syscheck not detecting new executable files


frances...@gmail.com

Jan 18, 2021, 4:41:48 AM
to Wazuh mailing list
Hi, I made some tests installing the fping package on 2 CentOS machines, but the executable (new file) is not detected.
This is the ossec.conf:

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

ossec.log:

2021/01/18 09:43:06 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6003): Monitoring directory: '/usr/bin' (/bin), with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6003): Monitoring directory: '/usr/sbin' (/sbin), with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/krb5.keytab'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/prelink.cache'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/aliases.db'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/lvm/cache'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/webmin/system-status'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/webmin/package-updates'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/zevenet-ce-cluster.status'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/openvpn/ipp.txt'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/boot/grub2/grubenv'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6207): Ignore 'file' sregex '.css$|temp-write-test'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6000): Starting daemon...
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 14400 seconds
2021/01/18 09:43:06 ossec-syscheckd: INFO: (6008): File integrity monitoring scan started.
2021/01/18 09:43:25 ossec-syscheckd: INFO: (6009): File integrity monitoring scan ended.

One server is CentOS 7.9, the other CentOS 8.1; fping is in /usr/sbin in the first case and /sbin in the second.
Why don't I have these alerts in Wazuh? Other changes in the /etc folder, for example, are detected.
Wazuh manager and agents 13.3.2.

mauro.e...@wazuh.com

Jan 18, 2021, 6:34:04 AM
to Wazuh mailing list
Hi Francesco,

We found a bug with the default configuration on systems that use symbolic links for /bin -> /usr/bin and /sbin -> /usr/sbin, which is what I think the problem is in your case. It has since been fixed in version 4.0.2, so upgrading your Wazuh components to the latest version is advisable; if this is not possible at the time, you can either remove the /bin and /sbin entries from your configuration or change them to use the follow_symbolic_link option like this:

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" follow_symbolic_link="yes">/bin,/sbin,/boot</directories>

You can verify that the issue is the cause of your problem by issuing the following command on the affected servers (provided sqlite3 is installed on them). If the query does not return any paths, then this bug is the cause of your issue.

    sqlite3 queue/fim/db/fim.db "select path from entry_path where path like '/usr/bin%';"


Best regards,
Mauro.
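The check in the reply above generalizes to every `<directories>` entry: resolve where the scanner actually walks (on a merged-/usr system /bin is a symlink to /usr/bin), then confirm the FIM database holds entries below that resolved path. The script below is an added example and not Wazuh's own code. It assumes a minimal stand-in for fim.db containing only the `entry_path(path)` table the query refers to (the real database has more tables and columns), uses a constructed resolver that mimics /bin -> /usr/bin and /sbin -> /usr/sbin so it runs the same on any host, and parses a constructed `<syscheck>` fragment mirroring the thread's ossec.conf. Point `find_unindexed` at a real `queue/fim/db/fim.db` with `resolver=os.path.realpath` to run it against a live agent.

```python
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Constructed syscheck fragment mirroring the thread's ossec.conf (the real
# file has many more sections; only <directories> elements matter here).
SAMPLE_CONF = """<syscheck>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin,/boot</directories>
</syscheck>"""

# Constructed FIM entries: only /etc and /boot files were indexed, which is
# the situation the sqlite3 query in the reply detects.
SAMPLE_PATHS = ["/etc/passwd", "/etc/ssh/sshd_config", "/boot/vmlinuz"]


def merged_usr_resolver(path):
    """Stand-in for os.path.realpath on a merged-/usr system, so the example
    is deterministic regardless of the host it runs on (constructed)."""
    links = {"/bin": "/usr/bin", "/sbin": "/usr/sbin", "/lib": "/usr/lib"}
    return links.get(path, path)


def parse_directories(conf_xml):
    """Return (directory, follow_symbolic_link) pairs from <directories> tags."""
    root = ET.fromstring(conf_xml)
    entries = []
    for el in root.iter("directories"):
        follow = el.get("follow_symbolic_link", "no") == "yes"
        for raw in (el.text or "").split(","):
            d = raw.strip()
            if d:
                entries.append((d, follow))
    return entries


def build_sample_db(db_path, paths=SAMPLE_PATHS):
    """Create a minimal stand-in for fim.db. Assumed schema: only the
    entry_path(path) table that the query in the reply refers to."""
    conn = sqlite3.connect(db_path)
    with conn:
        conn.execute("CREATE TABLE entry_path (path TEXT PRIMARY KEY)")
        conn.executemany("INSERT INTO entry_path (path) VALUES (?)",
                         [(p,) for p in paths])
    conn.close()


def count_entries(db_path, directory):
    """Count indexed files below a directory. The trailing '/' keeps
    '/usr/bin' from also matching a hypothetical '/usr/binaries'."""
    pattern = directory.rstrip("/") + "/%"
    conn = sqlite3.connect(db_path)
    try:
        (n,) = conn.execute(
            "SELECT COUNT(*) FROM entry_path WHERE path LIKE ?", (pattern,)
        ).fetchone()
        return n
    finally:
        conn.close()


def find_unindexed(db_path, entries, resolver=os.path.realpath):
    """For each configured directory, resolve where the scanner really walks
    and report those with no entries as (configured, resolved, follow)."""
    missing = []
    for configured, follow in entries:
        resolved = resolver(configured)
        if count_entries(db_path, resolved) == 0:
            missing.append((configured, resolved, follow))
    return missing


def run_check(conf_xml=SAMPLE_CONF, resolver=merged_usr_resolver):
    """Build the sample database in a temp dir and run the check end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "fim.db")
        build_sample_db(db_path)
        return find_unindexed(db_path, parse_directories(conf_xml), resolver)


if __name__ == "__main__":
    for configured, resolved, follow in run_check():
        hint = ""
        if configured != resolved and not follow:
            hint = "  (symlink monitored without follow_symbolic_link)"
        print(f"no FIM entries for {configured} -> {resolved}{hint}")
```

On the constructed data the check flags /usr/bin and /usr/sbin (configured directly, yet empty in the database) as well as /bin and /sbin, which resolve to the same two targets and are monitored without follow_symbolic_link. The report distinguishes the two cases so an operator can tell a missing scan from a misconfigured symlink entry.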

frances...@gmail.com

Jan 21, 2021, 6:57:26 AM
to Wazuh mailing list
Hi, I modified ossec.conf removing the line:

    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <!--<directories check_all="yes" follow_symbolic_link="yes">/bin,/sbin,/boot</directories>-->

This is the server log:

2021/01/21 12:48:59 ossec-syscheckd: INFO: Started (pid: 32552).
2021/01/21 12:48:59 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2021/01/21 12:48:59 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2021/01/21 12:48:59 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.

this is the agent log:

2021/01/21 12:45:46 ossec-syscheckd: INFO: (6003): Monitoring directory: '/usr/bin' (/bin), with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2021/01/21 12:45:46 ossec-syscheckd: INFO: (6003): Monitoring directory: '/usr/sbin' (/sbin), with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.

But nothing changed; I still don't see changes.
I see that in the agent's /var/ossec/etc/ossec.conf there is this line:

    <directories>/bin,/sbin,/boot</directories>

Should I remove this line too? Or maybe should I write something in the shared centralized configuration?

The command sqlite3 queue/fim/db/fim.db "select path from entry_path where path like '/usr/bin%';" returns nothing.
Thank you.

mauro.e...@wazuh.com

Jan 21, 2021, 8:10:21 AM
to Wazuh mailing list
Hi Francesco,

Based on the log outputs, your manager is now monitoring /usr/bin and /usr/sbin directly and your agent is monitoring them by following the corresponding /bin and /sbin symbolic links.

I see that you are using scheduled mode to monitor your directories (which is the default); are you also using the default scan frequency? If so, have you waited for the second scan to happen? (By default the time between scans is 12 hours.)

Another change you can make to see if this is working is to add realtime="yes" to the <directories> tag and create a file in the monitored directory after the initial scan is done; you should get an alert almost immediately.

Just a last couple of questions: how are you checking if the alerts are being generated? Are you using the web UI or looking directly at the files located under /var/ossec/logs/alerts on the manager?

You can also check out this section on our documentation to see if you find any useful information that might help you:
https://documentation.wazuh.com/3.13/user-manual/capabilities/file-integrity/index.html#file-integrity-monitoring

Best regards,
Mauro.

frances...@gmail.com

Jan 25, 2021, 3:19:14 AM
to Wazuh mailing list
My scan frequency is 3 hours; I then tried with realtime, but same result, no alert. I'm checking in the web UI. I have alerts for the /bin folder on other agents.
If I create a file in the /etc folder, it is detected.
Thank you.

frances...@gmail.com

Jan 26, 2021, 2:43:28 AM
to Wazuh mailing list
Now I see all events; I don't know why.
Thanks for the support.
