Closed xKyzor closed 1 year ago
Please find below the tests I've performed:
systemctl start ossec
to start OSSEC for the initial scan.
I waited until the initial scan was done:
2022/01/25 15:38:23 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2022/01/25 15:38:23 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2022/01/25 15:44:59 ossec-syscheckd: WARN: Error opening directory: '/root/.ssh/authorized_keys': No such file or directory
2022/01/25 15:44:59 ossec-syscheckd: WARN: Error opening directory: '/var/www': No such file or directory
2022/01/25 15:44:59 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2022/01/25 15:45:11 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
Then, I stopped OSSEC for an apt update && apt -y upgrade. When finished, I cleaned the database using syscheck_control -u all.
After that, systemctl start ossec, which results in a new scan:
2022/01/25 15:47:23 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2022/01/25 15:47:23 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2022/01/25 15:47:59 ossec-syscheckd: WARN: Error opening directory: '/root/.ssh/authorized_keys': No such file or directory
2022/01/25 15:53:59 ossec-syscheckd: WARN: Error opening directory: '/var/www': No such file or directory
2022/01/25 15:53:59 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2022/01/25 15:53:11 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
But... it ends up sending all the alerts for new files being added to the system...
Then, I also tried adding the <scan_on_start> tag and setting it to no. But as soon as an initial scan is launched, the alerts come.
We saw that a commit could be the reason for this behavior, see [1c367b9fc]. Scott, the person who made that commit, commented that he still has to debug it. I've sent him an email and I am waiting for a reply.
Finally, I tried both local and remote setups without results.
@atomicturtle any update on this? It looks quite similar/identical to my issue here (which I'm closing): https://github.com/ossec/ossec-hids/issues/1691 EDIT: could also be related to https://github.com/ossec/ossec-hids/issues/1986 ?
We found a solution by reverting this part: https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/src/analysisd/decoders/syscheck.c#L598-L600
The change works for us, but it leads to another bug for other users. The issue is that it suppresses all changes until the DB is constructed, so it also suppresses real-time changes like "new file", which it should not.
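To make the trade-off in the comment above concrete, here is an added illustrative model, written for this thread and not taken from the OSSEC source. It replays one constructed database rebuild through a hypothetical decoder under three policies (the policy names, event fields and sample paths are assumptions): alert on everything found while the database is still being populated (the flood reported in the issue), drop everything until the database is complete (the revert, which also loses real-time events), and drop only scan-sourced "new file" events until the database is complete, which keeps real-time detections alive during the rebuild.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed event type. Real syscheck messages carry many more fields
# (checksums, permissions, owner); "kind" and "source" are all this model needs.
@dataclass(frozen=True)
class SyscheckEvent:
    path: str
    kind: str    # "new_file", "modified" or "deleted"
    source: str  # "scan" (database walk) or "realtime" (inotify-style watch)


@dataclass(frozen=True)
class Alert:
    path: str
    kind: str
    source: str


class SyscheckDecoder:
    """Hypothetical decoder with three selectable policies (assumed names):
    - 'alert_all': alert on every event, even new files discovered while the
      database is still being built (thousands of alerts after an upgrade).
    - 'blanket': drop every event until the database is complete (the revert
      discussed in the thread; real-time events during the rebuild are lost).
    - 'scan_only': drop only scan-sourced 'new_file' events until the database
      is complete; real-time events are always alerted.
    """

    def __init__(self, policy: str) -> None:
        if policy not in ("alert_all", "blanket", "scan_only"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.db_complete = False
        self.alerts: List[Alert] = []

    def mark_db_complete(self) -> None:
        # Corresponds to the "Finished creating syscheck database" log line.
        self.db_complete = True

    def handle(self, ev: SyscheckEvent) -> Optional[Alert]:
        if not self.db_complete:
            if self.policy == "blanket":
                return None
            if self.policy == "scan_only" and ev.source == "scan" and ev.kind == "new_file":
                # A walk over an emptied database can only ever report
                # "new file"; those are baseline entries, not changes.
                return None
        alert = Alert(ev.path, ev.kind, ev.source)
        self.alerts.append(alert)
        return alert


def replay_rebuild(policy: str) -> List[Alert]:
    """Replay one constructed rebuild: the database has just been cleared,
    the scan walks freshly upgraded package files, a real-time change lands
    while the walk is still running, and two more events arrive after the
    database is complete."""
    dec = SyscheckDecoder(policy)
    during_rebuild = [
        SyscheckEvent("/usr/bin/example-tool", "new_file", "scan"),
        SyscheckEvent("/usr/lib/libexample.so.1", "new_file", "scan"),
        SyscheckEvent("/etc/cron.d/added-job", "new_file", "realtime"),
    ]
    after_rebuild = [
        SyscheckEvent("/usr/local/bin/later-file", "new_file", "scan"),
        SyscheckEvent("/etc/hosts", "modified", "realtime"),
    ]
    for ev in during_rebuild:
        dec.handle(ev)
    dec.mark_db_complete()
    for ev in after_rebuild:
        dec.handle(ev)
    return dec.alerts


if __name__ == "__main__":
    for policy in ("alert_all", "blanket", "scan_only"):
        alerts = replay_rebuild(policy)
        print(f"{policy:10s} -> {len(alerts)} alert(s): {[a.path for a in alerts]}")
```

Run as a script, it shows that only the third policy keeps the real-time event raised during the rebuild (/etc/cron.d/added-job) while still silencing the baseline "new file" flood from the scan.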
Hi,
I'm testing OSSEC 3.7.0 on a VM running Ubuntu Server 18.04 LTS and I can't figure out how to update my system without getting thousands of alerts saying that new files have been added.
See below what I've tried:
systemctl stop ossec
apt update && apt -y upgrade
syscheck_control -u all
systemctl start ossec
Then I get all the alerts from the previous update... Is there an existing way to avoid this behavior?
Note that this (https://www.ossec.net/docs/faq/syscheck.html#how-do-i-stop-syscheck-alerts-during-system-updates) is not working.