LinuxQuestions.org
Old 02-09-2016, 03:56 PM   #1
sneakyimp
getting samhain notifications about session files in /var/lib/php5/


I'm getting tons upon tons of samhain notices and I've been picking through them hoping to determine if there's really anything wrong. One of the greatest sources of spurious notifications is the sess_* files created by apache in /var/lib/php5. Some example filenames:
Code:
-rw-------  1 www-data www-data    202 Feb  9 21:17 sess_vdp08n6gnm7v46m4p34qk20641
-rw-------  1 www-data www-data    160 Feb  9 21:28 sess_vpemr9har228gmrvccuo3k1g76
-rw-------  1 www-data www-data     50 Feb  9 21:22 sess_vuv83getivrgjo7imn7v5k1uu5
I cannot seem to determine how to edit my /etc/samhain/samhainrc files to prevent notifications when these files are created, modified, and deleted. The directive in the samhainrc file that calls for these notifications is apparently this one:
Code:
[ReadOnly]
dir = 99/var
which, if I'm not mistaken, says that the /var directory is to be read-only so any changes should trigger a report UNLESS one of the subsequent exceptions countermands this directive. I have in fact added a couple of ignore directives hoping to prevent the notifications:
Code:
[IgnoreAll]
# all kinds of dir directives here
# this doesn't work
file = /var/lib/php5/sess_*
# recently added this one which doesn't work either
dir = /var/lib/php5/sess_*
I only just added that last directive a few minutes ago. Prior to adding it, I was getting (and I believe I still am) notifications like this one:
Code:
-----BEGIN MESSAGE-----
2016-02-09T18:53:01+0000 some-hostname.ec2.internal
<log sev="CRIT" tstamp="2016-02-09T18:52:47+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/php5" ctime_old="2016-02-09T15:50:18" ctime_new="2016-02-09T16:39:04" mtime_old="2016-02-09T15:50:18" mtime_new="2016-02-09T16:39:04"  />
-----BEGIN SIGNATURE-----
6BDB4C19F3778FE68D638FDE65F121EFA787A944E63D507F
000678 1447117289::some-hostname.ec2.internal
-----END MESSAGE-----
Then if I refresh my samhain log file and catalog and restart samhain, I might get a dozen notifications like this:
Code:
-----BEGIN MESSAGE-----
2016-02-09T21:07:36+0000 some-hostname.ec2.internal
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0lkqer22tljq2af6d4fck7irr7" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0gbcmpv5rhj1955q19msnd7ib1" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0fg2nps8v4ci8m0o3s7buiplk1" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0fd8squb717siqqbravtomhv31" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0e71o8e9kf42vocvdglne2ltc0" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0caj76bhn387m166gh8mehd2n0" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0btk0ovauk8t48ioradmbc0fh1" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_08ddnl3ii6tbnhn9pjgdsre675" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_06ta137npbk19olkmopl3k86s0" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_05c0p7qs6tna87va34bnfuha64" />
-----BEGIN SIGNATURE-----
97A44019EE9BC11BEE479C35A7144974BA5B7E3B6843E926
000002 1455051774::some-hostname.ec2.internal
-----END MESSAGE-----
I believe these files are clearly benign. How can I prevent the samhain notifications? I would consider adding an ignoreall for /var/lib/php5 but there is one other directory in there which seems to need monitoring, namely /var/lib/php5/modules.

Any help would be much appreciated.
 
Old 02-11-2016, 05:29 PM   #2
unSpawn
Try this?
Code:
[IgnoreAll]
# Report no modifications for these files/directories. Access failures will still be reported.
dir=-1/var/lib/php5/
BTW monitoring PHP session files is not likely going to give you much of a heads up things are awry (IMHO).

 
Old 02-12-2016, 02:50 PM   #3
sneakyimp
Thank you so much for your suggestion. I've tried numerous things.
Quote:
Originally Posted by unSpawn
Try this?
Code:
[IgnoreAll]
# Report no modifications for these files/directories. Access failures will still be reported.
dir=-1/var/lib/php5/
I've looked at the documentation regarding these recursion depth settings and it sounds like this would prevent samhain from looking inside the folder at all. I'm not certain but I think this presents a problem because I do want samhain to keep an eye on one of its sub-folders, /var/lib/php5/modules. Or don't I? I don't really know what gets put into that folder.

Quote:
Originally Posted by unSpawn
BTW monitoring PHP session files is not likely going to give you much of a heads up things are awry (IMHO).
I have no interest in monitoring these files at all. It was due to the default settings in samhainrc that the /var folder is being monitored:
Code:
[ReadOnly]
dir = 99/var

[IgnoreAll]
dir = -1/var/cache
dir = -1/var/backups
#dir = -1/var/games
#dir = -1/var/gdm
dir = -1/var/lock
dir = -1/var/mail
dir = -1/var/run
dir = -1/var/spool
dir = -1/var/tmp
#dir = -1/var/lib/texmf
#dir = -1/var/lib/scrollkeeper
 
Old 02-13-2016, 03:11 AM   #4
unSpawn
Quote:
Originally Posted by sneakyimp
I'm not certain but I think this presents a problem because I do want samhain to keep an eye on one of its sub-folders, /var/lib/php5/modules.
You could try (as in test things yourself before questioning them?) first blocking /var/lib/php5 and then explicitly enabling /var/lib/php5/modules in a section below it?


Quote:
Originally Posted by sneakyimp
Or don't I?
PHP documentation says it puts dynamic libraries there. Find out how and when these libraries get there, who owns them and if the mechanism that puts them there alters those files?
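Putting unSpawn's layered suggestion into a single samhainrc fragment, as an added example that is not from the thread. It assumes (to be checked against the samhain manual for the installed version) that when a path matches several entries, samhain applies the policy of the most specific path, so the explicit /var/lib/php5/modules entry overrides the ignore on its parent directory.

```ini
# Added example (not the thread's own config): layered policies for /var/lib/php5

[ReadOnly]
# stock default from the thread: watch /var recursively
dir = 99/var
# explicitly re-enable the one subdirectory the OP still wants watched
# (assumption: this more specific entry takes precedence over the
#  [IgnoreAll] entry for its parent below)
dir = 99/var/lib/php5/modules

[IgnoreAll]
# same form as the stock -1/var/cache entries: report no modifications
# for /var/lib/php5 itself, which is where the sess_* churn comes from
dir = -1/var/lib/php5
```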
 
  

