Wazuh for CMMC Compliance: Complete Implementation Guide#

Introduction#

The Cybersecurity Maturity Model Certification (CMMC) is reshaping how organizations in the Defense Industrial Base (DIB) approach cybersecurity. Created by the U.S. Department of Defense, CMMC ensures that contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) maintain robust security practices.

Wazuh, an open-source SIEM and XDR platform, provides comprehensive capabilities that directly support CMMC compliance requirements. This guide demonstrates practical implementations for key CMMC domains using Wazuh’s out-of-the-box features.

Understanding CMMC Requirements#

CMMC organizes cybersecurity practices across multiple domains:

Access Control (AC): Managing who can access systems and data
Audit & Accountability (AU): Logging and monitoring system activities
Configuration Management (CM): Maintaining secure system configurations
Risk Assessment (RA): Identifying and managing vulnerabilities
System and Information Integrity (SI): Ensuring system security

How Wazuh Supports CMMC Compliance#

Wazuh provides built-in mappings to CMMC controls through data.sca.check.compliance.cmmc_v2.0 tags, enabling automated compliance tracking and reporting.

CMMC Domain Mapping#

CMMC Domain	Wazuh Capability	Implementation
Audit & Accountability (AU)	Log Data Analysis	Centralized logging, retention, analysis
Access Control (AC)	Active Response + Logging	Automated account lockout, access monitoring
Configuration Management (CM)	Security Configuration Assessment	CIS benchmark scanning
Risk Assessment (RA)	Vulnerability Detection	CVE scanning, patch management
System Integrity (SI)	File Integrity Monitoring	Critical file change detection

Infrastructure Setup#

For this implementation, we’ll use:

Wazuh Server: Ubuntu 24.04 with Wazuh 4.12.0 central components
Monitored Endpoints:
- Ubuntu 24.04 server
- Windows 11 workstation
- Kali Linux 2025.2 (for testing)

Implementation Guide#

Part 1: Audit and Accountability (AU.L2-3.3.1)#

Requirement: Retain system audit logs for monitoring, analysis, and investigation of unauthorized activity.

Configure Authentication Failure Detection#

Wazuh automatically detects authentication failures across platforms. Let’s verify this capability:

Test Failed Logins:

1
# On Linux endpoints - attempt failed SSH login
2
ssh invaliduser@localhost
3

4
# On Windows - attempt failed RDP or local login
5
# Use incorrect credentials at login screen

View Results in Wazuh Dashboard:

Navigate to Threat Intelligence → Threat Hunting
Apply filter: Authentication failure
Review detected events

Architecture for Audit Logging#

1
flowchart LR
2
    subgraph "Endpoints"
3
        L1[Linux Logs] --> A1[Wazuh Agent]
4
        W1[Windows Events] --> A2[Wazuh Agent]
5
        K1[Kali Logs] --> A3[Wazuh Agent]
6
    end
7

8
    subgraph "Wazuh Server"
9
        A1 --> S1[Log Collection]
10
        A2 --> S1
11
        A3 --> S1
12
        S1 --> S2[Analysis Engine]
13
        S2 --> S3[Alert Generation]
14
        S3 --> S4[Long-term Storage]
15
    end
16

17
    subgraph "Compliance Reporting"
18
        S4 --> R1[CMMC AU Reports]
19
        S4 --> R2[Audit Trail Archive]
20
    end
21

22
    style L1 fill:#4dabf7
23
    style W1 fill:#ffd43b
24
    style S2 fill:#51cf66
25
    style R1 fill:#ff6b6b

Part 2: Access Control (AC.L2-3.1.11)#

Requirement: Automatically terminate user sessions after defined conditions.

We’ll implement automated account lockout after multiple failed login attempts.

