35775 Ensure audit tools mode is configured.


Paulo Ricardo Bruck

Sep 6, 2025, 1:24:54 AM
to Wazuh | Mailing List
Hi

Using Ubuntu 24.02
Wazuh 4.12.0-1

At my dashboard, rule 35755 "Ensure audit tools mode is configured" is marked as failed, but I don't understand why. Can anyone explain to me what is wrong?

root@pauloric:/# ls -l /usr/sbin/auditctl /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace  /usr/sbin/auditd /usr/sbin/augenrules  
-rwxr-xr-x 1 root root  51712 Oct  2  2024 /usr/sbin/auditctl
-rwxr-xr-x 1 root root 121256 Oct  2  2024 /usr/sbin/auditd
-rwxr-xr-x 1 root root   3828 Oct  2  2024 /usr/sbin/augenrules
-rwxr-xr-x 1 root root 113056 Oct  2  2024 /usr/sbin/aureport
-rwxr-xr-x 1 root root 113104 Oct  2  2024 /usr/sbin/ausearch
-rwxr-xr-x 1 root root  18736 Oct  2  2024 /usr/sbin/autrace
root@pauloric:/# stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules
/sbin/auditctl 755
/sbin/aureport 755
/sbin/ausearch 755
/sbin/autrace 755
/sbin/auditd 755
/sbin/augenrules 755

Remediation
Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules.

Description
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Check (Condition: all)
c:stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:\w+ && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755

regards

hasitha.u...@wazuh.com

Sep 6, 2025, 2:57:30 AM
to Wazuh | Mailing List

Hi Paulo,

The failure of rule 35755 is likely due to the rule incorrectly flagging 755 as an invalid permission, despite it being secure and standard for audit tools.
For a workaround, try removing 755 from the excluded list in the rule’s condition; the rule would no longer fail for files with 755 permissions.
The modified condition would look like:

r:\w+ && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745 

Restart the Wazuh manager to apply changes: systemctl restart wazuh-manager 
By removing 755, the rule would allow files with 755 permissions to pass, as they would no longer be explicitly excluded.

I suggest you open a GitHub issue regarding this: https://github.com/wazuh/wazuh/issues/new/choose 

Let me know the update on this.
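To see why the check fails on a compliant host, it helps to look at what the negated list actually contains. The following is an added example (my own code, not Wazuh's SCA engine and not the CIS benchmark): it parses the `stat -c "%n %a"` output from the post, flags files the way the quoted remediation (`chmod go-w`) implies, by testing the group/other write bits, and confirms that every mode in the condition's `!r:` list is one with no group/other write bit, i.e. the list enumerates acceptable modes, so a negated match against it fails precisely when the tools are correctly configured. The two `/sbin/hypothetical-tool*` lines and the `INSECURE_MODE_RE` pattern are constructed for illustration; the pattern is one way to express the inverse condition and is not a claim about how Wazuh's regex engine or the upstream fix handles it.

```python
"""Audit-tool mode check (added example; not Wazuh or CIS code)."""
import re
import stat

# The mode list copied verbatim from the check condition quoted in the thread.
LISTED_MODES = (
    "000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|"
    "700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755"
).split("|")

# Constructed sample: the six lines from the post plus two hypothetical
# entries that really do grant write to group or others.
SAMPLE_STAT_OUTPUT = """\
/sbin/auditctl 755
/sbin/aureport 755
/sbin/ausearch 755
/sbin/autrace 755
/sbin/auditd 755
/sbin/augenrules 755
/sbin/hypothetical-tool 775
/sbin/hypothetical-tool2 757
"""

GO_WRITE = stat.S_IWGRP | stat.S_IWOTH  # 0o022: exactly the bits chmod go-w clears


def parse_stat_output(text: str) -> list[tuple[str, int]]:
    """Parse 'stat -c "%n %a"' output into (path, numeric mode) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, mode = line.rsplit(None, 1)
        entries.append((path, int(mode, 8)))
    return entries


def group_or_other_writable(text: str) -> list[str]:
    """Paths whose mode grants write to group or others: the files the
    remediation 'chmod go-w ...' would actually change."""
    return [path for path, mode in parse_stat_output(text) if mode & GO_WRITE]


def listed_modes_are_all_safe() -> bool:
    """True if no mode in the negated list has a group/other write bit.
    If so, '!r:<list>' rejects compliant files rather than non-compliant ones."""
    return all(int(m, 8) & GO_WRITE == 0 for m in LISTED_MODES)


# Assumed alternative: match a mode whose group or other digit carries the
# write bit (2, 3, 6 or 7). Negating THIS pattern passes on 755 and fails on
# 775/757. Anchored so the last two digits of the mode are the ones tested.
INSECURE_MODE_RE = re.compile(r"\s[0-7]*(?:[2367][0-7]|[0-7][2367])$")


def insecure_lines(text: str) -> list[str]:
    """Lines of stat output whose mode is group- or other-writable."""
    return [line for line in text.splitlines() if INSECURE_MODE_RE.search(line)]


if __name__ == "__main__":
    print("negated list contains only safe modes:", listed_modes_are_all_safe())
    print("group/other writable:", group_or_other_writable(SAMPLE_STAT_OUTPUT))
    print("regex flags:", insecure_lines(SAMPLE_STAT_OUTPUT))
```

Run against a real host with `stat -c "%n %a" /sbin/auditctl ... | python3 -c '...'` or by pasting the output into `SAMPLE_STAT_OUTPUT`; the six lines from the post produce an empty list, which is the result the benchmark intends for 755.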

Paulo Ricardo Bruck

Sep 7, 2025, 9:14:09 AM
to hasitha.u...@wazuh.com, Wazuh | Mailing List
Hi Hasitha

After removing 755 and restarting, the rule is OK now.

thanks

I opened a ticket on GitHub 😁



--
Paulo Ricardo Bruck 
011 98140-9184 (Whatsup/vivo)

hasitha.u...@wazuh.com

Sep 7, 2025, 11:28:23 PM
to Wazuh | Mailing List
Hi Paulo

I am glad that your issue has been resolved after removing 755 from the condition.