Coverage Analysis - Phase 1

[Rebits]

Description

Wazuh-QA provides a great set of tests for many Wazuh modules. It is necessary to research and perform an analysis of coverage of this suite. After this process, we will know precisely the status of the quality assurance process in Wazuh, and it will help to aim for future developments.

Main objectives

Analyze test coverage of every Wazuh component.
Summarize main errors in test suites that may affect the quality assurance process.

General notes

• This issue is related to Coverage Analysis for 4.3

• This issue will analyze the test suite coverage in 4.3/master branch.

Coverage Analysis

Total

Capabilities	Covered	Key Capabality.
Active Response	✔️	Integration with Yara and VirusTotal
Agents connection service	❌	Centralized configuration management
Agent key polling	✔️
Agents Labels	✔️
Agents Anti-flooding system	❌
Agentless monitoring	❌
Agents Registration service (Authd)	✔️
Analysis engine (Analysisd)	✔️
Certificate Deployment	❌	wazuh-cert-tool
Cloud Security - Amazon AWS	❌	AWS CloudTrail Amazon VPC AWS Config Amazon ALB Amazon CLB AWS KMS Amazon Macie AWS Trusted Advisor Amazon GuardDuty Amazon WAF Amazon NLB Amazon Inspector Amazon NLB AWS CloudWatch Logs Cisco Umbrella
Cloud Security - Azure	❌	Azure Active Directory
Cloud Security - Google GCP	✔️
Cluster	✔️	Master node Worker node Configuration
Command Execution	❌	Bash Powershell
Command Monitoring	✔️
Compliance	❌	Using Wazuh for PCI DSS Using Wazuh for GDPR
Configuration assesment (SCA)	❌	Hardening checks CIS baselines
Configuration emails alerts	❌
Configure database output	❌	MySQL PostgreSQL
Containers Security	❌	Docker Kubernetes
Creation of Packages	❌
Deployment	❌	With Puppet With Ansible Virtual Machine
Elasticsearch tuning	❌	change user's password memory locking shards and replicas
FIM	✔️	Critical Files Audit Files
csyslogd	❌	Forwarding alerts through Syslog
fluentd	❌
Generating automatic reports	❌
Installation	❌	Unnatended Method Deployments (Puppet, Ansible, OVA) Types (Laptop - Desktop - Servers - Cloud instances - VMs) All platforms and version supported
Integration Daemon	❌
Integration with external APIs	❌	VirusTotal PagerDuty Slack
LogCollector	✔️	Log Messages Windows Events
Logtest	✔️	Test rules and decoders
Mitre ATT&CK	✔️
Osquery	❌
Regulatory Compliance	❌
Remoted	✔️
RESTful API	✔️
Rootkits Detection + CISC-SAT	❌
Rootkits Detection + OpenSCAP	❌
Rootkits Detection - Rootcheck	✔️
Rules and Decoders	❌	Custom Rules and Decoders CDB Lists Enhancing with MITRE
Setting Syslog output	❌	send alerts to syslog
Setting Database output	❌
Syscheck	✔️	whodata
System Inventory (syscollector)	❌
Tools	❌	agent-auth agent_control manage_agents wazuh-control wazuh-logtest clear-stats wazuh-regex verify-agent-conf agent_groups agent_upgrade cluster_control fim_migrate
Upgrade	✔️	Elasticsearch (Open Distro, Licence Basic) Manager Kibana Filebeat Wazuh agent All ways
Uninstall	❌	Elasticsearch (Open Distro, Licence Basic) Manager Kibana Filebeat Wazuh agent
Using Wazuh to monitor Office365	✔️
Using Wazuh to monitor Github	✔️
Vulnerability Detector	✔️
WazuhDB	✔️
Wazuh Cloud	❌

---

Total

Capabilities	Covered	Key Capabality.
Active Response	✔️	Integration with Yara and VirusTotal
Agent key polling	✔️
Agents Registration service (Authd)	✔️
Analysis engine (Analysisd)	✔️
Cloud Security - Google GCP	✔️
Cluster	✔️	Master node Worker node Configuration
Command Monitoring	✔️
FIM	✔️	Critical Files Audit Files
LogCollector	✔️	Log Messages Windows Events
Logtest	✔️	Test rules and decoders
Mitre ATT&CK	✔️
Remoted	✔️
RESTful API	✔️
Rootkits Detection - Rootcheck	✔️
Syscheck	✔️	whodata
Upgrade	✔️	Elasticsearch (Open Distro, Licence Basic) Manager Kibana Filebeat Wazuh agent All ways
Using Wazuh to monitor Office365	✔️
Using Wazuh to monitor Github	✔️
Vulnerability Detector	✔️
WazuhDB	✔️

