"integrity-checker" error in syslog related to nsx-netopa / nsx-sha

Article ID: 393623

Updated On:

Products

VMware NSX

Issue/Introduction

  • When reviewing the syslog file on NSX-T Manager or Edge nodes, the following "file integrity-checker" log messages may be seen.
    • integrity-checker error, found in /var/log/syslog:
      2025-03-08T00:00:11.833Z <Edge or MGR_name> NSX 26707 - [nsx@6876 comp="nsx-edge" subcomp="integrity-checker" username="root" level="WARNING"] [FILE_INTEGRITY_CHECK_FAILED] Reason : SYMBOLIC LINK ADDED, Name : "/usr/lib/python3/dist-packages/OpenSSL/OpenSSL" at 2025-03-07 23:23:04.024000169 +0000
      2025-03-08T00:00:11.834Z <Edge or MGR_name> NSX 26707 - [nsx@6876 comp="nsx-edge" subcomp="integrity-checker" username="root" level="WARNING"] [FILE_INTEGRITY_CHECK_FAILED] Reason : SYMBOLIC LINK ADDED, Name : "/usr/lib/python3/dist-packages/cryptography/cryptography" at 2025-03-07 23:23:04.040000169 +0000
      2025-03-08T00:00:12.104Z <Edge or MGR_name> NSX 26707 - [nsx@6876 comp="nsx-edge" subcomp="integrity-checker" username="root" level="WARNING"] [FILE_INTEGRITY_CHECK_FAILED] Reason : REGULAR FILE MODIFIED, Name : "/opt/vmware/nsx-netopa/bin/nsx-sha" at 2025-03-07 23:23:04.000000168 +0000
      2025-03-08T00:00:12.104Z <Edge or MGR_name> NSX 26707 - [nsx@6876 comp="nsx-edge" subcomp="integrity-checker" username="root" level="WARNING"] [FILE_INTEGRITY_CHECK_FAILED] Reason : REGULAR FILE MODIFIED, Name : "/opt/vmware/nsx-netopa/bin/sha_watchdog.sh" at 2025-03-07 23:23:04.000000168 +0000
      2025-03-08T00:00:12.105Z <Edge or MGR_name> NSX 26707 - [nsx@6876 comp="nsx-edge" subcomp="integrity-checker" username="root" level="WARNING"] [FILE_INTEGRITY_CHECK_FAILED] Reason : DIRECTORY MODIFIED, Name : "/opt/vmware/nsx-netopa/lib/python" at 2025-03-07 23:23:04.032000169 +0000
      2025-03-08T00:00:12.105Z <Edge or MGR_name> NSX 26707 - [nsx@6876 comp="nsx-edge" subcomp="integrity-checker" username="root" level="WARNING"] [FILE_INTEGRITY_CHECK_FAILED] Reason : REGULAR FILE MODIFIED, Name : "/opt/vmware/nsx-opsagent/bin/watchdog.sh" at 2025-03-07 23:24:07.355747402 +0000
      2025-03-08T00:00:12.105Z <Edge or MGR_name> NSX 26707 - [nsx@6876 comp="nsx-edge" subcomp="integrity-checker" username="root" level="WARNING"] [FILE_INTEGRITY_CHECK_FAILED] Reason : DIRECTORY MODIFIED, Name : "/usr/lib/python3/dist-packages/OpenSSL" at 2025-03-07 23:23:04.024000169 +0000
      2025-03-08T00:00:12.105Z <Edge or MGR_name> NSX 26707 - [nsx@6876 comp="nsx-edge" subcomp="integrity-checker" username="root" level="WARNING"] [FILE_INTEGRITY_CHECK_FAILED] Reason : DIRECTORY MODIFIED, Name : "/usr/lib/python3/dist-packages/cryptography" at 2025-03-07 23:23:04.040000169 +0000
      2025-03-08T00:00:12.106Z <Edge or MGR_name> NSX 26707 - [nsx@6876 comp="nsx-edge" subcomp="integrity-checker" username="root" level="WARNING" invalid="true"] [FILE_INTEGRITY_CHECK] Overall status : FAILED. RESULTS: TOTAL: 55876 VERIFIED: 55878 [ADDED: 2 DELETED: 0 MODIFIED: 6]

Environment

NSX 4.1.1

Cause

netopa/nsx-sha modifies the permissions of some files on appliances after deployment. The "file integrity-checker" compares the current file state against a baseline created during appliance deployment. Because of the changes made by netopa/nsx-sha, the "file integrity-checker" script incorrectly marks certain files as "failed".

Resolution

Enhancements to NSX code will be made so that the integrity-checker script does not incorrectly mark these files as "failed".

Additional Information

There is no impact on NSX functionality; these netopa/nsx-sha modifications are by design.
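
When triaging these warnings, treat only the exact reason and path pairs shown in the log excerpt above as the known condition, and review anything else as a real integrity finding. The following is an added example, not VMware's or this article's code: the hostname `edge01`, the path `/example/constructed/path` and the `triage` helper are constructed for illustration, and the completeness check assumes one event line per change counted in the summary, as in the excerpt.

```python
import re

# (reason, path) pairs copied from this article's log excerpt; anything else needs review.
KNOWN = {
    ("SYMBOLIC LINK ADDED", "/usr/lib/python3/dist-packages/OpenSSL/OpenSSL"),
    ("SYMBOLIC LINK ADDED", "/usr/lib/python3/dist-packages/cryptography/cryptography"),
    ("REGULAR FILE MODIFIED", "/opt/vmware/nsx-netopa/bin/nsx-sha"),
    ("REGULAR FILE MODIFIED", "/opt/vmware/nsx-netopa/bin/sha_watchdog.sh"),
    ("DIRECTORY MODIFIED", "/opt/vmware/nsx-netopa/lib/python"),
    ("REGULAR FILE MODIFIED", "/opt/vmware/nsx-opsagent/bin/watchdog.sh"),
    ("DIRECTORY MODIFIED", "/usr/lib/python3/dist-packages/OpenSSL"),
    ("DIRECTORY MODIFIED", "/usr/lib/python3/dist-packages/cryptography"),
}
EVENT = re.compile(r'\[FILE_INTEGRITY_CHECK_FAILED\] Reason : (?P<reason>[^,]+), '
                   r'Name : "(?P<path>[^"]+)"')
SUMMARY = re.compile(r'\[FILE_INTEGRITY_CHECK\] Overall status : (?P<status>\w+)\. .*'
                     r'\[ADDED: (?P<a>\d+) DELETED: (?P<d>\d+) MODIFIED: (?P<m>\d+)\]')

def triage(lines):
    """Split integrity-checker findings into known-by-article and unexpected."""
    known, unexpected, reported = [], [], None
    for line in lines:
        if 'subcomp="integrity-checker"' not in line:
            continue
        ev = EVENT.search(line)
        if ev:
            item = (ev["reason"].strip(), ev["path"])
            (known if item in KNOWN else unexpected).append(item)
            continue
        s = SUMMARY.search(line)
        if s:
            reported = int(s["a"]) + int(s["d"]) + int(s["m"])
    # A summary count that differs from the parsed events means lines are missing from the input.
    complete = reported is not None and reported == len(known) + len(unexpected)
    return {"known": known, "unexpected": unexpected, "complete": complete}

# Constructed sample in the article's log format; the second path is made up to show a finding.
PFX = ('2025-03-08T00:00:12.104Z edge01 NSX 26707 - [nsx@6876 comp="nsx-edge" '
       'subcomp="integrity-checker" username="root" level="WARNING"] ')
SAMPLE = [
    PFX + '[FILE_INTEGRITY_CHECK_FAILED] Reason : REGULAR FILE MODIFIED, Name : "/opt/vmware/nsx-netopa/bin/nsx-sha" at 2025-03-07 23:23:04.000000168 +0000',
    PFX + '[FILE_INTEGRITY_CHECK_FAILED] Reason : REGULAR FILE MODIFIED, Name : "/example/constructed/path" at 2025-03-07 23:23:04.000000168 +0000',
    PFX + '[FILE_INTEGRITY_CHECK] Overall status : FAILED. RESULTS: TOTAL: 55876 VERIFIED: 55878 [ADDED: 0 DELETED: 0 MODIFIED: 2]',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Matching on the reason as well as the path means a listed file that later shows a different change type is still surfaced for review.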