Syscheck file integrity monitoring


Felipe Andres Concha Sepúlveda

Nov 16, 2018, 8:18:45 AM
to Wazuh mailing list
Hello everyone, a question: I am installing some agents in Windows and I see that the documentation says that, by default, the following directories are being monitored (see photo 1).

When looking at the ossec.conf file of the Windows agent (see photo 2) I have some questions:

1.- The documentation (photo 1) says that by default the path C:\Windows\System32 is monitored, but that line is not in the ossec.conf. I understand that I must add it?
2.- In the same Windows ossec.conf file there is a configuration for Unix files (see photo 2), and the directories /bin and /sbin are repeated. Why does that happen?


Regards,




Photo 1

Photo 2

Manuel Jiménez

Nov 16, 2018, 8:57:49 AM
to felipeandresc...@gmail.com, wa...@googlegroups.com

Hello Felipe,

The ossec.conf file of the Windows agent already adds the System32 directory line. It looks like the first image that you attached here corresponds with the ossec.conf of a Linux agent.
In a Windows agent, a clean ossec.conf which has not been configured must look exactly like this. Did you modify the content of the file or did you paste the content of the Linux ossec.conf?
You can try uninstalling the Windows agent and then installing it again; the ossec.conf file should be restored.

Regarding your second question, the directories are not being duplicated, one line has /usr/bin and /usr/sbin and the other has /bin and /sbin. They’re different directories.

I hope this helps, let me know if you’re still having trouble.

Regards,
Manuel



Felipe Andres Concha Sepúlveda

Nov 16, 2018, 9:07:58 AM
to Manuel Jiménez, wa...@googlegroups.com
Thanks for your answer, Manuel. It is the file that remained after the installation with Ansible.

Can I copy the file you sent me and replace the one I have with it?



_______________________________________________________________
<!-- Ansible managed -->
<!--
  Wazuh - Agent
-->

<ossec_config>
  <client>
    <server>
      <address>192.168.2.200</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <auto_restart>yes</auto_restart>
  </client>

  <logging>
    <log_format>plain</log_format>
  </logging>

  <active-response>
    <disabled>no</disabled>
  </active-response>

  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <syscheck>
    <disabled>no</disabled>
    <directories check_all="yes" realtime="yes" restrict="^C:\wazuh-agent/shared/agent.conf$">C:\wazuh-agent</directories>

    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <!-- Frequency that syscheck is executed - 43200 seconds, i.e. every 12 hours -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Files no diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
  </syscheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tln | grep -v 127.0.0.1 | sort</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

</ossec_config>




Regards
Felipe


Manuel Jiménez

Nov 16, 2018, 9:16:57 AM
to felipeandresc...@gmail.com, wa...@googlegroups.com
Hi Felipe,

Sure, you can take it. Just make sure that you change the required parameters of your configurations on it. After that, please restart the agent.
Don't hesitate to write again if you have any questions.

Best regards,
Manuel

Felipe Andres Concha Sepúlveda

Nov 16, 2018, 9:18:34 AM
to Manuel Jiménez, wa...@googlegroups.com
Perfect, thanks Manuel!!!

Felipe Andres Concha Sepúlveda

Nov 19, 2018, 11:06:34 AM
to Manuel Jiménez, Wazuh mailing list
Thanks for the response. With this I have some questions:

01 I copied the ossec.conf file into the agent (the file that you indicated to me), changing the IP to that of my Wazuh manager, but when I checked its log I have the following errors:

02 Why, when installing the agent with Ansible, is the ossec.conf file incorrect?

This is the ossec.conf file created by Ansible.
On 16-11-2018, at 15:16, Manuel Jiménez <manuel....@wazuh.com> wrote:

Manuel Jiménez

Nov 19, 2018, 11:38:31 AM
to Felipe Andres Concha Sepúlveda, wa...@googlegroups.com

Hello Felipe,

It seems that the value of the crypto_method field is not correct. According to the documentation, that field can only contain these values: blowfish, aes.
Please check your ossec.conf at that point or try to find any wrong XML notation in it. Also, if you didn't yet, you could try to completely remove that corrupted ossec.conf file and create it again with the content of the attached file.
If that doesn't fix your problem, and in order to provide better assistance for you, it'd be helpful if you attach here the full content of the ossec.conf file of your Windows agent. In case it contains sensitive information, please hide it by writing '*'. Additionally, please indicate the version of Windows you're working on.

Regarding your other question, we've checked that the ossec.conf template used by our Ansible playbooks is currently incomplete; that's why you did not see the default ignored directories. There is already an issue for approaching this; you can keep track of it here.

I hope this helps. Don’t hesitate to write here again if you need it.

Regards,
Manuel

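As an added example (not code from this thread or from the Wazuh project), a small Python check for the problems Manuel describes above: a crypto_method value outside {blowfish, aes}, malformed XML, and a Windows agent ossec.conf that carries the Linux syscheck directories while missing C:\Windows\System32. It assumes crypto_method sits under <client>; both sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Values the thread cites as the only valid ones for <crypto_method>
ALLOWED_CRYPTO = {"blowfish", "aes"}
# Directory the documentation says a Windows agent monitors by default
WINDOWS_SYSTEM32 = r"C:\Windows\System32"


def check_windows_agent_conf(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # the "wrong XML notation" case
        return [f"malformed XML: {exc}"]
    findings = []
    for elem in root.iter("crypto_method"):
        value = (elem.text or "").strip().lower()
        if value not in ALLOWED_CRYPTO:
            findings.append(f"invalid crypto_method '{value}' (allowed: aes, blowfish)")
    monitored = []
    for elem in root.iter("directories"):  # comma-separated path lists
        monitored += [p.strip() for p in (elem.text or "").split(",") if p.strip()]
    unix_paths = [p for p in monitored if p.startswith("/")]
    if unix_paths:
        findings.append("Unix-only paths in a Windows syscheck: " + ", ".join(unix_paths))
    if not any(p.lower() == WINDOWS_SYSTEM32.lower() for p in monitored):
        findings.append(f"syscheck does not monitor {WINDOWS_SYSTEM32}")
    return findings


# Constructed sample modelled on the Ansible-generated file in the thread;
# the crypto_method value is invented here to trigger the check.
BAD_CONF = """<ossec_config>
  <client>
    <server><address>192.168.2.200</address><port>1514</port></server>
    <crypto_method>none</crypto_method>
  </client>
  <syscheck>
    <directories check_all="yes" realtime="yes">C:\\wazuh-agent</directories>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>"""

# Constructed sample of what a clean Windows agent config should satisfy.
GOOD_CONF = """<ossec_config>
  <client><crypto_method>aes</crypto_method></client>
  <syscheck>
    <directories check_all="yes">C:\\Windows\\System32</directories>
  </syscheck>
</ossec_config>"""

if __name__ == "__main__":
    for name, conf in (("ansible-generated", BAD_CONF), ("clean", GOOD_CONF)):
        print(name, "->", check_windows_agent_conf(conf) or "OK")
```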

Felipe Andres Concha Sepúlveda

Nov 19, 2018, 12:14:09 PM
to Manuel Jiménez, Wazuh mailing list
Hello, I have reinstalled the agent with ansible to see its behavior.
Again, an ossec.conf file was created that does not correspond to the correct one.
It's good that your team is already working on it.

But there is another thing: when I install it with Ansible it is created in a direct path in C: and not inside the "Program Files (x86)" folder, as the documentation says it is when installed manually.

Is this also a problem?





Manuel Jiménez

Nov 19, 2018, 12:35:04 PM
to Felipe Andres Concha Sepúlveda, wa...@googlegroups.com
Hi Felipe,

Regarding your question, it shouldn't be a problem. However, I'll let the DevOps team know about this so they can test it, and then I will let you know in case this provokes any error.
In any case, we will modify our Ansible playbooks so that they produce the same behavior as expected when installing by the normal process.
I'd like to thank you for the collaboration you're doing, it's being very valuable for us.

I'll be glad to help you with anything you may need.

Regards,
Manuel

Felipe Andres Concha Sepúlveda

Nov 20, 2018, 6:48:58 AM
to Manuel Jiménez, Wazuh mailing list
Hello, thank you Manuel for your response!!!
The problem I have when replacing the ossec.conf file created by the Ansible installation with the correct one may be related to the fact that when I install the agents with Ansible it is not installing the latest version, but version 3.1.0; probably that is why replacing the ossec.conf file gives me the errors.

So we can see that the main problem here is that an incorrect version is being installed, and also that when installing it does not completely create the ossec.conf file.

I was comparing my Ansible tasks file and it is the same one that I currently have published on GitHub; the only difference is in line 65.





Ansible Install 



Manuel Jiménez

Nov 20, 2018, 9:18:17 AM
to Felipe Andres Concha Sepúlveda, wa...@googlegroups.com

Hello again, Felipe,

The reason why your Ansible playbook for the Windows agent is installing v3.3.1 may be that you took the playbooks from the master branch of the wazuh-ansible repository. You can get the latest version of the roles and playbooks from the 3.7 branch. You can check this Pull Request, where the changes for installing the latest version of the Wazuh agent in Windows were made. Please try to deploy the Wazuh agent again using the updated playbooks.

I hope it helps.

Regards,
Manuel


Felipe Andres Concha Sepúlveda

Nov 20, 2018, 9:31:07 AM
to Manuel Jiménez, Wazuh mailing list
Thanks, Manuel. I was making the manual change, but since you sent it to me, I save that effort!
All my agents are on version 3.6.1; is there a problem if I install new ones with version 3.7?




Regards,
Felipe


Manuel Jiménez

Nov 20, 2018, 10:06:18 AM
to Felipe Andres Concha Sepúlveda, wa...@googlegroups.com

Hello Felipe,

In order to install the v3.6.1 agent in Windows with Ansible, you can modify the vars block of the wazuh-agent playbook, so that the package to be installed is v3.6.1. Please edit the wazuh-agent.yml playbook and add the following content to it:

  ...
  vars:
    ...
    wazuh_winagent_config:
      install_dir: 'C:\wazuh-agent\'
      version: '3.6.1'
      revision: '1'
      repo: https://packages.wazuh.com/3.x/windows/
      md5: adea07f0b575b63f0328b49eb09f2173

Additionally, we created an issue for the current installation directory in Windows. As you said, it's not being installed in C:\Program Files(x86)\ossec-agent as the documentation indicates. You can keep track of it here.

Regards,
Manuel

Felipe Andres Concha Sepúlveda

Nov 21, 2018, 6:40:42 AM
to Manuel Jiménez, Wazuh mailing list
Manuel, thanks for your help!!!

Question: to do a manual installation of version 3.6.1, do I simply change the current link and change the version to 3.6.1?
Would it be this way?




I did a test and the 3.6.1 package was downloaded; I just wanted to confirm with you that this is the correct one.



Regards
Felipe



Manuel Jiménez

Nov 21, 2018, 6:45:25 AM
to Felipe Andres Concha Sepúlveda, wa...@googlegroups.com
Hi Felipe,

Yes, that's the correct package for installing a Wazuh agent v3.6.1 for Windows.
Write here again if you have any questions.

Regards,
Manuel

Felipe Andres Concha Sepúlveda

Nov 21, 2018, 6:47:46 AM
to Manuel Jiménez, Wazuh mailing list
Thanks Manuel!!!