Configure Active Response#

Step 1: Create Detection Rule

Add to /var/ossec/etc/rules/local_rules.xml:

1
<group name="pam,syslog,">
2
  <rule id="120100" level="10" frequency="5" timeframe="120">
3
    <if_matched_sid>5503</if_matched_sid>
4
    <description>Possible password guess on $(dstuser): five failed logins in 2 minutes</description>
5
    <mitre>
6
      <id>T1110</id>
7
    </mitre>
8
  </rule>
9
</group>

Step 2: Configure Active Response

Add to /var/ossec/etc/ossec.conf:

1
<ossec_config>
2
  <!-- Command definition -->
3
  <command>
4
    <name>disable-account</name>
5
    <executable>disable-account</executable>
6
    <timeout_allowed>yes</timeout_allowed>
7
  </command>
8

9
  <!-- Active response configuration -->
10
  <active-response>
11
    <disabled>no</disabled>
12
    <command>disable-account</command>
13
    <location>local</location>
14
    <rules_id>120100</rules_id>
15
    <timeout>300</timeout>
16
  </active-response>
17
</ossec_config>

Step 3: Restart Wazuh Manager

1
sudo systemctl restart wazuh-manager

Test Account Lockout#

Create Test Users:

1
# On Ubuntu and Kali
2
sudo adduser user1
3
sudo adduser user2

Trigger Lockout:

1
# Switch to user2
2
su user2
3

4
# Attempt to switch to user1 with wrong password (6 times)
5
su user1
6
# Enter incorrect password each time

Verify in Dashboard:

Navigate to Threat Hunting
Filter by rule.id: 657 (Active Response alerts)
Confirm account disable actions

Part 3: Risk Assessment (RA.L2-3.11.2)#

Requirement: Scan for vulnerabilities periodically and when new vulnerabilities are introduced.

Configure Vulnerability Detection#

Wazuh automatically performs vulnerability detection on monitored endpoints. Let’s review the results:

View Vulnerability Dashboard:

Navigate to Threat Intelligence → Vulnerability Detection
Review detected CVEs by severity
Click Inventory tab for endpoint-specific vulnerabilities

Vulnerability Management Architecture#

1
flowchart TB
2
    subgraph "Vulnerability Detection Flow"
3
        E1[Endpoint Inventory] --> V1[Package Collection]
4
        V1 --> V2[CVE Database Matching]
5
        V2 --> V3[Severity Assessment]
6
        V3 --> V4[Alert Generation]
7
    end
8

9
    subgraph "Risk Prioritization"
10
        V4 --> R1{Severity Level}
11
        R1 -->|Critical| R2[Immediate Action]
12
        R1 -->|High| R3[Scheduled Remediation]
13
        R1 -->|Medium/Low| R4[Regular Patching]
14
    end
15

16
    subgraph "CMMC Reporting"
17
        R2 --> C1[RA.L2-3.11.2 Report]
18
        R3 --> C1
19
        R4 --> C1
20
    end
21

22
    style E1 fill:#4dabf7
23
    style V2 fill:#ffd43b
24
    style R1 fill:#ff6b6b
25
    style C1 fill:#51cf66

Creating Custom CMMC Dashboard#

Step 1: Create Visualizations#

Audit & Accountability Visualization#

Failed Login Summary (Pie Chart):

Navigate to Visualize → Create new visualization
Select Pie chart type
Configure:
- Metrics: Count aggregation
- Buckets: Split slices by agent.name
- Filter: rule.mitre.technique is one of “Password Guessing”, “Account Access Removal”

1
{
2
  "visualization": {
3
    "title": "Failed Login Attempts by Endpoint",
4
    "visState": {
5
      "type": "pie",
6
      "params": {
7
        "addTooltip": true,
8
        "addLegend": true,
9
        "legendPosition": "right"
10
      }
11
    }
12
  }
13
}

Access Control Visualization#

Active Response Triggers (Data Table):

Create Data Table visualization
Configure:
- Metrics: Count with label “Active response (disable user)”
- Buckets:
  - Split rows by agent.name
  - Sub-bucket by data.dstuser
- Filters:
  - data.command: add
  - rule.groups: active_response

1
{
2
  "visualization": {
3
    "title": "Account Lockout Actions",
4
    "visState": {
5
      "type": "table",
6
      "params": {
7
        "perPage": 10,
8
        "showPartialRows": false,
9
        "showMetricsAtAllLevels": false
10
      }
11
    }
12
  }
13
}

