Hi all,
Is anyone having trouble with getting alerts to fire on deletion of a file?
I want to alert if a file has been deleted between syscheck checkpoints.
I think this is the bit that's not quite working for me ...
--- syscheck.c
    /* File deleted */
    if(c_sum[0] == '-' && c_sum[1] == '1')
    {
        sdb.syscheck_dec->id = sdb.idd;
        snprintf(sdb.comment, OS_MAXSTR,
                 "File '%.756s' was deleted. Unable to retrieve "
                 "checksum.", f_name);
    }
    /* If file was re-added, do not compare changes */
    else if(saved_sum[0] == '-' && saved_sum[1] == '1')
    {
        sdb.syscheck_dec->id = sdb.idn;
        snprintf(sdb.comment, OS_MAXSTR,
                 "File '%.756s' was re-added.", f_name);
    }
I can get all the rules relating to files to fire off OK - 550,551,552,554
... All OK
BUT NOT DARN 553!
--- ossec_rules.xml
  <rule id="553" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_deleted</decoded_as>
    <description>File deleted. Unable to retrieve checksum.</description>
    <group>syscheck,</group>
  </rule>
  <rule id="554" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
(Running on CentOS 5.4)
Any ideas? I've trawled the past list postings but not found any quick
solution.
Regards
/nick
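The decoder branches quoted in the post, carried one step further as an added example (this is not OSSEC's own code): a stand-alone classifier that applies the same "-1" tests for deleted and re-added files and, for a modified file, names the fields that differ. It assumes OSSEC's `size:perm:uid:gid:md5:sha1` checksum layout; the sample checksums are constructed.

```c
#include <string.h>

/* Added example, not OSSEC code. Mirrors how the syscheck decoder decides
 * between deleted (rule 553), re-added (rule 554), unchanged and modified.
 * Checksums are assumed in OSSEC's "size:perm:uid:gid:md5:sha1" layout;
 * a bare "-1" marks a file that could not be read. */
enum sc_event { SC_UNCHANGED, SC_DELETED, SC_READDED, SC_MODIFIED };

static const char *field_names[] = {"size", "perm", "uid", "gid", "md5", "sha1"};

/* Copy colon-separated field number idx of src into dst ("" if absent). */
static void sc_field(const char *src, int idx, char *dst, size_t dstlen)
{
    const char *p = src;
    for (int i = 0; i < idx && p; i++) {
        p = strchr(p, ':');
        if (p) p++;
    }
    dst[0] = '\0';
    if (!p) return;
    const char *end = strchr(p, ':');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len >= dstlen) len = dstlen - 1;
    memcpy(dst, p, len);
    dst[len] = '\0';
}

/* Classify saved_sum vs. the newly reported c_sum. On SC_MODIFIED, 'changed'
 * receives a comma-separated list of the fields that differ. */
enum sc_event sc_classify(const char *saved_sum, const char *c_sum,
                          char *changed, size_t changedlen)
{
    changed[0] = '\0';
    /* Same test as the decoder: a reported checksum of "-1" means deleted. */
    if (c_sum[0] == '-' && c_sum[1] == '1')
        return SC_DELETED;
    /* A stored "-1" means the file was missing before and is now back. */
    if (saved_sum[0] == '-' && saved_sum[1] == '1')
        return SC_READDED;
    if (strcmp(saved_sum, c_sum) == 0)
        return SC_UNCHANGED;
    char a[128], b[128];
    for (int i = 0; i < 6; i++) {
        sc_field(saved_sum, i, a, sizeof a);
        sc_field(c_sum, i, b, sizeof b);
        if (strcmp(a, b) != 0) {
            if (changed[0]) strncat(changed, ",", changedlen - strlen(changed) - 1);
            strncat(changed, field_names[i], changedlen - strlen(changed) - 1);
        }
    }
    return SC_MODIFIED;
}
```

With a constructed stored checksum of `1024:33188:0:0:aaaa:bbbb`, a reported `-1` classifies as deleted and `2048:33188:0:0:cccc:bbbb` as modified with `size,md5` changed.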