Integrated security with Wazuh

The Watcher

© Lead Image © arasdubov, 123RF.com

Article from Issue 298/2025
Author(s):

This versatile security app checks for vulnerabilities, watches logs, and acts as a single interface for other tools.

Cyberattacks have not lost their power. Many companies and individuals are at risk from various types of calculated attacks. Education and user awareness are very important for combating the danger of cyberattacks. Unfortunately, sometimes sysadmins don't find the necessary information in time because the techniques for breaking through security are constantly changing. One of the best practices is to install a security system that will collect all information about computers and inform the security team about threats. For many users, Wazuh [1] might be the answer.

Wazuh is a free and open source security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. Wazuh components are licensed under the GNU General Public License version 2 and the Apache License Version 2.0. The Wazuh agent is a single, lightweight monitoring tool. You can deploy the agent on laptops, desktops, servers, cloud instances, containers, or virtual machines. You can also use the agent to obtain information about vulnerabilities.

Wazuh can detect malware threats, identify vulnerabilities, monitor file integrity, and display information on system inventory. Another important benefit of Wazuh is that it is easy to integrate with other tools.

To detect vulnerabilities, the Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Within the Wazuh server, the Vulnerability Detection module correlates the software inventory data with vulnerability content documents to detect vulnerable software on the monitored endpoint. The Vulnerability Detection module generates alerts when it detects new vulnerabilities or when a vulnerability is fixed due to a package update, removal, or system upgrade. The alerts mean you do not have to monitor the console and check the scan results every day.

What to Do with Wazuh

Wazuh (Figure 1) is a versatile security tool with a number of useful capabilities. The FIM (File Integrity Monitoring) module performs periodic file scans for integrity violations and can also monitor specific files and directories in real time. This functionality is fully configurable: The administrator sets the specific paths to scan. The FIM module detects file modifications by comparing the checksums of files against those recorded during previous scans. This is possible because the data from the previous scan is stored in the local FIM database.

Figure 1: The Wazuh console displays security information at a glance.

The FIM module itself cannot tell whether a file is malicious; it merely informs the user that the integrity of a file may have changed. You can configure FIM to work with external platforms such as VirusTotal. Wazuh can also detect rootkits with the built-in Rootcheck module, which monitors endpoints and alerts you when it detects anomalies. Detection of these threats is signature based, and the administrator can update the signatures to detect newly discovered rootkits or Trojans. The last element in detecting malicious files is the Log Collection module, which collects and analyzes data from tools such as Microsoft Defender.
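The checksum comparison described above, reduced to its essentials as an added example (this is not Wazuh code): a baseline scan records a SHA-256 digest, size, and mode for every file under a directory, a later scan is compared against that stored baseline, and each path is reported as added, deleted, or modified. The sample file tree, the tampering between scans, and the baseline file name `fim-baseline.json` are constructed for the demonstration.

```python
"""Minimal file-integrity baseline check (added example, not Wazuh's own
implementation). Builds a baseline of file digests, rescans, and reports
what changed, mirroring how a FIM database is used."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Snapshot a directory tree as {relative path: {sha256, size, mode}}."""
    snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # record regular files only; link targets are walked on their own
            st = p.stat()
            snapshot[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return snapshot


def save_baseline(snapshot: dict, db: Path) -> None:
    """Persist the snapshot; this file plays the role of the local FIM database."""
    db.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(db: Path) -> dict:
    return json.loads(db.read_text())


def diff(baseline: dict, current: dict) -> dict:
    """Classify every path as added, deleted, or modified versus the baseline."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "deleted": deleted, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline three files, then alter the tree and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "conf.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "conf.d" / "app.conf").write_text("debug=false\n")

        db = Path(tmp) / "fim-baseline.json"  # constructed baseline location
        save_baseline(scan(root), db)

        # Simulated changes between the two scans
        (root / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 mirror\n")  # modified
        (root / "conf.d" / "app.conf").unlink()                                # deleted
        (root / "cron.allow").write_text("root\n")                             # added

        return diff(load_baseline(db), scan(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

As the text notes, a report like this only says that something changed, not whether the change is malicious; that judgment comes from correlating the alert with other data, such as a VirusTotal lookup of the new digest.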

The Vulnerability Detection module helps system administrators manage and patch vulnerabilities (Figure 2). Wazuh works based on data from the following sources:

  • Wazuh Vulnerability repository
  • Offline local repository

Figure 2: Wazuh's Vulnerability Detection console.

Wazuh will inform you with an alert when a new vulnerability occurs and when it is fixed or removed.

Information about the assets in the infrastructure is very important, for example, to a security analyst investigating a security alert. A system inventory helps maximize visibility and centralize control. Wazuh can keep tabs on the inventory because the endpoints send inventory information to the server. You can then review this data and use it for further work.

Wazuh can also monitor system calls and commands, and its Active Response function provides real-time visibility of events and automates the response to them.

Wazuh Installation

You can install the Wazuh indexer and Wazuh server on a single host or in cluster configuration. The fastest way to get the central Wazuh components up and running is an all-in-one installation. Start by downloading and running the Wazuh installation assistant:

curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Access the Wazuh web interface with

https://<WAZUH_DASHBOARD_IP_ADDRESS>

Provide your credentials:

Username: admin
Password: <ADMIN_PASSWORD> (randomly generated password)

To install the agent, first import the Wazuh GPG key, then add the Wazuh repository so you can download the official packages. Install the GPG key:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository:

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the package information:

apt-get update

Install the Wazuh agent:

apt-get install wazuh-agent

Enable and start the Wazuh agent service:

systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent

Wazuh recommends disabling the Wazuh repository to prevent accidental upgrades. To do so, use the following command:

sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
apt-get update

Alternatively, put the package on hold:

echo "wazuh-agent hold" | dpkg --set-selections

Vulnerability Detection Module

The Vulnerability Detection module is enabled by default. To verify that it is enabled, open the /var/ossec/etc/ossec.conf file on the Wazuh server and check for the following settings:

<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

Then make sure the indexer connection is properly configured. By default, the indexer settings contain a single host, set to 0.0.0.0. Replace 0.0.0.0 with the IP address or hostname of your Wazuh indexer node; you can find this value in the Filebeat configuration file /etc/filebeat/filebeat.yml.

Restart the Wazuh manager:

sudo systemctl restart wazuh-manager
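A small checker for the two settings just described, added here as an example (not part of Wazuh). It verifies that `<vulnerability-detection>` is enabled with a well-formed `feed-update-interval`, and that the `<indexer>` hosts no longer contain the 0.0.0.0 placeholder. The sample configuration is constructed in the shape of the snippet above; the assumption that the indexer block carries `<enabled>` and `<hosts><host>` children matches a default server ossec.conf. One practical caveat the example handles: ossec.conf holds several top-level `<ossec_config>` blocks, so it is not a single well-formed XML document and has to be wrapped in a synthetic root before parsing.

```python
"""Check the vulnerability-detection and indexer settings in ossec.conf.
Added example, not Wazuh code. Assumes the element layout quoted in the
article plus an <indexer> block with <enabled> and <hosts><host> entries."""
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling a default server ossec.conf. Real files contain
# several sibling <ossec_config> blocks, so they are parsed under a synthetic root.
SAMPLE_CONF = """
<ossec_config>
  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>
</ossec_config>

<ossec_config>
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://0.0.0.0:9200</host>
    </hosts>
  </indexer>
</ossec_config>
"""

# Interval values are a number followed by a unit suffix (s, m, h, d).
INTERVAL_RE = re.compile(r"^\d+[smhd]$")


def parse_ossec_conf(text: str) -> ET.Element:
    """Wrap the multi-root file in one element so ElementTree accepts it."""
    return ET.fromstring("<root>" + text + "</root>")


def check_vulnerability_detection(text: str) -> list:
    """Return a list of findings; an empty list means the settings look correct."""
    root = parse_ossec_conf(text)
    findings = []

    vd = root.find(".//vulnerability-detection")
    if vd is None:
        findings.append("vulnerability-detection block missing")
    else:
        if (vd.findtext("enabled") or "").strip() != "yes":
            findings.append("vulnerability-detection is not enabled")
        if (vd.findtext("index-status") or "").strip() != "yes":
            findings.append("index-status is not yes (results will not be indexed)")
        interval = (vd.findtext("feed-update-interval") or "").strip()
        if not INTERVAL_RE.match(interval):
            findings.append(f"feed-update-interval {interval!r} is not <number><s|m|h|d>")

    idx = root.find(".//indexer")
    if idx is None:
        findings.append("indexer block missing")
    else:
        if (idx.findtext("enabled") or "").strip() != "yes":
            findings.append("indexer connection is not enabled")
        hosts = [h.text.strip() for h in idx.iter("host") if h.text]
        if not hosts:
            findings.append("no indexer host configured")
        for h in hosts:
            if "0.0.0.0" in h:
                findings.append(f"indexer host {h} still uses the placeholder 0.0.0.0")
    return findings


def fixed_conf(text: str, indexer_host: str) -> str:
    """Replace the 0.0.0.0 placeholder with the real indexer address or hostname."""
    return text.replace("0.0.0.0", indexer_host)


if __name__ == "__main__":
    for finding in check_vulnerability_detection(SAMPLE_CONF):
        print("FINDING:", finding)
    # 192.0.2.10 is a documentation address standing in for the real indexer node
    print("after fix:", check_vulnerability_detection(fixed_conf(SAMPLE_CONF, "192.0.2.10")))
```

Run it against the real file with `check_vulnerability_detection(open("/var/ossec/etc/ossec.conf").read())` before restarting the manager; an empty result means the module and the indexer connection are configured as the article expects.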

To see a list of active vulnerabilities, go to Vulnerability Detection and select Inventory. You can add filters to search for vulnerabilities on endpoints.
