Re: [Tiger-user] pattern of messages from tigercron


From: Javier Fernandez-Sanguino
Subject: Re: [Tiger-user] pattern of messages from tigercron
Date: Mon, 07 Nov 2005 10:39:48 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511

alex black wrote:

> hi all,
>
> Most of the other systems that run from cron follow the same "once
> daily report" mail pattern. For example, tripwire sends a mail with
> a summary of changed files & errors, if any.

The default Tiger configuration for cron (at /etc/tiger/cronrc) does not do the reports daily, it simply runs some modules at given times. Some modules are run more than once a day, some are run once a week. Check out tigercron(1).

> I have to say, even having taken a look at the tiger source a bit,
> I am still mystified what the logic of tigercron's mail habits are.
> I get these random messages with snippets of information, some
> labeled "OLD" etc - some warning me that postfix is listening on
> port 25, some telling me something genuinely useful.. but I never
> get the sense that any of the messages are a complete report.
> Anyway it's fairly confusing and *seems* useless - as opposed to
> the reports that tiger generates, which are extremely easy to read,
> clear, etc.

No, they are not complete reports, at least not the same report that you get when you run 'tiger'. It's the report of a given module, and the diff of that run with previous runs. You can see all the runs at /var/log/tiger.

Tigercron essentially does this:

1.- Determine which module to run (check_XXX something)
2.- Run it, save its output in (/var/log/tiger/xxx.1)
3.- Compare its output against the previous run (/var/log/tiger/xxxx.2)
4.- If the message disappears (was in '2' but not in '1') then label it 'OLD'; if it appears as new (is in '1' but not in '2'), label it as NEW

The advantage of this approach vs. running a full report is that it is more modular. Users can disable or enable modules as they see fit. Or they might program them to run more often or less often. If you get messages which are constantly flipping between NEW and OLD it might be because there is something on the system going off and on (sample: a dns resolver, like spamassassin, which is sometimes querying DNS servers and with an open port and sometimes is not). You can filter these out with /etc/tiger/tiger.ignore

Also, the main advantage is that, right after installation, you will get a report from your system (divided per modules) but, after the first run, you will get only changes in the system which, in a sense, serves you as a host-IDS.

> So, I'm writing to see if there's anyone on the list who is running
> tiger from cron so that it will report once daily on its findings
> (or not at all if there are no findings, which would be great). If

Tigercron does not report anything if there are no findings for a given module (1==2)

> no one is, I'm seriously considering just running a cronjob which
> generates a report, reading the report, doing a diff between the
> current and last report, and sending the diff contents if they
> aren't empty.

Why don't you customise /etc/tiger/cronrc for this? You can have it run all the modules at once, at a given point in time. I would suggest against this (since it pushes too much load to the server and sometimes does not allow you to detect issues in time)


> Btw, every single other feature of tiger is fantastic, I use it
> constantly and love it. Along with tripwire, nessus and a few
> others it really helps me to maintain strict security on the
> servers I run.

I'm glad you like it. I'm sure that once you fully understand the flexibility given by tigercron you'll learn to love it too.

Regards

Javier
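The four-step run/save/compare/label cycle described in the message above, written out as a small POSIX shell script. This is an added example, not code from tiger or tigercron: it assumes the layout the message gives (`<module>.1` holds the current run, `<module>.2` the previous run, both under one log directory) and an ignore file of regular expressions playing the role of /etc/tiger/tiger.ignore. The `report_changes` and `filter_ignored` function names, the `check_listen` module name, the `[xxxNNNw]` message ids and the sample finding lines are all constructed for the demonstration; tiger's real file names and output formats may differ.

```shell
#!/bin/sh
# Added example (not tiger's own code): a minimal reimplementation of the
# compare-and-label step attributed to tigercron in the message above.
# Assumed layout: $dir/<module>.1 = current run, $dir/<module>.2 = previous run,
# $ign = file of regexes to drop (the role /etc/tiger/tiger.ignore plays).

# filter_ignored FILE IGNOREFILE
# Print FILE with every line matching a pattern in IGNOREFILE removed, sorted
# and de-duplicated so that the set comparison below is well defined.
# An empty or missing ignore file drops nothing.
filter_ignored() {
    if [ -s "$2" ]; then
        grep -v -f "$2" "$1" | sort -u
    else
        sort -u "$1"
    fi
}

# report_changes MODULE LOGDIR IGNOREFILE
# Emit "OLD: <line>" for findings present only in the previous run and
# "NEW: <line>" for findings present only in the current run.
# Emit nothing when the two filtered runs are identical, which is the
# "no mail if 1==2" behaviour the message describes.
report_changes() {
    mod=$1; dir=$2; ign=$3
    cur=$(mktemp); prev=$(mktemp)
    filter_ignored "$dir/$mod.1" "$ign" > "$cur"
    filter_ignored "$dir/$mod.2" "$ign" > "$prev"
    # comm -23: lines only in the first file (previous run) -> disappeared -> OLD
    comm -23 "$prev" "$cur" | sed 's/^/OLD: /'
    # comm -13: lines only in the second file (current run) -> appeared -> NEW
    comm -13 "$prev" "$cur" | sed 's/^/NEW: /'
    rm -f "$cur" "$prev"
}

# --- constructed sample data; the ids and services are placeholders, not real tiger output ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/check_listen.2" <<'EOF'
--WARN-- [xxx001w] Service sshd is listening on port 22 (constructed sample)
--WARN-- [xxx002w] Service named is listening on port 53 (constructed sample)
--WARN-- [xxx003w] Service spamd is listening on port 783 (constructed sample)
EOF
cat > "$demo_dir/check_listen.1" <<'EOF'
--WARN-- [xxx001w] Service sshd is listening on port 22 (constructed sample)
--WARN-- [xxx003w] Service spamd is listening on port 783 (constructed sample)
--WARN-- [xxx004w] Service smtpd is listening on port 25 (constructed sample)
EOF
# Suppress the finding that flips on and off between runs (the resolver case
# from the message) so it no longer alternates between NEW and OLD.
printf '%s\n' 'named is listening on port 53' > "$demo_dir/tiger.ignore"

# With the sample above this prints a single NEW line for smtpd; the ignored
# named finding and the unchanged sshd/spamd findings produce no output.
report_changes check_listen "$demo_dir" "$demo_dir/tiger.ignore"
```

Without the ignore file the same pair of runs would additionally report the named line as OLD, which is exactly the flip-flop noise the message suggests filtering with tiger.ignore; when the two runs match after filtering, the function prints nothing, so a cron wrapper that mails only non-empty output stays silent.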
