wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Problem with inode detection in MacOS #20267

Open s1nlol opened 6 months ago

s1nlol commented 6 months ago
Wazuh version: 4.6.0-1.intel64
Component: FIM
Install type: Agent
Install method: Packages
Platform: MacOS 12.7.1 (21G920)

Hi, I saw the issue 12583 but I'm still having problems. I'm using a MacMini with MacOS version:

System version: macOS 12.7.1 (21G920)
Kernel version: Darwin 21.6.0

Agent installed: wazuh-agent-4.6.0-1.intel64.pkg

Wazuh-manager also version 4.6

Each check results in similar messages:

The file '/usr/bin/awk' has been changed.
Mode: scheduled
Attributes changed: inode.
The old inode was: "-2147483648", now it is "1152921500312781440".
claudeseedbox commented 5 months ago

We got the same issue

MaxDiOrio commented 3 months ago

I'm not seeing the overflow on the old inode, but I'm seeing every entry have the exact same old inode:

File '/usr/sbin/apachectl' modified
Mode: scheduled
Changed attributes: inode
Old inode was: '2147483647', now it is '1152921500312513152'

In most cases, the new inode is one of a handful of values:

'1152921500312513152' '1152921500312513536' '1152921500312513280'

Makes this module pretty useless on the Mac.

n4l5u0r commented 3 months ago

Same here

Wazuh version: v4.7.2-1.arm64
Component: FIM
Install type: Agent
Install method: Packages
Platform: MacOS 14.3 (23D56)
0xTides commented 3 months ago

> I'm not seeing the overflow on the old inode, but I'm seeing every entry have the exact same old inode:
>
> File '/usr/sbin/apachectl' modified
> Mode: scheduled
> Changed attributes: inode
> Old inode was: '2147483647', now it is '1152921500312513152'
>
> In most cases, the new inode is one of a handful of values:
>
> '1152921500312513152' '1152921500312513536' '1152921500312513280'
>
> Makes this module pretty useless on the Mac.

Same issue here.

jonbe242 commented 3 months ago

> I'm not seeing the overflow on the old inode, but I'm seeing every entry have the exact same old inode:
>
> File '/usr/sbin/apachectl' modified
> Mode: scheduled
> Changed attributes: inode
> Old inode was: '2147483647', now it is '1152921500312513152'
>
> In most cases, the new inode is one of a handful of values:
>
> '1152921500312513152' '1152921500312513536' '1152921500312513280'
>
> Makes this module pretty useless on the Mac.

Same pattern here. macOS 12.7.1 x86_64 Wazuh Agent v4.7.2

marinovgit commented 2 months ago

Hello, same issue here with version: Agent: wazuh-agent-4.7.3-1.x86_64 Rocky Linux release 8.9 (Green Obsidian)

Manager: wazuh-manager-4.7.3-1.x86_64 CentOS Linux release 7.9.2009 (Core)

Wazuh Notification.
2024 Mar 12 04:18:24

Received From: (server) 1.1.1.1->syscheck
Rule: 550 fired (level 10) -> "Integrity checksum changed."
Portion of the log(s):

File '/usr/bin/xgettext' modified
Mode: scheduled
Changed attributes: inode
Old inode was: '-134064946', now it is '4160902350'

Attributes:
 - Size: 280960
 - Permissions: rwxr-xr-x
 - Date: Mon Apr 12 01:41:05 2021
 - Inode: 4160902350
 - User: root (0)
 - Group: root (0)
 - MD5: 9ac61569967928715ba9bee76a46a457
 - SHA1: 37529c1dad405b8463ad18cef55655b35b84952f
 - SHA256: 7795fd76da686e058577e49f55f57ef51e6cff7efe0cb1fbce2cf5fa4634dff7
Wazuh Notification.
2024 Mar 12 18:15:23

Received From: (server) 1.1.1.1->syscheck
Rule: 550 fired (level 10) -> "Integrity checksum changed."
Portion of the log(s):

File '/usr/bin/xgettext' modified
Mode: scheduled
Changed attributes: inode
Old inode was: '-134064946', now it is '4160902350'

Attributes:
 - Size: 280960
 - Permissions: rwxr-xr-x
 - Date: Mon Apr 12 01:41:05 2021
 - Inode: 4160902350
 - User: root (0)
 - Group: root (0)
 - MD5: 9ac61569967928715ba9bee76a46a457
 - SHA1: 37529c1dad405b8463ad18cef55655b35b84952f
 - SHA256: 7795fd76da686e058577e49f55f57ef51e6cff7efe0cb1fbce2cf5fa4634dff7
BlueAnchorNM commented 1 week ago

Hi! Sad to report that this is an issue happening with the latest Wazuh AWS deployment too. I'm getting dozens of alerts titled: "Integrity Checksum Changed" with log output looking like this:

File '/usr/sbin/htcacheclean' modified
Mode: scheduled
Changed attributes: inode
Old inode was: '-2147003648', now it is '115292000002528768'

Please provide a way to mitigate these false positives. Thank you!

spmvoss commented 14 hours ago

Experiencing the same issue. Thousands of alerts and all the old values seem to be 2147483647 and all new values 1152921500312520000 regardless of which file it pertains.

Apple M1 Macbook Air running Sonoma 14.5 and Wazuh v4.7.4
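The numbers quoted across this thread share a pattern: the reported "old" inode is either a 32-bit limit value (-2147483648 or 2147483647, seen on the APFS hosts) or the real 64-bit inode truncated to a signed 32-bit integer (on the Rocky Linux host, 4160902350 reinterpreted as a signed 32-bit value is exactly -134064946). The helper below is an added triage example, not Wazuh code, and the idea that the old inode passed through a signed 32-bit field is an inference from these values, not something the project has confirmed here. It parses the "Old inode was ... now it is ..." fragment of rule 550 alerts (both the 4.6 and 4.7 wordings seen above) and labels each one as "wrapped", "saturated", or "other", so the alerts that are plausibly storage artifacts can be separated from a real inode change. The sample alerts are taken from this thread plus one constructed genuine change; the function and type names are mine.

```python
# Added triage helper for the inode alerts in this thread (not Wazuh code).
# Hypothesis (inferred from the quoted values, not confirmed by the project):
# the "old" inode FIM reports was stored in a signed 32-bit integer, so a
# 64-bit inode comes back either wrapped (two's-complement truncation) or
# saturated (INT32_MIN / INT32_MAX).
import re
from typing import List, NamedTuple

INT32_MIN = -(2 ** 31)
INT32_MAX = 2 ** 31 - 1

# Matches the path and the old/new inode pair in both alert wordings seen
# in the thread ("The file '...' has been changed." / "File '...' modified").
ALERT_RE = re.compile(
    r"(?:The file|File) '([^']+)'.*?"
    r"[Oo]ld inode was: [\"'](-?\d+)[\"'], now it is [\"'](-?\d+)[\"']",
    re.S,
)


def to_int32(value: int) -> int:
    """Reinterpret the low 32 bits of an integer as a signed 32-bit int."""
    low = value & 0xFFFFFFFF
    return low - 2 ** 32 if low > INT32_MAX else low


def classify(old: int, new: int) -> str:
    """Label an old/new inode pair.

    wrapped   - old is exactly new truncated to signed 32-bit
    saturated - new does not fit in 32 bits and old is a 32-bit limit value
    other     - neither rule applies; treat as a possibly real change
    """
    if old == new:
        return "unchanged"
    if new > INT32_MAX and to_int32(new) == old:
        return "wrapped"
    if new > INT32_MAX and old in (INT32_MIN, INT32_MAX):
        return "saturated"
    return "other"


class InodeAlert(NamedTuple):
    path: str
    old: int
    new: int
    verdict: str


def triage(alert_text: str) -> List[InodeAlert]:
    """Extract every inode-change alert from a blob of alert text and label it."""
    results = []
    for path, old, new in ALERT_RE.findall(alert_text):
        o, n = int(old), int(new)
        results.append(InodeAlert(path, o, n, classify(o, n)))
    return results


# Constructed sample: four alerts copied from this thread and one made-up
# genuine inode change (/etc/hosts) to show it is labelled "other".
SAMPLE_ALERTS = """
The file '/usr/bin/awk' has been changed.
Mode: scheduled
Attributes changed: inode.
The old inode was: "-2147483648", now it is "1152921500312781440".

File '/usr/sbin/apachectl' modified
Mode: scheduled
Changed attributes: inode
Old inode was: '2147483647', now it is '1152921500312513152'

File '/usr/bin/xgettext' modified
Mode: scheduled
Changed attributes: inode
Old inode was: '-134064946', now it is '4160902350'

File '/usr/sbin/htcacheclean' modified
Mode: scheduled
Changed attributes: inode
Old inode was: '-2147003648', now it is '115292000002528768'

File '/etc/hosts' modified
Mode: scheduled
Changed attributes: inode
Old inode was: '12345', now it is '67890'
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(f"{alert.verdict:10} {alert.path}  {alert.old} -> {alert.new}")
```

Alerts labelled "wrapped" or "saturated" are the ones where the stored old value could not have been a real inode on that filesystem; the htcacheclean entry matches neither rule as quoted, so the helper keeps it as "other" rather than guessing. Note that this only filters the noise; it does not recover the inode that was actually on disk before the scan. Until the stored value is fixed, the documented Wazuh option to stop these alerts is to set `check_inode="no"` on the affected `<directories>` entries in the agent's syscheck configuration, at the cost of no longer detecting inode changes on those paths.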