Back to Home

Wazuh Syscheck: Linux file monitoring

Guide to configuring Syscheck in Wazuh for monitoring key Linux files with whodata. Centralized configuration, criticality 12 rules, change testing. auditd integration provides attribution.

Wazuh Linux Files Protection: whodata and alerts
Advertisement 728x90

Monitoring Linux Critical File Integrity with Wazuh Syscheck and Whodata

Wazuh Syscheck tracks changes to key Linux files like /etc/passwd, /etc/shadow, /etc/sudoers, and /etc/ssh/sshd_config. Whodata mode captures the user and process making changes via auditd. This setup applies centrally to a Linux agent group, generating alerts at level 12.

Wazuh Architecture and Syscheck Role

Wazuh consists of a manager for event processing, agents on hosts, and a Kibana-based dashboard. Syscheck scans files on schedule or real-time, verifying hashes, permissions, and ownership. In whodata mode, it integrates with auditd to attribute changes.

Key features:

Google AdInline article slot
  • Periodic scans every 300 seconds.
  • Diffs of changes sent.
  • Detection of new files in directories.
  • Exclusion of temp files to cut noise.

Preparing Agents

Install auditd on all Linux agents in the linux group.

For RHEL-like systems:

sudo dnf install audit audispd-plugins -y
sudo systemctl enable --now auditd

For Debian/Ubuntu:

Google AdInline article slot
sudo apt install auditd audispd-plugins -y
sudo systemctl enable --now auditd

Check status: sudo auditctl -l.

Verify linux group exists: ls -la /var/ossec/etc/shared/. Create it in the UI if missing.

Centralized agent.conf Configuration

Edit /var/ossec/etc/shared/linux/agent.conf on the manager:

Google AdInline article slot
<agent_config>
  <syscheck>
    <frequency>300</frequency>
    <whodata>yes</whodata>
    <diff>yes</diff>
    <directories check_all="yes" whodata="yes" report_changes="yes">/etc/passwd</directories>
    <directories check_all="yes" whodata="yes" report_changes="yes">/etc/shadow</directories>
    <directories check_all="yes" whodata="yes" report_changes="yes">/etc/sudoers</directories>
    <directories check_all="yes" whodata="yes" report_changes="yes">/etc/ssh/sshd_config</directories>
    <ignore>/etc/passwd-</ignore>
    <ignore>/etc/shadow-</ignore>
    <ignore>/etc/sudoers.tmp</ignore>
    <ignore>/etc/.pwd.lock</ignore>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>yes</scan_on_start>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</agent_config>

Restart: sudo systemctl restart wazuh-manager.

Key parameters:

  • check_all="yes" — Full attribute checks.
  • whodata="yes" — Attribution via auditd.
  • report_changes="yes" — Diffs in alerts.
  • alert_new_files="yes" — Alerts for new files.

High-Priority Alert Rules

Add to /var/ossec/etc/rules/local_rules.xml:

<group name="syscheck,">
  <rule id="100100" level="12">
    <if_sid>550</if_sid>
    <field name="file">/etc/passwd</field>
    <description>CRITICAL CHANGE: /etc/passwd modified</description>
    <mitre>
      <id>T1078</id>
      <id>T1136</id>
    </mitre>
  </rule>
  <rule id="100101" level="12">
    <if_sid>550</if_sid>
    <field name="file">/etc/shadow</field>
    <description>CRITICAL CHANGE: /etc/shadow modified (passwords)</description>
    <mitre>
      <id>T1003</id>
      <id>T1078</id>
    </mitre>
  </rule>
  <rule id="100102" level="12">
    <if_sid>550</if_sid>
    <field name="file">/etc/sudoers</field>
    <description>CRITICAL CHANGE: /etc/sudoers modified</description>
    <mitre>
      <id>T1078</id>
      <id>T1548</id>
    </mitre>
  </rule>
  <rule id="100104" level="12">
    <if_sid>550</if_sid>
    <field name="file">/etc/ssh/sshd_config</field>
    <description>CRITICAL CHANGE: /etc/ssh/sshd_config modified</description>
    <mitre>
      <id>T1078</id>
      <id>T1548</id>
    </mitre>
  </rule>
  <rule id="100103" level="10">
    <if_sid>554</if_sid>
    <field name="file">/etc/passwd</field>
    <field name="file">/etc/shadow</field>
    <field name="file">/etc/sudoers</field>
    <options>alert_by_email</options>
    <description>User detected modifying critical file: $(file) - $(audit.user.name)</description>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
</group>

Restart the manager. Rules trigger on if_sid 550 (file change), level 12 for priority.

Testing the Configuration

On an agent, verify: sudo cat /var/ossec/etc/shared/agent.conf | grep -A5 "syscheck".

Simulate a change:

sudo cp /etc/passwd /etc/passwd.backup.test
echo "testuser:x:9999:9999:Test User:/home/testuser:/bin/bash" | sudo tee -a /etc/passwd

Alerts will show JSON with rule.level=12, syscheck.path, audit.user.name (root), process.name (tee), and diff.

Revert: sudo cp /etc/passwd.backup.test /etc/passwd && sudo rm /etc/passwd.backup.test.

Key Takeaways

  • Syscheck with whodata tracks change authors via auditd.
  • Centralized config for linux group cuts manual work.
  • Level 12 rules with MITRE tags for /etc/passwd, /etc/shadow, etc.
  • Diffs and attribution in alerts for forensics.
  • Temp file exclusions reduce false positives.

Scaling Monitoring

Expand to /etc/hosts.allow, nginx/apache configs, SSH keys. Add active response for blocks and integrations with external notification systems.

— Editorial Team

Advertisement 728x90

Read Next