Wazuh Custom Rule Configuration for Specific Hosts
Today we will create a custom wazuh rule by piggybacking off a built-in wazuh rule.
The scenario is that we are monitoring a docker host. This hosts runs it’s docker containers as a regular user. We must not see any privilege escalation on this box outside the maintenance window. Other servers in the environment do escalate using sudo, so we don’t want red alerts across the board.
Pre Requisites
- Wazuh Manager already configured and installed
- Wazuh Agent already configured and installed on Docker Host
- Connectivity between the two
Creating the rule on the Wazuh Manager
According to Wazuh custom rule documentation, We want to edit /var/ossec/etc/rules/local_rules.xml
Let’s use nano and take a look at the original filesudo nano /var/ossec/etc/rules/local_rules.xml
Our file should look like this:
GNU nano 2.9.3 /var/ossec/etc/rules/local_rules.xml <!-- Local rules --> <!-- Modify it at your will. --> <!-- Copyright (C) 2015-2019, Wazuh Inc. --> <!-- Example --> <group name="local,syslog,sshd,"> <!-- Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.$ --> <rule id="100001" level="5"> <if_sid>5716</if_sid> <srcip>1.1.1.1</srcip> <description>sshd: authentication failed from IP 1.1.1.1.</desc$ <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</gr$ </rule> </group>
Adding Child Rule
Let’s take a look at the current rule 5402 for privilege escalation.
** Alert 1555331931.323394: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2, 2019 Apr 15 12:38:51 (jupiter) 192.168.122.252->/var/log/auth.log Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed' User: root Apr 15 12:38:51 jupiter sudo: joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu tty: pts/1 pwd: /home/joel command: /usr/bin/docker run -it ubuntu
This is the information we want, but the severity level is only 3. That is fine on most servers, but privilege escalation is more severe on docker containers so we actually want to make it a 12 without affecting other servers.
Add the Child Rule
sudo nano /var/ossec/etc/rules/local_rules.xml
Add this to the bottom of the file. Replace jupiter|saturn
with your hostnames for you docker hosts.
<group name="local,syslog,sshd,"> <rule id="100023" level="12"> <if_sid>5402</if_sid> <hostname>jupiter|saturn</hostname> <description>Privelege Escalation on Docker Host!!!</description> </rule> </group>
Save and exit nano.
Verify Rule is processing properly
Go to your docker host and run a command using sudo. This should generate our typical 5402 alert.
Pull the alert information from the json file using this command
cat /var/ossec/logs/alerts/alerts.json | grep "\"5402\"" | head -n1 | python -m json.tool | grep full_log | cut -d "\"" -f4
You should get output similar to this:
Apr 15 12:38:51 jupiter sudo: joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu
Now copy that output and past it in the log test tool:
/var/ossec/bin/ossec-logtest
If executed properly you should get the following:
**Phase 1: Completed pre-decoding. full event: 'Apr 15 12:38:51 jupiter sudo: joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu' timestamp: 'Apr 15 12:38:51' hostname: 'jupiter' program_name: 'sudo' log: ' joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu' **Phase 2: Completed decoding. decoder: 'sudo' srcuser: 'joel' tty: 'pts/1' pwd: '/home/joel' dstuser: 'root' command: '/usr/bin/docker run -it ubuntu' **Phase 3: Completed filtering (rules). Rule id: '100023' Level: '12' Description: 'Privelege Escalation on Docker Host!!!' **Alert to be generated.
Restart Wazuh Manager
sudo systemctl restart wazuh-manager
Test generating an alert by running a command via sudo
Enjoy your new alert 🙂
** Alert 1555351056.962538: mail - local,syslog,sshd, 2019 Apr 15 17:57:36 (jupiter) 192.168.122.252->/var/log/auth.log Rule: 100023 (level 12) -> 'Privelege Escalation on Docker Host!!!' User: root Apr 15 17:57:35 jupiter sudo: joel : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/nano text tty: pts/0 pwd: /home command: /bin/nano text

Testing on Mercury
I ssh into my lab server mercury and run a sudo command from there. Since it is not jupiter or saturn like we set it in our rule, it did not generate a wazuh custom rule
** Alert 1555354943.969236: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2, 2019 Apr 15 19:02:23 (mercury) 192.168.122.86->/var/log/auth.log Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed' User: root Apr 15 15:02:21 mercury sudo: joel : TTY=pts/0 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/apt install glances tty: pts/0 pwd: /home/joel command: /usr/bin/apt install glances
