Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I suspect that the first line is due to my having changed the config file. However, I cannot understand the messages about /etc/cups and its subdirectories. It appears they are related to cupsd, the Common Unix Printing System daemon. However, I am not doing any printing from the server involved.
Should I zap that directory or should I white list it in /etc/samhain/samhainrc?
OtagoHarbour@app-server:~$ ls -idl /etc/cups
2884304 drwxr-xr-x 4 root lp 4096 Oct 17 20:43 /etc/cups
OtagoHarbour@app-server:~$ ls -idl /etc/cups/subscriptions.conf
2891300 -rw-r----- 1 root lp 389 Oct 17 20:43 /etc/cups/subscriptions.conf
Looks a bit scary since I don't have a printer hooked up and I haven't installed anything, or updated, that recently. Could it just be looking for a printer?
mtime changes mean file contents were modified and ctime changes mean the files (or parent directory) inode were modified (ownership, access permissions, etc, etc). The reason for that can be anything from CUPS automagical configuration on boot, updating software or due to accessing some printer or other control panel. The obvious problem with IDSes is that they do not record such process details that would help you determine the cause. Should you wish to find out more about the process in the future then you could place a watch using SELinux (see 'man auditctl' and /etc/audit/audit.rules) if you use that or, in a more distro-agnostic way, using Inotify.
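To make the mtime/ctime distinction in the reply above concrete, here is an added example (not code from the thread or from Samhain). It creates a constructed sample file in a temporary directory, applies the three kinds of change seen in the report (a permission change, a content rewrite, and a new entry appearing in the directory, as with subscriptions.conf.O), and names which timestamp each one moved. It assumes GNU stat (Linux); nothing under /etc/cups is touched.

```shell
#!/bin/sh
# Added example, not from the thread: which stat() timestamp moves for which change.
# Uses a constructed file in a temp dir. Requires GNU stat: %Y = mtime, %Z = ctime
# (both whole seconds, so each step is separated by a one-second sleep).

# Print "<mtime> <ctime>" for one path.
file_times() {
    stat -c '%Y %Z' "$1"
}

# Compare two "<mtime> <ctime>" strings and name the timestamps that changed.
# Prints one of: none, mtime-only, ctime-only, mtime+ctime
changed_fields() {
    set -- $1 $2            # split into: old mtime, old ctime, new mtime, new ctime
    m=no; c=no
    [ "$1" != "$3" ] && m=yes
    [ "$2" != "$4" ] && c=yes
    case "$m$c" in
        nono)   echo none ;;
        yesno)  echo mtime-only ;;
        noyes)  echo ctime-only ;;
        yesyes) echo mtime+ctime ;;
    esac
}

# Walk through three changes and return one summary line:
#   perm:<fields> content:<fields> newentry:<fields>
demo_timestamps() {
    dir=$(mktemp -d)
    f="$dir/sample.conf"              # constructed stand-in for subscriptions.conf
    printf 'Expiration 1\n' > "$f"
    before=$(file_times "$f")

    sleep 1
    chmod 640 "$f"                    # inode-only change: permissions
    after=$(file_times "$f")
    perm=$(changed_fields "$before" "$after")

    before=$after; sleep 1
    printf 'Expiration 2\n' > "$f"    # content change: data rewritten
    after=$(file_times "$f")
    content=$(changed_fields "$before" "$after")

    dbefore=$(file_times "$dir"); sleep 1
    cp "$f" "$dir/sample.conf.O"      # new directory entry, like subscriptions.conf.O
    dafter=$(file_times "$dir")
    newentry=$(changed_fields "$dbefore" "$dafter")

    rm -rf "$dir"
    echo "perm:$perm content:$content newentry:$newentry"
}

demo_timestamps
```

Expected summary: a chmod moves only ctime, rewriting the file moves both mtime and ctime, and creating a new entry moves the parent directory's mtime and ctime, which is exactly the pattern of a daemon rotating its own state file. To learn which process did it next time, a watch such as `auditctl -w /etc/cups -p wa -k cups-conf` on a host running auditd records the writing process in the audit log.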
I don't have auditctl on my system, but I did notice the following.
Code:
OtagoHarbour@app-server:~$ ls -lrt /etc/cups
total 48
drwxr-xr-x 2 root lp 4096 Mar 18 2013 ppd
-rw-r--r-- 1 root root 160 Mar 18 2013 snmp.conf
-rw-r--r-- 1 root root 2912 Mar 18 2013 cups-files.conf
-rw-r--r-- 1 root root 4663 Mar 18 2013 cupsd.conf.default
-rw-r--r-- 1 root root 211 May 26 00:05 raw.types
-rw-r--r-- 1 root root 240 May 26 00:05 raw.convs
drwx------ 2 root lp 4096 May 26 00:05 ssl
-rw-r--r-- 1 root root 4663 May 26 00:05 cupsd.conf
-rw-r----- 1 root lp 389 Oct 27 07:14 subscriptions.conf.O
-rw-r----- 1 root lp 389 Oct 27 08:13 subscriptions.conf
OtagoHarbour@app-server:~$
(May, 2013 was when I installed the Debian system.)
Since the inode at least is changing so rapidly, I made a backup of the subscriptions.conf and subscriptions.conf.O files and used diff to see how they had changed from 24 hours ago. The only thing that had changed was the Expiration time. It seems like it could be just looking for a printer, although I do not have a printer connected. The files themselves do not appear to be malware. Should I whitelist them on Samhain?