FIM Module isn't working
408 views
Skip to first unread message
Aman Srivastava
May 17, 2023, 4:47:33 AM5/17/23
to Wazuh mailing list
Hi,
I have enabled real-time file monitoring on one agent, but it is not working. Directory which is to be monitored is of zfs filesystem, is that causing this issue...? because in other agents FIM is working fine.
Thanks
I have enabled real-time file monitoring on one agent, but it is not working. Directory which is to be monitored is of zfs filesystem, is that causing this issue...? because in other agents FIM is working fine.
Thanks
Jose Luis Carreras Marin
May 17, 2023, 9:23:23 AM5/17/23
to Wazuh mailing list
Hello Aman
Unfortunately realtime/whodata modes are not available on Solaris at all.
If you look in the ossec.log file, you will probably find this warning:
"(6908): Ignoring flag for real time monitoring on directory: '...'."
Here you can see in the documentation the description of realtime:
This will enable real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems.
Real time only works with directories, not individual files.
Documentation FIM
We are also aware of this need, and there is an open issue to work on it in the future, in case you want to follow it up:
https://github.com/wazuh/wazuh/issues/8192
However, FIM can work in its scheduled mode on Solaris, setting a frequency that will trigger a scan and report all alerts.
I will be happy to answer any other questions you may have.
Best regards,
Jose
Unfortunately realtime/whodata modes are not available on Solaris at all.
If you look in the ossec.log file, you will probably find this warning:
"(6908): Ignoring flag for real time monitoring on directory: '...'."
Here you can see in the documentation the description of realtime:
This will enable real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems.
Real time only works with directories, not individual files.
Documentation FIM
We are also aware of this need, and there is an open issue to work on it in the future, in case you want to follow it up:
https://github.com/wazuh/wazuh/issues/8192
However, FIM can work in its scheduled mode on Solaris, setting a frequency that will trigger a scan and report all alerts.
I will be happy to answer any other questions you may have.
Best regards,
Jose
Aman Srivastava
May 18, 2023, 3:11:40 AM5/18/23
to Wazuh mailing list
Hi Jose,
</syscheck>
<syscheck>
<alert_new_files>yes</alert_new_files>
</syscheck>
Thanks for your response. But my agent is installed on Ubuntu ("22.04.2 LTS (Jammy Jellyfish)") and my ossec.conf for FIM looks like this:
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</direct>
<directories>/bin,/sbin,/boot</directories>
<directories check_all="yes" realtime="yes">/dirname</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>no</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>no</skip_proc>
<skip_sys>no</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</direct>
<directories>/bin,/sbin,/boot</directories>
<directories check_all="yes" realtime="yes">/dirname</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>no</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>no</skip_proc>
<skip_sys>no</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization></syscheck>
<syscheck>
<alert_new_files>yes</alert_new_files>
</syscheck>
/dirname is actually a directory where an external drive of zfs filesystem is mounted, after some debugging I found that directories which are a part of ext4 filesystem are working fine for FIM Module, but in case of modern filesystems such as zfs, FIM is not generating any alert.
And when I restarted the agent, I found this log in ossec.log: 2023/05/18 06:48:52 wazuh-syscheckd: INFO: (6012): Real-time file integrity monitoring started.
And when I restarted the agent, I found this log in ossec.log: 2023/05/18 06:48:52 wazuh-syscheckd: INFO: (6012): Real-time file integrity monitoring started.
And no error log in ossec.log related to FIM.
So, my question is- Can FIM module not monitor directories which are of modern filesystems (zfs in my case)?
So, my question is- Can FIM module not monitor directories which are of modern filesystems (zfs in my case)?
Thank You & Best Regards,
Aman
Aman Srivastava
May 23, 2023, 1:24:52 AM5/23/23
to Wazuh mailing list
Hello Jose,
Please share some insights into this issue.
Thanks & Regards,
Please share some insights into this issue.
Thanks & Regards,
Aman
Jose Luis Carreras Marin
May 25, 2023, 1:02:54 PM5/25/23
to Wazuh mailing list
Hello Aman
Sorry for the delay, I have been reading about that kind of filesystem, in a first instance I understood that you were working on Solaris OS. The realtime mode uses internally a system library called inotify, and this is not compatible with some filesystems. Here you can see an example we are working on:
https://github.com/wazuh/wazuh/issues/15231
If you want you can open an issue for us to evaluate the available options!!!
Thank you very much
Regards, Jose
Sorry for the delay, I have been reading about that kind of filesystem, in a first instance I understood that you were working on Solaris OS. The realtime mode uses internally a system library called inotify, and this is not compatible with some filesystems. Here you can see an example we are working on:
https://github.com/wazuh/wazuh/issues/15231
If you want you can open an issue for us to evaluate the available options!!!
Thank you very much
Regards, Jose
Reply all
Reply to author
Forward
0 new messages