OSSEC – What Causes Integrity Checksum Alert?

linuxossec

Recently installed OSSEC on Linux machine to test.

Most results are expected, however yesterday I received emails with a number of notifications about Integrity checksum changing on files such as
/usr/bin/whoami
/usr/bin/md5sum
/usr/bin/ls
and about another 50 similar files

Since I didn't install any new versions of these files, how do I find out what caused the integrity checksum to change 2 days after I installed the OSSEC program?

Eureka

Best Answer

Two reasons are:

You've actually been hacked
Prelinking is enabled

You can disable prelinking by editing /etc/sysconfig/prelink from:

PRELINKING=yes

to:

PRELINKING=no

And running:

prelink -ua

Source: http://www.ossec.net/wiki/Know_How:Check_Sums

Related Solutions

Linux – What Do the Colors in htop Status Bars Mean

Hitting F1 or h will show you the key. But for reference, the default colors are:

CPU:

Blue = Low priority threads
Green = Normal priority threads
Red = Kernel threads

Memory:

Green = Used memory
Blue = Buffers
Yellow/Orange = Cache

There are a couple of different color-schemes available, you can see them through hitting F2.

Just installed OSSEC, what next

My question now: what are some common tasks I should try next?

OSSEC has default rules to perform log analysis, file integrity checking, rootkit detection, ...

You can try some common tasks such as:

monitoring kernel log by adding the below config to ossec.conf:

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
</localfile>

Adding some exclude words which you don't want to getting alert to /var/ossec/rules/local_rules.xml:

RRD_update|getaddrinfo|does not represent a number in line|error.class.php|Bind to port|errorsign.jpg|error.gif|error retrieving information about user

and overwrite some rules:

  <rule id="5703" level="10" frequency="4" timeframe="360" overwrite="yes">
    <if_matched_sid>5702</if_matched_sid>
    <options>no_email_alert</options>
    <description>Possible breakin attempt </description>
    <description>(high number of reverse lookup errors).</description>
  </rule>

write several shell scripts for active response
integrate OSSEC with Splunk

I would like to go in and change some file that OSSEC is monitoring to see if it alerts on that, but I don't know what the default rules are monitoring.

You can search the keyword integrity in rules folder:

# grep -lir "integrity" /var/ossec/rules/
/var/ossec/rules/msauth_rules.xml
/var/ossec/rules/syslog_rules.xml
/var/ossec/rules/ossec_rules.xml

It's rule ID 550:

  <rule id="550" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description>
    <group>syscheck,</group>
  </rule>

Best Answer

Related Solutions

Linux – What Do the Colors in htop Status Bars Mean

Just installed OSSEC, what next

Related Topic