Hi Friends! It's nice to meet you all in another blog of our blue team series. Our two previous blogs covered the overview and installation of Wazuh, so now we are ready to explore the capabilities of Wazuh and use it to its fullest.
Blog Index:
Content: Technical
Sub category: Exploring the capabilities of Wazuh — Part 3
Proficiency: Beginner
Target audience: Blue teamers and InfoSec analysts who need exposure to blue team activities
Series: Blue team Series
Reference: Wazuh overview — PART 1 & Wazuh Installation — PART 2
So, what do we have now? We have an idea of what Wazuh is and how to install it in a test environment.
Do we agree on the above statement?
If yes, then what are we waiting for? Let's get our hands dirty and try out what Wazuh can do. So, as usual, come on... let's do what we are good at!!!!
If no, refer to the two writeups listed in the "Reference" section above.
First, let's revisit the capabilities of Wazuh, and then try to understand each capability one by one. Let me list the capabilities of Wazuh.
With no hurry!!! We will explore each capability one by one across our blogs. So let's take the first capability, which is "File Integrity Monitoring" (FIM).
*?* So what is File Integrity Monitoring?
You are right, you guessed it🥳. As the name says, FIM is a security monitoring process in Wazuh that scans system and application files and checks their integrity.
*?* Ok, I got what FIM is. So tell me, how will it be useful to me🤔?
Good question dude🔥. The FIM module is useful wherever you want to monitor sensitive files for integrity. For example, say we have a server configuration file that holds sensitive information. We can use the FIM module to monitor that specific configuration file at its path, and it will alert you whenever the file is changed.
*?* That's great!! I am eager to know how it performs the integrity checks.
To give an overview, the FIM module stores a cryptographic checksum and the attributes (permissions, owner, size, modification time and so on) of each monitored file. On every scan it recomputes them and compares them with what it stored, so any change to the file is detected.
*?* Hey, I have to interrupt with a question. Will the agent frequently send updates to the server about the monitored file?
That's a very interesting question! To answer it: no, it does not frequently sync with the server about the monitored file. The Wazuh agent has a local FIM DB, as shown in the workflow. It updates that DB with the metrics of the files, such as checksum, permissions and other attributes. Only when the current attributes differ from the stored ones does it send an alert to the server about the integrity change of the monitored file.
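To make that mechanism concrete, here is a small Python illustration I am adding to this writeup. It is not Wazuh's code (the real implementation is the wazuh-syscheckd daemon and its FIM DB on the agent); it only shows the same baseline-and-compare idea: record the checksum and attributes of each monitored file, keep them in a local store, and produce an alert only when a fresh scan differs from the store. The file names and contents are constructed for the demo, and the `checks` and `nodiff` parameters are my stand-ins for the check_* attributes and the <nodiff> option we configure later in this blog.

```python
# Added illustration for this writeup (not Wazuh code): a toy FIM loop.
import difflib
import hashlib
import os
import stat
import tempfile

# Attributes a scan records; they correspond roughly to the check_* options
# of the <directories> tag (check_sha256sum, check_size, check_perm, ...).
ATTRIBUTES = ("sha256", "size", "perm", "uid", "gid", "mtime", "inode")


def file_entry(path, report_changes=False):
    """Collect the checksum and attributes of one file: one row of the FIM DB."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    entry = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": st.st_size,
        "perm": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
        "inode": st.st_ino,
    }
    if report_changes:
        # report_changes="yes" makes Wazuh keep a copy of the file (under
        # /var/ossec/queue/diff) so the next change can be shown as a diff;
        # in this toy the copy simply lives inside the entry.
        entry["content"] = data.decode("utf-8", errors="replace")
    return entry


def scan(paths, report_changes=False):
    """One scheduled scan over the monitored paths (files only, as in the POC)."""
    return {p: file_entry(p, report_changes) for p in paths if os.path.isfile(p)}


def compare(db, current, checks=ATTRIBUTES, nodiff=()):
    """Compare the stored baseline (the local FIM DB) with a fresh scan.

    Returns one alert dict per added, modified or deleted file, and an empty
    list when nothing changed, which is why an idle agent sends nothing.
    """
    alerts = []
    for path, now in current.items():
        before = db.get(path)
        if before is None:
            alerts.append({"path": path, "event": "added"})
            continue
        changed = [c for c in checks if before[c] != now[c]]
        if not changed:
            continue
        alert = {"path": path, "event": "modified", "changed_attributes": changed}
        if "content" in before and "content" in now:
            if path in nodiff:
                # the alert still fires, only the content is withheld
                alert["diff"] = "Diff truncated because nodiff option"
            else:
                alert["diff"] = "".join(difflib.unified_diff(
                    before["content"].splitlines(True),
                    now["content"].splitlines(True), "before", "after"))
        alerts.append(alert)
    for path in db:
        if path not in current:
            alerts.append({"path": path, "event": "deleted"})
    return alerts


def demo():
    """Baseline two constructed files, change both, and return what a scan reports."""
    with tempfile.TemporaryDirectory() as d:
        test_file = os.path.join(d, "FIMtestfile.txt")
        creds = os.path.join(d, "credentials.txt")
        for p in (test_file, creds):
            with open(p, "w") as f:
                f.write("initial content\n")
        monitored = [test_file, creds]
        fim_db = scan(monitored, report_changes=True)   # first scan = baseline
        quiet = compare(fim_db, scan(monitored, True))   # nothing changed yet
        with open(test_file, "a") as f:
            f.write("line added by the admin\n")
        with open(creds, "w") as f:
            f.write("password=new\n")
        after = scan(monitored, True)
        return {
            "quiet": quiet,                                                      # []
            "all_checks": compare(fim_db, after, nodiff=(creds,)),               # two alerts
            "perm_only": compare(fim_db, after, checks=("perm", "uid", "gid")),  # [] (content not checked)
        }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts)
```

Run it and you get no alert for the unchanged scan, two "modified" alerts after the edits (the credentials file with its diff withheld), and no alert at all when only permission and ownership checks are enabled. That last case is the point of the check_* attributes: what you do not record, you will not be alerted on.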
I can understand that you will have many doubts about the working and configuration of the FIM module. Let's do it in our style: let's see how to configure the FIM module.
Configuring the FIM module in the Wazuh agent:
1. As a first step, let's log in to our agent machine; we have Ubuntu 20.x LTS as the agent machine.
2. Let's create a test file for Wazuh to monitor using the FIM module, as shown below.
3. Now we have created a test file for Wazuh to monitor using the FIM module, but as of now Wazuh has not been instructed/configured to monitor this FIMtestfile.txt.
4. Let's do the configuration now.
5. In the agent's ossec.conf file (/var/ossec/etc/ossec.conf), inside the <syscheck> block, add a <directories> tag with the path of the file to be monitored.
6. Now here comes the important step. We have made the configuration changes; for them to take effect we need to restart the wazuh-agent service.
Our next step is to check whether the configuration is working. To do that, we make some changes to the existing file and see whether the Wazuh agent triggers an alert in the dashboard.
Let's first confirm the configuration in the dashboard, as shown below:
Wazuh dashboard → Agents → <agent name> → Configuration → Integrity monitoring
Also, don't forget the following setting, as it decides the interval at which the scan is performed. In ossec.conf, change the <frequency> value to your desired value. For testing I have set it to 60; frequency is measured in seconds, so the scan now runs every 60 seconds (the default is 43200 seconds, i.e. 12 hours). Restart the agent after the change. A 60-second interval is fine for a lab, but keep the default (or use real-time monitoring) on production agents, because every scheduled scan re-reads all monitored files.
Now make some changes to FIMtestfile.txt, as shown below.
We will see the "integrity changed" alert in the dashboard under
Wazuh → Agents → <Agent name> → Integrity Monitoring → Events
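Putting the steps together, this is what the <syscheck> block of the agent's ossec.conf looks like for the POC. It is an added example for this writeup, not a copy of Wazuh's default configuration; the path of the test file (/home/wazuh-agentone/Desktop/FIMtestfile.txt) is assumed from the Desktop directory used later in this blog.

```xml
<!-- /var/ossec/etc/ossec.conf on the agent: only the <syscheck> block is shown.
     Added example for this writeup; the test-file path is an assumption. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <!-- scan interval in seconds: 60 for the lab, default 43200 (12 hours) -->
    <frequency>60</frequency>
    <!-- scan right after the agent starts, so a baseline exists before the first edit -->
    <scan_on_start>yes</scan_on_start>
    <!-- a single file can be listed here, not only a directory -->
    <directories>/home/wazuh-agentone/Desktop/FIMtestfile.txt</directories>
  </syscheck>
</ossec_config>
```

After saving, restart the agent with `sudo systemctl restart wazuh-agent` and confirm the settings in the dashboard under Agents → <agent name> → Configuration → Integrity monitoring. On the agent itself, `sudo tail -f /var/ossec/logs/ossec.log` shows the wazuh-syscheckd messages for each scan starting and ending, which is the quickest way to see the 60-second cycle running. One thing to keep in mind: if the manager pushes a centralized agent.conf for the agent's group, its <syscheck> settings are merged with this local file, and the configuration view in the dashboard shows the result of that merge.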
Hooray!!! Please collect the badge below for successfully configuring the basic FIM module settings to identify integrity changes of a test file.
Now we have successfully explored and performed a POC of configuring the FIM module to monitor changes to a file. The capability is not limited to finding integrity changes in a single file; Wazuh is capable of much more.
Advanced Configuration:
The advanced capabilities are as below:
1. We can make the Wazuh FIM module monitor a directory in real time (continuous monitoring) with the realtime option. Note that this feature applies only to directories, not to individual files, as shown below.
2. We can also configure the FIM module to record some metadata and ignore the rest, using the check_* attributes of the <directories> tag. The available metadata are
Here we are configuring the FIM module to record all the attributes (check_all="yes") of the file FIMtestfile.txt.
We can also make the configuration report the exact content changes of files in the directories (report_changes). If you are concerned about leaking the contents of a sensitive file into the alert, we can add an exception with <nodiff> so that the exact content is not exposed. The configuration looks like this:
```xml
<syscheck>
<directories check_all="yes" report_changes="yes">/home/wazuh-agentone/Desktop</directories>
<nodiff>/home/wazuh-agentone/Desktop/credentials.txt</nodiff>
</syscheck>
```
The above example says: check and report all the attributes of the files in the Desktop directory. But we have a credentials.txt file which is sensitive, so I have added an exception with <nodiff> saying: do not include the content diff of credentials.txt in the alert. The alert is still raised when that file changes; only the diff is suppressed. Keep in mind that report_changes makes the agent keep a copy of each monitored file on its own disk (under /var/ossec/queue/diff) in order to compute the diff, so use it on the directories where you really need the content, not on everything.
3. We can also configure the FIM module to fetch the user who made the change (who-data) with the whodata attribute, as shown below. On a Linux agent this relies on the Audit subsystem, so the auditd package must be installed on the agent.
Don't forget to restart the Wazuh agent service for the configuration to take effect.
4. Using a similar configuration, with the <windows_registry> option instead of <directories>, we can make the FIM module identify changes in the registry on Windows agents.
```xml
<syscheck>
<frequency>300</frequency>
<windows_registry report_changes="yes">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>
</syscheck>
```
For more information on registry monitoring on Windows agents using Wazuh, refer to the Wazuh documentation.
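To see how the Linux options from items 1 to 3 fit together, here is one combined <syscheck> block. It is an added example for this writeup, not Wazuh's sample configuration. The paths are the Desktop directory of the wazuh-agentone user used above, plus /etc and /usr/bin,/usr/sbin as assumed examples of a real-time watched tree and a selectively checked one; the selective check_* line is my reading of the attribute semantics, so verify the resulting attribute set in the dashboard's configuration view.

```xml
<!-- Added example for this writeup; /etc and /usr/bin,/usr/sbin are assumed paths. -->
<ossec_config>
  <syscheck>
    <frequency>300</frequency>

    <!-- 1. Real-time (continuous) monitoring. On Linux this uses inotify and it
         works for directories only; a single file listed with realtime="yes"
         will not produce real-time events. -->
    <directories realtime="yes" check_all="yes">/etc</directories>

    <!-- 2. Choose which metadata to record. check_all="yes" turns on every check:
         check_sum (check_md5sum, check_sha1sum, check_sha256sum), check_size,
         check_owner, check_group, check_perm, check_mtime, check_inode
         (plus check_attrs on Windows). Here only the SHA-256 hash, permissions
         and owner are kept for the binaries; check_all="no" switches the rest
         off first (assumption in this example: attributes apply in the order written). -->
    <directories check_all="no" check_sha256sum="yes" check_perm="yes" check_owner="yes">/usr/bin,/usr/sbin</directories>

    <!-- 3. report_changes puts a content diff in the alert (the agent keeps a copy
         of the file under /var/ossec/queue/diff to compute it); nodiff keeps the
         alert but withholds the diff for a sensitive file. whodata adds which
         user and process made the change; on Linux it needs auditd installed,
         and Wazuh loads the audit rules itself. -->
    <directories check_all="yes" report_changes="yes" whodata="yes">/home/wazuh-agentone/Desktop</directories>
    <nodiff>/home/wazuh-agentone/Desktop/credentials.txt</nodiff>
  </syscheck>
</ossec_config>
```

Two practical checks after restarting the agent: `sudo auditctl -l` should now list watch rules for the whodata directory (if it does not, auditd is missing or not running, and Wazuh falls back to ordinary real-time monitoring without the user information), and on a large real-time tree keep an eye on the kernel's fs.inotify.max_user_watches limit, since every watched directory consumes one watch.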
I am very excited to announce that we have successfully explored the FIM module in Wazuh and how to configure it to monitor files, directories and the Windows registry.
Don't forget to claim your badge for successfully completing the writeup on the FIM module in Wazuh.
We will try to unpack the next capability, SCA (Security Configuration Assessment), in our upcoming blog.
Tip of the blog: whatever configuration changes you make, restart the Wazuh agent service and check the configuration in the dashboard under Wazuh → Agents → <Agent name> → Configuration (in the top right).
If you found this blog informative and you successfully configured the FIM module by following this writeup, do follow and hit the clap button as a sign of support.
Follow me on LinkedIn: www.linkedin.com/comm/mynetwork/discovery-see-all?usecase=PEOPLE_FOLLOWS&followMember=jayaraman-m-358425166