On Tue, Mar 28, 2017 at 5:16 PM, Keith Goodlip <ke...@neoakira.com> wrote:
> I've been trying to set up policy audit in a lab I've set up, to no avail.
>
> My setup is 2 servers (server, client) using CentOS 7.3 and RPMs from the
> atomic repository (selinux, firewalld are disabled) (ipv6 is enabled).
>
> All server processes are up and running:
>
> [root@ossec-server ossec]# bin/ossec-control status
> ossec-monitord is running...
> ossec-logcollector is running...
> ossec-remoted is running...
> ossec-syscheckd is running...
> ossec-analysisd is running...
> ossec-maild is running...
> ossec-execd is running...
> ossec-dbd is running...
>
> The client is enrolled via manage_agents and I can see it registered and active:
>
> [root@ossec-server ossec]# bin/agent_control -i 001
> OSSEC HIDS agent_control. Agent information:
>    Agent ID:   001
>    Agent Name: ossec-client.infosec
>    IP address: 172.16.29.6/32
>    Status:     Active
>
>    Operating system:    Linux ossec-client.infosec 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64
>    Client version:      OSSEC HIDS v2.9.0 / 9fd969bbe7f4a3f52951a3e3acb1953b
>    Last keep alive:     Tue Mar 28 23:09:30 2017
>
>    Syscheck last started at:  Tue Mar 28 23:00:35 2017
>    Rootcheck last started at: Tue Mar 28 22:41:41 2017
>
> Here is my agent.conf:
>
> <agent_config os="Linux">
>   <syscheck>
>     <!-- Frequency (seconds) at which syscheck runs - defaults to every 22 hours (79200) -->
>     <frequency>3600</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>   </syscheck>
>
>   <!-- Files to monitor (localfiles) -->
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/yum.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/ossec/logs/active-responses.log</location>
>   </localfile>
>
>   <!-- Rootkit signatures and system audit (policy) checks; these files must
>        exist on the agent, under its own etc/shared/ -->
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
>   </rootcheck>
> </agent_config>
>
> The MD5 matches between /var/ossec/etc/shared/agent.conf and the client version
> I get from bin/agent_control -i 001.
>
> However, I'm not getting any results from the system_audit.
>
> What am I doing wrong?
Try running ossec-syscheckd in debug mode, and check ossec.log for messages about it.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
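One way to follow that advice on the agent, as an added example that is not part of the thread and not OSSEC's own tooling. It assumes an OSSEC 2.x layout under /var/ossec (override with OSSEC_DIR), that ossec-syscheckd, which also hosts rootcheck on the agent, accepts -f (foreground) and -d (debug, repeatable), and that the system_audit files named in agent.conf have to be present in the agent's own etc/shared/ directory, where the server pushes them. The two checking functions work on any config and log file, so the demo runs on constructed input in a temp dir; only run_syscheckd_debug touches a real install.

```sh
#!/bin/sh
# Added example, not from the thread or the OSSEC project. Assumptions: OSSEC
# installed under OSSEC_DIR; ossec-syscheckd takes -f (foreground) and -d
# (debug, each -d raises the level); rootcheck reads the <system_audit> files
# from the agent's local etc/shared/ directory.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Print every <system_audit> path declared in a config file, one per line.
list_system_audit_paths() {
    sed -n 's/.*<system_audit>\([^<]*\)<\/system_audit>.*/\1/p' "$1"
}

# Count declared system_audit files that are missing, empty or unreadable on
# this host. Prints the count on stdout, per-file detail on stderr. Run it on
# the agent: a file that never arrived in etc/shared/ gives rootcheck nothing
# to audit, and no alert is produced.
count_missing_system_audit_files() {
    conf="$1"
    missing=0
    for path in $(list_system_audit_paths "$conf"); do
        if [ -s "$path" ] && [ -r "$path" ]; then
            echo "ok:      $path" >&2
        else
            echo "MISSING: $path (absent, empty or unreadable)" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Count lines rootcheck wrote to an ossec.log. Zero lines after a restart
# means rootcheck never started inside syscheckd; with debug enabled, the
# audit files it processes are logged as it goes.
count_rootcheck_log_lines() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c 'rootcheck' "$1" || true
}

# Run the agent's syscheckd in the foreground with debug output so rootcheck's
# handling of agent.conf and each system_audit file is printed live. Needs
# root; stop the daemons first so the foreground copy owns the queue and pid.
# Ctrl-C when done, then "$OSSEC_DIR/bin/ossec-control start".
run_syscheckd_debug() {
    "$OSSEC_DIR/bin/ossec-control" stop
    "$OSSEC_DIR/bin/ossec-syscheckd" -f -d -d
}

# Demo on a constructed agent.conf: one audit file present, one deliberately
# missing, so the checker reports exactly one problem.
demo() {
    tmp=$(mktemp -d)
    printf '# placeholder stand-in for a real rcl file\n' > "$tmp/system_audit_rcl.txt"
    cat > "$tmp/agent.conf" <<EOF
<agent_config os="Linux">
  <rootcheck>
    <system_audit>$tmp/system_audit_rcl.txt</system_audit>
    <system_audit>$tmp/cis_rhel7_linux_rcl.txt</system_audit>
  </rootcheck>
</agent_config>
EOF
    count_missing_system_audit_files "$tmp/agent.conf"
    rm -rf "$tmp"
}
```

If every file is present and rootcheck does start, check the server side next: bin/rootcheck_control -i 001 lists what rootcheck has reported for agent 001, and rootcheck only alerts on findings it has not stored before, so an audit that already ran once will not re-alert on the same results.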