Syscheck Report_Change


EvilZ

Jul 22, 2016, 9:25:51 AM
to ossec-list
Hi,


I would like to set up monitoring for a txt file that is on a Linux server.
I have configured the syscheck and set Report_Change to yes; however, after 3 changes it has stopped reporting any change I make to the file. I would like the monitoring to act like an agentless check and alert whenever a change has been detected, and also report what exact text has been changed, with information such as the owner and group of the individual that performed the modification. Is this the correct setting I should set up for the directory?

<directories report_change="yes" check_all="yes">/input/ossec/</directories>

Thank you,

EvilZ

Jul 22, 2016, 9:29:03 AM
to ossec-list
I realized I made a typo in the post, sorry about that.

<directories report_changes="yes" check_all="yes">/input/ossec/</directories>

dan (ddp)

Jul 22, 2016, 10:10:51 AM
to ossec...@googlegroups.com
OSSEC stops reporting on files after they have changed 3 times by
default. Turn off the auto ignore feature if you don't want this.

Reporting the user that has modified a file is trickier. You need to
monitor the file with some system process, and then ingest those logs
to find the change. Maybe auditd on Linux?

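Dan's pointer to auditd is the mechanism for the "who changed it" half of the question; what follows is an added example of the ingestion side, not code from the thread or from OSSEC. A file watch such as `auditctl -w /input/ossec/ -p wa -k ossec_input` (the key name is an assumption) makes the kernel emit, for every write or attribute change, one SYSCALL record and one or more PATH records that share an event serial. The script joins them on that serial and reports, per change, the login user (auid), the effective uid/gid, the program and the file. The audit log lines are constructed for the example.

```python
import re
import time
from collections import defaultdict

# Constructed sample of what auditd writes to /var/log/audit/audit.log once a
# watch like `auditctl -w /input/ossec/ -p wa -k ossec_input` is loaded.
# The key "ossec_input", the paths and the uids are assumptions for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1469200000.123:4567): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=2000 pid=2001 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="vim" exe="/usr/bin/vim" key="ossec_input"
type=CWD msg=audit(1469200000.123:4567): cwd="/input/ossec"
type=PATH msg=audit(1469200000.123:4567): item=0 name="/input/ossec/" inode=100 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1469200000.123:4567): item=1 name="/input/ossec/list.txt" inode=101 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1469200055.900:4570): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=1 pid=3100 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="python3" exe="/usr/bin/python3" key="ossec_input"
type=PATH msg=audit(1469200055.900:4570): item=0 name="/input/ossec/" inode=100 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1469200055.900:4570): item=1 name="/input/ossec/list.txt" inode=101 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1469200090.001:4580): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=2000 pid=2050 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=4 comm="nano" exe="/usr/bin/nano" key="other_watch"
type=PATH msg=audit(1469200090.001:4580): item=1 name="/home/user/notes.txt" inode=900 dev=08:01 mode=0100644 ouid=1001 ogid=1001 nametype=NORMAL
"""

# key=value pairs; values are either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<epoch seconds>:<serial>): ties the records of one event together.
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
UNSET_AUID = 4294967295  # auditd's marker for "no login session" in auid/ses


def parse_record(line):
    """Turn one audit record into a dict of its fields plus time and serial."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["_time"] = float(m.group(1))
    rec["_serial"] = int(m.group(2))
    return rec


def attribute_changes(lines, key):
    """Join SYSCALL and PATH records per event; return changes tagged with `key`."""
    events = defaultdict(lambda: {"paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["_serial"]]
        if rec["type"] == "SYSCALL":
            auid = int(rec["auid"])
            ev.update(
                time=rec["_time"],
                key=rec.get("key"),
                # auid survives su/sudo, so it names the person; uid is what they ran as.
                login_uid=None if auid == UNSET_AUID else auid,
                uid=int(rec["uid"]),
                gid=int(rec["gid"]),
                comm=rec.get("comm"),
                exe=rec.get("exe"),
                success=rec.get("success") == "yes",
            )
        elif rec["type"] == "PATH" and rec.get("nametype") != "PARENT":
            ev["paths"].append(rec["name"])
    changes = [dict(serial=s, **ev) for s, ev in events.items() if ev.get("key") == key]
    changes.sort(key=lambda c: c["time"])
    return changes


def format_change(change):
    """Render one attributed change as a single line."""
    if change["login_uid"] is None:
        who = "no login session (daemon or cron job)"
    else:
        who = "login uid %d" % change["login_uid"]
    return "%s  %s  by %s, effective uid %d gid %d, via %s (%s)" % (
        time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(change["time"])),
        ", ".join(change["paths"]), who, change["uid"], change["gid"],
        change["comm"], change["exe"])


if __name__ == "__main__":
    for change in attribute_changes(SAMPLE_AUDIT_LOG.splitlines(), "ossec_input"):
        print(format_change(change))
```

Two details matter in practice: the second event shows why auid is the field to report, since a change made by a daemon carries the unset value rather than a user, and changes made through sudo keep the real person's auid while uid becomes 0. Once the lines are attributed this way, the audit log can be fed to OSSEC's own log collection so that the "who" and the syscheck "what" end up in the same alerts.log.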

EvilZ

Jul 22, 2016, 10:34:13 AM
to ossec-list
Excellent thank you very much =)

srik

Jul 22, 2016, 12:07:05 PM
to ossec-list
Dan, 

Is this 3-times thing for a certain time threshold, like once an hour, a day, etc.? If yes, is there a way to change that?

Thanks,
Sri

dan (ddp)

Jul 22, 2016, 12:10:27 PM
to ossec...@googlegroups.com
On Fri, Jul 22, 2016 at 12:07 PM, srik <srihar...@gmail.com> wrote:
> Dan,
>
> is this 3 times thing for certain time threshold? like for once an hr, day,
> etc.,? If yes, is there a way to change that?
>

No, it's a total of 3 times ever.

EvilZ

Jul 22, 2016, 12:15:00 PM
to ossec-list
Hi Dan,

I placed the <auto_ignore>no</auto_ignore> in the syscheck section and for some reason it simply does not trigger.

Is it possible that once it was triggered three times it goes in a do-not-check list that I have to reset?

If ever I wish to perform the same locally, is there a different step?

Thank you,




dan (ddp)

Jul 22, 2016, 12:36:53 PM
to ossec...@googlegroups.com
On Fri, Jul 22, 2016 at 12:14 PM, EvilZ <laque...@gmail.com> wrote:
> Hi Dan,
>
> I placed the <auto_ignore>no</auto_ignore> in the syscheck section and for
> some reason it simply does not trigger.
>
> Is it possible that once it was triggered three times it goes in a do not
> check list that i have to reset ?
>

I don't think so, but I'm not positive. You set this on the server (if
this is an agent<>server setup), correct?
I'll try it out to see what happens. If it is an issue, you may have
to reset the syscheck db for that agent and take a new baseline.

EvilZ

Jul 22, 2016, 12:44:27 PM
to ossec-list
Actually, I decided to try locally because I would like to see, in both cases, if a user were to modify a specific text file on the OSSEC server, an alert that would at the very least tell what was changed and what the new text that was written is. That is why I modified the option in ossec.conf:

 <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>360</frequency>
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications)
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" >/input/ossec/</directories>
However, when I launch this script:
bin/ossec-syscheckd

I get the following error:

2016/07/22 12:39:23 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2016/07/22 12:39:23 ossec-syscheckd: WARN: Syscheck disabled.

Is that to say that syscheck is disabled on agents or on the server? Any ideas?

Thank you,

dan (ddp)

Jul 22, 2016, 12:54:13 PM
to ossec...@googlegroups.com
On Fri, Jul 22, 2016 at 12:44 PM, EvilZ <laque...@gmail.com> wrote:
> actually i decided to try locally because i would like to see in both cases
> if a user was to modify a specific text file in the ossec server i would
> like to get an alert that would to the very least tell what was changed and
> what is the new text that was written. which is why i modified the option in
> ossec.conf
>
> <syscheck>
> <!-- Frequency that syscheck is executed - default to every 22 hours -->
> <frequency>360</frequency>
> <auto_ignore>no</auto_ignore>
>
> <!-- Directories to check (perform all possible verifications)
> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories check_all="yes">/bin,/sbin</directories>
> <directories report_changes="yes" >/input/ossec/</directories>
> however when i launch this script
> bin/ossec-syscheckd
>
> i get the following error:
>
> 2016/07/22 12:39:23 ossec-syscheckd(1702): INFO: No directory provided for
> syscheck to monitor.
> 2016/07/22 12:39:23 ossec-syscheckd: WARN: Syscheck disabled.
>
> is it to say that syscheck is disabled on agents or on the server ? any
> idea's?
>

The agents don't do the processing. They collect the hashes and
forward them to the server for analysis and alerting.
The auto_ignore option is only valid on a server (or a local
installation), not an agent.

And I just tested it. I managed to get alerts after setting the
auto_ignore option, even though there were 3+ previous changes to the
monitored file.

EvilZ

Jul 22, 2016, 2:19:29 PM
to ossec-list
OK.

So basically, you configured the same things as I did, in the ossec.conf or in the agent.conf?

Thank you,

dan (ddp)

Jul 22, 2016, 2:41:03 PM
to ossec...@googlegroups.com
On Fri, Jul 22, 2016 at 2:19 PM, EvilZ <laque...@gmail.com> wrote:
> ok
>
> so basically you configured the same things as i did in the ossec.conf or in
> the agent.conf ?
>

You mean the "<auto_ignore>no</auto_ignore>" option? It belongs in the
server's ossec.conf. It does nothing good anywhere else.

EvilZ

Jul 22, 2016, 2:44:59 PM
to ossec-list
OK, not a problem.

Just to make sure, when you launch the script ossec-syscheckd, does it inform you that it is disabled?

Thank you,

dan (ddp)

Jul 22, 2016, 2:49:29 PM
to ossec...@googlegroups.com
On Fri, Jul 22, 2016 at 2:44 PM, EvilZ <laque...@gmail.com> wrote:
> ok not a problem,
>
> just to make sure, when you launch the script ossec-syscheckd does it inform
> you that it is disabled ?
>

AGENT:
root@ossec283-agent:~/ossec-hids-2.8.3/src# pkill ossec-syscheckd
root@ossec283-agent:~/ossec-hids-2.8.3/src# ps auxww | grep ossec-syscheckd
root 21118 0.0 0.0 8860 648 ? S+ 18:48 0:00 grep --color=auto ossec-syscheckd
root@ossec283-agent:~/ossec-hids-2.8.3/src# /var/ossec/bin/ossec-syscheckd -df
2016/07/22 18:48:17 ossec-syscheckd: DEBUG: Starting ...
2016/07/22 18:48:17 ossec-rootcheck: DEBUG: Starting ...
2016/07/22 18:48:17 ossec-rootcheck: Starting queue ...
2016/07/22 18:48:17 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
2016/07/22 18:48:21 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
2016/07/22 18:48:21 ossec-syscheckd: INFO: Started (pid: 21119).
2016/07/22 18:48:21 ossec-rootcheck: INFO: Started (pid: 21119).
2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/test'.
2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc'.

SERVER:
root@ossec283-server:/var/ossec/queue/syscheck# pkill ossec-syscheckd
root@ossec283-server:/var/ossec/queue/syscheck# ps auxww | grep syscheck
root 25897 0.0 0.0 8860 644 ? S+ 18:48 0:00 grep --color=auto syscheck
root@ossec283-server:/var/ossec/queue/syscheck# /var/ossec/bin/ossec-syscheckd -df
2016/07/22 18:48:50 ossec-syscheckd: DEBUG: Starting ...
2016/07/22 18:48:50 ossec-rootcheck: DEBUG: Starting ...
2016/07/22 18:48:50 ossec-rootcheck: Starting queue ...
2016/07/22 18:48:50 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
2016/07/22 18:48:54 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
2016/07/22 18:48:54 ossec-syscheckd: INFO: Started (pid: 25898).
2016/07/22 18:48:54 ossec-rootcheck: INFO: Started (pid: 25898).
2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.

EvilZ

Jul 22, 2016, 2:59:25 PM
to ossec-list
Hi Dan,

Well, here is what I get when I launch the command ossec-syscheckd -df.

It still mentions Syscheck disabled...
That is so weird...

[root@LNA-ALA-FIM ossec]# bin/ossec-syscheckd -df
2016/07/22 14:54:13 ossec-syscheckd: DEBUG: Starting ...
2016/07/22 14:54:13 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2016/07/22 14:54:13 ossec-syscheckd: WARN: Syscheck disabled.
2016/07/22 14:54:13 ossec-rootcheck: DEBUG: Starting ...
2016/07/22 14:54:13 ossec-rootcheck: Starting queue ...
2016/07/22 14:54:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
2016/07/22 14:54:17 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
2016/07/22 14:54:17 ossec-syscheckd: INFO: Started (pid: 4502).
2016/07/22 14:54:17 ossec-rootcheck: INFO: Started (pid: 4502).

dan (ddp)

Jul 25, 2016, 8:01:49 AM
to ossec...@googlegroups.com
On Fri, Jul 22, 2016 at 2:59 PM, EvilZ <laque...@gmail.com> wrote:
> Hi Dan,
>
> well here is what i get when i launch the command ossec-syscheckd -df
>
> it still mentions Syscheck disabled.....
> that is so weird......
>

What is your <syscheck> configuration on that system?
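Two things in this thread can be checked mechanically before restarting the daemon, and Dan's question is exactly the one such a check answers. First, the <syscheck> block pasted earlier has no `-->` after the "Directories to check" comment; the thread never settles whether that is a paste artifact or the real file, but if it is the real file it matches the "No directory provided for syscheck to monitor" message exactly, because an unterminated comment hides every <directories> line after it. Second, Dan's point that <auto_ignore> is only honoured in the server's (or a local install's) ossec.conf. The script below is an added example, not OSSEC code and not its configuration parser; it reproduces only the comment handling and <directories> extraction needed for these checks and runs them over a copy of the pasted block. FIXED_SYSCHECK, the same text with the comment closed, is an assumption about what the file was meant to be.

```python
import re

# Constructed: the <syscheck> block as pasted in the thread, with the
# "Directories to check" comment left unterminated and a closing tag added.
BROKEN_SYSCHECK = """\
<syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>360</frequency>
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications)
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" >/input/ossec/</directories>
</syscheck>
"""
# Assumed correct form: the same block with the comment closed.
FIXED_SYSCHECK = BROKEN_SYSCHECK.replace("verifications)\n", "verifications) -->\n")

DIR_RE = re.compile(r"<directories\b([^>]*)>([^<]*)</directories>")
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
AUTO_IGNORE_RE = re.compile(r"<auto_ignore>\s*(\w+)\s*</auto_ignore>")


def strip_comments(text):
    """Remove <!-- ... --> spans. An unterminated comment swallows everything
    after it, which is how any XML reader treats it. Returns (text, unterminated)."""
    out, pos = [], 0
    while True:
        start = text.find("<!--", pos)
        if start < 0:
            out.append(text[pos:])
            return "".join(out), False
        out.append(text[pos:start])
        end = text.find("-->", start + 4)
        if end < 0:
            return "".join(out), True
        pos = end + 3


def monitored_directories(config_text):
    """Return ([(path, attrs)], unterminated) for paths that survive comment stripping."""
    body, unterminated = strip_comments(config_text)
    dirs = []
    for attrs, value in DIR_RE.findall(body):
        opts = dict(ATTR_RE.findall(attrs))
        dirs.extend((p.strip(), opts) for p in value.split(",") if p.strip())
    return dirs, unterminated


def lint_syscheck(config_text, role):
    """role is 'server', 'local' or 'agent'. Returns a list of problem strings."""
    dirs, unterminated = monitored_directories(config_text)
    body, _ = strip_comments(config_text)
    problems = []
    if unterminated:
        problems.append("unterminated <!-- comment: everything after it is ignored")
    if not dirs:
        problems.append("no <directories> survive parsing: ossec-syscheckd will report "
                        "'No directory provided for syscheck to monitor' and disable syscheck")
    if AUTO_IGNORE_RE.search(body) and role == "agent":
        problems.append("<auto_ignore> is only honoured in the server's or a local "
                        "install's ossec.conf, not on an agent")
    if not any(o.get("report_changes") == "yes" for _, o in dirs):
        problems.append('no directory has report_changes="yes": alerts will show the '
                        "checksum change but not the changed text")
    return problems


if __name__ == "__main__":
    for label, text in (("as pasted", BROKEN_SYSCHECK), ("comment closed", FIXED_SYSCHECK)):
        print(label + ":", lint_syscheck(text, "local") or ["no problems found"])
```

Run against the block as pasted, the linter reports the unterminated comment and an empty directory list, which is the same condition the daemon logs as "No directory provided"; with the comment closed, all six paths come back, and /input/ossec/ carries report_changes="yes". The role argument is there because the same ossec.conf text is harmless on a server and silently ineffective on an agent for the auto_ignore setting.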

EvilZ

Jul 27, 2016, 2:57:57 PM
to ossec-list
Hi Dan,

Well, I solved the issue by reinstalling OSSEC (it's a test environment anyway), so the syscheck is now functional. However, I basically have one last question, and it's about the actual information that is pulled from alerts.log.
My goal is to have a text file containing a list that will be updated every now and then, and I would like the monitoring to tell me what the new text is that has been added. So far all I see is the checksum, not the text....

Any clues?

Rocio Romero

Jul 27, 2016, 5:14:48 PM
to ossec-list
Hi EvilZ,

I think this link can be useful for you :) 


Let me know if you get it!

Best,

Rocio

EvilZ

Jul 28, 2016, 9:09:42 AM
to ossec-list
Hi Rocio,

Thank you for the link, I will definitely work on it and give you feedback. Thank you =)