The Linux Audit system generates numerous events for write access, read access, execute access, attribute changes, and system call rules. Wazuh relies on the key argument of audit rules because it is difficult to distinguish audit events using rules and decoders alone. As previously explained, each audit rule can carry a descriptive key value that identifies which rule generated a particular audit log entry. Wazuh uses a CDB list to map those keys to the type of audit rule that fired. Each entry in this list has the following syntax:
<KEY_NAME>:<VALUE>
<KEY_NAME> is the string you used in the -k argument of a file system or system call rule.
<VALUE> is one of the following values:
write: File system rules with
read: File system rules with
execute: File system rules with
attribute: File system rules with
command: System call rules.
By default, Wazuh includes an audit CDB list. This list contains audit keys that map to write, read, attribute change, execution, and command events.
Run the command below to view the content of the CDB list:
# cat /var/ossec/etc/lists/audit-keys
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command
You can add a custom key with its value to the list like this:
# echo "<YOUR_KEY>:<VALUE>" >> /var/ossec/etc/lists/audit-keys
<YOUR_KEY> is the key set with -k in the audit rule, and <VALUE> is one of the values listed above; Wazuh uses it to classify the event.
Restart the Wazuh manager any time you modify the CDB list:
# systemctl restart wazuh-manager
Out-of-the-box rules for Audit events are located in the /var/ossec/ruleset/rules/0365-auditd_rules.xml file on the Wazuh server.
To use the Linux Audit system, you must install the audit package on your endpoint. If the package is not installed, run the command that matches your distribution's package manager as the root user:
# yum install -y auditd
# apt install -y auditd
If the audit package was already present on the endpoint before the Wazuh agent was installed, the actions below should not be performed: the agent adds this configuration by default.
Add the configuration below to the Wazuh agent configuration file /var/ossec/etc/ossec.conf. This configures Wazuh to read the audit log file and process the events the Linux Audit system detects:
<localfile>
  <log_format>audit</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>
Restart the Wazuh agent to apply the changes:
# systemctl restart wazuh-agent
Create proper audit rules using the auditctl command or the audit rules file.
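The following script is an added example, not Wazuh's own code. It ties the two halves of this page together: it checks that every -k key in an audit rules file has an entry in the audit-keys CDB list (a key without an entry cannot be classified by Wazuh), and it shows how the key="..." field of an audit.log entry resolves to a CDB value. The CDB list, the rules file and the audit.log line are constructed in temporary files so the script runs offline; on a real endpoint the list is /var/ossec/etc/lists/audit-keys and the rules live under /etc/audit/rules.d/. The -w, -p, -a, -F and -S options are standard auditctl options; the file paths and the keys custom-shadow and audit-unmapped are made up for the example.

```shell
#!/bin/sh
# Added example (not Wazuh's own code): verify that audit rule keys are
# mapped in the Wazuh audit-keys CDB list, and classify an audit.log line.
# All files are constructed in a temp directory so this runs offline.

WORK=$(mktemp -d)
CDB_LIST="$WORK/audit-keys"
RULES_FILE="$WORK/wazuh.rules"

# Constructed copy of the default CDB list plus one custom key.
cat > "$CDB_LIST" <<'EOF'
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command
custom-shadow:write
EOF

# Constructed audit rules; the last one uses a key that is deliberately
# missing from the CDB list so the check below has something to report.
cat > "$RULES_FILE" <<'EOF'
-w /etc/passwd -p wa -k audit-wazuh-w
-w /etc/shadow -p wa -k custom-shadow
-w /usr/bin/ -p x -k audit-wazuh-x
-a always,exit -F arch=b64 -S execve -k audit-wazuh-c
-a always,exit -F arch=b64 -S chmod -k audit-unmapped
EOF

# cdb_value LIST KEY: print the value mapped to KEY, or nothing if unmapped.
cdb_value() {
    grep -E "^$2:" "$1" | head -n 1 | cut -d: -f2
}

# rule_keys RULES: list each key named by "-k" in the rules file, once.
rule_keys() {
    sed -n 's/.*-k[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | sort -u
}

# unmapped_keys LIST RULES: keys used in rules that the CDB list cannot classify.
unmapped_keys() {
    for k in $(rule_keys "$2"); do
        [ -n "$(cdb_value "$1" "$k")" ] || echo "$k"
    done
}

# audit_line_type LIST LINE: extract key="..." from an audit.log entry and
# resolve it through the CDB list (the classification step described above).
audit_line_type() {
    k=$(printf '%s\n' "$2" | sed -n 's/.*key="\([^"]*\)".*/\1/p')
    cdb_value "$1" "$k"
}

# Constructed audit.log SYSCALL record for a write to a watched file.
SAMPLE_LINE='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d5c2d0 a2=241 a3=1b6 items=2 ppid=1 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/usr/bin/vi" key="audit-wazuh-w"'

echo "Unmapped keys: $(unmapped_keys "$CDB_LIST" "$RULES_FILE")"
echo "Sample line classified as: $(audit_line_type "$CDB_LIST" "$SAMPLE_LINE")"
```

Run the unmapped-key check whenever you add rules: a key it reports will produce audit events that the Wazuh ruleset cannot classify until you append the key to the CDB list and restart the manager.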
Linux audit alerts are displayed in the Security Events and System Auditing tab of the Wazuh dashboard.