Integrity checksum changed - Unusual or Usual 550 rule alert?


Gal Akavia

Sep 9, 2021, 3:30:32 PM
to Wazuh mailing list
Hi all. I tried to find an explanation for this, but unfortunately I didn't find any answers.
I get a lot of Wazuh alerts for rule 550 syscheck_integrity_changed, on both Windows and Linux machines.
1. On Windows, a few days ago I made a test file in the Startup folder and didn't delete it, so I got this alert today (no one from my team touched it) >>
'File c:/programdata/microsoft/windows/start menu/programs/startup/test_wazuh2.txt modified Mode: realtime Changed attributes: permission Permissions changed. '
There is nothing in that .txt file, and I didn't find any explanation for it, not in Microsoft support/forums or anywhere else.

2. Just one example on an Ubuntu machine.
I know the type of the file, and I don't have any scheduled tasks in my crontab for it, so how is this a scheduled task? >>
'File /usr/bin/cpio modified Mode: scheduled Changed attributes: size,mtime,inode,md5,sha1,sha256 Size changed from 165504 to 140928 Old modification time was: 1600341378 , now it is 1629888647 Old inode was: 131663 , now it is 131927 Old md5sum was: ae7d0cc3c8f720d21ce8721281a0a4d0 New md5sum is : edeccdb10332fab2e0be9eb87477be0b Old sha1sum was: 9dcbffa1798e9fa1de6be7ac43bcb74b71609b8e New sha1sum is : cf2815a51a1c7452ae145d8273371b2da3f93c9d Old sha256sum was: fa0f282e7a32050483a44655f0ba1ac739c4e6db3495afd1115381a13ec6892b New sha256sum is : 4b7ed2951c779b4a8151044a4c74fed424d3a4e7ebe5704eb687b2e8a4d07bcb '

Is that normal activity on both Windows and Linux machines?
Thank you !

antonio....@wazuh.com

Sep 10, 2021, 2:57:07 AM
to Wazuh mailing list
Hello @gulguly64

FIM can produce a lot of noise when it is not configured properly. In order to debug this, we will need more information:
- Wazuh Version.
- Syscheck configuration stanza.
- OS

If you take a look at the Windows alert, FIM found that the permissions of the file changed. Take a look at the alert to check the new permissions of that file to see if they are correct or not.
In the case of Linux, the binary that changed was `cpio`. This alert may be triggered by a system update. Have you updated your system recently?
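The reply above suggests a system update as the likely cause of the cpio alert. The way a responder would actually confirm that on the Ubuntu host is to compare the binary against what the installed package shipped and look for a package transaction around the new mtime in the alert (1629888647 is 2021-08-25 10:50:47 UTC). On a real host the inputs are `dpkg -S /usr/bin/cpio` to name the package, its manifest at `/var/lib/dpkg/info/cpio.md5sums` (which `dpkg -V cpio` checks for you), and `/var/log/apt/history.log`. The script below is an added example written for this thread, not Wazuh tooling or anything from the original posts; it takes the manifest, root and log as parameters and runs against constructed sample files from `build_demo` so it can be executed anywhere. The new md5 in the alert, edeccdb10332fab2e0be9eb87477be0b, can be compared directly against the manifest entry for usr/bin/cpio the same way.

```shell
#!/bin/sh
# Added example for this thread, not Wazuh's own tooling: decide whether a
# syscheck-reported change to a binary is explained by a package update by
# (1) checking the file against dpkg's md5sums manifest and (2) looking for
# an apt transaction for the package. On a real Ubuntu host the manifest is
# /var/lib/dpkg/info/cpio.md5sums, the root is /, and the log is
# /var/log/apt/history.log; here they are parameters and build_demo creates
# constructed stand-ins.

# verify_against_manifest MANIFEST ROOT
# MANIFEST uses dpkg's md5sums format: "<md5>  <path relative to />" per line.
# Prints OK / MISMATCH / MISSING per entry; returns 1 if anything differs.
verify_against_manifest() {
    manifest=$1
    root=$2
    status=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue   # skip blank lines
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (manifest $expected, on disk $actual)"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# apt_history_mentions PKG LOGFILE
# Returns 0 if an Install/Upgrade/Reinstall transaction in an apt history.log
# touched PKG (entries look like "Upgrade: cpio:amd64 (old, new), ...").
apt_history_mentions() {
    grep -E '^(Install|Upgrade|Reinstall): ' "$2" |
        grep -qE "(: |, )$1(:[^ ]+)? \("
}

# build_demo DIR: constructed sample data for this example, not real system
# files. cpio is rewritten after the manifest is generated, so it mismatches;
# gzip is left alone, so it matches. The apt entry is dated to the new mtime
# from the alert quoted in the thread (1629888647 = 2021-08-25 10:50:47 UTC);
# package versions are placeholders.
build_demo() {
    dir=$1
    mkdir -p "$dir/root/usr/bin"
    printf 'original cpio\n' > "$dir/root/usr/bin/cpio"
    printf 'original gzip\n' > "$dir/root/usr/bin/gzip"
    for name in cpio gzip; do
        printf '%s  usr/bin/%s\n' \
            "$(md5sum "$dir/root/usr/bin/$name" | cut -d' ' -f1)" "$name"
    done > "$dir/cpio.md5sums"
    printf 'modified cpio\n' > "$dir/root/usr/bin/cpio"
    cat > "$dir/history.log" <<'EOF'
Start-Date: 2021-08-25  10:50:45
Commandline: /usr/bin/unattended-upgrade
Upgrade: cpio:amd64 (1.0-1, 1.0-2)
End-Date: 2021-08-25  10:50:47
EOF
}

# Stand-alone run against the constructed data.
demo=$(mktemp -d)
build_demo "$demo"
verify_against_manifest "$demo/cpio.md5sums" "$demo/root" ||
    echo "at least one file differs from the package manifest"
if apt_history_mentions cpio "$demo/history.log"; then
    echo "apt history shows a transaction for cpio around the alert time"
else
    echo "no apt transaction for cpio: the mtime change is unexplained"
fi
rm -rf "$demo"
```

How to read the two results together: a file that matches the manifest and has an apt entry near the alert's new mtime is a routine update (unattended-upgrades writes the same history.log, so "I didn't update" does not rule it out). A file that mismatches the manifest is not what the installed package shipped, whatever the history says, and should be copied off the host for analysis before anyone "fixes" it by reinstalling the package.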

Gal Akavia

Sep 11, 2021, 11:41:49 PM
to Wazuh mailing list
Hi antonio,
Wazuh version 4.1.5
OS - Windows server 2008
About the syscheck configuration stanza: it is the default ossec.conf on both the agent and the manager; I didn't edit the syscheck section.

About Windows: it was a dummy file I created. My question is whether it is normal that files in the Startup folder get SYSTEM permissions delegated automatically?
Linux: I didn't make any updates. Does the Linux machine get system updates automatically too?

antonio....@wazuh.com

Sep 14, 2021, 3:17:12 AM
to Wazuh mailing list
Hello.
I think that is normal, as Windows will need the SYSTEM user to run the applications on startup.

If you want, you can try to monitor the folders using whodata. With this mode, you will be able to see who made the changes to the file if there is any new change. You can take a look at this page to get more info.
Also, it will be helpful to share the full alerts.
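The whodata suggestion above in concrete form, as an added example and not configuration from the thread or from Wazuh's documentation: the agent-side `ossec.conf` syscheck stanzas for the two directories discussed. The Startup path is the one from the Windows alert; `/usr/bin` and the 12-hour frequency are assumptions chosen for the example. Windows and Linux agents each have their own `ossec.conf`, so the two stanzas go on different hosts.

```xml
<!-- Windows agent (the Startup folder from the alert). With whodata="yes"
     the agent configures the object-access audit policy and SACL itself and
     each alert carries the user and process that made the change. -->
<syscheck>
  <directories whodata="yes" check_all="yes">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup</directories>
</syscheck>

<!-- Ubuntu agent. whodata on Linux needs the auditd package installed;
     the agent adds its own audit rules for the listed directories.
     /usr/bin and the 43200 s (12 h) scan interval are assumed values. -->
<syscheck>
  <frequency>43200</frequency>
  <directories whodata="yes" check_all="yes">/usr/bin</directories>
</syscheck>
```

After restarting the agent, the same rule 550 alert for the file will name the account and the process that wrote it, which is the information missing from both alerts quoted in this thread. Keep in mind that whodata only covers changes made after it is enabled; it cannot attribute the cpio change that already happened.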

Gal Akavia

Sep 14, 2021, 11:05:33 AM
to Wazuh mailing list
Thank you antonio.
Will do.
