On Tue, Aug 28, 2012 at 11:50 AM, dkoleary <[email protected]> wrote:
> Hi;
>
> Here's the goal:
> * I want to monitor /etc for any changes
> * I want to monitor /etc/passwd and /etc/shadow for ownership, group
> ownership, and permissions changes only
>
> The basic logic being - I don't really care when people change their
> passwords; but, if those files change ownership or permissions, something
> unfortunate is happening.
>
> I have
>
> <directories realtime="yes" check_all="yes">/etc,[[snip]]</directories>
>
> in ossec.conf and that works. A sample alert that I would like to filter
> is:
>
> OSSEC HIDS Notification.
> 2012 Aug 27 15:06:45
>
> Received From: (${myhost}) AAA.BB.CCC.Y ->syscheck
> Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
> Portion of the log(s):
>
> Integrity checksum changed for: '/etc/shadow'
> Group ownership was '0', now it is '1'
> #eof
>
> Based on a 09/18/09 posting from one Daniel Cid (anyone heard of him? :) ),
> I tried:
>
> <rule id="100003" level="1">
> <if_group>syscheck</if_group>
> <regex>/etc/passwd|/etc/shadow</regex>
> <description>Logging but not alerting changes to passwd/shadow
> files</description>
> </rule>
>
> <rule id="100004" level="10">
> <if_sid>100003</if_sid>
> <regex>[Oo]wner was</regex>

This isn't valid OSSEC regex.

> <description>Ownership change for password or shadow file!</description>
> </rule>
>
> but that didn't work as syscheck is not a valid group so syscheck wouldn't
> restart. I also tried <decoded_as>syscheck</decoded_as> in place of the
> if_group with the same results.
>
> I had a thought that these rules had to be in a different group in
> local_rules.xml; but, that doesn't make sense because another syscheck rule
> update works fine in the current group:
>
> # local_rules.xml
> <group name="local,syslog,">
> [[snip]]
> <!-- Ramped up level. DOL 08/23/12 -->
> <rule id="554" level="10" overwrite="yes">
> <category>ossec</category>
> <decoded_as>syscheck_new_entry</decoded_as>
> <description>File added to the system.</description>
> <group>syscheck,</group>
> </rule>
> [[snip]]
> </group>
>
> which led me to try <if_group>syscheck,</if_group> - with a ',' after
> syscheck so the rules now read:
>
> <rule id="100003" level="1">
> <if_group>syscheck,</if_group>
> <regex>/etc/passwd|/etc/shadow</regex>
> <description>Logging but not alerting changes to passwd/shadow
> files</description>
> </rule>
>
> <rule id="100004" level="10">
> <if_sid>100003</if_sid>
> <regex>[Oo]wner was</regex>
> <description>Ownership change for password or shadow file!</description>
> </rule>
>
> And that seems to work - at least ossec and syscheck restarted w/o error.
> Does that seem like it'll do what I want (minus permission changes which
> aren't in there yet)? I have it in place now; but the pre-scan is running
> so I have about 3.5 hours before I can find out...
>
> Thanks for any hints/tips/suggestions.
>
> Doug O'Leary
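The rule set the thread is working towards, written out as an added example rather than anything posted by Doug or the responder. It keeps the `syscheck,` group spelling that let ossec restart in his test, and swaps the `[Oo]` character class (which OSSEC's own regex engine does not accept) for `<match>`, which is a plain substring test. The third rule is an assumption: the thread shows only the group-ownership line of a syscheck alert, so the string `Permissions changed` is a placeholder to be checked against the wording in your own alerts.log before you rely on it.

```xml
<!-- Added example for local_rules.xml, not from the thread. -->
<group name="local,syslog,">

  <!-- Any syscheck event touching passwd or shadow. Level 1 is at the
       default log_alert_level (1) but below the default email_alert_level
       (7), so the event is written to alerts.log without a notification. -->
  <rule id="100003" level="1">
    <if_group>syscheck,</if_group>
    <regex>/etc/passwd|/etc/shadow</regex>
    <description>Change to passwd/shadow file (logged only).</description>
    <group>syscheck,</group>
  </rule>

  <!-- Ownership change. <match> is a literal substring test, so
       "wnership was" covers both "Ownership was" and "Group ownership was"
       without needing a character class. -->
  <rule id="100004" level="10">
    <if_sid>100003</if_sid>
    <match>wnership was</match>
    <description>Ownership change for password or shadow file!</description>
    <group>syscheck,</group>
  </rule>

  <!-- Permission change. ASSUMPTION: "Permissions changed" does not appear
       anywhere in the thread; confirm the exact alert text from your own
       alerts.log and adjust this string before trusting the rule. -->
  <rule id="100005" level="10">
    <if_sid>100003</if_sid>
    <match>Permissions changed</match>
    <description>Permission change for password or shadow file!</description>
    <group>syscheck,</group>
  </rule>

</group>
```

After restarting ossec, change only the group of a scratch copy of a monitored file (not /etc/shadow itself) and confirm that rule 100004 appears in alerts.log while a content-only edit stays at rule 100003; that is the quickest way to see whether the substring in each `<match>` really lines up with the alert text your version of OSSEC produces.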
