OSSEC-2.8.3 on Ubuntu 16.04

One OSSEC server with multiple agents.

/var/ossec/etc/ossec.conf on an agent:

#################
<ossec_config>
  <client>
    <server-ip>X.Y.Z.K</server-ip>
  </client>
</ossec_config>
#################

/var/ossec/etc/shared/agent.conf on the server (and it's matched 
by /var/ossec/etc/shared/agent.conf on all agents):

##############################
<agent_config os="linux">
  <syscheck>
    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- files we don't watch/ignore -->
    <frequency>7200</frequency>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/etc/rc*.d/*our-api</ignore>
    <ignore>/etc/init.d/our-api</ignore>
    <ignore>/dev/.blkid.tab</ignore>
    <ignore>/dev/.blkid.tab.old</ignore>
  </syscheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/messages</location>
  </localfile>
  <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/syslog</location>
  </localfile>
  <localfile>
     <log_format>apache</log_format>
     <location>/var/log/nginx/access.log</location>
  </localfile>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

</agent_config>
##############################

So /etc/init.d/our-api is in the ignore list, I added it there earlier 
today. However, I just got an alert from multiple agents, after that file 
had changed after a deploy:

#####################
OSSEC HIDS Notification.
2016 Nov 23 21:25:49

Received From: (api-p1-front-012) any->syscheck
Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
Portion of the log(s):

Integrity checksum changed for: '/etc/init.d/our-api'
#####################

What is going on? It looks like adding a file to the ignore list does not 
exempt it from being flagged by the rules. If so, how do I truly ignore a 
given file everywhere?
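An added triage helper, not part of the original post and not OSSEC's own code: it parses the `<syscheck><ignore>` entries out of an agent.conf and checks each path named in a syscheck alert against them, so you can tell whether the alert is expected or whether the ignore entry simply does not cover the path. It encodes one assumption about OSSEC's matching: a plain `<ignore>` entry is compared as a literal path prefix, and only an entry with `type="sregex"` is treated as a pattern (so a plain entry containing `*` is not expanded as a glob). The agent.conf and alert text below are constructed, modeled on the ones quoted above, and the sregex handling is an approximation using Python's `re` rather than OSSEC's own regex engine.

```python
"""Check paths from an OSSEC syscheck alert against agent.conf <ignore> entries.

Assumption (not from the post): plain <ignore> entries match as literal path
prefixes; entries with type="sregex" are patterns, approximated here with re.
"""
import re
import xml.etree.ElementTree as ET

# Constructed agent.conf modeled on the post's file (not the real one).
AGENT_CONF = """<agent_config os="linux">
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/rc*.d/*our-api</ignore>
    <ignore>/etc/init.d/our-api</ignore>
    <ignore type="sregex">\\.swp$</ignore>
  </syscheck>
</agent_config>"""

# Constructed alert lines in the shape of the notification quoted in the post.
ALERT = """Integrity checksum changed for: '/etc/init.d/our-api'
Integrity checksum changed for: '/etc/rc2.d/S20our-api'
Integrity checksum changed for: '/etc/nginx/nginx.conf'"""

ALERT_RE = re.compile(r"Integrity checksum changed for: '([^']+)'")


def load_ignores(conf_xml, os_name="linux"):
    """Return [(entry, is_sregex)] from every <agent_config> block whose os
    attribute is absent or equals os_name (agent.conf may hold several)."""
    # agent.conf can have several top-level blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    ignores = []
    for block in root.iter("agent_config"):
        if block.get("os") not in (None, os_name):
            continue
        for ign in block.iter("ignore"):
            ignores.append((ign.text.strip(), ign.get("type") == "sregex"))
    return ignores


def matching_ignore(path, ignores):
    """Return the first ignore entry that covers path, or None."""
    for entry, is_sregex in ignores:
        if is_sregex:
            if re.search(entry, path):
                return entry
        elif path.startswith(entry):  # plain entries are literal prefixes
            return entry
    return None


def triage(alert_text, conf_xml, os_name="linux"):
    """Map each alerted path to the ignore entry that should have covered it.
    A value of None means no entry matches, i.e. the alert is expected."""
    ignores = load_ignores(conf_xml, os_name)
    return {p: matching_ignore(p, ignores) for p in ALERT_RE.findall(alert_text)}


if __name__ == "__main__":
    for path, entry in triage(ALERT, AGENT_CONF).items():
        status = f"covered by <ignore>{entry}</ignore>" if entry else "NOT ignored"
        print(f"{path}: {status}")
```

Run against the constructed input, `/etc/init.d/our-api` is reported as covered by its literal entry, while `/etc/rc2.d/S20our-api` is not, because the wildcard entry is compared as a prefix rather than expanded. When a path is reported as covered but an agent still raised the alert, the configuration the script read is not the configuration that agent is running with, so the next thing to verify is that the agent's copy of agent.conf matches the server's and that syscheckd on that agent was restarted after the change.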
