Hi,
here is an example of an Auditd rule that makes use of a dynamic field
named "audit.type".
<!--
type=MAC_STATUS msg=audit(1336836093.835:406): enforcing=1 old_enforcing=0 auid=0 ses=2
-->
<rule id="80731" level="10">
  <if_sid>80700</if_sid>
  <field name="audit.type">MAC_STATUS</field>
  <description>Auditd: SELinux mode (enforcing, permissive, off) is changed</description>
  <group>audit_selinux,pci_dss_10.6.1,</group>
</rule>
The name of this field is defined in the decoder XML file, and values are
assigned using regular expressions. Here is an example of a decoder using
dynamic fields:
https://github.com/wazuh/wazuh/blob/master/etc/decoders/0040-auditd_decoders.xml#L120
I believe the best thing about this implementation is that it allows you to
use as many fields as you need (the limit is set in the internal_options.conf
file), name those fields however you want, and see the fields printed in
the alert output in JSON format. See below an example of an alert:
{
  "agent": {
    "id": "003",
    "ip": "10.0.0.121",
    "name": "vpc-agent-debian"
  },
  "audit": {
    "auid": "0",
    "enforcing": "1",
    "id": "406",
    "old_enforcing": "0",
    "session": "2",
    "type": "MAC_STATUS"
  },
  "decoder": {
    "name": "auditd",
    "parent": "auditd"
  },
  "full_log": "type=MAC_STATUS msg=audit(1336836093.835:406): enforcing=1 old_enforcing=0 auid=0 ses=2",
  "location": "/var/log/audit/audit.log",
  "manager": {
    "name": "vpc-ossec-manager"
  },
  "rule": {
    "description": "Auditd: SELinux mode (enforcing, permissive, off) is changed",
    "firedtimes": 1,
    "groups": [
      "audit",
      "audit_selinux"
    ],
    "id": 80731,
    "level": 10,
    "pci_dss": [
      "10.6.1"
    ]
  },
  "timestamp": "2017-02-01T17:33:29-0800"
}
Regarding the differences between Wazuh and OSSEC, the Wazuh team is working on
updating the documentation to explain them better (and on a new release
and installers).
The highlights of the new Wazuh version (2.0, currently found under the master
branch) are:
- OpenSCAP integrated as part of the agent, allowing users to run OVAL
checks.
- New WUI on top of Kibana 5, and integrated with the RESTful API to
monitor configuration of the manager, rules and status of the agents.
- Improved log analysis and FIM capabilities.
- Ruleset with compliance mapping.
- Agent-manager communications over TCP supported.
- A modules manager that will allow future integration of other tools
(on the roadmap are OSquery and Threat Intelligence sources).
Complete changelog can be found here:
https://github.com/wazuh/wazuh/blob/master/CHANGELOG.md
If you are curious, here are some screenshots of the WUI.
https://github.com/wazuh/wazuh-documentation/blob/new_template/source/index.rst
It is also worth mentioning that the Wazuh project, as a fork, is based on
the work done by OSSEC developers and contributors, to whom we are
thankful. Wazuh plans to continue contributing to the OSSEC GitHub repository
with bug fixes, but we also have our own roadmap, so most likely both
projects will evolve in different ways.
Please, for future Wazuh-related questions, use our mailing list
at: [email protected]
Santiago.
On Wednesday, February 1, 2017 at 5:59:23 AM UTC-8, [email protected] wrote:
>
> Where can I find information on the dynamic fields?
> Thanks
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
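To make the decoder-and-rule mechanism from Santiago's message concrete, here is an added, stand-alone Python emulation. It is not Wazuh's engine and not the project's decoder file: the header regex, the `HEADER_ORDER` field list, the key renaming and the rule dictionary are all assumptions chosen so that the sample MAC_STATUS line from the thread decodes into the same `audit.*` fields and fires the same rule 80731 as the alert shown above. Capture groups are assigned, in order, to dotted dynamic field names, the way a decoder's `<regex>` and `<order>` pair up; a rule's `<field name="...">` condition is then evaluated against those names.

```python
import json
import re

# Constructed sample line: the same MAC_STATUS event quoted in the thread.
SAMPLE_LOG = ("type=MAC_STATUS msg=audit(1336836093.835:406): "
              "enforcing=1 old_enforcing=0 auid=0 ses=2")

# Emulated decoder (assumed names, not Wazuh's own decoder file): the header
# regex captures the record type and serial number, and its capture groups are
# assigned in order to the dynamic field names, mirroring <regex>/<order>.
HEADER_REGEX = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$")
HEADER_ORDER = ["audit.type", "audit.id"]

# Remaining key=value pairs become audit.<key>; "ses" is renamed to "session"
# so the output matches the alert shown in the thread.
KV_REGEX = re.compile(r'(\w+)=("[^"]*"|\S+)')
RENAMES = {"ses": "session"}

# Emulated rule 80731 from the thread; the "field" map holds the
# <field name="...">regex</field> conditions.
RULE_80731 = {
    "id": 80731,
    "level": 10,
    "field": {"audit.type": "MAC_STATUS"},
    "description": "Auditd: SELinux mode (enforcing, permissive, off) is changed",
    "groups": ["audit", "audit_selinux"],
    "pci_dss": ["10.6.1"],
}


def decode(log):
    """Return flat dynamic fields {'audit.type': ..., ...}, or {} if the header does not match."""
    m = HEADER_REGEX.match(log)
    if not m:
        return {}
    fields = dict(zip(HEADER_ORDER, m.groups()[:len(HEADER_ORDER)]))
    for key, value in KV_REGEX.findall(m.group(3)):
        fields["audit." + RENAMES.get(key, key)] = value.strip('"')
    return fields


def match_rule(rule, fields):
    """True when every <field> condition of the rule matches the decoded fields."""
    for name, pattern in rule["field"].items():
        value = fields.get(name)
        if value is None or not re.fullmatch(pattern, value):
            return False
    return True


def nest(fields):
    """Turn 'audit.type' style keys into the nested object seen in JSON alerts."""
    out = {}
    for dotted, value in sorted(fields.items()):
        parent, child = dotted.split(".", 1)
        out.setdefault(parent, {})[child] = value
    return out


def build_alert(log, rule):
    """Decode the line, evaluate the rule, and return an alert dict (None if it does not fire)."""
    fields = decode(log)
    if not fields or not match_rule(rule, fields):
        return None
    alert = nest(fields)
    alert["decoder"] = {"name": "auditd", "parent": "auditd"}
    alert["full_log"] = log
    alert["rule"] = {k: rule[k] for k in ("id", "level", "description", "groups", "pci_dss")}
    return alert


if __name__ == "__main__":
    print(json.dumps(build_alert(SAMPLE_LOG, RULE_80731), indent=2))
```

Running it prints an alert whose `audit` object carries the same six fields as the one in the thread. The point the emulation makes visible is that the rule never parses the log itself: it only names a dynamic field, so a SYSCALL record with a different `type=` value decodes fine but produces no alert, and adding a new field is a decoder change, bounded only by the field limit set in internal_options.conf.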