[Wazuh](Wazuh · The Open Source Security Platform)是一整套基于ossec安全检测工具和EFK日志工具构成的终端安全管理工具。不管是将其分类至HIDS,还是EDR,它都是一套通过监控主机日志行为,提供安全检测、分析和完整报告的开源、免费利器。Wazuh基于C/S架构,它的Agent支持Windows、MacOS、Linux、HP-UX、AIX等主流操作系统。其服务端负责提供认证和数据收集,然后通过filebeat进行日志清洗,最后导入ElasticSearch,通过Kinbana进行展示和输出日志。它不仅可以收集主机的事件日志进行一般的入侵检测功能,还可以通过第三方提供的系统漏洞检测feed文件,来实现主机的漏洞扫描和合规检查。

基本概念

功能示例

data_flow

组件模块

Wazuh的组件分为三部分:

  1. 客户端的功能
    agent

    1. 收集日志和事件日志;
    2. 文件和注册表的监控;
    3. 运行进程和安装软件的信息收集;
    4. 监控系统端口和网络配置;
    5. 检测恶意软件;
    6. 配置管理和策略监控
    7. 检测主机响应
  2. 服务端

    server

    1. 客户端的服务器注册;
    2. 实现客户端的连接服务;
    3. 根据各项规则实现事件日志的分析引擎;
    4. 提供RESTful API;
    5. 实现服务端的群集化;
    6. 使用Filebeat将日志文件吐给ES存储
  3. Elastic Stack

    show

    1. 事件日志的收集存储;
    2. 日志的分析和提供搜索功能;
    3. 展示和分析事件日志;

单点部署

安装要求

  1. 端口要求

    Component Software Port Protocol Purpose
    Wazuh server Wazuh manager 1514 TCP (default) Agents connection service
    1514 UDP Agents connection service
    1515 TCP Agents registration service
    1516 TCP Wazuh cluster daemon
    Wazuh API 55000 TCP Wazuh RESTful API
    Elastic Stack Elasticsearch 9200 TCP Elasticsearch RESTful API
    9300-9400 TCP Elasticsearch cluster communication
    Kibana 5601 TCP Kibana web interface
  2. 系统要求

    1. 服务端只能部署到Linux主机上
    2. 建议使用RHEL/CentOS 6.x、Ubuntu 12、Debian 7 版本以上
  3. 硬件要求

    最小配置 建议配置
    组件 RAM (GB) CPU (cores) RAM (GB) CPU (cores)
    Wazuh server 2 2 8 4
    Elastic Stack 4 2 16 8
  4. 存储配置

    1. 需要单独配置wazuh server的日志存储分区;
    2. 需要按当前月度日志量x6的最低要求配置,实际运行建议至少每台Wazuh Server配置100G日志存储;
    3. Elastic存储需要汇总多台Wazuh Server日志,至少需要保留半年日志量,建议配置1T存储。
  5. 部署拓扑

    topo


部署方案

  1. 部署拓扑

    topo

  2. 网络地址

    系统角色 版本 网络地址
    ElasticSearch 7.11.2 172.31.101.63
    Kibana 7.11.2 172.31.101.57
    WazuhMaster 4.1.5 172.31.101.57
    WazuhAgent 4..0.3

部署实施

  1. ElasticSearch的安装

    # 安装前置软件
    yum install -y zip unzip curl
    # 导入秘钥
    rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    # 增加官方源
    cat > /etc/yum.repos.d/elastic.repo << EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    # 安装软件
    yum makecache
    yum upgrade -y
    yum install -y elasticsearch-7.11.2
    
    # 导入配置文件
    mv /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml-bak
    touch /etc/elasticsearch/elasticsearch.yml
    cat > /etc/elasticsearch/elasticsearch.yml << EOF
    cluster.name: elastic
    node.name: elasticnode1
    network.host: 172.31.101.63
    cluster.initial_master_nodes: ["elasticnode1"]
    
    path.data: /var/lib/elasticsearch
    path.logs: /var/log/elasticsearch
    EOF
    
    # 开通防火墙
    firewall-cmd --permanent --add-service=elasticsearch 
    firewall-cmd --reload
    
    # 启动服务
    systemctl daemon-reload
    systemctl enable elasticsearch
    systemctl start elasticsearch
    
    # 校验服务
    # 使用其他主机访问es环境
    curl -XGET http://172.31.101.63:9200
    {
      "name" : "elasticnode1",
      "cluster_name" : "elastic",
      "cluster_uuid" : "ahjxhVEHREKNmBAfjcuyNw",
      "version" : {
        "number" : "7.11.2",
        "build_flavor" : "default",
        "build_type" : "rpm",
        "build_hash" : "3e5a16cfec50876d20ea77b075070932c6464c7d",
        "build_date" : "2021-03-06T05:54:38.141101Z",
        "build_snapshot" : false,
        "lucene_version" : "8.7.0",
        "minimum_wire_compatibility_version" : "6.8.0",
        "minimum_index_compatibility_version" : "6.0.0-beta1"
      },
      "tagline" : "You Know, for Search"
    }
    
