No problem. You were looking at the right file. After the change, you probably need to restart the OSSEC agent as well. Also, syscheck/rootcheck are scheduled processes (if you look at the ossec.conf on your Ubuntu box you'll see it is scheduled to run every 79200 seconds: <frequency>79200</frequency> - you can make this number smaller if you'd like). And if you want to kick syscheck off instantly, you should just be able to restart the OSSEC server on Ubuntu (/etc/init.d/ossec restart).

The way syscheck (integrity checking) works is that if any file within that directory (C:\Test_TPS) changes, OSSEC will alert you *at* the time the syscheck process runs. You can view the logs to see if certain things are running, etc. (on the OSSEC server on Ubuntu, the logs are at /var/ossec/logs/ossec.log and /var/ossec/logs/alerts/alerts.log).

In terms of new users and directories being created:

1) For new users, OSSEC will notify you if new users are added in Linux. As for Windows, I'm not 100% sure - I haven't really played with this much. Are you talking about adding new users in AD or to the local machine?

2) If you have syscheck enabled to watch a particular directory where a new sub-directory may be created, OSSEC should trigger on it.

3) Multiple failed logons works, but you need to make sure you have the Windows audit policy (secpol.msc) set to record failed logon attempts, etc.

Hope that helps

--Jeremy

On Wed, Sep 15, 2010 at 2:19 PM, Aamir Niazi <[email protected]> wrote:
> Thanks a lot Jeremy, but just to add to that, I was looking at the
> Windows agent and there is a file called OSSEC under OSSEC -> Edit
> Config. I went ahead, edited that file, added the directory that I
> want to monitor on the agent and saved it, but apparently it did not do
> anything for me. So that file should not be touched? I am just trying
> to figure out the ins and outs of OSSEC and playing around to make sure I
> understand what everything does.
>
> I will go ahead and test what you wrote and write the results back.
> Also, on the same note, how would I go about checking if a new user or
> new directory was created, and for multiple failed logins on
> Windows agents?
>
> Thanks once again for your input.
>
> On Wed, Sep 15, 2010 at 4:33 PM, Jeremy Lee <[email protected]> wrote:
> > Hi there,
> >
> > Welcome!
> >
> > It sounds like you want to do some integrity checking to notify you of any
> > changes to files in the C:\Test_TPS directory, correct? If so, it should be
> > pretty straightforward. You just need to edit the ossec.conf
> > (/var/ossec/etc/ossec.conf is the default path on your OSSEC server) and add
> > the following under the <syscheck> section:
> >
> > <directories check_all="yes">C:\Test_TPS</directories>
> >
> > Hope that helps!
> >
> > --Jeremy
> >
> > On Wed, Sep 15, 2010 at 1:22 PM, Aamir Niazi <[email protected]> wrote:
> >>
> >> Hello List, my first time writing to this list.
> >>
> >> I have OSSEC running on Ubuntu 10.4 and have Windows client machines.
> >> There is not much on the website regarding rules so I purchased the
> >> OSSEC book. But I am still confused about how you custom write
> >> rules to monitor specific directories. Let's say I wanted to monitor
> >> the C:\Test_TPS folder and files within this directory on the Windows
> >> machine; what would I have to do in order to make sure that the client is
> >> configured for this and the server is also monitoring this directory for
> >> any changes and integrity? If anyone can elaborate a little bit on
> >> this I would highly appreciate it. FYI, I am a *nix newbie.
> >>
> >> Thanks a lot in advance.
> >>
> >> --
> >> Best Regards,
> >>
> >> Aamir Niazi
> >
> >
>
> --
> Best Regards,
>
> Aamir Niazi
> Senior Security Analyst
>
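To follow up on the alerts.log location Jeremy points to above: here is a small parser that pulls out the syscheck (integrity) alerts whose path falls under the watched directory, added as an example and not code from this thread or from OSSEC itself. The alert records are constructed in alerts.log layout, and rule numbers 550/554 are assumed to be OSSEC's stock "checksum changed" / "file added" syscheck rules.

```python
import re
# Constructed sample in the layout of /var/ossec/logs/alerts/alerts.log (not taken from
# the thread); rule numbers 550/554 are assumed to be OSSEC's stock syscheck rules.
SAMPLE_ALERTS = r"""** Alert 1284577200.1001: - ossec,syscheck,
2010 Sep 15 14:20:00 (WIN-AGENT) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\Test_TPS\report.docx'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is: '0cc175b9c0f1b6a831c399e269772661'

** Alert 1284577260.1002: - ossec,syscheck,
2010 Sep 15 14:21:00 (WIN-AGENT) 10.0.0.5->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file 'C:\Test_TPS\notes.txt' added to the file system.

** Alert 1284577320.1003: - ossec,syscheck,
2010 Sep 15 14:22:00 (WIN-AGENT) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\Windows\System32\drivers\etc\hosts'
"""

HEADER = re.compile(r"^\*\* Alert (?P<ts>[\d.]+): .*?- (?P<groups>[\w,]+)$")
SOURCE = re.compile(r"^.+? \((?P<agent>[^)]+)\) ")  # "(agent)" is absent for server-local alerts
RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'$")
PATH = re.compile(r"'([^']+)'")  # first quoted token in a syscheck body is the affected path

def parse_alerts(text):
    """Split alerts.log into one dict per '** Alert' record, skipping malformed blocks."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4: continue
        head, src, rule = HEADER.match(lines[0]), SOURCE.match(lines[1]), RULE.match(lines[2])
        if not (head and rule): continue
        alerts.append({"groups": set(head["groups"].split(",")) - {""},
                       "agent": src["agent"] if src else "server",
                       "rule": int(rule["id"]), "level": int(rule["level"]),
                       "desc": rule["desc"], "body": lines[3:]})
    return alerts

def syscheck_hits(alerts, watched_dir):
    """Return (agent, rule_id, path) for syscheck alerts whose path lies under watched_dir."""
    # Windows paths: compare case-insensitively and accept either separator style
    prefix = watched_dir.rstrip("\\/").lower().replace("/", "\\") + "\\"
    hits = []
    for a in alerts:
        m = PATH.search(a["body"][0]) if "syscheck" in a["groups"] else None
        if m and m.group(1).lower().replace("/", "\\").startswith(prefix):
            hits.append((a["agent"], a["rule"], m.group(1)))
    return hits
```

Running `syscheck_hits(parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read()), r"C:\Test_TPS")` on the server lists only the changes in the watched folder and drops syscheck noise from elsewhere on the agent.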
