Realtime syscheck
106 views
Skip to first unread message
dseira
Aug 10, 2023, 4:41:12 AM8/10/23
to Wazuh mailing list
Hi,
Trying to understand how the FIM module works, I've found this post:
It is configured the realtime for some files:
<directories check_all="yes" realtime="yes">/etc/shadow</directories>
<directories check_all="yes" realtime="yes">/etc/gshadow</directories>
<directories check_all="yes" realtime="yes">/etc/passwd</directories>
<directories check_all="yes" realtime="yes">/etc/group</directories>
<directories check_all="yes" realtime="yes">/etc/login.defs</directories>
<directories check_all="yes" realtime="yes">/etc/gshadow</directories>
<directories check_all="yes" realtime="yes">/etc/passwd</directories>
<directories check_all="yes" realtime="yes">/etc/group</directories>
<directories check_all="yes" realtime="yes">/etc/login.defs</directories>
But in the doc says that realtime can be only configured for directories:
In fact, making some test, the realtime applied to a file has a strange behaviour; it detects just the first file modification and only if the scheduled scan has been executed.
Is the blog entry wrong?
Thanks.
Luis González Romero
Aug 10, 2023, 10:19:00 AM8/10/23
to Wazuh mailing list
Hello dseira, hope you’re great.
the realtime applied to a file has a strange behaviour; it detects just the first file modification and only if the scheduled scan has been executed.
What behavior are you telling about? do you mean that just the first file defined within the syscheck section works? or just the first changes made to a file?
I did some research and try this workaround:
<directories check_all="yes" realtime="yes">/tmp/testing_first.txt</directories> <directories check_all="yes" realtime="yes">/tmp/testing_second.txt</directories> <directories check_all="yes" realtime="yes">/home/vagrant/sample/</directories>Where we check one directory and two files, and they work. Here you have the alerts generated for both files:
{"timestamp":"2023-08-10T13:54:50.603+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"manager45"},"manager":{"name":"manager45"},"id":"1691675690.666341","full_log":"File '/tmp/testing_first.txt' modified\nMode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '10'\nOld modification time was: '1691675612', now it is '1691675690'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : 'b6fecf2b63f9f85df5f5a906b874140f'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : 'a339ae83ae734a11cc71fdeb2bb07e92b9d15f9c'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : 'd4154204de612e93db39dae3007ce9a0e40dee9b06221ed173a9a09fd4e53a3b'\n","syscheck":{"path":"/tmp/testing_first.txt","mode":"realtime","size_before":"0","size_after":"10","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"d41d8cd98f00b204e9800998ecf8427e","md5_after":"b6fecf2b63f9f85df5f5a906b874140f","sha1_before":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha1_after":"a339ae83ae734a11cc71fdeb2bb07e92b9d15f9c","sha256_before":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha256_after":"d4154204de612e93db39dae3007ce9a0e40dee9b06221ed173a9a09fd4e53a3b","uname_after":"root","gname_after":"root","mtime_before":"2023-08-10T13:53:32","mtime_after":"2023-08-10T13:54:50","inode_after":393240,"changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"} {"timestamp":"2023-08-10T13:54:57.791+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":2,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"manager45"},"manager":{"name":"manager45"},"id":"1691675697.667566","full_log":"File '/tmp/testing_second.txt' modified\nMode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '10'\nOld modification time was: '1691675618', now it is '1691675697'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : '4cd330580da5a88171f30e18fb08d77b'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : '84a160c8a973024a2dd2ae61808c806810ef23a1'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : '33a343f7964af3f9df0b08a671c410ff2c6e749a4c7dfb35f25cd95298ce4632'\n","syscheck":{"path":"/tmp/testing_second.txt","mode":"realtime","size_before":"0","size_after":"10","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"d41d8cd98f00b204e9800998ecf8427e","md5_after":"4cd330580da5a88171f30e18fb08d77b","sha1_before":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha1_after":"84a160c8a973024a2dd2ae61808c806810ef23a1","sha256_before":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha256_after":"33a343f7964af3f9df0b08a671c410ff2c6e749a4c7dfb35f25cd95298ce4632","uname_after":"root","gname_after":"root","mtime_before":"2023-08-10T13:53:38","mtime_after":"2023-08-10T13:54:57","inode_after":393241,"changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}Also, more alerts will be generated, not just the first one:
{"timestamp":"2023-08-10T14:10:28.728+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":2,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"manager45"},"manager":{"name":"manager45"},"id":"1691676628.670019","full_log":"File '/tmp/testing_first.txt' modified\nMode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '10' to '18'\nOld modification time was: '1691675690', now it is '1691676628'\nOld md5sum was: 'b6fecf2b63f9f85df5f5a906b874140f'\nNew md5sum is : 'a6f0a429da49c8e3325442c023e4ea37'\nOld sha1sum was: 'a339ae83ae734a11cc71fdeb2bb07e92b9d15f9c'\nNew sha1sum is : '73e1a89b9017d8bc8ff79164ec3fb1544c19ee5c'\nOld sha256sum was: 'd4154204de612e93db39dae3007ce9a0e40dee9b06221ed173a9a09fd4e53a3b'\nNew sha256sum is : '25cfecba10c3fc6a1b81763b2c36556454c6ef2b86ca674b1905e9dbb0d084d0'\n","syscheck":{"path":"/tmp/testing_first.txt","mode":"realtime","size_before":"10","size_after":"18","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"b6fecf2b63f9f85df5f5a906b874140f","md5_after":"a6f0a429da49c8e3325442c023e4ea37","sha1_before":"a339ae83ae734a11cc71fdeb2bb07e92b9d15f9c","sha1_after":"73e1a89b9017d8bc8ff79164ec3fb1544c19ee5c","sha256_before":"d4154204de612e93db39dae3007ce9a0e40dee9b06221ed173a9a09fd4e53a3b","sha256_after":"25cfecba10c3fc6a1b81763b2c36556454c6ef2b86ca674b1905e9dbb0d084d0","uname_after":"root","gname_after":"root","mtime_before":"2023-08-10T13:54:50","mtime_after":"2023-08-10T14:10:28","inode_after":393240,"changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"} {"timestamp":"2023-08-10T14:11:10.502+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":3,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"manager45"},"manager":{"name":"manager45"},"id":"1691676670.671245","full_log":"File '/tmp/testing_first.txt' modified\nMode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '18' to '26'\nOld modification time was: '1691676628', now it is '1691676670'\nOld md5sum was: 'a6f0a429da49c8e3325442c023e4ea37'\nNew md5sum is : '76d2092a502f5db95a8e71668d0c92f9'\nOld sha1sum was: '73e1a89b9017d8bc8ff79164ec3fb1544c19ee5c'\nNew sha1sum is : 'c269909ce4fab248cefaf6e76d7b813ddddb901c'\nOld sha256sum was: '25cfecba10c3fc6a1b81763b2c36556454c6ef2b86ca674b1905e9dbb0d084d0'\nNew sha256sum is : '862a28a24f3874ce017f98a4f8ee3b511dd1b59118ea907b5af0e22e60e2f6f3'\n","syscheck":{"path":"/tmp/testing_first.txt","mode":"realtime","size_before":"18","size_after":"26","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"a6f0a429da49c8e3325442c023e4ea37","md5_after":"76d2092a502f5db95a8e71668d0c92f9","sha1_before":"73e1a89b9017d8bc8ff79164ec3fb1544c19ee5c","sha1_after":"c269909ce4fab248cefaf6e76d7b813ddddb901c","sha256_before":"25cfecba10c3fc6a1b81763b2c36556454c6ef2b86ca674b1905e9dbb0d084d0","sha256_after":"862a28a24f3874ce017f98a4f8ee3b511dd1b59118ea907b5af0e22e60e2f6f3","uname_after":"root","gname_after":"root","mtime_before":"2023-08-10T14:10:28","mtime_after":"2023-08-10T14:11:10","inode_after":393240,"changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}If you are not able to see the changes alert within your /var/ossec/logs/alerts/alerts.json, please share your ossec.conf‘s syscheck section (avoid sharing sensitive info) and the logs/alerts related to syscheck.
