One that that always annoyed me on OSSEC was that ossec-reported didn’t list the file changes (from syscheck) and that I couldn’t use the filtering options in there for them. Well, that’s solved now :)
On the latest OSSEC snapshot you can use the “filename” option to filter and correlate values. For example, if I run the default reporting for the month of May I will see at the bottom a list of file changes:
# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd
..
Top entries for ‘Filenames’:
————————————————
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |
And you can also use the related options to see on which agents the files were changed. So for a basic integrity monitoring report, I would filter for the group syscheck and list where each file was changed:
# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename
..
Top entries for ‘Filenames’:
————————————————
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |
Related entries for ‘Location’:
————————————————
web1->syscheck |1 |
filename: ‘/etc/ossec-init.conf’
filename: ‘/var/www/x/js.js’
filename: ‘/var/www/x/index.php’
db1->syscheck
filename: ‘/etc/ossec-init.conf’
obsd-fw->syscheck
filename: ‘/etc/ossec-init.conf’
So the report is simple. It shows which files were changed and how many times (for example, ossec-init changed 3 times, on 3 agents). I am even thinking on making these reports enabled by default and reducing the severity of the normal syscheck alerts so they don’t get sent by email. Comments?