Current location - Quotes Website - Personality signature - Wazuh use case analysis
Wazuh use case analysis
I. Overview of use cases

Wazuh is usually used to meet compliance requirements (such as PCI DSS or HIPAA) and configuration standards (CIS hardening guide). It is also very popular among IaaS users (such as Amazon AWS, Azure or Google Cloud), and deploying host-based IDS in running instances can be combined with infrastructure event analysis (extracted directly from cloud provider API).

Here are some common use cases:

(1) Log Analysis Based on Signature

(2) file integrity monitoring

(3)rootkit detection

(4) Security policy monitoring

Second, log analysis based on signature.

Automatic log analysis and management accelerates threat detection. In many cases, evidence of attacks can be found in the logs of devices, systems and applications. Wazuh can be used to automatically aggregate and analyze log data.

Wazuh agent running on the monitoring host is usually responsible for reading operating system and application log messages and forwarding these messages to Wazuh server for analysis. When no agent is deployed, the server can also receive data from network devices or applications through syslog.

Wazuh uses a decoder to identify the source application of the log message, and then uses application-specific rules to analyze the data. The following are examples of rules for detecting SSH authentication failure events:

The rule includes a matching field that defines the pattern that the rule will look for. It also has a level field that specifies the priority of generated alerts.

Manager generates an alert whenever an agent or event collected through syslog matches a rule with a level greater than zero.

The following is an example in/var/ossec/logs/alerts/alerts.json:

Once generated by the manager, the alert is sent to the elastic stack component, where it is enriched by storing and indexing geographic location information. Kibana can then be used to search, analyze and visualize data. The warning is displayed in the following interface:

Wazuh provides a default rule set that is updated regularly, providing more than 1600 rules for different applications.

Third, file integrity monitoring.

When operating system and application files are modified, the file integrity monitoring (FIM) component will detect and issue an alarm. This feature is usually used to detect access to or changes to sensitive data. If your server is within the scope of PCI DSS, the requirements of 1 1.5 indicate that you must install a file integrity monitoring solution to pass the audit.

The following is an example of generating a warning when a monitored file changes. Metadata includes MD5 and SHA 1 checksums, file size (before and after changes), file permissions, file owners, content changes and who made these changes. File integrity monitoring

The FIM dashboard provides a drill-down function to view all the details that triggered the alarm, from which a good summary of file changes can be found.

Fourthly, rootkit detection.

Wazuh agent periodically scans the monitoring system to detect the kernel and user-level rootkit. This malware usually replaces or changes existing operating system components to change the behavior of the system. Rootkit can hide other processes, files or network connections, just like itself.

Wazuh uses different detection mechanisms to find system anomalies or known intrusions. This is done periodically by the Rootcheck component:

The following is an example of an alert generated when a hidden process is found. In this example, the affected system is running a Linux kernel-level rootkit (named Diamorph):

Verb (abbreviation of verb) security policy monitoring

SCAP is a standardized compliance inspection solution for enterprise infrastructure. It is a set of specifications maintained by the National Institute of Standards and Technology (NIST), aiming at maintaining the security of enterprise systems.

OpenSCAP is an auditing tool, which makes use of Extensible Configuration Inventory Description Format (XCCDF). XCCDF is a standard method to express the contents of the checklist and define the safety checklist. It is also combined with other specifications (such as CPE, CVE, CCE and OVAL) to create a list that can be represented by scap for scap-verified products.

Wazuh agent uses OpenSCAP internally to verify whether the system meets the CIS hardening standard. The following is an example of a SCAP rule to check whether the SSH daemon is configured to allow empty passwords:

SCAP checks run regularly (once a day by default), and the results are set to the Wazuh server, where they are processed through OpenSCAP decoders and rules. The following are examples of warnings generated when the Linux Audit Policy (auditd) is not configured to monitor user actions:

In addition, Wazuh WUI can also be used to visualize and analyze the scanning results of policy monitoring. For example, the following is a screenshot of the data collected when scanning a CentOS system using a server benchmark and a PCI DSS v3 predefined profile:

Related articles
  • How to check the authenticity of electronic invoices
  • What are the good sentences of WeChat's personality signature? The signature of WeChat is a collection of good sentences.
  • 4 1 year-old Thai princess wears cheap watches and thrifty hits the queen's face. Does elegance have anything to do with price?
  • How should parents' opinions be written in the holiday notice?
  • Touching qq signature on the teacher's resignation.
  • Online name of lovers, preferably in English. There are about six letters. Second adoption. Thank you. With an interpreter.
  • Da Bing's classic inspirational quotations
  • How to solve JAVA public key encryption and private key decryption?
  • Signature verification failed, and the whole process result conversion was abnormal.
  • What does the iron powder label mean?

    • copyright 2024 Quotes Website All rights reserved