Dan,
Really appreciate your help and attention to this. I guess I will just have
to drop the idea of "nightly scans", and go with something like this:
<frequency>28800</frequency> <!-- every 8 hours -->
<auto_ignore>no</auto_ignore>
<alert_new_files>yes</alert_new_files>
<scan_on_start>yes</scan_on_start>
This should force the scan on start, and thereby force the realtime scan to
kick in soon after that completes. Then, just run regular scans every 8
hours (28800 seconds). That should be a good enough approach, and keep
things scanned regularly and monitored. Honestly, that gives more of a 24/7
feel anyway.
Thanks again, at least now we know.
On Tue, Aug 2, 2016 at 9:01 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Aug 2, 2016 at 8:55 AM, Daniel Bray <[email protected]> wrote:
> > OK, I think that is the issue. With the settings like this:
> >
> > <scan_time>1am</scan_time>
> > <frequency>82800</frequency>
> > <auto_ignore>no</auto_ignore>
> > <alert_new_files>yes</alert_new_files>
> > <scan_on_start>no</scan_on_start>
> >
> > It is not doing the realtime scan until after 1am. I confirmed this today.
> > When I got in this morning and started editing some files on one of the
> > servers, I started to get realtime alerts. I quickly checked the log files,
> > and this is what I see:
> >
> > 2016/08/02 01:00:45 ossec-rootcheck: INFO: Starting rootcheck scan.
> > 2016/08/02 01:07:51 ossec-rootcheck: INFO: Ending rootcheck scan.
> > 2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> > 2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> > 2016/08/02 03:14:52 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> > 2016/08/02 03:34:28 ossec-syscheckd: INFO: Real time file monitoring started.
> >
> > Ahhhh, OK....so, it is waiting until the 1am hour, it kicks off the regular
> > scan, and once completed, then enables the realtime scan. OK, not really
> > what we want, but at least we are onto something. What we want, though, is
> > nightly scans at a specific time (1am) but realtime scans all the time 24/7.
> > What would be the correct settings for that?
> >
>
> If what you have doesn't work, I'm not sure there are correct settings to
> do it.
>
> You could probably setup cron to kick off a scan every morning at 1,
> but I don't think there's currently a way to do it in the config.
>
> >
> > On Tue, Aug 2, 2016 at 8:47 AM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Mon, Aug 1, 2016 at 10:32 AM, Daniel Bray <[email protected]> wrote:
> >> > Can someone verify that all the proper settings are in place to allow for
> >> > realtime scans on some directories? We are running CentOS 6 servers (manager
> >> > and agents/clients), and we use the Atomic install method.
> >> >
> >> > Here is the latest available Atomic version installed (also noted inotify is
> >> > installed)
> >> > $ rpm -qa | egrep "inotify|ossec"
> >> > ossec-hids-2.8.3-53.el6.art.x86_64
> >> > inotify-tools-3.14-1.el6.x86_64
> >> > ossec-hids-client-2.8.3-53.el6.art.x86_64
> >> >
> >> >
> >> > Here is the important part of /var/ossec/etc/shared/agent.conf
> >> > <agent_config os="Linux">
> >> > <syscheck>
> >> > <scan_time>1am</scan_time>
> >> > <frequency>82800</frequency>
> >> > <auto_ignore>no</auto_ignore>
> >> > <alert_new_files>yes</alert_new_files>
> >> > <scan_on_start>no</scan_on_start>
> >> >
> >> > <!-- Directories to check (perform all possible verifications) -->
> >> > <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
> >> > <directories check_all="yes" report_changes="yes"
> >> > realtime="yes">/etc,/root,/var/named,/var/www</directories>
> >> > ...
> >> >
> >> > Here is the agent /var/ossec/etc/ossec.conf file
> >> > <ossec_config>
> >> > <client>
> >> > <server-ip>10.10.10.10</server-ip>
> >> > </client>
> >> > </ossec_config>
> >> >
> >> > The above exists on all our agents/clients.
> >> >
> >> > On the manager, it pretty much matches up exactly, with the exception that
> >> > the server is installed, and not the client:
> >> > $ rpm -qa | egrep "inotify|ossec"
> >> > inotify-tools-3.14-1.el6.x86_64
> >> > ossec-hids-server-2.8.3-53.el6.art.x86_64
> >> > ossec-hids-2.8.3-53.el6.art.x86_64
> >> >
> >> >
> >> > I have gone in and updated all servers (yum -y update) and rebooted to the
> >> > latest kernel available on CentOS 6. I've waited a few days for the normal
> >> > scans to complete, and I am seeing alerts for nightly changed files.
> >> > However, when I run a test on a file that exists in /root or /etc, I never
> >> > get alerted. The test is simply
> >> > $ sudo vim /etc/hosts.allow
> >> > ...and I add/remove some entries, and :wq out for the update.
> >> >
> >> > After a clean update and reboot, here are the relevant log entries:
> >> > 2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
> >> > 2016/08/01 14:25:13 ossec-rootcheck: DEBUG: Starting ...
> >> > 2016/08/01 14:25:13 ossec-rootcheck: Starting queue ...
> >> > 2016/08/01 14:25:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
> >> > 2016/08/01 10:25:14 ossec-agentd(4102): INFO: Connected to the server (10.10.10.10:1514).
> >> > 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> >> > 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> >> > 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> >> > 2016/08/01 14:25:19 ossec-logcollector: INFO: Started (pid: 2120).
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
> >> > 2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
> >> > 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'.
> >> > 2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0
> >> >
> >> >
> >> >
> >> > Is there anything obvious that I'm missing in the configs?
> >> >
> >>
> >> Not that I can see.
> >> I just checked, and realtime works with my setup. However, I'm not
> >> running CentOS 6, I'm using 2.9rc2, and I don't have the scan_time
> >> option set (trying that now).
> >>
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
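As an added example (not code from the thread or from OSSEC itself), here is a small Python check for the two things the thread exposes: the window between syscheckd starting and realtime monitoring actually starting, measured from ossec.log lines in the format quoted above, and an agent.conf syscheck block that combines realtime directories with scan_on_start=no. The log and config samples are constructed, and the behaviour of scan_on_start when the tag is absent (treated as yes) is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the format of the ossec.log lines quoted in the thread.
SAMPLE_LOG = """\
2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
2016/08/02 01:08:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/08/02 03:14:52 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2016/08/02 03:34:28 ossec-syscheckd: INFO: Real time file monitoring started.
"""

# Constructed agent.conf fragment mirroring the settings the thread started with.
SAMPLE_CONF = """\
<agent_config os="Linux">
  <syscheck>
    <scan_time>1am</scan_time>
    <frequency>82800</frequency>
    <scan_on_start>no</scan_on_start>
    <directories check_all="yes" realtime="yes">/etc,/root</directories>
  </syscheck>
</agent_config>
"""

LINE_RE = re.compile(r"^(\S+ \S+) ossec-syscheckd: INFO: (.*)$")

def realtime_gap_seconds(log_text):
    """Seconds from syscheckd start to realtime start; None if it never started."""
    started = realtime = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2).startswith("Started (pid") and started is None:
            started = ts
        elif m.group(2).startswith("Real time file monitoring started"):
            realtime = ts
    if started is None or realtime is None:
        return None
    return int((realtime - started).total_seconds())

def audit_syscheck(conf_text):
    """Flag realtime directories combined with scan_on_start=no (realtime waits for the first scan)."""
    sc = ET.fromstring(conf_text).find("syscheck")
    realtime_dirs = [d.text for d in sc.findall("directories") if d.get("realtime") == "yes"]
    # scan_on_start is assumed to default to 'yes' when the tag is absent.
    if realtime_dirs and sc.findtext("scan_on_start", "yes").strip() == "no":
        return ["scan_on_start=no delays realtime on %s" % ",".join(realtime_dirs)]
    return []
```

On the sample log the gap comes out at 47349 seconds, roughly the 13 hours between the agent restart on the afternoon of Aug 1 and the realtime start after the 1am scan on Aug 2.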