syscheck_control provides an interface for managing and viewing the integrity checking database.
-h              Display the help message.
-l              List available agents.
-lc             List only currently connected agents.
-u AGENT_ID     Updates (clears) the database for the agent. If "all" is used as the AGENT_ID, the syscheck databases for all agents are cleared.
-i AGENT_ID     Prints the database for the agent.
-r -i           List modified registry entries for the agent (Windows only).
-f <file>       Used with -i. Prints information about a modified file.
-z              Used with -f, zeroes the auto-ignore counter.
-d              Used with -f, ignores that file.
-s              Changes the output to CSV (comma delimited).
To retrieve information about files that were monitored by OSSEC and modified after OSSEC was deployed, run syscheck_control -i AGENT_ID.
# /var/ossec/bin/syscheck_control -i 002
Integrity changes for agent 'ossec-agent (002) - 192.168.1.86':
Changes for 2009 Dec 21:
2009 Dec 21 13:52:40,0 - /etc/authorization
2009 Dec 21 13:52:42,0 - /etc/cups/printers.conf
2009 Dec 21 13:52:42,0 - /etc/cups/printers.conf.O
2009 Dec 21 13:52:58,0 - /etc/postfix/main.cf.default
Changes for 2010 Jan 04:
2010 Jan 04 10:13:58,0 - /etc/authorization
Changes for 2010 Jan 06:
2010 Jan 06 09:45:43,0 - /etc/postfix/main.cf.default
Changes for 2010 Jan 18:
2010 Jan 18 09:18:51,0 - /etc/cups/printers.conf
2010 Jan 18 09:18:51,0 - /etc/cups/printers.conf.O
Changes for 2010 Feb 23:
2010 Feb 23 09:17:22,2 - /etc/cups/printers.conf
2010 Feb 23 09:17:22,2 - /etc/cups/printers.conf.O
Changes for 2010 Mar 24:
2010 Mar 24 08:42:52,3 - /etc/cups/printers.conf
2010 Mar 24 08:42:52,3 - /etc/cups/printers.conf.O
As you can see, this command provides an overview of file modifications.
If you need more detailed information about a file that was modified, you can use syscheck_control to view its integrity checking values.
The integrity checking values shown in the output are the file size, permissions, uid, gid, MD5 hash and SHA1 hash; a value prefixed with '>' is one that changed since the previous entry.
To retrieve this information, run syscheck_control -i AGENT_ID -f FILENAME:
# /var/ossec/bin/syscheck_control -i 002 -f /etc/authorization
Integrity changes for agent 'ossec-agent (002) - 192.168.1.86':
Detailed information for entries matching: '/etc/authorization'
2009 Dec 21 13:52:40,0 - /etc/authorization
File added to the database.
Integrity checking values:
Size: 27771
Perm: rw-r--r--
Uid: 0
Gid: 0
Md5: dd62912576ae05d611d7469be809cf1d
Sha1: 530df0283df52f0152b9e7ce1a518119b06ceebc
2010 Jan 04 10:13:58,0 - /etc/authorization
File changed. - 1st time modified.
Integrity checking values:
Size: >28050
Perm: rw-r--r--
Uid: 0
Gid: 0
Md5: >50da55def41bcede7d42ac5ee8fe12c9
Sha1: >97f4b2b48a97321a3e245221e0ea4353cf4fa8ef
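As an added example that is not part of the OSSEC documentation or tools, the following Python script parses the detailed output shown above (embedded here as a constructed sample) and reports which integrity checking values the '>' marker flags as changed. The number after the comma in each entry header is matched but not interpreted, since this page does not explain it.

```python
import re

# Constructed sample: the detailed "-i 002 -f /etc/authorization" output from above.
SAMPLE = """\
Integrity changes for agent 'ossec-agent (002) - 192.168.1.86':
2009 Dec 21 13:52:40,0 - /etc/authorization
File added to the database.
Integrity checking values:
Size: 27771
Perm: rw-r--r--
Uid: 0
Gid: 0
Md5: dd62912576ae05d611d7469be809cf1d
Sha1: 530df0283df52f0152b9e7ce1a518119b06ceebc
2010 Jan 04 10:13:58,0 - /etc/authorization
File changed. - 1st time modified.
Integrity checking values:
Size: >28050
Perm: rw-r--r--
Uid: 0
Gid: 0
Md5: >50da55def41bcede7d42ac5ee8fe12c9
Sha1: >97f4b2b48a97321a3e245221e0ea4353cf4fa8ef
"""

# Entry header: "<timestamp>,<number> - <path>" (the number is not explained on the page).
ENTRY_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}),(\d+) - (.+)$")
FIELDS = ("Size", "Perm", "Uid", "Gid", "Md5", "Sha1")

def parse_entries(text):
    """One dict per entry; a '>'-prefixed value marks a field reported as changed."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"time": m.group(1), "path": m.group(3),
                            "values": {}, "changed": set()})
            continue
        key, _, val = line.partition(":")   # header lines never use a FIELDS key
        if entries and key.strip() in FIELDS:
            val = val.strip()
            if val.startswith(">"):         # syscheck_control's changed-value marker
                val = val[1:]
                entries[-1]["changed"].add(key.strip())
            entries[-1]["values"][key.strip()] = val
    return entries

def changed_fields(text):
    """Map the timestamp of each entry that reports changes to its changed fields."""
    return {e["time"]: sorted(e["changed"]) for e in parse_entries(text) if e["changed"]}
```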
To clear the syscheck database for a certain agent, run the following command:
# /var/ossec/bin/syscheck_control -u 002
** Integrity check database updated.
syscheck_control -i 002 will now show that no modified files for that agent are in the database:
# /var/ossec/bin/syscheck_control -i 002
Integrity changes for agent 'ossec-agent (002) - 192.168.1.86':
** No entries found.
To clear the database for all agents and the server, run the following command:
# /var/ossec/bin/syscheck_control -u all
** Integrity check database updated.
The next time syscheck is run, the database will be populated again.