Host-based anomaly detection event (rootcheck)

[llehirgen]

I use dokku in a Ubuntu 18.04 LTS machine.

I received the following alerts concerning files hidden in a long list of directories:

Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Files hidden inside directory '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/man'. Link count does not match number of files (26,1).

Then again:

Files hidden inside directory '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/dpkg'. Link count does not match number of files (2,1).

And so on for a list of 104 directories, like '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/sbin' or '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/bin' etc etc

How am I expected to interpret these alerts? What am I expected to do?

[dan (ddp)]

rootcheck doesn't understand overlay filesystem stuff yet. There is at
least 1 issue open on the topic (at
https://github.com/ossec/ossec-hids/issues).


>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/4a32402e-71c6-4b0c-92bb-3007b742ac19%40googlegroups.com.