Judging samhain notifications. Are these problematic? If not, I could use config help

sneakyimp · 07-07-2014, 05:20 PM

I've got an Amazon EC2 instance running Ubuntu 14.04. I've installed samhain for file integrity monitoring and have noticed that I get quite a few notifications every time I reboot this virtual machine. I've made some tweaks that I feel fairly comfortable with, but I'd like some help looking at these most recent notifications to make sure they are acceptable and, if they are, then I'd like to tweak my samhain rc configuration so that I don't get email for them -- but I don't want to defeat the purpose of samhain by instituting rules that are too permissive.

See the attached text file for about 8 emailed messages I received from samhain.

I did a little grep search and some sorting and have distilled the paths complained about in these messages down to this list of files/dirs:

Code:

/
/boot/grub/grubenv
/run
/var/lib/cloud
/var/lib/cloud/data
/var/lib/cloud/data/instance-id
/var/lib/cloud/data/previous-datasource
/var/lib/cloud/data/previous-instance-id
/var/lib/cloud/data/result.json
/var/lib/cloud/data/status.json
/var/lib/cloud/handlers
/var/lib/cloud/instance
/var/lib/cloud/instances
/var/lib/cloud/instances/i-874b1dd4
/var/lib/cloud/instances/i-874b1dd4/boot-finished
/var/lib/cloud/instances/i-874b1dd4/cloud-config.txt
/var/lib/cloud/instances/i-874b1dd4/datasource
/var/lib/cloud/instances/i-874b1dd4/handlers
/var/lib/cloud/instances/i-874b1dd4/obj.pkl
/var/lib/cloud/instances/i-874b1dd4/scripts
/var/lib/cloud/instances/i-874b1dd4/sem
/var/lib/cloud/instances/i-874b1dd4/user-data.txt
/var/lib/cloud/instances/i-874b1dd4/user-data.txt.i
/var/lib/cloud/instances/i-874b1dd4/vendor-data.txt
/var/lib/cloud/instances/i-874b1dd4/vendor-data.txt.i
/var/lib/cloud/scripts
/var/lib/cloud/scripts/per-boot
/var/lib/cloud/scripts/per-instance
/var/lib/cloud/scripts/per-once
/var/lib/cloud/scripts/vendor
/var/lib/cloud/seed
/var/lib/cloud/sem
/var/lib/plymouth/boot-duration
/var/lib/postfix/master.lock
/var/lib/update-notifier/fsck-at-reboot
/var/log/boot.log
/var/log/dmesg
/var/log/lastlog
/var/log/samhain/samhain.log.lock
/var/log/udev
/var/log/upstart/acpid.log
/var/log/upstart/console-setup.log
/var/log/upstart/container-detect.log
/var/log/upstart/cryptdisks.log
/var/log/upstart/hwclock-save.log
/var/log/upstart/network-interface-eth0.log
/var/log/upstart/networking.log
/var/log/upstart/pollinate.log
/var/log/upstart/procps-static-network-up.log
/var/log/upstart/procps-virtual-filesystems.log
/var/log/upstart/rsyslog.log
/var/log/upstart/systemd-logind.log
/var/log/upstart/ttyS0.log
/var/state/samhain/samhain_file

Most of these files seem to be related to reboot and cloud self-configuration on bootup.

Any help in would be much appreciated. I want to
a: check if any of these messages should cause me concern
b: generate samhainrc config rules to prevent any of these notifications that I should not be concerned about.

unSpawn · 07-07-2014, 06:25 PM

Basic first question is "who is allowed to write to what directory or file?", should be clear for /var/log/ contents and files in /var/lib/{plymouth,postfix,update-notifier}/. In the case of "/" it's only change and modification time changing so from that you could conclude it's meta data, wrt one of the subdirectories being modified or created (my bet would be creation of dynamic "/run" directory), but I don't know what writes /boot/grub/grubenv or what writes to /var/lib/cloud.

sneakyimp · 07-07-2014, 07:39 PM

Quote:

Originally Posted by unSpawn

Basic first question is "who is allowed to write to what directory or file?"

