Running Remote Commands on Agents


John

Jun 29, 2023, 3:23:08 PM
to Wazuh mailing list
Hello friends. I have a question regarding running remote commands on agents.

I am close to a solution, but something still eludes me.

On my manager, I have configured the command wodle:

  <wodle name="command">
    <disabled>no</disabled>
    <tag>find</tag>
    <command>find /home -type f -newermt "$(date -d '60 minutes ago' +'%Y-%m-%d %H:%M:%S')"</command>
    <interval>300s</interval>
    <ignore_output>no</ignore_output>
    <run_on_start>yes</run_on_start>
    <timeout>0</timeout>
  </wodle>


In my manager's archives.log, I see an entry like:

2023 Jun 29 19:15:59 (RPI-NC) any->find /home -type f -newermt "$(date -d '60 minutes ago' +'%Y-%m-%d %H:%M:%S')" -print ossec: output: 'find /home -type f -newermt "$(date -d '60 minutes ago' +'%Y-%m-%d %H:%M:%S')" -print':

Thus, I know the remote command is executing, being sent to the manager, and stored in the archives.log file.

That said, I'm not seeing the results of the command execution (the command output) nor do I see any of this data in my manager's GUI modules.

I'm thinking, I don't see alerting because I don't have some kind of alert-matching rule/logic. 

Am I on the right track?

John

Marcos Darío Buslaiman

Jun 29, 2023, 4:38:00 PM
to Wazuh mailing list
Hi John,
Thanks for using Wazuh!
Yes, you are right: you will need to create a rule to match that event, as you can check in this documentation:
https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/command-configuration.html#check-if-the-output-changed

You can create a rule that checks whether the output differs from the last check and triggers an alert accordingly.

Here is an example of a rule that you can add to your custom rules to test this:
<group name="find_command">
  <rule id="100555" level="7">
    <if_sid>530</if_sid>
    <!-- the match string must be the command exactly as it appears in the "ossec: output: '...':" event -->
    <match>ossec: output: 'find /home -type f -newermt "$(date -d '60 minutes ago' +'%Y-%m-%d %H:%M:%S')"':</match>
    <check_diff />
    <description>Monitoring /home with new files in the last hour</description>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,</group>
  </rule>
</group>


Please let me know if this information was useful to you and if you have any questions, don't hesitate to let us know.

Regards
Marcos 
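To make the `check_diff` logic in the reply above concrete, here is an added example that is not part of the thread and not Wazuh's own code. It models what the rule does: a parent condition standing in for rule 530 (which matches events beginning with `ossec: output: '`), a `<match>` on the command, and per-agent state so that an alert is produced only when the command output differs from the output last seen for that agent. Assumptions made by the example: the wodle's output is appended to the same event after the closing `':` (newline-separated), the match is done on a stable prefix of the command rather than the full quoted string, and the first output seen for an agent is alerted once as a baseline (`alert_on_first`); Wazuh's real behaviour on the first observation may differ, so verify on your version. All events below are constructed sample data.

```python
import re
from typing import Optional

# Event shape taken from the archives.log line quoted in the question, with the
# command output following the "':" terminator (assumption: output is appended to
# the same event, newline-separated).
OUTPUT_EVENT = re.compile(r"^ossec: output: '(?P<cmd>.*?)':(?P<out>.*)$", re.S)

# Parent rule 530 in Wazuh's ossec_rules.xml matches events starting with this prefix.
PARENT_PREFIX = "ossec: output: '"


class CheckDiffRule:
    """Toy model of a rule with <if_sid>530</if_sid>, <match> and <check_diff/>.

    Design choice for this example (not necessarily Wazuh's): the first output
    seen for an agent is alerted as the baseline when alert_on_first is True.
    """

    def __init__(self, rule_id: int, level: int, match_prefix: str, alert_on_first: bool = True):
        self.rule_id = rule_id
        self.level = level
        self.match_prefix = match_prefix      # stands in for the rule's <match>
        self.alert_on_first = alert_on_first
        self._last = {}                       # (agent, rule_id) -> last output seen

    def process(self, agent: str, event: str) -> Optional[dict]:
        if not event.startswith(PARENT_PREFIX):      # <if_sid>530</if_sid> not satisfied
            return None
        m = OUTPUT_EVENT.match(event)
        if m is None:
            return None
        cmd, out = m.group("cmd"), m.group("out").strip()
        if not cmd.startswith(self.match_prefix):    # <match> not satisfied
            return None
        key = (agent, self.rule_id)
        prev = self._last.get(key)
        self._last[key] = out                        # remember for the next comparison
        if prev is None and not self.alert_on_first:
            return None
        if prev is not None and prev == out:         # check_diff: unchanged, no alert
            return None
        return {"rule": self.rule_id, "level": self.level, "agent": agent,
                "command": cmd, "previous": prev, "output": out}


# The command from the question, as it appears inside the event.
FIND_CMD = ("find /home -type f -newermt "
            "\"$(date -d '60 minutes ago' +'%Y-%m-%d %H:%M:%S')\"")


def output_event(cmd: str, *lines: str) -> str:
    """Build a constructed event in the archives.log shape."""
    return f"ossec: output: '{cmd}':" + "".join("\n" + line for line in lines)


# Constructed sample stream (agent name, event text); paths are made up.
SAMPLE_STREAM = [
    ("RPI-NC", output_event(FIND_CMD)),                                   # baseline, empty output
    ("RPI-NC", output_event(FIND_CMD)),                                   # unchanged: no alert
    ("RPI-NC", output_event(FIND_CMD, "/home/pi/notes.txt")),             # new file: alert
    ("RPI-NC", output_event(FIND_CMD, "/home/pi/notes.txt")),             # same again: no alert
    ("web-01", output_event(FIND_CMD, "/home/deploy/.ssh/authorized_keys")),  # other agent: own baseline
    ("RPI-NC", output_event("df -h", "/dev/root 29G 7G 21G 26% /")),      # other command: no <match>
    ("RPI-NC", "sshd[1234]: Accepted publickey for pi from 10.0.0.5"),    # not an ossec: output event
]


def run(stream, rule: Optional[CheckDiffRule] = None) -> list:
    """Feed events through the rule and collect the alerts it raises."""
    rule = rule or CheckDiffRule(100555, 7, "find /home -type f -newermt")
    alerts = []
    for agent, event in stream:
        alert = rule.process(agent, event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_STREAM):
        print(f"rule {a['rule']} level {a['level']} agent {a['agent']}: "
              f"{a['previous']!r} -> {a['output']!r}")
```

Running it shows three alerts: the RPI-NC baseline, the change when `/home/pi/notes.txt` appears, and the web-01 baseline; the repeated identical outputs, the `df -h` event and the sshd line produce nothing. Matching on a stable prefix of the command avoids the quoting pitfalls of reproducing the whole `$(date ...)` string in `<match>`; either way, check a real rule against a copied archives.log line with `/var/ossec/bin/wazuh-logtest` before relying on it.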