Password file monitoring for linux machine


ektadhu...@gmail.com

Jan 11, 2021, 11:38:26 PM
to Wazuh mailing list
Hi Team,

I need to enable password file monitoring for a Linux machine under the path /etc/lib/password_file.

Use case: I need to create a rule for when the hash of the user root is changed in the password file.

Kindly assist me with how to implement this.

Regards,
Ekta

elw...@wazuh.com

Jan 12, 2021, 2:25:37 AM
to Wazuh mailing list
Hello Ekta,

This requirement can be achieved as follows:

  • As an example, I have the file /test/password mimicking two user entries; it has exactly the following content:

    root hashhashaddedhashnewhaokokos

    vagrant hashhaseeeh



  • The first step is to monitor the file and report the changes (https://documentation.wazuh.com/4.0/user-manual/capabilities/file-integrity/fim-configuration.html#configuring-reporting-file-changes). The configuration would be:

    <directories check_all="yes" realtime="yes" report_changes="yes" restrict="/test/password">/test</directories>



  • Then, I define two rules, 100200 and 100201: the former alerts on any change to the /test/password file and the latter alerts if root's hash has been changed (more precisely, any modification after the user root):

    <group name="syscheck,">
      <rule id="100200" level="7">
        <if_sid>550</if_sid>
        <field name="file">/test/password</field>
        <description>File modified in /test/password</description>
      </rule>
      <rule id="100201" level="7">
        <if_sid>100200</if_sid>
        <field name="changed_content">root \.*</field>
        <description>root line modified</description>
      </rule>
    </group>




  • Restart my Wazuh manager to apply the changes: systemctl restart wazuh-manager, or use the UI (https://documentation.wazuh.com/4.0/learning-wazuh/replace-stock-rule.html)


  • Then, once a change is made to the hash for the user root, the alert "root line modified" is triggered; otherwise, the generic "File modified in /test/password" alert is generated for any other change to the file, as shown below:

    [screenshot attachment: image (90).png]



The same procedure can be applied to your file /etc/lib/password_file.


Hope this helps.


Regards,
Elwali Karkoub
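To check the logic of rules 100200 and 100201 offline, here is an added Python example (not code from the reply or from Wazuh) that re-implements the two rules' matching over constructed syscheck alerts. It assumes the changed_content field carries classic `diff` output and translates only the OS_Regex subset used in the rules above ("\." meaning any character); the last sample shows the caveat that the unanchored pattern also fires on unrelated lines containing "root ".

```python
import re

# Translate the OS_Regex subset used on this page into Python regex syntax:
# in OS_Regex "\." means "any character" and a bare "." is a literal dot.
def os_regex_to_python(pattern: str) -> str:
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith(r"\.", i):
            out.append(".")
            i += 2
        elif pattern[i] == ".":
            out.append(r"\.")
            i += 1
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)

# The two custom rules from the reply above, expressed as data (parents first).
RULES = [
    {"id": 100200, "if_sid": 550, "field": "file", "pattern": "/test/password"},
    {"id": 100201, "if_sid": 100200, "field": "changed_content", "pattern": r"root \.*"},
]

def classify(alert: dict) -> int:
    """Return the id of the most specific rule that fires for a syscheck alert.
    `alert` holds the parent rule id (550 = checksum changed), the file path and
    the diff text Wazuh reports when report_changes="yes" (constructed here)."""
    fields = {"file": alert["file"], "changed_content": alert.get("changed_content", "")}
    matched = alert["rule_id"]
    for rule in RULES:
        if rule["if_sid"] != matched:
            continue  # child rules only run once their parent has matched
        if re.search(os_regex_to_python(rule["pattern"]), fields[rule["field"]]):
            matched = rule["id"]
    return matched

# Constructed sample alerts shaped like the fields the rules inspect.
ROOT_CHANGED = {"rule_id": 550, "file": "/test/password",
                "changed_content": "1c1\n< root hashhashaddedhashnewhaokokos\n---\n> root newhashvalue"}
VAGRANT_CHANGED = {"rule_id": 550, "file": "/test/password",
                   "changed_content": "2c2\n< vagrant hashhaseeeh\n---\n> vagrant anotherhash"}
OTHER_FILE = {"rule_id": 550, "file": "/test/other",
              "changed_content": "1c1\n< root x\n---\n> root y"}
# Caveat: "webroot " also contains "root ", so the unanchored pattern fires here too.
WEBROOT_CHANGED = {"rule_id": 550, "file": "/test/password",
                   "changed_content": "3c3\n< webroot oldhash\n---\n> webroot newhash"}

if __name__ == "__main__":
    for name, alert in [("root", ROOT_CHANGED), ("vagrant", VAGRANT_CHANGED),
                        ("other file", OTHER_FILE), ("webroot", WEBROOT_CHANGED)]:
        print(f"{name}: rule {classify(alert)}")
```

Anchoring the pattern to the changed line (for example matching the diff marker before "root") would avoid the webroot false positive.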

ektadhu...@gmail.com

Jan 12, 2021, 6:58:05 AM
to Wazuh mailing list
Thanks Elwali.

But how can I define this for a particular Linux machine rather than defining it globally?

Regards,
Ekta

elw...@wazuh.com

Jan 12, 2021, 7:19:19 AM
to Wazuh mailing list
Hello Ekta,

The syscheck configuration can be shared across the agents by leveraging the shared centralized configuration. This blog post describes in detail how it is done: https://wazuh.com/blog/agent-groups-and-centralized-configuration/#Using%20the%20Kibana%20app.

For the rules, they must be defined in the Wazuh manager, within the file /var/ossec/etc/rules/local_rules.xml or through the UI: https://documentation.wazuh.com/4.0/learning-wazuh/replace-stock-rule.html.

If that does not answer your question, could you please elaborate on what you are referring to?

Hope it helps.

Regards,
Wali

ektadhu...@gmail.com

Jan 12, 2021, 11:13:34 AM
to Wazuh mailing list
Hi Wali,

I have multiple Linux devices that are monitored by Wazuh.

But I want this file monitoring for machine 'X' only, not for all the machines.

So how can I implement the file monitoring only for machine 'X'?

Regards,
Ekta

elw...@wazuh.com

Jan 13, 2021, 1:45:36 AM
to Wazuh mailing list
Hello Ekta,

This can be achieved in many ways. For example:

  •     <directories check_all="yes" realtime="yes" report_changes="yes" restrict="/test/password">/test</directories>
        </agent_config>

  • Option 2: Access machine X and add the configuration to the file /var/ossec/etc/ossec.conf, then restart the agent to apply it: systemctl restart wazuh-agent.


Hope this helps,
Regards,
Wali