I would like Samhain to monitor a file, say for example, /root/somefile. This file does not currently exist, but I would like to be notified if it gets created at any point.

I add this to samhainrc:

[ReadOnly]
file = /root/somefile

This causes Samhain to emit these log entries:

Oct 18 22:54:04 ip-172-31-24-115 Samhain[17123]: CRIT   :  [2018-10-18T22:54:04+0000] interface=<lstat>, msg=<No such file or directory>, userid=<0>, path=</root/somefile>
Oct 18 22:54:04 ip-172-31-24-115 Samhain[17123]: CRIT   :  [2018-10-18T22:54:04+0000] msg=<POLICY MISSING>, path=</root/somefile>
Oct 18 22:54:19 ip-172-31-24-115 Samhain[17157]: INFO   :  [2018-10-18T22:54:19+0000] msg=<Checking       [ReadOnly]>, path=</root/somefile>
Oct 18 22:54:19 ip-172-31-24-115 Samhain[17157]: NOTICE :  [2018-10-18T22:54:19+0000] msg=<Check failed>, path=</root/somefile>

And if I create this file with echo test > /root/somefile, then I do not get any policy violations logged - the addition of this file has been unnoticed.

How can I configure Samhain to notify me if a previously non-existent file of interest gets created?


The IgnoreMissing configuration option would appear at first glance to be useful, but it is not. With IgnoreMissing = /root/somefile in samhainrc, there is no change in behaviour. It seems that this option is intended for files that are expected to go missing later - it suppresses an alert if a file used to exist, but now does not, for example if an automated process deletes files that are out of date.


Although /root/somefile is obviously made up in this case, an example of where a non-existent file suddenly starts to exist is if the file /home/someuser/.ssh/authorized_keys did not previously exist but then suddenly does exist - this could be a malicious user who exploited something to drop a backdoor allowing them to log on as a shell user. This is something I would like to be alerted about.

It is possible to use dir = /home/someuser/.ssh to monitor all changes in the user's .ssh folder, but this is unhelpful: if it's normal for the user to use SSH in their account, their .ssh/known_hosts file may change, they may change their ssh_config, etc., and I do not want to be alerted by those. Therefore I don't want to monitor the whole directory apart from some whitelisted file; I want to leave the directory unmonitored apart from specific, critical files.

Richard Downer
  • You might work around this by creating an empty file. In the case of `authorized_keys` this would work fine. – Michael Hampton Oct 19 '18 at 03:08
  • @MichaelHampton indeed, and this is the workaround that I have been using. It means I need to keep my setup script creating empty files synchronised with Samhain config - less than ideal but it does work. – Richard Downer Oct 19 '18 at 08:55

1 Answer

If I understand correctly, you need to monitor all files in a directory, except some files or subdirectories:

You can try the following:

[ReadOnly]
#
dir=/home/someuser/.ssh
#
[Attributes]
#
# less restrictive policy for the directory file itself
#
file=/home/someuser/.ssh
#
[IgnoreAll]
#
# exclude these files and directories
#
file=/home/someuser/.ssh/known_hosts
#dir=-1/etc/calendar
#

More information: https://www.la-samhna.de/samhain/manual/all-except.html

Ivan Gurzhiy
  • "If I correct understand, you need monitor all files in dir ,except some files or subdirs" - this is not correct. I do not want to monitor all files. I want to monitor one specific file (or a small number of files) with known, specific names, and ignore all other ones. e.g. in a user's home directory, I want to monitor `.bashrc`. I don't want to have to whitelist every single possible file a user might create in their home directory. The problem is that if `.bashrc` does not exist ahead of time, Samhain will not monitor it at all, and won't alert me if it is created later with hostile content. – Richard Downer Oct 29 '18 at 10:37
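The workaround discussed in the comments on the question (pre-create the critical files empty so that Samhain has a baseline entry for them and alerts when they are later written) can be driven from samhainrc itself, which removes the need to keep a separate setup script in sync with the Samhain config. The script below is an added example, not part of Samhain or of either post: it parses the `file =` entries under `[ReadOnly]` from the samhainrc path you give it (the section-header handling in awk is my assumption about the format) and creates whichever files are missing; the sample paths in the usage line are constructed.

```shell
#!/bin/sh
# Workaround script (added example, not part of Samhain): Samhain only baselines
# files that exist when it runs, so create the critical files named in the
# [ReadOnly] section of samhainrc as empty files if they are missing. Later
# writes to them (e.g. a dropped authorized_keys) then show up as changes.

# Print the value of every "file = path" line under [ReadOnly] in the config.
list_readonly_files() {
    awk '
        # A "[Section]" line switches sections; note whether it is [ReadOnly].
        /^[[:space:]]*\[/ { in_ro = ($0 ~ /^[[:space:]]*\[ReadOnly]/); next }
        # Inside [ReadOnly], strip "file =" and trailing blanks, print the path.
        in_ro && /^[[:space:]]*file[[:space:]]*=/ {
            sub(/^[[:space:]]*file[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
        }
    ' "$1"
}

# Create each missing file as an empty 0600 file and print the paths created.
# Missing parent directories (e.g. an absent ~/.ssh) are not created, because
# they need the account's ownership; that belongs in the provisioning script.
precreate_missing() {
    list_readonly_files "$1" | (
        umask 077
        while IFS= read -r path; do
            if [ ! -e "$path" ] && [ -d "$(dirname "$path")" ]; then
                : > "$path" && chmod 600 "$path" && printf '%s\n' "$path"
            fi
        done
    )
}

# Usage: sh precreate_monitored.sh /etc/samhainrc
# With no argument the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    precreate_missing "$1"
fi
```

Run it from the same provisioning step that installs samhainrc, before the Samhain baseline (`samhain -t init`) is taken, so every listed file is present at initialisation time.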