Hi Ken,

But wouldn't the alert time be determined by the time that syscheck
runs, so if you have syscheck set to run every 3600 seconds, then
syscheck could run at 9am and a file could be modified at 9:01am and the
time of the alert won't be until approximately 10am?  So the best I
could say, in this example, is that a change happened sometime between
9am and 10am?

I'd use the realtime option within syscheck, which would presumably give
me the exact time of the change, but it seems (at least on my systems)
to not be recursive on a directory being watched.

Thanks,

ross.

On Thu, 2009-08-13 at 13:44 -0500, Ken Wachtler wrote:
> Russ,
> An alert will be generated when syscheck scan detects a file has changed, 
> therefore you will be able to determine the date/time that the change was 
> detected (different from when it actually changed) from the alert.
> 
> What a File Integrity alert looks like in alerts.log ...
> 
> ** Alert 1250140285.97227: mail  - ossec,syscheck,
>  2009 Aug 13 00:11:25 (xxx) 10.10.10.10->syscheck
>  Rule: 550 (level 7) -> 'Integrity checksum changed.'
>  Src IP: (none)
>  User: (none)
>  Integrity checksum changed for: '/usr/sbin/named-xfer'
>  Size changed from '63084' to '63088'
>  Old md5sum was: 'e0987552a775d9d72a4c6aee694063e1'
>  New md5sum is : '0aff00239ba655078f41ddf51449b6df'
>  Old sha1sum was: 'e80e4fe13fc59ed7fe21609a60cadc1e2d0c42cf'
>  New sha1sum is : '308f8a3dea64734f7fb7f0b3720471cbdad96b1f'
> 
> Good Luck,
> Ken Wachtler
> ________________________________________
> From: ossec-list@googlegroups.com [ossec-l...@googlegroups.com] On Behalf Of 
> Ross Lawrie [r...@riverstyx.net]
> Sent: Wednesday, August 12, 2009 2:05 PM
> To: ossec-list@googlegroups.com
> Subject: [ossec-list] Re: syscheck proper practices?
> 
> Hi,
> 
> I'm just wondering if someone can offer me a little bit of advice on
> this.
> 
> Does ./bin/syscheck_control -i xxx -u just update the database to
> say that the changes listed are approved as being okay, or does it stop
> later checks of those files?  If this is the proper way to do this, is
> there a quick way to get a history of changes on a particular agent?
> 
> Also, I noticed that it's been mentioned in the list that realtime
> integrity checking doesn't seem to be recursive, which has been my
> experience so far, is there any news on this?
> 
> Lastly, is there a plan to include datetime stamps on file changes
> reported by syscheck - another thing I notice has been mentioned on the
> list but I haven't seen an answer to.
> 
> Thanks for any help you can lend.
> 
> Ross.
> 
> On Wed, 2009-08-05 at 17:23 -0700, Ross Lawrie wrote:
> > Hello,
> >
> > I couldn't find anything in the mailing list about this, nor did I see
> > anything within the wiki or documentation, but I do apologize if this is
> > a question which has been answered previously.
> >
> > I'm wondering what the proper procedure is from an admin point of view
> > upon a notification of a changed file on a monitored system.
> >
> > If the file change is known and okay, is the procedure to Update (clear)
> > the database for the agent?  It's nice having the output of
> > syscheck_control show a quick history of changes for a given agent, that
> > list would zero upon an update (clear).
> >
> > If I update the database for an agent, is there a quick (command-line)
> > method to view a history of changes for that agent, or would it require
> > parsing the logs through ossec-reportd?
> >
> > Lastly, and this may be a useless question, but is it possible to update
> > the database signature for a single file while not updating other
> > changed files on an agent?  I could see the argument being that
> > signatures shouldn't be updated unless all changes are known to be good.
> >
> > Thanks,
> >
> > Ross.
> >

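The point Ross makes above (the alert timestamp is when the periodic scan detected the change, not when the file changed, so with frequency 3600 the best you can say is "sometime in the preceding hour") can be made concrete. Below is an added example, not code from this thread or from OSSEC itself: a small Python parser for the alerts.log format Ken quoted, which pulls out the syscheck alerts and, given the configured scan frequency, reports the window in which the change must have happened. The sample log is constructed to mirror Ken's alert; the second, non-syscheck entry is made up only to show that it gets filtered out.

```python
"""Parse OSSEC syscheck alerts from alerts.log and bound when a change occurred.

Added example, not OSSEC code. SAMPLE_ALERTS_LOG is constructed: the first
alert mirrors the one quoted in the thread, the second is a made-up
non-syscheck alert used only to exercise the filtering.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_ALERTS_LOG = """\
** Alert 1250140285.97227: mail  - ossec,syscheck,
 2009 Aug 13 00:11:25 (xxx) 10.10.10.10->syscheck
 Rule: 550 (level 7) -> 'Integrity checksum changed.'
 Src IP: (none)
 User: (none)
 Integrity checksum changed for: '/usr/sbin/named-xfer'
 Size changed from '63084' to '63088'
 Old md5sum was: 'e0987552a775d9d72a4c6aee694063e1'
 New md5sum is : '0aff00239ba655078f41ddf51449b6df'
 Old sha1sum was: 'e80e4fe13fc59ed7fe21609a60cadc1e2d0c42cf'
 New sha1sum is : '308f8a3dea64734f7fb7f0b3720471cbdad96b1f'

** Alert 1250140300.97300: - syslog,sshd,authentication_failed,
 2009 Aug 13 00:11:40 (xxx) 10.10.10.10->/var/log/auth.log
 Rule: 5716 (level 5) -> 'SSHD authentication failed.'
 Src IP: 192.0.2.5
 User: root
 Aug 13 00:11:39 xxx sshd[2412]: Failed password for root from 192.0.2.5 port 4022 ssh2
"""

# "** Alert <epoch>.<seq>: [mail ] - group,group," : the epoch is the detection time.
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+): .*?- (\S+)$", re.M)
RULE_RE = re.compile(r"^ Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)
PATH_RE = re.compile(r"^ Integrity checksum changed for: '(.*)'$", re.M)
SIZE_RE = re.compile(r"^ Size changed from '(\d+)' to '(\d+)'$", re.M)
# "Old md5sum was: '...'" and "New md5sum is : '...'" (note the stray space before ':').
HASH_RE = re.compile(r"^ (Old|New) (md5|sha1)sum (?:was|is) ?: '([0-9a-f]+)'$", re.M)


def parse_alerts_log(text):
    """Split alerts.log on '** Alert' headers and return one dict per alert."""
    alerts = []
    for chunk in re.split(r"\n(?=\*\* Alert )", text):
        chunk = chunk.strip("\n")
        m = HEADER_RE.search(chunk)
        if not m:
            continue
        epoch, _seq, groups = m.groups()
        alert = {
            "detected_epoch": int(epoch),
            "groups": [g for g in groups.split(",") if g],
        }
        r = RULE_RE.search(chunk)
        if r:
            alert["rule_id"], alert["level"] = int(r.group(1)), int(r.group(2))
            alert["description"] = r.group(3)
        p = PATH_RE.search(chunk)
        if p:
            alert["path"] = p.group(1)
        s = SIZE_RE.search(chunk)
        if s:
            alert["size_old"], alert["size_new"] = int(s.group(1)), int(s.group(2))
        for which, algo, digest in HASH_RE.findall(chunk):
            alert[f"{algo}_{which.lower()}"] = digest  # e.g. md5_old, sha1_new
        alerts.append(alert)
    return alerts


def syscheck_alerts(alerts):
    """Keep only file integrity alerts (group 'syscheck')."""
    return [a for a in alerts if "syscheck" in a["groups"]]


def change_window(alert, frequency_seconds):
    """Return (earliest, latest) UTC datetimes bounding when the file changed.

    The alert timestamp is when the scan noticed the change, not when the
    file was modified. With a periodic scan every `frequency_seconds`, the
    modification could have happened any time after the previous scan read
    the file, so the window is roughly [detected - frequency, detected].
    This is approximate: a scan takes non-zero time, so the previous read
    of this file may have been slightly earlier than detected - frequency.
    """
    latest = datetime.fromtimestamp(alert["detected_epoch"], tz=timezone.utc)
    earliest = latest - timedelta(seconds=frequency_seconds)
    return earliest, latest


if __name__ == "__main__":
    for a in syscheck_alerts(parse_alerts_log(SAMPLE_ALERTS_LOG)):
        lo, hi = change_window(a, 3600)  # <frequency>3600</frequency> as in the thread
        print(f"{a['path']}: changed between {lo:%Y-%m-%d %H:%M:%S} and "
              f"{hi:%Y-%m-%d %H:%M:%S} UTC (md5 {a['md5_old']} -> {a['md5_new']})")
```

The epoch in the alert header (1250140285) is what gives the exact detection time; the human-readable line beneath it is in the server's local zone. Feeding change_window() the same frequency value as in ossec.conf turns Ross's "between 9am and 10am" reasoning into a reproducible bound for each alert.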