I recently saw some discussion in the OSSEC distribution list of someone having an issue with getting OSSEC syscheck to work right in real-time. It reminded me of a similar issue I had with my own configuration and others I have read about, so I figured I’d write something to shed light on how OSSEC’s syscheck works in real-time. Thanks ofcourse to Dani for the assist.
Syscheck – Integrity Checking Daemon
If you’re familiar with OSSEC, then you know syscheck, if you’re not then this section will get you caught up – I hope.
Syscheck is the integrity checking daemon within OSSEC. It’s purpose is simple, identify and report on changes within the system files. The way it works is simple, when you first install OSSEC it runs an initial syscheck scan, this scan will go through and capture the check sum of every file on the system (every file you have identified in your configuration file – /var/ossec/etc/ossec.conf). Once the baseline is set, syscheck is able to perform change detection by comparing all the checksums on each scan. If it’s not a 1 for 1 match, it reports it as a change. If new files are added, it identifies it as new, and reports it.
Simple, right? Right…