I finally got around to investigating this a bit more today. Instead of 
just removing a few lines from a log, this time I clobbered the whole 
thing:


root@muon:log# cp /var/log/secure{,.back}
root@muon:log# : >/var/log/secure; date
Thu Mar 31 14:38:23 CDT 2011 


The notification I got was this:


OSSEC HIDS Notification.
2011 Mar 31 14:39:49

Received From: (muon) 192.168.5.33->ossec-logcollector
Rule: 592 fired (level 8) -> "Log file size reduced."
Portion of the log(s):

ossec: File size reduced (inode remained): '/var/log/secure'.


I'm assuming the timestamp in that notification is when OSSEC detected 
that the log file size decreased (as opposed to when the email was sent 
out or whatever). If that's right, then there's a minute+ delay between 
when the file was tampered with and when that tampering was detected. If 
I had only removed a few lines instead of everything, it wouldn't have 
taken much log activity in that time to make OSSEC miss the tampering. 
Is there any way to decrease this delay?


> -----Original Message-----
> From: Nate Woodward 
> Sent: Monday, March 28, 2011 2:31 PM
> To: ossec-list
> Subject: RE: [ossec-list] Deletion of log data
> 
> Yeah, I found that info on google a few weeks back and 
> re-tested with nano. Still didn't get an alert on the rule. 
> 
> > -----Original Message-----
> > From: dan (ddp) [mailto:ddp...@gmail.com]
> > Sent: Monday, March 28, 2011 2:22 PM
> > To: ossec-list@googlegroups.com
> > Subject: Re: [ossec-list] Deletion of log data
> > 
> > vim typically saves the file to a new inode. In this instance OSSEC
> > generally detects that the log file was rotated, and may re-check all
> > of the log messages in the log file.
> > 
> > On Fri, Mar 4, 2011 at 11:08 AM, Nate Woodward 
> > <nate.woodw...@the-connection.com> wrote:
> > > Hi,
> > >
> > > I'm trying to get OSSEC to detect data deletion in log files. The page
> > > at http://www.ossec.net/doc/manual/monitoring/index.html indicates
> > > that log monitoring is done in real time, and ossec_rules.xml has
> > > these rules:
> > >
> > >
> > >  <!-- File rotation/reducded rules -->
> > >  <rule id="591" level="3">
> > >    <if_sid>500</if_sid>
> > >    <match>^ossec: File rotated </match>
> > >    <description>Log file rotated.</description>
> > >  </rule>
> > >
> > >  <rule id="592" level="8">
> > >    <if_sid>500</if_sid>
> > >    <match>^ossec: File size reduced</match>
> > >    <description>Log file size reduced.</description>
> > >    <group>attacks,</group>
> > >  </rule>
> > >
> > >  <rule id="593" level="9">
> > >    <if_sid>500</if_sid>
> > >    <match>^ossec: Event log cleared</match>
> > >    <description>Microsoft Event log cleared.</description>
> > >    <group>logs_cleared,</group>
> > >  </rule>
> > >
> > >
> > > When I open up a log file in vim, delete a few lines and save it, rule
> > > 592 doesn't trigger. Am I doing something wrong? Does real-time log
> > > monitoring include the rules above, or do those rules only trigger
> > > when syscheck is run (at which time the log would have grown bigger
> > > than what it was before, despite my deletions)?
> > >
> > > How can I ensure log file integrity?
> > >
> > > -Nate
> > >
> > 
> > 
> 
> 
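The detection the thread is discussing is a poll of (inode, size) per monitored file: same inode with fewer bytes is reported as "File size reduced", a new inode is treated as rotation. The following is an added example, not OSSEC's logcollector code, that models that check and runs four constructed scenarios against a temporary file with made-up sshd/sudo lines: the whole-file truncation shown at the top of this message, an in-place deletion that is masked because the log grows again before the next poll, the same deletion with no growth, and an editor-style save to a new inode. The poll interval, `Poller`, `classify` and the log lines are all constructed for the example.

```python
"""Added example (not OSSEC code): a size/inode poller in the spirit of
OSSEC's logcollector, plus constructed scenarios showing what it can and
cannot see between two polls."""
import os
import tempfile


def snapshot(path):
    """(inode, size) is all a size-reduction check looks at."""
    st = os.stat(path)
    return (st.st_ino, st.st_size)


def classify(prev, cur):
    """Event a size/inode poller would raise when state moves prev -> cur."""
    if prev is None:
        return "initial"
    if cur[0] != prev[0]:
        return "rotated"        # new inode: logrotate, or an editor that saves-and-renames
    if cur[1] < prev[1]:
        return "size_reduced"   # same inode, fewer bytes: in-place truncation
    return "ok"                 # same inode, same or more bytes: nothing to report


class Poller:
    """One monitored file; call poll() once per interval."""

    def __init__(self, path):
        self.path = path
        self.prev = None

    def poll(self):
        cur = snapshot(self.path)
        event = classify(self.prev, cur)
        self.prev = cur
        return event


def append(path, lines):
    with open(path, "a") as f:
        f.writelines(line + "\n" for line in lines)


def delete_line_in_place(path, index):
    """Remove one line while keeping the inode (rewrite through r+ and truncate)."""
    with open(path, "r+") as f:
        lines = f.readlines()
        del lines[index]
        f.seek(0)
        f.truncate()
        f.writelines(lines)


def save_via_new_inode(path, content):
    """Write a temp file and rename over the original: the inode changes."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(content)
    os.replace(tmp, path)


# Constructed sample log lines, not captured from a real host.
SAMPLE = [
    "Mar 31 14:30:01 muon sshd[1101]: Accepted publickey for root from 192.168.5.10",
    "Mar 31 14:31:02 muon sshd[1102]: Failed password for invalid user admin",
    "Mar 31 14:32:03 muon sudo: nate : TTY=pts/0 ; COMMAND=/bin/bash",
]


def run_scenarios():
    """Return {scenario: event} for the four cases described in the lead-in."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secure")
        append(path, SAMPLE)
        p = Poller(path)
        p.poll()                                   # baseline

        # 1. ': > /var/log/secure' style truncation, inode unchanged
        open(path, "w").close()
        results["truncate"] = p.poll()

        # 2. one line removed, but the log grows past its old size before the next poll
        append(path, SAMPLE)
        p.poll()                                   # baseline: 3 lines
        delete_line_in_place(path, 1)              # 2 lines left
        append(path, SAMPLE[:2])                   # 4 lines, larger than 3
        results["delete_then_growth"] = p.poll()

        # 3. one line removed with no growth before the next poll
        delete_line_in_place(path, 0)
        results["delete_quiet"] = p.poll()

        # 4. save through a new file and rename, the way an editor commonly does
        save_via_new_inode(path, "")
        results["new_inode"] = p.poll()
    return results


if __name__ == "__main__":
    for name, event in run_scenarios().items():
        print(f"{name:20s} -> {event}")
```

Scenario 2 is the gap described at the top of this message: the check only compares the size at two polls, so a deletion that is followed by enough appended data within one interval is invisible to it no matter how short the interval is. Shortening the poll interval narrows the window but cannot close it; in OSSEC the interval is configured in internal_options.conf (logcollector.loop_timeout).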
