Russ,

An alert will be generated when the syscheck scan detects a file has changed, therefore you will be able to determine the date/time that the change was detected (different from when it actually changed) from the alert.

What a File Integrity alert looks like in alerts.log ...

** Alert 1250140285.97227: mail - ossec,syscheck,
2009 Aug 13 00:11:25 (xxx) 10.10.10.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/usr/sbin/named-xfer'
Size changed from '63084' to '63088'
Old md5sum was: 'e0987552a775d9d72a4c6aee694063e1'
New md5sum is : '0aff00239ba655078f41ddf51449b6df'
Old sha1sum was: 'e80e4fe13fc59ed7fe21609a60cadc1e2d0c42cf'
New sha1sum is : '308f8a3dea64734f7fb7f0b3720471cbdad96b1f'

Good Luck,
Ken Wachtler

________________________________________
From: [email protected] [[email protected]] On Behalf Of Ross Lawrie [[email protected]]
Sent: Wednesday, August 12, 2009 2:05 PM
To: [email protected]
Subject: [ossec-list] Re: syscheck proper practices?

Hi,

I'm just wondering if someone can offer me a little bit of advice on this.

Does ./bin/syscheck_control -i xxx -u just update the database to say that the changes listed are approved as being okay, or does it stop later checks of those files? If this is the proper way to do this, is there a quick way to get a history of changes on a particular agent?

Also, I noticed that it's been mentioned in the list that realtime integrity checking doesn't seem to be recursive, which has been my experience so far, is there any news on this?

Lastly, is there a plan to include datetime stamps on file changes reported by syscheck - another thing I notice has been mentioned on the list but I haven't seen an answer to.

Thanks for any help you can lend.

Ross.

On Wed, 2009-08-05 at 17:23 -0700, Ross Lawrie wrote:
> Hello,
>
> I couldn't find anything in the mailing list about this, nor did I see
> anything within the wiki or documentation, but I do apologize if this is
> a question which has been answered previously.
>
> I'm wondering what the proper procedure is from an admin point of view
> upon a notification of a changed file on a monitored system.
>
> If the file change is known and okay, is the procedure to Update (clear)
> the database for the agent? It's nice having the output of
> syscheck_control show a quick history of changes for a given agent, that
> list would zero upon an update (clear).
>
> If I update the database for an agent, is there a quick (command-line)
> method to view a history of changes for that agent, or would it require
> parsing the logs through ossec-reportd?
>
> Lastly, and this may be a useless question, but is it possible to update
> the database signature for a single file while not updating other
> changed files on an agent? I could see the argument being that
> signatures shouldn't be updated unless all changes are known to be good.
>
> Thanks,
>
> Ross.
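The thread leaves Ross's second question (a quick per-agent change history once `syscheck_control -u` has cleared the database) answered only implicitly: the alert Ken quotes is the durable record, and its timestamp is the detection time of the scan, not the file's modification time. The following is an added example, not code from the thread or from OSSEC, that parses alerts.log records of the layout quoted above (rule 550) into a per-agent history. The sample log is constructed: its first alert is the one Ken quoted, the second is made up for a second agent. The function and field names are this example's own.

```python
"""Per-agent syscheck change history recovered from OSSEC alerts.log.

Added example, not code from the thread or from OSSEC. It assumes only the
alert layout quoted in the thread (rule 550, "Integrity checksum changed");
function and field names are this example's own.
"""
import re
from datetime import datetime, timezone

# Constructed sample log: the first alert is the one quoted in the thread,
# the second is made up for another agent so there is something to filter.
SAMPLE_ALERTS_LOG = """\
** Alert 1250140285.97227: mail - ossec,syscheck,
2009 Aug 13 00:11:25 (xxx) 10.10.10.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/usr/sbin/named-xfer'
Size changed from '63084' to '63088'
Old md5sum was: 'e0987552a775d9d72a4c6aee694063e1'
New md5sum is : '0aff00239ba655078f41ddf51449b6df'
Old sha1sum was: 'e80e4fe13fc59ed7fe21609a60cadc1e2d0c42cf'
New sha1sum is : '308f8a3dea64734f7fb7f0b3720471cbdad96b1f'

** Alert 1250226685.12345: mail - ossec,syscheck,
2009 Aug 14 00:11:25 (web01) 10.10.10.20->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/etc/passwd'
Size changed from '1834' to '1901'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '9e107d9d372bb6826bd81d3542a419d6'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '2fd4e1c67a2d28fced849ee1bb76e7391b93eb12'
"""

# Header: "** Alert <epoch>.<counter>: [mail ]- <group,group,>"
ALERT_HEAD = re.compile(r"^\*\* Alert (\d+)\.\d+: (mail )?- (.*)$")
# Source: "<local time> (<agent>) <ip>->syscheck" for an agent, or
# "<hostname>->syscheck" when the manager itself is the source.
SOURCE = re.compile(
    r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\((\S+)\) )?(\S+)->(\S+)$"
)
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SIZE = re.compile(r"^Size changed from '(\d+)' to '(\d+)'$")
# Single-value fields, keyed by the name they get in the parsed record.
FIELDS = {
    "file": re.compile(r"^Integrity checksum changed for: '(.*)'$"),
    "old_md5": re.compile(r"^Old md5sum was: '([0-9a-f]{32})'$"),
    "new_md5": re.compile(r"^New md5sum is : '([0-9a-f]{32})'$"),
    "old_sha1": re.compile(r"^Old sha1sum was: '([0-9a-f]{40})'$"),
    "new_sha1": re.compile(r"^New sha1sum is : '([0-9a-f]{40})'$"),
}


def parse_syscheck_alerts(text):
    """Return one dict per syscheck alert in `text` that names a file."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = ALERT_HEAD.match(line)
        if m:
            epoch = int(m.group(1))
            cur = {
                "epoch": epoch,
                # When the scan *detected* the change (UTC). The alert carries
                # no mtime, so this is not when the file actually changed.
                "detected_at": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
                "mailed": m.group(2) is not None,
                "groups": m.group(3).rstrip(",").split(","),
            }
            alerts.append(cur)
            continue
        if cur is None:
            continue
        m = SOURCE.match(line)
        if m:
            cur["local_time"], cur["agent"], cur["source"], cur["location"] = m.groups()
            continue
        m = RULE.match(line)
        if m:
            cur["rule"], cur["level"] = int(m.group(1)), int(m.group(2))
            cur["description"] = m.group(3)
            continue
        m = SIZE.match(line)
        if m:
            cur["old_size"], cur["new_size"] = int(m.group(1)), int(m.group(2))
            continue
        for key, rx in FIELDS.items():
            m = rx.match(line)
            if m:
                cur[key] = m.group(1)
                break
    return [a for a in alerts if "syscheck" in a["groups"] and "file" in a]


def history_for_agent(alerts, agent):
    """Chronological change history for one agent, taken from the alerts
    rather than from the agent database that `syscheck_control -u` clears."""
    return sorted((a for a in alerts if a.get("agent") == agent),
                  key=lambda a: a["epoch"])


if __name__ == "__main__":
    for a in history_for_agent(parse_syscheck_alerts(SAMPLE_ALERTS_LOG), "xxx"):
        print(a["detected_at"], a["file"], a["old_md5"], "->", a["new_md5"])
```

Run it against a real alerts.log by reading the file into `parse_syscheck_alerts`; the epoch in the alert ID is what gives an unambiguous detection time, since the human-readable line is in the manager's local time with no zone.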
