Can the "System Audit: SSH hardening" rules be modified?

[cyb3rz3us]

For example, I am seeing alerts for "System Audit: SSH Hardening - 4: No Public Key authentication" despite this being enabled, albeit indirectly, in the /etc/ssh/sshd_config file. I say indirectly because the current config appears to look for an explicit setting of PubkeyAuthentication yes and ignores the fact that the default setting is also yes. So, if the setting is commented out, as it is in the standard sshd_config, the alert will still fire despite the desired setting actually being configured.

Also, while there are other settings that exhibit the above behavior, the Port setting is different. It also has the default value of 22 within a commented out statement yet I have not seen this alert fire once in several weeks of operation.

Last, I did find SSH hardening rules in /opt/so/rules/hids/ruleset/sca/sca_unix_audit.yml.disabled but given the extension, I'm not sure if these are actually being used. I also checked in all rule files in /opt/so/rules/hids/ruleset/rules but no SSH hardening rules were found within. All other searches were unsuccessful and I did not find anything about this in the SO, Wazuh, or ossec docs.

Thanks in advance for any feedback.

[dougburks]

One option might be to remove the following line from your ossec.conf:

<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>

[cyb3rz3us]

Thanks @dougburks but because this removes the function in totality, that is a bit overkill because my goal is to keep at least some of the rules albeit with modifications. However, I have found that the rules reside in /var/ossec/etc/shared/ with the key rule file being system_audit_ssh.txt.

However, there is another issue where the <frequency> setting in ossec.conf is not being respected; probably open a new discussion on that if need be.

Thanks.