From 72a7777328695114e8b11174bbe76f7d8aa52c0b Mon Sep 17 00:00:00 2001
From: Brett Lyons
Date: Wed, 31 Dec 2025 01:50:46 -0700
Subject: [PATCH] fix(wazuh): add LXC rootcheck exclusion to prevent false positives (#10436)
---
 install/wazuh-install.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/install/wazuh-install.sh b/install/wazuh-install.sh
index 4d63d7d30..97698b8ea 100644
--- a/install/wazuh-install.sh
+++ b/install/wazuh-install.sh
@@ -39,6 +39,14 @@ rm -f wazuh-*.sh
 rm -f ~/wazuh-install.output
 msg_ok "Setup Wazuh"
 
+# Fix LXC container false positives in rootcheck
+# When running Wazuh in an LXC container, /dev/.lxc/* paths trigger false alerts
+if [ -d /dev/.lxc ]; then
+ msg_info "Adding LXC rootcheck exclusion"
+ sed -i '/<\/rootcheck>/i \ /dev/.lxc' /var/ossec/etc/ossec.conf
+ msg_ok "Added LXC rootcheck exclusion"
+fi
+
 motd_ssh
 customize
 cleanup_lxc
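Review bot: The exclusion added in the `if [ -d /dev/.lxc ]` block silences rootcheck for the whole `/dev/.lxc` directory, and unexpected entries under `/dev` are exactly what that check exists to surface, so the false positive is traded for a permanent blind spot that the comment does not record. I would state the trade-off in the comment, e.g. `# NOTE: rootcheck will no longer alert on anything under /dev/.lxc; cover it with syscheck/FIM if needed`, and keep the ignored path as narrow as the alerts allow. The `sed -i` insert is also unguarded: it fires before every `</rootcheck>` match, adds a duplicate entry on a re-run, and `msg_ok` is printed even when nothing matched; `if [ -d /dev/.lxc ] && ! grep -qF '/dev/.lxc' /var/ossec/etc/ossec.conf; then` would make it idempotent. As rendered on this page the inserted text is a bare path with no enclosing element, which may be an extraction artifact, so it is worth confirming that the committed line writes a valid rootcheck entry and that the manager is restarted afterwards (neither is visible in this hunk).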