I received this email:

    OSSEC HIDS Notification.
    2020 Apr 17 01:54:51

    Received From: myServer->syscheck
    Rule: 550 fired (level 7) -> "Integrity checksum changed."
    Integrity checksum changed for: '/usr/bin/git-receive-pack'
    ...

I got the same notification email for the following files:

    /usr/bin/git
    /usr/bin/git-upload-archive
    /usr/bin/git-shell
    /usr/bin/git-upload-pack

But none of these files have been changed since April 10th (and two of them are links):

    $ sudo ls -l /usr/bin/git*
    -rwxr-xr-x 1 root root 2351792 Apr 10 11:59 /usr/bin/git
    lrwxrwxrwx 1 root root 3 Apr 10 11:59 /usr/bin/git-receive-pack -> git
    -rwxr-xr-x 1 root root 1304912 Apr 10 11:59 /usr/bin/git-shell
    lrwxrwxrwx 1 root root 3 Apr 10 11:59 /usr/bin/git-upload-archive -> git
    -rwxr-xr-x 1 root root 1317120 Apr 10 11:59 /usr/bin/git-upload-pack

It looks like syscheck takes about 10 minutes to run (from /var/ossec/logs/ossec.log):

    2020/04/13 17:00:33 ossec-syscheckd: INFO: Starting syscheck scan.
    2020/04/13 17:10:23 ossec-syscheckd: INFO: Ending syscheck scan.
    2020/04/13 20:40:23 rootcheck: INFO: Starting rootcheck scan.
    2020/04/13 21:22:09 rootcheck: INFO: Ending rootcheck scan.
    2020/04/14 13:12:09 ossec-syscheckd: INFO: Starting syscheck scan.
    2020/04/14 13:22:00 ossec-syscheckd: INFO: Ending syscheck scan.
    2020/04/14 17:27:00 rootcheck: INFO: Starting rootcheck scan.
    2020/04/14 18:09:24 rootcheck: INFO: Ending rootcheck scan.
    2020/04/15 09:24:24 ossec-syscheckd: INFO: Starting syscheck scan.
    2020/04/15 09:34:14 ossec-syscheckd: INFO: Ending syscheck scan.
    2020/04/15 14:14:14 rootcheck: INFO: Starting rootcheck scan.
    2020/04/15 14:56:57 rootcheck: INFO: Ending rootcheck scan.
    2020/04/16 05:36:57 ossec-syscheckd: INFO: Starting syscheck scan.
    2020/04/16 05:46:47 ossec-syscheckd: INFO: Ending syscheck scan.
    2020/04/16 11:01:47 rootcheck: INFO: Starting rootcheck scan.
    2020/04/16 11:44:23 rootcheck: INFO: Ending rootcheck scan.
    2020/04/17 01:49:23 ossec-syscheckd: INFO: Starting syscheck scan.
    2020/04/17 01:55:02 ossec-maild: DEBUG: Running OS_Sendmail()
    2020/04/17 01:55:02 ossec-maild [dns]: ERROR: connect() failed.
    2020/04/17 01:55:17 ossec-maild: DEBUG: Running OS_Sendmail()
    2020/04/17 01:55:17 ossec-maild [dns]: ERROR: connect() failed.
    2020/04/17 01:55:52 ossec-maild: DEBUG: Running OS_Sendmail()
    2020/04/17 01:55:52 ossec-maild [dns]: ERROR: connect() failed.
    2020/04/17 01:56:42 ossec-maild: DEBUG: Running OS_Sendmail()
    2020/04/17 01:56:42 ossec-maild [dns]: ERROR: connect() failed.
    2020/04/17 01:59:13 ossec-syscheckd: INFO: Ending syscheck scan.

So I probably need to recheck my mail setup, but everything else looks fine.

I was curious what version of git I was running:

    $ apt list |grep ^git
    git/bionic-updates,bionic-security,now 1:2.17.1-1ubuntu0.6 amd64 [installed]
    ...

It looks from the dropdown here like git-receive-pack has only changed in versions:

    Changes in the git-receive-pack manual
    2.24.1 → 2.26.1   no changes
    2.24.0            11/04/19
    2.18.1 → 2.23.2   no changes
    2.18.0            06/21/18
    2.13.3 → 2.17.4   no changes
    2.13.2            06/24/17
    2.11.1 → 2.12.5   no changes
    2.11.0            11/29/16

    https://git-scm.com/docs/git-receive-pack

So it doesn't immediately look like the change came from the git sources.

What has apt installed recently?

    $ sudo less /var/log/apt/term.log
    ...
    Log started: 2020-04-16 06:22:27
    (Reading database ... ... 100%^M(Reading database ... 135924 files and directories currently installed.)
    Preparing to unpack .../*git_*1%3a2.17.1-1ubuntu0.6_amd64.deb ...
    Unpacking *git (1:2.17.1-1ubuntu0.6) over (1:2.17.1-1ubuntu0.5)* ...
    Setting up *git* (1:2.17.1-1ubuntu0.6) ...
    Log ended: 2020-04-16 06:22:30
    ...

So I'm guessing that git was automatically updated last night by apt (the Ubuntu package manager), probably for some Ubuntu compatibility reason, which is probably all normal and fine. But I still wonder:

- Why is the last-modified date on the files in question April 10th? Is that when they were built and tested before being promoted to the latest Ubuntu packages?
- Is this sort of generally what I should be doing when I receive these notifications? How would I know if something like this represents tampering vs. normal system activity? In the future, I guess I should look at /var/log/apt/term.log first.
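One way to turn the manual checks in the message above into a repeatable triage step, as an added example that is not part of the original post or of OSSEC: compare the alerted file against the checksum dpkg recorded for its package in /var/lib/dpkg/info/<pkg>.md5sums, then look for a matching "Unpacking" entry in /var/log/apt/term.log shortly before the alert time. The 48-hour window, the package name argument, the sample md5sums line (using md5("") as a stand-in checksum) and the short term.log excerpt are constructed for illustration.

```python
import hashlib, os, re
from datetime import datetime, timedelta

UNPACK_RE = re.compile(r"^Unpacking (\S+) \((\S+)\) over \((\S+)\)")
# Constructed sample data in the real file formats (the checksum is md5("") as a stand-in).
SAMPLE_MD5SUMS = "d41d8cd98f00b204e9800998ecf8427e  usr/bin/git\n"
SAMPLE_TERM_LOG = ("Log started: 2020-04-16 06:22:27\n"
                   "Unpacking git (1:2.17.1-1ubuntu0.6) over (1:2.17.1-1ubuntu0.5) ...\n")

def parse_md5sums(text):
    """/var/lib/dpkg/info/<pkg>.md5sums lines look like '<md5>  usr/bin/git' (no leading /)."""
    sums = {}
    for line in text.splitlines():
        md5, sep, path = line.strip().partition("  ")
        if sep:
            sums["/" + path.strip()] = md5
    return sums

def parse_term_log(text):
    """Return (start_time, package, new_version, old_version) for each 'Unpacking' line."""
    events, started = [], None
    for line in text.splitlines():
        if line.startswith("Log started: "):
            started = datetime.strptime(line[13:32], "%Y-%m-%d %H:%M:%S")
        m = UNPACK_RE.match(line)
        if m and started:
            events.append((started, m.group(1), m.group(2), m.group(3)))
    return events

def verdict(real_path, actual_md5, alert_time, package, md5sums, events, window=timedelta(hours=48)):
    """alert_time is the OSSEC alert timestamp as printed, e.g. '2020 Apr 17 01:54:51'."""
    alerted = datetime.strptime(alert_time, "%Y %b %d %H:%M:%S")
    expected = md5sums.get(real_path)
    if expected is None:
        return "unknown"      # dpkg shipped no checksum for this path: review by hand
    if actual_md5 != expected:
        return "mismatch"     # content differs from the installed package: suspicious
    for started, pkg, new, old in reversed(events):
        if pkg == package and timedelta(0) <= alerted - started <= window:
            return f"updated {old} -> {new} at {started:%Y-%m-%d %H:%M:%S}"
    return "matches package, no recent apt activity"

def explain_alert(path, alert_time, package, md5sums_text, term_log_text):
    """Resolve symlinks first: dpkg records md5sums only for regular files (git-receive-pack -> git)."""
    real = os.path.realpath(path)
    with open(real, "rb") as f:
        actual = hashlib.md5(f.read()).hexdigest()
    return verdict(real, actual, alert_time, package, parse_md5sums(md5sums_text), parse_term_log(term_log_text))
```

On a live host you would feed explain_alert the contents of the package's .md5sums file and of term.log; a "mismatch" verdict means the file no longer matches what the package manager installed and needs a closer look, while an "updated" verdict ties the alert to a recorded apt run.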