fix(wazuh): add LXC rootcheck exclusion to prevent false positives (#10436)

2026-02-03 20:03:25 +01:00 · 2025-12-31 01:50:46 -07:00
parent 8dbc4161c7
commit 72a7777328
1 changed files with 8 additions and 0 deletions
--- a/install/wazuh-install.sh
+++ b/install/wazuh-install.sh
@@ -39,6 +39,14 @@ rm -f wazuh-*.sh
 rm -f ~/wazuh-install.output
 msg_ok "Setup Wazuh"

+# Fix LXC container false positives in rootcheck
+# When running Wazuh in an LXC container, /dev/.lxc/* paths trigger false alerts
+if [ -d /dev/.lxc ]; then
+  msg_info "Adding LXC rootcheck exclusion"
+  sed -i '/<\/rootcheck>/i \    <ignore>/dev/.lxc</ignore>' /var/ossec/etc/ossec.conf
+  msg_ok "Added LXC rootcheck exclusion"
+fi
+
 motd_ssh
 customize
 cleanup_lxc