Rootcheck - Host-based anomaly detection event (rootcheck)


ShtrudelMan

Apr 10, 2024, 2:13:36 PM4/10/24
to Wazuh | Mailing List
Good afternoon, colleagues!
I'm interested in the possibility of adjusting the Rootcheck rule for end nodes. I'm testing "Wazuh" for future use and installed it in my home development environment, and I started receiving events (rule.description: Host-based anomaly detection event (rootcheck)).

[Attached screenshot: Снимок экрана 2024-04-10 210507.png]

How can I edit "agent.conf" to minimize the security event data from end nodes for the "/var/lib/kubelet/pods/*" directory?

Mauricio Ruben Santillan

Apr 10, 2024, 3:16:39 PM4/10/24
to Wazuh | Mailing List
Hello,

To stop rootcheck from monitoring a specific directory, you need to add the corresponding ignore option for the path you want to silence. For example:
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
    <ignore type="sregex">^/var/lib/kubelet/pods/</ignore>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>


Please notice the line <ignore type="sregex">^/var/lib/kubelet/pods/</ignore>. This will make rootcheck ignore all activity in the specified directory.

You would just need to add a block like the one above directly to your agents' ossec.conf file, or push it via centralized configuration using groups (agent.conf).

I hope this helps!
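The centralized route from the answer above, as an added example that is not part of the thread or of Wazuh's own tooling: a small POSIX shell script that writes a group agent.conf carrying only the rootcheck ignore rule, checks that the rule landed in the file, and, when the manager's verify-agent-conf binary is present, runs Wazuh's syntax check on it. The group name k8s-nodes, the SHARED_DIR override and the check_ignore helper are assumptions made for illustration; the default shared directory /var/ossec/etc/shared and the verify-agent-conf -f flag are standard Wazuh manager paths.

```shell
#!/bin/sh
# Added example (not from the thread): build a centralized agent.conf that
# silences rootcheck for /var/lib/kubelet/pods/ and validate it on the manager.
# Assumptions: group name "k8s-nodes" is illustrative; SHARED_DIR can be
# pointed at a scratch directory for a dry run on a machine without Wazuh.

SHARED_DIR="${SHARED_DIR:-/var/ossec/etc/shared}"
GROUP="${GROUP:-k8s-nodes}"

# write_agent_conf DIR GROUP -> writes DIR/GROUP/agent.conf and prints its path.
# Only the settings that differ from the agent's local ossec.conf are included;
# the manager merges this block with the agent's own configuration.
write_agent_conf() {
    dir="$1/$2"
    mkdir -p "$dir"
    cat > "$dir/agent.conf" <<'EOF'
<agent_config>
  <rootcheck>
    <disabled>no</disabled>
    <!-- every 12 hours, matching the default frequency -->
    <frequency>43200</frequency>
    <!-- sregex with ^ anchors the match at the start of the path, so only
         /var/lib/kubelet/pods/... is skipped, not a path that merely contains it -->
    <ignore type="sregex">^/var/lib/kubelet/pods/</ignore>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>
</agent_config>
EOF
    echo "$dir/agent.conf"
}

# check_ignore FILE -> exit 0 if FILE carries the kubelet ignore rule, 1 otherwise.
# grep -F treats the pattern as a fixed string so the ^ is matched literally.
check_ignore() {
    grep -Fq '<ignore type="sregex">^/var/lib/kubelet/pods/</ignore>' "$1"
}

# validate FILE -> run the manager's syntax checker when it is installed.
validate() {
    if [ -x /var/ossec/bin/verify-agent-conf ]; then
        /var/ossec/bin/verify-agent-conf -f "$1"
    else
        echo "verify-agent-conf not found; skipping syntax check of $1" >&2
    fi
}

main() {
    conf=$(write_agent_conf "$SHARED_DIR" "$GROUP")
    check_ignore "$conf" || { echo "ignore rule missing from $conf" >&2; exit 1; }
    validate "$conf"
    echo "wrote $conf"
}

# Only touch the shared directory when explicitly asked; sourcing the file
# for testing leaves the functions defined without side effects.
if [ "${1:-}" = "--install" ]; then
    main
fi
```

Run it as root on the manager with `--install`, then assign the Kubernetes nodes to the group (for example with `/var/ossec/bin/agent_groups -a -i <agent_id> -g k8s-nodes`); the manager pushes the merged configuration to those agents. For a dry run on a workstation, set SHARED_DIR to a temporary directory and inspect the generated file.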

ShtrudelMan

Apr 11, 2024, 7:10:32 AM4/11/24
to Wazuh | Mailing List
Mauricio, good afternoon!
I will try to do it via "agent.conf". Thank you!!!
I'm interested in something else: the Wazuh documentation site says that the "Rootcheck" module has been replaced by the "SCA" module. By that logic, it is not quite clear why and for what purpose the "Rootcheck" module is still used.

Link to the current documentation: "https://documentation.wazuh.com/current/user-manual/capabilities/policy-monitoring/rootcheck/index.html" - Monitoring of security policies.
It is also stated here that the "Rootcheck" module has been replaced by the new "SCA" module starting with Wazuh v3.9.0.

There is also a question about the file "/var/ossec/logs/archives/archives.log": what events get into it and why? At the moment it is empty; there are no archived events in it.

On Wednesday, April 10, 2024 at 22:16:39 UTC+3, Mauricio Ruben Santillan wrote:

ShtrudelMan

Apr 12, 2024, 7:25:51 AM4/12/24
to Wazuh | Mailing List
Mauricio!
Good afternoon, I got it. It really works. There is one more question. The logic of the agent is interesting! If I applied the directory ignore for the "rootcheck" decoder, does that mean that the agent simply discards the decoded events on its side and thus minimizes the data sent to the Wazuh server?

On Thursday, April 11, 2024 at 14:10:32 UTC+3, ShtrudelMan wrote: