This is the documentation for Wazuh 3.8. Check out the docs for the latest version of Wazuh!

How it works

Rootcheck allows you to define policies that check whether the agents meet the specified requirements.

The rootcheck engine can perform the following checks:

  • check if a process is running
  • check if a file is present
  • check if the content of a file matches a pattern, or if a Windows registry key contains a string or simply exists.

Using these checks, the following policies have been developed:

Policy                     Description
cis_debian_linux_rcl.txt   Based on CIS Benchmark for Debian Linux v1.0.
cis_rhel5_linux_rcl.txt    Based on CIS Benchmark for Red Hat Enterprise Linux 5 v2.1.0.
cis_rhel6_linux_rcl.txt    Based on CIS Benchmark for Red Hat Enterprise Linux 6 v1.3.0.
cis_rhel7_linux_rcl.txt    Based on CIS Benchmark for Red Hat Enterprise Linux 7 v1.1.0.
cis_rhel_linux_rcl.txt     Based on CIS Benchmark for Red Hat Enterprise Linux v1.0.5.
cis_sles11_linux_rcl.txt   Based on CIS Benchmark for SUSE Linux Enterprise Server 11 v1.1.0.
cis_sles12_linux_rcl.txt   Based on CIS Benchmark for SUSE Linux Enterprise Server 12 v1.0.0.
system_audit_rcl.txt       Web vulnerabilities and exploits.
win_audit_rcl.txt          Check registry values.
system_audit_ssh.txt       SSH Hardening.
win_applications_rcl.txt   Check if malicious applications are installed.

Rule IDs of the alerts generated by policy monitoring:

  • 512: Windows Audit
  • 514: Windows Application
  • 516: Unix Audit

The policy and compliance monitoring databases are normally maintained on the manager, which distributes them to all the agents.

Example of an existing policy rule:

# PermitRootLogin not allowed
# PermitRootLogin indicates if the root user can log in via ssh.
$sshd_file=/etc/ssh/sshd_config;

[SSH Configuration - 1: Root can log in] [any] [1]
f:$sshd_file -> !r:^# && r:PermitRootLogin\.+yes;
f:$sshd_file -> r:^#\s*PermitRootLogin;
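As an added example that is not part of the Wazuh documentation or code base, the following Python script evaluates the rcl entry above the way the text describes the engine: the variable is expanded, each f: check passes when some line of the file satisfies all of its conditions, and with [any] the entry fires when at least one check passes. The sshd_config contents are constructed, and the OSSEC-regex translation is an assumption covering only the escapes this entry uses.

```python
import re

# The rootcheck entry from the page; the evaluator below is added example code.
RULE = r"""# PermitRootLogin not allowed
$sshd_file=/etc/ssh/sshd_config;
[SSH Configuration - 1: Root can log in] [any] [1]
f:$sshd_file -> !r:^# && r:PermitRootLogin\.+yes;
f:$sshd_file -> r:^#\s*PermitRootLogin;
"""

# Constructed sshd_config contents (not from the page) to exercise the entry.
CONFIGS = {
    "root_yes": "Port 22\nPermitRootLogin yes\n",
    "commented": "Port 22\n#PermitRootLogin yes\nPasswordAuthentication no\n",
    "hardened": "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n",
}

def ossec_to_python(pattern):
    # OSSEC regex reverses PCRE's dot: '\.' is any character and '.' a literal
    # dot; ^, $, +, * and \s keep their usual meaning. Only this subset is handled.
    return pattern.replace(r"\.", "\x00").replace(".", r"\.").replace("\x00", ".")

def line_matches(line, conds):
    # A line satisfies a check only if every 'r:' / '!r:' condition holds.
    for cond in conds:
        negate = cond.startswith("!")
        if bool(re.search(ossec_to_python(cond.lstrip("!")[2:]), line)) == negate:
            return False
    return True

def file_check(content, conds):
    # An 'f:' check succeeds when at least one line satisfies all its conditions.
    return any(line_matches(line, conds) for line in content.splitlines())

def evaluate_entry(entry, files):
    # Evaluate one rcl entry against {path: content}; returns (name, fired).
    variables, results, name, mode = {}, [], None, None
    for line in (raw.strip() for raw in entry.splitlines()):
        if line.startswith("$"):  # variable definition
            var, val = line.rstrip(";").split("=", 1)
            variables[var] = val
        elif line.startswith("["):  # [name] [any|all] [reference]
            name, mode, _reference = re.findall(r"\[(.*?)\]", line)
        elif line.startswith("f:"):  # file check: f:path -> cond && cond
            target, conds = line.rstrip(";")[2:].split(" -> ", 1)
            for var, val in variables.items():
                target = target.replace(var, val)
            conds = [c.strip() for c in conds.split("&&")]
            results.append(file_check(files.get(target, ""), conds))
    return name, (any(results) if mode == "any" else all(results))
```

Comment and blank lines in the entry match none of the branches and are skipped; a file that is absent counts as having no lines, so no check on it passes.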

Alert example:

** Alert 1487185712.51190: - ossec,rootcheck,
2017 Feb 15 11:08:32 localhost->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: CIS - RHEL7 - 6.2.9 - SSH Configuration - Empty passwords permitted {CIS: 6.2.9 RHEL7} {PCI_DSS: 4.1}. File: /etc/ssh/sshd_config. Reference: https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf .
title: CIS - RHEL7 - 6.2.9 - SSH Configuration - Empty passwords permitted
file: /etc/ssh/sshd_config