    # 禁用软件源,避免非控升级组件
    sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
  2. Kibana的安装

    # 安装前置软件
    yum install -y zip unzip curl
    # 导入源秘钥
    rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    # 增加官方源
    cat > /etc/yum.repos.d/elastic.repo << EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    
    # 安装软件
    yum makecache
    yum upgrade -y
    yum install -y kibana-7.11.2
    
    # 修改配置文件
    cp /etc/kibana/kibana.yml /etc/kibana/kibana.yml-bak
    cat >> /etc/kibana/kibana.yml << EOF
    server.port: 5601
    server.host: "localhost"
    server.name: "kibana"
    i18n.locale: "zh-CN"
    elasticsearch.hosts: ["http://172.31.101.63:9200"]
    kibana.index: ".kibana"
    kibana.defaultAppId: "home"
    server.defaultRoute : "/app/wazuh"
    EOF
    
    # 创建数据目录
    mkdir /usr/share/kibana/data
    chown -R kibana:kibana /usr/share/kibana
    
    # 离线安装插件
    wget https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.11.2-1.zip
    cp ./wazuh_kibana-4.1.5_7.11.2-1.zip /tmp
    cd /usr/share/kibana
    sudo -u kibana /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuh_kibana-4.1.5_7.11.2-1.zip
    
    # 配置服务
    systemctl daemon-reload
    systemctl enable kibana
    systemctl start kibana
    
    # 禁用软件源,避免非控升级组件
    sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
    
    # 配置反向代理
    yum install -y nginx
    systemctl enable --now nginx
    vim /etc/ngix/nginx.conf.default
    # 在server{}中添加配置项
    ​```
            proxy_redirect           off;
            proxy_set_header         X-Real-IP $remote_addr;
            proxy_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header         Host $http_host;
    
            location / {
                    proxy_pass http://localhost:5601/;
            }```
    nginx -s reload
    
    # 登录kibana之后选择wazuh插件
    # 返回控制台修改插件配置文件
    sed -i ‘:s/localhost/172.31.101.57/g’ /usr/share/kibana/data/wazuh/config/wazuh.yml

    wazuh

  3. WazuhMaster的安装

    # 安装前置软件
    yum install -y zip unzip curl
    # 导入秘钥
    rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    
    # 配置官方软件源
    cat > /etc/yum.repos.d/wazuh.repo << EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
    cat > /etc/yum.repos.d/elastic.repo << EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    
    # 安装软件
    yum makecache
    yum upgrade -y
    
    yum install -y wazuh-manager
    yum install filebeat-7.11.2
    
    # 配置Filebeat
    mv /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml-bak
    touch /etc/filebeat/filebeat.yml
    
    cat > /etc/filebeat/filebeat.yml<<EOF
    filebeat.modules:
      - module: wazuh
        alerts:
          enabled: true
        archives:
          enabled: false
    
    setup.template.json.enabled: true
    setup.template.json.path: '/etc/filebeat/wazuh-template.json'
    setup.template.json.name: 'wazuh'
    setup.template.overwrite: true
    setup.ilm.enabled: false
    
    output.elasticsearch.hosts: ['http://172.31.101.63:9200']
    EOF
    
    # 导入filebeat的wazuh日志模板
    curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
    chmod go+r /etc/filebeat/wazuh-template.json
    
    # 导入filebeat的wazuh日志模型
    curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
    
    # 配置防火墙规则
    firewall-cmd --permanent --add-port={1514/tcp,1515/tcp,55000/tcp}
    firewall-cmd --reload
    
    # 禁用软件源,避免非控升级组件
    sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
    sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
    
    # 启动服务
    systemctl daemon-reload
    systemctl enable --now wazuh-manager
    systemctl enable --now filebeat
    
    # 验证Filebeat
    filebeat test output
    ···
    elasticsearch: http://172.31.101.63:9200...
      parse url... OK
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 172.31.101.63
        dial up... OK
      TLS... WARN secure connection disabled
      talk to server... OK
      version: 7.11.2
      ···
    # 刷新kibana
  4. WazuhAgent的安装(Linux)

    # 在es节点和kibana节点上安装
    sudo WAZUH_MANAGER='172.31.101.57' WAZUH_AGENT_GROUP='default' yum install -y https://packages.wazuh.com/4.x/yum/wazuh-agent-4.1.5-1.x86_64.rpm
    
    # 启动服务
    sudo systemctl daemon-reload
    sudo systemctl enable wazuh-agent
    sudo systemctl start wazuh-agent
  5. WazuhAgent的安装(Windows)

    # 使用管理员权限打开powershell控制台
    Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.1.5-1.msi -OutFile wazuh-agent.msi; ./wazuh-agent.msi /q WAZUH_MANAGER='172.31.101.57' WAZUH_REGISTRATION_SERVER='172.31.101.57' WAZUH_AGENT_GROUP='default'


