Can someone verify that all the proper settings are in place to allow for 
realtime scans on some directories? We are running CentOS 6 servers 
(manager and agents/clients), and we use the Atomic install method.

Here is the latest available Atomic version installed (note that inotify 
is also installed):
$ rpm -qa | egrep "inotify|ossec"
ossec-hids-2.8.3-53.el6.art.x86_64
inotify-tools-3.14-1.el6.x86_64
ossec-hids-client-2.8.3-53.el6.art.x86_64


Here is the important part of /var/ossec/etc/shared/agent.conf
<agent_config os="Linux">
  <syscheck>
    <scan_time>1am</scan_time>
    <frequency>82800</frequency>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>no</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/root,/var/named,/var/www</directories>
...

Here is the agent /var/ossec/etc/ossec.conf file
<ossec_config>
  <client>
    <server-ip>10.10.10.10</server-ip>
  </client>
</ossec_config>

The above exists on all our agents/clients. 

On the manager, it pretty much matches up exactly, with the exception that 
the server is installed, and not the client:
$  rpm -qa | egrep "inotify|ossec"
inotify-tools-3.14-1.el6.x86_64
ossec-hids-server-2.8.3-53.el6.art.x86_64
ossec-hids-2.8.3-53.el6.art.x86_64


I have gone in and updated all servers (yum -y update) and rebooted to the 
latest kernel available on CentOS 6. I've waited a few days for the normal 
scans to complete, and I am seeing alerts for nightly changed files. 
However, when I run a test on a file that exists in /root or /etc, I never 
get alerted. The test is simply
$ sudo vim /etc/hosts.allow
...and I add/remove some entries, and :wq out for the update.

After a clean update and reboot, here are the relevant log entries:
2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
2016/08/01 14:25:13 ossec-rootcheck: DEBUG: Starting ...
2016/08/01 14:25:13 ossec-rootcheck: Starting queue ...
2016/08/01 14:25:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
2016/08/01 10:25:14 ossec-agentd(4102): INFO: Connected to the server (10.10.10.10:1514).
2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2016/08/01 14:25:19 ossec-logcollector: INFO: Started (pid: 2120).
2016/08/01 14:25:19 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'.
2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0

Is there anything obvious that I'm missing in the configs?
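An added example, not part of the post and not OSSEC project code: a small Python check that cross-references the `realtime="yes"` directories in a syscheck `<directories>` configuration against the "Directory set for real time monitoring" lines that ossec-syscheckd writes to ossec.log at startup, and reports any configured realtime directory the daemon never armed. The config fragment is adapted from the post and closed so it parses on its own; the log sample is constructed from the post's lines with the mail wrapping undone and the `/var/www` realtime line deliberately omitted so the check has something to report. The inotify limit helper reads the real kernel sysctl `/proc/sys/fs/inotify/max_user_watches` and returns `None` when it is not available.

```python
"""Cross-check which OSSEC syscheck directories actually came up in realtime mode.

Added example (not from the post or the OSSEC project). It compares the
<directories realtime="yes"> entries of an agent.conf fragment with the
"Directory set for real time monitoring" lines ossec-syscheckd logs at
startup, so an agent whose realtime watches silently failed shows up as a
configuration gap rather than as a mystery of missing alerts.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <directories> part of the agent.conf from the post,
# closed so that it parses as a standalone XML document.
AGENT_CONF = """<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/root,/var/named,/var/www</directories>
  </syscheck>
</agent_config>
"""

# Constructed sample log, modelled on the post's ossec.log with the mail
# wrapping undone and the '/var/www' realtime line deliberately left out to
# show what a directory that never got armed looks like to this check.
OSSEC_LOG = """2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0
"""

# Message formats taken from the log lines quoted in the post.
REALTIME_LINE = re.compile(
    r"ossec-syscheckd: INFO: Directory set for real time monitoring: '([^']+)'\."
)
MONITORED_LINE = re.compile(r"ossec-syscheckd: INFO: Monitoring directory: '([^']+)'\.")


def configured_dirs(xml_text):
    """Return (all_monitored, realtime) directory sets from a syscheck config."""
    root = ET.fromstring(xml_text)
    monitored, realtime = set(), set()
    for elem in root.iter("directories"):
        paths = {p.strip() for p in (elem.text or "").split(",") if p.strip()}
        monitored |= paths
        if elem.get("realtime", "no").lower() == "yes":
            realtime |= paths
    return monitored, realtime


def logged_dirs(log_text):
    """Return (monitored, realtime) directory sets reported by ossec-syscheckd."""
    return set(MONITORED_LINE.findall(log_text)), set(REALTIME_LINE.findall(log_text))


def realtime_gaps(xml_text, log_text):
    """Directories configured with realtime="yes" that syscheckd never armed."""
    _, want_rt = configured_dirs(xml_text)
    _, got_rt = logged_dirs(log_text)
    return sorted(want_rt - got_rt)


def inotify_watch_limit(path="/proc/sys/fs/inotify/max_user_watches"):
    """Kernel per-user inotify watch limit, or None when /proc is unavailable.

    Each directory syscheck adds a watch on counts against this limit; once
    it is exhausted, inotify_add_watch() fails with ENOSPC and that directory
    gets no realtime events even though it is configured for them.
    """
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    gaps = realtime_gaps(AGENT_CONF, OSSEC_LOG)
    print("realtime dirs not armed:", gaps or "none")
    print("inotify max_user_watches:", inotify_watch_limit())
```

On a live agent, replace the two constructed strings with the contents of `/var/ossec/etc/shared/agent.conf` and `/var/ossec/logs/ossec.log` from the most recent restart; an empty gap list (as in the post's own log, where all four directories are armed) means the realtime setup itself is in place and the investigation moves elsewhere.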

