Configuring a CDB List and Rules for SSH Key Fingerprint Monitoring


Romano Ricci

Jul 31, 2025, 2:03:34 AM
to Wazuh | Mailing List
Dear Wazuh Support Team,  

I need assistance with the following task:  

Goal
1. Create a CDB list containing SSH key fingerprints and their associated owners (e.g., in the format `TOuSrXFPThfBz8ntfNTFWUEbX/T3fX2kX/RmXz/CEy4:admin1`).  
2. Configure Wazuh rules to:  
   - Check SSH key fingerprints in logs against the CDB list upon authentication.  
   - If a match is found, log the key owner (e.g., *"SSH login: user admin1"*).  
   - If no match is found, trigger a higher-severity alert (e.g., "Unauthorized SSH key usage detected!").  

Questions  
- Is this functionality achievable in Wazuh?
- What configurations (rules, CDB setup, decoders) are required?  

full_log
Jul 30 21:18:37 wazuh-siem sshd[12567]: Accepted publickey for admin1 from 10.20.30.50 port 42888 ssh2: ED25519 SHA256:TOuSrXFPThfBz8ntfNTFWUEbX/T3fX2kX/RmXz/CEy4

Thank you in advance for your guidance! 

Stuti Gupta

Jul 31, 2025, 3:12:51 AM
to Wazuh | Mailing List

Hi Romano

Please allow me some time; I'm looking into this.

Thank you

Stuti Gupta

Jul 31, 2025, 5:37:29 AM
to Wazuh | Mailing List

Hi Romano

After testing the log, I found that the SSH key fingerprint was not being decoded. To fix this, we first need to update the decoder to extract the key properly. Start by copying the default decoder file into the custom decoder directory using:

cp /var/ossec/ruleset/decoders/0310-ssh_decoders.xml /var/ossec/etc/decoders/0310-ssh_decoders.xml

Next, edit the Wazuh configuration file (/var/ossec/etc/ossec.conf) to exclude the default decoder so the custom one takes precedence. Add the following inside the <ruleset> block:

<ruleset>
<decoder_exclude>ruleset/decoders/0310-ssh_decoders.xml</decoder_exclude>
</ruleset>

Now open the copied decoder file:

vi /var/ossec/etc/decoders/0310-ssh_decoders.xml

Replace the existing sshd-success decoder block with the following:

<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port (\S+) ssh2: ED25519 SHA256:(\.+)</regex>
  <order>user, srcip, srcport, key</order>
  <fts>name, user, location</fts>
</decoder>

Restart the wazuh-manager:

systemctl restart wazuh-manager

Refer to https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html

Once decoding is handled, create a CDB list file:

touch /var/ossec/etc/lists/linux-servers

Set the appropriate permissions:

chown wazuh:wazuh /var/ossec/etc/lists/linux-servers
chmod 660 /var/ossec/etc/lists/linux-servers

Then register the list in the Wazuh configuration file under the <ruleset> block:

<ruleset>
<list>etc/lists/linux-servers</list>
</ruleset>

Add entries to the list file in this format:

"TOuSrXFPThfBz8ntfNTFWUEbX/T3fX2kX/RmXz/CEy4":
"JIKOKWM_OOefmemckefled/./JKMMLMJHGHJJKL09":

Each key fingerprint should be on a separate line. You can modify the list as per your requirement.
Refer to https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html

Now add the following rule block to /var/ossec/etc/rules/local_rules.xml:

<group name="sshd">
  <rule id="100003" level="3">
    <if_sid>5715</if_sid>
    <list field="key" lookup="match_key">etc/lists/linux-servers</list>
    <description>Valid key $(dstuser):$(key)</description>
  </rule>

  <rule id="100004" level="8">
    <if_sid>5715</if_sid>
    <list field="key" lookup="not_match_key">etc/lists/linux-servers</list>
    <description>Invalid key</description>
  </rule>
</group>

Rule 100003 will trigger if the key from the log matches an entry in the CDB list. Rule 100004 will trigger if there's no match.
Refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

Screenshot_6.png
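The reply above creates the CDB list by hand. The thread's own request (a `fingerprint:owner` entry per administrator, with the public keys living in `~/.ssh/authorized_keys`) can be served from the key file itself: `ssh-keygen -l` prints one SHA256 fingerprint per key together with the key's comment. The script below is an added example written for this thread, not Wazuh's own tooling or anything posted here. It assumes each authorized key carries the administrator's name as its comment, that `ssh-keygen -l -E sha256 -f <file>` prints lines of the form `<bits> SHA256:<base64> <comment> (<TYPE>)`, and that a key without a comment is printed with the literal text `no comment`. The sample output embedded in it is constructed.

```python
"""Build a Wazuh CDB list (fingerprint:owner) from `ssh-keygen -l` output.

Added example for this thread; not Wazuh's own tooling. Assumptions: each key
in authorized_keys carries the administrator's name as its comment field, and
`ssh-keygen -l -E sha256 -f <file>` prints one line per key in the form
    <bits> SHA256:<base64> <comment> (<TYPE>)
with the literal comment "no comment" when a key has none.
"""
import re
import subprocess
from pathlib import Path

# One `ssh-keygen -l` line: bits, unpadded base64 SHA256 fingerprint, comment, type.
FINGERPRINT_LINE = re.compile(
    r"^(?P<bits>\d+)\s+SHA256:(?P<fp>[A-Za-z0-9+/]+)\s+"
    r"(?P<comment>.*?)\s+\((?P<type>[A-Z0-9-]+)\)\s*$"
)

# Constructed sample output, reusing the fingerprints quoted in this thread.
SAMPLE_KEYGEN_OUTPUT = """\
256 SHA256:QAy+QC8qA+FiugXuCv4x+DEoR9g3PQpdxWyABk6VGU t.ashford (ED25519)
256 SHA256:TOuSrXFPThfBz8ntfNTFWUEbX/T3fX2kX/RmXz/CEy4 b.crowley (ED25519)
3072 SHA256:constructedRSAfingerprint0000000000000000000 no comment (RSA)
"""


def parse_keygen_output(text):
    """Return [(fingerprint, owner)], with owner None for keys lacking a comment.

    Anonymous keys are kept rather than dropped so the caller can refuse to
    ship a list in which some authorized key would never be attributed.
    """
    entries = []
    for line in text.splitlines():
        m = FINGERPRINT_LINE.match(line)
        if not m:
            continue  # blank lines or ssh-keygen error text
        comment = m.group("comment")
        owner = None if comment in ("", "no comment") else comment
        entries.append((m.group("fp"), owner))
    return entries


def to_cdb_lines(entries):
    """Render `fingerprint:owner` lines in Wazuh CDB list format.

    The fingerprint (key) contains no ':' because the decoder strips the
    'SHA256:' prefix, so it needs no quoting. Owners containing ':' or
    newlines, duplicate fingerprints, and anonymous keys are rejected instead
    of producing a list that would silently misattribute a login.
    """
    lines, seen = [], set()
    for fp, owner in entries:
        if owner is None:
            raise ValueError(f"key {fp} has no comment; cannot assign an owner")
        if ":" in owner or "\n" in owner:
            raise ValueError(f"unsupported character in owner name {owner!r}")
        if fp in seen:
            raise ValueError(f"duplicate fingerprint {fp}")
        seen.add(fp)
        lines.append(f"{fp}:{owner}")
    return lines


def build_cdb_list(authorized_keys_path, out_path):
    """Run ssh-keygen on a real authorized_keys file and write the list."""
    result = subprocess.run(
        ["ssh-keygen", "-l", "-E", "sha256", "-f", str(authorized_keys_path)],
        capture_output=True, text=True, check=True,
    )
    lines = to_cdb_lines(parse_keygen_output(result.stdout))
    Path(out_path).write_text("\n".join(lines) + "\n")
    return lines


if __name__ == "__main__":
    # Offline demonstration on the constructed sample (the third key has no
    # comment, so it is reported separately rather than written to a list).
    parsed = parse_keygen_output(SAMPLE_KEYGEN_OUTPUT)
    print("\n".join(to_cdb_lines([e for e in parsed if e[1] is not None])))
    print("unattributed:", [fp for fp, owner in parsed if owner is None])
```

Write the result to `/var/ossec/etc/lists/<name>` and apply the ownership and mode shown in the reply above, then restart the manager; regenerate whenever `authorized_keys` changes, since a key added to the file but not to the list will fire the "no match" rule on its first login.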

Romano Ricci

Jul 31, 2025, 9:03:07 AM
to Wazuh | Mailing List
Thank you, that’s almost what I was looking for, but I will make a few adjustments. Perhaps I didn’t explain the task clearly enough.

Current Setup:
- The system has a single OS user `admin`
- Multiple administrators access this account.
- Each administrator uses their unique SSH key (public keys are in ~/.ssh/authorized_keys).  
- Logs show authentication as user `admin` without revealing which specific administrator connected.  

Example Log Entries:
Jul 31 10:16:38 wazuh-siem sshd[139481]: Accepted publickey for admin from 10.20.30.50 port 40304 ssh2: ED25519 SHA256:QAy+QC8qA+FiugXuCv4x+DEoR9g3PQpdxWyABk6VGU  
Jul 31 10:20:13 wazuh-siem sshd[139448]: Accepted publickey for admin from 10.20.30.50 port 39862 ssh2: ED25519 SHA256:TOuSrXFPThfBz8ntfNTFWUEbX/T3fX2kX/RmXz/CEy4  

Required Solution:
1. Create a CDB list (key:value format) where:  
   - Key = SSH key fingerprint (SHA256)  
   - Value = Actual administrator name  

Example:  
QAy+QC8qA+FiugXuCv4x+DEoR9g3PQpdxWyABk6VGU:admin1  
TOuSrXFPThfBz8ntfNTFWUEbX/T3fX2kX/RmXz/CEy4:admin2  


2. Configure Wazuh rules to:  
   - Match SSH key fingerprints against the CDB list during authentication  
   - For recognized keys: Enhance alerts with admin info (e.g., "SSH login: system user admin, actual administrator admin2")  
   - For unrecognized keys: Generate high-severity alerts (e.g., "Unauthorized SSH key detected")  

Is this implementation feasible in Wazuh?  

Thank you for your assistance! 

Thursday, July 31, 2025 at 11:37:29 UTC+2, Stuti Gupta:

Stuti Gupta

Aug 1, 2025, 4:05:46 AM
to Wazuh | Mailing List
If I'm not wrong, your use case is:
During SSH logins, the system checks whether the public key used (specifically its fingerprint) matches the one that is expected for the username being logged in. For example, if a fingerprint belongs to the user admin, but someone logs in using that key under the username admin1, then Wazuh should recognize this mismatch and generate a high alert, and in case the key is not present, it should generate a higher-severity alert.

Then you can create the rule like:
<group name="sshd">
  <rule id="100003" level="3">
    <if_sid>5715</if_sid>
    <list field="key" lookup="match_key_value" check_value="admin1">etc/lists/user</list>
    <description>SSH login: system user $(dstuser), actual administrator admin1</description>
  </rule>

  <rule id="100004" level="3">
    <if_sid>5715</if_sid>
    <list field="key" lookup="match_key_value" check_value="admin2">etc/lists/user</list>
    <description>SSH login: system user $(dstuser), actual administrator admin2</description>
  </rule>

  <rule id="100005" level="8">
    <if_sid>5715</if_sid>
    <list field="key" lookup="not_match_key">etc/lists/user</list>
    <description>Unauthorized SSH key detected</description>
  </rule>
</group>


If the key belongs to admin1, then the default rule 5715 will trigger. However, if admin accesses with the key that belongs to admin1, then rule 100003 will trigger.

The cdb list is:
QAy+QC8qA+FiugXuCv4x+DEoR9g3PQpdxWyABk6VGU:admin1
TOuSrXFPThfBz8ntfNTFWUEbX/T3fX2kX/RmXz/CEy4:admin2


When you test the following log 

Jul 31 10:16:38 wazuh-siem sshd[139481]: Accepted publickey for admin from 10.20.30.50 port 40304 ssh2: ED25519 SHA256:QAy+QC8qA+FiugXuCv4x+DEoR9g3PQpdxWyABk6VGU

The rule 100003 will trigger:
Screenshot_10.png
 
When the key is not present in the cdb list, the rule 100005 will trigger, as you can see in the image:
Screenshot_11.png

To know more about the usage of cdb list in rules, please refer to  https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html

Romano Ricci

Aug 1, 2025, 6:54:13 AM
to Wazuh | Mailing List

Let me rephrase this differently to clarify the use case.

When an administrator connects via SSH to a server using their unique key, the host logs show an entry like this:

Jul 31 10:16:38 wazuh-siem sshd[139481]: Accepted publickey for admin from 10.20.30.50 port 40304 ssh2: ED25519 SHA256:QAy+QC8qA+FiugXuCv4x+DEoR9g3PQpdxWyABk6VGU

rule.description: "sshd: authentication success"

However, this log entry doesn’t reveal which specific administrator logged in. Currently, we manually copy the key fingerprint and search for it in a shared database that lists all administrator keys to identify the owner. The database follows this format:

QAy+QC8qA+FiugXuCv4x+DEoR9g3PQpdxWyABk6VGU:t.ashford
TOuSrXFPThfBz8ntfNTFWUEbX/T3fX2kX/RmXz/CEy4:b.crowley

(There are over 100 such entries.)

Desired Solution in Wazuh:

When an administrator logs into the server, Wazuh should:

Match the SSH key fingerprint from the log against the CDB database.

Display the administrator’s name (the value field from CDB) in the alert.

Example Alert Output:

rule.description: "sshd: authentication success – key owner: t.ashford"

If another admin logs in, it should show their name (e.g., "key owner: b.crowley").

If an administrator connects and their key fingerprint is not found in the CDB list, the system should:

Trigger a higher severity alert (e.g., level 12)

Generate a warning message: "Unauthorized SSH key detected: Fingerprint SHA256 not found in approved keys database"

Is it possible to extract the value field from a CDB list and insert it into the alert description in Wazuh?

Implementation Example:
For a CDB entry:
QAy+QC8qA+FiugXuCv4x+DEoR9g3PQpdxWyABk6VGU:t.ashford

Desired alert output:
"sshd: authentication success - key owner: t.ashford"
Friday, August 1, 2025 at 10:05:46 UTC+2, Stuti Gupta:

Stuti Gupta

Aug 4, 2025, 2:34:56 AM
to Wazuh | Mailing List

Please correct me if I’m wrong — your logs contain the key 'admin' instead of the actual username. You’d like the rule description to display the correct username by looking it up in a CDB list using the corresponding key.

For example, if your CDB list contains an entry like:
QAy+QC8qA+FiugXuCv4x+DEoR9g3PQpdxWyABk6VGU:user1
And the logs contain the different key but show the username as 'admin', you want the description to display 'user1' instead, and you currently have over 100 such entries.

Unfortunately, Wazuh’s rules engine doesn’t support extracting the value from a matched key-value pair in a CDB list and dynamically inserting it into the alert message. The description can only include fields already extracted from the log ($(dstuser), $(srcip), etc.), not values from a CDB lookup.

The common workaround is to write one rule per administrator, hardcoding the expected value into both the <list> match and the <description>, as suggested previously. For example:

<group name="sshd">
  <rule id="100003" level="3">
    <if_sid>5715</if_sid>
    <list field="key" lookup="match_key_value" check_value="t.ashford">etc/lists/user</list>
    <description>sshd: authentication success – key owner: t.ashford</description>
  </rule>

  <rule id="100004" level="3">
    <if_sid>5715</if_sid>
    <list field="key" lookup="match_key_value" check_value="b.crowley">etc/lists/user</list>
    <description>sshd: authentication success – key owner: b.crowley</description>
  </rule>
</group>

Each rule matches a specific key fingerprint that maps to a known admin, and the admin's name is hardcoded into the alert text. You’d have to do this for all 100+ users.
To catch unknown keys (ones not present in the list), you can add the following rule:

<!-- Add inside the same <group name="sshd"> block in local_rules.xml -->
  <rule id="100005" level="8">
    <if_sid>5715</if_sid>
    <list field="key" lookup="not_match_key">etc/lists/user</list>
    <description>Unauthorized SSH key detected</description>
  </rule>

Please refer to  https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html
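Since the rules engine cannot interpolate the CDB value, the workaround above means one hardcoded rule per administrator, which for 100+ entries is worth generating rather than typing. The script below is an added example written for this thread, not Wazuh's own tooling or anything posted here: it reads a `fingerprint:owner` list, emits one `match_key_value` rule per distinct owner (an administrator with several keys needs only one rule, because the lookup compares the list's value, not the key), appends the `not_match_key` catch-all at the level 12 requested earlier, and parses its own output back as XML to prove it is well-formed. It assumes the list is registered as `etc/lists/user`, the custom decoder stores the fingerprint in a field named `key`, rule 5715 is the stock "sshd: authentication success" rule, and rule IDs from `RULE_ID_START` upward are free in `local_rules.xml`; the embedded sample list is constructed from the thread's two entries.

```python
"""Generate per-administrator Wazuh rules from a fingerprint:owner CDB list.

Added example for this thread; not Wazuh's own tooling. Assumptions: the list
is registered as etc/lists/user, the custom sshd-success decoder stores the
fingerprint in a field named `key`, parent rule 5715 is the stock
"sshd: authentication success" rule, and rule IDs from RULE_ID_START upward
are unused in local_rules.xml.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

RULE_ID_START = 100100   # assumption: a free ID range in local_rules.xml
PARENT_RULE = 5715       # sshd: authentication success (default ruleset)
LIST_PATH = "etc/lists/user"

# Constructed sample, the same two entries used in the thread.
SAMPLE_CDB = """\
QAy+QC8qA+FiugXuCv4x+DEoR9g3PQpdxWyABk6VGU:t.ashford
TOuSrXFPThfBz8ntfNTFWUEbX/T3fX2kX/RmXz/CEy4:b.crowley
"""


def parse_cdb(text):
    """Parse key:value lines into {fingerprint: owner}.

    Handles the CDB convention of quoting a key that itself contains ':'.
    Duplicate keys are rejected because a CDB lookup can only return one value.
    """
    owners = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):
            end = line.index('"', 1)
            key, rest = line[1:end], line[end + 1:]
            if not rest.startswith(":"):
                raise ValueError(f"malformed CDB line: {raw!r}")
            value = rest[1:]
        else:
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed CDB line: {raw!r}")
        if key in owners:
            raise ValueError(f"duplicate fingerprint {key}")
        owners[key] = value
    return owners


def owner_rule(rule_id, owner, level=3):
    """One rule per owner: match_key_value fires when the fingerprint's value
    in the list equals this owner, so an admin with several keys needs only one
    rule. Owner names are XML-escaped (list content must not break the markup)."""
    return (
        f'  <rule id="{rule_id}" level="{level}">\n'
        f"    <if_sid>{PARENT_RULE}</if_sid>\n"
        f'    <list field="key" lookup="match_key_value" '
        f"check_value={quoteattr(owner)}>{LIST_PATH}</list>\n"
        f"    <description>sshd: authentication success - system user "
        f"$(dstuser), key owner: {escape(owner)}</description>\n"
        "  </rule>\n"
    )


def unknown_key_rule(rule_id, level=12):
    """Catch-all for fingerprints absent from the list (level 12 as requested)."""
    return (
        f'  <rule id="{rule_id}" level="{level}">\n'
        f"    <if_sid>{PARENT_RULE}</if_sid>\n"
        f'    <list field="key" lookup="not_match_key">{LIST_PATH}</list>\n'
        "    <description>Unauthorized SSH key detected: fingerprint SHA256 "
        "not found in approved keys database</description>\n"
        "  </rule>\n"
    )


def generate_rules(cdb_text, start_id=RULE_ID_START):
    """Return a complete <group> block ready to paste into local_rules.xml."""
    owners = sorted(set(parse_cdb(cdb_text).values()))
    rules = [owner_rule(start_id + i, o) for i, o in enumerate(owners)]
    rules.append(unknown_key_rule(start_id + len(owners)))
    return '<group name="sshd">\n' + "".join(rules) + "</group>\n"


def summarize(xml_text):
    """Parse the output back (proving it is well-formed XML) and return
    (id, level, lookup, check_value) for each rule, in order."""
    root = ET.fromstring(xml_text)
    out = []
    for rule in root.findall("rule"):
        lst = rule.find("list")
        out.append((int(rule.get("id")), int(rule.get("level")),
                    lst.get("lookup"), lst.get("check_value")))
    return out


if __name__ == "__main__":
    print(generate_rules(SAMPLE_CDB), end="")
```

Rerun the generator whenever the list changes and replace the whole generated group in `local_rules.xml`, keeping IDs stable by always starting from the same `RULE_ID_START`; because owners are sorted, a new administrator shifts the IDs of later rules, so treat the generated block as a unit rather than editing individual rules by hand.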