Mac FIM Module


Irene Romero

Aug 15, 2024, 12:29:14 AM
to Wazuh | Mailing List
Hello everyone,

I’m having trouble with the FIM module on a macOS computer. I've configured it to monitor directories like /Users/*/Desktop, /Users/*/Downloads, etc. (classic Mac directories), but no alerts are being generated for syscheck rules.

I checked that the configuration has been properly applied to the agents. I also tried listing each directory separately, but the issue remains. In the Wazuh UI inventory, I can see system paths like /etc and /usr/bin, but nothing from /Users or /Library, which are specific to macOS. I am trying to test the expected behavior by creating or modifying files, but no alerts are being triggered. What would be the expected behavior? Is this FIM module expected to work on macOS systems?

Thank you :) 

Abdullah Al Rafi Fahim

Aug 15, 2024, 5:35:44 AM
to Wazuh | Mailing List
Hello Irene,

The File Integrity Monitoring (syscheck) module has some limitations for agents deployed on macOS endpoints. Currently, Wazuh File Integrity Monitoring does not support realtime and whodata on macOS. Both of these features are already on our roadmap, though we don't have an ETA yet.

Therefore, it supports scheduled scans only for the directories that you want to monitor on your Mac agents. The scheduled scan runs at an interval based on the time value set in the frequency section of the syscheck configuration. It will not trigger real-time alerts for creating or modifying files in the monitored directories; rather, it will generate alerts only during the next scan. The FIM module runs scans every 12 hours (43200 seconds) by default, and this can be set to a lower value to run the scans more frequently. Though you can set any positive number for the frequency, it is suggested to set the frequency to at least 10 minutes (600 seconds) so that all the files in the directory can be monitored properly.

I hope this helps you understand the current expected behavior of the FIM module on macOS agents. If you have any further queries, please let us know.

Irene Romero

Aug 16, 2024, 7:15:14 AM
to Wazuh | Mailing List

Hi, Abdullah:

Thank you very much for your fast reply.

However, the scheduled scans for the files located in the mentioned paths (such as /Users/…/Desktop) are also not working. I’ve attached the agent.conf and ossec.conf files in case that helps.

agent.conf
ossec.conf