Wazuh Custom Rule Configuration for Specific Hosts

Today we will create a custom Wazuh rule by piggybacking off a built-in Wazuh rule.

The scenario is that we are monitoring a Docker host. This host runs its Docker containers as a regular user, so we must not see any privilege escalation on this box outside the maintenance window. Other servers in the environment do escalate using sudo as part of normal operation, so we don't want red alerts across the board.

Prerequisites

  • Wazuh Manager already configured and installed
  • Wazuh Agent already configured and installed on the Docker host
  • Connectivity between the two

Creating the rule on the Wazuh Manager

According to the Wazuh custom rule documentation, we want to edit /var/ossec/etc/rules/local_rules.xml. This file is meant for site-specific rules and is preserved across Wazuh upgrades, unlike the bundled rule files under /var/ossec/ruleset/rules, which get overwritten.

Let's open the original file in nano and take a look:
sudo nano /var/ossec/etc/rules/local_rules.xml

Our file should look like this:

<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2019, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

</group>

Adding a Child Rule

Let's take a look at the built-in rule 5402, which fires on a successful sudo to root. Here is an alert it generated on the Docker host jupiter:

** Alert 1555331931.323394: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,
2019 Apr 15 12:38:51 (jupiter) 192.168.122.252->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: root
Apr 15 12:38:51 jupiter sudo:     joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu
tty: pts/1
pwd: /home/joel
command: /usr/bin/docker run -it ubuntu

This is the information we want, but the severity level is only 3. That is fine on most servers, but on the Docker host, where the containers are supposed to run as a regular user, a sudo to root is far more suspicious, so we want to raise it to 12 for those hosts without affecting other servers. Level 12 is also the default email_alert_level in ossec.conf, so alerts from the new rule will additionally be flagged for mail.

Add the Child Rule

sudo nano /var/ossec/etc/rules/local_rules.xml

Add this to the bottom of the file. Replace jupiter|saturn with the hostnames of your Docker hosts. The <hostname> value is matched as an OSSEC-style regex against the hostname pre-decoded from the syslog header of the event, and | separates alternatives. The match is not anchored, so jupiter would also match a host named jupiter2; use ^jupiter$|^saturn$ if that matters in your environment.

<group name="local,syslog,sudo,">

  <rule id="100023" level="12">
    <if_sid>5402</if_sid>
    <hostname>jupiter|saturn</hostname>
    <description>Privilege Escalation on Docker Host!!!</description>
  </rule>

</group>

Save and exit nano.
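The rule above raises the level for the two hosts but does not implement the maintenance window from the scenario. Below is an added example, not part of the original post, that does both. It assumes a window of Sundays between 1 am and 3 am on the manager's clock and an unused rule id 100024; neither comes from the post. It also anchors the hostnames and restates the compliance groups that 5402 carries, because a child rule does not inherit its parent's groups (the 100023 alert later in this post shows only the wrapper's groups).

```xml
<!-- Added example, not from the original post. Assumptions (not from the
     post): the maintenance window is Sundays 1 am - 3 am, evaluated on the
     manager's clock when the event is analysed; rule id 100024 is unused. -->
<group name="local,syslog,sudo,">

  <!-- Child of the built-in rule 5402 ("Successful sudo to ROOT executed").
       <hostname> is an OSSEC-style regex, so each name is anchored with ^ and $
       to avoid matching jupiter2 or saturn-test. The compliance tags that
       5402 carries are restated here because child rules do not inherit
       their parent's groups. -->
  <rule id="100023" level="12">
    <if_sid>5402</if_sid>
    <hostname>^jupiter$|^saturn$</hostname>
    <description>Privilege escalation on Docker host!!!</description>
    <group>privilege_escalation,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,</group>
  </rule>

  <!-- Child of 100023: when the same event is analysed inside the maintenance
       window, this more specific rule wins and the level drops back to 3, so
       the sudo is still logged but is no longer a red (or mailed) alert. -->
  <rule id="100024" level="3">
    <if_sid>100023</if_sid>
    <weekday>sunday</weekday>
    <time>1 am - 3 am</time>
    <description>sudo to root on Docker host inside the maintenance window</description>
    <group>privilege_escalation,pci_dss_10.2.5,pci_dss_10.2.2,</group>
  </rule>

</group>
```

Use this block in place of the 100023 block above, feed the same sudo log line to the log test tool, then restart the manager. Phase 3 should report rule 100024 at level 3 if you run the test inside the window and 100023 at level 12 otherwise; note that <time> and <weekday> are checked against the clock at analysis time, not against the timestamp inside the log line.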

Verify the rule is processed properly

Go to your Docker host and run a command using sudo. Because the manager has not been restarted yet, this still generates our typical 5402 alert, which gives us a real log line to test the new rule against.


Back on the manager, pull the full log line of the newest 5402 alert out of the JSON alert file with this command:

grep "\"5402\"" /var/ossec/logs/alerts/alerts.json | tail -n1 | python3 -m json.tool | grep full_log | cut -d "\"" -f4

You should get output similar to this:

Apr 15 12:38:51 jupiter sudo:     joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu

Now copy that output and paste it into the log test tool, which reads events from standard input (start it, paste the line, press Enter). The tool loads the rule files from disk when it starts, so it already sees the new rule even though the manager has not been restarted. On Wazuh 4.x the tool is called /var/ossec/bin/wazuh-logtest instead.

/var/ossec/bin/ossec-logtest

If everything is in place you should get the following; note that in phase 3 rule 100023 has replaced 5402:

**Phase 1: Completed pre-decoding.
       full event: 'Apr 15 12:38:51 jupiter sudo:     joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu'
       timestamp: 'Apr 15 12:38:51'
       hostname: 'jupiter'
       program_name: 'sudo'
       log: '    joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu'

**Phase 2: Completed decoding.
       decoder: 'sudo'
       srcuser: 'joel'
       tty: 'pts/1'
       pwd: '/home/joel'
       dstuser: 'root'
       command: '/usr/bin/docker run -it ubuntu'

**Phase 3: Completed filtering (rules).
       Rule id: '100023'
       Level: '12'
       Description: 'Privilege Escalation on Docker Host!!!'
**Alert to be generated.

Restart Wazuh Manager

The running manager only loads the rule files at start-up, so restart it for the new rule to apply to live events:

sudo systemctl restart wazuh-manager

Then generate an alert by running a command via sudo on the Docker host.

Enjoy your new alert 🙂

** Alert 1555351056.962538: mail  - local,syslog,sudo,
2019 Apr 15 17:57:36 (jupiter) 192.168.122.252->/var/log/auth.log
Rule: 100023 (level 12) -> 'Privilege Escalation on Docker Host!!!'
User: root
Apr 15 17:57:35 jupiter sudo:     joel : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/nano text
tty: pts/0
pwd: /home
command: /bin/nano text

Testing on Mercury

I SSH into my lab server mercury and run a sudo command from there. Since it is not jupiter or saturn, as we set in our rule, it did not generate a Wazuh custom rule alert:

** Alert 1555354943.969236: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,
2019 Apr 15 19:02:23 (mercury) 192.168.122.86->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: root
Apr 15 15:02:21 mercury sudo:     joel : TTY=pts/0 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/apt install glances
tty: pts/0
pwd: /home/joel
command: /usr/bin/apt install glances
