On Mon, Aug 1, 2016 at 10:32 AM, Daniel Bray <dbray...@gmail.com> wrote:
> Can someone verify that all the proper settings are in place to allow for
> realtime scans on some directories? We are running CentOS 6 servers (manager
> and agents/clients), and we use the Atomic install method.
>
> Here is the latest available Atomic version installed (also noted inotify is
> installed)
> $ rpm -qa | egrep "inotify|ossec"
> ossec-hids-2.8.3-53.el6.art.x86_64
> inotify-tools-3.14-1.el6.x86_64
> ossec-hids-client-2.8.3-53.el6.art.x86_64
>
> Here is the important part of /var/ossec/etc/shared/agent.conf
> <agent_config os="Linux">
>   <syscheck>
>     <scan_time>1am</scan_time>
>     <frequency>82800</frequency>
>     <auto_ignore>no</auto_ignore>
>     <alert_new_files>yes</alert_new_files>
>     <scan_on_start>no</scan_on_start>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
>     <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/root,/var/named,/var/www</directories>
> ...
>
> Here is the agent /var/ossec/etc/ossec.conf file
> <ossec_config>
>   <client>
>     <server-ip>10.10.10.10</server-ip>
>   </client>
> </ossec_config>
>
> The above exists on all our agents/clients.
>
> On the manager, it pretty much matches up exactly, with the exception that
> the server is installed, and not the client:
> $  rpm -qa | egrep "inotify|ossec"
> inotify-tools-3.14-1.el6.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-hids-2.8.3-53.el6.art.x86_64
>
> I have gone in and updated all servers (yum -y update) and rebooted to the
> latest kernel available on CentOS 6. I've waited a few days for the normal
> scans to complete, and I am seeing alerts for nightly changed files.
> However, when I run a test on a file that exists in /root or /etc, I never
> get alerted. The test is simply
> $ sudo vim /etc/hosts.allow
> ...and I add/remove some entries, and :wq out for the update.
>
> After a clean update and reboot, here are the relevant log entries:
> 2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
> 2016/08/01 14:25:13 ossec-rootcheck: DEBUG: Starting ...
> 2016/08/01 14:25:13 ossec-rootcheck: Starting queue ...
> 2016/08/01 14:25:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
> 2016/08/01 10:25:14 ossec-agentd(4102): INFO: Connected to the server (10.10.10.10:1514).
> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2016/08/01 14:25:19 ossec-logcollector: INFO: Started (pid: 2120).
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
> 2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'.
> 2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0
>
> Is there anything obvious that I'm missing in the configs?
>

Not that I can see.
I just checked, and realtime works with my setup. However, I'm not
running CentOS 6, I'm using 2.9rc2, and I don't have the scan_time
option set (trying that now).
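A sanity check for the situation described above, added here as an example and not taken from the thread or from OSSEC itself: it reads the directories that agent.conf marks realtime="yes" and compares them with the "Directory set for real time monitoring" lines syscheckd writes to ossec.log, so any directory that was requested but never registered with inotify stands out. The agent.conf and log excerpts embedded in it are constructed, modelled on the ones quoted in the thread, with the /var/www realtime line deliberately left out of the log so the mismatch report has something to show.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed agent.conf fragment, modelled on the one quoted in the thread
# (closing tags added so it parses as XML).
AGENT_CONF = """<agent_config os="Linux">
  <syscheck>
    <frequency>82800</frequency>
    <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
    <directories check_all="yes" report_changes="yes"
 realtime="yes">/etc,/root,/var/named,/var/www</directories>
  </syscheck>
</agent_config>
"""
# Constructed ossec.log excerpt; the realtime line for /var/www is left out on purpose.
OSSEC_LOG = """2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0
"""
REALTIME_LOG_RE = re.compile(
    r"ossec-syscheckd: INFO: Directory set for real time monitoring: '([^']+)'")

def configured_realtime_dirs(agent_conf_text):
    """Directories marked realtime="yes". agent.conf may hold several
    <agent_config> blocks (no single XML root), hence the synthetic wrapper."""
    root = ET.fromstring("<root>" + agent_conf_text + "</root>")
    dirs = set()
    for node in root.iter("directories"):
        if node.get("realtime", "no").lower() == "yes" and node.text:
            dirs.update(d.strip() for d in node.text.split(",") if d.strip())
    return dirs

def registered_realtime_dirs(log_text):
    """Directories syscheckd actually reported as set for realtime monitoring."""
    return set(REALTIME_LOG_RE.findall(log_text))

def missing_realtime_dirs(agent_conf_text, log_text):
    """Requested but never registered: edits there only surface at the scheduled scan."""
    return sorted(configured_realtime_dirs(agent_conf_text) - registered_realtime_dirs(log_text))

if __name__ == "__main__":
    # Usage: script.py /var/ossec/etc/shared/agent.conf /var/ossec/logs/ossec.log
    conf = open(sys.argv[1]).read() if len(sys.argv) > 2 else AGENT_CONF
    log = open(sys.argv[2]).read() if len(sys.argv) > 2 else OSSEC_LOG
    for d in missing_realtime_dirs(conf, log):
        print("realtime requested but not registered:", d)
```

Run against the real files on an agent: an empty result means every realtime directory was registered at startup, which narrows the problem to alert delivery or rule level rather than syscheck configuration.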
