"Integrity checksum changed" triggered for files added to ignore


Florin Andrei

Nov 23, 2016, 11:51:40 PM
to ossec-list
OSSEC-2.8.3 on Ubuntu 16.04

One OSSEC server with multiple agents.

/var/ossec/etc/ossec.conf on an agent:

#################
<ossec_config>
  <client>
    <server-ip>X.Y.Z.K</server-ip>
  </client>
</ossec_config>
#################

/var/ossec/etc/shared/agent.conf on the server (and it's matched by /var/ossec/etc/shared/agent.conf on all agents):

##############################
<agent_config os="linux">
  <syscheck>
    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- files we don't watch/ignore -->
    <frequency>7200</frequency>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/etc/rc*.d/*our-api</ignore>
    <ignore>/etc/init.d/our-api</ignore>
    <ignore>/dev/.blkid.tab</ignore>
    <ignore>/dev/.blkid.tab.old</ignore>
  </syscheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/messages</location>
  </localfile>
  <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/syslog</location>
  </localfile>
  <localfile>
     <log_format>apache</log_format>
     <location>/var/log/nginx/access.log</location>
  </localfile>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

</agent_config>
##############################

So /etc/init.d/our-api is in the ignore list; I added it there earlier today. However, I just got an alert from multiple agents after that file had changed after a deploy:

#####################
OSSEC HIDS Notification.
2016 Nov 23 21:25:49

Received From: (api-p1-front-012) any->syscheck
Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
Portion of the log(s):

Integrity checksum changed for: '/etc/init.d/our-api'
#####################

What is going on? It looks like adding a file to the ignore list does not exempt it from being flagged by the rules. If so, how do I truly ignore a given file everywhere?
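A small checker for the configuration posted above, added here as an example and not taken from the thread or from the OSSEC project. It parses the `<agent_config>` block, lists the syscheck `<ignore>` entries, reports which `<directories>` entry puts a given path under monitoring, and which ignore entries cover that path. It assumes that a plain `<ignore>` entry is compared as a case-insensitive path prefix and that only entries with `type="sregex"` are treated as patterns (an assumption about OSSEC 2.8's matching to confirm against the installed version); under that assumption, wildcard characters in a plain entry are compared literally, so the script flags them. The embedded configuration is the syscheck portion of the posted agent.conf, reproduced as constructed sample input.

```python
"""Check which syscheck <ignore> entries in an OSSEC agent.conf cover a path from an alert."""
import xml.etree.ElementTree as ET

# Constructed sample input: the <syscheck> portion of the agent.conf posted in the thread.
AGENT_CONF = """<agent_config os="linux">
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <frequency>7200</frequency>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/etc/rc*.d/*our-api</ignore>
    <ignore>/etc/init.d/our-api</ignore>
    <ignore>/dev/.blkid.tab</ignore>
    <ignore>/dev/.blkid.tab.old</ignore>
  </syscheck>
</agent_config>
"""

# Glob metacharacters; in a plain <ignore> they are assumed to have no special meaning.
WILDCARDS = set("*?[")


def parse_ignores(conf_xml):
    """Return (plain_entries, sregex_entries) from every <ignore> in the config."""
    root = ET.fromstring(conf_xml.strip())
    plain, sregex = [], []
    for node in root.iter("ignore"):
        value = (node.text or "").strip()
        if node.get("type") == "sregex":
            sregex.append(value)
        else:
            plain.append(value)
    return plain, sregex


def monitored_by(conf_xml, path):
    """<directories> entries under which `path` falls (entries are comma-separated lists)."""
    root = ET.fromstring(conf_xml.strip())
    hits = []
    for node in root.iter("directories"):
        for d in (node.text or "").split(","):
            d = d.strip()
            if d and (path == d or path.startswith(d.rstrip("/") + "/")):
                hits.append(d)
    return hits


def covering_ignores(conf_xml, path):
    """Plain <ignore> entries covering `path` under the assumed case-insensitive prefix rule."""
    plain, _ = parse_ignores(conf_xml)
    return [e for e in plain if path.lower().startswith(e.lower())]


def literal_wildcard_entries(conf_xml):
    """Plain entries that contain glob characters; these match nothing unless the
    literal characters appear in the path, so they are worth a second look."""
    plain, _ = parse_ignores(conf_xml)
    return [e for e in plain if WILDCARDS & set(e)]


def report(conf_xml, path):
    """Human-readable summary for one alerted path."""
    lines = ["path: %s" % path]
    lines.append("monitored via: %s" % (", ".join(monitored_by(conf_xml, path)) or "none"))
    lines.append("covered by ignore: %s" % (", ".join(covering_ignores(conf_xml, path)) or "none"))
    odd = literal_wildcard_entries(conf_xml)
    if odd:
        lines.append("plain entries with wildcard characters (compared literally): %s" % ", ".join(odd))
    return "\n".join(lines)


if __name__ == "__main__":
    # The path from the alert in the thread, and a hypothetical rc-link path the
    # wildcard entry was presumably meant to cover.
    for p in ("/etc/init.d/our-api", "/etc/rc2.d/S20our-api"):
        print(report(AGENT_CONF, p))
        print()
```

If the path is reported as covered by an entry and alerts still arrive, the loaded configuration on the agent is not the one being inspected (for example the shared file has not yet taken effect on that host); if it is reported as not covered, the entry itself needs fixing, as with a wildcard in a plain `<ignore>`.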