All,

I have hundreds of machines that are (supposed to be) all configured 
exactly the same way via kickstarts and periodic Puppet runs.  I've noticed 
that sometimes a Puppet push will modify a file across all of our machines, 
and the resulting syscheck notifications are a mixed bag - some have the 
report_change included (the *diff*), and others generate an alert but lack 
the report_change details.

I'm scratching my head trying to figure out why it's working on some and 
not others.  Below are some details on a machine where report_change is 
failing:

*OSSEC Agent Version:*

ossec-hids-agent-2.9.0-48.el6.art.x86_64
ossec-hids-2.9.0-48.el6.art.x86_64


*inotify-tools Version:*

rpm -qa | grep -i inotify
inotify-tools-3.14-1.el6.x86_64


*E-mail Notification:*

Received From: (removed) 1.2.3.4->syscheck
Rule: 102907 fired (level 7) -> "File integrity changed, likely security relevant"
Portion of the log(s):

Integrity checksum changed for: '/etc/security/limits.conf'
Size changed from '1885' to '1927'
Old md5sum was: 'a639c5c0ea72bcb59c6a1379f6baa797'
New md5sum is : '301d246e310c78c2c76ef69cdefe00d1'
Old sha1sum was: '579006cf4e04899e05ff7812dc6a6c17500753fb'
New sha1sum is : '714e5ffa5da1b684d0d591b5a822460b8c8ba4c3'


*OSSEC Manager syscheck_control Output:*

/var/ossec/bin/syscheck_control -i 2337 -f /etc/security/limits.conf

Integrity changes for agent 'removed (2337) - 1.2.3.4':
Detailed information for entries matching: '/etc/security/limits.conf'

2017 Jan 31 12:55:42,0 - /etc/security/limits.conf
File added to the database. 
Integrity checking values:
   Size: 1885
   Perm: rw-r--r--
   Uid:  0
   Gid:  0
   Md5:  a639c5c0ea72bcb59c6a1379f6baa797
   Sha1: 579006cf4e04899e05ff7812dc6a6c17500753fb

2017 Feb 09 15:51:49,0 - /etc/security/limits.conf
File changed. - 1st time modified.
Integrity checking values:
   Size: >1927
   Perm: rw-r--r--
   Uid:  0
   Gid:  0
   Md5:  >301d246e310c78c2c76ef69cdefe00d1
   Sha1: >714e5ffa5da1b684d0d591b5a822460b8c8ba4c3


*The logs on the Agent do show that real-time monitoring was started prior to this change…*

2017/02/07 20:56:23 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
…
2017/02/07 21:30:07 ossec-syscheckd: INFO: Real time file monitoring started.


*Strangely enough, the diff file does exist on the filesystem for this machine:*

cat /var/ossec/queue/diff/local/etc/security/limits.conf/diff.1486673498
52a53,54
> * soft stack 10240
> * hard stack unlimited


# 1486673498 converts to Thursday February 09, 2017 15:51:38 (pm)


*As far as I can tell my agent.conf is correct (and remember I use this agent.conf across hundreds of nodes):*

<agent_config os="Linux">
  <syscheck>
    <auto_ignore>no</auto_ignore>
    <frequency>79200</frequency>

    <directories realtime="yes" report_changes="yes" check_all="yes">/etc</directories>
  </syscheck>
… 


*Permissions of /var/ossec/tmp:*

ls -ld /var/ossec/tmp/
dr-xr-x--- 2 root ossec 4096 Feb  9 16:27 /var/ossec/tmp/




Any thoughts on what could be causing this?
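An added example for readers working through the same comparison on a fleet of agents (it is not from this post or from the OSSEC project): a small POSIX sh script that checks, for one agent and one monitored file, whether a <directories> element with report_changes="yes" actually covers the file, whether a diff.<epoch> file was stored for it, and what mode the tmp directory has. It assumes the layout quoted above (queue/diff/local/<path>/diff.<epoch>) and that agent.conf lives at etc/shared/agent.conf under the OSSEC directory; the function names are the example's own, and the fixture it builds is constructed data modelled on the post, not output from a real host. The agent.conf check also handles comma-separated directory lists, which the post's config does not use.

```shell
#!/bin/sh
# Added example, not from the original post or the OSSEC project. Assumed layout:
#   $OSSEC_DIR/etc/shared/agent.conf
#   $OSSEC_DIR/queue/diff/local/<monitored path>/diff.<epoch>

# Does a <directories> element with report_changes="yes" cover FILE?
# Usage: report_changes_enabled AGENT_CONF FILE   (exit 0 = covered)
report_changes_enabled() {
    conf=$1
    file=$2
    # Join lines first so an element wrapped across lines (as in the post) still matches;
    # the attribute may appear in any order inside the tag, and the value may be a list.
    covered=$(tr -d '\n' < "$conf" \
        | grep -o '<directories[^>]*report_changes="yes"[^>]*>[^<]*</directories>' \
        | sed 's/.*>\([^<]*\)<\/directories>/\1/' \
        | tr ',' ' ')
    for p in $covered; do
        case "$file" in "$p"|"$p"/*) return 0 ;; esac
    done
    return 1
}

# Newest diff stored for FILE, printed as a full path. Usage: latest_diff OSSEC_DIR FILE
latest_diff() {
    dir="$1/queue/diff/local$2"
    [ -d "$dir" ] || return 1
    # diff.<epoch>: sort numerically on the epoch suffix so diff.9 < diff.10
    newest=$(ls "$dir" | grep '^diff\.[0-9][0-9]*$' | sort -t. -k2,2n | tail -n 1)
    [ -n "$newest" ] || return 1
    printf '%s\n' "$dir/$newest"
}

# Epoch seconds encoded in a diff file name (…/diff.1486673498 -> 1486673498)
diff_epoch() {
    printf '%s\n' "${1##*diff.}"
}

# Print a short report for one agent and one file; exit 0 only if every check passes.
# Usage: check_agent OSSEC_DIR FILE
check_agent() {
    base=$1
    file=$2
    status=0
    conf="$base/etc/shared/agent.conf"
    if [ -f "$conf" ] && report_changes_enabled "$conf" "$file"; then
        echo "ok   report_changes=\"yes\" covers $file"
    else
        echo "FAIL no report_changes=\"yes\" <directories> entry covers $file in $conf"
        status=1
    fi
    if d=$(latest_diff "$base" "$file"); then
        echo "ok   newest diff: $d (epoch $(diff_epoch "$d"))"
        sed 's/^/       /' "$d"
    else
        echo "FAIL no diff stored under $base/queue/diff/local$file"
        status=1
    fi
    # The post records the mode of tmp/ alongside the other details, so report it too.
    [ -d "$base/tmp" ] && echo "info $(ls -ld "$base/tmp")"
    return $status
}

# Constructed fixture modelled on the machine in the post (not data from a real host).
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc/shared" "$fx/queue/diff/local/etc/security/limits.conf" "$fx/tmp"
    cat > "$fx/etc/shared/agent.conf" <<'EOF'
<agent_config os="Linux">
  <syscheck>
    <auto_ignore>no</auto_ignore>
    <frequency>79200</frequency>
    <directories realtime="yes" report_changes="yes" 
check_all="yes">/etc</directories>
    <directories check_all="yes">/var/log</directories>
  </syscheck>
</agent_config>
EOF
    # an older diff plus the one quoted in the post; numeric sort must pick 1486673498
    printf '1c1\n< x\n---\n> y\n' > "$fx/queue/diff/local/etc/security/limits.conf/diff.1486000000"
    printf '52a53,54\n> * soft stack 10240\n> * hard stack unlimited\n' \
        > "$fx/queue/diff/local/etc/security/limits.conf/diff.1486673498"
    printf '%s\n' "$fx"
}

# Stand-alone demo against the constructed fixture; on a real agent run
#   check_agent /var/ossec /etc/security/limits.conf
demo=$(make_fixture)
check_agent "$demo" /etc/security/limits.conf
rm -rf "$demo"
```

Run it on a node that produced the diff-less alert and on one that included the diff, and compare the two reports line by line; a FAIL on the first check points at the shared agent.conf not being the one actually in effect, while a FAIL on the second means syscheckd never stored a diff for that path on that host.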

