Home / server / Questions / 936248
In Process
Richard Downer
Asked: 2018-10-19 15:09:20 +0800 CST

Can Samhain monitor for a file that does not exist, but might in future?

  • 772

I would like Samhain to monitor a file, say for example, /root/somefile. This file does not currently exist, but I would like to be notified if it gets created at any point.

I add this to samhainrc:

[ReadOnly]
file = /root/somefile

This causes Samhain to emit these log entries:

Oct 18 22:54:04 ip-172-31-24-115 Samhain[17123]: CRIT   :  [2018-10-18T22:54:04+0000] interface=<lstat>, msg=<No such file or directory>, userid=<0>, path=</root/somefile>
Oct 18 22:54:04 ip-172-31-24-115 Samhain[17123]: CRIT   :  [2018-10-18T22:54:04+0000] msg=<POLICY MISSING>, path=</root/somefile>
Oct 18 22:54:19 ip-172-31-24-115 Samhain[17157]: INFO   :  [2018-10-18T22:54:19+0000] msg=<Checking       [ReadOnly]>, path=</root/somefile>
Oct 18 22:54:19 ip-172-31-24-115 Samhain[17157]: NOTICE :  [2018-10-18T22:54:19+0000] msg=<Check failed>, path=</root/somefile>

And if I create this file with echo test > /root/somefile, then I do not get any policy violations logged - the addition of this file has been unnoticed.

How can I configure Samhain to notify me if a previously non-existent file of interest gets created?

The IgnoreMissing configuration option would appear at first glance to be useful, but it is not. With IgnoreMissing = /root/somefile in samhainrc, there is no change in behaviour. It seems that this option is intended for files that are expected to go missing later - it suppresses an alert if a file used to exist, but now does not, for example if an automated process deletes files that are out of date.

Although /root/somefile is obviously made up in this case, an example of where a non-existent file suddenly starts to exist is if the file /home/someuser/.ssh/authorized_keys did not previously exist but then suddenly does exist - this could be a malicious user who exploited something to drop a backdoor allowing them to log on as a shell user. This is something I would like to be alerted about.

It is possible to use dir = /home/someuser/.ssh to monitor all changes in the user's .ssh folder, but this is unhelpful: if it's normal for the user to use SSH in their account, their .ssh/known_hosts file may change, they may change their ssh_config, etc., and I do not want to be alerted by those. Therefore I don't want to monitor the whole directory apart from some whitelisted file; I want to leave the directory unmonitored apart from specific, critical files.

linux

1 Answers

  1. If I correct understand, you need monitor all files in dir ,except some files or subdirs:

    You can try next:

    [ReadOnly] 
    #
    dir=/home/someuser/.ssh 
    # 
    [Attributes] 
    # 
    # less restrictive policy for the directory file itself 
    # 
    file=/home/someuser/.ssh 
    # 
    [IgnoreAll] 
    # 
    # exclude these file and directories 
    #
    file=/home/someuser/.ssh/known_hosts
    #dir=-1/etc/calendar
    #

    More information https://www.la-samhna.de/samhain/manual/all-except.html

    • 0