syscheck_control provides an interface for managing and viewing the integrity checking database.
Display the help message.
List available agents.
List only currently connected agents.
Updates (clear) the database for the agent.
Updates (clear) the database for all agents.
Prints database for the agent.
List modified registry entries for the agent (Windows only).
Used with -i. Prints information about a modified file.
Used with -f, zeroes the auto-ignore counter.
Used with -f, ignores that file.
Changes the output to CSV (comma delimited).
To retrieve information about files that were monitored by OSSEC and modified after OSSEC was deployed, run
# /var/ossec/bin/syscheck_control -i 002 Integrity changes for agent 'ossec-agent (002) - 192.168.1.86': Changes for 2009 Dec 21: 2009 Dec 21 13:52:40,0 - /etc/authorization 2009 Dec 21 13:52:42,0 - /etc/cups/printers.conf 2009 Dec 21 13:52:42,0 - /etc/cups/printers.conf.O 2009 Dec 21 13:52:58,0 - /etc/postfix/main.cf.default Changes for 2010 Jan 04: 2010 Jan 04 10:13:58,0 - /etc/authorization Changes for 2010 Jan 06: 2010 Jan 06 09:45:43,0 - /etc/postfix/main.cf.default Changes for 2010 Jan 18: 2010 Jan 18 09:18:51,0 - /etc/cups/printers.conf 2010 Jan 18 09:18:51,0 - /etc/cups/printers.conf.O Changes for 2010 Feb 23: 2010 Feb 23 09:17:22,2 - /etc/cups/printers.conf 2010 Feb 23 09:17:22,2 - /etc/cups/printers.conf.O Changes for 2010 Mar 24: 2010 Mar 24 08:42:52,3 - /etc/cups/printers.conf 2010 Mar 24 08:42:52,3 - /etc/cups/printers.conf.O
As you can see this command provides an overview about file modifications.
If you need to get more detailed information about a file that was modified you can use syscheck_control to view
The integrity checking values include
To retrieve this information, run
# /var/ossec/bin/syscheck_control -i 002 -f /etc/authorization Integrity changes for agent 'ossec-agent (002) - 192.168.1.86': Detailed information for entries matching: '/etc/authorization' 2009 Dec 21 13:52:40,0 - /etc/authorization File added to the database. Integrity checking values: Size: 27771 Perm: rw-r--r-- Uid: 0 Gid: 0 Md5: dd62912576ae05d611d7469be809cf1d Sha1: 530df0283df52f0152b9e7ce1a518119b06ceebc 2010 Jan 04 10:13:58,0 - /etc/authorization File changed. - 1st time modified. Integrity checking values: Size: >28050 Perm: rw-r--r-- Uid: 0 Gid: 0 Md5: >50da55def41bcede7d42ac5ee8fe12c9 Sha1: >97f4b2b48a97321a3e245221e0ea4353cf4fa8ef
To clear the syscheck database for a certain agent run the following command:
# /var/ossec/bin/syscheck_control -u 002 ** Integrity check database updated.
syscheck_control -i 002 will now show that no modified files for that agent are in the database:
# /var/ossec/bin/syscheck_control -i 002 Integrity changes for agent 'ossec-agent (002) - 192.168.1.86': ** No entries found.
To clear the database for all agents and the server run the following command:
# /var/ossec/bin/syscheck_control -u all ** Integrity check database updated.
The next time syscheck is run, the database will be populated again.