漏洞扫描

漏扫原理

  1. Wazuh不是一个漏洞扫描工具,它只是借助本身的功能模块来实现对操作系统的漏洞监控;
  2. Wazuh的漏扫依赖于Agent的对系统软件版本的扫描,上传至Master节点之后,通过在线或者离线加载的各个操作系统官方发布的CVE数据库以及美国政府发布的NVD数据库来进行对比,从而实现漏洞的检查和告警;
  3. Wazuh不使用爬虫、端口扫描等传统漏扫技术路径,所以对客户端主机的性能影响极小;
  4. Wazuh官方支持对数据库、中间件等软件进行漏洞扫描,但只支持操作系统发行官方库中的包,因为它是简单的按照软件包名来进行对比的;
  5. Wazuh可以对接Clamav、Suricata等其他安全系统。

应用模块

  1. 配置离线文件
    # 在wazuh-master上安装Nginx
    yum install -y nginx
    mkdir -p /var/www/wazuh/os
    chown -R nginx:nginx /var/www/wazuh
    
    # 下载离线文件
    cd /var/www/wazuh/
    # 下载RHEL 7 8的漏洞种子文件
    wget https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
    wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
    
    # 下载微软漏洞文件
    wget https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
    
    # 下载Redhat的安全数据Json文件
    wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/rh-generator.sh
    chmod +x ./*.sh
    mkdir redhat
    ./rh-generator.sh redhat/
    
    # 下载NVD的安全数据库(CVE)
    wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/nvd-generator.sh
    chmod +x ./*.sh
    mkdir nvd
     ./nvd-generator.sh 2010 nvd/
    
    # 配置nginx文件 
    vim /etc/nginx/nginx.conf
    # 在server{}中修改增补如下配置
            root         /var/www/wazuh;
        
            location / {
                    autoindex on;
                    autoindex_exact_size off;
                    autoindex_localtime on;
            }
  2. 配置漏洞扫描模块
    vim /var/ossec/etc/ossec.conf
    <vulnerability-detector>
        <enabled>yes</enabled>
        <interval>5m</interval>
        <ignore_time>6h</ignore_time>
        <run_on_start>yes</run_on_start>
    
        <!-- RedHat OS vulnerabilities -->
        <provider name="redhat">
          <enabled>yes</enabled>
          <os url="http://172.31.101.57/rhel-7-including-unpatched.oval.xml.bz2">7</os>
          <os url="http://172.31.101.57/rhel-8-including-unpatched.oval.xml.bz2">8</os>
          <url start="1" end="25">http://172.31.101.57/redhat/redhat-feed[-].json</url>
          <update_interval>1h</update_interval>
        </provider>
    
        <!-- Windows OS vulnerabilities -->
        <provider name="msu">
          <enabled>yes</enabled>
          <url>http://172.31.101.57/msu-updates.json.gz</url>
          <update_interval>1h</update_interval>
        </provider>
    
        <!-- Aggregate vulnerabilities -->
        <provider name="nvd">
          <enabled>yes</enabled>
          <url start="2010" end="2021">http://172.31.101.57/nvd/nvd-feed[-].json.gz</url>
          <update_interval>1h</update_interval>
        </provider>
    
      </vulnerability-detector>
  3. 配置定期更新漏洞文件
    #!/bin/bash
    cd /var/www/wazuh/
    
    # 下载Ubuntu 20.04的漏洞种子
    wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
    
    # 下载RHEL 6/7/8的漏洞种子
    wget -N https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
    wget -N https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
    wget -N https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
    
    # 下载微软漏洞文件
    wget -N https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
    
    #下载Redhat的安全数据Json文件
    /bin/bash /var/www/wazuh/rh-generator.sh /var/www/wazuh/redhat
    
    # 下载NVD的安全数据库(CVE)
    /bin/bash /var/www/wazuh/nvd-generator.sh 2010 /var/www/wazuh/nvd
    
    # 更新文件权限
    chown -R nginx:nginx /var/www/wazuh
    
    # 重启服务,更新数据库
    systemctl restart wazuh-manager.service
  4. 查询漏扫情况

vul

  1. 邮件告警

    # 开启全局邮件通知
    # Wazuh本身没有邮件功能,它依赖系统的邮件投递
      <global>
          <email_notification>yes</email_notification>
          <email_to>sujx@live.cn</email_to>
          <smtp_server>exmail.qq.com</smtp_server>
          <email_from>i@sujx.net</email_from>
          <email_maxperhour>12</email_maxperhour>
      </global>
    
    # 定义邮件告警级别,设定事件级别>=12级即发送邮件告警
      <alerts>
        <log_alert_level>3</log_alert_level>
        <email_alert_level>12</email_alert_level>
      </alerts>
      
    # 定义每日高危漏洞通知(>=13级漏洞)
      <reports>
          <level>13</level>
          <title>Daily report: Alerts with level higher than 13</title>
          <email_to>sujx@live.cn</email_to>
      </reports>
      
