On Mon, Mar 16, 2020 at 12:33 PM llehirgen <[email protected]> wrote:
>
> I use dokku on an Ubuntu 18.04 LTS machine.
> I received the following alerts concerning files hidden in a long list of
> directories:
>
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Files hidden inside directory
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/man'.
> Link count does not match number of files (26,1).
>
> Then again:
> Files hidden inside directory
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/dpkg'.
> Link count does not match number of files (2,1).
>
> And so on for a list of 104 directories, like
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/sbin'
> or
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/bin'
> etc. etc.
>
> How am I expected to interpret these alerts? What am I expected to do?
>
rootcheck doesn't understand overlay filesystem stuff yet. There is at least one issue open on the topic (at https://github.com/ossec/ossec-hids/issues).
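Why the rule 510 check fires on every directory under an overlay2 mount, and how to triage such alerts against the host's mount table, as an added example that is not part of this thread or of OSSEC's own code. It re-implements the comparison the alert reports (directory entries counted vs. st_nlink; the counting rule, '.' and '..' plus each subdirectory, is an assumption modelled on the (26,1) and (2,1) pairs above, where /usr/share/dpkg has no subdirectories), parses the alert lines from the question, and looks the directory up in a constructed /proc/mounts sample; the mount table and option strings are constructed, the overlay2 id is the one from the alerts.

```python
import os
import re
import stat

# Directory st_nlink only follows the classic "2 + subdirectories" rule on
# traditional filesystems; overlay (the poster's case) and btrfs report 1 for
# every directory, so rootcheck's comparison fires on each one it walks.
NLINK_UNRELIABLE_FSTYPES = {"overlay", "btrfs"}

ALERT_RE = re.compile(r"Files hidden inside directory '(?P<dir>[^']+)'\.\s+"
                      r"Link count does not match number of files \((?P<entries>\d+),(?P<nlink>\d+)\)\.")

# Constructed stand-in for /proc/mounts on the poster's host (overlay2 id taken
# from the alert, mount options abbreviated).
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "overlay /var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged"
    " overlay rw,relatime,lowerdir=...,upperdir=...,workdir=... 0 0\n")

def parse_alert(line):
    """Extract directory, rootcheck's entry count and st_nlink from a rule 510 alert line."""
    m = ALERT_RE.search(line)
    return None if m is None else {"dir": m["dir"], "entries": int(m["entries"]), "nlink": int(m["nlink"])}

def fstype_of(path, mounts_text):
    """Filesystem type of the longest mount point containing path (how the kernel resolves it)."""
    best_mp, best_fs = "", None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mp, fs = fields[1], fields[2]
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best_mp):
            best_mp, best_fs = mp, fs
    return best_fs

def count_like_rootcheck(path):
    """Assumed approximation of rootcheck's count: '.' and '..' plus each subdirectory, symlinks not followed."""
    return 2 + sum(stat.S_ISDIR(os.lstat(os.path.join(path, n)).st_mode) for n in os.listdir(path))

def classify(entries, nlink, fstype):
    """ok: counts agree; expected-for-fstype: mismatch this filesystem always produces; suspicious: investigate."""
    if entries == nlink:
        return "ok"
    return "expected-for-fstype" if fstype in NLINK_UNRELIABLE_FSTYPES else "suspicious"

def triage_alert(line, mounts_text):
    """Classify one rule 510 alert line against the mount table of the host that raised it."""
    a = parse_alert(line)
    return None if a is None else classify(a["entries"], a["nlink"], fstype_of(a["dir"], mounts_text))
```

On a live host, feed `open("/proc/mounts").read()` instead of SAMPLE_MOUNTS and compare `count_like_rootcheck(path)` with `os.lstat(path).st_nlink` to reproduce the numbers in the alert; a mismatch that survives on ext4 or xfs is the case worth looking at.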
