Hello.

We're running OSSEC 2.7.1 on Linux servers and syscheck is set up to monitor
in real time and report changes (with diff) on all files under /etc.
<directories check_all="yes" report_changes="yes">/etc</directories>

The problem I'm facing is that inside a subfolder in /etc there are
sensitive files generated out of automatically deployed encrypted files.

However, since syscheck is configured to report changes, it makes copies of
these unencrypted sensitive files to be able to report diffs.

Since the generated sensitive files are generated protected in /etc, it
would be nice if syscheck would not make copies of them, but since they are
generated dynamically and there are hundreds of them, we can't use <ignore>
for each one of them (and restart ossec agent each time a new one shows up).

My problem is that <ignore> supports only sregex and I need to make the
filter as specific as possible. The manual is a bit vague about the syntax
("only supports simple string matching"), so I guess that means text only
and ^, $ and |.

In OSSEC regex syntax I would need something like this:
<ignore>^/etc/SOMEDIR/\.+.data$</ignore>
so that only files that are located in or below /etc/SOMEDIR and that end
in .data are ignored.

Is this possible? I found a thread from nearly 4 years ago in which the
poster claimed it would work, but I've tried it and a change in a file in
that location still gets reported.
https://groups.google.com/forum/#!topic/ossec-list/_mdqPu-EhZU

I also found this thread:
https://groups.google.com/forum/#!msg/ossec-list/a2aWYaa7moY/G6YmwFZfwwUJ
but my issue is not the reporting/emailing, but the copy ossec makes for
the diff, so tweaking the rules is not a solution.

I would not mind being notified about the sensitive files changing
(md5/sha1, owner/group or permissions), but not content changes, but I do
want the changes in /etc as diffs.

There is also another thing that is not clear (and I was not able to test
it for now): I remember reading that even for ignored files, syscheck still
makes the necessary computations, but just ignores the outcome. Does that
mean that if in the end I set the whole folder to be ignored, on the first
ossec run those files will still be copied?

I was also thinking about adding a new directories entry below the /etc
one, like this:
<directories check_all="yes" report_changes="no">/etc/SOMEDIR</directories>
Has anyone used this setup? Would it work? (The manual says nothing about
subfolders with a different monitoring setup from the parent folder.)

Thank you for your time.
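To make the "simple string matching" question concrete, here is an added example (not from the post and not OSSEC's own code) that models a matcher where only ^, $ and | are special and everything else is literal, then runs the candidate <ignore> patterns over a constructed list of paths. It assumes those three-operator semantics and simplifies everything else (for example, case handling is not modelled).

```python
# Added example: a model of "simple string matching" with only ^, $ and |
# as operators.  It is an ASSUMPTION that this mirrors OSSEC's sregex
# behaviour exactly; the point is to show which ignore filters can be
# expressed with those three operators and which cannot.

def sregex_match(pattern, path):
    """True if `path` matches `pattern` under the simple-string rules.

    '|' separates alternatives; '^' anchors an alternative at the start of
    the path, '$' at the end; both together mean an exact match; neither
    means a substring search.  Any other character (including '\\', '.'
    and '+') is taken literally.
    """
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1 if at_start else 0 : len(alt) - (1 if at_end else 0)]
        if at_start and at_end:
            hit = path == literal
        elif at_start:
            hit = path.startswith(literal)
        elif at_end:
            hit = path.endswith(literal)
        else:
            hit = literal in path
        if hit:
            return True
    return False


def ignored_paths(patterns, paths):
    """Return the subset of `paths` that at least one ignore pattern hides."""
    return [p for p in paths if any(sregex_match(pat, p) for pat in patterns)]


# Constructed sample of paths syscheck might see below /etc.
SAMPLE_PATHS = [
    "/etc/SOMEDIR/app1.data",
    "/etc/SOMEDIR/deep/app2.data",
    "/etc/SOMEDIR/app1.data.bak",
    "/etc/SOMEDIR/README",
    "/etc/passwd",
    "/etc/other/app3.data",
]

if __name__ == "__main__":
    # The regex-style candidate from the post: '\.+' is literal here, and
    # '^...$' demands an exact match, so nothing is ignored.
    print(ignored_paths([r"^/etc/SOMEDIR/\.+.data$"], SAMPLE_PATHS))
    # A plain prefix ignores the whole subtree, README included.
    print(ignored_paths(["^/etc/SOMEDIR/"], SAMPLE_PATHS))
    # A suffix alone also catches .data files outside SOMEDIR.
    print(ignored_paths([".data$"], SAMPLE_PATHS))
```

With only ^, $ and |, a single alternative cannot combine a directory prefix with a filename suffix, which is exactly the "as specific as possible" filter the post is after.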
