
Write md5 and sha1 checksums for newly added files. #1940

Merged (1 commit), Dec 20, 2020

Commits on Dec 16, 2020

  1. Naive solution for ossec#314 - Write md5 and sha1 checksums for newly added files.

    Summary:
    OSSEC records checksums (both old and new) for files it is configured to monitor via syscheck.

    Example:
    ```
    ** Alert 1589082701.1481730: mail  - ossec,syscheck,
    2020 May 09 23:51:41 localhost->syscheck
    Rule: 550 (level 7) -> 'Integrity checksum changed.'
    Integrity checksum changed for: '/etc/yum.conf'
    Size changed from '978' to '970'
    Old md5sum was: 'c9db7a8874a8d889fa9b6336a4a7ea04'
    New md5sum is : 'a7dc0d7b8902e9c8c096c93eb431d19e'
    Old sha1sum was: 'b02997d3c3fa9322132c8cf1e42f4462ddcda362'
    New sha1sum is : 'e0637e631f4ab0aaebef1a6b8822a36f031f332e'
    ```

    When configured to alert on new file creation, it does not record similar checksums. We would like these so we can record them in our SIEM and attempt to determine if they are known malicious via threat intelligence systems.

    Example before this change:

    ```
    ** Alert 1589082690.1481191: - ossec,syscheck,
    2020 May 09 23:51:30 localhost->syscheck
    Rule: 554 (level 5) -> 'File added to the system.'
    New file '/etc/.yum.conf.swp' added to the file system.
    ```

    Example after this change:

    ```
    ** Alert 1589082690.1481191: - ossec,syscheck,
    2020 May 09 23:51:30 localhost->syscheck
    Rule: 554 (level 5) -> 'File added to the system.'
    New file '/etc/.yum.conf.swp' added to the file system.
    New sha1sum is : '1cf120af022f6acc955a5ef70e74f1f7eb604c3f'
    New md5sum is : 'bd00d635ca6302c622968688760993d8'
    ```

    Test Plan: Confirmed that new file alerts include sha1 and md5 checksums both in OSSEC's alerts.log and also in syslog data OSSEC can be optionally configured to generate.
    sterling committed Dec 16, 2020 (commit a6739d6)
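The commit message motivates the change with SIEM ingestion: once rule 554 alerts carry checksums, a collector can pull (path, sha1, md5) out of alerts.log and hand them to a threat-intelligence lookup. The parser below is an added illustration of that consumer side, not OSSEC code and not part of this PR; it is fed a constructed sample built from the two alert formats quoted above, and the `SyscheckEvent` fields and function names are my own naming.

```python
import re
from dataclasses import dataclass
# Constructed alerts.log sample, modelled on the commit message's two excerpts:
# a rule 550 checksum change and a rule 554 new-file alert (post-change format).
SAMPLE_ALERTS = """\
** Alert 1589082701.1481730: mail  - ossec,syscheck,
2020 May 09 23:51:41 localhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/yum.conf'
Old md5sum was: 'c9db7a8874a8d889fa9b6336a4a7ea04'
New md5sum is : 'a7dc0d7b8902e9c8c096c93eb431d19e'
Old sha1sum was: 'b02997d3c3fa9322132c8cf1e42f4462ddcda362'
New sha1sum is : 'e0637e631f4ab0aaebef1a6b8822a36f031f332e'

** Alert 1589082690.1481191: - ossec,syscheck,
2020 May 09 23:51:30 localhost->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/.yum.conf.swp' added to the file system.
New sha1sum is : '1cf120af022f6acc955a5ef70e74f1f7eb604c3f'
New md5sum is : 'bd00d635ca6302c622968688760993d8'
"""
ALERT_RE = re.compile(r"^\*\* Alert (\d+\.\d+):", re.M)
RULE_RE = re.compile(r"^Rule: (\d+) \(level \d+\)", re.M)
PATH_RE = re.compile(r"^(?:Integrity checksum changed for: |New file )'([^']+)'", re.M)
HASH_RE = re.compile(r"^(Old|New) (md5|sha1)sum (?:was|is)\s*:\s*'([0-9a-fA-F]+)'", re.M)

@dataclass
class SyscheckEvent:
    alert_id: str
    rule: int
    path: str
    old_md5: str = None   # stays None when the alert carries no such line
    new_md5: str = None
    old_sha1: str = None
    new_sha1: str = None

def parse_syscheck_alerts(text):
    """Split alerts.log on '** Alert' headers; pull rule, path and checksums."""
    events, starts = [], [m.start() for m in ALERT_RE.finditer(text)]
    for start, end in zip(starts, starts[1:] + [len(text)]):
        block = text[start:end]
        rule, path = RULE_RE.search(block), PATH_RE.search(block)
        if not (rule and path):
            continue  # not a syscheck alert in a shape we recognise
        ev = SyscheckEvent(ALERT_RE.match(block).group(1), int(rule.group(1)), path.group(1))
        for age, algo, digest in HASH_RE.findall(block):
            setattr(ev, f"{age.lower()}_{algo}", digest.lower())  # e.g. new_sha1
        events.append(ev)
    return events

def new_file_hashes(events):
    """(path, sha1, md5) per rule 554 alert; pre-change builds yield None hashes."""
    return [(e.path, e.new_sha1, e.new_md5) for e in events if e.rule == 554]
```

Because the parser tolerates missing checksum lines, the same collector works against agents that have not yet picked up this change; those new-file events simply arrive without hashes to look up.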