Given there are ~55 different files/dirs mentioned, there might be 55 different answers to this question, but I'm guessing you don't particularly care to know and are just encouraging me to check out the permissions on these 55 locations. I'm not sure what gain this knowledge might bring as samhain won't tell me who has written a file, only that it has changed (e.g., missing, new, ctime changed, mtime changed). I've fiddled around and come up with a listing of all these files' owners and groups (cat files_to_check.txt | xargs sudo ls -dal) and they are pretty much ALL root:root except for a few exceptions:

Code:

-rw-------  1 postfix postfix       33 Jul  7 23:30 /var/lib/postfix/master.lock
-rw-r--r--  1 root    adm        16787 Jul  7 23:30 /var/log/dmesg
-rw-rw-r--  1 root    utmp      292876 Jul  7 23:30 /var/log/lastlog

So the short answer is that pretty much all of these files are owned by root and group-owned by root.

Code:

should be clear for /var/log/ contents and files in /var/lib/{plymouth,postfix,update-notifier}/.

Not sure exactly what you mean here except perhaps to suggest that the dir names in /var/log and /var/lib should pretty much match the package/process that is busy changing a given folder. However, I would remind you that all but 3 paths are owned root:root.

[code]In the case of "/" it's only change and modification time changing so from that you could conclude it's meta data, wrt one of the subdirectories being modified or created (my bet would be creation of dynamic "/run" directory), but I don't know what writes /boot/grub/grubenv or what writes to /var/lib/cloud.[/QUOTE]
So you are suggesting that "/" is reported because its contents change? Seems to me then that "/" should be ignored (or partially ignored) because this is going to happen EVERY TIME the machine reboots if we are altering its contents. On the other hand, perhaps we still want to be notified because this is a very important directory and we want to know if some user/process is mucking around in there? This is the essence of my question. Do I just deal with the notifications or is it safe to ignore changes to this directory somehow? E.g., we could change it to some other watch pattern than what it currently has:

Code:

[ReadOnly]
dir = 0/

Metadata? I'm not sure . Contents of "/" currently are:

Code:

$ sudo ls -al /
total 92
drwxr-xr-x  22 root root  4096 Jul  7 23:30 .
drwxr-xr-x  22 root root  4096 Jul  7 23:30 ..
drwxr-xr-x   2 root root  4096 Jul  4 21:08 bin
drwxr-xr-x   3 root root  4096 Jul  4 21:09 boot
drwxr-xr-x  13 root root  3880 Jul  7 23:30 dev
drwxr-xr-x 102 root root  4096 Jul  7 23:30 etc
drwxr-xr-x   5 root root  4096 Jun 17 02:43 home
lrwxrwxrwx   1 root root    33 Jun 14 04:37 initrd.img -> boot/initrd.img-3.13.0-29-generic
drwxr-xr-x  21 root root  4096 Jun 27 20:48 lib
drwxr-xr-x   2 root root  4096 Jun 14 04:35 lib64
drwx------   2 root root 16384 Jun 14 04:38 lost+found
drwxr-xr-x   2 root root  4096 Jun 14 04:35 media
drwxr-xr-x   2 root root  4096 Apr 10 22:12 mnt
drwxr-xr-x   2 root root  4096 Jun 14 04:35 opt
dr-xr-xr-x  91 root root     0 Jul  7 23:30 proc
drwx------   4 root root  4096 Jul  4 19:02 root
drwxr-xr-x  21 root root   700 Jul  7 23:30 run
drwxr-xr-x   2 root root 12288 Jul  4 21:08 sbin
drwxr-xr-x   2 root root  4096 Jun 14 04:35 srv
dr-xr-xr-x  13 root root     0 Jul  7 23:30 sys
drwxrwxrwt   2 root root  4096 Jul  8 00:17 tmp
drwxr-xr-x  10 root root  4096 Jun 14 04:35 usr
drwxr-xr-x  14 root root  4096 Jul  2 00:17 var
lrwxrwxrwx   1 root root    30 Jun 14 04:37 vmlinuz -> boot/vmlinuz-3.13.0-29-generic

I also don't know what writes /boot/grub/grubenv or what writes to /var/lib/cloud. I can only speculate that these directories are written as part of some process when the virtual machine boots. It's not clear to me whether these write actions would be initiated by some internal configuration routines concocted by Canonical in writing Ubuntu or whether Amazon is somehow able to write files on the EBS store. I think the latter is unlikely because it is apparently possible to create an encrypted machine. Additionally, the only key that grants access to this machine is my personal private key which is not stored anywhere in Amazon's network.

