Vaultwarden (Bitwarden) Integration


ppilti...@gmail.com

Aug 7, 2023, 5:07:19 PM
to Wazuh mailing list
Vaultwarden is a free, self-hosted Bitwarden server.  Let's make it so Wazuh can read logins to this system.

First, you need a working Vaultwarden with a log file that the Wazuh agent can find.  Whatever Docker config you use, make sure it includes the following (formatted here for docker-compose.yml):
  environment:
    - LOG_FILE=/data/vaultwarden.log
    - LOG_LEVEL=info
  volumes:
    - /opt/vaultwarden:/data/

Please be aware: native Vaultwarden does not support SSL, and the built-in implementation leaves a lot to be desired.  A reverse proxy, such as Nginx Proxy Manager, is a fairly quick and easy solution.

1. Once Vaultwarden is up and running, install the Wazuh agent if you haven't already.
2. On this agent, open /var/ossec/etc/ossec.conf and add this to the list of localfile statements:
  <localfile>
    <log_format>syslog</log_format>
    <location>/opt/vaultwarden/vaultwarden.log</location>
  </localfile>
3. Run systemctl restart wazuh-agent
4. On your Wazuh server, add this to /var/ossec/etc/decoders/local_decoder.xml:
<decoder name="vaultwarden-login-failure">
  <prematch>vaultwarden::api::identity][ERROR</prematch>
  <regex>IP: (\S+)\. Username: (\S+).$</regex>
  <order>srcip,user</order>
</decoder>
<decoder name="vaultwarden-login-success">
  <prematch>vaultwarden::api::identity][INFO</prematch>
  <regex>User (\S+) logged in successfully. IP: (\S+)</regex>
  <order>user,srcip</order>
</decoder>

5. On your Wazuh server, add this to /var/ossec/etc/rules/local_rules.xml:
<group name="vaultwarden_rules,">
  <rule id="100200" level="10">
    <if_sid>1002</if_sid>
    <match>vaultwarden::api::identity][ERROR</match>
    <description>Vaultwarden login failure</description>
  </rule>
  <rule id="100201" level="3">
    <decoded_as>vaultwarden-login-success</decoded_as>
    <match>vaultwarden::api::identity][INFO</match>
    <description>Vaultwarden login success</description>
  </rule>
</group>

6. If you want to test, do some successful and unsuccessful logins to your Vaultwarden web interface.  Look in /opt/vaultwarden/vaultwarden.log for those entries.
7. On the Wazuh manager, run /var/ossec/bin/wazuh-logtest
8. One at a time, paste in log entries. You should see rules 100200 and 100201 triggering.
9. Run systemctl restart wazuh-manager
10. Generate some more logins, both successful and not.
11. Now in Wazuh you should see rule.id 100200 and 100201 events.

If you use active response, you can now write a response that bans source IPs that fail login to your Vaultwarden server.  This works for web as well as app connections.
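
As an added example (not part of the original post and not Wazuh's own code), here is a small Python harness that mirrors the two decoders and two rules above against constructed log lines, so you can check which srcip/user fields should come out of each line before pasting it into wazuh-logtest. Python's re module is a stand-in for Wazuh's OS_Regex, whose syntax differs (for instance `\.` and `.` are swapped), so it approximates the field extraction rather than reproducing the engine; the sample lines are constructed to match the decoder patterns, not real captured logs.

```python
import re
from collections import Counter

# Constructed sample lines shaped like the entries the page's decoders expect (not real captured logs).
SAMPLE_LOG = """\
[2023-08-07 17:00:01.123][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.5. Username: alice@example.com.
[2023-08-07 17:00:04.456][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.5. Username: alice@example.com.
[2023-08-07 17:00:09.789][vaultwarden::api::identity][INFO] User bob@example.com logged in successfully. IP: 198.51.100.7
[2023-08-07 17:00:12.000][vaultwarden::api::notifications][INFO] Websocket connection started
"""

# (decoder name, prematch substring, Python regex, field order) mirroring local_decoder.xml.
DECODERS = [
    ("vaultwarden-login-failure", "vaultwarden::api::identity][ERROR",
     re.compile(r"IP: (\S+)\. Username: (\S+)\.$"), ("srcip", "user")),
    ("vaultwarden-login-success", "vaultwarden::api::identity][INFO",
     re.compile(r"User (\S+) logged in successfully\. IP: (\S+)"), ("user", "srcip")),
]

# decoder name -> (rule id, level) as declared in local_rules.xml.
RULES = {"vaultwarden-login-failure": (100200, 10),
         "vaultwarden-login-success": (100201, 3)}


def decode(line):
    """Return (decoder name, extracted fields) for a line, or None if no decoder prematches."""
    for name, prematch, rx, order in DECODERS:
        if prematch in line:
            m = rx.search(line)
            if m:
                return name, dict(zip(order, m.groups()))
    return None


def evaluate(log_text):
    """Decode every line and attach the rule id and level that would fire for it."""
    events = []
    for line in log_text.splitlines():
        decoded = decode(line)
        if decoded:
            name, fields = decoded
            rule_id, level = RULES[name]
            events.append({"rule_id": rule_id, "level": level, **fields})
    return events


def failures_by_srcip(events, threshold=2):
    """Count rule 100200 hits per source IP; IPs at or over the threshold are what a ban response would key on."""
    counts = Counter(e["srcip"] for e in events if e["rule_id"] == 100200)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Lines that do not carry the identity prematch (such as the websocket notification) decode to nothing, which is what you want to see before wiring an active response to rule 100200.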

Mauricio Ruben Santillan

Aug 7, 2023, 5:38:36 PM
to Wazuh mailing list
Thanks for this ppilti...@gmail.com!

I'm sure our community will find it very useful.

You can also propose enhancements in Wazuh's GitHub repository here: https://github.com/wazuh/wazuh/issues/

Let me know any doubt.