On Mon, Mar 24, 2014 at 5:35 PM, Valentin Avram <[email protected]> wrote:
> Hello.
>
> We're running OSSEC 2.7.1 on Linux servers and syscheck is set up to monitor
> in real time and report changes (with diff) on all files under /etc.
> <directories check_all="yes" report_changes="yes">/etc</directories>
>
> The problem I'm facing is that inside a subfolder in /etc there are
> sensitive files generated out of automatically deployed encrypted files.
>
> However, since syscheck is configured to report changes, it makes copies of
> these unencrypted sensitive files to be able to report diffs.
>
> Since the generated sensitive files are generated protected in /etc, it
> would be nice if syscheck would not make copies of them, but since they are
> generated dynamically and there are hundreds of them, we can't use <ignore>
> for each one of them (and restart the ossec agent each time a new one shows up).
>
> My problem is that <ignore> supports only sregex and I need to make the
> filter as specific as possible. The manual is a bit vague about the syntax
> ("only supports simple string matching"), so I guess that means text only
> and ^, $ and |.
>
> In OSSEC regex syntax I would need something like this:
> <ignore>^/etc/SOMEDIR/\.+.data$</ignore>
> so that only files that are located in or below /etc/SOMEDIR and that end in
> .data are ignored.
>
> Is this possible? I found a thread from nearly 4 years ago in which the poster
> claimed it would work, but I've tried and the change in a file in that
> location still gets reported.
> https://groups.google.com/forum/#!topic/ossec-list/_mdqPu-EhZU
>
> I also found this thread:
> https://groups.google.com/forum/#!msg/ossec-list/a2aWYaa7moY/G6YmwFZfwwUJ
> but my issue is not the reporting/emailing, but the copy ossec makes for
> the diff, so tweaking the rules is not a solution.
>
> I would not mind being notified about the sensitive files changing
> (md5/sha1, owner/group or permissions), but not about content changes; I do
> want the changes in /etc as diffs.
>
> There is also another thing that is not clear (and I was not able to test
> it for now): I remember reading that even for ignored files, syscheck still
> makes the necessary computations, but just ignores the outcome. Does that
> mean that if in the end I set the whole folder to be ignored, on the first
> ossec run those files will still be copied?
>
> I was also thinking about adding a new directories entry below the /etc one,
> like this:
> <directories check_all="yes" report_changes="no">/etc/SOMEDIR</directories>
> Has anyone used this setup? Would it work? (The manual says nothing on
> subfolders with a different monitoring setup from the parent folder.)

That's a bad idea. It'll try to do the checks on the files twice and confuse things.

> Thank you for your time.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
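Added example (not from the thread or from OSSEC's code): the core of the question is what OSSEC's simple "sregex" matcher can and cannot express for an <ignore> entry. The snippet below re-implements the documented sregex semantics in Python (literal text, `|` as OR between alternatives, a leading `^` anchoring an alternative to the start of the path, a trailing `$` anchoring it to the end, and a leading `!` negating the whole pattern; the whole-pattern scope of `!` is my reading of the syntax) and runs a few candidate <ignore> patterns over a constructed set of paths. It also shows what the regex the poster wanted, `^/etc/SOMEDIR/\.+.data$`, would select, translated to Python's re on the assumption that in OSSEC regex syntax `\.` means "any character" and a bare `.` is a literal dot. The path names are made up for the illustration; SOMEDIR is the placeholder from the post.

```python
"""Illustrate OSSEC-style sregex matching for syscheck <ignore> entries.

Added example: not OSSEC code and not from the mailing-list thread. Semantics
implemented here follow OSSEC's documented simple matcher ("sregex"):
  - '|'  separates alternatives (OR)
  - '^'  at the start of an alternative anchors it to the beginning of the text
  - '$'  at the end of an alternative anchors it to the end of the text
  - '!'  at the very start negates the whole pattern (my reading of the syntax)
There is no AND, so "starts with X AND ends with Y" cannot be written unless
X+Y is the entire string.
"""
import re
from typing import List

# Constructed sample paths, not taken from any real system.
SAMPLE_PATHS = [
    "/etc/SOMEDIR/node01.data",      # sensitive, should not be diffed
    "/etc/SOMEDIR/sub/node02.data",  # sensitive, below SOMEDIR, same
    "/etc/SOMEDIR/README",           # in SOMEDIR but not .data: poster wants diffs
    "/etc/ssh/sshd_config",          # must stay fully monitored
    "/etc/backup/old.data",          # .data but outside SOMEDIR: must stay monitored
]


def sregex_match(pattern: str, text: str) -> bool:
    """Return True if `text` matches the OSSEC-style simple pattern."""
    negate = False
    if pattern.startswith("!"):
        negate = True
        pattern = pattern[1:]

    matched = False
    for alt in pattern.split("|"):
        if not alt:
            continue
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        start = 1 if anchored_start else 0
        end = len(alt) - 1 if anchored_end else len(alt)
        literal = alt[start:end]
        if anchored_start and anchored_end:
            ok = text == literal            # ^...$ is an exact match
        elif anchored_start:
            ok = text.startswith(literal)
        elif anchored_end:
            ok = text.endswith(literal)
        else:
            ok = literal in text            # plain substring match
        if ok:
            matched = True
            break
    return matched != negate


def ignored_paths(pattern: str, paths: List[str]) -> List[str]:
    """Paths that a given <ignore> sregex pattern would match."""
    return [p for p in paths if sregex_match(pattern, p)]


# Poster's intended OSSEC regex  ^/etc/SOMEDIR/\.+.data$  translated to Python re
# (assumption: OSSEC '\.' = any character, bare '.' = literal dot).
WANTED_RE = re.compile(r"^/etc/SOMEDIR/.+\.data$")


def wanted_regex_paths(paths: List[str]) -> List[str]:
    """Paths the poster actually wants excluded from diffing."""
    return [p for p in paths if WANTED_RE.search(p)]


if __name__ == "__main__":
    for pat in ["^/etc/SOMEDIR/|.data$", "^/etc/SOMEDIR/", "^/etc/SOMEDIR/node01.data$"]:
        print(f"<ignore type=\"sregex\">{pat}</ignore> ->", ignored_paths(pat, SAMPLE_PATHS))
    print("wanted (regex):", wanted_regex_paths(SAMPLE_PATHS))
```

Running it shows the gap the poster hit: `^/etc/SOMEDIR/|.data$` is an OR and also drops /etc/SOMEDIR/README and /etc/backup/old.data from monitoring; `^/etc/SOMEDIR/` is the tightest sregex that still covers every file at or below the directory, at the cost of README; the exact form `^/etc/SOMEDIR/node01.data$` is one entry per file, which is what the post says is unworkable for hundreds of generated files.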
