Trying to use wazuh on sles12


Stephan Joerrens

Sep 2, 2016, 12:21:21 PM
to Wazuh mailing list
Hello

I have built myself a working RPM package. But I am stuck at the point of activating the wazuh module for oscap.

Also, I have built some cis-rootkit files for sles11 and sles12.
But I got thousands of alerts on btrfs saying that the number of links is wrong....

Stephan Joerrens

Sep 2, 2016, 2:38:54 PM
to Wazuh mailing list
These are the alerts which I mean:

** Alert 1472837895.1036628: mail  - ossec,rootcheck
2016 Sep 02 19:38:15 linux-9p27->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Files hidden inside directory '/var/tmp'. Link count does not match number of files (3,1).

Jesus Linares

Sep 5, 2016, 7:58:30 AM
to Wazuh mailing list
Hi Stephan,

Could you describe your issue with oscap in detail? OpenSCAP is still in development and it will be released very soon. Meanwhile, you can check out the in-progress documentation: https://github.com/wazuh/wazuh-documentation/blob/in-progress/source/wazuh_modules_openscap.rst

Regarding the rootcheck issue:
Files hidden inside directory '/var/tmp'. Link count does not match number of files (3,1)

The alert means that rootcheck found 3 subdirectories with the readdir() call but only 1 with the stat call. It could be a false positive. Please run the following commands and paste the output here:
ls -la /var/tmp | grep ^d | wc -l

stat /var/tmp


So, you are creating packages for Suse, right? We are creating wazuh packages for Redhat, Centos, Debian, etc. Let us know if you need help with the Suse package.

Regards.

Stephan Joerrens

Sep 5, 2016, 8:52:46 AM
to Wazuh mailing list
Thanks.

The oscap docs will help. I will try it out these days.

Here is the output from the two commands:

sles12test:/var/tmp # ls -la /var/tmp | grep ^d | wc -l
8

sles12test:/var/tmp # stat /var/tmp
  Datei: „/var/tmp“
  Größe: 718       Blöcke: 0          EA Block: 4096   Verzeichnis
Gerät: 29h/41d Inode: 256         Verknüpfungen: 1
Zugriff: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)
Zugriff    : 2016-09-05 10:18:51.899837496 +0200
Modifiziert: 2016-09-05 10:04:31.097393192 +0200
Geändert   : 2016-09-05 10:04:31.097393192 +0200
 Geburt    : -

Regards.

Jesus Linares

Sep 5, 2016, 11:07:53 AM
to Wazuh mailing list
Theoretically, OSSEC runs stat and readdir(). When stat is run on a directory the link count will show how many files the directory contains. The rootcheck module will also use the readdir() system call to determine the link count of a directory. If there is a discrepancy it is flagged as a possible rootkit.

Malware could modify readdir in order to hide files, but you have 8 directories with ls and 1 with stat. If it were malware, you would see 1 directory with ls and 8 with stat. Let us take a deeper look into it, and please share more examples of the following commands here:
  • ls -la "directory"
  • ls -la "directory" | grep ^d | wc -l
  • stat "directory"
If it is a false positive or a bug, we can ignore it with a rule.

I hope it helps.
Regards.

Stephan Joerrens

Sep 5, 2016, 12:51:34 PM
to Wazuh mailing list
OK, it is a btrfs problem, or feature :)


linux-9p27:/var/tmp # df -hT
Filesystem              Type      Size  Used Avail Use% Mounted on
devtmpfs                devtmpfs  7.9G     0  7.9G   0% /dev
tmpfs                   tmpfs     7.9G     0  7.9G   0% /dev/shm
tmpfs                   tmpfs     7.9G  1.7M  7.9G   1% /run
tmpfs                   tmpfs     7.9G     0  7.9G   0% /sys/fs/cgroup
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /var/spool
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /var/lib/mysql
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /srv
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /boot/grub2/i386-pc
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /.snapshots
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /var/lib/pgsql
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /var/lib/mailman
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /usr/local
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /tmp
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /opt
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /var/log
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /var/crash
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /boot/grub2/x86_64-efi
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /var/lib/mariadb
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /var/opt
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /var/lib/libvirt/images
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /var/tmp
/dev/mapper/system-root btrfs      24G  3.0G   21G  14% /var/lib/named
/dev/mapper/system-home xfs        36G   33M   36G   1% /home
linux-9p27:~ # ls -la /var/tmp/
total 0
drwxrwxrwt 1 root root 164 Sep  5 18:43 .
drwxr-xr-x 1 root root  96 Jul 28 20:28 ..
drwx------ 1 root root   6 Sep  5 18:40 systemd-private-7d9f1af055764f40a45c6330621413ea-ntpd.service-VSw2vs
drwxr-xr-x 1 root root  54 Sep  5 18:44 ts
drwxr-xr-x 1 root root   0 Sep  5 18:43 tswr
drwxr-xr-x 1 root root   0 Sep  5 18:43 tswrwsef
linux-9p27:~ # stat /var/tmp/
  File: ‘/var/tmp/’
  Size: 164             Blocks: 0          IO Block: 4096   directory
Device: 38h/56d Inode: 256         Links: 1
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-09-05 18:43:53.545161213 +0200
Modify: 2016-09-05 18:43:51.026421122 +0200
Change: 2016-09-05 18:43:51.026421122 +0200
 Birth: -
linux-9p27:~ # mkdir /var/tmp/tests
linux-9p27:~ # stat /var/tmp/
  File: ‘/var/tmp/’
  Size: 174             Blocks: 0          IO Block: 4096   directory
Device: 38h/56d Inode: 256         Links: 1
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-09-05 18:43:53.545161213 +0200
Modify: 2016-09-05 18:47:53.249252999 +0200
Change: 2016-09-05 18:47:53.249252999 +0200
 Birth: -

The link count has nothing to do with the number of directories on a btrfs filesystem.
On XFS/ext4, everything works fine.

linux-9p27:~ # stat /home
  File: ‘/home’
  Size: 6               Blocks: 0          IO Block: 4096   directory
Device: fe02h/65026d    Inode: 64          Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-07-28 20:29:39.532889000 +0200
Modify: 2015-09-30 12:59:27.000000000 +0200
Change: 2016-07-28 20:27:38.228889000 +0200
 Birth: -
linux-9p27:~ # ls -la /home
total 0
drwxr-xr-x 2 root root   6 Sep 30  2015 .
drwxr-xr-x 1 root root 166 Jul 28 20:29 ..
linux-9p27:~ # mkdir /home/test
linux-9p27:~ # stat /home
  File: ‘/home’
  Size: 18              Blocks: 0          IO Block: 4096   directory
Device: fe02h/65026d    Inode: 64          Links: 3
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-09-05 18:50:52.167748999 +0200
Modify: 2016-09-05 18:50:59.124268999 +0200
Change: 2016-09-05 18:50:59.124268999 +0200
 Birth: -

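To make the heuristic from Jesus's explanation and Stephan's btrfs finding concrete, here is an added Python re-implementation of the readdir()/stat() comparison (illustration only, not code from the thread, Wazuh or OSSEC). On ext4/XFS a directory's link count is 2 plus its number of subdirectories, so the two views must agree; btrfs always reports Links: 1 for directories, as the stat output above shows, so the example treats that case as "unsupported" instead of raising the anomaly. The function names and the temporary directory with three subdirectories are constructed for this example.

```python
"""Illustration of the rootcheck 'hidden directory' heuristic, with the btrfs
caveat handled. Added example, not Wazuh/OSSEC code."""
import os
import tempfile


def classify(readdir_count, nlink):
    """Compare the two views of a directory that rootcheck contrasts.

    readdir_count: subdirectories seen when listing the directory (readdir()).
    nlink:         st_nlink reported by stat() for the directory itself.

    Classic Unix filesystems (ext4, XFS) give a directory 2 links ('.' and the
    parent's entry) plus one per subdirectory (each child's '..'), so
    nlink - 2 should equal readdir_count.  btrfs does not maintain this
    convention and reports nlink == 1 for directories, so the heuristic
    carries no information there and is skipped rather than reported.
    """
    if nlink < 2:
        return "unsupported"          # e.g. btrfs: link count is not tracked
    expected = nlink - 2
    if expected == readdir_count:
        return "ok"
    return "anomaly"                  # what rootcheck raises as rule 510


def count_subdirs(path):
    """Subdirectories visible through readdir(), excluding '.' and '..'.

    Symlinks to directories are not counted, which matches both
    'ls -la | grep ^d' and what a directory's link count reflects.
    """
    with os.scandir(path) as it:
        return sum(1 for e in it if e.is_dir(follow_symlinks=False))


def check_directory(path):
    """Run the heuristic on a real directory.

    Returns (status, readdir_count, nlink), e.g. ('unsupported', 8, 1) for
    /var/tmp on the btrfs host in the thread.
    """
    nlink = os.lstat(path).st_nlink
    readdir_count = count_subdirs(path)
    return classify(readdir_count, nlink), readdir_count, nlink


def demo():
    """Constructed scenario: a temporary directory with three subdirectories,
    named after the ones in Stephan's /var/tmp listing."""
    with tempfile.TemporaryDirectory() as base:
        for name in ("ts", "tswr", "tswrwsef"):
            os.mkdir(os.path.join(base, name))
        return check_directory(base)


if __name__ == "__main__":
    status, seen, nlink = demo()
    print(f"status={status} readdir={seen} nlink={nlink}")
    # On a real host: print(check_directory("/var/tmp"))
```

Running check_directory("/var/tmp") on the btrfs host above would return ("unsupported", 8, 1), i.e. the same numbers rootcheck saw but no alert; on the XFS /home it returns ("ok", 0, 2) before and ("ok", 1, 3) after the mkdir, matching the stat output in the post.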


Jesus Linares

Sep 6, 2016, 6:39:55 AM
to Wazuh mailing list
Hi,

Everything seems to indicate that it is an issue with the btrfs filesystem. We will try to fix it. Meanwhile, you can create a rule to ignore the events:

local_rules.xml
<group name="rootcheck,">
  <rule id="100002" level="0">
    <if_sid>510</if_sid>
    <match>Link count does not match number of files</match>
    <description>Ignore Link count (rootcheck)</description>
  </rule>
</group>

Also, you can improve the rule to match only btrfs files.

Let me know if it works.

Regards.

Stephan Joerrens

Sep 6, 2016, 7:53:40 AM
to Wazuh mailing list
Thanks, that rule works.

Stephan Joerrens

Sep 7, 2016, 9:15:42 AM
to Wazuh mailing list
I created a pull request on GitHub

https://github.com/ossec/ossec-hids/pull/950

Let's see....