---

Total

Capabilities	Covered	Key Capabality.
Agents connection service	❌	Centralized configuration management
Agents Anti-flooding system	❌
Agentless monitoring	❌
Certificate Deployment	❌	wazuh-cert-tool
Cloud Security - Amazon AWS	❌	AWS CloudTrail Amazon VPC AWS Config Amazon ALB Amazon CLB AWS KMS Amazon Macie AWS Trusted Advisor Amazon GuardDuty Amazon WAF Amazon NLB Amazon Inspector Amazon NLB AWS CloudWatch Logs Cisco Umbrella
Cloud Security - Azure	❌	Azure Active Directory
Command Execution	❌	Bash Powershell
Compliance	❌	Using Wazuh for PCI DSS Using Wazuh for GDPR
Configuration assesment (SCA)	❌	Hardening checks CIS baselines
Configuration emails alerts	❌
Configure database output	❌	MySQL PostgreSQL
Containers Security	❌	Docker Kubernetes
Creation of Packages	❌
Deployment	❌	With Puppet With Ansible Virtual Machine
Elasticsearch tuning	❌	change user's password memory locking shards and replicas
csyslogd	❌	Forwarding alerts through Syslog
fluentd	❌
Generating automatic reports	❌
Installation	❌	Unnatended Method Deployments (Puppet, Ansible, OVA) Types (Laptop - Desktop - Servers - Cloud instances - VMs) All platforms and version supported
Integration Daemon	❌
Integration with external APIs	❌	VirusTotal PagerDuty Slack
Osquery	❌
Regulatory Compliance	❌
Rootkits Detection + CISC-SAT	❌
Rootkits Detection + OpenSCAP	❌
Rules and Decoders	❌	Custom Rules and Decoders CDB Lists Enhancing with MITRE
Setting Syslog output	❌	send alerts to syslog
Setting Database output	❌
System Inventory (syscollector)	❌
Tools	❌	agent-auth agent_control manage_agents wazuh-control wazuh-logtest clear-stats wazuh-regex verify-agent-conf agent_groups agent_upgrade cluster_control fim_migrate
Uninstall	❌	Elasticsearch (Open Distro, Licence Basic) Manager Kibana Filebeat Wazuh agent
Wazuh Cloud	❌

[MizugorouZ]

Draft - 2021/09/03 (Antonio)

User Manual

Overview

• Wazuh server 🟢
  • Receiving logs and analyzing data
  • Trigger alerts, match rules
  • Register agents
  • Send data to Elastic Stack server
• Wazuh agent 🟢
  • Rootcheck
  • Log monitoring and analysis
  • Syscheck

Wazuh server administration

• Remote service 🟢
• Defining an alert level threshold
• Integration with external APIs: Slack/PagerDuty/VirusTotal/Custom
• Syslog output: Alerts sent to syslog
• Database output: Alerts into a DB
• Automatic reports
• Email alerts

Certificates deployment

• Script for certificates (bash ~/wazuh-cert-tool.sh)

Registering Wazuh agents

• Using simple registration service
• Using command line: Extract Registration key from manager/Inster key in agent
• Using the Wazuh API
• Using registration service with password authorization
• Using registration service with host verification

Agent management 🟢

• Agent life cycle: Register/Status/Remove
• Listing agents: Using the CLI/Wazuh API/Wazuh app
• Removing agents: Using the CLI/Wazuh API
• Checking connection with manager
• Grouping agents: Single group/Multiple groups (assign multiple groups, list groups, make changes on multiple groups, shared files)
• Remote upgrading
  • Upgrading agent: Using the command line/RESTful API
  • Agent upgrade module: Request/Result request
  • Adding a custom repository
  • Custom WPK packages creation
  • Installing WPK packages

Deploying a Wazuh cluster

• Single/Muli node cluster
• Threads: Keep alive/Agent info/Integrity
• Pointing agents: Load balancer/Failover mode
• Cluster management

Capabilities

• Log data collection 🟢
  • Log files, Remote syslog/Analysis/Alert
  • Windows logs
  • Configuration
• File integrity monitoring (FIM) 🟢
• Auditing who-data: Linux/Windows
• Anomaly and malware detection: Rootcheck 🟢
• Security Configuration Assessment (SCA)
• Monitoring security policies: Rootcheck/OpenSCAP/CIS-CAT integration
• Monitoring system calls
• Command monitoring
• Active response 🟢
• Agentless monitoring
• Anti-flooding mechanism
• Agent labels
• System inventory
• Vulnerability detection 🟢f
• VirusTotal integration
• Osquery
• Agent key polling
• Fluentd forwarder
• Wazuh-Logtest 🟢

Ruleset

• Custom rules and decoders
• Dynamic fields
• CDB lists
• Enhancing with MITRE

RESTful API 🟢

• API

Wazuh Kibana plugin

• Wazuh Kibana plugin

Elasticsearch tuning

• Change users' password
• Memory locking
• Shards and replicas

Uninstall Wazuh

• OpenDistro for Elasticsearch/Elastic stack