I set up a crontab. I've installed AIDE and I have an AIDE database to check for file integrity.
How do I get cron to email me ONLY when files have been modified?
The script:
#!/bin/bash
if aide -c /etc/aide/aide.conf --check
then echo "AIDE detected no changes"
else
echo "Alert!: AIDE detected changes!"
The crontab:
* */12 * * * /root/script.sh | mail [email protected]
On
How do I get cron to email me ONLY when files have been modified?
If you are on Linux with a local file system (e.g. ext4(5) or BTRFS), consider using inotify(7) facilities and then install incrond (on Debian or Ubuntu: the incron package) and use incrontab(5).
Be aware that incron and inotify don't work on remote file systems such as NFS or SMB/CIFS or on pseudofile systems like proc(5).
If you cannot use incron you'll need to use find(1) and perhaps stat(1) in your shell script periodically called by cron
BTW, some files (e.g. those under /var/run/, see hier(7) for more) are very often modified. And so are the data files handled by RDBMS such as PostGreSQL
Regarding AIDE, be sure to read its documentation. Since it is open source and even free software, consider studying then improving its code (e.g. to use inotify).
On
by default aide sends email to local root user, it's probably best to create an alias for the local root user to [email protected] or whatever you use for your incoming email address, this way you not only get aide emails but also other system mail that's destined for the user root
On
We wrote a Perl script that sends out an email if something went wrong and updates the database so that this email won't go out again.
#!/usr/bin/perl
my $aide = "/usr/sbin/aide -c /etc/aide.conf";
my $email = "security\@your-domain.com";
my $timestamp = `/bin/date +\%Y-\%m-\%d.\%H-\%M`;
my $output = "";
my $added = -1;
my $removed = -1;
my $changed = -1;
my $warning = 0;
my $found_no_differences = 0;
open(AIDE, "$aide --check|");
while (my $line=<AIDE>) {
chomp($line);
$output = $output.$line."\n";
if ($line =~ /Added entries\:\s*(\w+)/) { $added = $1; }
if ($line =~ /Removed entries\:\s*(\w+)/) { $removed = $1; }
if ($line =~ /Changed entries\:\s*(\w+)/) { $changed = $1; }
if ($line =~ /WARNING\:/) { $warning = $warning + 1; }
if ($line =~ /AIDE found NO differences/) { $found_no_differences = 1; }
}
close(AIDE);
if ($found_no_differences > 0) { exit(0); }
if ($added > 0 || $removed > 0 || $changed > 0 || $warning > 0 || $added == -1 || $changed == -1) {
open MAIL, "|mail -s 'AIDE $timestamp' $email";
print MAIL $output;
close MAIL;
system("$aide --init");
system("mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz");
}
Use the
MAILTOcrontab variable rather then piping tomail. Then change your script so that it doesn't output anything unless there is a problem:The crontab:
Notes:
root.MAILTO=""is to stop following cron rules from sending mails. If you want them to do that, leave it out. It must beMAILTO=""notMAILTO=. (Cron is not implementing shell syntax here. Another clue is that the you can put spaces around the=which you can't do with shell syntax.)crontabis not part of the POSIX spec. There have been many implementations ofcronover the years and not all of them support variable setting. Check whatman 5 crontabsays on your system.Alternatively, you could use
... | mailx -E [email protected]rather than... | mail [email protected]. This will skip sending the mail if the body (i.e. stdin) is empty.