Wazuh, the Watchdog adopted by WOOP

Haithem Souala
Published in Woop Technology
Jul 26, 2021


To protect against attacks, traditional firewalls are no longer sufficient. Intrusion detection systems like Wazuh are able to spot attack attempts that firewalls are unable to detect.

WOOP x Wazuh, The Story:

Before we jump into the world of computer security, allow me to introduce you to Woop.
Woop is a French startup based in Lille, in the north of France. Woop offers a SaaS platform for orchestrating deliveries, boosting the customer experience and operational efficiency of retail leaders such as Auchan, Leroy Merlin, Carter-cash, Électro dépôt and many more. We support our customers across all product shipping methods: from warehouse, from store, drive or pick-up point.

Within Woop, we take great care to ensure the security of our services and the confidentiality of our customers’ data. As attack methods evolve, new forms of attack will continue to appear, so we need the ability to respond to attacks we have not anticipated.

In addition to pentests performed by companies specialized in IT security, our objective was to find an open source, extensible and above all self-hosted security monitoring solution. Our constraints were keeping costs under control, the frequency of version upgrades, consolidated management of agents, and control of the traffic between agents and the “wazuh-manager”.

“Security is our responsibility, it is everyone’s responsibility” François WATTIAUX — CTO, WOOP.

There aren’t many solutions that do all of that; in fact we found only one, Wazuh, an open source, enterprise-ready security platform. It is a fork of the well-known OSSEC software, which the community felt was no longer active or maintained enough. The goal of this community fork is to keep the technology alive and improve its ability to detect threats by adding and improving features.

Security events dashboard

Wazuh has several modules that can help you with various aspects of infrastructure safety monitoring, for example:

  • Config assessment (CIS benchmarks)
  • Vulnerability detection (CVE)
  • File Integrity Monitoring (FIM)
  • Legal compliance (RGPD, NIST, ...)
  • Cloud security monitoring (Google Cloud, AWS, ...)
  • Container security monitoring

Excellent, but how do you deploy it?

Wazuh offers us two ways to deploy the solution:

All-in-one: All Wazuh components are deployed on the same host. This type of deployment is suitable for testing and small work environments.

Distributed: Each component is deployed in a separate host as a single-node or multi-node cluster. This type of deployment enables high availability and product scalability and is convenient for large work environments.

Wazuh also offers Wazuh Cloud, where all components are hosted on their PCI-DSS certified SaaS solution and maintained by their team.

In the case of Woop, we opted for the first option, the All-in-one deployment, since we have about 40 hosts to supervise. This type of deployment meets our needs well, at least for the moment. Installation is fairly straightforward: the Wazuh team has set up a script and documentation for quick and efficient deployment.

Because we use GCP to host our platform and our technical stack, we decided to deploy Wazuh on a Google Cloud instance, an e2-highcpu-4 machine with 4 vCPUs and 4 GB of memory, and as of the writing of this post we haven’t had any performance issues.

  • Run the following command:

    curl -so ~/all-in-one-installation.sh https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/unattended-installation/all-in-one-installation.sh && bash ~/all-in-one-installation.sh

  • Once deployed, you can access the Kibana dashboard via this URL:

    URL: https://<wazuh_server_ip>
    user: admin
    password: admin

Don’t forget to change the default password, the procedure is well described in the Wazuh documentation.

Please note that the password may need to be updated in both /etc/filebeat/filebeat.yml and /etc/kibana/kibana.yml. After modifying the configuration files, remember to restart the corresponding services.

After installation and authentication, it’s time to deploy an agent and explore the different modules: from the Agents page, click Deploy new agent and follow the instructions.

Agent configuration

The Wazuh Agent monitors and sends relevant security events to the Wazuh Manager. It uses a set of rules to detect attacks, intrusions, configuration issues, malware, system anomalies, or security policy violations. OSSEC provides a ready-to-use set of rules that Wazuh updates regularly.

The agents are controlled from the wazuh-manager, which simplifies configuration and maintenance: with the “Centralized Configuration” concept, you can configure the agents remotely using the file /var/ossec/etc/shared/default/agent.conf.

Wazuh modules

After activating all the rules in our environment, we found that our Wazuh agents produced between 10,000 and 20,000 alerts per day. These alerts are mostly related to web attacks, authentication failures, configuration issues (detected through enhanced security checks), file integrity variations, vulnerable software, or anomalies detected in GCP audit logs.

To facilitate the work of security analysts, metadata, such as level or groups, enrich Wazuh’s alerts so that they can be filtered by priority or by type. Additionally, Wazuh’s Kibana plugin offers pre-configured dashboards that contain useful information on agent statuses, configurations, and alerts. Take a look at the screenshot below:

Events dashboard
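The filtering by level and group described above can also be done outside Kibana, straight from the manager’s alerts.json. The following script is an added example, not code from the post or from the Wazuh project: the alert lines are constructed to match the shape of Wazuh’s alerts.json (one JSON object per line with rule.level, rule.groups, rule.description and agent.name as in the real format), while the rule ids and the severity bands are illustrative assumptions of this example.

```python
"""Triage of Wazuh alerts by level and rule group (added example).

The alert lines below are constructed in the shape of alerts.json; the
rule ids and the severity bands are assumptions, not Wazuh's own.
"""
import json
from collections import Counter

# Constructed sample alert lines (not real Woop data).
SAMPLE_ALERTS = """\
{"timestamp":"2021-07-20T10:01:02.000+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"web-01"}}
{"timestamp":"2021-07-20T10:01:40.000+0000","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"]},"agent":{"name":"web-01"}}
{"timestamp":"2021-07-20T10:05:00.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed.","groups":["ossec","syscheck"]},"agent":{"name":"api-02"}}
{"timestamp":"2021-07-20T10:06:00.000+0000","rule":{"level":3,"id":"31101","description":"Web server 400 error code.","groups":["web","accesslog","attack"]},"agent":{"name":"web-01"}}
{"timestamp":"2021-07-20T10:07:00.000+0000","rule":{"level":12,"id":"31151","description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"]},"agent":{"name":"web-01"}}
"""

# Our own severity bands over Wazuh's 0-15 rule levels (assumption, not Wazuh's).
SEVERITY_BANDS = ((12, "high"), (7, "medium"), (0, "low"))


def parse_alerts(text):
    """Parse alerts.json-style text (one JSON object per line), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def severity(level):
    """Map a rule level to one of our severity bands."""
    for floor, name in SEVERITY_BANDS:
        if level >= floor:
            return name
    return "low"


def filter_alerts(alerts, min_level=0, group=None):
    """Keep alerts at or above min_level and, if given, tagged with rule group `group`."""
    out = []
    for alert in alerts:
        rule = alert.get("rule", {})
        if rule.get("level", 0) < min_level:
            continue
        if group is not None and group not in rule.get("groups", []):
            continue
        out.append(alert)
    return out


def summarize(alerts):
    """Counts by severity band, by rule group and by agent, for a quick daily overview."""
    by_severity = Counter(severity(a["rule"]["level"]) for a in alerts)
    by_group = Counter(g for a in alerts for g in a["rule"].get("groups", []))
    by_agent = Counter(a["agent"]["name"] for a in alerts)
    return {
        "total": len(alerts),
        "by_severity": dict(by_severity),
        "top_groups": by_group.most_common(3),
        "by_agent": dict(by_agent),
    }


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(json.dumps(summarize(alerts), indent=2))
    # The analyst's first pass: everything at level 10 or above.
    for a in filter_alerts(alerts, min_level=10):
        print(f'[{a["rule"]["level"]}] {a["agent"]["name"]}: {a["rule"]["description"]}')
```

On a real manager, replace SAMPLE_ALERTS with the contents of /var/ossec/logs/alerts/alerts.json; with 10,000 to 20,000 alerts a day, the level and group filters are what make the daily review tractable.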

What about GDPR?

The GDPR (General Data Protection Regulation) was developed to make privacy legislation consistent across Europe, with the primary objective of protecting the data of all citizens of the European Union.

This regulation has a significant impact in today’s world: personal data is vital for many businesses, and GDPR compliance requirements must be met or significant financial penalties apply.

With the increase in intrusions and compliance requirements (GDPR and others), companies must be very careful to detect even the most advanced attacks. Tools exist that are very simple to deploy, but their effectiveness often depends on the quality of the configuration (the definition of the behavioral baseline).

The Wazuh community has adapted the software as well as possible to support GDPR compliance.

The use of Wazuh’s file integrity monitoring and intrusion detection tools will enable the processing and control of personal information as well as protection through threat detection, facilitating compliance with security policies.

WOOPY, can I be notified of new alerts?

Yes, you can configure Wazuh to receive alerts on Slack, PagerDuty, or any modern system with APIs.

For Slack, the integration allows you to receive alerts in a Slack channel through inbound webhooks, a simple way to post messages from third-party apps (in this case, Wazuh).

Here is an example configuration for the Slack integration:

<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/...</hook_url> <!-- Replace with your Slack hook URL -->
  <alert_format>json</alert_format>
</integration>
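The built-in integration above posts every alert it is given. When you want to shape the message yourself, or forward only alerts above a level, Wazuh lets you point the same kind of <integration> block at a custom script instead. Here is an added example of such a script; it is not the post’s configuration and not Wazuh’s own slack integration. It relies on the convention Wazuh documents for custom integrations, taken as an assumption here: the script lives under /var/ossec/integrations/ with a name starting with custom- (so the block would say <name>custom-slack</name>), and the manager calls it with the alert file path, an API key and the hook URL as arguments. The alert is constructed and the hook URL is a placeholder.

```python
"""Custom Wazuh integration forwarding alerts to a Slack incoming webhook.

Added example, not Wazuh's built-in `slack` integration. The argv layout
(alert file, api key, hook url) and the custom-* naming are assumptions
taken from Wazuh's documented custom-integration convention.
"""
import json
import sys
import urllib.request

MIN_LEVEL = 10  # only forward rule levels at or above this (our own threshold)

# Constructed alert in the shape Wazuh writes with alert_format json (not real data).
SAMPLE_ALERT = {
    "timestamp": "2021-07-20T10:01:40.000+0000",
    "rule": {"level": 12, "id": "5712",
             "description": "sshd: brute force trying to get access to the system.",
             "groups": ["syslog", "sshd", "authentication_failures"]},
    "agent": {"id": "003", "name": "web-01"},
    "data": {"srcip": "203.0.113.7"},
}


def load_alert(path):
    """Read the alert JSON file the manager hands to the integration."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def slack_color(level):
    """Attachment colour by level, using Slack's named colours."""
    if level >= 12:
        return "danger"
    if level >= 7:
        return "warning"
    return "good"


def build_slack_payload(alert, min_level=MIN_LEVEL):
    """Return the webhook JSON payload for `alert`, or None if it is below min_level."""
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    if level < min_level:
        return None
    agent = alert.get("agent", {})
    fields = [
        {"title": "Agent", "value": f'{agent.get("name", "?")} ({agent.get("id", "?")})', "short": True},
        {"title": "Rule", "value": f'{rule.get("id", "?")} (level {level})', "short": True},
    ]
    srcip = alert.get("data", {}).get("srcip")
    if srcip:
        fields.append({"title": "Source IP", "value": srcip, "short": True})
    return {
        "text": f'Wazuh alert: {rule.get("description", "(no description)")}',
        "attachments": [{"color": slack_color(level), "fields": fields, "footer": "wazuh-manager"}],
    }


def post_to_slack(payload, hook_url, timeout=5):
    """POST the payload to the incoming webhook and return the HTTP status code."""
    req = urllib.request.Request(
        hook_url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main(argv):
    # Assumed argument layout: <alert_file> <api_key> <hook_url> (api key unused for Slack).
    if len(argv) < 4:
        sys.stderr.write("usage: custom-slack <alert_file> <api_key> <hook_url>\n")
        return 2
    alert_file, _api_key, hook_url = argv[1], argv[2], argv[3]
    payload = build_slack_payload(load_alert(alert_file))
    if payload is None:
        return 0  # below threshold: nothing to send
    return 0 if post_to_slack(payload, hook_url) == 200 else 1


if __name__ == "__main__":
    if len(sys.argv) == 1:
        # Offline demo: show the payload for the constructed alert without posting it.
        print(json.dumps(build_slack_payload(SAMPLE_ALERT), indent=2))
    else:
        sys.exit(main(sys.argv))
```

Running the script with no arguments prints the payload it would send, which is a convenient way to check the formatting before wiring it into the manager.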

Hmm, what about the cost of maintenance?

I admit that this is the least fun part, the dark side of Wazuh. As you can understand, Wazuh is a platform that brings together several components (wazuh-manager, Elastic, Filebeat, etc.), so a version upgrade means updating all of them, which complicates the operation and increases the risk of errors.
The procedure is well documented on the site, but here are some tips and recommendations:

  • Do not hesitate to save / copy your VM before the operation.
  • Test the procedure on a test environment.
  • Check that the Kibana configuration (/etc/kibana/kibana.yml) has not been reset.
  • Check that the Filebeat configuration (/etc/filebeat/filebeat.yml) has not been reset.
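The last two checks, together with the earlier reminder to replace the default admin password in the same two files, are easy to automate. The script below is an added example, not from the post or from Wazuh: run it with snapshot before the upgrade and verify afterwards, and it reports any of the two files that changed, went missing, or still carry a password: key set to the installer’s default admin. Reading the files as plain text with a regular expression instead of a YAML parser is a deliberate simplification, the snapshot path is our own choice, and the demo command exercises everything on constructed files in a temporary directory so it can be tried without a Wazuh host.

```python
"""Pre-/post-upgrade check for the two config files the post says to watch.

Added example, not from the post or from Wazuh. Matching `password:` keys
with a regex rather than a YAML parser is a simplification; the snapshot
path is our own choice.
"""
import hashlib
import json
import os
import re
import sys
import tempfile

CONFIG_FILES = ["/etc/kibana/kibana.yml", "/etc/filebeat/filebeat.yml"]
DEFAULT_PASSWORD = "admin"
SNAPSHOT_FILE = "/var/backups/wazuh-config-snapshot.json"  # assumption: our own path

# Matches `password:` or a dotted key ending in `.password:` (e.g. elasticsearch.password).
PASSWORD_RE = re.compile(r'^\s*[\w.]*password:\s*["\']?([^"\'\s#]*)', re.IGNORECASE)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_default_passwords(text, default=DEFAULT_PASSWORD):
    """Return (line_number, key) for every password key whose value is the default."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PASSWORD_RE.match(line)
        if m and m.group(1) == default:
            hits.append((lineno, line.split(":", 1)[0].strip()))
    return hits


def snapshot(paths):
    """Map each config path to its SHA-256; a missing file maps to None."""
    return {p: (sha256_file(p) if os.path.exists(p) else None) for p in paths}


def verify(paths, before):
    """Compare current files with a snapshot; return a list of (path, problem)."""
    problems = []
    now = snapshot(paths)
    for p in paths:
        if now[p] is None:
            problems.append((p, "missing"))
            continue
        if now[p] != before.get(p):
            problems.append((p, "changed since snapshot"))
        with open(p, encoding="utf-8") as fh:
            for lineno, key in find_default_passwords(fh.read()):
                problems.append((p, f"default password for {key} at line {lineno}"))
    return problems


def demo():
    """Exercise snapshot/verify on constructed files in a temp dir (offline demo)."""
    with tempfile.TemporaryDirectory() as tmp:
        kibana = os.path.join(tmp, "kibana.yml")
        filebeat = os.path.join(tmp, "filebeat.yml")
        with open(kibana, "w", encoding="utf-8") as fh:  # constructed, password already changed
            fh.write('server.host: 0.0.0.0\nelasticsearch.username: admin\nelasticsearch.password: "S3cret-not-default"\n')
        with open(filebeat, "w", encoding="utf-8") as fh:  # constructed, still the default
            fh.write('output.elasticsearch:\n  hosts: ["127.0.0.1:9200"]\n  username: admin\n  password: admin\n')
        paths = [kibana, filebeat]
        before = snapshot(paths)
        untouched = verify(paths, before)
        with open(kibana, "w", encoding="utf-8") as fh:  # simulate an upgrade that reset kibana.yml
            fh.write("server.host: 0.0.0.0\n")
        after_upgrade = verify(paths, before)
        return {"untouched": [msg for _, msg in untouched],
                "after_upgrade": [msg for _, msg in after_upgrade]}


def main(argv):
    cmd = argv[1] if len(argv) > 1 else "verify"
    if cmd == "snapshot":
        os.makedirs(os.path.dirname(SNAPSHOT_FILE), exist_ok=True)
        with open(SNAPSHOT_FILE, "w", encoding="utf-8") as fh:
            json.dump(snapshot(CONFIG_FILES), fh, indent=2)
        return 0
    if cmd == "verify":
        with open(SNAPSHOT_FILE, encoding="utf-8") as fh:
            problems = verify(CONFIG_FILES, json.load(fh))
        for path, problem in problems:
            print(f"{path}: {problem}")
        return 1 if problems else 0
    if cmd == "demo":
        print(json.dumps(demo(), indent=2))
        return 0
    print("usage: snapshot | verify | demo", file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit from verify after the upgrade is the cue to restore the two files from the VM copy and restart Kibana and Filebeat, exactly as the tips above recommend.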

Conclusion

We have seen how at Woop we use Wazuh to monitor the security of our environments, and how it is able to provide mechanisms to trigger automatic responses and block attacks in real time. And we are not the only ones: our friends at Valiuz, a Lille startup specializing in DATA, have also expressed their interest in using Wazuh.

This is a good open source HIDS, available for Linux environments in particular. But there are a few caveats: setup and maintenance will take time and effort to run in production. If you want to run Wazuh in production, be sure to test it thoroughly in a test environment.