    # 强制发送告警邮件,即不管上述如何设定一定要发邮件告警,是配置在rule上,而不是全局conf中
      <rule id="502" level="3">
        <if_sid>500</if_sid>
        <options>alert_by_email</options>
        <match>Ossec started</match>
        <description>Ossec server started.</description>
      </rule>
  2. 邮件投递

    yum install -y mailx
    # 使用mailx发送内部邮件
    cat >> /etc/mail.rc<<EOF
    # 设定内部匿名邮件服务器
    set smtp=smtp.example.com
    EOF
    # 使用公共邮箱发送邮件
    yum install -y postfix mailx cyrus-sasl cyrus-sasl-plain
    # 建立邮件中继
    cat >> /etc/postfix/main.cf<<EOF
    relayhost = [smtp.exmail.qq.com]:587
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
    smtp_use_tls = yes
    EOF
    # 设定使用i@sujx.net发送邮件给指定接收方
    echo [smtp.exmail.qq.com]:587 i@sujx.net:PASSWORD > /etc/postfix/sasl_passwd
    postmap /etc/postfix/sasl_passwd
    chmod 400 /etc/postfix/sasl_passwd
    
    chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
    chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
    
    # 重置服务
    systemctl reload postfix
    
    # 邮件测试
    echo "Test mail from postfix" | mail -s "Test Postfix" -r "i@sujx.net" sujx@live.cn
    
    # 邮件告警
    
    Wazuh Notification.
    2021 Jul 03 23:21:09
    
    Received From: (server002.sujx.net) any->syscheck
    Rule: 550 fired (level 7) -> "Integrity checksum changed."
    Portion of the log(s):
    
    File '/etc/sysconfig/iptables.save' modified
    Mode: scheduled
    Changed attributes: mtime,md5,sha1,sha256
    …………
    --END OF NOTIFICATION
    
    # 邮件报告
    
    Report 'Daily report: Alerts with level higher than 13.' completed.
    ------------------------------------------------
    ->Processed alerts: 481384
    ->Post-filtering alerts: 1953
    ->First alert: 2021 Jun 29 00:06:08
    ->Last alert: 2021 Jun 29 23:59:17
    Top entries for 'Level':
    ------------------------------------------------
    Severity 13                                                                   |1953    |
    Top entries for 'Group':
    ------------------------------------------------
    gdpr_IV_35.7.d                                                                |1953    |
    pci_dss_11.2.1                                                                |1953    |
    pci_dss_11.2.3                                                                |1953    |
    tsc_CC7.1                                                                     |1953    |
    tsc_CC7.2                                                                     |1953    |
    vulnerability-detector                                                        |1953    |
    Top entries for 'Location':
    ……
  3. 使用Kibana产生PDF版本的漏洞报告

    report


生产建议

  1. 由于Wazuh的漏扫模块很容易将CPU资源打满,建议使用wazuh的群集模式部署相应数量的worker来承担漏扫功能。
  2. Wazuh的worker建议使用4核4G的配置进行部署,其内存占用2G左右,但CPU占用较高,且多核性能不理想。官方回复是以后版本会改进。
  3. 如果要求每天(24hour)产生一次全网漏扫报告的话,建议使用200:1的比例部署worker;
  4. 由于Wazuh的多线程优化以及Cluster模式下worker管理的优化存在问题,在面对>1000台以上的agent环境中,建议使用高配物理机部署。

使用案例

使用系统官方库

  1. 安装数据库

    yum makecache
    # 系统自带版本为10
    yum install -y postgresql postgresql-server
  2. 启动数据库

    # 启动服务
    postgresql-setup initdb
    systemctl enable postgresql.service --now
  3. 执行漏洞检测

    postgresql

使用软件官方库

  1. 安装数据库
    # 安装PG官方源
    yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
    # 添加更新源,安装版本以12版本为例
    yum makecache
    # 安装数据库
    yum install -y postgresql12 postgresql12-server
  2. 启动数据库
    # 创建目录
    mkdir -p /var/lib/pgsql/12/data/
    chown postgres:postgres /var/lib/pgsql/12/ -R
    
