Wazuh and GDPR - Article Mapping and Data Monitoring

Wazuh supports the technical requirements of the European Union General Data Protection Regulation (GDPR) through file integrity monitoring, intrusion detection, log analysis, configuration assessment, and automated response. The default ruleset includes tags in the format gdpr_CHAPTER_Article.Paragraph, enabling mapping of security events to specific regulation articles.

GDPR Overview

GDPR (General Data Protection Regulation) took effect on 25 May 2018 and establishes requirements for the processing, storage, and protection of personal data belonging to European Union citizens. The regulation applies to any organization processing EU subject data, regardless of the organization’s location.

Wazuh addresses the technical GDPR requirements related to ensuring processing security, breach detection, and maintaining records of processing activities.

GDPR Article Mapping to Wazuh Modules

GDPR Article   | Description                                | Wazuh Module                   | Rule Group
Art. 5(1)(f)   | Data integrity and confidentiality         | FIM                            | gdpr_II_5.1.f
Art. 25        | Data protection by design and by default   | SCA, FIM                       | gdpr_IV_25.1
Art. 30        | Records of processing activities           | Log analysis                   | gdpr_IV_30.1.g
Art. 32(1)(b)  | Ensuring confidentiality and integrity     | FIM, log analysis              | gdpr_IV_32.1.b
Art. 32(1)(d)  | Testing and evaluating security measures   | SCA, Vulnerability Detector    | gdpr_IV_32.1.d
Art. 32(2)     | Risk assessment in processing              | Log analysis, threat detection | gdpr_IV_32.2
Art. 33(1)     | Supervisory authority breach notification  | Alerting, active response      | gdpr_IV_33.1
Art. 35(7)(d)  | Data protection impact assessment          | SCA, log analysis              | gdpr_IV_35.7.d

Article 5(1)(f) - Integrity and Confidentiality

Article 5(1)(f) requires that personal data be processed in a manner ensuring appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Integrity Monitoring with FIM

The FIM module maintains cryptographic checksums and file attributes, generating alerts on file creation, modification, or deletion.

Configure monitoring for directories containing personal data:

<syscheck>
  <directories check_all="yes" whodata="yes" report_changes="yes">/var/data/personal</directories>
  <directories check_all="yes" whodata="yes">/var/data/customers</directories>
</syscheck>

When changes are detected, alerts are generated with the gdpr_II_5.1.f tag:

  • Rule 550 - file integrity checksum changed
  • Rule 554 - new file added to a monitored directory

Example Alert

{
  "rule": {
    "id": "550",
    "level": 7,
    "description": "Integrity checksum changed.",
    "groups": ["ossec", "syscheck", "gdpr_II_5.1.f"]
  },
  "syscheck": {
    "path": "/var/data/personal/subjects.db",
    "changed_attributes": ["mtime", "md5", "sha1", "sha256"],
    "audit": {
      "user": { "name": "www-data" },
      "process": { "name": "python3" }
    }
  }
}

Article 25 - Data Protection by Design

Article 25 requires implementation of technical and organizational measures to ensure data protection principles are applied by design and by default.

Wazuh supports this requirement through:

  • SCA - system configuration verification against security standards
  • FIM - change control for application configuration files
  • Log analysis - monitoring access to data processing systems

Example SCA policy for verifying data protection settings:

checks:
  - id: 20001
    title: "Ensure database encryption is enabled"
    compliance:
      - gdpr: ["IV_25.1"]
    condition: all
    rules:
      - 'f:/etc/mysql/mysql.conf.d/mysqld.cnf -> r:^\s*require_secure_transport\s*=\s*ON'
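The check above is only as good as its rule expression, so it helps to try a policy against sample configuration text before deploying it. The following evaluator is an added example written for this page, not Wazuh's SCA engine: it parses rules of the form `f:<path> -> r:<regex>` (with an optional `not` prefix) and applies `condition: all|any|none`, taking file contents from a dict so the check runs offline. The two MySQL configuration snippets are constructed, and the regexes are evaluated with Python's re module as a case-insensitive approximation of the OSSEC regex dialect the real agent uses.

```python
"""Evaluator for SCA-style file checks, added for this page (not Wazuh's own SCA
engine). Rules look like 'f:<path> -> r:<regex>', optionally prefixed with 'not';
file contents come from a dict so a policy can be tried offline.
Assumption: regexes use Python's re module with IGNORECASE as an approximation
of the OSSEC regex dialect used by the agent."""
import re

# The check from the policy above
DB_ENCRYPTION_CHECK = {
    "id": 20001,
    "title": "Ensure database encryption is enabled",
    "condition": "all",
    "rules": [
        r"f:/etc/mysql/mysql.conf.d/mysqld.cnf -> r:^\s*require_secure_transport\s*=\s*ON",
    ],
}

# Constructed sample configurations: one hardened, one with the setting commented out
HARDENED_CNF = "[mysqld]\nrequire_secure_transport = ON\nbind-address = 127.0.0.1\n"
WEAK_CNF = "[mysqld]\n# require_secure_transport = ON\nbind-address = 0.0.0.0\n"


def parse_rule(rule):
    """Split 'not f:<path> -> r:<regex>' into (negated, path, compiled regex)."""
    negated = rule.startswith("not ")
    if negated:
        rule = rule[len("not "):]
    if not rule.startswith("f:"):
        raise ValueError(f"only file rules (f:) are supported here: {rule}")
    path, sep, pattern = rule[2:].partition(" -> ")
    if not sep or not pattern.startswith("r:"):
        raise ValueError(f"expected 'f:<path> -> r:<regex>': {rule}")
    return negated, path.strip(), re.compile(pattern[2:], re.IGNORECASE)


def eval_rule(rule, files):
    """True when the rule is satisfied. A missing file satisfies only a negated rule."""
    negated, path, regex = parse_rule(rule)
    content = files.get(path)
    matched = content is not None and any(regex.search(line) for line in content.splitlines())
    return matched != negated


def eval_check(check, files):
    """Apply the check's condition over its rules; returns 'passed' or 'failed'."""
    results = [eval_rule(r, files) for r in check["rules"]]
    condition = check.get("condition", "all")
    if condition == "all":
        passed = all(results)
    elif condition == "any":
        passed = any(results)
    elif condition == "none":
        passed = not any(results)
    else:
        raise ValueError(f"unknown condition: {condition}")
    return "passed" if passed else "failed"


def run_sample():
    """Evaluate the page's check against the constructed configurations."""
    cnf = "/etc/mysql/mysql.conf.d/mysqld.cnf"
    return {
        "hardened": eval_check(DB_ENCRYPTION_CHECK, {cnf: HARDENED_CNF}),
        "weak": eval_check(DB_ENCRYPTION_CHECK, {cnf: WEAK_CNF}),
        "missing_file": eval_check(DB_ENCRYPTION_CHECK, {}),
    }


if __name__ == "__main__":
    for name, result in run_sample().items():
        print(f"check {DB_ENCRYPTION_CHECK['id']} on {name} config: {result}")
```

The commented-out line in the weak configuration fails the check because the regex anchors on `^\s*`, and a missing file also fails, which is the behaviour you want for a control that must be present rather than merely not misconfigured.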

Article 30 - Records of Processing Activities

GDPR requires maintaining records of personal data processing activities. Wazuh supports this through centralized log collection and storage with archiving capabilities.

To ensure complete records, enable full log archiving:

<ossec_config>
  <global>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

This captures all events, including those that did not trigger any detection rules.

Article 32 - Security of Processing

32(1)(b) - Confidentiality and Integrity

Wazuh provides confidentiality and integrity monitoring for data processing systems through:

  • Tracking unauthorized access to files containing personal data
  • Monitoring privileged operations on database servers
  • Controlling changes to encryption system configurations

32(1)(d) - Testing Security Measures

For regular assessment of security measure effectiveness, use:

  • SCA - automated configuration verification
  • Vulnerability Detector - software vulnerability identification
  • Alert analysis - security rule trigger review

32(2) - Risk Assessment

Wazuh helps assess risks associated with personal data processing through:

  • Alert classification by severity level (0-15)
  • Mapping to MITRE ATT&CK tactics and techniques
  • Statistical analysis of security incidents

Article 33 - Data Breach Notification

GDPR requires notifying the supervisory authority of a data breach within 72 hours. Wazuh helps detect breaches and promptly notify responsible personnel.

Breach Alert Configuration

Create custom rules for detecting potential data breaches:

<group name="local,gdpr,">
  <rule id="100100" level="12">
    <if_sid>550</if_sid>
    <match>personal_data|customer_records|subjects</match>
    <description>Possible personal data breach: file modification detected in protected directory</description>
    <group>gdpr_IV_33.1,data_breach,</group>
  </rule>

  <!-- frequency and timeframe are rule attributes, and a correlated rule uses if_matched_sid -->
  <rule id="100101" level="14" frequency="5" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <description>Multiple personal data file modifications - potential data exfiltration</description>
    <group>gdpr_IV_33.1,data_breach,</group>
  </rule>
</group>
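To see how the two rules behave over time, here is a small simulation added for this page (it is not Wazuh's analysis engine): rule 100100 is modelled as "a rule 550 alert whose path matches the protected-data pattern", and rule 100101 as a sliding window that escalates once 100100 has matched 5 times within 300 seconds. The alert records and their timestamps (seconds on a simple clock) are constructed; real Wazuh matches `<match>` against the alert's full log text rather than the syscheck path field, and the window reset after escalation is a simplification.

```python
"""Simulation of the custom breach rules above over constructed syscheck alerts,
added for this page (not Wazuh's analysis engine). Timestamps are seconds on a
simple clock; alert records are constructed."""
import re
from collections import deque

# Same <match> alternatives and thresholds as the rules on the page
PROTECTED_RE = re.compile(r"personal_data|customer_records|subjects")
PARENT_SID = "550"   # integrity checksum changed
FREQUENCY = 5
TIMEFRAME = 300      # seconds


def matches_100100(alert):
    """Rule 100100: a 550 alert whose changed path matches the protected-data pattern."""
    return (alert["rule"]["id"] == PARENT_SID
            and PROTECTED_RE.search(alert["syscheck"]["path"]) is not None)


class BreachCorrelator:
    """Sliding-window counter standing in for <if_matched_sid> with frequency/timeframe."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.timeframe = timeframe
        self.recent = deque()  # timestamps of 100100 matches still inside the window

    def process(self, alert):
        """Return the id of the highest rule the alert triggers, or None."""
        if not matches_100100(alert):
            return None
        now = alert["timestamp"]
        self.recent.append(now)
        while self.recent and now - self.recent[0] > self.timeframe:
            self.recent.popleft()   # expire matches older than the timeframe
        if len(self.recent) >= self.frequency:
            self.recent.clear()     # simplification: restart the count after escalating
            return "100101"
        return "100100"


def make_alert(ts, path, rule_id="550"):
    """Minimal constructed alert with the fields the rules look at."""
    return {"timestamp": ts, "rule": {"id": rule_id}, "syscheck": {"path": path}}


# Constructed alert stream: four edits to protected files, then a fifth inside the
# 300 s window; a syslog change and a new-file (554) event do not count for 100100.
SAMPLE_ALERTS = [
    make_alert(0, "/var/data/personal/subjects.db"),
    make_alert(10, "/var/log/syslog"),
    make_alert(30, "/var/data/customers/customer_records.csv", rule_id="554"),
    make_alert(60, "/var/data/customers/customer_records.csv"),
    make_alert(120, "/var/data/personal/subjects.db"),
    make_alert(180, "/var/data/personal/personal_data_export.csv"),
    make_alert(240, "/var/data/personal/subjects.db"),
    make_alert(700, "/var/data/personal/subjects.db"),
]


def run_sample():
    """Feed the stream through one correlator; returns the rule fired per alert."""
    correlator = BreachCorrelator()
    return [correlator.process(a) for a in SAMPLE_ALERTS]


if __name__ == "__main__":
    for alert, fired in zip(SAMPLE_ALERTS, run_sample()):
        print(f"t={alert['timestamp']:>4}s {alert['syscheck']['path']:<45} -> {fired}")
```

The 554 event at t=30 shows a gap worth knowing about: because rule 100100 only inherits from 550, new files (554) and deletions (553) in the protected directories never count towards the escalation. If those matter for your breach definition, list them in the parent as `<if_sid>550,553,554</if_sid>`.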

Notification System Integration

Configure an integration (Slack in this example) so that responsible personnel are notified immediately when a potential breach is detected:

<integration>
  <name>slack</name>
  <level>12</level>
  <group>data_breach</group>
  <hook_url>https://hooks.slack.com/services/XXX/YYY/ZZZ</hook_url>
</integration>

Article 35 - Data Protection Impact Assessment (DPIA)

Wazuh supports DPIA by providing data on:

  • Types of processed security events
  • Frequency and nature of incidents
  • Effectiveness of existing controls

Data from the Wazuh Dashboard can serve as input for the impact assessment process.

Personal Data Access Monitoring

Wazuh enables personal data access tracking at multiple levels:

File Level

<syscheck>
  <directories check_all="yes" whodata="yes">/var/data/personal</directories>
  <directories check_all="yes" whodata="yes">/opt/app/uploads/documents</directories>
</syscheck>

Database Level

Monitor DBMS logs to track queries against tables containing personal data:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/mysql/audit.log</location>
</localfile>

Application Level

Collect logs from applications that process personal data:

<localfile>
  <log_format>json</log_format>
  <location>/var/log/app/access.log</location>
</localfile>

GDPR Rule Groups

Wazuh uses the format gdpr_CHAPTER_Article.Paragraph for rule tagging. Retrieve available tags:

docker exec wazuh-manager grep -r "gdpr_" /var/ossec/ruleset/rules/ | \
  grep -oP 'gdpr_[A-Z]+_[\d.a-z]+' | sort -u
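The grep pipeline above only lists tag strings. The following script, added for this page and not part of Wazuh, parses rule XML and builds the relation behind that list: which rule ids carry each GDPR tag, which tags do not follow the gdpr_CHAPTER_Article.Paragraph shape, and which of the key groups have no rule at all (the first troubleshooting check for "GDPR alerts not appearing"). The rule XML is constructed for the example: rules 550 and 554 with their gdpr_II_5.1.f tag follow the page, rule 100100 is the custom rule from the breach section, and rule 100200 is an invented malformed case.

```python
"""Build a GDPR tag -> rule id index from Wazuh rule XML. Added example for this
page, not Wazuh's own code. The rule XML below is constructed; 550/554 and their
tag follow the page, 100200 is an invented malformed case."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Tag shape the grep pipeline on the page looks for: gdpr_CHAPTER_Article.Paragraph
GDPR_TAG_RE = re.compile(r"^gdpr_[A-Z]+_[\d.a-z]+$")

# Key groups from the table on the page
KEY_GROUPS = [
    "gdpr_II_5.1.f", "gdpr_IV_25.1", "gdpr_IV_30.1.g", "gdpr_IV_32.1.b",
    "gdpr_IV_32.1.d", "gdpr_IV_32.2", "gdpr_IV_33.1", "gdpr_IV_35.7.d",
]

SAMPLE_RULES_XML = """
<group name="syscheck,">
  <rule id="550" level="7">
    <description>Integrity checksum changed.</description>
    <group>gdpr_II_5.1.f,</group>
  </rule>
  <rule id="554" level="5">
    <description>File added to the system.</description>
    <group>gdpr_II_5.1.f,</group>
  </rule>
</group>
<group name="local,">
  <rule id="100100" level="12">
    <if_sid>550</if_sid>
    <description>Possible personal data breach</description>
    <group>gdpr_IV_33.1,data_breach,</group>
  </rule>
  <rule id="100200" level="3">
    <description>Constructed rule with a malformed tag</description>
    <group>gdpr-IV-32.1,local,</group>
  </rule>
</group>
"""


def rule_tags(rule_el):
    """Tags are comma-separated inside <group>; Wazuh convention leaves a trailing comma."""
    tags = []
    for g in rule_el.findall("group"):
        tags.extend(t.strip() for t in (g.text or "").split(","))
    return [t for t in tags if t]


def gdpr_index(xml_text):
    """Return ({gdpr_tag: [rule ids]}, [(rule id, malformed tag)])."""
    # rule files hold several top-level <group> elements, so wrap them in one root
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    index = defaultdict(list)
    malformed = []
    for rule in root.iter("rule"):
        rid = rule.get("id")
        for tag in rule_tags(rule):
            if not tag.lower().startswith("gdpr"):
                continue
            if GDPR_TAG_RE.match(tag):
                index[tag].append(rid)
            else:
                malformed.append((rid, tag))
    return dict(index), malformed


def missing_key_groups(index):
    """Key groups with no rule at all: alerts for those articles can never appear."""
    return [g for g in KEY_GROUPS if g not in index]


if __name__ == "__main__":
    index, malformed = gdpr_index(SAMPLE_RULES_XML)
    for tag, ids in sorted(index.items()):
        print(f"{tag:<16} rules: {', '.join(ids)}")
    for rid, tag in malformed:
        print(f"rule {rid}: tag '{tag}' does not match gdpr_CHAPTER_Article.Paragraph")
    print("key groups without rules:", ", ".join(missing_key_groups(index)) or "none")
```

To run it against a manager, concatenate the contents of the XML files under /var/ossec/ruleset/rules/ and /var/ossec/etc/rules/ and pass the text to gdpr_index; the missing-key-groups list then tells you which articles in the dashboard can only ever show zero alerts.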

Key groups:

Group           | Article
gdpr_II_5.1.f   | Integrity and confidentiality
gdpr_IV_25.1    | Data protection by design
gdpr_IV_30.1.g  | Records of processing activities
gdpr_IV_32.1.b  | Confidentiality and integrity
gdpr_IV_32.1.d  | Testing security measures
gdpr_IV_32.2    | Risk assessment
gdpr_IV_33.1    | Breach notification
gdpr_IV_35.7.d  | Impact assessment (DPIA)

GDPR Dashboard Module

The Wazuh Dashboard includes a GDPR module under Modules > Regulatory compliance > GDPR. The module provides:

  • Alert overview by GDPR article
  • Alert grouping by chapter (II, III, IV)
  • Compliance event timeline
  • Per-agent detail views

Generating GDPR Reports

To query GDPR-related alerts via the Wazuh indexer API (port 9200), aggregating the last 30 days by article tag:

curl -sk -u admin:$WAZUH_ADMIN_PASS \
  "https://localhost:9200/wazuh-alerts-*/_search" \
  -H "Content-Type: application/json" \
  -d '{
    "size": 0,
    "query": {
      "bool": {
        "must": [
          { "range": { "timestamp": { "gte": "now-30d" } } },
          { "exists": { "field": "rule.gdpr" } }
        ]
      }
    },
    "aggs": {
      "gdpr_articles": {
        "terms": { "field": "rule.gdpr", "size": 50 }
      }
    }
  }' | jq '.aggregations.gdpr_articles.buckets'

Troubleshooting

GDPR alerts not appearing

  1. Verify that rules contain gdpr_ tags
  2. Confirm the GDPR module is enabled in the dashboard
  3. Check the time range filter

FIM not generating alerts for personal data files

  1. Confirm directory paths are correct in the <syscheck> configuration
  2. Verify the agent has read permissions on monitored directories
  3. When using whodata, confirm that auditd is installed and running

Breach alerts not being sent

  1. Review the integration configuration in ossec.conf
  2. Verify the rule level meets the integration threshold
  3. Test webhook URL accessibility