On Sat, Jun 30, 2012 at 2:02 PM, Marcos Tang <[email protected]> wrote:
> Hi,
>
> I have 2 questions about OSSEC and I want to know your answer.
>
> Today, the syscheck_control -i 125 -f /usr/local/bin/test1 shows the
> following results (see background information section below).
>

Scrolling to reference the information below then scrolling back to read the questions was quite annoying.

> My understanding of the syscheck_control output is:
> (a) this file is initially added to the DB (first scan) at Jun 15 08:05:46.
> (b) However, this file is not found anymore on Jun 29 08:48:52.
>
> When OSSEC tells this file is not found at Jun 29 08:48:52, what is the
> exact meaning of this time stamp? Is it the next scan time? Or is
> it the time the file is deleted?
>

Check your logs. When does ossec.log say the scan was? Turn on the log all option, check for log messages about a changed file and compare the timestamps. I'm guessing it will be scan times, because I don't know of a way to find the deleted time (when realtime isn't in use).

> Besides, if I use the command "cp -p test1.bak test1", which copies the
> file back to the original location without changing the modified time, will OSSEC
> be able to detect it on the next scan?
>

Did the file change? If so, then yes it should catch it.

> Thanks & Regards,
> Marcos
>
>
> ===============
> Background Information
> ===============
> (1) Inside the agent.conf file, I set the frequency of the integrity check
> to 24 hours
>
> <agent_config os="unix">
>
> <!-- Syscheck - Integrity Checking config. -->
> <syscheck>
>
> <!-- Default frequency, every 24 hours. It doesn't need to be higher
> - on most systems and one a day should be enough.
> -->
> <frequency>86400</frequency>
>
> (2) From the syscheck_control output, I get the following:
>
> Integrity changes for agent 'agent123 (125) - 172.30.79.7':
> Detailed information for entries matching: '/usr/local/bin/test1'
>
> 2012 Jun 15 08:05:46,0 - /usr/local/bin/test1
> File added to the database.
> Integrity checking values:
> Size: 19
> Perm: rwxrwxrwx
> Uid: 269378
> Gid: 30100
> Md5: ad7dac2dc34dd91cf691847522c34ac2
> Sha1: b17ddaeb2775ff652df6279eebc8ef6c6f4be906
>
> 2012 Jun 29 08:48:52,0 - /usr/local/bin/test1
> File changed. - 1st time modified.
> Integrity checking values:
> Size: 19
> Perm: rwxrwxrwx
> Uid: 269378
> Gid: 30100
> Md5: xxx
> Sha1: xxx
>
>
> Regards,
> Marcos
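As an added illustration of the `cp -p` question, not code from OSSEC or from this thread: the script below emulates a scan over the attributes that appear in the syscheck_control output quoted above (size, perm, uid, gid, md5, sha1) and shows that a restore which preserves mtime is still flagged when the bytes differ, and not flagged when the restored file is byte-identical. The sample file, its contents and the field set are assumptions; OSSEC's real comparison code is not reproduced here.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Fields shown in the syscheck_control output above; mtime is not among them
# (assumed from that output, not taken from OSSEC's source).
FIELDS = ("size", "perm", "uid", "gid", "md5", "sha1")


def syscheck_values(path):
    """Collect the integrity-checking values recorded for one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "size": st.st_size,
        "perm": stat.filemode(st.st_mode)[1:],  # rwxrwxrwx, as printed above
        "uid": st.st_uid,
        "gid": st.st_gid,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def changed_fields(baseline, current):
    """Names of the recorded fields that differ between two scans."""
    return [f for f in FIELDS if baseline[f] != current[f]]


def restore_scenario(tamper_backup):
    """Scan test1, back it up with a cp -p equivalent, optionally alter the
    backup while keeping its old mtime, restore it with cp -p and rescan.
    Returns (changed fields, whether mtime survived unchanged)."""
    with tempfile.TemporaryDirectory() as d:
        test1 = os.path.join(d, "test1")
        backup = os.path.join(d, "test1.bak")
        with open(test1, "w") as fh:
            fh.write("original content\n")       # constructed sample file
        baseline = syscheck_values(test1)
        mtime_ns = os.stat(test1).st_mtime_ns
        shutil.copy2(test1, backup)               # copy2 keeps mtime, like cp -p
        if tamper_backup:
            with open(backup, "w") as fh:
                fh.write("tampered content\n")    # same length: only hashes differ
            os.utime(backup, ns=(mtime_ns, mtime_ns))  # put the old mtime back
        shutil.copy2(backup, test1)               # the "cp -p test1.bak test1"
        current = syscheck_values(test1)
        mtime_same = os.stat(test1).st_mtime_ns == mtime_ns
        return changed_fields(baseline, current), mtime_same
```

Running `restore_scenario(False)` reports no changed fields, while `restore_scenario(True)` reports only md5 and sha1 even though size and mtime are identical to the baseline.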
