Syscheck is the integrity-checking daemon within OSSEC, designed to identify and report changes within system files.
How Syscheck Works
When you first install OSSEC, it performs an initial syscheck scan. This scan captures the checksum of every file specified in your configuration file (/var/ossec/etc/ossec.conf), creating a baseline. Syscheck uses this baseline to detect changes by comparing checksums on each subsequent scan. If a file’s checksum doesn’t match the baseline, it’s reported as a change. Similarly, if new files are added, they are identified as new and reported.
OSSEC Default Syscheck Configuration
By default, the OSSEC configuration file (ossec.conf) includes the following settings:
<syscheck>
<!-- Frequency that syscheck is executed - default is every 22 hours -->
<frequency>79200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
</syscheck>
Key Configuration Notes:
Frequency: The frequency option is in seconds. By default, it’s set to 79,200 seconds (22 hours). You can adjust this based on your needs; for instance, setting it to 14,400 seconds (4 hours) may be more appropriate for critical systems.
Directories to Monitor: By default, not all directories are monitored. You must define which directories you want to include, separated by commas. For example, if monitoring website files, add:
xmlCopy code<directories>/var/www/html</directories>
Ignoring Files/Directories: The <ignore> tag skips specified files or directories. This is especially useful for noisy directories, like cache or upload folders, to reduce unnecessary alerts.
Configuring OSSEC Syscheck for Real-Time Monitoring
To enable real-time alerts for new files, update the ossec.conf file as follows:
<alert_new_files>yes</alert_new_files>
Additionally, update your local rules (/var/ossec/rules/local_rules.xml) with a new rule to elevate the alert level:
<rule id="554" level="10" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck</group>
</rule>
This configuration increases the severity of rule 554 (new file detection) to a level that triggers alerts based on your settings:
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>Real-Time vs. New File Alerts: Understanding the Difference
Real-time monitoring is not the same as alerting on new files. This is a common misconception.
- Real-Time Monitoring: OSSEC uses the
inotifysystem calls for real-time detection.inotifymonitors existing files for changes based on established checksums. When OSSEC is first installed, it creates a baseline by scanning the system. Only after this initial scan can real-time monitoring detect changes. - New Files: Inotify works only if a file already exists. Therefore, new files are only detected during scheduled syscheck scans. To receive alerts on new files as close to real-time as possible, you would have to set
syscheckto scan frequently (e.g., every few seconds), which is often impractical.
To enable real-time monitoring for specific directories, use the following configuration:
<directories realtime="yes" report_changes="yes">/var/www/html</directories>
Reducing Noise with the restrict Attribute
If you only want to monitor specific file types, use the restrict attribute:
<directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.js|.phtml|.html">/var/www/html</directories>
This configuration ensures you only get alerts for changes to the specified file types, reducing unnecessary noise.