The recent large-scale attacks by cryptolocker viruses inspired my friend Marco and me to create
something that, even though it cannot block them upstream, at least recognizes what is happening
downstream and warns the IT staff.
It is really bad when someone encrypts all the files in a share and nobody notices for many days, far
beyond the retention limit of the backups. Recovery then becomes a hard problem.
For this reason we designed a Nagios probe that alerts the IT staff to the problem, so that they can
intervene immediately with shadow copies instead of attempting a slow recovery from backups.
I wrote a first, very simple probe that exploited the NTFS ownership of sentinel files (the canary in
the coal mine) distributed in the folders to check: in case of a crypto virus attack, it generated an
alert complete with the account of the user.
Later this type of virus changed its behavior and that method was no longer enough to recognize the
adverse event, so I moved to a version that checks the sentinel files using 128-bit MD5 hashes
(the md5sum command).
Starting from this idea, Marco wrote a complete version (the published one) that automates some
setup and management steps (the first version was a standalone bash script).
Installation
The probe must be able to reach the share folders that are to be kept under control, so the shares
must be mounted directly on the Nagios server. Mount the share as shown below.
Edit /etc/fstab (with root privileges) and add a line like this (adapt the capitalized words to your
environment):
//SERVER.DOMAIN/SHARE /usr/local/nagios/libexec/check_krypto/mounts/share cifs domain=DOMAIN,credentials=/etc/samba/krypto.cred,uid=nagios
Modify the included file canary.doc or canary.odt: add your company logo and a readable message
for curious users (Warning! You are copying an alien file into all user and area/office folders).
We recommend an official mail to everyone: "In order to protect the company's information assets,
we have set up an automatic monitoring system that uses a canary file with ...".
DO NOT CREATE A LARGE FILE!! (the probe verifies the file with an MD5 check every N minutes).
Save it as a PDF file (more convenient, because users usually cannot modify it).
cp PATH/canary.pdf /usr/local/nagios/libexec/check_krypto/etc
Now edit the check_krypto.sh file and update the variables at the top of the code, for example:
# Domain credentials file (domain,user,pwd) of a user that can read the ACLs
DOMAIN_CREDENTIALS="/etc/samba/krypto.cred"
# Base path where shares are mounted (must be configured into /etc/fstab)
MOUNTS_BASEPATH="${PROBE_BASEPATH}/mounts"
# Canary file name when it is installed into the target directories
# (a leading underscore is better, to simplify the user's view)
CANARY_FILENAME="_Canary_file_DO_NOT_DELETE.pdf"
# File that contains a list of paths (directories) that shouldn't have a canary
EXCEPTIONS_BASEPATH="${PROBE_BASEPATH}/mount/exceptions"
If necessary, you can customize other variables such as FIND, SMBCACLS, MD5SUM and so on.
Run in this way, the krypto probe verifies whether the folders in SHARE have identical ACLs; if a folder has a
different ACL, it descends into the folders recursively until it finds ACLs identical to those of the parent folder.
The probe also creates
/usr/local/nagios/libexec/check_krypto/mounts/share_canarys.cache
which contains the list of paths of the canary files copied during the scan. Please DO NOT MODIFY this file.
If instead you want to check only the first-level folders of a share, you can use one-level-discovery
mode with the -o option:
./check_krypto.sh SHARE -o
The krypto probe then lists only the first level of folders in SHARE and creates share_canarys.cache.
At this point you have a reference cache file and canaries copied into the folders to check. Now you can
run:
./check_krypto.sh share -c
which uses the cache file to check the directories without any discovery (the faster option).
If everything is OK:
OK - Verified 6 Canaries, 0 Problems Found | All the 6 Canaries on //share are in their original state
Try to delete or modify one canary file, and the result is:
WARNING: Anomaly Detected - Verified 6 Canaries, 1 Problems Found | Canary NOT found on //share/DIR1
Now, to reinstall the canaries in a consistent state after an alarm (using the cache file, without any
discovery), use the rebuild option:
./check_krypto.sh share -r
(Note: the second run reports the OK state.)
Now retry the normal check:
./check_krypto.sh share -c
to obtain the OK state.
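To show the discovery and check logic described above in a form you can run offline, here is an added Python example; it is not the published check_krypto.sh, and the share layout, the canary bytes, the cache file and the function names are constructed for the illustration. It reproduces the two steps that matter: installing the canary into each folder while recording the paths in a cache, and the check pass that compares every cached canary against the reference MD5 and returns a Nagios-style exit code and status line (this example assumes a check of the first-level folders only, like the -o mode).

```python
import hashlib
import tempfile
from pathlib import Path

NAGIOS_OK, NAGIOS_WARNING = 0, 1
CANARY_FILENAME = "_Canary_file_DO_NOT_DELETE.pdf"  # same naming convention as the probe
CANARY_BYTES = b"%PDF-1.4\n% constructed canary content, keep it small\n"  # stands in for canary.pdf

def md5_of(path):
    # The canary is small by design, so hashing it in one read is fine
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def install_canaries(share_root, canary_bytes, cache_file):
    """Discovery step: drop the canary into every first-level folder and record the paths in the cache."""
    paths = [str(d / CANARY_FILENAME) for d in sorted(Path(share_root).iterdir()) if d.is_dir()]
    for p in paths:
        Path(p).write_bytes(canary_bytes)
    Path(cache_file).write_text("\n".join(paths) + "\n")
    return paths

def check_canaries(cache_file, reference_md5):
    """Check mode: each cached path must still exist and hash to the reference; returns (exit code, status line)."""
    paths = [p for p in Path(cache_file).read_text().splitlines() if p.strip()]
    problems = []
    for p in paths:
        if not Path(p).is_file():
            problems.append(f"Canary NOT found on {p}")
        elif md5_of(p) != reference_md5:
            problems.append(f"Canary MODIFIED on {p}")
    if problems:
        return NAGIOS_WARNING, (f"WARNING: Anomaly Detected - Verified {len(paths)} Canaries, "
                                f"{len(problems)} Problems Found | " + "; ".join(problems))
    return NAGIOS_OK, (f"OK - Verified {len(paths)} Canaries, 0 Problems Found | "
                       f"All the {len(paths)} Canaries are in their original state")

def demo():
    """Constructed scenario: three folders get a canary, then one is overwritten and one deleted."""
    root = Path(tempfile.mkdtemp())
    for name in ("DIR1", "DIR2", "DIR3"):
        (root / "share" / name).mkdir(parents=True)
    cache = root / "share_canarys.cache"
    install_canaries(root / "share", CANARY_BYTES, cache)
    reference = hashlib.md5(CANARY_BYTES).hexdigest()
    before = check_canaries(cache, reference)
    (root / "share" / "DIR2" / CANARY_FILENAME).write_bytes(b"not the canary any more")  # simulated tampering
    (root / "share" / "DIR3" / CANARY_FILENAME).unlink()                                 # simulated deletion
    after = check_canaries(cache, reference)
    return before, after
```

Calling demo() returns the OK result from the first pass and the WARNING result (2 problems out of 3 canaries) from the second; the exit code is what Nagios uses to set the service state.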
If you need to manage an exception, you can use:
./check_krypto.sh share -e
which creates
/usr/local/nagios/libexec/check_krypto/mounts/share_exceptions.list
a file containing the folder paths that should not be checked.
define command {
    command_name check_krypto_acl
    command_line /usr/local/nagios/libexec/check_krypto/bin/check_krypto.sh $ARG1$ -a
}
define command {
    command_name check_krypto_onelevel
    command_line /usr/local/nagios/libexec/check_krypto/bin/check_krypto.sh $ARG1$ -o
}