Secure Storage of Checksum in Wazuh


alankrit shrivastava

May 23, 2024, 12:55:32 AM
to Wazuh | Mailing List

Hello All,

I was in an audit where the auditor is asking how the checksum values calculated for files are stored within Wazuh. Is there any article referring to secure storage of checksums from the Wazuh support team?

Regards

Alankrit Shrivastava

Emiliano Zorn

May 23, 2024, 3:52:15 AM
to Wazuh | Mailing List
Hello Alankrit!

I'm not sure if I'm understanding your question correctly, but as far as Wazuh Cloud is concerned, for secure data storage, we leverage AWS’s robust infrastructure which includes encrypted storage solutions like Amazon S3 and EBS (Elastic Block Store), ensuring data at rest is protected against unauthorized access.

Regarding data transfer, we employ secure transfer protocols such as HTTPS and TLSv1.2 for encrypting data in transit.

In Wazuh, checksum values for files are primarily handled through its File Integrity Monitoring (FIM) feature.

    Checksum Calculation: Wazuh uses cryptographic hash functions (like SHA-1, SHA-256, or MD5, depending on configuration) to compute the checksum of monitored files. These functions generate a unique string of characters (the hash) that serves as the file’s fingerprint.

    Database Storage: Once calculated, these checksums (hashes) are stored in a database on the Wazuh manager. This database maintains the integrity status of the monitored files across all the agents.

    Real-Time Monitoring: Wazuh can be configured to monitor files in real-time. When a monitored file is modified, Wazuh recalculates its checksum and compares it with the previously stored value. If there is a difference, an alert is generated indicating a change.

    Alerts and Reports: Any change detected, such as a modification in the checksum, triggers alerts. These alerts can include detailed information about the file and its new and previous checksum values.

Hope this information helps.

Regards.

alankrit shrivastava

May 23, 2024, 6:33:55 AM
to Wazuh | Mailing List
Hello Emiliano,

My Wazuh deployment is on-premises, not cloud-based. During the audit, the auditor inquired about how Wazuh calculates and stores FIM (File Integrity Monitoring) checksums securely.

alankrit shrivastava

May 23, 2024, 6:38:46 AM
to Wazuh | Mailing List
My Wazuh deployment is on-premises, not cloud-based. The auditor's query is not specifically about the algorithm used for generating the checksums; we have already demonstrated that as SHA256. Their query is around how these checksums, once calculated, are safely and securely stored in our file systems.

alankrit shrivastava

May 24, 2024, 8:59:28 AM
to Wazuh | Mailing List
Hello Emiliano,

Any updates on this query?

Regards,
Alankrit

Emiliano Zorn

May 27, 2024, 12:16:54 AM
to Wazuh | Mailing List
Hello Alankrit!

For on-premises deployments, Wazuh stores the checksums and other metadata associated with the files it monitors in a database.

This database is typically located within the Wazuh manager's file system in the /var/ossec/queue/db directory. For Wazuh agents, the equivalent data is stored locally on the agent in a similar path.

Database Security
  • Encryption: While Wazuh does not encrypt the database by default, it supports running on encrypted file systems to enhance security. This means you can use file system-level encryption, such as dm-crypt with LUKS (Linux Unified Key Setup) or any other applicable disk encryption technology, to secure the storage location.

  • Access Controls: Wazuh ensures that the databases storing checksums and other FIM details are accessible only to the Wazuh processes and not exposed to unauthorized users. Proper file permissions are set to restrict access.

Don't forget that the checksum database is updated every time a monitored file is modified and that the Wazuh manager is itself an agent, so if you want an additional layer of security, you can also monitor the database activity with FIM.

Regards.
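As an added example (not from this thread and not Wazuh's own tooling), a POSIX shell script that checks the three controls described in the reply above for the on-prem FIM database directory: restrictive permissions, an encrypted backing file system, and a syscheck entry that watches the directory. It assumes the /var/ossec/queue/db path from the reply, GNU stat plus util-linux findmnt/lsblk on the manager, and a wazuh:wazuh owner, which is an assumption to adjust for your deployment.

```shell
#!/bin/sh
# Added example, not part of the thread or of Wazuh itself: audit the controls
# named in the reply for the on-prem FIM database directory (assumed to be
# /var/ossec/queue/db). Expected owner/group default to wazuh:wazuh, which is
# an assumption; pass the real values as arguments if they differ.

# Return 0 when $1 exists, is owned by $2:$3 and grants "other" no access.
check_db_dir_perms() {
    dir="$1"; owner="${2:-wazuh}"; group="${3:-wazuh}"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    status=0
    # GNU stat: %U owner name, %G group name, %a octal mode
    [ "$(stat -c '%U' "$dir")" = "$owner" ] || { echo "$dir: owner is not $owner" >&2; status=1; }
    [ "$(stat -c '%G' "$dir")" = "$group" ] || { echo "$dir: group is not $group" >&2; status=1; }
    case "$(stat -c '%a' "$dir")" in
        *0) ;;                                   # last octal digit is "other"
        *)  echo "$dir: mode grants access to other users" >&2; status=1 ;;
    esac
    return $status
}

# Return 0 when the file system holding $1 sits on a dm-crypt (LUKS) device,
# 1 when it does not, 2 when util-linux tools are unavailable to tell.
check_db_dir_encrypted() {
    command -v findmnt >/dev/null 2>&1 && command -v lsblk >/dev/null 2>&1 || return 2
    src=$(findmnt -n -o SOURCE --target "$1") || return 1
    src=${src%%\[*}                              # drop btrfs/bind "[subvol]" suffix
    # -s lists the device and every device beneath it; any "crypt" layer counts
    lsblk -n -s -o TYPE "$src" 2>/dev/null | grep -qx crypt
}

# Print the ossec.conf fragment that puts the directory under FIM, as the
# reply suggests; check_all and realtime are standard <directories> attributes.
fim_config_fragment() {
    cat <<EOF
<syscheck>
  <directories check_all="yes" realtime="yes">$1</directories>
</syscheck>
EOF
}

# Run all three checks against one directory and report.
audit_fim_db() {
    check_db_dir_perms "$1" && echo "$1: permissions OK"
    check_db_dir_encrypted "$1"
    case $? in 0) echo "$1: on dm-crypt";; 1) echo "$1: NOT on dm-crypt";; *) echo "$1: cannot tell";; esac
    fim_config_fragment "$1"
}

[ $# -gt 0 ] && audit_fim_db "$1"
```

Run as `sh audit.sh /var/ossec/queue/db` on the manager; the permission check looks only at the classic mode bits, so a directory with a permissive POSIX ACL still needs a `getfacl` review.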