Hi Raúl,
I would follow these steps:
It is a simple table with at least 3 columns:
- Control name/requirement
- Wazuh component that can help with the requirement (file integrity monitoring, SCA, file monitoring, etc)
- How it helps: A brief description of how Wazuh can help with that requirement
This document will help you to understand the number of requirements that can be met with Wazuh. Also, you can add a column to indicate that it is something that Wazuh doesn't do yet but that should be "easy" to achieve. For these cases, you can open an issue with us to request the feature.
2. Tagging the ruleset
You can create a dashboard for your regulatory compliance but you will need information about the requirement in the alert. Let me show you an example of PCI DSS:
Requirement
10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
Wazuh rule for SSH access
<rule id="5715" level="3">
  <if_sid>5700</if_sid>
  <match>^Accepted|authenticated.$</match>
  <description>sshd: authentication success.</description>
  <mitre>
    <id>T1078</id>
    <id>T1021</id>
  </mitre>
  <group>authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
As you can see, we add the requirement number to the rule's group. In this way, you can create visualizations filtering by "rule.group: pci_dss_10.2.5".
Tagging each rule is a hard task. You can start with the most important ones (usually authentication rules). Also, sometimes you can find tables that include the equivalence between compliance regulations (PCI DSS 10.2.5 -> gdpr_IV_32.2). If one exists for your regulation, it will help a lot.
Feel free to send us a pull request.
3. Integrating it with the Wazuh product
This part is not needed, since you can create your own dashboards, but if you want to fully integrate the regulation with Wazuh you can add the proper endpoints to the Wazuh API, create new tabs in the Wazuh interface, etc.
I hope this provides you with a starting point to meet your requirements.
Regards.
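As an added example (not part of the message above and not Wazuh project code), the script below shows how the two ideas in the reply fit together: it parses rules written in the Wazuh ruleset format, reads the comma-separated `<group>` element, and builds the step-1 mapping table (requirement number -> rule ids) from the compliance tags, while also listing rules that carry no compliance tag yet. The ruleset it parses is constructed for this example: rule 5715 is the one quoted in the message, rule 999001 is a made-up custom rule with no tags, and the tag prefixes are the ones visible in that rule.

```python
"""Summarise which compliance requirements a Wazuh-style ruleset covers.

Added example; not from the original post or the Wazuh project. Rule 5715
below is the rule quoted in the message; rule 999001 is constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Tag prefixes seen in the rule quoted in the message (assumption: these are
# the regulations you care about; extend the tuple for your own regulation).
COMPLIANCE_PREFIXES = ("pci_dss_", "gdpr_", "hipaa_", "nist_800_53_", "tsc_", "gpg13_")

# Constructed sample ruleset in the Wazuh rule file layout.
SAMPLE_RULES = """
<group name="syslog,sshd,">
  <rule id="5715" level="3">
    <if_sid>5700</if_sid>
    <match>^Accepted|authenticated.$</match>
    <description>sshd: authentication success.</description>
    <mitre>
      <id>T1078</id>
      <id>T1021</id>
    </mitre>
    <group>authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
  <rule id="999001" level="5">
    <if_sid>5700</if_sid>
    <match>constructed pattern</match>
    <description>Constructed custom rule that is not tagged yet.</description>
    <group>custom,</group>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Return every <rule> element. The text is wrapped in a synthetic root so
    rule files that contain several top-level <group> elements still parse."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return list(root.iter("rule"))


def rule_groups(rule):
    """Split the rule's <group> element; Wazuh rules often end it with a comma."""
    node = rule.find("group")
    if node is None or not node.text:
        return []
    return [g.strip() for g in node.text.split(",") if g.strip()]


def is_compliance_tag(tag):
    return tag.startswith(COMPLIANCE_PREFIXES)


def coverage(xml_text):
    """Map each compliance tag (e.g. pci_dss_10.2.5) to the rule ids carrying it."""
    found = defaultdict(set)
    for rule in parse_rules(xml_text):
        for tag in rule_groups(rule):
            if is_compliance_tag(tag):
                found[tag].add(rule.get("id"))
    return {tag: sorted(ids) for tag, ids in found.items()}


def rules_for(xml_text, tag):
    """Rule ids you would see when filtering a dashboard by rule.group: <tag>."""
    return coverage(xml_text).get(tag, [])


def untagged_rules(xml_text):
    """Rules with no compliance tag at all: the backlog for the tagging work."""
    return [
        rule.get("id")
        for rule in parse_rules(xml_text)
        if not any(is_compliance_tag(t) for t in rule_groups(rule))
    ]


def requirements_by_regulation(xml_text, prefix):
    """Rows of the step-1 mapping table for one regulation: requirement -> rule ids."""
    return {
        tag[len(prefix):]: ids
        for tag, ids in coverage(xml_text).items()
        if tag.startswith(prefix)
    }


if __name__ == "__main__":
    for req, ids in sorted(requirements_by_regulation(SAMPLE_RULES, "pci_dss_").items()):
        print(f"PCI DSS {req}: rules {', '.join(ids)}")
    print("rules without compliance tags:", untagged_rules(SAMPLE_RULES))
```

To run it against a real deployment, read the rule files from the ruleset directory and pass their contents to `requirements_by_regulation`; the resulting table is the "how it helps" column of step 1, and `untagged_rules` gives the list of rules still to tag for step 2.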