wazuh / wazuh-cloudformation

Wazuh - Amazon AWS Cloudformation
https://wazuh.com
39 stars 22 forks

Auditd rules fix #30

Closed t0wb0at closed 4 years ago

t0wb0at commented 4 years ago

Hello, dear Wazuh team!

I found that the auditd rules that wazuh-cloudformation/wazuh/cluster/wazuh_cf_worker.sh and wazuh-cloudformation/wazuh/cluster/wazuh_cf_master.sh create are not correct because of the wrong user:

the_uid=$(id -u wazuh)

Should it be changed to this?:

the_uid=$(id -u ossec)

Thanks!

manuasir commented 4 years ago

Hello @t0wb0at,

In that fragment of code, we select the user whose actions and commands we want to be monitored by Audit. For this case, we use wazuh (the SSH user) so it's not very verbose.

I hope that helps, Regards
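Added example, not part of this thread and not the project's own script: a sketch of resolving the monitored account's uid before writing audit rules, so that a missing account stops the script instead of producing a rule with an empty uid. The `euid` filter, the `execve` syscall, the key name `audit-wazuh-c` and the function name are assumptions; the thread only shows the `id -u` line.

```shell
#!/bin/sh
# Added example: build execve audit rules for one account, refusing to emit
# anything when the account cannot be resolved to a numeric uid.
# Assumptions (not from the thread): the euid filter, the execve syscall,
# the key name "audit-wazuh-c" and the function name.

audit_rules_for_user() {
    user="$1"
    # id -u prints nothing and returns non-zero for an unknown account.
    # Without this check the rule would be written with an empty uid value
    # and the rules file would be malformed.
    if ! uid=$(id -u "$user" 2>/dev/null); then
        echo "audit rules: no such user: $user" >&2
        return 1
    fi
    case "$uid" in
        ''|*[!0-9]*)
            echo "audit rules: non-numeric uid for $user" >&2
            return 1
            ;;
    esac
    # One rule per ABI so 32-bit binaries on a 64-bit host are also covered.
    for arch in b32 b64; do
        printf '%s\n' "-a exit,always -F euid=$uid -F arch=$arch -S execve -k audit-wazuh-c"
    done
}

# Demo on an account that exists on any Linux host (constructed input).
# In a provisioning script the output would be appended to the rules file
# only when the function succeeds.
audit_rules_for_user root
```

Choosing a different account, as the issue proposes, only changes the argument; the existence check matters most when the account is created by an earlier provisioning step that may not have run.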

t0wb0at commented 4 years ago

Hi, @manuasir!

Ok, thanks for the clarification! I hope I'll be more useful for the Wazuh project next time) Thanks for your amazing job!

manuasir commented 4 years ago

Thanks @t0wb0at! I appreciate your interest. Don't hesitate to open a new issue/PR whenever you may need it.

Cheers