Canary files can help you identify information breaches or ransomware attacks.
The script monitors when a file, or a set of files, is accessed and, upon detection, executes several commands to help identify the source of the event.
This script should be run by cron every minute.
The file files2monitor should list the files to monitor, all on one line, separated by spaces.
Dependencies: inotify-tools, flock, zabbix_sender
Script and Zabbix template to:
Detect read, write or open actions on canary files.
Support monitoring of multiple files.
Avoid simultaneous executions of the script by using flock.
Send information to Zabbix only when an incident happens, to keep monitoring overhead low.
Record the output of inotify, top, netstat, lsof, who, ps and fuser when an event is detected.
https://github.com/rggassner/gassnerZabbixScripts/tree/master/canary
The shell script can be found in the GitHub repository above.
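As an added illustration (this is not the repository's script), a cron-driven watcher in the shape the page describes: flock against overlapping runs, inotifywait on the files listed in files2monitor, and zabbix_sender pushing the trapper items only when an event fires. The files2monitor, lock and agent-config paths, the assumption that canary paths contain no spaces, and the `watch` argument on the cron line are assumptions, not taken from the project.

```sh
#!/bin/sh
# Added example, not the repository's canary script. Assumed cron line:
#   * * * * * /usr/local/bin/canary.sh watch
# Assumptions: the paths below, that the Zabbix agent config carries
# ServerActive/Hostname for zabbix_sender -c, and canary paths without spaces.
FILES2MONITOR="${FILES2MONITOR:-/etc/canary/files2monitor}"
LOCKFILE="${LOCKFILE:-/run/lock/canary.lock}"
AGENT_CONF="${AGENT_CONF:-/etc/zabbix/zabbix_agentd.conf}"
MAXLINES=1000

# inotifywait prints "<file> <EVENT[,EVENT]>"; split it on the first space.
event_file() { printf '%s\n' "${1%% *}"; }
event_kind() { printf '%s\n' "${1#* }"; }

# Template semantics: 1 = canary is dead (read, write or open seen), 0 = alive.
canary_status() {
    case "$1" in
        *OPEN*|*ACCESS*|*MODIFY*) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Keep the template's "first one thousand lines" of a command's output.
cap_lines() { head -n "$MAXLINES"; }

# One trapper item per call; the value is passed whole, so multi-line output survives.
send_item() { zabbix_sender -c "$AGENT_CONF" -k "$1" -o "$2" >/dev/null 2>&1; }

watch() {
    exec 9>"$LOCKFILE"
    flock -n 9 || exit 0                      # previous minute's instance still watching
    # shellcheck disable=SC2046
    set -- $(cat "$FILES2MONITOR")            # space-separated list, all on one line
    # Block up to 55 s (cron re-arms every minute); timeout (exit 2) means nothing to send.
    event=$(inotifywait -q -t 55 -e access,modify,open "$@") || exit 0
    file=$(event_file "$event")
    send_item 'canary.status[]'  "$(canary_status "$(event_kind "$event")")"
    send_item 'canary.top[]'     "$(top -b -n 1 | cap_lines)"
    send_item 'canary.netstat[]' "$(netstat -tupan 2>/dev/null | cap_lines)"
    send_item 'canary.ps[]'      "$(ps -ef f | cap_lines)"
    send_item 'canary.who[]'     "$(who -a)"
    send_item 'canary.lsofile[]' "$(lsof -- "$file")"
    send_item 'canary.fuser[]'   "$(fuser -v "$file" 2>&1)"
    send_item 'canary.lsof[]'    "$(lsof | cap_lines)"
}

case "${1:-}" in watch) watch ;; esac
```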
Suggestions are welcome!
There are no macros links in this template.
There are no template links in this template.
There are no discovery rules in this template.
| Name | Description | Type | Key and additional info |
|---|---|---|---|
| Canary status | Status used for triggers. 1 = canary is dead, 0 = canary is alive | Zabbix trapper | canary.status[] Update: 0 |
| netstat | Output of "netstat -tupan" (first one thousand lines) | Zabbix trapper | canary.netstat[] Update: 0 |
| top | Output of "top" when the canary file was triggered | Zabbix trapper | canary.top[] Update: 0 |
| ps | Output of "ps -ef f" (first one thousand lines) | Zabbix trapper | canary.ps[] Update: 0 |
| who | Output of "who -a" when the canary file was triggered | Zabbix trapper | canary.who[] Update: 0 |
| lsofile | lsof output for the canary file that was triggered | Zabbix trapper | canary.lsofile[] Update: 0 |
| fuser | fuser output for all the PIDs using the file | Zabbix trapper | canary.fuser[] Update: 0 |
| lsof | lsof output for all files (first one thousand lines) | Zabbix trapper | canary.lsof[] Update: 0 |
There are no triggers in this template.