I'm monitoring my servers using Wazuh 4.1.x. My servers are Ubuntu and CentOS. They are also monitored using Icinga2 and the NRPE agent. Wazuh is logging all sudo authentications or commands run with sudo (which is fine). But since some of the NRPE commands need to be executed with sudo, I would like to ignore all the sudo requests from the nagios user. What I've tried so far is this:
I've added a custom group and a custom rule in /var/ossec/etc/rules/local_rules.xml like this:
<group name="exceptions,">
  <rule id="101101" level="0">
    <if_sid>5402</if_sid>
    <match>sudo: nagios</match>
    <description>Ignore sudo auth for nagios user</description>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
  <rule id="101102" level="0">
    <if_sid>5402</if_sid>
    <match>sudo: nrpe</match>
    <description>Ignore sudo auth for nrpe user</description>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>
5402 is the default sudo rule from Wazuh.
In alerts.log I can see this for sudo:
Aug 19 23:05:25 reports sudo: nrpe : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/check_procs -c 1: -C nrpe
Aug 19 23:05:25 reports sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 20 00:51:27 transfer sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 20 00:51:27 transfer sudo: pam_unix(sudo:session): session closed for user root
** Alert 1629414327.485693326: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed.'
Aug 20 00:51:27 transfer sudo: nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib/nagios/plugins/check_procs -c 1: --ereg-argument-array=SERVER
I'm unable to figure out why the rules are not applied or what I'm doing wrong. I've also searched the logs for rules 101101 or 101102 and found nothing, so I assume they're not actually applied.
UPDATE: I also tried this kind of rule:
<group name="exceptions,">
  <rule id="101101" level="0" frequency="5" timeframe="60">
    <if_matched_sid>5407</if_matched_sid>
    <match> nrpe :</match>
    <description>Ignore sudo auth for nagios user.</description>
    <options>no_log</options>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
  <rule id="101102" level="0" frequency="5" timeframe="60">
    <if_matched_sid>5407</if_matched_sid>
    <match> nrpe : </match>
    <description>Ignore sudo auth for nrpe user.</description>
    <options>no_log</options>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>
Apparently rule 5402 is for sudo executed by root and 5407 is for sudo executed by a regular user. Anyway, still not working...
The same rule matches if I use <hostname>hostname</hostname>, but that implies it will ignore all sudo from that host and not only from the nagios/nrpe user.
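As an added illustration (not part of the original post and not Wazuh's own code), the script below approximates what Wazuh's syslog pre-decoder does with the lines quoted above: it peels off the timestamp, hostname and program name, and leaves the remainder as the `log` field that a rule's <match> is tested against. Decoding the sudo body into srcuser/dstuser/command is my own regex, constructed to mirror the shape of the quoted lines, and the sample log lines are constructed from the alerts.log excerpt in the question. Running it shows which of the match strings tried above would actually fire against the decoded `log` field, and gives a field-based check (by decoded source user) that a defender could use to decide whether a sudo event belongs to the monitoring account.

```python
import re

# Constructed sample lines, shaped like the alerts.log excerpt in the post.
SAMPLE_LINES = [
    "Aug 19 23:05:25 reports sudo: nrpe : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/lib64/nagios/plugins/check_procs -c 1: -C nrpe",
    "Aug 20 00:51:27 transfer sudo: nagios : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/lib/nagios/plugins/check_procs -c 1: --ereg-argument-array=SERVER",
    "Aug 20 00:51:27 transfer sudo: pam_unix(sudo:session): session opened for user root by (uid=0)",
    # Constructed: an interactive sudo by a human account, which must NOT be suppressed.
    "Aug 20 01:10:02 transfer sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
]

# Assumption: syslog header = "<Mon dd HH:MM:SS> <hostname> <program>[pid]: <log>".
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^:\[]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

# Hypothetical sudo body decoder (my regex, not Wazuh's 0080-sudo decoder).
SUDO_BODY = re.compile(
    r"^(?P<srcuser>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<dstuser>\S+) ; COMMAND=(?P<command>.*)$"
)


def decode(line):
    """Split one syslog line the way the pre-decoder does: header fields are
    separated out and `log` is the message body after "program: ".
    The sudo body, when present, is further decoded into named fields."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        # Not syslog-shaped: the whole line is the log body.
        return {"full_log": line, "log": line}
    event = {"full_log": line, **m.groupdict()}
    body = SUDO_BODY.match(event["log"])
    if event["program_name"] == "sudo" and body:
        event.update(body.groupdict())
    return event


def match_fires(event, pattern):
    """Emulate a plain <match> string: a literal substring test against the
    decoded `log` field. Only the leading ^ anchor is honoured here
    (assumption: no other special characters are used in the pattern)."""
    log = event["log"]
    if pattern.startswith("^"):
        return log.startswith(pattern[1:])
    return pattern in log


def is_monitoring_sudo(event, users=("nagios", "nrpe")):
    """Field-based check: a sudo command event whose source user is one of the
    monitoring accounts. Using the decoded user rather than a substring keeps
    a human running sudo from being suppressed by accident."""
    return event.get("program_name") == "sudo" and event.get("srcuser") in users


def evaluate(lines, patterns):
    """For each line return (srcuser or None, {pattern: fired?}, monitoring?)."""
    results = []
    for line in lines:
        ev = decode(line)
        results.append((
            ev.get("srcuser"),
            {p: match_fires(ev, p) for p in patterns},
            is_monitoring_sudo(ev),
        ))
    return results


if __name__ == "__main__":
    # The match strings tried in the post, plus an anchored variant for comparison.
    tried = ["sudo: nagios", "sudo: nrpe", " nrpe :", "^nrpe :", "^nagios :"]
    for line in SAMPLE_LINES:
        ev = decode(line)
        print("log field seen by <match>:", repr(ev["log"]))
        for p in tried:
            print(f"  {p!r:16} -> {match_fires(ev, p)}")
        print("  monitoring account sudo:", is_monitoring_sudo(ev))
```

The point the output makes is that the string "sudo:" never appears in the `log` field the rule is matched against, because it has already been consumed as the program name, and that the body starts directly with the user name, so a pattern with a leading space does not match either. Matching on the decoded source user (or anchoring on the user name at the start of the body) scopes the exception to the monitoring account instead of to the whole host.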