Wazuh for Compliance with NIST 800-53

Wazuh 3.10

NIST (National Institute of Standards and Technology) sets forth in their Special Publication 800-53 a full set of security controls to be followed by all U.S. federal information systems. The Security Control Catalog is organized into 17 families with more than 200 prioritized security controls in total.

Assessing and monitoring the implementation of all these controls in any information system can be extremely challenging for most organizations. Fortunately, Wazuh helps you comply with NIST 800-53 through a continuously updated ruleset: the alerts it generates are automatically classified by the security control they relate to, so violations of NIST controls are detected with much less effort. Wazuh handles other security standards, such as GDPR, PCI DSS or GPG13, in a similar manner.

Wazuh stands out as a powerful tool for system administrators who want to quickly visualize, analyze and understand the threats to, and weaknesses of, an information system, especially for the purpose of compliance. Introduced in version 3.10, the new dashboard designed specifically for NIST 800-53 makes this task easier. When an alert is generated, Wazuh tags it with the related security control, thanks to the enriched ruleset.

In addition, the SCA (Security Configuration Assessment) module has been improved, so that an administrator is always aware of bad configuration practices and the resulting impact on compliance.

Exploring the ruleset with Wazuh API

The ruleset constitutes a large expert knowledge base used by the Wazuh daemons to decide whether an event should generate a security alert. It is made up of logical rules which, in most cases, are linked to a specific security standard. As Wazuh grows in functionality and features, the rules become more complex. A great way to browse the ruleset, beyond querying the plain XML files in a terminal, is through the Wazuh API. For example, to list all the NIST 800-53 security controls that appear in the ruleset:

curl -u foo:bar 'https://localhost:55000/rules/nist-800-53?pretty'
{
   "error": 0,
   "data": {
      "items": [
         "AC.12",
         "AC.2",
         "AC.7",
         "AU.1",
         "AU.3.1",
         "AU.6",
         "AU.8",
         "AU.9",
         "CA.3",
         "CM.1",
         "CM.3",
         "IA.10",
         "IA.4",
         "IA.5",
         "MA.2",
         "SA.11",
         "SC.2",
         "SC.7",
         "SC.8",
         "SI.10",
         "SI.11",
         "SI.15",
         "SI.16",
         "SI.5",
         "SI.7"
      ],
      "totalItems": 25
   }
}

Let’s choose a security control and find out the related rules:

curl -u foo:bar 'https://localhost:55000/rules?nist-800-53=AC.7&pretty'
{
   "error": 0,
   "data": {
      "items": [
         {
            "file": "0580-win-security_rules.xml",
            "path": "ruleset/rules",
            "id": 60115,
            "description": "User account locked out (multiple login errors)",
            "level": 9,
            "status": "enabled",
            "groups": [
               "authentication_failures",
               "windows",
               "windows_security"
            ],
            "pci": [
               "8.1.6",
               "11.4"
            ],
            "gdpr": [
               "IV_35.7.d"
            ],
            "hipaa": [
               "164.312.a.1"
            ],
            "nist-800-53": [
               "AC.7",
               "SC.7"
            ],
            "gpg13": [
               "7.5"
            ],
            "details": {
               "if_sid": "60103",
               "win.system.eventID": "^644$|^4740$",
               "options": "no_full_log"
            }
         },
         {
            "file": "0580-win-security_rules.xml",
            "path": "ruleset/rules",
            "id": 60130,
            "description": "Logon Failure - Account locked out",
            "level": 7,
            "status": "enabled",
            "groups": [
               "win_authentication_failed",
               "windows",
               "windows_security"
            ],
            "pci": [
               "10.2.4",
               "10.2.5",
               "8.1.6"
            ],
            "gdpr": [
               "IV_35.7.d",
               "IV_32.2"
            ],
            "hipaa": [
               "164.312.b",
               "164.312.a.1"
            ],
            "nist-800-53": [
               "AU.3.1",
               "IA.10",
               "AC.7"
            ],
            "gpg13": [
               "7.5",
               "7.1"
            ],
            "details": {
               "if_sid": "60105",
               "win.system.eventID": "^539$",
               "options": "no_full_log"
            }
         },
         {
            "file": "0580-win-security_rules.xml",
            "path": "ruleset/rules",
            "id": 60133,
            "description": "User account unlocked",
            "level": 5,
            "status": "enabled",
            "groups": [
               "account_changed",
               "windows",
               "windows_security"
            ],
            "pci": [
               "10.2.5",
               "8.1.6"
            ],
            "gdpr": [
               "IV_32.2"
            ],
            "hipaa": [
               "164.312.b",
               "164.312.a.1"
            ],
            "nist-800-53": [
               "AU.3.1",
               "IA.10",
               "AC.7"
            ],
            "gpg13": [
               "7.10"
            ],
            "details": {
               "if_sid": "60103",
               "win.system.eventID": "^671$|^4767$",
               "options": "no_full_log"
            }
         }
      ],
      "totalItems": 3
   }
}

As you can see, it is quite simple and straightforward. If you would like to know all the parameters available to suit your needs, feel free to visit our API reference documentation.
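The two queries above can be chained into a small script that walks every NIST 800-53 control, fetches the rules behind it and checks that each returned rule really carries the tag it was filtered on. The following is an added example, not Wazuh's own code: it assumes the Wazuh 3.10 API endpoints shown above (GET /rules/nist-800-53 and GET /rules?nist-800-53=<control>) served over HTTPS on port 55000 with HTTP basic auth, and the placeholder credentials foo:bar from the curl commands. The embedded responses are constructed, abbreviated copies of the two responses shown in the post, so the parsing and checking logic runs offline; point build_report at api_get to run it against a live manager.

```python
"""Index Wazuh rules by NIST 800-53 control from Wazuh 3.x API responses (added example)."""
import base64
import json
import ssl
import urllib.request

# Constructed sample: a subset of the GET /rules/nist-800-53 response shown in the post.
SAMPLE_CONTROLS = {
    "error": 0,
    "data": {"items": ["AC.12", "AC.2", "AC.7", "AU.1", "AU.3.1", "AU.6"], "totalItems": 6},
}

# Constructed sample: the three AC.7 rules from the post, trimmed to the fields used here.
SAMPLE_RULES_AC7 = {
    "error": 0,
    "data": {
        "items": [
            {"id": 60115, "description": "User account locked out (multiple login errors)",
             "level": 9, "status": "enabled", "nist-800-53": ["AC.7", "SC.7"]},
            {"id": 60130, "description": "Logon Failure - Account locked out",
             "level": 7, "status": "enabled", "nist-800-53": ["AU.3.1", "IA.10", "AC.7"]},
            {"id": 60133, "description": "User account unlocked",
             "level": 5, "status": "enabled", "nist-800-53": ["AU.3.1", "IA.10", "AC.7"]},
        ],
        "totalItems": 3,
    },
}


def api_get(path, base_url="https://localhost:55000", user="foo", password="bar", verify_tls=True):
    """GET a Wazuh 3.x API path with HTTP basic auth and return the parsed JSON body.
    Assumed endpoint/port/credentials mirror the post; this is not exercised offline."""
    req = urllib.request.Request(base_url + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Only for a lab manager with a self-signed certificate; keep verification on elsewhere.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def _items(body):
    """Unwrap the Wazuh 3.x envelope {"error": 0, "data": {"items": [...]}} or fail loudly."""
    if body.get("error", 1) != 0:
        raise RuntimeError(f"Wazuh API error: {body.get('message', body)}")
    return body["data"]["items"]


def control_sort_key(control):
    """Natural order for control ids: AC.2 < AC.7 < AC.12 and AU.3.1 < AU.6
    (the API lists them lexicographically, which puts AC.12 before AC.2)."""
    family, *nums = control.split(".")
    return (family, tuple(int(n) for n in nums))


def list_controls(body):
    """Return the control ids from GET /rules/nist-800-53 in natural order."""
    return sorted(_items(body), key=control_sort_key)


def index_rules(control, body):
    """Return {rule_id: summary} for the rules GET /rules?nist-800-53=<control> returned.
    Every rule is checked to actually carry the requested tag; a mismatch would mean the
    API filter and the rule's own nist-800-53 list disagree and deserves a look."""
    index = {}
    for rule in _items(body):
        tags = rule.get("nist-800-53", [])
        if control not in tags:
            raise ValueError(f"rule {rule['id']} returned for {control} but tagged {tags}")
        index[rule["id"]] = {
            "description": rule["description"],
            "level": rule["level"],
            "enabled": rule["status"] == "enabled",
            "controls": sorted(tags, key=control_sort_key),
        }
    return index


def summarize(index):
    """Per-control figures: rules backing the control, how many are enabled, highest alert level."""
    return {
        "rules": len(index),
        "enabled": sum(1 for r in index.values() if r["enabled"]),
        "max_level": max((r["level"] for r in index.values()), default=0),
    }


def build_report(fetch):
    """fetch(path) -> body. Walk every control and summarize its rules; pass api_get for a live manager."""
    report = {}
    for control in list_controls(fetch("/rules/nist-800-53")):
        report[control] = summarize(index_rules(control, fetch(f"/rules?nist-800-53={control}")))
    return report


def offline_fetch(path):
    """Constructed stand-in for api_get: only AC.7 has rule data in the embedded samples."""
    if path == "/rules/nist-800-53":
        return SAMPLE_CONTROLS
    if path.endswith("=AC.7"):
        return SAMPLE_RULES_AC7
    return {"error": 0, "data": {"items": [], "totalItems": 0}}


if __name__ == "__main__":
    for control, s in build_report(offline_fetch).items():
        print(f"{control:<8} rules={s['rules']} enabled={s['enabled']} max_level={s['max_level']}")
```

A control that comes back with zero rules, or only disabled ones, is a useful signal on its own: the dashboard can only show what the ruleset tags, so such controls need evidence from elsewhere (SCA checks or additional custom rules) before they can be counted as monitored.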

Visualizing your compliance with NIST 800-53

Although the API allows querying your data easily, it is not the most efficient way to see 'the whole picture' of what is going on in your system. The Wazuh App is the best visualization tool for gaining insight into your data. Similar to the PCI DSS or GDPR mapping in previous versions of the app, a new dashboard is available to track security alerts and threats specifically for NIST 800-53 compliance. This screen is placed under the Overview tab and shows several interesting statistics, including the number of alerts over time and the distribution of alerts per agent.

Conclusion

Complying with a security standard is always a difficult task that demands a lot of human, technical and economic resources from companies, so any help is highly appreciated. Once more, Wazuh stands out as a useful open-source tool that simplifies a complex task and lets users watch and manage a system to meet NIST 800-53 requirements.

References

If you have any questions about this, don’t hesitate to check out our documentation to learn more about Wazuh or join our community where our team and contributors will help you.