Canary

Overview

Canary files are decoy files that no legitimate user or process should ever touch, so any access to one is a strong indicator of an information breach or a ransomware attack in progress.

The script monitors a file, or a set of files, for access (read, write or open) and, upon detection, runs several commands to help identify the source of the event.

This script should be run by cron every minute.

The file files2monitor should contain the files to monitor, all on one line, space separated.

Dependencies: inotify-tools, flock, zabbix_sender

Script and Zabbix template to:

Detect actions on canary files: read, write or open.

Monitor multiple files at once.

Prevent simultaneous executions of the script using flock.

Send information to Zabbix only when an incident happens, so the monitoring server spends no resources on quiet minutes.

Record the output of inotify, top, netstat, lsof, who, ps and fuser upon event detection.


https://github.com/rggassner/gassnerZabbixScripts/tree/master/canary

The shell script can be found in the GitHub repository above.
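As an added illustration, not the project's own script, the watcher below implements the behaviour described above: it reads files2monitor, takes a flock so overlapping cron runs do not stack up, waits with inotifywait for an access, open or write on any canary, and on an event pushes the evidence to the trapper items listed under Items collected using zabbix_sender. The FILES2MONITOR, LOCKFILE, ZBX_* and WATCH_SECS settings and the "run" argument are assumptions of this example, not something the repository defines.

```shell
#!/bin/sh
# Added example (not the project's script): a cron-driven canary watcher that
# follows the behaviour described on this page. Assumed names: the
# FILES2MONITOR, LOCKFILE and ZBX_* settings; item keys are those of the template.
set -u

FILES2MONITOR="${FILES2MONITOR:-/etc/canary/files2monitor}"  # assumed path
LOCKFILE="${LOCKFILE:-/run/lock/canary.lock}"                # assumed path
ZBX_SERVER="${ZBX_SERVER:-127.0.0.1}"                          # Zabbix server or proxy
ZBX_HOST="${ZBX_HOST:-$(hostname)}"                            # host name as configured in Zabbix
ZBX_SENDER="${ZBX_SENDER:-zabbix_sender}"                      # from the zabbix-sender package
WATCH_SECS="${WATCH_SECS:-55}"                                 # stay inside the one-minute cron period

# files2monitor holds space-separated paths on one line; blank lines are
# skipped. Prints one path per line.
parse_files2monitor() {
    tr -s ' \t' '\n' < "$1" | grep -v '^$'
}

# Send a single trapper item. The value goes in -o, so multi-line command
# output (top, ps, lsof) keeps its newlines.
send_item() {   # send_item <key> <value>
    "$ZBX_SENDER" -z "$ZBX_SERVER" -s "$ZBX_HOST" -k "$1" -o "$2" >/dev/null 2>&1
}

# Snapshot the system the moment a canary is touched. inotify does not report
# the PID behind an event, so the process-level view must be captured at once.
# The thousand-line cap matches the template's item descriptions.
collect_evidence() {   # collect_evidence <triggered file> <inotify events>
    send_item 'canary.status[]'  '1'
    send_item 'canary.netstat[]' "$(netstat -tupan 2>/dev/null | head -n 1000)"
    send_item 'canary.top[]'     "$(top -b -n 1 2>/dev/null)"
    send_item 'canary.ps[]'      "$(ps -ef f 2>/dev/null | head -n 1000)"
    send_item 'canary.who[]'     "$(who -a 2>/dev/null)"
    send_item 'canary.lsofile[]' "$(lsof "$1" 2>/dev/null)"
    send_item 'canary.fuser[]'   "$(fuser -v "$1" 2>&1)"
    send_item 'canary.lsof[]'    "$(lsof 2>/dev/null | head -n 1000)"
    logger -t canary "canary $1 triggered ($2)"
}

# One cron run: take the lock, then watch until an event or the timeout.
main() {
    exec 9>"$LOCKFILE"
    flock -n 9 || exit 0                     # a previous run is still watching

    # Paths are space separated by design, so word splitting is intended here.
    set -- $(parse_files2monitor "$FILES2MONITOR")
    [ $# -gt 0 ] || { echo "canary: nothing to monitor" >&2; exit 1; }

    # inotifywait exits after the first event (status 0) or on timeout (status 2).
    ev=$(inotifywait -q -t "$WATCH_SECS" -e access,open,modify \
            --format '%w %e' "$@"); rc=$?
    case $rc in
        0) collect_evidence "${ev%% *}" "${ev#* }" ;;   # %w = path, %e = events
        2) exit 0 ;;                                     # quiet minute: send nothing
        *) echo "canary: inotifywait failed ($rc)" >&2; exit 1 ;;
    esac
}

# cron calls this script with the argument "run"; sourcing it without
# arguments only defines the functions.
case "${1:-}" in run) main ;; esac
```

A crontab entry such as "* * * * * /usr/local/bin/canary.sh run" gives one watcher per minute, and the flock makes a slow evidence collection harmless to the next run. Paths in files2monitor cannot contain spaces, which matches the one-line format the page describes. Two practical caveats: inotify events carry no PID, so the lsof, fuser, ps and netstat snapshots are the only link back to the actor, and a short-lived process may already be gone by the time they run; and the canary paths must be excluded from backups, indexers and antivirus scans, or the canary will die on every scheduled job.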

Suggestions are welcome!

Macros used

There are no macros links in this template.

Template links

There are no template links in this template.

Discovery rules

There are no discovery rules in this template.

Items collected

| Name | Description | Type | Key and additional info |
|---|---|---|---|
| Canary status | Status used for triggers: 1 = canary is dead, 0 = canary is alive | Zabbix trapper | canary.status[], update interval 0 |
| netstat | Output of "netstat -tupan" (first one thousand lines) | Zabbix trapper | canary.netstat[], update interval 0 |
| top | Output of "top" when the canary file was triggered | Zabbix trapper | canary.top[], update interval 0 |
| ps | Output of "ps -ef f" (first one thousand lines) | Zabbix trapper | canary.ps[], update interval 0 |
| who | Output of "who -a" when the canary file was triggered | Zabbix trapper | canary.who[], update interval 0 |
| lsofile | lsof output for the canary file that triggered | Zabbix trapper | canary.lsofile[], update interval 0 |
| fuser | fuser output for all the PIDs using the file | Zabbix trapper | canary.fuser[], update interval 0 |
| lsof | lsof output for all open files (first one thousand lines) | Zabbix trapper | canary.lsof[], update interval 0 |

Triggers

There are no triggers in this template.