Skip to content

๐Ÿ“Š Section 8: Monitoring and Logging

๐ŸŽฏ Objective

This section guides you through configuring a secure, scalable monitoring and logging stack using Wazuh, Auditd, and optional remote logging. These components support key CMMC Level 2 controls across Audit and Accountability (AU) and Security Incident Response (IR/SI) domains.

๐Ÿงฉ Why Wazuh?

Wazuh is a powerful open-source Security Information and Event Management (SIEM) solution that offers:

  • Host-based intrusion detection (HIDS)
  • Centralized log collection and analysis
  • File integrity monitoring
  • Rootkit and malware detection
  • CMMC/NIST 800-171 rule packs

It serves as the primary audit log and incident detection platform in the OpenCMMC stack.

๐Ÿงช Deploying Wazuh with Podman

podman volume create wazuh_data

podman run -d --name wazuh \
  -p 55000:55000 \
  -v wazuh_data:/var/ossec/data \
  docker.io/wazuh/wazuh:4.6.0

Optional: expose the dashboard via reverse proxy (NGINX) on HTTPS port 443.

๐Ÿ“‹ Configure Auditd (Local Audit Logging)

Install and enable auditd:

sudo apt install auditd audispd-plugins
sudo systemctl enable auditd --now

Define critical rules in /etc/audit/rules.d/cmmc.rules:

-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k credentials
-w /var/log/ -p wa -k logfiles

Reload rules:

sudo augenrules --load

๐Ÿ” Secure Logging Best Practices

  • Enable log forwarding from auditd to rsyslog, and optionally to Wazuh
  • Use TLS for remote log transmission (if using an external SIEM)
  • Protect /var/log using strict permissions and AIDE
  • Retain logs for a minimum of 90 days, per NIST 800-171 guidance

๐Ÿ› ๏ธ Wazuh Agent Integration (Optional for Additional Hosts)

Install Wazuh agents on endpoints and configure secure connection to the Wazuh server using authd:

sudo /var/ossec/bin/agent-auth -m <wazuh_server_ip>

Use Wazuhโ€™s built-in compliance dashboard to validate:

  • Policy violations
  • Suspicious login activity
  • File integrity issues

๐Ÿ›ก๏ธ CMMC Practices Addressed

CMMC Practice Description
AU.2.042 Ensure audit records are reviewed and retained
AU.2.043 Provide audit record protection
AU.3.045 Review and analyze audit logs
SI.1.210 Identify and report anomalous events
IR.2.093 Detect and report incidents automatically

โœ… Next Step

With monitoring and auditing in place, the next phase is configuring your container environment using hardened Podman runtimes and secure systemd services in Section 9: Application Hosting.