Tags: regex, rules, wazuh

Modification of an ossec rule to increase its level


I'm trying to modify a rule in 0015-ossec_rules.xml

<rule id="10550" level="10">
<if_sid>550</if_sid>
<regex>/home/.*/\.ssh/</regex>
<description>Integrity checksum changed in /home/*/.ssh/</description>
</rule>

but when I make a modification to the .ssh directory of any user, the alert comes from

<rule id="550" level="7">
<category>ossec</category>
<decoded_as>syscheck_integrity_changed</decoded_as>
<description>Integrity checksum changed.</description>
<mitre>
  <id>T1565.001</id>
</mitre>
<group>syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c</group>
</rule>

Any ideas? Thanks.


Solution

  • It looks like you're trying to increase the alert level for changes in the .ssh directories by creating a child rule derived from rule 550. To ensure the new rule triggers correctly, you should specify that the regex applies to the file field, which contains the path of the changed file. Here's how you can modify your rule:

    <rule id="100002" level="8">
        <if_sid>550</if_sid>
        <field name="file" type="pcre2">^/home/.*/\.ssh/</field>
        <description>Integrity checksum changed in /home/*/.ssh/</description>
    </rule>

    This should ensure that any integrity changes within /home/.*/.ssh/ directories trigger a higher-level alert. For more detailed guidance on working with File Integrity Monitoring (FIM) alerts, refer to our documentation on creating custom FIM rules.

    I hope this helps.
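To see why the `<field name="file">` condition is what makes the child rule fire, here is an added example (not part of the original thread and not Wazuh's own rule engine): a small Python model that loads the answer's child rule from local_rules.xml-style XML, treats rule 550 as the parent that every syscheck "integrity changed" event hits, and then checks whether the child's pattern matches the decoded `file` field of each constructed event. The `PARENT_RULE` dict, the `SAMPLE_EVENTS` list and the use of Python's `re` in place of PCRE2 are assumptions for illustration; for this particular pattern the two regex dialects behave identically.

```python
"""Simplified model of a Wazuh parent/child FIM rule evaluation.

Added example, not Wazuh code. It shows that a child rule with
<if_sid>550</if_sid> and a <field name="file"> pattern replaces the
parent alert only when the decoded `file` field matches.
"""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the built-in parent rule 550 (level 7).
PARENT_RULE = {"id": "550", "level": 7, "description": "Integrity checksum changed."}

# The child rule from the answer, as it would sit in local_rules.xml.
LOCAL_RULES_XML = r"""
<group name="local,syscheck,">
  <rule id="100002" level="8">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">^/home/.*/\.ssh/</field>
    <description>Integrity checksum changed in /home/*/.ssh/</description>
  </rule>
</group>
"""


def load_child_rules(xml_text):
    """Parse <rule> elements into dicts with a compiled field pattern."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        field = r.find("field")
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": r.findtext("if_sid"),
            # Name of the decoded field the pattern is tested against (e.g. "file").
            "field": field.get("name") if field is not None else None,
            # Python `re` stands in for PCRE2 here (assumption; identical for this pattern).
            "pattern": re.compile(field.text) if field is not None else None,
            "description": r.findtext("description"),
        })
    return rules


def evaluate(event, child_rules):
    """Return (rule_id, level, description) for a decoded syscheck event, or None.

    Model: parent 550 matches every syscheck_integrity_changed event; a child
    whose if_sid is the current winner replaces it when its <field> pattern
    matches the named decoded field.
    """
    if event.get("decoder") != "syscheck_integrity_changed":
        return None
    winner = PARENT_RULE
    for rule in child_rules:
        if rule["if_sid"] != winner["id"] or rule["field"] is None:
            continue
        value = event.get(rule["field"], "")
        if rule["pattern"].search(value):
            winner = rule
            break
    return winner["id"], winner["level"], winner["description"]


# Constructed sample events: only the decoded fields the rule engine sees.
SAMPLE_EVENTS = [
    {"decoder": "syscheck_integrity_changed", "file": "/home/alice/.ssh/authorized_keys"},
    {"decoder": "syscheck_integrity_changed", "file": "/home/bob/notes.txt"},
    {"decoder": "syscheck_integrity_changed", "file": "/root/.ssh/id_rsa"},
]

if __name__ == "__main__":
    rules = load_child_rules(LOCAL_RULES_XML)
    for ev in SAMPLE_EVENTS:
        print(ev["file"], "->", evaluate(ev, rules))
```

Running it shows the first event escalated to rule 100002 at level 8 while the other two stay on rule 550 at level 7, which is exactly the behaviour the answer's rule is meant to produce. In a real deployment the child rule goes in the manager's local_rules.xml and the manager is restarted so the ruleset is reloaded; `/root/.ssh/` is deliberately left unmatched here to show that the anchored `^/home/` pattern only covers user home directories.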