Whodata stops working on +3.1 audit versions

[ncvicchi]

Wazuh version	Component	Install type	Install method	Platform
4.5.2	FIM	Agent	Any	Fedora 39

Closed by 6871

This issue is derived from #18727 as a result of tests performed.

Steps to reproduce:

• Configure FIM with the following parameter:

<directories whodata="yes">/testwhodata</directories>

• Enable debug level 2 at: /var/ossec/etc/local_internal_options.conf

syscheck.debug=2

• Audit validation (after configuring wazuh and restarting agent):

[root@fedora39 bin]# auditctl -w /etc -p wa -k wazuh_fim
[root@fedora39 bin]#

• Test execution:

[root@fedora39 bin]# touch /testwhodata/test
[root@fedora39 bin]# rm /testwhodata/test
rm: ¿borrar el fichero regular vacío '/testwhodata/test'? (s/n) s

• alerts.log

Result

** Alert 1696903437.18696: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Oct 10 02:03:57 (fedora39) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/testwhodata/test' added
Mode: realtime

Attributes:

• Size: 0
• Permissions: rw-r--r--
• Date: Tue Oct 10 02:03:57 2023
• Inode: 49960
• User: root (0)
• Group: root (0)
• MD5: d41d8cd98f00b204e9800998ecf8427e
• SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
• SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

** Alert 1696903442.19375: - ossec,syscheck,syscheck_entry_deleted,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Oct 10 02:04:02 (fedora39) any->syscheck
Rule: 553 (level 7) -> 'File deleted.'
File '/testwhodata/test' deleted
Mode: realtime

Attributes:

• Size: 0
• Permissions: rw-r--r--
• Date: Tue Oct 10 02:03:57 2023
• Inode: 49960
• User: root (0)
• Group: root (0)
• MD5: d41d8cd98f00b204e9800998ecf8427e
• SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
• SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

• Auditd service status

By executing systemctl status auditd the following output is observed:

[root@fedora39 wazuh]# systemctl status auditd
● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Tue 2023-10-10 16:13:47 -03; 5min ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 899 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 904 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 901 (auditd)
      Tasks: 2 (limit: 4647)
     Memory: 1.0M
        CPU: 73ms
     CGroup: /system.slice/auditd.service
             └─901 /sbin/auditd

oct 10 16:13:47 fedora39 systemd[1]: Starting auditd.service - Security Auditing Service...
oct 10 16:13:47 fedora39 auditd[901]: Option builtin_af_unix line 3 is obsolete - using /sbin/audisp-af_unix
oct 10 16:13:47 fedora39 auditd[901]: Option builtin line 4 is obsolete - update it
oct 10 16:13:47 fedora39 auditd[901]: Unable to stat /sbin/audisp-af_unix (No such file or directory)
oct 10 16:13:47 fedora39 auditd[901]: Skipping af_wazuh.conf plugin due to errors
oct 10 16:13:47 fedora39 auditd[901]: No plugins found, not dispatching events
oct 10 16:13:47 fedora39 auditd[901]: Init complete, auditd 3.1.2 listening for events (startup state enable)
oct 10 16:13:47 fedora39 augenrules[904]: /sbin/augenrules: No change
oct 10 16:13:47 fedora39 augenrules[915]: No rules
oct 10 16:13:47 fedora39 systemd[1]: Started auditd.service - Security Auditing Service.

• ossec.log

2023/10/10 16:13:42 wazuh-syscheckd[840] syscheck_audit.c:183 at set_auditd_config(): INFO: (6023): No socket found at 'queue/sockets/audit'. Restarting Auditd service.
2023/10/10 16:13:43 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2023/10/10 16:13:43 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2023/10/10 16:13:43 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2023/10/10 16:13:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.
2023/10/10 16:13:43 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2023/10/10 16:13:43 wazuh-logcollector: INFO: Started (pid: 866).
2023/10/10 16:13:43 wazuh-modulesd: INFO: Started (pid: 881).
2023/10/10 16:13:43 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2023/10/10 16:13:43 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2023/10/10 16:13:43 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2023/10/10 16:13:43 wazuh-modulesd:syscollector: INFO: Module disabled. Exiting...
2023/10/10 16:13:43 sca: INFO: Module disabled. Exiting.
2023/10/10 16:13:43 wazuh-modulesd:control: INFO: Starting control thread.
2023/10/10 16:13:47 wazuh-syscheckd[840] syscheck_audit.c:200 at init_auditd_socket(): ERROR: (6636): Cannot connect to socket 'queue/sockets/audit'.
2023/10/10 16:13:47 wazuh-syscheckd[840] syscheck_audit.c:348 at audit_init(): ERROR: Can't init auditd socket in 'init_auditd_socket()'
2023/10/10 16:13:47 wazuh-syscheckd[840] main.c:286 at main(): WARNING: (6913): Who-data engine could not start. Switching who-data to real-time.

