OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: sizzling~snitch on March 06, 2024, 04:55:30 AM

Title: Host-based anomaly detection event (rootcheck).
Post by: sizzling~snitch on March 06, 2024, 04:55:30 AM
Hello All, I found that OPNsense had a built-in Wazuh agent so I set it up and right away I am getting an alert:

Host-based anomaly detection event (rootcheck).
- Files hidden inside directory '/boot/efi'. Link count does not match number of files (3,1).

I enabled SSH temporarily and looked at that location as root (sudo su) and am not seeing anything hidden. I am thinking that, as this is also a new install (OPNsense 23.10.2-amd64), it might be some kind of false positive.

Has anyone seen this before in their setup of the Wazuh-Agent plugin?

Title: Re: Host-based anomaly detection event (rootcheck).
Post by: sizzling~snitch on March 21, 2024, 05:22:00 PM
Following up on this: it turns out this is a false positive and has been documented.

Title: Re: Host-based anomaly detection event (rootcheck).
Post by: sylaan on December 02, 2024, 12:46:21 PM
Where is this documented?