All, I have hundreds of machines that are (supposed to be) all configured exactly the same way via kickstarts and periodic Puppet runs. I've noticed that sometimes a Puppet push will modify a file across all of our machines, and the resulting syscheck notifications are a mixed bag - some have the report_change included (the *diff*), and others generate an alert but lack the report_change details.
I'm scratching my head trying to figure out why it's working on some and not others. Below are some details on a machine where report_change is failing:

*OSSEC Agent Version:*

ossec-hids-agent-2.9.0-48.el6.art.x86_64
ossec-hids-2.9.0-48.el6.art.x86_64

*inotify-tools Version:*

rpm -qa | grep -i inotify
inotify-tools-3.14-1.el6.x86_64

*E-mail Notification:*

Received From: (removed) 1.2.3.4->syscheck
Rule: 102907 fired (level 7) -> "File integrity changed, likely security relevant"
Portion of the log(s):

Integrity checksum changed for: '/etc/security/limits.conf'
Size changed from '1885' to '1927'
Old md5sum was: 'a639c5c0ea72bcb59c6a1379f6baa797'
New md5sum is : '301d246e310c78c2c76ef69cdefe00d1'
Old sha1sum was: '579006cf4e04899e05ff7812dc6a6c17500753fb'
New sha1sum is : '714e5ffa5da1b684d0d591b5a822460b8c8ba4c3'

*OSSEC Manager syscheck_control Output:*

/var/ossec/bin/syscheck_control -i 2337 -f /etc/security/limits.conf

Integrity changes for agent 'removed (2337) - 1.2.3.4':
Detailed information for entries matching: '/etc/security/limits.conf'

2017 Jan 31 12:55:42,0 - /etc/security/limits.conf
File added to the database.
Integrity checking values:
   Size: 1885
   Perm: rw-r--r--
   Uid:  0
   Gid:  0
   Md5:  a639c5c0ea72bcb59c6a1379f6baa797
   Sha1: 579006cf4e04899e05ff7812dc6a6c17500753fb

2017 Feb 09 15:51:49,0 - /etc/security/limits.conf
File changed. - 1st time modified.
Integrity checking values:
   Size: >1927
   Perm: rw-r--r--
   Uid:  0
   Gid:  0
   Md5:  >301d246e310c78c2c76ef69cdefe00d1
   Sha1: >714e5ffa5da1b684d0d591b5a822460b8c8ba4c3

*The logs on the Agent do show that real-time monitoring was started prior to this change…*

2017/02/07 20:56:23 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
…
2017/02/07 21:30:07 ossec-syscheckd: INFO: Real time file monitoring started.
*Strangely enough, the diff file does exist on the filesystem for this machine:*

cat /var/ossec/queue/diff/local/etc/security/limits.conf/diff.1486673498
52a53,54
> * soft stack 10240
> * hard stack unlimited

# 1486673498 converts to Thursday February 09, 2017 15:51:38 (pm)

*As far as I can tell my agent.conf is correct (and remember I use this agent.conf across hundreds of nodes):*

<agent_config os="Linux">
  <syscheck>
    <auto_ignore>no</auto_ignore>
    <frequency>79200</frequency>
    <directories realtime="yes" report_changes="yes" check_all="yes">/etc</directories>
  </syscheck>
…

*Permissions of /var/ossec/tmp:*

ls -ld /var/ossec/tmp/
dr-xr-x--- 2 root ossec 4096 Feb 9 16:27 /var/ossec/tmp/

Any thoughts on what could be causing this?
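Added here as a triage aid, not code from the post or from OSSEC itself: a small Python parser for the alert body format quoted above that records old/new size and hashes and flags alerts arriving without a "What changed:" section (the section OSSEC's syscheck decoder appends when the agent supplied a diff), so the diff-less agents across a fleet can be listed for inspection. The sample alert text and diff body are constructed from the values in the post.

```python
"""Triage OSSEC syscheck 'Integrity checksum changed' alerts and flag those that arrive
without the report_changes diff. Added example, not from the post or OSSEC itself;
the alert text is constructed from the format quoted in the post."""
import re
from typing import Dict, List, Optional

# Field patterns follow the manager's syscheck decoder output as quoted in the post.
RE_PATH = re.compile(r"Integrity checksum changed for: '([^']+)'")
RE_SIZE = re.compile(r"Size changed from '(\d+)' to '(\d+)'")
RE_MD5 = re.compile(r"Old md5sum was: '([0-9a-f]{32})'\s*New md5sum is\s*: '([0-9a-f]{32})'")
RE_SHA1 = re.compile(r"Old sha1sum was: '([0-9a-f]{40})'\s*New sha1sum is\s*: '([0-9a-f]{40})'")
DIFF_MARKER = "What changed:"  # the decoder appends this only when the agent supplied a diff


def parse_alert(text: str) -> Dict[str, Optional[object]]:
    """Split one alert body into old/new size, md5, sha1 and the diff (None if absent)."""
    path = RE_PATH.search(text)
    if not path:
        raise ValueError("not an 'Integrity checksum changed' alert")
    rec: Dict[str, Optional[object]] = {"path": path.group(1)}
    for key, rx, conv in (("size", RE_SIZE, int), ("md5", RE_MD5, str), ("sha1", RE_SHA1, str)):
        m = rx.search(text)
        rec["old_" + key] = conv(m.group(1)) if m else None
        rec["new_" + key] = conv(m.group(2)) if m else None
    _, marker, tail = text.partition(DIFF_MARKER)
    # A marker followed by an empty body still counts as a missing report_change.
    rec["diff"] = (tail.strip("\n") or None) if marker else None
    return rec


def alerts_missing_diff(alerts: List[str]) -> List[str]:
    """Paths whose alerts carry no diff: the agents to inspect under queue/diff/local/."""
    return [r["path"] for r in map(parse_alert, alerts) if r["diff"] is None]


# Constructed samples: the first mirrors the diff-less e-mail in the post, the second shows
# the same change as it looks when the agent's diff.1486673498 content reaches the alert.
ALERT_NO_DIFF = """Integrity checksum changed for: '/etc/security/limits.conf'
Size changed from '1885' to '1927'
Old md5sum was: 'a639c5c0ea72bcb59c6a1379f6baa797'
New md5sum is : '301d246e310c78c2c76ef69cdefe00d1'
Old sha1sum was: '579006cf4e04899e05ff7812dc6a6c17500753fb'
New sha1sum is : '714e5ffa5da1b684d0d591b5a822460b8c8ba4c3'
"""
ALERT_WITH_DIFF = ALERT_NO_DIFF + "What changed:\n52a53,54\n> * soft stack 10240\n> * hard stack unlimited\n"

if __name__ == "__main__":
    print(alerts_missing_diff([ALERT_NO_DIFF, ALERT_WITH_DIFF]))  # ['/etc/security/limits.conf']
```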