[ncvicchi]

Further analysis:

Environment	Type	Version
Wazuh OVA	Manager	4.5.4
Fedora 39	Agent	4.5.4

Wazuh agent is installed following official documentation
Wazuh manager is the official OVA 4.5.4

Configuration is default, and whodata is install following official documentation.

ossec.log file indicates some error, but it is not clear:

2023/10/24 20:16:14 wazuh-syscheckd: ERROR: (6636): Cannot connect to socket 'queue/sockets/audit'.
2023/10/24 20:16:14 wazuh-syscheckd: ERROR: Can't init auditd socket in 'init_auditd_socket()'
2023/10/24 20:16:14 wazuh-syscheckd: WARNING: (6913): Who-data engine could not start. Switching who-data to real-time.

auditd status does show more information:

auditd status
[root@fedora39 logs]# systemctl status auditd
● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Tue 2023-10-24 20:16:14 -03; 1min 24s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 5365 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 5369 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 5366 (auditd)
      Tasks: 2 (limit: 2310)
     Memory: 1004.0K
        CPU: 34ms
     CGroup: /system.slice/auditd.service
             └─5366 /sbin/auditd

oct 24 20:16:14 fedora39 systemd[1]: Starting auditd.service - Security Auditing Service...
oct 24 20:16:14 fedora39 auditd[5366]: Option builtin_af_unix line 3 is obsolete  using /sbin/audisp-af_unix
oct 24 20:16:14 fedora39 auditd[5366]: Option builtin line 4 is obsolete - update it
oct 24 20:16:14 fedora39 auditd[5366]: Unable to stat /sbin/audisp-af_unix (No such file or directory)
oct 24 20:16:14 fedora39 auditd[5366]: Skipping af_wazuh.conf plugin due to errors
oct 24 20:16:14 fedora39 auditd[5366]: No plugins found, not dispatching events
oct 24 20:16:14 fedora39 auditd[5366]: Init complete, auditd 3.1.2 listening for events  (startup state enable)
oct 24 20:16:14 fedora39 augenrules[5369]: /sbin/augenrules: No change
oct 24 20:16:14 fedora39 augenrules[5380]: No rules
oct 24 20:16:14 fedora39 systemd[1]: Started auditd.service - Security Auditing Service.

It indicates that lines 3 and 4 of wazuh's rule file is using obsolete options.

wazuh pluing conf file:

active = yes
direction = out
path = builtin_af_unix
type = builtin
args = 0640 /var/ossec/queue/sockets/audit
format = string

Apparently, Fedora 39 deprecated builin_af_unix, and when Wazuh's trying to use it, it tries to use
/sbin/audisp-af_unix which belongs to audisp plugin, which is not installed by default.

Installing audispd-plugins:

yum install audispd-plugins

After rebooting, promising but still failing output is observed:

root@fedora39 wazuh]# systemctl status auditd
● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Tue 2023-10-24 21:05:10 -03; 8min ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 575 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 587 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 581 (auditd)
      Tasks: 4 (limit: 2310)
     Memory: 6.5M
        CPU: 57ms
     CGroup: /system.slice/auditd.service
             ├─581 /sbin/auditd
             └─583 /sbin/audisp-af_unix 0640 /var/ossec/queue/sockets/audit

oct 24 21:05:10 fedora39 systemd[1]: Starting auditd.service - Security Auditing Service...
oct 24 21:05:10 fedora39 auditd[581]: Option builtin_af_unix line 3 is obsolete - using /sbin/audisp-af_unix
oct 24 21:05:10 fedora39 auditd[581]: Option builtin line 4 is obsolete - update it
oct 24 21:05:10 fedora39 auditd[581]: audit dispatcher initialized with q_depth=2000 and 1 active plugins
oct 24 21:05:10 fedora39 auditd[581]: Init complete, auditd 3.1.2 listening for events (startup state enable)
oct 24 21:05:10 fedora39 audisp-af_unix[583]: audisp-af_unix plugin is listening for events
oct 24 21:05:10 fedora39 augenrules[587]: /sbin/augenrules: No change
oct 24 21:05:10 fedora39 augenrules[605]: No rules
oct 24 21:05:10 fedora39 systemd[1]: Started auditd.service - Security Auditing Service.
oct 24 21:05:14 fedora39 audisp-af_unix[583]: Client connected

oosec.log file:

but ossec.log still shows errors with audit:

2023/10/24 21:12:03 wazuh-syscheckd: ERROR: (6642): Audit health check couldn't be completed correctly.
2023/10/24 21:12:03 wazuh-syscheckd: WARNING: (6913): Who-data engine could not start. Switching who-data to real-time.

