My project this weekend was to get server notifications from the Smartd daemon to send as encrypted messages. This effectively completes my aim of having all email notifications from my main server moved off Gmail and sent encrypted.
Smartd is a pretty essential bit of server software. It monitors the reported S.M.A.R.T values of Hard Drives installed and reports when it detects a change. Changes in certain values indicate that a disk is potentially going to fail. In theory, and often with a bit of luck, a disk exhibiting potential symptoms of failure can be replaced with a new one before it fails and the disk RAID array can rebuild itself. I had a pretty catastrophic failure of several disks at once a few years ago, but was effectively saved by notifications of changes in S.M.A.R.T values. Given I did not have a backup at the time (which I now realise was completely stupid…), the notifications gave me enough time to start copying data off the array.
The method by which I encrypted messages is much the same as with encrypting logwatch notifications and how I scripted my automated backup solution. Essentially a log file is created, that file is then encrypted with the public GPG key of my main email account and that file is then sent as the message body of an email to said account. This works much the same, but a script is triggered by Smartd.
First I added the -M exec option to /etc/smartd.conf to trigger a script. To do this;
$ sudo nano /etc/smartd.conf
and edit your command to this (make sure you don’t have another uncommented line with DEVICESCAN on it!);
DEVICESCAN -a -m <email address> -M exec /usr/local/bin/smartdnotify
It’s worth noting that, according to the Ubuntu manpage, the -M option will not function if the -m option hasn’t also been called first. The /usr/local/bin/smartdnotify file will be our script. Create that with;
$ sudo nano /usr/local/bin/smartdnotify
Paste the following in;
#!/bin/sh
## Create log file
echo "$SMARTD_FAILTYPE" >> /path/to/notification/file/smartd.txt
echo "" >> /path/to/notification/file/smartd.txt
echo "$SMARTD_TFIRST" >> /path/to/notification/file/smartd.txt
echo "" >> /path/to/notification/file/smartd.txt
echo "$SMARTD_FULLMESSAGE" >> /path/to/notification/file/smartd.txt
## Encrypt and send log file
gpg --encrypt --armor -r <email address> /path/to/notification/file/smartd.txt
cat /path/to/notification/file/smartd.txt.asc | mutt -s "Smartd has found a problem!" <email address>
## Clean up files
rm /path/to/notification/file/smartd.txt
rm /path/to/notification/file/smartd.txt.asc
Type Ctrl X to exit and make sure the file is saved. Then restart the smartd service with;
$ sudo systemctl restart smartd.service
You can check it is running with;
$ sudo systemctl status smartd.service
And that should be it! You can add -M test to your DEVICESCAN line in the smartd config file and test your configuration works too. This is probably a good idea given the potential importance of these notifications.
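A variant of the script above that never writes the plaintext report to disk, as an added example rather than the author's script: the report is piped straight into gpg, and nothing is mailed if encryption fails. The default RECIPIENT address and the GPG and MAILER override variables are assumptions for illustration; the recipient's public key must already be in the keyring of the user smartd runs as.

```sh
#!/bin/sh
# Added example: pipe-based variant of the smartd notification script.
# RECIPIENT is a placeholder address; GPG and MAILER are hypothetical
# override variables so the commands can be swapped out when testing.
RECIPIENT="${RECIPIENT:-admin@example.org}"
GPG="${GPG:-gpg}"
MAILER="${MAILER:-mutt}"

# Assemble the report from the variables smartd exports to -M exec scripts.
build_report() {
    printf '%s\n\n%s\n\n%s\n' \
        "${SMARTD_FAILTYPE:-unknown}" \
        "${SMARTD_TFIRST:-}" \
        "${SMARTD_FULLMESSAGE:-}"
}

# Encrypt stdin to recipient $1 and print the ASCII armor. Returns non-zero
# if gpg fails or its output is not an armored PGP message.
encrypt_report() {
    cipher=$("$GPG" --batch --encrypt --armor --recipient "$1") || return 1
    case "$cipher" in
        "-----BEGIN PGP MESSAGE-----"*) printf '%s\n' "$cipher" ;;
        *) return 1 ;;
    esac
}

# Encrypt first, mail second: if encryption fails, no message is sent,
# so the report can never go out unencrypted or as an empty body.
notify() {
    body=$(build_report | encrypt_report "$RECIPIENT") || {
        echo "smartdnotify: encryption failed, nothing sent" >&2
        return 1
    }
    printf '%s\n' "$body" | "$MAILER" -s "Smartd has found a problem!" "$RECIPIENT"
}

# smartd sets SMARTD_FAILTYPE when it runs the script; do nothing otherwise.
if [ -n "${SMARTD_FAILTYPE:-}" ]; then
    notify
fi
```

Because a failed encryption makes the script exit non-zero without sending, the -M test run described above is the way to confirm the key and mailer work before relying on it.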
I found the following links particularly helpful. The Arch Wiki resource is always amazing, but in this case it detailed how to trigger a script. The Ubuntu manpage entry was particularly good at explaining the variables created by smartd that enabled a script to be written (things like $SMARTD_FULLMESSAGE in the script above).