Thanks for the info - I'd like to explore what I can actually do with OSSEC
and do my due diligence before exploring other options.
I've spun up the following conf file and am running ossec-analysisd and
ossec-syscheckd only - they seem to be healthy, but I'm not getting anything
in /var/ossec/logs/alerts when I fiddle with stuff in /usr/bin.
Any idea what might be going on? As far as I can tell syscheckd is
configured to realtime monitor /usr/bin (and inotify works on this system),
so my understanding is that I should be getting _something_ logged
somewhere - am I fundamentally misunderstanding something?
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
  <rules>
    <include>rules_config.xml</include>
    <include>ossec_rules.xml</include>
  </rules>
  <syscheck>
    <frequency>72000</frequency>
    <directories realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>
  </syscheck>
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>
  <remote>
    <disabled>yes</disabled>
  </remote>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <!-- Active Response Config -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
Analysisd and syscheckd appear to start up just fine:
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Starting ...
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Found user/group ...
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response initialized ...
2017/03/03 22:06:26 adding rule: rules_config.xml
2017/03/03 22:06:26 adding rule: ossec_rules.xml
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Read configuration ...
2017/03/03 22:06:26 ossec-analysisd: Initializing PF decoder..
2017/03/03 22:06:26 ossec-analysisd: Initializing SonicWall decoder..
2017/03/03 22:06:26 ossec-analysisd: Initializing SymantecWS decoder..
2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder.
2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder.
2017/03/03 22:06:26 ossec-analysisd: INFO: Reading local decoder file.
2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied.
2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied.
2017/03/03 22:06:26 0 : rule:1, level 0, timeout: 0
2017/03/03 22:06:26 1 : rule:600, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:601, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:602, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:603, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:604, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:605, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:606, level 3, timeout: 0
2017/03/03 22:06:26 0 : rule:2, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:3, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:4, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:5, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:6, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:7, level 0, timeout: 0
2017/03/03 22:06:26 1 : rule:500, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:530, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:531, level 7, timeout: 7200
2017/03/03 22:06:26 4 : rule:532, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:533, level 7, timeout: 0
2017/03/03 22:06:26 3 : rule:534, level 1, timeout: 0
2017/03/03 22:06:26 3 : rule:535, level 1, timeout: 0
2017/03/03 22:06:26 2 : rule:593, level 9, timeout: 0
2017/03/03 22:06:26 2 : rule:592, level 8, timeout: 0
2017/03/03 22:06:26 2 : rule:555, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:501, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:502, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:503, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:504, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:591, level 3, timeout: 0
2017/03/03 22:06:26 1 : rule:509, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:510, level 7, timeout: 0
2017/03/03 22:06:26 3 : rule:511, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:515, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:513, level 9, timeout: 0
2017/03/03 22:06:26 3 : rule:512, level 3, timeout: 0
2017/03/03 22:06:26 3 : rule:516, level 3, timeout: 0
2017/03/03 22:06:26 4 : rule:519, level 7, timeout: 0
2017/03/03 22:06:26 3 : rule:514, level 2, timeout: 0
2017/03/03 22:06:26 4 : rule:518, level 9, timeout: 0
2017/03/03 22:06:26 1 : rule:554, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:598, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:700, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:701, level 0, timeout: 0
2017/03/03 22:06:26 1 : rule:580, level 8, timeout: 0
2017/03/03 22:06:26 1 : rule:581, level 8, timeout: 0
2017/03/03 22:06:26 1 : rule:550, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:594, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:551, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:595, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:552, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:596, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:553, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:597, level 5, timeout: 0
2017/03/03 22:06:26 ossec-analysisd: INFO: Total rules enabled: '53'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2017/03/03 22:06:26 ossec-analysisd: INFO: Chrooted to directory: /var/ossec
2017/03/03 22:06:26 ossec-analysisd: INFO: Using user: ossec
2017/03/03 22:06:26 ossec-analysisd: INFO: Started (pid: 1761).
2017/03/03 22:06:26 ossec-analysisd: SyscheckInit completed.
2017/03/03 22:06:26 ossec-analysisd: RootcheckInit completed.
2017/03/03 22:06:26 ossec-analysisd: OS_CreateEventList completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: FTSInit completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Accumulator Init completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response Init completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Startup completed. Waiting for new messages..
2017/03/03 22:06:55 ossec-syscheckd: DEBUG: Starting ...
2017/03/03 22:06:55 syscheckd: Reading Configuration [/var/ossec/etc/ossec.conf]
2017/03/03 22:06:55 rootcheck: DEBUG: Starting ...
2017/03/03 22:06:55 rootcheck: Rootcheck disabled. Exiting.
2017/03/03 22:06:55 ossec-syscheckd: WARN: Rootcheck module disabled.
2017/03/03 22:06:59 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '8388608'.
2017/03/03 22:06:59 ossec-syscheckd: INFO: Started (pid: 1792).
2017/03/03 22:06:59 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/03/03 22:06:59 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
2017/03/03 22:06:59 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
2017/03/03 22:07:11 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2017/03/03 22:08:01 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2017/03/03 22:08:01 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2017/03/03 22:08:01 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2017/03/03 22:08:01 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/bin'.
2017/03/03 22:09:28 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/sbin'.
2017/03/03 22:10:19 ossec-syscheckd: INFO: Real time file monitoring started.
2017/03/03 22:10:19 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2017/03/03 22:10:31 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
If I shuffle stuff around in /usr/bin, I don't see any logs anywhere. How
can I verify that the FIM monitoring is actually working? I see there are
various entries in the syscheck queue for the existing files, but nothing
else.
On Friday, March 3, 2017 at 12:54:10 PM UTC-6, dan (ddpbsd) wrote:
>
> On Fri, Mar 3, 2017 at 7:17 AM, Noilson Caio <[email protected]> wrote:
> > @dan - are there problems if Mr. @Gardner deactivates "ossec-monitord,
> > ossec-logcollector, ossec-analysisd and ossec-execd" in the ossec-control
> > startup script? Maybe he's asking for that. I did try this in the past but I
> > remember that the ossec-syscheckd log showed "queue not accessible error", I
> > guess =]
> >
>
> Yes, there will be issues. ossec-analysisd does the analysis,
> including checking the syscheck hashes. I've been thinking about
> pushing the syscheck hash checking to its own daemon, but haven't done
> any actual work on it. It's basically in the "shower thoughts" stage.
>
> I can't remember off hand whether syscheckd communicates with
> logcollector or some other daemon, but that one is probably necessary.
> You can find out easily by killing logcollector and seeing if syscheck
> complains.
>
> ossec-monitord does stuff. What stuff? I can't remember off hand, but
> basically various tasks required by OSSEC. I'd be wary of disabling
> that one.
>
> execd is safe to remove.
>
> I think if someone only wants FIM capabilities and an extremely
> minimal footprint, OSSEC may not be the package for them. Projects
> like Aide are great at what they do without the fluff.
> But that kind of decision is very project/requirement specific, so
> don't consider this a professional opinion. :-)
>
> > On Thu, Mar 2, 2017 at 4:44 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Thu, Mar 2, 2017 at 2:33 PM, Sam Gardner <[email protected]> wrote:
> >> > Hi All -
> >> >
> >> > I'd like to run only the syscheck subsystem in order to provide FIM.
> >> >
> >> > I don't see anything in the docs that immediately appears to do what I want
> >> > - is there any way to run syscheckd in "standalone" mode or only alongside
> >> > analysisd?
> >> >
> >>
> >> Remove the localfile configurations. Disable active response. Disable
> >> rootcheck (if that's not something you want).
> >>
> >> > Thanks,
> >> > Sam Gardner
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
> >>
> >
> > --
> > Noilson Caio Teixeira de Araújo
> > https://ncaio.wordpress.com
> > https://br.linkedin.com/in/ncaio
> > https://twitter.com/noilsoncaio
> > https://jammer4.wordpress.com/
> > http://8bit.academy
> >
> >
>
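Sam asks above how to verify that the FIM monitoring is actually working; as an added example that is not part of the thread or of OSSEC itself, here is a small Python checker that pulls syscheck events for a monitored directory out of alerts.log and lists which syscheck rules can never show up there at the configured log_alert_level (the analysisd startup output above lists rule 554, file added, at level 0, and the config has log_alert_level 1). The alerts.log sample is constructed in the standard alert layout, the rule levels are copied from the startup output above, and the host, paths and checksums are made up.

```python
import re

# Constructed sample in the layout of /var/ossec/logs/alerts/alerts.log
# (host, timestamps, checksums and paths are made up for this example).
SAMPLE_ALERTS = """\
** Alert 1488578100.1234: - ossec,syscheck,
2017 Mar 03 22:15:00 fimhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/usr/bin/example-tool'
New md5sum is: '0cc175b9c0f1b6a831c399e269772661'

** Alert 1488578160.5678: - ossec,syscheck,
2017 Mar 03 22:16:00 fimhost->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/usr/sbin/old-daemon' was deleted. Unable to retrieve checksum.

** Alert 1488578220.9012: - pam,syslog,authentication_success,
2017 Mar 03 22:17:00 fimhost->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
PATH_RE = re.compile(r"'(/[^']*)'")  # first quoted absolute path in the alert body

def parse_syscheck_alerts(text, under="/"):
    """Return (rule_id, level, path) for every syscheck alert on a file under `under`."""
    events = []
    for block in text.split("** Alert "):
        lines = block.strip().splitlines()
        # The first line carries the alert groups; skip anything that is not syscheck.
        if not lines or "syscheck" not in lines[0]:
            continue
        rule_idx = next((i for i, l in enumerate(lines) if RULE_RE.match(l)), None)
        if rule_idx is None:
            continue
        rule = RULE_RE.match(lines[rule_idx])
        hits = [PATH_RE.search(l) for l in lines[rule_idx + 1:]]
        path = next((m.group(1) for m in hits if m), None)
        if path and path.startswith(under.rstrip("/") + "/"):
            events.append((int(rule.group(1)), int(rule.group(2)), path))
    return events

# Levels as printed by analysisd at startup in the thread: 554 (file added) is
# level 0, and log_alert_level 1 means a level-0 alert is never written out.
SYSCHECK_RULE_LEVELS = {550: 7, 551: 7, 552: 7, 553: 7, 554: 0}

def silent_rules(rule_levels, log_alert_level):
    """Rule ids whose level is below log_alert_level, so they never reach alerts.log."""
    return sorted(r for r, lvl in rule_levels.items() if lvl < log_alert_level)
```

Pointing parse_syscheck_alerts at the live /var/ossec/logs/alerts/alerts.log after changing an existing file under /usr/bin shows which events reached analysisd, while silent_rules shows the ones the threshold hides.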