This is a different behaviour. Now wazuh's FIM module is connecting to auditd, but heath check fails

auditctl still shows an empty response:

[root@fedora39 wazuh]# auditctl -l | grep wazuh_fim
[root@fedora39 wazuh]#

syscheck.debug2 is set at /var/ossec/etc/local_internal_options.conf and ossec.log shows:

2023/10/24 21:22:46 wazuh-syscheckd[6630] audit_healthcheck.c:41 at audit_health_check(): DEBUG: (6279): Whodata health-check: Starting.
2023/10/24 21:22:46 wazuh-syscheckd[6630] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2023/10/24 21:22:46 wazuh-syscheckd[6630] audit_healthcheck.c:102 at audit_healthcheck_thread(): DEBUG: (6255): Whodata health-check: Reading thread active.
2023/10/24 21:22:47 wazuh-syscheckd[6630] audit_parse.c:326 at filterkey_audit_events(): DEBUG: (6251): Match audit_key: 'wazuh_hc'
2023/10/24 21:22:56 wazuh-syscheckd[6630] audit_healthcheck.c:70 at audit_health_check(): DEBUG: (6257): Whodata health-check: Failed to receive creation event.
2023/10/24 21:22:57 wazuh-syscheckd[6630] audit_parse.c:326 at filterkey_audit_events(): DEBUG: (6251): Match audit_key: 'wazuh_hc'
2023/10/24 21:22:57 wazuh-syscheckd[6630] audit_healthcheck.c:106 at audit_healthcheck_thread(): DEBUG: (6256): Whodata health-check: Reading thread finished.
2023/10/24 21:22:57 wazuh-syscheckd[6630] syscheck_audit.c:365 at audit_init(): ERROR: (6642): Audit health check couldn't be completed correctly.
2023/10/24 21:22:57 wazuh-syscheckd[6630] main.c:286 at main(): WARNING: (6913): Who-data engine could not start. Switching who-data to real-time.

[ncvicchi]

This issue seems to have become more critical and seems to be bigger than it looked at first. Will move its ETA and change its size to accommodate. Will also block 2 other issues regarding whodata on newer OSs.

[jotacarma90]

ETA delayed and on hold status due to higher priority issues coming:
wazuh/wazuh-packages#2154
#20152
#19603

[jotacarma90]

Update

Hello team,
while researching this issue in depth, at the moment we have this information:

Fedora 39, comes with auditd 3.1.2 installed. When trying to configure a directory in whodata, we found this error in the log:

2023/11/16 11:50:53 wazuh-syscheckd: ERROR: (6636): Cannot connect to socket 'queue/sockets/audit'.
2023/11/16 11:50:53 wazuh-syscheckd: ERROR: Can't init auditd socket in 'init_auditd_socket()'
2023/11/16 11:50:53 wazuh-syscheckd: WARNING: (6913): Who-data engine could not start. Switching who-data to real-time.

And this error in auditd:

Nov 17 12:07:23 fedora39 systemd[1]: Started auditd.service - Security Auditing Service.
Nov 17 12:07:23 fedora39 augenrules[679]: /sbin/augenrules: No change
Nov 17 12:07:23 fedora39 auditd[674]: Init complete, auditd 3.1.2 listening for events (startup state enable)
Nov 17 12:07:23 fedora39 auditd[674]: No plugins found, not dispatching events
Nov 17 12:07:23 fedora39 auditd[674]: Skipping af_wazuh.conf plugin due to errors
Nov 17 12:07:23 fedora39 auditd[674]: Unable to stat /sbin/audisp-af_unix (No such file or directory)
Nov 17 12:07:23 fedora39 auditd[674]: Option builtin line 4 is obsolete - update it
Nov 17 12:07:23 fedora39 auditd[674]: Option builtin_af_unix line 3 is obsolete - using /sbin/audisp-af_unix
Nov 17 12:07:23 fedora39 systemd[1]: Starting auditd.service - Security Auditing Service...

For centos 9 stream, the version that comes with auditd installed is 3.0.6 (everything works correctly here), but upgrading to version 3.1.2, we find the same error as with fedora 39.

For Ubuntu 23, the latest available version of auditd is 3.1.1, and here, although we see some similar problems in auditd, whodata works correctly without problems.

