Integrity Monitoring


Andrew A

Jul 13, 2022, 8:52:30 AM
to Wazuh mailing list
Hello,

    Need some assistance with integrity monitoring. I can't honestly tell if it's doing anything at all. I've had this working perfectly fine on other builds with whodata running, but it doesn't appear to be doing anything when I don't have live monitoring turned on.

Here's my group config:

<agent_config>
    <syscheck>
        <frequency>36000</frequency>
        <directories>/etc,/usr/bin,/usr/sbin,/tmp</directories>
        <directories>/bin,/sbin</directories>
        <alert_new_files>yes</alert_new_files>
    </syscheck>
</agent_config>


I placed a new file in /tmp to test and I've gotten no notifications in my integrity monitor module over the last couple of days.

The logs are saying a scan is running:

Jul 13, 2022 @ 02:32:27.000 wazuh-syscheckd INFO (6008): File integrity monitoring scan started.
Jul 13, 2022 @ 02:32:31.000 wazuh-syscheckd INFO (6009): File integrity monitoring scan ended.

Andrew A

Jul 13, 2022, 9:00:33 AM
to Wazuh mailing list

I can get it to work fine using:

<syscheck>
    <directories check_all="yes" whodata="yes">/tmp</directories>
    <alert_new_files>yes</alert_new_files>
</syscheck>

but is live monitoring the only option here? I thought I should get the same results over the ~10 hr scan.

Delfina Lizarralde Bressan

Jul 13, 2022, 10:02:21 AM
to Wazuh mailing list
Hi Andrew!

No, real-time monitoring isn't the only option. For the scheduled scans, you can use the frequency, scan_time and scan_day options.

Could you try with this please:

<syscheck>
    <frequency>36000</frequency>
    <directories check_all="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin,/tmp</directories>
    <directories check_all="yes" report_changes="yes">/bin,/sbin</directories>
    <alert_new_files>yes</alert_new_files>
</syscheck>

The check_all attribute of the directories option allows checks of the file size, permissions, owner, last modification date, inode, and all the hash sums (MD5, SHA1, and SHA256). By default, syscheck scans selected directories, whose list depends on the default configuration for the host's operating system.

To report the exact content changed in a text file or a Windows registry value, syscheck can be configured with the report_changes attribute of the directories or the registries options. report_changes should be used with caution, as Wazuh copies every single monitored file to a private location.

Here is an example:

<syscheck>
  <disabled>no</disabled>
  <scan_on_start>yes</scan_on_start>
  <frequency>300</frequency>
  <directories check_all="yes" realtime="yes" report_changes="yes">C:/apple</directories>
  <directories check_all="yes">C:/orange</directories>
</syscheck>

The above enables syscheck FIM on the windows-agent, such that a periodic scan of C:\orange will take place shortly after the start or restart of the Wazuh agent, and then every 300 seconds thereafter.

The C:\apple directory will be monitored in real-time for file changes, while the C:\orange directory will only be periodically scanned for changes. Changes to existing text files in C:\apple will trigger an alert that includes the details of the actual text that was changed, while changes to C:\orange files will not include details of actual file content changes.

Alerts about changes in C:\apple\ will show up promptly, while alerts about changes in C:\orange\ will not be notified until the next periodic (5 minute) syscheck scan. You can force a periodic syscheck scan sooner by restarting the Windows agent, but still expect to wait a minute or so before the scan runs.


Hope this helps you.
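The following is an added illustration, not Wazuh's syscheckd code, of what the scheduled-scan configuration above does: it parses a constructed <syscheck> fragment, takes a baseline of the listed directories, and on the next scan reports added, deleted and modified files. Under check_all it records size, mode, owner, mtime, inode and the MD5/SHA1/SHA256 sums; under report_changes it keeps a private copy of each file so the next scan can attach a diff of the text that changed. The directory names apple and orange mirror the Windows example, the hosts/notes.txt file contents are constructed sample data, and the simplification that a directory without check_all compares only hashes is this model's own assumption. The point it makes concrete is the one in the thread: a file dropped between two scans produces nothing until the next scheduled scan runs.

```python
"""Minimal model of a scheduled (non-realtime) FIM scan.  Added example; not
Wazuh's own implementation.  Paths, file contents and the 'hashes only without
check_all' rule are constructed assumptions for the demonstration."""
import difflib
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed config: 'apple' gets full attribute tracking plus content diffs,
# 'orange' is scanned with hashes only (model simplification).
CONFIG_XML = """<syscheck>
    <frequency>36000</frequency>
    <directories check_all="yes" report_changes="yes">/tmp/apple</directories>
    <directories>/tmp/orange</directories>
</syscheck>"""


def parse_syscheck(xml_text):
    """Return [(path, check_all, report_changes)] for every <directories> entry."""
    root = ET.fromstring(xml_text)
    entries = []
    for d in root.findall("directories"):
        check_all = d.get("check_all", "no") == "yes"
        report_changes = d.get("report_changes", "no") == "yes"
        for path in d.text.split(","):
            entries.append((path.strip(), check_all, report_changes))
    return entries


def file_attributes(path, check_all):
    """Snapshot one file: the three hashes always, extra metadata under check_all."""
    with open(path, "rb") as fh:
        data = fh.read()
    attrs = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if check_all:
        st = os.stat(path)
        attrs.update(size=st.st_size, mode=oct(st.st_mode & 0o7777),
                     uid=st.st_uid, gid=st.st_gid,
                     mtime=int(st.st_mtime), inode=st.st_ino)
    return attrs, data


def scan(entries):
    """One full scheduled scan: snapshot every regular file under each directory."""
    snapshot = {}
    for directory, check_all, report_changes in entries:
        for root, _dirs, files in os.walk(directory):
            for name in files:
                path = os.path.join(root, name)
                if not os.path.isfile(path):
                    continue
                attrs, data = file_attributes(path, check_all)
                # report_changes keeps a private copy of the content so the next
                # scan can show what changed; this is the disk cost the reply warns about.
                snapshot[path] = (attrs, data if report_changes else None)
    return snapshot


def compare(baseline, current):
    """Diff two snapshots into FIM events ('added' is what alert_new_files reports)."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append({"event": "added", "path": path})
        elif path not in current:
            events.append({"event": "deleted", "path": path})
        else:
            old_attrs, old_data = baseline[path]
            new_attrs, new_data = current[path]
            changed = [k for k in new_attrs if old_attrs.get(k) != new_attrs[k]]
            if not changed:
                continue
            ev = {"event": "modified", "path": path, "changed": changed}
            if old_data is not None and new_data is not None:
                ev["diff"] = "".join(difflib.unified_diff(
                    old_data.decode("utf-8", "replace").splitlines(True),
                    new_data.decode("utf-8", "replace").splitlines(True),
                    "before", "after"))
            events.append(ev)
    return events


def demo():
    """Baseline a constructed tree, change it, rescan; return the resulting events."""
    base = tempfile.mkdtemp()
    apple, orange = os.path.join(base, "apple"), os.path.join(base, "orange")
    os.makedirs(apple)
    os.makedirs(orange)
    with open(os.path.join(apple, "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")          # constructed sample content
    with open(os.path.join(orange, "notes.txt"), "w") as fh:
        fh.write("first draft\n")                  # constructed sample content
    entries = parse_syscheck(CONFIG_XML.replace("/tmp/apple", apple)
                                       .replace("/tmp/orange", orange))
    baseline = scan(entries)
    # Changes made between scans: nothing fires until the next scan runs.
    with open(os.path.join(apple, "hosts"), "a") as fh:
        fh.write("10.0.0.5 added-entry\n")
    with open(os.path.join(apple, "dropped.sh"), "w") as fh:
        fh.write("#!/bin/sh\n")
    with open(os.path.join(orange, "notes.txt"), "w") as fh:
        fh.write("second draft\n")
    assert compare(baseline, baseline) == []       # still silent before the rescan
    return compare(baseline, scan(entries))


if __name__ == "__main__":
    for event in demo():
        print(event["event"], event["path"], event.get("changed", ""))
        if "diff" in event:
            print(event["diff"])
```

Running it prints one 'added' event for dropped.sh, a 'modified' event for hosts listing size and all three hashes with the unified diff attached, and a 'modified' event for notes.txt that lists only hash changes and carries no diff, which is the same contrast the reply draws between C:\apple and C:\orange.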

Andrew A

Jul 13, 2022, 10:24:33 AM
to Wazuh mailing list

I think that puts it nicely. I must be terrible at reading docs... after someone explains it on here it makes much more sense.

Thank you