Title: From the Desktop of


From the Desktop of:
Sam Lowry
TicketReturn TM
[email protected]
539 Manning Dr.
Charlotte, NC 28209
Office: 704/208-4210
Support: 800/816-2761
Mobile: 704/575-5689


On 4/11/2012 9:05 AM, dan (ddp) wrote:
On Tue, Apr 10, 2012 at 5:37 PM, Christina Plummer <[email protected]> wrote:
(Apologies if this is a duplicate - I sent my original message to
[email protected] as instructed on the web site, but it did not seem to
go through.)
Hello,

I am taking over a relatively neglected OSSEC 2.3 (I know!) installation,
and I don't want to blow everything away. I'm trying to get a handle on what
we've got now, so I can make a plan for upgrading to 2.6.

However, all the clients have PRELINKING enabled, so the integrity reports
("/var/ossec/bin/syscheck_control -i $ID") are a mess.  I plan to disable
prelinking to prevent this issue in the future, but I need a good way to
clean up the data without just blowing everything away.  (I still need the
records of what files were ACTUALLY changed - I just don't want all the
prelink non-changes cluttering things up, and, more importantly, hiding
future changes.)

1) I played around with scripting a way to loop through all the agents and
zeroing out each and every one of the files (with "syscheck_control -i $ID
-f $FILE -z") - so at least I'd be notified of any future changes - but it's
not a great solution.  I can't seem to hit each of the files properly, even
when using quotes - "-f '/sbin/iw'" matches iwspy, iwlist, iwevent, iwpriv,
etc.; when I use "-z" it just zeroes out the first one it hits.

2) I'm not totally clear on what the "-z" flag is doing, anyhow. I think it
just resets the "auto_ignore" flag so that it will keep telling me about
changes (although I can't find any hard evidence that files are being
ignored, other than the fact that I can see that some recent changes have
not been recorded - "auto_ignore" doesn't seem to exist in my ossec.conf).

Auto ignore is enabled by default. If it's not set to no, it's active.

3) What I would REALLY like it to do is "forget" about all changes since the
first scan, and then (after I undo prelinking) have the next syscheck
compare against that baseline.  Is hacking up the files in
/var/ossec/queue/syscheck/ the only way to fix this?  Or am I just SOL?

If you have a copy of the original you might be able to do this. Stop
the processes on the manager, move the original into place, and start
the processes back up. Not sure if it would work...

4) On a related note, is there any way in OSSEC to "check in" or
"acknowledge" a change?  I don't want to ignore the file forever - just have
some way of tagging that "yes, we approved that change so it's OK".

Nope. That's not OSSEC's job. That seems like something the ticketing
system or whatever should handle. OSSEC doesn't care if that change is
legit or not, it just tells you a change was made.


Thanks for any assistance/ideas anyone can provide.

Christina
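An added example, not part of this thread and not code from the OSSEC project: a small Python helper for the problem raised in points 1) and 2) above. It reads a manager-side syscheck database (the files under /var/ossec/queue/syscheck/ that the thread mentions), reports which entries have hit the three-change auto_ignore threshold, and resets the change counter for one path by exact match rather than by prefix, so "/sbin/iw" no longer catches iwspy, iwlist and the rest. The line layout it parses (a three-character change counter, the attribute fields, then " !mtime path") is an assumption about the OSSEC 2.x database format and should be checked against a real file before use; the sample database lines are constructed.

```python
import sys
import re

# Assumed OSSEC 2.x manager database line layout (an assumption, not taken
# from the thread):
#   CCC<size>:<perm>:<uid>:<gid>:<md5>:<sha1> !<mtime> <path>
# CCC is a three-character change counter: '+++' means no change has been
# registered since the baseline; each registered change turns one '+' into
# '!'. Once all three are used up the manager stops reporting the file
# when auto_ignore is active, which is the "hidden changes" symptom above.
LINE_RE = re.compile(r"^([+!?]{3})(\S+) !(\d+) (.+)$")

# Constructed sample database (not real data).
SAMPLE_DB = """\
+++1024:33188:0:0:aaaa:bbbb !1334000000 /etc/passwd
!!!52400:33261:0:0:cccc:dddd !1334000100 /sbin/iwspy
!++51200:33261:0:0:eeee:ffff !1334000200 /sbin/iwlist
!!+1200:33188:0:0:1111:2222 !1334000300 /etc/shadow
"""


def parse_db(text):
    """Return (counter, attrs, mtime, path) tuples; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        counter, attrs, mtime, path = m.groups()
        entries.append((counter, attrs, int(mtime), path))
    return entries


def change_count(counter):
    """Number of registered changes: every counter character that is not '+'."""
    return 3 - counter.count("+")


def files_at_ignore_threshold(text, threshold=3):
    """Paths whose counter has reached the auto_ignore threshold."""
    return [path for counter, _, _, path in parse_db(text)
            if change_count(counter) >= threshold]


def zero_counter_exact(text, target):
    """Reset the counter for exactly one path (full-string match, not a prefix).

    Returns (new_text, number_of_lines_reset). Unrelated lines are copied
    through unchanged so the rest of the database is preserved.
    """
    out = []
    reset = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == target:
            line = "+++" + line[3:]
            reset += 1
        out.append(line)
    return "\n".join(out) + "\n", reset


if __name__ == "__main__":
    # Usage: python syscheck_counters.py /var/ossec/queue/syscheck/<db-file> [path-to-reset]
    # With one argument it only reports; with two it prints the rewritten
    # database to stdout so it can be reviewed before replacing the original
    # (stop the manager processes first, as dan notes in point 3).
    db_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DB
    for p in files_at_ignore_threshold(db_text):
        print("at auto_ignore threshold:", p, file=sys.stderr)
    if len(sys.argv) > 2:
        new_text, n = zero_counter_exact(db_text, sys.argv[2])
        print("reset %d entr%s" % (n, "y" if n == 1 else "ies"), file=sys.stderr)
        sys.stdout.write(new_text)
```

Run with no arguments it works on the constructed sample and reports /sbin/iwspy as the only entry that has used up its three changes; asking it to reset "/sbin/iw" touches nothing, while "/sbin/iwspy" resets exactly one line.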
