Using the Wazuh file integrity feature

File integrity configuration

The Wazuh File Integrity Monitoring (FIM) system watches selected files and triggers alerts when those files are modified. The component responsible for this task is called syscheck. It stores the cryptographic checksums and other attributes of files or Windows registry keys and periodically compares them with the files currently on the system in order to detect changes.

Configuring syscheck - basic usage

To configure syscheck, the list of files and directories to monitor must be decided. The check_all attribute of the directories option enables checking the file size, permissions, owner, last modification date, inode and all hash sums (MD5, SHA1 and SHA256). By default, syscheck scans a set of selected directories whose list depends on the default configuration for the host operating system.

<syscheck>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/root/users.txt,/bsd,/root/db.html</directories>
</syscheck>

New in version 4.3.0.

FIM directories can be configured with the * and ? wildcards, used just as they are in a shell or cmd terminal to list files.

<syscheck>
  <directories check_all="yes">/home/*/Downloads</directories>
</syscheck>

Configuring scheduled scans

For scheduled scans, syscheck has an option that sets the frequency of the system scan. In this example, syscheck is configured to run every 10 hours:

<syscheck>
  <frequency>36000</frequency>
  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin</directories>
</syscheck>

Configuring real-time monitoring

Real-time monitoring is configured with the realtime attribute of the directories option. This attribute applies only to directories, not to individual files. Real-time change detection is paused during a periodic syscheck scan and reactivated as soon as that scan completes:

<syscheck>
  <directories check_all="yes" realtime="yes">c:/tmp</directories>
</syscheck>

Configuring alerts for new files

To report new files added to the system, syscheck can be configured with the alert_new_files option. This feature is enabled by default on monitored Wazuh agents, even though the option does not appear in the syscheck section of the configuration:

<syscheck>
  <alert_new_files>yes</alert_new_files>
</syscheck>

Example

On the agent side, in /var/ossec/etc/ossec.conf, add /media/user/software to the monitored directories and change the scan interval to 30s:

<syscheck>
    <disabled>no</disabled>
    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>30</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/axing,/etc,/usr/bin,/usr/sbin,/media/user/software</directories>
    <directories>/axingtest</directories>
    <directories>/bin,/sbin,/boot</directories>
    <directories>/axing1</directories>
</syscheck>

Restart the agent after making the changes.

Creating a new file in that directory produces the following alert:

{
  "_index": "wazuh-alerts-4.x-2022.08.23",
  "_type": "_doc",
  "_id": "03A-y4IBjsjmrQAmTp-R",
  "_version": 1,
  "_score": null,
  "_source": {
    "syscheck": {
      "uname_after": "root",
      "mtime_after": "2022-08-23T23:06:36",
      "size_after": "6",
      "gid_after": "0",
      "mode": "scheduled",
      "path": "/media/user/software/a.txt",
      "sha1_after": "f572d396fae9206628714fb2ce00f72e94f2258f",
      "gname_after": "root",
      "uid_after": "0",
      "perm_after": "rw-r--r--",
      "event": "added",
      "md5_after": "b1946ac92492d2347c6235b4d2611184",
      "sha256_after": "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03",
      "inode_after": 134410976
    },
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "192.168.192.26",
      "name": "pabupgradetest01",
      "id": "001"
    },
    "manager": {
      "name": "sz-standalone-test-1"
    },
    "rule": {
      "firedtimes": 2,
      "mail": false,
      "level": 5,
      "pci_dss": [
        "11.5"
      ],
      "hipaa": [
        "164.312.c.1",
        "164.312.c.2"
      ],
      "tsc": [
        "PI1.4",
        "PI1.5",
        "CC6.1",
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "File added to the system.",
      "groups": [
        "ossec",
        "syscheck",
        "syscheck_entry_added",
        "syscheck_file"
      ],
      "id": "554",
      "nist_800_53": [
        "SI.7"
      ],
      "gpg13": [
        "4.11"
      ],
      "gdpr": [
        "II_5.1.f"
      ]
    },
    "location": "syscheck",
    "decoder": {
      "name": "syscheck_new_entry"
    },
    "id": "1661267227.1519319",
    "full_log": "File '/media/user/software/a.txt' added\nMode: scheduled\n",
    "timestamp": "2022-08-23T23:07:07.587+0800"
  },
  "fields": {
    "syscheck.mtime_after": [
      "2022-08-23T23:06:36.000Z"
    ],
    "timestamp": [
      "2022-08-23T15:07:07.587Z"
    ]
  },
  "sort": [
    1661267227587
  ]
}
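As an added example (my own code, not Wazuh's), the scanner below mimics what syscheck does and reproduces the attributes seen in the alert above: it records size, permissions, owner, mtime, inode and the MD5/SHA1/SHA256 sums of every file under a directory, rescans, and reports added, modified and deleted files. The directory and file contents are constructed; the 6-byte content "hello" plus a newline hashes to exactly the sums in the alert, and a same-size rewrite is caught only through the hashes.

```python
"""Syscheck-style FIM in miniature (added example, not Wazuh code): baseline, rescan, diff."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_attributes(path: Path) -> dict:
    """What syscheck stores per file with check_all: size, perms, owner, mtime, inode, hashes."""
    st, data = path.lstat(), path.read_bytes()
    return {"size": st.st_size, "perm": stat.filemode(st.st_mode)[1:],  # e.g. rw-r--r--
            "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime), "inode": st.st_ino,
            **{h: hashlib.new(h, data).hexdigest() for h in ("md5", "sha1", "sha256")}}

def scan(directory: str) -> dict:
    """One scheduled scan: walk the monitored directory and map each file path to its attributes."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            result[str(Path(root, name))] = file_attributes(Path(root, name))
    return result

def compare(baseline: dict, current: dict) -> list:
    """Diff two scans into syscheck-like events: added, deleted, modified (with what changed)."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append({"path": path, "event": "added"})
        elif path not in current:
            events.append({"path": path, "event": "deleted"})
        else:
            changed = [k for k in current[path] if baseline[path][k] != current[path][k]]
            if changed:
                events.append({"path": path, "event": "modified", "changed": changed})
    return events

def demo() -> dict:
    """Add, rewrite in place and delete a.txt between scans (constructed content, temp directory)."""
    with tempfile.TemporaryDirectory() as d:
        target, base = Path(d, "a.txt"), scan(d)  # scan_on_start on an empty directory
        target.write_bytes(b"hello\n")            # the 6 bytes whose sums appear in the alert
        cur = scan(d)                             # next scheduled scan sees the new file
        added, attrs = compare(base, cur), cur[str(target)]
        target.write_bytes(b"HELLO\n")            # same size and perms, different bytes
        new = scan(d)
        modified = compare(cur, new)              # the hashes expose the change
        target.unlink()
        deleted = compare(new, scan(d))
    return {"added": added, "attrs": attrs, "modified": modified, "deleted": deleted}
```

Running demo() yields one "added", one "modified" (with md5/sha1/sha256 among the changed attributes but not size) and one "deleted" event, the same three event types Wazuh raises for the monitored directory.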


File deletion

[image: file deletion alert]

posted @ 2022-09-29 13:32 axing的星空