[ossec-list] ossec-maild?
Sorry to be dense. I just tried to post another message and don't see it in Google Groups. I'm noticing that other people have an ossec-maild, but I don't:

    $ sudo ls -l /var/ossec/bin/
    total 1164
    -r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth
    -r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents
    -r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd
    -r-xr-x--- 1 root ossec   4593 Feb 14 14:46 ossec-control
    -r-xr-x--- 1 root ossec  63504 Mar 15 15:02 ossec-execd
    -r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector
    -r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd
    -r-xr-x--- 1 root ossec   4503 Feb 14 14:46 util.sh

I just installed ossec for the first time over the weekend. I can't seem to get it to send mail. Am I missing an executable?

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/3d55b1e6-ae3d-4030-9cf2-30872ea7557f%40googlegroups.com.
[ossec-list] Email configuration issue
I think my issue is my server's mail (postfix) configuration. I can send an email from the command line like so:

    $ sendmail -f root@localhost my.em...@company.com
    This is a test.
    .

I can see it get sent in /var/log/mail.log. I get it (in my spam folder, but it's a start).

I added these settings to /var/ossec/etc/ossec.conf:

    <global>
      <email_notification>yes</email_notification>
      <email_to>my.em...@company.com</email_to>
      <smtp_server>localhost</smtp_server>
      <email_from>root@localhost</email_from>
    </global>

Then:

    sudo /var/ossec/bin/ossec-control stop
    sudo /var/ossec/bin/ossec-control start
    sudo tail -F /var/ossec/logs/ossec.log

It starts up fine - I can see a couple dozen new messages in the log (see the end of this email). But there is no email, and no record of even an email attempt in /var/log/mail.log.

I'm guessing that ossec doesn't send mail the same way I do when I test sendmail from the command line, but I don't know what it *does* do. Then I tried:

    $ whereis sendmail
    sendmail: /usr/sbin/sendmail /usr/lib/sendmail /usr/share/man/man1/sendmail.1.gz
    $ ls -l /usr/sbin/sendmail
    -rwxr-xr-x 1 root root 26776 Oct 11  2018 /usr/sbin/sendmail

and changed localhost to /usr/sbin/sendmail, stopped and started ossec-control: still no email. Still no errors about emails.

Here is /var/ossec/logs/ossec.log from the latest attempt:

    2020/03/30 12:24:19 ossec-execd: INFO: Started (pid: 5337).
    2020/03/30 12:24:19 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
    2020/03/30 12:24:19 going daemon
    2020/03/30 12:24:19 starting imsg stuff
    2020/03/30 12:24:19 Creating socketpair()
    2020/03/30 12:24:19 agentd imsg_init()
    2020/03/30 12:24:19 os_dns imsg_init()
    2020/03/30 12:24:19 ossec-agentd(1410): INFO: Reading authentication keys file.
    2020/03/30 12:24:19 ossec-agentd: INFO: No previous counter available for 'server1'.
    2020/03/30 12:24:19 ossec-agentd: INFO: Assigning counter for agent server1: '0:0'.
    2020/03/30 12:24:19 ossec-agentd: INFO: Assigning sender counter: 0:659
    2020/03/30 12:24:19 rootcheck: System audit file not configured.
    2020/03/30 12:24:19 ossec-agentd: INFO: Started (pid: 5341).
    2020/03/30 12:24:19 ossec-agentd: INFO: Server 1: 172.24.16.158
    2020/03/30 12:24:19 ossec-agentd: INFO: Trying to connect to server 172.24.16.158, port 1514.
    2020/03/30 12:24:19 INFO: Connected to 172.24.16.158 at address 172.24.16.158, port 1514
    2020/03/30 12:24:19 ossec-agentd: DEBUG: agt->sock: 11
    2020/03/30 12:24:23 ossec-syscheckd: INFO: Started (pid: 5350).
    2020/03/30 12:24:23 ossec-rootcheck: INFO: Started (pid: 5350).
    2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha1sum.
    2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
    2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
    2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha1sum.
    2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha1sum.
    2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha1sum.
    2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
    2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
    2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
    2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
    2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/random.seed'
    2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
    2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
    2020/03/30 12:24:23 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
    2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/messages' due to [(2)-(No such file or directory)].
    2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
    2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/authlog' due to [(2)-(No such file or directory)].
    2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
    2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
    2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
    2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
    2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/xferlog' due to [(2)-(No such file or directory)].
    2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
    2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/maillog' due to [(2)-(No such file or
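Dan's answer later in this thread (the agent package does not ship ossec-maild; the server sends the mail) turns out to be the cause here, but the symptom described above, no trace of an attempt in /var/log/mail.log, also appears when ossec-maild cannot reach the MTA. The script below is an added example, not OSSEC code and not something the poster ran. It parses the <global> mail settings out of an ossec.conf fragment (constructed from the values in the post), flags the static mistakes, and then does what maild does to deliver: a plain, unauthenticated SMTP envelope exchange with smtp_server on TCP port 25 (maild's behaviour as assumed here; an absolute path in smtp_server is treated as a local sendmail-style binary instead, which is what the post tries). The in-process fake MTA and the closed-port case are constructed so the block runs offline; on a real host point smtp_probe at the configured server.

```python
"""
Check the mail settings ossec-maild reads from ossec.conf, then probe the MTA the
way maild reaches it: a plain SMTP session to <smtp_server> on TCP port 25, with
no authentication and no TLS (assumption about maild). Added example, not OSSEC
code. The sample config and the fake MTA below are constructed.
"""
import os
import smtplib
import socket
import threading
import xml.etree.ElementTree as ET

SMTP_PORT = 25  # assumption: the port maild connects to when smtp_server is a host

# Constructed ossec.conf fragment using the values from the post above.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>my.em...@company.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>root@localhost</email_from>
  </global>
</ossec_config>
<ossec_config>
  <syscheck><frequency>79200</frequency></syscheck>
</ossec_config>
"""


def parse_mail_settings(conf_text):
    """Collect <global> mail settings. ossec.conf may hold several top-level
    <ossec_config> blocks, so the text is wrapped in a synthetic root first."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    settings = {"email_notification": "no", "email_to": [],
                "smtp_server": None, "email_from": None}
    for g in root.iter("global"):
        for el in g:
            text = (el.text or "").strip()
            if el.tag == "email_to":
                settings["email_to"].append(text)
            elif el.tag in settings:
                settings[el.tag] = text
    return settings


def check_mail_settings(settings):
    """Static findings to clear before blaming the MTA."""
    findings = []
    if settings["email_notification"].lower() != "yes":
        findings.append("email_notification is not 'yes'; maild will not send")
    if not settings["email_to"]:
        findings.append("no <email_to> recipient")
    srv = settings["smtp_server"]
    if not srv:
        findings.append("no <smtp_server>")
    elif srv.startswith("/"):
        # An absolute path means a local sendmail-style binary instead of SMTP.
        if not (os.path.isfile(srv) and os.access(srv, os.X_OK)):
            findings.append(f"smtp_server path {srv} is not an executable file")
    return findings


def smtp_probe(host, port, mail_from, rcpt_to, timeout=5.0):
    """Run the envelope part of the dialogue (EHLO, MAIL FROM, RCPT TO) and
    return (ok, detail). DATA is never sent, so nothing is delivered."""
    try:
        with smtplib.SMTP(host, port, local_hostname="ossec-mail-probe",
                          timeout=timeout) as s:
            s.ehlo()
            code, msg = s.mail(mail_from)
            if code != 250:
                return False, f"MAIL FROM rejected: {code} {msg.decode(errors='replace')}"
            code, msg = s.rcpt(rcpt_to)
            if code not in (250, 251):
                return False, f"RCPT TO rejected: {code} {msg.decode(errors='replace')}"
            s.rset()
            return True, "MTA accepts this envelope"
    except (OSError, smtplib.SMTPException) as exc:
        return False, f"connect() or dialogue failed: {exc!r}"


class FakeSMTPServer(threading.Thread):
    """Constructed stand-in MTA for the demo: one session, 250 to everything
    except RCPT when reject_rcpt is set (a relay-denying MTA)."""
    def __init__(self, reject_rcpt=False):
        super().__init__(daemon=True)
        self.reject_rcpt = reject_rcpt
        self.transcript = []
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        f = conn.makefile("rwb")
        f.write(b"220 fake-mta ESMTP\r\n"); f.flush()
        while True:
            raw = f.readline()
            if not raw:
                break
            line = raw.decode("ascii", "replace").strip()
            self.transcript.append(line)
            verb = line.split(" ", 1)[0].upper()
            if verb == "QUIT":
                f.write(b"221 bye\r\n"); f.flush()
                break
            reply = b"550 relaying denied\r\n" if (verb == "RCPT" and self.reject_rcpt) else b"250 ok\r\n"
            f.write(reply); f.flush()
        conn.close()
        self.sock.close()


def closed_port():
    """A loopback port with no listener, to show the connection-refused case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    cfg = parse_mail_settings(SAMPLE_CONF)
    print("settings:", cfg)
    print("findings:", check_mail_settings(cfg) or "none")
    mta = FakeSMTPServer(); mta.start()
    print("fake MTA:", smtp_probe("127.0.0.1", mta.port, cfg["email_from"], cfg["email_to"][0]))
    print("no MTA  :", smtp_probe("127.0.0.1", closed_port(), cfg["email_from"], cfg["email_to"][0]))
```

The probe deliberately stops at RCPT TO: a relay-denying or misconfigured postfix shows up as a 5xx at that step, while a closed or firewalled port 25 shows up as the connection failure, and neither leaves a message in the queue. Those are the two cases a `sendmail` test from the shell never exercises, because the sendmail binary bypasses SMTP entirely.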
Re: [ossec-list] ossec-maild?
I installed on Ubuntu 18.04 according to this:
https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian

I installed both agent and server. Specifically:

    $ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
    $ sudo apt update
    $ sudo apt install ossec-hids-server
    $ sudo apt install ossec-hids-agent
    $ sudo -u ossec ssh-keygen
    $ sudo vim /var/ossec/etc/client.keys
    001 server1 any
    $ sudo chown root.ossec /var/ossec/etc/client.keys

Then I edited ossec.conf as I wrote in my previous mail and started the server.

    $ sudo /var/ossec/bin/ossec-control start
    Starting OSSEC HIDS v3.6.0...
    Started ossec-execd...
    2020/03/30 14:05:04 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
    2020/03/30 14:05:04 going daemon
    Started ossec-agentd...
    Started ossec-logcollector...
    Started ossec-syscheckd...
    Completed.

On Monday, March 30, 2020 at 2:01:35 PM UTC-4, dan (ddpbsd) wrote:
> On Mon, Mar 30, 2020 at 2:00 PM Glen Peterson wrote:
> >
> > Sorry to be dense. I just tried to post another message and don't see it in google groups. I'm noticing that other people have an ossec-maild, but I don't:
> >
> > $ sudo ls -l /var/ossec/bin/
> > total 1164
> > -r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth
> > -r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents
> > -r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd
> > -r-xr-x--- 1 root ossec 4593 Feb 14 14:46 ossec-control
> > -r-xr-x--- 1 root ossec 63504 Mar 15 15:02 ossec-execd
> > -r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector
> > -r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd
> > -r-xr-x--- 1 root ossec 4503 Feb 14 14:46 util.sh
> >
> > I just installed ossec for the first time over the weekend. I can't seem to get it to send mail. Am I missing an executable?
>
> This looks like an agent installation. The OSSEC server handles sending out email.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/15f1956a-8065-4e5e-9dae-c428cb7f02e7%40googlegroups.com.
Re: [ossec-list] ossec-maild?
    group | md5sum | sha1sum.
    2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
    2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
    2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha1sum.
    2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha1sum.
    2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha1sum.
    2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
    2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
    2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
    2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
    2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/random.seed'
    2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
    2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
    2020/03/30 15:38:29 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
    2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/messages' due to [(2)-(No such file or directory)].
    2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
    2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/authlog' due to [(2)-(No such file or directory)].
    2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
    2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
    2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
    2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
    2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/xferlog' due to [(2)-(No such file or directory)].
    2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
    2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/maillog' due to [(2)-(No such file or directory)].
    2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
    2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/access_log' due to [(2)-(No such file or directory)].
    2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/access_log'.
    2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/error_log' due to [(2)-(No such file or directory)].
    2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/error_log'.
    2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/exim_mainlog' due to [(2)-(No such file or directory)].
    2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/exim_mainlog'.
    2020/03/30 15:38:30 ossec-logcollector: INFO: Started (pid: 17657).
    2020/03/30 15:38:35 ossec-monitord: WARN: Process locked. Waiting for permission...
    2020/03/30 15:38:44 ossec-logcollector: WARN: Process locked. Waiting for permission...
    2020/03/30 15:39:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
    2020/03/30 15:39:31 ossec-syscheckd: WARN: Process locked. Waiting for permission...

On Monday, March 30, 2020 at 2:50:58 PM UTC-4, dan (ddpbsd) wrote:
> On Mon, Mar 30, 2020 at 2:11 PM Glen Peterson wrote:
> >
> > I installed on Ubuntu 18.04 according to this:
> > https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian
> >
> > I installed both agent and server. Specifically:
> > $ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
> >
> > $ sudo apt update
> >
> > $ sudo apt install ossec-hids-server
> > $ sudo apt install ossec-hids-agent
> >
>
> They should be mutually exclusive, so I'm guessing the agent removed the server.
>
> > $ sudo -u ossec ssh-keygen
> >
> > $ sudo vim /var/ossec/etc/client.keys
> > 001 server1 any
> >
> > $ sudo chown root.ossec /var/ossec/etc/client.keys
> >
> > Then I edited ossec.conf as I wrote in my previous mail and started the server.
> >
Re: [ossec-list] ossec-maild?
I did that all again, but added:

    $ sudo rm -rf /var/ossec/

between the uninstall and reinstall. Then created my keygen and client.key files from scratch, and... Oh... Now I'm getting email alerts!!! Wohoo! Thanks so much for your help!

On Monday, March 30, 2020 at 3:49:42 PM UTC-4, Glen Peterson wrote:
> This is progress, I now have ossec-maild running, but still no email and nothing from ossec in /var/log/mail.log. Here's what I did:
>
> $ sudo /var/ossec/bin/ossec-control stop
> $ sudo apt purge ossec-hids-agent
> $ sudo apt purge ossec-hids-server
> $ sudo apt install ossec-hids-server
>
> My old keygen file was still there, as was the client.key file.
>
> $ sudo vim /var/ossec/etc/ossec.conf
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>my.em...@company.com</email_to>
>   <smtp_server>localhost</smtp_server>
>   <email_from>root@localhost</email_from>
> </global>
>
> $ sudo /var/ossec/bin/ossec-control start
> Starting OSSEC HIDS v3.6.0...
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-remoted...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
>
> No email. Then I tried with:
> <smtp_server>/usr/sbin/sendmail</smtp_server>
>
> Still no email.
>
> $ sudo cat /var/ossec/logs/ossec.log
> ...
> 2020/03/30 15:38:24 ossec-testrule: INFO: Reading local decoder file.
> 2020/03/30 15:38:24 ossec-testrule: INFO: Started (pid: 17631).
> 2020/03/30 15:38:24 ossec-maild: INFO: Started (pid: 17644).
> 2020/03/30 15:38:24 ossec-execd: INFO: Started (pid: 17649).
> 2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17661).
> 2020/03/30 15:38:24 IPv6: :: on port 1514
> 2020/03/30 15:38:24 Socket bound for IPv6: :: on port 1514
> 2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17663).
> 2020/03/30 15:38:24 rootcheck: System audit file not configured.
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading local decoder file.
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file:
Re: [ossec-list] [urgent]Files hidden inside directory . Link count does not match number of files ?
This is still an issue with:

- OSSEC HIDS v3.6.0
- Docker version 19.03.6, build 369ce74a3c
- Ubuntu 18.04 amd64, 4.15.0-91-generic

    OSSEC HIDS Notification.
    2020 Mar 30 16:07:38

    Received From: 1043003-app1->rootcheck
    Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
    Portion of the log(s):

    Files hidden inside directory '/var/lib/docker/overlay2/be359.../merged/var/lib/dpkg/alternatives'. Link count does not match number of files (2,1).

I found the following which may be helpful:
https://github.com/ossec/ossec-hids/issues/1528

Is it "fixed" in wazuh? Is that the right fix?
https://github.com/wazuh/wazuh/issues/561
https://github.com/docker/hub-feedback/issues/1228
https://forums.docker.com/t/some-way-to-clean-up-identify-contents-of-var-lib-docker-overlay/30604/21

On Thursday, February 15, 2018 at 7:19:07 AM UTC-5, dan (ddpbsd) wrote:
> On Sun, Feb 4, 2018 at 11:33 PM, wrote:
> >
> > Hi all,
> >
> > I came across this issue:
> > Files hidden inside directory '/var/lib/docker/overlay2/x/merged/root/go/src'. Link count does not match number of files (4,1).
> > in many servers. However, when I checked the ossec configuration file in those servers, there is no /var/lib/docker/overlay2 directory written in the configuration file.
> >
> > What I guess: since one of those servers is a cluster, I need to monitor file integrity of this server under /var/lib/docker/overlay2/x. However the file name is too complicated, so what I did is I generated a number to link to those complicated directories. I am not really sure, is this the problem causing my above alert to come out in other servers? (PS: those servers connect to the same ossec manager server.)
> >
>
> This is a rootcheck alert, not syscheck. I know rootcheck has some issues with these overlay filesystems, but I haven't really gotten a chance to look into it to see what can be done.
>
> > thank you for helping guys.
> > urgent now
> >
> > best regards,
> >
> > kaiwen

--
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/db093ef1-4a3a-46df-8ee4-538d56dc9482%40googlegroups.com.
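Why this alert keeps firing on paths under /var/lib/docker/overlay2/.../merged: the alert text says what the check is, a comparison between a directory's link count and the number of entries found by reading it. That is the classic rootkit heuristic (a directory has one link for "." plus one ".." from each subdirectory, so nlink - 2 should equal the subdirectories readdir() returns), and it breaks on overlayfs and btrfs, which report st_nlink = 1 for every directory. The block below is an added example in Python, not rootcheck's C code; exactly which entries rootcheck counts is assumed from the alert text, and the /proc/mounts excerpt is constructed. It shows the heuristic, the inconclusive case, and a mount-type filter that skips paths where link counts carry no information.

```python
"""
The link-count heuristic behind rootcheck's "Files hidden inside directory ...
Link count does not match number of files" alert, reimplemented so the overlayfs
false positive can be reproduced and filtered. Added example, not OSSEC's
rootcheck code; the entries counted are an assumption. /proc/mounts is constructed.
"""
import os
import tempfile

# Filesystems that report st_nlink == 1 for directories, so the invariant
# nlink == 2 + subdirectories never holds there.
NLINK_UNRELIABLE_FSTYPES = {"overlay", "overlayfs", "btrfs"}

# Constructed /proc/mounts excerpt; the overlay id is made up.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime 0 0
overlay /var/lib/docker/overlay2/be359example/merged overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
"""


def link_count_anomaly(nlink, visible_subdirs):
    """Return the number of subdirectories the link count implies but readdir()
    did not show (0 = consistent), or None when nlink < 2, i.e. the filesystem
    clearly does not maintain the invariant and the check is inconclusive."""
    if nlink < 2:
        return None
    return (nlink - 2) - visible_subdirs


def unreliable_mountpoints(proc_mounts_text):
    """Mount points whose fstype makes directory link counts meaningless."""
    points = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # /proc/mounts escapes spaces in paths as \040
        mountpoint, fstype = fields[1].replace("\\040", " "), fields[2]
        if fstype in NLINK_UNRELIABLE_FSTYPES:
            points.append(mountpoint)
    return points


def on_unreliable_fs(path, mountpoints):
    """True when path is at or below one of the mount points (component-wise)."""
    norm = os.path.normpath(path)
    for mp in mountpoints:
        mp = os.path.normpath(mp)
        if norm == mp or norm.startswith(mp.rstrip("/") + "/"):
            return True
    return False


def scan_dir(path, mountpoints=()):
    """Apply the heuristic to one directory, skipping filesystems where it cannot work."""
    result = {"path": path, "nlink": None, "subdirs": None, "hidden": None, "skipped": None}
    if on_unreliable_fs(path, mountpoints):
        result["skipped"] = "overlay/btrfs mount: link counts are not meaningful"
        return result
    st = os.stat(path)
    # Count real subdirectories only; a symlink to a directory adds no '..' link.
    subdirs = sum(1 for e in os.scandir(path) if e.is_dir(follow_symlinks=False))
    result.update(nlink=st.st_nlink, subdirs=subdirs,
                  hidden=link_count_anomaly(st.st_nlink, subdirs))
    if result["hidden"] is None:
        result["skipped"] = "filesystem reports nlink < 2 for directories"
    return result


if __name__ == "__main__":
    mps = unreliable_mountpoints(SAMPLE_MOUNTS)
    print("unreliable mounts:", mps)
    alerted = "/var/lib/docker/overlay2/be359example/merged/var/lib/dpkg/alternatives"
    print("alerted path:", scan_dir(alerted, mps)["skipped"])
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a", "b"):
            os.mkdir(os.path.join(tmp, name))
        open(os.path.join(tmp, "file"), "w").close()
        print("temp dir:", scan_dir(tmp, mps))
    # Two visible subdirectories on a filesystem reporting nlink 1 (constructed).
    print("nlink 1 with 2 subdirs:", link_count_anomaly(1, 2))
```

On ext4 or tmpfs the temp-directory scan reports hidden = 0; on a btrfs or overlay root it reports None and a skip reason instead of an anomaly, which is the behaviour the alert above lacks. A positive result on a filesystem that does keep the invariant is still worth an investigation, since hiding directory entries from readdir() while leaving the link count intact is exactly what an LD_PRELOAD or kernel rootkit does.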
[ossec-list] How to respond to "Integrity checksum changed" event?
I received this email:

    OSSEC HIDS Notification.
    2020 Apr 17 01:54:51

    Received From: myServer->syscheck
    Rule: 550 fired (level 7) -> "Integrity checksum changed."
    Integrity checksum changed for: '/usr/bin/git-receive-pack'
    ...

I got the same notification email for the following files:

    /usr/bin/git
    /usr/bin/git-upload-archive
    /usr/bin/git-shell
    /usr/bin/git-upload-pack

But none of these files have been changed since April 10th (and two of them are links):

    $ sudo ls -l /usr/bin/git*
    -rwxr-xr-x 1 root root 2351792 Apr 10 11:59 /usr/bin/git
    lrwxrwxrwx 1 root root       3 Apr 10 11:59 /usr/bin/git-receive-pack -> git
    -rwxr-xr-x 1 root root 1304912 Apr 10 11:59 /usr/bin/git-shell
    lrwxrwxrwx 1 root root       3 Apr 10 11:59 /usr/bin/git-upload-archive -> git
    -rwxr-xr-x 1 root root 1317120 Apr 10 11:59 /usr/bin/git-upload-pack

It looks like syscheck takes about 10 minutes to run (from /var/ossec/logs/ossec.log):

    2020/04/13 17:00:33 ossec-syscheckd: INFO: Starting syscheck scan.
    2020/04/13 17:10:23 ossec-syscheckd: INFO: Ending syscheck scan.
    2020/04/13 20:40:23 rootcheck: INFO: Starting rootcheck scan.
    2020/04/13 21:22:09 rootcheck: INFO: Ending rootcheck scan.
    2020/04/14 13:12:09 ossec-syscheckd: INFO: Starting syscheck scan.
    2020/04/14 13:22:00 ossec-syscheckd: INFO: Ending syscheck scan.
    2020/04/14 17:27:00 rootcheck: INFO: Starting rootcheck scan.
    2020/04/14 18:09:24 rootcheck: INFO: Ending rootcheck scan.
    2020/04/15 09:24:24 ossec-syscheckd: INFO: Starting syscheck scan.
    2020/04/15 09:34:14 ossec-syscheckd: INFO: Ending syscheck scan.
    2020/04/15 14:14:14 rootcheck: INFO: Starting rootcheck scan.
    2020/04/15 14:56:57 rootcheck: INFO: Ending rootcheck scan.
    2020/04/16 05:36:57 ossec-syscheckd: INFO: Starting syscheck scan.
    2020/04/16 05:46:47 ossec-syscheckd: INFO: Ending syscheck scan.
    2020/04/16 11:01:47 rootcheck: INFO: Starting rootcheck scan.
    2020/04/16 11:44:23 rootcheck: INFO: Ending rootcheck scan.
    2020/04/17 01:49:23 ossec-syscheckd: INFO: Starting syscheck scan.
    2020/04/17 01:55:02 ossec-maild: DEBUG: Running OS_Sendmail()
    2020/04/17 01:55:02 ossec-maild [dns]: ERROR: connect() failed.
    2020/04/17 01:55:17 ossec-maild: DEBUG: Running OS_Sendmail()
    2020/04/17 01:55:17 ossec-maild [dns]: ERROR: connect() failed.
    2020/04/17 01:55:52 ossec-maild: DEBUG: Running OS_Sendmail()
    2020/04/17 01:55:52 ossec-maild [dns]: ERROR: connect() failed.
    2020/04/17 01:56:42 ossec-maild: DEBUG: Running OS_Sendmail()
    2020/04/17 01:56:42 ossec-maild [dns]: ERROR: connect() failed.
    2020/04/17 01:59:13 ossec-syscheckd: INFO: Ending syscheck scan.

So I probably need to recheck my mail setup, but everything else looks fine.

I was curious what version of git I was running:

    $ apt list | grep ^git
    git/bionic-updates,bionic-security,now 1:2.17.1-1ubuntu0.6 amd64 [installed]
    ...

It looks from the dropdown here like git-receive-pack has only changed in these versions:

    Changes in the git-receive-pack manual
    2.24.1 → 2.26.1   no changes
    2.24.0            11/04/19
    2.18.1 → 2.23.2   no changes
    2.18.0            06/21/18
    2.13.3 → 2.17.4   no changes
    2.13.2            06/24/17
    2.11.1 → 2.12.5   no changes
    2.11.0            11/29/16

https://git-scm.com/docs/git-receive-pack

So it doesn't immediately look like the change came from the git sources. What has apt installed recently?

    $ sudo less /var/log/apt/term.log
    ...
    Log started: 2020-04-16 06:22:27
    (Reading database ... 135924 files and directories currently installed.)
    Preparing to unpack .../git_1%3a2.17.1-1ubuntu0.6_amd64.deb ...
    Unpacking git (1:2.17.1-1ubuntu0.6) over (1:2.17.1-1ubuntu0.5) ...
    Setting up git (1:2.17.1-1ubuntu0.6) ...
    Log ended: 2020-04-16 06:22:30
    ...

So I'm guessing that git was automatically updated last night by apt (the Ubuntu package manager), probably for some Ubuntu compatibility reason, which is probably all normal and fine. But I still wonder:

- Why is the last-modified date on the files in question April 10th? Is that when they were built and tested before being promoted to the latest Ubuntu packages?
- Is this sort of generally what I should be doing when I receive these notifications? How would I know if something like this represents tampering vs. normal system activity? In the future, I guess I should look at /var/log/apt/term.log first.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/0ff844ec-c4cb-4324-a2b0-6f115db32d52%40googlegroups.com.
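The triage the post above walks through by hand (apt's term.log, the file listing, the upstream changelog) has a mechanical first step on Debian/Ubuntu: compare the alerted file against the md5 dpkg recorded when the owning package was installed (/var/lib/dpkg/info/<pkg>.md5sums) and look for a dpkg.log entry for that package near the alert time. The mtime question has a plain answer as well: dpkg preserves the timestamps stored in the .deb archive, which come from when the package was built, so "Apr 10 11:59" is not when the file landed on the host; dpkg.log and apt's term.log are the record of the install. The block below is an added example, not OSSEC or dpkg code. All inputs (file bytes, md5sums, a dpkg.log excerpt, a symlink map) are constructed so it runs offline; the git version strings and the term.log timestamp are the ones shown in the post, the examplepkg line is made up. Symlinks are handled because .md5sums lists regular files only, so git-receive-pack -> git must be resolved to its target before lookup.

```python
"""
Triage for a syscheck "Integrity checksum changed" alert on a Debian/Ubuntu host:
does the file still match what the installed package ships (dpkg's per-package
.md5sums), and did dpkg log a change to that package near the alert time?
Added example, not OSSEC code. All inputs are constructed so it runs offline; on a
real host read /var/lib/dpkg/info/<pkg>.md5sums and /var/log/dpkg.log instead.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed "binary" contents standing in for /usr/bin/git and /usr/bin/git-shell.
GIT_BYTES = b"\x7fELF constructed stand-in for /usr/bin/git\n"
GIT_SHELL_BYTES = b"\x7fELF constructed stand-in for /usr/bin/git-shell\n"

# What dpkg recorded at install time (format of /var/lib/dpkg/info/git.md5sums).
SAMPLE_MD5SUMS = {
    "git": (f"{hashlib.md5(GIT_BYTES).hexdigest()}  usr/bin/git\n"
            f"{hashlib.md5(GIT_SHELL_BYTES).hexdigest()}  usr/bin/git-shell\n"),
}

# Symlinks are not listed in .md5sums, so the alerted path is resolved first.
SAMPLE_SYMLINKS = {"/usr/bin/git-receive-pack": "/usr/bin/git",
                   "/usr/bin/git-upload-archive": "/usr/bin/git"}

# Constructed /var/log/dpkg.log excerpt; git versions and time are from the post.
SAMPLE_DPKG_LOG = """\
2020-04-01 09:00:00 upgrade examplepkg:amd64 1.0-1 1.0-2
2020-04-16 06:22:27 startup archives unpack
2020-04-16 06:22:28 upgrade git:amd64 1:2.17.1-1ubuntu0.5 1:2.17.1-1ubuntu0.6
2020-04-16 06:22:28 status half-installed git:amd64 1:2.17.1-1ubuntu0.5
2020-04-16 06:22:30 status installed git:amd64 1:2.17.1-1ubuntu0.6
"""

# "<date> <time> <action> <pkg>[:<arch>] <old-version> <new-version>"
DPKG_EVENT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (install|upgrade|remove|purge) (\S+?)(?::\S+)? (\S+) (\S+)$")


def parse_ossec_time(text):
    """'2020 Apr 17 01:54:51' as printed in the alert header."""
    return datetime.strptime(text, "%Y %b %d %H:%M:%S")


def parse_md5sums(text):
    """'<md5>  <path relative to />' per line -> {absolute path: md5}."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split(None, 1)
            table["/" + rel.strip()] = digest.lower()
    return table


def package_events_near(dpkg_log, package, when, window=timedelta(days=2)):
    """(timestamp, action, old, new) for install/upgrade/remove/purge of the
    package within +/- window of the alert time."""
    events = []
    for line in dpkg_log.splitlines():
        m = DPKG_EVENT_RE.match(line)
        if m and m.group(3) == package:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            if abs(ts - when) <= window:
                events.append((ts, m.group(2), m.group(4), m.group(5)))
    return events


def triage(alert_path, alert_time, read_bytes, md5sums_by_pkg, dpkg_log,
           symlinks=None, window=timedelta(days=2)):
    """Owning package, hash status against the package, nearby dpkg events, verdict."""
    target = (symlinks or {}).get(alert_path, alert_path)
    for pkg, text in md5sums_by_pkg.items():
        table = parse_md5sums(text)
        if target not in table:
            continue
        actual = hashlib.md5(read_bytes(target)).hexdigest()
        status = "match" if actual == table[target] else "mismatch"
        events = package_events_near(dpkg_log, pkg, alert_time, window)
        if status == "mismatch":
            verdict = "content differs from the installed package: investigate"
        elif events:
            verdict = "explained: content matches the package and dpkg logged a change"
        else:
            verdict = "matches the package but dpkg logged nothing nearby: check when the baseline was built"
        return {"path": alert_path, "target": target, "package": pkg,
                "status": status, "events": events, "verdict": verdict}
    return {"path": alert_path, "target": target, "package": None,
            "status": "not-in-package", "events": [], "verdict": "not owned by any package: investigate"}


if __name__ == "__main__":
    when = parse_ossec_time("2020 Apr 17 01:54:51")
    reader = lambda p: {"/usr/bin/git": GIT_BYTES, "/usr/bin/git-shell": GIT_SHELL_BYTES}[p]
    for p in ("/usr/bin/git-receive-pack", "/usr/bin/git-shell"):
        print(triage(p, when, reader, SAMPLE_MD5SUMS, SAMPLE_DPKG_LOG, SAMPLE_SYMLINKS))
    print(triage("/usr/bin/git", when, lambda p: GIT_BYTES + b"\x90", SAMPLE_MD5SUMS, SAMPLE_DPKG_LOG))
```

On a live host `dpkg -S /usr/bin/git` names the owner and `dpkg -V git` performs the md5 comparison; the script shows what those do and adds the time correlation. The md5 check only proves the file is what the package shipped, not that the package itself is trustworthy, so for the "explained" verdict the remaining question is whether the upgrade came through apt from a repository you expect (term.log and /var/log/apt/history.log record that), and a "mismatch" on a file dpkg owns with no nearby dpkg event is the case to treat as tampering until shown otherwise.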