File Integrity not working


krunal kalaria

Mar 30, 2018, 2:58:07 AM
to Wazuh mailing list
Hello Guys,

I am running Wazuh 3.2 and ELK 6.2 on RHEL 7. I am facing an issue with the file integrity module: I am trying to modify, delete or add some new files, but they are not showing. Before that it was running perfectly, but now it is not working; whenever I change a file it is not shown in the file integrity module.

Following is my ossec.conf file:

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>36000</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 3 times -->
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    <directories check_all="yes" realtime="yes">/home</directories>
    <directories check_all="yes" realtime="yes">/root</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
  </syscheck>

Can you tell me if I am wrong with this configuration?

Thanks & Regards,
Krunal. 

Santiago Bassett

Mar 30, 2018, 12:03:31 PM
to krunal kalaria, Wazuh mailing list
Hi Krunal,

Here are some comments that may help:

'auto_ignore' and 'alert_new_files':

These are settings that are used on the server side, they are not used if included in agents ossec.conf files.

'agent.conf':

This file is pushed from the server to the agents. Unless you have defined different agent groups, you will find this file in your server under /var/ossec/etc/shared/default directory. 

Whatever is included in 'agent.conf' is appended to the 'ossec.conf' settings and then read by the agent. In case of conflict (e.g. two different frequencies for 'syscheck'), the last setting read is the one that is used (that would be the one in the 'agent.conf' file).

Rootcheck scans, syscheck scans and realtime:

They are used for different things:
  • Rootcheck scans: Used for configuration assessment, malware and rootkits detection.
  • Syscheck scans: Run periodically (by default every 12 hours) to detect file changes.
  • Syscheck realtime option: Allows you to monitor directories in real-time.
Because of how the agent has been designed, realtime monitoring pauses during Rootcheck and Syscheck scheduled scans. This means that realtime syscheck alerts (for FIM) are only sent after these scans are completed. 

There are situations where these scans take several minutes to complete, or are launched just after the agent starts or restarts. This is why you will not see syscheck real-time alerts until they are done. We are in the process of redesigning the agent architecture so this does not happen in future versions.

'/var/ossec/etc/local_internal_options.conf':

Try the following settings:
  • rootcheck.sleep=0
  • syscheck.sleep=0
  • syscheck.debug=2
There are several sleeps used by syscheck and rootcheck that slow the scans on purpose. This is done to avoid impacting the performance of production servers. For testing you can set them to zero, and both syscheck and rootcheck scheduled scans will complete much, much faster.

The debug option set to '2' will also write more info on what is going on in your /var/ossec/logs/ossec.log file.

Don't forget to restart your agent after these changes are made. Other than that, your configuration settings look good.

Best regards,

Santiago.
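A way to apply the local_internal_options.conf settings from the reply above and restart the agent, as an added example that is not part of the thread; it assumes a POSIX sh on the agent host, and takes the file path as a parameter so it can be tried on a scratch copy first (the default path, the wazuh-agent unit and ossec-control are the standard Wazuh 3.x locations).

```shell
#!/bin/sh
# Added example, not from the thread: set rootcheck.sleep=0, syscheck.sleep=0 and
# syscheck.debug=2 in local_internal_options.conf without duplicating keys, then
# restart the agent. Assumes POSIX sh; FILE is a parameter so it can be tested on a copy.

# set_internal_option FILE KEY VALUE: rewrite an existing "KEY=..." line or append one.
set_internal_option() {
    file=$1; key=$2; value=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key_re}=" "$file"; then
        tmp=$(mktemp)
        sed "s|^${key_re}=.*|${key}=${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # overwrite in place so owner/mode of the file are kept
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_internal_option FILE KEY: print the value on the last "KEY=..." line, if any.
get_internal_option() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^${key_re}=||p" "$1" | tail -n 1
}

# apply_test_settings [FILE]: the three settings suggested in the reply.
apply_test_settings() {
    file=${1:-/var/ossec/etc/local_internal_options.conf}
    set_internal_option "$file" rootcheck.sleep 0
    set_internal_option "$file" syscheck.sleep 0
    set_internal_option "$file" syscheck.debug 2
}

# restart_agent: systemd unit on Wazuh 3.x is wazuh-agent; ossec-control is the fallback.
restart_agent() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart wazuh-agent
    else
        /var/ossec/bin/ossec-control restart
    fi
}

# Only touch the real agent when explicitly asked: sh apply_fim_test.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_test_settings
    restart_agent
    grep -i syscheck /var/ossec/logs/ossec.log | tail -n 20   # debug=2 output lands here
fi
```

Run it on a copy of the file first; once the debug lines in ossec.log confirm the scheduled scans finish quickly, the realtime alerts for /home and /root should start appearing.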


krunal kalaria

Apr 3, 2018, 12:04:33 AM
to Wazuh mailing list
Thanks Santiago,

I'll try this as you guided me; if any issue or error occurs after this, I'll let you know.

Thanks & Regards,
Krunal.