Thanks for the info - I'd like to explore what I can actually do with OSSEC and do my due diligence before exploring other options.
I've spun up the following conf file and am running ossec-analysisd and ossec-syscheckd only - they seem to be healthy, but I'm not getting anything in /var/ossec/logs/alerts when I fiddle with stuff in /usr/bin. Any idea what might be going on? As far as I can tell syscheckd is configured to realtime monitor /usr/bin (and inotify works on this system), so my understanding is that I should be getting _something_ logged somewhere - am I fundamentally misunderstanding something?

<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>ossec_rules.xml</include>
  </rules>

  <syscheck>
    <frequency>72000</frequency>
    <directories realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>
  </syscheck>

  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>

  <remote>
    <disabled>yes</disabled>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Active Response Config -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>

Analysisd and syscheckd appear to start up just fine:

2017/03/03 22:06:26 ossec-analysisd: DEBUG: Starting ...
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Found user/group ...
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response initialized ...
2017/03/03 22:06:26 adding rule: rules_config.xml
2017/03/03 22:06:26 adding rule: ossec_rules.xml
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Read configuration ...
2017/03/03 22:06:26 ossec-analysisd: Initializing PF decoder..
2017/03/03 22:06:26 ossec-analysisd: Initializing SonicWall decoder..
2017/03/03 22:06:26 ossec-analysisd: Initializing SymantecWS decoder..
2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder.
2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder.
2017/03/03 22:06:26 ossec-analysisd: INFO: Reading local decoder file.
2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied.
2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied.
2017/03/03 22:06:26 0 : rule:1, level 0, timeout: 0
2017/03/03 22:06:26 1 : rule:600, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:601, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:602, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:603, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:604, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:605, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:606, level 3, timeout: 0
2017/03/03 22:06:26 0 : rule:2, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:3, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:4, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:5, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:6, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:7, level 0, timeout: 0
2017/03/03 22:06:26 1 : rule:500, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:530, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:531, level 7, timeout: 7200
2017/03/03 22:06:26 4 : rule:532, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:533, level 7, timeout: 0
2017/03/03 22:06:26 3 : rule:534, level 1, timeout: 0
2017/03/03 22:06:26 3 : rule:535, level 1, timeout: 0
2017/03/03 22:06:26 2 : rule:593, level 9, timeout: 0
2017/03/03 22:06:26 2 : rule:592, level 8, timeout: 0
2017/03/03 22:06:26 2 : rule:555, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:501, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:502, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:503, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:504, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:591, level 3, timeout: 0
2017/03/03 22:06:26 1 : rule:509, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:510, level 7, timeout: 0
2017/03/03 22:06:26 3 : rule:511, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:515, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:513, level 9, timeout: 0
2017/03/03 22:06:26 3 : rule:512, level 3, timeout: 0
2017/03/03 22:06:26 3 : rule:516, level 3, timeout: 0
2017/03/03 22:06:26 4 : rule:519, level 7, timeout: 0
2017/03/03 22:06:26 3 : rule:514, level 2, timeout: 0
2017/03/03 22:06:26 4 : rule:518, level 9, timeout: 0
2017/03/03 22:06:26 1 : rule:554, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:598, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:700, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:701, level 0, timeout: 0
2017/03/03 22:06:26 1 : rule:580, level 8, timeout: 0
2017/03/03 22:06:26 1 : rule:581, level 8, timeout: 0
2017/03/03 22:06:26 1 : rule:550, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:594, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:551, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:595, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:552, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:596, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:553, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:597, level 5, timeout: 0
2017/03/03 22:06:26 ossec-analysisd: INFO: Total rules enabled: '53'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2017/03/03 22:06:26 ossec-analysisd: INFO: Chrooted to directory: /var/ossec
2017/03/03 22:06:26 ossec-analysisd: INFO: Using user: ossec
2017/03/03 22:06:26 ossec-analysisd: INFO: Started (pid: 1761).
2017/03/03 22:06:26 ossec-analysisd: SyscheckInit completed.
2017/03/03 22:06:26 ossec-analysisd: RootcheckInit completed.
2017/03/03 22:06:26 ossec-analysisd: OS_CreateEventList completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: FTSInit completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Accumulator Init completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response Init completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Startup completed. Waiting for new messages..
2017/03/03 22:06:55 ossec-syscheckd: DEBUG: Starting ...
2017/03/03 22:06:55 syscheckd: Reading Configuration [/var/ossec/etc/ossec.conf]
2017/03/03 22:06:55 rootcheck: DEBUG: Starting ...
2017/03/03 22:06:55 rootcheck: Rootcheck disabled. Exiting.
2017/03/03 22:06:55 ossec-syscheckd: WARN: Rootcheck module disabled.
2017/03/03 22:06:59 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '8388608'.
2017/03/03 22:06:59 ossec-syscheckd: INFO: Started (pid: 1792).
2017/03/03 22:06:59 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/03/03 22:06:59 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
2017/03/03 22:06:59 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
2017/03/03 22:07:11 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2017/03/03 22:08:01 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2017/03/03 22:08:01 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2017/03/03 22:08:01 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2017/03/03 22:08:01 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/bin'.
2017/03/03 22:09:28 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/sbin'.
2017/03/03 22:10:19 ossec-syscheckd: INFO: Real time file monitoring started.
2017/03/03 22:10:19 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2017/03/03 22:10:31 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

If I shuffle stuff around in /usr/bin, I don't see any logs anywhere. How can I verify that the FIM monitoring is actually working? I see there are various entries in the syscheck queue for the existing files, but nothing else.

On Friday, March 3, 2017 at 12:54:10 PM UTC-6, dan (ddpbsd) wrote:
> On Fri, Mar 3, 2017 at 7:17 AM, Noilson Caio <caio...@gmail.com> wrote:
> > @dan - are there problems if Mr. @Gardner deactivates "ossec-monitord,
> > ossec-logcollector, ossec-analysisd and ossec-execd" in the ossec-control
> > startup script? Maybe he is asking for that. I did try this in the past, but I
> > remember that the ossec-syscheckd log showed a "queue not accessible" error, I
> > guess =]
>
> Yes, there will be issues. ossec-analysisd does the analysis,
> including checking the syscheck hashes. I've been thinking about
> pushing the syscheck hash checking to its own daemon, but haven't done
> any actual work on it. It's basically in the "shower thoughts" stage.
>
> I can't remember off hand whether syscheckd communicates with
> logcollector or some other daemon, but that one is probably necessary.
> You can find out easily by killing logcollector and seeing if syscheck
> complains.
>
> ossec-monitord does stuff. What stuff? I can't remember off hand, but
> basically various tasks required by OSSEC. I'd be wary of disabling
> that one.
>
> execd is safe to remove.
>
> I think if someone only wants FIM capabilities and an extremely
> minimal footprint, OSSEC may not be the package for them. Projects
> like Aide are great at what they do without the fluff.
> But that kind of decision is very project/requirement specific, so
> don't consider this a professional opinion. :-)
>
> > On Thu, Mar 2, 2017 at 4:44 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >> On Thu, Mar 2, 2017 at 2:33 PM, Sam Gardner <lwne...@gmail.com> wrote:
> >> > Hi All -
> >> >
> >> > I'd like to run only the syscheck subsystem in order to provide FIM.
> >> >
> >> > I don't see anything in the docs that immediately appears to do what I want
> >> > - is there any way to run syscheckd in "standalone" mode or only alongside
> >> > analysisd?
> >> >
> >>
> >> Remove the localfile configurations. Disable active response. Disable
> >> rootcheck (if that's not something you want).
> >>
> >> > Thanks,
> >> > Sam Gardner
> >
> > --
> > Noilson Caio Teixeira de Araújo
> > https://ncaio.wordpress.com
> > https://br.linkedin.com/in/ncaio
> > https://twitter.com/noilsoncaio
> > https://jammer4.wordpress.com/
> > http://8bit.academy

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
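The question in this thread is how to tell from the outside whether the syscheck -> analysisd alert path is live. The following Python check, added here as an editor's example (it is not from the thread or from OSSEC), reads a startup log of the kind quoted above and reports which directories got a realtime watch, when realtime monitoring actually started, and which stock syscheck file rules (550-552 checksum changed, 553 deleted, 554 added) load at a level that can never reach alerts.log for the configured log_alert_level. The sample input is a constructed excerpt modelled on the quoted log; the message formats and rule ids are those the log itself shows.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the ossec-analysisd / ossec-syscheckd startup
# log quoted in the thread; sample input for this check, not the poster's full log.
SAMPLE_LOG = """\
2017/03/03 22:06:26 1 : rule:550, level 7, timeout: 0
2017/03/03 22:06:26 1 : rule:553, level 7, timeout: 0
2017/03/03 22:06:26 1 : rule:554, level 0, timeout: 0
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Startup completed. Waiting for new messages..
2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
2017/03/03 22:08:01 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2017/03/03 22:08:01 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/bin'.
2017/03/03 22:09:28 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/sbin'.
2017/03/03 22:10:19 ossec-syscheckd: INFO: Real time file monitoring started.
"""

# Stock OSSEC syscheck file rules: 550-552 checksum changed, 553 deleted, 554 added.
SYSCHECK_FILE_RULES = range(550, 555)

TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")
RULE_RE = re.compile(r"\brule:(\d+), level (\d+),")
ADDED_RE = re.compile(r"Directory added for real time monitoring: '([^']+)'")
STARTED = "Real time file monitoring started."


def check_fim_startup(log: str, log_alert_level: int) -> Dict[str, object]:
    """Summarise what a startup log proves about the syscheck -> analysisd alert path."""
    realtime_dirs: List[str] = []
    started_at: Optional[str] = None
    silent_rules: List[int] = []
    for line in log.splitlines():
        ts = TS_RE.match(line)
        stamp = ts.group(1) if ts else None
        m = ADDED_RE.search(line)
        if m:
            realtime_dirs.append(m.group(1))
        if STARTED in line:
            started_at = stamp
        m = RULE_RE.search(line)
        if m and int(m.group(1)) in SYSCHECK_FILE_RULES:
            level = int(m.group(2))
            # Level 0 rules never alert; below log_alert_level nothing reaches alerts.log.
            if level == 0 or level < log_alert_level:
                silent_rules.append(int(m.group(1)))
    return {
        "realtime_dirs": realtime_dirs,
        "realtime_started_at": started_at,  # changes made before this are not seen by inotify
        "silent_rules": silent_rules,       # e.g. 554: a newly added file produces no alert
    }


if __name__ == "__main__":
    print(check_fim_startup(SAMPLE_LOG, log_alert_level=1))
```

Two things this surfaces in the quoted log: realtime only started at 22:10:19, more than three minutes after syscheckd came up, so edits made during the pre-scan are not candidates for a realtime alert; and rule 554 loads at level 0, which is the stock default, so adding a file to /usr/bin cannot produce an alert unless that rule's level is raised (and syscheck's alert_new_files option is enabled).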