ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

How to update a system without getting thousands of alerts? #2036

Closed xKyzor closed 1 year ago

xKyzor commented 2 years ago

Hi,

I'm testing OSSEC 3.7.0 on a VM running Ubuntu Server 18.04 LTS and I can't figure out how to update my system without getting thousands of alerts saying that new files have been added.

See below what I've tried:

Is there an existing way to avoid this behavior?

Note that this (https://www.ossec.net/docs/faq/syscheck.html#how-do-i-stop-syscheck-alerts-during-system-updates) is not working.

xKyzor commented 2 years ago

Please find below tests I've performed:

systemctl start ossec to start OSSEC for the initial scan. I waited until the initial scan was done:

2022/01/25 15:38:23 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2022/01/25 15:38:23 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2022/01/25 15:44:59 ossec-syscheckd: WARN: Error opening directory: '/root/.ssh/authorized_keys': No such file or directory
2022/01/25 15:44:59 ossec-syscheckd: WARN: Error opening directory: '/var/www': No such file or directory
2022/01/25 15:44:59 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2022/01/25 15:45:11 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

Then, I stopped OSSEC for an apt update && apt -y upgrade. When finished, I cleaned the database using syscheck_control -u all.

After that, systemctl start ossec, which results in a new scan:

2022/01/25 15:47:23 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2022/01/25 15:47:23 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2022/01/25 15:47:59 ossec-syscheckd: WARN: Error opening directory: '/root/.ssh/authorized_keys': No such file or directory
2022/01/25 15:53:59 ossec-syscheckd: WARN: Error opening directory: '/var/www': No such file or directory
2022/01/25 15:53:59 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2022/01/25 15:53:11 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

But... it ends by sending all the alerts for new files being added in the system...

Then, I also tried adding the <scan_on_start> tag and setting it to no. But as soon as an initial scan is launched, alerts come.

We saw that a commit could be the reason for this behavior, see [1c367b9fc]. Scott, the person who made that commit, commented that he still has to debug it. I've sent him an email and I am waiting for a reply.

Finally, I tried both local and remote setup without results.
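
The update sequence described in this comment, wrapped in a script (an added example, not code from the issue or from the OSSEC project): it waits until ossec.log reports that the current syscheck scan has finished before stopping the daemon, runs the steps in the order given, and counts rule 554 "File added to the system" alerts before and after so the noise produced by an update can be measured. The install paths and the ossec.log / alerts.log line formats are assumed to be OSSEC's defaults (override them through the environment variables at the top); as the rest of the thread shows, on 3.7.0 this sequence still ends in the alert flood, so the counter is there to confirm whether a given build or workaround actually helps.

```shell
#!/bin/sh
# Added example (not from the issue or the OSSEC project). Default OSSEC
# locations below are assumptions; override via the environment.
OSSEC_LOG=${OSSEC_LOG:-/var/ossec/logs/ossec.log}
OSSEC_ALERTS=${OSSEC_ALERTS:-/var/ossec/logs/alerts/alerts.log}
SYSCHECK_CONTROL=${SYSCHECK_CONTROL:-/var/ossec/bin/syscheck_control}

# Return 0 when the most recent scan recorded in the ossec.log given as $1
# has both completed its pre-scan and ended, 1 otherwise. A new
# "Starting syscheck scan" line resets the state, so an earlier finished
# scan cannot mask one that is still running. WARN lines are ignored.
syscheck_scan_finished() {
    awk '
        /ossec-syscheckd: INFO: Starting syscheck scan/ { started = 1; prescan = 0; ended = 0 }
        /ossec-syscheckd: INFO: Finished creating syscheck database/ { prescan = 1 }
        /ossec-syscheckd: INFO: Ending syscheck scan/ { ended = 1 }
        END { if (started && prescan && ended) exit 0; exit 1 }
    ' "$1"
}

# Poll the log $1 until the scan is finished, giving up after $2 seconds.
# $3 is the poll interval (default 5 s).
wait_for_scan() {
    _log=$1; _deadline=$2; _interval=${3:-5}; _waited=0
    while ! syscheck_scan_finished "$_log"; do
        if [ "$_waited" -ge "$_deadline" ]; then
            return 1
        fi
        sleep "$_interval"
        _waited=$((_waited + _interval))
    done
    return 0
}

# Count "File added to the system" alerts (OSSEC rule 554) in the
# alerts.log given as $1. Prints 0 when there are none.
count_new_file_alerts() {
    awk '/^Rule: 554 / { n++ } END { print n + 0 }' "$1"
}

# The sequence from the issue: wait for the running scan, stop OSSEC,
# apply updates, clear the syscheck database, restart, wait for the
# rescan, then report how many new-file alerts the update produced.
safe_upgrade() {
    before=$(count_new_file_alerts "$OSSEC_ALERTS")
    wait_for_scan "$OSSEC_LOG" 3600 || { echo "initial scan did not finish" >&2; return 1; }
    systemctl stop ossec
    apt update && apt -y upgrade
    "$SYSCHECK_CONTROL" -u all
    systemctl start ossec
    wait_for_scan "$OSSEC_LOG" 3600 || { echo "rescan did not finish" >&2; return 1; }
    after=$(count_new_file_alerts "$OSSEC_ALERTS")
    echo "new-file alerts raised by the update: $((after - before))"
}

# Only run the upgrade when explicitly asked, so the file can be sourced
# for its helper functions without touching the system.
case ${1:-} in
    --run) safe_upgrade ;;
esac
```

Run it as root with `sh ossec-safe-upgrade.sh --run`; the scan-finished check is the only part that differs from the manual steps in the comment, and the count at the end is what to compare between a stock 3.7.0 and any patched build.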

Nono-m0le commented 2 years ago

@atomicturtle any update on this? It looks quite similar/identical to my issue here (which I'm closing): https://github.com/ossec/ossec-hids/issues/1691 EDIT: could also be related to https://github.com/ossec/ossec-hids/issues/1986 ?

xKyzor commented 2 years ago

We found a solution by reverting this part: https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/src/analysisd/decoders/syscheck.c#L598-L600

The change works for us, but it leads to another bug for other users. The issue is that it suppresses all changes until the DB is constructed, so it also suppresses real-time changes like "new file", which it should not.