One thing that always annoyed me about OSSEC was that ossec-reportd didn't list the file changes reported by syscheck, so I couldn't use its filtering options on them. Well, that's solved now 🙂
On the latest OSSEC snapshot you can use the "filename" option to filter and correlate values. For example, if I run the default report for the month of May, I see a list of file changes at the bottom:
# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd
..
Top entries for 'Filenames':
----------------
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |
You can also use the "related" option (-r) to see on which agents each file was changed. So for a basic integrity monitoring report, I filter on the group syscheck (-f group syscheck) and relate each location (agent->log source) to the filenames seen there (-r location filename):
# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename
..
Top entries for 'Filenames':
----------------
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |
Related entries for 'Location':
----------------
web1->syscheck |1 |
    filename: '/etc/ossec-init.conf'
    filename: '/var/www/x/js.js'
    filename: '/var/www/x/index.php'
db1->syscheck
    filename: '/etc/ossec-init.conf'
obsd-fw->syscheck
    filename: '/etc/ossec-init.conf'
So the report is simple. It shows which files were changed and how many times (for example, ossec-init changed 3 times, on 3 agents). I am even thinking of making these reports enabled by default and reducing the severity of the normal syscheck alerts so they don't get sent by email. Comments?
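To make it concrete what the `-f group syscheck -r location filename` report is actually computing, here is an added example (not OSSEC code, and not the ossec-reportd implementation) that does the same grouping in Python over alerts.log text. The sample alerts are constructed for this example: the hostnames, IPs and files are invented, and the record layout (`** Alert` header, date/location line, `Rule:` line, then the syscheck message) is assumed from the OSSEC 2.x alerts.log format. The filename is pulled from the checksum-changed, file-added and file-deleted messages; non-syscheck alerts are dropped the way the group filter drops them.

```python
"""Toy equivalent of `ossec-reportd -f group syscheck -r location filename`."""
import re
from collections import Counter, defaultdict

# Constructed sample in the assumed alerts.log layout (hosts/IPs/files invented).
SAMPLE_ALERTS = """\
** Alert 1304218800.0: - syscheck,
2011 May 01 03:00:00 (web1) 192.168.1.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ossec-init.conf'
Size changed from '213' to '215'

** Alert 1304218801.120: - syscheck,
2011 May 01 03:00:01 (web1) 192.168.1.10->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/var/www/x/js.js' added to the file system.

** Alert 1304218802.340: - syscheck,
2011 May 01 03:00:02 (web1) 192.168.1.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/var/www/x/index.php'

** Alert 1304305200.0: - syscheck,
2011 May 02 03:00:00 (db1) 192.168.1.20->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ossec-init.conf'

** Alert 1304305201.50: - syscheck,
2011 May 02 03:00:01 (obsd-fw) 192.168.1.1->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ossec-init.conf'

** Alert 1304305300.0: - syslog,sshd,authentication_success,
2011 May 02 03:01:40 (web1) 192.168.1.10->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
May  2 03:01:40 web1 sshd[123]: Accepted publickey for root from 10.0.0.5
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+): - (?P<groups>.*),$")
# "2011 May 01 03:00:00 (web1) 192.168.1.10->syscheck"  (agent)
# "2011 May 01 03:00:00 ossec-server->syscheck"          (local host)
LOCATION_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) \S+|(?P<host>\S+))->(?P<location>\S+)$"
)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\)")
FILENAME_RES = [
    re.compile(r"^Integrity checksum changed for: '(?P<file>.+)'"),
    re.compile(r"^New file '(?P<file>.+)' added to the file system"),
    re.compile(r"^File '(?P<file>.+)' was deleted"),
]


def parse_alerts(text):
    """Split alerts.log text into dicts: id, groups, location, rule, filename."""
    records, current = [], []
    for ln in text.splitlines():
        if ln.startswith("** Alert "):      # each record starts with the header
            if current:
                records.append(current)
            current = [ln]
        elif ln.strip() and current:
            current.append(ln)
    if current:
        records.append(current)

    alerts = []
    for lines in records:
        head = HEADER_RE.match(lines[0])
        loc = LOCATION_RE.match(lines[1]) if len(lines) > 1 else None
        if not head or not loc:
            continue  # malformed record: skip rather than miscount it
        name = loc.group("agent") or loc.group("host")
        alert = {
            "id": head.group("id"),
            "groups": {g.strip() for g in head.group("groups").split(",") if g.strip()},
            "location": f"{name}->{loc.group('location')}",
            "rule": None,
            "filename": None,
        }
        for ln in lines[2:]:
            m = RULE_RE.match(ln)
            if m:
                alert["rule"] = int(m.group("rule"))
            for fre in FILENAME_RES:
                m = fre.match(ln)
                if m:
                    alert["filename"] = m.group("file")
        alerts.append(alert)
    return alerts


def syscheck_report(alerts, group="syscheck"):
    """Count alerts per filename and record which filenames each location reported."""
    by_file = Counter()
    by_location = defaultdict(set)
    for a in alerts:
        if group not in a["groups"] or not a["filename"]:
            continue  # the -f group filter: drop everything that is not syscheck
        by_file[a["filename"]] += 1
        by_location[a["location"]].add(a["filename"])
    return by_file, dict(by_location)


def format_report(by_file, by_location):
    """Render the two sections in the same shape as the ossec-reportd output."""
    out = ["Top entries for 'Filenames':", "-" * 16]
    out += [f"{name} |{n} |" for name, n in by_file.most_common()]
    out += ["", "Related entries for 'Location':", "-" * 16]
    for loc in sorted(by_location, key=lambda l: (-len(by_location[l]), l)):
        out.append(loc)
        out += [f"    filename: '{name}'" for name in sorted(by_location[loc])]
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(*syscheck_report(parse_alerts(SAMPLE_ALERTS))))
```

Run against real data with `zcat /var/ossec/logs/alerts/2011/May/*.gz | python3 report.py` after swapping `SAMPLE_ALERTS` for `sys.stdin.read()`; the point of the example is the grouping, which is what lets you see at a glance that one file changed once on each of three agents versus three times on one.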