Files that change when Sendmail is restarted
- /var/lock/subsys/sendmail
- /var/lock/subsys/sm-client
- /var/run/sendmail.pid
- /var/run/sm-client.pid
I don't think this is specific to Sendmail at all. My understanding is that when a package is started, the OS, that is Linux, manages lock and pid files in order to keep track of which applications are currently running.
This is an area I would like to study properly at some point.
In any case, starting a package changes files, so it gets caught by Tripwire's tamper detection; I'll keep that in mind.
Part of the Tripwire report that flagged changes after the Sendmail restart
It was actually detected as follows. The full report is very long, so only the "Object Summary" section is excerpted here.
Also, because log rotation was detected at the same time, the number of flagged changes is higher than usual.
===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/lock/subsys)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/var/lock/subsys/sendmail"
[x] "/var/lock/subsys/sm-client"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/run)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/var/run/sendmail.pid"
[x] "/var/run/sm-client.pid"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/var/log/sa/sa18"
[x] "/var/log/sa/sar17"

Removed:
[x] "/var/log/sa/sa09"

Modified:
[x] "/var/log/boot.log"
[x] "/var/log/boot.log.1"
[x] "/var/log/boot.log.2"
[x] "/var/log/boot.log.3"
[x] "/var/log/boot.log.4"
[x] "/var/log/cron"
[x] "/var/log/cron.1"
[x] "/var/log/cron.2"
[x] "/var/log/cron.3"
[x] "/var/log/cron.4"
[x] "/var/log/httpd/access_log"
[x] "/var/log/httpd/access_log.1"
[x] "/var/log/httpd/access_log.2"
[x] "/var/log/httpd/access_log.3"
[x] "/var/log/httpd/access_log.4"
[x] "/var/log/httpd/error_log"
[x] "/var/log/httpd/error_log.1"
[x] "/var/log/httpd/error_log.2"
[x] "/var/log/httpd/error_log.3"
[x] "/var/log/httpd/error_log.4"
[x] "/var/log/httpd/ssl_access_log"
[x] "/var/log/httpd/ssl_access_log.1"
[x] "/var/log/httpd/ssl_access_log.2"
[x] "/var/log/httpd/ssl_access_log.3"
[x] "/var/log/httpd/ssl_access_log.4"
[x] "/var/log/httpd/ssl_error_log"
[x] "/var/log/httpd/ssl_error_log.1"
[x] "/var/log/httpd/ssl_error_log.2"
[x] "/var/log/httpd/ssl_error_log.3"
[x] "/var/log/httpd/ssl_error_log.4"
[x] "/var/log/httpd/ssl_request_log"
[x] "/var/log/httpd/ssl_request_log.1"
[x] "/var/log/httpd/ssl_request_log.2"
[x] "/var/log/httpd/ssl_request_log.3"
[x] "/var/log/httpd/ssl_request_log.4"
[x] "/var/log/maillog"
[x] "/var/log/maillog.1"
[x] "/var/log/maillog.2"
[x] "/var/log/maillog.3"
[x] "/var/log/maillog.4"
[x] "/var/log/messages"
[x] "/var/log/messages.1"
[x] "/var/log/messages.2"
[x] "/var/log/messages.3"
[x] "/var/log/messages.4"
[x] "/var/log/php_errors.log"
[x] "/var/log/php_errors.log.1"
[x] "/var/log/php_errors.log.2"
[x] "/var/log/php_errors.log.3"
[x] "/var/log/php_errors.log.4"
[x] "/var/log/rpmpkgs"
[x] "/var/log/rpmpkgs.1"
[x] "/var/log/rpmpkgs.2"
[x] "/var/log/rpmpkgs.3"
[x] "/var/log/rpmpkgs.4"
[x] "/var/log/secure"
[x] "/var/log/secure.1"
[x] "/var/log/secure.2"
[x] "/var/log/secure.3"
[x] "/var/log/secure.4"
[x] "/var/log/spooler"
[x] "/var/log/spooler.1"
[x] "/var/log/spooler.2"
[x] "/var/log/spooler.3"
[x] "/var/log/spooler.4"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/root/.viminfo"
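As an added illustration (not code from the original post), a small Python triage script that reads the "Object Summary" lines of a report laid out like the one above and separates objects a Sendmail restart or log rotation is expected to touch from those that still need a human look, such as /root/.viminfo. The excerpt it parses is constructed from the report above, and the allow-list patterns are assumptions for this example, not Tripwire policy.

```python
import re

# Constructed excerpt in the layout of the "Object Summary" above (severity lines omitted).
REPORT = """\
Rule Name: System boot changes (/var/lock/subsys)
Modified:
[x] "/var/lock/subsys/sendmail"
[x] "/var/lock/subsys/sm-client"
Rule Name: System boot changes (/var/run)
Modified:
[x] "/var/run/sendmail.pid"
[x] "/var/run/sm-client.pid"
Rule Name: System boot changes (/var/log)
Modified:
[x] "/var/log/maillog"
[x] "/var/log/maillog.1"
Rule Name: Root config files (/root)
Modified:
[x] "/root/.viminfo"
"""

# Assumed allow-list: objects a Sendmail restart or logrotate run is expected to touch.
EXPECTED = [
    re.compile(r"^/var/lock/subsys/(sendmail|sm-client)$"),
    re.compile(r"^/var/run/(sendmail|sm-client)\.pid$"),
    re.compile(r"^/var/log/[^/]+(\.\d+)?$"),  # top-level logs and their rotated copies
]
RULE_RE = re.compile(r"^Rule Name:\s*(.+)$")
CHANGE_RE = re.compile(r"^(Added|Removed|Modified):$")
OBJ_RE = re.compile(r'^\[[x ]\]\s+"([^"]+)"$')

def parse_report(text):
    """Yield (rule, change_type, path) for each object line in the summary."""
    rule = change = None
    for line in text.splitlines():
        line = line.strip()
        if m := RULE_RE.match(line):
            rule = m.group(1)
        elif m := CHANGE_RE.match(line):
            change = m.group(1)
        elif (m := OBJ_RE.match(line)) and rule and change:
            yield rule, change, m.group(1)

def triage(text):
    """Split detected objects into restart/logrotate noise and items to review."""
    buckets = {"expected": [], "review": []}
    for rule, change, path in parse_report(text):
        key = "expected" if any(p.match(path) for p in EXPECTED) else "review"
        buckets[key].append((rule, change, path))
    return buckets
```

Anything that lands in the "review" bucket is what you would check before accepting the database update, rather than ticking every box.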
In closing
Mail sending from the WordPress server failed!? So I checked the logs, restarted Sendmail, and sent test mail.
However, everything ran without any errors, and yet the mail was not received.
In the end, it had simply landed in the spam folder ><.
Amid that commotion, the Tripwire report was affected, which I found very interesting, so I made this note.
That's all.