Not sure if there is an app like this yet. I want to keep tabs on my web applications and thought of using a 'page checker'.
I was thinking of either running a sum on the directory or each file... but thinking a simple date check would be fine.
The idea is the web application, except the uploads area for photos, never has changes to its files except when I change it.
However, if it gets injected or hacked, I would want to know right away.
So I'm thinking of running a script every minute looking for files where the date changed since 'x' date or something like that.
Anything out there like that?
thanks
Bob Hoffman wrote:
*snip*
Anything out there like that?
chkrootkit?
mark
Have you looked at inotify(7)? You'll need to do a bit of coding though.
Martin Rushton HPC System Manager, Weapons Technologies Tel: 01959 514777, Mobile: 07939 219057 email: jmrushton@QinetiQ.com www.QinetiQ.com QinetiQ - Delivering customer-focused solutions
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Bob Hoffman Sent: 21 June 2012 14:17 To: CentOS@centos.org Subject: [CentOS] reinventing the wheel? page checker
*snip*
Anything out there like that?
thanks
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
From: Bob Hoffman bob@bobhoffman.com
So thinking of running a script every minute looking for files where the date changed since 'x' date or something like that. Anything out there like that?
You have inotify that can monitor a directory for any change of the type you want. Or make a script that "md5"s the files and diff the results with a previous run:
find "$DIR" -type f -exec md5sum {} + | sort -k2
# quoting "$DIR" and letting find run md5sum itself keeps file names with spaces intact; sorting by path makes two runs diff cleanly
JD
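A fleshed-out version of the checksum-and-diff script JD describes, added here as an example; it is not code from the thread. It assumes a web root such as /var/www/html with an uploads subdirectory that should be ignored, and a baseline file kept somewhere the web server's user cannot write (the paths in the usage comments are placeholders). It hashes content rather than comparing dates, because an intruder who edits a file can put the old mtime back with touch but cannot keep the old hash.

```shell
#!/bin/sh
# webroot-integrity.sh: checksum baseline and compare for a web root.
#   webroot-integrity.sh baseline WEBROOT BASELINE_FILE [EXCLUDE_SUBDIR]
#   webroot-integrity.sh check    WEBROOT BASELINE_FILE [EXCLUDE_SUBDIR]
# "check" exits 0 when nothing changed and 1 otherwise, printing only the
# differences, so a cron job can mail/SMS its output whenever it is non-empty.

# Print "sha256  ./relative/path" for every regular file under $1, skipping
# the subdirectory $2 (the uploads area). Paths are relative to the web root
# so the same baseline can be checked against a pristine copy elsewhere.
# Content hashes are used instead of mtimes: an intruder can put an mtime
# back with touch, but cannot keep the old hash after editing the file.
snapshot() {
  root=$1; exclude=${2:-}
  ( cd "$root" && find . -type f ! -path "./${exclude:-.}/*" -exec sha256sum {} + ) \
    | LC_ALL=C sort -k2
}

# Compare a fresh snapshot with the baseline: one line per difference
# (ADDED, MODIFIED or REMOVED, then the path); return 1 if there were any.
# sha256sum prints 64 hex digits and two spaces, so the path starts at
# column 67; taking it with substr keeps names containing spaces intact.
check() {
  root=$1; baseline=$2; exclude=${3:-}
  current=$(mktemp) || return 2
  snapshot "$root" "$exclude" > "$current"
  diffs=$(awk '
      FILENAME == ARGV[1] { base[substr($0, 67)] = substr($0, 1, 64); next }
      {
        p = substr($0, 67); h = substr($0, 1, 64)
        if (!(p in base)) { print "ADDED    " p }
        else { if (base[p] != h) print "MODIFIED " p; delete base[p] }
      }
      END { for (p in base) print "REMOVED  " p }
    ' "$baseline" "$current" | LC_ALL=C sort)
  rm -f "$current"
  [ -z "$diffs" ] && return 0
  printf '%s\n' "$diffs"
  return 1
}

# Command-line entry point; does nothing when the file is sourced.
# Example cron line (paths are assumptions):
#   * * * * * /usr/local/sbin/webroot-integrity.sh check /var/www/html /var/lib/integrity/html.sha256 uploads
case ${1:-} in
  baseline) snapshot "$2" "$4" > "$3" ;;
  check)    check "$2" "$3" "$4" ;;
esac
```

Two things the script cannot do for you: the baseline and the script itself must live where the httpd user (and so an attacker who got in through the application) cannot write, or they can simply refresh the baseline after planting a shell; and you must re-run "baseline" after each legitimate deploy, otherwise every check after it will alert. Tools like AIDE and Samhain record owner, mode and SELinux context alongside the hash, which this example does not.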
On Thu, Jun 21, 2012 at 8:17 AM, Bob Hoffman bob@bobhoffman.com wrote:
*snip*
Anything out there like that?
One approach is to make the changes on a staging/test server, then rsync them to the real server. Then 'rsync -nv --delete' will list any changed files. The step beyond that is to commit all changes to a version control system like subversion, check them out on the staging box, then push to production with rsync - or update directly to the tested revision on the production server(s). The version control system will have its own commands to show changes from the repository version.
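The rsync dry-run suggested above, as an added example rather than code from the thread. It assumes a pristine copy of the site (the tree you deploy from) in one directory and the live web root in another; the directory names are placeholders. It adds -c to the flags mentioned so that files are compared by content rather than by size and mtime, since an intruder can restore a file's mtime with touch after editing it, and uses -i instead of -v so the output is one machine-readable line per difference and nothing else.

```shell
#!/bin/sh
# List what differs between a pristine copy of the site and the live web
# root, without touching either side.
#   -n  dry run
#   -r  recurse
#   -c  compare by checksum; the default size+mtime test is blind to an edit
#       followed by "touch -r original edited"
#   -i  one itemized line per difference, no summary lines
#   --delete  also report files that exist only on the live side (web shells)
# Extra arguments go straight to rsync, e.g. --exclude=uploads/ for the one
# directory the application legitimately writes to.
drift() {
  pristine=$1; live=$2; shift 2
  rsync -nrci --delete "$@" "$pristine/" "$live/" | awk '
    # itemized lines are an 11-character flag field, a space, then the path;
    # "*deleting" plus three spaces is the same width, so the path starts at 13
    /^\*deleting/    { print "EXTRA    " substr($0, 13); next }  # only on live side
    /^>f[+][+][+]/   { print "MISSING  " substr($0, 13); next }  # gone from live
    /^>f/            { print "CHANGED  " substr($0, 13); next }  # content differs
  ' | LC_ALL=C sort
}

# Typical cron use (paths are assumptions); output is empty when clean.
#   drift /srv/site-pristine /var/www/html --exclude=uploads/
```

Because --exclude protects the excluded directory from --delete as well, uploads churn never shows up as EXTRA. The same caveat as for any self-hosted check applies: keep the pristine copy on a host, or at least under an owner, that the web server's user cannot write to.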
On Thu, 21 Jun 2012, Bob Hoffman wrote:
To: CentOS@centos.org From: Bob Hoffman bob@bobhoffman.com Subject: [CentOS] reinventing the wheel? page checker
Not sure if there is an app like this yet. I want to keep tabs on my web applications and thought of using a 'page checker'/
*snip*
Anything out there like that?
http://www.changedetection.com/
HTH,
Keith
----------------------------------------------------------- Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk
On 6/21/2012 12:44 PM, Keith Roberts wrote:
On Thu, 21 Jun 2012, Bob Hoffman wrote:
To: CentOS@centos.org From: Bob Hoffman bob@bobhoffman.com Subject: [CentOS] reinventing the wheel? page checker
*snip*
http://www.changedetection.com/
thanks Keith, I see where you are going with that. However, I am going to be keeping an eye on all my files in the html folder, along with those outside of it (the ones you keep outside of html for security), and my htaccessed admin areas and such...
Just gonna build a little script to SMS and email me if anything changes. When I finally get around to doing it in the project I will post what I did and how it worked.
On 22/06/12 07:59, Bob Hoffman wrote:
*snip*
If it's a security thing, you probably want a host-based IDS.
My current favourite is
Samhain (http://la-samhna.de/samhain/)
It is a little tricky to set up initially -- you have to read all the documentation first and compile it specifically for your target (it is aggressively paranoid) -- but it can be configured to use multiple logging channels, it knows about ACLs and SELinux contexts, and version 3 uses inotify so resource impact is minimal. It can also be configured to just look at your web root and ignore your uploads directory.
Kal
On 22.6.2012 03:34, Kahlil Hodgson wrote:
On Thu, 21 Jun 2012, Bob Hoffman wrote:
Subject: [CentOS] reinventing the wheel? page checker
Not sure if there is an app like this yet. I want to keep tabs on my web applications and thought of using a 'page checker'/
If it's a security thing, you probably want a host-based IDS.
I know this under the term file-based IDS, btw, in contrast to the stuff that scans network traffic.
Samhain (http://la-samhna.de/samhain/)
Tripwire and AIDE are two other examples, and even with Bacula you can do this stuff.
All these tools scan the filesystem and store things like checksum, ownership, size etc. in a database. One important feature in my opinion is that the database is not stored on the client itself. You don't want an intruder to get at that data, similar to why one wants a central log server.
No need to reinvent the wheel; there are plenty of tools for that.
Bob Hoffman wrote:
*snip*
As I said originally, you might want to check out rkhunter. It'll check your system for rootkits, and once configured - which isn't a big deal, just a configuration file - will complain when run if something's changed. You can tell it to look at your web pages.
Another thing to consider (and I really, really don't enjoy suggesting it), is selinux. Turn it on to at least permissive, and it'll bitch and moan if something's changed. Turn it to enforcing, and *nothing* will be allowed to be changed. It is, however, a royal pain to configure, esp. when you want to be able to allow a directory for users to put pics.
mark
On 6/22/2012 9:50 AM, m.roth@5-cent.us wrote:
*snip*
Another thing to consider (and I really, really don't enjoy suggesting it), is selinux. Turn it on to at least permissive, and it'll bitch and moan if something's changed. Turn it to enforcing, and *nothing* will be allowed to be changed. It is, however, a royal pain to configure, esp. when you want to be able to allow a directory for users to put pics.
mark
Would love to use SELinux. I searched high and low for any kind of manual and there was none. Most of the information online was for versions that were not on CentOS 6, and little info on CentOS 6. I am considering going back to it for the virtual hosts, DNS servers, but for production web servers I think it will take a long time. I know that fail2ban will not work properly with it in any case, as per their own website.
It seems that to run the web servers SELinux wants me to allow a ton of privileges to Apache, the FTP user, and a bunch of other things... seems like that defeats the purpose. And a script injection will have all those privileges.
I wish I had the time and knowledge to implement it... and add it to my handbook, but on a web server that is doing mail ins, mail outs, httpd, mysql, php, self-made scripts, fail2ban, and a host of other programs it seems like it requires an experienced hand at it. Or a book. Neither of which are available to me.
Who knows, once I figure out the multi_mysql backup, amanda, then I may go for it.
One thing I learned... SELinux in permissive mode only gives a warning once for an issue... and never again. Makes it hard to play with it that way; would prefer a constant error variable to keep them coming.
well. We derailed.
On Fri, Jun 22, 2012 at 1:28 PM, Bob Hoffman bob@bobhoffman.com wrote:
It seems that to run the web servers SELinux wants me to allow a ton of privileges to Apache, the FTP user, and a bunch of other things... seems like that defeats the purpose. And a script injection will have all those privileges.
No, selinux doesn't give 'extra' privileges to anything. It adds extra restrictions based on the context of the processes and the files/directories besides the ones based on uid/gid.
I wish I had to time and knowledge to implement it...and add it to my handbook, but on a webserver that is doing mail ins, mail outs, httpd, mysql, php, self made scripts, fail2ban, and host of other programs it seems like it requires an experienced hand at it. Or a book.
Yes, it has taken years to get just the standard distributed packages configured correctly - and that's probably with expert advice available to the packagers... You can't just drop it in on top of stuff that has evolved organically for years.
On 22/6/2012 9:28 PM, Bob Hoffman wrote:
it seems like it requires an experienced hand at it. Or a book.
Some googling took me to: http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html
It seems interesting and comprehensive from a quick browse. And it's public domain too.
Yet, I agree that SElinux is a pain. There are other measures to keep things under control. Unless you know what you are doing with it, selinux is going to produce trouble and only trouble.
That's my experience.
(I don't know if I'll ever find the significant time needed to invest in knowing selinux well enough to use it in production.)
Nick
Bob Hoffman wrote:
*snip*
Another thing to consider (and I really, really don't enjoy suggesting it), is selinux. Turn it on to at least permissive, and it'll bitch and moan if something's changed. Turn it to enforcing, and *nothing* will be allowed to be changed. It is, however, a royal pain to configure, esp. when you want to be able to allow a directory for users to put pics.
Would love to use SElinux. I searched high and low for any kind of manual and there was none.
Look for RHEL's 5 or 6; there's professional documentation.
Not that anything's that wonderful.
There's also the selinux list. <snip>
One thing I learned...SElinux in permissive mode only gives a warning once for an issue...and never again. Makes it hard to play with it that way, would prefer a constant error variable to keep them coming.
Not true. It will issue an AVC every time something tries to happen. Big things to know:
a) ll -Z shows you the selinux context
b) chcon [-R] -[urt] <whatever> <file or directory>
c) getsebool and setsebool
mark
On 06/22/2012 04:38 PM, m.roth@5-cent.us wrote:
*snip*
One thing I learned... SELinux in permissive mode only gives a warning once for an issue... and never again. Makes it hard to play with it that way; would prefer a constant error variable to keep them coming.
Not true. It will issue an AVC every time something tries to happen. Big things to know:
a) ll -Z shows you the selinux context
b) chcon [-R] -[urt] <whatever> <file or directory>
c) getsebool and setsebool
mark
If you are having problems with SELinux just send an email to me or mention it on the list. There is also pretty good help available on #freenode.
Permissive AVCs are only reported once. You can read this blog for more info.
http://danwalsh.livejournal.com/10972.html
Other blogs you might be interested in:
http://danwalsh.livejournal.com/24537.html http://danwalsh.livejournal.com/42394.html
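An added example for working with the AVC messages discussed above (the ls -Z / chcon / setsebool list and the note on permissive-mode reporting); it is not code from the thread or from any of the tools named in it. It reduces a stretch of audit.log to the distinct denials, which is what you actually need to act on whether each one is logged once or a thousand times, and then shows the labelling change for the one directory Apache should be allowed to write. The audit lines are constructed for illustration and the directory path is a placeholder.

```shell
#!/bin/sh
# Summarise SELinux AVC denials into counts per (source type, target type,
# class, permissions) so the handful of distinct problems behind a flood of
# messages is obvious. Reads audit.log-style lines on stdin, e.g.
#   ausearch -m avc -ts recent | summarize_avc
summarize_avc() {
  awk '
    # a context is user:role:TYPE:level; the type is what policy rules are about
    function ctxtype(ctx,  p) { split(ctx, p, ":"); return p[3] }
    /avc: +denied/ {
      match($0, /[{][^}]*[}]/)                      # "{ write }" -> write
      perms = substr($0, RSTART + 1, RLENGTH - 2); gsub(/^ +| +$/, "", perms)
      src = tgt = cls = "?"
      for (i = 1; i <= NF; i++) {                   # walk key=value fields
        n = index($i, "="); if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "scontext") src = ctxtype(v)
        else if (k == "tcontext") tgt = ctxtype(v)
        else if (k == "tclass") cls = v
      }
      count[src " " tgt " " cls " {" perms "}"]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -rn
}

# Constructed sample: httpd trying to write into an uploads directory that is
# still labelled read-only web content (twice), and httpd opening a MySQL port.
SAMPLE='type=AVC msg=audit(1340370000.101:201): avc:  denied  { write } for  pid=2201 comm="httpd" name="uploads" dev=dm-0 ino=131077 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1340370000.102:202): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1340370000.103:203): avc:  denied  { write } for  pid=2202 comm="httpd" name="uploads" dev=dm-0 ino=131077 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# The fix for the first denial is a label, not a loosened policy: give only the
# uploads tree the writable web-content type, record the rule so a relabel
# keeps it (-a adds a rule, -m changes an existing one), and leave the rest of
# the web root as read-only httpd_sys_content_t. A web shell dropped into
# uploads still cannot rewrite index.php. Needs root; semanage comes from
# policycoreutils-python on CentOS 6. $1 is an assumed path such as
# /var/www/html/uploads.
allow_httpd_write_dir() {
  dir=$1
  semanage fcontext -a -t httpd_sys_rw_content_t "${dir}(/.*)?" && restorecon -Rv "$dir"
}
# The second denial is a boolean rather than a label:
#   setsebool -P httpd_can_network_connect_db on

if [ "${1:-demo}" = demo ]; then
  printf '%s\n' "$SAMPLE" | summarize_avc
fi
```

Run without arguments it prints the summary of the built-in sample; in practice you feed it ausearch output. The output reads as "count source_type target_type class {permissions}", which maps directly onto the three questions to ask before changing anything: is the target mislabelled (fix with semanage fcontext and restorecon), is there a boolean for it (getsebool -a | grep httpd), or is the access something Apache has no business doing, in which case the denial is the alert you wanted in the first place.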