OK, I think that is the issue. With the settings like this:
<scan_time>1am</scan_time>
<frequency>82800</frequency>
<auto_ignore>no</auto_ignore>
<alert_new_files>yes</alert_new_files>
<scan_on_start>no</scan_on_start>
It is not doing the realtime scan until after 1am. I confirmed this today.
When I got in this morning and started editing some files on one of the
servers, I started to get realtime alerts. I quickly checked the log files,
and this is what I see:
2016/08/02 01:00:45 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/08/02 01:07:51 ossec-rootcheck: INFO: Ending rootcheck scan.
2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2016/08/02 03:14:52 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2016/08/02 03:34:28 ossec-syscheckd: INFO: Real time file monitoring started.
Ahhhh, OK....so, it is waiting until the 1am hour, it kicks off the regular
scan, and once completed, then enables the realtime scan. OK, not really
what we want, but at least we are onto something. What we want, though, is
nightly scans at a specific time (1am) but realtime scans all the time
24/7. What would be the correct settings for that?
On Tue, Aug 2, 2016 at 8:47 AM, dan (ddp) <[email protected]> wrote:
> On Mon, Aug 1, 2016 at 10:32 AM, Daniel Bray <[email protected]> wrote:
> > Can someone verify that all the proper settings are in place to allow for
> > realtime scans on some directories? We are running CentOS 6 servers (manager
> > and agents/clients), and we use the Atomic install method.
> >
> > Here is the latest available Atomic version installed (also noted inotify is
> > installed)
> > $ rpm -qa | egrep "inotify|ossec"
> > ossec-hids-2.8.3-53.el6.art.x86_64
> > inotify-tools-3.14-1.el6.x86_64
> > ossec-hids-client-2.8.3-53.el6.art.x86_64
> >
> >
> > Here is the important part of /var/ossec/etc/shared/agent.conf
> > <agent_config os="Linux">
> > <syscheck>
> > <scan_time>1am</scan_time>
> > <frequency>82800</frequency>
> > <auto_ignore>no</auto_ignore>
> > <alert_new_files>yes</alert_new_files>
> > <scan_on_start>no</scan_on_start>
> >
> > <!-- Directories to check (perform all possible verifications) -->
> > <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
> > <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/root,/var/named,/var/www</directories>
> > ...
> >
> > Here is the agent /var/ossec/etc/ossec.conf file
> > <ossec_config>
> > <client>
> > <server-ip>10.10.10.10</server-ip>
> > </client>
> > </ossec_config>
> >
> > The above exists on all our agents/clients.
> >
> > On the manager, it pretty much matches up exactly, with the exception that
> > the server is installed, and not the client:
> > $ rpm -qa | egrep "inotify|ossec"
> > inotify-tools-3.14-1.el6.x86_64
> > ossec-hids-server-2.8.3-53.el6.art.x86_64
> > ossec-hids-2.8.3-53.el6.art.x86_64
> >
> >
> > I have gone in and updated all servers (yum -y update) and rebooted to the
> > latest kernel available on CentOS 6. I've waited a few days for the normal
> > scans to complete, and I am seeing alerts for nightly changed files.
> > However, when I run a test on a file that exists in /root or /etc, I never
> > get alerted. The test is simply
> > $ sudo vim /etc/hosts.allow
> > ...and I add/remove some entries, and :wq out for the update.
> >
> > After a clean update and reboot, here are the relevant log entries:
> > 2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
> > 2016/08/01 14:25:13 ossec-rootcheck: DEBUG: Starting ...
> > 2016/08/01 14:25:13 ossec-rootcheck: Starting queue ...
> > 2016/08/01 14:25:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
> > 2016/08/01 10:25:14 ossec-agentd(4102): INFO: Connected to the server (10.10.10.10:1514).
> > 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> > 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> > 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> > 2016/08/01 14:25:19 ossec-logcollector: INFO: Started (pid: 2120).
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
> > 2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'.
> > 2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0
> >
> >
> >
> > Is there anything obvious that I'm missing in the configs?
> >
>
> Not that I can see.
> I just checked, and realtime works with my setup. However, I'm not
> running Centos 6, I'm using 2.9rc2, and I don't have the scan_time
> option set (trying that now).
>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
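The thread's finding is that realtime monitoring only became active after the scheduled scan finished, leaving a blind window of several hours after every agent restart. The following script is an added example (not from the thread and not OSSEC code) that parses ossec.log lines in the format quoted above and measures that window; the sample lines are constructed from the timestamps posted in the thread.

```python
"""Measure the realtime blind window of ossec-syscheckd from ossec.log.
Added example, not part of the thread or of OSSEC: it parses log lines in the
format quoted above and reports the time between syscheckd starting and
'Real time file monitoring started'. Sample lines are constructed from the thread.
"""
import re
from datetime import datetime

# "YYYY/MM/DD HH:MM:SS daemon[(pid)]: message", as in the posted logs.
LOG_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ([\w-]+)(?:\(\d+\))?: (.*)$")

# Constructed sample: agent start on Aug 1, scheduled scan and realtime start on Aug 2.
SAMPLE_LOG = """\
2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/08/02 03:14:52 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2016/08/02 03:34:28 ossec-syscheckd: INFO: Real time file monitoring started.
"""

def parse_events(lines):
    """Yield (timestamp, daemon, message) for each line matching LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            yield datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2), m.group(3)

def realtime_gap(lines):
    """Summarise realtime coverage for the most recent syscheckd lifetime."""
    started = realtime_started = None
    realtime_dirs = []
    for ts, daemon, msg in parse_events(lines):
        if daemon != "ossec-syscheckd":
            continue
        if "INFO: Started" in msg:  # daemon (re)started: begin a new lifetime
            started, realtime_started, realtime_dirs = ts, None, []
        elif "Directory set for real time monitoring" in msg:
            realtime_dirs.append(re.search(r"'([^']+)'", msg).group(1))
        elif "Real time file monitoring started" in msg and realtime_started is None:
            realtime_started = ts
    gap = None
    if started is not None and realtime_started is not None:
        gap = int((realtime_started - started).total_seconds())
    return {"syscheck_started": started, "realtime_started": realtime_started,
            "realtime_dirs": realtime_dirs, "gap_seconds": gap,
            # dirs configured for realtime but no 'started' line yet => blind window open
            "realtime_active": bool(realtime_dirs) and realtime_started is not None}
```

Run against a live /var/ossec/logs/ossec.log, `realtime_active` being False while `realtime_dirs` is non-empty is the condition the thread describes: directories are configured for realtime, but edits in them will not alert yet.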