You can check in realtime the changes alerts by using tail -f /var/ossec/logs/alerts/alerts.json | grep syscheck
To gather the logs/alerts related to syscheck, you can do the same but using cat:
cat /var/ossec/logs/alerts/alerts.json | grep syscheck
cat /var/ossec/logs/ossec.log | grep syscheck
About the documentation, as you said, it should not work for files. I will make some research about this and reach to you with any update about that.
Hope this helps you,
Luis.
dseira
Aug 10, 2023, 12:29:40 PM8/10/23
to Wazuh mailing list
Hi Luis,
The wazuh versions are:
Thanks for the answer.
I'll try to explain it better.
Having the following syscheck config:
<directories check_all="yes" realtime="yes">/etc/shadow</directories>
<directories check_all="yes" realtime="yes">/etc/gshadow</directories>
<directories check_all="yes" realtime="yes">/etc/passwd</directories>
<directories check_all="yes" realtime="yes">/etc/group</directories>
<directories check_all="yes" realtime="yes">/etc/login.defs</directories>
<directories check_all="yes" realtime="yes">/etc/gshadow</directories>
<directories check_all="yes" realtime="yes">/etc/passwd</directories>
<directories check_all="yes" realtime="yes">/etc/group</directories>
<directories check_all="yes" realtime="yes">/etc/login.defs</directories>
With wazuh-agent restarted (to apply those changes), if /etc/login.defs (for example) is modified (adding "#test1" string), I receive the alert:
{"timestamp":"2023-08-10T16:15:42.524+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"009","name":"testvm","ip":"1.1.1.1","labels":{"group":"test"}},"manager":{"name":"wazuh-test"},"id":"1691684142.124826","full_log":"File '/etc/login.defs' modified\nMode: realtime\nChanged attributes: size,mtime,inode,md5,sha1,sha256\nSize changed from '2029' to '2027'\nOld modification time was: '1691683706', now it is '1691684142'\nOld inode was: '16840651', now it is '16822498'\nOld md5sum was: '13b541462ab86c076a1300b6ff90cfa3'\nNew md5sum is : '871bc72fe80572425a9529c6d39166d1'\nOld sha1sum was: 'c96bf93d5b5b16554104d5918712aacd7cd5fc8c'\nNew sha1sum is : 'e7653ff73925910d04bf04287a2ecd36a20883e1'\nOld sha256sum was: '3158739c4db5e7436b597606acdf3f073e81679e00d173b3a498fbace07e5098'\nNew sha256sum is : '6a0bdce3ba6298a5a7979d80b4a31ea1c68c22cc6736df3b6e1467997f5377c8'\n","syscheck":{"path":"/etc/login.defs","mode":"realtime","size_before":"2029","size_after":"2027","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"13b541462ab86c076a1300b6ff90cfa3","md5_after":"871bc72fe80572425a9529c6d39166d1","sha1_before":"c96bf93d5b5b16554104d5918712aacd7cd5fc8c","sha1_after":"e7653ff73925910d04bf04287a2ecd36a20883e1","sha256_before":"3158739c4db5e7436b597606acdf3f073e81679e00d173b3a498fbace07e5098","sha256_after":"6a0bdce3ba6298a5a7979d80b4a31ea1c68c22cc6736df3b6e1467997f5377c8","uname_after":"root","gname_after":"root","mtime_before":"2023-08-10T16:08:26","mtime_after":"2023-08-10T16:15:42","inode_before":16840651,"inode_after":16822498,"diff":"73d72\n< #\test1n","changed_attributes":["size","mtime","inode","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}
After that, if I modify again the /etc/login.defs file (adding "#test2" string), it doesn't alert with that change. But if I restart wazuh-agent and modify something else in /etc/login.defs (adding "#test3" string), the alert is generated again (but just with the last change "#test3"):
