[SOLVED] Tiger(cron): "broken" mail format on PVE6

Jan 21, 2016
96
8
73
43
Germany
www.pug.org
Hello,

we use Tiger as audit tool on all our hosts. The strange thing, why I posting here is, that this problem occurs only on PVE6. We get the Tigercron mails with an emtpy Subject and to the "wrong" RCPTO.
The "Subject:" and the "From:" is in the body, instead of the headers. We have hosts which where upgraded from PVE5 (where Tiger mails are ok) to PVE6 and also on new installations .... . If we install a plain Buster it works too.
The Tiger package itself is 100% identical to our other Buster hosts and also the configuration (Puppet) is identical. The only difference is ... Proxmox vs. plain buster.


Code:
...
Received: from ina-pmox-02.foo.local (ina-pmox-02.foo.local [172.25.50.3])
    by mx-01.foo.com (Postfix) with ESMTPS id 2972277
    for <sysops@foo-it.com>; Mon, 20 Jul 2020 00:00:14 +0200 (CEST)
Received: by ina-pmox-02.foo.local (Postfix)
    id 1626F262DC; Mon, 20 Jul 2020 00:00:14 +0200 (CEST)
Delivered-To: root@ina-pmox-02.foo.local
Received: by ina-pmox-02.foo.local (Postfix, from userid 0)
    id 10362262DB; Mon, 20 Jul 2020 00:00:14 +0200 (CEST)
Date: Mon, 20 Jul 2020 00:00:14 +0200
To: root@foo.local
User-Agent: s-nail v14.9.11
Message-Id: <20200719220014.10362262DB@ina-pmox-02.foo.local>
From: root <root@foo.local>

From: "Tiger automatic auditor at ina-pmox-02" <root@ina-pmox-02>
To: root
Subject: Tiger Auditing Report for ina-pmox-02

# Checking for known intrusion signs...
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
# Checking for existence of log files...
# Checking listening processes
OLD: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 32677.
OLD: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 32678.
OLD: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 32679.
NEW: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 6879.
NEW: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 9975.
NEW: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 9976.
NEW: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 9977.

As an example ... Does anybody has the same problem ?

cu denny
 
Glad you found the likely culprit! - Thanks for marking the post as SOLVED :)
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!