Skip to content

Commit

Permalink
Merge pull request #7291 from wazuh/add/7283-audit-never-task-rule
Browse files Browse the repository at this point in the history
Add note related to 'never,task' rule in auditd
  • Loading branch information
javimed authored May 10, 2024
2 parents 7739edc + 50d9425 commit ee732aa
Showing 1 changed file with 24 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,30 @@ You need to install the audit daemon if you don’t have it already installed on
# cp /usr/sbin/audisp-af_unix /sbin/audisp-af_unix
# rc-service auditd restart
Perform the following steps to enable who-data monitoring. In this example, you configure who-data monitoring for ``/etc`` directory.
In most systems, auditd includes a rule to skip processing of every audit rule by default. This setting prevents the reporting of any whodata-related information. To ensure that auditd is not `DISABLED BY DEFAULT <https://man7.org/linux/man-pages/man8/auditctl.8.html#DISABLED_BY_DEFAULT>`__, follow these steps.

#. Check the output of this command to find out if the auditd rules include the ``-a never,task`` rule.

.. code-block:: console
# auditctl -l | grep task
#. If the output displays the ``-a never,task`` rule, add the following filter rule in ``/etc/audit/rules.d/audit.rules``. Make sure to place it before the mentioned rule.

.. code-block:: none
:emphasize-lines: 1
-a always,task -F exe=‘/var/ossec/bin/wazuh-syscheckd’
-a never,task
#. After that, restart auditd and Wazuh agent to apply the changes:

.. code-block:: console
# systemctl restart auditd
# systemctl restart wazuh-agent
Next, perform the following steps to enable who-data monitoring. In this example, you configure who-data monitoring for the ``/etc/`` directory.

#. Edit the Wazuh agent ``/var/ossec/etc/ossec.conf`` configuration file and add the configuration below:

Expand Down

0 comments on commit ee732aa

Please sign in to comment.