Hi, I have 2 questions about OSSEC and I want to know your answer.

Today, "syscheck_control -i 125 -f /usr/local/bin/test1" shows the following results (see the Background Information section below). My understanding of the syscheck_control output is that (a) this file is initially added to the DB (first scan) at Jun 15 08:05:46, and (b) this file is no longer found on Jun 29 08:48:52.

When OSSEC tells me this file is not found at Jun 29 08:48:52, what is the exact meaning of this timestamp? Is it the time of the next scan? Or is it the time the file was deleted?

Besides, if I use the command "cp -p test1.bak test1", which copies the file back to its original location without changing the modified time, will OSSEC be able to detect it on the next scan?

Thanks & Regards,
Marcos

=============== Background Information ===============

(1) Inside the agent.conf file, I set the frequency of the integrity check to 24 hours:

    <agent_config os="unix">
      <!-- Syscheck - Integrity Checking config. -->
      <syscheck>
        <!-- Default frequency, every 24 hours. It doesn't need to be higher
             on most systems and once a day should be enough. -->
        <frequency>86400</frequency>

(2) From the syscheck_control output, I get the following:

    Integrity changes for agent 'agent123 (125) - 172.30.79.7':
    Detailed information for entries matching: '/usr/local/bin/test1'

    2012 Jun 15 08:05:46,0 - /usr/local/bin/test1
    File added to the database.
    Integrity checking values:
      Size: 19
      Perm: rwxrwxrwx
      Uid: 269378
      Gid: 30100
      Md5: ad7dac2dc34dd91cf691847522c34ac2
      Sha1: b17ddaeb2775ff652df6279eebc8ef6c6f4be906

    2012 Jun 29 08:48:52,0 - /usr/local/bin/test1
    File changed. - 1st time modified.
    Integrity checking values:
      Size: 19
      Perm: rwxrwxrwx
      Uid: 269378
      Gid: 30100
      Md5: >xxx
      Sha1: >xxx

Regards,
Marcos
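The second question in the post above (does restoring a file with "cp -p" hide the change from an integrity checker?) can be checked directly on the filesystem. The following shell script is an added example, not code from the post or from the OSSEC project; it says nothing about what OSSEC's syscheck does with the result. It assumes GNU coreutils (stat --printf, md5sum, sha1sum, mktemp) and builds its own sample file in a temporary directory. It records the size, permission, uid, gid, MD5 and SHA1 fields that appear in the syscheck_control output, plus mtime, ctime and inode, which the output does not show, so that what a "cp -p" restore preserves and what it cannot preserve is visible side by side. The file names test1 and test1.bak are taken from the post; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the OSSEC list post or from OSSEC itself.
# Assumes GNU coreutils (stat --printf, md5sum, sha1sum, mktemp).

# Record the attributes an integrity checker could compare, one "name=value"
# per line. size/perm/uid/gid/md5/sha1 mirror the fields syscheck_control
# prints (perm is in "stat %A" form, e.g. -rwxrwxrwx); mtime, ctime and
# inode are extra so the effect of "cp -p" on each of them can be seen.
fs_fingerprint() {
    stat --printf 'size=%s\nperm=%A\nuid=%u\ngid=%g\nmtime=%Y\nctime=%Z\ninode=%i\n' "$1"
    printf 'md5=%s\n' "$(md5sum "$1" | cut -d' ' -f1)"
    printf 'sha1=%s\n' "$(sha1sum "$1" | cut -d' ' -f1)"
}

# Given two files holding fs_fingerprint output, print the names of the
# attributes whose values differ, space separated (empty if nothing changed).
fs_changed_fields() {
    awk -F= 'NR == FNR { before[$1] = $2; next }
             $2 != before[$1] { printf "%s%s", sep, $1; sep = " " }' "$1" "$2"
}

# Scenario 1 (the question): the file is deleted and later restored from a
# byte-identical backup with "cp -p", which keeps mode, owner and mtime.
demo_restore_with_cp_p() {
    d=$(mktemp -d)
    printf 'hello integrity' > "$d/test1"      # constructed sample content
    cp -p "$d/test1" "$d/test1.bak"
    fs_fingerprint "$d/test1" > "$d/before"
    rm "$d/test1"
    sleep 1                                    # let ctime move by a full second
    cp -p "$d/test1.bak" "$d/test1"
    fs_fingerprint "$d/test1" > "$d/after"
    fs_changed_fields "$d/before" "$d/after"
    rm -rf "$d"
}

# Scenario 2: the restored copy has different content but a forged mtime
# ("touch -r" copies the original's timestamps onto the tampered file).
demo_tampered_restore_with_forged_mtime() {
    d=$(mktemp -d)
    printf 'hello integrity' > "$d/test1"
    fs_fingerprint "$d/test1" > "$d/before"
    printf 'hello integrity!' > "$d/test1.bak"  # one byte longer than the original
    touch -r "$d/test1" "$d/test1.bak"          # same mtime as the original
    sleep 1
    cp -p "$d/test1.bak" "$d/test1"             # overwrite in place, keep mtime
    fs_fingerprint "$d/test1" > "$d/after"
    fs_changed_fields "$d/before" "$d/after"
    rm -rf "$d"
}

# Stand-alone run: show which attributes each scenario exposes to a checker.
echo "restore with cp -p, fields changed: $(demo_restore_with_cp_p)"
echo "tampered restore with forged mtime, fields changed: $(demo_tampered_restore_with_forged_mtime)"
```

Run with "sh restore-check.sh" (any file name). In the first scenario only ctime moves (and possibly the inode number, depending on whether the filesystem hands the freed inode back to the new file): size, permissions, owner, MD5, SHA1 and even mtime all match the original, because a byte-identical restore gives a checker that compares only those fields nothing to report. In the second scenario the forged mtime is unchanged as intended by the attacker, but size, MD5 and SHA1 move, which is why checkers that hash content are not defeated by timestamp preservation alone.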
