2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -20,7 +20,7 @@ All notable changes to this project will be documented in this file.
- Updated Microsoft Entra ID SSO setup steps for the administrator role. ([#8399](https://github.com/wazuh/wazuh-documentation/pull/8399)) ([#8424](https://github.com/wazuh/wazuh-documentation/pull/8424))
- Updated filebeat installation commands. ([#8410](https://github.com/wazuh/wazuh-documentation/pull/8410))
- Updated the *Profiles* section in *Configuring AWS credentials*. ([#8426](https://github.com/wazuh/wazuh-documentation/pull/8426)) ([#8429](https://github.com/wazuh/wazuh-documentation/pull/8429))
- Updated the *Who-data monitoring on Linux* section. ([#8435](https://github.com/wazuh/wazuh-documentation/pull/8435))
- Updated the *Who-data monitoring on Linux* section. ([#8435](https://github.com/wazuh/wazuh-documentation/pull/8435)), ([#8492](https://github.com/wazuh/wazuh-documentation/pull/8492))
- Updated the *Agents* sub-section in *Deployment on Kubernetes*. ([#8475](https://github.com/wazuh/wazuh-documentation/pull/8475))

## [v4.11.2]
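Review bot: the new entry at the end of this hunk separates its two PR links with a comma (`([#8435](...)), ([#8492](...))`), while the other multi-link entries in the same block (the Entra ID and AWS credentials lines) separate their links with a space only; drop the comma so the changelog style stays consistent.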
Expand Up @@ -58,7 +58,7 @@ You need to install the ``audit`` daemon if you don’t have it already installe

# apt-get install auditd

For Audit 3.1.1 and later, install the audispd af_unix plugin and restart the Audit service.
For Audit 3.1.1 and later, install the ``audispd af_unix`` plugin and restart the Audit service.

.. code-block:: console

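Review bot: the new literal ``audispd af_unix`` in the changed sentence reads as one command name, but ``audispd`` is the dispatcher and ``af_unix`` is the plugin it loads; consider writing it as "the ``af_unix`` plugin for ``audispd``" (matching the separate ``audit`` literal in the hunk header) so readers do not try to run it as a single token.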
Expand Down Expand Up @@ -389,14 +389,14 @@ Alert fields
Who-data monitoring alerts generated using the eBPF mode preserve the same structure as the audit mode :ref:`alert fields <audit_mode_alert_fields>`.

Example: Monitoring changes in configuration files
''''''''''''''''''''''''''''''''''''''''''''''''''
..................................................

Monitoring configuration files such as the ``../sshd_config`` file on Linux endpoints can help detect unauthorized changes. This approach ensures the integrity of configuration files are not tempered and provides early detection of suspicious behavior.

Perform the steps below to monitor changes made to the ``/etc/ssh/sshd_config`` configuration file on an Ubuntu endpoint using who-data in eBPF mode.

Configuration
,,,,,,,,,,,,,
'''''''''''''

#. Append the configuration below to the ``/var/ossec/etc/ossec.conf`` configuration file on the Ubuntu endpoint:

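Review bot: two problems in the unchanged context of this hunk are worth fixing while the headings are being touched: "ensures the integrity of configuration files are not tempered" should read "tampered", with the verb agreeing with its subject (for example "ensures configuration files are not tampered with"), and the first sentence names the file as ``../sshd_config`` while the next uses the full ``/etc/ssh/sshd_config``, so the two should match. On the change itself, the example heading moves from ``'`` to ``.`` and the sub-headings from ``,`` to ``'``; confirm this matches the order already used by the earlier ``Alert fields`` heading in the same file, since reStructuredText assigns levels by order of first appearance and Sphinx reports an inconsistent title level as an error.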
Expand All @@ -420,7 +420,7 @@ Configuration
# systemctl restart wazuh-agent

Test the configuration
,,,,,,,,,,,,,,,,,,,,,,
''''''''''''''''''''''

While logged in as the ``root`` user, append a new line of text to the ``/etc/ssh/sshd_config`` file on the Ubuntu endpoint:

Expand All @@ -429,7 +429,7 @@ While logged in as the ``root`` user, append a new line of text to the ``/etc/ss
# echo "eBPF test" >> /etc/ssh/sshd_config

Visualize the alert
,,,,,,,,,,,,,,,,,,,
'''''''''''''''''''

Navigate to **Endpoint security** > **File Integrity Monitoring** > **Events** on the Wazuh dashboard to view the alert generated when the FIM module detects changes in the monitored file.

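Review bot: the test step in this hunk appends the bare string ``eBPF test`` to ``/etc/ssh/sshd_config``, which is not a valid sshd directive and will make ``sshd`` reject the file the next time it is restarted or checked with ``sshd -t``; since the goal is only to trigger a who-data alert, suggest appending a comment line (``# echo "# eBPF test" >> /etc/ssh/sshd_config``) instead, and adding a sentence telling the reader to remove it afterwards.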
3 changes: 2 additions & 1 deletion source/user-manual/reference/ossec-conf/syscheck.rst
Expand Up @@ -940,6 +940,7 @@ The Whodata options will be configured inside this tag.

<!-- Whodata options -->
<whodata>
<provider>audit</provider>
<restart_audit>yes</restart_audit>
<audit_key>auditkey1,auditkey2</audit_key>
<startup_healthcheck>yes</startup_healthcheck>
Expand All @@ -953,7 +954,7 @@ The Whodata options will be configured inside this tag.
Specifies the who-data mode used by the FIM module. If the ``<provider>`` tag is not configured, the FIM module defaults to the ``audit`` mode. If the provider is set to ``ebpf`` but unavailable due to kernel version incompatibility, it also falls back to the ``audit`` mode. This option is only available for Linux endpoints.

+--------------------+---------------------+
| **Default value** | N/A |
| **Default value** | ``audit`` |
+--------------------+---------------------+
| **Allowed values** | ``audit``, ``ebpf`` |
+--------------------+---------------------+
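Review bot: changing the default from ``N/A`` to ``audit`` matches the prose above the table ("defaults to the ``audit`` mode"), but the replaced cell must keep the same padded width as the ``+----+----+`` border rows or Sphinx will reject the grid table; the rendered line here shows no trailing padding, so double-check the source file. Separately, the prose says an unavailable ``ebpf`` provider falls back to ``audit`` but not how an operator can tell which provider is actually active; one sentence pointing to where that is reported would keep a requested ``ebpf`` quietly running as ``audit`` from going unnoticed.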