Wazuh ("The Open Source Security Platform") is an endpoint security management suite built on the OSSEC detection engine and the EFK (Elasticsearch, Filebeat, Kibana) logging stack. Whether you file it under HIDS or EDR, it is a free, open-source tool that monitors host logs and behaviour and delivers detection, analysis and complete reporting. Wazuh uses a client/server architecture: the agent runs on Windows, macOS, Linux, HP-UX, AIX and the other mainstream operating systems; the server authenticates agents and collects their data, Filebeat cleans and ships the logs into Elasticsearch, and Kibana displays and exports them. Beyond conventional intrusion detection on host event logs, it can load vulnerability feeds published by third parties to perform vulnerability scanning and compliance checks on the hosts.
Basic concepts
Feature examples

Components
Wazuh is made up of three parts:
- Agent

- Collects logs and event logs
- Monitors files and the registry
- Inventories running processes and installed software
- Monitors listening ports and network configuration
- Detects malware
- Configuration assessment and policy monitoring
- Active response on the host
- Server

- Agent registration
- Agent connection service
- Rule-based analysis engine for event logs
- RESTful API
- Server-side clustering
- Ships the alert files to Elasticsearch through Filebeat
- Elastic Stack

- Collects and stores event logs
- Analyses logs and provides search
- Displays and analyses event logs
Single-node deployment
Installation requirements
- Port requirements

| Component | Software | Port | Protocol | Purpose |
|---|---|---|---|---|
| Wazuh server | Wazuh manager | 1514 | TCP (default) | Agent connection service |
| Wazuh server | Wazuh manager | 1514 | UDP | Agent connection service |
| Wazuh server | Wazuh manager | 1515 | TCP | Agent registration service |
| Wazuh server | Wazuh manager | 1516 | TCP | Wazuh cluster daemon |
| Wazuh server | Wazuh API | 55000 | TCP | Wazuh RESTful API |
| Elastic Stack | Elasticsearch | 9200 | TCP | Elasticsearch RESTful API |
| Elastic Stack | Elasticsearch | 9300-9400 | TCP | Elasticsearch cluster communication |
| Elastic Stack | Kibana | 5601 | TCP | Kibana web interface |
- System requirements
- The server can only be deployed on a Linux host
- RHEL/CentOS 6.x, Ubuntu 12, Debian 7 or newer are recommended
- Hardware requirements

| Component | Minimum RAM (GB) | Minimum CPU (cores) | Recommended RAM (GB) | Recommended CPU (cores) |
|---|---|---|---|---|
| Wazuh server | 2 | 2 | 8 | 4 |
| Elastic Stack | 4 | 2 | 16 | 8 |
- Storage
- Give the Wazuh server a dedicated partition for log storage
- Size it to at least six times the current monthly log volume; in practice plan at least 100 GB of log storage per Wazuh server
- Elasticsearch aggregates the logs of several Wazuh servers and must keep at least six months of them; plan 1 TB of storage
- Deployment topology

Deployment plan
- Deployment topology

- Network addresses

| Role | Version | Address |
|---|---|---|
| Elasticsearch | 7.11.2 | 172.31.101.63 |
| Kibana | 7.11.2 | 172.31.101.57 |
| Wazuh master | 4.1.5 | 172.31.101.57 |
| Wazuh agent | 4.0.3 | |
Implementation
- Elasticsearch installation

```shell
# Install prerequisites
yum install -y zip unzip curl
# Import the signing key
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Add the official repository
cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
# Install the package
yum makecache
yum upgrade -y
yum install -y elasticsearch-7.11.2
# Write the configuration (keep the shipped file as a backup)
mv /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml-bak
touch /etc/elasticsearch/elasticsearch.yml
cat > /etc/elasticsearch/elasticsearch.yml << EOF
cluster.name: elastic
node.name: elasticnode1
network.host: 172.31.101.63
cluster.initial_master_nodes: ["elasticnode1"]
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
EOF
# Open the firewall
firewall-cmd --permanent --add-service=elasticsearch
firewall-cmd --reload
# Start the service
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
# Verify the service from another host
curl -XGET http://172.31.101.63:9200
{
  "name" : "elasticnode1",
  "cluster_name" : "elastic",
  "cluster_uuid" : "ahjxhVEHREKNmBAfjcuyNw",
  "version" : {
    "number" : "7.11.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "3e5a16cfec50876d20ea77b075070932c6464c7d",
    "build_date" : "2021-03-06T05:54:38.141101Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
# That unauthenticated answer from a different host is worth noticing: as configured, port 9200
# has neither TLS nor a login. Restrict the firewall rule to the Wazuh server and Kibana addresses
# (or enable xpack.security.enabled) before real alert data lands here.
# Disable the repository so components are not upgraded unintentionally
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
```
- Kibana installation

```shell
# Install prerequisites
yum install -y zip unzip curl
# Import the repository signing key
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Add the official repository
cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
# Install the package
yum makecache
yum upgrade -y
yum install -y kibana-7.11.2
# Edit the configuration file
cp /etc/kibana/kibana.yml /etc/kibana/kibana.yml-bak
cat >> /etc/kibana/kibana.yml << EOF
server.port: 5601
server.host: "localhost"
server.name: "kibana"
i18n.locale: "zh-CN"
elasticsearch.hosts: ["http://172.31.101.63:9200"]
kibana.index: ".kibana"
kibana.defaultAppId: "home"
server.defaultRoute : "/app/wazuh"
EOF
# Create the data directory
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana
# Install the Wazuh plugin offline
wget https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.11.2-1.zip
cp ./wazuh_kibana-4.1.5_7.11.2-1.zip /tmp
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuh_kibana-4.1.5_7.11.2-1.zip
# Enable the service
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
# Disable the repository so components are not upgraded unintentionally
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
# Set up the reverse proxy (edit the file nginx actually loads, not nginx.conf.default)
yum install -y nginx
systemctl enable --now nginx
vim /etc/nginx/nginx.conf
# Add the following inside the server {} block
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    location / {
        proxy_pass http://localhost:5601/;
    }
nginx -s reload
# Nothing in this chain authenticates users: Kibana listens only on localhost, but nginx now
# publishes it on port 80 to the whole network with no TLS and no login. Add auth_basic and a
# certificate to the server block, or enable Elastic security, before exposing it.
# Log in to Kibana and open the Wazuh plugin once (this creates the plugin's config file),
# then return to the console and point the plugin at the Wazuh API host
sed -i "s/localhost/172.31.101.57/g" /usr/share/kibana/data/wazuh/config/wazuh.yml
```
- Wazuh master installation

```shell
# Install prerequisites
yum install -y zip unzip curl
# Import the signing keys
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Add the official repositories. The heredoc delimiter is quoted so that $releasever
# reaches the .repo file literally instead of being expanded (to nothing) by the shell.
cat > /etc/yum.repos.d/wazuh.repo << 'EOF'
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
# Install the packages. The 4.x repository delivered wazuh-manager 4.1.5 at the time of
# writing; the Kibana plugin version installed above has to match the manager version.
yum makecache
yum upgrade -y
yum install -y wazuh-manager
yum install -y filebeat-7.11.2
# Configure Filebeat
mv /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml-bak
touch /etc/filebeat/filebeat.yml
cat > /etc/filebeat/filebeat.yml << EOF
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch.hosts: ['http://172.31.101.63:9200']
EOF
# Fetch the Wazuh index template for Filebeat
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
# Fetch the Wazuh Filebeat module
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
# Firewall rules
firewall-cmd --permanent --add-port={1514/tcp,1515/tcp,55000/tcp}
firewall-cmd --reload
# Disable the repositories so components are not upgraded unintentionally
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# Start the services
systemctl daemon-reload
systemctl enable --now wazuh-manager
systemctl enable --now filebeat
# Verify Filebeat
filebeat test output
elasticsearch: http://172.31.101.63:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.31.101.63
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.11.2
# "secure connection disabled" means the alerts are shipped to Elasticsearch in clear text.
# That is tolerable on an isolated management segment; anywhere else put TLS on 9200.
# Then reload the Kibana page
```
- Wazuh agent installation (Linux)

```shell
# Install on the Elasticsearch and Kibana hosts; the manager address and agent group
# are passed to the package as environment variables
sudo WAZUH_MANAGER='172.31.101.57' WAZUH_AGENT_GROUP='default' yum install -y https://packages.wazuh.com/4.x/yum/wazuh-agent-4.1.5-1.x86_64.rpm
# Start the service
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```
- Wazuh agent installation (Windows)

```powershell
# Open a PowerShell console as Administrator
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.1.5-1.msi -OutFile wazuh-agent.msi
./wazuh-agent.msi /q WAZUH_MANAGER='172.31.101.57' WAZUH_REGISTRATION_SERVER='172.31.101.57' WAZUH_AGENT_GROUP='default'
```
Vulnerability scanning
How scanning works
- Wazuh is not a vulnerability scanner; it uses its own modules to keep watch over known vulnerabilities in the operating system
- The agent inventories the versions of installed software and uploads them to the master node; the master compares them against the CVE feeds published by each OS vendor and against NIST's NVD, loaded online or offline, and raises alerts for matches
- No crawling or port scanning is involved, so the performance impact on the monitored host is minimal
- Databases, middleware and similar software are covered, but only when the packages come from the OS vendor's own repositories, because the comparison is done purely on package names
- Wazuh can integrate with ClamAV, Suricata and other security tools
Configuration
- Set up the offline feeds

```shell
# Install nginx on the Wazuh master to serve the feed files
yum install -y nginx
mkdir -p /var/www/wazuh/os
chown -R nginx:nginx /var/www/wazuh
# Download the offline feeds
cd /var/www/wazuh/
# RHEL 7 and RHEL 8 OVAL feeds
wget https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
# Microsoft update feed
wget https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
# Red Hat security data (JSON)
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/rh-generator.sh
chmod +x ./*.sh
mkdir redhat
./rh-generator.sh redhat/
# NVD CVE database
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/nvd-generator.sh
chmod +x ./*.sh
mkdir nvd
./nvd-generator.sh 2010 nvd/
# Configure nginx
vim /etc/nginx/nginx.conf
# Add or change the following inside the server {} block
    root /var/www/wazuh;
    location / {
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }
# In the topology above the Wazuh master and Kibana share 172.31.101.57, so this nginx is the
# same one that proxies Kibana; two "location /" blocks in one server {} collide. Serve the
# feeds from a separate server {} on another port, or from a dedicated location.
# The feeds are fetched from the vendors over HTTPS but handed to wazuh-manager over plain HTTP:
# whoever can write to /var/www/wazuh, or answer for that address, can make vulnerabilities
# disappear from the reports. Keep the directory owned by nginx and the port reachable from
# the manager nodes only.
```
- Configure the vulnerability detector module
vim /var/ossec/etc/ossec.conf

```xml
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>

  <!-- Red Hat OS vulnerabilities -->
  <provider name="redhat">
    <enabled>yes</enabled>
    <os url="http://172.31.101.57/rhel-7-including-unpatched.oval.xml.bz2">7</os>
    <os url="http://172.31.101.57/rhel-8-including-unpatched.oval.xml.bz2">8</os>
    <url start="1" end="25">http://172.31.101.57/redhat/redhat-feed[-].json</url>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Windows OS vulnerabilities -->
  <provider name="msu">
    <enabled>yes</enabled>
    <url>http://172.31.101.57/msu-updates.json.gz</url>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Aggregate vulnerabilities -->
  <provider name="nvd">
    <enabled>yes</enabled>
    <url start="2010" end="2021">http://172.31.101.57/nvd/nvd-feed[-].json.gz</url>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
```
- Schedule periodic feed updates
```bash
#!/bin/bash
cd /var/www/wazuh/
# Ubuntu 20.04 OVAL feed (only useful once a "canonical" provider is added to ossec.conf)
wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
# RHEL 6/7/8 OVAL feeds
wget -N https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
# Microsoft update feed
wget -N https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
# Red Hat security data (JSON)
/bin/bash /var/www/wazuh/rh-generator.sh /var/www/wazuh/redhat
# NVD CVE database
/bin/bash /var/www/wazuh/nvd-generator.sh 2010 /var/www/wazuh/nvd
# Fix ownership of the new files
chown -R nginx:nginx /var/www/wazuh
# Restart the manager so it reloads the databases
systemctl restart wazuh-manager.service
```
- Checking scan results

- Email alerts

```xml
<!-- Enable global email notifications. Wazuh has no mail transport of its own;
     it hands the message to the SMTP server configured here. -->
<global>
  <email_notification>yes</email_notification>
  <email_to>sujx@live.cn</email_to>
  <smtp_server>exmail.qq.com</smtp_server>
  <email_from>i@sujx.net</email_from>
  <email_maxperhour>12</email_maxperhour>
</global>
<!-- wazuh-maild speaks plain, unauthenticated SMTP to <smtp_server>. If the provider requires
     a login, point smtp_server at localhost and let the Postfix relay in the next section
     add the credentials. -->

<!-- Alert thresholds: log alerts of level 3 and above, email alerts of level 12 and above -->
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>

<!-- Daily report of high-severity alerts (level 13 and above) -->
<reports>
  <level>13</level>
  <title>Daily report: Alerts with level higher than 13</title>
  <email_to>sujx@live.cn</email_to>
</reports>

<!-- Force an email for one rule regardless of the thresholds above. This is set on the
     rule itself (in a rules file), not in the global configuration. -->
<rule id="502" level="3">
  <if_sid>500</if_sid>
  <options>alert_by_email</options>
  <match>Ossec started</match>
  <description>Ossec server started.</description>
</rule>
```
- Mail delivery

```shell
yum install -y mailx
# Sending through an internal relay with mailx
cat >> /etc/mail.rc <<EOF
# internal relay that accepts unauthenticated mail
set smtp=smtp.example.com
EOF
# Sending through a public mailbox
yum install -y postfix mailx cyrus-sasl cyrus-sasl-plain
# Configure the relay
cat >> /etc/postfix/main.cf <<EOF
relayhost = [smtp.exmail.qq.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
# "encrypt" makes TLS mandatory before the SASL password is sent;
# the older smtp_use_tls = yes only tries TLS opportunistically
smtp_tls_security_level = encrypt
EOF
# Credentials for sending as i@sujx.net to the configured recipients
echo "[smtp.exmail.qq.com]:587 i@sujx.net:PASSWORD" > /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
# The password file is readable by root only
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
# Reload the service
systemctl reload postfix
# Test message
echo "Test mail from postfix" | mail -s "Test Postfix" -r "i@sujx.net" sujx@live.cn

# Example alert email
Wazuh Notification.
2021 Jul 03 23:21:09

Received From: (server002.sujx.net) any->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

File '/etc/sysconfig/iptables.save' modified
Mode: scheduled
Changed attributes: mtime,md5,sha1,sha256
…………
--END OF NOTIFICATION

# Example daily report
Report 'Daily report: Alerts with level higher than 13.' completed.
------------------------------------------------
->Processed alerts: 481384
->Post-filtering alerts: 1953
->First alert: 2021 Jun 29 00:06:08
->Last alert: 2021 Jun 29 23:59:17

Top entries for 'Level':
------------------------------------------------
Severity 13                                                             |1953    |

Top entries for 'Group':
------------------------------------------------
gdpr_IV_35.7.d                                                          |1953    |
pci_dss_11.2.1                                                          |1953    |
pci_dss_11.2.3                                                          |1953    |
tsc_CC7.1                                                               |1953    |
tsc_CC7.2                                                               |1953    |
vulnerability-detector                                                  |1953    |

Top entries for 'Location':
……
```
- Generating a PDF vulnerability report with Kibana

Production recommendations
- The vulnerability detector saturates the CPU easily; run Wazuh in cluster mode and give it enough workers to carry the scanning load
- Size workers at 4 cores / 4 GB: memory use is around 2 GB, but CPU use is high and multi-core scaling is poor (Wazuh has said later versions will improve this)
- If a full-estate scan report is required every 24 hours, plan roughly one worker per 200 agents
- Because multi-threading and the management of workers in cluster mode are not well optimised, deploy on well-specified physical machines once there are more than 1000 agents
Use cases
Packages from the OS vendor's repository
- Install the database

```shell
yum makecache
# the version shipped with the system is 10
yum install -y postgresql postgresql-server
```
- Start the database

```shell
# Initialise and start the service
postgresql-setup initdb
systemctl enable postgresql.service --now
```
- Run vulnerability detection

Packages from the software vendor's repository
- Install the database

```shell
# Add the official PostgreSQL (PGDG) repository
yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
# Refresh the metadata; version 12 is used as the example
yum makecache
# Install the database
yum install -y postgresql12 postgresql12-server
```
- Start the database
```shell
# Create the data directory
mkdir -p /var/lib/pgsql/12/data/
chown postgres:postgres /var/lib/pgsql/12/ -R
# Initialise and start the service
postgresql-12-setup initdb
systemctl enable postgresql-12.service --now
```
- Run vulnerability detection
- No results
The problem
Wazuh compares package names (or KB numbers on Windows); on RPM-based distributions it reads the rpm database and matches on the package name.
PostgreSQL illustrates this.
- The Red Hat OVAL feed

```xml
<!-- The Red Hat OVAL feed does carry definitions for PostgreSQL 12 (the postgresql:12 module stream) -->
<criterion comment="Module postgresql:12 is enabled" test_ref="oval:com.redhat.cve:tst:202120229037"/>
<criterion comment="postgresql-plperl is installed" test_ref="oval:com.redhat.cve:tst:202120229001"/>
<criterion comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229002"/>
<criterion comment="postgresql-server-devel is installed" test_ref="oval:com.redhat.cve:tst:202120229007"/>
<criterion comment="postgresql-server-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229008"/>
<criterion comment="postgresql-plpython3 is installed" test_ref="oval:com.redhat.cve:tst:202120229009"/>
<criterion comment="postgresql-plpython3 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229010"/>
<criterion comment="postgresql is installed" test_ref="oval:com.redhat.cve:tst:202120229011"/>
<criterion comment="postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229012"/>
<criterion comment="postgresql-static is installed" test_ref="oval:com.redhat.cve:tst:202120229013"/>
<criterion comment="postgresql-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229014"/>
<criterion comment="postgresql-upgrade is installed" test_ref="oval:com.redhat.cve:tst:202120229015"/>
<criterion comment="postgresql-upgrade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229016"/>
<criterion comment="postgresql-docs is installed" test_ref="oval:com.redhat.cve:tst:202120229017"/>
<criterion comment="postgresql-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229018"/>
<criterion comment="postgresql-contrib is installed" test_ref="oval:com.redhat.cve:tst:202120229019"/>
<criterion comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229020"/>
<criterion comment="postgresql-pltcl is installed" test_ref="oval:com.redhat.cve:tst:202120229023"/>
<criterion comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229024"/>
<criterion comment="postgresql-test-rpm-macros is installed" test_ref="oval:com.redhat.cve:tst:202120229025"/>
<criterion comment="postgresql-test-rpm-macros is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229026"/>
<criterion comment="postgresql-debugsource is installed" test_ref="oval:com.redhat.cve:tst:202120229029"/>
<criterion comment="postgresql-debugsource is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229030"/>
<criterion comment="postgresql-server is installed" test_ref="oval:com.redhat.cve:tst:202120229031"/>
<criterion comment="postgresql-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229032"/>
<criterion comment="postgresql-upgrade-devel is installed" test_ref="oval:com.redhat.cve:tst:202120229033"/>
<criterion comment="postgresql-upgrade-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229034"/>
```
- Package names in the PGDG repository

```shell
[sujx@postgresql ~]$ rpm -qa | grep postgresql
postgresql12-12.7-2PGDG.rhel8.x86_64
postgresql12-libs-12.7-2PGDG.rhel8.x86_64
postgresql12-server-12.7-2PGDG.rhel8.x86_64
```
Conclusion
postgresql12 is not postgresql. With the Red Hat OVAL feed Wazuh can find vulnerabilities in the postgresql packages that Red Hat builds, but not in the PGDG ones, even though both install PostgreSQL 12 and the OVAL definition covers that version.
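The name-only comparison described under "How scanning works" and demonstrated by the postgresql12 case above, as an added example (this is not Wazuh's matcher, which lives in C inside wazuh-modulesd): it pulls the package names out of the `<criterion comment="... is installed">` lines of the Red Hat OVAL excerpt and intersects them with the names parsed from `rpm -qa` output. The PGDG lines are the ones captured above; the distribution-package lines and their version strings are constructed for the example and are not real captured output.

```python
import re

# Constructed excerpt of the Red Hat OVAL <criterion> lines shown on this page
# (a few of them; the test_ref ids play no part in name matching).
OVAL_CRITERIA = """
<criterion comment="Module postgresql:12 is enabled" test_ref="oval:com.redhat.cve:tst:202120229037"/>
<criterion comment="postgresql-plperl is installed" test_ref="oval:com.redhat.cve:tst:202120229001"/>
<criterion comment="postgresql is installed" test_ref="oval:com.redhat.cve:tst:202120229011"/>
<criterion comment="postgresql-contrib is installed" test_ref="oval:com.redhat.cve:tst:202120229019"/>
<criterion comment="postgresql-server is installed" test_ref="oval:com.redhat.cve:tst:202120229031"/>
"""

# `rpm -qa` output. The PGDG lines are the ones captured above; the distribution lines
# (and their version/release strings) are constructed stand-ins for the AppStream packages.
RPM_QA_PGDG = """
postgresql12-12.7-2PGDG.rhel8.x86_64
postgresql12-libs-12.7-2PGDG.rhel8.x86_64
postgresql12-server-12.7-2PGDG.rhel8.x86_64
"""
RPM_QA_DISTRO = """
postgresql-10.17-1.module_el8.4.0+823+f0dbd136.x86_64
postgresql-server-10.17-1.module_el8.4.0+823+f0dbd136.x86_64
"""

# Only the "<name> is installed" criteria name a package; "is signed with" and
# "Module ... is enabled" are different kinds of tests.
INSTALLED_RE = re.compile(r'comment="(?P<pkg>\S+) is installed"')


def oval_package_names(oval_xml: str) -> set:
    """Package names the OVAL definition tests for."""
    return {m.group("pkg") for m in INSTALLED_RE.finditer(oval_xml)}


def split_nvra(line: str) -> tuple:
    """Split 'name-version-release.arch' into (name, version, release, arch).

    The name itself may contain '-', so split from the right: last '.' is the
    arch separator, then the last two '-' separate release and version.
    """
    nvr, _, arch = line.strip().rpartition(".")
    name_ver, _, release = nvr.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    return name, version, release, arch


def installed_names(rpm_qa: str) -> set:
    return {split_nvra(line)[0] for line in rpm_qa.splitlines() if line.strip()}


def matched_packages(oval_xml: str, rpm_qa: str) -> set:
    """Name-only comparison: the installed packages the feed would even look at.
    Version comparison happens only for packages in this intersection."""
    return oval_package_names(oval_xml) & installed_names(rpm_qa)


if __name__ == "__main__":
    print("distribution packages matched:", sorted(matched_packages(OVAL_CRITERIA, RPM_QA_DISTRO)))
    print("PGDG packages matched:        ", sorted(matched_packages(OVAL_CRITERIA, RPM_QA_PGDG)))
```

Run against the two package lists, the distribution packages intersect the feed on `postgresql` and `postgresql-server`, while the PGDG list intersects on nothing, so no version is ever compared and no CVE is ever reported for them. The same blind spot applies to any third-party repository (EPEL, vendor RPMs, language package managers) whose package names differ from the distribution's.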
Maintenance
Removing an agent

```shell
cd /var/ossec/bin/
# Run the agent manager
[root@vlnx101057 bin]# ./manage_agents

****************************************
* Wazuh v4.1.5 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).                   # add an agent by hand
   (E)xtract key for an agent (E).       # extract an agent's key
   (L)ist already added agents (L).      # list the current agents
   (R)emove an agent (R).                # remove an agent
   (Q)uit.                               # quit
Choose your action: A,E,L,R or Q: R      # enter R to remove an agent
Provide the ID of the agent to be removed (or '\q' to quit): 180   # enter the agent id
Confirm deleting it?(y/n): y             # confirm
Agent '180' removed.                     # done
```
Offline agent registration
The Wazuh manager and agent authenticate through the registration service on 1515/tcp, in a scheme loosely resembling a CA: the manager holds its own key material, the agent submits its host name and IP address during registration and receives an agent ID and a key in return. After registration, 1515 is no longer used; the agent talks to the manager only over 1514 (TCP by default), with the data encrypted under that key.
When 1515/tcp cannot be opened, or in other special circumstances, the agent has to be registered offline. The steps are:
- On the manager, register the agent's host name and IP address and obtain the agent ID
- Export the agent's key
- Import that key on the agent
- Restart the agent service
```shell
# on the Manager
/var/ossec/bin/manage_agents -a <agent_IP> -n <agent_name>
/var/ossec/bin/manage_agents -l | grep <agent_name>
ID: 001, Name: agent_1, IP: any
/var/ossec/bin/manage_agents -e <agent_id>
Agent key information for '001' is:
MDAxIDE4NWVlNjE1Y2YzYiBhbnkgMGNmMDFiYTM3NmMxY2JjNjU0NDAwYmFhZDY1ZWU1YjcyMGI2NDY3ODhkNGQzMjM5ZTdlNGVmNzQzMGFjMDA4Nw==
# on the Agent
/var/ossec/bin/manage_agents -i <key>
# Set the manager IP in the agent configuration
vim /var/ossec/etc/ossec.conf
<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>
systemctl restart wazuh-agent
```
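What the string printed by `manage_agents -e` actually contains, as an added example that is not part of the original post or of Wazuh itself: the blob is ordinary base64 of the agent's `client.keys` line, so the agent's symmetric secret travels inside it in the clear and must be moved to the agent over an encrypted channel (scp, a configuration-management secret, a ticket with restricted access) and deleted afterwards. The decoder below checks the four fields before the key is pasted into `manage_agents -i`. The sample key is the one shown above; that a Wazuh 4.x secret is 64 lowercase hex characters is an assumption taken from that key and is enforced here as a sanity check.

```python
import base64
import re

# Key string printed by `manage_agents -e 001` above (the example Wazuh's own documentation uses).
PAGE_KEY = (
    "MDAxIDE4NWVlNjE1Y2YzYiBhbnkgMGNmMDFiYTM3NmMxY2JjNjU0NDAwYmFhZDY1ZWU1YjcyMGI2"
    "NDY3ODhkNGQzMjM5ZTdlNGVmNzQzMGFjMDA4Nw=="
)

# Assumption: a Wazuh 4.x agent secret is 64 lowercase hex characters, as in the key above.
SECRET_RE = re.compile(r"^[0-9a-f]{64}$")
AGENT_ID_RE = re.compile(r"^\d{3,}$")


def decode_agent_key(b64: str) -> dict:
    """Decode the manage_agents -e blob into the fields of a client.keys line.

    It is plain base64 with no encryption: the 4th field is the shared secret
    the agent will use for every message on 1514, readable by anyone who sees the blob.
    """
    line = base64.b64decode(b64, validate=True).decode("ascii")
    fields = line.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 'ID NAME IP KEY', got {len(fields)} fields")
    agent_id, name, ip, secret = fields
    if not AGENT_ID_RE.match(agent_id):
        raise ValueError(f"bad agent id {agent_id!r}")
    if not SECRET_RE.match(secret):
        raise ValueError("agent secret is not 64 hex characters")
    return {"id": agent_id, "name": name, "ip": ip, "key": secret}


def encode_agent_key(agent_id: str, name: str, ip: str, secret: str) -> str:
    """Inverse: build the blob manage_agents -i accepts from the fields of a client.keys line."""
    line = f"{agent_id} {name} {ip} {secret}"
    return base64.b64encode(line.encode("ascii")).decode("ascii")


def redacted(info: dict) -> str:
    """What may go into a ticket or log: identity fields, never the secret itself."""
    return (f"ID: {info['id']}, Name: {info['name']}, IP: {info['ip']}, "
            f"Key: {info['key'][:4]}...{info['key'][-4:]}")


if __name__ == "__main__":
    print(redacted(decode_agent_key(PAGE_KEY)))
```

Decoding the key above yields agent 001, name `185ee615cf3b`, IP `any` and a 64-character secret; the round trip through `encode_agent_key` reproduces the original blob exactly. Note that the name inside this particular key does not match the `agent_1` shown by `manage_agents -l` two lines earlier, which is a useful reminder to decode and check a key before importing it on the wrong host.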
Other notes
Registration on the Wazuh manager is open by default: anyone who can reach 1515/tcp and knows the manager's address can enrol an agent, and therefore inject events. The manager also supports password authentication, SSL certificate authentication, registration through the API, and host-based restrictions (limiting registration by host name and agent group).
Only the password method is described here:
```shell
# On the manager, turn on password authentication
# vim /var/ossec/etc/ossec.conf
<auth>
  ...
  <use_password>yes</use_password>
  ...
</auth>
# Use a random password
systemctl restart wazuh-manager
grep "Random password" /var/ossec/logs/ossec.log
# Or set a password of your own
# (without this step Wazuh generates a random password, as above)
echo "<custom_password>" > /var/ossec/etc/authd.pass
systemctl restart wazuh-manager
# On the agent, register with the password
/var/ossec/bin/agent-auth -m <manager_IP> -P "<custom_password>"
systemctl restart wazuh-agent
# Or put the password in the agent's password file instead of on the command line
echo "<custom_password>" > /var/ossec/etc/authd.pass
/var/ossec/bin/agent-auth -m <manager_IP>
systemctl restart wazuh-agent
```
Tuning
Wazuh itself is light on resources, but over a long period of operation various resource shortages still surface, so a certain amount of tuning is needed.
Elasticsearch settings
Enable memory locking

```shell
# Lock the JVM heap in physical memory so Elasticsearch pages are never swapped out
cat >> /etc/elasticsearch/elasticsearch.yml <<EOF
bootstrap.memory_lock: true
EOF
```
Raise the systemd resource limit

```shell
# Drop-in for the Elasticsearch systemd unit
mkdir -p /etc/systemd/system/elasticsearch.service.d/
cat > /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf << EOF
[Service]
LimitMEMLOCK=infinity
EOF
```
Raise the user limits

```shell
cat >> /etc/security/limits.conf <<EOF
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
EOF
```
JVM heap

```shell
# Set Xms and Xmx to half of the machine's memory, as long as that stays under
# 50% of available memory and under 32 GB. This machine has 8 GB.
# Elasticsearch 7.7+ reads /etc/elasticsearch/jvm.options.d/; a file there survives
# package upgrades, whereas lines appended to jvm.options may not.
cat > /etc/elasticsearch/jvm.options.d/heap.options <<EOF
-Xms4g
-Xmx4g
EOF
```
Restart the service

```shell
systemctl daemon-reload
systemctl restart elasticsearch
```
Shard and replica counts
Wazuh on a single-node Elasticsearch host

```shell
# Fetch the Wazuh Elasticsearch template
curl https://raw.githubusercontent.com/wazuh/wazuh/v4.1.5/extensions/elasticsearch/7.x/wazuh-template.json -o w-elastic-template.json
# Edit it for this environment: one shard and no replicas. Note that auto_expand_replicas
# "0-1" adds a replica automatically as soon as a second data node joins the cluster.
{
  "order": 1,
  "index_patterns": ["wazuh-alerts-4.x-*"],
  "settings": {
    "index.refresh_interval": "5s",
    "index.number_of_shards": "1",
    "index.number_of_replicas": "0",
    "index.auto_expand_replicas": "0-1",
    "index.mapping.total_fields.limit": 2000
  },
  "mappings": {
    "...": "..."
  }
}
# Apply the template
curl -X PUT "http://localhost:9200/_template/wazuh-custom" -H 'Content-Type: application/json' -d @w-elastic-template.json
```
Raise the per-node shard limit

```shell
# Persistent cluster setting: allow up to 20000 shards per node (the Elasticsearch default is 1000).
# With one shard per daily index this is far more than six months of alerts need; size it to
# what the node's heap can actually hold rather than simply raising the ceiling.
curl -XPUT "127.0.0.1:9200/_cluster/settings" -H 'Content-Type: application/json' -d '{"persistent":{"cluster":{"max_shards_per_node":20000}}}'
```
Delete expired indices

```shell
# Delete every daily alert index for June 2021. This is a wildcard delete, which
# Elasticsearch 7.x allows unless action.destructive_requires_name is set to true.
curl -XDELETE http://127.0.0.1:9200/wazuh-alerts-4.x-2021.06.*
```
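The monthly wildcard above is coarse and, typed wrong, deletes more than intended. As an added example that is not part of the original post, the retention check below parses the daily `wazuh-alerts-4.x-YYYY.MM.DD` index names, keeps exactly the six months the storage section asks for, and emits one named DELETE per expired index, leaving `.kibana` and the monitoring indices alone. The index list is constructed in the shape `_cat/indices?h=index` returns; the Elasticsearch URL and the retention window are parameters.

```python
import re
from datetime import date

# Daily alert indices written by the Wazuh Filebeat module. wazuh-monitoring-* and .kibana*
# are named differently and must never become candidates for an alert-retention job.
ALERT_INDEX_RE = re.compile(r"^wazuh-alerts-4\.x-(\d{4})\.(\d{2})\.(\d{2})$")


def months_back(d: date, n: int) -> date:
    """First day of the month n calendar months before d's month."""
    year, month = d.year, d.month - n
    while month <= 0:
        month += 12
        year -= 1
    return date(year, month, 1)


def expired_indices(index_names, today: date, keep_months: int = 6) -> list:
    """Alert indices whose day lies before the retention cutoff, sorted oldest first."""
    cutoff = months_back(today, keep_months)
    expired = []
    for name in index_names:
        m = ALERT_INDEX_RE.match(name)
        if not m:
            continue  # not a wazuh-alerts index: never a deletion candidate
        year, month, day = (int(x) for x in m.groups())
        if date(year, month, day) < cutoff:
            expired.append(name)
    return sorted(expired)


def delete_commands(index_names, es_url: str = "http://127.0.0.1:9200") -> list:
    """One named DELETE per index: no wildcard, so nothing outside the checked list can go."""
    return [f"curl -XDELETE {es_url}/{name}" for name in index_names]


# Constructed index list, in the shape `curl 127.0.0.1:9200/_cat/indices?h=index` returns.
SAMPLE_INDICES = [
    "wazuh-alerts-4.x-2020.12.31",
    "wazuh-alerts-4.x-2021.01.15",
    "wazuh-alerts-4.x-2021.06.01",
    "wazuh-alerts-4.x-2021.07.03",
    "wazuh-monitoring-2021.27w",
    ".kibana_1",
]

if __name__ == "__main__":
    for cmd in delete_commands(expired_indices(SAMPLE_INDICES, date(2021, 7, 3))):
        print(cmd)
```

Run on 2021-07-03 with the default six months, the cutoff is 2021-01-01 and only `wazuh-alerts-4.x-2020.12.31` is selected; feed the printed commands to a shell once the list has been reviewed. Index lifecycle management would do the same job inside Elasticsearch, but this deployment sets `setup.ilm.enabled: false` in Filebeat, so the deletion has to come from outside.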
Hardware
Use SSDs
Add CPU and memory
Cluster deployment
In a medium or large network a single all-in-one Wazuh host, or a distributed deployment with one node per role, can no longer keep up with log analysis and vulnerability scanning. A highly available, multi-node deployment is needed to meet Wazuh's CPU and storage demands.
| No. | Host | Spec | Address | Role |
|---|---|---|---|---|
| 1 | Lvsnode1 | 1c/1g | 192.168.79.51 | Keepalived + Nginx: provides the VIP and load balancing |
| 2 | Lvsnode2 | 1c/1g | 192.168.79.52 | Keepalived + Nginx: provides the VIP and load balancing |
| 3 | Wazuhnode0 | 2c/2g | 192.168.79.60 | Wazuh master: agent registration and the CVE feeds |
| 4 | Wazuhnode1 | 1c/1g | 192.168.79.61 | Wazuh worker: event analysis and vulnerability scanning |
| 5 | Wazuhnode2 | 1c/1g | 192.168.79.62 | Wazuh worker: event analysis and vulnerability scanning |
| 6 | KibanaNode | 2c/4g | 192.168.79.80 | Kibana |
| 7 | ElasticNode1 | 4c/4g | 192.168.79.81 | Elasticsearch cluster node |
| 8 | ElasticNode2 | 4c/4g | 192.168.79.82 | Elasticsearch cluster node |
| 9 | ElasticNode3 | 4c/4g | 192.168.79.83 | Elasticsearch cluster node |
| 10 | UbuntuNode | 1c/1g | 192.168.79.127 | Ubuntu 20.04 LTS test host + WordPress |
| 11 | CentOSNode | 1c/1g | 192.168.79.128 | CentOS 8.4 test host + PostgreSQL |
| 12 | WindowsNode | 2c/2g | 192.168.79.129 | Windows Server 2012 R2 test host + SQL Server |
| 13 | VIP | - | 192.168.79.50 | Front-end address the agents connect to |
| 14 | Gateway | 1c/1g | 192.168.79.254 | iKuai router providing the gateway and external DNS |

Storage cluster
- Three-node Elasticsearch deployment

```shell
# Install prerequisites
yum install -y zip unzip curl
# Import the signing key
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Add the official repository
cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
# Install the package
yum makecache
yum upgrade -y
yum install -y elasticsearch-7.11.2
# Write the configuration (keep a dated backup of the shipped file)
cp -a /etc/elasticsearch/elasticsearch.yml{,_$(date +%F)}
# Repeat on each node, changing network.host and node.name
cat > /etc/elasticsearch/elasticsearch.yml << EOF
network.host: 192.168.79.81
node.name: elasticnode1
cluster.name: elastic
cluster.initial_master_nodes:
  - elasticnode1
  - elasticnode2
  - elasticnode3
discovery.seed_hosts:
  - 192.168.79.81
  - 192.168.79.82
  - 192.168.79.83
EOF
# Open the firewall
firewall-cmd --permanent --add-service=elasticsearch
firewall-cmd --reload
# Start the service
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
# Disable the repository so components are not upgraded unintentionally
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
# Deploy each node in turn, remembering to change the host name and IP address
```
- Elasticsearch cluster verification

```shell
sujx@LEGION:~$ curl http://192.168.79.81:9200/_cluster/health?pretty
{
  "cluster_name" : "elastic",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
sujx@LEGION:~$ curl http://192.168.79.81:9200/_cat/nodes?v
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
192.168.79.83           10          86   0    0.08    0.08     0.03 cdhilmrstw  -      elasticnode3
192.168.79.82           18          97   0    0.01    0.12     0.08 cdhilmrstw  *      elasticnode2
192.168.79.81           16          95   0    0.06    0.08     0.08 cdhilmrstw  -      elasticnode1
```
Processing cluster
- Wazuh master deployment

```shell
# Install prerequisites
yum install -y zip unzip curl
# Import the signing keys
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Add the official repositories (delimiter quoted so $releasever is written literally)
cat > /etc/yum.repos.d/wazuh.repo << 'EOF'
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
# Install the packages
yum makecache
yum upgrade -y
yum install -y wazuh-manager
yum install -y filebeat-7.11.2
# Configure Filebeat
cp -a /etc/filebeat/filebeat.yml{,_$(date +%F)}
cat > /etc/filebeat/filebeat.yml << EOF
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch.hosts: ['http://192.168.79.81:9200','http://192.168.79.82:9200','http://192.168.79.83:9200']
EOF
# Fetch the Wazuh index template for Filebeat
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
# Fetch the Wazuh Filebeat module
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
# Firewall rules (1516/tcp is the cluster port)
firewall-cmd --permanent --add-port={1514/tcp,1515/tcp,1516/tcp,55000/tcp}
firewall-cmd --reload
# Disable the repositories so components are not upgraded unintentionally
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# Start the services
systemctl daemon-reload
systemctl enable --now wazuh-manager
systemctl enable --now filebeat
# Test Filebeat
[root@WazuhNode0 wazuh]# filebeat test output
elasticsearch: http://192.168.79.81:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.79.81
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.11.2
elasticsearch: http://192.168.79.82:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.79.82
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.11.2
elasticsearch: http://192.168.79.83:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.79.83
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.11.2
```
- Wazuh worker deployment

```shell
# Repositories and keys as for the master
# Install the packages
yum install -y wazuh-manager
yum install -y filebeat-7.11.2
# Configure Filebeat
cp -a /etc/filebeat/filebeat.yml{,_$(date +%F)}
cat > /etc/filebeat/filebeat.yml << EOF
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch.hosts: ['http://192.168.79.81:9200','http://192.168.79.82:9200','http://192.168.79.83:9200']
EOF
# Fetch the Wazuh index template for Filebeat
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
# Fetch the Wazuh Filebeat module
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
# Firewall rules: workers take agent traffic (1514) and cluster traffic (1516) only;
# registration (1515) and the API (55000) stay on the master
firewall-cmd --permanent --add-port={1514/tcp,1516/tcp}
firewall-cmd --reload
# Start the services
systemctl daemon-reload
systemctl enable --now wazuh-manager
systemctl enable --now filebeat
```
- Wazuh cluster setup

```shell
# Cluster authentication
# Master node: generate the shared cluster key. Wazuh requires exactly 32 characters,
# which is what 16 random bytes in hex give.
openssl rand -hex 16
d84691d111f86e70e8ed7eff80cde39e
# Edit the <cluster> section of ossec.conf
<cluster>
  <name>wazuh</name>
  <node_name>wazuhnode0</node_name>
  <node_type>master</node_type>
  <key>d84691d111f86e70e8ed7eff80cde39e</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>192.168.79.60</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
# Worker nodes: same key, node_type worker, unique node_name
<cluster>
  <name>wazuh</name>
  <node_name>wazuhnode1</node_name>
  <node_type>worker</node_type>
  <key>d84691d111f86e70e8ed7eff80cde39e</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>192.168.79.60</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
# The key is a shared secret that sits in ossec.conf on every node: keep the file
# root-readable only, and do not reuse the value shown here. With bind_addr 0.0.0.0 and
# 1516/tcp open, any host on the segment can attempt the cluster handshake; restrict
# 1516 to the node addresses with a firewalld rich rule if the network is not trusted.
# Verify
[root@WazuhNode0 bin]# ./cluster_control -l
NAME        TYPE    VERSION  ADDRESS
wazuhnode0  master  4.1.5    192.168.79.60
wazuhnode1  worker  4.1.5    192.168.79.61
wauzhnode2  worker  4.1.5    192.168.79.62
```
Front-end cluster
- The front end uses Keepalived plus Nginx TCP proxying to present a single VIP, which is the address the Wazuh agents are deployed with.
- Nginx TCP proxy nodes

```bash
# First node (Node1)
# Open the firewall ports
firewall-cmd --permanent --add-port={1514/tcp,1515/tcp}
firewall-cmd --reload
# Add the official repository
cat > /etc/yum.repos.d/nginx.repo <<\EOF
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
EOF
# Install nginx
yum makecache
yum install -y nginx
systemctl daemon-reload
systemctl enable nginx.service --now
# Configure the stream proxy
cd /etc/nginx
cp -a nginx.conf{,_$(date +%F)}
cat >> /etc/nginx/nginx.conf <<EOF
include /etc/nginx/stream.d/*.conf;
EOF
mkdir ./stream.d
touch /etc/nginx/stream.d/wazuh.conf
# The delimiter is quoted so the shell leaves $remote_addr alone; unquoted, it would be
# expanded to nothing and nginx would refuse the resulting "hash  consistent;" line.
cat > /etc/nginx/stream.d/wazuh.conf <<'EOF'
stream {
    upstream cluster {
        # same source address always lands on the same worker
        hash $remote_addr consistent;
        server 192.168.79.61:1514;
        server 192.168.79.62:1514;
    }
    upstream master {
        server 192.168.79.60:1515;
    }
    server {
        listen 1514;
        proxy_pass cluster;
    }
    server {
        listen 1515;
        proxy_pass master;
    }
}
EOF
# Restart nginx
systemctl restart nginx
# Check the listening ports
[root@lvsnode1 nginx]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      1897/nginx: master
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      1897/nginx: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1897/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1022/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1897/nginx: master
tcp6       0      0 :::22                   :::*                    LISTEN      1022/sshd
# Install Keepalived
yum install -y keepalived
cd /etc/keepalived/
cp -a keepalived.conf{,_$(date +%F)}
# Configure it. On the second node use a different router_id and a lower priority.
# auth_pass is a placeholder: VRRP PASS authentication is at most 8 characters and is
# sent in the clear, so it only prevents accidental VRRP collisions on the segment.
cat > keepalived.conf <<EOF
# Configuration File for keepalived
#
global_defs {
   router_id nginxnode1
   vrrp_mcast_group4 224.0.0.18
   lvs_timeouts tcp 900 tcpfin 30 udp 300
   lvs_sync_daemon ens160 route_lvs
   vrrp_skip_check_adv_addr
   #vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}
vrrp_instance route_lvs {
    state BACKUP
    priority 100
    virtual_router_id 18
    interface ens160
    track_interface {
        ens160
    }
    advert_int 3
    authentication {
        auth_type PASS
        auth_pass password
    }
    virtual_ipaddress {
        192.168.79.50/24 dev ens160 label ens160:0
    }
}
EOF
systemctl enable keepalived.service --now
```
- Verify the service

```shell
sujx@LEGION:~$ ping 192.168.79.50
PING 192.168.79.50 (192.168.79.50) 56(84) bytes of data.
64 bytes from 192.168.79.50: icmp_seq=1 ttl=64 time=0.330 ms
64 bytes from 192.168.79.50: icmp_seq=2 ttl=64 time=0.306 ms
--- 192.168.79.50 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.306/0.430/0.655/0.159 ms
sujx@LEGION:~$ telnet 192.168.79.50 1515
Trying 192.168.79.140...
Connected to 192.168.79.140.
Escape character is '^]'.
sujx@LEGION:~$ telnet 192.168.79.50 1514
Trying 192.168.79.140...
Connected to 192.168.79.140.
Escape character is '^]'.
```
Access the dashboard
Deploy an Elasticsearch coordinating node

When the Elasticsearch cluster has several nodes, the simplest way to spread Kibana's requests across them is to run a coordinating-only node on the Kibana host. A coordinating node is essentially a smart load balancer that is itself a member of the cluster: it accepts incoming HTTP requests, forwards the operations to the other nodes, gathers the results and returns them.

```shell
# Install Elasticsearch on the Kibana node
# Prerequisites
yum install -y zip unzip curl
# Import the repository signing key
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Add the official repository
cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
# Install
yum makecache
yum upgrade -y
yum install -y elasticsearch-7.11.2
# Firewall: http for the nginx reverse proxy in front of Kibana, elasticsearch (9200/9300) for the
# transport traffic from the data nodes. This cluster runs without X-Pack security (plain HTTP, no
# transport TLS), so 9200/9300 must stay reachable only from the Elasticsearch and Kibana hosts.
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=elasticsearch
firewall-cmd --reload
# Configuration
# The other ES nodes also need this host's IP added to their discovery.seed_hosts, followed by a restart
cat >> /etc/elasticsearch/elasticsearch.yml <<EOF
node.name: kibananode0
cluster.name: elastic
# coordinating-only: no master, data or ingest role (node.roles: [] is the 7.x replacement for these three)
node.master: false
node.data: false
node.ingest: false
# HTTP only on loopback so that only the local Kibana can query it; transport on the cluster network
network.host: localhost
http.port: 9200
transport.host: 192.168.79.80
transport.tcp.port: 9300
discovery.seed_hosts:
  - 192.168.79.81
  - 192.168.79.82
  - 192.168.79.83
  - 192.168.79.80
EOF
# Inspect the cluster; only the local Kibana can reach this node's HTTP port
[root@kibana wazuh]# curl http://localhost:9200/_cat/nodes?v
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role  master name
192.168.79.81           18          96   0    0.04    0.06     0.02 cdhilmrstw -      elasticnode1
192.168.79.80           12          97   3    0.01    0.08     0.07 lr         -      kibananode0
192.168.79.82           23          96   0    0.04    0.09     0.04 cdhilmrstw *      elasticnode2
192.168.79.83           23          87   0    0.09    0.11     0.05 cdhilmrstw -      elasticnode3
```
Configure Kibana

```shell
yum install -y kibana-7.11.2
# Edit the configuration file (back it up first)
cp -a /etc/kibana/kibana.yml{,_$(date +%F)}
cat >> /etc/kibana/kibana.yml << EOF
server.port: 5601
# Listen on loopback only; nginx on this host proxies port 80 to it
server.host: "localhost"
server.name: "kibana"
i18n.locale: "zh-CN"
# The coordinating-only node installed above
elasticsearch.hosts: ["http://localhost:9200"]
kibana.index: ".kibana"
kibana.defaultAppId: "home"
server.defaultRoute: "/app/wazuh"
EOF
# Create the data directory
mkdir -p /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana
# Install the Wazuh plugin offline (the plugin build must match both Wazuh 4.1.5 and Kibana 7.11.2)
wget https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.11.2-1.zip
cp ./wazuh_kibana-4.1.5_7.11.2-1.zip /tmp
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuh_kibana-4.1.5_7.11.2-1.zip
# Enable the service
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
# Disable the repository so components are not upgraded unintentionally
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo

# Reverse proxy
yum install -y nginx
systemctl enable --now nginx
vim /etc/nginx/nginx.conf
# Add the following inside the server {} block. This publishes Kibana over plain HTTP with no
# authentication in front of it: restrict port 80 to the admin network, or add TLS and auth at the proxy.
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    location / {
        proxy_pass http://localhost:5601/;
    }
nginx -s reload

# Log in to Kibana and open the Wazuh plugin once, then go back to the console and point the plugin
# at the Wazuh API on the master (the shipped config uses localhost). The default API user credentials
# in the same hosts entry of wazuh.yml should be changed at the same time.
sed -i "s/localhost/192.168.79.60/g" /usr/share/kibana/data/wazuh/config/wazuh.yml
```

Client verification
Deploy the Wazuh agent

```shell
# CentOS host. WAZUH_MANAGER is the keepalived VIP, so the agent enrolls and reports through the
# load balancer rather than a fixed manager. Import the Wazuh signing key first so yum verifies the package.
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
sudo WAZUH_MANAGER='192.168.79.50' WAZUH_AGENT_GROUP='default' yum install https://packages.wazuh.com/4.x/yum/wazuh-agent-4.1.5-1.x86_64.rpm -y
# Ubuntu host, through the same VIP
curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.1.5-1_amd64.deb && sudo WAZUH_MANAGER='192.168.79.50' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent.deb
# Start the service
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
# Windows host (PowerShell)
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.1.5-1.msi -OutFile wazuh-agent.msi; ./wazuh-agent.msi /q WAZUH_MANAGER='192.168.79.50' WAZUH_REGISTRATION_SERVER='192.168.79.50' WAZUH_AGENT_GROUP='default'
start-service wazuh
# Caveat: none of these set WAZUH_REGISTRATION_PASSWORD, so the enrollment service on 1515 accepts any
# host that can reach the VIP. Set a password in /var/ossec/etc/authd.pass on the master and pass it
# here if the agent network is not trusted.
```
Verify which manager node the agent is attached to (on the master, `/var/ossec/bin/cluster_control -a` lists every agent together with the cluster node it reports to)

Updating data

Compared with a single-node deployment, the first problem a clustered Wazuh has to solve is keeping ossec.conf and the vulnerability feeds consistently configured, updated and distributed to every node. The following uses simple Ansible ad-hoc commands and shell scripts to do that.
Set up the share

Deploy Nginx

```shell
# On wazuh-master, install nginx and create the web root that will hold the mirrored feeds
yum install -y nginx
mkdir -p /var/www/wazuh
chown -R nginx:nginx /var/www/wazuh
```
Download the updates

```shell
# Download the offline feed files
cd /var/www/wazuh/
# Ubuntu 20.04 (focal) OVAL feed
wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
# RHEL 6/7/8 OVAL feeds
wget -N https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
# Microsoft update catalogue as published by Wazuh
wget -N https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
# Red Hat security data (JSON), fetched by Wazuh's generator script.
# Both generator scripts are pulled from the master branch and executed as root: review them, or pin the
# URL to a release tag, since an upstream change would otherwise run here unreviewed.
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/rh-generator.sh
chmod +x ./rh-generator.sh
mkdir -p redhat
./rh-generator.sh redhat/
# NVD (CVE) database, from 2010 onwards
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/nvd-generator.sh
chmod +x ./nvd-generator.sh
mkdir -p nvd
./nvd-generator.sh 2010 nvd/
```
Publish the directory

```shell
# nginx configuration
vim /etc/nginx/nginx.conf
# Edit or add the following inside the server {} block. Everything under /var/www/wazuh becomes
# browsable by anyone who can reach port 80 on the master, so keep that port limited to the manager nodes.
    root /var/www/wazuh;
    location / {
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }
```

Scheduled updates
Create /opt/wazuh/wazuhupdate.sh with the following content:

```shell
#!/bin/bash
cd /var/www/wazuh/
# Ubuntu 20.04 OVAL feed
wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
# RHEL 6/7/8 OVAL feeds
wget -N https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
# Microsoft update catalogue
wget -N https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
# Red Hat security data (JSON)
/bin/bash /var/www/wazuh/rh-generator.sh /var/www/wazuh/redhat
# NVD (CVE) database
/bin/bash /var/www/wazuh/nvd-generator.sh 2010 /var/www/wazuh/nvd
# Fix ownership of the downloaded files
chown -R nginx:nginx /var/www/wazuh
# Restart the manager so the vulnerability detector reloads the feeds right away
# (otherwise it picks them up at the next provider update_interval)
systemctl restart wazuh-manager.service
```
Create the cron job

```shell
# Check that crond is running
systemctl status crond.service
crontab -e
# Run the update script at 18:30 every Monday and Thursday
30 18 * * 1,4 /bin/bash /opt/wazuh/wazuhupdate.sh
```

Bulk distribution
Install and configure Ansible

```shell
yum install -y centos-release-ansible-29.noarch
yum install -y ansible
# root may not log in over SSH on these hosts, so work as an unprivileged user.
# That user needs sudo on the workers: the tasks later run with --become (-b).
cd ~
mkdir ansible
cd ansible
cat > .inventory <<EOF
[master]
192.168.79.60
[worker]
192.168.79.61
192.168.79.62
EOF
# Make ansible use this inventory when run from this directory (otherwise it reads /etc/ansible/hosts)
cat > ansible.cfg <<EOF
[defaults]
inventory = .inventory
EOF
ssh-keygen
ssh-copy-id sujx@192.168.79.60
ssh-copy-id sujx@192.168.79.61
ssh-copy-id sujx@192.168.79.62
ansible all -m ping
[sujx@WazuhNode0 ansible]$ ansible worker -m ping
192.168.79.62 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
192.168.79.61 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
```
Create the bulk update script

```shell
# Written on the master and pushed to every worker below. The heredoc is quoted ('EOF') so that
# $(hostname -s) and $workername are evaluated on the worker when the script runs, not on the master
# when the file is written.
mkdir -p /opt/wazuh
cat > /opt/wazuh/cluster.sh <<'EOF'
#!/bin/bash
set -e
cd ~
# Configuration template published by the master. Caveat: it is fetched over plain HTTP from the
# autoindexed web root, so the cluster <key> it contains is readable by anyone who can reach port 80
# on the master; restrict that port to the manager nodes or serve conf/ with TLS and authentication.
wget -N http://192.168.79.60/conf/ossec.conf
# Custom rules file
# wget -N http://192.168.79.60/conf/0015-ossec_rules.xml
# Replace the node_name placeholder in the template with this worker's short hostname
workername=$(hostname -s)
sed -i "s/vln000000/$workername/g" ~/ossec.conf
# Install the configuration file
rm -f /var/ossec/etc/ossec.conf
mv ~/ossec.conf /var/ossec/etc/
chown root:ossec /var/ossec/etc/ossec.conf
# Install the custom rules file
# rm -f /var/ossec/ruleset/rules/0015-ossec_rules.xml
# mv ~/0015-ossec_rules.xml /var/ossec/ruleset/rules/
# chown root:ossec /var/ossec/ruleset/rules/0015-ossec_rules.xml
# Restart the manager so the new configuration takes effect
systemctl restart wazuh-manager.service
EOF
chmod +x /opt/wazuh/cluster.sh
```
Create the worker configuration file

Fragment of the ossec.conf template published under conf/ on the master. Every feed URL points at the local mirror, and node_name carries the placeholder that cluster.sh replaces on each worker.

```xml
<vulnerability-detector>
  <!-- In a cluster the master runs the detector; it stays disabled on workers -->
  <enabled>no</enabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>
  <!-- Ubuntu OS vulnerabilities -->
  <provider name="canonical">
    <enabled>yes</enabled>
    <os url="http://192.168.79.60/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
    <update_interval>1d</update_interval>
  </provider>
  <!-- Debian OS vulnerabilities -->
  <provider name="debian">
    <enabled>no</enabled>
    <os>stretch</os>
    <os>buster</os>
    <update_interval>1d</update_interval>
  </provider>
  <!-- RedHat OS vulnerabilities -->
  <provider name="redhat">
    <enabled>yes</enabled>
    <os url="http://192.168.79.60/rhel-6-including-unpatched.oval.xml.bz2">6</os>
    <os url="http://192.168.79.60/rhel-7-including-unpatched.oval.xml.bz2">7</os>
    <os url="http://192.168.79.60/rhel-8-including-unpatched.oval.xml.bz2">8</os>
    <!-- [-] is replaced by each index from start to end, i.e. redhat-feed1.json .. redhat-feed25.json
         as written by rh-generator.sh -->
    <url start="1" end="25">http://192.168.79.60/redhat/redhat-feed[-].json</url>
    <update_interval>1d</update_interval>
  </provider>
  <!-- Windows OS vulnerabilities -->
  <provider name="msu">
    <enabled>yes</enabled>
    <url>http://192.168.79.60/msu-updates.json.gz</url>
    <update_interval>1d</update_interval>
  </provider>
  <!-- Aggregate vulnerabilities -->
  <provider name="nvd">
    <enabled>yes</enabled>
    <!-- end must be raised every year, or the newest NVD feed file is never read -->
    <url start="2010" end="2021">http://192.168.79.60/nvd/nvd-feed[-].json.gz</url>
    <update_interval>1d</update_interval>
  </provider>
</vulnerability-detector>

<cluster>
  <name>wazuh</name>
  <node_name>vln000000</node_name>
  <node_type>worker</node_type>
  <key>d84691d111f86e70e8ed7eff80cde39e</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>192.168.79.60</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
... (rest omitted)
```
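Two things in the procedure above go wrong silently: a file missing from the mirror (an index in a `start`/`end` range that the generator never produced, or a stale `end` year), and a template pushed with the node_name placeholder still in place. The following added example, which is not part of the original article or of Wazuh, checks both offline. It parses a rendered ossec.conf, expands every feed URL that uses the `[-]` index placeholder the way the detector requests them, maps each URL to a path under the nginx web root and reports what is missing or points outside the mirror, then sanity-checks the `<cluster>` block. The mirror host, web-root layout and the placeholder `vln000000` are taken from the article; the sample configuration and the `example.invalid` off-site URL are constructed for the demonstration.

```python
"""Offline consistency check for the mirrored Wazuh feeds and a worker ossec.conf (added example)."""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

MIRROR_HOST = "192.168.79.60"        # master that publishes /var/www/wazuh over HTTP (from the article)
NODE_NAME_PLACEHOLDER = "vln000000"  # replaced by cluster.sh on each worker
HEX_KEY = re.compile(r"^[0-9a-f]{32}$")


def parse_config(text):
    """ossec.conf fragments have several top-level elements; wrap them so ElementTree accepts them."""
    return ET.fromstring("<ossec_config>" + text + "</ossec_config>")


def expand_feed_urls(root):
    """Yield (provider, url) for each feed file the detector would fetch.
    <url>/<os> elements with start/end attributes use '[-]' as the index placeholder,
    one request per index; <os url="...">focal</os> carries the URL in an attribute."""
    for provider in root.iter("provider"):
        name = provider.get("name")
        for el in list(provider.iter("url")) + list(provider.iter("os")):
            url = (el.text or "").strip()
            if not url.startswith(("http://", "https://")):
                url = el.get("url")
            if not url:
                continue                      # e.g. <os>buster</os> with no local mirror URL
            if el.get("start") and el.get("end"):
                for i in range(int(el.get("start")), int(el.get("end")) + 1):
                    yield name, url.replace("[-]", str(i))
            else:
                yield name, url


def check_mirror(root, web_root):
    """Report feed URLs that do not point at the mirror and mirror URLs whose file is absent."""
    findings = {"checked": 0, "offsite": [], "missing": []}
    for provider, url in expand_feed_urls(root):
        findings["checked"] += 1
        parsed = urlparse(url)
        if parsed.hostname != MIRROR_HOST:
            findings["offsite"].append((provider, url))
        elif not (Path(web_root) / parsed.path.lstrip("/")).is_file():
            findings["missing"].append((provider, url))
    return findings


def check_cluster(root):
    """Worker-side sanity: placeholder replaced, worker role, 32-hex key, master listed."""
    cluster = root.find("cluster")
    if cluster is None:
        return ["no <cluster> section"]
    problems = []
    name = cluster.findtext("node_name", "").strip()
    if not name or name == NODE_NAME_PLACEHOLDER:
        problems.append("node_name still carries the template placeholder")
    if cluster.findtext("node_type", "").strip() != "worker":
        problems.append("node_type is not 'worker'")
    if not HEX_KEY.match(cluster.findtext("key", "").strip()):
        problems.append("cluster key is not a 32-char hex string")
    if MIRROR_HOST not in [(n.text or "").strip() for n in cluster.iter("node")]:
        problems.append("master node not listed under <nodes>")
    return problems


# Constructed sample: the article's template shape, with a deliberately short redhat range,
# an off-site NVD URL (hypothetical host) and the placeholder left unreplaced.
SAMPLE_CONF = """
<vulnerability-detector>
  <enabled>no</enabled>
  <provider name="canonical">
    <enabled>yes</enabled>
    <os url="http://192.168.79.60/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
  </provider>
  <provider name="debian">
    <enabled>no</enabled>
    <os>buster</os>
  </provider>
  <provider name="redhat">
    <enabled>yes</enabled>
    <os url="http://192.168.79.60/rhel-8-including-unpatched.oval.xml.bz2">8</os>
    <url start="1" end="3">http://192.168.79.60/redhat/redhat-feed[-].json</url>
  </provider>
  <provider name="nvd">
    <enabled>yes</enabled>
    <url start="2020" end="2021">https://example.invalid/nvd/nvd-feed[-].json.gz</url>
  </provider>
</vulnerability-detector>
<cluster>
  <name>wazuh</name>
  <node_name>vln000000</node_name>
  <node_type>worker</node_type>
  <key>d84691d111f86e70e8ed7eff80cde39e</key>
  <nodes><node>192.168.79.60</node></nodes>
</cluster>
"""


def run_demo():
    """Build a partial mirror (redhat-feed3.json intentionally absent) and run both checks."""
    with tempfile.TemporaryDirectory() as web_root:
        root_dir = Path(web_root)
        (root_dir / "redhat").mkdir()
        for rel in ("com.ubuntu.focal.cve.oval.xml.bz2", "rhel-8-including-unpatched.oval.xml.bz2",
                    "redhat/redhat-feed1.json", "redhat/redhat-feed2.json"):
            (root_dir / rel).write_bytes(b"")
        conf = parse_config(SAMPLE_CONF)
        return check_mirror(conf, web_root), check_cluster(conf)


if __name__ == "__main__":
    mirror, cluster = run_demo()
    print(mirror)   # 7 URLs checked, 2 off-site (nvd), 1 missing (redhat-feed3.json)
    print(cluster)  # ['node_name still carries the template placeholder']
```

Run it on a worker after cluster.sh has installed the file (`parse_config(Path("/var/ossec/etc/ossec.conf").read_text())`) and on the master against `/var/www/wazuh`; a non-empty `missing` list before the cron job is due is the signal that a generator run failed or that `end` was not bumped.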
Trigger the update with Ansible

```shell
# Create the directory on every worker (idempotent). -b escalates with sudo, which the script needs
# because it writes to /opt and /var/ossec and restarts wazuh-manager.
ansible worker -b -m file -a 'path=/opt/wazuh state=directory owner=root group=root mode=0755'
# Copy the script to the workers
ansible worker -b -m copy -a 'src=/opt/wazuh/cluster.sh dest=/opt/wazuh/cluster.sh owner=root group=root mode=0744'
# Run it on every worker
ansible worker -b -a '/bin/bash /opt/wazuh/cluster.sh'
```
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/423328.html
