search

joshnguyen08 / cybersecurity-homelab

1 stars 0 forks source link

Configure Wazuh to detect file changes in various Windows directories on Domain User #41

Closed joshnguyen08 closed 1 day ago

joshnguyen08 commented 2 days ago

make it so any changes to temp folders in our windows machines will be monitor like file creation, modifications, etc.

joshnguyen08 commented 2 days ago 
heem-wazuh@heem-wazuh-VirtualBox:~$ sudo cat /var/ossec/etc/ossec.conf
<!--
  Wazuh - Manager - Default configuration for ubuntu 24.04
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wazuh@example.wazuh.com</email_from>
    <email_to>recipient@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>

    <ignore>/var/lib/containerd</ignore>
    <ignore>/var/lib/docker/overlay2</ignore>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>;
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
    </ssl>
  </indexer>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>127.0.0.53</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>journald</log_format>
    <location>journald</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

</ossec_config>
joshnguyen08 commented 2 days ago

Testing changes to include windows direectories

<!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>
     <!-- Windows-specific directories -->
     <directories check_all="yes" report_changes="yes" realtime="yes">C:\Windows</directories>
     <directories check_all="yes" report_changes="yes" realtime="yes">C:\Program Files</directories>
     <directories check_all="yes" report_changes="yes" realtime="yes">C:\Users</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>
joshnguyen08 commented 2 days ago

Scratch the above, we don't update the conf file of the server. We need to adjust on the conf file of the agents.

sudo nano /var/ossec/etc/shared/agent-template.conf

add this

<agent_config>
    <syscheck>
        <disabled>no</disabled>
        <frequency>43200</frequency>
        <scan_on_start>yes</scan_on_start>
        <alert_new_files>yes</alert_new_files>

        <!-- Windows-specific directories -->
        <directories check_all="yes">C:\Windows</directories>
        <directories check_all="yes">C:\Program Files</directories>
        <directories check_all="yes">C:\Users</directories>
    </syscheck>
</agent_config>
joshnguyen08 commented 2 days ago

Also go into Windows > Program Files > ossec agent > change the ossec.conf file in the windows agent as well

joshnguyen08 commented 2 days ago

Change frequency from 43200 to 5

joshnguyen08 commented 1 day ago 
<!--
  Wazuh - Agent - Default configuration for Windows
  More info at: https://documentation.wazuh.com/
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>

  <client>
    <server>
      <address>192.168.2.150</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>windows, windows10</config-profile>
    <crypto_method>aes</crypto_method>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <enrollment>
      <enabled>yes</enabled>
      <groups>default</groups>
    </enrollment>
  </client>

  <!-- Agent buffer options -->
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <!-- Security Configuration Assessment -->
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- File integrity monitoring -->
  <syscheck>

    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>5</frequency>

    <!-- Default files to be monitored. -->
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>

    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
    <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

    <!-- 32-bit programs. -->
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
    <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>
    <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">C:\Windows</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">C:\Users</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">C:\Windows\System32</directories>

    <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

    <!-- Frequency for ACL checking (seconds) -->
    <windows_audit_interval>60</windows_audit_interval>

    <!-- Nice value for Syscheck module -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <!-- CIS policies evaluation -->
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>\\server\jre\bin\java.exe</java_path>
    <ciscat_path>C:\cis-cat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
    <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\Program Files\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Choose between plain or json format (or both) for internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<!-- END of Default Configuration. -->
joshnguyen08 commented 1 day ago

