On Wed, Oct 9, 2013 at 3:56 AM, Michiel van Es <[email protected]> wrote:
>
>
> On Thursday 3 October 2013 15:44:49 UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Oct 3, 2013 at 9:13 AM, Michiel van Es <[email protected]> wrote:
>> >
>> >
>> > On Thursday 3 October 2013 14:57:28 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Oct 3, 2013 at 4:26 AM, Michiel van Es <[email protected]> wrote:
>> >> > Is my ossec.conf on the agents correct?
>> >> > Tested again today after some days:
>> >> >
>> >>
>> >> As far as I can tell it seems ok.
>> >>
>> >> > Added an entry to /etc/hosts, nothing is detected and alerted directly..
>> >> >
>> >>
>> >> What do you mean by "alerted directly?"
>> >
>> >
>> > The realtime=yes should trigger an alert for OSSEC directly when I alter the
>> > file, right? (I open the file with vim, add a new line with bogus, write+quit)
>> > It does nothing after that, only after the first syscheck run that is
>> > scheduled to run every X hours/minutes.
>> >
>>
>> It should trigger an alert very quickly, yes.
>> I don't really have a way to troubleshoot this. Every time I test
>> realtime it works just fine.
>>
>
> Did you test it on multiple files in /etc/ for example?

No I have not. My ability to test realtime is a bit limited at the moment.

> I tried /etc/resolv.conf which is instant, /etc/passwd where we change a
> user's last name did not have any impact.
> The strange thing is that it is not consistent.
> I am also not sure if it is related to:
>
> - Red Hat
> - Atomic OSSEC-HIDS package
> - VMware image
> - kernel
>
>>
>> >>
>> >> >
>> >> > On Friday 27 September 2013 15:50:18 UTC+2, Michiel van Es wrote:
>> >> >>
>> >> >> Hello, I have the following setup:
>> >> >>
>> >> >> 1 manager - OSSEC 2.7 64 bit tar.gz manager install via script
>> >> >> 2 agents - OSSEC 2.7 64 bit Atomic repo install
>> >> >>
>> >> >> I have changed the <syscheck> in /var/ossec/etc/ossec.conf to the following
>> >> >> on the manager:
>> >> >>
>> >> >> <syscheck>
>> >> >>   <!-- Frequency that syscheck is executed - default to every 22 hours in seconds -->
>> >> >>   <frequency>7200</frequency>
>> >> >>
>> >> >>   <!-- Directories to check (perform all possible verifications) -->
>> >> >>   <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >> >>   <directories check_all="yes">/bin,/sbin</directories>
>> >> >>
>> >> >>   <!-- Files/directories to ignore -->
>> >> >>   <ignore>/etc/mtab</ignore>
>> >> >>   <ignore>/etc/mnttab</ignore>
>> >> >>   <ignore>/etc/hosts.deny</ignore>
>> >> >>   <ignore>/etc/mail/statistics</ignore>
>> >> >>   <ignore>/etc/random-seed</ignore>
>> >> >>   <ignore>/etc/adjtime</ignore>
>> >> >>   <ignore>/etc/httpd/logs</ignore>
>> >> >>   <ignore>/etc/utmpx</ignore>
>> >> >>   <ignore>/etc/wtmpx</ignore>
>> >> >>   <ignore>/etc/cups/certs</ignore>
>> >> >>   <ignore>/etc/dumpdates</ignore>
>> >> >>   <ignore>/etc/svc/volatile</ignore>
>> >> >>
>> >> >>   <!-- Windows files to ignore -->
>> >> >>   <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>> >> >>   <ignore>C:\WINDOWS/Debug</ignore>
>> >> >>   <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>> >> >>   <ignore>C:\WINDOWS/iis6.log</ignore>
>> >> >>   <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>> >> >>   <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>> >> >>   <ignore>C:\WINDOWS/Prefetch</ignore>
>> >> >>   <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>> >> >>   <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>> >> >>   <ignore>C:\WINDOWS/Temp</ignore>
>> >> >>   <ignore>C:\WINDOWS/system32/config</ignore>
>> >> >>   <ignore>C:\WINDOWS/system32/spool</ignore>
>> >> >>   <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>> >> >> </syscheck>
>> >> >>
>> >> >> I want realtime monitoring of the /etc/ directories on the agents.
>> >> >> I tested the active restarts and link with the agents via
>> >> >> agent_control -lc
>> >> >>
>> >> >> The agents have the following ossec.conf:
>> >> >>
>> >> >> <ossec_config>
>> >> >>   <client>
>> >> >>     <server-ip>10.10.138.69</server-ip>
>> >> >>   </client>
>> >> >> </ossec_config>
>> >> >>
>> >> >> Nothing happens when I alter /etc/hosts on 1 of the agents.
>> >> >>
>> >> >> When I change the /etc/hosts on the manager it is instant (exactly what
>> >> >> I want).
>> >> >>
>> >> >> I changed the ossec.conf on the agents to the following:
>> >> >>
>> >> >> <ossec_config>
>> >> >>   <client>
>> >> >>     <server-ip>10.10.138.69</server-ip>
>> >> >>   </client>
>> >> >>
>> >> >>   <syscheck>
>> >> >>     <!-- Frequency that syscheck is executed - default to every 22 hours in seconds -->
>> >> >>     <frequency>7200</frequency>
>> >> >>
>> >> >>     <!-- Directories to check (perform all possible verifications) -->
>> >> >>     <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
>> >> >>     <directories check_all="yes">/bin,/sbin</directories>
>> >> >>
>> >> >>     <!-- Files/directories to ignore -->
>> >> >>     <ignore>/etc/mtab</ignore>
>> >> >>     <ignore>/etc/mnttab</ignore>
>> >> >>     <ignore>/etc/hosts.deny</ignore>
>> >> >>     <ignore>/etc/mail/statistics</ignore>
>> >> >>     <ignore>/etc/random-seed</ignore>
>> >> >>     <ignore>/etc/adjtime</ignore>
>> >> >>     <ignore>/etc/httpd/logs</ignore>
>> >> >>     <ignore>/etc/utmpx</ignore>
>> >> >>     <ignore>/etc/wtmpx</ignore>
>> >> >>     <ignore>/etc/cups/certs</ignore>
>> >> >>     <ignore>/etc/dumpdates</ignore>
>> >> >>     <ignore>/etc/svc/volatile</ignore>
>> >> >>
>> >> >>     <!-- Windows files to ignore -->
>> >> >>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>> >> >>     <ignore>C:\WINDOWS/Debug</ignore>
>> >> >>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>> >> >>     <ignore>C:\WINDOWS/iis6.log</ignore>
>> >> >>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>> >> >>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>> >> >>     <ignore>C:\WINDOWS/Prefetch</ignore>
>> >> >>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>> >> >>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>> >> >>     <ignore>C:\WINDOWS/Temp</ignore>
>> >> >>     <ignore>C:\WINDOWS/system32/config</ignore>
>> >> >>     <ignore>C:\WINDOWS/system32/spool</ignore>
>> >> >>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>> >> >>   </syscheck>
>> >> >>
>> >> >> </ossec_config>
>> >> >>
>> >> >> and restarted the ossec service on the agents, and let syscheck rebuild
>> >> >> its database on both agents:
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/ossec/etc'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
>> >> >> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> >> >> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> >> >> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
>> >> >> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring started.
>> >> >> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> >> >> 2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database)
>> >> >>
>> >> >> I change the /etc/hosts file again and add multiple new lines to make sure it
>> >> >> won't match the MD5 sum.
>> >> >>
>> >> >> Still nothing happening on the agents, no alert triggered (as on the
>> >> >> manager it was instant)
>> >> >>
>> >> >> Am I correct that the realtime configuration should be in the ossec.conf
>> >> >> on the agents?
>> >> >> I have seen one error on 1 of the servers alerting:
>> >> >>
>> >> >> Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
>> >> >> File '/etc/hosts' was deleted. Unable to retrieve checksum.
>> >> >>
>> >> >>
>> >> >> How can I recreate the database?
>> >> >>
>> >> >> Regards and sorry if I ask the obvious questions here.
>> >> >>
>> >> >> Michiel
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an
>> >> > email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
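Editor's note, added after the thread and not written by any of its participants nor taken from the OSSEC project: the two configuration questions the thread circles around are (a) which `<directories>` entries on an agent actually carry `realtime="yes"`, and (b) whether a given file such as `/etc/hosts` falls under a realtime entry, a scheduled-only entry, or an `<ignore>`. The script below answers both from an agent's `ossec.conf` in the stock OSSEC 2.x layout shown above (several `<ossec_config>` roots per file are allowed, so the text is wrapped in a synthetic root before parsing). `SAMPLE_AGENT_CONF` is a constructed, trimmed copy of the agent config posted in the thread. The `inotify_headroom` helper assumes, as the editor's reading of OSSEC's realtime implementation, that realtime monitoring costs roughly one inotify watch per directory under each realtime entry; it reads the Linux `fs.inotify.max_user_watches` limit from `/proc` and returns `None` elsewhere.

```python
"""Added example: audit which paths an OSSEC agent's ossec.conf puts under
realtime syscheck. Not part of the mailing-list thread or of OSSEC itself."""
import os
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the agent ossec.conf quoted in the thread.
SAMPLE_AGENT_CONF = """\
<ossec_config>
  <client>
    <server-ip>10.10.138.69</server-ip>
  </client>
  <syscheck>
    <!-- Frequency that syscheck is executed, in seconds -->
    <frequency>7200</frequency>
    <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>
"""


def parse_syscheck(conf_text):
    """Return (directories, ignores).

    directories is a list of (path, realtime_bool); one <directories>
    element may carry several comma-separated paths, as in the thread.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    dirs, ignores = [], []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            realtime = (d.get("realtime") or "no").strip().lower() == "yes"
            for p in (d.text or "").split(","):
                p = p.strip()
                if p:
                    dirs.append((p.rstrip("/") or "/", realtime))
        for ig in sc.findall("ignore"):
            if ig.text and ig.text.strip():
                ignores.append(ig.text.strip())
    return dirs, ignores


def _under(path, base):
    """True when path is base itself or lies below it."""
    return path == base or path.startswith(base.rstrip("/") + "/")


def coverage(conf_text, path):
    """Classify how syscheck treats `path`: 'ignored', 'realtime',
    'scheduled' (periodic scan only) or 'unmonitored'."""
    dirs, ignores = parse_syscheck(conf_text)
    if any(_under(path, ig) for ig in ignores):
        return "ignored"
    # The most specific (longest) matching base decides the mode.
    matches = [(len(base), realtime) for base, realtime in dirs if _under(path, base)]
    if not matches:
        return "unmonitored"
    _, realtime = max(matches)
    return "realtime" if realtime else "scheduled"


def realtime_dirs(conf_text):
    """Just the bases that carry realtime="yes"."""
    return [base for base, realtime in parse_syscheck(conf_text)[0] if realtime]


def count_dirs(base):
    """Directories under base; assumed to be the number of inotify watches
    realtime monitoring of that base would need (editor's assumption)."""
    return sum(1 for _ in os.walk(base))


def inotify_headroom(needed_watches):
    """Remaining inotify watches after `needed_watches`, or None off Linux."""
    limit_file = "/proc/sys/fs/inotify/max_user_watches"
    if not os.path.exists(limit_file):
        return None
    with open(limit_file) as f:
        return int(f.read().strip()) - needed_watches


if __name__ == "__main__":
    conf = SAMPLE_AGENT_CONF
    for probe in ("/etc/hosts", "/etc/passwd", "/etc/mtab", "/bin/ls", "/tmp/x"):
        print("%-12s %s" % (probe, coverage(conf, probe)))
    bases = [b for b in realtime_dirs(conf) if os.path.isdir(b)]
    needed = sum(count_dirs(b) for b in bases)
    print("realtime bases on this host:", bases, "watches needed (approx):", needed)
    print("inotify headroom:", inotify_headroom(needed))
```

Two things in the quoted material are worth reading against this output. First, the agent log shows `Initializing real time file monitoring (not started)` at 14:18:27 and `Real time file monitoring started` only at 14:43:12, after the pre-scan finished; an edit made to `/etc/hosts` inside that 25-minute window is picked up only by the next scheduled scan, not by realtime. Second, the manager's `<syscheck>` block governs the manager's own filesystem only; an agent monitors what its local `ossec.conf` (or the centralized `shared/agent.conf`) tells it to, so the agent-side `<syscheck>` the thread adds is needed. A caveat the rule 553 alert (`File '/etc/hosts' was deleted`) hints at: editors that write a temporary file and rename it over the original, which vim can do depending on its `backupcopy` setting, present to an inotify watcher as a delete followed by a create rather than an in-place modification, which is consistent with seeing a "deleted" event for a file that still exists.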
