I'm getting tons upon tons of samhain notices and I've been picking through them hoping to determine if there's really anything wrong. One of the greatest sources of spurious notifications is the sess_* files created by apache in /var/lib/php5. Some example filenames:
Code:
-rw------- 1 www-data www-data 202 Feb 9 21:17 sess_vdp08n6gnm7v46m4p34qk20641
-rw------- 1 www-data www-data 160 Feb 9 21:28 sess_vpemr9har228gmrvccuo3k1g76
-rw------- 1 www-data www-data 50 Feb 9 21:22 sess_vuv83getivrgjo7imn7v5k1uu5
I cannot seem to determine how to edit my /etc/samhain/samhainrc files to prevent notifications when these files are created, modified, and deleted. The directive in the samhainrc file that calls for these notifications is apparently this one:
Code:
[ReadOnly]
dir = 99/var
which, if I'm not mistaken, says that the /var directory is to be read-only so any changes should trigger a report UNLESS one of the subsequent exceptions countermands this directive. I have in fact added a couple of ignore directives hoping to prevent the notifications:
Code:
[IgnoreAll]
# all kinds of dir directives here
# this doesn't work
file = /var/lib/php5/sess_*
# recently added this one which doesn't work either
dir = /var/lib/php5/sess_*
I only just added that last directive a few minutes ago. Prior to adding it, I was getting (and I believe I still am) notifications like this one:
Code:
-----BEGIN MESSAGE-----
2016-02-09T18:53:01+0000 some-hostname.ec2.internal
<log sev="CRIT" tstamp="2016-02-09T18:52:47+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/php5" ctime_old="2016-02-09T15:50:18" ctime_new="2016-02-09T16:39:04" mtime_old="2016-02-09T15:50:18" mtime_new="2016-02-09T16:39:04" />
-----BEGIN SIGNATURE-----
6BDB4C19F3778FE68D638FDE65F121EFA787A944E63D507F
000678 1447117289::some-hostname.ec2.internal
-----END MESSAGE-----
Then if I refresh my samhain log file and catalog and restart samhain, I might get a dozen notifications like this:
Code:
-----BEGIN MESSAGE-----
2016-02-09T21:07:36+0000 some-hostname.ec2.internal
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0lkqer22tljq2af6d4fck7irr7" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0gbcmpv5rhj1955q19msnd7ib1" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0fg2nps8v4ci8m0o3s7buiplk1" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0fd8squb717siqqbravtomhv31" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0e71o8e9kf42vocvdglne2ltc0" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0caj76bhn387m166gh8mehd2n0" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0btk0ovauk8t48ioradmbc0fh1" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_08ddnl3ii6tbnhn9pjgdsre675" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_06ta137npbk19olkmopl3k86s0" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_05c0p7qs6tna87va34bnfuha64" />
-----BEGIN SIGNATURE-----
97A44019EE9BC11BEE479C35A7144974BA5B7E3B6843E926
000002 1455051774::some-hostname.ec2.internal
-----END MESSAGE-----
I believe these files are clearly benign. How can I prevent the samhain notifications? I would consider adding an ignoreall for /var/lib/php5 but there is one other directory in there which seems to need monitoring, namely /var/lib/php5/modules.
Any help would be much appreciated.
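Whatever the eventual samhainrc fix, the notices already collected still have to be triaged, and the two message shapes quoted above make that mechanical: a POLICY NODIRECTORY line for a path matching the PHP session-file name, or a POLICY [ReadOnly] line on /var/lib/php5 itself whose only changed attributes are ctime and mtime, is session churn; anything else (a path under /var/lib/php5/modules, a sess_ name that is not a session id, a directory report with other attributes changed) is kept for a human. The script below is an added example and not part of the post; it parses the `<log ... />` lines in the format shown, and it assumes PHP's default session ids (26 characters from 0-9a-v), which is what the names in the post look like. The sample lines are constructed; the first three mirror the post, the last two are invented to exercise the review path.

```python
import re
from collections import Counter

# Constructed sample in the shape of the samhain notices quoted in the post.
# The first three lines mirror the post; the last two are made up to show how
# a path outside the session-file pattern is kept for review.
SAMPLE_LOG = """\
<log sev="CRIT" tstamp="2016-02-09T18:52:47+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/php5" ctime_old="2016-02-09T15:50:18" ctime_new="2016-02-09T16:39:04" mtime_old="2016-02-09T15:50:18" mtime_new="2016-02-09T16:39:04" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_0lkqer22tljq2af6d4fck7irr7" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_05c0p7qs6tna87va34bnfuha64" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/modules/example.ini" />
<log sev="CRIT" tstamp="2016-02-09T21:07:36+0000" msg="POLICY NODIRECTORY" path="/var/lib/php5/sess_not-a-session-id" />
"""

SESSION_DIR = "/var/lib/php5"
# Assumption: PHP's default session ids, 26 characters from the base-32
# alphabet 0-9a-v (session.hash_bits_per_character=5), as in the post's names.
SESSION_FILE = re.compile(r"^/var/lib/php5/sess_[0-9a-v]{26}$")
LOG_LINE = re.compile(r"^\s*<log\s+(.*?)\s*/>\s*$")
ATTRIBUTE = re.compile(r'(\w+)="([^"]*)"')


def parse_log_line(line):
    """Return the attributes of one <log ... /> line as a dict, or None for other lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return dict(ATTRIBUTE.findall(m.group(1)))


def classify(entry):
    """Label one parsed notice as expected session churn or as needing review."""
    path = entry.get("path", "")
    msg = entry.get("msg", "")
    if SESSION_FILE.match(path):
        # sess_<id> files appear and vanish as PHP creates and garbage-collects sessions
        return "session-file"
    if path == SESSION_DIR and msg.startswith("POLICY [ReadOnly]"):
        # Every *_old attribute names something that changed on the directory itself.
        changed = {k[:-4] for k in entry if k.endswith("_old")}
        if changed and changed <= {"ctime", "mtime"}:
            # Creating or deleting a session file only bumps the directory's timestamps
            return "session-dir-timestamps"
    # Anything else (modules/, odd sess_ names, other directory attributes) needs a look
    return "review"


def triage(text):
    """Count notices per label and return the paths that still need a human."""
    counts = Counter()
    review = []
    for line in text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        label = classify(entry)
        counts[label] += 1
        if label == "review":
            review.append(entry.get("path", ""))
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{label:24s} {n}")
    for path in review:
        print("REVIEW", path)
```

Feed it the body of a real notice (everything between the BEGIN MESSAGE and BEGIN SIGNATURE lines) and only the review list needs attention; the pattern is deliberately strict, so a sess_ name that does not look like a PHP session id is surfaced rather than silently dropped.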