List: ossec-list
Subject: Re: [ossec-list] Custom integrity checking rules question
From: thak <tha.keller () gmail ! com>
Date: 2016-03-23 15:40:50
Message-ID: 40e55594-abbe-47a0-8aec-cab9ce0d0861 () googlegroups ! com
Looks to be working. I added the home directory (again on my test server,
though production is very similar) and it caught the bash history changing
when I logged out of one of the agent servers.
** Alert 1458747452.33878: mail - ossec,syscheck,
2016 Mar 23 15:37:32 (al2) 10.20.0.10->syscheck
Rule: 552 (level 7) -> 'Integrity checksum changed again (3rd time).'
Integrity checksum changed for: '/home/ec2-user/.bash_history'
On Wednesday, March 23, 2016 at 10:53:29 AM UTC-4, thak wrote:
>
> Yeah, somehow I am JUST now realizing that it has to be explicitly added
> in as an option for the <directories> definitions. D'oh.
>
> 2016/03/23 14:44:40 ossec-syscheckd: INFO: Initializing real time file
> monitoring (not started).
> 2016/03/23 14:48:15 ossec-syscheckd: INFO: Real time file monitoring
> started.
>
> Got it now.
>
> On Wednesday, March 23, 2016 at 10:41:40 AM UTC-4, dan (ddpbsd) wrote:
> >
> > On Wed, Mar 23, 2016 at 10:30 AM, thak <tha.k...@gmail.com> wrote:
> > > Thank you for the suggestions!
> > >
> > > We definitely have the /var/application hashes in the manager's
> > > /var/ossec/queue/syscheck files.
> > >
> > > So it's definitely picking them up, just does not seem to be alerting or
> > > emailing. On my test instance I also cannot seem to get realtime alerting
> > > working. I know I enabled it during installation, I think, but it does not
> > > seem to detect in realtime (despite inotify-tools being installed).
> > >
> >
> > Turn off the auto ignore option, see if alerts are generated then.
> > Make sure you have the realtime="yes" option set in your <directories>
> > blocks in the ossec.conf. Realtime detection does not happen
> > automatically just because the feature is present, you have to
> > explicitly enable it.
> >
> > >
> > >
> > > On Monday, March 21, 2016 at 8:09:01 PM UTC-4, Santiago Bassett wrote:
> > > >
> > > > Some questions that might help:
> > > >
> > > > - did you restart the agent after changing the configuration? (required,
> > > > unless it is pushed from the manager using shared agent.conf file)
> > > >
> > > > - did you specify the frequency of the checks? Most cases alerts are not
> > > > generated in real time. Even when using realtime option, it might take a few
> > > > minutes (could be about 5-10 minutes) to get the alert (this happens when
> > > > rootcheck is running)
> > > >
> > > > - did you get the file hashes listed in syscheck database (see
> > > > /var/ossec/queue/syscheck directory)?
> > > >
> > > > - did you configure the manager to alert for new files? (and also the
> > > > rule)
> > > >
> > > > - did you set auto_ignore option to no? (in case the file has been
> > > > modified more than three times)
> > > >
> > > > Also I would recommend to use scan_on_start option in the agent.
> > > >
> > > > I hope that helps,
> > > >
> > > > Santiago.
> > > >
> > > > On Wed, Mar 16, 2016 at 2:02 PM, thak <tha.k...@gmail.com> wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > We added /var/application directories to our application servers'
> > > > > ossec.conf file, but we just rolled an application update (introducing new
> > > > > files and absolutely modifying older ones) and didn't get any updates.
> > > > >
> > > > > Any ideas on a likely issue here? Do we need to run the command to clear
> > > > > the syscheck file integrity database? Is there some requirement that OSSEC
> > > > > "rebaseline" the integrity hashes, such that they pick up this new rule's
> > > > > target directories?
> > > > >
> > > > > --
> > > > >
> > > > > ---
> > > > > You received this message because you are subscribed to the Google
> > Groups
> > > > > "ossec-list" group.
> > > > > To unsubscribe from this group and stop receiving emails from it,
> > send an
> > > > > email to ossec-list+...@googlegroups.com.
> > > > > For more options, visit https://groups.google.com/d/optout.
> > > >
> > > >
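To put dan's and Santiago's pointers side by side, here is an added example (not configuration from any of the posters) showing an agent-side syscheck block that stays silent on the /var/application update, the same block with the options named in the thread enabled, and the manager-side settings and rule override that new-file alerting depends on; which options are agent-side versus manager-side, and the level-0 default of rule 554, are assumptions based on stock OSSEC 2.x behaviour.

```xml
<!-- Added example, not the posters' configuration.                   -->
<!-- 1. Agent ossec.conf (or shared agent.conf) as it probably looked: -->
<ossec_config>
  <syscheck>
    <!-- Default interval is 6 hours; with no realtime attribute nothing
         is reported about /var/application until the next scheduled scan. -->
    <frequency>21600</frequency>
    <directories check_all="yes">/var/application</directories>
  </syscheck>
</ossec_config>

<!-- 2. Corrected agent block. Restart the agent afterwards unless the
        change is pushed from the manager through agent.conf.          -->
<ossec_config>
  <syscheck>
    <!-- Baseline the new directory as soon as the agent starts instead
         of waiting one full frequency interval. -->
    <scan_on_start>yes</scan_on_start>
    <frequency>21600</frequency>
    <!-- realtime="yes" is per <directories> block and is never implied.
         On Linux it also needs OSSEC built with inotify support; the
         inotify-tools package by itself does not provide that. -->
    <directories check_all="yes" realtime="yes">/var/application</directories>
    <directories check_all="yes" realtime="yes">/home</directories>
  </syscheck>
</ossec_config>

<!-- 3. Manager ossec.conf (these two are evaluated by analysisd, so
        setting them on the agent has no effect; assumption).          -->
<ossec_config>
  <syscheck>
    <!-- Keep reporting a file after its third change instead of
         silencing it, which is what rule 552 "(3rd time)" precedes. -->
    <auto_ignore>no</auto_ignore>
    <!-- Emit events for files seen for the first time. -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- 4. Manager local_rules.xml: rule 554 "File added to the system."
        ships at level 0, so new-file events are never alerted or
        mailed until its level is raised (assumption: stock ruleset). -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
  </rule>
</group>
```

Sections 1 to 4 belong in different files on different hosts; they are shown together only to keep the agent-side and manager-side halves of the fix in one place.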