How to enable FIM on the C:\Windows, C:\Program Files and C:\Program Files (x86) directories.


Prajapati Hitesh

Dec 27, 2022, 11:44:54 AM
to Wazuh mailing list
Hi,

Can someone help me enable FIM for the "C:\Windows, C:\Program Files and C:\Program Files (x86)" directories?

I have tried adding the entries below to the agent config file, but data modifications are not found.

<directories check_all="yes" report_changes="yes" realtime="yes" whodata="yes">%Windows%</directories>

<directories check_all="yes" report_changes="yes" realtime="yes" whodata="yes">C:\Program Files (x86)</directories>


I am getting data for the directory below successfully.

<directories check_all="yes" report_changes="yes" realtime="yes" whodata="yes">C:\Users\hprajapati-admin\Desktop</directories>


Can someone help resolve this issue?

Raul Del Pozo Moreno

Dec 27, 2022, 1:55:22 PM
to Prajapati Hitesh, Wazuh mailing list
Hello Prajapati Hitesh,

It would be necessary to know the version of the Wazuh agent and Wazuh manager that you are using, as well as the Windows system used. I will initially assume that you are using the latest version (Wazuh v4.3.10).

Regarding the options, keep in mind that the use of whodata already implies the use of realtime, so it is not necessary to add it:


Who-data monitoring is configured with the whodata attribute of the directories option. This attribute replaces the realtime attribute, which means that whodata implies real-time monitoring but adds the who-data information.

So the configuration would be as follows:

<directories check_all="yes" report_changes="yes" whodata="yes">C:\Windows</directories>
<directories check_all="yes" report_changes="yes" whodata="yes">C:\Program Files (x86)</directories>
<directories check_all="yes" report_changes="yes" whodata="yes">C:\Users\hprajapati-admin\Desktop</directories>

Note that it is not a good idea to monitor these folders in their entirety, as, for example, you would be monitoring the agent's own folder (ossec-agent) in Program Files (x86), generating messages like the following:

2022/12/27 09:40:22 wazuh-agent: ERROR: (6715): The path of the file monitored 'c:\program files (x86)\ossec-agent\queue\diff\local\c\program files (x86)\ossec-agent\queue\diff\local\c\program files (x86)\ossec-agent\queue\diff\local\c\program files (x86)\ossec-agent\profile-2019.template\last-entry.gz\last-entry.gz\last-entry.gz' is too long to compute differences.

This error is specifically due to the Windows limitation on path length; this has been fixed for the future Wazuh 4.5.0 release: https://github.com/wazuh/wazuh/pull/13588

Also, this will add a lot of load to the system since certain files are constantly changing. So, I recommend that you establish localized monitoring, or if you still want to monitor the entire folder, use the ignore option to avoid certain directories, for example:

<ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

According to the configuration you have shared, you should have messages in the ossec.log file like the following, indicating that the directory is being monitored; please check if you see this message:

2022/12/27 09:39:41 wazuh-agent: INFO: (6003): Monitoring path: 'c:\program files (x86)', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | report_changes | whodata'.

Keep in mind that after adding the configuration and restarting the agent, depending on the system load, it may take more or less time to detect the changes. Additionally, check the ossec.log file for messages listed as "ERROR", "CRITICAL", "WARNING", and "FATAL".

Regarding C:\Windows, this directory generates a lot of load on the system, affecting the rest of the functionalities. Please modify the path to monitor a specific file or directory and check if you receive alerts, for example, for C:\Windows\mydir\myfile.

Regards, Raúl. 

Raúl Del Pozo Moreno
IT Security Engineer - CICD, Wazuh


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/61b5cd8f-4731-4773-b39b-ec99ab473355n%40googlegroups.com.

Prajapati Hitesh

Dec 28, 2022, 1:29:34 AM
to Wazuh mailing list
Thanks, Raul, for your help. I will change my directory path as you explained and let you know.

Currently, I am getting the error below on that server after adding the %windir% directory to FIM:

Rule: 233 fired (level 12) -> "The file limit set for this agent is 100000. Now, 100000 files are being monitored and no more files will be monitored. Change this setting in centralized configuration or locally on the agent."

Portion of the log(s):

wazuh: FIM DB: {"file_limit":100000,"file_count":100000,"alert_type":"full"}
file_limit: 100000
file_count: 100000
alert_type: full

Raul Del Pozo Moreno

Dec 28, 2022, 8:41:06 AM
to Prajapati Hitesh, Wazuh mailing list
Hello Prajapati Hitesh,

Currently, that message is not an error but an informational message displayed by a triggered rule. By default, the value is 100000 files, but that can be changed using the syscheck option file_limit; see more in the following documentation:

An example configuration would be the following:
<!-- Maximum number of files to be monitored -->
<file_limit>
  <enabled>yes</enabled>
  <entries>100000</entries>
</file_limit>

The entries option (number of files to be monitored) allows values between 1 and 2147483647.

Keep in mind that as I have mentioned before, certain folders, especially the system ones, have a large number of files. 
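A complete agent-side syscheck block that puts together the pieces discussed in this thread (Raúl's directories entries with whodata only, the ignore option for noisy paths, and the file_limit block from the reply above), written as an added example; it is not from the original posts or from the Wazuh project. It assumes a Windows agent on Wazuh 4.x editing ossec.conf directly. The entries value of 300000, the C:\Windows\mydir placeholder and the sregex patterns are assumptions; the ossec-agent path under Program Files (x86) is the one shown in the error log earlier in the thread.

```xml
<!-- Added example: <syscheck> fragment for a Windows agent's ossec.conf (Wazuh 4.x assumed). -->
<syscheck>
  <disabled>no</disabled>

  <!-- Raise the FIM database cap deliberately: the default of 100000 filled up as soon as
       %windir% was added. 300000 is an assumed value; 'entries' accepts 1 to 2147483647. -->
  <file_limit>
    <enabled>yes</enabled>
    <entries>300000</entries>
  </file_limit>

  <!-- whodata implies realtime, so realtime="yes" is omitted.
       report_changes is left off the large trees: it keeps copies of monitored files under
       the agent's queue\diff folder, which is what produced the path-too-long error
       when all of Program Files (x86) was monitored. -->
  <directories check_all="yes" whodata="yes">C:\Program Files</directories>
  <directories check_all="yes" whodata="yes">C:\Program Files (x86)</directories>

  <!-- report_changes only on small, high-value locations. -->
  <directories check_all="yes" report_changes="yes" whodata="yes">C:\Users\hprajapati-admin\Desktop</directories>
  <!-- Instead of all of C:\Windows, monitor a narrow subtree (assumed placeholder path). -->
  <directories check_all="yes" report_changes="yes" whodata="yes">C:\Windows\mydir</directories>

  <!-- Exclude the agent's own installation directory (its queue is rewritten constantly)
       and the volatile desktop.ini from the thread. -->
  <ignore>C:\Program Files (x86)\ossec-agent</ignore>
  <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

  <!-- Regex-based ignores for temporary and log files (assumed patterns). -->
  <ignore type="sregex">.log$|.tmp$</ignore>
</syscheck>
```

After restarting the agent, the ossec.log should show one "(6003): Monitoring path" line per directories entry, and the rule 233 "file limit" alert should no longer fire unless the new cap is reached as well; if it still does, narrow the directories further rather than raising entries again, since every tracked file costs memory and scan time on the agent.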