OSSEC File Integrity


srikanth kalangi

Apr 16, 2015, 2:12:38 PM
to ossec...@googlegroups.com

Hi Team,

Is there a way to show the difference in the email alert like what has changed between old & new file?

Please help.

It is showing the md5sum but not the difference output.


Integrity checksum changed for: '/var/ossec/etc/ossec.conf'

Size changed from '2777' to '2817'

Old md5sum was: 'a69f4ab990235e4eeb61b5d2d839dcc8'

New md5sum is : '72ce6db1b1983a4a07de78abfdf0724e'

Old sha1sum was: 'c9f86b33392f7f2e87ac5e1e38344c0bd1be5cb9'

New sha1sum is : '8fe3613d520900260e1c3fceada8fdad8e2b00bb'



Thanks

Srikanth

dan (ddp)

Apr 16, 2015, 2:20:56 PM
to ossec...@googlegroups.com
The check_diff rule option can help with that:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html?highlight=check_diff#element-check_diff

>
>
> Thanks
>
> Srikanth
>

srikanth kalangi

Apr 16, 2015, 10:54:50 PM
to ossec...@googlegroups.com
Hi Dan,

Thank you very much for your reply.
Is it possible for you to provide the sample rule as I was unable to find it from http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes/ which gets me 404 error.

Thanks
Srikanth

dan (ddp)

Apr 16, 2015, 10:56:04 PM
to ossec...@googlegroups.com


On Apr 16, 2015 10:54 PM, "srikanth kalangi" <srikant...@gmail.com> wrote:
>
> Hi Dan,
>
> Thank you very much for your reply.
> Is it possible for you to provide the sample rule as I was unable to find it from http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes/ which gets me 404 error.
>

What have you tried so far?

srikanth kalangi

Apr 17, 2015, 5:06:20 AM
to ossec...@googlegroups.com
Hi Dan,
So this is what I have in my rule configuration on OSSEC server side.

  <rule id="550" level="8">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <check_diff />
    <options>alert_by_email</options>
    <description>Integrity checksum changed.</description>
    <group>syscheck,</group>
  </rule>

But unfortunately, the alert didn't report the output of differences between the old and new file.


Rule: 550 fired (level 8) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/php.ini'
Size changed from '69097' to '69098'
Old md5sum was: 'a82c6a40a5bbd7188c2cbd81d98e5faa'
New md5sum is : 'db8fb0e4a4e288c8e7ae24491599ed0c'
Old sha1sum was: 'b1c5e70e5974d6cad46db5b21136d86d4718a03f'
New sha1sum is : 'baa0c22e2e7d51f34b3bc02ad234af045a9def05'

Any help would be greatly appreciated.

Thanks
Srikanth

srikanth kalangi

Apr 17, 2015, 5:07:17 AM
to ossec...@googlegroups.com
Hi Dan,
This is what I have done so far.

  <rule id="550" level="8">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <check_diff />
    <options>alert_by_email</options>
    <description>Integrity checksum changed.</description>
    <group>syscheck,</group>
  </rule>

But still in the email alert, output diff is not showing up.
Please let me know if you are looking for more info on this.

Thanks
Srikanth

dan (ddp)

Apr 17, 2015, 7:33:04 AM
to ossec...@googlegroups.com
On Fri, Apr 17, 2015 at 2:57 AM, srikanth kalangi
<srikant...@gmail.com> wrote:
> Hi Dan,
> This is what I have done so far.
>
> <rule id="550" level="8">
> <category>ossec</category>
> <decoded_as>syscheck_integrity_changed</decoded_as>
> <check_diff />
> <options>alert_by_email</options>
> <description>Integrity checksum changed.</description>
> <group>syscheck,</group>
> </rule>
>
> But still in the email alert, output diff is not showing up.
> Please let me know if you are looking for more info on this.
>

Did you restart the OSSEC processes on the manager after changing the
rule? If so, try it again, but stop the processes, make sure they've
stopped, and start them again.
Other things to check are to make sure the disk isn't full on the
agent (df and df -i for inodes), and make sure permissions are correct
in /var/ossec/queue

srikanth kalangi

Apr 17, 2015, 9:21:14 AM
to ossec...@googlegroups.com, sda...@castlighthealth.com
Hi Dan,
Yes, tried all possibilities but still not working.

Can you please confirm if the rule is correct for check_diff?

Rule: 551 fired (level 8) -> "Integrity checksum changed again (2nd time)."
Portion of the log(s):

Integrity checksum changed for: '/etc/sysctl.conf'
Size changed from '1178' to '1180'
Old md5sum was: '6c9e37b11ad582d5abcf48f960522052'
New md5sum is : 'c97d89abe2e63aa32e0d2d124bd87679'
Old sha1sum was: '98d2f9f67648002930280381042d09d7cad0f55b'
New sha1sum is : '6afc9406dab588f2e160b3d51596c3f1e2a93ad7'

Thanks
Srikanth

dan (ddp)

Apr 17, 2015, 9:26:49 AM
to ossec...@googlegroups.com
On Fri, Apr 17, 2015 at 9:17 AM, srikanth kalangi
<srikant...@gmail.com> wrote:
> Hi Dan,
> yes tried all possibilities but still not working.
>
> Can you please confirm if the rule is correct for check_diff ?
>

Without testing, no. But it looks correct.

> Rule: 551 fired (level 8) -> "Integrity checksum changed again (2nd time)."

However, this alert is for rule 551, not 550. You'll probably have to
adjust 550, 551, 552, and 553 to ensure coverage.

srikanth kalangi

Apr 17, 2015, 10:11:12 AM
to ossec...@googlegroups.com
Hi Dan,

I have tried to enable check_diff for rules 550, 551, 552 and 553.
Tested but somehow still not working.

Here are the rules info.

  <rule id="550" level="8">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <check_diff />
    <options>alert_by_email</options>
    <description>Integrity checksum changed.</description>
    <group>syscheck,</group>
  </rule>
  
  <rule id="551" level="8">
    <category>ossec</category>
    <check_diff />
    <options>alert_by_email</options>
    <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
    <description>Integrity checksum changed again (2nd time).</description>
    <group>syscheck,</group>
  </rule>
  
  <rule id="552" level="8">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
    <check_diff />
    <options>alert_by_email</options>
    <description>Integrity checksum changed again (3rd time).</description>
    <group>syscheck,</group>
  </rule>
  
  <rule id="553" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_deleted</decoded_as>
    <check_diff />
    <options>alert_by_email</options>
    <description>File deleted. Unable to retrieve checksum.</description>
    <group>syscheck,</group>
  </rule>


Here is the output from email alert
Rule: 550 fired (level 8) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/rsyslog.conf'
Size changed from '4334' to '4335'
Old md5sum was: 'a2862b03a2184b133a677a3cf68c8642'
New md5sum is : '1f44062e85aca68133c0204f319feb25'
Old sha1sum was: '3dff8cf28193d4feb03df7e136f968d27e00bd00'
New sha1sum is : '34472e2b29694e9233f5bf6ef2c178af7fe9764c'

Thanks
Srikanth

dan (ddp)

Apr 17, 2015, 10:15:09 AM
to ossec...@googlegroups.com
On Fri, Apr 17, 2015 at 10:09 AM, srikanth kalangi
<srikant...@gmail.com> wrote:
> Hi Dan,
>
> I have tried to enable check_diff for rules 550, 551, 552 and 553.
> Tested but somehow still not working.
>


Ok, I think I got this one wrong. You need the report_changes option
in the <directories> setting.
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.syscheck.html?highlight=report_changes

check_diff is more for commands. Sorry about the confusion.

srikanth kalangi

Apr 17, 2015, 10:24:07 AM
to ossec...@googlegroups.com
Sure Dan, thank you for clarification.

Can you please confirm if the below settings are correct? We have already enabled this before.

    <!-- Directories to check  (perform all possible verifications) -->
    <directories report_changes="yes" realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>    
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/etc</directories>

Thanks
Srikanth

dan (ddp)

Apr 17, 2015, 10:38:04 AM
to ossec...@googlegroups.com
On Fri, Apr 17, 2015 at 10:23 AM, srikanth kalangi
<srikant...@gmail.com> wrote:
> Sure Dan, thank you for clarification.
>
> Can you please confirm if the below settings are correct ? as we have
> already enabled this before.
>
> <!-- Directories to check (perform all possible verifications) -->
> <directories report_changes="yes" realtime="yes"
> check_all="yes">/usr/bin,/usr/sbin</directories>
> <directories report_changes="yes" realtime="yes"
> check_all="yes">/bin,/sbin,/etc</directories>
>

These look correct. Does `/var/ossec/queue/diff` exist on the agent
and/or manager? What subdirectories does it contain (I only have a
local install at the moment, and /var/ossec/queue/diff/local is the
directory I'm seeing)?

sriman dharba

Apr 18, 2015, 12:08:34 AM
to ossec...@googlegroups.com
Hi Dan,

We have /var/ossec/queue/diff on both agent and manager. We see directories based on agent host names and files under those folders on the OSSEC manager under /var/ossec/queue/diff/. We don't see any files/directories under /var/ossec/queue/diff on agents.

Thanks,
Sriman

dan (ddp)

Apr 20, 2015, 7:35:38 AM
to ossec...@googlegroups.com
On Fri, Apr 17, 2015 at 11:53 PM, sriman dharba <srima...@gmail.com> wrote:
> Hi Dan,
>
> We have /var/ossec/queue/diff on both agent and manager. We see directories
> based on agent host names and files under those folder on ossec manager
> under /var/ossec/queue/diff/. We dont see any files/directories under
> /var/ossec/queue/diff on agents.
>

Ok, do you see "diff.RANDOM" files under /var/ossec/queue/diff/AGENT/DIRECTORY/?

sriman dharba

Apr 21, 2015, 5:17:37 AM
to ossec...@googlegroups.com
Hi Dan,

Yes, we are able to see different diff.random files under each hostname directory. I have checked the different files present in those directories but couldn't find any files capturing the differences in old and new files. Any help here?

Thanks,
Sriman


dan (ddp)

Apr 21, 2015, 8:35:38 AM
to ossec...@googlegroups.com
On Tue, Apr 21, 2015 at 3:37 AM, sriman dharba <srima...@gmail.com> wrote:
> Hi Dan,
>
> Yes, We are able to see different diff.random files under each hostname
> directories. I have checked around the different files present in those
> directories but couldnt not find any files capturing the differences in old
> and new files. Any help here.
>

The diff files should contain the actual diffs. I haven't been able to
get alerts to contain the diffs on my setup, and haven't had a lot of
time to dig into the code to try and figure out why.
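As an added example, not code from this thread or from OSSEC itself: a small parser for the syscheck email alert layout quoted above, which extracts path, sizes and md5 values per alert and flags the alerts that arrive without a diff, so an operator can tell from the mail itself whether report_changes is actually delivering. The sample alerts are constructed, and the "What changed:" header used for the diff section is an assumption about the alert wording.

```python
import re
from typing import List

# Constructed sample: two email alerts in the layout quoted in this thread. The
# second carries a "What changed:" section such as report_changes appends when the
# manager has a previous copy to diff against (header wording is an assumption).
SAMPLE_EMAIL_ALERTS = """\
Rule: 550 fired (level 8) -> "Integrity checksum changed."
Integrity checksum changed for: '/etc/rsyslog.conf'
Size changed from '4334' to '4335'
Old md5sum was: 'a2862b03a2184b133a677a3cf68c8642'
New md5sum is : '1f44062e85aca68133c0204f319feb25'

Rule: 551 fired (level 8) -> "Integrity checksum changed again (2nd time)."
Integrity checksum changed for: '/etc/sysctl.conf'
Size changed from '1178' to '1180'
Old md5sum was: '6c9e37b11ad582d5abcf48f960522052'
New md5sum is : 'c97d89abe2e63aa32e0d2d124bd87679'
What changed:
3a4
> net.ipv4.ip_forward = 1
"""

RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\)', re.M)
FILE_RE = re.compile(r"Integrity checksum changed for: '([^']+)'")
SIZE_RE = re.compile(r"Size changed from '(\d+)' to '(\d+)'")
MD5_RE = re.compile(r"(Old|New) md5sum (?:was|is) ?: '([0-9a-f]{32})'")

def parse_alerts(text: str) -> List[dict]:
    """Split a mail body on 'Rule:' headers and extract each syscheck alert."""
    alerts, heads = [], list(RULE_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[m.start():end]
        f, s = FILE_RE.search(block), SIZE_RE.search(block)
        if not (f and s):          # not a syscheck change alert; skip it
            continue
        md5 = dict(MD5_RE.findall(block))
        # Text after the "What changed:" header is the diff; None if absent.
        diff = block.partition("What changed:\n")[2].strip() or None
        alerts.append({"rule": int(m.group(1)), "level": int(m.group(2)),
                       "path": f.group(1), "old_size": int(s.group(1)),
                       "new_size": int(s.group(2)), "old_md5": md5.get("Old"),
                       "new_md5": md5.get("New"), "diff": diff})
    return alerts

def paths_without_diff(alerts: List[dict]) -> List[str]:
    """Files whose change alert has no diff: report_changes is not delivering."""
    return [str(a["path"]) for a in alerts if a["diff"] is None]
```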