Syscheck agent SQL error on CentOS 7: FIM is not working



I installed Wazuh v3.13.3 on CentOS 7. Syscheck module configuration:

<syscheck>
  <disabled>no</disabled>
  <!-- Frequency that syscheck is executed default every 12 hours -->
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>
  <alert_new_files>yes</alert_new_files>

  <!-- Directories to check  (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin,/boot</directories>
  <directories check_all="yes" realtime="yes">/root</directories>
  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  <ignore>/etc/mail/statistics</ignore>
  <ignore>/etc/random-seed</ignore>
  <ignore>/etc/random.seed</ignore>
  <ignore>/etc/adjtime</ignore>
  <ignore>/etc/httpd/logs</ignore>
  <ignore>/etc/utmpx</ignore>
  <ignore>/etc/wtmpx</ignore>
  <ignore>/etc/cups/certs</ignore>
  <ignore>/etc/dumpdates</ignore>
  <ignore>/etc/svc/volatile</ignore>
  <ignore>/sys/kernel/security</ignore>
  <ignore>/sys/kernel/debug</ignore>
  <ignore>/dev/core</ignore>
  <!-- File types to ignore -->
  <ignore type="sregex">^/proc</ignore>
  <ignore type="sregex">.log$|.swp$</ignore>
  <!-- Check the file, but never compute the diff -->
  <nodiff>/etc/ssl/private.key</nodiff>
  <skip_nfs>yes</skip_nfs>
</syscheck>

Adding a new file to the /root directory:

[root@host ossec]# date; echo "date" >  ~/newfile.txt
Sat May  7 17:01:48 UTC 2022

Agent log messages:

2022/05/07 17:01:48 ossec-syscheckd[26052] fim_db.c:558 at fim_db_exec_simple_wquery(): ERROR: SQL ERROR: cannot commit - no transaction is active
2022/05/07 17:01:48 ossec-syscheckd[26052] fim_db.c:558 at fim_db_exec_simple_wquery(): ERROR: SQL ERROR: cannot commit - no transaction is active
2022/05/07 17:01:48 ossec-syscheckd[26052] fim_db.c:558 at fim_db_exec_simple_wquery(): ERROR: SQL ERROR: cannot commit - no transaction is active
2022/05/07 17:01:48 ossec-syscheckd: ERROR: SQL ERROR: (8)attempt to write a readonly database
2022/05/07 17:01:48 ossec-syscheckd: ERROR: SQL ERROR: (8)attempt to write a readonly database

And I don't see any message about the new file in the log.

The infrastructure is too large to upgrade to Wazuh 4.x.

How can I solve this problem?

Thanks.

The message ERROR: SQL ERROR: (8)attempt to write a readonly database indicates a problem with the database permissions, or that the FIM database fim.db does not exist. Check whether the following files exist on the agent and have the following permissions, user and group:

[drwxr-x--- ossec    ossec   ]  /var/ossec/queue/fim 
[drwxr-x--- ossec    ossec   ]  /var/ossec/queue/fim/db 
[-rw-rw---- root     ossec   ]  /var/ossec/queue/fim/db/fim.db 
[-rw-rw---- root     ossec   ]  /var/ossec/queue/fim/db/fim.db-journal
  • If the fim.db file does not exist, the agent recreates it when it is restarted.
  • If the fim/ and fim/db/ directories do not exist, they must be created with mkdir and given the attributes specified above [drwxr-x--- ossec ossec]; then restart the agent.
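The check and repair steps from the answer, as an added example script that is not part of the original post or of Wazuh itself. It verifies the four entries listed above against the expected mode, owner and group, creates the two directories when they are missing, and leaves fim.db alone because the agent recreates it on restart. It assumes GNU stat (-c) and takes the agent home and the user/group as parameters (defaults /var/ossec and ossec:ossec); the function names fim_check_entry, fim_check_layout and fim_repair_layout are hypothetical.

```shell
#!/bin/sh
# Check and repair the FIM database layout a Wazuh 3.x agent expects.
# Added example, not Wazuh code. Assumes GNU coreutils stat -c.

OSSEC_HOME="${OSSEC_HOME:-/var/ossec}"   # assumption: default agent home
FIM_USER="${FIM_USER:-ossec}"            # assumption: agent user
FIM_GROUP="${FIM_GROUP:-ossec}"          # assumption: agent group

# fim_check_entry PATH MODE USER GROUP
# Returns 0 if PATH exists with exactly that octal mode, owner and group.
fim_check_entry() {
    path=$1; want="$2 $3 $4"
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    got=$(stat -c '%a %U %G' "$path")
    if [ "$got" != "$want" ]; then
        echo "BAD      $path: have '$got', want '$want'"
        return 1
    fi
    echo "OK       $path"
    return 0
}

# fim_check_layout HOME DIR_USER GROUP DB_USER
# Directories must be 750 DIR_USER:GROUP (drwxr-x---), the database files
# 660 DB_USER:GROUP (-rw-rw----). A missing fim.db is only informational,
# since the agent recreates it on restart; a present but wrongly owned or
# read-only fim.db is the condition behind "attempt to write a readonly
# database" and is reported as an error.
fim_check_layout() {
    home=$1; user=$2; group=$3; dbuser=$4; rc=0
    fim_check_entry "$home/queue/fim"    750 "$user" "$group" || rc=1
    fim_check_entry "$home/queue/fim/db" 750 "$user" "$group" || rc=1
    for f in fim.db fim.db-journal; do
        if [ -e "$home/queue/fim/db/$f" ]; then
            fim_check_entry "$home/queue/fim/db/$f" 660 "$dbuser" "$group" || rc=1
        else
            echo "INFO     $home/queue/fim/db/$f absent (recreated on agent restart)"
        fi
    done
    return $rc
}

# fim_repair_layout HOME USER GROUP
# Creates the two directories with the expected mode and ownership. On a
# real agent this needs root for chown; fim.db is deliberately not touched.
fim_repair_layout() {
    home=$1; user=$2; group=$3
    for d in "$home/queue/fim" "$home/queue/fim/db"; do
        [ -d "$d" ] || mkdir -p "$d"
        chmod 750 "$d"
        chown "$user:$group" "$d"
    done
}

# Usage: sh fim_perms.sh --check   (then restart the agent if anything was repaired)
if [ "${1:-}" = "--check" ]; then
    if ! fim_check_layout "$OSSEC_HOME" "$FIM_USER" "$FIM_GROUP" root; then
        echo "Repairing directories under $OSSEC_HOME/queue/fim ..."
        fim_repair_layout "$OSSEC_HOME" "$FIM_USER" "$FIM_GROUP"
        fim_check_layout "$OSSEC_HOME" "$FIM_USER" "$FIM_GROUP" root
    fi
fi
```

Run it as root on the agent, then restart the agent so syscheckd recreates fim.db; the expected owner for fim.db is root because the 3.x syscheckd process that creates it runs as root, which is why the answer lists the files as root:ossec while the directories are ossec:ossec.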
