LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
06-15-2017, 05:58 PM   #1
sneakyimp
Senior Member
Registered: Dec 2004
Posts: 1,056
samhain reporting and rotated logs


I'm getting too many notifications from samhain -- it's generating so much email. I'm hoping someone might help me solve two problems:

Problem 1 - mysql log notifications
I received a notification email today with these two entries:
Code:
<log sev="CRIT" tstamp="2017-06-15T08:17:19+0000" msg="POLICY [GrowingLogs] ---I------" path="/var/log/mysql/error.log" inode_old="12146" inode_new="2400"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:03+0000" msg="POLICY [GrowingLogs] ---I------" path="/var/log/mysql.log" inode_old="1004" inode_new="330"  />
The GrowingLogs policy seems like a logical place for these, but the logs do get rotated occasionally by the logrotate daemon -- as far as I can tell, it is this totally normal rotation of log files that is causing the notification. There is a note to this effect in the default samhainrc file:
Code:
[GrowingLogFiles]
##
## For these files, changes in signature, timestamps, and increase in size
## are ignored. Logfile rotation will cause a report because of shrinking
## size and different inode.
##
dir = 99/var/log
I'm tempted to just change GrowingLogFiles to LogFiles which, according to the samhain docs, is a valid "monitoring policy", but I'm pretty confused by the structure of the samhainrc document and don't want to break what looks like a pretty fundamental directive.

Seems fairly safe to me to just change /var/log to LogFiles instead of GrowingLogFiles. I hope that someone more experienced might help me do the right thing here.

Problem 2 - automated apt cron job notifications
I received some other notifications today too:
Code:
<log sev="CRIT" tstamp="2017-06-15T08:17:02+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt-xapian-index/update-timestamp" ctime_old="2017-06-14T06:37:11" ctime_new="2017-06-15T06:49:54" mtime_old="2017-06-14T06:36:54" mtime_new="2017-06-15T06:49:36"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:02+0000" msg="POLICY [ReadOnly] C--I----TS" path="/var/lib/apt-xapian-index/cataloged_times.p" inode_old="964" inode_new="780" size_old="2314158" size_new="2316071" ctime_old="2017-06-14T06:37:10" ctime_new="2017-06-15T06:49:51" mtime_old="2017-06-14T06:37:10" mtime_new="2017-06-15T06:49:51" chksum_old="6E7218D37CC0849E4D6997779BF7B1C90B9F51E9A4E11EFE" chksum_new="08F83DF8C9316099BA9A182894331B8911668C58C6A4D339"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:02+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt-xapian-index" ctime_old="2017-06-14T06:37:11" ctime_new="2017-06-15T06:49:54" mtime_old="2017-06-14T06:37:11" mtime_new="2017-06-15T06:49:54"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:00+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt/periodic/update-stamp" ctime_old="2017-06-14T06:36:54" ctime_new="2017-06-15T06:49:36" mtime_old="2017-06-14T06:36:54" mtime_new="2017-06-15T06:49:36"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:00+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt/periodic/update-success-stamp" ctime_old="2017-06-14T06:36:50" ctime_new="2017-06-15T06:49:33" mtime_old="2017-06-14T06:36:50" mtime_new="2017-06-15T06:49:33"  />
I don't know what process affects these files or what this might mean. In this case, I don't think modifying the samhainrc file would do the trick. Seems like I should disable this cron job?

Thoughts? Any advice much appreciated.
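As an added example (not code from the post, and not part of samhain itself), here is a small Python triage filter for the report lines quoted above. It parses samhain's `<log ... />` attributes, decodes the ten-character change string, and sorts each report into expected churn (log rotation under /var/log, apt's periodic stamps and the apt-xapian index) or something to review. Assumptions: the decoding of positions C, I, T and S is taken from the flag strings in the quoted reports; the volatile-path table reflects a Debian/Ubuntu host, where apt's daily job touches the files under /var/lib/apt/periodic/ and update-apt-xapian-index rebuilds /var/lib/apt-xapian-index; the last two sample lines are constructed to exercise the review paths and did not appear in the post.

```python
"""Triage samhain policy reports: expected churn versus changes to review.

Added example, not from the forum post or the samhain project. The first seven
sample lines are the reports quoted in the post; the last two are constructed.
"""
import re
from collections import Counter

# samhain report lines are <log attr="value" ... />; pull out the attributes.
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# msg looks like: POLICY [GrowingLogs] ---I------
POLICY_RE = re.compile(r'POLICY \[(\w+)\] ([-A-Z]{10})')

# Position -> meaning of the change string, for the four letters seen in the
# quoted reports (checksum, inode, timestamps, size). Other positions are kept
# as their raw letter so an unexpected change type is never silently accepted.
FLAG_NAMES = {0: "checksum", 3: "inode", 8: "timestamps", 9: "size"}

LOG_PREFIX = "/var/log/"
# Paths that churn by design on a Debian/Ubuntu host (assumption; adjust per host).
# None means any change is expected there; a set restricts the accepted changes.
VOLATILE = {
    "/var/lib/apt/periodic/": {"timestamps"},   # stamp files are only ever touched
    "/var/lib/apt-xapian-index": None,          # index is rebuilt wholesale
}


def parse_report(line):
    """Return the line's attributes plus decoded 'policy' and 'changes'."""
    rec = dict(ATTR_RE.findall(line))
    m = POLICY_RE.search(rec.get("msg", ""))
    if not m:
        return None
    rec["policy"] = m.group(1)
    flags = m.group(2)
    rec["changes"] = {FLAG_NAMES.get(i, ch) for i, ch in enumerate(flags) if ch != "-"}
    return rec


def classify(rec):
    """Map one parsed report to a triage verdict."""
    path = rec.get("path", "")
    changes = rec["changes"]
    # logrotate leaves a new inode (and a smaller file) behind; that is what the
    # GrowingLogFiles policy cannot ignore, so accept only inode/size/time there.
    if (rec["policy"] == "GrowingLogs" and path.startswith(LOG_PREFIX)
            and changes <= {"inode", "size", "timestamps"}):
        return "rotation"
    for prefix, allowed in VOLATILE.items():
        if path.startswith(prefix):
            if allowed is None or changes <= allowed:
                return "apt-periodic"
            # e.g. a checksum change on a stamp file that should only be touched
            return "review:unexpected-change"
    if "checksum" in changes:
        return "review:content-changed"
    return "review"


def triage(lines):
    """Return [(path, verdict), ...] for every parseable report line."""
    out = []
    for line in lines:
        rec = parse_report(line)
        if rec is not None:
            out.append((rec.get("path", ""), classify(rec)))
    return out


def summarize(lines):
    """Count verdicts, which is what you want in the digest instead of raw lines."""
    return Counter(verdict for _, verdict in triage(lines))


SAMPLE_REPORTS = [
    # The seven reports quoted in the post.
    '<log sev="CRIT" tstamp="2017-06-15T08:17:19+0000" msg="POLICY [GrowingLogs] ---I------" path="/var/log/mysql/error.log" inode_old="12146" inode_new="2400"  />',
    '<log sev="CRIT" tstamp="2017-06-15T08:17:03+0000" msg="POLICY [GrowingLogs] ---I------" path="/var/log/mysql.log" inode_old="1004" inode_new="330"  />',
    '<log sev="CRIT" tstamp="2017-06-15T08:17:02+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt-xapian-index/update-timestamp" ctime_old="2017-06-14T06:37:11" ctime_new="2017-06-15T06:49:54" mtime_old="2017-06-14T06:36:54" mtime_new="2017-06-15T06:49:36"  />',
    '<log sev="CRIT" tstamp="2017-06-15T08:17:02+0000" msg="POLICY [ReadOnly] C--I----TS" path="/var/lib/apt-xapian-index/cataloged_times.p" inode_old="964" inode_new="780" size_old="2314158" size_new="2316071" chksum_old="6E7218D37CC0849E4D6997779BF7B1C90B9F51E9A4E11EFE" chksum_new="08F83DF8C9316099BA9A182894331B8911668C58C6A4D339"  />',
    '<log sev="CRIT" tstamp="2017-06-15T08:17:02+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt-xapian-index" ctime_old="2017-06-14T06:37:11" ctime_new="2017-06-15T06:49:54"  />',
    '<log sev="CRIT" tstamp="2017-06-15T08:17:00+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt/periodic/update-stamp" mtime_old="2017-06-14T06:36:54" mtime_new="2017-06-15T06:49:36"  />',
    '<log sev="CRIT" tstamp="2017-06-15T08:17:00+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt/periodic/update-success-stamp" mtime_old="2017-06-14T06:36:50" mtime_new="2017-06-15T06:49:33"  />',
    # Constructed: a content change on a config file must surface for review.
    '<log sev="CRIT" tstamp="2017-06-15T08:17:05+0000" msg="POLICY [ReadOnly] C-------T-" path="/etc/ssh/sshd_config" chksum_old="AAAA" chksum_new="BBBB"  />',
    # Constructed: a stamp file that changed content, not just its timestamps.
    '<log sev="CRIT" tstamp="2017-06-15T08:17:06+0000" msg="POLICY [ReadOnly] C-------T-" path="/var/lib/apt/periodic/update-stamp" chksum_old="CCCC" chksum_new="DDDD"  />',
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REPORTS):
        print(f"{verdict:26} {path}")
    print(dict(summarize(SAMPLE_REPORTS)))
```

The point of the allowlist shape is that it names both a path prefix and the change types expected there: the apt stamp files are accepted only for timestamp changes, so a checksum change on one of them still reaches a human, while nothing outside the listed prefixes is ever suppressed. That keeps the daily apt job (and the security updates it fetches) running while removing it from the daily digest.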