How it works

  1. The Wazuh agent scans the system and sends the checksums and attributes of monitored files and Windows registry keys to the Wazuh manager. The following options are configurable:

  • Frequency: By default, syscheck runs every 6 hours.

  • Real-time monitoring: Wazuh supports real-time file integrity monitoring on servers running Windows or Linux. Note that the real-time option can only be used for directories and not for individual files.

  2. The Wazuh manager stores the checksums and attributes of the monitored files and looks for modifications by comparing the new values to the old values.

Note

Syscheck can be configured to report a diff summary of the actual changes made to text files.

  3. An alert is generated any time that modifications are detected in the monitored files and/or registry keys.

False positives can be addressed using the ignore configuration option or by creating rules that list files to be excluded from FIM alerts.

Alert example, generated by syscheck:

** Alert 1460948255.25442: mail  - ossec,syscheck,pci_dss_11.5,
2016 Apr 17 19:57:35 (ubuntu) 10.0.0.144->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/test/hello'
Size changed from '12' to '17'
Old md5sum was: 'e59ff97941044f85df5297e1c302d260'
New md5sum is : '7947eba5d9cc58d440fb06912e302949'
Old sha1sum was: '648a6a6ffffdaa0badb23b8baf90b6168dd16b3a'
New sha1sum is : '379b74ac9b2d2b09ff6ad7fa876c79f914a755e1'
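The agent/manager flow described above, as an added example that is not Wazuh's own code: a minimal Python model of syscheck that scans monitored files (size, md5, sha1), compares a new scan against the stored baseline, skips paths covered by an ignore list, and produces a diff summary for text files while reporting binary files by checksum only. The files are constructed in a temporary directory, with sizes chosen to match the alert above (12 to 17 bytes).

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def file_state(path):
    """Agent side: size, md5 and sha1 of one file (the attributes the alert above reports)."""
    data = Path(path).read_bytes()
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(), "content": data}

def scan(paths):
    """Agent side: checksum/attribute table for every monitored file that exists."""
    return {str(p): file_state(p) for p in paths if Path(p).is_file()}

def compare(baseline, current, ignore=()):
    """Manager side: compare new values to the stored ones; one record per changed file.
    `ignore` mirrors syscheck's ignore option: paths starting with these prefixes never alert."""
    changes = []
    for path, new in current.items():
        old = baseline.get(path)
        if old is None or path.startswith(tuple(ignore)):
            continue
        if old["md5"] == new["md5"] and old["sha1"] == new["sha1"]:
            continue
        rec = {"path": path, "old_size": old["size"], "new_size": new["size"],
               "old_md5": old["md5"], "new_md5": new["md5"],
               "old_sha1": old["sha1"], "new_sha1": new["sha1"], "diff": None}
        try:  # diff summary only for text files; binary content is reported by checksum alone
            before = old["content"].decode("utf-8").splitlines()
            after = new["content"].decode("utf-8").splitlines()
            rec["diff"] = "\n".join(difflib.unified_diff(before, after, "old", "new", lineterm=""))
        except UnicodeDecodeError:
            pass
        changes.append(rec)
    return changes

def demo():
    """Constructed scenario: scan two files, edit one, rescan and compare (sizes as in the alert above)."""
    tmp = Path(tempfile.mkdtemp())
    hello, conf = tmp / "hello", tmp / "app.conf"
    hello.write_text("hello world\n")        # 12 bytes, the alert's old size
    conf.write_text("debug=false\n")         # unchanged between scans, so no record
    baseline = scan([hello, conf])
    hello.write_text("hello new world!\n")   # 17 bytes, the alert's new size
    return compare(baseline, scan([hello, conf]))
```

Calling demo() returns one change record for the edited file, carrying the old and new size, md5 and sha1 plus a unified diff of the text change.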