    # 启动服务
    postgresql-12-setup initdb
    systemctl enable postgresql-12.service --now
  3. 执行漏洞检测
  • 无检测结果

问题所在

Wazuh使用软件包名或者KB名来进行对比,对于RPM系发行版就是访问rpminfo数据库来进行对比。
以postgresql为例

  1. Redhat官方漏洞库

    # redhat官方的漏洞库中是有postgresql12的漏洞的
     <criterion comment="Module postgresql:12 is enabled" test_ref="oval:com.redhat.cve:tst:202120229037"/>
             <criterion comment="postgresql-plperl is installed" test_ref="oval:com.redhat.cve:tst:202120229001"/>
             <criterion comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229002"/>
             <criterion comment="postgresql-server-devel is installed" test_ref="oval:com.redhat.cve:tst:202120229007"/>
             <criterion comment="postgresql-server-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229008"/>
             <criterion comment="postgresql-plpython3 is installed" test_ref="oval:com.redhat.cve:tst:202120229009"/>
             <criterion comment="postgresql-plpython3 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229010"/>
             <criterion comment="postgresql is installed" test_ref="oval:com.redhat.cve:tst:202120229011"/>
             <criterion comment="postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229012"/>
             <criterion comment="postgresql-static is installed" test_ref="oval:com.redhat.cve:tst:202120229013"/>
             <criterion comment="postgresql-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229014"/>
             <criterion comment="postgresql-upgrade is installed" test_ref="oval:com.redhat.cve:tst:202120229015"/>
             <criterion comment="postgresql-upgrade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229016"/>
             <criterion comment="postgresql-docs is installed" test_ref="oval:com.redhat.cve:tst:202120229017"/>
             <criterion comment="postgresql-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229018"/>
             <criterion comment="postgresql-contrib is installed" test_ref="oval:com.redhat.cve:tst:202120229019"/>
             <criterion comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229020"/>
             <criterion comment="postgresql-pltcl is installed" test_ref="oval:com.redhat.cve:tst:202120229023"/>
             <criterion comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229024"/>
             <criterion comment="postgresql-test-rpm-macros is installed" test_ref="oval:com.redhat.cve:tst:202120229025"/>
             <criterion comment="postgresql-test-rpm-macros is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229026"/>
             <criterion comment="postgresql-debugsource is installed" test_ref="oval:com.redhat.cve:tst:202120229029"/>
             <criterion comment="postgresql-debugsource is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229030"/>
             <criterion comment="postgresql-server is installed" test_ref="oval:com.redhat.cve:tst:202120229031"/>
             <criterion comment="postgresql-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229032"/>
             <criterion comment="postgresql-upgrade-devel is installed" test_ref="oval:com.redhat.cve:tst:202120229033"/>
             <criterion comment="postgresql-upgrade-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229034"/>

    vuln

  2. PG官方包的名称

    [sujx@postgresql ~]$ rpm -qa |grep postgresql
    postgresql12-12.7-2PGDG.rhel8.x86_64
    postgresql12-libs-12.7-2PGDG.rhel8.x86_64
    postgresql12-server-12.7-2PGDG.rhel8.x86_64

    结论

    postgresql12 ≠ postgresql,所以wazuh使用redhat的OVAL文件可以搜出redhat打包的postgresql的漏洞,其他就不可以。

    维护管理

    客户端的删除

    cd /var/ossec/bin/
    # 执行管理程序
    [root@vlnx101057 bin]# ./manage_agents 
    
    ****************************************
    * Wazuh v4.1.5 Agent manager.          *
    * The following options are available: *
    ****************************************
       (A)dd an agent (A).                手动增加客户端
       (E)xtract key for an agent (E).     提取客户端秘钥
       (L)ist already added agents (L).    列出当前客户端
       (R)emove an agent (R).              删除客户端
       (Q)uit.                             退出
    Choose your action: A,E,L,R or Q:R      输入R,确认删除客户端
    Provide the ID of the agent to be removed (or '\q' to quit): 180     输入agent id
    Confirm deleting it?(y/n):               确认删除
    Agent '180' removed.                    完成删除  

    客户端的离线注册

Wazuh-Manager和Wazuh-Agent之间通过1515/tcp端口来进行认证的,具体实现形式类似CA证书的形式。Manager有自建Key,然后Agent通过注册的形式提交主机名、IP地址获取相应的ID和Key。注册之后,Manager和Agent就不再使用1515端口进行认证,只使用1514/TCP端口进行加密的数据通讯。

在无法开通1515/tcp端口或者其他特定情况下,我们需要离线注册Wazuh-Agent。大体步骤为:

  1. 在管理端注册Agent主机名和IP地址,并获取相应主机ID;
  2. 导出客户端注册Key;
  3. 在Agent上导入上述Key;
  4. 重启Agent服务。
# on the Manger
/var/ossec/bin/manage_agents -a <agent_IP> -n <agent_name>
/var/ossec/bin/manage_agents -l | grep <agent_name>
ID: 001, Name: agent_1, IP: any
/var/ossec/bin/manage_agents -e <agent_id>
Agent key information for '001' is:
MDAxIDE4NWVlNjE1Y2YzYiBhbnkgMGNmMDFiYTM3NmMxY2JjNjU0NDAwYmFhZDY1ZWU1YjcyMGI2NDY3ODhkNGQzMjM5ZTdlNGVmNzQzMGFjMDA4Nw==

# on the Agent
/var/ossec/bin/manage_agents -i <key>
# 修改Agent上的Manager IP
vim /var/ossec/etc/ossec.conf
<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>
systemctl restart wazuh-agent

其他

此外,Wazuh Manager默认是开放认证的,即只要知道Manager的IP就可直接注册。但它也支持通过密码认证、通过SSL证书认证、通过API认证、通过主机环境认证(限定主机名和主机组来认证)。
以下,仅提供密码认证的配置介绍:

