Hi Alisha,
Taking up your questions one by one...
a. Could someone please explain which process does what?
The syscheck process, upon starting, builds up a pre-scan database of the
md5-sum & sha1-sum of the default files/any other files specified in
the ossec.conf, and this is why it consumes 35-40% of the CPU utilisation.
After completely building this pre-scan database, it starts the normal
syscheck scan depending upon the way it has been configured in the
ossec.conf. During this process, it just regenerates the md5-sum &
sha1-sum of the default files/other files specified in the ossec.conf.
In case of any change in either of these, it produces an alert.
Md5-sum & sha1-sum data is used to indicate the integrity of the
files; however, during the pre-scan database build, it also takes note of the
file permissions w.r.t. each file and alerts the user upon finding any change
in the file permissions.
Rootcheck, on the other hand, is another feature in OSSEC that checks
for any rootkits installed on the system. A rootkit is a group of malicious
tools/utilities that can be used for malicious/offending purposes, viz.
masking intrusion, altering the log files, creating backdoors, etc.
Again, when the Rootcheck is run for the first time, it builds up a
database, which is then compared after the time specified in the
ossec.conf.
b. Why does ossec-syscheckd show significant activity during rootcheck and
scan_on_start, but do nothing during a scheduled syscheck?
I think the above points answer your questions.
c. Why does ossec-agentd show activity during a syscheck?
Regarding ossec-agentd, it is a daemon that runs at the client side, and is
responsible for sending the logs collected by the agent using the
ossec-logcollector daemon, to the OSSEC Server. Hence, at the time of
syscheck, in case the agent finds any change in the integrity/ permissions
of the file, the agentd sends the log corresponding to the same to the
server, and hence is active.
I hope this answers all your questions.
Regards
Tanishk
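As an added illustration of the syscheck behaviour described in the reply above (example code written for this page, not OSSEC's own implementation), the following Python sketch builds a baseline of md5, sha1 and permission bits, then rescans and reports what differs. The file names and contents are constructed; the temporary directory stands in for the paths listed in ossec.conf.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_record(path):
    """Hash one file with md5 and sha1 and note its permission bits."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "perm": stat.S_IMODE(os.stat(path).st_mode)}

def build_database(paths):
    """Pre-scan: the expensive first pass that hashes every monitored file."""
    return {p: file_record(p) for p in paths if os.path.isfile(p)}

def scan(paths, database):
    """Scheduled scan: rehash, compare with the baseline, return alerts."""
    alerts = []
    current = build_database(paths)
    for p, rec in current.items():
        old = database.get(p)
        if old is None:
            alerts.append((p, "new file"))
            continue
        changed = [k for k in ("md5", "sha1", "perm") if old[k] != rec[k]]
        if changed:
            alerts.append((p, "changed: " + ",".join(changed)))
    alerts += [(p, "deleted") for p in database if p not in current]
    return alerts

def demo():
    """Constructed scenario: edit one file, chmod another, delete a third."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("passwd", "hosts", "motd")]
    for p in paths:
        Path(p).write_text("original\n")
        os.chmod(p, 0o644)
    db = build_database(paths)              # baseline, as at agent start
    Path(paths[0]).write_text("tampered\n")  # content change: md5 and sha1 differ
    os.chmod(paths[1], 0o666)                # permission-only change
    os.remove(paths[2])                      # file removed since baseline
    return sorted((os.path.basename(p), a) for p, a in scan(paths, db))
```

The first pass is where the hashing cost lands; the later scan only recomputes and compares, which is the pattern the reply describes for scan_on_start versus the scheduled scan.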
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Alisha Kloc
Sent: Thursday, January 06, 2011 10:26 PM
To: ossec-list
Subject: [ossec-list] Processes for syscheck and rootcheck
Hi list,
We are trying to examine the impact of the OSSEC agent on our more
sensitive systems. However, we're quite confused about which OSSEC
process does what.
Our agents are configured with syscheck and rootcheck both enabled and
syscheck set to scan on start. We watched the agent restart by tailing
ossec.log and using top to monitor CPU usage and process activity.
We saw significant activity by ossec-syscheckd, jumping as high as 40%
CPU, in the minute or so after the agent started. This was expected
given the scan_on_start=yes.
Five minutes later, the log showed the message "Starting syscheck
scan", but ossec-syscheckd didn't even make top's list of processes
using the CPU, while ossec-agentd went up to around 1% CPU usage and
stayed there. Then ossec-agentd dropped back to 0% usage immediately
after the "Ending syscheck scan" message in the logs. This was odd
since we were expecting to see ossec-syscheckd in use during the
syscheck.
Next came the rootcheck, at which point ossec-syscheckd became active,
again shooting up to 35-40% CPU usage for the duration of rootcheck.
After the "Ending rootcheck scan" message, ossec-syscheckd gradually
dropped back down to 0% usage, leaving us thoroughly confused.
Could someone please explain which process does what? Why does
ossec-syscheckd show significant activity during rootcheck and
scan_on_start, but do nothing during a scheduled syscheck? Why does
ossec-agentd show activity during a syscheck?
Thanks in advance!
-Alisha