Hi all,
There seems to be some problem with the latest version (3.11.2) on the agent side for RHEL 8.1 (I can't check it with another version or flavor of linux at this moment). With who-data enabled in these agents, the following error appears:
2020/01/25 18:05:53 ossec-syscheckd: ERROR: (6620): Audit support not built. Whodata is not available.
Syscheck’s config for these agents:
<syscheck>
<disabled>no</disabled>
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<alert_new_files>yes</alert_new_files>
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<directories report_changes="yes" realtime="yes" check_all="yes" whodata="yes">/etc,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes" whodata="yes">/bin,/sbin,/boot</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<ignore>/dev/core</ignore>
<ignore>/etc/ld.so.cache</ignore>
<ignore type="sregex">^/proc</ignore>
<ignore type="sregex">.log$|.swp$</ignore>
<skip_nfs>yes</skip_nfs>
</syscheck>
And the “auditctl -l” command returns:
root@rhelelas025:/var/ossec/logs# auditctl -l
No rules
On other RHEL 8.1 servers and agent versions 3.10.2/3.11.0, this problem does not exist.
Any idea? Has something changed about the options for who-data?
--
Regards,
C. L. Martinez
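As an added example (not part of the original post and not Wazuh's own tooling), the following Python check reads a syscheck block like the one above, lists the directories that request who-data, looks for error 6620 in ossec.log, and cross-checks "auditctl -l" output for matching watch rules. The audit key name wazuh_fim and all three inputs are constructed assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a reduced syscheck block in the shape of the one in the post.
SYSCHECK_XML = """<syscheck>
  <directories report_changes="yes" realtime="yes" check_all="yes" whodata="yes">/etc,/usr/bin</directories>
  <directories check_all="yes" realtime="yes">/var/log</directories>
</syscheck>"""

# Constructed 'auditctl -l' output: only /etc carries a who-data watch rule.
# The key name "wazuh_fim" is an assumption made for this example.
AUDITCTL_OUTPUT = "-w /etc -p wa -k wazuh_fim\n"

# Constructed ossec.log excerpt with the error code reported in the post.
OSSEC_LOG = ("2020/01/25 18:05:53 ossec-syscheckd: ERROR: (6620): "
             "Audit support not built. Whodata is not available.\n")


def whodata_directories(xml_text):
    """Return the directories configured with whodata="yes", in config order."""
    root = ET.fromstring(xml_text)
    dirs = []
    for node in root.findall("directories"):
        if node.get("whodata", "no").lower() == "yes":
            dirs.extend(p.strip() for p in (node.text or "").split(",") if p.strip())
    return dirs


def audited_paths(auditctl_text, key="wazuh_fim"):
    """Paths that have an audit watch rule (-w PATH -p PERMS -k KEY) tagged with KEY."""
    watched = set()
    for line in auditctl_text.splitlines():
        m = re.match(r"-w\s+(\S+)\s+-p\s+\S+\s+-k\s+(\S+)", line.strip())
        if m and m.group(2) == key:
            watched.add(m.group(1))
    return watched  # "No rules" output yields an empty set


def audit_support_missing(log_text):
    """True if syscheckd logged error 6620, i.e. the agent binary lacks audit support."""
    return any("(6620)" in ln and "Audit support not built" in ln
               for ln in log_text.splitlines())


def diagnose(xml_text, auditctl_text, log_text):
    """Summarise who-data readiness: build support plus directories lacking a watch rule."""
    wanted = whodata_directories(xml_text)
    watched = audited_paths(auditctl_text)
    return {"audit_support_missing": audit_support_missing(log_text),
            "whodata_dirs": wanted,
            "unwatched": [d for d in wanted if d not in watched]}


if __name__ == "__main__":
    print(diagnose(SYSCHECK_XML, AUDITCTL_OUTPUT, OSSEC_LOG))
```

If "audit_support_missing" is true, no amount of audit-rule tuning helps; the agent package itself must have been built with audit support before who-data can work.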