
[UPDATE] Constant /etc/asl/whitelist checksum alerts

Posted: Sat Jan 27, 2018 10:11 am
by kontiki
Initially posted (wrongly) in "Atomicorp Yum Repository Forums » General Help and Development Discussion"

Hi,

Ever since a recent reboot, I've been getting 550 alerts regarding a changing checksum on /etc/asl/whitelist. Looking at the file, it seems like the access time is changing every minute. The content of the file, its size and other properties of the file do not change at all. I also checked the SHA1 sum of the file at intervals: no changes.

This problem is most probably related to another warning, coming from ossec-syscheckd:

>> 2018/01/25 06:45:54 ossec-syscheckd: WARNING: Error opening directory: '/etc/asl/whitelist.483964748': No such file or directory

ossec-syscheckd has also been complaining about yum:

>> 2018/01/24 08:18:40 ossec-syscheckd: WARNING: Error opening directory: '/etc/yum.repos.d/sedYLqvq7': No such file or directory

Looks like these temporary files are created, destroyed and then checked by ossec-syscheckd which cannot find them.

Should I be concerned?

Thanks.

[UPDATE]

Further investigation using:

Code:

    sudo auditctl -w /etc/asl/whitelist -p wa

Outputs:

Code:

    sudo tail -F /var/log/audit/audit.log | grep --line-buffered 'validateip\|whitelist'
    type=SYSCALL msg=audit(1517060740.164:700479): arch=c000003e syscall=257 success=yes exit=6 a0=ffffffffffffff9c a1=c820066940 a2=80242 a3=1b6 items=2 ppid=25339 pid=25343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="validateip" exe="/var/asl/bin/validateip" key=(null)
    type=PATH msg=audit(1517060740.164:700479): item=1 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PROCTITLE msg=audit(1517060740.164:700479): proctitle="/var/asl/bin/validateip"

Code:

    watch ls -al /etc/asl/whitelist

The access time is indeed changed when /var/log/audit/audit.log shows the lines above (sometimes multiple times in a single minute).

The 550 alert will stop for half a day or so, then come back. Frequency is then between multiple times per minute and once every 5 minutes, always accompanied by the "No such file or directory" warnings coming from ossec-syscheckd (typically, the hourly email warning shows 30+ warnings).

The other file written randomly (by a process I have not yet identified): /etc/yum.repos.d/asl.repo

Thanks for any help you can provide.
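The audit trail above answers the question "which process touches this file, and how?" only if the SYSCALL, PATH and PROCTITLE records of one event are read together. The following is an added example written for this page, not code from the post or from Atomicorp: it groups audit records by their serial number, reports which executable opened the watched path, and decodes the open(2) flags carried in the openat arguments (the `a2=80242` in the post decodes to O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, i.e. the file was opened for writing, not merely read). The log text embedded in it is constructed: the first event copies the three records shown in the post, the second is invented to show what a read-only open by a checksum tool looks like. The flag bits and syscall numbers are the standard x86_64 kernel constants; nothing else about the environment is assumed.

```python
"""Group Linux audit records by event and report which process opened a
watched file, and with which open(2) flags.  Added example; sample lines
are constructed (event 700479 copies the post, 700480 is invented)."""
import re
from collections import OrderedDict

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1517060740.164:700479): arch=c000003e syscall=257 success=yes exit=6 a0=ffffffffffffff9c a1=c820066940 a2=80242 a3=1b6 items=2 ppid=25339 pid=25343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="validateip" exe="/var/asl/bin/validateip" key=(null)
type=PATH msg=audit(1517060740.164:700479): item=1 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1517060740.164:700479): proctitle="/var/asl/bin/validateip"
type=SYSCALL msg=audit(1517060801.500:700480): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=55d0c0 a2=0 a3=0 items=1 ppid=1 pid=31337 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sha1sum" exe="/usr/bin/sha1sum" key=(null)
type=PATH msg=audit(1517060801.500:700480): item=0 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
"""

# key=value tokens; values may be "quoted", (parenthesised) or bare
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# x86_64 open(2) flag bits, octal as in <asm-generic/fcntl.h>
OPEN_FLAGS = [
    ("O_WRONLY", 0o1), ("O_RDWR", 0o2), ("O_CREAT", 0o100), ("O_EXCL", 0o200),
    ("O_NOCTTY", 0o400), ("O_TRUNC", 0o1000), ("O_APPEND", 0o2000),
    ("O_NONBLOCK", 0o4000), ("O_DSYNC", 0o10000), ("O_DIRECTORY", 0o200000),
    ("O_NOFOLLOW", 0o400000), ("O_NOATIME", 0o1000000), ("O_CLOEXEC", 0o2000000),
]
# x86_64 syscall numbers that open a path; flags sit in a1 (open) or a2 (openat)
SYSCALL_NAMES = {2: "open", 257: "openat"}


def parse_record(line):
    """Split one audit line into an ordered dict of its key=value fields."""
    fields = OrderedDict()
    for key, value in TOKEN_RE.findall(line):
        fields[key] = value.strip('"')
    m = MSG_RE.search(line)
    if m:
        fields["_time"], fields["_serial"] = m.group(1), m.group(2)
    return fields


def decode_open_flags(hex_value):
    """Turn the hex flags argument of open/openat into a list of flag names."""
    bits = int(hex_value, 16)
    names = [name for name, bit in OPEN_FLAGS if bits & bit]
    if not bits & 0o3:          # access mode 0 is O_RDONLY
        names.insert(0, "O_RDONLY")
    return names


def group_events(text):
    """Collect SYSCALL/PATH/PROCTITLE records into one dict per audit serial."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("type") is None or "_serial" not in rec:
            continue
        ev = events.setdefault(rec["_serial"], {"time": rec["_time"], "paths": []})
        if rec["type"] == "SYSCALL":
            nr = int(rec["syscall"])
            ev.update(comm=rec["comm"], exe=rec["exe"], pid=int(rec["pid"]),
                      syscall=SYSCALL_NAMES.get(nr, str(nr)),
                      success=rec["success"] == "yes")
            if nr in SYSCALL_NAMES:
                ev["flags"] = decode_open_flags(rec["a2"] if nr == 257 else rec["a1"])
        elif rec["type"] == "PATH":
            ev["paths"].append(rec["name"])
    return events


def accesses_of(text, watched):
    """Return [(serial, exe, flags)] for every event whose PATH records name `watched`."""
    return [(serial, ev.get("exe", "?"), ev.get("flags", []))
            for serial, ev in group_events(text).items()
            if watched in ev["paths"]]


if __name__ == "__main__":
    for serial, exe, flags in accesses_of(SAMPLE_AUDIT_LOG, "/etc/asl/whitelist"):
        print(serial, exe, "|".join(flags))
```

Run against a real audit.log instead of the constructed sample by reading the file into `accesses_of`; the grep in the post narrows the output to one process name, whereas grouping on the serial shows every process that opened the path and whether it did so read-only or for writing.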

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Posted: Mon Jan 29, 2018 6:17 pm
by jgodwin
They're actually distinct issues, and neither of them is cause for concern.

The file/directory not found messages will be addressed in a future update to Ossec.

For the events being generated for /etc/asl/whitelist, adding an ignore rule for this file in the file integrity settings is suggested. That will be the default with the next update to ASL.

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Posted: Thu Feb 08, 2018 11:34 am
by Imaging
jgodwin:

What's the ETA on the update to ossec to deal with the file not found messages?

They can get quite voluminous. Any mitigations until the update is released (other than turning off alerts for rule 1002 which we wouldn't want to do since it is a rule that catches other potentially legitimate issues)?

Thanks.

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Posted: Tue Feb 20, 2018 5:32 pm
by Imaging
Bump. Any update?

Thanks.

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Posted: Thu Feb 22, 2018 2:05 pm
by mikeshinn
We're still seeing this happen on some platforms but not all and are working to isolate why this is happening on some systems but not others. We will have another update available in a few days.

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Posted: Thu Feb 22, 2018 6:19 pm
by mikeshinn
Just out of curiosity, do you have any duplicate ossec-syscheckd processes running? There should only be one, and in those cases we definitely see this happen.

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Posted: Thu Feb 22, 2018 6:48 pm
by Imaging
Just the one syscheckd process on the boxes I just checked.

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Posted: Thu Mar 01, 2018 5:32 pm
by Imaging
What's the current status of the next update?

Thanks.

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Posted: Mon Mar 05, 2018 4:31 pm
by mikeshinn
The first half of addressing this is out already; that eliminates these alerts. The second half removes the debug message from ossec.log; that should be available this week.

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Posted: Tue Mar 06, 2018 2:03 pm
by Imaging
Thanks.