Add good practices manual

[mikykeane]

The aim is to add a good practices guide to the documentation, making it easier for users to know how to handle their systems, what files should they pay more attention to and which files need regular back-ups.

Paying special attention to the files and folders they should back-up when making important changes, like a kernel upgrade:

/var/ossec/api/configuration
/var/ossec/etc
/var/ossec/logs
/var/ossec/queue/rootcheck
/var/ossec/queue/agent-groups
/var/ossec/queue/agent-info
/var/ossec/queue/agents-timestamp
/var/ossec/queue/agentless
/var/ossec/queue/cluster
/var/ossec/queue/rids
/var/ossec/queue/fts
/var/ossec/var/multigroups

These other 2 while the Wazuh service is stopped:

/var/ossec/var/db/global.db
/var/ossec/queue/db

And also consider making regular back-ups of the client.keys file.

To know how to check that all of wazuh services are running correctly. For example:

[root@master ~]# ps aux | grep ossec
ossec     2561  0.0  1.0 926524 41668 ?        Ssl  13:38   0:00 /bin/node /var/ossec/api/app.js
root      3127  0.0  0.0 178072  3596 ?        Sl   13:38   0:01 /var/ossec/bin/ossec-authd
ossec     3141  0.0  0.1 636768  4392 ?        Sl   13:38   0:17 /var/ossec/bin/wazuh-db
root      3161  0.0  0.0  30476  1432 ?        Sl   13:38   0:00 /var/ossec/bin/ossec-execd
ossec     3175  0.0  0.8 780188 32252 ?        Sl   13:38   0:13 /var/ossec/bin/ossec-analysisd
root      3182  0.0  0.1 179936  4272 ?        Sl   13:38   0:08 /var/ossec/bin/ossec-syscheckd
ossecr    3196  0.2  0.0 442052  2964 ?        Sl   13:38   0:49 /var/ossec/bin/ossec-remoted
root      3207  0.1  0.0 399132  1964 ?        Sl   13:38   0:27 /var/ossec/bin/ossec-logcollector
ossec     3236  0.0  0.0  30448  1428 ?        Sl   13:38   0:01 /var/ossec/bin/ossec-monitord
root      3270  0.1  0.4 573292 17044 ?        Sl   13:38   0:35 /var/ossec/bin/wazuh-modulesd
ossec     3332  0.1  0.5 209320 20120 ?        S    13:38   0:18 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/wazuh-clusterd.py
root     31797  0.0  0.0 112712   964 pts/0    R+   18:44   0:00 grep --color=auto ossec

And what to do if any of these services are down.

[mikykeane]

The language is not consistently rigorous. This is a guide that is likely to be very popular so it should be very clean since it will be considered authoritative.

So for example (there are more) the following phrases need work:

• human error proved
• we will lay some of
  • is leaving the option

Missing items:

• It doesn't mention the default command monitoring running the df -h that will generate an alert when disk space reaches 90%+ usage.
• How to perform log lifecycle in the Wazuh logs (cronjob to remove old logs) Recomendations on security: links to securing the Wazuh API and securing your data on elasticsearch
• Agent registration service should be configured to have use password or certificate.
  • Good practices on syscheck configurations that don't consume too many resources (avoiding constantly changing files like logs or temporary files, folders with too many files, etc).
  • A mention on configuration management via centralized configuration

[mikykeane]

https://github.com/wazuh/wazuh-documentation/tree/3.11-good-practices

[jctello]

Another set of suggestions:

• Custom rules and decoders
  • They should always be placed in their respective /var/ossec/etc/{decoders,rules}/ folders
  • Custom Rules should have IDs between 100,000 and 119,999
  • They should not be overreaching (regex should not capture logs not related to the events we are trying to capture).