Cloud Security Posture Management (CSPM) is important in ensuring the security and compliance of cloud environments. In cloud computing where organizations can quickly and easily provision, configure, and modify cloud resources, the potential for security misconfigurations increases. These security issues can arise due to mismanagement of permissions, gaps in network configurations, and various other factors.

Cloud Security Posture Management addresses this challenge by continuously monitoring and assessing cloud workloads to identify misconfigurations, vulnerabilities, and potential risks. It also provides remediation steps on how to rectify potential security risks, thereby enhancing the overall security posture of the cloud environment.

Wazuh is a free, open source, enterprise-grade security monitoring platform that provides comprehensive protection for cloud, on-premises, containerized, and virtualized environments. This blog post demonstrates how to use Wazuh to manage posture security on the Google Cloud Platform (GCP).

Infrastructure

The following components are the requirements for this demonstration.

• A pre-built, ready-to-use Wazuh OVA 4.5.1. Follow this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
• A GCP account with administrative privileges. We recommend using a test account that does not manage production workloads for this demonstration.

Integrating Wazuh with GCP

Wazuh integrates with GCP using the Google Cloud publisher and subscriber service (GCP Pub/Sub). Google Cloud Pub/Sub is a messaging service that helps you send and receive log data between applications. Wazuh provides an integration module for GCP that fetches logs from the Pub/Sub service.

Google Cloud Platform

Configuring the GCP account

We create a new GCP project and a service account that enables the Wazuh GCP module to pull log data from the Google Pub/Sub service. We then configure the Pub/Sub and the Sink services. The Sink service routes cloud security posture logs from the central GCP Cloud Logging service to the Pub/Sub service. 

Follow the steps below to perform the configuration.

1. Create a new GCP project. Take note of the project ID.

Where:

• Project name is the name given to the project name.
• Organization is the name of the GCP organization.

2. Go to the IAM and admin drop-down menu and select Service accounts to create a new service account. On the service accounts creation page, add the Pub/Sub Publisher and Pub/Sub Subscriber roles to the account.

Where:

• Service account name is the privileged account that Wazuh uses to connect to GCP.
• Roles are the rights given to the service account.

3. Open the newly created service account and create a private key in JSON format. Your browser automatically downloads the key. Wazuh uses the key to authenticate to your GCP project.

4. Search for Pub/Sub from the console search field at the top of the page and select it. Click on Create Topic. On the Create Topic page, input the Topic ID and ensure the Add a default subscription checkbox is selected. Then, click Create. Take note of the Subscription ID.

5. Search for Log Router in the GCP console and select it. Click on Create Sink. Name the sink and click Next. On the Sink destination service, select Cloud Pub/Sub topic. Next, select the topic name created above. Click Create Sink.

The Log Router and Sink services in a GCP project are responsible for log management and log destination routing respectively.

6. Configure continuous log export from the GCP Findings service to the GCP Pub/Sub service.

Wazuh server

Configure the Wazuh server to receive logs from GCP by performing the following steps.

Note: Run the commands with root permission.

1. Create a credentials.json file in the /var/ossec/wodles/gcloud/ directory:

# touch /var/ossec/wodles/gcloud/credentials.json

2. Update the /var/ossec/wodles/gcloud/credentials.json file with the contents of the private key JSON file downloaded earlier. The Wazuh GCP module uses the key file to authenticate your GCP account.

3. Append the following content to the /var/ossec/etc/ossec.conf configuration file. The configuration specifies how Wazuh connects to GCP using the project ID, GCP PubSub subscription ID, and a credential.

<ossec_config>
  <gcp-pubsub>
    <pull_on_start>yes</pull_on_start>
    <interval>5m</interval>
    <project_id><PROJECT_ID></project_id>
    <subscription_name><SUBSCRIPTION_ID></subscription_name>
     <credentials_file>/var/ossec/wodles/gcloud/credentials.json</credentials_file>
  </gcp-pubsub>
</ossec_config>

Replace the variables in the configuration with the appropriate values.

Where:

• <PROJECT_ID> is the ID of the project created above.
• <SUBSCRIPTION_NAME> is the subscription ID of your GCP Pub/Sub.

4. Create a rule file gcp_posture.xml in the /var/ossec/etc/rules/ directory and add the following custom rules to detect GCP posture findings:

<group name="gcp,">

  <!-- Misconfiguration detection -->
    <rule id="100200" level="10">
        <if_sid>65000</if_sid>
        <field name="gcp.finding.findingClass">MISCONFIGURATION</field>
        <description>A $(gcp.finding.findingClass) with $(gcp.finding.severity) severity has been discovered on the GCP project $(gcp.resource.projectDisplayName). $(gcp.finding.description)</description>
        <mitre>
          <id>T1562</id>
        </mitre>
    </rule>
    

  <!-- Threat detection -->
    <rule id="100201" level="10">
        <if_sid>65000</if_sid>
        <field name="gcp.finding.findingClass">THREAT</field>
        <description>A $(gcp.finding.findingClass) with $(gcp.finding.severity) severity has been discovered on the GCP project $(gcp.resource.projectDisplayName). $(gcp.finding.category).</description>
        <mitre>
          <id>T1562</id>
        </mitre>
    </rule>
   
</group>

Where:

• Rule ID 100200 is triggered when Wazuh detects a misconfiguration in a GCP account.
• Rule ID 100201 is triggered when GCP detects a threat.

5. Restart the Wazuh manager to apply the configuration:

# systemctl restart wazuh-manager

Cloud security posture management simulation

The Findings module is a GCP Security Command Centre service that records security misconfigurations across a GCP project. The simulation will produce sample misconfigurations that will be shipped to Wazuh. 

Network misconfigurations

Perform the following actions on the GCP console to simulate network misconfiguration.

1. Enable the Compute Engine API. This will enable the internal VPC firewall.

2. Create a firewall rule, “verybadrule” on the GCP network security to simulate multiple network misconfigurations. The firewall rule allows connections from all IP addresses and ports.

3. Delete the firewall rule “verybadrule” from the list of rules on GCP network security.

Identity and access management anomalous activity

1. Create a test Gmail email address if you don’t have one already.

2. Navigate to the IAM & Admin drop-down menu and select IAM. Click on Grant Access. On the Grant Access page, enter the test user Gmail address as a New principal. Next assign the role, Project > Owner and click Save.

Posture management result

Visualize the GCP posture management results by navigating to Modules > Security events. Filter for the rule IDs 100200 and 100201.

Conclusion

The integration of Wazuh with the Google Cloud Platform offers a centralized solution for managing cloud security posture. In this blog post, we show how to integrate GCP with Wazuh. We also simulate a possible network firewall rule misconfiguration.

Wazuh is a free and open source enterprise-ready security solution for threat detection, incident response, and compliance. You can integrate Wazuh with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.

References

1. Work with findings in the Google Cloud console

2. Using Wazuh to monitor GCP services