Batch-updating Wazuh host configuration files and vulnerability databases
Overview
Compared with a single-node installation, the first problem a clustered Wazuh deployment has to solve is how to keep ossec.conf and the vulnerability feeds consistently configured, consistently updated and consistently pushed to every node. The following does that with a few simple Ansible commands and shell scripts: the master publishes the feeds and a configuration template over Nginx, a cron job refreshes the feeds, and Ansible makes every worker pull and apply the template.
Setting up the share
Deploy Nginx
```bash
# Install Nginx on wazuh-master
yum install -y nginx
mkdir -p /var/www/wazuh
chown -R nginx:nginx /var/www/wazuh
```
Download the updates
```bash
# Download the offline files
cd /var/www/wazuh/
# Ubuntu 20.04 (focal) OVAL feed
wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
# RHEL 6/7/8 OVAL feeds
wget https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
wget https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
# Microsoft CVE file
wget https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
# Red Hat security-data JSON feeds, generated with Wazuh's helper script
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/rh-generator.sh
chmod +x ./*.sh
mkdir redhat
./rh-generator.sh redhat/
# NVD CVE database (from 2010 onwards), generated with Wazuh's helper script
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/nvd-generator.sh
chmod +x ./*.sh
mkdir nvd
./nvd-generator.sh 2010 nvd/
```
Publish the pages
```bash
# Edit the nginx configuration
vim /etc/nginx/nginx.conf
```
Add or modify the following inside the server {} block:
```nginx
root /var/www/wazuh;
location / {
    autoindex on;
    autoindex_exact_size off;
    autoindex_localtime on;
}
```
With autoindex on, everything under /var/www/wazuh is listed and readable by anyone who can reach port 80 on the master, and the same share will later carry the worker ossec.conf template. Restrict the location to the cluster nodes (Nginx allow/deny rules for the worker and master addresses) rather than leaving it open to the whole network.
Scheduled updates
Create the file wazuhupdate.sh under /opt/wazuh/ on wazuh-master:
```bash
#!/bin/bash
cd /var/www/wazuh/
# Clear the old archives first. Note that this makes the -N (timestamping)
# below moot, and a failed download leaves no feed behind until the next run.
rm -rf *.bz2
rm -f *.gz
# Ubuntu 20.04 (focal) OVAL feed
wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
# RHEL 6/7/8 OVAL feeds
wget -N https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
# Microsoft vulnerability file
wget -N https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
# Red Hat security-data JSON feeds
/bin/bash /var/www/wazuh/rh-generator.sh /var/www/wazuh/redhat
# NVD CVE database (from 2010 onwards)
/bin/bash /var/www/wazuh/nvd-generator.sh 2010 /var/www/wazuh/nvd
# Fix file ownership
chown -R nginx:nginx /var/www/wazuh
# Restart the service so the manager reloads the databases
systemctl restart wazuh-manager.service
```
Create the cron entry
```bash
# Check that crond.service is running
systemctl status crond.service
crontab -e
# Run the update script every Monday and Thursday at 18:30
30 18 * * 1,4 /bin/bash /opt/wazuh/wazuhupdate.sh
```
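The update script above deletes the old archives before downloading, so a transient download error (or a server error page saved under the feed's name) leaves the share empty or corrupt until the next run, and every worker that pulls from it fails. The following is an added example, not the post's wazuhupdate.sh, showing the safer pattern: download to a temporary file next to the destination, verify the archive decompresses, compare it with the current copy, and only then rename it into place, restarting the manager only when something actually changed. The FEED_DIR path, the FEEDS list (the same OVAL and MSU URLs the post uses) and the use of curl are assumptions; the generator scripts are left to the original script.

```bash
#!/bin/bash
# Added example (not from the original post): refresh feed files on the
# Nginx share without ever leaving a missing or truncated file behind.
# Assumed: curl is installed; FEED_DIR and FEEDS are illustrative defaults.
set -u

FEED_DIR="${FEED_DIR:-/var/www/wazuh}"
CHANGED=0

# fetch_cmd URL DEST: the real downloader. Override FETCHER to swap it out
# (an offline dry run can use a local copy instead of curl).
fetch_cmd() { curl -fsSL -o "$2" "$1"; }
FETCHER="${FETCHER:-fetch_cmd}"

# verify_archive FILE NAME: check the payload by NAME's extension before it
# replaces anything. An HTML error page saved as .bz2 fails bzip2 -t.
verify_archive() {
  file="$1"; name="$2"
  case "$name" in
    *.bz2) bzip2 -t "$file" 2>/dev/null ;;
    *.gz)  gzip -t "$file" 2>/dev/null ;;
    *)     [ -s "$file" ] ;;
  esac
}

# fetch_feed URL DEST: returns 0 when DEST is valid afterwards (replaced or
# already current), 1 when download or verification failed; in the failure
# case DEST is left exactly as it was and the temp file is removed.
fetch_feed() {
  url="$1"; dest="$2"
  tmp=$(mktemp "$dest.XXXXXX") || return 1
  if ! "$FETCHER" "$url" "$tmp"; then
    echo "download failed: $url" >&2; rm -f "$tmp"; return 1
  fi
  if ! verify_archive "$tmp" "$dest"; then
    echo "corrupt or incomplete download: $url" >&2; rm -f "$tmp"; return 1
  fi
  if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
    rm -f "$tmp"; return 0          # feed unchanged upstream, nothing to do
  fi
  chmod 0644 "$tmp" && mv -f "$tmp" "$dest" && CHANGED=1
}

# update_all: walk the URL list, count failures, restart the manager once
# and only if at least one feed changed. Exit status = number of failures.
update_all() {
  failed=0
  for url in $FEEDS; do
    fetch_feed "$url" "$FEED_DIR/${url##*/}" || failed=$((failed + 1))
  done
  if [ "$CHANGED" = 1 ]; then
    chown -R nginx:nginx "$FEED_DIR"
    systemctl restart wazuh-manager.service
  fi
  return "$failed"
}

# Same OVAL/MSU feeds as the post's wazuhupdate.sh (assumed list).
FEEDS="${FEEDS:-
https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz}"

# Run the full update only when asked (e.g. WAZUH_UPDATE_RUN=1 from cron),
# so the file can also be sourced for its functions.
if [ "${WAZUH_UPDATE_RUN:-0}" = 1 ]; then
  update_all
fi
```

Because mv on the same filesystem is a rename, a worker fetching the feed at the moment of the update sees either the old file or the new one, never a half-written one; the wget -N in the workers' own provider configuration then only transfers files whose timestamp changed.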
Batch distribution
- Install and configure Ansible
```bash
yum install -y centos-release-ansible-29.noarch
yum install -y ansible
# The hosts do not allow root to log in over SSH by default,
# so work from an unprivileged user's home directory
cd ~
mkdir ansible
cd ansible
cat > .inventory <<EOF
[master]
192.168.79.60
[worker]
192.168.79.61
192.168.79.62
EOF
ssh-keygen
ssh-copy-id sujx@192.168.79.60
ssh-copy-id sujx@192.168.79.61
ssh-copy-id sujx@192.168.79.62
# .inventory is not Ansible's default inventory, so pass it with -i
# (or point to it from ansible.cfg, after which -i can be omitted)
ansible -i .inventory all -m ping
```
```
[sujx@WazuhNode0 ansible]$ ansible worker -m ping
192.168.79.62 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
192.168.79.61 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
```
- Create the batch update script
```bash
# Create the script on the Ansible control node; it is copied to every worker below.
# The heredoc delimiter is quoted ('EOF') so that $(hostname -s) and $workername
# are written literally and expanded on the worker, not on the node writing the file.
mkdir /opt/wazuh
cat > /opt/wazuh/cluster.sh <<'EOF'
#!/bin/bash
cd ~
# Configuration file: abort if it cannot be fetched, otherwise the rm below
# would leave the worker without an ossec.conf
wget http://192.168.79.60/conf/ossec.conf || exit 1
# Custom rule file
# wget http://192.168.79.60/conf/0015-ossec_rules.xml
# Replace the hostname placeholder; it must match the <node_name>
# placeholder in the template exactly
workername=$(hostname -s)
sed -i "s/vln000000/$workername/g" ~/ossec.conf
# Replace the configuration file
rm -Rf /var/ossec/etc/ossec.conf
mv ~/ossec.conf /var/ossec/etc/
chown root:ossec /var/ossec/etc/ossec.conf
# Update the custom rule file
# rm -Rf /var/ossec/ruleset/rules/0015-ossec_rules.xml
# mv ~/0015-ossec_rules.xml /var/ossec/ruleset/rules/
# chown root:ossec /var/ossec/ruleset/rules/0015-ossec_rules.xml
# Restart the service
systemctl restart wazuh-manager.service
EOF
chmod +x /opt/wazuh/cluster.sh
```
- Create the worker configuration template
Place it on the master at /var/www/wazuh/conf/ossec.conf, the path cluster.sh fetches. The placeholder in <node_name> is what the script's sed replaces with each worker's short hostname; the providers point at the master's share instead of the public feeds. Only the sections that matter here are shown:
```xml
<vulnerability-detector>
  <enabled>no</enabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>

  <!-- Ubuntu OS vulnerabilities -->
  <provider name="canonical">
    <enabled>yes</enabled>
    <os url="http://192.168.79.60/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
    <update_interval>1d</update_interval>
  </provider>

  <!-- Debian OS vulnerabilities -->
  <provider name="debian">
    <enabled>no</enabled>
    <os>stretch</os>
    <os>buster</os>
    <update_interval>1d</update_interval>
  </provider>

  <!-- RedHat OS vulnerabilities -->
  <provider name="redhat">
    <enabled>yes</enabled>
    <os url="http://192.168.79.60/rhel-6-including-unpatched.oval.xml.bz2">6</os>
    <os url="http://192.168.79.60/rhel-7-including-unpatched.oval.xml.bz2">7</os>
    <os url="http://192.168.79.60/rhel-8-including-unpatched.oval.xml.bz2">8</os>
    <url start="1" end="25">http://192.168.79.60/redhat/redhat-feed[-].json</url>
    <update_interval>1d</update_interval>
  </provider>

  <!-- Windows OS vulnerabilities -->
  <provider name="msu">
    <enabled>yes</enabled>
    <url>http://192.168.79.60/msu-updates.json.gz</url>
    <update_interval>1d</update_interval>
  </provider>

  <!-- Aggregate vulnerabilities -->
  <provider name="nvd">
    <enabled>yes</enabled>
    <url start="2010" end="2021">http://192.168.79.60/nvd/nvd-feed[-].json.gz</url>
    <update_interval>1d</update_interval>
  </provider>
</vulnerability-detector>

<cluster>
  <name>wazuh</name>
  <node_name>vln000000</node_name>
  <node_type>worker</node_type>
  <key>d84691d111f86e70e8ed7eff80cde39e</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>192.168.79.60</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```
... (remaining sections omitted)

Note that the template carries the cluster <key>. Once it sits under the Nginx root it is served over plain HTTP, and with directory listing enabled it is readable by anyone who can reach the master on port 80; whoever holds the key can join a node of their own to the cluster. At a minimum restrict the share to the cluster nodes' addresses, or deliver the template through Ansible itself (copy/template module over SSH) instead of the public share, and rotate the key if it has been exposed.
- Trigger the update with Ansible
```bash
# Create the directory on every worker. -b escalates with sudo: the SSH user
# is unprivileged, and the script replaces /var/ossec/etc/ossec.conf and
# restarts the manager (add -K if sudo asks for a password).
ansible -i .inventory worker -b -m file -a 'path=/opt/wazuh state=directory'
# Copy the script to the workers
ansible -i .inventory worker -b -m copy -a "src=/opt/wazuh/cluster.sh dest=/opt/wazuh owner=root group=root mode=0744"
# Run the script on every worker
ansible -i .inventory worker -b -a '/bin/bash /opt/wazuh/cluster.sh'
```
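cluster.sh above removes the live ossec.conf and restarts the manager without ever looking at what it downloaded, so a wrong template (or an error page) takes the worker out of the cluster. The following is an added example, not the post's cluster.sh, of the same pull-render-install step with the checks a practitioner would want: refuse a template that lacks the placeholder, verify the rendered file is a worker configuration for this node, keep a backup, and restore it if the manager's configuration test rejects the new file. Assumptions: the placeholder text (vlnx000000), the template URL and live path taken from the post, and that /var/ossec/bin/wazuh-analysisd -t is the manager's configuration test (CONFIG_TEST can be overridden, e.g. for the ossec-analysisd binary of 3.x or an offline dry run).

```bash
#!/bin/bash
# Added example (not the post's cluster.sh): render and install a worker
# ossec.conf with validation and rollback. All defaults below are assumptions.
set -u

PLACEHOLDER="${PLACEHOLDER:-vlnx000000}"
TEMPLATE_URL="${TEMPLATE_URL:-http://192.168.79.60/conf/ossec.conf}"
LIVE_CONF="${LIVE_CONF:-/var/ossec/etc/ossec.conf}"
CONFIG_TEST="${CONFIG_TEST:-/var/ossec/bin/wazuh-analysisd -t}"

# render_conf TEMPLATE OUT NODENAME: substitute the placeholder. Refuses a
# template that does not contain it, which usually means the wrong file
# (or an HTTP error page) was fetched.
render_conf() {
  template="$1"; out="$2"; nodename="$3"
  if ! grep -q "$PLACEHOLDER" "$template"; then
    echo "placeholder $PLACEHOLDER not found in $template" >&2; return 1
  fi
  sed "s/$PLACEHOLDER/$nodename/g" "$template" > "$out"
}

# check_conf FILE NODENAME: cheap structural checks before touching the live
# file: root element present and closed, node type is worker, no placeholder
# survived, and the node name is the one we expect.
check_conf() {
  file="$1"; nodename="$2"
  grep -q '<ossec_config>' "$file" || return 1
  grep -q '</ossec_config>' "$file" || return 1
  grep -q '<node_type>worker</node_type>' "$file" || return 1
  if grep -q "$PLACEHOLDER" "$file"; then return 1; fi
  grep -q "<node_name>$nodename</node_name>" "$file"
}

# install_conf NEW LIVE: copy NEW over LIVE keeping a timestamped backup; if
# the manager's configuration test fails, put the backup back and report it.
install_conf() {
  new="$1"; live="$2"; backup="$2.bak.$(date +%Y%m%d%H%M%S)"
  [ -f "$live" ] && cp -p "$live" "$backup"
  cp "$new" "$live"
  chown root:ossec "$live" 2>/dev/null || true   # group is wazuh on 4.x
  chmod 0640 "$live"
  if ! $CONFIG_TEST; then
    echo "config test failed, restoring $backup" >&2
    [ -f "$backup" ] && cp -p "$backup" "$live"
    return 1
  fi
  return 0
}

# main: the whole worker-side step; every stage aborts before the live file
# is touched, and install_conf rolls back if the new file is rejected.
main() {
  tmp=$(mktemp -d) || exit 1
  node=$(hostname -s)
  curl -fsSL -o "$tmp/template.conf" "$TEMPLATE_URL" || exit 1
  render_conf "$tmp/template.conf" "$tmp/ossec.conf" "$node" || exit 1
  check_conf "$tmp/ossec.conf" "$node" || exit 1
  install_conf "$tmp/ossec.conf" "$LIVE_CONF" || exit 1
  systemctl restart wazuh-manager.service
}

# Run the full step only when asked (e.g. WAZUH_RENDER_RUN=1 from Ansible),
# so the file can also be sourced for its functions.
if [ "${WAZUH_RENDER_RUN:-0}" = 1 ]; then
  main
fi
```

Run it from Ansible exactly like cluster.sh (with -b), passing WAZUH_RENDER_RUN=1 in the command; a worker whose new configuration fails the test keeps running on its previous ossec.conf and the non-zero exit status shows up in the Ansible output for that host.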
All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.