Samhain: path=</etc/cups>
I set Samhain up on Debian 7.0 with the default configuration except that I added
Code:
[IgnoreAll]
TrustedUser = OtagoHarbour
to /etc/samhain/samhainrc. I ran
Code:
sudo more /var/log/samhain/samhain.log | grep CRIT | more
and got
Code:
CRIT : [2013-09-29T07:35:17-0400] msg=<Runtime configuration reloaded>
Should I zap that directory or should I white list it in /etc/samhain/samhainrc? Thanks, OH
First check if MAC time and inode changes were due to updates?
Code:
OtagoHarbour@app-server:/var/www$ stat /etc/cups
Code:
OtagoHarbour@app-server:/var/www$ stat /etc/cups/subscriptions.conf
Code:
OtagoHarbour@app-server:~$ ls -idl /etc/cups
Thanks, OH.
mtime changes mean file contents were modified and ctime changes mean the file's (or parent directory's) inode was modified (ownership, access permissions, etc, etc). The reason for that can be anything from CUPS automagical configuration on boot, updating software or due to accessing some printer or other control panel. The obvious problem with IDSes is that they do not record such process details that would help you determine the cause. Should you wish to find out more about the process in the future then you could place a watch using SELinux (see 'man auditctl' and /etc/audit/audit.rules) if you use that or, in a more distro-agnostic way, using Inotify.
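To make the mtime/ctime/inode distinction in the reply above concrete, here is an added Python example (not Samhain's code and not from anyone in the thread) that snapshots a directory tree such as /etc/cups the way an integrity checker does and labels each later difference as contents modified, metadata only, or replaced (new inode); the directory and files it inspects are whatever the caller supplies, and POSIX stat semantics are assumed.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    inode: int
    mtime_ns: int
    ctime_ns: int
    mode: int
    uid: int
    gid: int


def snapshot(path):
    """Record the fields an IDS compares; lstat so symlinks are not followed."""
    st = os.lstat(path)
    return Snapshot(st.st_ino, st.st_mtime_ns, st.st_ctime_ns,
                    st.st_mode, st.st_uid, st.st_gid)


def baseline(root):
    """Snapshot root and every entry below it, keyed by path (like an IDS database)."""
    result = {root: snapshot(root)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            result[p] = snapshot(p)
    return result


def classify(before, after):
    """Explain a difference in the terms used in the thread."""
    reasons = []
    if before.inode != after.inode:
        # The path now names a different file, e.g. a package upgrade wrote
        # a new file and renamed it over the old one.
        reasons.append("replaced (new inode)")
    if before.mtime_ns != after.mtime_ns:
        # Contents written (for a directory: entries added/removed/renamed).
        reasons.append("contents modified (mtime)")
    elif before.ctime_ns != after.ctime_ns:
        # Inode changed but not contents: chmod/chown, link count, etc.
        reasons.append("metadata only (ctime)")
    if (before.mode, before.uid, before.gid) != (after.mode, after.uid, after.gid):
        reasons.append("mode/owner changed")
    return reasons


def compare(old, new):
    """Map each changed path to its reasons; added and removed entries included."""
    changes = {}
    for path in sorted(set(old) | set(new)):
        if path not in new:
            changes[path] = ["removed"]
        elif path not in old:
            changes[path] = ["added"]
        elif classify(old[path], new[path]):
            changes[path] = classify(old[path], new[path])
    return changes
```

Run `baseline()` once after a known-good install, and `compare()` against a fresh `baseline()` whenever the checker complains; a result of "metadata only (ctime)" with no mtime change is the chmod/chown-on-boot pattern, while "replaced (new inode)" usually points at a package update.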
Sorry again about my slow reply.
Code:
OtagoHarbour@app-server:~$ ls -lrt /etc/cups
Code:
OtagoHarbour@app-server:~$ sudo cat /etc/cups/subscriptions.conf
Code:
OtagoHarbour@app-server:~$ sudo cat /etc/cups/subscriptions.conf.O
Thanks, OH.