Syscheck options are available in the the following installation types:
server
local
agent
All global options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.
XML excerpt to show location:
<ossec_config>
<syscheck>
<!--
Syscheck options here
-->
</syscheck>
</ossec_config>
directories
Use this option to add or remove directories to be monitored (they must be comma separated). All files and subdirectories will also be monitored.
Drive letters without directories are not valid. At a minimum the ‘.’ should be included (D:\.
). This should be set on the system you wish to
monitor (or in the agent.conf if appropriate).
Default: /etc,/usr/bin,/usr/sbin,/bin,/sbin
Attributes:
realtime: Value=yes
This will enable realtime/continuous monitoring on Linux (using the inotify system calls) and Windows systems.
report_changes: Value=yes
Report diffs of file changes. This is limited to text files at this time.
Note
This option is only available on Unix-like systems.
check_all: Value=yes
All the following check_* options are used together unless a specific option is explicitly overridden with “no”.
check_sum: Value=yes
Check the md5 and sha1 hashes of the of the files will be checked.
This is the same as using both check_sha1sum=”yes” and check_md5sum=”yes”
check_sha1sum: Value=yes
When used only the sha1 hash of the files will be checked.
check_md5sum: Value=yes
The md5 hash of the files will be checked.
check_size: Value=yes
The size of the files will be checked.
check_owner: Value=yes
Check the owner of the files selected.
check_group: Value=yes
Check the group owner of the files/directories selected.
check_perm: Value=yes
Check the UNIX permission of the files/directories selected. On windows this will only check the POSIX permissions.
restrict: Value=string
A string that will limit checks to files containing that string in the file name.
Allowed: Any directory or file name (but not a path)
no_recurse: Value=no
New in version 3.2.
Do not recurse into the defined directory.
Allowed: yes/no
ignore
List of files or directories to be ignored (one entry per element). The files and directories are still checked, but the results are ignored.
Default: /etc/mtab
Attributes:
type: Value=sregex
This is a simple regex pattern to filter out files so alerts are not generated.
Allowed: Any directory or file name
nodiff
New in version 3.0.
List of files to not attach a diff. The files are still checked, but no diff is computed. This allows to monitor sensitive files like private key or database configuration without leaking sensitive data through alerts.
Attributes:
type: Value=sregex
This is a simple regex pattern to filter out files so alerts are not generated.
Allowed: Any directory or file name
frequency
Frequency that the syscheck is going to be executed (in seconds).
The default is 6 hours or 21600 seconds
Default: 21600
Allowed: Time in seconds
scan_time
Time to run the scans (can be in the formats of 21pm, 8:30, 12am, etc).
Allowed: Time to run scan
Note
This may delay the initialization of realtime scans.
scan_day
Day of the week to run the scans (can be in the format of sunday, saturday, monday, etc)
Allowed: Day of the week
auto_ignore
Specifies if syscheck will ignore files that change too often (after the third change)
Default: yes
Allowed: yes/no
Valid: server, local
alert_new_files
Specifies if syscheck should alert on new files created.
Default: no
Allowed: yes/no
Valid: server, local
Note
New files will only be detected on a full scan, this option does not work in realtime.
scan_on_start
Specifies if syscheck should do the first scan as soon as it is started.
Default: yes
Allowed: yes/no
windows_registry
Use this option to add Windows registry entries to be monitored (Windows-only).
Default: HKEY_LOCAL_MACHINESoftware
Allowed: Any registry entry (one per element)
Note
New entries will not trigger alerts, only changes to existing entries.
registry_ignore
List of registry entries to be ignored.
Default: ..CryptographyRNG
Allowed: Any registry entry (one per element)
prefilter_cmd
Command to run to prevent prelinking from creating false positives.
Example:
<prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>
Note
This option can potentially impact performance negatively. The configured command will be run for each and every file checked.
skip_nfs
New in version 2.9.0.
Specifies if syscheck should scan network mounted filesystems. Works on Linux and FreeBSD. Currently skip_nfs will abort checks running against CIFS or NFS mounts.
Default: no
Allowed: yes/no
Warning
This option was added in OSSEC 2.9.