wazuh | Unified XDR | Monitoring library

You should actually store it in your inventory as ansible_user either for the all group (for all host), a specific group or a specific host. You can keep a remote_user in your play which will be used in case the ansible_user is not defined for some hosts in your inventory. If you remove it, you local user on the controller will be the default, unless you use the -u flag on the command line.

You can find a good explanation of the difference between ansible_user and remote_user and how the overide works in the documentation on variable precedence

Using a var as you wrote it in your above example can actually work. But since it must be expanded before the play actually starts and any action is taken on any host, the only place you can "store" it is in an extra_var on the command line.

To be a little more practical, here is what I suggest from your above example:

inventories/dev/hosts.yml

First of all, I want to mention that there are two different status for failed installed packages:

• half-configured: The package is unpacked and configuration has been started, but not yet completed for some reason.
• half-installed: The installation of the package has been started, but not completed for some reason.

Source: https://www.man7.org/linux/man-pages/man1/dpkg.1.html

If you want a half-configured package, then the package must be unpackaged and it is the configuration step the one that should fail.

Now, if you follow the guide you shared with us, you may have missed the part where it says that the *.ex files are examples and are not introduced in the package so if you're modifying the file postinst.ex, these changes will no take effect.

You can remove all the *.ex files and create your own postinst file. For example I've used this one:

It wouldn't be correct to raise two alerts for the same event because it could be confusing (duplicated alert may seem like two different security events instead of just one).

The example proposed in Wazuh documentation overwrites ALL FIM events that match the given pattern. That means unifying all possible FIM events into a single, common, high-level alert.

That happens because the example uses the field if_group with value syscheck and that groups all FIM events.

The best solution if you want to keep the meaning of the different FIM alerts (for example, to differentiate an "Integrity checksum changed" from "File deleted" one on your custom, critical path) you need to write custom high-level alerts for each different event and make them children of the original ones using if_sid field instead of if_group.

For example, if you want "Integrity checksum changed" alerts with level 12 for /my/important/path files, you could create the custom alert:

I have done a little research about monitoring files with python and watchdog module came to my screen, using such module we could monitor if a file changes and we can perform actions over it. Take a look at this script that I made to your specific use case:

When you switch into raw mode newlines (\n) no longer move the cursor back to the first column. They only move it down a line. You have to print carriage returns (\r) to reset the column.

You could do that by disabling adding them to the end of every line with sed:

The following outputs the correct information (no duplicates) regardless of file order