On Fri, Mar 3, 2017 at 5:29 PM, Sam Gardner <lwnex...@gmail.com> wrote:
> Thanks for the info - I'd like to explore what I can actually do with OSSEC
> and do my due diligence before exploring other options.
>
> I've spun up the following conf file and am running ossec-analysisd and
> ossec-syscheckd only - they seem to be healthy, but I'm not getting anything
> in /var/ossec/logs/alerts when I fiddle with stuff in /usr/bin.
>
> Any idea what might be going on? As far as I can tell syscheckd is
> configured to realtime monitor /usr/bin (and inotify works on this system),
> so my understanding is that I should be getting _something_ logged somewhere
> - am I fundamentally misunderstanding something?
>
> <ossec_config>
>   <global>
>     <email_notification>no</email_notification>
>   </global>
>
>   <rules>
>     <include>rules_config.xml</include>
>     <include>ossec_rules.xml</include>
>   </rules>
>
>   <syscheck>
>     <frequency>72000</frequency>
>
>     <directories realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>
>     <!-- Check the file, but never compute the diff -->
>     <nodiff>/etc/ssl/private.key</nodiff>
>   </syscheck>
>
>   <rootcheck>
>     <disabled>yes</disabled>
>   </rootcheck>
>
>   <remote>
>     <disabled>yes</disabled>
>   </remote>
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>7</email_alert_level>
>   </alerts>
>
>   <!-- Active Response Config -->
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
> </ossec_config>
>
> Analysisd and syscheckd appear to start up just fine:
>
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Starting ...
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Found user/group ...
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response initialized ...
> 2017/03/03 22:06:26 adding rule: rules_config.xml
> 2017/03/03 22:06:26 adding rule: ossec_rules.xml
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Read configuration ...
> 2017/03/03 22:06:26 ossec-analysisd: Initializing PF decoder..
> 2017/03/03 22:06:26 ossec-analysisd: Initializing SonicWall decoder..
> 2017/03/03 22:06:26 ossec-analysisd: Initializing SymantecWS decoder..
> 2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder.
> 2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder.
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading local decoder file.
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule.
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied.
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule.
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied.
> 2017/03/03 22:06:26 0 : rule:1, level 0, timeout: 0
> 2017/03/03 22:06:26 1 : rule:600, level 0, timeout: 0
> 2017/03/03 22:06:26 2 : rule:601, level 3, timeout: 0
> 2017/03/03 22:06:26 2 : rule:602, level 3, timeout: 0
> 2017/03/03 22:06:26 2 : rule:603, level 3, timeout: 0
> 2017/03/03 22:06:26 2 : rule:604, level 3, timeout: 0
> 2017/03/03 22:06:26 2 : rule:605, level 3, timeout: 0
> 2017/03/03 22:06:26 2 : rule:606, level 3, timeout: 0
> 2017/03/03 22:06:26 0 : rule:2, level 0, timeout: 0
> 2017/03/03 22:06:26 0 : rule:3, level 0, timeout: 0
> 2017/03/03 22:06:26 0 : rule:4, level 0, timeout: 0
> 2017/03/03 22:06:26 0 : rule:5, level 0, timeout: 0
> 2017/03/03 22:06:26 0 : rule:6, level 0, timeout: 0
> 2017/03/03 22:06:26 0 : rule:7, level 0, timeout: 0
> 2017/03/03 22:06:26 1 : rule:500, level 0, timeout: 0
> 2017/03/03 22:06:26 2 : rule:530, level 0, timeout: 0
> 2017/03/03 22:06:26 3 : rule:531, level 7, timeout: 7200
> 2017/03/03 22:06:26 4 : rule:532, level 0, timeout: 0
> 2017/03/03 22:06:26 3 : rule:533, level 7, timeout: 0
> 2017/03/03 22:06:26 3 : rule:534, level 1, timeout: 0
> 2017/03/03 22:06:26 3 : rule:535, level 1, timeout: 0
> 2017/03/03 22:06:26 2 : rule:593, level 9, timeout: 0
> 2017/03/03 22:06:26 2 : rule:592, level 8, timeout: 0
> 2017/03/03 22:06:26 2 : rule:555, level 7, timeout: 0
> 2017/03/03 22:06:26 2 : rule:501, level 3, timeout: 0
> 2017/03/03 22:06:26 2 : rule:502, level 3, timeout: 0
> 2017/03/03 22:06:26 2 : rule:503, level 3, timeout: 0
> 2017/03/03 22:06:26 2 : rule:504, level 3, timeout: 0
> 2017/03/03 22:06:26 2 : rule:591, level 3, timeout: 0
> 2017/03/03 22:06:26 1 : rule:509, level 0, timeout: 0
> 2017/03/03 22:06:26 2 : rule:510, level 7, timeout: 0
> 2017/03/03 22:06:26 3 : rule:511, level 0, timeout: 0
> 2017/03/03 22:06:26 3 : rule:515, level 0, timeout: 0
> 2017/03/03 22:06:26 3 : rule:513, level 9, timeout: 0
> 2017/03/03 22:06:26 3 : rule:512, level 3, timeout: 0
> 2017/03/03 22:06:26 3 : rule:516, level 3, timeout: 0
> 2017/03/03 22:06:26 4 : rule:519, level 7, timeout: 0
> 2017/03/03 22:06:26 3 : rule:514, level 2, timeout: 0
> 2017/03/03 22:06:26 4 : rule:518, level 9, timeout: 0
> 2017/03/03 22:06:26 1 : rule:554, level 0, timeout: 0
> 2017/03/03 22:06:26 2 : rule:598, level 5, timeout: 0
> 2017/03/03 22:06:26 1 : rule:700, level 0, timeout: 0
> 2017/03/03 22:06:26 2 : rule:701, level 0, timeout: 0
> 2017/03/03 22:06:26 1 : rule:580, level 8, timeout: 0
> 2017/03/03 22:06:26 1 : rule:581, level 8, timeout: 0
> 2017/03/03 22:06:26 1 : rule:550, level 7, timeout: 0
> 2017/03/03 22:06:26 2 : rule:594, level 5, timeout: 0
> 2017/03/03 22:06:26 1 : rule:551, level 7, timeout: 0
> 2017/03/03 22:06:26 2 : rule:595, level 5, timeout: 0
> 2017/03/03 22:06:26 1 : rule:552, level 7, timeout: 0
> 2017/03/03 22:06:26 2 : rule:596, level 5, timeout: 0
> 2017/03/03 22:06:26 1 : rule:553, level 7, timeout: 0
> 2017/03/03 22:06:26 2 : rule:597, level 5, timeout: 0
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Total rules enabled: '53'
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Chrooted to directory: /var/ossec
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Using user: ossec
> 2017/03/03 22:06:26 ossec-analysisd: INFO: Started (pid: 1761).
> 2017/03/03 22:06:26 ossec-analysisd: SyscheckInit completed.
> 2017/03/03 22:06:26 ossec-analysisd: RootcheckInit completed.
> 2017/03/03 22:06:26 ossec-analysisd: OS_CreateEventList completed.
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: FTSInit completed.
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Accumulator Init completed.
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response Init completed.
> 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Startup completed. Waiting for new messages..
> 2017/03/03 22:06:55 ossec-syscheckd: DEBUG: Starting ...
> 2017/03/03 22:06:55 syscheckd: Reading Configuration [/var/ossec/etc/ossec.conf]
> 2017/03/03 22:06:55 rootcheck: DEBUG: Starting ...
> 2017/03/03 22:06:55 rootcheck: Rootcheck disabled. Exiting.
> 2017/03/03 22:06:55 ossec-syscheckd: WARN: Rootcheck module disabled.
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '8388608'.
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: Started (pid: 1792).
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
> 2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
> 2017/03/03 22:07:11 ossec-syscheckd: Setting SCHED_BATCH returned: 0
> 2017/03/03 22:08:01 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2017/03/03 22:08:01 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2017/03/03 22:08:01 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2017/03/03 22:08:01 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/bin'.
> 2017/03/03 22:09:28 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/sbin'.
> 2017/03/03 22:10:19 ossec-syscheckd: INFO: Real time file monitoring started.
> 2017/03/03 22:10:19 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2017/03/03 22:10:31 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>
> If I shuffle stuff around in /usr/bin, I don't see any logs anywhere. How
> can I verify that the FIM monitoring is actually working? I see there are
> various entries in the syscheck queue for the existing files, but nothing
> else.
>
After a second full scan runs, do you get alerts?
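Independently of the scan-timing question in the reply, there is a second reason the quoted setup can stay silent, and it is visible in the quoted startup log and ossec.conf: analysisd only writes an alert to alerts.log when the matching rule's level is at or above `<log_alert_level>`, and the startup listing shows the "file added" syscheck rule (554 in the stock ossec_rules.xml) loaded at level 0, below the configured threshold of 1. The following script is an added example, not code from the thread or from OSSEC itself; it parses a constructed excerpt of the quoted startup log and ossec.conf and reports which syscheck event types would actually reach alerts.log under that configuration. The rule-id meanings are those of the stock ossec_rules.xml; the config and log excerpts are reduced copies of the quoted ones.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt, reduced from the one quoted in the thread.
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>72000</frequency>
    <directories realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>
  </syscheck>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>"""

# Constructed excerpt of the ossec-analysisd startup log quoted above. The
# "N : rule:ID, level L" lines are analysisd listing every loaded rule.
STARTUP_LOG = """\
2017/03/03 22:06:26 1 : rule:554, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:598, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:550, level 7, timeout: 0
2017/03/03 22:06:26 1 : rule:551, level 7, timeout: 0
2017/03/03 22:06:26 1 : rule:552, level 7, timeout: 0
2017/03/03 22:06:26 1 : rule:553, level 7, timeout: 0
2017/03/03 22:06:26 ossec-analysisd: INFO: Total rules enabled: '53'
"""

# Meaning of the syscheck rule ids in the stock ossec_rules.xml.
SYSCHECK_RULES = {
    550: "integrity checksum changed",
    551: "integrity checksum changed again (2nd time)",
    552: "integrity checksum changed again (3rd time)",
    553: "file deleted",
    554: "file added to the system",
}

RULE_LINE = re.compile(r"^\S+ \S+ \d+ : rule:(\d+), level (\d+), timeout: \d+$")


def parse_rule_levels(log_text):
    """Map rule id -> level from analysisd's startup rule listing."""
    levels = {}
    for line in log_text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            levels[int(m.group(1))] = int(m.group(2))
    return levels


def parse_conf(conf_xml):
    """Return (log_alert_level, [directories monitored in realtime])."""
    root = ET.fromstring(conf_xml)
    threshold = int(root.findtext("alerts/log_alert_level", default="1"))
    realtime_dirs = []
    for d in root.iter("directories"):
        if d.get("realtime", "no") == "yes" and d.text:
            realtime_dirs.extend(p.strip() for p in d.text.split(",") if p.strip())
    return threshold, realtime_dirs


def syscheck_coverage(levels, log_alert_level):
    """For each syscheck rule, decide whether a matching event is written to
    alerts.log: analysisd logs only alerts with level >= log_alert_level."""
    coverage = {}
    for rule_id, meaning in SYSCHECK_RULES.items():
        level = levels.get(rule_id)
        coverage[rule_id] = {
            "meaning": meaning,
            "level": level,
            "logged": level is not None and level >= log_alert_level,
        }
    return coverage


def silent_syscheck_events(conf_xml, log_text):
    """Syscheck event types that this config never writes to alerts.log."""
    threshold, _ = parse_conf(conf_xml)
    cov = syscheck_coverage(parse_rule_levels(log_text), threshold)
    return sorted(v["meaning"] for v in cov.values() if not v["logged"])


if __name__ == "__main__":
    threshold, dirs = parse_conf(OSSEC_CONF)
    print(f"log_alert_level={threshold}, realtime dirs={dirs}")
    for rid, info in syscheck_coverage(parse_rule_levels(STARTUP_LOG), threshold).items():
        state = "logged" if info["logged"] else "SILENT (below log_alert_level)"
        print(f"rule {rid} (level {info['level']}): {info['meaning']} -> {state}")
```

Run against the quoted configuration, the script reports checksum changes and deletions (rules 550 to 553, level 7) as logged and "file added to the system" (rule 554, level 0) as silent. A first smoke test of FIM is therefore to modify an existing monitored file rather than to create a new one. If new-file events are wanted in alerts.log, two changes are needed: `<alert_new_files>yes</alert_new_files>` inside `<syscheck>`, and a local_rules.xml override that raises rule 554 above the threshold (`<rule id="554" level="7" overwrite="yes">`).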