OSSEC 101: Tuning Syscheck:
Alert on new files:
By default syscheck does not alert on new files. This is done in an attempt to stop a flood of alerts on installation. Changing this behavior is very easy.
First, add the following to the <syscheck> section of the OSSEC server’s ossec.conf:
<alert_new_files>yes</alert_new_files>
For example, my <syscheck> section now starts like this:
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>7200</frequency>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes" report_changes="yes">/etc,/var/named/etc,/var/www/conf,/var/ossec/etc,/var/ossec/rules</directories>
<directories check_all="yes">/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- More files and directories to check or ignore -->
</syscheck>
OSSEC has a default rule to alert on new files, but the level is set to 0. To change this, add the following rule to your local_rules.xml:
<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
This overwrites the default rule 554. Set the level to a number that fits your organization’s policies.
After making these changes, restart the server’s OSSEC processes.
Customizing this a bit more is also possible. For instance, we set 554 to level 2 so it is logged but will not send an email alert:
<rule id="554" level="2" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
Next, we create a rule to alert at a level 10 for new files being created in /var/www/htdocs/CEO/files:
<rule id="111554" level="10">
<if_sid>554</if_sid>
<match>/var/www/htdocs/CEO/files</match>
<description>New file in the CEO's personal stash.</description>
</rule>
Now if a new file is created in /var/www/htdocs/CEO/files you will be alerted.
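To see how the two rules above interact, here is an added example (not OSSEC code, and not part of the original page) that parses a constructed local_rules.xml fragment and reports the level an alert would end up at. The model is deliberately simplified: a parent rule fires on its decoder name, and a child rule (if_sid) replaces it when its <match> text is found in the event message. The log message format and the `check_overwrite` helper are assumptions made for the example.

```python
"""Simplified model of OSSEC rule overriding and if_sid chaining (added example)."""
import xml.etree.ElementTree as ET

# Constructed rules fragment mirroring the page: rule 554 lowered to level 2,
# and child rule 111554 raising new files under the CEO directory to level 10.
LOCAL_RULES = """
<group name="local,syscheck,">
  <rule id="554" level="2" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
  <rule id="111554" level="10">
    <if_sid>554</if_sid>
    <match>/var/www/htdocs/CEO/files</match>
    <description>New file in the CEO's personal stash.</description>
  </rule>
</group>
"""

# OSSEC's own rule ids (1-99999) that a local rule may only redefine with
# overwrite="yes"; only 554 matters for this example.
BUILTIN_IDS = {"554"}


def load_rules(xml_text):
    """Return {rule_id: {level, decoded_as, if_sid, match, description, overwrite}}."""
    root = ET.fromstring(xml_text)
    rules = {}
    for r in root.iter("rule"):
        rules[r.get("id")] = {
            "level": int(r.get("level")),
            "overwrite": r.get("overwrite") == "yes",
            "decoded_as": r.findtext("decoded_as"),
            "if_sid": r.findtext("if_sid"),
            "match": r.findtext("match"),
            "description": r.findtext("description"),
        }
    return rules


def check_overwrite(rules):
    """Ids of built-in rules redefined locally without overwrite="yes" (a common
    mistake: without it the local copy does not replace the default rule)."""
    return sorted(rid for rid, r in rules.items()
                  if rid in BUILTIN_IDS and not r["overwrite"])


def evaluate(rules, decoder, message):
    """Return (rule_id, level, description) for a decoded event, or None.

    Parent rules match on decoder name; child rules (if_sid) refine the parent
    when their <match> substring occurs in the message, as OSSEC's <match>
    is a substring test.
    """
    parent = next((rid for rid, r in rules.items()
                   if r["if_sid"] is None and r["decoded_as"] == decoder), None)
    if parent is None:
        return None
    best = parent
    for rid, r in rules.items():
        if r["if_sid"] == parent and r["match"] and r["match"] in message:
            best = rid
    return best, rules[best]["level"], rules[best]["description"]


if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES)
    print("missing overwrite:", check_overwrite(rules))
    # Constructed syscheck messages; the real alert text may differ.
    for msg in ("New file '/etc/foo.conf' added to the file system.",
                "New file '/var/www/htdocs/CEO/files/q3.xlsx' added to the file system."):
        print(evaluate(rules, "syscheck_new_entry", msg))
```

Running it shows the generic new-file event landing on 554 at level 2 (logged, no email) while a file under /var/www/htdocs/CEO/files escalates to 111554 at level 10.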
Ignore a directory:
Sometimes it’s necessary to ignore a directory or file so the syscheck alerts are not overwhelming.
Ignoring a directory or file is another easy task in OSSEC. In the <syscheck> section of an OSSEC system’s ossec.conf you should see a number of examples:
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
Adding individual files is as simple as listing them inside <ignore> tags. In the following example we’re ignoring /var/lib/ntp/drift, a file that may change frequently.
<ignore>/var/lib/ntp/drift</ignore>
One of my systems has a backup directory in /var/backups. The contents of this directory can change frequently, so I would like to ignore these alerts. I can use the following sregex to ignore all changes in that directory:
<ignore type="sregex">^/var/backups</ignore>
Changes to files in /var/www/var/backups or any other monitored directory will still cause alerts. This sregex only limits the ignore to files in /var/backups.
Configure realtime syscheck:
Syscheck’s realtime option can be quite useful for very important directories. By default the realtime option is not used, and it is only available on Linux and Windows.
To enable this option, add realtime="yes" to an appropriate <directories> entry. This:
<directories check_all="yes">/bin</directories>
becomes this:
<directories check_all="yes" realtime="yes">/bin</directories>
Scenarios:
Scenario 1: Ignore a file on 1 host:
Crazy Carl has written an application that stores its logs in /usr/bin/logs/crazy_abels_crazy_app.log, and admin Abel is tired of seeing alerts for that file changing. Abel has decided to ignore the file instead of fixing the application since Carl is the CEO’s nephew. He adds the following in the <syscheck> section of the agent’s ossec.conf:
<ignore>/usr/bin/logs/crazy_abels_crazy_app.log</ignore>
He then restarts the OSSEC processes on the agent and goes out for a margarita.
Scenario 2: Universally ignore a file:
Crazy Carl has installed his crazy application on all of the servers, so now Abel’s getting syscheck alerts again. He decides to put a stop to it once and for all. He adds the <ignore> option to the OSSEC server’s ossec.conf in the <syscheck> section:
<ignore>/usr/bin/logs/crazy_abels_crazy_app.log</ignore>
He then restarts the OSSEC processes on the OSSEC server and starts season 2 of The IT Crowd.
Scenario 3: Ignore a directory:
Crazy Carl has developed a few more applications, and continues to write their logs to /usr/bin/logs. Abel is yet again tired of seeing the alerts, and decides to ignore the entire directory by adding the following to the OSSEC server’s ossec.conf:
<ignore type="sregex">^/usr/bin/logs</ignore>
He then restarts the OSSEC processes on the OSSEC server and laughs maniacally as he waits for Carl to strike again.
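Before restarting OSSEC it helps to know which paths an ignore list will actually suppress. The following is an added example (not OSSEC code, and not part of the original page) that reads a constructed <syscheck> fragment covering both the "Ignore a directory" section and the three scenarios above, then classifies sample paths as unmonitored, ignored, or alerting. It assumes that a plain <ignore> entry is compared as a path prefix and that a type="sregex" entry behaves like a regular expression where ^ anchors the start of the path, which is the behaviour the page describes for ^/var/backups. Only the ^ anchor is relied on; other OSSEC sregex metacharacters are not translated.

```python
"""Dry-run classifier for a syscheck <directories>/<ignore> configuration
(added example; assumptions: plain ignore = prefix match, sregex ^ = start anchor)."""
import re
import xml.etree.ElementTree as ET

# Constructed <syscheck> fragment combining the page's examples.
SYSCHECK = """
<syscheck>
  <directories check_all="yes" report_changes="yes">/etc,/var/ossec/etc</directories>
  <directories check_all="yes">/usr/bin,/usr/sbin</directories>
  <directories check_all="yes" realtime="yes">/bin</directories>
  <directories check_all="yes">/var/backups,/var/www</directories>
  <ignore>/etc/mtab</ignore>
  <ignore type="sregex">^/var/backups</ignore>
  <ignore type="sregex">^/usr/bin/logs</ignore>
</syscheck>
"""


def parse_syscheck(xml_text):
    """Return ([(directory, realtime)], [(kind, pattern)]) from a <syscheck> block."""
    root = ET.fromstring(xml_text)
    dirs = [(p.strip(), d.get("realtime") == "yes")
            for d in root.findall("directories")
            for p in d.text.split(",")]
    ignores = [(i.get("type", "plain"), i.text.strip())
               for i in root.findall("ignore")]
    return dirs, ignores


def monitored_by(dirs, path):
    """Directories entries that cover `path` (the entry itself or anything below it)."""
    return [d for d, _ in dirs
            if path == d or path.startswith(d.rstrip("/") + "/")]


def ignored_by(ignores, path):
    """First ignore pattern suppressing `path`, or None."""
    for kind, pattern in ignores:
        if kind == "sregex":
            if re.search(pattern, path):  # ^ anchors the start, as in the page
                return pattern
        elif path.startswith(pattern):    # assumed prefix comparison
            return pattern
    return None


def classify(dirs, ignores, path):
    """'unmonitored', 'ignored by <pattern>', or 'alerts'."""
    if not monitored_by(dirs, path):
        return "unmonitored"
    hit = ignored_by(ignores, path)
    return f"ignored by {hit}" if hit else "alerts"


if __name__ == "__main__":
    dirs, ignores = parse_syscheck(SYSCHECK)
    # Constructed sample paths, including the /var/www/var/backups case.
    for p in ("/etc/passwd", "/etc/mtab", "/var/backups/etc.tgz",
              "/var/www/var/backups/etc.tgz",
              "/usr/bin/logs/crazy_abels_crazy_app.log", "/home/abel/notes"):
        print(f"{p:45} {classify(dirs, ignores, p)}")
```

The /var/www/var/backups/etc.tgz line is the point of the sregex anchor: it is monitored through /var/www and still alerts, because ^/var/backups only matches at the start of the path. Dropping the ^ would silence that file too.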