Tripwire and Email

Tripwire can send email when a particular rule in the policy file is violated. To configure this, you first need the email address of the person to contact when a given integrity violation occurs, plus the name of the rule you want to monitor. On large systems with multiple administrators, this lets you notify different sets of people for different violations, and nobody at all for minor ones.

Once you know who to notify and what to notify them about, add an emailto= line to the rule directive section of each rule you want monitored. Do this by adding a comma after the severity= line and putting emailto= on the next line, followed by the email addresses that should receive the violation reports for that rule. To notify more than one address, separate the addresses with a semicolon; a separate report is sent to each address listed.

For example, if you would like two administrators, Sam and Bob, notified if a networking program is modified, change the Networking Programs rule directive in the policy file to look like this:

(
  rulename = "Networking Programs",
  severity = $(SIG_HI),
  emailto = bob@domain.com;sam@domain.com
)

Once a new signed policy file is generated from the /etc/tripwire/twpol.txt file, the specified email addresses will be notified upon violations of that particular rule. For instructions on signing your policy file, see the Section called Updating the Policy File.
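As an added example (not part of the original guide and not a Tripwire tool), the shell script below parses rule directives written in the twpol.txt syntax shown above and reports, for each rule, its severity and the semicolon-separated emailto list, flagging rules that have no notification address. This is a quick way to audit whether every high-severity rule actually has someone on the other end before you sign the policy. The policy text is a constructed sample embedded in the script; the variable names SIG_LOW, SEC_CRIT and SEC_INVARIANT are assumed to be the ones defined in the stock policy file.

```shell
#!/bin/sh
# Constructed sample of two rule directives in twpol.txt syntax (not a real policy file).
# The second rule deliberately has no emailto= line.
SAMPLE_POLICY='
(
  rulename = "Networking Programs",
  severity = $(SIG_HI),
  emailto = bob@domain.com;sam@domain.com
)
{
  /bin/ping  -> $(SEC_CRIT) ;
}
(
  rulename = "Temporary directories",
  severity = $(SIG_LOW)
)
{
  /tmp  -> $(SEC_INVARIANT) ;
}
'

# Print one "rulename|severity|emailto" line per rule directive.
# Only the ( ... ) directive block is parsed; the { ... } file list is skipped.
# emailto is printed as "-" when the rule has no emailto= line.
list_rule_notifications() {
    printf '%s\n' "$1" | awk '
    /^[[:space:]]*\(/ { inrule = 1; name = ""; sev = ""; mail = ""; next }
    inrule && /^[[:space:]]*\)/ {
        if (mail == "") mail = "-"
        printf "%s|%s|%s\n", name, sev, mail
        inrule = 0; next
    }
    inrule {
        line = $0
        sub(/,[[:space:]]*$/, "", line)            # drop the trailing comma
        split(line, kv, "=")
        key = kv[1]; gsub(/[[:space:]]/, "", key)  # attribute name
        val = line
        sub(/^[^=]*=[[:space:]]*/, "", val)        # everything after "="
        sub(/[[:space:]]+$/, "", val)
        if (key == "rulename")      { gsub(/"/, "", val); name = val }
        else if (key == "severity") sev = val
        else if (key == "emailto")  mail = val
    }'
}

# Print the names of rules that would not notify anyone on violation.
rules_without_email() {
    list_rule_notifications "$1" | awk -F'|' '$3 == "-" { print $1 }'
}

# Print one recipient per line for the named rule (addresses are ;-separated in the policy).
recipients_for_rule() {
    list_rule_notifications "$1" | awk -F'|' -v want="$2" '
    $1 == want && $3 != "-" { n = split($3, a, ";"); for (i = 1; i <= n; i++) print a[i] }'
}

# Usage against the constructed sample; to check a real policy, replace $SAMPLE_POLICY
# with "$(cat /etc/tripwire/twpol.txt)".
list_rule_notifications "$SAMPLE_POLICY"
echo "Rules with no emailto:"
rules_without_email "$SAMPLE_POLICY"
```

Run it against your own twpol.txt before regenerating the signed policy: any rule listed under "Rules with no emailto" will still be checked by Tripwire, but a violation of it will only appear in the report file and in cron output, not in anyone's mailbox.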

Sending Test Email Messages

To make sure that Tripwire's email notification configuration can actually send email correctly, use the following command:

/usr/sbin/tripwire --test --email your@email.address

The tripwire program immediately sends a test email to that address.