As cyber-attacks keep increasing every year, it has become important to be proactive in protecting your organization’s information systems. This is why using File Integrity Monitoring (FIM) software such as Wazuh can be incredibly beneficial to your business as it allows you to overcome potential security problems.
Table of Contents
- What is File Integrity Monitoring?
- What are the benefits of using File Integrity Monitoring software?
- What is Wazuh?
- Wazuh and File Integrity Monitoring
- How to deploy Wazuh
- What is Wazuh Cloud?
- How to connect your nodes to Wazuh with an agent
- Conclusion
What is File Integrity Monitoring (FIM)?
Also known as change monitoring, FIM provides a way to monitor and detect changes in files that may indicate an attacker preparing a cyberattack. With File Integrity Monitoring software, you can get answers to the following questions:
- When did the change occur?
- How did it change?
- Who changed it? Was it an unauthorized change?
- What can be done to restore the original files?
What are the Benefits of using File Integrity Monitoring Software?
- Secure IT Infrastructure: Any File Integrity Monitoring tool will alert you to unauthorized changes to your servers, applications, databases, or cloud environment.
- Rootkit and Malware Detection: With FIM in place, you can detect malicious activity against your infrastructure.
- Remain Compliant: Depending on the industry, some companies must follow compliance standards (PCI-DSS, HIPAA, etc.).
What is Wazuh?
Wazuh is an open-source, enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response, and compliance.
Wazuh and File Integrity Monitoring
For many businesses, File Integrity Monitoring is hard to implement because it usually means deploying a noisy monitoring solution that alerts on every change with no context about those changes. In late 2015, the team behind Wazuh decided to fork the OSSEC project, which had seen little development, in order to build a more reliable and comprehensive File Integrity Monitoring tool.
Today, with over 200 GitHub contributors, Wazuh has evolved rapidly and continues to bring improvements to the solution. Wazuh also published a migration plan for OSSEC users, and you can read about the extra features you gain by moving from OSSEC to Wazuh here:
https://wazuh.com/migrating-from-ossec/
How to Deploy Wazuh
The simplest way to deploy this File Integrity Monitoring software is the All-in-one deployment method, where the Wazuh server and the Elastic Stack reside on the same host.
If you plan to segment the deployment, you can follow the Distributed method, where each component is installed on a separate host, which provides high availability and scalability.
Even better, and probably the best way to deploy Wazuh, there are three Docker containers available with a docker-compose file that makes the deployment process a breeze:
https://github.com/wazuh/wazuh-docker
However, if you have a Kubernetes cluster, you might be interested in the Kubernetes deployment method instead.
As you can see, Wazuh has it all covered with different deployment methods that will fit your infrastructure.
What is Wazuh Cloud?
The deployment methods mentioned above are freely available, but Wazuh also offers Wazuh Cloud, its SaaS solution.
If you don't want to maintain the infrastructure that runs Wazuh, or you want a professional support plan or a team of engineers checking your environment continuously, this is probably the best solution for you.
Wazuh Cloud pricing starts at $500/month. Check the link below for more pricing information: https://wazuh.com/cloud/#pricing
How to Connect your Nodes to Wazuh with an Agent
For this blog post, we opted for the docker-compose instructions. Once the containers are up and running, the Wazuh dashboard becomes accessible at the following URL:
Default credentials: admin/admin
Once you’re logged in, you’ll reach a blank dashboard. This is normal, as all event data is collected by the Wazuh agent, which pushes it to the Wazuh manager. You will need to deploy an agent on each node that you want to monitor. A ‘deploy a new agent’ icon is available on your dashboard, with instructions for Linux, Windows, or macOS nodes:
The next step is to register the agent with a Wazuh server, which can be done in different ways. The documentation for that is available here:
https://documentation.wazuh.com/current/user-manual/registering/index.html
Your dashboard will look like this:
Security Events and Integrity Monitoring
Given how sophisticated cyber threats and attacks have become, the security events and integrity monitoring dashboard helps you visually detect misbehavior and anomalies that could disrupt your nodes.
Essentially, Wazuh scans the entire file system looking for unusual files, permissions, and hidden directories, and checks process IDs (PIDs) for discrepancies between different system calls (getsid, getpgid).
You can also set up the agent to monitor specific paths or files, like a traditional file integrity monitoring solution; read more about it here:
Any findings you encounter can be exported as a report in PDF format.
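To make the four FIM questions from the start of the post (when, how, who, and what to restore from) concrete, here is an added example that is not part of the original post or of Wazuh's own code. It parses a few constructed alert lines laid out like Wazuh FIM entries in alerts.json (the field names follow Wazuh's syscheck alert layout; every value, host name and hash is invented), answers the four questions for each alert, and flags changes that fall outside an assumed change window or were made by a user outside an assumed allow-list. The allow-list and window are assumptions for the example.

```python
import json
from datetime import datetime

# Constructed sample of Wazuh-style FIM alerts, one JSON object per line, laid out
# like entries in the manager's alerts.json. Every value is invented for this example.
SAMPLE_ALERTS = r'''
{"timestamp":"2022-03-01T02:14:07.000+0000","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"001","name":"web-01"},"syscheck":{"path":"/etc/passwd","event":"modified","mode":"whodata","md5_before":"0a1b","md5_after":"2c3d","sha256_before":"4e5f","sha256_after":"6a7b","changed_attributes":["size","md5","sha256"],"audit":{"user":{"name":"root"},"process":{"name":"/usr/bin/vim"}}}}
{"timestamp":"2022-03-01T09:30:12.000+0000","rule":{"id":"554","level":5,"description":"File added to the system."},"agent":{"id":"001","name":"web-01"},"syscheck":{"path":"/usr/bin/.cache","event":"added","mode":"realtime","sha256_after":"8c9d"}}
{"timestamp":"2022-03-01T10:00:00.000+0000","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"002","name":"db-01"},"syscheck":{"path":"/etc/nginx/nginx.conf","event":"modified","mode":"whodata","sha256_before":"aabb","sha256_after":"ccdd","changed_attributes":["mtime","sha256"],"audit":{"user":{"name":"deploy"},"process":{"name":"/usr/bin/ansible"}}}}
'''

# Users allowed to change monitored files, and the UTC hours of the change window.
# Both are assumptions for this example; adapt them to your change-management process.
ALLOWED_CHANGERS = {"deploy"}
CHANGE_WINDOW_UTC = (8, 18)


def parse_alerts(text):
    """Return the alerts that carry a syscheck (FIM) block, skipping blank lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        if "syscheck" in alert:
            alerts.append(alert)
    return alerts


def summarize(alert):
    """Answer the four FIM questions for one alert: when, how, who, and what to restore from."""
    sc = alert["syscheck"]
    audit = sc.get("audit", {})
    return {
        "when": datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "agent": alert["agent"]["name"],
        "path": sc["path"],
        "how": sc["event"],                      # added / modified / deleted
        "changed": sc.get("changed_attributes", []),
        "mode": sc["mode"],                      # user/process data only exists in whodata mode
        "who": audit.get("user", {}).get("name"),
        "process": audit.get("process", {}).get("name"),
        # Hash of the previous version: what a known-good backup must match to restore.
        "restore_hash": sc.get("sha256_before") or sc.get("md5_before"),
    }


def is_unauthorized(summary, allowed_users=ALLOWED_CHANGERS, window=CHANGE_WINDOW_UTC):
    """Flag a change when it is outside the window or the actor is unknown or not allowed.
    An unknown actor (no whodata) is treated as unauthorized rather than ignored."""
    in_window = window[0] <= summary["when"].hour < window[1]
    allowed_actor = summary["who"] in allowed_users
    return not (in_window and allowed_actor)


def triage(text, allowed_users=ALLOWED_CHANGERS, window=CHANGE_WINDOW_UTC):
    """Summarize every FIM alert and mark which ones need an analyst's attention."""
    results = []
    for alert in parse_alerts(text):
        s = summarize(alert)
        s["unauthorized"] = is_unauthorized(s, allowed_users, window)
        results.append(s)
    return results


if __name__ == "__main__":
    for s in triage(SAMPLE_ALERTS):
        flag = "UNAUTHORIZED" if s["unauthorized"] else "expected"
        print(f'{s["when"]:%Y-%m-%d %H:%M} {s["agent"]} {s["how"]:<8} {s["path"]} '
              f'by {s["who"] or "unknown"} ({s["process"] or "n/a"}) -> {flag}')
```

The second alert shows the caveat worth remembering: in realtime or scheduled mode the agent can tell you when and how a file changed, but not who changed it. Only whodata mode (backed by the kernel audit subsystem) fills in the user and process, so the example treats a missing actor as something to investigate rather than as benign.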
Vulnerabilities
When an event is logged, every 5 minutes all events are checked against CVE (Common Vulnerabilities and Exposures) databases for any known vulnerabilities.
The CVE databases that Wazuh pulls from include:
- https://canonical.com
- https://www.redhat.com
- https://www.debian.org
- https://nvd.nist.gov
- https://feed.wazuh.com
This dashboard helps find weak spots in your assets so that you can take action before attackers exploit them. Note that by default, a Wazuh agent can block network connections, stop a running process, delete a malicious file, or even block a Python/Bash/PowerShell script, depending on certain conditions.
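The core of a vulnerability check like the one described above is a join between the package inventory an agent reports and a feed of affected-version ranges. The following is an added example, not Wazuh's own detector or feed format: it matches a constructed Debian-style package inventory against a constructed feed whose CVE ids are placeholders, using a simplified version ordering. The ordering is an assumption; it is not dpkg's or rpm's full comparison algorithm.

```python
import re

# Constructed package inventory, shaped like the software list an agent reports from
# a Debian/Ubuntu host. Package names are real; the versions are invented.
INVENTORY = [
    {"name": "openssl", "version": "1.1.1f-1ubuntu2"},
    {"name": "curl", "version": "7.68.0-1ubuntu2.7"},
    {"name": "bash", "version": "5.0-6ubuntu1.1"},
]

# Constructed vulnerability feed. The CVE ids are placeholders, not real advisories;
# "fixed_in" is the first version of the package that carries the fix.
FEED = [
    {"cve": "CVE-0000-0001", "package": "openssl", "fixed_in": "1.1.1f-1ubuntu3", "severity": "High"},
    {"cve": "CVE-0000-0002", "package": "curl", "fixed_in": "7.68.0-1ubuntu2.5", "severity": "Medium"},
    {"cve": "CVE-0000-0003", "package": "sudo", "fixed_in": "1.9.5", "severity": "Critical"},
]


def version_key(version):
    """Sortable key for a version string: numeric runs compare as integers and letter
    runs as strings, so 1.1.1f < 1.1.1g and ...2.7 > ...2.5. Simplified ordering for
    this example; it does not implement epochs or dpkg's tilde rules."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(t)) if t.isdigit() else (1, t) for t in tokens]


def is_vulnerable(installed, fixed_in):
    """A package is affected when the installed version is older than the fixed one."""
    return version_key(installed) < version_key(fixed_in)


def find_vulnerable(inventory, feed):
    """Join the inventory against the feed by package name and keep affected entries."""
    installed = {pkg["name"]: pkg["version"] for pkg in inventory}
    findings = []
    for entry in feed:
        version = installed.get(entry["package"])
        if version is None:
            continue                      # package not installed: nothing to report
        if is_vulnerable(version, entry["fixed_in"]):
            findings.append({
                "package": entry["package"],
                "installed": version,
                "cve": entry["cve"],
                "fixed_in": entry["fixed_in"],
                "severity": entry["severity"],
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(INVENTORY, FEED):
        print(f'{f["severity"]:<8} {f["cve"]} {f["package"]} {f["installed"]} '
              f'(fixed in {f["fixed_in"]})')
```

Running it reports only openssl: curl is installed at a later build than the fix, and sudo is not installed at all. The version ordering is where real detectors get most of their false positives and negatives, which is why Wazuh pulls the distribution feeds listed above rather than relying on NVD version strings alone.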
Security Configuration Assessment
Security Configuration Assessment (SCA) can assess whether a particular package is needed, whether unnecessary services should be disabled, audit the TCP/IP stack configuration, and much more.
SCA runs a scan on your nodes to discover exposures or misconfigurations that could leave your hosts vulnerable to attack. This is a great feature that helps you follow recommendations and apply them to your infrastructure.
For our clients that need to be HIPAA compliant, this is a great feature that helps us identify flaws, since all events automatically include compliance information. Other supported standards include:
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- NIST Special Publication 800-53 (NIST 800-53)
- Good Practice Guide 13 (GPG13)
- Trust Services Criteria (TSC SOC2)
Here’s an example of one of the recommendations you might find:
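As an added illustration of how such a recommendation is produced (example code written for this post, not Wazuh's SCA engine or one of its shipped policies), the script below evaluates three hypothetical checks against a constructed sshd_config excerpt. Each check is a file, a regular expression, and whether a match means pass or fail, and a failed check carries its remediation text and an illustrative compliance mapping. The rule shape, titles, remediation text and compliance mapping are all assumptions for this example; Wazuh ships its own policies in YAML with a different syntax.

```python
import re

# Constructed sshd_config excerpt, standing in for a file read from a monitored host.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
""",
}

# Hypothetical checks. The compliance mapping is illustrative, showing how a finding
# can carry the standard it relates to, as the SCA events described above do.
CHECKS = [
    {"id": 1, "title": "Ensure SSH root login is disabled",
     "file": "/etc/ssh/sshd_config", "regex": r"^\s*PermitRootLogin\s+no\b",
     "expect_match": True,
     "remediation": "Set 'PermitRootLogin no' in /etc/ssh/sshd_config and restart sshd.",
     "compliance": {"pci_dss": ["2.2.4"], "hipaa": ["164.312.a.1"]}},
    {"id": 2, "title": "Ensure SSH password authentication is disabled",
     "file": "/etc/ssh/sshd_config", "regex": r"^\s*PasswordAuthentication\s+yes\b",
     "expect_match": False,
     "remediation": "Set 'PasswordAuthentication no' and deploy key-based logins first.",
     "compliance": {"pci_dss": ["8.2"], "hipaa": ["164.312.d"]}},
    {"id": 3, "title": "Ensure SSH X11 forwarding is disabled",
     "file": "/etc/ssh/sshd_config", "regex": r"^\s*X11Forwarding\s+no\b",
     "expect_match": True,
     "remediation": "Set 'X11Forwarding no' in /etc/ssh/sshd_config.",
     "compliance": {"pci_dss": ["2.2.4"]}},
]


def evaluate(check, files):
    """Run one check: it passes when the presence of a regex match equals the expectation."""
    content = files.get(check["file"])
    if content is None:
        # Missing file: the check does not apply to this host rather than failing it.
        return {"id": check["id"], "title": check["title"], "result": "not applicable"}
    found = re.search(check["regex"], content, re.MULTILINE) is not None
    passed = found == check["expect_match"]
    result = {"id": check["id"], "title": check["title"],
              "result": "passed" if passed else "failed",
              "compliance": check["compliance"]}
    if not passed:
        result["remediation"] = check["remediation"]
    return result


def run_checks(checks, files):
    """Evaluate every check and return one result per check."""
    return [evaluate(c, files) for c in checks]


def score(results):
    """Percentage of applicable checks that passed, the kind of score a scan summary shows."""
    applicable = [r for r in results if r["result"] != "not applicable"]
    if not applicable:
        return 0.0
    return 100.0 * sum(r["result"] == "passed" for r in applicable) / len(applicable)


if __name__ == "__main__":
    results = run_checks(CHECKS, SAMPLE_FILES)
    for r in results:
        print(f'[{r["result"]}] {r["id"]}: {r["title"]}')
        if "remediation" in r:
            print(f'    remediation: {r["remediation"]}')
    print(f"score: {score(results):.1f}%")
```

Two of the three checks fail against the sample file, so the summary reports a score of 33.3% alongside the remediation for each failed check, which is the information an analyst needs to turn a scan into a change request.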
System Inventory
All agents collect hardware and software information from your servers. This helps you better understand which packages are installed, or even which network ports you might have left open:
Container Security Monitoring
You can integrate Wazuh with your Docker host or Kubernetes cluster thanks to its native integration with the Docker engine. You can also deploy the Wazuh agent as a Kubernetes DaemonSet so that the agent is installed on all your Kubernetes nodes.
Some of the alerts that you can receive when Wazuh is deployed include:
- A Docker image is downloaded or updated
- A container is running in privileged mode
- A new container or Pod is created
- A user runs a command or a shell inside a container
- Vulnerabilities are detected on the Docker host
Monitoring your Cloud Provider
Integration with AWS, Azure, and GCP means Wazuh can work at the API level to record configuration changes such as a new IAM user or security group, or an EC2 instance being stopped. To learn more about this module, see the Wazuh documentation.
Conclusion
If you manage an on-prem or hybrid infrastructure, Wazuh will definitely help you stay ahead of security breaches and identify errors that could leave you exposed to attack. The team behind Wazuh has done a great job of keeping OSSEC up to date with many new features that are valuable to any business looking for a File Integrity Monitoring tool.