FIM syscheck difference monitoring on shared file


Simon

Feb 11, 2022, 8:20:22 AM2/11/22
to Wazuh mailing list
Hi there,

I've been struggling all day with one case: monitoring changes with the FIM module on a shared file.

What I have is a shared file somewhere in my network. I'd like to use my Windows Wazuh agent to see changes in the content of this file. I'm using the option "report_change", but when I look at the results I don't see the "syscheck.diff" field.

Here is my agent configuration (ossec.conf):
conf.jpg

Here is the screenshot:
screen.png

I am using version 3.13. Is difference monitoring on network files supported from the Windows Wazuh agent?

Kind regards
Simon

Jose Luis Carreras Marin

Feb 11, 2022, 10:21:50 AM2/11/22
to Wazuh mailing list
Hello Simon,
First of all, I have to say that Wazuh version 3.13 is nowadays a bit outdated; there have been many improvements in FIM, and in Wazuh in general, during version 4.

To analyze the problem, I will try to reproduce it to see what could be happening. In the meantime, it would be very helpful to access the debug logs of that agent if possible.
  • To do this, you must modify the file:
    C:\Program Files (x86)\ossec-agent\internal_options.conf
  • Change the line:
    syscheck.debug=0 to syscheck.debug=2
  • After restarting the agent and reproducing the same behavior again, you can find the logs in the file:
    C:\Program Files (x86)\ossec-agent\ossec.log
You can send me the result, or check if there is any error or warning related to the file.
I hope I can help as much as possible.
Best regards

Simon

Feb 11, 2022, 1:55:37 PM2/11/22
to Wazuh mailing list
Hi,
Thank you for your help. It is appreciated.

Yeah, I know that 3.13 is pretty old. I am planning to switch to the newest version, but I have to hold on to this version for a while longer.
I'd be surprised if this problem is related strictly to a Wazuh version, though.

Setting up debug was one of the first things I did when I knew there would be trouble ;)
Sadly I couldn't find any valuable information regarding this issue. I did at some point have the message "Unable to add directory to real time monitoring", but it was due to the fact that at the time I was pointing directly to the file rather than the directory. The documentation is pretty clear about that not being a valid option in syscheck.

I will run it again and let you know if I find something.

Kind regards
Simon

Simon

Feb 14, 2022, 3:08:39 AM2/14/22
to Wazuh mailing list
Hi there,

I've repeated the tests and extracted the agent debug log.
The test procedure was:
1. Prepare agent configuration to monitor directories
2. Restart agent
3. Change the file content in the remote file and then in the local file.

Here is the debug log:
2022/02/14 08:50:55 ossec-agent[7128] state.c:67 at write_state(): DEBUG: Updating state file.
2022/02/14 08:50:56 ossec-agent[7128] notify.c:115 at run_notify(): DEBUG: Sending agent notification.
2022/02/14 08:50:56 ossec-agent[7128] notify.c:171 at run_notify(): DEBUG: Sending keep alive: #!-Microsoft Windows 10 Pro [Ver: 10.0.19043] - Wazuh v3.12.3 / ab73af41699f13fdd81903b5f23d8d00
fd756ba04d9c32c8848d4608bec41251 merged.mg
#"_agent_ip":x.x.x.x
2022/02/14 08:50:56 ossec-agent[7128] receiver-win.c:128 at receiver_thread(): DEBUG: Received message: '#!-agent ack '
2022/02/14 08:50:56 ossec-agent[7128] read_syslog.c:134 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/02/14 08:50:56 ossec-agent[7128] read_syslog.c:134 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/02/14 08:50:56 ossec-agent[7128] read_syslog.c:134 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/02/14 08:50:58 ossec-agent[7128] read_syslog.c:134 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/02/14 08:51:00 ossec-agent[7128] state.c:67 at write_state(): DEBUG: Updating state file.
2022/02/14 08:51:00 ossec-agent[7128] read_syslog.c:134 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/02/14 08:51:00 ossec-agent[7128] read_syslog.c:134 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/02/14 08:51:02 ossec-agent[7128] create_db.c:60 at fim_scan(): INFO: (6008): File integrity monitoring scan started.
2022/02/14 08:51:02 ossec-agent[7128] run_check.c:110 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"scan_start","data":{"timestamp":1644825062}}
2022/02/14 08:51:02 ossec-agent[7128] syscheck_op.c:863 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2022/02/14 08:51:02 ossec-agent[7128] syscheck_op.c:863 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2022/02/14 08:51:02 ossec-agent[7128] syscheck_op.c:741 at get_user(): DEBUG: Account owner not found for file '\\x.x.x.x\public\testdir\test.txt'
2022/02/14 08:51:02 ossec-agent[7128] fim_db.c:472 at fim_db_check_transaction(): DEBUG: Database transaction completed.
2022/02/14 08:51:02 ossec-agent[7128] win-registry.c:318 at os_winreg_check(): DEBUG: (6031): Registry integrity monitoring scan started
2022/02/14 08:51:02 ossec-agent[7128] win-registry.c:346 at os_winreg_check(): DEBUG: (6032): Registry integrity monitoring scan ended
2022/02/14 08:51:02 ossec-agent[7128] create_db.c:95 at fim_scan(): INFO: (6009): File integrity monitoring scan ended.
2022/02/14 08:51:02 ossec-agent[7128] run_check.c:110 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"scan_end","data":{"timestamp":1644825062}}
2022/02/14 08:51:02 ossec-agent[7128] create_db.c:1090 at fim_print_info(): DEBUG: (6330): The scan has been running during: 0.025 sec (0.026 clock sec)
2022/02/14 08:51:02 ossec-agent[7128] create_db.c:1093 at fim_print_info(): DEBUG: (6335): Fim entries: 2
2022/02/14 08:51:02 ossec-agent[7128] read_syslog.c:134 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/02/14 08:51:02 ossec-agent[7128] read_syslog.c:134 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/02/14 08:51:03 ossec-agent[7128] run_check.c:110 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"c:\\users\\myuser\\documents\\tempdir\\test.txt","mode":"real-time","type":"modified","timestamp":1644825063,"attributes":{"type":"file","size":63,"perm":"SYSTEM (allowed): delete|read_control|write_dac|write_owner|synchronize|read_data|write_data|append_data|read_ea|write_ea|execute|read_attributes|write_attributes, Administrators (allowed): delete|read_control|write_dac|write_owner|synchronize|read_data|write_data|append_data|read_ea|write_ea|execute|read_attributes|write_attributes, myuser (allowed): delete|read_control|write_dac|write_owner|synchronize|read_data|write_data|append_data|read_ea|write_ea|execute|read_attributes|write_attributes","uid":"S-1-5-21-1681356104-1403487445-178136569-1005","user_name":"myuser","inode":0,"mtime":1644825063,"hash_md5":"d6dc5dd257aa5dbfed2317820dd7ae3f","hash_sha1":"203f10c38789448c9d4853fdfa5c7f6676177e7a","hash_sha256":"3d369deaae74dc94ba01c6ddf996a16815135d00ab65836df03950d7b1c9f59b","attributes":"ARCHIVE","checksum":"114fe8c2463f83694a5fca47a61f46d94c5f1087"},"changed_attributes":["size","mtime","md5","sha1","sha256"],"old_attributes":{"type":"file","size":51,"perm":"SYSTEM (allowed): delete|read_control|write_dac|write_owner|synchronize|read_data|write_data|append_data|read_ea|write_ea|execute|read_attributes|write_attributes, Administrators (allowed): delete|read_control|write_dac|write_owner|synchronize|read_data|write_data|append_data|read_ea|write_ea|execute|read_attributes|write_attributes, myuser (allowed): delete|read_control|write_dac|write_owner|synchronize|read_data|write_data|append_data|read_ea|write_ea|execute|read_attributes|write_attributes","uid":"S-1-5-21-1681356104-1403487445-178136569-1005","user_name":"myuser","inode":0,"mtime":1644824888,"hash_md5":"7941958e81f541d1516f358e3ffea73f","hash_sha1":"37e9be882405efa82e2a7edc10bf0586c5dac111","hash_sha256":"db1ed14b0522a372cc0e4cc586991b02814ba9e1f2a93be799855100373fff45","attributes":"ARCHIVE","checksum":"af48bff1dc3c823de61a95a98373e6f78fc006a7"},"content_changes":"---\n> added 8:50\n"}}

The only element that looks unusual to me is in lines 16 and 17, but I'm not sure if this impacts the "report_changes" option:
syscheck_op.c:863 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.

Kind regards
Simon

Jose Luis Carreras Marin

Feb 14, 2022, 5:47:30 AM2/14/22
to Wazuh mailing list
Hello Simon,
A couple of things about the debug data. Here the FIM scan starts, which corresponds to the scheduled mode:
Sending FIM event: {"type": "scan_start"....

During these scans, the real-time module does not produce any alert, so for this kind of test you should always wait for it to finish. I only see one modification alert; I don't see the one for the remote file.

Thanks for all the info. It is indeed a problem with the report_changes operation regarding remote files over the network. I have been testing, and I have seen that on Windows we use the fc (file compare) command, which is not able to process the differences between a local and a remote directory. You can read about it here:
https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/how-to-use-windiff-utility

As you guessed, it is not something that has been fixed in later versions, so I will proceed to open an issue with this problem to propose a fix in the future.
Sorry for the inconvenience, and thanks for the information.
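To make the gap described in this thread visible from an agent log, here is an added example (written for this page; it is not code from the thread or from Wazuh). It reads the "Sending FIM event" lines from a syscheck debug log like the one Simon posted, tracks the scan_start/scan_end window Jose mentions, and reports every modification whose hashes changed but which carries no content_changes diff, split by whether the path is a UNC share. The sample log is constructed: the scan markers and the local real-time event are modelled on the posted log (event bodies shortened), while the scheduled event for the UNC path is an assumption about what a remote-file event without a diff would look like, since the posted log contains no such event.

```python
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample of Wazuh 3.x agent debug lines (not real captured output).
# Line 2 (UNC path, no "content_changes") is an assumed shape for the remote-file
# case; lines 1, 3 and 4 follow the log quoted in the thread with shortened bodies.
SAMPLE_LOG = "\n".join([
    r'2022/02/14 08:51:02 ossec-agent[7128] run_check.c:110 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"scan_start","data":{"timestamp":1644825062}}',
    r'2022/02/14 08:51:02 ossec-agent[7128] run_check.c:110 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"\\\\x.x.x.x\\public\\testdir\\test.txt","mode":"scheduled","type":"modified","timestamp":1644825062,"attributes":{"type":"file","size":20,"hash_md5":"0123456789abcdef0123456789abcdef"},"changed_attributes":["size","mtime","md5","sha1","sha256"],"old_attributes":{"type":"file","size":12,"hash_md5":"fedcba9876543210fedcba9876543210"}}}',
    r'2022/02/14 08:51:02 ossec-agent[7128] run_check.c:110 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"scan_end","data":{"timestamp":1644825062}}',
    r'2022/02/14 08:51:03 ossec-agent[7128] run_check.c:110 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"c:\\users\\myuser\\documents\\tempdir\\test.txt","mode":"real-time","type":"modified","timestamp":1644825063,"attributes":{"type":"file","size":63,"hash_md5":"d6dc5dd257aa5dbfed2317820dd7ae3f"},"changed_attributes":["size","mtime","md5","sha1","sha256"],"old_attributes":{"type":"file","size":51,"hash_md5":"7941958e81f541d1516f358e3ffea73f"},"content_changes":"---\n> added 8:50\n"}}',
])

# Timestamp at the start of the line, then the JSON body after the marker text.
FIM_EVENT_RE = re.compile(r"^(\S+ \S+) .*?Sending FIM event: (\{.*\})\s*$")

# A change in any of these attributes means the file content changed, so a
# working report_changes setup should have produced a "content_changes" diff.
HASH_ATTRS = {"md5", "sha1", "sha256"}


def iter_fim_events(log_text: str) -> Iterator[Tuple[str, Dict]]:
    """Yield (log timestamp, decoded event) for each 'Sending FIM event' line."""
    for line in log_text.splitlines():
        m = FIM_EVENT_RE.match(line)
        if not m:
            continue
        try:
            yield m.group(1), json.loads(m.group(2))
        except json.JSONDecodeError:
            # An event wrapped across lines by a mail client (as in the posted
            # log) will not decode; skip it rather than abort the audit.
            continue


def audit_report_changes(log_text: str) -> List[Dict]:
    """Return one finding per file event, flagging missing content diffs.

    Events between scan_start and scan_end belong to the scheduled scan, during
    which the real-time module stays silent, so the flag lets a tester tell a
    scheduled hit from a real-time one when reading results.
    """
    in_scan = False
    findings: List[Dict] = []
    for ts, ev in iter_fim_events(log_text):
        kind = ev.get("type")
        if kind == "scan_start":
            in_scan = True
        elif kind == "scan_end":
            in_scan = False
        elif kind == "event":
            data = ev.get("data", {})
            path = data.get("path", "")
            content_changed = bool(HASH_ATTRS & set(data.get("changed_attributes", [])))
            diff_present = "content_changes" in data
            findings.append({
                "time": ts,
                "path": path,
                "mode": data.get("mode"),
                "unc_path": path.startswith("\\\\"),
                "during_scheduled_scan": in_scan,
                "content_changed": content_changed,
                "diff_present": diff_present,
                "diff_missing": content_changed and not diff_present,
            })
    return findings


def paths_missing_diff(log_text: str) -> List[str]:
    """Paths whose content changed but for which no diff was delivered."""
    return [f["path"] for f in audit_report_changes(log_text) if f["diff_missing"]]


if __name__ == "__main__":
    for f in audit_report_changes(SAMPLE_LOG):
        where = "UNC share" if f["unc_path"] else "local disk"
        when = "scheduled scan" if f["during_scheduled_scan"] else "outside scan"
        status = "NO DIFF" if f["diff_missing"] else ("diff ok" if f["diff_present"] else "no content change")
        print(f"{f['time']}  {where:9}  {when:14}  {status:17}  {f['path']}")
```

Point the script at a real ossec.log (after raising syscheck.debug as described earlier in the thread) by replacing SAMPLE_LOG with the file contents; any UNC path listed under "NO DIFF" while local paths show "diff ok" reproduces the symptom discussed here, and the scan-window flag tells you whether the hit came from the scheduled scan or from real-time monitoring.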