Hi Dan,

Thanks.

Regards,
Marcos

On Tue, Jul 10, 2012 at 10:12 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Sat, Jun 30, 2012 at 2:02 PM, Marcos Tang <marcostang2...@yahoo.com> wrote:
> > Hi,
> >
> > I have 2 questions about OSSEC and I want to know your answer.
> >
> > Today, the syscheck_control -i 125 -f /usr/local/bin/test1 shows the
> > following results (see the background information section below).
> >
>
> Scrolling to reference the information below then scrolling back to
> read the questions was quite annoying.
>
> > My understanding of the syscheck_control output is
> > (a) this file is initially added to the DB (first scan) at Jun 15 08:05:46.
> > (b) However, this file is not found anymore on Jun 29 08:48:52.
> >
> > When OSSEC tells me this file is not found at Jun 29 08:48:52, what is the
> > exact meaning of this time stamp? Is it the time of the next scan? Or is
> > it the time the file was deleted?
> >
>
> Check your logs. When does ossec.log say the scan was? Turn on the log
> all option, check for log messages about a changed file and compare
> the timestamps. I'm guessing it will be scan times, because I don't
> know of a way to find the deleted time (when realtime isn't in use).
>
> > Besides, if I use the command "cp -p test1.bak test1", which copies the
> > file back to the original location without changing the modified time, will
> > OSSEC be able to detect it on the next scan?
> >
>
> Did the file change? If so, then yes it should catch it.
>
> > Thanks & Regards,
> > Marcos
> >
> > ===============
> > Background Information
> > ===============
> > (1) Inside the agent.conf file, I set the frequency of the integrity check
> > to 24 hours
> >
> > <agent_config os="unix">
> >
> >   <!-- Syscheck - Integrity Checking config. -->
> >   <syscheck>
> >
> >     <!-- Default frequency, every 24 hours. It doesn't need to be higher
> >        - on most systems and once a day should be enough.
> >     -->
> >     <frequency>86400</frequency>
> >
> > (2) From the syscheck_control output, I get the following:
> >
> > Integrity changes for agent 'agent123 (125) - 172.30.79.7':
> > Detailed information for entries matching: '/usr/local/bin/test1'
> >
> > 2012 Jun 15 08:05:46,0 - /usr/local/bin/test1
> > File added to the database.
> > Integrity checking values:
> >    Size: 19
> >    Perm: rwxrwxrwx
> >    Uid: 269378
> >    Gid: 30100
> >    Md5: ad7dac2dc34dd91cf691847522c34ac2
> >    Sha1: b17ddaeb2775ff652df6279eebc8ef6c6f4be906
> >
> > 2012 Jun 29 08:48:52,0 - /usr/local/bin/test1
> > File changed. - 1st time modified.
> > Integrity checking values:
> >    Size: 19
> >    Perm: rwxrwxrwx
> >    Uid: 269378
> >    Gid: 30100
> >    Md5: >xxx
> >    Sha1: >xxx
> >
> >
> > Regards,
> > Marcos
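The two points in the exchange above (the timestamp on a syscheck event is the time the scheduled scan ran, and "cp -p" only preserves the modification time, so it cannot hide a content change from a comparison of size, permissions, owner and hashes) can be seen with a small Python model of a syscheck-style scan. This is an added example and not OSSEC's own code: it stores exactly the fields syscheck_control prints above (size, perm, uid, gid, md5, sha1; mtime is not among them), and the file names test1 / test1.bak, the temporary directory and the file contents are constructed for the demonstration.

```python
# Added example, not OSSEC code: a minimal syscheck-style integrity scan that
# records the fields shown by syscheck_control (size, perm, uid, gid, md5,
# sha1) and keeps no mtime, then walks through the scenarios from the thread.
import hashlib
import os
import shutil
import stat
import tempfile
import time


def fingerprint(path):
    """The attributes one scan stores for a file; mtime is deliberately absent."""
    st = os.stat(path)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {
        "size": st.st_size,
        "perm": stat.filemode(st.st_mode)[1:],  # "rwxrwxrwx" style, as in the output above
        "uid": st.st_uid,
        "gid": st.st_gid,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
    }


def scan(paths, db, scan_time=None):
    """One scheduled pass over `paths` against the in-memory database `db`.

    Every event carries the scan time: a periodic scan only learns about a
    change when it runs, so it cannot report when a file was really deleted.
    """
    scan_time = scan_time or time.strftime("%Y %b %d %H:%M:%S")
    events = []
    for p in paths:
        if not os.path.exists(p):
            if p in db:
                events.append((scan_time, p, "File not found."))
                del db[p]
            continue
        current = fingerprint(p)
        if p not in db:
            events.append((scan_time, p, "File added to the database."))
        elif current != db[p]:
            events.append((scan_time, p, "File changed."))
        db[p] = current
    return events


def demo():
    """Replay the thread's scenarios on constructed files in a temp directory."""
    work = tempfile.mkdtemp()
    test1 = os.path.join(work, "test1")        # assumed name, as in the thread
    backup = os.path.join(work, "test1.bak")   # assumed name, as in the thread
    with open(test1, "w") as f:
        f.write("#!/bin/sh\necho ok\n")
    shutil.copy2(test1, backup)  # copy2 behaves like cp -p: keeps mode and mtime
    db = {}
    results = {}

    # First scan: the file enters the database.
    results["first_scan"] = scan([test1], db, "scan 1")

    # cp -p of an identical backup: same content, same mode, same mtime,
    # so there is nothing for the next scan to report.
    shutil.copy2(backup, test1)
    results["identical_restore"] = scan([test1], db, "scan 2")

    # Change the content, then put the old mtime back to defeat mtime-only
    # checks; size and both hashes still differ, so the scan reports it.
    old_mtime_ns = os.stat(test1).st_mtime_ns
    with open(test1, "a") as f:
        f.write("echo tampered\n")
    os.utime(test1, ns=(old_mtime_ns, old_mtime_ns))
    results["mtime_preserved"] = os.stat(test1).st_mtime_ns == old_mtime_ns
    results["tampered"] = scan([test1], db, "scan 3")

    # cp -p the clean backup back: relative to the stored (tampered) values the
    # file changed again, so this restore is reported as well.
    shutil.copy2(backup, test1)
    results["restore_after_tamper"] = scan([test1], db, "scan 4")

    # Delete the file: the only timestamp available is the scan that noticed it.
    os.remove(test1)
    results["deleted"] = scan([test1], db, "scan 5")

    shutil.rmtree(work)
    return results
```

Running demo() gives one "File added to the database." event on the first scan, no event after the identical cp -p restore, "File changed." for both the tampered file (even though its mtime was put back) and the later restore, and "File not found." on the scan after the deletion, each stamped with the scan that observed it rather than with the moment of the change.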