Quote:
Originally Posted by unSpawn
Basic first question is "who is allowed to write to what directory or file?"
Given there are ~55 different files/dirs mentioned, there might be 55 different answers to this question, but I'm guessing you don't particularly care to know and are just encouraging me to check out the permissions on these 55 locations. I'm not sure what gain this knowledge might bring as samhain won't tell me who has written a file, only that it has changed (e.g., missing, new, ctime changed, mtime changed). I've fiddled around and come up with a listing of all these files' owners and groups (cat files_to_check.txt | xargs sudo ls -dal) and they are pretty much ALL root:root except for a few exceptions:
Code:
-rw------- 1 postfix postfix 33 Jul 7 23:30 /var/lib/postfix/master.lock
-rw-r--r-- 1 root adm 16787 Jul 7 23:30 /var/log/dmesg
-rw-rw-r-- 1 root utmp 292876 Jul 7 23:30 /var/log/lastlog
So the short answer is that pretty much all of these files are owned by root and group-owned by root.
Quote:
Originally Posted by unSpawn
should be clear for /var/log/ contents and files in /var/lib/{plymouth,postfix,update-notifier}/.
Not sure exactly what you mean here except perhaps to suggest that the dir names in /var/log and /var/lib should pretty much match the package/process that is busy changing a given folder. However, I would remind you that all but 3 paths are owned root:root.
Quote:
Originally Posted by unSpawn
In the case of "/" it's only change and modification time changing so from that you could conclude it's meta data, wrt one of the subdirectories being modified or created (my bet would be creation of dynamic "/run" directory), but I don't know what writes /boot/grub/grubenv or what writes to /var/lib/cloud.
So you are suggesting that "/" is reported because its contents change? Seems to me then that "/" should be ignored (or partially ignored) because this is going to happen EVERY TIME the machine reboots if we are altering its contents. On the other hand, perhaps we still want to be notified because this is a very important directory and we want to know if some user/process is mucking around in there? This is the essence of my question. Do I just deal with the notifications or is it safe to ignore changes to this directory somehow? E.g., we could change it to some other watch pattern than what it currently has:
Code:
[ReadOnly]
dir = 0/
Metadata? I'm not sure. Contents of "/" currently are:
Code:
$ sudo ls -al /
total 92
drwxr-xr-x 22 root root 4096 Jul 7 23:30 .
drwxr-xr-x 22 root root 4096 Jul 7 23:30 ..
drwxr-xr-x 2 root root 4096 Jul 4 21:08 bin
drwxr-xr-x 3 root root 4096 Jul 4 21:09 boot
drwxr-xr-x 13 root root 3880 Jul 7 23:30 dev
drwxr-xr-x 102 root root 4096 Jul 7 23:30 etc
drwxr-xr-x 5 root root 4096 Jun 17 02:43 home
lrwxrwxrwx 1 root root 33 Jun 14 04:37 initrd.img -> boot/initrd.img-3.13.0-29-generic
drwxr-xr-x 21 root root 4096 Jun 27 20:48 lib
drwxr-xr-x 2 root root 4096 Jun 14 04:35 lib64
drwx------ 2 root root 16384 Jun 14 04:38 lost+found
drwxr-xr-x 2 root root 4096 Jun 14 04:35 media
drwxr-xr-x 2 root root 4096 Apr 10 22:12 mnt
drwxr-xr-x 2 root root 4096 Jun 14 04:35 opt
dr-xr-xr-x 91 root root 0 Jul 7 23:30 proc
drwx------ 4 root root 4096 Jul 4 19:02 root
drwxr-xr-x 21 root root 700 Jul 7 23:30 run
drwxr-xr-x 2 root root 12288 Jul 4 21:08 sbin
drwxr-xr-x 2 root root 4096 Jun 14 04:35 srv
dr-xr-xr-x 13 root root 0 Jul 7 23:30 sys
drwxrwxrwt 2 root root 4096 Jul 8 00:17 tmp
drwxr-xr-x 10 root root 4096 Jun 14 04:35 usr
drwxr-xr-x 14 root root 4096 Jul 2 00:17 var
lrwxrwxrwx 1 root root 30 Jun 14 04:37 vmlinuz -> boot/vmlinuz-3.13.0-29-generic
I also don't know what writes /boot/grub/grubenv or what writes to /var/lib/cloud. I can only speculate that these directories are written as part of some process when the virtual machine boots. It's not clear to me whether these write actions would be initiated by some internal configuration routines concocted by Canonical in writing Ubuntu or whether Amazon is somehow able to write files on the EBS store. I think the latter is unlikely because it is apparently possible to create an encrypted machine. Additionally, the only key that grants access to this machine is my personal private key which is not stored anywhere in Amazon's network.
Generally speaking, this machine is pretty pristine and I have little reason to expect any intrusion at this point. I have simply fired up a machine from the official Ubuntu AMI, installed a few packages (apache, php5, mysql client) all using apt-get, and I have manually installed samhain 3.1.1. That said, I think I'm mostly interested in establishing samhain rules that will reasonably ignore such changes so I don't get notifications without undermining the work that samhain is supposed to do. E.g., I could just add some IgnoreAll statements but that may not be the best way to go? Should I ignore the entire directory /var/lib/cloud or add individual files? Seems to me the filenames are not especially predictable, but possibly targetable with glob patterns. Also: Can I ever ignore /boot/grub/grubenv? That sounds like a pretty important file.
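One way to express the split the post is asking about (keep watching "/" and grubenv, stop being paged about boot-time noise) in samhain's own configuration syntax. This is an added example, not from the thread or from the samhain project: the section names and the `depth/path` form are samhain's standard policy syntax, while which path goes under which policy is an assumption made here for illustration, and the wildcard entry is a placeholder pattern rather than a real cloud-init file name.

```ini
# Added example for samhainrc; policy names and depth/path syntax are samhain's,
# the assignment of paths to policies is an assumption for illustration.

[Attributes]
# "/" itself: only ownership, permissions and device number are checked, so the
# mtime/ctime churn from /run being created at boot is no longer reported, but
# a chmod/chown on "/" (e.g. it becoming world-writable) still is.
# Depth 0 is kept as in the current config (no recursion into subdirectories).
dir = 0/

[ReadOnly]
# grubenv stays fully watched: any content, size, ownership or permission
# change is reported. It is rewritten on some boots, so expect to run
# "samhain -t update" after a legitimate reboot rather than ignoring it.
file = /boot/grub/grubenv
# Keep the rest of the existing ReadOnly entries (e.g. /etc, /bin, /sbin) here.

[IgnoreAll]
# Per-instance cloud-init state: content and metadata changes are not reported.
# Depth -1 means unlimited recursion into the tree.
dir = -1/var/lib/cloud
# Narrower alternative instead of the whole tree: samhain accepts shell-style
# wildcards in file/dir entries, so specific noisy names can be matched, e.g.
# file = /var/lib/cloud/PLACEHOLDER-prefix*     (placeholder, not a real path)

[LogFiles]
# Log files written at boot (dmesg, lastlog, ...): timestamp, size and checksum
# changes are ignored, ownership and permission changes are still reported.
dir = 1/var/log
```

After editing the policy file, run a `samhain -t update` (or `-t init` for a fresh baseline) so the database matches the new policies, then reboot once and confirm only the expected reports remain. The trade-off this encodes is the one the post worries about: nothing here stops samhain from reporting a changed owner or mode on "/", only the timestamp-only changes are suppressed, and grubenv is deliberately left under the strictest policy.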