Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I first heard of samhain here and have installed it to monitor the integrity of some of my more important servers. This has resulted in a flood of email lately, most of which looks fairly benign, but I need to start cleaning things up. I'm hoping to get some advice about how to go about this. My understanding of how the samhain configuration works is reasonably good, but I would like to hone it -- and some of the things it reports do not look familiar to me, so I could use some help.
The system is Ubuntu 14.x (patched today), running as an Amazon EC2 instance.
The latest notification (with some details changed to protect my server's identity):
Most of these notifications appear to be related to Ubuntu's default behavior that checks for available updates/upgrades. Does this automatic check present any security risk? Should I disable the security check or should I ignore changes to the files listed here?
The last notification is due to some code being checked into a repository. I'm not sure what to do about this. If I make the changes myself, I don't want samhain to tell me about it. If someone else makes them, I'd want to know if it was some stranger, but not if it was a trusted companion. Anyone have suggestions?
I don't use samhain, but I use aide and my OpenBSD boxes have security scripts running limited integrity checks.
Any tool that gives you reports with massive amounts of false positives in them is not helping. You end up looking them over quickly and ignoring the lines out of pure boredom. My advice is to monitor only things that are not supposed to change. Some tools are more flexible than others and allow you to decide what to look for in order to make a report.
An option for things like repositories is to have an integrity database just for them, make checks just before you start working with them, and update the database once you are over. Probably a lot of hassle anyway.
Last edited by BlackRider; 10-27-2016 at 01:31 PM.
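The "integrity database just for the repository" idea above, as an added example (not code from the thread or from samhain): a sha256 baseline of the working tree that you build once, verify right before you start working, and rebuild when you are done. The temp directory, the file names and the sample source file are constructed for the demo.

```shell
#!/bin/sh
# Added example: a per-repository integrity database. Hash every regular file
# once (skipping the .git object store, which git already checksums), verify the
# tree against that database before working in it, re-baseline afterwards.
set -eu

# Emit "sha256  ./relative/path" for every regular file under $1, sorted so that
# two runs over an unchanged tree produce byte-identical output.
hash_tree() {
    ( cd "$1" && find . -type f ! -path './.git/*' -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# make_baseline DIR DB : write the baseline database for DIR into DB.
make_baseline() {
    hash_tree "$1" > "$2"
}

# verify_baseline DIR DB : return 0 when DIR matches DB exactly; otherwise print
# a unified diff (added, removed and modified files show up as +/- lines) and
# return 1.
verify_baseline() {
    current=$(mktemp)
    hash_tree "$1" > "$current"
    if diff -u "$2" "$current"; then
        rm -f "$current"
        return 0
    fi
    rm -f "$current"
    return 1
}

# Demo on a constructed working tree in a temporary directory.
demo() {
    tree=$(mktemp -d); db=$(mktemp)
    mkdir -p "$tree/src" "$tree/.git"
    printf 'int main(void) { return 0; }\n' > "$tree/src/main.c"
    printf 'ref: refs/heads/master\n' > "$tree/.git/HEAD"
    make_baseline "$tree" "$db"                         # "update the database once you are over"
    verify_baseline "$tree" "$db" && echo "clean tree: nothing to report"
    printf '/* edit made outside the normal workflow */\n' >> "$tree/src/main.c"
    verify_baseline "$tree" "$db" || echo "tree changed since last baseline: review the diff above"
    rm -rf "$tree" "$db"
}
demo
```

Keep the database file outside the tree it describes (and, ideally, on a host the repository server cannot write to), otherwise whoever can alter the repository can also alter the record you compare it against.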
Quote:
Originally Posted by BlackRider
Any tool that gives you reports with massive amounts of false positives in them is not helping. You end up looking them over quickly and ignoring the lines out of pure boredom. My advice is to monitor only things that are not supposed to change. Some tools are more flexible than others and allow you to decide what to look for in order to make a report.
Samhain is highly configurable, so I'm not really asking about samhain. I'm asking about the security implications really. I could easily suppress this output in samhain. I'm actually interested in knowing that it happens. I don't consider it especially risky for these files, but was looking for other opinions.
Quote:
Originally Posted by BlackRider
An option for things like repositories is to have an integrity database just for them, make checks just before you start working with them, and update the database once you are over. Probably a lot of hassle anyway.
This does sound like a hassle. My thinking (which may be flawed from a security perspective) is that a source code repo is going to change a lot and should therefore be excluded from integrity checking altogether. On the other hand, perhaps there are certain types of file integrity that I should be checking to make sure only authorized people change these files?
I have heard some people out there are using git with signed commits, so you can audit who committed what change. Maybe you can investigate such an option.
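What auditing signed commits looks like in practice, as an added example (not from the thread or from git's own tooling): git prints a one-letter signature status per commit with the `%G?` format placeholder, so a short filter can list every commit that was not signed by a key you trust. The repository path and the three sample log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example: flag commits that are unsigned, badly signed, or signed by a
# key that is not in the local trust store. The sample log below is constructed.
set -eu

# classify_commits reads lines shaped "<%G?> <hash> <subject>" on stdin, which
# is what `git log --format='%G? %h %s'` prints, and reports each commit whose
# status is not "G". Returns 0 when every commit passes, 1 otherwise.
#   G good signature, trusted key     U good signature, untrusted key
#   B bad signature                   E cannot check (key missing)
#   N no signature                    X/Y expired signature/key   R revoked key
classify_commits() {
    bad=0
    while IFS=' ' read -r status hash subject; do
        [ -n "$hash" ] || continue            # skip blank lines
        case "$status" in
            G) ;;                             # trusted signer: accept silently
            *) bad=1; printf 'REVIEW %s [%s] %s\n' "$hash" "$status" "$subject" ;;
        esac
    done
    return $bad
}

# audit_repo DIR [REVISION-RANGE] : run the same check against a real
# repository, e.g. audit_repo /srv/repos/app origin/master..master after a push.
audit_repo() {
    git -C "$1" log --format='%G? %h %s' "${2:-HEAD}" | classify_commits
}

# Constructed sample of three commits: one trusted, one unsigned, one signed by
# a key that is present but not marked trusted.
SAMPLE_LOG='G 1a2b3c4 Fix off-by-one in parser
N 5d6e7f8 Bump version
U 9a0b1c2 Add release notes'

printf '%s\n' "$SAMPLE_LOG" | classify_commits || echo "some commits need review"
```

Run it from a post-receive hook or a cron job against the revision range that just arrived, and keep the list of trusted signing keys on the auditing host rather than in the repository itself; a "U" from a colleague's new key is something to confirm out of band, a "N" on a branch where signing is mandatory is the case the original poster wanted to hear about.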
Quote:
Most of these notifications appear to be related to Ubuntu's default behavior that checks for available updates/upgrades. Does this automatic check present any security risk? Should I disable the security check or should I ignore changes to the files listed here?
The last notification is due to some code being checked into a repository. I'm not sure what to do about this. If I make the changes myself, I don't want samhain to tell me about it. If someone else makes them, I'd want to know if it was some stranger, but not if it was a trusted companion. Anyone have suggestions?
First of all, these /var/lib/update-notifier/ and /var/lib/ubuntu-release-upgrader/ files are clearly traceable to the application that uses them, meaning you can gauge from the application in which way local or networked users (ab)use them (or not). So if, for example, this application had a port open, like say MySQL listening on TCP/3306, you could mitigate that by reconfiguring the service. In your case I'd guess both applications are short-lived, command line or cron driven, and only provide information. Next, most changes are done on purpose (whatever that purpose is): so unwanted changes in /sbin/init, /etc/ssh/sshd_config, /usr/bin/traceroute or "/usr/local/sbin/httpd -DSSL" and such, sure, but ask yourself what Indicators Of Compromise a change in these specific files would actually yield. They're most likely log files and not binaries, libraries, configuration files or such that the system relies on for any reason. Security and auditing remain a trade-off, and while you would like full coverage that's not always practical or necessary. IIRC Samhain has a "growing only" section for log files. Maybe these files fit into that category. And I agree you should find a GIT-centric way to validate its integrity.
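How the "monitor only what is not supposed to change" and "growing only" advice maps onto a samhainrc, as an added example (not the original poster's configuration and not shipped by the Samhain project). Samhain's file policies are sections in the config file; `dir=99/path` recurses 99 levels deep, `file=` names a single file. The two /var/lib directories are the ones from the notifications in this thread; /srv/repos is an assumed location for the source checkout.

```ini
# Added example: a samhainrc fragment that keeps the noise down without dropping
# coverage of the files that matter. Paths under /srv are assumptions.

[ReadOnly]
# Policy: every change except access time is reported. Reserve it for things
# that only change when you patch the box.
dir=99/etc
dir=99/sbin
dir=99/usr/bin
file=/sbin/init
file=/etc/ssh/sshd_config

[GrowingLogFiles]
# Policy: the file may grow, but a shrink, a rewritten beginning, or a change of
# owner/permissions is still reported. Right for append-only logs.
dir=/var/log

[Attributes]
# Policy: only ownership, permissions and device are checked; content is not.
# Caveat: update-notifier and the release upgrader rewrite their status files
# rather than appending to them, so under GrowingLogFiles they would keep
# generating reports. Attributes keeps them quiet unless somebody loosens the
# permissions on them.
dir=99/var/lib/update-notifier
dir=99/var/lib/ubuntu-release-upgrader

[IgnoreAll]
# Policy: existence is checked, modifications are not. A working checkout
# changes on every commit, so integrity of its history is better audited with
# signed commits than with a file checksum database.
dir=99/srv/repos

[EventSeverity]
# Route the policies to different severities so the mail filter (MailSeverity in
# the [Log] section) can deliver ReadOnly hits immediately and batch the rest.
SeverityReadOnly=crit
SeverityGrowingLogs=warn
SeverityAttributes=warn
SeverityIgnoreAll=info
```

After changing the policy, re-initialise the baseline (`samhain -t init`, or `-t update` to fold in changes you have reviewed) so the database reflects the new rules; otherwise the first check after the edit reports every file whose policy moved between sections.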