[urgent] Files hidden inside directory. Link count does not match number of files?

gon...@seagroup.com

Feb 4, 2018, 11:33:08 PM
to ossec-list

Hi all,

I came across this issue:
Files hidden inside directory '/var/lib/docker/overlay2/xxxxxxxxxxxxx/merged/root/go/src'. Link count does not match number of files (4,1).
on many servers. However, when I checked the OSSEC configuration file on those servers, there is no /var/lib/docker/overlay2 directory written in the configuration file.

What I guess: on one server of those clusters, I need to monitor the file integrity of this server under /var/lib/docker/overlay2/xxxxxxxxxxxxx. However, the file name is too complicated, so what I did is I generated a number to link to those complicated directories. I am not really sure whether this is the problem that causes the above alert to come out on other servers. (PS: those servers connect to the same OSSEC manager server.)

Thank you for helping, guys. Urgent now.



best regards,

kaiwen

      

dan (ddp)

Feb 15, 2018, 7:19:07 AM
to ossec...@googlegroups.com
On Sun, Feb 4, 2018 at 11:33 PM, <gon...@seagroup.com> wrote:
>
> Hi all,
>
> I came across this issue:
> Files hidden inside directory '/var/lib/docker/overlay2/xxxxxxxxxxxxx/merged/root/go/src'. Link count does not match number of files (4,1).
> on many servers. However, when I checked the OSSEC configuration file on those servers, there is no /var/lib/docker/overlay2 directory written in the configuration file.
>
> What I guess: on one server of those clusters, I need to monitor the file integrity of this server under /var/lib/docker/overlay2/xxxxxxxxxxxxx. However, the file name is too complicated, so what I did is I generated a number to link to those complicated directories. I am not really sure whether this is the problem that causes the above alert to come out on other servers. (PS: those servers connect to the same OSSEC manager server.)
>
>

This is a rootcheck alert, not syscheck. I know rootcheck has some
issues with these overlay filesystems, but I haven't really gotten a
chance to look into it to see what can be done.

>
> Thank you for helping, guys. Urgent now.
>
>
>
> best regards,
>
> kaiwen

Glen Peterson

Mar 31, 2020, 11:24:11 AM
to ossec-list
This is still an issue with:
 - OSSEC HIDS v3.6.0
 - Docker version 19.03.6, build 369ce74a3c
 - Ubuntu 18.04 amd-64 4.15.0-91-generic

OSSEC HIDS Notification.
2020 Mar 30 16:07:38

Received From: 1043003-app1->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Files hidden inside directory '/var/lib/docker/overlay2/be359.../merged/var/lib/dpkg/alternatives'. Link count does not match number of files (2,1).


I found the following which may be helpful:

Is it "fixed" in wazuh?  Is that the right fix?



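The rootcheck alert quoted in this thread can be triaged mechanically. The following is an added example, not part of the original posts and not OSSEC's own code: it assumes the two numbers in the alert are (directory entries counted, link count) and that overlay directories report a link count of 1, as the (4,1) and (2,1) values above suggest. The function names and the third sample line are constructed for illustration.

```python
import os
import re

# Alert format as quoted in this thread. Assumption: the pair is
# (directory entries counted, st_nlink of the directory).
ALERT_RE = re.compile(
    r"Files hidden inside directory '(?P<path>[^']+)'\. "
    r"Link count does not match number of files \((?P<entries>\d+),(?P<nlink>\d+)\)"
)
# Docker overlay2 location seen in the alerts above.
OVERLAY_PREFIX = "/var/lib/docker/overlay2/"


def count_directory_entries(path):
    """Count '.', '..' and every subdirectory: on a classic Unix
    filesystem this equals the directory's hard-link count."""
    with os.scandir(path) as entries:
        return 2 + sum(1 for e in entries if e.is_dir(follow_symlinks=False))


def link_count_mismatch(path):
    """Simplified form of the comparison the alert describes.
    Returns (entries, nlink) when they differ, otherwise None."""
    entries = count_directory_entries(path)
    nlink = os.lstat(path).st_nlink
    return (entries, nlink) if entries != nlink else None


def triage(alert_line):
    """Classify one alert line; None if it is not this rootcheck alert."""
    m = ALERT_RE.search(alert_line)
    if m is None:
        return None
    path, entries, nlink = m["path"], int(m["entries"]), int(m["nlink"])
    # Assumption: overlay directories report nlink == 1 regardless of
    # how many subdirectories they hold, so the comparison cannot match.
    artifact = path.startswith(OVERLAY_PREFIX) and nlink == 1
    verdict = "likely-overlay-artifact" if artifact else "investigate"
    return {"path": path, "entries": entries, "nlink": nlink, "verdict": verdict}


if __name__ == "__main__":
    prefix = "Files hidden inside directory "
    suffix = " Link count does not match number of files "
    samples = [  # first two paths/counts are from the thread, third is constructed
        prefix + "'/var/lib/docker/overlay2/xxxxxxxxxxxxx/merged/root/go/src'." + suffix + "(4,1).",
        prefix + "'/var/lib/docker/overlay2/be359.../merged/var/lib/dpkg/alternatives'." + suffix + "(2,1).",
        prefix + "'/opt/app/data'." + suffix + "(5,3).",
    ]
    for line in samples:
        print(triage(line))
```

Alerts that come back as "investigate" (a path outside the overlay tree, or a link count other than 1) are the ones that still deserve a manual look at the directory.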