Upgrade to Xenial produces ossec false positive for /usr/bin/mail #4363

Closed
emkll opened this issue Apr 23, 2019 · 4 comments

Comments

@emkll
Contributor

emkll commented Apr 23, 2019

Description

Upgrade to Xenial produces a scary ossec syscheck alert:

OSSEC HIDS Notification.
2019 Apr 23 21:57:36

Received From: (app) 10.0.1.4->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/bin/mail' detected. Signature used: 'bash|file\.h|proc\.h|/dev/[^nu]' (Generic).

 --END OF NOTIFICATION

In this particular case, it seems to be due to the ruleset alerting on these changes: https://askubuntu.com/a/605006

Steps to Reproduce

Using prod vms:

  • install 0.12.1 under trusty
  • Upgrade the base OS to Xenial
  • Observe the ossec alert above

Expected Behavior

  • ossec/syscheck alerts should not be triggered on system-provided binaries

Actual behavior

  • false-positive ossec/syscheck alert

Comments

  1. We should confirm if this is a one-time alert, or if it happens every syscheck run
  2. We should see if updating ossec (and thus the ruleset) resolves the issue (there's an older WIP branch here: https://github.com/freedomofpress/securedrop/tree/ossec-3.2)
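To make the alert concrete, here is an added Python example (not SecureDrop or OSSEC code) that applies the quoted Generic rootcheck signature to the printable strings of two constructed byte blobs, and shows why a string such as `/dev/tty` trips the `/dev/[^nu]` alternative while `/dev/null` and `/dev/urandom` do not. The sample bytes are constructed stand-ins, not real `/usr/bin/mail` contents, and the `triage` function with its `packaged_sha256` parameter is an assumption standing in for the package-integrity check (`dpkg -V` or debsums on a real host) that an operator would run before treating the alert as a compromise.

```python
import hashlib
import re

# The "Generic" rootcheck trojan signature quoted in the alert above. It is a
# plain regular expression that rootcheck applies to the strings found in each
# system binary it inspects; any match produces the "Trojaned version" alert.
GENERIC_SIGNATURE = re.compile(rb"bash|file\.h|proc\.h|/dev/[^nu]")

# Runs of printable ASCII, the same notion of "string" as strings(1).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed stand-ins for binary contents (not real /usr/bin/mail bytes).
# A legitimate mail client plausibly names a terminal device and a sink for
# discarded output; only the former is outside the signature's exemptions.
MAIL_LIKE = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"/dev/tty\x00/dev/null\x00/etc/mail.rc\x00%s: not a directory\x00"
)
# A constructed binary that only touches the devices the signature exempts.
CLEAN_LIKE = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"/dev/null\x00/dev/urandom\x00/etc/passwd\x00"
)


def printable_strings(data: bytes) -> list:
    """Return the printable strings in data, decoded for display."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def signature_hits(data: bytes) -> list:
    """Strings that would make rootcheck flag this file as trojaned."""
    return [
        s for s in printable_strings(data)
        if GENERIC_SIGNATURE.search(s.encode("ascii"))
    ]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes, packaged_sha256: str) -> str:
    """Classify a rootcheck 'Trojaned version of file' alert.

    packaged_sha256 is assumed to be the hash the distribution package
    recorded for the file; on a real host that comparison is what
    `dpkg -V` or debsums performs.
    """
    hits = signature_hits(data)
    if not hits:
        return "no-match"
    if sha256_hex(data) == packaged_sha256:
        # The signature matched, but the bytes are exactly what the package
        # shipped: the alert is a false positive of the generic signature.
        return "false-positive"
    # Signature matched and the file differs from the packaged version.
    return "investigate"


if __name__ == "__main__":
    for name, blob in (("mail-like", MAIL_LIKE), ("clean-like", CLEAN_LIKE)):
        print(name, "strings:", printable_strings(blob))
        print(name, "signature hits:", signature_hits(blob))
    print("triage (bytes match package):", triage(MAIL_LIKE, sha256_hex(MAIL_LIKE)))
    print("triage (bytes differ):", triage(MAIL_LIKE, "0" * 64))
```

The output makes the failure mode visible: the only hit on the mail-like blob is `/dev/tty`, a string a legitimate program may well contain, so the signature alone cannot distinguish a trojaned binary from the vendor's. Confirming that the file's hash still matches what the package recorded is the check that separates a false positive from something that needs a closer look.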
@eloquence
Member

eloquence commented Apr 24, 2019

I can confirm that I received this alert twice, once for app and once for mon, on 2/26, during an in-place upgrade of my SecureDrop 0.12.0 instance to Ubuntu 16.04. I have not received it since then.

@redshiftzero
Contributor

Filed ticket upstream: ossec/ossec-hids#1720

@redshiftzero
Contributor

Upstream has merged a PR fixing this: ossec/ossec-hids#1765

Not yet in a release, but 3.4.0 is in preparation; once released, we can update to the new version of OSSEC and close this.

@redshiftzero
Contributor

Fixed as of updating to OSSEC 3.6.0 in #5196
