Re: [ossec-list] Inconsistencies with syscheck realtime + report_changes

2017-02-09 Thread Victor Fernandez
Hi Chris,

It's really curious that Syscheck creates the diff file but doesn't send
it. There should be no difference between configuring it in real-time or
not.

I see that the diff file matches the actual change by the size difference.
However, did you see any error at the /var/ossec/logs/ossec.log file that
could be related to this issue? Anything like:

ERROR: Unable to generate diff alert.


Best regards.


On Thu, Feb 9, 2017 at 1:51 PM, Chris Decker wrote:

> All,
>
> I have hundreds of machines that are (supposed to be) all configured
> exactly the same way via kickstarts and periodic Puppet runs.  I've noticed
> that sometimes a Puppet push will modify a file across all of our machines,
> and the resulting syscheck notifications are a mixed bag - some have the
> report_change included (the *diff*), and others generate an alert but
> lack the report_change details.
>
> I'm scratching my head trying to figure out why it's working on some and
> not others.  Below are some details on a machine where report_change is
> failing:
>
> *OSSEC Agent Version:*
>
> ossec-hids-agent-2.9.0-48.el6.art.x86_64
> ossec-hids-2.9.0-48.el6.art.x86_64
>
>
> *inotify-tools Version:*
>
> rpm -qa | grep -i inotify
> inotify-tools-3.14-1.el6.x86_64
>
>
> *E-mail Notification:*
>
> Received From: (removed) 1.2.3.4->syscheck
> Rule: 102907 fired (level 7) -> "File integrity changed, likely security
> relevant"
> Portion of the log(s):
>
> Integrity checksum changed for: '/etc/security/limits.conf'
> Size changed from '1885' to '1927'
> Old md5sum was: 'a639c5c0ea72bcb59c6a1379f6baa797'
> New md5sum is : '301d246e310c78c2c76ef69cdefe00d1'
> Old sha1sum was: '579006cf4e04899e05ff7812dc6a6c17500753fb'
> New sha1sum is : '714e5ffa5da1b684d0d591b5a822460b8c8ba4c3'
>
>
> *OSSEC Manager syscheck_control Output:*
>
> /var/ossec/bin/syscheck_control -i 2337 -f /etc/security/limits.conf
>
> Integrity changes for agent 'removed (2337) - 1.2.3.4':
> Detailed information for entries matching: '/etc/security/limits.conf'
>
> 2017 Jan 31 12:55:42,0 - /etc/security/limits.conf
> File added to the database.
> Integrity checking values:
>    Size: 1885
>    Perm: rw-r--r--
>    Uid:  0
>    Gid:  0
>    Md5:  a639c5c0ea72bcb59c6a1379f6baa797
>    Sha1: 579006cf4e04899e05ff7812dc6a6c17500753fb
>
> 2017 Feb 09 15:51:49,0 - /etc/security/limits.conf
> File changed. - 1st time modified.
> Integrity checking values:
>    Size: >1927
>    Perm: rw-r--r--
>    Uid:  0
>    Gid:  0
>    Md5:  >301d246e310c78c2c76ef69cdefe00d1
>    Sha1: >714e5ffa5da1b684d0d591b5a822460b8c8ba4c3
>
>
> *The logs on the Agent do show that real-time monitoring was started prior
> to this change…*
>
> 2017/02/07 20:56:23 ossec-syscheckd: INFO: Initializing real time file
> monitoring (not started).
> …
> 2017/02/07 21:30:07 ossec-syscheckd: INFO: Real time file monitoring
> started.
>
>
> *Strangely enough, the diff file does exist on the filesystem for this
> machine:*
>
> cat /var/ossec/queue/diff/local/etc/security/limits.conf/diff.1486673498
> 52a53,54
> > * soft stack 10240
> > * hard stack unlimited
>
>
> # 1486673498 converts to Thursday February 09, 2017 15:51:38 (pm)
>
>
> *As far as I can tell my agent.conf is correct (and remember I use this
> agent.conf across hundreds of nodes):*
>
> 
>   
> no
> 79200
>
> /etc
>   
> …
>
>
> *Permissions of /var/ossec/tmp:*
>
> ls -ld /var/ossec/tmp/
> dr-xr-x--- 2 root ossec 4096 Feb  9 16:27 /var/ossec/tmp/
>
>
>
>
> Any thoughts on what could be causing this?
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.



[ossec-list] Inconsistencies with syscheck realtime + report_changes

2017-02-09 Thread Chris Decker
All,

I have hundreds of machines that are (supposed to be) all configured 
exactly the same way via kickstarts and periodic Puppet runs.  I've noticed 
that sometimes a Puppet push will modify a file across all of our machines, 
and the resulting syscheck notifications are a mixed bag - some have the 
report_change included (the *diff*), and others generate an alert but lack 
the report_change details.

I'm scratching my head trying to figure out why it's working on some and 
not others.  Below are some details on a machine where report_change is 
failing:

*OSSEC Agent Version:*

ossec-hids-agent-2.9.0-48.el6.art.x86_64
ossec-hids-2.9.0-48.el6.art.x86_64


*inotify-tools Version:*

rpm -qa | grep -i inotify
inotify-tools-3.14-1.el6.x86_64


*E-mail Notification:*

Received From: (removed) 1.2.3.4->syscheck
Rule: 102907 fired (level 7) -> "File integrity changed, likely security 
relevant"
Portion of the log(s):

Integrity checksum changed for: '/etc/security/limits.conf'
Size changed from '1885' to '1927'
Old md5sum was: 'a639c5c0ea72bcb59c6a1379f6baa797'
New md5sum is : '301d246e310c78c2c76ef69cdefe00d1'
Old sha1sum was: '579006cf4e04899e05ff7812dc6a6c17500753fb'
New sha1sum is : '714e5ffa5da1b684d0d591b5a822460b8c8ba4c3'


*OSSEC Manager syscheck_control Output:*

/var/ossec/bin/syscheck_control -i 2337 -f /etc/security/limits.conf

Integrity changes for agent 'removed (2337) - 1.2.3.4':
Detailed information for entries matching: '/etc/security/limits.conf'

2017 Jan 31 12:55:42,0 - /etc/security/limits.conf
File added to the database. 
Integrity checking values:
   Size: 1885
   Perm: rw-r--r--
   Uid:  0
   Gid:  0
   Md5:  a639c5c0ea72bcb59c6a1379f6baa797
   Sha1: 579006cf4e04899e05ff7812dc6a6c17500753fb

2017 Feb 09 15:51:49,0 - /etc/security/limits.conf
File changed. - 1st time modified.
Integrity checking values:
   Size: >1927
   Perm: rw-r--r--
   Uid:  0
   Gid:  0
   Md5:  >301d246e310c78c2c76ef69cdefe00d1
   Sha1: >714e5ffa5da1b684d0d591b5a822460b8c8ba4c3


*The logs on the Agent do show that real-time monitoring was started prior 
to this change…*

2017/02/07 20:56:23 ossec-syscheckd: INFO: Initializing real time file 
monitoring (not started).
…
2017/02/07 21:30:07 ossec-syscheckd: INFO: Real time file monitoring 
started.


*Strangely enough, the diff file does exist on the filesystem for this 
machine:*

cat /var/ossec/queue/diff/local/etc/security/limits.conf/diff.1486673498 
52a53,54
> * soft stack 10240
> * hard stack unlimited


# 1486673498 converts to Thursday February 09, 2017 15:51:38 (pm)


*As far as I can tell my agent.conf is correct (and remember I use this 
agent.conf across hundreds of nodes):*


  
no
79200

/etc
  
… 


*Permissions of /var/ossec/tmp:*

ls -ld /var/ossec/tmp/
dr-xr-x--- 2 root ossec 4096 Feb  9 16:27 /var/ossec/tmp/ 




Any thoughts on what could be causing this?


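A small agent-side triage script for the symptom discussed in this thread, added here as an example and not part of the thread or of OSSEC itself: it lists the diff files syscheck stored under queue/diff/local for a monitored path, converts the epoch suffix to UTC (as Chris did by hand for 1486673498), and counts the "Unable to generate diff alert" errors Victor asked about. OSSEC_DIR is an assumed install root, and the fixture built by make_demo_tree is constructed data mirroring the thread.

```shell
# Added triage helper, not OSSEC's own code. OSSEC_DIR is the assumed install
# root; diffs live under queue/diff/local/<path>/diff.<epoch> as shown in the thread.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Diff-file epoch suffix -> UTC timestamp (GNU date first, BSD date fallback).
epoch_to_utc() {
    fmt='%Y-%m-%d %H:%M:%S'
    date -u -d "@$1" +"$fmt" 2>/dev/null || date -u -r "$1" +"$fmt"
}

# Diff files syscheck stored for one monitored path, oldest first: "<epoch> <utc> <file>".
list_diffs() {
    dir="$OSSEC_DIR/queue/diff/local$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/diff.*; do
        [ -f "$f" ] || continue
        epoch="${f##*.}"
        printf '%s %s %s\n' "$epoch" "$(epoch_to_utc "$epoch")" "$f"
    done | sort -n
}

# Number of "Unable to generate diff alert" errors syscheckd wrote to ossec.log.
count_diff_errors() {
    log="$OSSEC_DIR/logs/ossec.log"
    [ -f "$log" ] || { echo 0; return 0; }
    grep -c 'Unable to generate diff alert' "$log" || true
}

# One-line verdict for a path. Exit code: 1 = no diff stored (report_changes never ran),
# 2 = diff stored but the error is logged, 0 = diff stored, no error (check the manager next).
triage_report_changes() {
    n_diff=$(list_diffs "$1" | wc -l)
    n_err=$(count_diff_errors)
    if [ "$n_diff" -eq 0 ]; then
        echo "no diff stored for $1"; return 1
    elif [ "$n_err" -gt 0 ]; then
        echo "$n_diff diff(s) for $1, $n_err diff-alert error(s) in ossec.log"; return 2
    fi
    echo "$n_diff diff(s) for $1, no diff-alert errors logged"; return 0
}

# Constructed fixture (not real data): limits.conf diff present, error in ossec.log.
make_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/queue/diff/local/etc/security/limits.conf" "$demo_root/logs"
    printf '52a53,54\n> * soft stack 10240\n> * hard stack unlimited\n' > "$demo_root/queue/diff/local/etc/security/limits.conf/diff.1486673498"
    echo '2017/02/09 15:51:38 ossec-syscheckd: ERROR: Unable to generate diff alert.' > "$demo_root/logs/ossec.log"
    echo "$demo_root"
}
```

On a real agent, run `triage_report_changes /etc/security/limits.conf` with OSSEC_DIR unset; exit code 0 means the agent side looks healthy and the comparison should move to `syscheck_control -i <id> -f <path>` on the manager.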