wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Syscheck option <scan_day> <scan_time> multiple scans per day #16424

Open TheWizardUk opened 1 year ago

TheWizardUk commented 1 year ago

Hi,

I have an edge case: when using the <frequency></frequency> variable, it occasionally clashes with an overcomplicated script called hourly via a cron that the Wazuh agent is running on; this in turn is causing false positive alerts in FIM.

I therefore wanted to see if I could use something like the below, where I define the days and times for the scans to run.

The below seems to work as expected:

```xml
<scan_day>monday</scan_day>
<scan_day>tuesday</scan_day>
<scan_day>wednesday</scan_day>
<scan_day>thursday</scan_day>
<scan_day>friday</scan_day>
<scan_day>saturday</scan_day>
<scan_day>sunday</scan_day>
<scan_time>00:30</scan_time>
```

However, when introducing multiple scans like this:

```xml
<scan_day>monday</scan_day>
<scan_day>tuesday</scan_day>
<scan_day>wednesday</scan_day>
<scan_day>thursday</scan_day>
<scan_day>friday</scan_day>
<scan_day>saturday</scan_day>
<scan_day>sunday</scan_day>
<scan_time>00:30</scan_time>
<scan_time>01:30</scan_time>
<scan_time>02:30</scan_time>
<scan_time>03:30</scan_time>
<scan_time>04:30</scan_time>
<scan_time>05:30</scan_time>
<scan_time>06:30</scan_time>
<scan_time>07:30</scan_time>
<scan_time>08:30</scan_time>
<scan_time>09:30</scan_time>
<scan_time>10:30</scan_time>
<scan_time>11:30</scan_time>
<scan_time>12:30</scan_time>
<scan_time>13:30</scan_time>
<scan_time>14:30</scan_time>
<scan_time>15:30</scan_time>
<scan_time>16:30</scan_time>
<scan_time>17:30</scan_time>
<scan_time>18:30</scan_time>
<scan_time>19:30</scan_time>
<scan_time>20:30</scan_time>
<scan_time>21:30</scan_time>
<scan_time>22:30</scan_time>
<scan_time>23:30</scan_time>
```

and when tailing the logs, I see inconsistent results with the set scan times, i.e. it does not scan every hour like I want.

Is it possible to define the days and multiple scans per day?

Thanks

jnasselle commented 1 year ago

Hi @TheWizardUk,

The frequency option might be overlapping with your cron job because it sets the new timer to trigger the scan when the last scan has finished, adding a "scan" offset and starting to have a skew compared to a wall clock.

On the other hand, syscheck only allows setting one scan_time. In your case, it is only picking the last definition (23:30).

Unfortunately, trying to replace the frequency option with multiple scan_time entries is not currently available. But how about ignoring those "expected" files that were created by the cron task?

In case you strictly need this feature, please feel free to mark this issue as a Feature Request and explain this in a more explicit way.

I look forward to your comments.
Nico
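To make the timer skew Nico describes concrete, here is an added simulation (not code from Wazuh or from either commenter). It models the two schedules under discussion with constructed durations: a frequency-based scan whose next timer is armed only after the previous scan finishes, so each cycle lasts frequency plus scan time and drifts against the wall clock, and an hourly cron job firing on the hour. It then reports which scan windows overlap a cron run, and contrasts that with a fixed wall-clock schedule at :30 (the behaviour the reporter wants; per the thread, Wazuh currently accepts only a single scan_time, so the fixed schedule here is a hypothetical). The frequency, scan duration and cron-job duration are assumptions, not values measured on a real agent.

```python
from datetime import datetime, timedelta

# Constructed parameters (assumptions, not measured on a real agent).
FREQUENCY = timedelta(hours=1)            # <frequency>3600</frequency>
SCAN_DURATION = timedelta(minutes=5)      # how long one syscheck pass takes
CRON_JOB_DURATION = timedelta(minutes=2)  # how long the hourly script runs
START = datetime(2024, 1, 1, 0, 30)       # first scan at 00:30
HORIZON = timedelta(hours=24)


def frequency_scans(start=START, frequency=FREQUENCY,
                    duration=SCAN_DURATION, horizon=HORIZON):
    """Scan windows (start, end) when the next timer is armed only after
    the previous scan finishes: each cycle lasts frequency + duration,
    so the scan start drifts later every hour relative to the wall clock."""
    windows = []
    t = start
    while t < start + horizon:
        end = t + duration
        windows.append((t, end))
        t = end + frequency
    return windows


def wall_clock_scans(start=START, period=timedelta(hours=1),
                     duration=SCAN_DURATION, horizon=HORIZON):
    """Scan windows on a fixed wall-clock schedule (hypothetical: the
    thread says syscheck honours only one scan_time per day)."""
    windows = []
    t = start
    while t < start + horizon:
        windows.append((t, t + duration))
        t += period
    return windows


def cron_runs(start=START, horizon=HORIZON, duration=CRON_JOB_DURATION):
    """Hourly cron job firing at :00 wall-clock, busy for `duration`."""
    first = start.replace(minute=0, second=0, microsecond=0)
    if first < start:
        first += timedelta(hours=1)
    runs = []
    t = first
    while t < start + horizon:
        runs.append((t, t + duration))
        t += timedelta(hours=1)
    return runs


def overlaps(a, b):
    """True when half-open intervals a and b intersect."""
    return a[0] < b[1] and b[0] < a[1]


def find_clashes(scans, runs):
    """Pairs of (scan window, cron window) that overlap: these are the
    runs where FIM would see the script's delete/add/modify in flight."""
    return [(s, r) for s in scans for r in runs if overlaps(s, r)]


if __name__ == "__main__":
    runs = cron_runs()
    drifting = find_clashes(frequency_scans(), runs)
    fixed = find_clashes(wall_clock_scans(), runs)
    print(f"frequency-based: {len(drifting)} clash(es) in 24h")
    for scan, run in drifting:
        print(f"  scan {scan[0]:%H:%M}-{scan[1]:%H:%M} overlaps cron {run[0]:%H:%M}")
    print(f"wall-clock :30 schedule: {len(fixed)} clash(es) in 24h")
```

With a 65-minute effective cycle the scan start walks five minutes later each hour and lands exactly on the hour twice in a day (07:00 and 20:00 with these numbers), which is the intermittent clash the reporter sees; the fixed :30 schedule never overlaps the cron window.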

TheWizardUk commented 1 year ago

Hi Nico,

Thanks for getting back to me.

That's exactly what's happening: on occasion the FIM scan time defined by frequency runs at the same time as the cronjob and causes the false positive alerts.

I have 40+ agents and they all run a cronjob every hour on the hour.

The script called every hour is to enable FIM from within a number of Docker containers.

The script finds running containers based on some criteria (i.e. is running and the name contains foo + bar).

It then uses docker cp to copy some files out of the containers, extracts some .jar files and places them into folders based on the container names.

On each run of the script, it deletes all the files and folders in the monitored dir that it gathered on the previous run.

Wazuh is then configured to monitor that dir and sub dirs based on frequency and sha1 sums all the files.

Then alerts fire if the sha1sum has changed.

What I see is, if the frequency clashes with the cronjob, Wazuh generates alerts for 'Delete', 'Add' and 'Modified'.

I have suppressed email alerts for the add and delete, but naturally, emails are sent for the modified.

Also, the FIM dashboard looks a mess when this happens.

So what I wanted to do was have my cronjob run on the hour and tell the Wazuh agent to scan every 30 minutes past the hour.

I look forward to your reply

Thanks,
Mike

TheWizardUk commented 1 year ago

Sorry, I'm not sure how to do this: "mark this issue as a Feature Request".