ossec.conf on server, relevant portion:

    <directories report_changes="yes" check_all="yes">/etc,/var/ossec/etc</directories>
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" check_all="yes">/home/*/.ssh</directories>

###############################

agent.conf on remote client, AIX:

<agent_config os="AIX">

  <syscheck>
    <frequency>86400</frequency>
    <scan_on_start>no</scan_on_start>
    <scan_time>03:30</scan_time>
    <auto_ignore>false</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <directories report_changes="yes" check_all="yes">/etc</directories>
      <ignore type="sregex">^/etc/objrepos/</ignore>
      <ignore>/etc/mtab</ignore>
      <ignore>/etc/perf</ignore>
      <ignore>/etc/es/objrepos</ignore>
      <ignore>/etc/lp/diagnostics</ignore>
      <ignore>/etc/lpp/diagnostics</ignore>
      <ignore>/etc/mnttab</ignore>
      <ignore>/etc/hosts.deny</ignore>
      <ignore>/etc/mail/statistics</ignore>
      <ignore>/etc/random-seed</ignore>
      <ignore>/etc/adjtime</ignore>
      <ignore>/etc/httpd/logs</ignore>
      <ignore>/etc/utmp</ignore>
      <ignore>/etc/wtmp</ignore>
      <ignore>/etc/utmpx</ignore>
      <ignore>/etc/wtmpx</ignore>
      <ignore>/etc/cups/certs</ignore>
      <ignore>/etc/dumpdates</ignore>
      <ignore>/etc/svc/volatile</ignore>
      <ignore>/etc/prelink.cache</ignore>
      <ignore>/etc/security/failedlogin</ignore>

    <directories check_all="yes">/opt</directories>
      <ignore>/opt/splunkforwarder</ignore>
      <ignore>/opt/recon</ignore>
      <ignore>/opt/IBM</ignore>

    <directories check_all="yes">/var/ossec</directories>
      <ignore type="sregex">^/var/ossec/queue/</ignore>
      <ignore type="sregex">^/var/ossec/logs/</ignore>
      <ignore type="sregex">^/var/ossec/stats/</ignore>

  </syscheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/secure/secure.out</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/syslog/kern.out</location>
  </localfile>

</agent_config>

#################

agent.conf, linux:

<agent_config os="Linux">
  <syscheck>
    <frequency>86400</frequency>
    <scan_on_start>yes</scan_on_start>
    <scan_time>03:00</scan_time>
    <auto_ignore>false</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <directories check_all="yes">/var/ossec</directories>
      <ignore type="sregex">^/var/ossec/queue/</ignore>
      <ignore type="sregex">^/var/ossec/logs/</ignore>
      <ignore type="sregex">^/var/ossec/stats/</ignore>

    <!-- Files/directories to ignore -->
    <ignore type="sregex">^/var/spool/mail/</ignore>
    <ignore type="sregex">^/var/spool/mqueue/</ignore>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

  </syscheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

</agent_config>

On Thursday, November 15, 2012 2:20:11 PM UTC-6, Jb Cheng wrote:
>
> This is strange  --- AIX works OK, but Linux does not. 
> I would like to reproduce the issue on Linux.  Could you post the relevant 
> ossec.conf section here? 
>
> On Thursday, November 15, 2012 7:36:48 AM UTC-8, mcrane0 wrote:
>>
>> It's worth noting that this is only occurring in our Linux environment. 
>>  The AIX agents are correctly reporting diffs with file integrity alerts.   
>> Both AIX and Linux syscheck directives have the same contents on 
>> client/server.
>>
>> Is there any way to debug this?  I've set syscheck debug level to 2 on 
>> client and see no change in logging.  It's very frustrating as a.) the 
>> alert is triggering and, b.) the diff is appearing in 
>> /var/ossec/queue/diff/local/etc/<file>, but it's not being reported with 
>> the alert.  
>>
>> On Tuesday, November 13, 2012 11:33:12 AM UTC-6, mcrane0 wrote:
>>>
>>> Trying to include filesystem integrity alert diffs.
>>>
>>> Testing with /etc
>>>
>>> I have verified that both ossec.conf on server and 
>>> /var/ossec/etc/shared/agent.conf has 'report_changes=yes' for /etc.  
>>> /var/ossec/queue/diff/local/etc/fstab folder includes the diff file on 
>>> the client.
>>>
>>> The alert triggers, but the diff is not included with the alert.  Is 
>>> there some other hidden setting I need to look for?  Does ossec.conf on the 
>>> server need to match agent.conf on the client?  
>>>
>>>
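A cross-check a defender would run on the two files posted at the top of this message, added here as an example; it is not OSSEC's own tooling and not code from anyone in the thread. It parses the `<directories>` lines from the server's ossec.conf and from each `<agent_config os="...">` block of agent.conf, records the `report_changes` attribute per path (absent is treated as "no", OSSEC's default), and lists every path for which the server enables diffs but the agent block does not. The two fragments embedded below are constructed from the configurations above; the function names and the synthetic `<root>` wrapper used to parse agent.conf (which has no single root element) are my assumptions. Run against those fragments it reports, among other things, that the Linux block's /etc entry has check_all="yes" but no report_changes="yes", whereas the AIX block's /etc entry does. That attribute mismatch is the thing to rule out before raising syscheck debug levels.

```python
"""Compare syscheck report_changes settings between a server ossec.conf and
the shared agent.conf, per agent_config os= block. Added example, not OSSEC
code; sample fragments below are constructed from the thread's configs."""
import xml.etree.ElementTree as ET

# Constructed sample: the server-side syscheck lines posted above.
SERVER_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <directories report_changes="yes" check_all="yes">/etc,/var/ossec/etc</directories>
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" check_all="yes">/home/*/.ssh</directories>
  </syscheck>
</ossec_config>
"""

# Constructed sample: the AIX and Linux agent_config blocks posted above,
# trimmed to their <directories> lines (the <ignore> lines are irrelevant here).
AGENT_CONF = """
<agent_config os="AIX">
  <syscheck>
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" check_all="yes">/etc</directories>
    <directories check_all="yes">/opt</directories>
    <directories check_all="yes">/var/ossec</directories>
  </syscheck>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories check_all="yes">/var/ossec</directories>
  </syscheck>
</agent_config>
"""


def _directories(syscheck):
    """Map each path in a <syscheck> element to its <directories> attributes.
    A comma-separated path list shares one attribute set; an attribute that
    is absent is recorded as "no", which is OSSEC's default."""
    out = {}
    for d in syscheck.findall("directories"):
        attrs = {k: v.strip().lower() for k, v in d.attrib.items()}
        for path in (d.text or "").split(","):
            path = path.strip()
            if path:
                out[path] = {
                    "report_changes": attrs.get("report_changes", "no"),
                    "check_all": attrs.get("check_all", "no"),
                }
    return out


def parse_server(text):
    """ossec.conf has a single <ossec_config> root, so parse it directly."""
    root = ET.fromstring(text.strip())
    sc = root.find("syscheck")
    return _directories(sc) if sc is not None else {}


def parse_agent(text):
    """agent.conf may hold several <agent_config> elements with no common
    root, so wrap it in a synthetic <root> (assumption) before parsing.
    Returns {os_name: {path: attrs}}; a block with no os= attribute applies
    to every agent and is keyed "*"."""
    root = ET.fromstring("<root>" + text.strip() + "</root>")
    blocks = {}
    for ac in root.findall("agent_config"):
        sc = ac.find("syscheck")
        if sc is not None:
            blocks[ac.get("os", "*")] = _directories(sc)
    return blocks


def report_changes_gaps(server_dirs, agent_blocks):
    """Return (os, path, reason) triples for every path the server watches
    with report_changes="yes" that the agent block either does not list at
    all ("not monitored") or lists without diffs ("report_changes=no").
    Paths are compared as literal strings; no prefix matching is done."""
    gaps = []
    for os_name, dirs in sorted(agent_blocks.items()):
        for path, sattrs in sorted(server_dirs.items()):
            if sattrs["report_changes"] != "yes":
                continue
            aattrs = dirs.get(path)
            if aattrs is None:
                gaps.append((os_name, path, "not monitored"))
            elif aattrs["report_changes"] != "yes":
                gaps.append((os_name, path, "report_changes=no"))
    return gaps


if __name__ == "__main__":
    gaps = report_changes_gaps(parse_server(SERVER_OSSEC_CONF), parse_agent(AGENT_CONF))
    for os_name, path, reason in gaps:
        print(f"{os_name}: {path}: {reason}")
```

Because paths are compared literally, a server entry such as /var/ossec/etc is reported as "not monitored" on an agent that watches /var/ossec as a whole; those rows are noise for the question in this thread, while a "report_changes=no" row for a path both sides list is the one worth acting on.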