{"timestamp":"2023-08-10T16:20:01.321+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":2,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"009","name":"testvm","ip":"1.1.1.1","labels":{"group":"test"}},"manager":{"name":"wazuh-test"},"id":"1691684401.126817","full_log":"File '/etc/login.defs' modified\nMode: realtime\nChanged attributes: size,mtime,inode,md5,sha1,sha256\nSize changed from '2035' to '2043'\nOld modification time was: '1691684259', now it is '1691684401'\nOld inode was: '16840651', now it is '16840658'\nOld md5sum was: 'beb9160609511d5e904bcd62bd75b3af'\nNew md5sum is : '0935dde1df6c9c469f0371265982a72d'\nOld sha1sum was: 'f58b8ffb8cd29ac39fe0b81576ecdec349516e0c'\nNew sha1sum is : 'ae6b8fe7929e94e3774f4d16092df8be952a24fa'\nOld sha256sum was: 'd01fa7be7406e25f682787f5bae6a8402dd875905ed4d3cb0d18a322aedd077f'\nNew sha256sum is : '4048970ef268a3522f8af8b359ee38dc4fe5e94adbe7c812df315b5f309f2c27'\n","syscheck":{"path":"/etc/login.defs","mode":"realtime","size_before":"2035","size_after":"2043","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"beb9160609511d5e904bcd62bd75b3af","md5_after":"0935dde1df6c9c469f0371265982a72d","sha1_before":"f58b8ffb8cd29ac39fe0b81576ecdec349516e0c","sha1_after":"ae6b8fe7929e94e3774f4d16092df8be952a24fa","sha256_before":"d01fa7be7406e25f682787f5bae6a8402dd875905ed4d3cb0d18a322aedd077f","sha256_after":"4048970ef268a3522f8af8b359ee38dc4fe5e94adbe7c812df315b5f309f2c27","uname_after":"root","gname_after":"root","mtime_before":"2023-08-10T16:17:39","mtime_after":"2023-08-10T16:20:01","inode_before":16840651,"inode_after":16840658,"diff":"73a74\n> # test3\n","changed_attributes":["size","mtime","inode","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}
I just would like to know if this behaviour is produced do to the fact that syscheck can't be used with files or it is something misconfigured.
The wazuh versions are:
wazuh-indexer-4.3.10-1.x86_64
wazuh-manager-4.3.10-1.x86_64
wazuh-dashboard-4.3.10-1.x86_64
wazuh-manager-4.3.10-1.x86_64
wazuh-dashboard-4.3.10-1.x86_64
wazuh-agent-4.3.10-1.x86_64
Thanks.
Luis González Romero
Aug 22, 2023, 7:33:55 AM8/22/23
to Wazuh mailing list
Hello again, dseira.
How did you add the string? If you use vi/vim it won’t work because the inotify watch is deleted.
If that not the case, how do you add the string? If it still not working, please enable the syscheck debug mode by setting the syscheck.debug to 2 in your /var/ossec/etc/internal_options.conf and then restart the manager. Then, add the string using echo "#test" >> /etc/login.defs and obtain the logs with cat /var/ossec/logs/ossec.log | grep syscheck >> syscheck.log so you can attach them in case we need to research them.
If you want to check with vi/vim anyways, you should do a workaround like this:
- Configure the /etc directory with realtime
- Use ignore/restrict to fiter the files you dont need to monitor
dseira
Aug 22, 2023, 11:10:39 AM8/22/23
to Wazuh mailing list
Thanks Luis.
I understand.
Doing it with a echo "test" >> /etc/login.defs it always detects the change:
Mode: realtime
Changed attributes: size,mtime,md5,sha1,sha256
Changed attributes: size,mtime,md5,sha1,sha256
Doing it with vi/vim just the first one because it changes the inode:
Mode: realtime
Changed attributes: size,mtime,inode,md5,sha1,sha256
Changed attributes: size,mtime,inode,md5,sha1,sha256
In that case, I would like to check modifications with vi/vim manually; I've tested the following config:
<syscheck>
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes" realtime="yes" report_changes="yes" restrict="passwd|shadow|login.defs">/etc</directories>
</syscheck>
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes" realtime="yes" report_changes="yes" restrict="passwd|shadow|login.defs">/etc</directories>
</syscheck>
Because some of the /etc files would like to be realtime monitored (even with vi/vim edition) and the other /etc files would like to be in scheduled mode.
The above configuration doesn't work, it just detects the realtime changes, not the scheduled.
Is that possible?
Thanks again.
Luis González Romero
Aug 24, 2023, 8:31:37 AM8/24/23
to Wazuh | Mailing List
You should be able to use restrict to limit the checks within the directories in realtime, and then add another one for the schedules ones.
Here you have the section that describes this field: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
Reply all
Reply to author
Forward
0 new messages