Hi;
Here's the goal:
* I want to monitor /etc for any changes
* I want to monitor /etc/passwd and /etc/shadow for ownership, group ownership, and permissions changes only
The basic logic being: I don't really care when people change their
passwords; but if those files change ownership or permissions, something
unfortunate is happening.
I have
<directories realtime="yes" check_all="yes">/etc,[[snip]]</directories>
in ossec.conf and that works. A sample alert that I would like to filter
is:
OSSEC HIDS Notification.
2012 Aug 27 15:06:45
Received From: (${myhost}) AAA.BB.CCC.Y ->syscheck
Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
Portion of the log(s):
Integrity checksum changed for: '/etc/shadow'
Group ownership was '0', now it is '1'
#eof
Based on a 09/18/09 posting from one Daniel Cid (anyone heard of him? :) ),
I tried:
<rule id="100003" level="1">
  <if_group>syscheck</if_group>
  <regex>/etc/passwd|/etc/shadow</regex>
  <description>Logging but not alerting changes to passwd/shadow files</description>
</rule>
<rule id="100004" level="10">
  <if_sid>100003</if_sid>
  <regex>[Oo]wner was</regex>
  <description>Ownership change for password or shadow file!</description>
</rule>
but that didn't work as syscheck is not a valid group so syscheck wouldn't
restart. I also tried <decoded_as>syscheck</decoded_as> in place of the
if_group with the same results.
I had a thought that these rules had to be in a different group in
local_rules.xml; but that doesn't make sense because another syscheck rule
update works fine in the current group:
# local_rules.xml
<group name="local,syslog,">
[[snip]]
  <!-- Ramped up level. DOL 08/23/12 -->
  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
[[snip]]
</group>
which led me to try <if_group>syscheck,</if_group> - with a ',' after
syscheck so the rules now read:
<rule id="100003" level="1">
  <if_group>syscheck,</if_group>
  <regex>/etc/passwd|/etc/shadow</regex>
  <description>Logging but not alerting changes to passwd/shadow files</description>
</rule>
<rule id="100004" level="10">
  <if_sid>100003</if_sid>
  <regex>[Oo]wner was</regex>
  <description>Ownership change for password or shadow file!</description>
</rule>
And that seems to work - at least ossec and syscheck restarted w/o error.
Does that seem like it'll do what I want (minus permission changes which
aren't in there yet)? I have it in place now; but the pre-scan is running
so I have about 3.5 hours before I can find out...
Thanks for any hints/tips/suggestions.
Doug O'Leary
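An added example, not part of Doug's post or of the OSSEC project, of the same rule pair written to cover ownership, group ownership and permission changes: it uses <match> (plain substring with | alternation) instead of <regex>, quotes the paths the way the syscheck report prints them so backup copies like /etc/shadow- stay out, and keys on the wording of the alert quoted above. "Group ownership was" is taken from that alert; "Ownership was" and "Permissions changed" are assumed syscheck decoder strings and should be confirmed against a real alert first.

```xml
<group name="local,syslog,">

  <!-- Every syscheck event on the two password files lands here first.
       Level 1 keeps it in the log without raising an alert, so a routine
       password change is recorded but not escalated. The paths are quoted
       exactly as the report prints them ("... for: '/etc/shadow'"), so
       /etc/passwd- and /etc/shadow- backups are not swept in. -->
  <rule id="100003" level="1">
    <if_group>syscheck,</if_group>
    <match>'/etc/passwd'|'/etc/shadow'</match>
    <description>Change to passwd/shadow logged, not alerted.</description>
  </rule>

  <!-- Escalate when the report shows the owner, group or mode changing.
       "Group ownership was" is the wording in the quoted alert;
       "Ownership was" and "Permissions changed" are assumed decoder
       strings (confirm them against a real alert before relying on them). -->
  <rule id="100004" level="10">
    <if_sid>100003</if_sid>
    <match>Ownership was|Group ownership was|Permissions changed</match>
    <description>Owner, group or permission change on passwd/shadow file!</description>
    <group>syscheck,</group>
  </rule>

</group>
```

Note that the alert quoted in the post reads "Group ownership was '0', now it is '1'", a line the pattern [Oo]wner was in the rules above does not contain, so checking the match strings against a captured alert is the quickest way to confirm the chain fires.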