Hi,
Ever since a recent reboot, I've been getting 550 alerts regarding a changing checksum on /etc/asl/whitelist. Looking at the file, it seems the access time is changing every minute. The content of the file, its size and other properties of the file do not change at all. I also checked the SHA1 sum of the file at intervals: no changes.
This problem is most probably related to another warning, coming from ossec-syscheckd:
>> 2018/01/25 06:45:54 ossec-syscheckd: WARNING: Error opening directory: '/etc/asl/whitelist.483964748': No such file or directory
ossec-syscheckd has also been complaining about yum:
>> 2018/01/24 08:18:40 ossec-syscheckd: WARNING: Error opening directory: '/etc/yum.repos.d/sedYLqvq7': No such file or directory
Looks like these temporary files are created, destroyed and then checked by ossec-syscheckd which cannot find them.
Should I be concerned?
Thanks.
[UPDATE]
Further investigation using:
sudo auditctl -w /etc/asl/whitelist -p wa

sudo tail -F /var/log/audit/audit.log | grep --line-buffered 'validateip\|whitelist'

type=PATH msg=audit(1517060740.164:700479): item=1 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1517060740.164:700479): proctitle="/var/asl/bin/validateip"

watch ls -al /etc/asl/whitelist
The 550 alert will stop for half a day or so, then come back. The frequency then ranges from multiple times per minute to once every 5 minutes, always accompanied by the "No such file or directory" warnings coming from ossec-syscheckd (typically, the hourly email warning shows 30+ warnings).
The other file written randomly (by a process I have not yet identified): /etc/yum.repos.d/asl.repo
Thanks for any help you can provide.
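An added example, not code from the post above nor from OSSEC or ASL: a small Python parser that joins the SYSCALL, PATH and PROCTITLE records auditd writes for a `-w /etc/asl/whitelist -p wa` watch by their audit(secs:serial) id, then reports which executable touched the watched file and whether it opened the existing inode (nametype=NORMAL) or replaced it with a new one under the same name (nametype=DELETE/CREATE, which is what `sed -i` does when it renames its temp file over the target). The sample log is constructed: the two 700479 PATH/PROCTITLE records are the ones quoted in the post, while the SYSCALL lines, the sed rename of /etc/yum.repos.d/asl.repo, the CRED_ACQ noise line and all pids and inode numbers are made up for illustration. The hex proctitle decoding follows auditd's convention of hex-encoding a proctitle that contains NUL-separated argv.

```python
import re
from collections import defaultdict

# One audit.log record: type=T msg=audit(secs.ms:serial): k=v k="v with spaces" ...
_HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(raw):
    """auditd quotes a printable proctitle and hex-encodes one that holds NUL-separated argv."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ").strip()
    except ValueError:
        return raw


def parse_record(line):
    """Return (record_type, event_id, fields) for one line, or None if it is not an audit record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, secs, serial, rest = m.groups()
    fields = {}
    for key, raw in _FIELD.findall(rest):
        fields[key] = decode_proctitle(raw) if key == "proctitle" else raw.strip('"')
    return rtype, f"{secs}:{serial}", fields


def group_events(log_text):
    """Join the SYSCALL, PATH and PROCTITLE records that share one audit(secs:serial) id."""
    events = defaultdict(lambda: {"syscall": {}, "paths": [], "proctitle": ""})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, eid, fields = rec
        if rtype == "SYSCALL":
            events[eid]["syscall"] = fields
        elif rtype == "PATH":
            events[eid]["paths"].append(fields)
        elif rtype == "PROCTITLE":
            events[eid]["proctitle"] = fields.get("proctitle", "")
    return events


def touches(log_text, watched):
    """Every event whose PATH records name `watched`: who did it, and whether the inode was replaced."""
    hits = []
    for eid, ev in sorted(group_events(log_text).items()):
        kinds = {p.get("nametype") for p in ev["paths"] if p.get("name") == watched}
        if not kinds:
            continue
        if kinds & {"CREATE", "DELETE"}:
            action = "replaced"         # rename()/unlink() over the name: new inode under the old path
        elif "NORMAL" in kinds:
            action = "opened in place"  # the existing inode was opened (write or attribute change)
        else:
            action = "other"
        sc = ev["syscall"]
        hits.append({
            "event": eid,
            "exe": sc.get("exe", "?"),
            "comm": sc.get("comm", "?"),
            "pid": sc.get("pid", "?"),
            "uid": sc.get("uid", "?"),
            "success": sc.get("success", "?"),
            "proctitle": ev["proctitle"],
            "action": action,
        })
    return hits


def _hex_argv(*argv):
    """Encode argv the way auditd does for a PROCTITLE record: NUL-joined, hex-encoded."""
    return "\x00".join(argv).encode().hex().upper()


# Constructed sample log. The two 700479 PATH/PROCTITLE records are the ones from the post;
# everything else (SYSCALL lines, the sed rename of asl.repo, pids, inodes, the CRED_ACQ line) is made up.
SAMPLE_LOG = f"""type=CRED_ACQ msg=audit(1517060739.001:700478): pid=23440 uid=0 auid=0 ses=12 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" res=success'
type=SYSCALL msg=audit(1517060740.164:700479): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=1 pid=23451 auid=4294967295 uid=0 gid=0 euid=0 comm="validateip" exe="/var/asl/bin/validateip" key=(null)
type=PATH msg=audit(1517060740.164:700479): item=0 name="/etc/asl/" inode=263169 dev=08:00 mode=040700 ouid=994 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1517060740.164:700479): item=1 name="/etc/asl/whitelist" inode=263242 dev=08:00 mode=0100600 ouid=994 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1517060740.164:700479): proctitle="/var/asl/bin/validateip"
type=SYSCALL msg=audit(1517060741.500:700480): arch=c000003e syscall=82 success=yes exit=0 items=5 ppid=23455 pid=23460 auid=4294967295 uid=0 gid=0 euid=0 comm="sed" exe="/usr/bin/sed" key=(null)
type=PATH msg=audit(1517060741.500:700480): item=0 name="/etc/yum.repos.d/" inode=263201 dev=08:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1517060741.500:700480): item=1 name="/etc/yum.repos.d/" inode=263201 dev=08:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1517060741.500:700480): item=2 name="/etc/yum.repos.d/sedYLqvq7" inode=263300 dev=08:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1517060741.500:700480): item=3 name="/etc/yum.repos.d/asl.repo" inode=263250 dev=08:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1517060741.500:700480): item=4 name="/etc/yum.repos.d/asl.repo" inode=263300 dev=08:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PROCTITLE msg=audit(1517060741.500:700480): proctitle={_hex_argv('sed', '-i', 's/a/b/', '/etc/yum.repos.d/asl.repo')}
"""


if __name__ == "__main__":
    for watched in ("/etc/asl/whitelist", "/etc/yum.repos.d/asl.repo"):
        for hit in touches(SAMPLE_LOG, watched):
            print(watched, hit)
```

On a real host `ausearch -f /etc/asl/whitelist -i` performs this join and interpretation for you; the script is for the raw `tail -F` style of the post, and for the one distinction `grep` alone does not give: an "opened in place" hit means the same inode was written or had its attributes changed, while a "replaced" hit means a new inode now sits under the old path, which is how an editor or `sed -i` leaves behind exactly the kind of short-lived temp file that ossec-syscheckd then fails to open.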