owncloud / ocis

ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

possible kernel level rootkit detected from HIDS #6349

Open LordKackroellchen opened 1 year ago

LordKackroellchen commented 1 year ago

Describe the bug

I tested the ocis wopi docker setup in my testing lab. In this testing lab an ossec HIDS is also installed. It reported a security anomaly to me, suspecting that a kernel rootkit might be installed.

Steps to reproduce

Steps to reproduce the behavior:

  1. Install debian 11.6.0 (x64)
  2. Install docker 23.0.6 and docker-compose 1.29.2 (both latest)
  3. Download ocis from git, edit config file and start the containers
  4. Install wazuh-agent 4.4.2 and check the security events

Expected behavior

HIDS sends an alert about a possible rootkit detected.

Anomaly detected in file '/var/lib/docker/overlay2/e282b5d445a0265472cb0015af17528f068d4121d045e27280ba3b45cdb151b9/merged/start-collabora-online.sh'.

Anomaly detected in file '/var/lib/docker/overlay2/e282b5d445a0265472cb0015af17528f068d4121d045e27280ba3b45cdb151b9/merged/start-collabora-online.sh'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

see attached file for detailed information

Actual behavior

System stopped and reported a bug on ocis github

Setup

https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_wopi

Additional context

The interface of the virtual machine starts and stops in promiscuous mode. For details see attached file.

Additional Information:

I added clamav and rkhunter to this virtual machine to check the filesystem. I ran the test one time without running ocis and one time with running ocis:

(two screenshots attached: 2023-05-19 09_48_35-Window and 2023-05-19 09_42_51-Window)

rhafer commented 1 year ago

The interface of the virtual machine starts and stops in promiscuous mode.

This is actually pretty normal behavior for interfaces being plugged into a bridge device (which happens when starting the docker service or when starting any container in docker) and most likely no indication of anything bad happening.

Anomaly detected in file '/var/lib/docker/overlay2/e282b5d445a0265472cb0015af17528f068d4121d045e27280ba3b45cdb151b9/merged/start-collabora-online.sh'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

Hm, this also smells a lot like a false positive. What this check does is a readdir to list the contents of a directory and then calling lstat on every single entry in that directory. This check is at least racy: the file might just have disappeared between those two calls (e.g. because the container was stopped). And since the check in wazuh seems to dive into the directory recursively, the race window seems to be reasonably big.
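A constructed Python illustration of the readdir-then-lstat check described above and of the race it is exposed to, added here as an example and not code from the thread or from ossec/wazuh. It simulates the window between the two calls with a hook, and shows a variant that re-verifies a failed lstat against a fresh readdir before reporting; the file name is the one from the alert, the rest is made up.

```python
import os
import tempfile

SCRIPT = "start-collabora-online.sh"  # file name taken from the alert in this issue

def naive_scan(directory, between=None):
    """Rootcheck-style test: readdir, then lstat each entry; an lstat miss is flagged.
    `between` is a hook run after readdir and before the lstat loop, standing in
    for anything that happens to the directory during that window."""
    names = os.listdir(directory)                       # readdir
    if between:
        between()
    flagged = []
    for name in names:
        try:
            os.lstat(os.path.join(directory, name))     # lstat on every entry
        except FileNotFoundError:
            flagged.append(name)                        # "hidden from stats, showing up on readdir"
    return flagged

def careful_scan(directory, between=None):
    """Same test, but an lstat miss is re-verified with a fresh readdir: a name that
    the second listing no longer returns was simply removed in between (e.g. the
    container stopped) and is reported as transient; only a name that readdir keeps
    returning while lstat keeps failing is flagged."""
    names = os.listdir(directory)
    if between:
        between()
    flagged, transient = [], []
    for name in names:
        try:
            os.lstat(os.path.join(directory, name))
        except FileNotFoundError:
            (flagged if name in os.listdir(directory) else transient).append(name)
    return flagged, transient

def demo():
    """Constructed scenario: the script is deleted between readdir and lstat.
    Returns (naive result, careful result) for the same race."""
    results = []
    for scan in (naive_scan, careful_scan):
        with tempfile.TemporaryDirectory() as d:
            for n in (SCRIPT, "keep.txt"):
                open(os.path.join(d, n), "w").close()
            results.append(scan(d, between=lambda: os.remove(os.path.join(d, SCRIPT))))
    return tuple(results)

if __name__ == "__main__":
    print(demo())  # (['start-collabora-online.sh'], ([], ['start-collabora-online.sh']))
```

The naive scan reports the removed file as hidden, exactly the wording of the alert, while the careful variant classifies it as transient; a real stat-hooking rootkit would keep failing lstat on every retry and still be flagged by the second variant.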

mmattel commented 1 year ago

@rhafer let's have a discussion on how we can improve the admin documentation, making the behavior transparent, if this turns out to be a false positive.