Realtime and report_changes syscheck for existing files and directories


Богдан Браткив

Feb 21, 2018, 5:34:08 AM
to Wazuh mailing list
Hi, team

I have a question regarding using syscheck and report_changes option.
The goal is to use realtime monitoring and report_changes for a specific directory which already exists.

Here is the wazuh agent configuration (shared config):

<agent_config os="Linux">
  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>
    <auto_ignore>no</auto_ignore>
    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/httpd/conf.d</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc</ignore>
    <ignore>/usr</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
  </syscheck>
</agent_config>


Here is part of the log after the agent restart:

2018/02/21 00:13:30 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc/httpd/conf.d'.
2018/02/21 00:13:32 ossec-logcollector: INFO: Monitoring output of command(360): df -P
2018/02/21 00:13:32 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2018/02/21 00:13:32 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 20
2018/02/21 00:13:32 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/error_log'.
2018/02/21 00:13:32 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/access_log'.
2018/02/21 00:13:32 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.
2018/02/21 00:13:32 ossec-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2018/02/21 00:13:32 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/messages'.
2018/02/21 00:13:32 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/secure'.
2018/02/21 00:13:32 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/maillog'.
2018/02/21 00:13:32 ossec-logcollector: INFO: Started (pid: 20753).
2018/02/21 00:14:02 ossec-syscheckd: INFO: Syscheck scan frequency: 43200 seconds
2018/02/21 00:14:32 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/02/21 00:14:32 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2018/02/21 00:20:43 ossec-syscheckd: INFO: Initializing real time file monitoring engine.
2018/02/21 00:20:43 ossec-syscheckd: INFO: Real time file monitoring engine started.
2018/02/21 00:20:43 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2018/02/21 00:20:53 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2018/02/21 00:21:13 rootcheck: INFO: Starting rootcheck scan.
2018/02/21 00:21:49 rootcheck: INFO: Ending rootcheck scan.
2018/02/21 00:21:49 ossec-syscheckd: INFO: Starting syscheck real-time monitoring.



However, none of the diff files are created; the /var/ossec/queue/diff/local/ directory is empty.
A diff file is only created when a new file is touched in the monitored directory.

How can existing files be monitored? I need to know what has changed inside the files of this directory.

Dmitriy

Feb 21, 2018, 7:32:20 AM
to Wazuh mailing list
Hi, I'm not a developer, but maybe I can help you.
You should try writing only this into agent.conf:

<syscheck>
  <directories check_all="yes" realtime="yes" report_changes="yes">/etc/httpd/conf.d</directories>
</syscheck>

Different rules should be written into different <syscheck> sections.
The first part of your config is unnecessary, because it's the default config of the agents.

I think the problem may be related to the line
<ignore>/etc</ignore>
You can try to ignore this directory in custom rules, or exclude the directory in the default config.


On Wednesday, February 21, 2018, 13:34:08 UTC+3, Богдан Браткив wrote:

Богдан Браткив

Feb 21, 2018, 9:03:47 AM
to Wazuh mailing list
Hi, thanks for the response.
I've tried putting only the syscheck section in agent.conf, as you proposed.
After restarting the agent (I waited for the "INFO: Starting syscheck real-time monitoring." message), the diff directory is still empty.

On Wednesday, February 21, 2018, 14:32:20 UTC+2, Dmitriy wrote:

Kat

Feb 21, 2018, 11:43:00 AM
to Wazuh mailing list
You are putting in a specific file to monitor, then in the next line telling Wazuh to ignore the entire folder.
Not sure why you would want that, especially if you do not specifically monitor /etc somewhere else.

Try removing the ignore of /etc.

Kat
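The shadowing Kat describes (a monitored directory sitting under a broader <ignore> prefix) is easy to miss in a shared agent.conf with several blocks. The following is an added example, not code from the thread or from Wazuh itself: a small lint that parses one or more top-level <agent_config> blocks, collects every syscheck <directories> path (including comma-separated lists) and every <ignore>, and reports directories that an ignore would swallow. It models a plain <ignore> as a string-prefix match on the path (an assumption stated here, consistent with what the poster observed); regex ignores (type="sregex") are only reported, not evaluated. The sample configuration strings are constructed for the example.

```python
"""Lint a Wazuh shared agent.conf for syscheck <directories> shadowed by <ignore>.

Assumption (modelled here, not taken from Wazuh's source): a plain <ignore>
entry is matched as a string prefix against every scanned path, so
<ignore>/etc</ignore> also covers /etc/httpd/conf.d.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the relevant part of the poster's shared config, plus one
# regex ignore to show how those entries are reported.
SAMPLE_AGENT_CONF = """
<agent_config os="Linux">
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/httpd/conf.d</directories>
    <ignore>/etc</ignore>
    <ignore>/usr</ignore>
    <ignore type="sregex">.log$</ignore>
    <nodiff>/etc/ssl/private.key</nodiff>
  </syscheck>
</agent_config>
"""

# Constructed sample: the ignore of /etc removed, a comma-separated directory
# list, a second <agent_config> block, and an ignore that points *inside* the
# monitored directory (which does not shadow the directory itself).
FIXED_AGENT_CONF = """
<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/httpd/conf.d,/etc/httpd/conf</directories>
    <ignore>/etc/httpd/conf.d/welcome.conf</ignore>
  </syscheck>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <ignore>/usr</ignore>
  </syscheck>
</agent_config>
"""


def parse_syscheck(conf_text):
    """Return (directories, ignores, regex_ignores) from every <syscheck> block.

    Wazuh config files may contain several top-level elements, so the text is
    wrapped in a synthetic root before parsing. directories is a list of
    (path, attributes) tuples.
    """
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    directories, ignores, regex_ignores = [], [], []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            # one <directories> element may list several paths separated by commas
            for path in (d.text or "").split(","):
                path = path.strip()
                if path:
                    directories.append((path, dict(d.attrib)))
        for ig in sc.findall("ignore"):
            text = (ig.text or "").strip()
            if ig.get("type") == "sregex":
                regex_ignores.append(text)
            else:
                ignores.append(text)
    return directories, ignores, regex_ignores


def shadowed_directories(conf_text):
    """(directory, ignore) pairs where a monitored path starts with an ignore prefix."""
    directories, ignores, _ = parse_syscheck(conf_text)
    return [(path, ig) for path, _attrs in directories
            for ig in ignores if path.startswith(ig)]


def lint(conf_text):
    """Human-readable findings; an empty list means nothing is shadowed."""
    msgs = []
    for path, ig in shadowed_directories(conf_text):
        msgs.append(f"SHADOWED: {path} is under <ignore>{ig}</ignore>; "
                    "realtime/report_changes will never fire for it")
    _, _, regex_ignores = parse_syscheck(conf_text)
    for rx in regex_ignores:
        msgs.append(f"NOTE: regex ignore '{rx}' is not evaluated by this lint; check it by hand")
    return msgs


if __name__ == "__main__":
    for msg in lint(SAMPLE_AGENT_CONF):
        print(msg)
```

Run it against the agent.conf pushed from the manager before restarting agents; any SHADOWED line means the realtime and report_changes attributes on that entry are dead configuration, which is exactly the symptom in this thread.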

Богдан Браткив

Feb 21, 2018, 12:11:58 PM
to Wazuh mailing list
Yes, good catch!
But even after removing the ignore of the /etc/ directory, diff files are not created. A diff file is only created when a new file is created in the directory. Existing ones are not being tracked.

On Wednesday, February 21, 2018, 18:43:00 UTC+2, Kat wrote:

Kat

Feb 21, 2018, 12:19:36 PM
to Wazuh mailing list
And for sure you are making a change to an existing file AFTER the real-time function has finished initializing?


On Wednesday, February 21, 2018 at 4:34:08 AM UTC-6, Богдан Браткив wrote:

alberto....@wazuh.com

Feb 21, 2018, 1:17:34 PM
to Wazuh mailing list
Hello 

Indeed, as Kat has indicated, please verify that your changes were made after the real-time function finished initializing. Take into account that real-time doesn't work while a "normal" scheduled Syscheck scan is under execution.

In addition to this:


This commit fixes the following issue: in versions 3.0 and earlier, the first Syscheck scan on a file showed an alert if the file had changed, but didn't show the diff. After the first change, the diff was shown. That occurred after an agent reboot. What version of Wazuh are you using? You can verify by executing:

cat /etc/ossec-init.conf

What about the alert? Are you receiving the Syscheck alert, or is it missing?

Best regards, 
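Kat's and Alberto's point is about timing: a change made before the "Starting syscheck real-time monitoring" line, or while a scheduled scan is running, will not produce a realtime event or diff. The following is an added example, not code from the thread or from Wazuh: it reads ossec-syscheckd lines from ossec.log, finds when realtime became active and the windows of the scheduled scans, and classifies a change timestamp as "before-realtime", "during-scan" or "realtime". The log text is constructed: it reuses the poster's lines and adds a second scheduled scan twelve hours later (matching frequency 43200) so the during-scan case can be shown.

```python
"""Classify a file change against the syscheck timeline recorded in ossec.log."""
import re
from datetime import datetime

# Constructed sample: the poster's syscheckd lines plus a later scheduled scan
# (12 hours on, matching <frequency>43200</frequency>) added for illustration.
SAMPLE_LOG = """\
2018/02/21 00:13:30 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc/httpd/conf.d'.
2018/02/21 00:14:02 ossec-syscheckd: INFO: Syscheck scan frequency: 43200 seconds
2018/02/21 00:14:32 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/02/21 00:14:32 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2018/02/21 00:20:43 ossec-syscheckd: INFO: Real time file monitoring engine started.
2018/02/21 00:20:53 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2018/02/21 00:21:49 ossec-syscheckd: INFO: Starting syscheck real-time monitoring.
2018/02/21 12:14:32 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/02/21 12:20:00 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: (.*)$")


def syscheck_events(log_text):
    """Yield (timestamp, message) for every ossec-syscheckd INFO line, in file order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2)


def realtime_ready_at(log_text):
    """Timestamp at which realtime monitoring actually began, or None if it never did."""
    for ts, msg in syscheck_events(log_text):
        if msg.startswith("Starting syscheck real-time monitoring"):
            return ts
    return None


def scheduled_scan_windows(log_text):
    """(start, end) pairs of scheduled scans; a scan still running gets end=None."""
    windows, start = [], None
    for ts, msg in syscheck_events(log_text):
        if msg.startswith("Starting syscheck scan"):
            start = ts
        elif msg.startswith("Ending syscheck scan") and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def classify_change(log_text, change_time):
    """Say which mechanism, if any, would pick up a change made at change_time.

    before-realtime: realtime was not yet active, so no realtime event or diff.
    during-scan:     a scheduled scan was running; realtime is not effective then.
    realtime:        the change falls inside an active realtime period.
    """
    ready = realtime_ready_at(log_text)
    if ready is None or change_time < ready:
        return "before-realtime"
    for start, end in scheduled_scan_windows(log_text):
        if start <= change_time and (end is None or change_time <= end):
            return "during-scan"
    return "realtime"


if __name__ == "__main__":
    print("realtime ready at:", realtime_ready_at(SAMPLE_LOG))
    for t in (datetime(2018, 2, 21, 0, 15), datetime(2018, 2, 21, 0, 22), datetime(2018, 2, 21, 12, 15)):
        print(t, "->", classify_change(SAMPLE_LOG, t))
```

In the poster's log the gap between "Starting syscheck scan" (00:14:32) and "Starting syscheck real-time monitoring" (00:21:49) is over seven minutes; a test edit made anywhere in that window is baseline data, not a change, which is why the diff directory stays empty.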

Богдан Браткив

Feb 21, 2018, 2:20:22 PM
to Wazuh mailing list
It seems that the issue was indeed in the ignore statements. Now everything seems to be working.
I'm using Wazuh v3.2 for the agent and Wazuh v3.1 for the server.
Thanks everyone
On Wednesday, February 21, 2018, 20:17:34 UTC+2, alberto....@wazuh.com wrote:

Santiago Bassett

Feb 22, 2018, 11:43:27 AM
to Богдан Браткив, Wazuh mailing list
Hi,

we always recommend that the server version be equal to or higher than the agents' version. Servers are compatible with older agent versions, but not the other way around.

Best regards

Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/52ee20ff-1972-416b-8516-5a631aafe89f%40googlegroups.com.

