ossec-syscheckd realtime scanning does not detect file integrity changes when rootcheck is enabled

[Liam Curtis]

Hello all,

Enjoying getting to know ossec deeper than when I have used in the past. Unfortunately, have run into an issue with realtime file integrity checking. This also happens on other machines with 2.8 debian package or by compiling from latest wazuh source or ossec-hids source. Have tried on ubuntu 16.04 and 14.04. 

With rootcheck disabled, realtime detection works instantly and without a hitch, but with rootcheck enabled, I get sporadic results...alert is delayed or does not occur at all.

I can see from strace of ossec-syscheckd that rootcheck gets quite busy checking PIDS....

Is this a known issue? Thank you in advance...

[Liam Curtis]

Well think I got it...details here:

https://github.com/ossec/ossec-hids/issues/973

seems like <auto_ignore> was biting me....also check_pids on rootkit taking forever to process, so between the two....

Hopefully this all helps someone down the road.

[Liam Curtis]

But Also....any way to speed up the PID_CHECK? seems to take a very long time to finish, during which realtime monitoring does not work.

[Victor Fernandez]

Hi Liam,

unfortunately Syscheck and Rootcheck features are run in the same process and can't work together (at the same time). In short, the process works looping over three steps:

1. Complete Syscheck scan.
2. Rootcheck test.
3. Real-time Syscheck monitoring.

So, every file changed during the Rootcheck scan should be checked just after Rootcheck ends, but events aren't being lost.

The setting <auto_ignore> doesn't work for that. This option must be at the manager (not the agent) and, when set to yes, makes it to discard any modified file event if that file has been changed more that 3 times, so files that change too often won't trigger an alert.

Best regards,

Victor.