Open s1nlol opened 6 months ago
We got the same issue
Same here
Wazuh version | Component | Install type | Install method | Platform |
---|---|---|---|---|
v4.7.2-1.arm64 | FIM | Agent | Packages | MacOS 14.3 (23D56) |
I'm not seeing the overflow on the old inode, but I'm seeing every entry have the exact same old inode:
File '/usr/sbin/apachectl' modified Mode: scheduled Changed attributes: inode Old inode was: '2147483647', now it is '1152921500312513152'
In most cases, the new inode is one of a handful of values.
'1152921500312513152' '1152921500312513536' '1152921500312513280'
Makes this module pretty useless on the Mac.
Same issue here.
Same pattern here. macOS 12.7.1 x86_64 Wazuh Agent v4.7.2
Hello, same issue here with version:
Agent: wazuh-agent-4.7.3-1.x86_64 Rocky Linux release 8.9 (Green Obsidian)
Manager: wazuh-manager-4.7.3-1.x86_64 CentOS Linux release 7.9.2009 (Core)
Wazuh Notification.
2024 Mar 12 04:18:24
Received From: server) 1.1.1.1->syscheck
Rule: 550 fired (level 10) -> "Integrity checksum changed."
Portion of the log(s):
File '/usr/bin/xgettext' modified
Mode: scheduled
Changed attributes: inode
Old inode was: '-134064946', now it is '4160902350'
Attributes:
- Size: 280960
- Permissions: rwxr-xr-x
- Date: Mon Apr 12 01:41:05 2021
- Inode: 4160902350
- User: root (0)
- Group: root (0)
- MD5: 9ac61569967928715ba9bee76a46a457
- SHA1: 37529c1dad405b8463ad18cef55655b35b84952f
- SHA256: 7795fd76da686e058577e49f55f57ef51e6cff7efe0cb1fbce2cf5fa4634dff7
Wazuh Notification.
2024 Mar 12 18:15:23
Received From: (server) 1.1.1.1->syscheck
Rule: 550 fired (level 10) -> "Integrity checksum changed."
Portion of the log(s):
File '/usr/bin/xgettext' modified
Mode: scheduled
Changed attributes: inode
Old inode was: '-134064946', now it is '4160902350'
Attributes:
- Size: 280960
- Permissions: rwxr-xr-x
- Date: Mon Apr 12 01:41:05 2021
- Inode: 4160902350
- User: root (0)
- Group: root (0)
- MD5: 9ac61569967928715ba9bee76a46a457
- SHA1: 37529c1dad405b8463ad18cef55655b35b84952f
- SHA256: 7795fd76da686e058577e49f55f57ef51e6cff7efe0cb1fbce2cf5fa4634dff7
Hi! Sad to report that this is an issue happening with the latest Wazuh AWS deployment too. I'm getting dozens of alerts titled: "Integrity Checksum Changed" with log output looking like this:
File '/usr/sbin/htcacheclean' modified Mode: scheduled Changed attributes: inode Old inode was: '-2147003648', now it is '115292000002528768'
Please provide a way to mitigate these false positives. Thank you!
Experiencing the same issue. Thousands of alerts and all the old values seem to be 2147483647 and all new values 1152921500312520000 regardless of which file it pertains to.
Apple M1 Macbook Air running Sonoma 14.5 and Wazuh v4.7.4
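Added example, not part of any comment in this thread and not Wazuh code: a Python triage helper that checks whether the "old" inode in an alert is simply the "new" inode squeezed into a signed 32-bit integer, either wrapped or clamped. The function names and the last sample pair are constructed, and the idea that the stored value passed through a 32-bit integer is an assumption drawn from the numbers reported above.

```python
import re

INT32_MAX = 2**31 - 1
INT32_MIN = -2**31

# Matches the inode line of a syscheck alert as quoted in this thread.
INODE_RE = re.compile(r"Old inode was: '(-?\d+)', now it is '(-?\d+)'")

def wrap_int32(value):
    """Reinterpret the low 32 bits of value as a signed 32-bit integer."""
    low = value & 0xFFFFFFFF
    return low - 2**32 if low > INT32_MAX else low

def saturate_int32(value):
    """Clamp value into the signed 32-bit range."""
    return max(INT32_MIN, min(INT32_MAX, value))

def classify(old, new):
    """Explain an old/new inode pair as a 32-bit storage artefact if possible."""
    if old == new:
        return "unchanged"
    if not INT32_MIN <= new <= INT32_MAX:
        if old == wrap_int32(new):
            return "wrapped"      # old is new truncated to 32 bits
        if old == saturate_int32(new):
            return "saturated"    # old is new clamped to INT32_MAX / INT32_MIN
    return "unexplained"          # may be a real change; needs a human look

def triage(alert_text):
    """Return (old, new, verdict) for every inode change found in alert_text."""
    return [(int(o), int(n), classify(int(o), int(n)))
            for o, n in INODE_RE.findall(alert_text)]

# First three lines are copied from alerts posted above; the last pair is constructed.
SAMPLE = """\
Old inode was: '2147483647', now it is '1152921500312513152'
Old inode was: '-134064946', now it is '4160902350'
Old inode was: '-2147003648', now it is '115292000002528768'
Old inode was: '1048601', now it is '1048777'
"""

if __name__ == "__main__":
    for old, new, verdict in triage(SAMPLE):
        print(f"{verdict:12} old={old} new={new}")
```

Pairs reported as "wrapped" or "saturated" describe the same on-disk inode, so the alert reflects how the value was stored rather than a file change; "unexplained" pairs still need review.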
Hi, I saw the issue 12583 but I'm still having problems. I'm using a MacMini with MacOS version:
Agent installed:
wazuh-agent-4.6.0-1.intel64.pkg
Wazuh-manager also version 4.6
Each check results in similar messages: