Wazuh - Configuring Custom Rules Based on Hostname
-
We want to edit
/var/ossec/etc/rules/local_rules.xml
sudo nano /var/ossec/etc/rules/local_rules.xml
Our file should look like this:
GNU nano 2.9.3 /var/ossec/etc/rules/local_rules.xml <!-- Local rules --> <!-- Modify it at your will. --> <!-- Copyright (C) 2015-2019, Wazuh Inc. --> <!-- Example --> <group name="local,syslog,sshd,"> <!-- Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.$ --> <rule id="100001" level="5"> <if_sid>5716</if_sid> <srcip>1.1.1.1</srcip> <description>sshd: authentication failed from IP 1.1.1.1.</desc$ <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</gr$ </rule> </group>
Letβs take a look at the current rule 5402 for privilege escalation so we can create the child rule
** Alert 1555331931.323394: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2, 2019 Apr 15 12:38:51 (jupiter) 192.168.122.252->/var/log/auth.log Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed' User: root Apr 15 12:38:51 jupiter sudo: joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu tty: pts/1 pwd: /home/joel command: /usr/bin/docker run -it ubuntu
This is the information we want, but the severity level is only 3. That is fine on most servers, but privilege escalation is more severe on docker containers so we actually want to make it a 12 without affecting other servers.
Add the Child Rule
sudo nano /var/ossec/etc/rules/local_rules.xml
Add this to the bottom of the file. Replace
jupiter|saturn
with your hostnames for you docker hosts.<group name="local,syslog,sshd,"> <rule id="100023" level="12"> <if_sid>5402</if_sid> <hostname>jupiter|saturn</hostname> <description>Privelege Escalation on Docker Host!!!</description> </rule> </group>
Save and exit nano.
Verify Rule is processing properly
Go to your docker host and run a command using sudo. This should generate our typical 5402 alert.
Now pull the alert from the .json file
cat /var/ossec/logs/alerts/alerts.json | grep "\"5402\"" | head -n1 | python -m json.tool | grep full_log | cut -d "\"" -f4
You should get output similar to this:
Apr 15 12:38:51 jupiter sudo: joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu
Now copy that output and past it in the log test tool:
/var/ossec/bin/ossec-logtest
If executed properly, you should get this:
**Phase 1: Completed pre-decoding. full event: 'Apr 15 12:38:51 jupiter sudo: joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu' timestamp: 'Apr 15 12:38:51' hostname: 'jupiter' program_name: 'sudo' log: ' joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu' **Phase 2: Completed decoding. decoder: 'sudo' srcuser: 'joel' tty: 'pts/1' pwd: '/home/joel' dstuser: 'root' command: '/usr/bin/docker run -it ubuntu' **Phase 3: Completed filtering (rules). Rule id: '100023' Level: '12' Description: 'Privelege Escalation on Docker Host!!!' **Alert to be generated.
Restart Wazuh Manager
sudo systemctl restart wazuh-manager
Test generating the alert using any sudo command
Enjoy your new alert** Alert 1555351056.962538: mail - local,syslog,sshd, 2019 Apr 15 17:57:36 (jupiter) 192.168.122.252->/var/log/auth.log Rule: 100023 (level 12) -> 'Privelege Escalation on Docker Host!!!' User: root Apr 15 17:57:35 jupiter sudo: joel : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/nano text tty: pts/0 pwd: /home command: /bin/nano text
Testing on server not listed on the rule
I ssh into my lab server mercury and run a sudo command from there. Since it is not jupiter or saturn like we set it in our rule, it did not generate a wazuh custom rule
** Alert 1555354943.969236: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2, 2019 Apr 15 19:02:23 (mercury) 192.168.122.86->/var/log/auth.log Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed' User: root Apr 15 15:02:21 mercury sudo: joel : TTY=pts/0 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/apt install glances tty: pts/0 pwd: /home/joel command: /usr/bin/apt install glances
-
It sucks that you cant create rules by group yet. The devs have submitted a feature request for it on my behalf so hopefully soon