From 72557b79cb48cb3af1e9b024c1bde18fbbb35cab Mon Sep 17 00:00:00 2001 From: Scott Fryer Date: Tue, 21 Nov 2023 16:15:56 +0000 Subject: [PATCH 01/15] Add Wazuh repository and initial code. --- wazuh/README.md | 19 +++ wazuh/agent/windows/anti_flooding_config.MD | 23 +++ .../Extending_The_SSH_Logger.MD | 142 ++++++++++++++++++ 3 files changed, 184 insertions(+) create mode 100644 wazuh/README.md create mode 100644 wazuh/agent/windows/anti_flooding_config.MD create mode 100644 wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD diff --git a/wazuh/README.md b/wazuh/README.md new file mode 100644 index 0000000000..f344b181df --- /dev/null +++ b/wazuh/README.md @@ -0,0 +1,19 @@ +# Wazuh + +## Overview Of This Repository + +The aim of this repository is to collate, and store configuration and code snippets used to customise a default Wazuh installation for use within the Adoptium project. + +## Useful Information + +Currently we are using Wazuh 4.5.3 + +Documentation for which can be found: https://documentation.wazuh.com/4.5/user-manual/index.html + +## Repository Structure + +At the top level, this repository has a folder for each of the two main components, server, which will contain any configuration changes that are applied to files hosted on the physical server, which will include changes to the shared agent configuration, which is located on the Wazuh server, and then applied to all agents connected. + +The agents folder will contain only configuration changes required to individual agents, platforms or groups of agents, that should not be applied via the global shared agent configuration. + +## Contributing Guidelines diff --git a/wazuh/agent/windows/anti_flooding_config.MD b/wazuh/agent/windows/anti_flooding_config.MD new file mode 100644 index 0000000000..5377c2b625 --- /dev/null +++ b/wazuh/agent/windows/anti_flooding_config.MD 
@@ -0,0 +1,23 @@ +# Wazuh Agent flooding + +## Requirement + +The Adoptium public infrastructure windows hosts, receive significantly more intrusion attempts than any other platform, and as such, Wazuh will issue anti-flooding alerts & warnings. The best solution to this, is to improve the volume of logging requests permitted on windows hosts. + +## How + +To achieve this, a simple configuration change can be made specifically on the windows hosts by amending the client buffer section of the agent configuration on each windows machine. This change could be made in the centralised configuration, but given we have only encountered flooding issues on windows, globally increasing the amount of logging available for all agents across all platforms, could potentially cause disk space issues, and a loss of visibility of an period where an increased number of attacks on a specific machine or platform are occurring. + +Assuming a default installation, the file agent.conf can be found in "C:\Program Files (x86)\ossec-agent\ossec.conf" , and the client buffer section should be altered to match the below. + +``` + + no + 100000 + 1000 + +``` + +## References + +Wazuh Agent Anti-Flooding Reference : https://documentation.wazuh.com/current/user-manual/agents/antiflooding.html diff --git a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD new file mode 100644 index 0000000000..99d78678ad --- /dev/null +++ b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD 
@@ -0,0 +1,142 @@ +# Wazuh - How To Extend The SSH Logging decoder + +## Requirement + +Implementing A Mechanism For Tracing Direct Logins : https://github.com/adoptium/infrastructure/issues/3212 + +## How + +Wazuh uses elements called decoders for processing the log files shipped from the agents to the servers, the standard set of decoders can both extended and customised, the official documentation from Wazuh is linked in the references section below, but this document will detail the specific process used to extend the SSH logger to capture the checksum of the SSH keys used to login. + +A pre-requisite of this, is of course to ensure the auditd/sshd/system logs being captured contain the relevant information for Wazuh to capture and process. Wazuh also provide a very useful testing tool (detailed here: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html) + +In order to capture the Checksum of an SSH key, it was necessary to extend the following standard decoder : /var/ossec/ruleset/decoders/0310-ssh_decoders.xml. + +The standard decoder file that needs customising was identified by running a grep for the program name/item (sshd), in the /var/ossec/ruleset/decoders directory. + +## Implementation Steps + +* Copy the default decoder file /var/ossec/ruleset/decoders/0310-ssh_decoders.xml to the user folder /var/ossec/etc/decoders. The reasons for doing this are twofold, firstly the default decoders file (0310-ssh_decoders.xml) will be excluded and instead Wazuh will use the new copy, which will be edited and extended to capture the ssh key checksum. Secondly, by following this process, any changes made will be preserved during upgrades and also easier to revert should any issues occur. + +* Next edit the /var/ossec/etc/ossec.conf configuration file. Set the tag to exclude the original ruleset/decoders/0310-ssh_decoders.xml decoder file from the loading list. 
With this configuration, Wazuh loads the decoder file located in the user folder and not the file in the default folder. Below is an example of this change made. + +``` + +... +ruleset/decoders/0310-ssh_decoders.xml + +``` + +* Now the edits and customisations to the new customised version of the ssh decoder is made, at this point its worth identifying a log entry that you would like to be captured, the sample used for extending ssh logins was extracted from the auth.log file and is detailed below: + +``` +Nov 19 21:33:32 xxxxxx sshd[1914646]: Accepted publickey for xxxxxx from xxx.xx.xxx.xxx port xxxxx ssh2: RSA SHA256:XXXXXXXXX +``` + +The following changes are being made to the new custom/copied decoder file (/var/ossec/etc/decoders/0310-ssh_decoders.xml) +The decoder works by using a regex to parse logfile entries for matches, and then an offset to capture data. Captured fields are shown by the (\S+) strings in the decoder, with the order element of the xml assigning those strings to variables + +The default decoder for ssh successful ssh login is detailed below, and as you can see from the example log line, the first string after "for" is allocated to the name the second string element from (\S+) is recorded into the srcip field and the port (\S+) is recorded into the srcport variable. + +``` + + sshd + ^Accepted + ^ \S+ for (\S+) from (\S+) port (\S+) + user, srcip, srcport + name, user, location + +``` + +In order to update this to capture the SSH key checksum you can see the "regex offset" element gets updated to look for the RSA SHA256 string before assigning that string to a new custom field called "keysum". This field will become available in Wazuh without any further configuration. 
+ +``` + + sshd + ^Accepted + ^ \S+ for (\S+) from (\S+) port (\S+) ssh2: RSA SHA256:(\S+) + user, srcip, srcport, keysum + name, user, location + +``` + +* Once these changes have been made, it is necessary to restart the Wazuh manager so the changes take effect: + +``` +systemctl restart wazuh-manager +``` + +If there are any issues with restarting the server, which can be caused by syntax errors in either the config or decoder files, these can be identified by running a status on the Wazuh manager service. + +``` +systemctl status wazuh-manager.service +``` + +## Testing The New Decoder/Changes + +Wazuh provide a useful tool for checking whether decoder and rule changes are being parsed properly, this can be used prior to any changes to see what rules etc are being parsed, and what data is being captured. Below is the output of the test of the ssh decoder test detailed above: + +To launch the log test utility, on the wazuh server + +``` +/var/ossec/bin/wazuh-logtest +``` + +Which will then prompt: + +``` +Starting wazuh-logtest v4.5.3 +Type one log per line +``` + +At this point, paste in a sample log line extracted from a log, e.g + +Nov 19 21:33:32 xxxxxx sshd[1914646]: Accepted publickey for xxxxxx from xxx.xx.xxx.xxx port xxxxx ssh2: RSA SHA256:XXXXXXXXX + +The following output is then displayed, which shows the new field being capture: + +``` +**Phase 1: Completed pre-decoding. + full event: 'Nov 19 21:33:32 xxxxxx sshd[1914646]: Accepted publickey for xxxxxx from xxx.xx.xxx.xxx port xxxxx ssh2: RSA SHA256:XXXXXXXXX' + timestamp: 'Nov 19 21:33:32' + hostname: 'xxxxxx' + program_name: 'sshd' + +**Phase 2: Completed decoding. + name: 'sshd' + parent: 'sshd' + dstuser: 'xxxxxx' + keysum: 'XXXXXXXXX' + srcip: 'xxx.xx.xxx.xxx' + srcport: 'xxxxx' + +**Phase 3: Completed filtering (rules). + id: '5715' + level: '3' + description: 'sshd: authentication success.' 
+ groups: '['syslog', 'sshd', 'authentication_success']' + firedtimes: '1' + gdpr: '['IV_32.2']' + gpg13: '['7.1', '7.2']' + hipaa: '['164.312.b']' + mail: 'False' + mitre.id: '['T1078', 'T1021']' + mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access', 'Lateral Movement']' + mitre.technique: '['Valid Accounts', 'Remote Services']' + nist_800_53: '['AU.14', 'AC.7']' + pci_dss: '['10.2.5']' + tsc: '['CC6.8', 'CC7.2', 'CC7.3']' +**Alert to be generated. +``` + +## Notes + +* It is important to note, that custom decoders WILL NOT over ride existing ones, so in order to amend an existing one, it must be removed from the standard rules, and replaced with a custom ruleset for all elements. + +* Custom rules, decoders and configuration files should be backed up prior to running an upgrade. + +## References + +The following guides from the official documentation are very +Wazuh Decoder Reference: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html +Wazuh Ruleset Testing Reference: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html From 7c8ab1abbadc0eae84d7ca518a83fe05cfe99992 Mon Sep 17 00:00:00 2001 From: Scott Fryer Date: Tue, 21 Nov 2023 16:27:29 +0000 Subject: [PATCH 02/15] Documentation updates --- wazuh/README.md | 2 -- wazuh/agent/windows/agent.snippet.conf | 5 +++++ wazuh/server/ssh-key-logging/0310-ssh_decoders.snippet.xml | 7 +++++++ 3 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 wazuh/agent/windows/agent.snippet.conf create mode 100644 wazuh/server/ssh-key-logging/0310-ssh_decoders.snippet.xml diff --git a/wazuh/README.md b/wazuh/README.md index f344b181df..4db0b38a2f 100644 --- a/wazuh/README.md +++ b/wazuh/README.md 
@@ -15,5 +15,3 @@ Documentation for which can be found: https://documentation.wazuh.com/4.5/user-m At the top level, this repository has a folder for each of the two main components, server, which will contain any configuration changes that are applied to files hosted on the physical server, which will include changes to the shared agent configuration, which is located on the Wazuh server, and then applied to all agents connected. The agents folder will contain only configuration changes required to individual agents, platforms or groups of agents, that should not be applied via the global shared agent configuration. - -## Contributing Guidelines diff --git a/wazuh/agent/windows/agent.snippet.conf b/wazuh/agent/windows/agent.snippet.conf new file mode 100644 index 0000000000..cc8f8b51a7 --- /dev/null +++ b/wazuh/agent/windows/agent.snippet.conf @@ -0,0 +1,5 @@ + + no + 100000 + 1000 + diff --git a/wazuh/server/ssh-key-logging/0310-ssh_decoders.snippet.xml b/wazuh/server/ssh-key-logging/0310-ssh_decoders.snippet.xml new file mode 100644 index 0000000000..99a1c885e8 --- /dev/null +++ b/wazuh/server/ssh-key-logging/0310-ssh_decoders.snippet.xml @@ -0,0 +1,7 @@ + + sshd + ^Accepted + ^ \S+ for (\S+) from (\S+) port (\S+) ssh2: RSA SHA256:(\S+) + user, srcip, srcport, keysum + name, user, location + From e13c043aa6eae60af7920b03ea02823e6b509d9e Mon Sep 17 00:00:00 2001 From: Scott Fryer Date: Wed, 22 Nov 2023 09:01:33 +0000 Subject: [PATCH 03/15] Formatting updates Formatting Update --- .../server/ssh-key-logging/Extending_The_SSH_Logger.MD | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD index 99d78678ad..e57261ce83 100644 --- a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD +++ b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD 
@@ -91,7 +91,9 @@ Type one log per line At this point, paste in a sample log line extracted from a log, e.g +``` Nov 19 21:33:32 xxxxxx sshd[1914646]: Accepted publickey for xxxxxx from xxx.xx.xxx.xxx port xxxxx ssh2: RSA SHA256:XXXXXXXXX +``` The following output is then displayed, which shows the new field being capture: @@ -137,6 +139,8 @@ The following output is then displayed, which shows the new field being capture: ## References -The following guides from the official documentation are very -Wazuh Decoder Reference: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html -Wazuh Ruleset Testing Reference: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html +Useful sections from the Wazuh documentation + +* Wazuh Decoder Reference: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html + +* Wazuh Ruleset Testing Reference: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html From cc0bdb16b5dd344c37d81cecdb2b85ae72b2ac8d Mon Sep 17 00:00:00 2001 From: Scott Fryer Date: Wed, 22 Nov 2023 09:04:39 +0000 Subject: [PATCH 04/15] Update documentation --- CONTRIBUTING.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index edd2bab540..5115bda997 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -126,7 +126,7 @@ playbooks: - [gmake role](https://github.com/adoptium/infrastructure/blob/master/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/gmake/tasks/main.yml) (GPG verification using [package_signature_verification.sh](https://github.com/adoptium/infrastructure/blob/master/ansible/playbooks/Supporting_Scripts/package_signature_verification.sh) - [NVidia_Cuda_Toolkit role](https://github.com/adoptium/infrastructure/blob/master/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/NVidia_Cuda_Toolkit/tasks/main.yml) which performs a SHA256 check of the download - The [gcc_11 role](https://github.com/adoptium/infrastructure/blob/master/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/gcc_11/tasks/main.yml) is an example of SHA checks when there are multiple downloads for each architecture. It uses checksums stored in a [separate variables file](https://github.com/adoptium/infrastructure/blob/master/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/gcc_11/vars/main.yml) - + Where possible, if you are modifying a playbook to add something new, please also add information saying what it is needed for (it may be useful to link back to a related PR or issue) ## Using Vagrant to test your Ansible scripts @@ -173,6 +173,8 @@ Wherever possible, prefix the commit message with the area which you are changin - inventory: - github: - tools: +- nagios: +- wazuh: ## Further Docs From 2def5d963432aa4c15cfcfa65c14e4979944fb09 Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 23 Nov 2023 13:00:44 +0000 Subject: [PATCH 05/15] Update wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD Updates Co-authored-by: Adam Farley --- wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD index e57261ce83..a034aa7fc4 100644 
--- a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD +++ b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD @@ -133,7 +133,7 @@ The following output is then displayed, which shows the new field being capture: ## Notes -* It is important to note, that custom decoders WILL NOT over ride existing ones, so in order to amend an existing one, it must be removed from the standard rules, and replaced with a custom ruleset for all elements. +* It is important to note that custom decoders WILL NOT override existing ones. So in order to amend an existing decoder, it must be removed from the standard rules and replaced with a custom ruleset for all elements. * Custom rules, decoders and configuration files should be backed up prior to running an upgrade. From d953551543524e4ece0fa32dbcc4a0b52511aefd Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 23 Nov 2023 13:00:54 +0000 Subject: [PATCH 06/15] Update wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD Co-authored-by: Adam Farley --- wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD index a034aa7fc4..4b4e664a86 100644 --- a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD +++ b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD @@ -139,7 +139,7 @@ The following output is then displayed, which shows the new field being capture: ## References -Useful sections from the Wazuh documentation +Useful sections from the Wazuh documentation: * Wazuh Decoder Reference: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html From 909076eb9249f328baacd17df2b0835d806a71f6 Mon Sep 17 00:00:00 2001 
From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 23 Nov 2023 13:07:50 +0000 Subject: [PATCH 07/15] Update wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD Co-authored-by: Adam Farley --- wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD index 4b4e664a86..265c828f69 100644 --- a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD +++ b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD @@ -135,7 +135,7 @@ The following output is then displayed, which shows the new field being capture: * It is important to note that custom decoders WILL NOT override existing ones. So in order to amend an existing decoder, it must be removed from the standard rules and replaced with a custom ruleset for all elements. -* Custom rules, decoders and configuration files should be backed up prior to running an upgrade. +* Custom rules, decoders, and configuration files should be backed up prior to running an upgrade. ## References From 604448bed0a9acaecd6ed31f18aae4f4c3b2d2d4 Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 23 Nov 2023 13:07:56 +0000 Subject: [PATCH 08/15] Update wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD Co-authored-by: Adam Farley --- wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD index 265c828f69..b386a15993 100644 --- a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD +++ b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD 
@@ -95,7 +95,7 @@ At this point, paste in a sample log line extracted from a log, e.g Nov 19 21:33:32 xxxxxx sshd[1914646]: Accepted publickey for xxxxxx from xxx.xx.xxx.xxx port xxxxx ssh2: RSA SHA256:XXXXXXXXX ``` -The following output is then displayed, which shows the new field being capture: +The following output is then displayed, which shows the new field being captured: ``` **Phase 1: Completed pre-decoding. From 6645a7024d3ad8c3737ac4f79e264133fcd7d828 Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 23 Nov 2023 13:08:03 +0000 Subject: [PATCH 09/15] Update wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD Co-authored-by: Adam Farley --- wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD index b386a15993..29d19df224 100644 --- a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD +++ b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD @@ -89,7 +89,7 @@ Starting wazuh-logtest v4.5.3 Type one log per line ``` -At this point, paste in a sample log line extracted from a log, e.g +At this point, paste in a sample line extracted from a log, e.g ``` Nov 19 21:33:32 xxxxxx sshd[1914646]: Accepted publickey for xxxxxx from xxx.xx.xxx.xxx port xxxxx ssh2: RSA SHA256:XXXXXXXXX From f17abe253a0190fa3a7c36df2085f2542b3f2f90 Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 23 Nov 2023 13:08:10 +0000 Subject: [PATCH 10/15] Update wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD Co-authored-by: Adam Farley --- wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD index 29d19df224..30d9de262e 100644 --- a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD +++ b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD @@ -8,7 +8,7 @@ Implementing A Mechanism For Tracing Direct Logins : https://github.com/adoptium Wazuh uses elements called decoders for processing the log files shipped from the agents to the servers, the standard set of decoders can both extended and customised, the official documentation from Wazuh is linked in the references section below, but this document will detail the specific process used to extend the SSH logger to capture the checksum of the SSH keys used to login. -A pre-requisite of this, is of course to ensure the auditd/sshd/system logs being captured contain the relevant information for Wazuh to capture and process. Wazuh also provide a very useful testing tool (detailed here: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html) +A pre-requisite of this is to ensure the captured auditd/sshd/system logs have the relevant information for Wazuh to capture and process. Wazuh also provide a very useful testing tool, detailed here: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html In order to capture the Checksum of an SSH key, it was necessary to extend the following standard decoder : /var/ossec/ruleset/decoders/0310-ssh_decoders.xml. From 04f1269440985150f940e5bf230f1b4e811e2ca7 Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 23 Nov 2023 13:08:18 +0000 Subject: [PATCH 11/15] Update wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD Co-authored-by: Adam Farley --- wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD index 30d9de262e..f431408d95 100644 --- a/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD +++ b/wazuh/server/ssh-key-logging/Extending_The_SSH_Logger.MD @@ -6,7 +6,7 @@ Implementing A Mechanism For Tracing Direct Logins : https://github.com/adoptium ## How -Wazuh uses elements called decoders for processing the log files shipped from the agents to the servers, the standard set of decoders can both extended and customised, the official documentation from Wazuh is linked in the references section below, but this document will detail the specific process used to extend the SSH logger to capture the checksum of the SSH keys used to login. +Wazuh uses "decoders" to process the log files shipped from the agents to the servers. The standard set of decoders can be extended and customised. The official Wazuh docs are linked under "References" below, but here we will detail the specific process used to extend the SSH logger to capture the checksum of the SSH keys used to log in. A pre-requisite of this is to ensure the captured auditd/sshd/system logs have the relevant information for Wazuh to capture and process. Wazuh also provide a very useful testing tool, detailed here: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html From ab832690ec66e12b95a346f551d4d369f45017fb Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 23 Nov 2023 13:08:27 +0000 Subject: [PATCH 12/15] Update wazuh/agent/windows/anti_flooding_config.MD Co-authored-by: Adam Farley --- wazuh/agent/windows/anti_flooding_config.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/agent/windows/anti_flooding_config.MD b/wazuh/agent/windows/anti_flooding_config.MD index 5377c2b625..792574c209 100644 --- a/wazuh/agent/windows/anti_flooding_config.MD 
+++ b/wazuh/agent/windows/anti_flooding_config.MD @@ -6,7 +6,7 @@ The Adoptium public infrastructure windows hosts, receive significantly more int ## How -To achieve this, a simple configuration change can be made specifically on the windows hosts by amending the client buffer section of the agent configuration on each windows machine. This change could be made in the centralised configuration, but given we have only encountered flooding issues on windows, globally increasing the amount of logging available for all agents across all platforms, could potentially cause disk space issues, and a loss of visibility of an period where an increased number of attacks on a specific machine or platform are occurring. +To achieve this on windows, we could amend the client buffer section of the agent configuration. We could also put this change in the centralised configuration, but given we've only seen flooding issues on windows, allowing more logs for all agents across all platforms could cause disk space issues and a loss of visibility during periods of focused hacker activity. Assuming a default installation, the file agent.conf can be found in "C:\Program Files (x86)\ossec-agent\ossec.conf" , and the client buffer section should be altered to match the below. From 11cc8b0b93c0564897663b8cf4443bba90edcddb Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 23 Nov 2023 13:08:34 +0000 Subject: [PATCH 13/15] Update wazuh/agent/windows/anti_flooding_config.MD Co-authored-by: Adam Farley --- wazuh/agent/windows/anti_flooding_config.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/agent/windows/anti_flooding_config.MD b/wazuh/agent/windows/anti_flooding_config.MD index 792574c209..690164e75e 100644 --- a/wazuh/agent/windows/anti_flooding_config.MD +++ b/wazuh/agent/windows/anti_flooding_config.MD 
@@ -2,7 +2,7 @@ ## Requirement -The Adoptium public infrastructure windows hosts, receive significantly more intrusion attempts than any other platform, and as such, Wazuh will issue anti-flooding alerts & warnings. The best solution to this, is to improve the volume of logging requests permitted on windows hosts. +Adoptium's public windows hosts receive significantly more intrusion attempts than any other platform. As such, Wazuh will issue anti-flooding alerts & warnings for this platform. The best solution is to increase the number of logging requests permitted on windows hosts. ## How From 7ba1b7a9c7b110d927ff5f955bc600356de50e9c Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 23 Nov 2023 13:08:52 +0000 Subject: [PATCH 14/15] Update wazuh/README.md Co-authored-by: Adam Farley --- wazuh/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/README.md b/wazuh/README.md index 4db0b38a2f..8d4dab45b2 100644 --- a/wazuh/README.md +++ b/wazuh/README.md 
@@ -12,6 +12,6 @@ Documentation for which can be found: https://documentation.wazuh.com/4.5/user-m ## Repository Structure -At the top level, this repository has a folder for each of the two main components, server, which will contain any configuration changes that are applied to files hosted on the physical server, which will include changes to the shared agent configuration, which is located on the Wazuh server, and then applied to all agents connected. +At the top level, this repository has a folder for each of the two main components on the server. These will contain any configuration changes that are applied to files hosted on the physical server. These, in turn, will include changes to the shared agent configuration (located on the Wazuh server), and then applied to all agents connected. The agents folder will contain only configuration changes required to individual agents, platforms or groups of agents, that should not be applied via the global shared agent configuration. From 2e3bb9498006ec13ac9036ebfcaf1c00241fdcb0 Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 23 Nov 2023 13:14:47 +0000 Subject: [PATCH 15/15] Improve readability --- wazuh/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/wazuh/README.md b/wazuh/README.md index 8d4dab45b2..af905d1501 100644 --- a/wazuh/README.md +++ b/wazuh/README.md 
@@ -12,6 +12,8 @@ Documentation for which can be found: https://documentation.wazuh.com/4.5/user-m ## Repository Structure -At the top level, this repository has a folder for each of the two main components on the server. These will contain any configuration changes that are applied to files hosted on the physical server. These, in turn, will include changes to the shared agent configuration (located on the Wazuh server), and then applied to all agents connected. +At the top level, this repository contains two folders that relate directly to the Wazuh application. These consist of the Wazuh central server, and the agent components that are installed on each machine. These individual folders contain any relevant configuration changes that are applied to files hosted on the physical server, or the agents as appropriate. -The agents folder will contain only configuration changes required to individual agents, platforms or groups of agents, that should not be applied via the global shared agent configuration. +The server folder will contain configuration changes, that are applied to the server itself, or to the global shared configuration shared by all agents. + +The agent folder will contain only configuration changes required to individual agents, platforms or groups of agents, that should not be applied via the global shared agent configuration.
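Review bot: the `## Contributing Guidelines` heading at the end of the new wazuh/README.md hunk in PATCH 01 has no text under it and renders as a dangling heading; either write the guidelines or leave the heading out (the PATCH 02 README hunk removes it again, so the two could be squashed). Two smaller points in the same commit: the new documentation files use an uppercase `.MD` extension (anti_flooding_config.MD, Extending_The_SSH_Logger.MD) while the README uses `.md`, and "Currently we are using Wazuh 4.5.3" would be easier to keep current if the version were stated once next to the documentation link rather than as a separate sentence.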
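Review bot: in the anti_flooding_config.MD hunk of PATCH 01, the sentence `the file agent.conf can be found in "C:\Program Files (x86)\ossec-agent\ossec.conf"` names one file and gives the path of another. The README in the same series describes agent.conf as the shared configuration held on the Wazuh server and pushed to all agents, whereas the per-host file at that Windows path is ossec.conf; since the whole point of this page is to make the change on individual Windows hosts rather than centrally, the file name should match the path. The fenced block that follows shows only three bare values (`no`, `100000`, `1000`) with no element names, so as rendered a reader cannot tell which client buffer setting each value belongs to; check that the XML tags survived, and consider a short comment above each line saying what it controls, plus a sentence on why 100000 and 1000 were chosen so the numbers can be revisited if disk usage on the Windows hosts grows.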
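Review bot: the custom decoder regex in the Extending_The_SSH_Logger.MD hunk of PATCH 01, `^ \S+ for (\S+) from (\S+) port (\S+) ssh2: RSA SHA256:(\S+)`, is strictly narrower than the default `^ \S+ for (\S+) from (\S+) port (\S+)` it replaces, and because the procedure excludes the stock 0310-ssh_decoders.xml there is no fallback: any `Accepted` line that does not carry the literal `ssh2: RSA SHA256:` suffix (a key type other than RSA, or an `Accepted password` line, which has no fingerprint at all) will no longer be decoded, so `user`, `srcip` and `srcport` are lost for exactly the logins the issue (#3212, tracing direct logins) wants to see. Suggest capturing the key type instead of hardcoding it, e.g. `^ \S+ for (\S+) from (\S+) port (\S+) ssh2: (\S+) SHA256:(\S+)` with `user, srcip, srcport, keytype, keysum`, and keeping a decoder with the original, shorter regex so fingerprint-less accepts still decode; the logtest output in the same hunk is the place to show both cases. Two documentation nits in this hunk: "the first string after "for" is allocated to the name" contradicts the `order` line, where the first capture is `user` (shown as `dstuser` in the logtest output), and the References section ends mid-sentence ("are very"), which PATCH 03 fixes; the ossec.conf paragraph also says "Set the tag to exclude" without naming the tag, and the fenced block beneath it shows only the file path.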
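Review bot: the new wazuh/server/ssh-key-logging/0310-ssh_decoders.snippet.xml in PATCH 02 contains only the single modified decoder, while the procedure in Extending_The_SSH_Logger.MD excludes the whole stock 0310-ssh_decoders.xml and loads a full copy from /var/ossec/etc/decoders; a reader who drops this snippet in as the replacement file would lose every other sshd decoder that lived in the excluded file. Add a comment at the top of the snippet (or a line in the README's repository structure section) saying it is the one decoder to swap into the copied file, not a standalone replacement, and name the decoder it replaces. The same applies to wazuh/agent/windows/agent.snippet.conf: as rendered it is three bare values with no enclosing element, and its name suggests the centralised agent.conf rather than the per-host ossec.conf that anti_flooding_config.MD tells the reader to edit.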
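Review bot: in the PATCH 04 CONTRIBUTING.md change, the first hunk (after the gcc_11 role bullet) appears to be a whitespace-only edit to a blank line and could be dropped to keep the diff to its purpose; the second hunk adds both `nagios:` and `wazuh:` commit-message prefixes, but nothing in this series touches Nagios, so either split the nagios prefix into its own change or say why it is added here, since the commit message "Update documentation" does not.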
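Review bot: the rewritten sentence in the PATCH 14 README hunk, "a folder for each of the two main components on the server", describes both folders as living on the server, but the two components are the Wazuh server and the agents installed on each machine, which is what the PATCH 15 hunk then says; squash the two so the intermediate wording never lands. In the final PATCH 15 text, "The server folder will contain configuration changes, that are applied" has a stray comma before "that", and "the global shared configuration shared by all agents" repeats "shared".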