SysmonForLinux

Disable auto rewriting of files

Open juju4 opened this issue 1 year ago • 4 comments

Describe the bug

sysmon regularly rewrites files in /opt/sysmon and the systemd unit file. It triggers changes in a host IDS like aide, such as:

    d =.... mc.. .. . : /etc/systemd/system
    f =.... mc..... . : /etc/systemd/system/sysmon.service
    d =.... mc.. .. . : /opt/sysmon
    f =.... mc..H.. . : /opt/sysmon/eventId
    f =.... mc..... . : /opt/sysmon/rules.bin
    f =.... mci.... . : /opt/sysmon/sysmon
    f =.... mc..... . : /opt/sysmon/sysmonEBPFkern4.15.o
    f =b... mc..... . : /opt/sysmon/sysmonEBPFkern4.15_core.o
    f =.... mc..... . : /opt/sysmon/sysmonEBPFkern4.16.o
    f =b... mc..... . : /opt/sysmon/sysmonEBPFkern4.16_core.o
    f =.... mc..... . : /opt/sysmon/sysmonEBPFkern4.17-5.1.o
    f =.... mc..... . : /opt/sysmon/sysmonEBPFkern4.17-5.1_core.o
    f =b... mc..... . : /opt/sysmon/sysmonEBPFkern5.2.o
    f =.... mc..... . : /opt/sysmon/sysmonEBPFkern5.2_core.o
    f =.... mc..... . : /opt/sysmon/sysmonEBPFkern5.3-5.5.o
    f =.... mc..... . : /opt/sysmon/sysmonEBPFkern5.3-5.5_core.o
    f =b... mc..... . : /opt/sysmon/sysmonEBPFkern5.6-.o
    f =.... mc..... . : /opt/sysmon/sysmonEBPFkern5.6-_core.o
    f =.... mc..... . : /opt/sysmon/sysmonLogView

From the aide.conf man page:

    b  the block count has changed
    m  the modification time has changed
    c  the change time has changed
    i  the inode has changed
    H  one or more message digests have changed

Is there any way to disable this behaviour, especially as the files are unchanged most of the time? I can mark the files as immutable, but I would prefer fixing this at the source and only having changes when the package is updated (or the kernel).

To Reproduce
Install sysmon and a HIDS like aide. Aide on Debian (or Ubuntu) has a daily check task by default.

Sysmon version 1.3.3 (upstream package)

Distro/kernel version

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy
# uname -a
Linux HOST 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Sysmon configuration Irrelevant

Logs Irrelevant

Expected behavior
Files, including all binaries and kernel modules, should not be changed without a defined action, typically a package update of sysmon or a kernel update. In its current form, it happens by itself even when there is no sysmon or kernel update, and without any configuration option.

Additional context
No change should happen to the system without a controlled change operated by the administrator or delegated systems, even more so for binaries and kernel modules. This likely creates issues for immutable systems.

juju4 commented Aug 24 '24 22:08
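The aide summary lines above encode, per attribute, whether it changed; the letters that matter for this report are the five the aide.conf excerpt lists (b, m, c, i, H). The following is an added example, not code from the issue participants or the Sysmon project: it parses lines in that format and separates entries where only metadata moved (mtime/ctime/block count/inode) from entries where a digest changed, which is the only flag that proves the bytes are different. The regex and the sample lines (copied from the report above) are assumptions about the aide summary layout, not an aide API.

```python
"""Classify aide summary lines: did content change, or only metadata?"""
import re
from dataclasses import dataclass

# Letter meanings taken from the aide.conf excerpt quoted in the report.
# Any other letter is kept but reported as "other" rather than guessed at.
FLAG_MEANING = {
    "b": "block count",
    "m": "modification time",
    "c": "change time",
    "i": "inode",
    "H": "message digest",
}
# A block-count change without a digest change can occur when a file is
# rewritten with identical bytes, so only 'H' counts as a content change.
CONTENT_FLAGS = frozenset({"H"})

# Assumed layout: type char, attribute field (may contain spaces), ':', path.
LINE_RE = re.compile(r"^(?P<type>[fdl])\s+(?P<flags>[^:]+?)\s*:\s*(?P<path>\S.*)$")


@dataclass(frozen=True)
class AideChange:
    path: str
    ftype: str            # 'f' file, 'd' directory, 'l' symlink
    flags: frozenset      # attribute letters that aide marked as changed

    def content_changed(self) -> bool:
        return bool(self.flags & CONTENT_FLAGS)

    def metadata_only(self) -> bool:
        return bool(self.flags) and not self.content_changed()

    def describe(self) -> str:
        names = [FLAG_MEANING.get(f, f"other({f})") for f in sorted(self.flags)]
        return f"{self.path}: {', '.join(names)}"


def parse_line(line: str):
    """Return an AideChange for one summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # '=' and '.' mean unchanged/ignored; only letters denote a changed attribute.
    letters = frozenset(ch for ch in m.group("flags") if ch.isalpha())
    return AideChange(m.group("path"), m.group("type"), letters)


def parse_report(text: str):
    """Parse every matching line of an aide summary; skip non-matching lines."""
    changes = [parse_line(ln) for ln in text.splitlines()]
    return [c for c in changes if c is not None]


def summarize(changes):
    """Split paths into content changes vs metadata-only changes."""
    return {
        "content": sorted(c.path for c in changes if c.content_changed()),
        "metadata_only": sorted(c.path for c in changes if c.metadata_only()),
    }


# Sample input: lines copied from the aide report in this issue.
SAMPLE_REPORT = """
d =.... mc.. .. . : /etc/systemd/system
f =.... mc..... . : /etc/systemd/system/sysmon.service
f =.... mc..H.. . : /opt/sysmon/eventId
f =.... mc..... . : /opt/sysmon/rules.bin
f =.... mci.... . : /opt/sysmon/sysmon
f =b... mc..... . : /opt/sysmon/sysmonEBPFkern4.15_core.o
"""

if __name__ == "__main__":
    result = summarize(parse_report(SAMPLE_REPORT))
    print("content changed:  ", result["content"])
    print("metadata only:    ", result["metadata_only"])
    for change in parse_report(SAMPLE_REPORT):
        print(change.describe())
```

Run against the report above, only /opt/sysmon/eventId lands in the content bucket; every other entry changed timestamps (and sometimes block count or inode) with unchanged digests, which is the point the reporter is making.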

Sysmon uses /opt/sysmon as an installation directory. When it's first installed (using -i) it writes a bunch of files into that directory (such as the .o files, config, etc.). During other Sysmon operations, like updating the configuration, parts of those files will once again be updated, which is by design. For example, when a user runs: sysmon -c ~/newschema.xml, that schema file will be written to the directory (as well as a binary representation of the schema).

MarioHewardt commented May 20 '25 17:05

It seems to be way more often than just the initial install and binary/config updates and, as said above, outside of administrator actions and expected auto-updates.

juju4 commented May 25 '25 22:05

If you are able to identify the scenarios under which the changes occur, that would be helpful in determining the root cause.

MarioHewardt commented May 27 '25 14:05

It seems all .o and binary files are touched every day at midnight UTC, but there is no matching cron job or systemd timer. In the past week, I have had 9 rewrites for binaries/.o/systemd unit (parent systemd), 8 for rules.bin, and one for argc/config.xml/eventId/argv (parent is sysmonforlinux). At the least, it should not affect files that are the same. The config update comes from the recent package update to 1.3.7. As this is an automated deployment, I can't be sure if there was any notification, but I would expect minor updates not to affect local config. Note that the changes as shown by Aide above are mostly modification and change time and sometimes block count, but not hashes. So why touch those files?

juju4 commented Jun 01 '25 21:06
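The reporter's observation (timestamps and block counts move, digests do not) can be reproduced without aide by taking a stat-plus-hash snapshot of the installation directory before and after an operation such as a configuration reload, and diffing the two. The block below is an added example, not part of the Sysmon project or of either participant's posts; it reports changes with the same letters aide uses (b, m, c, i, H) so the output can be compared directly with the report above. The demo scenario is constructed in a temporary directory: one file rewritten with identical bytes, one with new bytes; nothing about Sysmon's internals is assumed.

```python
"""Stat-and-hash baseline for a directory such as /opt/sysmon.

snapshot() records block count, mtime, ctime, inode and SHA-256 per file;
compare() reports which of those moved, using aide's letters b/m/c/i/H.
"""
import hashlib
import os
import tempfile
from pathlib import Path

ATTR_ORDER = "bmciH"  # aide letter order used for the flag string


def snapshot(root):
    """Return {relative_path: {letter: value}} for every regular file under root."""
    root = Path(root)
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        records[str(p.relative_to(root))] = {
            "b": getattr(st, "st_blocks", 0),   # block count (Linux)
            "m": st.st_mtime_ns,                # modification time
            "c": st.st_ctime_ns,                # inode change time
            "i": st.st_ino,                     # inode number
            "H": hashlib.sha256(p.read_bytes()).hexdigest(),
        }
    return records


def compare(before, after):
    """Map each changed path to its flag string ('+' added, '-' removed)."""
    changes = {}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            changes[rel] = "+"
        elif rel not in after:
            changes[rel] = "-"
        else:
            letters = "".join(k for k in ATTR_ORDER if before[rel][k] != after[rel][k])
            if letters:
                changes[rel] = letters
    return changes


def content_changed(flags: str) -> bool:
    """Only a digest change proves the bytes differ; m/c/b/i alone do not."""
    return "H" in flags


def demo():
    """Constructed scenario: same-bytes rewrite vs. a genuine content change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "rules.bin").write_bytes(b"rule-blob-v1")
        (root / "config.xml").write_bytes(b"<Sysmon>old</Sysmon>")
        base = snapshot(root)

        # Rewrite rules.bin with identical content, then push mtime forward by
        # one second so the rewrite is visible even on a fast machine.
        (root / "rules.bin").write_bytes(b"rule-blob-v1")
        new_mtime = base["rules.bin"]["m"] + 1_000_000_000
        os.utime(root / "rules.bin", ns=(new_mtime, new_mtime))

        # Genuine configuration change: different bytes.
        (root / "config.xml").write_bytes(b"<Sysmon>new</Sysmon>")

        return compare(base, snapshot(root))


if __name__ == "__main__":
    for path, flags in demo().items():
        kind = "content" if content_changed(flags) else "metadata only"
        print(f"{flags:6s} {path}  ({kind})")
```

In practice you would run snapshot() once on /opt/sysmon, perform the suspected operation (or wait past midnight UTC, per the report), snapshot again and look at which paths carry an H. Entries with only m/c/b tell you the files were rewritten in place with the same bytes, which matches what aide showed.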