Atomic Secure Linux
Post subject: [UPDATE] Constant /etc/asl/whitelist checksum alerts
Posted: Sat Jan 27, 2018 10:11 am
Forum User

Joined: Sun Mar 23, 2014 6:56 pm
Posts: 7
Location: New York
Initially posted (wrongly) in "Atomicorp Yum Repository Forums » General Help and Development Discussion"

Hi,

Ever since a recent reboot, I've been getting 550 alerts regarding a changing checksum on /etc/asl/whitelist. Looking at the file, it seems like the access time is changing every minute. The content of the file, its size and other properties of the file do not change at all. I also checked the SHA1 sum of the file at intervals: no changes.

This problem is most probably related to another warning, coming from ossec-syscheckd:

>> 2018/01/25 06:45:54 ossec-syscheckd: WARNING: Error opening directory: '/etc/asl/whitelist.483964748': No such file or directory

ossec-syscheckd has also been complaining about yum:

>> 2018/01/24 08:18:40 ossec-syscheckd: WARNING: Error opening directory: '/etc/yum.repos.d/sedYLqvq7': No such file or directory

Looks like these temporary files are created, destroyed and then checked by ossec-syscheckd which cannot find them.

Should I be concerned?

Thanks.

[UPDATE]

Further investigation using:
Code:
sudo auditctl -w /etc/asl/whitelist -p wa

Outputs:
Code:
sudo tail -F /var/log/audit/audit.log | grep --line-buffered 'validateip\|whitelist'

type=SYSCALL msg=audit(1517060740.164:700479): arch=c000003e syscall=257 success=yes exit=6 a0=ffffffffffffff9c a1=c820066940 a2=80242 a3=1b6 items=2 ppid=25339 pid=25343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="validateip" exe="/var/asl/bin/validateip" key=(null)
type=PATH msg=audit(1517060740.164:700479): item=1 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1517060740.164:700479): proctitle="/var/asl/bin/validateip"
Code:
watch ls -al /etc/asl/whitelist

The access time is indeed changed when /var/log/audit/audit.log shows lines above (sometimes multiple times in a single minute).

The 550 alert will stop for half a day or so, then come back. Frequency is then between multiple times per minute and once every 5 minutes, always accompanied by the "No such file or directory" warnings coming from ossec-syscheckd (typically, the hourly email warning shows 30+ warnings).

The other file written randomly (by a process I have not yet identified): /etc/yum.repos.d/asl.repo

Thanks for any help you can provide.
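The audit records quoted above are one event split across several lines that share the same audit(timestamp:serial) key. The script below is an added example, not code from the thread or from Atomicorp: it joins the SYSCALL, PATH and PROCTITLE records of each event, names the executable that opened the watched file, and decodes the openat flag word so a reader can tell a read-only open (which only bumps the access time) from a write-capable one. It assumes the host is x86_64 (arch=c000003e, as in the post), so the flag bits and syscall numbers are the x86_64 values. The sample log is constructed: the first event is the one quoted in the post plus its parent-directory PATH record, and the second is a made-up read-only open by ossec-syscheckd, as it would appear if the watch were widened to `-p rwa`.

```python
"""Correlate Linux audit records for a watched file into per-event summaries.

Added example; the parser and helper names are this example's own, not an
auditd or OSSEC API.
"""
import re
from collections import Counter, defaultdict

# open(2)/openat(2) flag bits for arch=c000003e (x86_64). Assumption: the
# audited host is x86_64, as the arch field in the quoted record says.
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT",
              0x200: "O_TRUNC", 0x400: "O_APPEND", 0x80000: "O_CLOEXEC"}
WRITE_BITS = 0x1 | 0x2 | 0x40 | 0x200 | 0x400
# x86_64 syscall numbers we decode, with the argument that carries the flags.
OPEN_SYSCALLS = {2: ("open", "a1"), 257: ("openat", "a2")}

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: event 700479 is the one quoted in the post (plus its
# parent-directory PATH record); event 700512 is a made-up read-only open by
# ossec-syscheckd, as it would appear if the watch were `-p rwa`.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1517060740.164:700479): arch=c000003e syscall=257 success=yes exit=6 a0=ffffffffffffff9c a1=c820066940 a2=80242 a3=1b6 items=2 ppid=25339 pid=25343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="validateip" exe="/var/asl/bin/validateip" key=(null)
type=PATH msg=audit(1517060740.164:700479): item=0 name="/etc/asl/" inode=263170 dev=08:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1517060740.164:700479): item=1 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1517060740.164:700479): proctitle="/var/asl/bin/validateip"
type=SYSCALL msg=audit(1517060801.010:700512): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffd1a2b3c40 a2=80000 a3=0 items=1 ppid=1 pid=25400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ossec-syscheckd" exe="/var/ossec/bin/ossec-syscheckd" key=(null)
type=PATH msg=audit(1517060801.010:700512): item=0 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1517060801.010:700512): proctitle="/var/ossec/bin/ossec-syscheckd"
"""


def parse_record(line):
    """Split one audit line into its key=value fields; None if not an audit record."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_serial"] = int(m.group("serial"))
    fields["_ts"] = m.group("ts")
    return fields


def group_events(log_text):
    """Group records by event serial: auditd emits one event as several lines."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["_serial"]].append(rec)
    return events


def decode_open_flags(hex_flags):
    """Turn the hex flag word of open/openat into symbolic names."""
    value = int(hex_flags, 16)
    names = [name for bit, name in sorted(OPEN_FLAGS.items()) if value & bit]
    if value & 0x3 == 0:  # access-mode bits clear means O_RDONLY
        names.insert(0, "O_RDONLY")
    return names


def summarise_event(records):
    """Reduce one event's records to who opened which paths, and how."""
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if syscall is None:
        return None
    nr = int(syscall["syscall"])
    summary = {
        "serial": syscall["_serial"], "ts": syscall["_ts"],
        "exe": syscall.get("exe"), "comm": syscall.get("comm"),
        "syscall": OPEN_SYSCALLS.get(nr, (str(nr), None))[0],
        "success": syscall.get("success") == "yes",
        "paths": [r["name"] for r in records if r.get("type") == "PATH"],
        "flags": [], "may_write": False,
    }
    if nr in OPEN_SYSCALLS:
        flag_word = syscall[OPEN_SYSCALLS[nr][1]]
        summary["flags"] = decode_open_flags(flag_word)
        summary["may_write"] = bool(int(flag_word, 16) & WRITE_BITS)
    return summary


def analyse(log_text, watched_path):
    """Summaries, ordered by serial, of every event that touched watched_path."""
    events = group_events(log_text)
    found = [summarise_event(events[s]) for s in sorted(events)]
    return [s for s in found if s is not None and watched_path in s["paths"]]


def writers(summaries):
    """Count, per executable, the opens that could have modified the file."""
    return Counter(s["exe"] for s in summaries if s["may_write"])


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG, "/etc/asl/whitelist")
    for s in found:
        mode = "WRITE-CAPABLE" if s["may_write"] else "read-only"
        print(f"{s['ts']} {s['exe']} {s['syscall']} {'|'.join(s['flags'])} {mode}")
    print("write-capable opens per exe:", dict(writers(found)))
```

Run it against a real audit.log with `analyse(open("/var/log/audit/audit.log").read(), "/etc/asl/whitelist")`. The point of decoding the flag word is that a2=80242 in the quoted record is O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, an open that can rewrite the file even when the bytes written back are identical, whereas a plain read shows up as O_RDONLY; counting write-capable opens per executable is the quickest way to see whether a file-integrity alert is pointing at a process that merely reads the file or at one that rewrites it.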
Post subject: Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts
Posted: Mon Jan 29, 2018 6:17 pm
Atomicorp Support Staff

Joined: Mon Sep 14, 2009 12:15 pm
Posts: 39
They're actually distinct issues, and neither of them is cause for concern.

The file/directory not found messages will be addressed in a future update to Ossec.

For the events being generated for /etc/asl/whitelist, adding an ignore rule for this file in the file integrity settings is suggested. That will be the default with the next update to ASL.
Post subject: Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts
Posted: Thu Feb 08, 2018 11:34 am
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 321
jgodwin:

What's the ETA on the update to ossec to deal with the file not found messages?

They can get quite voluminous. Any mitigations until the update is released (other than turning off alerts for rule 1002 which we wouldn't want to do since it is a rule that catches other potentially legitimate issues)?

Thanks.
Post subject: Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts
Posted: Tue Feb 20, 2018 5:32 pm
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 321
Bump. Any update?

Thanks.
Post subject: Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts
Posted: Thu Feb 22, 2018 2:05 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4086
Location: Chantilly, VA
We're still seeing this happen on some platforms but not all and are working to isolate why this is happening on some systems but not others. We will have another update available in a few days.

_________________
Michael Shinn
Atomicorp - Security For Everyone
Post subject: Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts
Posted: Thu Feb 22, 2018 6:19 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4086
Location: Chantilly, VA
Just out of curiosity do you have any duplicate ossec-syscheckd processes running? There should only be one, and in those cases we definitely see this happen.

_________________
Michael Shinn
Atomicorp - Security For Everyone
Post subject: Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts
Posted: Thu Feb 22, 2018 6:48 pm
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 321
Just the one syscheckd process on the boxes I just checked.
Post subject: Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts
Posted: Thu Mar 01, 2018 5:32 pm
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 321
What's the current status of the next update?

Thanks.
Post subject: Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts
Posted: Mon Mar 05, 2018 4:31 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4086
Location: Chantilly, VA
The 1st half of addressing this is out already; that eliminates these alerts. The second half removes the debug message from ossec.log; that should be available this week.

_________________
Michael Shinn
Atomicorp - Security For Everyone
Post subject: Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts
Posted: Tue Mar 06, 2018 2:03 pm
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 321
Thanks.