Certificates added and removed from Wazuh everyday


eowyn.w...@gmail.com

Mar 20, 2023, 2:26:55 PM3/20/23
to Wazuh mailing list
Hello, we are using Wazuh 4.3.5 revision 4306 in a docker container on linux and seeing the following files added and removed from /etc/pki/nssdb everyday on all of our servers.

Mar 20, 2023 @ 08:03:46.652 <snip> /etc/pki/nssdb//secmod.db deleted File deleted. 7 553
Mar 20, 2023 @ 08:03:46.650 <snip> /etc/pki/nssdb//pkcs11.txt deleted File deleted. 7 553
Mar 20, 2023 @ 08:03:46.648 <snip> /etc/pki/nssdb//key4.db deleted File deleted. 7 553
Mar 20, 2023 @ 08:03:46.645 <snip> /etc/pki/nssdb//key3.db deleted File deleted. 7 553
Mar 20, 2023 @ 08:03:46.643 <snip> /etc/pki/nssdb//cert8.db deleted File deleted. 7 553
Mar 20, 2023 @ 08:03:46.643 <snip> /etc/pki/nssdb//cert9.db deleted File deleted. 7 553
Mar 20, 2023 @ 08:03:09.127 <snip> /etc/pki/nssdb//secmod.db added File added to the system. 5 554
Mar 20, 2023 @ 08:03:09.127 <snip> /etc/pki/nssdb//pkcs11.txt added File added to the system. 5 554
Mar 20, 2023 @ 08:03:09.087 <snip> /etc/pki/nssdb//key4.db added File added to the system. 5 554
Mar 20, 2023 @ 08:03:09.087 <snip> /etc/pki/nssdb//key3.db added File added to the system. 5 554
Mar 20, 2023 @ 08:03:09.086 <snip> /etc/pki/nssdb//cert9.db added File added to the system. 5 554
Mar 20, 2023 @ 08:03:09.082 <snip> /etc/pki/nssdb//cert8.db added File added to the system. 5 554

I am pretty sure it is Wazuh making the changes because I also see this in the audit log:

type=SYSCALL msg=audit(1679301133.403:80431): arch=c000003e syscall=83 success=yes exit=0 a0=1643210 a1=1c0 a2=455e a3=64181a0d items=2 ppid=1887 pid=11848 auid=4294967295 uid=0 gid=990 euid=0 suid=0 fsuid=0 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:unconfined_service_t:s0 key="wazuh_fim"
type=CWD msg=audit(1679301133.403:80431):  cwd="/var/ossec"
type=PATH msg=audit(1679301133.403:80431): item=0 name="/etc/pki/nssdb/" inode=134314287 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1679301133.403:80431): item=1 name="/etc/pki/nssdb/dbTemp.vJoseG" inode=469766950 dev=fd:00 mode=040700 ouid=0 ogid=990 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1679301133.403:80431): proctitle=2F7573722F62696E2F707974686F6E002F7573722F62696E2F79756D00636865636B2D757064617465002D2D7365637572697479
type=SYSCALL msg=audit(1679301133.436:80432): arch=c000003e syscall=84 success=yes exit=0 a0=1643210 a1=7ffe2d090a30 a2=267 a3=2e items=3 ppid=1887 pid=11848 auid=4294967295 uid=0 gid=990 euid=0 suid=0 fsuid=0 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:unconfined_service_t:s0 key="wazuh_fim"
type=CWD msg=audit(1679301133.436:80432):  cwd="/var/ossec"
type=PATH msg=audit(1679301133.436:80432): item=0 name="/etc/pki/nssdb/" inode=134314287 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1679301133.436:80432): item=1 name=(null) inode=134314287 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1679301133.436:80432): item=2 name=(null) inode=469766950 dev=fd:00 mode=040700 ouid=0 ogid=990 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1679301133.436:80432): proctitle=2F7573722F62696E2F707974686F6E002F7573722F62696E2F79756D00636865636B2D757064617465002D2D7365637572697479
type=SYSCALL msg=audit(1679301133.438:80433): arch=c000003e syscall=2 success=yes exit=10 a0=1644020 a1=80042 a2=1a4 a3=1644020 items=2 ppid=1887 pid=11848 auid=4294967295 uid=0 gid=990 euid=0 suid=0 fsuid=0 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:unconfined_service_t:s0 key="wazuh_fim"
type=CWD msg=audit(1679301133.438:80433):  cwd="/var/ossec"
type=PATH msg=audit(1679301133.438:80433): item=0 name="/etc/pki/nssdb/cert9.db" inode=134314290 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1679301133.438:80433): item=1 name="/etc/pki/nssdb/" inode=134314287 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1679301133.438:80433): proctitle=2F7573722F62696E2F707974686F6E002F7573722F62696E2F79756D00636865636B2D757064617465002D2D7365637572697479
type=SYSCALL msg=audit(1679301133.474:80434): arch=c000003e syscall=2 success=yes exit=11 a0=1656280 a1=80042 a2=1a4 a3=1656280 items=2 ppid=1887 pid=11848 auid=4294967295 uid=0 gid=990 euid=0 suid=0 fsuid=0 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:unconfined_service_t:s0 key="wazuh_fim"
type=CWD msg=audit(1679301133.474:80434):  cwd="/var/ossec"
type=PATH msg=audit(1679301133.474:80434): item=0 name="/etc/pki/nssdb/key4.db" inode=134314292 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1679301133.474:80434): item=1 name="/etc/pki/nssdb/" inode=134314287 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Is there something I missed in the install process or is this normal behavior for Wazuh?
Thank you,
--Nicole
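The audit records above already carry the answer to "which process touched these files" in their comm, exe and hex-encoded proctitle fields. The following is an added example (not part of the post and not Wazuh code) that stitches the SYSCALL/PATH/PROCTITLE records of one audit serial into a single event, decodes the proctitle and names the x86_64 syscall numbers that appear in the log; the sample input is trimmed from the post's own records.

```python
import re
from collections import defaultdict

# Audit records from the original post, trimmed to the fields this parser uses.
SAMPLE = r"""
type=SYSCALL msg=audit(1679301133.403:80431): arch=c000003e syscall=83 success=yes comm="yum" exe="/usr/bin/python2.7" key="wazuh_fim"
type=CWD msg=audit(1679301133.403:80431):  cwd="/var/ossec"
type=PATH msg=audit(1679301133.403:80431): item=0 name="/etc/pki/nssdb/" objtype=PARENT
type=PATH msg=audit(1679301133.403:80431): item=1 name="/etc/pki/nssdb/dbTemp.vJoseG" objtype=CREATE
type=PROCTITLE msg=audit(1679301133.403:80431): proctitle=2F7573722F62696E2F707974686F6E002F7573722F62696E2F79756D00636865636B2D757064617465002D2D7365637572697479
type=SYSCALL msg=audit(1679301133.436:80432): arch=c000003e syscall=84 success=yes comm="yum" exe="/usr/bin/python2.7" key="wazuh_fim"
type=PATH msg=audit(1679301133.436:80432): item=2 name=(null) inode=469766950 objtype=DELETE
type=PROCTITLE msg=audit(1679301133.436:80432): proctitle=2F7573722F62696E2F707974686F6E002F7573722F62696E2F79756D00636865636B2D757064617465002D2D7365637572697479
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
# x86_64 (arch=c000003e) syscall numbers that occur in the post's records
SYSCALL_NAMES = {"2": "open", "83": "mkdir", "84": "rmdir"}

def parse_fields(line):
    """key=value pairs; quoted values lose their quotes, (null) stays literal."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD.findall(line)}

def decode_proctitle(value):
    """auditd hex-encodes proctitle when it contains NULs; argv entries are NUL-separated."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", value):
        return [value]  # plain quoted form, nothing to decode
    return [a for a in bytes.fromhex(value).decode("utf-8", "replace").split("\0") if a]

def group_events(text):
    """Stitch SYSCALL/PATH/PROCTITLE records sharing one audit serial into one event."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.strip().splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        f, ev = parse_fields(line), events[m.group(2)]
        ev["ts"] = m.group(1)
        if f["type"] == "SYSCALL":
            ev.update(comm=f.get("comm"), exe=f.get("exe"), key=f.get("key"),
                      syscall=SYSCALL_NAMES.get(f.get("syscall"), f.get("syscall")))
        elif f["type"] == "PATH" and f.get("objtype") != "PARENT":
            ev["paths"].append((f.get("objtype"), f.get("name"), f.get("inode")))
        elif f["type"] == "PROCTITLE":
            ev["argv"] = decode_proctitle(f["proctitle"])
    return dict(events)

def attribute(text):
    """One summary line per event: which command, doing which syscall, to which path."""
    return [f'{e["ts"]} {e.get("syscall")} by {e.get("exe")} argv={" ".join(e.get("argv", []))} -> {e["paths"]}'
            for _, e in sorted(group_events(text).items())]

if __name__ == "__main__":
    print("\n".join(attribute(SAMPLE)))
```

Run against the trimmed records, the decoded proctitle of both events is `/usr/bin/python /usr/bin/yum check-update --security`, so the nssdb churn lines up with a scheduled security-update check rather than with the Wazuh agent itself.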

elw...@wazuh.com

Mar 21, 2023, 4:36:02 AM3/21/23
to Wazuh mailing list
Hello Nicole,

Can you please tell me which guide you followed to install Wazuh? And by changes on all servers, do you mean that the Wazuh manager is causing this to occur on all Wazuh agents?

It is not expected behavior, and it might be related to the behavior of NSS itself; see for example https://www.reddit.com/r/linuxquestions/comments/nljj3f/nss_keeps_putting_pki_directory_in_my_home_even/.

Wazuh does not change/delete any files; you might enable `whodata` over the folder `/etc/pki/nssdb` to get more insight into which process is performing the changes.

Regards,
Wali

eowyn.w...@gmail.com

Mar 21, 2023, 1:31:19 PM3/21/23
to Wazuh mailing list
Thanks for getting back to me. For the install, I used the Deployment on Docker steps from the Wazuh site. What I am seeing when reviewing FIM events in Wazuh is that these files in the /etc/pki/nssdb/ directory always say 'deleted' and 'file added to the system' each day (see the complete list in the original post). The timestamp on the files never changes, but the nssdb directory's does. I'll review the link you provided.

Thank you,
--Nicole

Nicole Taylor

Mar 21, 2023, 1:50:49 PM3/21/23
to Wazuh mailing list
After reading through the link you sent and reviewing the audit logs again, I think this is being triggered by yum and python; Wazuh is just detecting the changes. I will need to dig a little deeper.
Thank you for your help.
--Nicole


elw...@wazuh.com

Mar 22, 2023, 5:57:23 AM3/22/23
to Wazuh mailing list
You're welcome Nicole.

Do not hesitate to reach out to us whenever needed.

Regards,
Wali