Recently I have been focused on trying to make OSSEC friendlier and easier to manage. In the last version (1.5) we added the agent_control tool (to manage the agents remotely), and for v1.6 one of the new features is syscheck_control.
Basically, it allows you to manage the integrity checking database that is stored on the server (manager) side. You can list the modified files, get detailed information about each change, and even ignore a specific file or zero its auto-ignore counter.
*To test it, you will need the latest development package (snapshot), available at: //www.ossec.net/files/snapshots/ossec-hids-080807.tar.gz
How to use it? Let’s look at some examples:
Example 1: Getting help and listing all available agents
Exactly like agent_control, you can use the “-l” (or “-lc”) flag to list the agents and the “-h” flag to get the command line help.
# /var/ossec/bin/syscheck_control -h
OSSEC HIDS syscheck_control: Manages the integrity checking database.
Available options:
-h This help message.
-l List available (active or not) agents.
-lc List only active agents.
-u <id> Updates (clear) the database for the agent.
-u all Updates (clear) the database for all agents.
-i <id> List modified files for the agent.
-r -i <id> List modified registry entries for the agent (Windows only).
-f <file> Prints information about a modified file.
-z Used with the -f, zeroes the auto-ignore counter.
-d Used with the -f, ignores that file.
-s Changes the output to CSV (comma delimited).
# /var/ossec/bin/syscheck_control -lc
OSSEC HIDS syscheck_control. List of available agents:
ID: 000, Name: enigma.ossec.net (server), IP: 127.0.0.1, Active/Local
ID: 165, Name: esqueleto2, IP: 192.168.2.99, Active
ID: 174, Name: lili3win, IP: 192.168.2.0/24, Active
ID: 185, Name: winhome2, IP: 192.168.2.0/24, Active
Example 2: Getting a list of modified files
To get a list of the modified files, run the command with the “-i” flag followed by the id of the agent you want. Each entry is printed as “date,counter - path”: the number after the comma is the change counter that the auto-ignore logic works from. It is 0 for a file that was just added or modified for the first time and climbs with each further change; once it reaches 3 the file is auto-ignored (see Example 4), so a non-zero counter in this listing is worth a look:
# /var/ossec/bin/syscheck_control -i 165
Integrity changes for agent 'esqueleto2 (165) - 192.168.2.190':
Changes for 2007 Sep 12:
2007 Sep 12 21:54:37,0 - /var/ossec/etc/ossec.conf
2007 Sep 12 21:54:37,0 - /var/ossec/etc/internal_options.conf
2007 Sep 12 22:01:36,0 - /etc/group-
2007 Sep 12 22:01:40,0 - /etc/ld.so.cache
2007 Sep 12 22:01:47,0 - /etc/passwd-
2007 Sep 12 22:01:48,0 - /etc/syslog.conf
Changes for 2007 Sep 13:
2007 Sep 13 00:15:17,0 - /etc/postgresql/8.1/main/log
..
Changes for 2008 Jul 24:
2008 Jul 24 12:47:55,0 - /etc/syslog.conf
2008 Jul 24 12:47:57,0 - /etc/resolv.conf
2008 Jul 24 15:03:27,3 - /etc/ld.so.cache
Example 3: Getting more information about a file change
To get a more detailed view of the changes to a specific file, run the same command as above plus the “-f” flag. The argument is matched as a substring of the path (the tool reports “entries matching”), so “resolv” is enough to select /etc/resolv.conf, but pass a full path when a short name could match more than one file. In the output, a value prefixed with “>” is one that differs from the previous record of that file; unchanged values (here the permissions, uid and gid) have no prefix. In the following example we look at the resolv.conf changes:
# /var/ossec/bin/syscheck_control -i 165 -f resolv
Integrity changes for agent 'esqueleto2 (165) - 192.168.2.190':
Detailed information for entries matching: 'resolv'
2007 Sep 12 22:01:48,0 - /etc/resolv.conf
File added to the database.
Integrity checking values:
Size: 53
Perm: rw-r--r--
Uid: 0
Gid: 0
Md5: 14f49f5a229b80d555100ddab80e42ab
Sha1: 0aa08a3fba0b0b8bb926cdb8ee5f2af27c947cbf
2008 Jul 24 12:47:57,0 - /etc/resolv.conf
File changed. - 1st time modified.
Integrity checking values:
Size: >54
Perm: rw-r--r--
Uid: 0
Gid: 0
Md5: >ba9ce771e9d760f58ffd30e4ecda669a
Sha1: >ce9dbec2368e8e35dea76df9b623824628045dcb
Example 4: Ignoring or clearing the auto-ignore flags
OSSEC by default ignores files that change too often, which keeps noisy files from flooding the alerts but also means a file that an attacker keeps rewriting stops being reported. You can disable this feature by setting <auto_ignore> to “no” in the syscheck section of the main config, but sometimes you may want to keep it on and deal with each file separately.
In this example, the file squid.conf is being auto-ignored: its counter is 4, past the threshold of 3 changes. To remove this flag, run the same command as above with the “-z” flag; the counter goes back to 0 and the next change to the file will alert again. (The “-d” flag does the opposite and marks a file as ignored.)
# /var/ossec/bin/syscheck_control -i 165 -f "/squid.conf"
2008 Jun 26 22:48:26,4 - /etc/squid/squid.conf
File changed. - Being ignored (3 or more changes).
Integrity checking values:
Size: 120362
Perm: rw-------
Uid: 0
Gid: 0
Md5: >a0038eaf46f13cdbbc09c4c1e4994374
Sha1: >3e732bcee538f20f02a602b0aec36bbe2fd3617b
# /var/ossec/bin/syscheck_control -i 165 -f "/squid.conf" -z
Integrity changes for agent 'esqueleto2 (165) - 192.168.2.190':
Detailed information for entries matching: '/squid.conf'
**Counter updated for file '/etc/squid/squid.conf'
# /var/ossec/bin/syscheck_control -i 165 -f "/squid.conf"
2008 Jun 26 22:48:26,0 - /etc/squid/squid.conf
File changed. - 1st time modified.
Integrity checking values:
Size: 120362
Perm: rw-------
Uid: 0
Gid: 0
Md5: >a0038eaf46f13cdbbc09c4c1e4994374
Sha1: >3e732bcee538f20f02a602b0aec36bbe2fd3617b
If you are dealing with registry entries on Windows agents, add the “-r” flag to all of these commands.
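As an added example (not code from the post or from OSSEC itself), the following POSIX shell script post-processes the listing format shown in Examples 2 and 4: it reads the change counter after the comma in each “date,counter - path” entry, reports every file whose counter has reached the auto-ignore threshold (3, taken from the “3 or more changes” message above, so these are the files that have silently stopped alerting), and prints the syscheck_control -z commands that would clear them. The sample output it runs on is constructed here, modelled on the listings above; the function names, the threshold argument and the sample are my own. On a real manager you would pipe /var/ossec/bin/syscheck_control -i <id> into the functions instead of sample_output.

```shell
#!/bin/sh
# Added example, not part of OSSEC. Post-processes the output of
#   /var/ossec/bin/syscheck_control -i <id>
# to find files whose change counter (the number after the comma in each
# "date,counter - path" entry) has reached the auto-ignore threshold.
# OSSEC prints "Being ignored (3 or more changes)" for such files, so 3 is
# the default threshold here (assumption: taken from that message).

# auto_ignored [threshold]
# Reads syscheck_control output on stdin and prints "counter path" for each
# entry at or above the threshold, highest counter first. The agent banner
# and the "Changes for ..." headers do not match the entry pattern and are
# skipped.
auto_ignored() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        # An entry looks like: 2008 Jul 24 15:03:27,3 - /etc/ld.so.cache
        # Field 4 is "time,counter" and field 5 is the separator "-".
        $4 ~ /^[0-9:]+,[0-9]+$/ && $5 == "-" {
            split($4, tc, ",")            # tc[2] is the change counter
            path = $0
            sub(/^[^-]*- /, "", path)     # keep everything after the first " - "
            if (tc[2] + 0 >= t) print tc[2], path
        }' | sort -rn
}

# zero_counter_commands agent_id [threshold]
# Emits the syscheck_control -z invocation for each auto-ignored file so an
# operator can review the list before running it. The full path is passed to
# -f because -f matches a substring of the path (cf. "-f resolv" above), and
# a short name could hit a second file.
zero_counter_commands() {
    agent="$1"
    auto_ignored "${2:-3}" | while read -r counter path; do
        printf '/var/ossec/bin/syscheck_control -i %s -f "%s" -z\n' \
            "$agent" "$path"
    done
}

# Constructed sample in the format shown in the post; not captured from a
# live manager.
sample_output() {
    cat <<'EOF'
Integrity changes for agent 'esqueleto2 (165) - 192.168.2.190':
Changes for 2008 Jun 26:
2008 Jun 26 22:48:26,4 - /etc/squid/squid.conf
Changes for 2008 Jul 24:
2008 Jul 24 12:47:55,0 - /etc/syslog.conf
2008 Jul 24 12:47:57,0 - /etc/resolv.conf
2008 Jul 24 15:03:27,3 - /etc/ld.so.cache
EOF
}

# Stand-alone demo on the constructed sample. On a real manager replace
# sample_output with: /var/ossec/bin/syscheck_control -i 165
sample_output | auto_ignored
sample_output | zero_counter_commands 165
```

Running the demo lists /etc/squid/squid.conf (counter 4) and /etc/ld.so.cache (counter 3) and prints one -z command for each; the syslog.conf and resolv.conf entries, with counter 0, are left alone. Review the printed commands before executing them, since zeroing a counter on a file that legitimately churns just re-enables the noise auto-ignore was suppressing.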
As always, suggestions, bug reports and comments are more than welcome!
Thanks,