I tried the following <syscheck> config on Linux CentOS 2.6.18.
    <directories report_changes="yes" check_all="yes">/etc</directories>
Added a comment line to a dummy file /etc/hosts.jb; the diff showed up under
queue/diff/local/etc/hosts.jb but did not show up in alerts.log.

TODO:  Who can trace the source code to debug this issue? 


On Wednesday, November 28, 2012 8:25:53 AM UTC-8, mcrane0 wrote:
>
> Upon review, that's the non-testing env.  Apologies for the confusion.
> Here is where it's not working:
>
> </agent_config>
>
> <agent_config os="Linux">
>   <syscheck>
>     <frequency>86400</frequency>
>     <scan_on_start>yes</scan_on_start>
>     <scan_time>03:00</scan_time>
>     <auto_ignore>no</auto_ignore>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories report_changes="yes" check_all="yes">/etc</directories>
>     <directories check_all="yes">/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>       <directories check_all="yes">/var/ossec</directories>
>       <ignore type="sregex">^/var/ossec/queue/</ignore>
>       <ignore type="sregex">^/var/ossec/logs/</ignore>
>       <ignore type="sregex">^/var/ossec/stats/</ignore>
>
>     <!-- Files/directories to ignore -->
>     <ignore type="sregex">^/var/spool/mail/</ignore>
>     <ignore type="sregex">^/var/spool/mqueue/</ignore>
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>   </syscheck>
>
>   <!-- Files to monitor (localfiles) -->
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
>
> </agent_config>
>
>
> On Wednesday, November 28, 2012 9:35:40 AM UTC-6, dan (ddpbsd) wrote:
>>
>> On Wed, Nov 28, 2012 at 10:01 AM, mcrane0 <[email protected]> wrote: 
>> > ossec.conf on server, relevant portion: 
>> > 
>> >     <directories report_changes="yes" check_all="yes">/etc,/var/ossec/etc</directories>
>> >     <directories check_all="yes">/usr/bin,/usr/sbin</directories> 
>> >     <directories check_all="yes">/bin,/sbin</directories> 
>> >     <directories report_changes="yes" check_all="yes">/home/*/.ssh</directories>
>> > 
>> > ############################### 
>> > 
>> > agent.conf on remote client, AIX: 
>> > 
>> > <agent_config os="AIX"> 
>> > 
>> >   <syscheck> 
>> >     <frequency>86400</frequency> 
>> >     <scan_on_start>no</scan_on_start> 
>> >     <scan_time>03:30</scan_time> 
>> >     <auto_ignore>false</auto_ignore> 
>> > 
>> >     <!-- Directories to check  (perform all possible verifications) --> 
>> >     <directories check_all="yes">/usr/bin,/usr/sbin</directories> 
>> >     <directories check_all="yes">/bin,/sbin</directories> 
>> > 
>> >     <directories report_changes="yes" check_all="yes">/etc</directories>
>> >       <ignore type="sregex">^/etc/objrepos/</ignore> 
>> >       <ignore>/etc/mtab</ignore> 
>> >       <ignore>/etc/perf</ignore> 
>> >       <ignore>/etc/es/objrepos</ignore> 
>> >       <ignore>/etc/lp/diagnostics</ignore> 
>> >       <ignore>/etc/lpp/diagnostics</ignore> 
>> >       <ignore>/etc/mnttab</ignore> 
>> >       <ignore>/etc/hosts.deny</ignore> 
>> >       <ignore>/etc/mail/statistics</ignore> 
>> >       <ignore>/etc/random-seed</ignore> 
>> >       <ignore>/etc/adjtime</ignore> 
>> >       <ignore>/etc/httpd/logs</ignore> 
>> >       <ignore>/etc/utmp</ignore> 
>> >       <ignore>/etc/wtmp</ignore> 
>> >       <ignore>/etc/utmpx</ignore> 
>> >       <ignore>/etc/wtmpx</ignore> 
>> >       <ignore>/etc/cups/certs</ignore> 
>> >       <ignore>/etc/dumpdates</ignore> 
>> >       <ignore>/etc/svc/volatile</ignore> 
>> >       <ignore>/etc/prelink.cache</ignore> 
>> >       <ignore>/etc/security/failedlogin</ignore> 
>> > 
>> >     <directories check_all="yes">/opt</directories> 
>> >       <ignore>/opt/splunkforwarder</ignore> 
>> >       <ignore>/opt/recon</ignore> 
>> >       <ignore>/opt/IBM</ignore> 
>> > 
>> >     <directories check_all="yes">/var/ossec</directories> 
>> >       <ignore type="sregex">^/var/ossec/queue/</ignore> 
>> >       <ignore type="sregex">^/var/ossec/logs/</ignore> 
>> >       <ignore type="sregex">^/var/ossec/stats/</ignore> 
>> > 
>> >   </syscheck> 
>> > 
>> > <localfile> 
>> > <log_format>syslog</log_format> 
>> > <location>/var/adm/secure/secure.out</location> 
>> > </localfile> 
>> > 
>> > <localfile> 
>> > <log_format>syslog</log_format> 
>> > <location>/var/adm/syslog/kern.out</location> 
>> > </localfile> 
>> > 
>> > </agent_config> 
>> > 
>> > ################# 
>> > 
>> > agent.conf, linux: 
>> > 
>> > <agent_config os="Linux"> 
>> >   <syscheck> 
>> >     <frequency>86400</frequency> 
>> >     <scan_on_start>yes</scan_on_start> 
>> >     <scan_time>03:00</scan_time> 
>> >     <auto_ignore>false</auto_ignore> 
>> > 
>> >     <!-- Directories to check  (perform all possible verifications) --> 
>> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> 
>> >     <directories check_all="yes">/bin,/sbin</directories> 
>> > 
>> >       <directories check_all="yes">/var/ossec</directories> 
>>
>>
>> You don't have report_changes set. 
>>
>> >       <ignore type="sregex">^/var/ossec/queue/</ignore> 
>> >       <ignore type="sregex">^/var/ossec/logs/</ignore> 
>> >       <ignore type="sregex">^/var/ossec/stats/</ignore> 
>> > 
>> >     <!-- Files/directories to ignore --> 
>> >     <ignore type="sregex">^/var/spool/mail/</ignore> 
>> >     <ignore type="sregex">^/var/spool/mqueue/</ignore> 
>> >     <ignore>/etc/mtab</ignore> 
>> >     <ignore>/etc/mnttab</ignore> 
>> >     <ignore>/etc/hosts.deny</ignore> 
>> >     <ignore>/etc/mail/statistics</ignore> 
>> >     <ignore>/etc/random-seed</ignore> 
>> >     <ignore>/etc/adjtime</ignore> 
>> >     <ignore>/etc/httpd/logs</ignore> 
>> >     <ignore>/etc/utmpx</ignore> 
>> >     <ignore>/etc/wtmpx</ignore> 
>> >     <ignore>/etc/cups/certs</ignore> 
>> >     <ignore>/etc/dumpdates</ignore> 
>> >     <ignore>/etc/svc/volatile</ignore> 
>> > 
>> >   </syscheck> 
>> > 
>> >   <!-- Files to monitor (localfiles) --> 
>> >   <localfile> 
>> >     <log_format>syslog</log_format> 
>> >     <location>/var/log/messages</location> 
>> >   </localfile> 
>> > 
>> >   <localfile> 
>> >     <log_format>syslog</log_format> 
>> >     <location>/var/log/secure</location> 
>> >   </localfile> 
>> > 
>> >   <localfile> 
>> >     <log_format>syslog</log_format> 
>> >     <location>/var/log/maillog</location> 
>> >   </localfile> 
>> > 
>> > </agent_config> 
>> > 
>> > 
>> > 
>> > 
>> > On Thursday, November 15, 2012 2:20:11 PM UTC-6, Jb Cheng wrote: 
>> >> 
>> >> This is strange  --- AIX works OK, but Linux does not. 
>> >> I would like to reproduce the issue on Linux.  Could you post the relevant
>> >> ossec.conf section here?
>> >> 
>> >> On Thursday, November 15, 2012 7:36:48 AM UTC-8, mcrane0 wrote: 
>> >>> 
>> >>> It's worth noting that this is only occurring in our Linux environment.
>> >>> The AIX agents are correctly reporting diffs with file integrity alerts.
>> >>> Both AIX and Linux syscheck directives have the same contents on
>> >>> client/server.
>> >>>
>> >>> Is there any way to debug this?  I've set syscheck debug level to 2 on
>> >>> client and see no change in logging.  It's very frustrating as a.) the alert
>> >>> is triggering and, b.) the diff is appearing in
>> >>> /var/ossec/queue/diff/local/etc/<file>, but it's not being reported with the
>> >>> alert.
>> >>> 
>> >>> On Tuesday, November 13, 2012 11:33:12 AM UTC-6, mcrane0 wrote: 
>> >>>> 
>> >>>> Trying to include filesystem integrity alert diffs. 
>> >>>> 
>> >>>> Testing with /etc 
>> >>>> 
>> >>>> I have verified that both ossec.conf on server and
>> >>>> /var/ossec/etc/shared/agent.conf have 'report_changes=yes' for /etc.
>> >>>> /var/ossec/queue/diff/local/etc/fstab folder includes the diff file on
>> >>>> the client.
>> >>>>
>> >>>> The alert triggers, but the diff is not included with the alert.  Is
>> >>>> there some other hidden setting I need to look for?  Does ossec.conf on the
>> >>>> server need to match agent.conf on the client?
>> >>>> 
>> > 
>>
>
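As an added check for the point dan raises in the thread (the Linux <agent_config> block watches /etc without report_changes="yes", so its alerts carry no diff), the script below parses an agent.conf and reports which os blocks would alert on a path without a diff. It is example code, not OSSEC's own; the agent.conf sample is constructed from the thread and <ignore> matching is simplified to prefix matching.

```python
# Added example, not OSSEC code: audit which <agent_config> blocks of an
# agent.conf watch a path with report_changes="yes".
import xml.etree.ElementTree as ET

# Constructed sample: the posted Linux block (its /etc entry lacks
# report_changes) beside an AIX block that sets it.
SAMPLE_AGENT_CONF = """
<agent_config os="AIX">
  <syscheck>
    <directories report_changes="yes" check_all="yes">/etc</directories>
    <ignore type="sregex">^/etc/objrepos/</ignore>
  </syscheck>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_config>
"""

def parse_agent_conf(text):
    # agent.conf holds several top-level <agent_config> blocks, so wrap it in a
    # dummy root to obtain one well-formed XML document.
    root = ET.fromstring("<root>" + text + "</root>")
    blocks = {}
    for cfg in root.findall("agent_config"):
        entries, ignores = [], []
        for sc in cfg.findall("syscheck"):
            for d in sc.findall("directories"):
                paths = [p.strip() for p in (d.text or "").split(",") if p.strip()]
                entries.append((paths, d.get("report_changes") == "yes"))
            for ig in sc.findall("ignore"):
                # Plain <ignore> is a prefix match; sregex ^/x/ is approximated as the same prefix.
                ignores.append((ig.text or "").strip().lstrip("^"))
        blocks[cfg.get("os", "*")] = (entries, ignores)
    return blocks

def report_changes_for(blocks, os_name, path):
    """True if the os block watches path with report_changes="yes" and does not ignore it."""
    entries, ignores = blocks[os_name]
    if any(path.startswith(ig) for ig in ignores):
        return False
    return any(rc for paths, rc in entries
               if any(path == p or path.startswith(p.rstrip("/") + "/") for p in paths))

def blocks_without_diffs_for(blocks, path):
    """os names whose agents would alert on path without a diff (or not at all)."""
    return sorted(o for o in blocks if not report_changes_for(blocks, o, path))
```

Running blocks_without_diffs_for(parse_agent_conf(SAMPLE_AGENT_CONF), "/etc/hosts.jb") names the Linux block, which is the misconfiguration discussed in the thread.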