# 在Manager主机上打开密码认证选项
# vim /var/ossec/etc/ossec.conf
<auth>
  ...
  <use_password>yes</use_password>
  ...
</auth>

# 添加随机密码
systemctl restart wazuh-manager
grep "Random password" /var/ossec/logs/ossec.log

# 添加指定密码
# 如不进行如下操作,wazuh实际就会产生一个随机密码
echo "<custom_password>" > /var/ossec/etc/authd.pass
systemctl restart wazuh-manager

# 在Agent上开启密码认证并注册
/var/ossec/bin/agent-auth -m <manager_IP> -P "<custom_password>"
systemctl restart wazuh-agent

# 或者将密码注入相应文件
echo "<custom_password>" > /var/ossec/etc/authd.pass
/var/ossec/bin/agent-auth -m <manager_IP>
systemctl restart wazuh-agent

系统调优

wazuh本身是一个对资源要求较低的系统,但长期运行下来,还是会出现各种各样资源使用不足的问题。因此,需要进行一定程度的优化和调整

调整ES参数

开启内存锁定参数

# 锁定物理内存地址,防止ES内存被交换出去,避免频繁使用swap分区
cat >> /etc/elasticsearch/elasticsearch.yml <<EOF
bootstrap.memory_lock: true
EOF

限制系统资源

# 配置Elasticsearch的systemd调用
mkdir -p /etc/systemd/system/elasticsearch.service.d/
 
cat > /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf << EOF
[Service]
LimitMEMLOCK=infinity
EOF

调整内核参数

cat >> /etc/security/limits.conf <<EOF
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
EOF

调整JVM参数

# 在可用内存使用率不超过50%,且使用量不超过32GB内存的情况下,设定Xms和Xmx的值为当年内存总量的一半
# 当前内存总量为8GB
cat >> /etc/elasticsearch/jvm.options <<EOF
-Xms4g
-Xmx4g
EOF

重启服务

systemctl daemon-reload
systemctl restart elasticsearch

设置分片和副本数据量

Wazuh设置单节点ES主机

# 获取Wazuh ES 模板
curl https://raw.githubusercontent.com/wazuh/wazuh/v4.1.5/extensions/elasticsearch/7.x/wazuh-template.json -o w-elastic-template.json
# 结合实际环境,设置分片数为1,副本数为0
  
{
  "order": 1,
  "index_patterns": ["wazuh-alerts-4.x-*"],
  "settings": {
    "index.refresh_interval": "5s",
    "index.number_of_shards": "1",
    "index.number_of_replicas": "0",
    "index.auto_expand_replicas": "0-1",
    "index.mapping.total_fields.limit": 2000
  },
  "mappings": {
  "...": "..."
  }
}

# 应用模板
curl -X PUT "http://localhost:9200/_template/wazuh-custom" -H 'Content-Type: application/json' -d @w-elastic-template.json

设置永久分片数

# 设置ES的永久分片数为20000
curl -XPUT  "127.0.0.1:9200/_cluster/settings" -H 'Content-Type: application/json' -d '{"persistent":{"cluster":{"max_shards_per_node":20000}}}'

删除过期分片

# 删除2021.06所有分片
curl -XDELETE http://127.0.0.1:9200/wazuh-alerts-4.x-2021.06.*   

硬件调优

使用固态磁盘

更多的CPU和内存

群集部署

在中大型网络环境中,单台Allinone的Wazuh系统或者单节点的分布式部署Wazuh系统从性能上已经无法满足日志分析和漏洞扫描的需求,因此应当采用高可用、多节点的分布式部署来满足Wazuh对CPU和存储的要求。

序号 系统描述 配置 网络地址 系统角色
1 Lvsnode1 1c/1g 192.168.79.51 LVS+KeepLived 提供VIP和负载均衡
2 Lvsnode2 1c/1g 192.168.79.52 LVS+KeepLived 提供VIP和负载均衡
3 Wazuhnode0 2c/2g 192.168.79.60 Wazuh主节点,提供认证以及cve库
4 Wazuhnode1 1c/1g 192.168.79.61 WazuhWorker,工作节点,提供事件日志分析和漏洞扫描
5 Wazuhnode2 1c/1g 192.168.79.62 WazuhWorker,工作节点,提供事件日志分析和漏洞扫描
6 KibanaNode 2c/4g 192.168.79.80 Kibana展示节点
7 ElasticNode1 4c/4g 192.168.79.81 ElasticSearch 群集节点
8 ElasticNode2 4c/4g 192.168.79.82 ElasticSearch 群集节点
9 ElasticNode3 4c/4g 192.168.79.83 ElasticSearch 群集节点
10 UbuntuNode 1c/1g 192.168.79.127 Ubuntu 20.04 LTS 测试机 + Wordpress
11 CentOSNode 1c/1g 192.168.79.128 CentOS 8.4 测试机 + PostgreSQL
12 WindowsNode 2c/2g 192.168.79.129 Windows Server 2012R2 测试机+ SQL Server
13 VIP ——- 192.168.79.50 前端访问IP
14 Gateway 1c/1g 192.168.79.254 使用iKuai提供网关服务和外部DNS服务

