Hi,
I changed my syscheck configuration in /var/ossec/etc/ossec.conf to monitor
only one directory and set specific check_* attributes (I intentionally
left out the sha1 sum check):
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 6 hours -->
  <frequency>21600</frequency>

  <!-- Directories to check (perform all possible verifications) -->
  <!-- Previous config: commented out
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <directories check_all="yes">/var/log/remote</directories>
  -->
  <directories check_md5sum="yes" check_size="yes" check_owner="yes"
               check_group="yes" check_perm="yes">/var/log/remote</directories>
I restarted OSSEC and after syscheck had run, I noticed the expected change
in the large-file.log being monitored.
< syscheck info before the config change >
2012 Apr 18 12:11:17,0 - /var/log/remote/large-file.log
File changed. - 1st time modified.
Integrity checking values:
   Size: >11885815288
   Perm: rw-r-----
   Uid: 0
   Gid: 0
   Md5: >a9ea704e336b5bf8fb39b172378f0ee9
   Sha1: >e055a69b526c8f7f63a8fd4d7a0b78ae302b7d4a
< syscheck info AFTER the config change >
2012 Apr 18 12:27:26,2 - /var/log/remote/large-file.log
File changed. - 2nd time modified.
Integrity checking values:
   Size: 11885815288
   Perm: rw-r-----
   Uid: 0
   Gid: 0
   Md5: a9ea704e336b5bf8fb39b172378f0ee9
   Sha1: >xxx
Since sha1 sums were turned off, the value in the Sha1 field is 'xxx' and
ossec reports that as a change.
--- Up to here everything is fine. ---
When I looked at the logs this morning, syscheckd had run another scan at
6:51 pm yesterday evening (which is the 6-hour interval as per the config),
but for some strange reason it had not used the existing configuration for
the directory. It had run syscheck with the previous config (where
check_all="yes" was set).
< syscheck info AFTER the config change >
2012 Apr 18 18:51:39,3 - /var/log/remote/large-file.log
File changed. - 3rd time modified.
Integrity checking values:
   Size: 11885815288
   Perm: rw-r-----
   Uid: 0
   Gid: 0
   Md5: a9ea704e336b5bf8fb39b172378f0ee9
   Sha1: >e055a69b526c8f7f63a8fd4d7a0b78ae302b7d4a
The large-file.log file has not changed and neither has the ossec.conf
file. However, in the last (scheduled) run OSSEC generated the Sha1 sum
even though it is configured not to do so.
Does anyone have an idea of what the problem could be?
Regards,
Chris
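Added example, not part of Chris's post and not OSSEC's own code: a small Python script that parses the three syscheck records quoted above (copied into the script as constructed sample input, with an assumed three-space indentation on the value lines) and labels each field that differs between consecutive scans of the same file. It separates a checksum that flips to the 'xxx' placeholder (the check switched off in ossec.conf) from a real content or metadata change, and when a checksum comes back after having been disabled it compares the new value against the last real value recorded before the check was turned off, so the scheduled scan in the post is recognised as "check re-enabled, content unchanged" rather than as a file change. The field names, the 'xxx' placeholder and the '>' marker on changed values are taken from the post; the regular expressions, the record layout and the event labels are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the three syscheck-style records quoted in the
# post, concatenated. The indentation of the value lines is an assumption;
# the field names and the '>' marker on a changed value are as shown there.
SAMPLE = """\
2012 Apr 18 12:11:17,0 - /var/log/remote/large-file.log
File changed. - 1st time modified.
Integrity checking values:
   Size: >11885815288
   Perm: rw-r-----
   Uid: 0
   Gid: 0
   Md5: >a9ea704e336b5bf8fb39b172378f0ee9
   Sha1: >e055a69b526c8f7f63a8fd4d7a0b78ae302b7d4a
2012 Apr 18 12:27:26,2 - /var/log/remote/large-file.log
File changed. - 2nd time modified.
Integrity checking values:
   Size: 11885815288
   Perm: rw-r-----
   Uid: 0
   Gid: 0
   Md5: a9ea704e336b5bf8fb39b172378f0ee9
   Sha1: >xxx
2012 Apr 18 18:51:39,3 - /var/log/remote/large-file.log
File changed. - 3rd time modified.
Integrity checking values:
   Size: 11885815288
   Perm: rw-r-----
   Uid: 0
   Gid: 0
   Md5: a9ea704e336b5bf8fb39b172378f0ee9
   Sha1: >e055a69b526c8f7f63a8fd4d7a0b78ae302b7d4a
"""

# Placeholder OSSEC reports for a checksum whose check_* attribute is off
# (the post shows 'xxx' in the Sha1 field once check_sha1sum is left out).
DISABLED = "xxx"

HEADER_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}),(\d+) - (\S+)$")
FIELD_RE = re.compile(r"^\s*(Size|Perm|Uid|Gid|Md5|Sha1):\s*(>?)(\S+)$")


@dataclass
class Record:
    """One 'File changed' entry: timestamp, change counter, path and values."""
    timestamp: str
    seq: int
    path: str
    values: dict = field(default_factory=dict)  # field name -> reported value
    flagged: set = field(default_factory=set)   # fields OSSEC marked with '>'


def parse_records(text):
    """Split syscheck-style output into Record objects (assumed layout)."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append(Record(m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = FIELD_RE.match(line)
        if m and records:
            name, marker, value = m.groups()
            records[-1].values[name] = value
            if marker == ">":
                records[-1].flagged.add(name)
    return records


def classify(records, disabled=DISABLED):
    """Compare consecutive scans of each path; return (timestamp, path, field,
    kind, old, new) tuples. A flip to the placeholder is a check switched off in
    ossec.conf, not a file change; a flip back from it is a check switched on
    again, and if the value equals the last real one recorded before the check
    was disabled, the content did not change (the situation in the post)."""
    events = []
    history = {}  # path -> earlier Records, oldest first
    for rec in sorted(records, key=lambda r: r.seq):
        seen = history.setdefault(rec.path, [])
        if seen:
            prev = seen[-1]
            for name, new in rec.values.items():
                old = prev.values.get(name)
                if old is None or old == new:
                    continue
                if new == disabled:
                    kind = "check_disabled"
                elif old == disabled:
                    last_real = next((r.values[name] for r in reversed(seen)
                                      if r.values.get(name, disabled) != disabled), None)
                    kind = ("check_reenabled_same_content" if last_real == new
                            else "check_reenabled_content_changed")
                else:
                    kind = "content_or_metadata_changed"
                events.append((rec.timestamp, rec.path, name, kind, old, new))
        seen.append(rec)
    return events
```

Run over the sample, `classify(parse_records(SAMPLE))` yields two events for Sha1: `check_disabled` at 12:27:26 and `check_reenabled_same_content` at 18:51:39, and nothing for Size, Perm, Uid, Gid or Md5, which is exactly the pattern Chris describes. The post does not say which tool printed the quoted records, so the parser accepts only the layout visible in the post; adjust `HEADER_RE` and `FIELD_RE` if your listing differs.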