syscheck_control¶
syscheck_control provides an interface for managing and viewing the integrity checking database.
syscheck_control argument options¶
- -h¶
Display the help message.
- -l¶
List available agents.
- -lc¶
List only currently connected agents.
- -u <agent_id>¶
Updates (clear) the database for the agent.
- -u all¶
Updates (clear) the database for all agents.
- -i <agent_id>¶
Prints database for the agent.
- -r -i¶
List modified registry entries for the agent (Windows only).
- -f <file>¶
Used with -i. Prints information about a modified file.
- -z¶
Used with -f, zeroes the auto-ignore counter.
- -d¶
Used with -f, ignores that file.
- -s¶
Changes the output to CSV (comma delimited).
syscheck_control example usage¶
Example 1: Getting a list of modified files for an agent¶
To retrieve information about files that were monitored by OSPatrol and modified after OSPatrol was deployed, run syscheck_control -i.
# /var/ospatrol/bin/syscheck_control -i 002
Integrity changes for agent 'ospatrol-agent (002) - 192.168.1.86':
Changes for 2009 Dec 21:
2009 Dec 21 13:52:40,0 - /etc/authorization
2009 Dec 21 13:52:42,0 - /etc/cups/printers.conf
2009 Dec 21 13:52:42,0 - /etc/cups/printers.conf.O
2009 Dec 21 13:52:58,0 - /etc/postfix/main.cf.default
Changes for 2010 Jan 04:
2010 Jan 04 10:13:58,0 - /etc/authorization
Changes for 2010 Jan 06:
2010 Jan 06 09:45:43,0 - /etc/postfix/main.cf.default
Changes for 2010 Jan 18:
2010 Jan 18 09:18:51,0 - /etc/cups/printers.conf
2010 Jan 18 09:18:51,0 - /etc/cups/printers.conf.O
Changes for 2010 Feb 23:
2010 Feb 23 09:17:22,2 - /etc/cups/printers.conf
2010 Feb 23 09:17:22,2 - /etc/cups/printers.conf.O
Changes for 2010 Mar 24:
2010 Mar 24 08:42:52,3 - /etc/cups/printers.conf
2010 Mar 24 08:42:52,3 - /etc/cups/printers.conf.O
As you can see this command provides an overview about file modifications.
Example 2: Getting more detailed information about a modified file¶
If you need to get more detailed information about a file that was modified you can use syscheck_control to view
- the time stamp when the file was added to the syscheck database
- the integrity checking values when the file was added to the syscheck database
- the time stamps when OSPatrol detected a modification
- the integrity checking values for every time OSPatrol detected a modification.
The integrity checking values include
- how often the file has changed
- file size
- file permissions
- owner and group id of the file
- MD5 and SHA1 hashes of the file.
To retrieve this information, run syscheck_control -i:
# /var/ospatrol/bin/syscheck_control -i 002 -f /etc/authorization
Integrity changes for agent 'ospatrol-agent (002) - 192.168.1.86':
Detailed information for entries matching: '/etc/authorization'
2009 Dec 21 13:52:40,0 - /etc/authorization
File added to the database.
Integrity checking values:
Size: 27771
Perm: rw-r--r--
Uid: 0
Gid: 0
Md5: dd62912576ae05d611d7469be809cf1d
Sha1: 530df0283df52f0152b9e7ce1a518119b06ceebc
2010 Jan 04 10:13:58,0 - /etc/authorization
File changed. - 1st time modified.
Integrity checking values:
Size: >28050
Perm: rw-r--r--
Uid: 0
Gid: 0
Md5: >50da55def41bcede7d42ac5ee8fe12c9
Sha1: >97f4b2b48a97321a3e245221e0ea4353cf4fa8ef
Example 3: Clearing the syscheck database¶
To clear the syscheck database for a certain agent run the following command:
# /var/ospatrol/bin/syscheck_control -u 002
** Integrity check database updated.
syscheck_control -i 002 will now show that no modified files for that agent are in the database:
# /var/ospatrol/bin/syscheck_control -i 002
Integrity changes for agent 'ospatrol-agent (002) - 192.168.1.86':
** No entries found.
To clear the database for all agents and the server run the following command:
# /var/ospatrol/bin/syscheck_control -u all
** Integrity check database updated.
The next time syscheck is run, the database will be populated again.