
Host-based anomaly detection event (rootcheck) #1855

Closed
knzudgt opened this issue Mar 18, 2020 · 5 comments

Comments


knzudgt commented Mar 18, 2020

I use dokku in a Ubuntu 18.04 LTS machine.
I received the following alerts concerning files hidden in a long list of directories:

Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Files hidden inside directory '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/man'. Link count does not match number of files (26,1).

Then again:

Files hidden inside directory '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/dpkg'. Link count does not match number of files (2,1).

And so on for a list of 104 directories, like /var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/sbin or /var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/bin, etc.

How am I expected to interpret these alerts? What am I expected to do?

ddpbsd (Member) commented Mar 27, 2020

rootcheck doesn't understand about overlays yet.

knzudgt (Author) commented Mar 28, 2020

@ddpbsd what does it mean that rootcheck doesn't understand about overlays? Sorry, but I do not know what an overlay is. Are you saying that probably these are false positives?

ddpbsd (Member) commented Mar 30, 2020

@knzudgt I don't understand overlays very well myself. Anyone with more/better knowledge than me should feel free to comment, correct, and educate us all.
From the little I do understand, I've gathered that they change the way applications on the host system see those parts of the filesystem. So something that exists inside of a container's filesystem might not be visible outside of that container in the same way. So OSSEC, using older techniques, sees a discrepancy between how many files should be there and how many files are actually there (outside of the container), and this triggers the alert.
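
The heuristic behind rule 510, reimplemented as an added example (this is not OSSEC's or Wazuh's own code): on classic Unix filesystems a directory's link count equals 2 plus its number of subdirectories, so rootcheck counts ".", ".." and the subdirectories it can see and compares that tally with st_nlink. The pair printed in the alert, e.g. (26,1), is that tally and the link count. Overlayfs reports st_nlink == 1 for directories, which is the filesystem's way of saying the field carries no information; treating 1 as "untrusted" rather than as a mismatch is an assumed mitigation here, not a description of the Wazuh commit, and the one-link tolerance in classify() is likewise an assumption.

```python
import os
import stat
import tempfile


def count_entries(dir_name: str) -> int:
    """Tally '.', '..' and real subdirectories, the way rootcheck counts entries."""
    entry_count = 2  # "." and ".."
    with os.scandir(dir_name) as it:
        for entry in it:
            # lstat: a symlink pointing at a directory adds no '..' link, so skip it
            if stat.S_ISDIR(os.lstat(entry.path).st_mode):
                entry_count += 1
    return entry_count


def classify(entry_count: int, st_nlink: int) -> str:
    """Compare the visible subdirectory tally with the directory's link count."""
    if st_nlink == 1:
        # overlayfs (and some other filesystems) report nlink 1 for directories,
        # meaning "do not infer the subdirectory count from this field".
        return "untrusted-nlink"
    if entry_count == st_nlink or entry_count + 1 == st_nlink:
        return "ok"  # one-link tolerance is an assumption, not rootcheck's exact rule
    return "mismatch"  # what rule 510 reports as "Files hidden inside directory"


def check_dir(dir_name: str):
    """Return (verdict, entry_count, st_nlink) for one directory."""
    entry_count = count_entries(dir_name)
    st_nlink = os.lstat(dir_name).st_nlink
    return classify(entry_count, st_nlink), entry_count, st_nlink


def demo():
    """Constructed sample tree: three subdirs, one file, one symlink to a subdir."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("man1", "man2", "man3"):
            os.mkdir(os.path.join(root, name))
        open(os.path.join(root, "README"), "w").close()
        os.symlink(os.path.join(root, "man1"), os.path.join(root, "link"))
        return check_dir(root)


if __name__ == "__main__":
    print(demo())  # entry_count is 5; st_nlink depends on the filesystem /tmp is on
    for ec, nl in ((26, 1), (2, 1), (5, 5), (9, 12)):
        print(ec, nl, classify(ec, nl))
```

Running demo() on a host whose /tmp lives on overlayfs (a Docker container, for instance) yields "untrusted-nlink" instead of the false "mismatch" the thread describes.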

mlissner commented

Wazuh has a one-line fix for this, here: wazuh/wazuh@460a2d2

Also, this is a dup of: #1528.

Until we can get that fix in place, is there a way to snuff out these false positives?

atomicturtle (Member) commented

Thanks for the follow-up and the duplicate identification. I'm going to merge this into 1528 before the PR.

Duplicate of: #1528
