wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

GET /syscheck doesn't properly report size for 2GB+ files #17184

Closed mjcr99 closed 1 week ago

mjcr99 commented 1 year ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.4.1 | FIM | Manager | Packages/Sources | OS version |

Description

Querying the Wazuh API under version 4.4.1 about the size of files larger than 2147483647 bytes returns an incorrect value.

root@manager:/home/wazuh-poc# fallocate -l 2147484000 bigfile.test

root@manager:/home/wazuh-poc# curl -s -k -X GET "https://localhost:55000/syscheck/000?search=bigfile.test&select=file,size" -H "Authorization: Bearer $TOKEN" | jq '.data.affected_items[]'
{
  "file": "/home/wazuh-poc/bigfile.test",
  "size": 2147483647
}

The problem seems to be related to the structure fim_file_data. The attribute size in this structure is declared as an unsigned int, and the maximum size that this variable can represent is 2GB, so the problem is probably related to this variable in the mentioned data structure.
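Added example (not part of the issue and not Wazuh code): a C sketch of what the 2147484000-byte size from the report becomes under three 32-bit storage strategies, plus a consumer-side check for values that may have been clamped. The function names are hypothetical, and the page does not establish which conversion Wazuh actually performs.

```c
/* Added example: how a 64-bit file size behaves in 32-bit storage.
 * Function names are hypothetical, not taken from the Wazuh sources. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Unsigned 32-bit field: value is reduced modulo 2^32 (well defined in C). */
uint32_t store_u32(int64_t size) {
    return (uint32_t)size;
}

/* Signed 32-bit field with two's-complement wraparound, computed portably. */
int64_t store_i32_wrap(int64_t size) {
    uint32_t low = (uint32_t)size;
    return low >= UINT32_C(0x80000000) ? (int64_t)low - INT64_C(4294967296)
                                       : (int64_t)low;
}

/* Signed 32-bit field with saturation: anything larger becomes INT32_MAX. */
int32_t store_i32_saturate(int64_t size) {
    if (size > INT32_MAX) return INT32_MAX;
    if (size < INT32_MIN) return INT32_MIN;
    return (int32_t)size;
}

/* Consumer-side check: a reported size that is negative or exactly INT32_MAX
 * may be a clamped value and should be re-verified against the file itself. */
int size_is_suspect(int64_t reported) {
    return reported < 0 || reported == INT32_MAX;
}

int main(void) {
    /* Constructed inputs: the size from the report, plus a 5 GiB file. */
    const int64_t sizes[] = { INT64_C(2147484000), INT64_C(5368709120) };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int64_t s = sizes[i];
        printf("actual=%" PRId64 " u32=%" PRIu32 " i32_wrap=%" PRId64
               " i32_sat=%" PRId32 " suspect=%d\n",
               s, store_u32(s), store_i32_wrap(s), store_i32_saturate(s),
               size_is_suspect(store_i32_saturate(s)));
    }
    return 0;
}
```

Of the three, only the saturating signed conversion yields the 2147483647 shown in the API response above; a FIM consumer can use `size_is_suspect` to flag such entries for re-checking on the endpoint.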

mjcr99 commented 2 weeks ago

Update:

(17/05/2024) Added IT test cases for large files.

(21/05/2024) Researching some failing tests.

(22/05/2024) Solved corrupted test cases, now working fine.