[UPDATE] Constant /etc/asl/whitelist checksum alerts
Posted: Sat Jan 27, 2018 10:11 am
Initially posted (wrongly) in "Atomicorp Yum Repository Forums » General Help and Development Discussion"
Hi,
Ever since a recent reboot, I've been getting 550 alerts regarding a changing checksum on /etc/asl/whitelist. Looking at the file, it seems like the access time is changing every minute. The content of the file, its size and other properties of the file do not change at all. I also checked the SHA1 sum of the file at intervals: no changes.
This problem is most probably related to another warning, coming from ossec-syscheckd:
>> 2018/01/25 06:45:54 ossec-syscheckd: WARNING: Error opening directory: '/etc/asl/whitelist.483964748': No such file or directory
ossec-syscheckd has also been complaining about yum:
>> 2018/01/24 08:18:40 ossec-syscheckd: WARNING: Error opening directory: '/etc/yum.repos.d/sedYLqvq7': No such file or directory
Looks like these temporary files are created, destroyed and then checked by ossec-syscheckd, which cannot find them.
Should I be concerned?
Thanks.
[UPDATE]
Further investigation using:
sudo auditctl -w /etc/asl/whitelist -p wa
sudo tail -F /var/log/audit/audit.log | grep --line-buffered 'validateip\|whitelist'
Outputs:
type=SYSCALL msg=audit(1517060740.164:700479): arch=c000003e syscall=257 success=yes exit=6 a0=ffffffffffffff9c a1=c820066940 a2=80242 a3=1b6 items=2 ppid=25339 pid=25343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="validateip" exe="/var/asl/bin/validateip" key=(null)
type=PATH msg=audit(1517060740.164:700479): item=1 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1517060740.164:700479): proctitle="/var/asl/bin/validateip"
watch ls -al /etc/asl/whitelist
The access time is indeed changed when /var/log/audit/audit.log shows the lines above (sometimes multiple times in a single minute).
The 550 alert will stop for half a day or so, then come back. The frequency is then between multiple times per minute and once every 5 minutes, always accompanied by the "No such file or directory" warnings coming from ossec-syscheckd (typically, the hourly email warning shows 30+ warnings).
The other file written randomly (by a process I have not yet identified): /etc/yum.repos.d/asl.repo
Thanks for any help you can provide.
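The SYSCALL record quoted in the post carries more than the access time does. On x86_64 (arch=c000003e) syscall 257 is openat, a0=ffffffffffffff9c is AT_FDCWD, and a2=80242 decodes to O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC with a3=1b6 (mode 0666): the process opens the whitelist read-write and truncates it, which updates the modification time even if it writes identical bytes back, and that is the kind of rewrite a file-integrity monitor such as syscheck picks up. (Note that ls -al prints the modification time; ls -lu prints the access time.) The script below is an added example, not code from the post or from Atomicorp; it groups audit records by event id, decodes the open flags, and lists which executables opened a path for writing, so that triage can confirm the writer is the expected ASL binary running as root rather than something else. The validateip records are the ones quoted in the post; the cat records are constructed for contrast; the syscall numbering assumed is x86_64.

```python
"""Correlate Linux audit records by event id and decode open(2) flags.

Added example, not part of the post or of ASL/OSSEC. The validateip
records are quoted from the post; the cat records are constructed for
contrast. Assumes x86_64 syscall numbering (arch=c000003e in the records).
"""
import re

# Constructed sample log (the validateip records are quoted from the post).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1517060740.164:700479): arch=c000003e syscall=257 success=yes exit=6 a0=ffffffffffffff9c a1=c820066940 a2=80242 a3=1b6 items=2 ppid=25339 pid=25343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="validateip" exe="/var/asl/bin/validateip" key=(null)
type=PATH msg=audit(1517060740.164:700479): item=1 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1517060740.164:700479): proctitle="/var/asl/bin/validateip"
type=SYSCALL msg=audit(1517060800.000:700500): arch=c000003e syscall=257 success=yes exit=5 a0=ffffffffffffff9c a1=7ffd1c2e4a10 a2=0 a3=0 items=1 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1517060800.000:700500): item=0 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
"""

# x86_64 syscall numbers of the open family: (name, flags argument, mode argument).
OPEN_SYSCALLS = {2: ("open", "a1", "a2"), 257: ("openat", "a2", "a3")}
AT_FDCWD = "ffffffffffffff9c"  # -100 printed as an unsigned 64-bit value

# open(2) flag bits from <asm-generic/fcntl.h> (x86 uses the generic values).
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FLAG_BITS = [
    (0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o400, "O_NOCTTY"),
    (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"), (0o4000, "O_NONBLOCK"),
    (0o200000, "O_DIRECTORY"), (0o400000, "O_NOFOLLOW"),
    (0o2000000, "O_CLOEXEC"),
]
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}

EVENT_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def decode_open_flags(hexword):
    """Map the hex flags argument (e.g. '80242') to symbolic open(2) flags."""
    flags = int(hexword, 16)
    names = [ACCESS_MODES[flags & 0o3]]
    names += [name for bit, name in FLAG_BITS if flags & bit]
    return names


def parse_record(line):
    """Split one audit record into a dict; quotes around values are dropped."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = EVENT_RE.search(line)
    rec["event_id"] = m.group("serial") if m else None
    return rec


def correlate(log_text):
    """Group SYSCALL/PATH/PROCTITLE records sharing an event id into one event."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events.setdefault(rec["event_id"], {"paths": []})
        if rec["type"] == "SYSCALL":
            nr = int(rec["syscall"])
            ev.update(pid=int(rec["pid"]), ppid=int(rec["ppid"]),
                      uid=int(rec["uid"]), exe=rec.get("exe"),
                      comm=rec.get("comm"), success=rec["success"] == "yes",
                      write=False)
            if nr in OPEN_SYSCALLS:
                name, flag_arg, mode_arg = OPEN_SYSCALLS[nr]
                ev["syscall"] = name
                ev["flags"] = decode_open_flags(rec[flag_arg])
                ev["write"] = bool(WRITE_FLAGS & set(ev["flags"]))
                if "O_CREAT" in ev["flags"]:
                    ev["create_mode"] = oct(int(rec[mode_arg], 16))
                if name == "openat":
                    ev["dirfd"] = "AT_FDCWD" if rec["a0"] == AT_FDCWD else rec["a0"]
        elif rec["type"] == "PATH":
            ev["paths"].append(rec["name"])
    return [dict(event_id=eid, **ev) for eid, ev in events.items()]


def writers_of(events, path):
    """Executables that opened `path` with a write-capable flag set."""
    return sorted({ev["exe"] for ev in events
                   if ev.get("write") and path in ev["paths"]})


if __name__ == "__main__":
    evs = correlate(SAMPLE_LOG)
    for ev in evs:
        print(ev["event_id"], ev["exe"], ev.get("syscall"),
              "|".join(ev.get("flags", [])), ev["paths"],
              "WRITE" if ev["write"] else "read")
    print("writers of /etc/asl/whitelist:", writers_of(evs, "/etc/asl/whitelist"))
```

Feed it the output of the tail/grep pipeline from the post (or `ausearch -k` output if the auditctl rule was given a key) and compare the writers list against what you expect to own the file: the ppid in the quoted record (25339) is the parent that launched validateip and is the next thing to identify, and any writer other than the ASL binaries, or a write by a non-root uid, turns the alert from noise into something to investigate.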