Risk Assessment Visualization#

Vulnerable Packages (Horizontal Bar):

Create Horizontal Bar chart
Configure:
- Y-axis: Count aggregation
- X-axis: Split by data.vulnerability.package.name (Top 15)
- Split series: By agent.name
- Filters:
  - data.vulnerability.severity is one of “High”, “Critical”
  - data.vulnerability.status: Active

Step 2: Build Dashboard#

Navigate to Dashboards → Create Dashboard
Add all three visualizations
Arrange in logical layout:
- Top: Failed Login Summary
- Middle: Active Response Actions
- Bottom: Critical Vulnerabilities

Step 3: Import Pre-built Dashboard#

Alternatively, import our pre-configured CMMC dashboard:

Import Dashboard JSON:

1
{
2
  "version": "4.12.0",
3
  "objects": [
4
    {
5
      "id": "cmmc-dashboard",
6
      "type": "dashboard",
7
      "attributes": {
8
        "title": "CMMC Compliance Overview",
9
        "hits": 0,
10
        "description": "CMMC compliance monitoring for AU, AC, and RA domains",
11
        "panelsJSON": "[...]",
12
        "timeRestore": false,
13
        "kibanaSavedObjectMeta": {
14
          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"}}"
15
        }
16
      }
17
    }
18
  ]
19
}

Advanced CMMC Compliance Features#

Automated Compliance Reporting#

Create scheduled reports for CMMC audits:

1
#!/usr/bin/env python3
2
import requests
3
import json
4
from datetime import datetime, timedelta
5

6
class CMMCReporter:
7
    def __init__(self, wazuh_api, api_user, api_pass):
8
        self.api = wazuh_api
9
        self.auth = (api_user, api_pass)
10

11
    def generate_au_report(self):
12
        """Generate Audit & Accountability report"""
13
        # Query authentication failures
14
        endpoint = f"{self.api}/security/events"
15
        params = {
16
            "pretty": "true",
17
            "q": "rule.groups:authentication_failed",
18
            "time_frame": "7d"
19
        }
20

21
        response = requests.get(endpoint, auth=self.auth, params=params)
22
        return self.format_au_report(response.json())
23

24
    def generate_ac_report(self):
25
        """Generate Access Control report"""
26
        # Query active response actions
27
        endpoint = f"{self.api}/security/events"
28
        params = {
29
            "pretty": "true",
30
            "q": "rule.groups:active_response",
31
            "time_frame": "30d"
32
        }
33

34
        response = requests.get(endpoint, auth=self.auth, params=params)
35
        return self.format_ac_report(response.json())
36

37
    def generate_ra_report(self):
38
        """Generate Risk Assessment report"""
39
        # Query vulnerabilities
40
        endpoint = f"{self.api}/vulnerability/{agent_id}"
41

42
        critical_vulns = []
43
        for agent in self.get_agents():
44
            response = requests.get(
45
                f"{endpoint}/{agent['id']}",
46
                auth=self.auth
47
            )
48
            vulns = response.json()
49
            critical_vulns.extend([
50
                v for v in vulns
51
                if v['severity'] in ['Critical', 'High']
52
            ])
53

54
        return self.format_ra_report(critical_vulns)

Continuous Compliance Monitoring#

Implement real-time CMMC compliance scoring:

1
<!-- Add to local_rules.xml -->
2
<group name="cmmc_compliance,">
3
  <!-- AU Compliance Check -->
4
  <rule id="130001" level="12">
5
    <if_sid>999999</if_sid>
6
    <match>log_retention_check_failed</match>
7
    <description>CMMC AU.L2-3.3.1: Log retention policy violation detected</description>
8
    <group>cmmc_audit,compliance_failure,</group>
9
  </rule>
10

11
  <!-- AC Compliance Check -->
12
  <rule id="130002" level="10">
13
    <if_sid>5501</if_sid>
14
    <time_period>86400</time_period>
15
    <frequency>10</frequency>
16
    <same_user />
17
    <description>CMMC AC.L2-3.1.1: Excessive authentication attempts from user</description>
18
    <group>cmmc_access,compliance_warning,</group>
19
  </rule>
20

