Too many 'Integrity Checksum Changed' alerts/false positives #23527
BlueAnchorNM
started this conversation in
General
Replies: 1 comment 1 reply
-
Ditto - just done my 1st install of Wazuh and had a minor panic when both my Macs (Intel and M2) gave alarms. Running codesign (e.g. codesign --display --verbose=4 /usr/bin/vim) seems to say all OK, however.
-
Hi,
I'm getting very frustrated with the hundreds of 'Integrity Checksum Changed' alerts (rule id 550) that I'm getting after bringing one of my endpoints online and the Wazuh agent kicks in. I'm using macOS (latest Sonoma). Here is an example of what I get:
_index: wazuh-alerts-4.x-2024.05.20
agent.id: 001
agent.ip: 10.0.0.143
agent.name: Maxs-Mac-Air.local
decoder.name: syscheck_integrity_changed
full_log:
    File '/usr/sbin/htcacheclean' modified
    Mode: scheduled
    Changed attributes: inode
    Old inode was: '-2147483648', now it is '1152921500312528768'
id: 1716218792.15754015
input.type: log
location: syscheck
manager.name: wazuh-server
rule.description: Integrity checksum changed.
rule.firedtimes: 1,315
rule.gdpr: II_5.1.f
rule.gpg13: 4.11
rule.groups: ossec, syscheck, syscheck_entry_modified, syscheck_file
rule.hipaa: 164.312.c.1, 164.312.c.2
rule.id: 550
I'd really like a workaround to avoid these alerts if there isn't a fix. For example, how can these be omitted from the list of Events? I don't want to miss REAL alerts because they get lost in the hundreds of false positives related to 'Integrity Checksum Changed.'
Thank you!
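As an added example (not Wazuh's code and not from either poster), here is a small Python triage script that parses syscheck full_log text in the shape quoted in the post and sorts each rule 550 alert into "investigate" (file bytes, permissions or ownership changed), "review" (inode or mtime moved from a real baseline) or "suppress-candidate" (only the inode changed, and the old inode is -2147483648). That last bucket is a heuristic of this example: -2147483648 is exactly the smallest 32-bit signed integer, so it is treated here as a placeholder baseline rather than a value the agent ever really recorded. The regexes assume the full_log layout shown above, and the sample alerts are constructed (the first mirrors the one in the post).

```python
# Added example for this thread (not Wazuh code): triage FIM "modified" alerts
# by parsing the full_log text in the shape shown in the post, so inode-only
# changes can be separated from real content/ownership changes before anyone
# decides what to suppress.
import re
from dataclasses import dataclass
from typing import List, Optional

# -2147483648 is the smallest 32-bit signed integer. Treating an "old inode" of
# exactly this value as a placeholder baseline is a heuristic assumed by this
# example, not behaviour Wazuh documents.
INT32_MIN = -(2 ** 31)

# Attributes whose change means the file's bytes, permissions or ownership
# really differ; these always deserve a look.
CONTENT_ATTRS = {"size", "md5", "sha1", "sha256", "perm", "uid", "gid",
                 "user_name", "group_name"}

FILE_RE = re.compile(r"^File '(?P<path>[^']+)' modified", re.M)
MODE_RE = re.compile(r"^Mode: (?P<mode>\S+)", re.M)
ATTRS_RE = re.compile(r"^Changed attributes: (?P<attrs>.+)$", re.M)
INODE_RE = re.compile(r"Old inode was: '(?P<old>-?\d+)', now it is '(?P<new>-?\d+)'")


@dataclass
class FimChange:
    path: str
    mode: str
    changed: List[str]
    old_inode: Optional[int]
    new_inode: Optional[int]


def parse_full_log(text: str) -> FimChange:
    """Extract path, scan mode, changed attributes and the inode pair from a full_log."""
    m_file = FILE_RE.search(text)
    m_mode = MODE_RE.search(text)
    m_attrs = ATTRS_RE.search(text)
    if not (m_file and m_mode and m_attrs):
        raise ValueError("not a syscheck 'modified' full_log: %r" % text[:60])
    attrs = [a.strip() for a in m_attrs.group("attrs").split(",") if a.strip()]
    m_inode = INODE_RE.search(text)
    old = int(m_inode.group("old")) if m_inode else None
    new = int(m_inode.group("new")) if m_inode else None
    return FimChange(m_file.group("path"), m_mode.group("mode"), attrs, old, new)


def triage(change: FimChange) -> str:
    """Return 'investigate', 'review' or 'suppress-candidate' for one alert."""
    if set(change.changed) & CONTENT_ATTRS:
        return "investigate"          # bytes, permissions or ownership changed
    if change.changed == ["inode"] and change.old_inode == INT32_MIN:
        return "suppress-candidate"   # inode only, and from the placeholder baseline
    return "review"                   # inode/mtime moved from a real baseline


def summarize(full_logs: List[str]) -> dict:
    """Count verdicts over a batch of full_log strings."""
    counts = {"investigate": 0, "review": 0, "suppress-candidate": 0}
    for text in full_logs:
        counts[triage(parse_full_log(text))] += 1
    return counts


# Constructed sample alerts; the first mirrors the full_log quoted in the post.
SAMPLE_LOGS = [
    "File '/usr/sbin/htcacheclean' modified\nMode: scheduled\n"
    "Changed attributes: inode\n"
    "Old inode was: '-2147483648', now it is '1152921500312528768'",
    "File '/usr/bin/vim' modified\nMode: scheduled\n"
    "Changed attributes: size,sha256\n"
    "Size changed from '3140' to '3152'",
    "File '/etc/hosts' modified\nMode: realtime\n"
    "Changed attributes: inode,mtime\n"
    "Old inode was: '4130', now it is '4188'",
]

if __name__ == "__main__":
    for text in SAMPLE_LOGS:
        change = parse_full_log(text)
        print(f"{triage(change):18} {change.path} changed={change.changed}")
    print(summarize(SAMPLE_LOGS))
```

Once the inode-only pattern has been confirmed as noise (the codesign check from the reply above is the right confirmation for system binaries), the usual way to quiet it in Wazuh is a child rule in local_rules.xml with `<if_sid>550</if_sid>` and a lower level that matches just that pattern, rather than lowering or disabling rule 550 itself, so content and ownership changes keep alerting at full level.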