(Apologies if this is a duplicate - I sent my original message to
[email protected] as instructed on the web site, but it did not seem to
go through.)
Hello,

I am taking over a relatively neglected OSSEC 2.3 (I know!) installation,
and I don't want to blow everything away. I'm trying to get a handle on
what we've got now, so I can make a plan for upgrading to 2.6.

However, all the clients have PRELINKING enabled, so the integrity reports
("/var/ossec/bin/syscheck_control -i $ID") are a mess.  I plan to disable
prelinking to prevent this issue in the future, but I need a good way to
clean up the data without just blowing everything away.  (I still need the
records of what files were ACTUALLY changed - I just don't want all the
prelink non-changes cluttering things up, and, more importantly, hiding
future changes.)

1) I played around with scripting a way to loop through all the agents and
zeroing out each and every one of the files (with "syscheck_control -i $ID
-f $FILE -z") - so at least I'd be notified of any future changes - but it's
not a great solution.  I can't seem to hit each of the files properly, even
when using quotes - "-f '/sbin/iw'" matches iwspy, iwlist, iwevent, iwpriv,
etc., and when I use "-z" it just zeroes out the first one it hits.

2) I'm not totally clear on what the "-z" flag is doing, anyhow. I think it
just resets the "auto_ignore" flag so that it will keep telling me about
changes (although I can't find any hard evidence that files are being
ignored, other than the fact that I can see that some recent changes have
not been recorded - "auto_ignore" doesn't seem to exist in my ossec.conf).

3) What I would REALLY like it to do is "forget" about all changes since
the first scan, and then (after I undo prelinking) have the next syscheck
compare against that baseline.  Is hacking up the files in
/var/ossec/queue/syscheck/ the only way to fix this?  Or am I just SOL?

4) On a related note, is there any way in OSSEC to "check in" or
"acknowledge" a change?  I don't want to ignore the file forever - just
have some way of tagging that "yes, we approved that change so it's OK".

Thanks for any assistance/ideas anyone can provide.

Christina