OSSEC-2.8.3 on Ubuntu 16.04 One OSSEC server with multiple agents.
/var/ossec/etc/ossec.conf on an agent: ################# <ossec_config> <client> <server-ip>X.Y.Z.K</server-ip> </client> </ossec_config> ################# /var/ossec/etc/shared/agent.conf on the server (and it's matched by /var/ossec/etc/shared/agent.conf on all agents): ############################## <agent_config os="linux"> <syscheck> <!-- Directories to check (perform all possible verifications) --> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories check_all="yes">/bin,/sbin</directories> <!-- files we don't watch/ignore --> <frequency>7200</frequency> <ignore>/etc/mtab</ignore> <ignore>/etc/mnttab</ignore> <ignore>/etc/hosts.deny</ignore> <ignore>/etc/mail/statistics</ignore> <ignore>/etc/svc/volatile</ignore> <ignore>/etc/rc*.d/*our-api</ignore> <ignore>/etc/init.d/our-api</ignore> <ignore>/dev/.blkid.tab</ignore> <ignore>/dev/.blkid.tab.old</ignore> </syscheck> <!-- Files to monitor (localfiles) --> <localfile> <log_format>syslog</log_format> <location>/var/log/auth.log</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/messages</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/syslog</location> </localfile> <localfile> <log_format>apache</log_format> <location>/var/log/nginx/access.log</location> </localfile> <rootcheck> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit> </rootcheck> </agent_config> ############################## So /etc/init.d/our-api is in the ignore list, I added it there earlier today. However, I just got an alert from multiple agents, after that file had changed after a deploy: ##################### OSSEC HIDS Notification. 2016 Nov 23 21:25:49 Received From: (api-p1-front-012) any->syscheck Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)." Portion of the log(s): Integrity checksum changed for: '/etc/init.d/our-api' ##################### What is going on? It looks like adding a file to the ignore list does not exempt it from being flagged by the rules. If so, how do I truly ignore a given file everywhere? -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.