后端存储群集

  1. ElasticSearch三节点部署

    # 安装前置软件
    yum install -y zip unzip curl
    # 导入秘钥
    rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    # 增加官方源
    cat > /etc/yum.repos.d/elastic.repo << EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    # 安装软件
    yum makecache
    yum upgrade -y
    yum install -y elasticsearch-7.11.2
    
    # 导入配置文件
    cp -a /etc/elasticsearch/elasticsearch.yml{,_$(date +%F)}
    
    # 依次在各个节点上设置
    cat > /etc/elasticsearch/elasticsearch.yml << EOF
    network.host: 192.168.79.81
    node.name: elasticnode1
    cluster.name: elastic
    cluster.initial_master_nodes:
            - elasticnode1
            - elasticnode2
            - elasticnode3
    discovery.seed_hosts:
            - 192.168.79.81
            - 192.168.79.82
            - 192.168.79.83
    EOF
    
    # 开通防火墙
    firewall-cmd --permanent --add-service=elasticsearch 
    firewall-cmd --reload
    
    # 启动服务
    systemctl daemon-reload
    systemctl enable elasticsearch
    systemctl start elasticsearch
    
    # 禁用软件源,避免非控升级组件
    sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
    
    # 在各个节点上依次部署,注意变更主机名和IP地址
  2. ElasticSearch群集验证

    sujx@LEGION:~$ curl http://192.168.79.81:9200/_cluster/health?pretty
    {
      "cluster_name" : "elastic",
      "status" : "green",
      "timed_out" : false,
      "number_of_nodes" : 3,
      "number_of_data_nodes" : 3,
      "active_primary_shards" : 0,
      "active_shards" : 0,
      "relocating_shards" : 0,
      "initializing_shards" : 0,
      "unassigned_shards" : 0,
      "delayed_unassigned_shards" : 0,
      "number_of_pending_tasks" : 0,
      "number_of_in_flight_fetch" : 0,
      "task_max_waiting_in_queue_millis" : 0,
      "active_shards_percent_as_number" : 100.0
    }
    
    sujx@LEGION:~$ curl http://192.168.79.81:9200/_cat/nodes?v
    ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role  master name
    192.168.79.83           10          86   0    0.08    0.08     0.03 cdhilmrstw -      elasticnode3
    192.168.79.82           18          97   0    0.01    0.12     0.08 cdhilmrstw *      elasticnode2
    192.168.79.81           16          95   0    0.06    0.08     0.08 cdhilmrstw -      elasticnode1

    处理系统群集

    1. Wazuh Master的部署

      # 安装前置软件
      yum install -y zip unzip curl
      # 导入秘钥
      rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
      rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
      
      # 配置官方软件源
      cat > /etc/yum.repos.d/wazuh.repo << EOF
      [wazuh]
      gpgcheck=1
      gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
      enabled=1
      name=EL-$releasever - Wazuh
      baseurl=https://packages.wazuh.com/4.x/yum/
      protect=1
      EOF
      
      cat > /etc/yum.repos.d/elastic.repo << EOF
      [elasticsearch-7.x]
      name=Elasticsearch repository for 7.x packages
      baseurl=https://artifacts.elastic.co/packages/7.x/yum
      gpgcheck=1
      gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
      enabled=1
      autorefresh=1
      type=rpm-md
      EOF
      
      # 安装软件
      yum makecache
      yum upgrade -y
      
      yum install -y wazuh-manager
      yum install -y filebeat-7.11.2
      
      # 配置Filebeat
      cp -a /etc/filebeat/filebeat.yml{,_$(date +%F)}
      
      cat > /etc/filebeat/filebeat.yml<<EOF
      filebeat.modules:
        - module: wazuh
          alerts:
            enabled: true
          archives:
            enabled: false
      
      setup.template.json.enabled: true
      setup.template.json.path: '/etc/filebeat/wazuh-template.json'
      setup.template.json.name: 'wazuh'
      setup.template.overwrite: true
      setup.ilm.enabled: false
      
      output.elasticsearch.hosts: ['http://192.168.79.81:9200','http://192.168.79.82:9200','http://192.168.79.83:9200']
      EOF
      
      # 导入filebeat的wazuh日志模板
      curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
      chmod go+r /etc/filebeat/wazuh-template.json
      
      # 导入filebeat的wazuh日志模型
      curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
      
      # 配置防火墙规则
      firewall-cmd --permanent --add-port={1514/tcp,1515/tcp,1516/tcp,55000/tcp}
      firewall-cmd --reload
      
      # 禁用软件源,避免非控升级组件
      sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
      sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
      
