Closed iamenderst closed 1 year ago
I updated the [wazuh_socfortress_rules.sh](https://github.com/socfortress/Wazuh-Rules/blob/main/wazuh_socfortress_rules.sh) to move the newly created auditd_decoders to the /var/ossec/etc/decoders directory. Initial test looked good.
Now getting:
2023/01/03 15:05:01 wazuh-analysisd: WARNING: (7612): Rule ID '109109' is duplicated. Only the first occurrence will be considered.
2023/01/03 15:05:01 wazuh-analysisd: WARNING: (7612): Rule ID '109110' is duplicated. Only the first occurrence will be considered.
2023/01/03 15:05:01 wazuh-analysisd: WARNING: (7612): Rule ID '109111' is duplicated. Only the first occurrence will be considered.
2023/01/03 15:05:01 wazuh-analysisd: ERROR: rules_op: Invalid root element "decoder".Only "group" is allowed
2023/01/03 15:05:01 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/auditd-config_change.xml'.
wazuh-analysisd: Configuration error. Exiting
wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
wazuh-manager.service: Failed with result 'exit-code'.
Failed to start Wazuh manager.
wazuh-manager.service: Consumed 1.456s CPU time.
What is within your auditd-config_change.xml?
... that is not a file that we are providing within this repo, so not sure what the contents of that may be.
Fresh install, haven't touched the rules:
<decoder name="auditd-config_change">
  <prematch>^type=CONFIG_CHANGE</prematch>
</decoder>

<!--
type=CONFIG_CHANGE msg=audit(1672265894.539:138315): auid=4294967295 ses=4294967295 subj=unconfined op=add_rule key="T1497_Virtualization_Sandbox_Evasion_System_Checks" list=4 res=1AUID="unset"
-->

<decoder name="auditd-config_change">
  <parent>auditd-config_change</parent>
  <!--<prematch offset="after_parent">^SYSCALL </prematch>-->
  <regex offset="after_parent">msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): </regex>
  <order>audit.id</order>
</decoder>

<decoder name="auditd-config_change">
  <parent>auditd-config_change</parent>
  <regex>auid=(\S+) ses=(\S+) subj=(\S+) op=(\S+) </regex>
  <order>audit.auid,audit.session,audit.subj,audit.op</order>
</decoder>

<decoder name="auditd-config_change">
  <parent>auditd-config_change</parent>
  <regex>key=\((\S+)\)|key="(\S+)"|key=(\S+) </regex>
  <order>audit.key</order>
</decoder>

<decoder name="auditd-config_change">
  <parent>auditd-config_change</parent>
  <regex>list=(\S+)</regex>
  <order>audit.list</order>
</decoder>

<decoder name="auditd-config_change">
  <parent>auditd-config_change</parent>
  <regex>res=(\S+)</regex>
  <order>audit.res</order>
</decoder>
Deleted 200110-auditd.xml as suggested to someone else on Discord with the same issue, now I get this:
ERROR: rules_op: Invalid root element "decoder".Only "group" is allowed
CRITICAL: (1220): Error loading the rules: 'etc/rules/auditd-config_change.xml'.
Grepped out the warnings, too many.
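The two messages in this thread come from different checks in wazuh-analysisd: the CRITICAL is a file whose top-level element is `<decoder>` sitting in etc/rules (only `<group>`, plus `<var>`, is accepted there), and the 7612 warnings are rule IDs defined in more than one file. As an added example (not part of this issue or of the SOCFortress repo), a Python pre-flight check that scans a rules directory and a decoders directory for both problems before the manager is restarted; the directory layout and file contents in `demo()` are constructed, and the `auditd-config_change.xml` name and rule ID 109109 are taken from the messages above.

```python
#!/usr/bin/env python3
"""Pre-flight check for Wazuh custom rule and decoder directories: reports top-level
elements that do not belong in a directory (a <decoder> under etc/rules is what
triggers 'Invalid root element "decoder"') and rule IDs defined more than once."""
import tempfile
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

# Valid top-level elements per directory; <var> is accepted in both by Wazuh.
ALLOWED = {"rules": {"group", "var"}, "decoders": {"decoder", "var"}}

def top_level_elements(text):
    # Wazuh files hold several root elements plus comments, so they are not
    # well-formed documents: wrap them in a synthetic root before parsing.
    return list(ET.fromstring("<wazuh>" + text + "</wazuh>"))

def check_dir(path, kind):
    """Return (misplaced, rule_ids): misplaced lists (file, tag) for top-level
    elements not allowed under `kind`; rule_ids maps <rule id> to its files."""
    misplaced, rule_ids = [], defaultdict(list)
    for f in sorted(Path(path).glob("*.xml")):
        try:
            elems = top_level_elements(f.read_text())
        except ET.ParseError as exc:
            misplaced.append((f.name, f"unparseable: {exc}"))
            continue
        for el in elems:
            if el.tag not in ALLOWED[kind]:
                misplaced.append((f.name, el.tag))
            for rule in el.iter("rule"):  # a duplicate inside one file counts too
                rule_ids[rule.get("id")].append(f.name)
    return misplaced, rule_ids

def find_problems(rules_dir, decoders_dir):
    bad_rules, ids = check_dir(rules_dir, "rules")
    bad_decoders, _ = check_dir(decoders_dir, "decoders")
    dups = {i: fs for i, fs in ids.items() if len(fs) > 1}
    return bad_rules, bad_decoders, dups

def demo():
    """Constructed layout reproducing the thread: a decoder file dropped into the
    rules directory, and rule 109109 present in two rule files."""
    rule = '<group name="x"><rule id="{}" level="3"><match>a</match></rule></group>'
    dec = '<decoder name="auditd-config_change"><prematch>^type=CONFIG_CHANGE</prematch></decoder>'
    base = Path(tempfile.mkdtemp())
    (base / "rules").mkdir(); (base / "decoders").mkdir()
    (base / "rules" / "auditd-config_change.xml").write_text(dec)
    (base / "rules" / "a.xml").write_text(rule.format(109109))
    (base / "rules" / "b.xml").write_text("<!-- dup -->\n" + rule.format(109109))
    (base / "decoders" / "auditd_decoders.xml").write_text(dec)
    return find_problems(base / "rules", base / "decoders")

if __name__ == "__main__":
    print(demo())
```

Run it against /var/ossec/etc/rules and /var/ossec/etc/decoders on the manager; an empty result for all three values means a restart will not fail on either check.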
Fresh install and get the following when the script is run: