FIM realtime do not work with wazuh agent 4.7.4-1 under Ubuntu


Carlos Lopez

May 10, 2024, 2:21:10 AM
to wa...@googlegroups.com
Hi all,

I am suffering from a strange issue with wazuh agents 4.7.x under Ubuntu LTS 22.04 and 24.04 (both releases). I have configured FIM to report file changes in realtime:

<directories report_changes="yes" realtime="yes" check_all="yes" whodata="yes">/etc,/boot</directories>

But realtime alerts never succeed. Doing a simple test (create a file in the /etc dir and remove it), the alert never triggers. Why? Do I need to install some specific package under Ubuntu hosts? Using the same config in RHEL 9 and OEL9, all works as expected.

Any idea?

Best regards,
C. L. Martinez

Santiago David Vendramini

May 10, 2024, 8:05:52 AM
to Wazuh | Mailing List
Hi! I hope you are doing well! Maybe the problem is that audit is not installed on Ubuntu by default. You could try installing it and retrying the test. But if you only need the realtime configuration, you can remove the whodata="yes" attribute from the directories setting. To confirm this, could you share the logs from this agent?

Best Regards

Carlos Lopez

May 11, 2024, 7:39:44 AM
to wa...@googlegroups.com
Thanks Santiago. But audit and audit-plugins are installed on all Ubuntu hosts...

ossec.log from Ubuntu agent:
2024/05/11 11:37:13 wazuh-modulesd: INFO: Started (pid: 1239).
2024/05/11 11:37:13 wazuh-modulesd:control: INFO: Starting control thread.
2024/05/11 11:37:13 sca: INFO: Module started.
2024/05/11 11:37:13 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2024/05/11 11:37:13 wazuh-modulesd:oscap: INFO: Module disabled. Exiting...
2024/05/11 11:37:13 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2024/05/11 11:37:13 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2024/05/11 11:37:13 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2024/05/11 11:37:13 sca: INFO: Starting Security Configuration Assessment scan.
2024/05/11 11:37:13 wazuh-modulesd:syscollector: INFO: Module started.
2024/05/11 11:37:13 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/05/11 11:37:13 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2024/05/11 11:37:13 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/05/11 11:37:14 wazuh-syscheckd: INFO: (6000): Starting daemon...
2024/05/11 11:37:14 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2024/05/11 11:37:14 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2024/05/11 11:37:14 rootcheck: INFO: Starting rootcheck scan.
2024/05/11 11:37:15 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/05/11 11:37:15 wazuh-syscheckd: INFO: FIM sync module started.
2024/05/11 11:37:15 wazuh-syscheckd: INFO: (6019): File integrity monitoring real-time Whodata engine started.
2024/05/11 11:37:17 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2024/05/11 11:37:17 sca: INFO: Security Configuration Assessment scan finished. Duration: 4 seconds.
2024/05/11 11:37:31 rootcheck: INFO: Ending rootcheck scan.
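
A small checker for the three things discussed in this thread (the <directories> setting, whether wazuh-syscheckd logged the whodata engine start, and whether audit actually carries watches for the monitored paths). This is an added example, not Wazuh's own code. The config line and log lines are copied from the thread; the `auditctl -l` output is constructed, and the audit key name wazuh_fim is assumed to be the key Wazuh attaches to the rules it adds in whodata mode.

```python
"""Checks for a Wazuh FIM whodata setup on a Linux agent.

Added example, not Wazuh's own code. It reads three text inputs a responder
would collect from the agent: the <directories> element of ossec.conf, the
agent's ossec.log, and the output of `auditctl -l`.
"""
import re
import xml.etree.ElementTree as ET

# wazuh-syscheckd message code seen in the ossec.log quoted in this thread
# when the whodata engine comes up.
WHODATA_STARTED_CODE = "(6019)"
# Assumption: key Wazuh attaches to the audit watches it installs for whodata.
AUDIT_KEY = "wazuh_fim"

# Sample inputs. Config and log lines are from the thread; the auditctl
# output is constructed so that /boot deliberately lacks a watch.
CONFIG_FRAGMENT = ('<directories report_changes="yes" realtime="yes" check_all="yes" '
                   'whodata="yes">/etc,/boot</directories>')
OSSEC_LOG = """\
2024/05/11 11:37:14 wazuh-syscheckd: INFO: (6000): Starting daemon...
2024/05/11 11:37:15 wazuh-syscheckd: INFO: FIM sync module started.
2024/05/11 11:37:15 wazuh-syscheckd: INFO: (6019): File integrity monitoring real-time Whodata engine started.
"""
AUDITCTL_OUTPUT = """\
-w /etc -p wa -k wazuh_fim
-w /var/log/secure -p wa -k logins
"""

_WATCH_RE = re.compile(r"-w\s+(\S+).*?-k\s+(\S+)")


def parse_directories(fragment):
    """Return (paths, attributes) for one <directories> element."""
    elem = ET.fromstring(fragment)
    paths = [p.strip() for p in (elem.text or "").split(",") if p.strip()]
    return paths, dict(elem.attrib)


def whodata_engine_started(log_text):
    """True when wazuh-syscheckd logged the whodata engine start message."""
    return any("wazuh-syscheckd" in line and WHODATA_STARTED_CODE in line
               for line in log_text.splitlines())


def audit_watched_paths(auditctl_text, key=AUDIT_KEY):
    """Paths that have an audit watch (-w) tagged with `key`."""
    watched = set()
    for line in auditctl_text.splitlines():
        m = _WATCH_RE.search(line)
        if m and m.group(2) == key:
            watched.add(m.group(1).rstrip("/") or "/")
    return watched


def check_whodata(fragment, log_text, auditctl_text):
    """Summarise whether whodata is requested, started, and backed by audit rules."""
    paths, attrs = parse_directories(fragment)
    wants_whodata = attrs.get("whodata", "no") == "yes"
    watched = audit_watched_paths(auditctl_text)
    return {
        "paths": paths,
        "whodata_requested": wants_whodata,
        "engine_started": whodata_engine_started(log_text),
        # Paths that will not get whodata events even though whodata was asked for.
        "unwatched": [p for p in paths if wants_whodata and p not in watched],
    }


if __name__ == "__main__":
    for key, value in check_whodata(CONFIG_FRAGMENT, OSSEC_LOG, AUDITCTL_OUTPUT).items():
        print(f"{key}: {value}")
```

Run it on the agent with the real `auditctl -l` output and the tail of ossec.log; a non-empty "unwatched" list with the engine started points at the audit rules rather than at the agent configuration.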

Santiago David Vendramini

May 13, 2024, 7:42:07 AM
to Wazuh | Mailing List
Hi! I did the same test and it seems to work!

cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

<directories report_changes="yes" realtime="yes" check_all="yes" whodata="yes">/etc,/boot</directories>

~$ sudo touch /etc/test:
{"timestamp":"2024-05-13T08:30:48.769-0300","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"jellyfish"},"manager":{"name":"jellyfish"},"id":"1715599848.30447","full_log":"File '/etc/test' added\nMode: whodata\n","syscheck":{"path":"/etc/test","mode":"whodata","size_after":"0","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"d41d8cd98f00b204e9800998ecf8427e","sha1_after":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","uname_after":"root","gname_after":"root","mtime_after":"2024-05-13T08:30:48","inode_after":131887,"event":"added","audit":{"user":{"id":"0","name":"root"},"process":{"id":"313330","name":"/usr/bin/touch","cwd":"/home/vagrant","parent_cwd":"/home/vagrant","ppid":"313329"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"vagrant"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}

~$ sudo touch /etc/tests.txt:
{"timestamp":"2024-05-13T08:31:13.234-0300","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":2,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"jellyfish"},"manager":{"name":"jellyfish"},"id":"1715599873.32749","full_log":"File '/etc/tests.txt' added\nMode: whodata\n","syscheck":{"path":"/etc/tests.txt","mode":"whodata","size_after":"0","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"d41d8cd98f00b204e9800998ecf8427e","sha1_after":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","uname_after":"root","gname_after":"root","mtime_after":"2024-05-13T08:31:13","inode_after":132801,"event":"added","audit":{"user":{"id":"0","name":"root"},"process":{"id":"313404","name":"/usr/bin/touch","cwd":"/home/vagrant","ppid":"313403"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"vagrant"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}


~$ echo "1" >> /etc/tests.txt:
{"timestamp":"2024-05-13T08:34:39.359-0300","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"jellyfish"},"manager":{"name":"jellyfish"},"id":"1715600079.36381","full_log":"File '/etc/tests.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '2'\nOld modification time was: '1715599873', now it is '1715600079'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : 'b026324c6904b2a9cb4b88d6d61c81d1'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : 'e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : '4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865'\n","syscheck":{"path":"/etc/tests.txt","mode":"whodata","size_before":"0","size_after":"2","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"d41d8cd98f00b204e9800998ecf8427e","md5_after":"b026324c6904b2a9cb4b88d6d61c81d1","sha1_before":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha1_after":"e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e","sha256_before":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha256_after":"4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865","uname_after":"root","gname_after":"root","mtime_before":"2024-05-13T08:31:13","mtime_after":"2024-05-13T08:34:39","inode_after":132801,"diff":"0a1\n> 1\n","changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified","audit":{"user":{"id":"0","name":"root"},"process":{"id":"313566","name":"/usr/bin/bash","cwd":"/home/vagrant","parent_name":"/usr/bin/su","parent_cwd":"/","ppid":"313565"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"vagrant"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}

Have you checked the alerts in /var/ossec/logs/alerts/alerts.json? Can you set debug=2 for the wazuh-syscheckd daemon? Please share these logs and I will continue to help you.
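
When checking alerts.json as suggested above, the field that answers the question in this thread is syscheck.mode: an alert for a file under /etc that only ever shows mode "scheduled" means the periodic scan saw the change but realtime/whodata did not. The triage script below is an added example, not Wazuh's own code. The sample alert lines are constructed with the same structure as the alerts shown in this thread (trimmed to the fields used here), plus one deliberately truncated line of the kind you get when reading alerts.json while the manager is still appending to it.

```python
"""Triage Wazuh FIM alerts from alerts.json by mode and actor.

Added example, not Wazuh's own code. alerts.json holds one JSON object per
line; this groups syscheck alerts under a directory by the FIM mode that
produced them and exposes the whodata actor fields (login user, process).
"""
import json
from collections import Counter

# Constructed sample lines (not real alerts), same shape as those in this thread.
_SAMPLE = [
    {"timestamp": "2024-05-13T08:30:48.769-0300",
     "rule": {"id": "554", "level": 5, "description": "File added to the system."},
     "syscheck": {"path": "/etc/test", "mode": "whodata", "event": "added",
                  "audit": {"login_user": {"id": "1000", "name": "vagrant"},
                            "effective_user": {"id": "0", "name": "root"},
                            "process": {"id": "313330", "name": "/usr/bin/touch"}}},
     "location": "syscheck"},
    {"timestamp": "2024-05-13T08:34:39.359-0300",
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
     "syscheck": {"path": "/etc/tests.txt", "mode": "whodata", "event": "modified",
                  "audit": {"login_user": {"id": "1000", "name": "vagrant"},
                            "effective_user": {"id": "0", "name": "root"},
                            "process": {"id": "313566", "name": "/usr/bin/bash"}}},
     "location": "syscheck"},
    # Only the 12-hour scheduled scan noticed this one: no audit block at all.
    {"timestamp": "2024-05-13T20:30:00.000-0300",
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
     "syscheck": {"path": "/boot/grub/grub.cfg", "mode": "scheduled", "event": "modified"},
     "location": "syscheck"},
    # A non-FIM alert that must be ignored.
    {"timestamp": "2024-05-13T08:29:00.000-0300",
     "rule": {"id": "5501", "level": 3, "description": "PAM: Login session opened."},
     "location": "/var/log/auth.log"},
]
SAMPLE_ALERTS = "\n".join(
    [json.dumps(a) for a in _SAMPLE]
    + ['{"timestamp":"2024-05-13T08:40:00.000-0300","rule":{"id":"550"']  # truncated line
)


def load_alerts(text):
    """Parse one JSON alert per line, skipping blank or partially written lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def _under(path, prefix):
    """True if path is prefix itself or lies inside the prefix directory."""
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def fim_events(alerts, path_prefix="/"):
    """Flatten syscheck alerts under path_prefix into triage rows."""
    rows = []
    for alert in alerts:
        sc = alert.get("syscheck")
        if not sc or not _under(sc.get("path", ""), path_prefix):
            continue
        audit = sc.get("audit", {})
        rows.append({
            "path": sc["path"],
            "event": sc.get("event"),
            "mode": sc.get("mode"),
            "rule": alert.get("rule", {}).get("id"),
            "login_user": audit.get("login_user", {}).get("name"),
            "process": audit.get("process", {}).get("name"),
        })
    return rows


def modes_under(alerts, path_prefix):
    """Count FIM alerts per syscheck.mode for paths under path_prefix."""
    return Counter(row["mode"] for row in fim_events(alerts, path_prefix))


def only_scheduled(alerts, path_prefix):
    """True if the directory produced FIM alerts but none in realtime or whodata mode."""
    modes = modes_under(alerts, path_prefix)
    return bool(modes) and not (modes["realtime"] or modes["whodata"])


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    for directory in ("/etc", "/boot"):
        print(directory, dict(modes_under(alerts, directory)),
              "realtime missing" if only_scheduled(alerts, directory) else "ok")
    for row in fim_events(alerts, "/etc"):
        print(row)
```

On a manager, feed it `load_alerts(open("/var/ossec/logs/alerts/alerts.json").read())` and ask `only_scheduled(alerts, "/etc")`; if that is True right after a touch/rm test, the event is reaching the manager only through the scan, which narrows the problem to the realtime/whodata path on the agent.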

