Joined: Fri Feb 24, 2012 4:42 am Posts: 6 Location: Greece
Hello to all,
Please forgive my ignorance since this is my first time I use ASL and I am not aware of it's capabilities or issues yet. Regarding to my issue now. I installed trial ASL on a Centos up-to-date server and since it's installation I am monitoring it to see how it's working/functioning etc. I notice in the Security Events full of event IDs 550, which if this was a production server I believe I would have to have worried a lot!
"Description This rule is detects when a monitored file changes. This may be an authorized change, or an unauthorized change and these changes should be investigated further."
I get id 550 on libraries, iptables binaries, configurations and a lot. 2076 events out of 2184 are id 550 and keep growing! System is not updating currently. What do you suggest I should check first, second, third... ?
Joined: Thu Feb 07, 2008 7:49 pm Posts: 3600 Location: Chantilly, VA
Thanks for the question. That rule alerts you when a monitored file changes, which can tell you that either someone was changed without your permission (malicious) or that it was changed with your permission.
ASL will try to help you determine if this was due to a software update that was authorized, or via some other method. Just log into ASL, click on the ASL tab, then select File Integrity. If anything has changed you will it in that window (you may need to set the via farther back than today if this happened earlier). Then you will a listing of all the files that changes and when they changed. If you click on the filename it will then try to determine if its a managed piece of software, and if it is it will pull up the systems change log for that file to help you identify what it is and what package/rpm it may be part of.
From there, check your /var/log/yum.log file to see if anything was updated recently, and then see if it matches the files in the FI window. If they don't, then someone may made these changes without your permission. If they do match, then check your logs to see if you updated anything on the system.
I hope this helps, and if you have other questions please don't hesitate to ask.
Users browsing this forum: Google [Bot] and 4 guests
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot post attachments in this forum