Stefan Viljoen
2015-Jan-09 07:29 UTC
[asterisk-users] Asterisk executable suddenly about 40KB larger - modules (Andres)
> I would also start by putting an audit rule on the binary. Something like this:
>
> auditctl -w /usr/sbin/asterisk -p war -k asterisk-bin
>
> then you can get a report on who modified it and when by using:
>
> ausearch -f /usr/sbin/asterisk
>
> It's a start, but eventually you might need to monitor even keystrokes with pam_tty_audit.so to understand who is doing this:
> http://poorlydocumented.com/2014/05/enabling-pam_tty_audit-on-rhel-centos-or-scientific-linux/

Thanks, I'll keep that in mind.

Just to report back, stopping pre-linking as detailed yesterday and setting immutable with chattr on the Asterisk executable on the Head Office box here appears to have solved the problem. The box did not crash this morning as it did the previous two days and is working fine... strange, but good.

Previous to the problem starting on Tuesday, the box had been running fine for about three years 24/7 - so I might still have some kind of compromise going on.

Anyway, thanks for the assistance everyone.

Regards

Stefan
Tech Support
2015-Jan-09 15:15 UTC
[asterisk-users] Asterisk executable suddenly about 40KB larger - modules (Andres)
What you may want to consider, if you have a network management system such as Nagios, is to create a service that checks the size of the binary every 5 minutes. You're notified if the size goes over a certain threshold. You can also take the perf data and graph it using one of the many Nagios graphing tools available. You can even use something like Munin for a task like this.

I couldn't get along without this. On some PBXs I have, I monitor over 600 different metrics spread out every 1, 5, 10, 15, 30, and 60 minutes. Because they're spread out, the load average from these checks is zero.

Just a suggestion.

Regards;

John

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Stefan Viljoen
Sent: Friday, January 09, 2015 2:30 AM
To: asterisk-users at lists.digium.com
Subject: Re: [asterisk-users] Asterisk executable suddenly about 40KB larger - modules (Andres)

> > I would also start by putting an audit rule on the binary. Something like this:
> >
> > auditctl -w /usr/sbin/asterisk -p war -k asterisk-bin
> >
> > then you can get a report on who modified it and when by using:
> >
> > ausearch -f /usr/sbin/asterisk
> >
> > It's a start, but eventually you might need to monitor even keystrokes with pam_tty_audit.so to understand who is doing this:
> > http://poorlydocumented.com/2014/05/enabling-pam_tty_audit-on-rhel-centos-or-scientific-linux/
>
> Thanks, I'll keep that in mind.
>
> Just to report back, stopping pre-linking as detailed yesterday and setting immutable with chattr on the Asterisk executable on the Head Office box here appears to have solved the problem. The box did not crash this morning as it did the previous two days and is working fine... strange, but good.
>
> Previous to the problem starting on Tuesday, the box had been running fine for about three years 24/7 - so I might still have some kind of compromise going on.
> Anyway, thanks for the assistance everyone.
>
> Regards
>
> Stefan
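As an added example (not code from the thread or from Nagios), here is the kind of plugin John describes: it compares the binary's current size and SHA-256 hash against a baseline recorded while the file was known good, emits a Nagios status line with size perfdata for graphing, and returns the standard exit codes. The one-line "size sha256" baseline format, the function names and the baseline path are assumptions made here.

```shell
#!/bin/sh
# Nagios-style plugin that detects a changed binary (e.g. /usr/sbin/asterisk).
# Added example, not from the thread. The baseline format ("size sha256" on one
# line, recorded while the binary was known good) is an assumption made here.

# Portable SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_baseline FILE -> prints "size sha256"; save this output once while the
# binary is trusted, e.g. into /var/lib/nagios/asterisk-bin.baseline (assumed path).
record_baseline() {
    printf '%s %s\n' "$(wc -c < "$1" | tr -d ' ')" "$(file_sha256 "$1")"
}

# check_binary FILE BASELINE_SIZE BASELINE_SHA256
# Prints a Nagios status line with size perfdata; returns 0 (OK) or 2 (CRITICAL).
check_binary() {
    file=$1 base_size=$2 base_sha=$3
    if [ ! -f "$file" ]; then
        echo "CRITICAL - $file is missing"
        return 2
    fi
    size=$(wc -c < "$file" | tr -d ' ')
    sha=$(file_sha256 "$file")
    if [ "$size" = "$base_size" ] && [ "$sha" = "$base_sha" ]; then
        echo "OK - $file unchanged (${size} bytes)|size=${size}B"
        return 0
    fi
    if [ "$size" != "$base_size" ]; then
        # The thread's symptom: the executable grew by roughly 40 KB overnight.
        echo "CRITICAL - $file size changed ${base_size} -> ${size} bytes|size=${size}B"
    else
        # Same size but different hash: contents were rewritten in place.
        echo "CRITICAL - $file contents changed, size still ${size} bytes|size=${size}B"
    fi
    return 2
}

# Usage as a Nagios plugin: check_bin.sh /usr/sbin/asterisk $(cat asterisk-bin.baseline)
if [ $# -eq 3 ]; then
    check_binary "$1" "$2" "$3"
    exit $?
fi
```

Hashing catches the case a size-only check misses (a replacement of identical length), while the size perfdata still gives you the graph John mentions.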