# Wazuh and NIST 800-53 - Security Control Mapping

Wazuh supports the NIST SP 800-53 Revision 5 security and privacy controls catalog through log analysis, file integrity monitoring, configuration assessment, vulnerability detection, threat detection, and active response. The default ruleset includes `nist_800_53_XX.Y` tags mapping events to specific controls.
## NIST 800-53 Overview
NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) is a catalog of security and privacy controls developed by the National Institute of Standards and Technology. Revision 5 contains over 1,000 controls organized into 20 families.
Wazuh covers seven key control families related to technical monitoring and threat detection.
## Control Family Mapping to Wazuh Modules

| Family | Identifier | Description | Primary Wazuh Modules |
|---|---|---|---|
| Access Control | AC | Access to systems and data | Log analysis, SCA |
| Audit and Accountability | AU | Event auditing and accountability | Log analysis |
| Configuration Management | CM | System configuration management | SCA, FIM |
| Identification and Authentication | IA | User identification and authentication | Authentication log analysis |
| Incident Response | IR | Security incident handling | Active response, alerting |
| System and Communications Protection | SC | System and communication protection | SCA, log analysis |
| System and Information Integrity | SI | System and information integrity | FIM, Vulnerability Detector |
## AC - Access Control

### AC-2: Account Management
Wazuh tracks account creation, modification, and deletion through authentication log analysis:
```xml
<rule id="5901" level="8">
  <if_sid>5900</if_sid>
  <match>new user</match>
  <description>New user added to the system</description>
  <group>nist_800_53_AC.2,nist_800_53_AC.7,account_changed,</group>
</rule>
```

### AC-6: Least Privilege
Monitoring root/admin privilege usage:
```xml
<rule id="100300" level="8">
  <if_sid>5715</if_sid>
  <user>root</user>
  <description>Direct root login detected - potential AC-6 violation</description>
  <group>nist_800_53_AC.6,nist_800_53_AC.2,authentication_success,</group>
</rule>
```

### AC-7: Unsuccessful Logon Attempts
Wazuh detects brute-force attacks through correlation rules:
```xml
<rule id="5712" level="10" frequency="6" timeframe="120">
  <if_matched_sid>5710</if_matched_sid>
  <description>sshd: brute force trying to get access to the system</description>
  <group>nist_800_53_AC.7,nist_800_53_SI.4,authentication_failures,</group>
</rule>
```

## AU - Audit and Accountability
### AU-2: Event Logging
Wazuh defines auditable events through the default ruleset. Each rule classifies the event type and associates it with applicable standard requirements.
### AU-3: Content of Audit Records
Every Wazuh alert includes:
- User identification
- Event type
- Date and time
- Event source
- Outcome (success/failure)
- Affected resource identity
### AU-6: Audit Record Review and Analysis
The Wazuh Dashboard provides audit record review tools with:
- Filtering by event type, level, and agent
- Time-series distribution graphs
- Grouping by NIST control families
### AU-8: Time Stamps
Wazuh uses synchronized timestamps for all events. Configure NTP on all agents; the following SCA check verifies that the `chronyd` process is running:
```yaml
checks:
  - id: 40001
    title: "Ensure NTP is configured"
    compliance:
      - nist_800_53: ["AU.8"]
    condition: all
    rules:
      - 'p:chronyd'
```

### AU-12: Audit Record Generation
Wazuh generates audit records for all detected security events. For comprehensive auditing, enable log archiving:
```xml
<ossec_config>
  <global>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
```

## CM - Configuration Management

### CM-2: Baseline Configuration
SCA defines and verifies system baseline configurations. CIS Benchmark policies serve as secure configuration baselines.
### CM-3: Configuration Change Control
FIM tracks changes to configuration files:
```xml
<syscheck>
  <directories check_all="yes" whodata="yes" report_changes="yes">/etc</directories>
  <directories check_all="yes" realtime="yes">/usr/local/etc</directories>
</syscheck>
```

### CM-6: Configuration Settings
Configuration verification through SCA:
```yaml
checks:
  - id: 40010
    title: "Ensure SSH root login is disabled"
    compliance:
      - nist_800_53: ["CM.6"]
      - cis: ["5.2.10"]
    condition: all
    rules:
      - 'f:/etc/ssh/sshd_config -> r:^\s*PermitRootLogin\s+no'
```

### CM-8: System Component Inventory
The system inventory module maintains records of installed software, open ports, network interfaces, and hardware specifications.
## IA - Identification and Authentication

### IA-2: Identification and Authentication (Users)
Wazuh monitors all authentication events on managed systems:
```xml
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/auth.log</location>
</localfile>
```

### IA-5: Authenticator Management
Password policy verification through SCA:
```yaml
checks:
  - id: 40020
    title: "Ensure password minimum length is configured"
    compliance:
      - nist_800_53: ["IA.5"]
    condition: all
    rules:
      # Numeric comparisons use the n: directive with a capture group
      # followed by compare; a plain r: regex cannot compare values.
      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s*=\s*(\d+) compare >= 14'
```

## IR - Incident Response

### IR-4: Incident Handling
Wazuh supports incident detection and handling through:
- Detection rules with severity classification (levels 0-15)
- MITRE ATT&CK tactic mapping
- Active response for automated blocking
```xml
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>10</level>
  <timeout>3600</timeout>
</active-response>
```

### IR-5: Incident Monitoring
The Wazuh Dashboard visualizes incidents with filtering by:
- Severity level
- MITRE ATT&CK tactics
- Agents and groups
- NIST control families
### IR-6: Incident Reporting
Integration with external notification systems:
```xml
<integration>
  <name>slack</name>
  <level>10</level>
  <hook_url>https://hooks.slack.com/services/XXX/YYY/ZZZ</hook_url>
  <!-- The Slack integration requires alerts to be passed as JSON -->
  <alert_format>json</alert_format>
</integration>
```

## SC - System and Communications Protection

### SC-7: Boundary Protection
Wazuh analyzes firewall and IDS/IPS logs for network boundary monitoring:
```xml
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/firewall.log</location>
</localfile>
```

### SC-8: Transmission Confidentiality and Integrity
Encryption configuration verification through SCA:
```yaml
checks:
  - id: 40030
    title: "Ensure TLS 1.2 minimum is enforced"
    compliance:
      - nist_800_53: ["SC.8"]
    condition: all
    rules:
      - 'f:/etc/ssl/openssl.cnf -> r:^\s*MinProtocol\s*=\s*(TLSv1\.2|TLSv1\.3)'
```

## SI - System and Information Integrity

### SI-2: Flaw Remediation
The Vulnerability Detector identifies software vulnerabilities and provides remediation guidance:
```xml
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>12h</interval>
  <run_on_start>yes</run_on_start>
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
```

### SI-3: Malicious Code Protection
The rootcheck and YARA modules detect malware on monitored systems.
### SI-4: System Monitoring
Wazuh provides continuous monitoring through:
- Real-time log analysis
- File integrity monitoring
- Anomaly detection
- Event correlation
### SI-7: Software, Firmware, and Information Integrity
FIM monitors file integrity including executables, libraries, and configurations:
```xml
<syscheck>
  <directories check_all="yes" realtime="yes">/usr/bin</directories>
  <directories check_all="yes" realtime="yes">/usr/sbin</directories>
  <directories check_all="yes" realtime="yes">/usr/lib</directories>
</syscheck>
```

## Continuous Monitoring
NIST SP 800-137 defines continuous monitoring requirements. Wazuh delivers continuous monitoring through:
- Agents - persistent data collection from managed systems
- Detection rules - real-time event analysis
- Dashboard - security posture visualization
- Alerts - immediate notification of violations
## Assessment Automation
Wazuh automates NIST 800-53 compliance assessment through:
- SCA - scheduled configuration verification
- Vulnerability Detector - periodic vulnerability scanning
- FIM - continuous integrity monitoring
- Detection rules - automatic event classification
## NIST 800-53 Rule Groups
Wazuh uses the `nist_800_53_XX.Y` format for rule tagging. Retrieve the available tags from the manager's ruleset:
```bash
docker exec wazuh-manager grep -r "nist_800_53_" /var/ossec/ruleset/rules/ | \
  grep -oP 'nist_800_53_[A-Z]+\.\d+' | sort -u
```

Key groups:
| Group | Control |
|---|---|
| nist_800_53_AC.2 | Account management |
| nist_800_53_AC.6 | Least privilege |
| nist_800_53_AC.7 | Unsuccessful logon attempts |
| nist_800_53_AU.6 | Audit record review |
| nist_800_53_AU.8 | Time stamps |
| nist_800_53_AU.12 | Audit record generation |
| nist_800_53_AU.14 | Session audit and review |
| nist_800_53_CM.3 | Configuration change control |
| nist_800_53_CM.6 | Configuration settings |
| nist_800_53_IA.2 | User identification |
| nist_800_53_IA.5 | Authenticator management |
| nist_800_53_IR.4 | Incident handling |
| nist_800_53_SC.7 | Boundary protection |
| nist_800_53_SI.2 | Flaw remediation |
| nist_800_53_SI.4 | System monitoring |
| nist_800_53_SI.7 | Software integrity |
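The shell pipeline above only lists tag names. The following added example (not part of the Wazuh project) parses the rule XML itself, so each control can be traced back to the rule IDs that emit it, and it flags tags that do not follow the `XX.Y` format and therefore never reach the dashboard. The embedded rules file is constructed from rules shown on this page plus one deliberately malformed tag; `coverage_from_dir` applies the same logic to a real rules directory and assumes the files parse as XML once wrapped in a single root.

```python
"""Map Wazuh rules to NIST 800-53 controls by parsing the ruleset XML.

Added example, not part of the Wazuh project. A Wazuh rules file holds several
top-level <group> elements, so it is not one well-formed XML document; the text
is wrapped in a synthetic root before parsing. Rules inherit the groups named in
their enclosing <group name="..."> element in addition to their own <group>.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

# Tag format of the default ruleset: nist_800_53_<FAMILY>.<NUMBER>
# (Rev 5 family identifiers are two upper-case letters, e.g. AC, AU, SI).
NIST_TAG_RE = re.compile(r"^nist_800_53_([A-Z]{2})\.(\d+)$")

# Constructed sample in the layout of a rules file: two root <group> elements,
# rules from this page, and one deliberately malformed tag (lower case, no dot).
SAMPLE_RULES_XML = """
<group name="syslog,sshd,">
  <rule id="5712" level="10" frequency="6" timeframe="120">
    <if_matched_sid>5710</if_matched_sid>
    <description>sshd: brute force trying to get access to the system</description>
    <group>nist_800_53_AC.7,nist_800_53_SI.4,authentication_failures,</group>
  </rule>
</group>
<group name="local,">
  <rule id="100300" level="8">
    <if_sid>5715</if_sid>
    <user>root</user>
    <description>Direct root login detected - potential AC-6 violation</description>
    <group>nist_800_53_AC.6,nist_800_53_AC.2,authentication_success,</group>
  </rule>
  <rule id="100301" level="5">
    <if_sid>5715</if_sid>
    <description>Rule carrying a badly formed compliance tag</description>
    <group>nist_800_53_ac6,authentication_success,</group>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Yield (rule_id, level, groups) for each rule in one or more rules files."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    for grp in root.findall("group"):
        inherited = [g.strip() for g in grp.get("name", "").split(",") if g.strip()]
        for rule in grp.findall("rule"):
            own_text = rule.findtext("group", default="")
            own = [g.strip() for g in own_text.split(",") if g.strip()]
            yield rule.get("id"), int(rule.get("level", "0")), inherited + own


def nist_coverage(xml_text):
    """Return (control -> rule ids, family -> controls, malformed tags)."""
    by_control = defaultdict(list)
    by_family = defaultdict(set)
    malformed = []
    for rule_id, _level, groups in parse_rules(xml_text):
        for tag in groups:
            if not tag.startswith("nist_800_53_"):
                continue
            m = NIST_TAG_RE.match(tag)
            if m is None:
                # Never becomes a rule.nist_800_53 value, so never shows in the module
                malformed.append((rule_id, tag))
                continue
            control = f"{m.group(1)}.{m.group(2)}"
            by_control[control].append(rule_id)
            by_family[m.group(1)].add(control)
    families = {f: sorted(c, key=lambda x: int(x.split(".")[1])) for f, c in by_family.items()}
    return dict(by_control), families, malformed


def coverage_from_dir(rules_dir):
    """Run nist_coverage over every *.xml file in a rules directory
    (for example /var/ossec/ruleset/rules on a manager); files are concatenated."""
    text = "".join(p.read_text(encoding="utf-8") for p in sorted(Path(rules_dir).glob("*.xml")))
    return nist_coverage(text)


if __name__ == "__main__":
    controls, families, bad = nist_coverage(SAMPLE_RULES_XML)
    for control in sorted(controls):
        print(f"{control:7} rules: {', '.join(controls[control])}")
    print("families:", families)
    print("malformed tags:", bad)
```

Point `coverage_from_dir` at a copy of the manager's rules directory (and at `/var/ossec/etc/rules` for local rules) to see which controls in the table above actually have rules behind them in a given deployment.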
## NIST 800-53 Dashboard Module
The Wazuh Dashboard includes a NIST 800-53 module under Modules > Regulatory compliance > NIST 800-53. The module provides:
- Alert overview by control family
- Grouping by control identifier
- Compliance event timeline
- Per-agent detail views
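As an added example (not Wazuh code), the script below reproduces the module's grouping offline from the JSON lines the manager writes to `alerts.json`, using a constructed set of alerts and a fixed reference time. It yields the same per-control counts that the indexer aggregation in the Generating Reports section returns, which is useful for checking that the dashboard figures match the raw alert stream, and additionally reports per-family totals, the agents involved and the highest level seen per control.

```python
"""Offline aggregation of Wazuh alerts by NIST 800-53 control and family.

Added example, not Wazuh code. Input is the JSON-lines layout of
/var/ossec/logs/alerts/alerts.json reduced to the fields used here; the
sample alerts are constructed.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Timestamp format written by the Wazuh manager, e.g. 2024-06-10T08:15:42.123+0000
WAZUH_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed alerts. rule.nist_800_53 is the array the ruleset derives from the
# nist_800_53_XX.Y group tags. The fourth alert is older than the 30-day window
# and the last one carries no NIST tags at all.
SAMPLE_ALERTS = [json.dumps(a) for a in [
    {"timestamp": "2024-06-10T08:15:42.123+0000", "agent": {"id": "001", "name": "web-01"},
     "rule": {"id": "5712", "level": 10, "nist_800_53": ["AC.7", "SI.4"],
              "description": "sshd: brute force trying to get access to the system"}},
    {"timestamp": "2024-06-11T22:03:09.417+0000", "agent": {"id": "002", "name": "db-01"},
     "rule": {"id": "100300", "level": 8, "nist_800_53": ["AC.6", "AC.2"],
              "description": "Direct root login detected - potential AC-6 violation"}},
    {"timestamp": "2024-06-12T06:40:00.002+0000", "agent": {"id": "001", "name": "web-01"},
     "rule": {"id": "5901", "level": 8, "nist_800_53": ["AC.2", "AC.7"],
              "description": "New user added to the system"}},
    {"timestamp": "2024-04-01T12:00:00.000+0000", "agent": {"id": "001", "name": "web-01"},
     "rule": {"id": "5712", "level": 10, "nist_800_53": ["AC.7", "SI.4"],
              "description": "sshd: brute force trying to get access to the system"}},
    {"timestamp": "2024-06-12T07:00:00.000+0000", "agent": {"id": "001", "name": "web-01"},
     "rule": {"id": "1002", "level": 2, "description": "Unknown problem somewhere in the system."}},
]]
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)  # fixed reference time, so output is reproducible


def parse_alert(line):
    """Extract the fields the compliance module groups on from one alert line."""
    alert = json.loads(line)
    return {
        "time": datetime.strptime(alert["timestamp"], WAZUH_TS_FORMAT),
        "agent": alert["agent"]["name"],
        "rule_id": alert["rule"]["id"],
        "level": alert["rule"]["level"],
        # Absent when the firing rule carries no nist_800_53_ group tag
        "controls": alert["rule"].get("nist_800_53", []),
    }


def aggregate(lines, now=NOW, window=timedelta(days=30)):
    """Count alerts per control and family inside the time window (like the
    range + exists + terms query against the indexer), plus agents and max level."""
    cutoff = now - window
    by_control, by_family = Counter(), Counter()
    agents = defaultdict(set)
    max_level = {}
    in_window = untagged = 0
    for line in lines:
        if not line.strip():
            continue
        a = parse_alert(line)
        if a["time"] < cutoff:
            continue
        in_window += 1
        if not a["controls"]:
            untagged += 1  # invisible to the module: no rule.nist_800_53 field
            continue
        for control in a["controls"]:
            by_control[control] += 1
            by_family[control.split(".", 1)[0]] += 1
            agents[control].add(a["agent"])
            max_level[control] = max(max_level.get(control, 0), a["level"])
    return {
        "in_window": in_window, "untagged": untagged,
        "by_control": dict(by_control), "by_family": dict(by_family),
        "agents": {c: sorted(s) for c, s in agents.items()},
        "max_level": max_level,
    }


def ranked(counts):
    """Order like an OpenSearch terms aggregation: count descending, then key."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    summary = aggregate(SAMPLE_ALERTS)
    print("alerts in window:", summary["in_window"], "untagged:", summary["untagged"])
    for control, count in ranked(summary["by_control"]):
        print(f"{control:6} {count:3}  max level {summary['max_level'][control]:2}  "
              f"agents {', '.join(summary['agents'][control])}")
    print("by family:", ranked(summary["by_family"]))
```

Note that one alert can contribute to several controls (and therefore to a family total more than once), which is also how the indexer's `terms` aggregation over the `rule.nist_800_53` array behaves.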
## Generating Reports
To query NIST 800-53 alerts directly from the Wazuh indexer (the `wazuh-alerts-*` indices on port 9200) and aggregate them by control:
```bash
curl -sk -u admin:$WAZUH_ADMIN_PASS \
  "https://localhost:9200/wazuh-alerts-*/_search" \
  -H "Content-Type: application/json" \
  -d '{
    "size": 0,
    "query": {
      "bool": {
        "must": [
          { "range": { "timestamp": { "gte": "now-30d" } } },
          { "exists": { "field": "rule.nist_800_53" } }
        ]
      }
    },
    "aggs": {
      "nist_controls": {
        "terms": { "field": "rule.nist_800_53", "size": 50 }
      }
    }
  }' | jq '.aggregations.nist_controls.buckets'
```

## Troubleshooting
### NIST 800-53 alerts not appearing
- Verify that rules contain `nist_800_53_` tags in the `<group>` field
- Confirm the module is enabled in the dashboard settings
- Check the time range filter for correctness
### SCA checks not mapping to NIST controls
- Confirm SCA policies include a `compliance` block specifying `nist_800_53`
- Verify the control identifier format in the policy
- Reload the agent after policy updates
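To understand why a check passes or fails, and to catch the identifier-format mistake described in this item before a policy is deployed, the following added example (not Wazuh's SCA engine) evaluates the rule syntax used by the CM-6, IA-5 and SC-8 checks on this page against constructed file contents. It is a simplified reimplementation covering only `f:` rules with `r:` regex checks, `n:` numeric checks with `compare`, and `not` negation; policies are assumed to have been loaded into Python dicts already (for example with PyYAML), and the sample checks and file contents are constructed.

```python
"""Offline evaluator for the SCA rule syntax used on this page.

Added example; a simplified reimplementation, not Wazuh's SCA engine. Supports
'f:<path>' rules with 'r:<regex>' checks, 'n:<regex> compare <op> <int>' checks,
and a leading 'not'. Also validates nist_800_53 identifiers in compliance blocks.
"""
import operator
import re

COMPARE_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
               ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
# n:<regex with one capture group> compare <op> <integer>
NUMERIC_CHECK_RE = re.compile(
    r"^(?P<regex>.+?)\s+compare\s+(?P<op><=|>=|==|!=|<|>)\s+(?P<value>-?\d+)$")
# Identifier format the dashboard groups on: two-letter family, dot, number
NIST_ID_RE = re.compile(r"^[A-Z]{2}\.\d+$")

# Constructed checks in the layout of an SCA policy's checks list.
PWQUALITY_CHECK = {
    "id": 40020, "title": "Ensure password minimum length is configured",
    "compliance": [{"nist_800_53": ["IA.5"]}],
    "condition": "all",
    "rules": [r"f:/etc/security/pwquality.conf -> n:^\s*minlen\s*=\s*(\d+) compare >= 14"],
}
SSHD_CHECK = {
    "id": 40010, "title": "Ensure SSH root login is disabled",
    "compliance": [{"nist_800_53": ["CM.6"]}, {"cis": ["5.2.10"]}],
    "condition": "all",
    "rules": [r"f:/etc/ssh/sshd_config -> r:^\s*PermitRootLogin\s+no"],
}
BAD_ID_CHECK = {  # hyphen instead of dot: never matches a nist_800_53 group
    "id": 40099, "title": "Check with a malformed control identifier",
    "compliance": [{"nist_800_53": ["IA-5", "IA.5"]}],
    "condition": "all",
    "rules": [r"f:/etc/security/pwquality.conf -> r:^\s*minlen"],
}

# Constructed file contents: a hardened host and a weak one.
HARDENED_FILES = {
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin no\n",
    "/etc/security/pwquality.conf": "# Password quality settings\nminlen = 14\n",
}
WEAK_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\n",
    # The commented line must not satisfy the check; the anchored regex skips it.
    "/etc/security/pwquality.conf": "# minlen = 14\nminlen = 8\n",
}


def _eval_check(check, lines):
    """Evaluate one 'r:' or 'n:' directive against the lines of a file."""
    if check.startswith("r:"):
        rx = re.compile(check[2:])
        return any(rx.search(line) for line in lines)
    if check.startswith("n:"):
        m = NUMERIC_CHECK_RE.match(check[2:])
        if m is None:
            raise ValueError(f"malformed numeric check: {check}")
        rx, op, value = re.compile(m["regex"]), COMPARE_OPS[m["op"]], int(m["value"])
        for line in lines:
            hit = rx.search(line)
            if hit and hit.groups() and hit.group(1).isdigit():
                if op(int(hit.group(1)), value):
                    return True
        return False
    raise ValueError(f"unsupported directive in this example: {check}")


def eval_rule(rule, files):
    """Evaluate an 'f:' rule; files maps path -> content, missing path = absent file."""
    negate = rule.startswith("not ")
    body = rule[4:] if negate else rule
    if not body.startswith("f:"):
        raise ValueError(f"only f: rules are supported here: {rule}")
    path, *checks = [p.strip() for p in body[2:].split("->")]
    content = files.get(path)
    if content is None:
        result = False            # an absent file fails every f: rule
    elif not checks:
        result = True             # bare f:path only tests existence
    else:
        lines = content.splitlines()
        result = all(_eval_check(c, lines) for c in checks)
    return (not result) if negate else result


def evaluate_check(check, files):
    """Apply the check's condition (all / any / none) over its rules."""
    results = [eval_rule(r, files) for r in check["rules"]]
    cond = check.get("condition", "all")
    passed = {"all": all(results), "any": any(results), "none": not any(results)}[cond]
    return "passed" if passed else "failed"


def invalid_nist_ids(check):
    """Return nist_800_53 identifiers that will not map to a control."""
    return [ident for entry in check.get("compliance", [])
            for ident in entry.get("nist_800_53", []) if not NIST_ID_RE.match(ident)]


if __name__ == "__main__":
    for check in (PWQUALITY_CHECK, SSHD_CHECK, BAD_ID_CHECK):
        print(check["id"], check["title"])
        print("  hardened:", evaluate_check(check, HARDENED_FILES),
              " weak:", evaluate_check(check, WEAK_FILES),
              " bad ids:", invalid_nist_ids(check))
```

Running `invalid_nist_ids` over every check of a policy before pushing it to agents catches identifiers such as `IA-5` that are valid-looking but will never be grouped under a control in the module.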
### Missing audit data for AU-12
- Review the log collection configuration in `ossec.conf`
- Confirm archiving is enabled via the `logall_json` parameter
- Verify that index templates in OpenSearch include the `rule.nist_800_53` field