On Tue, Aug 2, 2016 at 8:55 AM, Daniel Bray <[email protected]> wrote:
> OK, I think that is the issue. With the settings like this:
>
> <scan_time>1am</scan_time>
> <frequency>82800</frequency>
> <auto_ignore>no</auto_ignore>
> <alert_new_files>yes</alert_new_files>
> <scan_on_start>no</scan_on_start>
>
> It is not doing the realtime scan until after 1am. I confirmed this today.
> When I got in this morning and started editing some files on one of the
> servers, I started to get realtime alerts. I quickly checked the log files,
> and this is what I see:
>
> 2016/08/02 01:00:45 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2016/08/02 01:07:51 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2016/08/02 03:14:52 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2016/08/02 03:34:28 ossec-syscheckd: INFO: Real time file monitoring started.
>
> Ahhhh, OK....so, it is waiting until the 1am hour, it kicks off the regular
> scan, and once completed, then enables the realtime scan. OK, not really
> what we want, but at least we are onto something. What we want, though, is
> nightly scans at a specific time (1am) but realtime scans all the time 24/7.
> What would be the correct settings for that?
>
If what you have doesn't work, I'm not sure there are correct settings to do
it. You could probably set up cron to kick off a scan every morning at 1, but
I don't think there's currently a way to do it in the config.

>
> On Tue, Aug 2, 2016 at 8:47 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Mon, Aug 1, 2016 at 10:32 AM, Daniel Bray <[email protected]> wrote:
>> > Can someone verify that all the proper settings are in place to allow
>> > for realtime scans on some directories? We are running CentOS 6 servers
>> > (manager and agents/clients), and we use the Atomic install method.
>> >
>> > Here is the latest available Atomic version installed (also noted
>> > inotify is installed)
>> > $ rpm -qa | egrep "inotify|ossec"
>> > ossec-hids-2.8.3-53.el6.art.x86_64
>> > inotify-tools-3.14-1.el6.x86_64
>> > ossec-hids-client-2.8.3-53.el6.art.x86_64
>> >
>> >
>> > Here is the important part of /var/ossec/etc/shared/agent.conf
>> > <agent_config os="Linux">
>> > <syscheck>
>> > <scan_time>1am</scan_time>
>> > <frequency>82800</frequency>
>> > <auto_ignore>no</auto_ignore>
>> > <alert_new_files>yes</alert_new_files>
>> > <scan_on_start>no</scan_on_start>
>> >
>> > <!-- Directories to check (perform all possible verifications) -->
>> > <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
>> > <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/root,/var/named,/var/www</directories>
>> > ...
>> >
>> > Here is the agent /var/ossec/etc/ossec.conf file
>> > <ossec_config>
>> > <client>
>> > <server-ip>10.10.10.10</server-ip>
>> > </client>
>> > </ossec_config>
>> >
>> > The above exists on all our agents/clients.
>> >
>> > On the manager, it pretty much matches up exactly, with the exception
>> > that the server is installed, and not the client:
>> > $ rpm -qa | egrep "inotify|ossec"
>> > inotify-tools-3.14-1.el6.x86_64
>> > ossec-hids-server-2.8.3-53.el6.art.x86_64
>> > ossec-hids-2.8.3-53.el6.art.x86_64
>> >
>> >
>> > I have gone in and updated all servers (yum -y update) and rebooted to
>> > the latest kernel available on CentOS 6. I've waited a few days for the
>> > normal scans to complete, and I am seeing alerts for nightly changed
>> > files. However, when I run a test on a file that exists in /root or
>> > /etc, I never get alerted. The test is simply
>> > $ sudo vim /etc/hosts.allow
>> > ...and I add/remove some entries, and :wq out for the update.
>> >
>> > After a clean update and reboot, here are the relevant log entries:
>> > 2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
>> > 2016/08/01 14:25:13 ossec-rootcheck: DEBUG: Starting ...
>> > 2016/08/01 14:25:13 ossec-rootcheck: Starting queue ...
>> > 2016/08/01 14:25:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
>> > 2016/08/01 10:25:14 ossec-agentd(4102): INFO: Connected to the server (10.10.10.10:1514).
>> > 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> > 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> > 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> > 2016/08/01 14:25:19 ossec-logcollector: INFO: Started (pid: 2120).
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
>> > 2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
>> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'.
>> > 2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0
>> >
>> >
>> >
>> > Is there anything obvious that I'm missing in the configs?
>> >
>>
>> Not that I can see.
>> I just checked, and realtime works with my setup. However, I'm not
>> running CentOS 6, I'm using 2.9rc2, and I don't have the scan_time
>> option set (trying that now).
>>
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
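A check for the symptom in Daniel's log, as an added example that is not code from the thread or from OSSEC: a POSIX shell script that measures how long after the scheduled syscheck scan starts the agent reports "Real time file monitoring started", run over the quoted log lines as constructed input. The cron line in the comment spells out dan's suggestion using OSSEC's agent_control -r -a; the 300-second threshold is an arbitrary choice, and the timestamp arithmetic assumes all entries fall within one calendar month.

```shell
#!/bin/sh
# Added example (not from the thread): how far behind the scan_time-driven
# scan does realtime monitoring actually come up? Hours, in the log above.

# Constructed sample: the lines Daniel quoted, one entry per line.
SAMPLE_LOG='2016/08/02 01:00:45 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2016/08/02 03:14:52 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2016/08/02 03:34:28 ossec-syscheckd: INFO: Real time file monitoring started.'

# realtime_delay LOGFILE: seconds between the first "Starting syscheck scan"
# line and the first "Real time file monitoring started" line, or "none" if
# realtime never came up. Timestamps are compared via a day-of-month ordinal
# (assumption: one calendar month) to stay portable across GNU/BSD date.
realtime_delay() {
    awk '
        function secs(d, t,   a, b) {
            split(d, a, "/"); split(t, b, ":")
            return ((a[3] * 24 + b[1]) * 60 + b[2]) * 60 + b[3]
        }
        /ossec-syscheckd: INFO: Starting syscheck scan/ && !start { start = secs($1, $2) }
        /ossec-syscheckd: INFO: Real time file monitoring started/ && !rt { rt = secs($1, $2) }
        END { if (!start || !rt) print "none"; else print rt - start }
    ' "$1"
}

# assess_delay SECONDS|none: turn the number into an operator-facing verdict.
assess_delay() {
    case "$1" in
        none) echo "realtime never started: check inotify and the realtime=\"yes\" directories" ;;
        *) if [ "$1" -gt 300 ]; then
               echo "realtime delayed ${1}s behind the scheduled scan: drop <scan_time> and drive nightly scans from cron"
           else
               echo "realtime started ${1}s after the scan: ok"
           fi ;;
    esac
}

# dan's cron alternative, installed on the manager instead of <scan_time>
# in agent.conf (agent_control -r -a tells every agent to scan now):
#   0 1 * * * /var/ossec/bin/agent_control -r -a

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
delay=$(realtime_delay "$tmp")
echo "delay: $delay"        # 8757 for the sample (2h25m57s)
assess_delay "$delay"
rm -f "$tmp"
```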
