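#!/bin/sh
# Last Update: sb, 18.jan.02
# /secure/tripwire/trip_all
#
# Function: A quickie script to check for (tripwire) changes on diverse hosts.
#  - some hosts use the free tripwire (tw1_targets)
#  - Local check using commercial TW
#
# Usage: trip_all -h|-help | -check|-check.quick
#
# Looks up this host's entry in /secure/secure.conf (colon-separated fields:
# host:tool:targets:mail-recipient, as read by the awk calls below), runs
# trip_host.sh for every target plus the local commercial Tripwire, and mails
# the filtered output to the recipient only when something was reported.
# Written for a plain Bourne shell: backticks and operand-style awk variable
# assignments are kept on purpose.
######

# --- security precautions ---
# These are set before the first external command, so uname, awk, date,
# egrep, mailx etc. are resolved from this PATH rather than from whatever the
# caller's environment contains.
PATH='/usr/bin:/opt/openssh/bin:/opt/OBSDssh/bin:/usr/local/bin'
SHELL='/bin/sh'
# NOTE(review): this copy of the script shows a single space here; the usual
# reset is space, tab, newline - confirm against the deployed file.
IFS=' '
umask 077   # -rw-------

## -- process arguments
USAGE="USAGE: $0 -h|-help | -check|-check.quick "
case "$1" in
  -check)
    quick=""
    ;;
  -check.quick)
    quick=".quick"
    ;;
  -h|-help)
    echo "$USAGE"
    exit 1
    ;;
  *)
    # Only the options that are actually implemented are named here.
    echo "You must select an option: -check or -check.quick." >&2
    echo "$USAGE" >&2
    exit 1
    ;;
esac

## read in settings from config file
config="/secure/secure.conf"
if [ ! -r "$config" ]; then
  echo "$0: cannot read $config" >&2
  exit 1
fi
group=`uname -n`
tool="tripwire${quick}"

# Free Tripwire clients
tw1_targets=`awk -F: '{if ($1==g && $2==t) print $3}' g="$group" t="$tool" "$config"`
# notification
user=`awk -F: '{if ($1==g && $2==t) print $4}' g="$group" t="$tool" "$config"`
if [ -z "$user" ]; then
  # Without a recipient the report could never be delivered; fail loudly
  # instead of running the checks and silently losing the result.
  echo "$0: no notification address for $group:$tool in $config" >&2
  exit 1
fi

subject="$group tripwire${quick}"

# Reports larger than COMPRESS_LIMIT blocks (as counted by "ls -s") are
# compressed before emailing.
# NOTE(review): the original comment spoke of 200 blocks (100k) while the
# value is 300, and the block size depends on the ls implementation - confirm
# the intended threshold.
COMPRESS_LIMIT=300
COMPRESS="gzip"
tw1="/secure/tripwire/trip_host.sh"

##### don't normally need to change these
work="/secure/tripwire${quick}"
ignore='^###|^ *$'                                 # dropped from remote reports
local_allow='^Modified object|^"|^Deleted|^New'    # kept from the local report

# Not referenced below; kept from the original settings.
DEBUG='0'
allow2='^Host name|^Modified object|^"|^Deleted|^New'
ssh="ssh -q -x"
scp="scp"

# Private work directory. mkdir fails if the name already exists, so a stale
# or pre-created /secure/tmp/trip_all.<pid> can neither be appended to nor
# followed; umask 077 keeps it owner-only.
tmpdir="/secure/tmp/trip_all.$$"
if mkdir "$tmpdir"; then
  :
else
  echo "$0: cannot create $tmpdir" >&2
  exit 1
fi
tmpfile="$tmpdir/report"
errfile="$tmpdir/err"
# Remove the report on every exit path, including interruption.
trap 'rm -rf "$tmpdir"' 0
trap 'exit 1' 1 2 15

month=`date +%h`
day=`date +%d | sed 's/^0/ /'`
started_at=`date`

# trip_host.sh is run from the work directory; stop rather than run it
# from wherever the caller happened to be.
if cd "$work"; then
  :
else
  echo "$0: cannot cd to $work" >&2
  exit 1
fi

# $tw1_targets is left unquoted on purpose: it is a list of host names.
for target in $tw1_targets; do
  "$tw1" "-check${quick}" "$target" 2>&1 | egrep -v "$ignore" >> "$tmpfile"
  # The report file is cumulative: once any host has produced output, every
  # later host gets a trailer as well.
  if [ -s "$tmpfile" ]; then
    # printf instead of echo: not every echo expands "\n".
    printf '\n^^^^^ %s ^^^^^\n\n' "$target" >> "$tmpfile"
  fi
done

## Local check using Tripwire commercial v2.0
tripwire_bin="/secure/tss/tripwire"
if [ -x "$tripwire_bin" ]; then
  # NOTE(review): stderr and the exit status of tripwire are discarded ("too
  # many junk errors" in the original), so a check that fails to run is
  # indistinguishable from a clean one. Consider evaluating the exit status.
  nice "$tripwire_bin" --check --quiet -c "/secure/tss/twcfg${quick}" 2>"$errfile" |
    egrep "$local_allow" >> "$tmpfile"
else
  # A missing scanner must not look like "no changes".
  echo "Local check not run: $tripwire_bin is missing or not executable" >> "$tmpfile"
fi
rm -f "$errfile"

if [ -s "$tmpfile" ]; then
  {
    echo "Started at - $started_at"
    echo "Finished at -`date`"
    echo ""
    echo "This email was created by:"
    echo " $group:$0"
  } >> "$tmpfile"

  siz=`ls -s "$tmpfile" | awk '{print $1}'`
  if [ "${siz:-0}" -gt "$COMPRESS_LIMIT" ]; then
    $COMPRESS < "$tmpfile" | uuencode "$group.tripwire.$$.txt.gz" |
      mailx -s "$subject $day.$month" "$user" ||
      echo "$0: mailx failed; report not delivered" >&2
  else
    mailx -s "$subject $day.$month" "$user" < "$tmpfile" ||
      echo "$0: mailx failed; report not delivered" >&2
  fi
fi
# The temporary directory is removed by the exit trap.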