21
  <!-- RA Compliance Check -->
22
  <rule id="130003" level="14">
23
    <if_sid>23504</if_sid>
24
    <field name="data.vulnerability.severity">Critical</field>
25
    <time_period>604800</time_period>
26
    <description>CMMC RA.L2-3.11.2: Critical vulnerability unpatched for 7 days</description>
27
    <group>cmmc_risk,compliance_critical,</group>
28
  </rule>
29
</group>

Integration with GRC Platforms#

Connect Wazuh to Governance, Risk, and Compliance tools:

1
# Export CMMC compliance data to GRC platform
2
def export_to_grc(compliance_data):
3
    """Export CMMC compliance metrics to GRC platform"""
4

5
    grc_payload = {
6
        "framework": "CMMC",
7
        "level": 2,
8
        "timestamp": datetime.utcnow().isoformat(),
9
        "controls": {
10
            "AU.L2-3.3.1": {
11
                "status": "compliant",
12
                "evidence": compliance_data['audit_logs'],
13
                "last_verified": datetime.utcnow().isoformat()
14
            },
15
            "AC.L2-3.1.11": {
16
                "status": "compliant",
17
                "evidence": compliance_data['access_controls'],
18
                "automated_controls": True
19
            },
20
            "RA.L2-3.11.2": {
21
                "status": "partial",
22
                "evidence": compliance_data['vulnerabilities'],
23
                "remediation_plan": "Patch Tuesday implementation"
24
            }
25
        }
26
    }
27

28
    # Send to GRC API
29
    response = requests.post(
30
        "https://grc-platform.com/api/compliance",
31
        json=grc_payload,
32
        headers={"Authorization": f"Bearer {GRC_TOKEN}"}
33
    )
34

35
    return response.status_code == 200

Best Practices for CMMC Compliance#

1. Log Retention Strategy#

Configure appropriate retention periods:

1
# Configure Wazuh log rotation for CMMC compliance
2
cat > /etc/logrotate.d/wazuh-cmmc << EOF
3
/var/ossec/logs/alerts/alerts.json {
4
    daily
5
    rotate 365
6
    compress
7
    delaycompress
8
    missingok
9
    notifempty
10
    create 0640 wazuh wazuh
11
    sharedscripts
12
    postrotate
13
        # Archive to long-term storage
14
        aws s3 cp /var/ossec/logs/alerts/alerts.json.1.gz \
15
            s3://cmmc-audit-logs/$(date +%Y/%m/%d)/
16
    endscript
17
}
18
EOF

2. Access Control Matrix#

Implement role-based access for CMMC domains:

1
# Wazuh RBAC configuration for CMMC
2
roles:
3
  cmmc_auditor:
4
    - indices:
5
        - "wazuh-alerts-*"
6
      privileges:
7
        - read
8
      query: |
9
        {
10
          "bool": {
11
            "should": [
12
              {"match": {"rule.groups": "cmmc_audit"}},
13
              {"match": {"rule.groups": "cmmc_access"}},
14
              {"match": {"rule.groups": "cmmc_risk"}}
15
            ]
16
          }
17
        }
18

19
  security_analyst:
20
    - indices:
21
        - "wazuh-alerts-*"
22
      privileges:
23
        - read
24
        - write
25
      query: |
26
        {
27
          "match_all": {}
28
        }

3. Automated Evidence Collection#

Script for CMMC audit evidence:

1
#!/bin/bash
2
EVIDENCE_DIR="/var/cmmc/evidence/$(date +%Y%m%d)"
3
mkdir -p "$EVIDENCE_DIR"
4

5
# AU Evidence - Log retention
6
echo "Collecting AU.L2-3.3.1 evidence..."
7
find /var/ossec/logs/alerts -name "*.gz" -mtime -365 | \
8
    wc -l > "$EVIDENCE_DIR/au_log_retention.txt"
9

