LinuxQuestions.org
Old 10-14-2013, 08:46 PM   #1
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Samhain: path=</etc/cups>


I set Samhain up on Debian 7.0 with the default configuration except that I added

Code:
[IgnoreAll]
dir=-1/selinux
dir=-1/sys
dir=-1/srv
dir=-1/dev
dir=-1/lost+found
and

Code:
TrustedUser = OtagoHarbour
to

Code:
/etc/samhain/samhainrc
I tried checking the log file using

sudo more /var/log/samhain/samhain.log | grep CRIT | more

and got

Code:
CRIT : [2013-09-29T07:35:17-0400] msg=<Runtime configuration reloaded>
CRIT : [2013-09-29T08:22:36-0400] msg=<POLICY [ReadOnly] --------T->, path=</etc/cups>, ctime_old=<[2013-09-29T09:29:56]>, ctime_new=<[2013-09-29T11:26:36]>, mtime_old=<[2013-09-29T09:29:56]>, mtime_new=<[2013-09-29T11:26:36]>,
CRIT : [2013-09-29T08:22:36-0400] msg=<POLICY [ReadOnly] C--I----T->, path=</etc/cups/subscriptions.conf.O>, inode_old=<2891313>, inode_new=<2891312>, dev_old=<8,1>, dev_new=<8,1>, ctime_old=<[2013-09-29T09:29:56]>, ctime_new=<[2013-09-29T11:26:36]>, mtime_old=<[2013-09-29T08:31:36]>, mtime_new=<[2013-09-29T10:28:16]>, chksum_old=<7ADB26FCB3CAC28026CC53AB399969D6BC6425DB13BEFF13>, chksum_new=<0E5ACD94A33DFCC6B483A540FD1BE7FA4696A95AC14EB426>,
CRIT : [2013-09-29T08:22:36-0400] msg=<POLICY [ReadOnly] C--I----T->, path=</etc/cups/subscriptions.conf>, inode_old=<2891236>, inode_new=<2891313>, dev_old=<8,1>, dev_new=<8,1>, ctime_old=<[2013-09-29T09:29:56]>, ctime_new=<[2013-09-29T11:26:36]>, mtime_old=<[2013-09-29T09:29:56]>, mtime_new=<[2013-09-29T11:26:36]>, chksum_old=<7AB8089CC61FD59957D1DEC39B043B4FE13D2ACA36EEC2D3>, chksum_new=<AB2C9A7E74A706CD37A8514FA49EADE15A0B4797AC251678>,
I suspect that the first line is due to my having changed the config file. However, I cannot understand the messages about /etc/cups and its subdirectories. It appears they are related to cupsd, the Common Unix Printing System daemon. However, I am not doing any printing from the server involved.

Should I zap that directory or should I whitelist it in /etc/samhain/samhainrc?

Thanks,
OH
 
Old 10-16-2013, 01:41 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

First check if MAC time and inode changes were due to updates?
 
Old 10-17-2013, 10:26 PM   #3
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Quote:
First check if MAC time and inode changes were due to updates?
Code:
OtagoHarbour@app-server:/var/www$ stat /etc/cups
  File: `/etc/cups'
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d	Inode: 2884304     Links: 4
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    7/      lp)
Access: 2013-10-17 18:54:01.523754706 -0400
Modify: 2013-10-17 18:46:36.791770409 -0400
Change: 2013-10-17 18:46:36.791770409 -0400
 Birth: -
Code:
OtagoHarbour@app-server:/var/www$ stat /etc/cups/subscriptions.conf
  File: `/etc/cups/subscriptions.conf'
  Size: 389       	Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d	Inode: 2891434     Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (    7/      lp)
Access: 2013-10-17 18:54:01.523754706 -0400
Modify: 2013-10-17 18:46:36.599770416 -0400
Change: 2013-10-17 18:46:36.791770409 -0400
 Birth: -
Code:
OtagoHarbour@app-server:~$ ls -idl /etc/cups
2884304 drwxr-xr-x 4 root lp 4096 Oct 17 20:43 /etc/cups
OtagoHarbour@app-server:~$ ls -idl /etc/cups/subscriptions.conf
2891300 -rw-r----- 1 root lp 389 Oct 17 20:43 /etc/cups/subscriptions.conf
Looks a bit scary since I don't have a printer hooked up and I haven't installed anything, or updated, that recently. Could it just be looking for a printer?

Thanks,
OH.
 
Old 10-19-2013, 05:06 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

mtime changes mean file contents were modified and ctime changes mean the file's (or parent directory's) inode was modified (ownership, access permissions, etc, etc). The reason for that can be anything from CUPS automagical configuration on boot, updating software or due to accessing some printer or other control panel. The obvious problem with IDSes is that they do not record such process details that would help you determine the cause. Should you wish to find out more about the process in the future then you could place a watch using SELinux (see 'man auditctl' and /etc/audit/audit.rules) if you use that or, in a more distro-agnostic way, using Inotify.
 
Old 10-27-2013, 07:56 AM   #5
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Sorry again about my slow reply.

Quote:
Originally Posted by unSpawn
mtime changes mean file contents were modified and ctime changes mean the file's (or parent directory's) inode was modified (ownership, access permissions, etc, etc). The reason for that can be anything from CUPS automagical configuration on boot, updating software or due to accessing some printer or other control panel. The obvious problem with IDSes is that they do not record such process details that would help you determine the cause. Should you wish to find out more about the process in the future then you could place a watch using SELinux (see 'man auditctl' and /etc/audit/audit.rules) if you use that or, in a more distro-agnostic way, using Inotify.
I don't have auditctl on my system, but I did notice the following.

Code:
OtagoHarbour@app-server:~$ ls -lrt /etc/cups
total 48
drwxr-xr-x 2 root lp   4096 Mar 18  2013 ppd
-rw-r--r-- 1 root root  160 Mar 18  2013 snmp.conf
-rw-r--r-- 1 root root 2912 Mar 18  2013 cups-files.conf
-rw-r--r-- 1 root root 4663 Mar 18  2013 cupsd.conf.default
-rw-r--r-- 1 root root  211 May 26 00:05 raw.types
-rw-r--r-- 1 root root  240 May 26 00:05 raw.convs
drwx------ 2 root lp   4096 May 26 00:05 ssl
-rw-r--r-- 1 root root 4663 May 26 00:05 cupsd.conf
-rw-r----- 1 root lp    389 Oct 27 07:14 subscriptions.conf.O
-rw-r----- 1 root lp    389 Oct 27 08:13 subscriptions.conf
OtagoHarbour@app-server:~$
(May, 2013 was when I installed the Debian system.)

Code:
OtagoHarbour@app-server:~$ sudo cat /etc/cups/subscriptions.conf
# Subscription configuration file for CUPS v1.5.3
# Written by cupsd
NextSubscriptionId 3
<Subscription 2>
Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped
Owner OtagoHarbour
Recipient dbus://
LeaseDuration 3600
Interval 0
ExpirationTime 1382879565
NextEventId 1
</Subscription>
OtagoHarbour@app-server:~$
Code:
OtagoHarbour@app-server:~$ sudo cat /etc/cups/subscriptions.conf.O
# Subscription configuration file for CUPS v1.5.3
# Written by cupsd
NextSubscriptionId 3
<Subscription 2>
Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped
Owner OtagoHarbour
Recipient dbus://
LeaseDuration 3600
Interval 0
ExpirationTime 1382876065
NextEventId 1
</Subscription>
OtagoHarbour@app-server:~$
Since the inode at least is changing so rapidly, I made a backup of the subscriptions.conf and subscriptions.conf.O files and used diff to see how they had changed from 24 hours ago. The only thing that had changed was the ExpirationTime. It seems like it could be just looking for a printer although I do not have a printer connected. The files themselves do not appear to be malware. Should I whitelist them on Samhain?

Thanks,
OH.
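As an added example (not code from the thread or from Samhain), here is a small Python triage helper for CRIT lines like the ones quoted in posts #1 and #5: it parses the key=<value> fields, lists which attributes differ between old and new, and separates an in-place edit (checksum changed, same inode) from a file that was replaced by write-new-then-rename (inode changed), which is the pattern cupsd's rewrite of subscriptions.conf and its .O backup shows. The sample lines are constructed from the thread's output with the checksums shortened to placeholders.

```python
import re

# Constructed sample modelled on the Samhain output quoted in the thread
# (checksum values replaced by short constructed placeholders).
SAMPLE_LOG = """\
CRIT : [2013-09-29T07:35:17-0400] msg=<Runtime configuration reloaded>
CRIT : [2013-09-29T08:22:36-0400] msg=<POLICY [ReadOnly] --------T->, path=</etc/cups>, ctime_old=<[2013-09-29T09:29:56]>, ctime_new=<[2013-09-29T11:26:36]>, mtime_old=<[2013-09-29T09:29:56]>, mtime_new=<[2013-09-29T11:26:36]>,
CRIT : [2013-09-29T08:22:36-0400] msg=<POLICY [ReadOnly] C--I----T->, path=</etc/cups/subscriptions.conf>, inode_old=<2891236>, inode_new=<2891313>, dev_old=<8,1>, dev_new=<8,1>, ctime_old=<[2013-09-29T09:29:56]>, ctime_new=<[2013-09-29T11:26:36]>, mtime_old=<[2013-09-29T09:29:56]>, mtime_new=<[2013-09-29T11:26:36]>, chksum_old=<OLDSUM0001>, chksum_new=<NEWSUM0002>,
"""

LINE_RE = re.compile(r"^(?P<level>\w+)\s*:\s*\[(?P<ts>[^\]]+)\]\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=<([^>]*)>")

def parse_line(line):
    """Split one Samhain log line into level, timestamp and its key=<value> fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {"level": m.group("level"), "ts": m.group("ts"), "fields": fields}

def changed_attributes(fields):
    """Names of attributes whose _old and _new values differ (e.g. inode, chksum)."""
    return sorted(k[:-4] for k, old in fields.items()
                  if k.endswith("_old") and fields.get(k[:-4] + "_new", old) != old)

def triage(entry):
    """Verdict for one entry: 'info' (no POLICY violation), 'replaced' (inode changed:
    a new file object was moved over the path), 'modified' (checksum changed in place)
    or 'metadata' (only timestamps/ownership changed; contents intact)."""
    fields = entry["fields"]
    if not fields.get("msg", "").startswith("POLICY"):
        return "info"
    changed = changed_attributes(fields)
    if "inode" in changed:
        return "replaced"
    if "chksum" in changed:
        return "modified"
    return "metadata"

def triage_log(text):
    """(path, verdict, changed attributes) for every parsable line of a Samhain log."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return [(e["fields"].get("path"), triage(e), changed_attributes(e["fields"])) for e in entries]

if __name__ == "__main__":
    for path, verdict, changed in triage_log(SAMPLE_LOG):
        print(f"{verdict:9} {path} changed={changed}")
```

A 'replaced' verdict on a file that should only ever be edited in place (or a 'modified' one on a file that no daemon rewrites) is the case worth diffing against a known-good copy, as the poster did with the .O backup.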
 