Hi Facu Basgall,
Tamper protection mechanisms are a fundamental defense against unauthorized alterations to a system by restricting access and thwarting tampering attempts by unauthorized users or malicious actors. However, the effectiveness of these mechanisms can be compromised when administrative permissions or elevated privileges are granted.
Once administrative permissions are granted, users gain the authority to modify system files, configurations and settings, even going so far as to disable or bypass tamper protection measures. Consequently, relying solely on tamper protection in such situations may be inappropriate, as users with administrative privileges can potentially manipulate or override these protection measures.
One of the strongest approaches to safeguarding your endpoints is to configure user permissions appropriately, ensuring that only essential users possess sudo/root/administrator privileges. In addition, steps should be taken to prevent privilege escalation. Unauthorized access to root or administrative privileges by a user with limited permissions can circumvent restrictions and facilitate the uninstallation of protected software.
To ensure proper configuration of the endpoints, I recommend following the configuration guidelines and best practices provided by the CIS benchmarks for each specific operating system. These benchmarks provide comprehensive recommendations tailored to different endpoint operating systems. Using Wazuh's Security Configuration Assessment can be helpful in effectively implementing these guidelines, thereby significantly reducing the vulnerability surface of both your endpoints and management system, ultimately improving overall security.
Thanks for using Wazuh.
Regards.
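The reply above recommends keeping sudo/root/administrator rights to the essential few and watching for ways a low-privilege user could escalate. The following script is an added example for this thread (it is not part of Wazuh, the SCA module, or the original post) showing the kind of quick check an administrator can run on a Linux endpoint before trusting tamper protection: it lists every UID 0 account, every member of the sudo and wheel groups, every active sudoers rule with NOPASSWD, and any sudoers rule that lets a user drive the agent service. It assumes the agent's service name is wazuh-agent, and by default it runs over constructed sample data embedded in the script; with --live it reads the real /etc/passwd, /etc/group and /etc/sudoers plus /etc/sudoers.d/* (root required).

```shell
#!/bin/sh
# privilege_audit.sh: who holds root-equivalent power on this Linux endpoint?
# Added example for this thread, not Wazuh's own tooling.
# Checks: (1) UID 0 accounts other than root, (2) members of the sudo/wheel
# groups, (3) active sudoers rules containing NOPASSWD, (4) active sudoers
# rules that mention the agent service (assumed name: wazuh-agent), since a
# user allowed to restart or stop the agent can defeat tamper protection.
#
# No arguments: run over the constructed sample data below.
# --live      : read /etc/passwd, /etc/group, /etc/sudoers and /etc/sudoers.d/*.

# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash'

SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,bob
wheel:x:10:carol
users:x:100:alice,bob,carol'

SAMPLE_SUDOERS='Defaults env_reset
# bob ALL=(ALL) NOPASSWD: ALL   (commented out: must be ignored)
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
bob ALL=(ALL) NOPASSWD: ALL
carol ALL=(root) /usr/bin/systemctl restart wazuh-agent'

# uid0_accounts PASSWD_CONTENT -> comma-separated account names whose UID is 0
uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 { a = a (a == "" ? "" : ",") $1 } END { print a }'
}

# admin_group_members GROUP_CONTENT -> comma-separated, de-duplicated, sorted
# members of the sudo and wheel groups
admin_group_members() {
  printf '%s\n' "$1" \
    | awk -F: '($1 == "sudo" || $1 == "wheel") && $4 != "" {
                 n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' \
    | sort -u \
    | awk '{ a = a (NR > 1 ? "," : "") $0 } END { print a }'
}

# nopasswd_rules SUDOERS_CONTENT -> active (uncommented) rules containing NOPASSWD
nopasswd_rules() {
  printf '%s\n' "$1" | awk '!/^[ \t]*#/ && /NOPASSWD/'
}

# agent_control_rules SUDOERS_CONTENT -> active rules that mention the agent service
agent_control_rules() {
  printf '%s\n' "$1" | awk '!/^[ \t]*#/ && /wazuh-agent/'
}

# count_lines -> number of non-empty lines on stdin (prints 0 for empty input)
count_lines() {
  awk 'NF { n++ } END { print n + 0 }'
}

# report PASSWD_CONTENT GROUP_CONTENT SUDOERS_CONTENT -> human-readable summary
report() {
  echo "UID 0 accounts (expect only root): $(uid0_accounts "$1")"
  echo "sudo/wheel members               : $(admin_group_members "$2")"
  echo "active NOPASSWD sudoers rules    :"
  nopasswd_rules "$3" | sed 's/^/  /'
  echo "sudoers rules touching wazuh-agent:"
  agent_control_rules "$3" | sed 's/^/  /'
}

if [ "${1:-}" = "--live" ]; then
  report "$(cat /etc/passwd)" "$(cat /etc/group)" \
         "$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)"
else
  report "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$SAMPLE_SUDOERS"
fi
```

On the sample data the report flags a second UID 0 account (toor), three sudo/wheel members, bob's NOPASSWD rule, and carol's narrowly scoped rule that still lets her restart the agent. That last case is the one worth remembering: a sudoers entry can look restrictive and still hand over exactly the command that neutralises the protection you rely on. The script does not parse sudoers aliases or includes, so treat it as a first pass, not a substitute for the CIS checks the SCA module runs.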