impossible to enable system audit on Linux or Windows endpoints


Fl Passelerg

Jan 3, 2023, 11:26:30 AM
to Wazuh mailing list
Hello

I'm new to Wazuh. I installed it on an OVA machine, version 4.3.10.
All is OK with Wazuh.

I need some help to enable system_audit on my different endpoints because it doesn't work.
I don't understand where my mistake is...

In my ossec.conf, I believe that I have correctly entered the configuration... but?
<!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit> <!-- FB -->
    <check_winaudit>yes</check_winaudit>   <!-- FB -->
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
    <ignore type="sregex">^/etc/</ignore> <!-- FB -->

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>

    <!-- FB -->
    <system_audit>./db/system_audit_rcl.txt</system_audit>
    <system_audit>./db/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>./db/cis_rhel_linux_rcl.txt</system_audit>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
    <!-- FB -->

  </rootcheck>

But I have no AUDIT events, and in the configuration of my endpoints the options
Check UNIX audit or Check Windows audit are always on "no".

Please, can you help me?
(Sorry for my bad English.)
Florence


Carlos Dams

Jan 3, 2023, 12:53:21 PM
to Wazuh mailing list
Hi Florence,

Make sure the configuration you shared is located in the ossec.conf or agent.conf of the endpoint where you want this feature to be used.
Check that syscheck is enabled too, because rootcheck depends on the syscheck module.

Also, please consider using SCA instead, which has some advantages over the rootcheck module; in fact it is recommended in the rootcheck documentation: "Since Wazuh v3.9.0, the new SCA module replaces Rootcheck when performing policy monitoring."

I will list below some documentation that can help you get the most out of both modules:
I hope this information addresses the issue you are experiencing; please let me know.

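Added example (not code from the thread or from Wazuh): a small Python checker for the conditions Carlos lists, namely rootcheck enabled with check_unixaudit or check_winaudit switched on, a matching policy file listed, and syscheck enabled. It is run against the rootcheck fragment from the thread on its own and then inside a config that also enables syscheck; the assumption that a later duplicated block overrides an earlier one is this example's own, not documented Wazuh behaviour.

```python
import xml.etree.ElementTree as ET

def _last(root, path):
    """Lower-cased text of the last matching element (assumes later blocks override)."""
    hits = [e for e in root.findall(path) if e.text and e.text.strip()]
    return hits[-1].text.strip().lower() if hits else None

def check_audit_config(conf_text):
    """Return a list of problems that would keep rootcheck's system audit
    from running; an empty list means the settings look consistent."""
    # ossec.conf may hold several top-level <ossec_config> blocks (or, as in
    # the thread, a bare fragment), so wrap it in a dummy root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    problems = []
    if not root.findall(".//rootcheck"):
        return ["no <rootcheck> block in this file"]
    if _last(root, ".//rootcheck/disabled") == "yes":
        problems.append("rootcheck is disabled")
    unix_on = _last(root, ".//rootcheck/check_unixaudit") == "yes"
    win_on = _last(root, ".//rootcheck/check_winaudit") == "yes"
    if not (unix_on or win_on):
        problems.append("neither check_unixaudit nor check_winaudit is 'yes'")
    if unix_on and not root.findall(".//rootcheck/system_audit"):
        problems.append("check_unixaudit is on but no <system_audit> policy file is listed")
    if win_on and not root.findall(".//rootcheck/windows_audit"):
        problems.append("check_winaudit is on but no <windows_audit> policy file is listed")
    # Rootcheck depends on syscheck, so a missing or disabled block is reported too.
    if not root.findall(".//syscheck") or _last(root, ".//syscheck/disabled") == "yes":
        problems.append("syscheck block missing or disabled (rootcheck depends on it)")
    return problems

# Constructed sample: the rootcheck fragment from the thread, pasted on its own.
FRAGMENT_ONLY = """
<rootcheck>
  <disabled>no</disabled>
  <check_unixaudit>yes</check_unixaudit>
  <check_winaudit>yes</check_winaudit>
  <system_audit>./db/system_audit_rcl.txt</system_audit>
  <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
</rootcheck>
"""

# Constructed sample: the same settings inside an agent ossec.conf that also enables syscheck.
AGENT_CONF = "<ossec_config><syscheck><disabled>no</disabled></syscheck>" + FRAGMENT_ONLY + "</ossec_config>"

if __name__ == "__main__":
    for name, text in (("fragment only", FRAGMENT_ONLY), ("agent ossec.conf", AGENT_CONF)):
        print(name, "->", check_audit_config(text) or "OK")
```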