Wazuh all-in-one step-by-step deployment

Wazuh is a free, open source, enterprise-grade security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

Adding the Wazuh repository

yum install curl unzip wget libcap -y
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Install the Wazuh manager

yum install wazuh-manager-4.2.7-1
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl status wazuh-manager

Install Elasticsearch

yum install opendistroforelasticsearch

Configuring Elasticsearch

curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

Elasticsearch users and roles

curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml

The user configuration file is: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Certificates creation

rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f

Generate and deploy the certificates:

curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml

Run the wazuh-cert-tool.sh to create the certificates:

bash ~/wazuh-cert-tool.sh

08/30/2022 12:29:28 INFO: Configuration file found. Creating certificates...
08/30/2022 12:29:28 INFO: Creating the Elasticsearch certificates...
08/30/2022 12:29:28 INFO: Creating Wazuh server certificates...
08/30/2022 12:29:29 INFO: Creating Kibana certificate...
08/30/2022 12:29:29 INFO: Certificates creation finished. They can be found in ~/certs.

Move the Elasticsearch certificates to their corresponding location:

mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/

The steps above have a pitfall; run the following commands to work around it:

cp /etc/elasticsearch/certs/root-ca.*  /etc/elasticsearch/
cp /etc/elasticsearch/certs/elasticsearch-key.pem /etc/elasticsearch/esnode-key.pem
cp /etc/elasticsearch/certs/elasticsearch.pem /etc/elasticsearch/esnode.pem
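Before starting the service it is worth confirming that every certificate path in elasticsearch.yml actually resolves. The script below is an added preflight check, not from the original post; it assumes only a POSIX shell and resolves relative paths against the config file's directory, as the plugin does for the stock esnode.pem entries.

```shell
# Added preflight check, not from the original post: confirms that every *_filepath entry in
# the Open Distro security section of elasticsearch.yml points at a readable file before the
# service is started. Relative paths are resolved against the config file's directory, which
# is how the plugin treats the stock "esnode.pem" entries. Assumes only a POSIX shell.

# check_cert_paths CONFIG_YML: prints "OK <key> <path>" or "MISSING <key> <path>" per entry;
# exit status 0 only when every referenced file is readable.
check_cert_paths() {
    cfg=$1; missing=0
    while IFS=' ' read -r key path; do
        [ -n "$key" ] || continue
        case $path in /*) ;; *) path="$(dirname "$cfg")/$path" ;; esac
        if [ -r "$path" ]; then
            printf 'OK %s %s\n' "$key" "$path"
        else
            printf 'MISSING %s %s\n' "$key" "$path"; missing=$((missing + 1))
        fi
    done <<EOF
$(sed -n 's/^[[:space:]]*\([A-Za-z0-9_.]*_filepath\):[[:space:]]*"\{0,1\}\([^" ]*\).*/\1 \2/p' "$cfg")
EOF
    [ "$missing" -eq 0 ]
}

# Constructed demo: a scratch config directory laid out like the page's, with the transport
# certificates copied into certs/ but the relative http entries still pointing at esnode*.pem.
demo_cert_check() {
    dir=$(mktemp -d)
    mkdir -p "$dir/certs"
    : > "$dir/certs/root-ca.pem"; : > "$dir/certs/elasticsearch.pem"; : > "$dir/certs/elasticsearch-key.pem"
    cat > "$dir/elasticsearch.yml" <<EOF
opendistro_security.ssl.transport.pemcert_filepath: $dir/certs/elasticsearch.pem
opendistro_security.ssl.transport.pemkey_filepath: $dir/certs/elasticsearch-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: $dir/certs/root-ca.pem
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
EOF
    check_cert_paths "$dir/elasticsearch.yml"; rc=$?
    rm -rf "$dir"
    return $rc
}

demo_cert_check || echo "some referenced certificate files are missing; fix before systemctl start elasticsearch"
```

Run it as `check_cert_paths /etc/elasticsearch/elasticsearch.yml` on the real host; each MISSING line names the key whose file the extra cp commands above have to provide.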

Add the following configuration to mitigate Apache Log4j2 Remote Code Execution (RCE) vulnerability - CVE-2021-44228 - ESA-2021-31.

mkdir -p /etc/elasticsearch/jvm.options.d
echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch

Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster:

export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem

curl -XGET https://localhost:9200 -u admin:admin -k
By default the Elasticsearch performance analyzer plugin is installed, and it can have a negative impact on system resources. We recommend removing it with the following command, then make sure to restart the Elasticsearch service:
/usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro-performance-analyzer
systemctl restart elasticsearch

Install Filebeat

yum install filebeat -y
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module

Copy the Elasticsearch certificates into /etc/filebeat/certs:

mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
filebeat test output


Install Kibana

yum install opendistroforelasticsearch-kibana -y

Download the Kibana configuration file:

curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data

Install the Wazuh Kibana plugin

cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.7_7.10.2-1.zip

Copy the Elasticsearch certificates into /etc/kibana/certs:

mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*

Link Kibana socket to privileged port 443:

setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana

Access Kibana
URL: https://<wazuh_server_ip>
user: admin
password: admin

Installation is now complete; what remains is installing agents and configuring rules.

Deploying the agent on Linux

Add the Wazuh repository

Import the GPG key:

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository:

cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Install

WAZUH_MANAGER="server ip"  yum install wazuh-agent-4.2.7-1
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent

Disable Wazuh updates

sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Custom rules:

Reverse shell detection
Server side:
/var/ossec/etc/rules/local_rules.xml

<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="100011" level="0">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'ps -eo user,cmd,pid'</match>
    <description>Important process not running.</description>
    <group>process_monitor,</group>
  </rule>
  <rule id="100012" level="15">
    <if_sid>100011</if_sid>
    <match>bash -i|sh -i|nc -e|/bin/bash -i|/bin/sh -i|ruby -rsocket -e|python -c 'import sys,socket,os,pty;s=socket.socket();'|exec 5|awk BEGIN{s="/inet/tcp</match>
    <description>检测到反弹shell</description>
    <group>process_monitor,</group>
  </rule>
</group>

/var/ossec/etc/shared/default/agent.conf

<agent_config>

  <!-- Shared agent configuration here -->

    <localfile>
        <log_format>command</log_format>
        <command>ps -eo user,cmd,pid</command>
        <frequency>120</frequency>
    </localfile>
</agent_config>
systemctl restart wazuh-manager.service 

Agent side:
/var/ossec/etc/local_internal_options.conf

# local_internal_options.conf
#
# This file should be handled with care. It contains
# run time modifications that can affect the use
# of OSSEC. Only change it if you know what you
# are doing. Look first at ossec.conf
# for most of the things you want to change.
#
# This file will not be overwritten during upgrades.
logcollector.remote_commands=1
systemctl restart wazuh-agent

Reverse shell detection (screenshot)
Brute force (screenshot)
Configure email alerts:

/var/ossec/etc/ossec.conf

<!--
  Wazuh - Manager - Default configuration for centos 7.5
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>xxxxx@hxxxer.com.cn</email_from>
    <email_to>xxxx@qq.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>5</email_alert_level>  <!-- custom email alert level -->
  </alerts>

yum install postfix mailx cyrus-sasl cyrus-sasl-plain

Append to the end of /etc/postfix/main.cf:

# changed from the default (Postfix main.cf does not accept a trailing comment on a value line)
inet_interfaces = all
relayhost = [smtphm.xxx.163.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes

Configure the password:

# the bracketed host:port key must match relayhost in main.cf exactly
echo '[smtphm.xxx.163.com]:587 monitor@xxx.com.cn:pass' > /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
systemctl enable postfix
systemctl start postfix

Restart the service

systemctl restart wazuh-manager.service

Detecting Cobalt Strike
https://wazuh.com/blog/detecting-cobalt-strike-beacons-using-wazuh/

rootkit

/var/ossec/etc/shared/default/agent.conf

<agent_config os="linux">
 
  <!-- Shared agent configuration here -->
 
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
    <check_files>yes</check_files>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
    <ignore type="sregex">^/etc/</ignore>
    <scanall>yes</scanall>
 
    <frequency>1800</frequency>
 
    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
  </rootcheck>
 
</agent_config>

etc/shared/default/rootkit_files.txt

#Reptile
reptile/reptile_cmd         ! Reptile rootkit ::
reptile/reptile_rc          ! Reptile rootkit ::
reptile/reptile_shell       ! Reptile rootkit ::
reptile/reptile_start       ! Reptile rootkit ::
lib/udev/reptile            ! Reptile rootkit ::