Error logs in the ossec of windows agent

2024/11/23 18:03:00 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 5 seconds 2024/11/23 18:03:00 wazuh-agent: INFO: (6008): File integrity monitoring scan started. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/453df2c033d0855bbcd94a5dcb8774bdc4aad0d4/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/453df2c033d0855bbcd94a5dcb8774bdc4aad0d4/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/b989e9ef49e15d82e6445fda5e6b9b8d7caee6aa/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/b989e9ef49e15d82e6445fda5e6b9b8d7caee6aa/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/2283cfa7c5b13dcb588ff0679d618940ac17ab7e/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/2283cfa7c5b13dcb588ff0679d618940ac17ab7e/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/0739273d54fbbaa82f32c289cb35821cd0725c97/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/0739273d54fbbaa82f32c289cb35821cd0725c97/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/a68205c643895c621d5d0874efdbca281a3b8be6/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/a68205c643895c621d5d0874efdbca281a3b8be6/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/38020d609ba5809383306a0c3ca9a44c22d25c0a/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/38020d609ba5809383306a0c3ca9a44c22d25c0a/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/66e3087717e9802db5373bdce0395a790c998459/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/66e3087717e9802db5373bdce0395a790c998459/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/559a8ea4836d6e934294e11d9057a27a8ada1f9e/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/559a8ea4836d6e934294e11d9057a27a8ada1f9e/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/041aeb8a99b85807c919db7a8fc67c2100301083/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/041aeb8a99b85807c919db7a8fc67c2100301083/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/e3caaa709214fad3d13e15d4eedc04971777cefa/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/e3caaa709214fad3d13e15d4eedc04971777cefa/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/4352f4fecd175fc65692d221cbcdeb114a809699/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/4352f4fecd175fc65692d221cbcdeb114a809699/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/21f82a172122c023ce71cf3348f55c1db8433add/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/21f82a172122c023ce71cf3348f55c1db8433add/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/cd43facd3f48245e0fa7bfcf6cc3e8d3911b2852/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/cd43facd3f48245e0fa7bfcf6cc3e8d3911b2852/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/eaf4f8ab1e8e37d05a4d978ea4131b3d0ff05513/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/eaf4f8ab1e8e37d05a4d978ea4131b3d0ff05513/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/985a4187cb56a434c164658d76b882e01a9450a2/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/985a4187cb56a434c164658d76b882e01a9450a2/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:03 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/ce7f92a4349cdf9489b4617dbcee9eab84a1d953/last-entry.gz) which returned (32) 2024/11/23 18:03:03 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/ce7f92a4349cdf9489b4617dbcee9eab84a1d953/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:04 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/3b30c4b0e41a51e6cc607c770832e95333e10c18/last-entry.gz) which returned (32) 2024/11/23 18:03:04 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/3b30c4b0e41a51e6cc607c770832e95333e10c18/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:04 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/4d35d35bedde96abb7d70c8cc26f910ec8caf544/last-entry.gz) which returned (32) 2024/11/23 18:03:04 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/4d35d35bedde96abb7d70c8cc26f910ec8caf544/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:04 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/88bd1c0241139205c9324df4985b200b85bd12cd/last-entry.gz) which returned (32) 2024/11/23 18:03:04 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/88bd1c0241139205c9324df4985b200b85bd12cd/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:04 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/093b2eef1b96170a79b0c5f31a721b4f0351a726/last-entry.gz) which returned (32) 2024/11/23 18:03:04 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/093b2eef1b96170a79b0c5f31a721b4f0351a726/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:04 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/72df5dad45b32fcb3ec1eb444511031953bbeb89/last-entry.gz) which returned (32) 2024/11/23 18:03:04 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/72df5dad45b32fcb3ec1eb444511031953bbeb89/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:04 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/401f15461a40591ca2357e5568d91c05d47e9d3c/last-entry.gz) which returned (32) 2024/11/23 18:03:04 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/401f15461a40591ca2357e5568d91c05d47e9d3c/last-entry.gz' due to [(17)-(File exists)]. 2024/11/23 18:03:07 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win11_enterprise.yml' 2024/11/23 18:03:07 sca: INFO: Security Configuration Assessment scan finished. Duration: 21 seconds. 2024/11/23 18:03:17 wazuh-agent: ERROR: (6716): Could not open handle for 'c:\users\all users\microsoft\windows\lfsvc\geofence\geofenceapplicationid.dat'. Error code: 32

joshnguyen08 commented 1 day ago

It works now

joshnguyen08 commented 1 day ago

whenever it start the file integrity monitoring scan and ends, it says FIM sync module started. how can we get it to say that again so it updates my Wazuh manager

joshnguyen08 commented 1 day ago

I've concluded that eveyrthing all works. The scan seems to take long by backlogging the logs and it took about 30+ minutes to finish I reduced the lists of directories to scan such as:

 <!-- Default files to be monitored. -->
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>

    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
    <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

    <!-- 32-bit programs. -->

    <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">C:\Windows</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">C:\Users</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">C:\Windows\System32</directories>

    <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
joshnguyen08 commented 19 hours ago

Officially fixed and implemented

joshnguyen08 commented 19 hours ago 
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Windows\System32\drivers</directories>

<!-- Specific system files in System32 -->
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Windows\System32</directories>

<!-- Shared user data -->
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\Public</directories>

<!-- Program files - potential tampering -->
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Program Files</directories>

<!-- Application data - common malware target -->
<directories check_all="yes" report_changes="yes" realtime="yes">C:\ProgramData</directories>

<!-- Windows Temp folder -->
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Windows\Temp</directories>

<!-- Per-user Temp folders -->
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\*\AppData\Local\Temp</directories>