Best Practice: don't want to syscheck default paths


Cliftyman

Feb 5, 2020, 4:42:24 PM2/5/20
to Wazuh mailing list
I have a centralized agent conf that only watches the following dirs on Linux:
/etc/shadow, /etc/group, /etc/password, etc/sudoers

This is a group config that I assign to agents and the agent.conf gets merged with the default ossec.conf.

The problem is that the default ossec.conf file installed with the agent watches /etc/.  In the documentation it states if paths are used... all paths are merged in the merge file.  That means instead of overwriting the paths I wish to inspect with syscheck it simply adds to them.

Am I going to have to edit all my deployed agents' ossec.conf files and remove the default syscheck directories?  Do I need to start installing agents with a custom ossec.conf that doesn't include the default paths?  What is best practice here?  Thanks.

- Cliftyman

Daniel Ruiz

Feb 6, 2020, 3:54:09 AM2/6/20
to Wazuh mailing list
Hi Cliftyman,

Unfortunately, currently there is no way to disable syscheck for a specific directory which is configured in the ossec.conf using the agent.conf. However, you can make use of the restrict attribute (https://documentation.wazuh.com/3.11/user-manual/reference/ossec-conf/syscheck.html#directories - scroll down to see the restrict option).

You could add this configuration to your group's agent.conf:
<directories check_all="yes" restrict="^/etc/shadow$|^/etc/group$|^/etc/password$|^/etc/sudoers$">/etc</directories>

What is going on here: your specific syscheck block is being added to the default ossec.conf and it is overwriting the settings for /etc directory applying a very restrictive pattern.


I hope it helps.

Regards,
Daniel Ruiz
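To make the effect of the `restrict` attribute concrete, here is an added example (not from this thread or the Wazuh project) that applies the exact pattern from the reply to a constructed list of files a scan of /etc might visit, reports which ones the pattern keeps, and builds the `<directories>` line from a list of wanted paths with regex metacharacters escaped. Python's `re` stands in for Wazuh's own regex engine; for anchored literal paths joined by `|` the two agree, which is all this exercises. The helper names (`monitored_paths`, `build_restrict`, `directories_element`, `uncovered`) are the example's own. One caveat the example surfaces: because every alternative is anchored with `^` and `$`, a misspelled entry (the pattern says `/etc/password`, while the standard account file is `/etc/passwd`) or a related file such as `/etc/shadow-` or `/etc/sudoers.d/*` is silently left out of FIM, so it is worth checking the wanted list against what the pattern actually matches before rolling it out.

```python
"""Simulate how a Wazuh syscheck `restrict` pattern narrows a /etc watch.

Added example, not code from the mailing-list thread or from Wazuh itself.
Python's `re` approximates Wazuh's regex engine for anchored literal paths.
"""
import re
from xml.sax.saxutils import quoteattr

# The restrict pattern exactly as given in the reply above.
REPLY_RESTRICT = r"^/etc/shadow$|^/etc/group$|^/etc/password$|^/etc/sudoers$"

# Constructed sample of files a syscheck scan of /etc might visit.
SAMPLE_ETC = [
    "/etc/shadow",
    "/etc/shadow-",           # backup written by passwd/usermod; not matched ($ anchor)
    "/etc/group",
    "/etc/passwd",            # the real account file; the reply's pattern says /etc/password
    "/etc/sudoers",
    "/etc/sudoers.d/admins",  # drop-in sudoers file; not matched
    "/etc/hosts",
]


def monitored_paths(paths, restrict=REPLY_RESTRICT):
    """Return the paths a `restrict` regex would keep under the watched directory."""
    rx = re.compile(restrict)
    return [p for p in paths if rx.search(p)]


def build_restrict(files):
    """Build an anchored restrict pattern from exact file paths, escaping metacharacters."""
    return "|".join(f"^{re.escape(f)}$" for f in files)


def directories_element(files, watched="/etc", check_all=True):
    """Render the agent.conf <directories> line for the given files."""
    attrs = []
    if check_all:
        attrs.append('check_all="yes"')
    # quoteattr adds the surrounding quotes and XML-escapes the value.
    attrs.append(f"restrict={quoteattr(build_restrict(files))}")
    return f"<directories {' '.join(attrs)}>{watched}</directories>"


def uncovered(expected, paths, restrict):
    """Files the operator meant to watch that the pattern does not actually match."""
    kept = set(monitored_paths(paths, restrict))
    return [f for f in expected if f not in kept]


if __name__ == "__main__":
    wanted = ["/etc/shadow", "/etc/group", "/etc/passwd", "/etc/sudoers"]
    print("kept by the reply's pattern:", monitored_paths(SAMPLE_ETC))
    print("wanted but not matched:", uncovered(wanted, SAMPLE_ETC, REPLY_RESTRICT))
    print(directories_element(wanted))
```

Running it shows the reply's pattern keeping `/etc/shadow`, `/etc/group` and `/etc/sudoers` from the sample, flagging `/etc/passwd` as wanted but unmatched, and printing a `<directories>` line built from the corrected list. Verify the generated line against the syscheck reference for the agent version in use before adding it to the group's agent.conf.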


