Syscheck is the integrity checking daemon within OSSEC. It has a simple purpose, identify and report on changes within the system files.
The way it works is simple. When you first install OSSEC it runs an initial syscheck scan. This scan will go through and capture the check sum of every file on the system (every file you have identified in your configuration file – /var/ossec/etc/ossec.conf). This creates a baseline. Syscheck then uses this baseline to perform change detection by comparing all the checksums on each scan. If it’s not a 1 for 1 match, it reports it as a change. If new files are added, it identifies it as new, and reports it.
By default when you first install OSSEC your configuration file will look something like this:
<syscheck>
<!-- Frequency that syscheck is executed - default set to every 22 hours -->
<frequency>79200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories</etc,/usr/bin,/usr/sbin</directories>
<directories</bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
</syscheck>
There are a couple of things to note here.
First, the frequency option is in seconds and is defaulted to 22 hours (or 79,200 seconds). I configure this to 4 hours (14,400 seconds) in my configurations.
Second, syscheck by default doesn’t scan the entire box, you have to define your directories and you separate using a comma – “,”. Note that you don’t have to monitor al your directories, which is why it’s designed like this.
Third, if you’re going to try to use this on your website directories then you have to add it to your ossec.conf file:
<directories>/var/www/html</directories>
Lastly, Ignore does exactly as it implies, it'll skip over a specified directory. If you're using this for websites this is especially helpful if you have a cache folder or an uploads folder, this can get a bit crazy in terms of the amount of noise it will generate.
First, You want to enable a few things, so within the syscheck section of the ossec.conf configuration file you want to set the following:
<alert_new_files>yes</alert_new_files>
Then you want to update your local rules, local_rules.xml file, usually located here /var/ossec/rules/local_rules.xml, with a new rule:
<rule id="554" level="10" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
This rule is elevating the existing severity level for rule 554, which is the rule that captures those additions, from 0 to 10 or any severity level which you have set to alert on here in your configuration file:
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
Real time is not synonymous with new file and is not an attribute to new files; this where folks go wrong.
Real-time works great, but it only works against established check sums in the environment. So, think back to the beginning of this article. On install it’ll create a scan on the environment and create a baseline of the files. This is a prerequisite, so it’s not until the next scan that I’ll know what is new in the environment. It also leverages the inotify system calls as its detection engine.
inotify is a file change notification system. It is a kernel feature that allows applications to request the monitoring of a set of files against a list of events. When the event occurs, the application is notified.
What this really means is a New File doesn’t fall into this category. Inotify works only if the file exists, so with a New File, it’ll only be reported when the syscheck runs at your interval. So to really get a real-time report of new files being add you’d have to set your syscheck to scan every second, and that’s highly impractical.
Once that baseline is created, if you were to go and modify the file, then, and only then, would it report in real-time that there had been a change. This is very important distinction that everyone should be making. So no, it will not report, in real time, that a new file was added, only on the scan will it report a change and only after that initial scan will it report real-time changes. But do realize that to get it in real-time you’ll need to add a few attributes and will need to defined which directories real time applies to.
For example:
<directories realtime="yes" report_changes="yes">/var/www/html</directories>
The report_changes attribute, if possible it will not only notify you of the change, but also give you an example of the change. This could be really helpful if you want to quickly understand what happened and decide how to respond.
There is also another attribute I like that helps reduce noise, that's the restrict attribute. This allows you to specify which file types you're specifically interested in. For instance, for websites I like to configure it like this:
<directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.js|.phtml|.html>[path]</directories>