I'm monitoring my servers using Wazuh 4.1.x. My servers are Ubuntu and CentOS. They are also monitored using Icinga2 and the NRPE agent. Wazuh is logging all sudo authentications or commands run with sudo (which is fine). But since some of the NRPE commands need to be executed with sudo, I would like to ignore all the sudo requests from the nagios user. What I've tried so far is this:

I've added a custom group and a custom rule in /var/ossec/etc/rules/local_rules.xml like this:

<group name="exceptions,">
  <rule id="101101" level="0">
    <if_sid>5402</if_sid>
    <match>sudo:   nagios</match>
    <description>Ignore sudo auth for nagios user</description>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
  <rule id="101102" level="0">
    <if_sid>5402</if_sid>
    <match>sudo:    nrpe</match>
    <description>Ignore sudo auth for nagios user</description>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

5402 is the default sudo rule from Wazuh.

In alerts.log I can see this for sudo:

Aug 19 23:05:25 reports sudo:    nrpe : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib64/nagios/plugins/check_procs -c 1: -C nrpe
Aug 19 23:05:25 reports sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 20 00:51:27 transfer sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 20 00:51:27 transfer sudo: pam_unix(sudo:session): session closed for user root
** Alert 1629414327.485693326: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed.'
Aug 20 00:51:27 transfer sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib/nagios/plugins/check_procs -c 1: --ereg-argument-array=SERVER

I'm unable to figure out why the rules are not applied or what I'm doing wrong. I've also searched the logs for rules 101101 or 101102 and found nothing, so I assume they're not actually applied.

UPDATE: Also tried with this kind of rule:

<group name="exceptions,">
  <rule id="101101" level="0" frequency="5" timeframe="60">
    <if_matched_sid>5407</if_matched_sid>
    <match>   nrpe :</match>
    <description>Ignore sudo auth for nagios user.</description>
    <options>no_log</options>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
  <rule id="101102" level="0" frequency="5" timeframe="60">
    <if_matched_sid>5407</if_matched_sid>
    <match>   nrpe : </match>
    <description>Ignore sudo auth for nrpe user.</description>
    <options>no_log</options>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Apparently rule 5402 is for sudo executed by root and 5407 is for sudo executed by a regular user. Anyway, still not working...

The same rule matches if I use <hostname>hostname</hostname>, but that implies that it will ignore all sudo from that host and not only for the nagios/nrpe user.

Bogdan Stoica

1 Answer

In the end I came up with a mixed solution: Wazuh + Linux PAM settings.

For the Wazuh manager, I've added the rule below in /var/ossec/etc/rules/local_rules.xml:

<group name="exceptions,">
  <rule id="101101" level="0">
    <if_sid>5402</if_sid>
    <regex>^  nagios|^   nrpe</regex>
    <description>Ignore sudo auth for nagios|nrpe user.</description>
    <options>no_log</options>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

What it does is ignore logging of sudo commands executed by users nagios|nrpe.

As for getting rid of the messages generated after a sudo command executed by nagios/nrpe (session opened|closed for user root), you can suppress these messages from appearing in /var/log/auth.log (Ubuntu/Debian) or /var/log/secure (CentOS/Fedora/RedHat) like this:

For Ubuntu/Debian:

Edit /etc/pam.d/sudo and make it look like this:

...
@include common-account
session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = nagios
@include common-session-noninteractive

For CentOS/Fedora/RedHat:

Edit /etc/pam.d/system-auth and make it look like this:

...
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = nrpe
session     required      pam_unix.so

This way all the commands executed with sudo by users nagios|nrpe are not logged anymore. If any other user executes commands with sudo, those will be logged.

As for Wazuh, alerts.log is not polluted anymore, and actions like sudo: nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib/nagios/plugins/check_blabla are ignored and not logged.

Alternatively, you could ignore only some specific commands like:

<group name="exceptions,">
  <rule id="101102" level="0">
    <if_sid>5402</if_sid>
    <field name="command">/usr/lib/nagios/plugins/check_procs|/usr/lib64/nagios/plugins/check_procs</field>
    <description>Rule to ignore sudo command check_procs from nagios|nrpe</description>
    <options>no_log</options>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Probably the same could have been achieved simply with Wazuh custom rules or in a more elegant manner. For what it's worth, it works just fine.

I hope it helps!

Bogdan Stoica
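The following is an added example, written for this page and not code from the poster or from Wazuh. It models in Python what the question and the answer together illustrate: the syslog pre-decoder strips the "sudo: " program prefix before a rule's <match> or <regex> is tested, so the question's pattern `sudo:   nagios` never fires while the answer's anchored `^  nagios|^   nrpe` does, because the decoded text begins with the padded username. It also contrasts the answer's two level-0 overrides: the user-based rule (reused here as 101101) silences everything the monitoring accounts run through sudo, whereas the command-based alternative (101102) keeps alerting when nagios or nrpe invoke something outside the plugin directories. The first three sample lines are the question's own log excerpt; the other two lines, and the functions `decode`, `classify`, `why_match_failed` and `alerting_lines`, are constructed for the example.

```python
# Added example: a small model of how a syslog pre-decoder and a rule chain
# see sudo records. Not Wazuh's code. Assumption modelled here: the "sudo: "
# program prefix is removed before <match>/<regex> are tested, and the sudo
# decoder yields the fields srcuser, dstuser and command.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines 1-3 are copied from the question's alerts.log excerpt; lines 4-5 are
# constructed: a regular user, and a monitoring account running a non-plugin.
SAMPLE_LOG = (
    "Aug 19 23:05:25 reports sudo:    nrpe : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/lib64/nagios/plugins/check_procs -c 1: -C nrpe\n"
    "Aug 19 23:05:25 reports sudo: pam_unix(sudo:session): session opened for user root by (uid=0)\n"
    "Aug 20 00:51:27 transfer sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/lib/nagios/plugins/check_procs -c 1: --ereg-argument-array=SERVER\n"
    "Aug 20 01:12:03 transfer sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash\n"
    "Aug 20 01:13:44 transfer sudo:    nrpe : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/bash\n"
)

# Syslog header: timestamp, host, program[pid]: message. Only the message
# remains for rule matching, exactly like the pre-decoder's behaviour.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sudo's command record: "<srcuser> : TTY=.. ; PWD=.. ; USER=<dstuser> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^\s*(?P<srcuser>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<dstuser>\S+) ; COMMAND=(?P<command>.*)$"
)

MONITORING_USERS = frozenset({"nagios", "nrpe"})
PLUGIN_DIRS = ("/usr/lib/nagios/plugins/", "/usr/lib64/nagios/plugins/")


@dataclass
class SudoEvent:
    host: str
    log: str       # the text a rule's <match>/<regex> is tested against
    srcuser: str
    dstuser: str
    command: str


def decode(line: str) -> Optional[SudoEvent]:
    """Pre-decode the syslog header, then decode sudo's command record.
    Returns None for anything else (e.g. the pam_unix session lines)."""
    m = SYSLOG_RE.match(line)
    if not m or m["prog"] != "sudo":
        return None
    s = SUDO_RE.match(m["msg"])
    if not s:
        return None
    return SudoEvent(m["host"], m["msg"], s["srcuser"], s["dstuser"], s["command"])


def why_match_failed() -> Tuple[bool, bool]:
    """(question's <match> fires, answer's <regex> fires) on the nagios record.
    <match> is a substring test, <regex> an anchored pattern; both see the
    message with "sudo: " already removed."""
    ev = decode(SAMPLE_LOG.splitlines()[2])
    return ("sudo:   nagios" in ev.log, re.search(r"^  nagios|^   nrpe", ev.log) is not None)


def verdict(ev: SudoEvent, restrict_to_plugins: bool) -> Tuple[str, int]:
    """(rule_id, level) for a sudo-to-root record. 5402/level 3 is the stock
    rule quoted on the page; 101101 (by user) and 101102 (by command) stand
    for the two level-0 overrides in the answer."""
    program = ev.command.split(" ", 1)[0]
    if ev.srcuser in MONITORING_USERS:
        if not restrict_to_plugins:
            return ("101101", 0)       # silences everything nagios/nrpe run via sudo
        if program.startswith(PLUGIN_DIRS):
            return ("101102", 0)       # silences only the plugin invocations
    return ("5402", 3)


def classify(line: str, restrict_to_plugins: bool) -> Optional[Tuple[str, int]]:
    ev = decode(line)
    if ev is None or ev.dstuser != "root":
        return None                    # not a sudo-to-root command record
    return verdict(ev, restrict_to_plugins)


def alerting_lines(log: str, restrict_to_plugins: bool) -> List[Tuple[str, str, str]]:
    """(host, srcuser, command) for every record that still raises an alert."""
    out = []
    for line in log.splitlines():
        ev, v = decode(line), classify(line, restrict_to_plugins)
        if v is not None and v[1] > 0:
            out.append((ev.host, ev.srcuser, ev.command))
    return out


if __name__ == "__main__":
    print("question <match> fired, answer <regex> fired:", why_match_failed())
    for mode in (False, True):
        print("restrict_to_plugins=%s ->" % mode, alerting_lines(SAMPLE_LOG, mode))
```

Running the block prints `(False, True)` for the two patterns and shows that with the user-based override only alice's `/bin/bash` still alerts, while the command-based override also keeps the alert for nrpe running `/bin/bash`. That is the trade-off the answer's "alternatively" rule addresses: an exception keyed on the monitoring account alone hides anything done with that account's sudo rights, whereas one keyed on the plugin command (the answer already uses the decoder's `command` field; the source user is available as `srcuser` in the same decoder) removes only the expected noise. The manager's logtest tool shows the decoded fields for a pasted line, which is the quickest way to see what text a `<match>` or `<regex>` will actually be tested against.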