[UPDATE] Constant /etc/asl/whitelist checksum alerts

Support/Development for OSSEC
kontiki
Forum User
Posts: 7
Joined: Sun Mar 23, 2014 6:56 pm
Location: New York

[UPDATE] Constant /etc/asl/whitelist checksum alerts

Post by kontiki »

Initially posted (wrongly) in "Atomicorp Yum Repository Forums » General Help and Development Discussion"

Hi,

Ever since a recent reboot, I've been getting 550 alerts regarding a changing checksum on /etc/asl/whitelist. Looking at the file, it seems like the access time is changing every minute. The content of the file, its size and other properties of the file do not change at all. I also checked the SHA1 sum of the file at intervals: no changes.

This problem is most probably related to another warning, coming from ossec-syscheckd:

>> 2018/01/25 06:45:54 ossec-syscheckd: WARNING: Error opening directory: '/etc/asl/whitelist.483964748': No such file or directory

ossec-syscheckd has also been complaining about yum:

>> 2018/01/24 08:18:40 ossec-syscheckd: WARNING: Error opening directory: '/etc/yum.repos.d/sedYLqvq7': No such file or directory

Looks like these temporary files are created, destroyed and then checked by ossec-syscheckd which cannot find them.

Should I be concerned?

Thanks.

[UPDATE]

Further investigation using:

sudo auditctl -w /etc/asl/whitelist -p wa

Outputs:

sudo tail -F /var/log/audit/audit.log | grep --line-buffered 'validateip\|whitelist'
type=SYSCALL msg=audit(1517060740.164:700479): arch=c000003e syscall=257 success=yes exit=6 a0=ffffffffffffff9c a1=c820066940 a2=80242 a3=1b6 items=2 ppid=25339 pid=25343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="validateip" exe="/var/asl/bin/validateip" key=(null)
type=PATH msg=audit(1517060740.164:700479): item=1 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1517060740.164:700479): proctitle="/var/asl/bin/validateip"

watch ls -al /etc/asl/whitelist

The access time is indeed changed when /var/log/audit/audit.log shows the lines above (sometimes multiple times in a single minute).

The 550 alert will stop for half a day or so, then come back. Frequency is then between multiple times per minute and once every 5 minutes, always accompanied by the "No such file or directory" warnings coming from ossec-syscheckd (typically, the hourly email warning shows 30+ warnings).

The other file written randomly (by a process I have not yet identified): /etc/yum.repos.d/asl.repo

Thanks for any help you can provide.
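A worked version of the diagnosis kontiki did by hand, added here as an example (it is not code from the thread, from Atomicorp or from OSSEC): it parses auditd records, joins the SYSCALL, PATH and PROCTITLE lines of each event by their shared audit id, reports which executable touched the watched path and how often, and decodes the openat flags in a2 so a plain read can be told from a truncate-and-rewrite of the file. The sample records are constructed: the validateip event is taken from the thread's output, and a second read event by ossec-syscheckd is made up so both kinds of access appear. The flag decoding assumes x86_64 (arch=c000003e, syscall 257 = openat) and the flag values from the kernel's fcntl headers.

```python
import re
from collections import defaultdict

# Constructed sample: the validateip event from the thread (three records that
# share one audit id) plus a made-up read-only open of the same file by
# ossec-syscheckd, so the parser has both a rewrite and a read to classify.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1517060740.164:700479): arch=c000003e syscall=257 success=yes exit=6 a0=ffffffffffffff9c a1=c820066940 a2=80242 a3=1b6 items=2 ppid=25339 pid=25343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="validateip" exe="/var/asl/bin/validateip" key=(null)
type=PATH msg=audit(1517060740.164:700479): item=1 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1517060740.164:700479): proctitle="/var/asl/bin/validateip"
type=SYSCALL msg=audit(1517060801.007:700512): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7ffd1c0e3a10 a2=0 a3=0 items=1 ppid=1 pid=31022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ossec-syscheckd" exe="/var/ossec/bin/ossec-syscheckd" key=(null)
type=PATH msg=audit(1517060801.007:700512): item=0 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
"""

# The event id is the "timestamp:serial" inside msg=audit(...). Every record
# produced by one syscall carries the same id; that is what lets a SYSCALL
# line be matched with the PATH line naming the file it touched.
AUDIT_ID = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 identifiers and open(2) flag bits (octal values from the kernel's
# asm-generic/fcntl.h); auditd prints syscall arguments a0..a3 in hex.
X86_64_ARCH = "c000003e"
SYS_OPENAT = "257"
OPEN_FLAGS = [
    (0o1, "O_WRONLY"), (0o2, "O_RDWR"), (0o100, "O_CREAT"), (0o200, "O_EXCL"),
    (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"), (0o2000000, "O_CLOEXEC"),
]


def parse_record(line):
    """Split one audit record into its key=value fields and add the event id."""
    m = AUDIT_ID.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    fields["_event"] = (float(m["ts"]), int(m["serial"]))
    return fields


def group_events(lines):
    """Group records by event id so SYSCALL/PATH/PROCTITLE lines travel together."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["_event"]].append(rec)
    return events


def decode_open_flags(hex_a2):
    """Turn the hex a2 argument of openat into flag names (x86_64 values)."""
    value = int(hex_a2, 16)
    names = [name for bit, name in OPEN_FLAGS if value & bit == bit]
    if value & 0o3 == 0:  # O_RDONLY is 0: present when neither write bit is set
        names.insert(0, "O_RDONLY")
    return names


def accesses_to(events, path):
    """Return, in time order, every event whose PATH records name `path`."""
    hits = []
    for event_id in sorted(events):
        recs = events[event_id]
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        touched = any(r["type"] == "PATH" and r.get("name") == path for r in recs)
        if syscall is None or not touched:
            continue
        hit = {
            "ts": event_id[0],
            "pid": int(syscall["pid"]),
            "exe": syscall["exe"],
            "comm": syscall["comm"],
            "syscall": int(syscall["syscall"]),
        }
        if syscall.get("arch") == X86_64_ARCH and syscall["syscall"] == SYS_OPENAT:
            hit["flags"] = decode_open_flags(syscall["a2"])
        hits.append(hit)
    return hits


def summarize(hits):
    """Per-executable count of accesses, and of opens able to rewrite the file."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["exe"], {"count": 0, "writes": 0})
        entry["count"] += 1
        if any(f in ("O_WRONLY", "O_RDWR", "O_TRUNC") for f in h.get("flags", [])):
            entry["writes"] += 1
    return summary


if __name__ == "__main__":
    found = accesses_to(group_events(SAMPLE_AUDIT_LOG.splitlines()), "/etc/asl/whitelist")
    for h in found:
        print(f"{h['ts']:.3f} pid={h['pid']} {h['exe']} flags={'|'.join(h.get('flags', []))}")
    print(summarize(found))
```

On a live box, feed the script the raw lines of /var/log/audit/audit.log rather than a grep for the file name: only the PATH record carries the path, so grouping by audit id is what keeps the SYSCALL record (with the executable and the open flags) attached to it. The thread's own grep happened to work because the executable name matched too.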
jgodwin
Atomicorp Staff - Site Admin
Posts: 39
Joined: Mon Sep 14, 2009 12:15 pm

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Post by jgodwin »

They're actually distinct issues, and neither of them is cause for concern.

The file/directory not found messages will be addressed in a future update to Ossec.

For the events being generated for /etc/asl/whitelist, adding an ignore rule for this file in the file integrity settings is suggested. That will be the default with the next update to ASL.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Post by Imaging »

jgodwin:

What's the ETA on the update to ossec to deal with the file not found messages?

They can get quite voluminous. Any mitigations until the update is released (other than turning off alerts for rule 1002 which we wouldn't want to do since it is a rule that catches other potentially legitimate issues)?

Thanks.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Post by Imaging »

Bump. Any update?

Thanks.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Post by mikeshinn »

We're still seeing this happen on some platforms but not all and are working to isolate why this is happening on some systems but not others. We will have another update available in a few days.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Post by mikeshinn »

Just out of curiosity, do you have any duplicate ossec-syscheckd processes running? There should only be one, and in those cases we definitely see this happen.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Post by Imaging »

Just the one syscheckd process on the boxes I just checked.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Post by Imaging »

What's the current status of the next update?

Thanks.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Post by mikeshinn »

The first half of addressing this is out already; that eliminates these alerts. The second half removes the debug message from ossec.log; that should be available this week.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: [UPDATE] Constant /etc/asl/whitelist checksum alerts

Post by Imaging »

Thanks.