Manual: Syscheck

Syscheck is the name of the integrity checking process inside OSSEC. It runs periodically (by default every 6 hours) and checks if any configured file (or registry entry on Windows) has changed.

  1. Why Integrity checking?
  2. Quick facts
  3. Configuration options
  4. Configuration examples
  5. Real time (continuous) monitoring
  6. FAQ

Why Integrity checking?

This is the explanation from the OSSEC book:

There are multiple types of attacks and many attack vectors, but there
is one thing unique about all of them: they leave traces and always change
the system in some way. From viruses that modify a few files, to kernel-level
rootkits that alter the kernel, there is always some change in the
integrity of the system.

Integrity checking is an essential part of intrusion detection, that
detects changes in the integrity of the system. OSSEC does that by
looking for changes in the MD5/SHA1 checksums of the key files in the
system and on the Windows registry.

The way it works is that the agent scans the system every few hours
(user defined) and sends all the checksums to the server. The server
stores the checksums and looks for modifications on them. An alert
is sent if anything changes.

Quick facts

  • How often? By default every 6 hours, or at any configured time/day.
  • Where is the database stored? On the manager.
  • How does it help with compliance (PCI DSS, etc.)? It helps with requirements 11.5 (deploy file integrity monitoring software) and 10.5 (integrity checking of log files) of PCI DSS.
  • How much CPU does it use? Scans are performed slowly to avoid using too much CPU/memory.
  • How does it deal with false positives? Files that change too often can be ignored in the configuration or with rules.

Configuration options

All of these configuration options can be specified in each agent's ossec.conf file, except for "auto_ignore" and "alert_new_files", which are manager-side options. An "ignore" option specified on the manager becomes global for all agents.

Table 1.0: Syscheck options

  directories
    Default value: /etc,/usr/bin,/usr/sbin,/bin,/sbin
    Allowed values: any directory or file name
    Adds directories or files to be monitored (comma separated within one element; a directory is monitored recursively).

  ignore
    Default value: /etc/mtab
    Allowed values: any file or directory
    Files or directories to be excluded from the scan (one path per <ignore> element).

  frequency
    Default value: 21600 (6 hours)
    Allowed values: time in seconds
    Interval between syscheck scans, in seconds.

  scan_time
    Default value: none
    Allowed values: time of day
    Time of day at which to run the scans (formats such as 21:00, 9pm, 8:30, 12am).

  scan_day
    Default value: none
    Allowed values: day of the week
    Day of the week on which to run the scans (sunday, saturday, monday, etc.).

  auto_ignore (manager side)
    Default value: yes
    Allowed values: yes or no
    Whether syscheck stops alerting on files that change too often (after the third change).

  alert_new_files (manager side)
    Default value: no
    Allowed values: yes or no
    Whether syscheck alerts on newly created files.

  scan_on_start
    Default value: yes
    Allowed values: yes or no
    Whether the first scan runs as soon as syscheck is started.

  windows_registry (Windows only)
    Default value: HKEY_LOCAL_MACHINE\Software
    Allowed values: any registry entry (one per element)
    Windows registry entries to be monitored.

  registry_ignore (Windows only)
    Default value: ..Cryptography\RNG
    Allowed values: any registry entry (one per element)
    Registry entries to be excluded from the scan.

Configuration examples


Configuring syscheck is very simple. First, you need to provide the files or directories to check. Note that when you specify a directory, it will monitor all its files recursively. Example:

    <syscheck>
      <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
      <directories check_all="yes">/root/users.txt,/bsd,/root/db.html</directories>
    </syscheck>

To ignore a few files or directories, use the “ignore” option (or registry_ignore for Windows registry entries):

    <syscheck>
      <ignore>/etc/random-seed</ignore>
      <ignore>/root/dir</ignore>
      <ignore type="sregex">.log$|.tmp</ignore>
    </syscheck>

You can also set the "type" attribute to sregex to give the ignore option a simplified regular expression, in which ^ anchors the start of the path, $ anchors the end and | separates alternatives; everything else is matched literally.

If you want different severities for changes in specific directories, create a local rule that inherits from the syscheck group and matches on the path:

    <rule id="100345" level="12" >
      <if_group>syscheck</if_group>
      <description>Changes to /var/www/htdocs - Critical file!</description>
      <match>/var/www/htdocs</match>
    </rule>

In the above example, we created a rule that alerts with high severity (level 12) on any syscheck change under /var/www/htdocs. Rule ids from 100000 upwards are reserved for local rules, so they never collide with the rules shipped with OSSEC.

Real time Monitoring

OSSEC supports realtime (continuous) file integrity monitoring on Linux (kernel 2.6 and later) and Windows systems. It detects changes as soon
as they happen, using inotify on Linux and the directory change notification API on Windows.

More information at: Realtime file integrity monitoring
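The options from Table 1.0 and the fragments above, assembled into one working configuration, as an added example that is not part of the OSSEC manual. It assumes a Linux agent whose web root is /var/www/htdocs (an illustrative path) and uses the realtime attribute of <directories>, which the table above does not list but the realtime monitoring page documents. It also overrides the stock syscheck rule 554 ("File added to the system"), which is level 0 in the default rule set, so alert_new_files produces nothing visible until that rule is raised.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf on a Linux agent.
     Added example, not from the OSSEC manual; paths are illustrative. -->
<ossec_config>
  <syscheck>
    <!-- Scheduled full scan every Sunday at 03:00 instead of the
         6-hour default interval. scan_on_start="no" avoids a full
         rescan on every agent restart. -->
    <scan_day>sunday</scan_day>
    <scan_time>3am</scan_time>
    <scan_on_start>no</scan_on_start>

    <!-- System binaries and configuration: checksum, size, owner,
         group and permissions (check_all) of everything below these
         directories, checked on the schedule above. -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>

    <!-- Web root: realtime="yes" (inotify) reports a change as it
         happens instead of waiting for the next scheduled scan. -->
    <directories check_all="yes" realtime="yes">/var/www/htdocs</directories>

    <!-- Individual files are listed the same way as directories. -->
    <directories check_all="yes">/etc/passwd,/etc/shadow,/etc/sudoers</directories>

    <!-- Files that legitimately change all the time; one path per
         element, or an sregex for a whole class of names. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore type="sregex">.log$|.swp$|.tmp$</ignore>
  </syscheck>
</ossec_config>

<!-- Manager side: /var/ossec/etc/ossec.conf on the server.
     auto_ignore and alert_new_files are only honoured here. -->
<ossec_config>
  <syscheck>
    <!-- Keep alerting on files that change repeatedly rather than
         silently dropping them after the third change; noisy files
         are handled with <ignore> on the agent instead. -->
    <auto_ignore>no</auto_ignore>
    <!-- Alert when a new file appears in a monitored directory
         (for example a web shell dropped into /var/www/htdocs). -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- Manager side: /var/ossec/rules/local_rules.xml. The shipped rule
     554 for new files is level 0; overwrite it so new-file alerts
     are actually emitted (level 7 is an assumed choice). -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

Restart the manager and the agent after editing (/var/ossec/bin/ossec-control restart) and force a scan with agent_control -r -u <agent_id> to confirm the new directories are picked up. With auto_ignore set to "no" the manager will keep alerting on every change, so anything that turns out to be noise must be added to an <ignore> element or silenced with a level 0 local rule, as described in the FAQ below.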

FAQ (Frequently asked syscheck questions)

  1. How do I force an immediate syscheck scan?

     Run the agent_control tool on the manager to start an integrity check immediately (-r runs the check; -a runs it on all agents, -u <agent_id> on a single agent):

       # /var/ossec/bin/agent_control -r -a
       # /var/ossec/bin/agent_control -r -u <agent_id>

     More information on the agent_control manual page.

  2. How do I tell syscheck not to scan the system when OSSEC starts?

     Set the option <scan_on_start> to "no" in ossec.conf.

  3. How do I ignore a file that changes too often?

     Add the file or directory to an <ignore> option, or create a simple local rule. The following rule ignores the files /etc/a and /etc/b and the directory /etc/dir on the agents mswin1 and ubuntu-dns (pick an unused id if 100345 is already taken in your local_rules.xml):

       <rule id="100345" level="0" >
         <if_group>syscheck</if_group>
         <description>Changes ignored.</description>
         <match>/etc/a|/etc/b|/etc/dir</match>
         <hostname>mswin1|ubuntu-dns</hostname>
       </rule>

  4. How do I know when the syscheck scan ran?

     Use the agent_control tool on the manager: agent_control -i <agent_id> prints, among other agent details, when the last syscheck scan started and ended. More information on the agent_control manual page.

  5. How do I get detailed reporting on the changes?

     Use the syscheck_control tool on the manager (syscheck_control -i <agent_id> lists the files modified on that agent) or the web UI. More information on the syscheck_control manual page.