Disk space utilization

Windows endpoint

Perform the following steps on the Windows endpoint.

1. Enable remote command execution on the Windows endpoint by appending the following settings to the C:\Program Files (x86)\ossec-agent\local_internal_options.conf file:

   Warning

   Enable remote command execution with caution as this gives the ThreatLockDown user permission to run any command on the endpoint.

   logcollector.remote_commands=1
   

2. Restart the ThreatLockDown agent to apply the changes, using PowerShell with administrator privileges:

   > Restart-Service -Name wazuh
   

ThreatLockDown server

Perform the following steps on the ThreatLockDown server.

1. Append the following configuration to the /var/ossec/etc/shared/default/agent.conf file on the ThreatLockDown server:

   <agent_config os="Windows">
     <localfile>
       <log_format>command</log_format>
       <command>Powershell -c "Get-Volume -DriveLetter C | Select-Object -Property @{'Name' = '% Free'; Expression = {'{0:P}' -f ($_.SizeRemaining / $_.Size)}}"</command>
       <alias>check_win_disk_space</alias>
     </localfile>
   </agent_config>
   

   Where:

   • The value command of the <log_format> tag specifies the output of the command is read as multiple events.

   • The value Powershell -c "Get-Volume -DriveLetter C | Select-Object -Property @{'Name' = '% Free'; Expression = {'{0:P}' -f ($_.SizeRemaining / $_.Size)}}" of the <command> tag is the command the Logcollector module executes to get the percentage of free space available in the C: drive.

   • The value check_win_disk_space of the <alias> tag is a string that represents the Powershell -c "Get-Volume -DriveLetter C | Select-Object -Property @{'Name' = '% Free'; Expression = {'{0:P}' -f ($_.SizeRemaining / $_.Size)}}" command for better identification in creating rules.

   • Notice the absence of the <frequency> tag. This implies the command is scheduled to run periodically using the default frequency value of 360 seconds.

2. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the ThreatLockDown server:

   <group name="disk_space_utilization,">
     <rule id="100014" level="7">
       <if_sid>530</if_sid>
       <match>^ossec: output: 'check_win_disk_space': </match>
       <regex type="pcre2">[0-1]\d.\d+%$</regex>
       <description>C: Drive free space less than 20%.</description>
     </rule>
   </group>
   

3. Restart the ThreatLockDown manager to apply the changes:

   $ sudo systemctl restart wazuh-manager
   

Linux endpoint

Perform the following steps on the Linux endpoint.

1. Enable remote command execution on the Linux endpoint by appending the following settings to the /var/ossec/etc/local_internal_options.conf file:

   Warning

   Enable remote command execution with caution as this gives the ThreatLockDown user permission to run any command on the endpoint.

   wazuh_command.remote_commands=1
   

2. Restart the ThreatLockDown agent to apply the changes:

   $ sudo systemctl restart wazuh-agent
   

ThreatLockDown server

Knowing the Command module does have a default decoder for its log format, we need to figure out a way to format the command output so that a custom decoder can parse it. So, we leverage the below script to format the command output.

1. Create a bash script named disk-usage.sh in the /var/ossec/etc/shared/default/ directory of the ThreatLockDown server and add the following content. ThreatLockDown pushes the script to the /var/ossec/etc/shared/ directory on the Linux endpoint where it is executed. The script adds a disk-usage header to the output of the df -h command:

   #!/bin/bash
   df -h | while IFS= read -r line;
   do
     echo "disk-usage: "$line
   done
   

2. Append the following configuration to the /var/ossec/etc/shared/default/agent.conf file on the ThreatLockDown server. Replace <MD5_HASH>, <SHA1_HASH>, and <SHA256_HASH> with the appropriate hashes of the /bin/bash shell binary on the Linux endpoint:

   <agent_config os="Linux">
     <wodle name="command">
       <disabled>no</disabled>
       <tag>disk-usage</tag>
       <command>/bin/bash /var/ossec/etc/shared/disk-usage.sh</command>
       <interval>2m</interval>
       <run_on_start>yes</run_on_start>
       <timeout>10</timeout>
       <verify_md5><MD5_HASH></verify_md5>
       <verify_sha1><SHA1_HASH></verify_sha1>
       <verify_sha256><SHA256_HASH></verify_sha256>
     </wodle>
   </agent_config>
   

   Where:

   • The value /bin/bash /var/ossec/etc/shared/disk-usage.sh of the <command> tag specifies the Command module uses the /bin/bash binary to execute the /var/ossec/etc/shared/disk-usage.sh script.

   • The value 2m of the <interval> tag indicates that the command module runs the command every 2 minutes.

3. Add the following decoder to the /var/ossec/etc/decoders/local_decoder.xml file on the ThreatLockDown server:

   <decoder name="disk-usage">
     <prematch>^disk-usage: </prematch>
     <regex offset="after_prematch">(\S+)\s*(\S+)\s*(\S+)\s*(\S+)\s*(\S+)%\s*(\S+)</regex>
     <order>filesystem, size, used, available, usage, mnt</order>
   </decoder>
   

4. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the ThreatLockDown server. The rule generates an alert when the disk usage of the /dev partition exceeds 80%:

   <group name="disk_space_utilization,">
     <rule id="100015" level="7">
       <decoded_as>disk-usage</decoded_as>
       <field name="filesystem">^/dev/</field>
       <field name="usage">^9\d|^8\d</field>
       <description>Usage $(usage)% of $(filesystem) partition exceeded 80%.</description>
     </rule>
   </group>
   

5. Restart the ThreatLockDown manager to apply the changes:

   $ sudo systemctl restart wazuh-manager
   

macOS endpoint

Perform the following steps on the macOS endpoint.

1. Enable remote command execution on the macOS endpoint by appending the following settings to the /Library/Ossec/etc/local_internal_options.conf file:

   Warning

   Enable remote command execution with caution as this gives the ThreatLockDown user permission to run any command on the endpoint.

   logcollector.remote_commands=1
   

2. Restart the ThreatLockDown agent to apply the changes:

   # /Library/Ossec/bin/wazuh-control restart
   

ThreatLockDown server

ThreatLockDown has an out-of-the-box rule with ID 531 that generates an alert when the disk usage of the /dev partition is 100%. The rule is defined below and is found in the ThreatLockDown GitHub repository.

<rule id="531" level="7" ignore="7200">
  <if_sid>530</if_sid>
  <match>ossec: output: 'df -P': /dev/</match>
  <regex>100%</regex>
  <description>Partition usage reached 100% (disk space monitor).</description>
  <group>low_diskspace,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

Perform the following steps on the ThreatLockDown server.

1. Append the following configuration to the /var/ossec/etc/shared/default/agent.conf file on the ThreatLockDown server:

   <agent_config os="macOS">
     <localfile>
       <log_format>command</log_format>
       <command>df -P</command>
       <frequency>180</frequency>
     </localfile>
   </agent_config>
   

   Where:

   • The value command of the <log_format> tag specifies the output of the command is read as multiple events.

   • The value df -P of the <command> tag specifies the command the Logcollector module executes.

   • The value 180 of the <frequency> tag specifies the command runs every 180 seconds (3 minutes).

Test the configuration

Run the following command on the macOS endpoint to fill the disk space with random data of 10GB. This action can take approximately 45 seconds:

# df -h .; date; dd if=/dev/zero of=big_file count=10240000 bs=1024 ; date; df -h .