Victor,
The nightly scans are working just fine. That's not the problem The problem
is the real time scans are not working. Each night around 1am, I get
various reports of changed or added filesall good there. However,
during the day or really any time, if I edit/add/delete files in /etc or
/root, I am not instantly getting alerted. In other words, the realtime
scan is not monitoring those directories, even though it states:
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
monitoring: '/root'.
On Mon, Aug 1, 2016 at 6:25 PM, Victor Fernandez wrote:
> Hi Daniel.
>
> I had never used before, but I think it works for weekly
> scans since OSSEC prints this log (even when setting frequency=84800):
>
> 2016/08/01 14:27:33 ossec-syscheckd: INFO: Syscheck scan frequency: 604800
> seconds
>
> This amount of time is one week, so I think that works only
> for weekly scans, and then you should also introduce the the
> parameter, since it appears to have no default value. For example:
>
> 1am
> monday
>
> I tested that configuration and Syscheck appears to work properly.
>
> Hope it helps.
>
> Best regards.
>
>
> On Monday, August 1, 2016 at 7:32:13 AM UTC-7, Daniel Bray wrote:
>>
>> Can someone verify that all the proper settings are in place to allow for
>> realtime scans on some directories? We are running CentOS 6 servers
>> (manager and agents/clients), and we use the Atomic install method.
>>
>> Here is the latest available Atomic version installed (also noted inotify
>> is installed)
>> $ rpm -qa | egrep "inotify|ossec"
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> inotify-tools-3.14-1.el6.x86_64
>> ossec-hids-client-2.8.3-53.el6.art.x86_64
>>
>>
>> Here is the important part of /var/ossec/etc/shared/agent.conf
>>
>>
>> 1am
>> 82800
>> no
>> yes
>> no
>>
>>
>> /bin,/sbin,/usr,/opt
>> > report_changes="yes"
>> realtime="yes">/etc,/root,/var/named,/var/www
>> ...
>>
>> Here is the agent /var/ossec/etc/ossec.conf file
>>
>>
>> 10.10.10.10
>>
>>
>>
>> The above exists on all our agents/clients.
>>
>> On the manager, it pretty much matches up exactly, with the exception
>> that the server is installed, and not the client:
>> $ rpm -qa | egrep "inotify|ossec"
>> inotify-tools-3.14-1.el6.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-hids-2.8.3-53.el6.art.x86_64
>>
>>
>> I have gone in an updated all servers (yum -y update) and rebooted to the
>> latest kernel available on CentOS 6. I've waited a few days for the normal
>> scans to complete, and I am seeing alerts for nightly changed files.
>> However, when I run a test on a file that exists in /root or /etc, I never
>> get alerted. The test is simply
>> $ sudo vim /etc/hosts.allow
>> ...and I add/remove some entries, and :wq out for the update.
>>
>> After a clean update and reboot, here is the relevant log entries:
>> 2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
>> 2016/08/01 14:25:13 ossec-rootcheck: DEBUG: Starting ...
>> 2016/08/01 14:25:13 ossec-rootcheck: Starting queue ...
>> 2016/08/01 14:25:13 ossec-syscheckd: INFO: (unix_domain) Maximum send
>> buffer set to: '124928'.
>> 2016/08/01 10:25:14 ossec-agentd(4102): INFO: Connected to the server (
>> 10.10.10.10:1514).
>> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/messages'.
>> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/secure'.
>> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/maillog'.
>> 2016/08/01 14:25:19 ossec-logcollector: INFO: Started (pid: 2120).
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: (unix_domain) Maximum send
>> buffer set to: '124928'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
>> 2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory:
>> '/var/named'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory:
>> '/var/www'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
>> monitoring: '/etc'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
>> monitoring: '/root'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
>> monitoring: '/var/named'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
>> monitoring: '/var/www'.