Monitoring Linux Critical File Integrity with Wazuh Syscheck and Whodata
Wazuh Syscheck tracks changes to key Linux files like /etc/passwd, /etc/shadow, /etc/sudoers, and /etc/ssh/sshd_config. Whodata mode captures the user and process making changes via auditd. This setup applies centrally to a Linux agent group, generating alerts at level 12.
Wazuh Architecture and Syscheck Role
Wazuh consists of a manager for event processing, agents on hosts, and a Kibana-based dashboard. Syscheck scans files on schedule or real-time, verifying hashes, permissions, and ownership. In whodata mode, it integrates with auditd to attribute changes.
Key features:
- Periodic scans every 300 seconds.
- Diffs of changes sent.
- Detection of new files in directories.
- Exclusion of temp files to cut noise.
Preparing Agents
Install auditd on all Linux agents in the linux group.
For RHEL-like systems:
sudo dnf install audit audispd-plugins -y
sudo systemctl enable --now auditd
For Debian/Ubuntu:
sudo apt install auditd audispd-plugins -y
sudo systemctl enable --now auditd
Check status: sudo auditctl -l.
Verify linux group exists: ls -la /var/ossec/etc/shared/. Create it in the UI if missing.
Centralized agent.conf Configuration
Edit /var/ossec/etc/shared/linux/agent.conf on the manager:
<agent_config>
<syscheck>
<frequency>300</frequency>
<whodata>yes</whodata>
<diff>yes</diff>
<directories check_all="yes" whodata="yes" report_changes="yes">/etc/passwd</directories>
<directories check_all="yes" whodata="yes" report_changes="yes">/etc/shadow</directories>
<directories check_all="yes" whodata="yes" report_changes="yes">/etc/sudoers</directories>
<directories check_all="yes" whodata="yes" report_changes="yes">/etc/ssh/sshd_config</directories>
<ignore>/etc/passwd-</ignore>
<ignore>/etc/shadow-</ignore>
<ignore>/etc/sudoers.tmp</ignore>
<ignore>/etc/.pwd.lock</ignore>
<alert_new_files>yes</alert_new_files>
<scan_on_start>yes</scan_on_start>
<auto_ignore>no</auto_ignore>
</syscheck>
</agent_config>
Restart: sudo systemctl restart wazuh-manager.
Key parameters:
check_all="yes"— Full attribute checks.whodata="yes"— Attribution via auditd.report_changes="yes"— Diffs in alerts.alert_new_files="yes"— Alerts for new files.
High-Priority Alert Rules
Add to /var/ossec/etc/rules/local_rules.xml:
<group name="syscheck,">
<rule id="100100" level="12">
<if_sid>550</if_sid>
<field name="file">/etc/passwd</field>
<description>CRITICAL CHANGE: /etc/passwd modified</description>
<mitre>
<id>T1078</id>
<id>T1136</id>
</mitre>
</rule>
<rule id="100101" level="12">
<if_sid>550</if_sid>
<field name="file">/etc/shadow</field>
<description>CRITICAL CHANGE: /etc/shadow modified (passwords)</description>
<mitre>
<id>T1003</id>
<id>T1078</id>
</mitre>
</rule>
<rule id="100102" level="12">
<if_sid>550</if_sid>
<field name="file">/etc/sudoers</field>
<description>CRITICAL CHANGE: /etc/sudoers modified</description>
<mitre>
<id>T1078</id>
<id>T1548</id>
</mitre>
</rule>
<rule id="100104" level="12">
<if_sid>550</if_sid>
<field name="file">/etc/ssh/sshd_config</field>
<description>CRITICAL CHANGE: /etc/ssh/sshd_config modified</description>
<mitre>
<id>T1078</id>
<id>T1548</id>
</mitre>
</rule>
<rule id="100103" level="10">
<if_sid>554</if_sid>
<field name="file">/etc/passwd</field>
<field name="file">/etc/shadow</field>
<field name="file">/etc/sudoers</field>
<options>alert_by_email</options>
<description>User detected modifying critical file: $(file) - $(audit.user.name)</description>
<mitre>
<id>T1078</id>
</mitre>
</rule>
</group>
Restart the manager. Rules trigger on if_sid 550 (file change), level 12 for priority.
Testing the Configuration
On an agent, verify: sudo cat /var/ossec/etc/shared/agent.conf | grep -A5 "syscheck".
Simulate a change:
sudo cp /etc/passwd /etc/passwd.backup.test
echo "testuser:x:9999:9999:Test User:/home/testuser:/bin/bash" | sudo tee -a /etc/passwd
Alerts will show JSON with rule.level=12, syscheck.path, audit.user.name (root), process.name (tee), and diff.
Revert: sudo cp /etc/passwd.backup.test /etc/passwd && sudo rm /etc/passwd.backup.test.
Key Takeaways
- Syscheck with whodata tracks change authors via auditd.
- Centralized config for linux group cuts manual work.
- Level 12 rules with MITRE tags for /etc/passwd, /etc/shadow, etc.
- Diffs and attribution in alerts for forensics.
- Temp file exclusions reduce false positives.
Scaling Monitoring
Expand to /etc/hosts.allow, nginx/apache configs, SSH keys. Add active response for blocks and integrations with external notification systems.
— Editorial Team
No comments yet.