The goal of this article is to explain how to set up a basic File Integrity Monitoring (FIM) configuration using the syscheck component in OSSEC. After that, we will check the files being monitored using the Wazuh RESTful API.

Prerequisites

  • Wazuh HIDS v1.1
  • Wazuh RESTful API v1.2

Configure FIM in a Windows Agent

The syscheck daemon is the process that performs FIM in OSSEC; however, we need to set a few options in order to configure it.

On the OSSEC agent (your Windows host), open the file ossec.conf, usually located in the default installation folder C:\Program Files (x86)\ossec-agent, look for the <syscheck> section, then add the files or directories you need to monitor:

<directories check_all="yes" realtime="yes">C:\accounts</directories>
<directories check_all="yes">C:\credentials.txt</directories>

We will use the “realtime” option to monitor live changes in the accounts folder. Restart your agent to apply the changes.

OSSEC will need some time to process and create the file integrity table. This time depends on how many directories and files the syscheck component needs to scan. You can monitor the progress of the syscheck scans by opening the ossec.log file and searching for:

2016/03/28 17:04:03 ossec-agent: INFO: Starting syscheck database (pre-scan).
2016/03/29 16:20:23 ossec-agent: INFO: Ending syscheck scan (forwarding database).

The default syscheck scan interval is every 20 hours (72000 seconds). You can lower this value (so scans run more often) by adjusting the frequency option in ossec.conf; see the example below for usage:

<frequency>72000</frequency>

Once the syscheck scan has ended, open and modify a file in the accounts folder or the credentials.txt file. An alert will then be generated on your OSSEC Manager (alerts.json):

{
"rule": {
"level": 7,
"comment": "Integrity checksum changed.",
"PCI_DSS": [ "11.5"]
},
…
"SyscheckFile": {
"path": "C:\accounts.txt",
"md5_before": "7bf3880ad4b4cff00fc74e8623a05702",
"md5_after": "131fb740c57e46a95c72c1eb5da41d48",
"sha1_before": "76b24bd27bdf987770ed08640a865326a7098f91",
"sha1_after": "33988d7f719e08e272a5de9ea37fc541f899fa70"
},
"hostname": "vpc-agent-windows",
"agentip": "10.0.0.12",
"timestamp": "2016 Apr 01 11:28:56",
"location": "syscheck"
}

Monitor files status using the RESTful API

In this article we will use the Wazuh RESTful API version 1.2, which lets us review all the files being monitored on every agent. Looking at the API documentation, there are different types of requests; in this case we are using:

GET /syscheck/:agent_id/files/changed

Run the request using your preferred tool (your web browser, PowerShell, shell scripting, Python scripts, PHP…). A simple way to do this is to open your web browser and enter the URL:

https://your_api_ip:55000/syscheck/your_windows_agent_id/files/changed

The files/changed request will give us an overview of every file being monitored, showing us the following information:

{
date: "2016 Apr 06 10:01:17",
file: "c:/accounts/password-user1.txt",
changes: 2
},
{
date: "2016 Apr 06 10:01:30",
file: "c:/accounts/passwords.txt",
changes: 3
},
{
date: "2016 Apr 06 10:02:45",
file: "c:/credentials.txt",
changes: 2
}

File: Name and path of the file.
Changes: How many times the file has been modified.
Date: Most recent file change (if changes=0, this is the date when OSSEC started to monitor the file)

Finally, we can get detailed information about a specific file by adding the filename parameter to the request:

https://your_api_ip:55000/syscheck/your_windows_agent_id/files/changed?filename=credentials.txt

{
date: "2016 Apr 06 08:15:20",
file: "c:/tmp/credentials.txt",
changes: 2,
attrs: {
event: "modified",
size: "26",
mode: 0,
perm: "",
uid: "",
gid: "",
md5: "6c2477ab9b4afc088cb7978f532ae834",
sha1: "5e6f3d8a90824c3f2f63860059589ac1e8dedddb"
}
},
{
date: "2016 Apr 06 10:02:45",
file: "c:/tmp/credentials.txt",
changes: 2,
attrs: {
event: "modified",
size: "25",
mode: 0,
perm: "",
uid: "",
gid: "",
md5: "cdc7fc07b3b0d4cc36db9eb833ec61cb",
sha1: "9fa7885a2212aae3cac4e386b296acacb182aa43"
}
}
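As an added example (not code from the article, nor from OSSEC or Wazuh), the following Python script issues the files/changed request and compares the newest sha1 the API reports for each path against an approved baseline, so that unexpected drift stands out without reading every record by hand. The API URL, credentials, agent id, and the sample paths and hashes are placeholders or constructed values, and accepting a {"response": [...]} envelope in addition to a bare list is an assumption about the API's JSON wrapping.

```python
import json
import urllib.parse
import urllib.request
from base64 import b64encode
from datetime import datetime
def fetch_changed_files(base_url, agent_id, user, password, filename=None):
    """GET /syscheck/:agent_id/files/changed over HTTPS with HTTP Basic auth."""
    url = f"{base_url}/syscheck/{agent_id}/files/changed"
    if filename:
        url += "?filename=" + urllib.parse.quote(filename)
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + b64encode(f"{user}:{password}".encode()).decode())
    # urlopen verifies the server certificate by default; trust the API's CA rather than disabling checks
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_changed(resp.read().decode())

def parse_changed(body):
    """Parse the JSON body; accepts a bare list or an {"response": [...]} envelope (assumption)."""
    data = json.loads(body)
    entries = data["response"] if isinstance(data, dict) else data
    for e in entries:  # "2016 Apr 06 10:02:45" -> datetime, so records can be ordered
        e["when"] = datetime.strptime(e["date"], "%Y %b %d %H:%M:%S")
    return entries

def latest_per_file(entries):
    """Keep only the most recent record for each monitored path."""
    latest = {}
    for e in entries:
        if e["file"] not in latest or e["when"] > latest[e["file"]]["when"]:
            latest[e["file"]] = e
    return latest

def check_baseline(entries, baseline):
    """Return (path, expected_sha1, observed_sha1) for files whose newest sha1 left the baseline."""
    drift = []
    for path, e in latest_per_file(entries).items():
        observed = e.get("attrs", {}).get("sha1")
        if path in baseline and observed != baseline[path]:
            drift.append((path, baseline[path], observed))
    return sorted(drift)
# Constructed sample response in the shape the article shows (paths and hashes are made up).
SAMPLE_BODY = json.dumps([
    {"date": "2016 Apr 06 08:15:20", "file": "c:/tmp/credentials.txt", "changes": 2,
     "attrs": {"event": "modified", "size": "26", "sha1": "aaaa0000"}},
    {"date": "2016 Apr 06 10:02:45", "file": "c:/tmp/credentials.txt", "changes": 2,
     "attrs": {"event": "modified", "size": "25", "sha1": "bbbb1111"}},
    {"date": "2016 Apr 06 10:01:30", "file": "c:/accounts/passwords.txt", "changes": 0,
     "attrs": {"event": "added", "size": "40", "sha1": "cccc2222"}},
])
BASELINE = {"c:/tmp/credentials.txt": "aaaa0000", "c:/accounts/passwords.txt": "cccc2222"}
```

Against a live manager, call fetch_changed_files("https://your_api_ip:55000", "your_windows_agent_id", user, password) and pass the result to check_baseline with a baseline you recorded after the first clean scan.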

Lastly, remember that for these features to work you need both Wazuh HIDS and the Wazuh RESTful API installed.

References:

Github repository of Wazuh HIDS
Wazuh HIDS documentation
Github repository of Wazuh API
RESTful API documentation