Judging samhain notifications. Are these problematic? If not, I could use config help
I've got an Amazon EC2 instance running Ubuntu 14.04. I've installed samhain for file integrity monitoring and have noticed that I get quite a few notifications every time I reboot this virtual machine. I've made some tweaks that I feel fairly comfortable with, but I'd like some help looking at these most recent notifications to make sure they are acceptable and, if they are, then I'd like to tweak my samhain rc configuration so that I don't get email for them -- but I don't want to defeat the purpose of samhain by instituting rules that are too permissive.
See the attached text file for about 8 emailed messages I received from samhain. I did a little grep search and some sorting and have distilled the paths complained about in these messages down to this list of files/dirs:
Code:
/
Any help would be much appreciated. I want to a) check if any of these messages should cause me concern, and b) generate samhainrc config rules to prevent any of these notifications that I should not be concerned about.
Basic first question is "who is allowed to write to what directory or file?", should be clear for /var/log/ contents and files in /var/lib/{plymouth,postfix,update-notifier}/. In the case of "/" it's only change and modification time changing so from that you could conclude it's meta data, wrt one of the subdirectories being modified or created (my bet would be creation of dynamic "/run" directory), but I don't know what writes /boot/grub/grubenv or what writes to /var/lib/cloud.
Quote:
should be clear for /var/log/ contents and files in /var/lib/{plymouth,postfix,update-notifier}/.
Code:
-rw------- 1 postfix postfix 33 Jul 7 23:30 /var/lib/postfix/master.lock
Quote:
In the case of "/" it's only change and modification time changing so from that you could conclude it's meta data, wrt one of the subdirectories being modified or created (my bet would be creation of dynamic "/run" directory), but I don't know what writes /boot/grub/grubenv or what writes to /var/lib/cloud.
So you are suggesting that "/" is reported because its contents change? Seems to me then that "/" should be ignored (or partially ignored) because this is going to happen EVERY TIME the machine reboots if we are altering its contents. On the other hand, perhaps we still want to be notified because this is a very important directory and we want to know if some user/process is mucking around in there? This is the essence of my question. Do I just deal with the notifications or is it safe to ignore changes to this directory somehow? E.g., we could change it to some other watch pattern than what it currently has:
Code:
[ReadOnly]
Code:
$ sudo ls -al /
Generally speaking, this machine is pretty pristine and I have little reason to expect any intrusion at this point. I have simply fired up a machine from the official Ubuntu AMI, installed a few packages (apache, php5, mysql client) all using apt-get, and I have manually installed samhain 3.1.1. That said, I think I'm mostly interested in establishing samhain rules that will reasonably ignore such changes so I don't get notifications without undermining the work that samhain is supposed to do. E.g., I could just add some IgnoreAll statements, but that may not be the best way to go? Should I ignore the entire directory /var/lib/cloud or add individual files? Seems to me the filenames are not especially predictable, but possibly targetable with glob patterns. Also: Can I ever ignore /boot/grub/grubenv? That sounds like a pretty important file.
Code:
[Attributes]
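As an added example, not from this thread or from the samhain project, here is a samhainrc fragment that puts the paths discussed above under samhain's existing policy sections ([ReadOnly], [Attributes], [LogFiles], [IgnoreAll]) rather than silencing them outright. Which section suits each path is my assumption, to be checked against the actual notifications and the samhain manual, as are the depth value used for "/" and the reading that /var/lib/cloud is rewritten by cloud-init on each boot.

```ini
# Added example samhainrc fragment (not from the thread). Paths are the ones
# discussed above; the policy chosen for each is an assumption to verify.
# A more specific entry (file beats dir, longer path beats shorter) overrides
# a less specific one, so broad ReadOnly entries can stay in place.

[ReadOnly]
# Full check: content checksum, inode, owner, permissions, mtime and ctime.
# Everything under /boot stays here except the one file singled out below.
dir = /boot

[Attributes]
# Only ownership and permissions are reported; timestamp and content
# changes are not. For "/" this drops the ctime/mtime churn caused by /run
# being created at boot, while a chmod/chown on "/" would still alert.
# Assumption: depth -1 means "the directory inode only, not its contents";
# check the manual's dir=N/path description before relying on it.
dir = -1/
# /boot/grub/grubenv is rewritten at boot (Ubuntu's grub recordfail handling),
# so checksum/timestamp noise is expected, but owner and mode must not change.
file = /boot/grub/grubenv

[LogFiles]
# Logs grow and get rotated: timestamps, size and checksum are ignored,
# while owner, permissions and inode are still checked.
dir = 1/var/log

[IgnoreAll]
# Runtime state that changes on every boot. Only appearance/disappearance
# of the listed entries is still reported.
file = /var/lib/postfix/master.lock
dir = 2/var/lib/update-notifier
dir = 2/var/lib/plymouth
# Assumption: cloud-init repopulates /var/lib/cloud on each EC2 boot.
# If a blanket ignore feels too loose, move this entry to [Attributes].
dir = 3/var/lib/cloud
```

After editing, run samhain's own check on the new config (e.g. a one-shot check and a fresh baseline) and reboot once to confirm the remaining notifications are only the ones you still want to see.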