zabbix_export: version: '5.4' date: '2021-11-21T22:06:20Z' groups: - uuid: 7df96b18c230490a9a0a9e2307226338 name: Templates templates: - uuid: 4926648ab6d0481e882471b9b8481cc7 template: Canary name: Canary description: | ## Overview Canary files can help you identify information breaches or ransomware attacks. The script monitors when a file, or set of files, are accessed and upon detection execute several commands to help identify the source of the event. This script should be run by cron every minute. The file files2monitor should contain the files to monitor, all in one line, space separated. Dependencies: inotify-tools, flock, zabbix\_sender Script and Zabbix template to: Detect actions on canary files, read, write or open. Support for multiple files monitoring. Avoid multiple simultaneous execution of the script using flock. Sends information to zabbix only when incident happens, for monitoring resource optimization. Records information from inotify, top, netstat, lsof, who, ps and fuser upon event detection. Dependencies: inotify-tools, flock, zabbix\_sender https://github.com/rggassner/gassnerZabbixScripts/tree/master/canary The shell script can be found in the github repository above. Suggestions are welcome! groups: - name: Templates items: - uuid: a19fddc2632d45dbb68b1c68da36b7ef name: fuser type: TRAP key: 'canary.fuser[]' delay: '0' trends: '0' value_type: TEXT allowed_hosts: '10.0.0.0/8,192.168.0.0/16,127.0.0.0/8' description: 'Show fuser for all the pids using the file' tags: - tag: Application value: 'Canary files' - uuid: b97612c9bf0341a1853f5c7c9ba9f12c name: lsofile type: TRAP key: 'canary.lsofile[]' delay: '0' trends: '0' value_type: TEXT allowed_hosts: '10.0.0.0/8,192.168.0.0/16,127.0.0.0/8' description: 'Show lsof for the canary file that triggered.' tags: - tag: Application value: 'Canary files' - uuid: 560b278f731f4745898b0f2101b0f880 name: lsof type: TRAP key: 'canary.lsof[]' delay: '0' trends: '0' value_type: TEXT allowed_hosts: '10.0.0.0/8,192.168.0.0/16,127.0.0.0/8' description: 'Show lsof for all the files (First one thousand lines)' tags: - tag: Application value: 'Canary files' - uuid: 068d74fddcc84857be4defd82ed203ff name: netstat type: TRAP key: 'canary.netstat[]' delay: '0' trends: '0' value_type: TEXT allowed_hosts: '10.0.0.0/8,192.168.0.0/16,127.0.0.0/8' description: 'Show output of "netstat -tupan" (First one thousand lines)' tags: - tag: Application value: 'Canary files' - uuid: 21f698630c254bf1b57d675248bf4770 name: ps type: TRAP key: 'canary.ps[]' delay: '0' trends: '0' value_type: TEXT allowed_hosts: '10.0.0.0/8,192.168.0.0/16,127.0.0.0/8' description: 'Show "ps -ef f" output (First one thousand lines)' tags: - tag: Application value: 'Canary files' - uuid: 48e0ef51b1fc4068bc14a47303cf6189 name: 'Canary status' type: TRAP key: 'canary.status[]' delay: '0' history: 7d allowed_hosts: '10.0.0.0/8,192.168.0.0/16,127.0.0.0/8' description: | Status used for triggers. 1 - Canary is dead 0 - Canary is alive tags: - tag: Application value: 'Canary files' triggers: - uuid: ce8c22ed69d1434ca54a408fb70d42a3 expression: | max(/Canary/canary.status[],3600s)=1 and nodata(/Canary/canary.status[],3600s)=0 name: 'Canary file was accessed in the last hour' priority: HIGH tags: - tag: feature value: canary - uuid: bb3301a4b00947a5bd3ccf393c80a9e3 name: top type: TRAP key: 'canary.top[]' delay: '0' trends: '0' value_type: TEXT allowed_hosts: '10.0.0.0/8,192.168.0.0/16,127.0.0.0/8' description: '"top" command when canary file was triggered.' tags: - tag: Application value: 'Canary files' - uuid: 962f0aea1c9746ec96d9b548d9d9796a name: who type: TRAP key: 'canary.who[]' delay: '0' trends: '0' value_type: TEXT allowed_hosts: '10.0.0.0/8,192.168.0.0/16,127.0.0.0/8' description: '"who -a" command when canary file was triggered.' tags: - tag: Application value: 'Canary files' tags: - tag: attack value: 'data breach' - tag: feature value: canary - tag: service value: DLP - tag: team value: security