Modify the source?
On Thu, Mar 31, 2011 at 4:05 PM, Nate Woodward <[email protected]> wrote:
> I finally got around to investigating this a bit more today. Instead of
> just removing a few lines from a log, this time I clobbered the whole
> thing:
>
> root@muon:log# cp /var/log/secure{,.back}
> root@muon:log# : >/var/log/secure; date
> Thu Mar 31 14:38:23 CDT 2011
>
> The notification I got was this:
>
> OSSEC HIDS Notification.
> 2011 Mar 31 14:39:49
>
> Received From: (muon) 192.168.5.33->ossec-logcollector
> Rule: 592 fired (level 8) -> "Log file size reduced."
> Portion of the log(s):
>
> ossec: File size reduced (inode remained): '/var/log/secure'.
>
> I'm assuming the timestamp in that notification is when OSSEC detected
> that the log file size decreased (as opposed to when the email was sent
> out or whatever). If that's right, then there's a minute+ delay between
> when the file was tampered with and when that tampering was detected. If
> I had only removed a few lines instead of everything, it wouldn't have
> taken much log activity in that time to make OSSEC miss the tampering.
> Is there any way to decrease this delay?
>
>> -----Original Message-----
>> From: Nate Woodward
>> Sent: Monday, March 28, 2011 2:31 PM
>> To: ossec-list
>> Subject: RE: [ossec-list] Deletion of log data
>>
>> Yeah, I found that info on Google a few weeks back and
>> re-tested with nano. Still didn't get an alert on the rule.
>>
>> > -----Original Message-----
>> > From: dan (ddp) [mailto:[email protected]]
>> > Sent: Monday, March 28, 2011 2:22 PM
>> > To: [email protected]
>> > Subject: Re: [ossec-list] Deletion of log data
>> >
>> > vim typically saves the file to a new inode. In this instance OSSEC
>> > generally detects that the log file was rotated, and may re-check all
>> > of the log messages in the log file.
>> >
>> > On Fri, Mar 4, 2011 at 11:08 AM, Nate Woodward
>> > <[email protected]> wrote:
>> > > Hi,
>> > >
>> > > I'm trying to get OSSEC to detect data deletion in log files. The page
>> > > at http://www.ossec.net/doc/manual/monitoring/index.html indicates
>> > > that log monitoring is done in real time, and ossec_rules.xml has
>> > > these rules:
>> > >
>> > > <!-- File rotation/reducded rules -->
>> > > <rule id="591" level="3">
>> > >   <if_sid>500</if_sid>
>> > >   <match>^ossec: File rotated </match>
>> > >   <description>Log file rotated.</description>
>> > > </rule>
>> > >
>> > > <rule id="592" level="8">
>> > >   <if_sid>500</if_sid>
>> > >   <match>^ossec: File size reduced</match>
>> > >   <description>Log file size reduced.</description>
>> > >   <group>attacks,</group>
>> > > </rule>
>> > >
>> > > <rule id="593" level="9">
>> > >   <if_sid>500</if_sid>
>> > >   <match>^ossec: Event log cleared</match>
>> > >   <description>Microsoft Event log cleared.</description>
>> > >   <group>logs_cleared,</group>
>> > > </rule>
>> > >
>> > > When I open up a log file in vim, delete a few lines and save it, rule
>> > > 592 doesn't trigger. Am I doing something wrong? Does real-time log
>> > > monitoring include the rules above, or do those rules only trigger
>> > > when syscheck is run (at which time the log would have grown bigger
>> > > than what it was before, despite my deletions)?
>> > >
>> > > How can I ensure log file integrity?
>> > >
>> > > -Nate
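Added illustration, not OSSEC's own code: a small poller that applies the two checks behind rules 591 and 592 (inode changed; size below the bytes already consumed) and, going beyond the thread, also fingerprints the consumed bytes, so a truncate-and-refill that regrows past the old size inside one polling interval, the gap Nate describes, still raises an alert. The file path, log lines and alert strings are constructed for the demo.

```python
import hashlib
import os
import tempfile

class LogTamperMonitor:
    # Polls a log file like a log collector: remembers the inode, the bytes
    # already consumed and a fingerprint of them. Added illustration, not OSSEC code.
    def __init__(self, path):
        self.path = path
        self._resync()

    def _resync(self):
        st = os.stat(self.path)
        self.inode, self.offset = st.st_ino, st.st_size
        with open(self.path, "rb") as f:
            self.digest = hashlib.sha256(f.read(self.offset)).hexdigest()

    def check(self):
        """One polling interval; returns the alert text or None."""
        st = os.stat(self.path)
        with open(self.path, "rb") as f:
            consumed = hashlib.sha256(f.read(self.offset)).hexdigest()
        if st.st_ino != self.inode:
            alert = "File rotated (inode changed)"        # editor-style save, rule 591
        elif st.st_size < self.offset:
            alert = "File size reduced (inode remained)"  # ': >file' then quiet, rule 592
        elif consumed != self.digest:
            # Size never fell below the consumed offset, yet those bytes changed:
            # truncate-and-refill inside one interval. A size-only rule misses this.
            alert = "Consumed region modified (size-only check would miss this)"
        else:
            alert = None
        self._resync()
        return alert

def demo():
    # Constructed scenario mirroring the thread; returns the alert raised per poll.
    ok = "Mar 31 14:30:01 muon sshd[1]: Accepted publickey for alice\n"
    bad = "Mar 31 14:40:02 muon sshd[2]: Failed password for root\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secure")
        with open(path, "w") as f:
            f.write(ok * 3)
        mon, alerts = LogTamperMonitor(path), []
        # polls after: normal append; ': >secure' then quiet; append; truncate+refill
        for mode, data in [("a", ok), ("w", ""), ("a", ok * 2), ("w", bad * 5)]:
            with open(path, mode) as f:
                f.write(data)
            alerts.append(mon.check())
    return alerts
```

The fourth poll is the case a pure size comparison cannot see: the file is larger than it was at the previous poll, yet the bytes the collector had already read are gone.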
