difference between integrity monitoring and system auditing


mauro....@cmcc.it

May 20, 2021, 6:18:58 AM
to Wazuh mailing list
Dear Users,

I'm a newbie and I'm trying to start using Wazuh for the first time.
I configured almost all available capabilities and it seems they are working as expected.

I would like to monitor added, deleted or changed files saved in multiple directories (for example /etc/bin/ and so on). So, I just activated the "Integrity Monitoring" capability and I can see FIM events in the Wazuh dashboard.

I noticed that there is a "System auditing" tab in Wazuh GUI.
So, I decided to start studying and activating this check as well, but I'm not understanding the difference between FIM and System Auditing.

Could you please explain the difference?

If it can help, I would like to note that:

- I installed the audit service on each agent;
- I added this block to the ossec.conf file (on the manager):

<syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot,/root</directories>
    <directories check_all="yes" whodata="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin,/boot,/root</directories>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin,/boot,/root</directories>

</syscheck>

- I added these rules to audit config:

auditctl -w /etc -p wa -k wazuh_fim
auditctl -w /usr/bin -p wa -k wazuh_fim
auditctl -w /usr/sbin -p wa -k wazuh_fim
auditctl -w /sbin -p wa -k wazuh_fim
auditctl -w /boot -p wa -k wazuh_fim
auditctl -w /root -p wa -k wazuh_fim

auditctl -w /etc -p w -k audit-wazuh-w
auditctl -w /usr/bin -p w -k audit-wazuh-w
auditctl -w /usr/sbin -p w -k audit-wazuh-w
auditctl -w /sbin -p w -k audit-wazuh-w
auditctl -w /boot -p w -k audit-wazuh-w
auditctl -w /root -p w -k audit-wazuh-w

P.S.: what is the difference between wazuh_fim and audit-wazuh-*?

Thank you in advance,
Mauro

Jose Luis Carreras Marin

May 20, 2021, 10:59:59 AM
to Wazuh mailing list
Hi Mauro
Let me tell you the difference between FIM (File Integrity Monitoring) and localfile using audit. Both options use the audit service.

  • FIM has 3 different configuration modes:
    • Scheduled: A scheduled scan that sweeps the configured directories.
    • Realtime: Generates real-time events using the inotify tool.
    • Whodata: Generates real-time events using audit service. This mode includes all the data generated in realtime mode, and adds data related to the user who generated the event. So it is not necessary to complement realtime + whodata.

You can read more about the configuration modes in the documentation:
Using whodata mode, you don't need to write the audit rules yourself, just configure the syscheck module as you set it up:

    <directories check_all="yes" whodata="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin,/boot,/root</directories>

But be careful!
The ossec.conf file of the manager only affects the manager itself. You also need to configure the agents, which have their own ossec.conf.
There is a way to make a centralized configuration, making use of the agent.conf file in manager side. You can read more about centralised configuration here:

On the other hand, localfile allows you to directly configure the monitoring of the audit.log file in this way:

<localfile>
    <!-- default auditd log location; the original post had a doubled "log/" in the path -->
    <location>/var/log/audit/audit.log</location>
    <log_format>audit</log_format>
</localfile>

But here you will have to manage the audit rules yourself; it is a good idea, for example, to monitor system calls or even root actions. For monitoring directories, it is more efficient to use FIM.
You can see in this blog how to configure the whole localfile process with audit:

I hope all your doubts have been solved; if you have any other questions, don't hesitate to ask.
Greetings, Jose.

Mauro Tridici

May 20, 2021, 11:31:23 AM
to Jose Luis Carreras Marin, Wazuh mailing list
Hello Jose,

fantastic explanation, thank you very much!
Now everything is clear! I really appreciated your support.

I just fixed my configuration and now everything is ok! And I’m happy :)

My last question:
I also tried to activate the root actions following the page you suggested ( https://wazuh.com/blog/monitoring-root-actions-on-linux-using-auditd-and-wazuh/ ).
It works, but it is saving the logs of a lot of root actions performed by the "operating system services".

Do you know if I can change something in these lines to reduce the number of unnecessary logs?

-a exit,always -F arch=b64 -F euid=0 -S execve -k  audit-wazuh-c
-a exit,always -F arch=b32 -F euid=0 -S execve -k  audit-wazuh-c

Thank you very much in advance.
Kind Regards,
Mauro



Simone Bonetti

May 21, 2021, 1:41:13 AM
to Wazuh mailing list
try this:
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=-1 -k audit-wazuh-c
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid!=-1 -k audit-wazuh-c

It's an "issue" of auditd.
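To see what the added `-F auid!=-1` condition changes, here is an added Python example (not from the thread and not Wazuh code) that applies the same predicate as the two rule variants to a few constructed audit.log SYSCALL records: euid=0 alone keeps every root execve, including services whose login uid (auid) was never set, while the auid check keeps only commands run from a real login session.

```python
import re

# Constructed sample SYSCALL records in Linux audit.log format (not a real capture).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1621500000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="audit-wazuh-c"
type=SYSCALL msg=audit(1621500001.337:202): arch=c000003e syscall=59 success=yes exit=0 ppid=3011 pid=3012 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="audit-wazuh-c"
type=SYSCALL msg=audit(1621500002.512:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key="audit-wazuh-c"
type=SYSCALL msg=audit(1621500003.004:204): arch=c000003e syscall=59 success=yes exit=0 ppid=3011 pid=3020 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="audit-wazuh-c"
"""

# auditd stores an unset login uid as (unsigned)-1, which is what "auid!=-1" filters out.
AUID_UNSET = 4294967295
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_syscall_record(line):
    """Return the key=value fields of one SYSCALL record, or None for other record types."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields if fields.get("type") == "SYSCALL" else None

def matches_rule(rec, require_login_session):
    """Mimic the rule predicate: euid=0, plus auid!=-1 when require_login_session is set."""
    if int(rec.get("euid", -1)) != 0:
        return False
    if require_login_session and int(rec.get("auid", AUID_UNSET)) == AUID_UNSET:
        return False
    return True

def filter_records(log_text, require_login_session=True):
    """Return (auid, comm, exe) for each record the chosen rule variant would emit."""
    kept = []
    for line in log_text.splitlines():
        rec = parse_syscall_record(line)
        if rec and matches_rule(rec, require_login_session):
            kept.append((rec["auid"], rec["comm"], rec["exe"]))
    return kept

if __name__ == "__main__":
    print("euid=0 only      :", filter_records(SAMPLE_AUDIT_LOG, False))
    print("euid=0, auid!=-1 :", filter_records(SAMPLE_AUDIT_LOG, True))
```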

Mauro Tridici

May 21, 2021, 3:01:27 AM
to Simone Bonetti, Wazuh mailing list
Great! It works!

Thank you very much, Simone.
Have a great day.
Mauro
