Syscheck not alerting on realtime scans


Daniel Bray

Aug 1, 2016, 10:32:13 AM
to ossec-list
Can someone verify that all the proper settings are in place to allow for realtime scans on some directories? We are running CentOS 6 servers (manager and agents/clients), and we use the Atomic install method.

Here is the latest available Atomic version installed (also noted inotify is installed)
$ rpm -qa | egrep "inotify|ossec"
ossec-hids-2.8.3-53.el6.art.x86_64
inotify-tools-3.14-1.el6.x86_64
ossec-hids-client-2.8.3-53.el6.art.x86_64


Here is the important part of /var/ossec/etc/shared/agent.conf
<agent_config os="Linux">
  <syscheck>
    <scan_time>1am</scan_time>
    <frequency>82800</frequency>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>no</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/root,/var/named,/var/www</directories>
...

Here is the agent /var/ossec/etc/ossec.conf file
<ossec_config>
  <client>
    <server-ip>10.10.10.10</server-ip>
  </client>
</ossec_config>

The above exists on all our agents/clients. 

On the manager, it pretty much matches up exactly, with the exception that the server is installed, and not the client:
$  rpm -qa | egrep "inotify|ossec"
inotify-tools-3.14-1.el6.x86_64
ossec-hids-server-2.8.3-53.el6.art.x86_64
ossec-hids-2.8.3-53.el6.art.x86_64


I have gone in and updated all servers (yum -y update) and rebooted to the latest kernel available on CentOS 6. I've waited a few days for the normal scans to complete, and I am seeing alerts for nightly changed files. However, when I run a test on a file that exists in /root or /etc, I never get alerted. The test is simply
$ sudo vim /etc/hosts.allow
...and I add/remove some entries, and :wq out for the update.

After a clean update and reboot, here are the relevant log entries:
2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
2016/08/01 14:25:13 ossec-rootcheck: DEBUG: Starting ...
2016/08/01 14:25:13 ossec-rootcheck: Starting queue ...
2016/08/01 14:25:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
2016/08/01 10:25:14 ossec-agentd(4102): INFO: Connected to the server (10.10.10.10:1514).
2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2016/08/01 14:25:19 ossec-logcollector: INFO: Started (pid: 2120).
2016/08/01 14:25:19 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'.
2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0



Is there anything obvious that I'm missing in the configs?


Victor Fernandez

Aug 1, 2016, 6:25:53 PM
to ossec-list
Hi Daniel.

I had never used <scan_time> before, but I think it works for weekly scans since OSSEC prints this log (even when setting frequency=84800):

2016/08/01 14:27:33 ossec-syscheckd: INFO: Syscheck scan frequency: 604800 seconds

This amount of time is one week, so I think that <scan_time> works only for weekly scans, and then you should also introduce the <scan_day> parameter, since it appears to have no default value. For example:

<scan_time>1am</scan_time>
<scan_day>monday</scan_day>

I tested that configuration and Syscheck appears to work properly. 

Hope it helps.

Best regards.

Daniel Bray

Aug 2, 2016, 7:11:29 AM
to ossec...@googlegroups.com
Victor,

The nightly scans are working just fine. That's not the problem. The problem is the real time scans are not working. Each night around 1am, I get various reports of changed or added files....all good there. However, during the day or really any time, if I edit/add/delete files in /etc or /root, I am not instantly getting alerted. In other words, the realtime scan is not monitoring those directories, even though it states:

2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.


dan (ddp)

Aug 2, 2016, 8:47:44 AM
to ossec...@googlegroups.com
Not that I can see.
I just checked, and realtime works with my setup. However, I'm not
running CentOS 6, I'm using 2.9rc2, and I don't have the scan_time
option set (trying that now).


Daniel Bray

Aug 2, 2016, 8:55:40 AM
to ossec...@googlegroups.com
OK, I think that is the issue. With the settings like this:

    <scan_time>1am</scan_time>
    <frequency>82800</frequency>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>no</scan_on_start>

It is not doing the realtime scan until after 1am. I confirmed this today. When I got in this morning and started editing some files on one of the servers, I started to get realtime alerts. I quickly checked the log files, and this is what I see:

2016/08/02 01:00:45 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/08/02 01:07:51 ossec-rootcheck: INFO: Ending rootcheck scan.
2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2016/08/02 03:14:52 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2016/08/02 03:34:28 ossec-syscheckd: INFO: Real time file monitoring started.

Ahhhh, OK....so, it is waiting until the 1am hour, it kicks off the regular scan, and once completed, then enables the realtime scan. OK, not really what we want, but at least we are onto something.  What we want, though, is nightly scans at a specific time (1am) but realtime scans all the time 24/7. What would be the correct settings for that?

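The log sequence in the post above is the whole story: syscheckd reports the realtime directories at startup, but only arms inotify after its first full scan finishes ("Real time file monitoring started."). A file edited in /etc during that window produces no realtime alert, and with scan_on_start set to no the window lasts until scan_time. The script below is an added example, not OSSEC code and not something posted in this thread: it reads ossec.log, decides whether realtime is configured but not yet armed for the most recent syscheckd start, and measures the gap. The sample log lines are the ones quoted in this thread, trimmed and embedded so the script runs offline; /var/ossec/logs/ossec.log as the default path is an assumption (the stock OSSEC install location).

```python
"""Check an OSSEC agent's ossec.log for whether realtime FIM is actually armed.

'Directory set for real time monitoring' means the directory is configured,
not that inotify watches are live. Watches go live only when syscheckd logs
'Real time file monitoring started.', which happens after the first full scan.
"""
import re
import sys
from datetime import datetime

# Log line shape: "YYYY/MM/DD HH:MM:SS daemon[(code)]: message"
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (ossec-[a-z]+)(?:\(\d+\))?: (.*)$"
)
REALTIME_DIR_RE = re.compile(r"Directory set for real time monitoring: '([^']+)'")

# Constructed sample: lines quoted in this thread, trimmed (agent restart on Aug 1).
STARTUP_LOG = """\
2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0
"""

# Constructed sample: the 1am scan the next day, again from lines quoted in the thread.
NEXT_MORNING_LOG = """\
2016/08/02 01:00:45 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2016/08/02 03:14:52 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2016/08/02 03:34:28 ossec-syscheckd: INFO: Real time file monitoring started.
"""


def parse_line(line):
    """Return (timestamp, daemon, message) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def _fresh_state(started_at=None):
    return {
        "syscheckd_started": started_at,
        "realtime_dirs": [],
        "first_scan_started": None,
        "realtime_started": None,
    }


def _seconds_between(earlier, later):
    if earlier is None or later is None:
        return None
    return int((later - earlier).total_seconds())


def analyze_realtime(lines):
    """Report realtime FIM status for the most recent syscheckd start in the log.

    A new 'Started (pid' line from syscheckd resets the state, because realtime
    has to be re-armed after every restart of the daemon.
    """
    state = _fresh_state()
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, daemon, msg = parsed
        if daemon != "ossec-syscheckd":
            continue
        if msg.startswith("INFO: Started (pid"):
            state = _fresh_state(ts)
            continue
        m = REALTIME_DIR_RE.search(msg)
        if m:
            state["realtime_dirs"].append(m.group(1))
        elif "Starting syscheck scan" in msg and state["first_scan_started"] is None:
            state["first_scan_started"] = ts
        elif "Real time file monitoring started" in msg:
            state["realtime_started"] = ts

    if not state["realtime_dirs"]:
        status = "not_configured"          # no realtime="yes" directories seen
    elif state["realtime_started"] is None:
        status = "configured_not_armed"    # the dangerous window from the thread
    else:
        status = "armed"

    return {
        "status": status,
        "realtime_dirs": state["realtime_dirs"],
        "seconds_start_to_armed": _seconds_between(state["syscheckd_started"], state["realtime_started"]),
        "seconds_scan_to_armed": _seconds_between(state["first_scan_started"], state["realtime_started"]),
    }


if __name__ == "__main__":
    # Assumed default path: the stock OSSEC agent log location.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/logs/ossec.log"
    with open(path) as fh:
        print(analyze_realtime(fh))
```

Run it on an agent right after a restart: a result of configured_not_armed, combined with scan_on_start set to no, means the realtime directories are unwatched until the scheduled scan completes. On the thread's own lines the gap from daemon start to armed watches is over thirteen hours, and more than two hours of that is the 1am scan itself.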

dan (ddp)

Aug 2, 2016, 9:01:20 AM
to ossec...@googlegroups.com
If what you have doesn't work, I'm not sure there are correct settings to do it.

You could probably setup cron to kick off a scan every morning at 1,
but I don't think there's currently a way to do it in the config.

Daniel Bray

Aug 2, 2016, 9:09:24 AM
to ossec...@googlegroups.com
Dan,

Really appreciate your help and attention to this. I guess I will just have to drop the idea of "nightly scans", and go with something like this:

    <frequency>28800</frequency>    <!-- every 8 hours -->
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>yes</scan_on_start>

This should force the scan on start, and thereby force the realtime scan to kick in soon after that completes. Then, just run regular scans every 8 hours (28800 seconds). That should be a good enough approach, and keep things scanned regularly and monitored. Honestly, that gives more of a 24/7 feel anyway.

Thanks again, at least now we know.