ossec.conf: Syscheck Options

Overview

Supported types

Syscheck options are available in the following installation types:

  • server
  • local
  • agent

Location

All global options must be configured in /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.

XML excerpt to show location:

<ossec_config>
    <syscheck>
        <!--
        Syscheck options here
        -->
    </syscheck>
</ossec_config>

Options

directories

Use this option to add or remove directories to be monitored (multiple entries must be comma-separated). All files and subdirectories will also be monitored. Drive letters without directories are not valid; at a minimum the '.' should be included (D:\.). This should be set on the system you wish to monitor (or in the agent.conf if appropriate).

Default: /etc,/usr/bin,/usr/sbin,/bin,/sbin

Attributes:

  • realtime: Value=yes

    • This will enable realtime/continuous monitoring on Linux (using the inotify system calls) and Windows systems.
  • report_changes: Value=yes

    • Report diffs of file changes. This is limited to text files at this time.

    Note

    This option is only available on Unix-like systems.

  • check_all: Value=yes

    • Enables all of the following check_* options together.
  • check_sum: Value=yes

    • The md5 and sha1 hashes of the files will be checked.

      This is the same as using both check_sha1sum="yes" and check_md5sum="yes".

  • check_sha1sum: Value=yes

    • When used only the sha1 hash of the files will be checked.
  • check_md5sum: Value=yes

    • The md5 hash of the files will be checked.
  • check_size: Value=yes

    • The size of the files will be checked.
  • check_owner: Value=yes

    • Check the owner of the files selected.
  • check_group: Value=yes

    • Check the group owner of the files/directories selected.
  • check_perm: Value=yes

    • Check the UNIX permissions of the files/directories selected. On Windows this will only check the POSIX permissions.
  • restrict: Value=string

    • A string that will limit checks to files containing that string in the file name.

    Allowed: Any directory or file name (but not a path)

ignore

List of files or directories to be ignored (one entry per element). The files and directories are still checked, but the results are ignored.

Default: /etc/mtab

Attributes:

  • type: Value=sregex

    • This is a simple regex pattern to filter out files so alerts are not generated.

Allowed: Any directory or file name

frequency

Frequency at which syscheck is going to be executed (in seconds).

The default is 6 hours (21600 seconds).

Default: 21600

Allowed: Time in seconds

scan_time

Time to run the scans (can be in formats such as 21pm, 8:30, 12am, etc.).

Allowed: Time to run scan

scan_day

Day of the week to run the scans (can be in the format of sunday, saturday, monday, etc.).

Allowed: Day of the week

auto_ignore

Specifies if syscheck will ignore files that change too often (after the third change).

Default: yes

Allowed: yes/no

Valid: server, local

alert_new_files

Specifies if syscheck should alert on new files created.

Default: no

Allowed: yes/no

Valid: server, local

Note

New files will only be detected on a full scan; this option does not work in realtime.

scan_on_start

Specifies if syscheck should do the first scan as soon as it is started.

Default: yes

Allowed: yes/no

windows_registry

Use this option to add Windows registry entries to be monitored (Windows-only).

Default: HKEY_LOCAL_MACHINE\Software

Allowed: Any registry entry (one per element)

Note

New entries will not trigger alerts, only changes to existing entries.

registry_ignore

List of registry entries to be ignored.

Default: ..\Cryptography\RNG

Allowed: Any registry entry (one per element)

prefilter_cmd

Command to run to prevent prelinking from creating false positives.

Example:

<prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>

Note

This option can potentially impact performance negatively. The configured command will be run for each and every file checked.

skip_nfs

Specifies if syscheck should scan network-mounted filesystems. Works on Linux and FreeBSD. Currently skip_nfs will abort checks running against CIFS or NFS mounts.

Default: no

Allowed: yes/no
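An added example (not taken from the OSSEC documentation or source) of a complete <syscheck> block that combines the options described above on a Unix-like host; the /var/www and /opt/app paths, the .conf restriction and the sregex pattern are illustrative choices, not defaults:

```xml
<!-- Added example: one <syscheck> block using the options documented above.
     Paths and patterns are illustrative; adjust them to the monitored host. -->
<ossec_config>
  <syscheck>
    <!-- Full scan every 6 hours (21600 s); run the first scan at startup -->
    <frequency>21600</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Alert on new files (server/local only; new files are found on full
         scans, not in realtime). Keep alerting on files that change often. -->
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>

    <!-- Core system directories: all check_* attributes plus inotify realtime -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>

    <!-- Web configuration: include diffs of changed text files (Unix-like only)
         and restrict the checks to file names containing ".conf" -->
    <directories check_all="yes" report_changes="yes" restrict=".conf">/var/www</directories>

    <!-- Large application tree: hashes and permissions only (cheaper scan) -->
    <directories check_sum="yes" check_perm="yes">/opt/app</directories>

    <!-- Paths whose churn is expected; exact matches and a simple regex -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Do not follow checks onto NFS/CIFS mounts (Linux and FreeBSD) -->
    <skip_nfs>yes</skip_nfs>

    <!-- Undo prelink before hashing to avoid false positives.
         Runs once per checked file, so expect a slower scan. -->
    <prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>

    <!-- On a Windows agent the equivalent block would use the Windows-only
         registry options instead of prefilter_cmd/skip_nfs, for example:
           <windows_registry>HKEY_LOCAL_MACHINE\Software</windows_registry>
           <registry_ignore>..\Cryptography\RNG</registry_ignore>
         Only changes to existing registry entries raise alerts, not new entries. -->
  </syscheck>
</ossec_config>
```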