{"id":162,"date":"2008-08-07T22:02:00","date_gmt":"2008-08-07T22:02:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=162"},"modified":"2020-07-02T22:03:38","modified_gmt":"2020-07-02T22:03:38","slug":"new-tool-syscheck_control","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2008\/08\/new-tool-syscheck_control\/","title":{"rendered":"New tool: syscheck_control"},"content":{"rendered":"\n

Recently I have been focused on trying to make OSSEC<\/a> more friendly and easier to manage. Last version (1.5) we added the agent_control<\/a> tool (to manage the agents remotely), and for the v1.6, one of the new features is the syscheck_control<\/strong>.<\/p>\n\n\n\n

Basically, it allows you to manage the integrity checking database that is stored on the server (manager) side. You can list the modified files, get detailed information from each change and even ignore a specific file or zero its auto-ignore counter.<\/p>\n\n\n\n

*To test it, you will need to get the latest development package (snapshot) available at: \/\/www.ossec.net\/files\/snapshots\/ossec-hids-080807.tar.gz<\/a><\/em><\/p>\n\n\n\n

How to use it? Let\u2019s look at some examples:<\/p>\n\n\n\n

Example 1: Getting help and listing all available agents<\/strong><\/p>\n\n\n\n

Exactly like the agent_control<\/em>, you can use the \u201c-l\u201d<\/em> (or -lc<\/em>) flag to list the agents and the \u201c-h\u201d<\/em> flag to get the command line help.<\/p>\n\n\n\n

\/var\/ossec\/bin\/syscheck_control -h<\/strong><\/p>

OSSEC HIDS syscheck_control: Manages the integrity checking database.
Available options:
-h This help message.
-l List available (active or not) agents.
-lc List only active agents.
-u <id> Updates (clear) the database for the agent.
-u all Updates (clear) the database for all agents.
-i <id> List modified files for the agent.
-r -i <id> List modified registry entries for the agent (Windows only).
-f <file> Prints information about a modified file.
-z Used with the -f, zeroes the auto-ignore counter.
-d Used with the -f, ignores that file.
-s Changes the output to CSV (comma delimited).<\/p>

\/var\/ossec\/bin\/syscheck_control -lc<\/strong><\/p>

OSSEC HIDS syscheck_control. List of available agents:
ID: 000, Name: enigma.ossec.net (server), IP: 127.0.0.1, Active\/Local
ID: 165, Name: esqueleto2, IP: 192.168.2.99, Active
ID: 174, Name: lili3win, IP: 192.168.2.0\/24, Active
ID: 185, Name: winhome2, IP: 192.168.2.0\/24, Active<\/p><\/blockquote>\n\n\n\n

Example 2: Getting a list of modified files<\/strong><\/p>\n\n\n\n

To get a list of the modified files, just run the command with the \u201c-i\u201d flag followed by the agent id you want:<\/p>\n\n\n\n

\/var\/ossec\/bin\/syscheck_control -i 165<\/strong><\/p>

Integrity changes for agent \u2018esqueleto2 (165) \u2013 192.168.2.190\u2032:<\/p>

Changes for 2007 Sep 12:
2007 Sep 12 21:54:37,0 \u2013 \/var\/ossec\/etc\/ossec.conf
2007 Sep 12 21:54:37,0 \u2013 \/var\/ossec\/etc\/internal_options.conf
2007 Sep 12 22:01:36,0 \u2013 \/etc\/group-
2007 Sep 12 22:01:40,0 \u2013 \/etc\/ld.so.cache
2007 Sep 12 22:01:47,0 \u2013 \/etc\/passwd-
2007 Sep 12 22:01:48,0 \u2013 \/etc\/syslog.conf<\/p>

Changes for 2007 Sep 13:
2007 Sep 13 00:15:17,0 \u2013 \/etc\/postgresql\/8.1\/main\/log<\/p>

..<\/p>

Changes for 2008 Jul 24:
2008 Jul 24 12:47:55,0 \u2013 \/etc\/syslog.conf
2008 Jul 24 12:47:57,0 \u2013 \/etc\/resolv.conf
2008 Jul 24 15:03:27,3 \u2013 \/etc\/ld.so.cache<\/p><\/blockquote>\n\n\n\n

