David Chisnall (*Now with 50% more sarcasm!*) on Nostr:
I came across a reference to #Wazuh in another thread. It looks interesting: an open-source thing that can manage a bunch of compliance requirements.
So I went looking for information about their agent's security. Things I did find:
- Installing it requires root and it appears to run as root.
Things I did not find:
- Any security audit of the agent.
- Any documentation on how they do privilege separation in the agent.
- Any design docs for the agent.
- Any threat model docs for the agent.
Are these things somewhere I missed? Anyone familiar with the project know how they avoid their network-connected-and-highly-privileged thing being an attack vector for client devices? Is it possible to run it sandboxed with read-only access to the system (for reporting violations but not automatically trying to fix them)?
Published at
2026-04-09 15:51:25 UTC