FIM module is not working in MacOS


Angel Acevedo

Jul 30, 2024, 8:41:49 AM
to Wazuh | Mailing List
Hello,

I have configured the FIM module to scan specific directories on a Mac computer, but no alerts are being generated regarding syscheck (e.g. rules 550 or 554).

The specific configuration for syscheck has been included in the shared configuration file, and agents have been restarted several times. The configuration is the following one:

<agent_config>
<syscheck>
    <disabled>no</disabled>
    <directories check_all="yes" realtime="yes">/Users/*/Desktop,/Users/*/Downloads,/Users/*/Documents</directories>
    <directories check_all="yes" realtime="yes">/Users/Shared</directories>
</syscheck>
</agent_config>

I have also tried using several lines, one for each directory, but that does not work either.

In the ossec.conf file, I have tried reducing the frequency of scheduled scans to 60 seconds, but the problem persists.

To give you more information, I have already checked the inventory in the Wazuh UI and there are paths like /etc or /usr/bin, but none for /Users or /Library (the macOS-specific ones).

If I enable the debug logs for syscheck, I see this:

2024-07-30T12:17:57.572457759Z 2024/07/30 12:17:57 wazuh-syscheckd[447] run_check.c:124 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"scan_start","data":{"timestamp":1722341877}}
2024-07-30T12:17:57.575413844Z 2024/07/30 12:17:57 wazuh-syscheckd[447] create_db.c:511 at fim_scan(): DEBUG: (6348): Size of 'queue/diff' folder: 0.00000 KB.
2024-07-30T12:17:57.658171810Z 2024/07/30 12:17:57 wazuh-syscheckd[447] syscheck_op.c:581 at get_user(): DEBUG: User with uid '1000' not found.
2024-07-30T12:17:57.658319563Z 2024/07/30 12:17:57 wazuh-syscheckd[447] syscheck_op.c:613 at get_group(): DEBUG: Group with gid '1000' not found.
2024-07-30T12:17:57.658435587Z 2024/07/30 12:17:57 wazuh-syscheckd[447] syscheck_op.c:581 at get_user(): DEBUG: User with uid '1000' not found.
2024-07-30T12:17:57.658447531Z 2024/07/30 12:17:57 wazuh-syscheckd[447] syscheck_op.c:613 at get_group(): DEBUG: Group with gid '1000' not found.
2024-07-30T12:17:57.981373795Z 2024/07/30 12:17:57 wazuh-integratord[359] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2024-07-30T12:17:58.216816647Z 2024/07/30 12:17:58 wazuh-syscheckd[447] create_db.c:614 at fim_scan(): INFO: (6009): File integrity monitoring scan ended.
2024-07-30T12:17:58.216857295Z 2024/07/30 12:17:58 wazuh-syscheckd[447] run_check.c:124 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"scan_end","data":{"timestamp":1722341878}}
2024-07-30T12:17:58.217624658Z 2024/07/30 12:17:58 wazuh-syscheckd[447] create_db.c:1817 at fim_print_info(): DEBUG: (6330): The scan has been running during: 0.644 sec (0.642 clock sec)
2024-07-30T12:17:58.218183903Z 2024/07/30 12:17:58 wazuh-syscheckd[447] create_db.c:1832 at fim_print_info(): DEBUG: (6336): Fim inode entries: '1210', path count: '1214'

More info:
Agent and Manager version: v4.7.2
Agent OS: macOS Sonoma 14.5 (M3 chip)

Thank you.

Gonzalo Acuña

Jul 31, 2024, 11:40:14 AM
to Wazuh | Mailing List
Hi,
I'm working on a response. I'll get back to you soon.

Regards.
Gonzalo.

Gonzalo Acuña

Jul 31, 2024, 1:45:06 PM
to Wazuh | Mailing List
Hi,
Have you added the agent to the corresponding group?
Do you see the shared configurations in the agent.conf file in the macOS server?
Have you tested adding the configuration directly to the agent's ossec.conf file?

Regards.
Gonzalo.

Angel Acevedo

Aug 1, 2024, 2:39:03 AM
to Wazuh | Mailing List
Hi,

Yes, the agent is added to the "employees" group. The shared configuration on the macOS agent is present (see attached image). I have also just tested your last suggestion of adding the configuration directly to the agent's ossec.conf file, but the issue is the same, and the syscheck logs I see are the same as those in my first post.

Thanks,
Regards.

Captura de pantalla 2024-08-01 a las 8.28.42.png

Angel Acevedo

Aug 5, 2024, 10:15:00 AM
to Wazuh | Mailing List
Hi Gonzalo,

Any update on this issue? If you need more information, please tell me.

Thanks.
Regards.

Gonzalo Acuña

Aug 5, 2024, 1:42:36 PM
to Wazuh | Mailing List
Hi.
Analyzing the logs, I see that the files/directories are being scanned. How are you modifying the files?
Can you look for the following message in the logs?
`WARNING: (6332): Realtime monitoring request on unsupported system.`
macOS does not support real-time nor whodata, so, the previous message should appear in the logs.

Angel Acevedo

Aug 6, 2024, 10:59:38 AM
to Wazuh | Mailing List
Hi,

I am not just modifying them but also adding new files, and neither of these two events (modify or add) raises any alert for macOS endpoints. I modify the files by opening the file, changing the content and then saving.

Regarding the log "WARNING: (6332): Realtime monitoring...", the thing is that I do not see this entry in /var/ossec/logs/ossec.log.

I have already tested without realtime monitoring, and the logs are the same as those I attached to my first post. It seems that the Wazuh agent is not checking the /Users/ directory...

Thanks,
Regards.

Angel Acevedo

Aug 14, 2024, 2:36:07 AM
to Wazuh | Mailing List
Hi Gonzalo,

Do you have any new suggestions about how to solve this issue?

Thanks in advance.

Gonzalo Acuña

Aug 15, 2024, 1:17:58 PM
to Wazuh | Mailing List
Hi.
Can you share the agent ossec.conf and agent.conf, please?

Regards.
Gonzalo.

Angel Acevedo

Aug 16, 2024, 2:52:39 AM
to Wazuh | Mailing List
Hi,

Sure, I attach them to this message.

Thanks,
Regards.
agent.conf
ossec.conf

Gonzalo Acuña

Aug 19, 2024, 12:24:15 PM
to Wazuh | Mailing List
Hi.
Can you run the following test, please?
1. Remove the following configuration:
<directories check_all="yes">/Users/*/Desktop,/Users/*/Downloads,/Users/*/Documents</directories>
2. Make sure the configuration is removed, and then restart the macOS Agent.
3. Manually add, modify, and delete a file under the /Users/Shared directory
4. Check if an alert was generated. If no alert was generated, share a screenshot of the Wazuh dashboard.

Regards.
Gonzalo.

Angel Acevedo

Aug 21, 2024, 7:42:35 AM
to Wazuh | Mailing List
Hi,

During these days we have performed more tests on at least 5 macOS endpoints with the same Apple Silicon chip and OS versions from 14.3 to 14.6.1. The results are quite confusing, because we have realized that:
  - Some macOS endpoints need the "Full Disk Access (FDA)" option enabled for at least Terminal.app and the wazuh-syscheckd process. With that option enabled, the FIM module works for the /Users/ directories.
  - Others do not need either FDA or "Access to Files and Folders" enabled for Terminal.app / wazuh-syscheckd; the FIM module works fine.
  - On others, when restarting the agent, a pop-up window opens asking for permission to access the Users directories. Once you select "OK", the wazuh-syscheckd process is automatically granted FDA. Unfortunately, we do not have any screenshot of this pop-up window, but it was similar to image2.png (taken from the Internet).

For those where the FIM module was not working unless FDA was enabled, we noticed that some errors appear in the ossec.log file ("WARNING: (6922): Cannot open '/Users/angel/Desktop': Operation not permitted").

I attach images showing FDA enabled on some endpoints for Terminal.app and wazuh-syscheckd, and the agent logs from when FIM was not working.

The issue seems to behave differently depending on the agent, and since Wazuh does not have this issue documented, I would like to know whether this is a new bug or whether you have any more details on the need to enable FDA for Terminal.app and wazuh-syscheckd.

Thanks in advance.
image1.png
image2.png
image3.png
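
The following POSIX shell script is an added triage helper, not part of this thread or of the Wazuh project. It classifies wazuh-syscheckd lines from an agent's ossec.log for the two messages discussed above: the "(6332): Realtime monitoring request on unsupported system" warning Gonzalo asked about, and the "(6922): Cannot open '...': Operation not permitted" error seen on the endpoints that needed Full Disk Access. The sample log lines are constructed for the example (the "file.c:NNN at func():" field that real Wazuh lines carry is omitted, since the matching does not depend on it), and the function names and the verdict labels (tcc-denied, realtime-unsupported-only, ok) are this example's own.

```shell
#!/bin/sh
# Added example: triage wazuh-syscheckd messages from an agent's ossec.log.
# Not part of the Wazuh project; function names and verdict labels are this
# example's own. Message IDs 6332 and 6922 are the ones quoted in the thread;
# everything else about the sample lines below is constructed.

# Write a constructed sample log to a temp file and print its path.
# Real Wazuh log lines also carry a "file.c:NNN at func():" field before the
# level; it is omitted here because the matching below does not rely on it.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
2024/07/30 12:17:57 wazuh-syscheckd[447] DEBUG: (6321): Sending FIM event: {"type":"scan_start","data":{"timestamp":1722341877}}
2024/07/30 12:17:57 wazuh-syscheckd[447] WARNING: (6332): Realtime monitoring request on unsupported system.
2024/07/30 12:17:57 wazuh-syscheckd[447] WARNING: (6922): Cannot open '/Users/angel/Desktop': Operation not permitted
2024/07/30 12:17:57 wazuh-syscheckd[447] WARNING: (6922): Cannot open '/Users/angel/Downloads': Operation not permitted
2024/07/30 12:17:57 wazuh-syscheckd[447] WARNING: (6922): Cannot open '/Users/angel/Desktop': Operation not permitted
2024/07/30 12:17:58 wazuh-syscheckd[447] INFO: (6009): File integrity monitoring scan ended.
EOF
    printf '%s\n' "$f"
}

# count_msg LOG ID: number of lines carrying Wazuh message id "(ID):".
# grep -c prints 0 but exits non-zero when nothing matches, hence "|| true".
count_msg() {
    grep -c "($2):" "$1" || true
}

# denied_paths LOG: unique directories syscheckd could not open (6922).
# On macOS, "Operation not permitted" on a user folder is the TCC denial
# that granting wazuh-syscheckd Full Disk Access resolves, as the thread found.
denied_paths() {
    sed -n "s/.*(6922): Cannot open '\([^']*\)': Operation not permitted.*/\1/p" "$1" | sort -u
}

# fim_verdict LOG: one word summarising why /Users paths may be missing.
#   tcc-denied                - at least one (6922); grant FDA to syscheckd
#   realtime-unsupported-only - only (6332) seen; expected on macOS, scheduled
#                               scans still run, so the cause lies elsewhere
#   ok                        - neither message present
fim_verdict() {
    if [ "$(count_msg "$1" 6922)" -gt 0 ]; then
        echo tcc-denied
    elif [ "$(count_msg "$1" 6332)" -gt 0 ]; then
        echo realtime-unsupported-only
    else
        echo ok
    fi
}

# triage_log LOG: human-readable report, e.g. for /var/ossec/logs/ossec.log.
triage_log() {
    echo "verdict: $(fim_verdict "$1")"
    echo "6332 (realtime unsupported) lines: $(count_msg "$1" 6332)"
    echo "6922 (cannot open) lines: $(count_msg "$1" 6922)"
    denied_paths "$1" | sed 's/^/denied: /'
}
```

Usage on a real agent: source the script and run `triage_log /var/ossec/logs/ossec.log`. A tcc-denied verdict with /Users paths listed is the symptom reported above and points at the Full Disk Access grant rather than at the syscheck configuration; realtime-unsupported-only is expected on macOS and does not by itself explain missing /Users entries.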

Gonzalo Acuña

Aug 27, 2024, 2:00:49 PM
to Wazuh | Mailing List
Hi,
This happens because the Wazuh agent is not recognized as an app itself. However, the Wazuh Agent is identified as an app.
The Agent is a set of executables, and some macOS components do not know how to handle it. Because of this, if you start the Agent from the Terminal, you will be asked to enable FDA. This should not happen if the OS is rebooted, because the Agent would then have been started autonomously.
Please, let me know if you have started the Agent from the Terminal. If so, then it is an expected behavior.

Regards.
Gonzalo.