{"id":286,"date":"2007-05-01T03:28:00","date_gmt":"2007-05-01T03:28:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=286"},"modified":"2020-07-03T03:29:19","modified_gmt":"2020-07-03T03:29:19","slug":"daily-chained-checksum-of-ossec-alerts","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2007\/05\/daily-chained-checksum-of-ossec-alerts\/","title":{"rendered":"Daily\/Chained checksum of ossec alerts"},"content":{"rendered":"\n<p><a href=\"http:\/\/www.ossec.net\/\">OSSEC<\/a>&nbsp;v1.2 will come with support for daily\/chained checksums enabled by default. Basically, this means that at the end of each day, ossec will generate the md5\/sha1 sum of the current logs plus the md5\/sha1 sum of the previous day's checksum file.<\/p>\n\n\n\n<p>For example, at the end of Apr 23, ossec will create the following file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># pwd\n\/var\/ossec\/logs\/alerts\/2007\/Apr\n# cat ossec-alerts-23.log.sum\nCurrent checksum:\nMD5  (\/logs\/alerts\/2007\/Apr\/ossec-alerts-23.log) =\n7a275b2d07a5aac500c78c7af51de457\nSHA1 (\/logs\/alerts\/2007\/Apr\/ossec-alerts-23.log) =\naf560a60bfb9fde5944c4bfc36fedfb16a1956d5\n\nChained checksum:\nMD5  (\/logs\/alerts\/2007\/Apr\/ossec-alerts-22.log.sum) =\n2ab5d8637e9f63493d2f3f3a9b06b17f\nSHA1 (\/logs\/alerts\/2007\/Apr\/ossec-alerts-22.log.sum) =\n6b1f3c29abc9e37ddb6b1a53ac83b0fe20830140<\/pre>\n\n\n\n<p>If you look at the checksum file for Apr 22, it will contain its own checksum plus the one from Apr 21 (and so on, back to the first day of the chain).<\/p>\n\n\n\n<p>What do we get from that? First, any modification to the old logs will require changing all the subsequent checksums.
Second, if you e-mail them to yourself every day (or post them somewhere publicly), you have a valid case to prove that they were not tampered with.<\/p>\n\n\n\n<p>If you want to try this feature, please check a pre-beta version:&nbsp;<a href=\"http:\/\/www.ossec.net\/files\/snapshots\/\">snapshots<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>OSSEC&nbsp;v1.2 will come with support for daily\/chained checksums enabled by default. Basically, what it means is that at the end of each day, ossec will generate the md5\/sha1 sum of the current logs plus the md5\/sha1 sum of the checksum from the logs of the previous day. To exemplify, at the end of Apr 23, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/286"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=286"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/286\/revisions"}],"predecessor-version":[{"id":287,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/286\/revisions\/287"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}