Example 3: Getting more information about a file change<\/strong><\/p>\n\n\n\n

To get a more detailed view of the changes on a specific file, run the same command as above plus the \u201c-f\u201d<\/em> flag. In the following example we are looking at the resolv.conf file changes:<\/p>\n\n\n\n

\/var\/ossec\/bin\/syscheck_control -i 165 -f resolv<\/strong><\/p>

Integrity changes for agent \u2018esqueleto2 (165) \u2013 192.168.2.190\u2032:
Detailed information for entries matching: \u2018resolv\u2019<\/p>

2007 Sep 12 22:01:48,0 \u2013 \/etc\/resolv.conf
File added to the database.
Integrity checking values:
Size: 53
Perm: rw-r\u2013r\u2013
Uid: 0
Gid: 0
Md5: 14f49f5a229b80d555100ddab80e42ab
Sha1: 0aa08a3fba0b0b8bb926cdb8ee5f2af27c947cbf<\/p>

2008 Jul 24 12:47:57,0 \u2013 \/etc\/resolv.conf
File changed. \u2013 1st time modified.
Integrity checking values:
Size: >54
Perm: rw-r\u2013r\u2013
Uid: 0
Gid: 0
Md5: >ba9ce771e9d760f58ffd30e4ecda669a
Sha1: >ce9dbec2368e8e35dea76df9b623824628045dcb<\/p><\/blockquote>\n\n\n\n

Example 4: Ignoring or clearing the auto-ignore flags<\/strong><\/p>\n\n\n\n

OSSEC by default will ignore files that change too often. You can disable this feature by setting <auto_ignore> to \u201cno\u201d<\/em> in the main config, but sometimes you may want to keep this feature on and deal with each file separately.<\/p>\n\n\n\n

In this example, the file squid.conf is being auto-ignored. To remote this flag, just run the same command as above with the \u201c-z\u201d<\/em> flag:<\/p>\n\n\n\n

\/var\/ossec\/bin\/syscheck_control -i 165 -f \u201c\/squid.conf\u201d<\/strong><\/p>

2008 Jun 26 22:48:26,4 \u2013 \/etc\/squid\/squid.conf
File changed. \u2013 Being ignored (3 or more changes).
Integrity checking values:
Size: 120362
Perm: rw\u2014\u2014-
Uid: 0
Gid: 0
Md5: >a0038eaf46f13cdbbc09c4c1e4994374
Sha1: >3e732bcee538f20f02a602b0aec36bbe2fd3617b<\/p>

\/var\/ossec\/bin\/syscheck_control -i 165 -f \u201c\/squid.conf\u201d -z<\/strong><\/p>

Integrity changes for agent \u2018esqueleto2 (165) \u2013 192.168.2.190\u2032:
Detailed information for entries matching: \u2018\/squid.conf\u2019<\/p>

**Counter updated for file \u2018\/etc\/squid\/squid.conf\u2019<\/p>

# \/var\/ossec\/bin\/syscheck_control -i 165 -f \u201c\/squid.conf\u201d<\/p>

2008 Jun 26 22:48:26,0 \u2013 \/etc\/squid\/squid.conf
File changed. \u2013 1st time modified.
Integrity checking values:
Size: 120362
Perm: rw\u2014\u2014-
Uid: 0
Gid: 0
Md5: >a0038eaf46f13cdbbc09c4c1e4994374
Sha1: >3e732bcee538f20f02a602b0aec36bbe2fd3617b<\/p><\/blockquote>\n\n\n\n

If you are dealing with the registry files on Windows, make sure to add the \u201c-r\u201d<\/em> flag to all these commands.<\/p>\n\n\n\n

As always, suggestions, bug reports and comments are more than welcome!<\/p>\n\n\n\n

Thanks,<\/p>\n","protected":false},"excerpt":{"rendered":"

Recently I have been focused on trying to make OSSEC more friendly and easier to manage. Last version (1.5) we added the agent_control tool (to manage the agents remotely), and for the v1.6, one of the new features is the syscheck_control. Basically, it allows you to manage the integrity checking database that is stored on the server (manager) side. You […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/162"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=162"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/162\/revisions"}],"predecessor-version":[{"id":163,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/162\/revisions\/163"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}