* Perform more checks before enabling agentlessd, authd and csyslog output. * Add a rule and active-response action to restart agents after successfully retrieving the agent.conf file from the Wazuh manager.
<!-- Local rules -->
<!--
Used with active-response to restart an agent when agent.conf file
is successfully retrieved.
-->
<group name="local,ossec,">
<rule id="710001" level="1">
<if_group>syscheck</if_group>
<match>/var/ossec/etc/shared/agent.conf</match>
<description>agent.conf was modified</description>
</rule>
</group>
<!-- Modify it at your will. -->
<!-- Example -->
<group name="local,syslog,sshd,">
<!--
Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
-->
<rule id="100001" level="5">
<if_sid>5716</if_sid>
<srcip>1.1.1.1</srcip>
<description>sshd: authentication failed from IP 1.1.1.1.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>
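Review bot: Rule 710001 fires on `<match>/var/ossec/etc/shared/agent.conf</match>` under `<if_group>syscheck</if_group>`, and `<match>` is presumably a substring test against the whole event text, so it would also trigger for any syscheck event whose path merely contains that string and for every kind of change to the file (creation, deletion, permission change, a local edit on the agent), not only the successful pull from the manager that the commit message describes; each of those would in turn drive the agent-restart response the commit binds to this rule. The active-response configuration itself is not in this file, so confirm it is restricted to this rule id, and consider tightening the pattern (for example a `<regex>` anchored on the quoted path, if the syscheck message format permits it) so unrelated paths cannot cause restarts. The comment above the first group should also record the coupling so the id is not renumbered casually: `<!-- Rule 710001 is the trigger for the agent-restart active response; keep this id in sync with the active-response entry in ossec.conf. -->`.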