Configuration
The Linux Audit system generates numerous events for write access, read access, execute access, attribute change, or system call rules. ThreatLockDown relies on the key argument in audit rules because it is difficult to distinguish audit events using rules and decoders alone. As previously explained, each audit rule can add a descriptive key value to identify which rule generated a particular audit log entry. ThreatLockDown uses a CDB list to determine the type of audit rule that fired. This list has the following syntax:
<KEY_NAME>:<VALUE>

where:

<KEY_NAME> is the string you used in the -k argument of a file system or system call rule.
<VALUE> is one of the following values:
    write: File system rules with -p w.
    read: File system rules with -p r.
    execute: File system rules with -p x.
    attribute: File system rules with -p a.
    command: System call rules.
ThreatLockDown server
By default, ThreatLockDown includes an audit CDB list. This CDB list contains audit keys that map against write, read, attribute change, execution, and command events.
Run the command below to view the content of the CDB list:
# cat /var/ossec/etc/lists/audit-keys
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command
You can add your custom key with its value to the list like this:
# echo "<YOUR_KEY>:<VALUE>" >> /var/ossec/etc/lists/audit-keys
Where <YOUR_KEY> is the key set in the audit rule and <VALUE> is the value ThreatLockDown uses to process the event.
Restart the ThreatLockDown manager any time you modify the CDB list:
# systemctl restart wazuh-manager
Out-of-the-box rules for Audit events are located in the /var/ossec/ruleset/rules/0365-auditd_rules.xml file on the ThreatLockDown server.
Monitored endpoint
To use the Linux Audit system, you must install the audit package on your endpoint. If you do not have this package installed, execute the command for your distribution as the root user to install it:

RPM-based distributions (yum):
# yum install -y auditd

Debian-based distributions (apt):
# apt install -y auditd
Note
If the audit package is already present on the endpoint before installing the ThreatLockDown agent, the actions below should not be performed. The agent installer adds this configuration by default.
Add the configuration below to the ThreatLockDown agent configuration file /var/ossec/etc/ossec.conf. This configures ThreatLockDown to read the audit log file to process events the Linux Audit system detects:

<localfile>
  <log_format>audit</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>
Restart the ThreatLockDown agent to apply the changes:
# systemctl restart wazuh-agent
Create proper audit rules using the auditctl command or the audit rules file.
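The audit keys CDB list described above and the -k keys in your audit rules only work together if every key used in a rule appears in the list with a value that matches the rule's access type; a rule whose key is missing from the list produces events that cannot be classified. The following is an added example, not part of the ThreatLockDown documentation or product, that validates the <KEY_NAME>:<VALUE> syntax of a list and cross-checks it against rules written in auditctl syntax. The sample list and rules are constructed here for illustration (they are not the shipped audit-keys file), and the checker only recognises the -k, -p and -S forms shown on this page.

```python
import re
from typing import Dict, List, Tuple

# Values permitted in the <VALUE> position of the CDB list.
VALID_VALUES = {"write", "read", "execute", "attribute", "command"}
# Permission letters accepted by -p, mapped to the CDB value they imply.
PERM_TO_VALUE = {"w": "write", "r": "read", "x": "execute", "a": "attribute"}

# Constructed sample list: the five default-style entries plus one bad entry.
SAMPLE_AUDIT_KEYS = """\
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command
broken-key:writes
"""

# Constructed sample rules in auditctl syntax: four consistent rules,
# one rule whose key is absent from the list, and one rule with no key.
SAMPLE_AUDIT_RULES = """\
-w /etc/passwd -p wa -k audit-wazuh-w
-w /usr/bin/ -p x -k audit-wazuh-x
-w /etc/ssh/sshd_config -p r -k audit-wazuh-r
-a always,exit -F arch=b64 -S execve -k audit-wazuh-c
-w /tmp -p w -k untracked-key
-w /etc/hosts -p w
"""


def parse_cdb_list(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse <KEY_NAME>:<VALUE> lines; return (key -> value, list of errors)."""
    mapping: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep or not key or not value:
            errors.append(f"line {lineno}: expected <KEY_NAME>:<VALUE>, got {line!r}")
            continue
        if value not in VALID_VALUES:
            errors.append(f"line {lineno}: unknown value {value!r} for key {key!r}")
            continue
        if key in mapping:
            errors.append(f"line {lineno}: duplicate key {key!r}")
            continue
        mapping[key] = value
    return mapping, errors


KEY_RE = re.compile(r"(?:^|\s)-k\s+(\S+)")
PERM_RE = re.compile(r"(?:^|\s)-p\s+([rwxa]+)")
SYSCALL_RE = re.compile(r"(?:^|\s)-S\s+\S+")


def check_rules(rules_text: str, mapping: Dict[str, str]) -> List[str]:
    """Report rules whose key is missing from the list or whose value
    does not match the access type the rule watches."""
    findings: List[str] = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key_m = KEY_RE.search(line)
        if not key_m:
            findings.append(f"rule {lineno}: no -k key, events cannot be classified")
            continue
        key = key_m.group(1)
        value = mapping.get(key)
        if value is None:
            findings.append(f"rule {lineno}: key {key!r} not in CDB list")
            continue
        perm_m = PERM_RE.search(line)
        if perm_m:
            # File system rule: the value must be one of the access types in -p.
            expected = {PERM_TO_VALUE[c] for c in perm_m.group(1)}
            if value not in expected:
                findings.append(
                    f"rule {lineno}: key {key!r} maps to {value!r} "
                    f"but -p {perm_m.group(1)} implies {sorted(expected)}")
        elif SYSCALL_RE.search(line) and value != "command":
            findings.append(
                f"rule {lineno}: system call rule key {key!r} maps to "
                f"{value!r}, expected 'command'")
    return findings


if __name__ == "__main__":
    keys, list_errors = parse_cdb_list(SAMPLE_AUDIT_KEYS)
    for err in list_errors:
        print("CDB list:", err)
    for finding in check_rules(SAMPLE_AUDIT_RULES, keys):
        print("audit rules:", finding)
```

To run this against a real deployment, replace the two sample strings with the contents of /var/ossec/etc/lists/audit-keys and your audit rules file; any finding means the CDB list needs an entry (and a manager restart) before the corresponding events will be classified correctly.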
Linux audit alerts are displayed in the Threat Hunting module of the ThreatLockDown dashboard.