OPNsense
Author Topic: Host-based anomaly detection event (rootcheck).  (Read 1232 times)

sizzling~snitch

Host-based anomaly detection event (rootcheck).
« on: March 06, 2024, 04:55:30 am »
Hello All, I found that OPNsense had a built-in Wazuh agent so I set it up and right away I am getting an alert:

Host-based anomaly detection event (rootcheck).
- Files hidden inside directory '/boot/efi'. Link count does not match number of files (3,1).

I enabled SSH temporarily and looked at that location as root (sudo su), and I am not seeing anything hidden. As this is also a new install (OPNsense 23.10.2-amd64), I am thinking it might be some kind of false positive.

Has anyone seen this before in their setup of the Wazuh-Agent plugin?

sizzling~snitch

Re: Host-based anomaly detection event (rootcheck).
« Reply #1 on: March 21, 2024, 05:22:00 pm »
Following up on this, turns out this is a false positive and has been documented.

sylaan

Re: Host-based anomaly detection event (rootcheck).
« Reply #2 on: December 02, 2024, 12:46:21 pm »
Where is this documented?
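
The pair at the end of the alert can be recomputed by hand. The script below is an added example (not from any poster in this thread, and not Wazuh's code) for triaging that alert on the affected host. It assumes rootcheck compares the number of directory entries it can see, counting '.' and '..', against the directory's `st_nlink`, and that the alert prints the two numbers in that order; the function names and verdict strings are made up for illustration.

```python
#!/usr/bin/env python3
"""Triage helper for rootcheck's 'Link count does not match number of files' alert."""
import os
import stat
import sys


def count_dir_entries(path):
    """Count '.' and '..' plus every entry that is itself a directory (symlinks not followed)."""
    counted = 2  # '.' and '..' are not returned by os.scandir()
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                counted += 1
    return counted


def classify(counted, nlink):
    """Interpret the (counted, nlink) pair printed at the end of the alert."""
    if counted == nlink:
        return "consistent"
    if nlink < 2:
        # A directory on a filesystem that keeps Unix link counts has at least
        # two links (its name in the parent and its own '.'), so a value below
        # 2 means the filesystem does not maintain them and the check is moot.
        return "link-count-not-maintained"
    # Counts are maintained but disagree with what readdir shows: investigate.
    return "mismatch"


def triage(path):
    """Return (counted, nlink, verdict) for one directory."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    counted = count_dir_entries(path)
    return counted, st.st_nlink, classify(counted, st.st_nlink)


if __name__ == "__main__":
    # Defaults to the directory named in the alert from the first post.
    for target in sys.argv[1:] or ["/boot/efi"]:
        counted, nlink, verdict = triage(target)
        print(f"{target}: counted={counted} st_nlink={nlink} -> {verdict}")
```

Run it as root with the directory from the alert as the argument; a `link-count-not-maintained` verdict for a pair such as (3,1) means the comparison cannot indicate hidden files on that filesystem, while `mismatch` on a filesystem that does keep link counts is the case worth a closer look.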