love it too.

Regards

Javier
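The run / rotate / compare / label cycle Javier describes (steps 1-4, plus "no findings, no mail"), as an added shell example; this is not tiger's or tigercron's own code, and the log directory, module name and module command used with it are assumptions, not tiger's real layout:

```shell
#!/bin/sh
# Added example, not code from tiger/tigercron. It mimics the cycle described
# in the mail: run a module, keep its output as NAME.1 and the previous output
# as NAME.2, then report only lines that appeared (NEW) or vanished (OLD).
# LOGDIR, NAME and the module command are assumptions, not tiger's real layout.
LC_ALL=C; export LC_ALL    # byte-wise sort order so sort(1) and comm(1) agree

# label_changes PREV CUR: print "NEW <line>" for lines only in CUR and
# "OLD <line>" for lines only in PREV. The comparison is by line set, not by
# position. Prints nothing when PREV == CUR, the "1==2, no mail" case.
label_changes() {
    prev="$1"; cur="$2"
    sort "$prev" > "$prev.sorted"          # comm(1) needs sorted input
    sort "$cur"  > "$cur.sorted"
    comm -13 "$prev.sorted" "$cur.sorted" | sed 's/^/NEW /'
    comm -23 "$prev.sorted" "$cur.sorted" | sed 's/^/OLD /'
    rm -f "$prev.sorted" "$cur.sorted"
}

# run_module NAME LOGDIR CMD [ARGS...]: rotate NAME.1 -> NAME.2, run CMD into
# NAME.1, then emit the labelled differences. On the very first run NAME.2 is
# empty, so every finding shows up as NEW (the "report right after install").
run_module() {
    name="$1"; logdir="$2"; shift 2
    mkdir -p "$logdir"
    if [ -f "$logdir/$name.1" ]; then
        mv "$logdir/$name.1" "$logdir/$name.2"
    else
        : > "$logdir/$name.2"
    fi
    "$@" > "$logdir/$name.1" 2>&1 || true  # a failing module still gets diffed
    label_changes "$logdir/$name.2" "$logdir/$name.1"
}

# Cron usage (not run here): mail the diff only when it is non-empty.
#   changes=$(run_module check_listen /var/log/tiger-example my_check_listen)
#   [ -n "$changes" ] && printf '%s\n' "$changes" | mail -s "tiger: check_listen" root
```

A finding that flips between NEW and OLD on alternate runs is the "service going off and on" case from the mail; the fix belongs in the module's ignore list, not in this loop.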