Here is a solution. One thing I was not sure about was that sometimes
you get, on a third event, "ignoring"; I wasn't sure how to defeat this.
How to add an active response to OSSEC to get diffs when the "Integrity
checksum changed" rules 550/1/2 fire.
To install, create diff-alert.sh and diff-alert-filename.awk in
/var/ossec/active-response/bin.
Add the ossec.conf fragments to /var/ossec/etc/ossec.conf
This implementation uses a simple directory structure under
/var/ossec/etc/diff-checks to determine whether a file should be diffed.
Create /var/ossec/etc/diff-checks
Under this directory create the full paths of the files to be checked, i.e.
mkdir -p /var/ossec/etc/diff-checks/etc/awstats
touch /var/ossec/etc/diff-checks/etc/awstats/awstats.objectgizmos.com.conf
Using touch means you get a full diff on the first change; alternatively you
can just copy the file of interest into diff-checks.
Restart OSSEC:
/var/ossec/bin/ossec-control restart
---- Main script /var/ossec/active-response/bin/diff-alert.sh
#!/bin/bash
# E-mails an alert - showing diff of selected files
#
# Author: Martin West based on Daniel Cid's mail-test.sh
# Set to root and use /etc/aliases to redirect root as needed.
MAILADDRESS="root"
# Arguments as passed by ossec-execd: action user ip alertid ruleid
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5
# Resolve the OSSEC base directory from this script's own location
BINDIR=`dirname $0`;
cd $BINDIR
BINDIR=`pwd`
cd ../..
OSSEC_DIR=`pwd`
# Example alert block, as it appears in alerts.log:
#** Alert 1257620885.280781: mail - ossec,syscheck,
#2009 Nov 07 19:08:05 lenovo2->syscheck
#Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
#Src IP: (none)
#User: (none)
#Integrity checksum changed for: '/etc/awstats/awstats.objectgizmos.com.conf'
# Run as "diff-alert.sh TEST" to read the alert from test.log in BINDIR
if [ "$ACTION" = TEST ]; then
    ALERTID="1257620885.280781"
    LOGFILE=${BINDIR}/test.log
else
    LOGFILE=${OSSEC_DIR}/logs/alerts/alerts.log
fi
# Get alert prefix
ALERTTIME=`echo "$ALERTID" | cut -d "." -f 1`
# Get alert suffix
ALERTLAST=`echo "$ALERTID" | cut -d "." -f 2`
# Getting full alert (dot escaped so grep matches it literally)
GREPARG="$ALERTTIME\.$ALERTLAST"
# Put awk program in file to avoid complications of single quote
FILENAME=`grep -A 10 $GREPARG $LOGFILE | grep "Integrity checksum changed for:" | awk -f ${BINDIR}/diff-alert-filename.awk`
if [ "$ACTION" = TEST ]; then
    echo "$FILENAME"
fi
DIFF_ROOT_DIR="${OSSEC_DIR}/etc/diff-checks"
# ${FILENAME:1} drops the leading / so the path nests under diff-checks
if [ -n "$FILENAME" -a -f ${DIFF_ROOT_DIR}/${FILENAME:1} ]; then
    # Logging the call
    echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8 $FILENAME" >> ${OSSEC_DIR}/logs/active-responses.log
    DIFF_CMD="diff -s $FILENAME ${DIFF_ROOT_DIR}/${FILENAME:1}"
    if [ "$ACTION" = TEST ]; then
        DIFF_OUTPUT=`${DIFF_CMD}`
        echo "$DIFF_OUTPUT"
    fi
    SUBJECT="OSSEC Alert ${FILENAME} diff"
    $DIFF_CMD | mail -s "$SUBJECT" $MAILADDRESS
    # Keep the current version (numbered backup of the old copy) for the next diff
    cp --backup=t $FILENAME ${DIFF_ROOT_DIR}/${FILENAME:1}
else
    logger "$0 $FILENAME not found in ${DIFF_ROOT_DIR}/${FILENAME:1}"
    if [ "$ACTION" = TEST ]; then
        echo "not found ${DIFF_ROOT_DIR}/${FILENAME:1}"
    fi
fi
---- awk script /var/ossec/active-response/bin/diff-alert-filename.awk
# Fields are split on runs of spaces, colons and single quotes, so for
# "Integrity checksum changed for: '/etc/foo.conf'" $5 is the path.
# (A path containing spaces would be split across several fields.)
BEGIN { FS = "[ :']+" } ; { print $5 }
---- /var/ossec/etc/ossec.conf
<command>
  <name>diff-alert</name>
  <executable>diff-alert.sh</executable>
  <expect/>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>diff-alert</command>
  <location>server</location>
  <rules_id>550,551,552</rules_id>
</active-response>
Martin West
skype:amartinwest
On 7 Nov 2009, at 17:43, Martin West wrote:
> Thanks, that's a good lead, I'll investigate and if I get anywhere I'll
> post the results
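A runnable walk-through of the same alert-to-diff flow, added here as an example; it is not part of the post above or of OSSEC itself. A temporary directory stands in for /var/ossec, the alerts.log is constructed (the alert id, host name and file contents are made up), and the path is pulled out with a sed capture of everything between the quotes, so a file name containing spaces survives where a whitespace field split would not:

```sh
#!/bin/sh
# Added example, not the original post's code: the alert-to-diff flow of
# diff-alert.sh run offline against a constructed alerts.log and a temp
# directory standing in for /var/ossec. Alert id, host name, paths and file
# contents are all made up.

# Print the path named on the "Integrity checksum changed for:" line of the
# alert block whose id is $2 in alerts.log $1. Everything between the quotes
# is captured, so a path with spaces comes back intact.
alert_filename() {
    pattern=$(printf '%s' "$2" | sed 's/\./\\./g')   # match the dot literally
    grep -A 10 -- "$pattern" "$1" \
        | sed -n "s/^Integrity checksum changed for: '\(.*\)'\$/\1/p" \
        | head -n 1
}

# Emit the diff between the stored copy of $1 under $2 and the live file,
# then refresh the stored copy so the next alert diffs against this version.
# Returns 1 and prints nothing when the file is not tracked under $2.
diff_and_store() {
    file=$1
    stored="$2$file"
    [ -f "$stored" ] || return 1
    diff -s -- "$stored" "$file" || :   # diff exits 1 when the files differ
    cp -- "$file" "$stored"
    return 0
}

# Build the fixture: a live file with a space in its path, an empty stored
# copy (the "touch" baseline from the write-up) and one rule 551 alert for it.
# Prints the temp root so callers can find everything.
make_fixture() {
    work=$(mktemp -d)
    live="$work/live/etc/awstats dir/site.conf"
    mkdir -p "$(dirname "$live")" "$work/diff-checks$(dirname "$live")"
    printf 'LogFile=/var/log/httpd/access_log\nSiteDomain=example.org\n' > "$live"
    : > "$work/diff-checks$live"
    cat > "$work/alerts.log" <<EOF
** Alert 1257620885.280781: mail - ossec,syscheck,
2009 Nov 07 19:08:05 lenovo2->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Src IP: (none)
User: (none)
Integrity checksum changed for: '$live'
EOF
    printf '%s\n' "$work"
}

# Full flow: locate the file from the alert, diff it against the stored copy,
# then change the live file and diff again so only the new delta is reported.
run_demo() {
    work=$(make_fixture)
    file=$(alert_filename "$work/alerts.log" 1257620885.280781)
    echo "alert names: $file"
    diff_and_store "$file" "$work/diff-checks"
    echo 'AllowToUpdateStatsFromBrowser=1' >> "$file"
    echo '--- second change ---'
    diff_and_store "$file" "$work/diff-checks"
    rm -rf "$work"
}

run_demo
```

The stored copy is refreshed with a plain cp here; the post's script uses cp --backup=t so earlier versions are kept as numbered backups, which is the better choice when you want to look further back than one change.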