Generally speaking, this machine is pretty pristine and I have little reason to expect any intrusion at this point. I have simply fired up a machine from the official Ubuntu AMI, installed a few packages (apache, php5, mysql client) all using apt-get, and I have manually installed samhain 3.1.1. That said, I think I'm mostly interested in establishing samhain rules that will reasonably ignore such changes so I don't get notifications without undermining the work that samhain is supposed to do. E.g., I could just add some IgnoreAll statements but that may not be the best way to go? Should I ignore the entire directory /var/lib/cloud or add individual files? Seems to me the filenames are not especially predictable, but possibly targetable with glob patterns. Also: Can I ever ignore /boot/grub/grubenv? That sounds like a pretty important file.

unSpawn · 07-08-2014, 05:54 PM

Quote:

Originally Posted by sneakyimp

(..) I'm guessing you don't particularly care to know and are just encouraging me to check out the permissions on these 55 locations.

Indeed. I'm trying to trigger you into thinking creatively about and efficiently investigating things.

Quote:

Originally Posted by sneakyimp

I'm not sure what gain this knowledge might bring as samhain won't tell me who has written a file, only that it has changed (e.g., missing, new, ctime changed, mtime changed). I've fiddled around and come up with a listing of all these files' owners and groups (cat files_to_check.txt | xargs sudo ls -dal) and they are pretty much ALL root:root except for a few exceptions:

Code:

-rw-------  1 postfix postfix       33 Jul  7 23:30 /var/lib/postfix/master.lock
-rw-r--r--  1 root    adm        16787 Jul  7 23:30 /var/log/dmesg
-rw-rw-r--  1 root    utmp      292876 Jul  7 23:30 /var/log/lastlog

So the short answer is that pretty much all of these files are owned by root and group-owned by root.

Exactly! So that, together with having verified integrity of the packages containing the binaries or scripts that write to those file locations and users of these processes should tell you it's verified OK. (The master.lock name speaks of itself and there's valid reasons why adm and utmp groups have those access rights on those files.)

Quote:

Originally Posted by sneakyimp

This is the essence of my question. Do I just deal with the notifications or is it safe to ignore changes to this directory somehow? E.g., we could change it to some other watch pattern than what it currently has

Sure, you could limit the amount of checks to whatever you like. You could for example:

Code:

[Attributes]
dir=/

which would mean just changes to ownership and access permissions will be checked and reported. Yes, you will loose some granularity but if that's a trade off because a machine gets rebooted often for example it's at least one made after thinking it through and knowing the consequences.

Quote:

Originally Posted by sneakyimp

Metadata? I'm not sure .

In the sense that a directory inode stores information about the files (remember the "everything is a file" mantra) it contains.

Quote:

Originally Posted by sneakyimp

I also don't know what writes /boot/grub/grubenv or what writes to /var/lib/cloud.

See "/etc/init.d/grub-common", The GRUB environment block and cloud-init.

Quote:

Originally Posted by sneakyimp

(..) Generally speaking, this machine is pretty pristine and I have little reason to expect any intrusion at this point.

Indeed, but then this thread isn't so much about investigating a breach as it is about getting to know your system, its tools and how they work. See it as an investment honing your admin skills.

Quote:

Originally Posted by sneakyimp

That said, I think I'm mostly interested in establishing samhain rules that will reasonably ignore such changes so I don't get notifications without undermining the work that samhain is supposed to do. E.g., I could just add some IgnoreAll statements but that may not be the best way to go? Should I ignore the entire directory /var/lib/cloud or add individual files? Seems to me the filenames are not especially predictable, but possibly targetable with glob patterns. Also: Can I ever ignore /boot/grub/grubenv? That sounds like a pretty important file.

Something like this?:

Code:

[Attributes]
file=/
file=/run
file=/var/lib/cloud
dir=-1/
dir=-1/run
dir=-1/var/lib/cloud
file=/boot/grub/grubenv
file=/var/state/samhain/samhain_file

[LogFiles]
/var/log/samhain/samhain.log.lock
/var/lib/plymouth/boot-duration
/var/lib/postfix/master.lock
/var/lib/update-notifier/fsck-at-reboot

[GrowingLogFiles]
/var/log/boot.log
/var/log/dmesg
/var/log/lastlog
/var/log/udev
/var/log/upstart/acpid.log
/var/log/upstart/console-setup.log
/var/log/upstart/container-detect.log
/var/log/upstart/cryptdisks.log
/var/log/upstart/hwclock-save.log
/var/log/upstart/network-interface-eth0.log
/var/log/upstart/networking.log
/var/log/upstart/pollinate.log
/var/log/upstart/procps-static-network-up.log
/var/log/upstart/procps-virtual-filesystems.log
/var/log/upstart/rsyslog.log
/var/log/upstart/systemd-logind.log
/var/log/upstart/ttyS0.log

Please see the manual about file check policies and how to interpret the above.