On Tue, Apr 10, 2012 at 5:37 PM, Christina Plummer <[email protected]> wrote:
> (Apologies if this is a duplicate - I sent my original message to
> [email protected] as instructed on the web site, but it did not seem to
> go through.)
> Hello,
>
> I am taking over a relatively neglected OSSEC 2.3 (I know!) installation,
> and I don't want to blow everything away. I'm trying to get a handle on what
> we've got now, so I can make a plan for upgrading to 2.6.
>
> However, all the clients have PRELINKING enabled, so the integrity reports
> ("/var/ossec/bin/syscheck_control -i $ID") are a mess.  I plan to disable
> prelinking to prevent this issue in the future, but I need a good way to
> clean up the data without just blowing everything away.  (I still need the
> records of what files were ACTUALLY changed - I just don't want all the
> prelink non-changes cluttering things up, and, more importantly, hiding
> future changes.)
>
> 1) I played around with scripting a way to loop through all the agents and
> zero out each and every one of the files (with "syscheck_control -i $ID
> -f $FILE -z") - so at least I'd be notified of any future changes - but it's
> not a great solution.  I can't seem to hit each of the files properly, even
> when using quotes - "-f '/sbin/iw'" matches iwspy, iwlist, iwevent, iwpriv,
> etc.; when I use "-z" it just zeroes out the first one it hits.
>
> 2) I'm not totally clear on what the "-z" flag is doing, anyhow. I think it
> just resets the "auto_ignore" flag so that it will keep telling me about
> changes (although I can't find any hard evidence that files are being
> ignored, other than the fact that I can see that some recent changes have
> not been recorded - "auto_ignore" doesn't seem to exist in my ossec.conf).
>

Auto ignore is enabled by default. If it's not set to no, it's active.

> 3) What I would REALLY like it to do is "forget" about all changes since the
> first scan, and then (after I undo prelinking) have the next syscheck
> compare against that baseline.  Is hacking up the files in
> /var/ossec/queue/syscheck/ the only way to fix this?  Or am I just SOL?
>

If you have a copy of the original you might be able to do this. Stop
the processes on the manager, move the original into place, and start
the processes back up. Not sure if it would work...

> 4) On a related note, is there any way in OSSEC to "check in" or
> "acknowledge" a change?  I don't want to ignore the file forever - just have
> some way of tagging that "yes, we approved that change so it's OK".
>

Nope. That's not OSSEC's job. That seems like something the ticketing
system or whatever should handle. OSSEC doesn't care if that change is
legit or not, it just tells you a change was made.


> Thanks for any assistance/ideas anyone can provide.
>
> Christina
>
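One way to make the zeroing loop from point 1 safer, as an added example that is not part of the original thread or of OSSEC itself: before calling `syscheck_control -f PATH -z`, check whether PATH would also match other entries in the agent's change list by substring, and skip those rather than letting the tool zero out whichever entry it hits first. The list of changed paths (one per line, e.g. extracted from the `syscheck_control -i $ID` report) and the agent id are assumptions; the substring behaviour of `-f` is the one described in the message above.

```shell
#!/bin/sh
# Added example, not OSSEC code. Guards "syscheck_control -f PATH -z" against the
# substring matching described in the thread: a pattern is only zeroed when it
# matches exactly one entry in the change list and that entry is the full path.

# Print every listed path (stdin, one per line) that contains PATTERN as a substring.
substring_matches() {
    pattern=$1
    grep -F -- "$pattern"
}

# Succeed only when PATTERN matches exactly one listed entry and that entry is PATTERN
# itself, i.e. "-f PATTERN" cannot hit a different file first.
is_unambiguous() {
    pattern=$1
    matches=$(substring_matches "$pattern" || true)
    [ "$matches" = "$pattern" ]
}

# Zero each file in an agent's change list, skipping paths that are a prefix or
# substring of other listed paths (e.g. /sbin/iw next to /sbin/iwspy) so the
# operator can handle those by hand. AGENT and LISTFILE are assumptions.
zero_exact() {
    agent=$1
    listfile=$2
    while IFS= read -r path; do
        if is_unambiguous "$path" < "$listfile"; then
            /var/ossec/bin/syscheck_control -i "$agent" -f "$path" -z
        else
            printf 'skipping %s: substring match would hit more than one entry\n' "$path" >&2
        fi
    done < "$listfile"
}
```

Run it as `zero_exact 001 /tmp/agent001-changes.txt` after saving the agent's changed paths to that file; anything reported as skipped still needs to be zeroed with a more specific approach, which is exactly the set of files the substring behaviour would otherwise mishandle.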
