
I am using Wazuh and I want to monitor Linux processes; more specifically, I want to alert on the start of any new process. Is that doable?

At first I tried to make a rule in Wazuh that will tell me if any program started:

```xml
<local_rules>
  <group name="syslog,">
    <rule id="9999" level="10">
      <program_name>.*</program_name>
      <!-- source_name is not a standard Wazuh rule tag (see the doubt below) -->
      <source_name>syslog</source_name>
      <!-- Wazuh rules carry their text in <description>, not <option name="description"> -->
      <description>Process monitoring rule.</description>
    </rule>
  </group>
</local_rules>
```

I'm not sure if the `source_name` tag is correct; plus, I just want to alert on the start of processes and not services, so I tried this bash script:

```bash
#!/bin/bash
# comp.sh NEW OLD: print every "PID CMD" line of NEW that is not in OLD.
# The caller passes f1.txt (current snapshot) first and f2.txt (previous) second.

file1="$1"   # current snapshot: the file we read line by line
file2="$2"   # previous snapshot: the file we look each line up in

while IFS= read -r line; do
    # -x: whole-line match, -F: literal string (so "1 bash" does not match "11 bash")
    grep -qxF -- "$line" "$file2" || echo "New process ID was found: $line"
done < "$file1"
```

```bash
#!/bin/bash

while true; do
    # Create new f1.txt file (PID and CMD columns of ps -e)
    ps -e | awk '{print $1, $4}' > f1.txt

    # Compare f1.txt with last f2.txt file
    if [ -f f2.txt ]; then
        ./comp.sh f1.txt f2.txt >> result.txt
    fi

    # Rename f1.txt to f2.txt
    mv f1.txt f2.txt

    # Sleep for 1 second
    sleep 1
done
```

But when I use it, it detects the processes that started because of the script itself, and I don't know what to do now to solve this.

  • Kudos to you for trying to solve your problem and for trying multiple approaches. I have no experience with `wazuh`, so I will focus on comments about your existing code. I'm guessing that the first `#!/bin/bash` block is the `comp.sh` command called in your 2nd `#!/bin/bash` block? (People often precede such code with `cat comp.sh`.) I don't see any advantage to using `sh comp.sh f1 f2` (and only headaches later on if you continue this practice) when you can just use `./comp.sh f1 f2` (leaving out `.txt` to save space, oops!), or, if it is stored in a directory already in your PATH, .... – shellter Mar 28 '23 at 16:13
  • then `comp.sh f1 f2`. But `man comm`, `man diff` and do some other research about the *nix utilities `comm` and `diff`, as they are designed for such problems. .... You can filter the output of `ps -e` to exclude the name of your script simply with `ps -e | grep -v 'myMonitorScript'`, and if you need to exclude multiple items, you can "or" them together like `grep -v 'item1|item2|item3|...'` OR make a file that you use like `ps -e | grep -vf excludeList.txt`. And there are certainly other tools for doing this. Hopefully other readers will chime in; I'm not certain of a tool to recommend. Good Luck! – shellter Mar 28 '23 at 16:24
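One way to put the asker's snapshot-diff idea and shellter's `comm` suggestion together so that the monitor stops reporting its own helper processes, as an added example rather than the asker's scripts; it assumes a `ps` that accepts `-o pid=,ppid=,comm=` (procps or BSD), and ignores the script's direct children only.

```bash
#!/bin/bash
# Added example: snapshot/diff process monitor that ignores its own helpers.
export LC_ALL=C   # same collation for sort and comm

# filter_self SELF_PID: reads "PID PPID COMMAND" lines on stdin, drops the
# monitor itself and its direct children (the ps/awk/sort/comm it forks each
# round), and prints sorted "PID COMMAND" lines ready for comm.
filter_self() {
    awk -v self="$1" '$1 != self && $2 != self { print $1, $3 }' | sort
}

# snapshot SELF_PID: current process table in the filtered form above.
snapshot() {
    ps -e -o pid=,ppid=,comm= | filter_self "$1"
}

# new_processes OLD NEW: lines present in NEW but absent from OLD.
# A reused PID running a different command also shows up here, which is
# the right call for an alert feed.
new_processes() {
    comm -13 "$1" "$2"
}

# exited_processes OLD NEW: lines present in OLD but absent from NEW.
exited_processes() {
    comm -23 "$1" "$2"
}

# monitor_loop: poll once per second and print each newly seen process.
monitor_loop() {
    old=$(mktemp) new=$(mktemp)
    trap 'rm -f "$old" "$new"' EXIT
    snapshot "$$" > "$old"
    while :; do
        sleep 1
        snapshot "$$" > "$new"
        new_processes "$old" "$new" | sed 's/^/New process: /'
        mv "$new" "$old"
    done
}

# Run the loop only when invoked as "./monitor.sh run" so the functions can
# also be sourced and tested on their own.
if [ "${1-}" = "run" ]; then
    monitor_loop
fi
```

Polling at one-second intervals still misses processes that start and exit between two snapshots; for that level of coverage the kernel's audit/execve tracing is the tool, not `ps`.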

0 Answers