Wazuh PCI DSS 4.0 - Requirements Mapping and Setup
Wazuh supports PCI DSS version 4.0 through log data collection and analysis, file integrity monitoring (FIM), security configuration assessment (SCA), system inventory, real-time alerting, and active response. The default ruleset ships with rules pre-tagged with pci_dss_X.Y.Z groups that cover the standard's technical requirements, so alerts can be filtered and reported by requirement without custom rule work.
PCI DSS 4.0 Overview
PCI DSS (Payment Card Industry Data Security Standard) defines security requirements for organizations that process, store, or transmit payment card data. Version 4.0 replaced PCI DSS 3.2.1 (retired on 31 March 2024) and tightened the requirements around authentication (including multi-factor authentication for all access to the cardholder data environment), encryption, and continuous monitoring.
The standard comprises 12 core requirements organized under 6 goals. Wazuh covers the requirements that call for technical security controls. Note that the pci_dss_ tags in the stock ruleset predate version 4.0 and mostly follow the 3.2.1 numbering (for example, the v4.0 requirement for audit log detail is 10.2.2, while the rules that satisfy it are tagged pci_dss_10.2.4), so confirm the requirement text before citing a tag as evidence for a specific v4.0 control.
PCI DSS Requirements Mapping to Wazuh Modules
| PCI DSS Requirement | Description | Wazuh Module | Rule Group |
|---|---|---|---|
| 1.x | Install and maintain network security controls | FIM, log analysis | pci_dss_1.1.1 |
| 2.2 | Secure configuration of system components | SCA | pci_dss_2.2 |
| 5.x | Protect against malicious software | Rootcheck, YARA | pci_dss_5.1, pci_dss_5.2 |
| 6.1 | Identify and remediate vulnerabilities | Vulnerability Detector | pci_dss_6.1 |
| 6.2 | Secure software development | Application log analysis | pci_dss_6.2 |
| 8.x | Identification and authentication | Log analysis, SCA | pci_dss_8.1, pci_dss_8.2 |
| 10.x | Log and monitor all access | Log analysis | pci_dss_10.2.4, pci_dss_10.2.5 |
| 10.4.1 | Daily security log review | Dashboard, alerting | pci_dss_10.4.1 |
| 10.5.1 | Audit log retention | Log archiving | pci_dss_10.5.1 |
| 11.5 | File integrity monitoring | FIM | pci_dss_11.5 |
| 11.x | Security testing | SCA, Vulnerability Detector | pci_dss_11.2 |
| 12.x | Information security policies | Documentation, SCA | pci_dss_12.1 |
Requirement 1 - Network Security Controls
Wazuh tracks changes to firewall configurations through the FIM module and through log analysis of firewall and network device events.
Firewall Configuration Monitoring
```xml
<syscheck>
  <directories check_all="yes" realtime="yes">/etc/iptables</directories>
  <directories check_all="yes" realtime="yes">/etc/firewalld</directories>
  <directories check_all="yes" realtime="yes">/etc/pf.conf</directories>
</syscheck>
```
When a monitored firewall configuration file changes, FIM generates an alert recording what was modified and when. The stock FIM rules (550 for a modified file, 553 for a deleted one, 554 for an added one) are tagged pci_dss_11.5; if the alerts should also count towards Requirement 1, add a child rule of those rules that matches the firewall paths and carries pci_dss_1.1.1 in its group. To record who made the change, enable whodata="yes" on these directories (it relies on Linux Audit, or on object access auditing on Windows); realtime mode alone does not capture the user.
Requirement 2.2 - Secure Configuration
The SCA module evaluates system configuration against CIS Benchmark policies. Each check carries a compliance block, and that block is what maps the result to PCI DSS requirement 2.2 (and to the CIS control it implements) in the alerts and the dashboard.
Example SCA policy for SSH configuration verification (a custom policy file needs the policy header and is referenced from the <sca><policies> section of ossec.conf):
```yaml
policy:
  id: "pci_ssh_custom"
  file: "pci_ssh_custom.yml"
  name: "PCI DSS SSH configuration checks"
  description: "Custom SCA checks mapped to PCI DSS requirement 2.2"

checks:
  - id: 10001
    title: "Ensure SSH Protocol is set to 2"
    compliance:
      - pci_dss: ["2.2"]
      - cis: ["5.2.4"]
    condition: all
    rules:
      - 'f:/etc/ssh/sshd_config -> r:^\s*Protocol\s+2'
```
OpenSSH 7.0 and later dropped protocol 1 altogether and ignore the Protocol directive, so on current hosts this check fails whenever the line is simply absent; treat it as a template for the compliance mapping rather than a check to deploy as-is.
Requirement 5 - Malware Protection
Wazuh provides multi-layered malware protection:
- Rootcheck - rootkit and system anomaly detection
- YARA integration - file scanning by signatures through the malware detection module
- Process monitoring - rootcheck's hidden-process checks, plus tracking of suspicious process activity through forwarded auditd logs and command monitoring
Wazuh rules tagged with pci_dss_5.1 and pci_dss_5.2 trigger when malware or suspicious activity is detected.
Requirement 6.1 - Vulnerability Management
The vulnerability detection module scans installed software for known CVEs. Results map to PCI DSS requirement 6.1.
Module configuration in ossec.conf on the manager (this provider-based syntax applies to Wazuh 4.4 through 4.7; from 4.8 the module is configured as <vulnerability-detection> and pulls its feeds through the Wazuh indexer):
```xml
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>12h</interval>
  <run_on_start>yes</run_on_start>
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>jammy</os>
    <update_interval>1h</update_interval>
  </provider>
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
```
The detector only reports on packages that Syscollector has inventoried, so the agents' <wodle name="syscollector"> module must be enabled as well.
Requirement 10 - Logging and Monitoring
Requirement 10 is one of the most thoroughly covered by Wazuh. The platform provides:
10.2.4 - Audit Log Detail
Each auditable event must record user identification, event type, date/time, success/failure indicator, event source, and affected resource identity. Wazuh automatically extracts this data during log decoding.
Example rule for failed SSH authentication:
```xml
<rule id="5710" level="5">
  <if_sid>5700</if_sid>
  <match>illegal user|invalid user</match>
  <description>sshd: Attempt to login using a non-existent user</description>
  <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
```
10.2.5 - Privileged Access Logging
Rules for sudo, su, and administrative logins are tagged pci_dss_10.2.5, producing alerts that carry user identification, event classification, and timestamps. Commands run inside an interactive root shell are only captured if auditd logs are forwarded or command monitoring is configured; the stock rules alone do not see them.
10.4.1 - Daily Log Review
The Wazuh Dashboard provides visualization for daily review of:
- Security event logs
- Card data storage and processing system logs
- Critical system logs
- Security function logs
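The three checks above (10.2.4 detail, 10.2.5 privileged actions, 10.4.1 daily review) can be scripted against the manager's alerts.json. The following Python is an added example, not Wazuh project code: it runs over four constructed alerts written in the Wazuh alert schema (rule.pci_dss, rule.groups, agent, data, syscheck) and reports which alerts lack the audit details 10.2.4 expects, which ones are privileged actions, and the per-requirement and per-agent counts for the daily review. Rules 5710, 5402 and 550 are stock ruleset rules; 100200 is a hypothetical custom rule, and the agent names and addresses are made up.

```python
"""Daily PCI DSS 10.2.x review of Wazuh alerts (added example, not Wazuh code).

Reads alerts.json-style lines (one JSON object per line), checks that every
PCI-tagged alert carries the audit details 10.2.4 asks for, lists privileged
actions (10.2.5) and counts alerts per requirement and per agent for the
daily review in 10.4.1.
"""
import json
from collections import Counter

# Constructed sample alerts for this example; not captured from a real manager.
# Rule 100200 is a hypothetical custom rule; 5710, 5402 and 550 are stock rules.
SAMPLE_ALERTS = [
    json.dumps({"timestamp": "2024-05-01T03:12:44.120+0000",
                "rule": {"id": "5710", "level": 5,
                         "description": "sshd: Attempt to login using a non-existent user",
                         "groups": ["syslog", "sshd", "invalid_login", "authentication_failed"],
                         "pci_dss": ["10.2.4", "10.2.5"]},
                "agent": {"id": "001", "name": "pos-gw-01"},
                "data": {"srcip": "203.0.113.7", "srcuser": "backup"}}),
    json.dumps({"timestamp": "2024-05-01T09:40:02.331+0000",
                "rule": {"id": "5402", "level": 3,
                         "description": "Successful sudo to ROOT executed",
                         "groups": ["syslog", "sudo"], "pci_dss": ["10.2.5", "10.2.2"]},
                "agent": {"id": "002", "name": "db-card-01"},
                "data": {"srcuser": "alice", "dstuser": "root",
                         "command": "/usr/bin/vi /etc/ssh/sshd_config"}}),
    # Realtime FIM without whodata: the change is recorded but not who made it.
    json.dumps({"timestamp": "2024-05-01T10:05:19.000+0000",
                "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed.",
                         "groups": ["ossec", "syscheck"], "pci_dss": ["11.5"]},
                "agent": {"id": "002", "name": "db-card-01"},
                "syscheck": {"path": "/etc/ssh/sshd_config", "event": "modified"}}),
    # Hypothetical custom rule whose decoder extracts nothing: fails the detail check.
    json.dumps({"timestamp": "2024-05-01T11:00:00.000+0000",
                "rule": {"id": "100200", "level": 8, "description": "custom: config push",
                         "groups": ["local"], "pci_dss": ["10.2.4"]},
                "agent": {"id": "003", "name": "app-01"}}),
]

FAILURE_GROUPS = {"authentication_failed", "invalid_login", "access_denied"}
AUTH_GROUPS = {"authentication_failed", "authentication_success", "invalid_login", "sudo"}


def audit_detail(alert):
    """Map one alert onto the six details 10.2.4 requires; None marks a gap."""
    rule, data = alert.get("rule", {}), alert.get("data", {})
    fim, groups = alert.get("syscheck", {}), set(rule.get("groups", []))
    # whodata="yes" adds syscheck.audit.user.name; plain realtime FIM has no user.
    user = (data.get("srcuser") or data.get("dstuser")
            or fim.get("audit", {}).get("user", {}).get("name"))
    # Affected resource: the file for FIM, the command for sudo, the target
    # account for login events (dstuser if decoded, else the attempted user).
    account = data.get("dstuser") or data.get("srcuser")
    resource = (fim.get("path") or data.get("command")
                or (f"account:{account}" if account and groups & AUTH_GROUPS else None))
    return {
        "user": user,
        "event_type": rule.get("description"),
        "timestamp": alert.get("timestamp"),
        "outcome": "failure" if groups & FAILURE_GROUPS else "success",
        "origin": data.get("srcip") or alert.get("agent", {}).get("name"),
        "resource": resource,
    }


def is_privileged(alert):
    """10.2.5: actions by an account with administrative access."""
    rule = alert.get("rule", {})
    return "10.2.5" in rule.get("pci_dss", []) or "sudo" in rule.get("groups", [])


def daily_review(lines):
    """Summarise PCI-tagged alerts; alerts without a pci_dss tag are skipped."""
    by_req, by_agent, privileged, incomplete = Counter(), Counter(), [], []
    for line in lines:
        alert = json.loads(line)
        tags = alert.get("rule", {}).get("pci_dss", [])
        if not tags:
            continue
        by_req.update(tags)
        by_agent[alert["agent"]["name"]] += 1
        if is_privileged(alert):
            privileged.append(alert["rule"]["id"])
        missing = [k for k, v in audit_detail(alert).items() if v is None]
        if missing:
            incomplete.append((alert["rule"]["id"], missing))
    return {"by_requirement": dict(by_req), "by_agent": dict(by_agent),
            "privileged": privileged, "incomplete": incomplete}


if __name__ == "__main__":
    # On a manager: daily_review(open("/var/ossec/logs/alerts/alerts.json"))
    print(json.dumps(daily_review(SAMPLE_ALERTS), indent=2))
```

The interesting output is the incomplete list: the stock FIM alert (rule 550) is flagged because without whodata it carries no user, which is exactly the gap the 11.5 section's whodata option closes.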
10.5.1 - Audit Log Retention
PCI DSS 10.5.1 requires audit log history to be retained for at least 12 months, with the most recent 3 months immediately available for analysis. Two settings matter in Wazuh. On the manager, logall_json writes every received event (not only those that fired a rule) to /var/ossec/logs/archives/archives.json, which is rotated daily and compressed on disk:
```xml
<ossec_config>
  <global>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
```
Archives are disk-heavy and are not shipped to the indexer unless the Filebeat archives module is enabled, so plan storage for them separately. Alerts that reach the indexer live in daily wazuh-alerts-* indices, whose lifetime is controlled by Index State Management (ISM) policies in OpenSearch. The policy below keeps indices for 12 months and makes them read-only once they leave the 3-month immediately-available window:
```json
{
  "policy": {
    "policy_id": "pci-dss-retention",
    "description": "PCI DSS 12-month log retention",
    "default_state": "hot",
    "states": [
      {
        "name": "hot",
        "actions": [],
        "transitions": [
          {
            "state_name": "warm",
            "conditions": { "min_index_age": "90d" }
          }
        ]
      },
      {
        "name": "warm",
        "actions": [
          { "read_only": {} }
        ],
        "transitions": [
          {
            "state_name": "delete",
            "conditions": { "min_index_age": "365d" }
          }
        ]
      },
      {
        "name": "delete",
        "actions": [
          { "delete": {} }
        ]
      }
    ]
  }
}
```
Requirement 11.5 - File Integrity Monitoring
PCI DSS 11.5.2 requires deployment of a change-detection mechanism to alert personnel of unauthorized modification of critical system files, configuration files, or content files.
Monitoring with User Attribution
```xml
<syscheck>
  <directories check_all="yes" whodata="yes">/root/credit_cards</directories>
</syscheck>
```
The whodata attribute records the user and process responsible for each change in the alert's syscheck.audit fields. On Linux it relies on the Audit subsystem (auditd must be installed; the agent adds the audit rules for the monitored paths itself), on Windows on object access auditing. Without it an FIM alert says what changed and when, but not who changed it.
Change Content Tracking
```xml
<syscheck>
  <frequency>3600</frequency>
  <directories check_all="yes" report_changes="yes">/root/credit_cards/cardholder_data.txt</directories>
</syscheck>
```
frequency sets the interval between scheduled scans in seconds. The report_changes option includes a diff of the file content in the alert and keeps a copy of the previous version in the agent's queue/diff directory. That is the wrong choice for a file that holds primary account numbers, because the cardholder data would be copied into alerts, the indexer, and any archive: reserve report_changes for configuration files, and use the <nodiff> option for any monitored path that may contain sensitive content.
Real-Time Deletion Detection
```xml
<syscheck>
  <directories check_all="yes" realtime="yes">/root/credit_cards</directories>
</syscheck>
```
Real-time mode reports additions, modifications, and deletions as they happen instead of waiting for the next scheduled scan (inotify on Linux, directory change notifications on Windows). whodata mode is itself real-time and adds user attribution, so use it instead of realtime where Audit is available.
PCI DSS Rule Groups
Wazuh tags rules with the prefix pci_dss_ followed by the requirement number. List every tag present in the stock ruleset (the docker exec prefix assumes the container deployment; on a package install run the pipeline directly on the manager, and add /var/ossec/etc/rules/ to the search to include custom rules):
```shell
docker exec wazuh-manager grep -r "pci_dss_" /var/ossec/ruleset/rules/ | \
  grep -oP 'pci_dss_[\d.]+' | sort -u
```
Key rule groups:
| Group | Requirement |
|---|---|
| pci_dss_1.1.1 | Network security controls |
| pci_dss_2.2 | Secure configuration |
| pci_dss_5.1 | Malware protection |
| pci_dss_6.1 | Vulnerability management |
| pci_dss_6.5 | Secure development |
| pci_dss_8.1 | User identification |
| pci_dss_10.2.4 | Audit log detail |
| pci_dss_10.2.5 | Privileged access |
| pci_dss_10.5.1 | Audit log retention |
| pci_dss_11.5 | Integrity monitoring |
PCI DSS Dashboard Module
The Wazuh Dashboard includes a dedicated PCI DSS module under Modules > Regulatory compliance > PCI DSS. The module provides:
- Overview panel - aggregate alert statistics by PCI DSS requirement
- Requirement filtering - drill-down into specific requirements for detailed analysis
- Timeline - alert visualization over time grouped by requirement
- Agents - per-agent and per-group compliance statistics
The dashboard renders information in real time, allowing filtering by alert field types including compliance controls.
Generating PCI DSS Reports
To generate compliance reports, use the dashboard capabilities:
- Navigate to Modules > PCI DSS
- Set the time range for the reporting period
- Apply filters by agent or agent group
- Click Generate report to produce a PDF of the current view, or export individual tables as CSV
For automated reporting, query the Wazuh indexer's search API directly. The query below counts alerts from the last 30 days per PCI DSS requirement (rule.pci_dss is a keyword array, so an alert is counted once per tag it carries). It assumes the default admin user with its password in WAZUH_ADMIN_PASS; outside a lab, replace -k with --cacert and the indexer's CA certificate so the connection is actually verified:
```shell
curl -sk -u admin:$WAZUH_ADMIN_PASS \
  "https://localhost:9200/wazuh-alerts-*/_search" \
  -H "Content-Type: application/json" \
  -d '{
    "size": 0,
    "query": {
      "bool": {
        "must": [
          { "range": { "timestamp": { "gte": "now-30d" } } },
          { "exists": { "field": "rule.pci_dss" } }
        ]
      }
    },
    "aggs": {
      "pci_requirements": {
        "terms": { "field": "rule.pci_dss", "size": 50 }
      }
    }
  }' | jq '.aggregations.pci_requirements.buckets'
```
Troubleshooting
PCI DSS alerts not appearing in the dashboard
- Verify that the rules carry pci_dss_ tags in their <group> field
- Confirm the PCI DSS module is enabled in the dashboard settings
- Check that the time range filter covers the period you expect
Missing FIM data for PCI DSS 11.5
- Review the <syscheck> configuration in ossec.conf
- Confirm monitoring is enabled (<disabled>no</disabled>)
- Verify that the monitored paths are spelled correctly and exist on the agent
Missing vulnerability data for PCI DSS 6.1
- Review the <vulnerability-detector> configuration in ossec.conf (<vulnerability-detection> on Wazuh 4.8 and later)
- Confirm the vulnerability feed providers are enabled and updating
- Verify that the Syscollector module is active on the agents: the vulnerability detector works from the package inventory it collects
Logs not being archived for PCI DSS 10.5.1
- Confirm logall_json is set to yes in the <global> section of ossec.conf
- Restart the Wazuh manager after configuration changes
- Configure an ISM policy in OpenSearch for retention management
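An ISM policy is easy to get subtly wrong (a transition that deletes at 180 days, or a cold tier that closes indices inside the 3-month window). The following Python is an added example, not Wazuh or OpenSearch project code: it lints a policy document of the shape shown under 10.5.1 against the 12-month and 3-month numbers from that requirement. The constructed pci-dss-retention policy is a copy of the one above; the lax-retention policy is made up to show what a failing policy looks like. It assumes, as ISM documents, that min_index_age is measured from index creation, which for the daily wazuh-alerts-* indices is also the age of the oldest alert in the index.

```python
"""Lint an OpenSearch ISM policy against PCI DSS 10.5.1 (added example).

Not Wazuh or OpenSearch project code. It checks that no transition deletes
indices before keep_days and that nothing closes them inside the hot_days
window in which logs must stay immediately available.
"""
import re

# Constructed copy of the pci-dss-retention policy from the 10.5.1 section.
PCI_POLICY = {"policy": {
    "policy_id": "pci-dss-retention", "default_state": "hot",
    "states": [
        {"name": "hot", "actions": [],
         "transitions": [{"state_name": "warm", "conditions": {"min_index_age": "90d"}}]},
        {"name": "warm", "actions": [{"read_only": {}}],
         "transitions": [{"state_name": "delete", "conditions": {"min_index_age": "365d"}}]},
        {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
    ]}}

# Constructed policy that breaks both thresholds: closes at 30d, deletes at 180d.
LAX_POLICY = {"policy": {
    "policy_id": "lax-retention", "default_state": "hot",
    "states": [
        {"name": "hot", "actions": [],
         "transitions": [{"state_name": "closed", "conditions": {"min_index_age": "30d"}}]},
        {"name": "closed", "actions": [{"close": {}}],
         "transitions": [{"state_name": "delete", "conditions": {"min_index_age": "180d"}}]},
        {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
    ]}}

# ISM duration units expressed in days.
_DAYS = {"ms": 1 / 86_400_000, "s": 1 / 86_400, "m": 1 / 1_440, "h": 1 / 24, "d": 1}


def age_to_days(value):
    """Convert an ISM duration string ('90d', '2160h', '30m') into days."""
    m = re.fullmatch(r"\s*(\d+)\s*(ms|[smhd])\s*", value)
    if not m:
        raise ValueError(f"unsupported ISM duration: {value!r}")
    return int(m.group(1)) * _DAYS[m.group(2)]


def transitions(policy):
    """Yield (from_state, to_state, min_index_age_in_days) for age-based transitions."""
    for state in policy["policy"]["states"]:
        for t in state.get("transitions", []):
            age = t.get("conditions", {}).get("min_index_age")
            if age is not None:
                yield state["name"], t["state_name"], age_to_days(age)


def check_retention(policy, hot_days=90, keep_days=365):
    """Return findings as strings; an empty list means the thresholds are met."""
    findings = []
    states = {s["name"]: s for s in policy["policy"]["states"]}
    if policy["policy"].get("default_state") not in states:
        findings.append("default_state does not name a defined state")

    def actions_of(name):
        # Each ISM action is a one-key dict such as {"delete": {}}.
        return {next(iter(a)) for a in states.get(name, {}).get("actions", []) if a}

    saw_delete = False
    for src, dst, days in transitions(policy):
        acts = actions_of(dst)
        if "delete" in acts:
            saw_delete = True
            if days < keep_days:
                findings.append(f"{src}->{dst} deletes indices at {days:g}d, "
                                f"below the {keep_days}d minimum")
        if "close" in acts and days < hot_days:
            findings.append(f"{src}->{dst} closes indices at {days:g}d, inside the "
                            f"{hot_days}d window in which logs must stay searchable")
    if not saw_delete:
        findings.append("no delete transition: retention is unbounded, size storage for it")
    return findings


if __name__ == "__main__":
    for name, pol in (("pci-dss-retention", PCI_POLICY), ("lax-retention", LAX_POLICY)):
        print(name, check_retention(pol) or ["OK"])
```

Feed it the policy body retrieved from the indexer (GET _plugins/_ism/policies/pci-dss-retention) rather than the file you think you applied; the point of the check is to catch drift between the two.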