
Syscheck monitoring of /var/lib/tor/services/ #2963

Merged: 1 commit merged into develop from tor-services-ossec-config, Feb 3, 2018

Conversation

emkll
Contributor

@emkll emkll commented Feb 2, 2018

Status

Ready for review

Description of Changes

Fixes #2960:
Modify ossec-agent configuration to monitor /var/lib/tor/services/ directory.

Testing

  • make build-debs
  • vagrant up /staging/
  • vagrant ssh mon-staging
  • /var/ossec/queue/syscheck/\(app-staging\)\ 10.0.1.2-\>syscheck should contain hashes of all files and folders in /var/lib/tor/services and monitor/alert on changes.

Deployment

Will require a new ossec-agent package to be published.

Checklist

If you made changes to the system configuration:

…irectory and not only /var/lib/tor/services/hostname (which no longer exists)
@emkll emkll requested review from conorsch and msheiny February 2, 2018 15:52
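The configuration change the PR describes, written out as an added example rather than the PR's own diff (the ossec-agent package file is not shown on this page; the path /var/ossec/etc/ossec.conf, the frequency value and the check_all attribute are assumptions about how the agent is configured). It shows the syscheck entry that puts /var/lib/tor/services/ under integrity monitoring, next to the narrower form the follow-up commit for #3090 describes, which lists only each service's hostname file because the service directories also hold private key material.

```xml
<!-- Added example, not the PR's own diff. Assumed location on the app server:
     /var/ossec/etc/ossec.conf -->
<ossec_config>
  <syscheck>
    <!-- Run the integrity scan every 22 hours (the OSSEC default). -->
    <frequency>79200</frequency>

    <!-- Form introduced by this PR: hash every file and directory under the
         onion-service directory and alert on any change. -->
    <directories check_all="yes">/var/lib/tor/services/</directories>

    <!-- Narrower form from the follow-up commit (#3090): only the hostname
         file of each service is monitored, so the private keys in the same
         directories are not touched by syscheck. SERVICE_NAME is a
         placeholder; add one entry per onion service. -->
    <!--
    <directories check_all="yes">/var/lib/tor/services/SERVICE_NAME/hostname</directories>
    -->
  </syscheck>
</ossec_config>
```

Note that neither entry sets report_changes="yes": with that attribute OSSEC keeps copies of monitored files so it can emit diffs in alerts, which for this directory would duplicate the key material into the OSSEC queue. Hashes alone are enough to detect a rewritten hostname or key file.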
@codecov-io

Codecov Report

Merging #2963 into develop will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff            @@
##           develop    #2963   +/-   ##
========================================
  Coverage    89.28%   89.28%           
========================================
  Files           31       31           
  Lines         1810     1810           
  Branches       209      209           
========================================
  Hits          1616     1616           
  Misses         144      144           
  Partials        50       50

Powered by Codecov. Last update df97f93...0274ca8. Read the comment docs.

Contributor

@redshiftzero redshiftzero left a comment


Changes look good and I've tested in staging following your test plan. Thanks @emkll!

@redshiftzero redshiftzero merged commit a4b34fe into develop Feb 3, 2018
@redshiftzero redshiftzero deleted the tor-services-ossec-config branch February 3, 2018 22:47
@ageis
Contributor

ageis commented Feb 4, 2018

@emkll @redshiftzero Hey both, just had a comment or thought here when I was looking at the list of directories that are being monitored. If we're speaking in terms of defense-in-depth, then you might want to monitor /var/run/tor as well. That's where the control socket and authentication cookie get written on Debian-based systems, so any changes would indicate someone has created a backdoor to the Tor process, which is explicitly disallowed, since you do not set a ControlSocket or CookieAuthentication in your torrc. However, there is a problem with doing this, which is that the PID file is in the same directory and subject to change.

@conorsch
Contributor

conorsch commented Feb 5, 2018

@ageis #1261 describes switching to Unix sockets (i.e. files on disk) for the Tor service. If that gets implemented, then the socket path would ideally be monitored by OSSEC. As for watching anything under /var/run/, that'd generate too much noise for Admins without providing any meaningful information: files there are expected to change.

@msheiny
Contributor

msheiny commented Mar 1, 2018

Hey @emkll should this also be monitored on upgrades? I can't see any logic that would add it as-is.

emkll added a commit that referenced this pull request Mar 1, 2018
PR #2963 introduced monitoring of the /var/lib/tor folder; however, these folders contain private key material. It would be more prudent (and at no cost to integrity monitoring capabilities) to exclusively monitor the hostname.
Fixes #3090

(cherry picked from commit 6b9dee5)