Btrfs #102
I will revert to the September 24, 2016 ossec-wazuh-master until this is resolved. Dennis
Hi @DLGolden, this is actually a feature inherited from OSSEC, discussed at this pull request: ossec/ossec-hids#950. The thing is that the BTRFS file system does not perform directory counting like other file systems such as ext4, so those checks were always resulting in alerts (false positives). This is why BTRFS was excluded from system directory checks. Best regards.
Yes, I fully understand; however, I tried the wazuh 2.0 branch and then the master branch and they both give false positives for btrfs.

The last one that I have tried that works is from the old ossec-wazuh-master that I pulled on September 24, 2016. That one works as expected. I tried over the last couple of days both the wazuh 2.0 branch and the master. Both of them flag all the directories with link count errors.

I had to go back to the 'ossec-wazuh-master' that I pulled September 24, 2016 to get a working configuration. I don't know how these could have gotten lost, but it fails on my system.

Regards,
Dennis
On 04/11/2017 01:02 PM, Vikman Fdez-Castro wrote:
--
Dennis Golden
Golden Consulting Services, Inc.
Hi, I re-checked it again, you are absolutely right. The problem was that Rootcheck did a comparison between a signed and an unsigned integer to decide whether or not to skip the directory; this made the function fail in any case. It was introduced when fixing another issue for i386: e48713e. Solved at Master branch: ee49f12. Thank you very much for notifying us. I hope it works for you. Please test it and close this issue if it works as expected. Best regards, and thank you again.
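The mechanism under discussion, as an added example that is not Wazuh/OSSEC code and not any participant's words: a rootcheck-style directory link-count check (nlink should be visible subdirectories + 2 on ext4-like file systems), the exclusion of btrfs by file-system magic (btrfs keeps nlink == 1 for directories, so the check always misfires there), and an illustrative signed/unsigned comparison of the kind that makes such an exclusion never fire. The constant name BTRFS_MAGIC, the enum and helper names, and the scratch-directory setup are this example's own; the exact mismatch fixed in e48713e/ee49f12 is not reproduced here.

```c
/* Illustrative, self-contained reimplementation (NOT Wazuh/OSSEC code) of a
 * rootcheck-style directory link-count check, the btrfs exclusion, and the
 * kind of signed/unsigned comparison that can silently disable that exclusion. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* btrfs magic as reported in statfs().f_type on Linux (value from <linux/magic.h>);
 * defined locally (assumption for this example) so it builds on any POSIX system. */
#define BTRFS_MAGIC 0x9123683EUL

enum lc_result { LC_MATCH, LC_MISMATCH, LC_SKIPPED, LC_ERROR };

/* On ext4-style file systems a directory has 2 links (its own entry and ".")
 * plus one ".." per subdirectory, so nlink should equal visible subdirs + 2.
 * A rootkit hiding a subdirectory from readdir() leaves nlink one too high. */
static long expected_nlink(long visible_subdirs)
{
    return visible_subdirs + 2;
}

/* Count the subdirectories readdir() shows, excluding "." and "..". -1 on error. */
static long count_subdirs(const char *path)
{
    DIR *d = opendir(path);
    if (!d) return -1;
    long n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        char child[4096];
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        struct stat st;
        if (lstat(child, &st) == 0 && S_ISDIR(st.st_mode)) n++;
    }
    closedir(d);
    return n;
}

/* Correct exclusion: compare the file-system type word at its native width. */
static int is_btrfs(unsigned long fstype)
{
    return fstype == BTRFS_MAGIC;
}

/* The pitfall (illustrative, not the code from the fix): narrowing the type word
 * to a signed int makes 0x9123683E negative; on LP64 promoting it back to
 * unsigned long yields 0xFFFFFFFF9123683E, which never equals BTRFS_MAGIC.
 * btrfs is then never recognised, the skip never fires, and every directory
 * alerts "Link count does not match number of files". */
static int is_btrfs_buggy(int fstype_narrowed)
{
    return fstype_narrowed == BTRFS_MAGIC;   /* int vs unsigned long */
}

/* The check. fstype is passed in (a real tool would take it from statfs()) so
 * the skip decision can be exercised without a btrfs mount. */
static enum lc_result check_dir_links(const char *path, unsigned long fstype)
{
    if (is_btrfs(fstype)) return LC_SKIPPED;   /* btrfs keeps nlink == 1 for dirs */
    struct stat st;
    if (stat(path, &st) != 0) return LC_ERROR;
    long subdirs = count_subdirs(path);
    if (subdirs < 0) return LC_ERROR;
    return ((long)st.st_nlink == expected_nlink(subdirs)) ? LC_MATCH : LC_MISMATCH;
}

/* Constructed fixture: a scratch directory with 3 subdirectories and 1 regular
 * file (the file must not be counted). Runs fn on it, then cleans up. */
static long with_scratch_dir(long (*fn)(const char *, unsigned long), unsigned long fstype)
{
    char top[] = "/tmp/lcdemoXXXXXX";
    if (!mkdtemp(top)) return -1;
    char p[4200];
    const char *subs[] = { "a", "b", "c" };
    for (int i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/%s", top, subs[i]); mkdir(p, 0700); }
    snprintf(p, sizeof p, "%s/file", top);
    FILE *f = fopen(p, "w");
    if (f) fclose(f);
    long r = fn(top, fstype);
    unlink(p);
    for (int i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/%s", top, subs[i]); rmdir(p); }
    rmdir(top);
    return r;
}

static long cb_count(const char *path, unsigned long fstype) { (void)fstype; return count_subdirs(path); }
static long cb_check(const char *path, unsigned long fstype) { return (long)check_dir_links(path, fstype); }

int main(void)
{
    printf("subdirs counted: %ld\n", with_scratch_dir(cb_count, 0));
    printf("ext4-style check: %ld (0=match 1=mismatch 2=skipped 3=error)\n",
           with_scratch_dir(cb_check, 0xEF53UL));
    printf("btrfs check:      %ld\n", with_scratch_dir(cb_check, BTRFS_MAGIC));
    printf("is_btrfs(magic)=%d  is_btrfs_buggy((int)magic)=%d\n",
           is_btrfs(BTRFS_MAGIC), is_btrfs_buggy((int)BTRFS_MAGIC));
    return 0;
}
```

The ext4-style result on the scratch directory depends on where /tmp lives: tmpfs and ext4 maintain nlink and give LC_MATCH, while some union file systems do not, which is the same false-positive class the thread is about. The btrfs path returns LC_SKIPPED before stat() is consulted at all.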
Yes, it works as expected. I turned on syscheck debug and all BTRFS directories were skipped.

I do have one last question though. Will this be committed to the 2.0 branch as well? Or should I just stay with the master? I'm okay either way.

Regards,
Dennis
On 04/12/2017 05:35 AM, Vikman Fdez-Castro wrote:
--
Dennis Golden
Golden Consulting Services, Inc.
The branch 2.0 is the release candidate; we are doing some testing and will decide whether to update this branch for the release 2.0 or leave these changes for the next version (maybe 2.0.1). Best regards.
I'll just stay with master then. Thanks for your quick response. Dennis
It would appear that at some point, btrfs support got lost. Yesterday I tried the 2.0 wazuh branch and rootcheck was alerting "Link count does not match number of files". Today I went back to the master branch and I'm getting the same thing. This is on openSUSE Leap 42.2.
The last one that I have working is the old ossec-wazuh-master dated September 24, 2016.