On Wed, Oct 5, 2016 at 2:30 AM, Kumar G <[email protected]> wrote:
> Hi Dan,
>
> What would be the syscheck db file size we have to watch for or how often we
> should clear the syscheck files on ossec servers?
>

I've never run into any issues with it, just kind of a guess. Most of my
installs don't last long enough to run into issues like that, due to testing
and whatnot.

>
> Thanks
> Kumar
>
> On 3 October 2016 at 17:18, dan (ddp) <[email protected]> wrote:
>>
>> On Fri, Sep 30, 2016 at 4:40 PM, David <[email protected]> wrote:
>> >
>> > Greetings --
>> >
>> > I see frequent occasions where new or changed files seem to be reported
>> > by syscheck days, weeks, or even months after they were known to be
>> > added or modified.
>> >
>> > As an example, this is from the ossec server's alert log on Sept. 25:
>> >
>> > ** Alert 1474812143.8448019: mail - ossec, syscheck,
>> > 2016 Sep 25 07:02:23 (sampleclient) 172.21.255.143->syscheck
>> > Rule: 554 (level 10) -> 'File added to the system.'
>> > New file '/usr/lib/klibc/bin/cpio' added to the file system.
>> >
>> > Yet this file was present at least as far back as May 18. This is from
>> > samplehost:
>> >
>> > $ dpkg -S /usr/lib/klibc/bin/cpio
>> > klibc-utils: /usr/lib/klibc/bin/cpio
>> >
>> > $ zgrep -h -B2 klibc-utils /var/log/apt/history.log*
>> > Start-Date: 2016-05-18 10:58:30
>> > Commandline: /usr/bin/apt-get -y -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold dist-upgrade
>> > Upgrade: libnl-genl-3-200:amd64 (3.2.21-1, 3.2.21-1ubuntu1.1), libnl-3-200:amd64 (3.2.21-1, 3.2.21-1ubuntu1.1), klibc-utils:amd64 (2.0.3-0ubuntu1, 2.0.3-0ubuntu1.14.04.1), lsb-base:amd64 (4.1+Debian11ubuntu6, 4.1+Debian11ubuntu6.1), lsb-release:amd64 (4.1+Debian11ubuntu6, 4.1+Debian11ubuntu6.1), libklibc:amd64 (2.0.3-0ubuntu1, 2.0.3-0ubuntu1.14.04.1)
>> >
>> > $ stat /usr/lib/klibc/bin/cpio
>> >   File: /usr/lib/klibc/bin/cpio
>> >   Size: 5168       Blocks: 16         IO Block: 4096   regular file
>> > Device: 802h/2050d Inode: 2360114     Links: 1
>> > Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
>> > Access: 2016-09-30 08:33:46.193812724 -0700
>> > Modify: 2016-04-27 21:27:30.000000000 -0700
>> > Change: 2016-05-18 10:58:33.066735324 -0700
>> >  Birth: -
>> >
>> > Below are the syscheck-related configurations on the server side which
>> > affect /usr on the client:
>> >
>> > <syscheck>
>> >   <!-- global options -->
>> >   <auto_ignore>no</auto_ignore>
>> >   <alert_new_files>yes</alert_new_files>
>> >
>> >   <!-- global exclusions -->
>> >   <ignore>/etc/mtab</ignore>
>> >   <ignore>/etc/blkid.tab</ignore>
>> > </syscheck>
>> >
>> > And here are the relevant client-side directives:
>> >
>> > <syscheck>
>> >   <!-- Frequency in seconds that syscheck is executed -->
>> >   <frequency>43200</frequency>
>> >
>> >   <directories
>> >     realtime="no"
>> >     check_md5sum="no"
>> >     check_sha1sum="yes"
>> >     check_size="yes"
>> >     check_owner="yes"
>> >     check_group="yes"
>> >     check_perm="yes">/bin,/boot,/lib,/lib64,/opt,/sbin,/srv,/usr</directories>
>> > </syscheck>
>> >
>> > I did a spot check of ossec.log on this client (and others), and
>> > syscheck is taking about 3 hours to run, which is well within the
>> > specified frequency:
>> >
>> > 2016/09/25 06:28:55 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> > 2016/09/25 06:28:55 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> > 2016/09/25 09:38:29 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> > 2016/09/25 21:39:02 ossec-syscheckd: INFO: Starting syscheck scan.
>> > 2016/09/26 00:48:32 ossec-syscheckd: INFO: Ending syscheck scan
>> >
>> > If there's something obvious that I screwed up or overlooked, can anyone
>> > hit me on the head with it?
>> >
>>
>> How large is the syscheck db file for this host? Is it the only system
>> to exhibit this issue?
>> Have you tried clearing this system's syscheckdb file and running a
>> new baseline?
>>
>> > -David
>> >
>> > --
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
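The two checks the thread turns on, scan cadence against <frequency> and how far behind an "added file" alert is relative to the file's ctime, worked as an added example. This is not OSSEC code and not from any poster; it only parses the ossec.log, alert-header and stat lines in the shapes quoted above. The assumption that OSSEC waits <frequency> seconds after a scan ends (so the effective period is scan time plus frequency) is inferred from the quoted timestamps, where the 12-hour gap sits between the end of one scan and the start of the next. The second "slow" log is constructed to show what a finding looks like.

```python
"""Sanity checks for syscheck scan cadence and alert lag (added example)."""
import re
from datetime import datetime

# Quoted from the thread (trimmed to the lines the parsers need).
SAMPLE_OSSEC_LOG = """\
2016/09/25 06:28:55 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/09/25 06:28:55 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2016/09/25 09:38:29 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2016/09/25 21:39:02 ossec-syscheckd: INFO: Starting syscheck scan.
2016/09/26 00:48:32 ossec-syscheckd: INFO: Ending syscheck scan
"""
SAMPLE_ALERT_HEADER = "** Alert 1474812143.8448019: mail - ossec, syscheck,"
SAMPLE_STAT_CHANGE = "Change: 2016-05-18 10:58:33.066735324 -0700"
FREQUENCY_S = 43200  # the poster's <frequency>

# Constructed: an agent whose scans take 13.5 h, longer than <frequency>.
SLOW_OSSEC_LOG = """\
2016/09/25 06:00:00 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/09/25 19:30:00 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2016/09/26 07:30:00 ossec-syscheckd: INFO: Starting syscheck scan.
2016/09/26 21:00:00 ossec-syscheckd: INFO: Ending syscheck scan.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: "
    r"(?P<event>Starting|Ending) syscheck scan\b"
)
ALERT_RE = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.\d+:")
CHANGE_RE = re.compile(
    r"^\s*Change:\s+(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(?P<tz>[+-]\d{4})"
)


def parse_scans(log_text):
    """Pair 'Starting syscheck scan' / 'Ending syscheck scan' lines into
    (start, end) datetimes. The '(pre-scan)' database line does not match
    and is skipped."""
    scans, start = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        if m.group("event") == "Starting":
            start = ts
        elif start is not None:
            scans.append((start, ts))
            start = None
    return scans


def scan_report(scans, frequency_s, tolerance=0.05):
    """Durations, idle gaps (end -> next start) and effective periods
    (start -> next start). A finding is raised when a scan outlasts
    <frequency> or the idle gap deviates from <frequency> by > tolerance
    (agent restarted, clock jump, scan stuck)."""
    durations = [(end - start).total_seconds() for start, end in scans]
    idle_gaps = [(nxt[0] - cur[1]).total_seconds() for cur, nxt in zip(scans, scans[1:])]
    periods = [(nxt[0] - cur[0]).total_seconds() for cur, nxt in zip(scans, scans[1:])]
    findings = []
    for (start, _), d in zip(scans, durations):
        if d > frequency_s:
            findings.append(f"scan started {start} ran {d:.0f}s, longer than frequency {frequency_s}s")
    for (_, end), gap in zip(scans, idle_gaps):
        if abs(gap - frequency_s) > tolerance * frequency_s:
            findings.append(f"idle gap after {end} was {gap:.0f}s, expected about {frequency_s}s")
    return {"durations": durations, "idle_gaps": idle_gaps, "periods": periods, "findings": findings}


def alert_lag_days(alert_header, stat_change_line):
    """Days between the file's ctime (from stat, with its UTC offset) and the
    alert's epoch timestamp, so the comparison is timezone-safe."""
    alert_epoch = int(ALERT_RE.match(alert_header).group("epoch"))
    m = CHANGE_RE.match(stat_change_line)
    ctime = datetime.strptime(f"{m.group('date')} {m.group('tz')}", "%Y-%m-%d %H:%M:%S %z")
    return (alert_epoch - ctime.timestamp()) / 86400


if __name__ == "__main__":
    for name, log in (("quoted", SAMPLE_OSSEC_LOG), ("constructed slow", SLOW_OSSEC_LOG)):
        r = scan_report(parse_scans(log), FREQUENCY_S)
        print(name, r)
    print(f"alert lag: {alert_lag_days(SAMPLE_ALERT_HEADER, SAMPLE_STAT_CHANGE):.1f} days")
```

For the quoted log the report comes back clean: scans of about 3 h 10 min, a 12 h idle gap, so an effective period of roughly 15 h and no findings, while the alert trails the file's ctime by about 130 days. That is the combination that says the agent's cadence is not the problem, which is why the reply above goes straight to the size of the server-side syscheck db for the host and to clearing it for a fresh baseline.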
