Need to suppress/ignore specific application in Auditd: process ended abnormally

[Dhruvin Shah]

Hi All

I want to stop receiving alerts for /usr/bin/zypper in under Auditd: process ended abnormally. any possibility of doing this from agent.conf ? If not then what would a better way to do it?

Best regards

[Henadence Anyam]

Hello Dhruvin!

Thank you for using Wazuh.

To suppress the rule ID: 80711 for the specific process, you can add a child rule with level 0 using the field audit.exe.
To do so, add the following block in the /var/ossec/etc/rules/local_rules.xml file of the Wazuh server:

<group name="audit, suppression,">

    <rule id="150000" level="0"> 

        <if_sid>80711</if_sid> 

        <field name="audit.exe">^/usr/bin/zypper$</field>

        <description>Suppress the $(audit.exe) application failure alert</description>

    </rule>

</group>

Note: The Wazuh server is responsible for analyzing events so perform this on the Wazuh server. The agent.conf file is used for centrally configuring Wazuh agents. 

Let me know if you find this information helpful.

Best regards.

[Dhruvin Shah]

Henadence Thank you so much, really appreciate the assistance.

By the way, Is it possible to add another application in the same rule in case another application needs to be suppressed?

Best Regards

[Henadence Anyam]

Yes, you can add other applications to the same rule by using the OR (|) operator in the <field> option. 

For example adding /usr/bin/ls to the rule looks like so:

<field name="audit.exe">/usr/bin/zypper$|/usr/bin/ls$</field>

Best regards.

[Dhruvin Shah]

Ah great, thank you so much Henadence, really helpful.

Best Regards