Hi Matthias,

You raise a valid concern and I will try to explain how it works with OSSEC. The integrity checking process is executed periodically, so if between each scan a file is changed 1, 2 or 10 times, OSSEC will not know the difference (just that it changed). In addition to that, the "change time" in the file system is not a reliable source, since it can be easily changed (plus, some backup and change management tools update these values very often).
Because of that, within OSSEC we use the time that the integrity checking process ran as the change time. Note that this is open to discussion; if people find it useful to have the real change time being used, we can add that as a config option.

Now back to your test case. The <scan_time> is the time that the scan will start. By default, it runs slowly (we delay a few seconds after a number of files) and does one file at a time to avoid using lots of CPU. That's why these files were only scanned at 17:25 and not at 17:15, when the scan was started. Makes sense?

That's why when I use the "<time>" within a rule for syscheck, I use large time frames (like <time>17:00-17:45</time> instead of <time>17:00-17:10</time>).

Hope it clears...

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Jul 7, 2008 at 1:07 PM, Matthias Schmidt <[EMAIL PROTECTED]> wrote:
>
> Hi Daniel, Hi List
>
> I tried it and it doesn't work. Maybe I am just too silly...
> What is the right syntax for this? I used the syntax from the manual
> pages.
>
> What I did:
> 1) Created /tmp/checkme/one, two, three
>
> 2) Added this rule to the local_rules:
>
> <rule id="100122" level="0">
> <if_group>syscheck</if_group>
> <time>17:00-17:10</time>
> <weekday>monday</weekday>
> <description>Ignore syscheck during that time</description>
> </rule>
>
> 3) Changed syscheck time in ossec.conf to 17:15 (<scan_time>17:15</scan_time>),
> added /tmp/checkme for syschecking, restarted ossec.
>
> 4) I manually changed the files one and two at 17:01 (should be
> ignored)
>
> 5) ... changed file three at 17:11 (should be detected)
>
> What happened:
>
> Syscheck runs at 17:25 (Why not 17:15?):
>
> ** Alert 1215444332.2858: mail - ossec,syscheck,
> 2008 Jul 07 17:25:32 machine->syscheck
> Rule: 550 (level 7) -> 'Integrity checksum changed.'
> Src IP: (none)
> User: (none)
> Integrity checksum changed for: '/tmp/checkme/one'
> ...
>
> ** Alert 1215444332.3335: mail - ossec,syscheck,
> 2008 Jul 07 17:25:32 machine->syscheck
> Rule: 550 (level 7) -> 'Integrity checksum changed.'
> Src IP: (none)
> User: (none)
> Integrity checksum changed for: '/tmp/checkme/two'
> ...
>
> ** Alert 1215444332.3812: mail - ossec,syscheck,
> 2008 Jul 07 17:25:32 machine->syscheck
> Rule: 550 (level 7) -> 'Integrity checksum changed.'
> Src IP: (none)
> User: (none)
> Integrity checksum changed for: '/tmp/checkme/three'
> ...
>
>
> So it is not relevant at which time the file was changed. It is only
> relevant when syscheck detects the changed files. Is this correct? If
> yes, this is a bug from my point of view.
>
> Thanks & Regards,
> Matthias
>
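The following is an added illustration, not code from this thread or from OSSEC itself. It models the behaviour Daniel describes: a periodic integrity scan keeps a checksum baseline, several edits to one file between scans collapse into a single "changed" event, every alert is stamped with the scan time rather than the file's mtime, and a rule `<time>` window is therefore matched against the scan time. The file contents, the 17:25:32 scan time and the window strings are constructed to mirror Matthias' test; `parse_window` is a hypothetical helper that only handles windows within one day.

```python
import hashlib
from datetime import datetime, time

# Constructed in-memory stand-in for the monitored directory (path -> bytes),
# so the example runs offline. A real checker would read these from disk.
FILES = {
    "/tmp/checkme/one": b"one v0\n",
    "/tmp/checkme/two": b"two v0\n",
    "/tmp/checkme/three": b"three v0\n",
}


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """First scan: record the checksum of every monitored file."""
    return {path: checksum(data) for path, data in files.items()}


def run_scan(baseline, files, scan_time):
    """Periodic integrity scan. Each alert carries the time the scan ran,
    not the file's mtime. The baseline is updated in place, so however many
    times a file was edited since the last scan, only one alert is raised."""
    alerts = []
    for path, data in files.items():
        new = checksum(data)
        old = baseline.get(path)
        if old != new:
            alerts.append({"path": path, "old": old, "new": new, "time": scan_time})
            baseline[path] = new
    return alerts


def parse_window(window: str):
    """Hypothetical parser for an OSSEC-style rule <time> value such as
    '17:00-17:45'. Assumes start and end fall on the same day."""
    start, end = window.split("-")
    h1, m1 = map(int, start.split(":"))
    h2, m2 = map(int, end.split(":"))
    return time(h1, m1), time(h2, m2)


def in_window(ts: datetime, window: str) -> bool:
    start, end = parse_window(window)
    return start <= ts.time() <= end


def alerts_suppressed(alerts, window):
    """Paths whose alert a level-0 rule with this <time> window would swallow.
    The comparison uses the alert (scan) time, as the rule engine does."""
    return [a["path"] for a in alerts if in_window(a["time"], window)]


def replay():
    """Replay the test case: edits at 17:01 / 17:03 / 17:11, scan at 17:25:32."""
    files = dict(FILES)
    baseline = build_baseline(files)
    files["/tmp/checkme/one"] = b"one v1\n"      # edited at 17:01
    files["/tmp/checkme/one"] = b"one v2\n"      # edited again at 17:03: coalesces
    files["/tmp/checkme/two"] = b"two v1\n"      # edited at 17:01
    files["/tmp/checkme/three"] = b"three v1\n"  # edited at 17:11
    scan_time = datetime(2008, 7, 7, 17, 25, 32)  # constructed, matches the alerts
    alerts = run_scan(baseline, files, scan_time)
    narrow = alerts_suppressed(alerts, "17:00-17:10")  # Matthias' rule
    wide = alerts_suppressed(alerts, "17:00-17:45")    # Daniel's suggestion
    return alerts, narrow, wide


if __name__ == "__main__":
    alerts, narrow, wide = replay()
    for a in alerts:
        print(a["time"], "changed:", a["path"])
    print("suppressed by 17:00-17:10:", narrow)
    print("suppressed by 17:00-17:45:", wide)
```

Running `replay()` yields three alerts, all stamped 17:25:32, and the narrow window suppresses none of them, exactly as in the quoted output; only a window that covers the whole scan run (here 17:00-17:45) catches them. It also shows why a defender should not expect syscheck alerts to distinguish one edit from several between scans: shorten the scan interval or use a real-time mechanism if that granularity matters.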
