
SIEM

Policy Management

With Ali Ali


SIEM Training Course

Module      Description                                       Training Hrs.
Module 1    Introduction to SIEM                              Done
Module 2    Network Threats                                   Done
Module 3    SIEM Architecture                                 Done
Module 4    SIEM Deployment with all Components               Done
Module 5    Logs and Events                                   Done
Module 6    Event Collection and Event Correlation            Done
Module 7    Correlation Rules                                 Done
Module 8    Forensically Ready Data                           Done
Module 9    Intrusion Detection, Prevention, and Tolerance    Done
Module 10   Properties of a Robust SIEM                       Done
Module 11   Up and Running Wazuh SIEM                         Done
Module 12   Using Web Interface                               Done
Module 13   Configuring Sensor, Logger, and Server            Done
Module 14   Configuring Network Inventory                     Done
Module 15   Configuring Vulnerability Scanning                Done
Module 16   Configuring Signature Updates                     Done
Module 17   Policy Management                                 In Progress
Module 18   Configuring Tickets                               2
Module 19   Introduction to e-search                          2
Module 20   Overview of Machine Data                          2
Module 21   How SIEM Works with Machine Data                  2
Module 22   Developing, Building New Rules                    2
Module 23   Searching and Saving Results                      2
Module 24   Creating Reports and Visualizations               2
Module 25   Intrusion Detection with Suricata                 8
Module 26   Digging Deep with Reading Machine Data            16
Module 27   Expanding SIEM with New Assets                    12
Policy Management in SIEM

• Policy management in Security Information and Event Management (SIEM) refers to the
set of processes and rules that govern the collection, monitoring, and analysis of security-
related data from an organization’s IT infrastructure

• It involves defining the activities and logs that the SIEM software should monitor, and
using those policies to ensure compliance with external regulatory requirements

• This helps in determining the type of dashboard and reporting that the organization
requires for effective security management

• In essence, policy management in SIEM is about building a framework that allows for the
real-time monitoring and analysis of security events, ensuring that the organization’s
security posture is maintained and that any potential threats are identified and responded
to promptly

• It is a crucial aspect of SIEM that enables organizations to take a proactive approach to
security and compliance

 Governance refers to the overarching policies, processes, and rules that ensure the
effective and efficient management of an organization’s security operations

 It encompasses the strategies and practices that guide how security information is
collected, monitored, analyzed, and responded to, in alignment with the
organization’s security objectives and regulatory requirements

 Key aspects of governance in SIEM:

1. Policy Management: This involves defining and maintaining policies for security
monitoring. For example, a policy might specify that all failed login attempts to critical
systems must be logged and reviewed daily

2. Compliance Management: Ensuring that SIEM processes adhere to relevant laws,
regulations, and standards. For instance, a company might use SIEM to generate reports that
demonstrate compliance with GDPR or HIPAA

3. Incident Response: Establishing procedures for responding to security incidents detected
by the SIEM. An example would be an automated workflow that isolates a compromised
system from the network upon detection of suspicious activity

4. Threat Detection: Developing rules and analytics to identify potential security threats. For
example, SIEM might correlate multiple failed login attempts across different systems to
detect a possible brute force attack

5. User and Entity Behavior Analytics (UEBA): Implementing systems to detect anomalies
in user behavior that could indicate insider threats or compromised accounts. For example,
SIEM might flag an employee downloading large amounts of data at an unusual time as
suspicious

6. Log Management: Collecting and managing logs from various sources for security
analysis. An example is aggregating logs from firewalls, servers, and endpoints to identify
patterns indicative of a cyber attack

7. Security Event Management: Real-time monitoring and analysis of security events. For
example, SIEM might immediately alert the security team if it detects malware activity on the
network
Policy Management in WAZUH

 Policy management in Wazuh refers to the process of verifying that all systems conform
to a set of predefined rules regarding configuration settings and approved application
usage
 This is essential for maintaining the security and compliance of an organization’s IT
infrastructure

Wazuh uses three main components to perform policy management:


 Rootcheck: This component checks the system against a database of known
malicious rootkits and trojans to prevent or detect unauthorized access

 OpenSCAP: OpenSCAP is an open-source framework that provides a set of tools for
maintaining the security of systems via standards-compliant security content

 CIS-CAT: The CIS Configuration Assessment Tool (CIS-CAT) is an assessment tool for
establishing a system’s conformance to the benchmarks provided by the Center for
Internet Security (CIS)

 These components work together within Wazuh to ensure that security policies are
effectively monitored and enforced
Importance of Policy Management in SIEM

 Policy management is a critical component of Security Information and Event
Management (SIEM) systems. It plays a vital role in ensuring that security policies are
consistently applied across an organization’s network to protect against threats and
comply with regulatory requirements. Here’s why policy management is important in
SIEM:

1. Threat Detection and Response: SIEM systems aggregate and analyze security data from
across the network
• Policy management ensures that the SIEM system has a set of rules to identify what
constitutes normal and anomalous behavior
• This enables the SIEM to generate alerts for potential security incidents

2. Compliance and Auditing: Many organizations are subject to regulatory requirements
that dictate how security data should be handled
• Policy management within SIEM ensures that the organization can demonstrate that
required security controls and policies are in place and enforced

3. Efficiency and Automation: By managing policies effectively, SIEM systems can automate
many of the manual processes associated with threat detection and incident response
• This improves the efficiency of security operations and reduces the mean time to
detect (MTTD) and mean time to respond (MTTR) to incidents

4. Centralized Management: SIEM provides a central view of an organization’s security
posture
• Policy management contributes to this by ensuring that all security and event data is
analyzed in accordance with the organization’s security policies

5. Forensic Analysis: In the event of a security breach, policy management helps ensure that
the SIEM system has retained the necessary logs and event data to perform a forensic
investigation and understand the scope of the breach

6. Advanced Analytics: Modern SIEM systems use artificial intelligence and machine
learning to identify complex threats
• Policy management is essential for defining the parameters within which these
advanced analytics operate

For example,
• a SIEM system might use policy management to define a rule that any login attempt to a
high-value server from a foreign country outside of business hours should be flagged as a
potential threat
• The SIEM would then alert the security team, who could quickly investigate and respond
to the incident
Importance of Policy Management in WAZUH

• Wazuh uses components like Rootcheck, OpenSCAP, and CIS-CAT to ensure systems adhere to
policy requirements

For instance, to apply a policy for index lifecycle management in Wazuh, you would select
the index or indices to attach the policy to, then click Actions > Apply policy

After selecting the created policy from the Policy ID menu, you would click Apply to enforce
the policy

Index life management - Wazuh indexer · Wazuh documentation

Monitoring security policies - Capabilities · Wazuh documentation


Steps to configure devices and create security policies within Wazuh

 Configuring devices and creating security policies within Wazuh involves several
steps

 Configuring Devices like Mikrotik in Wazuh

To monitor network devices with Wazuh, you need to follow these steps:

1. Prerequisites
• Ensure you have a pre-built, ready-to-use Wazuh

• Install the Wazuh agent 4.7.2 on an Ubuntu 22.04 endpoint

2. Configure Rsyslog on Ubuntu Endpoint

• Edit the /etc/rsyslog.conf file to enable UDP port 514 for syslogs and define a location to
store security events

• Create a mikrotik.log file in /var/log to store syslog events

• Change the file ownership to syslog and group to adm

• Restart the rsyslog service



3. Configure Wazuh Agent

• Add the following configuration within the <ossec_config> block of the Wazuh agent’s
ossec.conf file:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mikrotik.log</location>
    <out_format>RouterOS7.1-logs: $(log)</out_format>
  </localfile>

 Creating Security Policies in Wazuh

For creating security policies, you can use Wazuh’s Security Configuration Assessment (SCA)
feature:

1. Define Policy File Sections

• Policy: Contains the policy ID, file, name, and description

• Requirements: Defines the prerequisites for the policy

• Variables: Sets variables used in checks

• Checks: Specifies the actual security checks to be performed


Configure Security Policies within Wazuh

In Wazuh, the policies for Security Configuration Assessment (SCA) are typically stored in
the /var/ossec/ruleset/sca directory on the Wazuh manager

You can place your custom SCA policy files in this directory. Here’s how you can manage
these files:

• Navigate to the SCA directory:
  cd /var/ossec/ruleset/sca

• Place your custom SCA policy file: You can create or copy your .yml policy file into this
directory

• Restart the Wazuh manager: After adding or modifying policy files, restart the Wazuh
manager to apply the changes
  systemctl restart wazuh-manager

• Verify the policy is loaded: You can check if your policy file is loaded correctly by looking
at the Wazuh manager logs or using the Wazuh API to list the loaded SCA policies
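A pre-deployment lint for a custom SCA policy file, added here as an illustration (it is not a Wazuh tool). It assumes the .yml file has already been loaded into a dict (for example with PyYAML's safe_load) and checks the structure this module describes: the required policy keys, a non-empty checks list with unique ids, a valid condition, a known rule-type prefix on every rule, single-key compliance entries, and that every $variable a rule references is declared under variables. The SSH_POLICY and BROKEN_POLICY dicts are constructed samples.

```python
import re

REQUIRED_POLICY_KEYS = ("id", "file", "name", "description")
REQUIRED_CHECK_KEYS = ("id", "title", "condition", "rules")
CONDITIONS = ("all", "any", "none")
# file, directory, process, command, registry, and the "not " rule-level negation
RULE_PREFIXES = ("f:", "d:", "p:", "c:", "r:", "not ")


def lint_policy(policy):
    """Return a list of problems found in a parsed SCA policy; [] means it is clean."""
    problems = []
    meta = policy.get("policy")
    if not isinstance(meta, dict):
        return ["policy: section missing"]
    problems += [f"policy: missing '{k}'" for k in REQUIRED_POLICY_KEYS if k not in meta]
    variables = policy.get("variables") or {}
    checks = policy.get("checks")
    if not isinstance(checks, list) or not checks:
        return problems + ["checks: section missing or empty"]
    seen = set()
    for check in checks:
        if not isinstance(check, dict):
            problems.append(f"checks: entry {check!r} is not a mapping")
            continue
        cid = check.get("id", "?")
        problems += [f"check {cid}: missing '{k}'" for k in REQUIRED_CHECK_KEYS if k not in check]
        if cid in seen:
            problems.append(f"check {cid}: duplicate id")
        seen.add(cid)
        if "condition" in check and check["condition"] not in CONDITIONS:
            problems.append(f"check {cid}: condition {check['condition']!r} not in {CONDITIONS}")
        for rule in check.get("rules") or []:
            if not isinstance(rule, str) or not rule.startswith(RULE_PREFIXES):
                problems.append(f"check {cid}: rule {rule!r} lacks a known type prefix")
                continue
            # every $name used in a rule must be declared under variables:
            for var in re.findall(r"\$\w+", rule):
                if var not in variables:
                    problems.append(f"check {cid}: undefined variable {var}")
        for entry in check.get("compliance") or []:
            if not (isinstance(entry, dict) and len(entry) == 1):
                problems.append(f"check {cid}: compliance entry {entry!r} is not a single-key mapping")
    return problems


# Constructed sample: the SSH hardening policy from this module, as a YAML parser loads it.
SSH_POLICY = {
    "policy": {"id": "unix_audit", "file": "sca_unix_audit.yml",
               "name": "System audit for Unix based systems",
               "description": "Guidance for establishing a secure configuration for Unix based systems."},
    "variables": {"$sshd_file": "/etc/ssh/sshd_config"},
    "checks": [{
        "id": 3000, "title": "SSH Hardening: Port should not be 22",
        "compliance": [{"pci_dss": ["2.2.4"]}, {"nist_800_53": ["CM.1"]}],
        "condition": "all",
        "rules": [r"f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22$"],
    }],
}

# Constructed broken copy: no description, no variables section, an invalid condition,
# a duplicate id, and a rule with no type prefix.
BROKEN_POLICY = {
    "policy": {"id": "bad", "file": "bad.yml", "name": "Bad"},
    "checks": [
        {"id": 1, "title": "a", "condition": "always", "rules": [r"f:$sshd_file -> r:Port"]},
        {"id": 1, "title": "b", "condition": "all", "rules": ["/etc/passwd -> r:root"]},
    ],
}

if __name__ == "__main__":
    print("SSH policy problems:", lint_policy(SSH_POLICY))      # []
    for problem in lint_policy(BROKEN_POLICY):
        print("BROKEN_POLICY:", problem)
```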
Policy checking for SSH hardening

# Security Configuration Assessment
# Audit for UNIX systems
policy:
  id: "unix_audit"
  file: "sca_unix_audit.yml"
  name: "System audit for Unix based systems"
  description: "Guidance for establishing a secure configuration for Unix based systems."
  references:
    - "https://www.ssh.com/ssh/"

variables:
  $sshd_file: /etc/ssh/sshd_config

checks:
  - id: 3000
    title: "SSH Hardening: Port should not be 22"
    description: "The ssh daemon should not be listening on port 22."
    rationale: "Changing the default port may reduce the number of successful attacks."
    remediation: "Change the Port option value in the sshd_config file."
    compliance:
      - pci_dss: ["2.2.4"]
      - nist_800_53: ["CM.1"]
    condition: all
    rules:
      - 'f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22$'

In this example, the policy checks whether the SSH port is set to a value other than the
default 22. The $sshd_file variable used in the rule is declared in the variables section
and resolves to /etc/ssh/sshd_config

3. Deploying the Policy

• Place the new policy file in the /var/ossec/etc/shared/default folder on the Wazuh server

• Change the ownership of the policy file to the appropriate user and group
Security Policies in Wazuh

 Security policies in Wazuh are a set of rules and checks designed to ensure that systems
are configured securely and in compliance with best practices or regulatory standards

• Security Configuration Assessment (SCA)

Wazuh’s SCA feature allows you to define and assess the security configuration of your
systems

It provides out-of-the-box checks for system hardening and supports custom policy creation

Example of an SCA Policy

Here’s an example of a Wazuh Security Configuration Assessment (SCA) policy that focuses
on ensuring secure configurations for the Nginx web server:

# Security Configuration Assessment
# NGINX Web Server Benchmark
policy:
  id: "nginx_audit"
  file: "nginx_audit.yml"
  name: "NGINX Web Server Benchmark"
  description: "This policy helps to improve the security of NGINX web servers running on Linux or UNIX-like operating systems."
  references:
    - "https://nginx.org/en/docs/"

checks:
  - id: 1001
    title: "Ensure NGINX is running"
    description: "Check if NGINX service is active and running."
    rationale: "NGINX should be running to serve web content securely."
    remediation: "Use systemctl to start NGINX if it is not running."
    compliance:
      - cis: "9.1.1"
    condition: any
    rules:
      - 'c:systemctl is-active nginx -> r:^active$'

  - id: 1002
    title: "Check for default NGINX page"
    description: "The default NGINX page should not be present."
    rationale: "The default page may contain information useful to attackers."
    remediation: "Replace the default index.html with a custom page."
    compliance:
      - cis: "9.1.2"
    condition: none
    rules:
      - 'f:/usr/share/nginx/html/index.html -> r:Welcome to nginx!'

  - id: 1003
    title: "Ensure NGINX version is hidden"
    description: "NGINX version should not be disclosed in error pages."
    rationale: "Revealing the version can expose the server to targeted attacks."
    remediation: "Set 'server_tokens off;' in the NGINX configuration."
    compliance:
      - cis: "9.1.3"
    condition: all
    rules:
      - 'f:/etc/nginx/nginx.conf -> !r:server_tokens\s+on;'

In this policy:
• Check 1001 ensures that the NGINX service is actively running on the system

• Check 1002 verifies that the default NGINX welcome page is not present, which could give
away information to potential attackers

• Check 1003 checks that the NGINX version number is not disclosed in error pages, which
is a common security measure to prevent targeted attacks

• Policy File Sections

When creating custom SCA policies, you need to consider the following sections:

 Policy: Contains the policy ID, file, name, and description

 Checks: Specifies the actual security checks to be performed, including the title,
description, rationale, remediation, compliance, condition, and rules

• Deploying the Policy

To deploy the policy, you would:

 Place the policy file in the /var/ossec/etc/shared/default directory on the Wazuh
manager

 Restart the Wazuh manager to apply the new policy



# Security Configuration Assessment
# Apache Web Server Benchmark
policy:
  id: "apache_audit"
  file: "apache_audit.yml"
  name: "Apache Web Server Benchmark"
  description: "This policy is designed to ensure the security of Apache web servers on Linux systems."
  references:
    - "https://httpd.apache.org/docs/"

checks:
  - id: 2001
    title: "Verify Apache is running with the correct user"
    description: "Check if Apache is running under the recommended 'www-data' user."
    rationale: "Running Apache as a non-root user minimizes the risk of privilege escalation."
    remediation: "Edit the 'User' directive in the Apache configuration file to 'www-data'."
    compliance:
      - cis: "2.2.4"
    condition: any
    rules:
      - 'c:ps -aux | grep httpd -> r:^www-data'

  - id: 2002
    title: "Ensure Apache server signature is off"
    description: "Apache should not reveal its version number and server operating system."
    rationale: "Hiding server information helps prevent targeted attacks."
    remediation: "Add 'ServerSignature Off' and 'ServerTokens Prod' to the Apache configuration."
    compliance:
      - cis: "2.2.15"
    condition: all
    rules:
      - 'f:/etc/httpd/conf/httpd.conf -> !r:ServerSignature\s+On'
      - 'f:/etc/httpd/conf/httpd.conf -> !r:ServerTokens\s+Full'

  - id: 2003
    title: "Check for Directory Listing"
    description: "Directory listing should be disabled on the server."
    rationale: "Preventing directory listing reduces information leakage."
    remediation: "Set 'Options -Indexes' in the Apache directory configuration."
    compliance:
      - cis: "2.2.8"
    # the rule matches the desired setting, so the check passes when it is found
    condition: all
    rules:
      - 'f:/etc/httpd/conf/httpd.conf -> r:Options\s+-Indexes'

  - id: 2004
    title: "Ensure use of latest Apache version"
    description: "Apache should be updated to the latest stable version."
    rationale: "Latest versions contain security patches and feature improvements."
    remediation: "Regularly check for updates and apply them."
    compliance:
      - cis: "2.2.1"
    condition: all
    rules:
      - 'c:httpd -v -> r:Apache/2.4.41'

  - id: 2005
    title: "Restrict access to Apache configuration files"
    description: "Access to Apache's main configuration files should be restricted."
    rationale: "Protecting configuration files prevents unauthorized changes."
    remediation: "Set proper permissions on the configuration files."
    compliance:
      - cis: "2.2.10"
    condition: all
    rules:
      - 'f:/etc/httpd/conf/httpd.conf -> p:600'
      - 'f:/etc/httpd/conf.d/* -> p:600'

f:/etc/httpd/conf/httpd.conf -> p:600

f: indicates that this rule applies to a file

/etc/httpd/conf/httpd.conf is the path to the main configuration file for the Apache HTTP
Server

-> is a separator that distinguishes the file path from the permissions

p:600 requires the permissions of this file to be 600. In Unix-like systems, 600 means that
the file is readable and writable by the owner, and not accessible by anyone else

f:/etc/httpd/conf.d/* -> p:600

f: again indicates a file rule

/etc/httpd/conf.d/* refers to all files within the conf.d directory of the Apache HTTP Server
configuration. The asterisk * is a wildcard that matches any file name

-> separates the file path from the permissions



p:600 requires the permissions of all matched files to be readable and writable by the owner
only, just like the first rule

These rules are likely part of a security policy to ensure that sensitive configuration files are
not exposed to unauthorized users

By setting the permissions to 600, the system is configured to prevent non-owners from
reading or modifying these critical configuration files, which helps maintain the integrity and
security of the web server

Keep in mind that the owner should be a user account specifically designated for managing
the web server to minimize the risk of accidental or malicious changes

In this policy:

1. Check 2001 verifies that Apache is running under the recommended non-root user,
typically ‘www-data’, to minimize security risks

2. Check 2002 ensures that the Apache server signature is turned off to prevent revealing
version numbers and server OS, which could aid an attacker

3. Check 2003 checks that directory listing is disabled, reducing the risk of attackers gaining
insights into the server’s directory structure

4. Check 2004 confirms that the Apache server is running the latest stable version, which
includes the most recent security patches

5. Check 2005 restricts access to Apache’s main configuration files to prevent unauthorized
modifications

Each check includes a title, description, rationale, remediation, compliance reference,
condition, and rules to validate the check

The rules use Wazuh’s rule syntax to check system configurations against the policy’s
requirements
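A small evaluator for the file (f:) and command (c:) rules used in the SSH, NGINX and Apache policies above, added here as an illustration of how condition and rules combine (it is not Wazuh's own code). It models a rule as matching when some line of its target satisfies every `&&` term, with `!r:` inverting a term, and then applies the check's condition (all, any, none) over the rule results; the FILES, COMMANDS and VARIABLES dicts are constructed stand-ins for the agent's filesystem and shell, and the *_RULE names are assumptions for this example.

```python
import re

# Constructed stand-ins for the agent's filesystem and command output; the
# evaluator never reads the host, so the sample runs anywhere.
FILES = {
    "/etc/ssh/sshd_config": "#Port 22\nPort 2200\nPermitRootLogin no\n",
    "/usr/share/nginx/html/index.html": "<h1>Welcome to nginx!</h1>\n",
    "/etc/nginx/nginx.conf": "server_tokens on;\nworker_processes 1;\n",
    "/etc/httpd/conf/httpd.conf": "ServerTokens Prod\n<Directory />\n    Options -Indexes\n</Directory>\n",
}
COMMANDS = {"systemctl is-active nginx": "active\n"}
VARIABLES = {"$sshd_file": "/etc/ssh/sshd_config"}   # the policy's variables: section

# Rules quoted from the policies in this module.
SSH_RULE = r"f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22$"
NGINX_DEFAULT_PAGE_RULE = r"f:/usr/share/nginx/html/index.html -> r:Welcome to nginx!"
NGINX_TOKENS_RULE = r"f:/etc/nginx/nginx.conf -> !r:server_tokens\s+on;"
APACHE_INDEXES_RULE = r"f:/etc/httpd/conf/httpd.conf -> r:Options\s+-Indexes"


def term_matches(term, line):
    """One 'r:<regex>' term against one line; a leading '!' inverts the result."""
    negate = term.startswith("!")
    pattern = term.lstrip("!")
    if not pattern.startswith("r:"):
        raise ValueError(f"unsupported term: {term!r}")
    return (re.search(pattern[2:], line) is not None) != negate


def rule_matches(rule, files=FILES, commands=COMMANDS, variables=VARIABLES):
    """A rule matches when at least one line of its target satisfies every term."""
    head, _, body = rule.partition("->")
    kind, _, target = head.strip().partition(":")
    for name, value in variables.items():          # expand $variables in the target
        target = target.replace(name, value)
    if kind == "f":
        content = files.get(target)
    elif kind == "c":
        content = commands.get(target)
    else:
        raise ValueError(f"unsupported rule type: {kind!r}")
    if content is None:                            # missing file: nothing can match
        return False
    terms = [t.strip() for t in body.split("&&")]
    return any(all(term_matches(t, line) for t in terms)
               for line in content.splitlines())


def evaluate_check(condition, rules, **env):
    """Apply the check's condition to its rule results; True means the check passed."""
    results = [rule_matches(r, **env) for r in rules]
    if condition == "all":
        return all(results)
    if condition == "any":
        return any(results)
    if condition == "none":
        return not any(results)
    raise ValueError(f"unknown condition: {condition!r}")


if __name__ == "__main__":
    print("3000 SSH port not 22:", evaluate_check("all", [SSH_RULE]))                        # True
    print("1002 default NGINX page absent:", evaluate_check("none", [NGINX_DEFAULT_PAGE_RULE]))  # False
    print("2003 Apache directory listing off:", evaluate_check("all", [APACHE_INDEXES_RULE]))   # True
```

Two caveats fall out of running it: the SSH regex `\s*\t*22$` also rejects any port that merely ends in 22 (2222 fails the check), and under this per-line model a lone `!r:` term such as check 1003's is satisfied by any line that lacks the string, so that check passes even with `server_tokens on;` present; the SSH rule avoids the second problem by anchoring with `!r:^# && r:Port`.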

• Monitoring Security Policies

Wazuh uses components like Rootcheck, OpenSCAP, and CIS-CAT to perform policy
monitoring. This process verifies that all systems conform to a set of predefined rules
regarding configuration settings and approved application usage

Example of Policy Monitoring

• An example of policy monitoring could be checking for unauthorized changes in critical
system files or ensuring that only approved applications are running on the system

• Regulatory Compliance

Wazuh helps in achieving compliance with industry standards and regulations by providing
necessary security controls like File Integrity Monitoring (FIM), SCA, vulnerability detection,
and more

By utilizing these features, you can create a robust security policy framework within
Wazuh to protect your systems and ensure they meet compliance requirements
Example of an SCA policy that checks for secure file permissions and ownership on a Linux system

# Security Configuration Assessment
# Linux File Permissions and Ownership Benchmark
policy:
  id: "linux_file_permissions"
  file: "linux_file_permissions.yml"
  name: "Linux File Permissions and Ownership Benchmark"
  description: "This policy ensures that critical files and directories have the correct permissions and ownership to prevent unauthorized access."
  references:
    - "https://www.linux.org/"

checks:
  - id: 2001
    title: "Ensure /etc/passwd has correct permissions"
    description: "The /etc/passwd file should have 644 permissions."
    rationale: "The /etc/passwd file contains user account information and should be readable by all users, but only writable by the root user."
    remediation: "Run 'chmod 644 /etc/passwd' to set correct permissions."
    compliance:
      - cis: "6.1.2"
    condition: all
    rules:
      - 'f:/etc/passwd -> p:^rw-r--r--$'

  - id: 2002
    title: "Check ownership of /etc/shadow"
    description: "The /etc/shadow file should be owned by root."
    rationale: "The /etc/shadow file contains sensitive user password information and should only be accessible by the root user."
    remediation: "Run 'chown root:root /etc/shadow' to set correct ownership."
    compliance:
      - cis: "6.1.3"
    condition: all
    rules:
      - 'f:/etc/shadow -> u:root && g:root'

  - id: 2003
    title: "Verify no world-writable files exist"
    description: "There should be no world-writable files on the system."
    rationale: "World-writable files can be modified by any user and pose a security risk."
    remediation: "Find and remove world-writable permissions from files."
    compliance:
      - cis: "6.1.10"
    condition: none
    rules:
      - 'd:/ -> !p:^.*w.*$'
In this policy:

• Check 2001 ensures that the /etc/passwd file has the correct permissions set, allowing
read access to all users but write access only to the root user

• Check 2002 verifies that the /etc/shadow file, which contains sensitive password
information, is owned by the root user to prevent unauthorized access

• Check 2003 checks for the absence of world-writable files on the system, which could
otherwise be modified by any user and potentially lead to security breaches
Example of (SCA) policy, System Authentication

• Checks for secure password policies and authentication mechanisms

checks:
  - id: 4001
    title: "Ensure password expiration is 90 days or less"
    description: "The password expiration must be set to 90 days or less."
    compliance:
      - cis: "5.4.1.1"
    condition: all
    rules:
      - 'c:chage --list $user -> r:Maximum number of days between password change: 90'
Example of (SCA) policy, User Accounts and Environment

• Verifies the security of user accounts, environment variables, and user profiles

checks:
  - id: 4002
    title: "Check for presence of user .netrc files"
    description: "User .netrc files should not exist as they may contain unencrypted passwords."
    compliance:
      - cis: "6.2.13"
    # the check passes only when no .netrc file is found
    condition: none
    rules:
      - 'd:/home -> f:.netrc'
Example of (SCA) policy, File and Directory Permissions

• Ensures that files and directories have appropriate permissions to prevent
unauthorized access

checks:
  - id: 4003
    title: "Verify /etc/shadow group ownership"
    description: "The /etc/shadow file should be owned by the 'shadow' group."
    compliance:
      - cis: "6.1.6"
    condition: all
    rules:
      - 'f:/etc/shadow -> g:shadow'
Example of (SCA) policy, Network Configuration

• Assesses the security of network settings and firewall configurations

checks:
  - id: 4004
    title: "Ensure no unowned files or directories exist"
    description: "All files and directories must have an owner."
    compliance:
      - cis: "9.1.9"
    condition: all
    rules:
      - 'd:/ -> !u:0'
Example of (SCA) policy, Application Configuration

• Checks application settings to ensure they are configured securely

checks:
  - id: 4005
    title: "Check for secure Apache server configuration"
    description: "Apache server must be configured with secure settings."
    compliance:
      - cis: "7.1.14"
    condition: all
    rules:
      - 'f:/etc/apache2/apache2.conf -> r:ServerTokens Prod'
Example of (SCA) policy, Logging and Auditing

• Verifies that logging and auditing configurations are set up correctly

checks:
  - id: 4006
    title: "Ensure audit log storage size is configured"
    description: "The audit log storage size must be configured to prevent log tampering."
    compliance:
      - cis: "4.1.1.3"
    condition: all
    rules:
      - 'f:/etc/audit/auditd.conf -> r:max_log_file ='
Example of (SCA) policy, Patch Management

• Ensures that systems are up-to-date with the latest security patches

checks:
  - id: 4007
    title: "Check if system is up-to-date with patches"
    description: "The system must be regularly updated with the latest patches."
    compliance:
      - cis: "1.8.1.4"
    condition: all
    rules:
      - 'c:yum check-update -> r:No packages marked for update'
Example of (SCA) policy, Cryptographic Practices

• Assesses the use of cryptographic standards within the system

checks:
  - id: 4008
    title: "Ensure strong ciphers are used for SSH"
    description: "SSH must be configured to use strong ciphers."
    compliance:
      - cis: "5.2.11"
    condition: all
    rules:
      - 'f:/etc/ssh/sshd_config -> r:Ciphers aes256-ctr,aes192-ctr,aes128-ctr'
Example of (SCA) policy, Service Management

• Checks for proper configuration and management of system services

checks:
  - id: 5001
    title: "Ensure unnecessary services are disabled"
    description: "Services that are not needed should be disabled to minimize the attack surface."
    compliance:
      - cis: "2.2.1"
    condition: all
    rules:
      - 'c:systemctl is-enabled <service_name> -> r:disabled'
Example of (SCA) policy, Environmental Controls

• Assesses the security of environmental variables and system paths

checks:
  - id: 5002
    title: "Check for secure PATH environment variable"
    description: "The PATH environment variable should not contain any writable directories."
    compliance:
      - cis: "9.2.6"
    condition: all
    rules:
      - 'c:echo $PATH -> r:^/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin$'
Example of (SCA) policy, Access Controls

• Verifies that access control policies are properly implemented

checks:
  - id: 5003
    title: "Ensure access to the su command is restricted"
    description: "Only authorized users should be able to switch to another user using the su command."
    compliance:
      - cis: "5.6"
    condition: all
    rules:
      - 'f:/etc/pam.d/su -> r:auth required pam_wheel.so use_uid'
Example of (SCA) policy, Data Protection

• Ensures that data protection mechanisms are in place, such as encryption and access
controls

checks:
  - id: 5004
    title: "Verify encryption is used for data at rest"
    description: "Sensitive data stored on disk should be encrypted to protect against unauthorized access."
    compliance:
      - cis: "18.9"
    condition: all
    rules:
      - 'c:lsblk -> r:type crypt'
Example of (SCA) policy, Intrusion Detection

• Checks for the presence and configuration of intrusion detection systems

checks:
  - id: 5005
    title: "Check for configured intrusion detection system"
    description: "An intrusion detection system (IDS) should be configured and running."
    compliance:
      - cis: "12.4"
    condition: all
    rules:
      - 'p:snort'
Example of (SCA) policy, Virtualization Security

• Assesses the security configurations of virtualized environments

checks:
  - id: 5006
    title: "Ensure virtual machines are isolated from the host"
    description: "Virtual machines should be configured to prevent unauthorized access to the host system."
    compliance:
      - cis: "7.7"
    condition: all
    rules:
      - 'c:virsh list --all -> r:isolated'
Example of (SCA) policy, Cloud Infrastructure

• Verifies the security of cloud infrastructure and services

checks:
  - id: 5007
    title: "Check security groups for open access"
    description: "Security groups should be configured to prevent open access from the internet."
    compliance:
      - cis: "4.3"
    # the rule matches an open (0.0.0.0/0) entry, so the check passes only when none is found
    condition: none
    rules:
      - 'c:aws ec2 describe-security-groups -> r:0.0.0.0/0'
It’s NOT BUSINESS, It’s Very PERSONAL
Questions

Ali Ali
