One thing that always annoyed me about OSSEC was that ossec-reportd didn't list the file changes (from syscheck) and that I couldn't use its filtering options on them. Well, that's solved now 🙂
On the latest OSSEC snapshot you can use the "filename" option to filter and correlate values. For example, if I run the default report for the month of May, I see at the bottom a list of file changes:
# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd
..
Top entries for 'Filenames':
------------------------------------------------
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |
You can also use the "related" option to see on which agents each file was changed. So for a basic integrity monitoring report, I would filter on the group syscheck and list, per location, which files changed there:
# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename
..
Top entries for 'Filenames':
------------------------------------------------
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |

Related entries for 'Location':
------------------------------------------------
web1->syscheck |1 |
    filename: '/etc/ossec-init.conf'
    filename: '/var/www/x/js.js'
    filename: '/var/www/x/index.php'
db1->syscheck
    filename: '/etc/ossec-init.conf'
obsd-fw->syscheck
    filename: '/etc/ossec-init.conf'
So the report is simple: it shows which files were changed and how many times (for example, ossec-init changed 3 times, on 3 agents). I am even thinking of enabling these reports by default and reducing the severity of the normal syscheck alerts so they don't get sent by email. Comments?