Open xufengnian opened 5 years ago
And this rule looks like check NTFS ADS on Windows,why my linux server receive this warning?
Hi @xufengnian,
Let's see what's happening here:
The `read_sys_file` function, as you pointed out, contains a section for Win systems that checks for malicious alternate data streams. Depending on the environment, this section can generate false positives for Wazuh. It is triggered by files which show up in a call to `readdir` but not to a follow-up `stat` call. Any file that gets deleted between the two calls can cause this warning. Temp files that vanish quickly are the culprit here.
What you are seeing are probably short-lived temp files that hadoop and other software are using, removed when they are no longer needed.
I hope it helps. Please let me know if you think it's another problem or there's something else we need to investigate.
Best regards, JP Sáez
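To make the readdir/stat race concrete, here is an added example (not Wazuh's rootcheck code, and not from anyone in this thread) of a directory scan that cross-checks `readdir()` against `lstat()` and then re-lists the directory before reporting anything. A temp file deleted between the two calls is also gone from the second listing and is counted as transient; an entry that `lstat()` cannot see but `readdir()` keeps returning is the "hidden from stats" symptom. The names `scan_dir`, `still_listed`, `scan_result` and `demo_self_test` are this example's own, and the `/tmp/rc_scan_demo_*` directory it builds is constructed sample input:

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Per-directory tally. Names are this example's own, not Wazuh's. */
typedef struct {
    int listed;    /* entries returned by readdir(), "." and ".." excluded */
    int transient; /* gone on lstat() and gone on a second readdir(): deleted in between */
    int anomalous; /* gone on lstat() but still returned by readdir(): the rootkit symptom */
} scan_result;

/* Re-read the directory and report whether `name` is still listed. */
static int still_listed(const char *dirpath, const char *name)
{
    DIR *d = opendir(dirpath);
    if (d == NULL)
        return 0;
    struct dirent *e;
    int found = 0;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, name) == 0) { found = 1; break; }
    }
    closedir(d);
    return found;
}

/* Walk one directory, cross-checking readdir() against lstat().
 * Returns 0 on success, -1 if the directory cannot be opened. */
int scan_dir(const char *dirpath, scan_result *out)
{
    memset(out, 0, sizeof *out);
    DIR *d = opendir(dirpath);
    if (d == NULL)
        return -1;
    struct dirent *e;
    char path[4096];
    struct stat st;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        out->listed++;
        snprintf(path, sizeof path, "%s/%s", dirpath, e->d_name);
        if (lstat(path, &st) == 0)
            continue;      /* listed and visible to lstat: nothing to report */
        if (errno != ENOENT)
            continue;      /* EACCES etc. is not the "hidden from stats" symptom */
        /* lstat() says the entry does not exist. A short-lived temp file removed
         * between the two calls is also missing from a fresh listing; an entry a
         * hooked stat() hides is still returned by readdir(). */
        if (still_listed(dirpath, e->d_name))
            out->anomalous++;
        else
            out->transient++;
    }
    closedir(d);
    return 0;
}

/* Self-check on a constructed directory: one regular file must give
 * listed == 1 and no anomalies; a missing directory must give -1. */
int demo_self_test(void)
{
    char dir[64], file[128];
    snprintf(dir, sizeof dir, "/tmp/rc_scan_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return 0;
    snprintf(file, sizeof file, "%s/regular.txt", dir);
    FILE *f = fopen(file, "w");
    if (f == NULL) { rmdir(dir); return 0; }
    fputs("constructed sample file\n", f);
    fclose(f);
    scan_result r, none;
    int rc = scan_dir(dir, &r);
    unlink(file);
    rmdir(dir);
    int rc_missing = scan_dir("/tmp/rc_scan_demo_does_not_exist", &none);
    return rc == 0 && r.listed == 1 && r.anomalous == 0 && r.transient == 0 &&
           rc_missing == -1;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/tmp";
    scan_result r;
    if (scan_dir(target, &r) != 0) { perror(target); return 1; }
    printf("%s: %d listed, %d transient (ignored), %d anomalous\n",
           target, r.listed, r.transient, r.anomalous);
    return r.anomalous ? 2 : 0;
}
```

Run it against a directory that churns temp files (the hadoop unjar directory from the log, for instance) and the transient counter absorbs the deletions that would otherwise become alerts; only an entry that survives the re-listing while `lstat()` keeps failing with `ENOENT` is reported. The re-listing closes the race for ordinary software but does nothing against a rootkit that hooks `readdir` as well, which is the limitation the thread goes on to discuss.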
Thanks for your reply! I think checking for file-hiding rootkits is a difficult thing.
So if we only check the result of `readdir` and `stat`, it may lead to lots of warnings from hadoop and other applications, because they have this situation: create a temp file and delete it in a short time.
And lots of kernel rootkits will modify the call to `readdir`, not only `stat`, for example https://github.com/ivyl/rootkit.
I think checking for rootkits is always difficult. `chkrootkit` is a nice tool although it's not updated any more. But this tool has a lot of methods, such as checking the kernel link table, /etc/ld.so.preload and important Linux commands...
I feel very sorry because I am not good at using the C language. If we can use some ideas of chkrootkit in the rootcheck module, I think it would be useful.
Hi again @xufengnian,
I also think that rootkit detection is a really hard task. We should include more methods to cover as many stealth techniques as possible, and `chkrootkit` can be a pretty cool tool for gathering ideas for `Rootcheck`.
Let's save this issue as a reminder of the new `Rootcheck` features and capabilities needed. Do not hesitate to open a PR if you find something useful and want to contribute to the project with some code.
Best regards, JP Sáez
I have this issue as well, although mine are temporary files related to pip. Is there a workaround that doesn't involve disabling the check altogether?
It's also happening with docker and some kubernetes related files.
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 3.9.4 | Wazuh-manager | Manager | Packages | CentOS 7.5 |
Hello, when I use wazuh on my servers I found an issue: I always receive a lot of warnings whose data.title is "Anomaly detected in file 'xxxx'".
These files' names look different:
The full.log is
Anomaly detected in file '/tmp/hadoop-unjar7117464466664653198/scala/Function2$mcIDI$sp$class.class'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
but those files are always created by hadoop or normal applications, not a rootkit. And I tried to find which rule or code defines this warning.
I found it in src/rootcheck/check_rc_sys.c; this file defines a function named `read_sys_file`, which just uses the `lstat` function to judge whether the file exists.
And I found some code referencing `read_sys_file` in ads_dump.c; this code is just used for checking the NTFS ADS rootkit, so I feel very puzzled. Why did my normal file trigger the warning?