syscheck and daylight saving time


Francesco Mazzi

Oct 29, 2018, 6:40:15 AM
to Wazuh mailing list
Hi, I have 19 agents, 5 of them Windows (2003 and 2008).
Last Sunday on the Windows servers (4 of them, all except one) I got tons of notifications about rule 550 "Integrity checksum changed", I think for every monitored file, including the default system ones.
Looking at the logs, I see a difference of one hour due to the change of time (DST):

syscheck.mtime_after         January 26th 2010, 13:37:39.000
syscheck.mtime_before         January 26th 2010, 14:37:39.000

Why did mtime change? It should not change with DST. In this example, if I check the creation date on the filesystem I see:

January 26th 2010, 12:37:39.000

I'm in Italy, Rome timezone. Last Sunday DST changed.
I think it's a bug which affects only Windows agents; I got no notification from Linux servers, but I don't understand why I didn't receive notifications from one Windows server, which is the same version as the others.
Wazuh manager and all agents are 3.6.1
Thank you

Cristóbal López

Oct 31, 2018, 6:36:25 AM
to Wazuh mailing list
Hi Francesco,

In Windows, time zone changes alter the date files were modified. When a Syscheck scan is run, Wazuh detects that the modification date has changed and therefore the alerts are triggered.

The reason you don't see similar alerts in the rest of your agents may be due to:

- They do not have the option check_mtime activated. This causes changes in file modification times not to be taken into account for triggering alerts.
- The Linux agents, and the Windows agent, do not have the automatic time zone change activated.
- Linux agents do not alter the files' modification dates when changing the time zone.

Can you check this?

Best regards,
Cristobal Lopez.

Francesco Mazzi

Nov 12, 2018, 8:36:55 AM
to Wazuh mailing list
Sorry for the missing reply; I didn't see your answer.
Today it happened again on the remaining server (the one which didn't send notifications at the DST change time like the others); I don't know why it sent notifications today.
Anyway, in my environment, all servers (both Linux and Windows) have the same option check_all="yes" and automatic DST time changing in the operating system.
Is this behaviour normal? How can I avoid it?

Cristóbal López

Nov 20, 2018, 4:34:57 AM
to Wazuh mailing list
Hi Francesco,

Yes, it is a normal behavior because Windows changes the modification date of the files with each time change. Currently Wazuh does not differentiate between voluntary and involuntary (like this) changes in the modification timestamp of the files. The only way to avoid these alerts is to prevent the 2 time changes of the year.

One way to do this is to disable the check_all option of the agents, enable all options except check_mtime, and restart. This should be done a few hours or days before the time change. After this, restore the options.

This change can easily be made if the syscheck configuration in your agents is done through the centralized configuration.

However, if you do this, the manager will detect changes when the agent resends events with check_mtime. Therefore, you should delete the FIM databases of the target agents before activating check_mtime (or check_all) again, while the agents are disconnected.

Best regards,
Cristobal Lopez.
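As an added example (mine, not from the thread or from the Wazuh project), a Python triage filter that separates rule 550 alerts whose only change is a whole-hour mtime shift with identical content from alerts that deserve a look. It assumes alerts shaped like the syscheck block in Wazuh's alerts.json (mtime_before/mtime_after as ISO timestamps, md5_before/md5_after); the sample alerts, agent names and paths are constructed.

```python
from collections import Counter
from datetime import datetime

DST_SHIFT_SECONDS = 3600
FIM_CHECKSUM_RULE = "550"  # the rule id quoted in the thread

def fim_alert(agent, path, before, after, md5_b, md5_a):
    """Build a minimal alert shaped like Wazuh's alerts.json syscheck block."""
    return {"agent": {"name": agent}, "rule": {"id": FIM_CHECKSUM_RULE},
            "syscheck": {"path": path, "mtime_before": before, "mtime_after": after,
                         "md5_before": md5_b, "md5_after": md5_a}}

# Constructed sample alerts; every value below is invented for this example.
SAMPLE_ALERTS = [
    # clock fell back one hour, content identical: DST noise
    fim_alert("win2008-a", "C:\\Windows\\win.ini",
              "2010-01-26T14:37:39", "2010-01-26T13:37:39", "aaaa0000", "aaaa0000"),
    # same one-hour shift but the checksum differs: a real modification
    fim_alert("win2008-a", "C:\\inetpub\\wwwroot\\web.config",
              "2018-10-27T20:00:00", "2018-10-27T19:00:00", "aaaa0000", "bbbb1111"),
    # mtime moved by two minutes with identical content: someone touched it
    fim_alert("lin-01", "/etc/passwd",
              "2018-10-28T03:00:00", "2018-10-28T03:02:00", "cccc2222", "cccc2222"),
]

def mtime_shift_seconds(sc):
    """Signed mtime_after - mtime_before in whole seconds."""
    before = datetime.fromisoformat(sc["mtime_before"])
    after = datetime.fromisoformat(sc["mtime_after"])
    return int((after - before).total_seconds())

def content_changed(sc):
    """True if any checksum or size attribute carried by the alert differs."""
    return any(sc[f"{k}_before"] != sc[f"{k}_after"]
               for k in ("md5", "sha1", "sha256", "size")
               if f"{k}_before" in sc and f"{k}_after" in sc)

def classify(alert):
    """'dst-shift' for a whole-hour mtime change with identical content, else 'review'."""
    sc = alert["syscheck"]
    if alert["rule"]["id"] != FIM_CHECKSUM_RULE or "mtime_before" not in sc:
        return "review"
    if abs(mtime_shift_seconds(sc)) == DST_SHIFT_SECONDS and not content_changed(sc):
        return "dst-shift"
    return "review"

def summarize(alerts):
    """Count verdicts per agent: a burst of 'dst-shift' on one agent is a clock change."""
    return Counter((a["agent"]["name"], classify(a)) for a in alerts)
```

Because the checksum comparison is part of the verdict, a file whose content really changed in the same scan is never hidden by the hour shift; only identical-content alerts are downgraded.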