With all this, reviewing the changelog of auditd, between version 3.1.1 and 3.1.2 we find:

3.1.2
- When processing a run level change, make auditd exit
- In auditd, fix return code when rules added in immutable mode
- In auparse, when files are given, also consider EUID for access
- Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya)
- Disable Python bindings from setting rules due to swig bug (S. Trofimovich)
- Update all lookup tables for the 6.5 kernel
- Don't be as paranoid about auditctl -R file permissions
- In ausearch, correct subject/object search to be an and if both are given
- Adjust formats for 64 bit time_t
- Fix segfault in python bindings around the feed API
- Add feed_has_data, get_record_num, and get/goto_field_num to python bindings

3.1.1
- Add user friendly keywords for signals to auditctl
- In ausearch, parse up URINGOP and DM_CTRL records
- Harden auparse to better handle corrupt logs
- Fix a CFLAGS propagation problem in the common directory
- Move the audispd af_unix plugin to a standalone program

Additional problem

In addition, we have detected a problem that was already reported a long time ago, and that seems that it could be a problem again. Some systems have a rule in auditd that prevents the monitoring of certain syscall events, and makes the whodata function impossible:
-a never,task

This rule must be removed for use.
PR from fix (currently non-existent): #1929

We will delay the ETA for another week for further investigation.

[jotacarma90]

Changing the status to on hold due to a higher priority issue:
#20342

[jotacarma90]

-a never,task

Hello team, on the subject of the audit -a never,task rule, I can confirm that it is present by default in some operating systems like:

• Fedora 39:

[vagrant@fedora39 ~]$ sudo auditctl -l
-a never,task

• Opensuse 15:

vagrant@opensuse15:~> sudo cat /etc/audit/rules.d/audit.rules
## This set of rules is to suppress the performance effects of the
## audit system. The result is that you only get hardwired events.
-D

## This suppresses syscall auditing for all tasks started
## with this rule in effect.  Remove it if you need syscall
## auditing.
-a task,never

This prevents the whodata healthcheck from proceeding as it should, and therefore whodata is disabled by default on these systems (there may be more).
We must decide how to deal with this problem. One option would be to simply warn in the documentation and in a warning log explaining the reasons for the whodata crash, as well as how to disable this rule.
Another option is to directly allow whodata to disable this rule as it was done in the past.

[vikman90]

Problem Summary

FIM uses an integration with Audit to capture who-data on Linux. From version 3.1 of Audit, FIM/who-data stops working, switching to real-time.

Cause

This version of Audit introduces a default rule:

-a never,task 

Which completely disables the system call auditing.

History and context

In 3.4.0 we introduced who-data in FIM (#756). However, when were reported that a customer installed it on their systems, nothing worked and we set up a troubleshooting meeting. @albertomn86 found the cause: they had the -a never,task rule applied. This was in direct conflict with the agent. We recommended them to remove it and problem solved. 👌

In the following days, we did a development to solve this problem: remove the damn rule (47bc125). However, we then regretted it: we considered that FIM should not modify a rule set by the user, and PR #1929 did not reach a release. Instead, in 3.7.0 we implemented a health-check (#2057) that would check if who-data works well and would act accordingly: continue or switch to real-time.

Now, the -a never,task rule comes by default, which gives a twist to the consideration: it is no longer that who-data works on a clean system and only fails if the user adds the rule, but it will fail by default unless that rule is removed.

Solutions (to discuss)

1. Do nothing in the code. Add to the documentation [Detect changes in a file] that, in addition to installing auditd, you have to clean the Audit ruleset.
   a. If auditd is not installed or the ruleset is not compatible, FIM already produces an error and switches to real-time.
2. Reimplement Add some improvements and fixes in whodata #1929: Search for that rule in the ruleset and remove it, so that who-data works without user intervention. Extras:
   a. Make it optional.
   b. Do it only if -a never,task is the only Audit rule.

Status

This issue will remain blocked until the management team approves a solution.

[jotacarma90]

We have divided the problems encountered with auditd into two different issues, on the one hand, this issue will correspond to the error related to the creation of the af_unix socket.

For the problems related to the task,never rule, we will use this issue:
#19399
We are extending the ETA of this issue for one more week because we have not yet found how to fix it.

[jotacarma90]

Conclusions

We have finally detected that to fix this type of error when the audit version is 3.1.1 or higher, it is necessary to make sure that audispd-plugins is installed correctly as well. To do this:

apt/yum install audispd-plugins
service auditd restart

[jotacarma90]

Entending ETA due to blocked until management decissions

[ncvicchi]

Entending ETA due to blocked until management decissions

[ncvicchi]

This issue is closed by 6871

[ncvicchi]

Merged!