This chapter describes requirements concerning GDPR basic principles, mainly for personal data and how to process it, but also regarding shared data.
Article 5, “Principles relating to processing of personal data”, Head 1(f): “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
The article requires ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, verifying modifications, accesses and locations of the data while guaranteeing its safety. This includes file sharing protection and file sharing technologies that meet data protection requirements.
Wazuh’s File integrity monitoring (FIM) helps with this task by watching specific files and triggering alerts when they are modified. The component responsible for this task is called Syscheck. It stores the cryptographic checksum and other attributes of files or Windows registry keys and regularly compares them to the current checksum and attributes.
Here are some examples of Wazuh rules tagged as gdpr_II_5.1.f:
    <rule id="550" level="7">
      <category>ossec</category>
      <decoded_as>syscheck_integrity_changed</decoded_as>
      <description>Integrity checksum changed.</description>
      <group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,</group>
    </rule>
    <rule id="554" level="5">
      <category>ossec</category>
      <decoded_as>syscheck_new_entry</decoded_as>
      <description>File added to the system.</description>
      <group>syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,</group>
    </rule>
In this example we configured Wazuh to detect changes in
    <syscheck>
      <directories check_all="yes" report_changes="yes">/root/personal_data</directories>
    </syscheck>
When we modify the file, Wazuh generates an alert.
    root@agent:~# ls -l personal_data
    total 4
    -rw-r--r-- 1 root root 18 may 16 11:39 subject_data.txt
    root@agent:~# cat personal_data/subject_data.txt
    User01= user03_ID
    root@agent:~# echo "User01= user02_ID" > personal_data/subject_data.txt
    root@agent:~# cat personal_data/subject_data.txt
    User01= user02_ID
As you can see, syscheck alerts are tagged with gdpr_II_5.1.f.
    ** Alert 1526470666.11377: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,
    2018 May 16 13:37:46 (agent01) 192.168.1.50->syscheck
    Rule: 550 (level 7) -> 'Integrity checksum changed.'
    Integrity checksum changed for: '/root/personal_data/subject_data.txt'
    Old md5sum was: 'c86fc18b025cb03c698548a5a7e04bc1'
    New md5sum is : '425e63943d8ae5491f1769033da66456'
    Old sha1sum was: '3bef1dc414e7fe247cdca4d4900c23047e003a06'
    New sha1sum is : '048af26252c3b9eb6fd4335d5e218891f90c9037'
    What changed:
    1c1
    < User01= user03_ID
    ---
    > User01= user02_ID
    File: /root/personal_data/subject_data.txt
    New size: 18
    New permissions: 100644
    New user: root (0)
    New group: root (0)
    Old MD5: c86fc18b025cb03c698548a5a7e04bc1
    New MD5: 425e63943d8ae5491f1769033da66456
    Old SHA1: 3bef1dc414e7fe247cdca4d4900c23047e003a06
    New SHA1: 048af26252c3b9eb6fd4335d5e218891f90c9037
    Old date: Wed May 16 12:18:15 2018
    New date: Wed May 16 13:32:54 2018
    New inode: 19690
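To review which monitored files produced alerts under this GDPR tag, the plain-text alert format shown above can be parsed and filtered on the exact group name. The following is an added example, not part of Wazuh; the function names are hypothetical, the first sample alert is abridged from this page and the second is constructed.

```python
import re

# First alert: abridged from the example on this page.
# Second alert: constructed, with a made-up local rule and no GDPR tag.
SAMPLE = """\
** Alert 1526470666.11377: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,
2018 May 16 13:37:46 (agent01) 192.168.1.50->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/root/personal_data/subject_data.txt'
Old sha1sum was: '3bef1dc414e7fe247cdca4d4900c23047e003a06'
New sha1sum is : '048af26252c3b9eb6fd4335d5e218891f90c9037'

** Alert 1526470700.11999: - local,constructed,
2018 May 16 13:38:20 (agent01) 192.168.1.50->constructed
Rule: 100001 (level 3) -> 'Constructed non-GDPR alert.'
"""

HEADER = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):[^-]*- (?P<groups>.*)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
PATH = re.compile(r"^Integrity checksum changed for: '(?P<path>.*)'$")
SHA1 = re.compile(r"^(?P<which>Old|New) sha1sum (?:was|is) ?: '(?P<hash>[0-9a-f]{40})'$")

def parse_alerts(text):
    """Split alert-log text into one dict per alert (groups, rule, path, hashes)."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        alert = {"groups": [], "sha1": {}}
        for line in block.splitlines():
            if m := HEADER.match(line):
                alert["id"] = m["id"]
                alert["groups"] = [g for g in m["groups"].split(",") if g]
            elif m := RULE.match(line):
                alert.update(rule=int(m["rule"]), level=int(m["level"]), description=m["desc"])
            elif m := PATH.match(line):
                alert["path"] = m["path"]
            elif m := SHA1.match(line):
                alert["sha1"][m["which"].lower()] = m["hash"]
        alerts.append(alert)
    return alerts

def gdpr_fim_changes(text, tag="gdpr_II_5.1.f"):
    """Keep syscheck alerts whose group list contains the tag exactly."""
    return [a for a in parse_alerts(text) if tag in a["groups"] and "syscheck" in a["groups"]]

if __name__ == "__main__":
    for a in gdpr_fim_changes(SAMPLE):
        print(a["id"], a["rule"], a["path"], a["sha1"].get("old"), "->", a["sha1"].get("new"))
```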