Hello,
we use Tiger as audit tool on all our hosts. The strange thing, why I posting here is, that this problem occurs only on PVE6. We get the Tigercron mails with an emtpy Subject and to the "wrong" RCPTO.
The "Subject:" and the "From:" is in the body, instead of the headers. We have hosts which where upgraded from PVE5 (where Tiger mails are ok) to PVE6 and also on new installations .... . If we install a plain Buster it works too.
The Tiger package itself is 100% identical to our other Buster hosts and also the configuration (Puppet) is identical. The only difference is ... Proxmox vs. plain buster.
As an example ... Does anybody has the same problem ?
cu denny
we use Tiger as audit tool on all our hosts. The strange thing, why I posting here is, that this problem occurs only on PVE6. We get the Tigercron mails with an emtpy Subject and to the "wrong" RCPTO.
The "Subject:" and the "From:" is in the body, instead of the headers. We have hosts which where upgraded from PVE5 (where Tiger mails are ok) to PVE6 and also on new installations .... . If we install a plain Buster it works too.
The Tiger package itself is 100% identical to our other Buster hosts and also the configuration (Puppet) is identical. The only difference is ... Proxmox vs. plain buster.
Code:
...
Received: from ina-pmox-02.foo.local (ina-pmox-02.foo.local [172.25.50.3])
by mx-01.foo.com (Postfix) with ESMTPS id 2972277
for <sysops@foo-it.com>; Mon, 20 Jul 2020 00:00:14 +0200 (CEST)
Received: by ina-pmox-02.foo.local (Postfix)
id 1626F262DC; Mon, 20 Jul 2020 00:00:14 +0200 (CEST)
Delivered-To: root@ina-pmox-02.foo.local
Received: by ina-pmox-02.foo.local (Postfix, from userid 0)
id 10362262DB; Mon, 20 Jul 2020 00:00:14 +0200 (CEST)
Date: Mon, 20 Jul 2020 00:00:14 +0200
To: root@foo.local
User-Agent: s-nail v14.9.11
Message-Id: <20200719220014.10362262DB@ina-pmox-02.foo.local>
From: root <root@foo.local>
From: "Tiger automatic auditor at ina-pmox-02" <root@ina-pmox-02>
To: root
Subject: Tiger Auditing Report for ina-pmox-02
# Checking for known intrusion signs...
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
# Checking for existence of log files...
# Checking listening processes
OLD: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 32677.
OLD: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 32678.
OLD: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 32679.
NEW: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 6879.
NEW: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 9975.
NEW: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 9976.
NEW: --WARN-- [lin003w] The process `kvm' is listening on socket 274285 (IPv4 on 274285 interface) is run by 9977.As an example ... Does anybody has the same problem ?
cu denny
I saw, that the useragent is "s-nail" and I replaced it with the default bsd-mailx. I'm pretty sure, that this will solve our problems.
