wazuh · chemamartinez · Aug 22, 2019 · Jan 29, 2019 · Jan 29, 2019 · Jan 29, 2019
diff --git a/rules/0020-syslog_rules.xml b/rules/0020-syslog_rules.xml
@@ -356,6 +356,53 @@
     <description>Monitor ADSL line is up.</description>
   </rule>
 
+  <rule id="5132" level="11">
+    <if_sid>5100</if_sid>
+    <match>module verification failed</match>
+    <description>Unsigned kernel module was loaded</description>
+  </rule>
+
+  <rule id="5133" level="11">
+    <if_sid>5100</if_sid>
+    <match>PKCS#7 signature not signed with a trusted key</match>
+    <description>Signed but untrusted kernel module was loaded</description>
+  </rule>
+
+  <rule id="5134" level="7">
+    <program_name>^rngd</program_name>
+    <match>failure</match>
+    <description>RNGD failure</description>
+  </rule>
+
+  <rule id="5135" level="7">
+   <if_sid>5100</if_sid>
+   <match>Disk failure</match>
+   <description>RAID0/1 disk failure</description>
+  </rule>
+
+  <rule id="5136" level="2">
+   <program_name>^mdadm</program_name>
+   <description>General RAID mdadm event</description>
+  </rule>
+
+  <rule id="5137" level="7">
+   <if_sid>5136</if_sid>
+   <match>FailSpare</match>
+   <description>RAID mdadm spare disk failure</description>
+  </rule>
+
+  <rule id="5138" level="7">
+    <if_sid>5100</if_sid>
+    <match>ata.+: failed command</match>
+    <description>General SATA disk failure</description>
+  </rule>
+
+  <rule id="5139" level="7">
+    <if_sid>5100</if_sid>
+    <match>device not ready</match>
+    <description>General device failure</description>
+  </rule>
+
   <rule id="5200" level="0">
     <match>^hpiod: unable to ParDevice</match>
     <description>Ignoring hpiod for producing useless logs.</description>

diff --git a/rules/0095-sshd_rules.xml b/rules/0095-sshd_rules.xml
@@ -18,7 +18,7 @@
     <match>Bad protocol version identification</match>
     <description>sshd: Possible attack on the ssh server </description>
     <description>(or version gathering).</description>
-    <group>pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
+    <group>recon,pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
   </rule>
 
   <rule id="5702" level="5">

diff --git a/rules/log-entries/kernel b/rules/log-entries/kernel
@@ -1 +1,3 @@
 kernel: tcp_parse_options: Illegal window scaling value 200 >14 received.
+Jan 29 09:24:16 pax kernel: PKCS#7 signature not signed with a trusted key
+Jan  8 18:23:07 worker3 kernel: [  470.247608] p_lkrg: module verification failed: signature and/or required key missing - tainting kernel