10
# AC Evidence - Active responses
11
echo "Collecting AC.L2-3.1.11 evidence..."
12
grep -E "Active response" /var/ossec/logs/alerts/alerts.json | \
13
    jq -r '.timestamp + " | " + .agent.name + " | " + .data.command' \
14
    > "$EVIDENCE_DIR/ac_active_responses.txt"
15

16
# RA Evidence - Vulnerability scans
17
echo "Collecting RA.L2-3.11.2 evidence..."
18
curl -u admin:password \
19
    "https://localhost:55000/vulnerability/summary" | \
20
    jq '.' > "$EVIDENCE_DIR/ra_vulnerability_summary.json"
21

22
# Generate summary report
23
cat > "$EVIDENCE_DIR/cmmc_compliance_summary.txt" << EOF
24
CMMC Compliance Evidence Collection
25
Date: $(date)
26
Wazuh Version: $(cat /var/ossec/etc/VERSION)
27

28
AU.L2-3.3.1 - Log Retention: PASS
29
- Logs retained: $(cat au_log_retention.txt) files
30

31
AC.L2-3.1.11 - Access Control: PASS
32
- Active responses triggered: $(wc -l < ac_active_responses.txt)
33

34
RA.L2-3.11.2 - Vulnerability Management: REVIEW
35
- See ra_vulnerability_summary.json for details
36
EOF
37

38
# Archive evidence
39
tar czf "/var/cmmc/archive/evidence_$(date +%Y%m%d).tar.gz" "$EVIDENCE_DIR"

Performance Optimization#

Tuning for CMMC Workloads#

Optimize Wazuh for compliance monitoring:

1
<!-- ossec.conf optimizations -->
2
<ossec_config>
3
  <!-- Increase memory for compliance checks -->
4
  <global>
5
    <memory_size>2048</memory_size>
6
    <max_output_size>20480</max_output_size>
7
  </global>
8

9
  <!-- Dedicated compliance monitoring -->
10
  <localfile>
11
    <location>/var/log/cmmc-compliance.log</location>
12
    <log_format>json</log_format>
13
    <label key="cmmc">compliance</label>
14
  </localfile>
15

16
  <!-- Optimize vulnerability detection frequency -->
17
  <wodle name="vulnerability-detector">
18
    <disabled>no</disabled>
19
    <interval>6h</interval>
20
    <min_full_scan_interval>6h</min_full_scan_interval>
21
  </wodle>
22
</ossec_config>

Troubleshooting Common Issues#

Issue: Missing Compliance Events#

1
# Check agent connectivity
2
/var/ossec/bin/agent_control -l
3

4
# Verify log collection
5
tail -f /var/ossec/logs/ossec.log | grep -E "logcollector|cmmc"
6

7
# Test rule matching
8
echo 'test log entry' | /var/ossec/bin/ossec-logtest

Issue: Dashboard Not Showing CMMC Data#

1
# Refresh index patterns
2
curl -XPOST "localhost:5601/api/index_patterns/wazuh-alerts-*/_refresh_fields"
3

4
# Check field mappings
5
curl -XGET "localhost:9200/wazuh-alerts-*/_mapping/field/data.sca.check.compliance.cmmc_v2.0.*"

Conclusion#

Implementing Wazuh for CMMC compliance provides organizations with:

✅ Automated compliance monitoring across all CMMC domains
📊 Real-time visibility into security posture
🚨 Active response capabilities for access control
📈 Comprehensive vulnerability management
📝 Audit-ready evidence collection

By leveraging Wazuh’s native CMMC mappings and capabilities, organizations can confidently meet DoD requirements while maintaining operational efficiency.

Next Steps#

Phase 1: Deploy basic CMMC monitoring
Phase 2: Implement active response controls
Phase 3: Create custom dashboards
Phase 4: Automate evidence collection
Phase 5: Integrate with GRC platforms

Remember: CMMC compliance is an ongoing journey, not a destination. Regular reviews and updates ensure continued alignment with evolving requirements.

Resources#

Securing the Defense Industrial Base, one log at a time. Stay compliant! 🛡️