Thanks for the info - I'd like to explore what I can actually do with OSSEC 
and do my due diligence before exploring other options.

I've spun up the following conf file and am running ossec-analysisd and 
ossec-syscheckd only - they seem to be healthy, but I'm not getting 
anything in /var/ossec/logs/alerts when I fiddle with stuff in /usr/bin.

Any idea what might be going on? As far as I can tell syscheckd is 
configured to realtime monitor /usr/bin (and inotify works on this system), 
so my understanding is that I should be getting _something_ logged 
somewhere - am I fundamentally misunderstanding something?

<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>ossec_rules.xml</include>
  </rules>

  <syscheck>
    <frequency>72000</frequency>

    <directories realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>
  </syscheck>

  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>

  <remote>
    <disabled>yes</disabled>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Active Response Config -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>

Analysisd and syscheckd appear to start up just fine:
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Starting ...
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Found user/group ...
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response initialized ...
2017/03/03 22:06:26 adding rule: rules_config.xml
2017/03/03 22:06:26 adding rule: ossec_rules.xml
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Read configuration ...
2017/03/03 22:06:26 ossec-analysisd: Initializing PF decoder..
2017/03/03 22:06:26 ossec-analysisd: Initializing SonicWall decoder..
2017/03/03 22:06:26 ossec-analysisd: Initializing SymantecWS decoder..
2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder.
2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder.
2017/03/03 22:06:26 ossec-analysisd: INFO: Reading local decoder file.
2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied.
2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied.
2017/03/03 22:06:26 0 : rule:1, level 0, timeout: 0
2017/03/03 22:06:26 1 : rule:600, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:601, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:602, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:603, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:604, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:605, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:606, level 3, timeout: 0
2017/03/03 22:06:26 0 : rule:2, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:3, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:4, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:5, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:6, level 0, timeout: 0
2017/03/03 22:06:26 0 : rule:7, level 0, timeout: 0
2017/03/03 22:06:26 1 : rule:500, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:530, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:531, level 7, timeout: 7200
2017/03/03 22:06:26 4 : rule:532, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:533, level 7, timeout: 0
2017/03/03 22:06:26 3 : rule:534, level 1, timeout: 0
2017/03/03 22:06:26 3 : rule:535, level 1, timeout: 0
2017/03/03 22:06:26 2 : rule:593, level 9, timeout: 0
2017/03/03 22:06:26 2 : rule:592, level 8, timeout: 0
2017/03/03 22:06:26 2 : rule:555, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:501, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:502, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:503, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:504, level 3, timeout: 0
2017/03/03 22:06:26 2 : rule:591, level 3, timeout: 0
2017/03/03 22:06:26 1 : rule:509, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:510, level 7, timeout: 0
2017/03/03 22:06:26 3 : rule:511, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:515, level 0, timeout: 0
2017/03/03 22:06:26 3 : rule:513, level 9, timeout: 0
2017/03/03 22:06:26 3 : rule:512, level 3, timeout: 0
2017/03/03 22:06:26 3 : rule:516, level 3, timeout: 0
2017/03/03 22:06:26 4 : rule:519, level 7, timeout: 0
2017/03/03 22:06:26 3 : rule:514, level 2, timeout: 0
2017/03/03 22:06:26 4 : rule:518, level 9, timeout: 0
2017/03/03 22:06:26 1 : rule:554, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:598, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:700, level 0, timeout: 0
2017/03/03 22:06:26 2 : rule:701, level 0, timeout: 0
2017/03/03 22:06:26 1 : rule:580, level 8, timeout: 0
2017/03/03 22:06:26 1 : rule:581, level 8, timeout: 0
2017/03/03 22:06:26 1 : rule:550, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:594, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:551, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:595, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:552, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:596, level 5, timeout: 0
2017/03/03 22:06:26 1 : rule:553, level 7, timeout: 0
2017/03/03 22:06:26 2 : rule:597, level 5, timeout: 0
2017/03/03 22:06:26 ossec-analysisd: INFO: Total rules enabled: '53'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2017/03/03 22:06:26 ossec-analysisd: INFO: Chrooted to directory: /var/ossec
2017/03/03 22:06:26 ossec-analysisd: INFO: Using user: ossec
2017/03/03 22:06:26 ossec-analysisd: INFO: Started (pid: 1761).
2017/03/03 22:06:26 ossec-analysisd: SyscheckInit completed.
2017/03/03 22:06:26 ossec-analysisd: RootcheckInit completed.
2017/03/03 22:06:26 ossec-analysisd: OS_CreateEventList completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: FTSInit completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Accumulator Init completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response Init completed.
2017/03/03 22:06:26 ossec-analysisd: DEBUG: Startup completed. Waiting for new messages..
2017/03/03 22:06:55 ossec-syscheckd: DEBUG: Starting ...
2017/03/03 22:06:55 syscheckd: Reading Configuration [/var/ossec/etc/ossec.conf]
2017/03/03 22:06:55 rootcheck: DEBUG: Starting ...
2017/03/03 22:06:55 rootcheck: Rootcheck disabled. Exiting.
2017/03/03 22:06:55 ossec-syscheckd: WARN: Rootcheck module disabled.
2017/03/03 22:06:59 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '8388608'.
2017/03/03 22:06:59 ossec-syscheckd: INFO: Started (pid: 1792).
2017/03/03 22:06:59 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/03/03 22:06:59 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
2017/03/03 22:06:59 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
2017/03/03 22:07:11 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2017/03/03 22:08:01 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2017/03/03 22:08:01 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2017/03/03 22:08:01 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2017/03/03 22:08:01 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/bin'.
2017/03/03 22:09:28 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/sbin'.
2017/03/03 22:10:19 ossec-syscheckd: INFO: Real time file monitoring started.
2017/03/03 22:10:19 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2017/03/03 22:10:31 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

If I shuffle stuff around in /usr/bin, I don't see any logs anywhere. How 
can I verify that the FIM monitoring is actually working? I see there are 
various entries in the syscheck queue for the existing files, but nothing 
else.

On Friday, March 3, 2017 at 12:54:10 PM UTC-6, dan (ddpbsd) wrote:
>
> On Fri, Mar 3, 2017 at 7:17 AM, Noilson Caio <caio...@gmail.com> wrote: 
> > @dan - are there problems if Mr. @Gardner deactivates "ossec-monitord, 
> > ossec-logcollector, ossec-analysisd and ossec-execd" in the ossec-control 
> > startup script? Maybe he is asking for that. I did try this in the past, but I 
> > remember that the ossec-syscheckd log showed a "queue not accessible" error, I 
> > guess =] 
> > 
>
> Yes, there will be issues. ossec-analysisd does the analysis, 
> including checking the syscheck hashes. I've been thinking about 
> pushing the syscheck hash checking to its own daemon, but haven't done 
> any actual work on it. It's basically in the "shower thoughts" stage. 
>
> I can't remember offhand whether syscheckd communicates with 
> logcollector or some other daemon, but that one is probably necessary. 
> You can find out easily by killing logcollector and seeing if syscheck 
> complains. 
>
> ossec-monitord does stuff. What stuff? I can't remember offhand, but 
> basically various tasks required by OSSEC. I'd be wary of disabling 
> that one. 
>
> execd is safe to remove. 
>
> I think if someone only wants FIM capabilities and an extremely 
> minimal footprint, OSSEC may not be the package for them. Projects 
> like Aide are great at what they do without the fluff. 
> But that kind of decision is very project/requirement specific, so 
> don't consider this a professional opinion. :-) 
>
> > On Thu, Mar 2, 2017 at 4:44 PM, dan (ddp) <ddp...@gmail.com> wrote: 
> >> 
> >> On Thu, Mar 2, 2017 at 2:33 PM, Sam Gardner <lwne...@gmail.com> wrote: 
> >> > Hi All - 
> >> > 
> >> > I'd like to run only the syscheck subsystem in order to provide FIM. 
> >> > 
> >> > I don't see anything in the docs that immediately appears to do what I 
> >> > want - is there any way to run syscheckd in "standalone" mode or only 
> >> > alongside analysisd? 
> >> > 
> >> 
> >> Remove the localfile configurations. Disable active response. Disable 
> >> rootcheck (if that's not something you want). 
> >> 
> >> > Thanks, 
> >> > Sam Gardner 
> >> > 
> > -- 
> > Noilson Caio Teixeira de Araújo 
> > https://ncaio.wordpress.com 
> > https://br.linkedin.com/in/ncaio 
> > https://twitter.com/noilsoncaio 
> > https://jammer4.wordpress.com/ 
> > http://8bit.academy 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
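The question of how to verify that FIM is actually producing output can be checked from the alerts side: as an added example (not from this thread or from OSSEC itself), this Python parser pulls syscheck records (rules 550 and 553, both loaded at level 7 in the startup log above) out of OSSEC's alerts.log and keeps those under the monitored directories. The alerts.log record layout and the default /var/ossec/logs/alerts/alerts.log path are assumed from a standard install, and the sample records are constructed.

```python
import re

# One alerts.log record starts with "** Alert <epoch.seq>: <groups>"; the Rule line follows.
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '([^']*)'")
PATH_RE = re.compile(r"'(/[^']*)'")  # first single-quoted absolute path in the record body

# syscheck rule IDs from ossec_rules.xml, as listed in the startup log above. 554 (file
# added) loads at level 0, below log_alert_level 1, so it never reaches alerts.log as-is.
FIM_RULES = {550: "changed", 553: "deleted", 554: "added"}


def parse_fim_alerts(text, prefixes=("/usr/bin", "/usr/sbin")):
    """Return [(rule_id, change_kind, path)] for syscheck alerts under the given dirs."""
    hits = []
    for block in text.split("** Alert ")[1:]:
        lines = block.splitlines()
        rule_idx = next((i for i, l in enumerate(lines) if l.startswith("Rule:")), None)
        if rule_idx is None:
            continue
        rule_m = RULE_RE.match(lines[rule_idx])
        if not rule_m or int(rule_m.group(1)) not in FIM_RULES:
            continue
        # md5/sha1 values are quoted too, but only the file path starts with '/'
        path_m = PATH_RE.search("\n".join(lines[rule_idx + 1:]))
        if path_m and path_m.group(1).startswith(prefixes):
            rid = int(rule_m.group(1))
            hits.append((rid, FIM_RULES[rid], path_m.group(1)))
    return hits


# Constructed sample in the alerts.log layout, not a capture from the poster's system.
SAMPLE_ALERTS = """\
** Alert 1488585000.1: - ossec,syscheck,
2017 Mar 03 22:30:00 testhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/usr/bin/example-tool'
Size changed from '1024' to '1040'
Old md5sum was: '0123456789abcdef0123456789abcdef'
New md5sum is : 'fedcba9876543210fedcba9876543210'

** Alert 1488585010.2: - ossec,syscheck,
2017 Mar 03 22:30:10 testhost->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/usr/sbin/example-daemon' was deleted. Unable to retrieve checksum.
"""

if __name__ == "__main__":  # e.g. python3 fim_alerts.py /var/ossec/logs/alerts/alerts.log
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/logs/alerts/alerts.log") as fh:
        print(parse_fim_alerts(fh.read()))
```

Rule 554 (file added) loads at level 0 in the startup log above, below the configured log_alert_level of 1, so creating a new file in /usr/bin will not produce an alerts.log record unless that rule's level is raised in local_rules.xml; modifying or deleting an existing file exercises rules 550 and 553 instead.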
