Date: Tue, 4 Mar 2003 19:53:16 -0000
From: "Jasvinder S. Bahra" <bbdl21548@blueyonder.co.uk>
To: <security@FreeBSD.ORG>
Subject: Tripwire (Cron <root@foo> /usr/local/sbin/tripwire --check --cfgfile /etc/tripwire/tw.cfg)
Message-ID: <007801c2e287$b3075620$0200010a@orion>
Evening folks. I'm having some problems receiving my tripwire reports.
I have a gateway-firewall system, running this version of FreeBSD...
FreeBSD foo.bar.org 4.6.2-RELEASE-p7 FreeBSD 4.6.2-RELEASE-p7 #0
(Please note that throughout this e-mail, domain details have been replaced with FOO.BAR.ORG - this is not the real domain info, for obvious reasons. I should point out that the domain is just something I've set locally. No services are open on the internet side of the machine.) : )
Now, tripwire runs at regular intervals using cron, and the reports are then e-mailed to me (/etc/rc.config has a 'sendmail_enable="NO"' entry so that the reports can be sent).
Entry in crontab...
0 23 * * * root /usr/local/sbin/tripwire --check --cfgfile /etc/tripwire/tw.cfg
I have set root's e-mail address in /etc/mail/aliases...
root: jazz,my_external_email_address@domain.com
...and run the command 'newaliases', after I updated the aliases file. Now, as far as I understand, this setup should run a tripwire security check at 11 in the evening, and then e-mail the report to the root e-mail address set in the aliases file.
After a fashion, this does work. The e-mail has a subject of 'Returned mail: see transcript for details', a body displayed below, and two attachments...
---------------------------------------------------------------8<----------------------------------------------------------------
The original message was received at Fri, 28 Feb 2003 23:00:28 GMT
from root@localhost
----- The following addresses had permanent fatal errors -----
root
(reason: 553 5.1.8 <root@foo.bar.org>... Domain of sender address root@foo.bar.org does not exist)
(expanded from: root)
----- Transcript of session follows -----
... while talking to localhost.my.domain.:
>>> MAIL From:<root@foo.bar.org> SIZE=4771
<<< 553 5.1.8 <root@foo.bar.org>... Domain of sender address root@foo.bar.org does not exist
501 5.6.0 Data format error
---------------------------------------------------------------8<----------------------------------------------------------------
The first attachment shows the following...
---------------------------------------------------------------8<----------------------------------------------------------------
Reporting-MTA: dns; sirius.differentreality.org
Arrival-Date: Sat, 1 Mar 2003 23:00:28 GMT
Final-Recipient: RFC822; root@foo.bar.org
Action: failed
Status: 5.1.8
Diagnostic-Code: SMTP; 553 5.1.8 <root@foo.bar.org>... Domain of sender address root@foo.bar.org does not exist
Last-Attempt-Date: Sat, 1 Mar 2003 23:06:55 GMT
---------------------------------------------------------------8<----------------------------------------------------------------
The second attachment is the tripwire report itself - it has a subject of...
Cron <root@foo> /usr/local/sbin/tripwire --check --cfgfile /etc/tripwire/tw.cfg
Now, the first attachment shows that the mail server is doing a DNS lookup when it receives the e-mail, and it's because the lookup fails that the e-mail is received in this fashion. Does anyone know a way to get around this? The same thing is also happening for the 'foo.bar.org daily run output'. Admittedly this is somewhat minor - the reports *are* being received after all, but for neatness's sake, I'd like to clear it up. *shrugs*
Regards,
Jazz
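A bounce like the one quoted above can be recognised mechanically, which is useful when monitoring that integrity reports are delivered cleanly. This is an added example, not part of the original e-mail: it parses the delivery-status fields and flags failures whose RFC 3463 status code blames the sender address, as 5.1.8 does here. The sample report is constructed from the fields quoted in the message, and the function names are hypothetical.

```python
import re
from email.parser import HeaderParser

# Constructed sample, modelled on the delivery-status attachment quoted above.
SAMPLE_DSN = """\
Reporting-MTA: dns; foo.bar.org

Final-Recipient: RFC822; root@foo.bar.org
Action: failed
Status: 5.1.8
Diagnostic-Code: SMTP; 553 5.1.8 <root@foo.bar.org>... Domain of sender address root@foo.bar.org does not exist
"""

# RFC 3463 detail codes that blame the sender address rather than the recipient.
SENDER_ADDRESS_CODES = {
    "1.7": "bad sender's mailbox address syntax",
    "1.8": "bad sender's system address",
}


def parse_dsn(text):
    """Split a delivery-status body into one field dict per recipient."""
    groups = [g for g in re.split(r"\n\s*\n", text.strip()) if g.strip()]
    parsed = [dict(HeaderParser().parsestr(g).items()) for g in groups]
    # The first group is per-message, the rest are per-recipient. A flattened
    # report (no blank line, as shown in the archive) is a single group.
    recipients = parsed[1:] or parsed
    return [{**parsed[0], **r} for r in recipients]


def sender_rejections(text):
    """Return findings for recipients that failed because of the sender address."""
    findings = []
    for rec in parse_dsn(text):
        status = re.fullmatch(r"([245])\.(\d{1,3}\.\d{1,3})", rec.get("Status", "").strip())
        if not status or rec.get("Action", "").strip().lower() != "failed":
            continue
        reason = SENDER_ADDRESS_CODES.get(status.group(2))
        if reason is None:
            continue
        addr = re.search(r"<[^<>@\s]+@([^<>\s]+)>", rec.get("Diagnostic-Code", ""))
        findings.append({
            "recipient": rec.get("Final-Recipient", "").split(";", 1)[-1].strip(),
            "permanent": status.group(1) == "5",
            "reason": reason,
            "sender_domain": addr.group(1) if addr else None,
        })
    return findings
```

A finding with `permanent` set and a `sender_domain` that the receiving MTA cannot resolve matches the situation in the message: the report was generated, but the envelope sender was refused.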