      # 启动服务
      systemctl daemon-reload
      systemctl enable --now wazuh-manager
      systemctl enable --now filebeat
      
      # 测试filebeat
      [root@WazuhNode0 wazuh]# filebeat test output
      elasticsearch: http://192.168.79.81:9200...
        parse url... OK
        connection...
          parse host... OK
          dns lookup... OK
          addresses: 192.168.79.81
          dial up... OK
        TLS... WARN secure connection disabled
        talk to server... OK
        version: 7.11.2
      elasticsearch: http://192.168.79.82:9200...
        parse url... OK
        connection...
          parse host... OK
          dns lookup... OK
          addresses: 192.168.79.82
          dial up... OK
        TLS... WARN secure connection disabled
        talk to server... OK
        version: 7.11.2
      elasticsearch: http://192.168.79.83:9200...
        parse url... OK
        connection...
          parse host... OK
          dns lookup... OK
          addresses: 192.168.79.83
          dial up... OK
        TLS... WARN secure connection disabled
        talk to server... OK
        version: 7.11.2
    2. Wazuh worker的部署

      # 同Master部署一致
      
      # 安装软件
      yum install -y wazuh-manager
      yum install -y filebeat-7.11.2
      
      # 配置Filebeat
      cp -a /etc/filebeat/filebeat.yml{,_$(date +%F)}
      
      cat > /etc/filebeat/filebeat.yml<<EOF
      filebeat.modules:
        - module: wazuh
          alerts:
            enabled: true
          archives:
            enabled: false
      
      setup.template.json.enabled: true
      setup.template.json.path: '/etc/filebeat/wazuh-template.json'
      setup.template.json.name: 'wazuh'
      setup.template.overwrite: true
      setup.ilm.enabled: false
      
      output.elasticsearch.hosts: ['http://192.168.79.81:9200','http://192.168.79.82:9200','http://192.168.79.83:9200']
      EOF
      
      # 导入filebeat的wazuh日志模板
      curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
      chmod go+r /etc/filebeat/wazuh-template.json
      
      # 导入filebeat的wazuh日志模型
      curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
      
      # 配置防火墙规则
      firewall-cmd --permanent --add-port={1514/tcp,1516/tcp}
      firewall-cmd --reload
      
      # 启动服务
      systemctl daemon-reload
      systemctl enable --now wazuh-manager
      systemctl enable --now filebeat
    3. 实现wazuh群集

      # 进行群集认证
      # Master节点
      #生成随机串值
      openssl rand -hex 16
      d84691d111f86e70e8ed7eff80cde39e
      
      # 编辑ossec.conf的cluster
      
        <cluster>
          <name>wazuh</name>
          <node_name>wazuhnode0</node_name>
          <node_type>master</node_type>
          <key>d84691d111f86e70e8ed7eff80cde39e</key>
          <port>1516</port>
          <bind_addr>0.0.0.0</bind_addr>
          <nodes>
              <node>192.168.79.60</node>
          </nodes>
          <hidden>no</hidden>
          <disabled>no</disabled>
        </cluster>
        
      # Worker节点
      # 编辑ossec.conf的cluster
      
        <cluster>
          <name>wazuh</name>
          <node_name>wazuhnode1</node_name>
          <node_type>worker</node_type>
          <key>d84691d111f86e70e8ed7eff80cde39e</key>
          <port>1516</port>
          <bind_addr>0.0.0.0</bind_addr>
          <nodes>
              <node>192.168.79.60</node>
          </nodes>
          <hidden>no</hidden>
          <disabled>no</disabled>
        </cluster>
        
      # 验证
      [root@WazuhNode0 bin]# ./cluster_control -l
      NAME        TYPE    VERSION  ADDRESS        
      wazuhnode0  master  4.1.5    192.168.79.60  
      wazuhnode1  worker  4.1.5    192.168.79.61  
      wauzhnode2  worker  4.1.5    192.168.79.62

前端群集

  1. 前端部署采用Keeplived+Nginx代理的模式,提供一个VIP供Wazuh的agent进行部署。

  2. 部署Nginx的TCP代理节点

    # 部署第一个节点Node1
    # 开放防火墙端口
    firewall-cmd --permanent --add-port={1514/tcp,1515/tcp}
    firewall-cmd --reload
    
    # 新增官方源地址
    cat > /etc/yum.repos.d/nginx.repo <<\EOF
    [nginx]
    name=nginx repo
    baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
    gpgcheck=0
    enabled=1
    EOF
    
    # 安装Nginx
    yum makecache
    yum install -y nginx
    systemctl daemon-reload
    systemctl enable nginx.service --now
    
    # 配置stream
    cd /etc/nginx
    cp -a nginx.conf{,_$(date +%F)}
    cat >> /etc/nginx/nginx.conf <<EOF
    include /etc/nginx/stream.d/*.conf;
    EOF
    
    mkdir ./stream.d
    touch /etc/nginx/stream.d/wazuh.conf
    
    cat > /etc/nginx/stream.d/wazuh.conf<<EOF
    stream {
        upstream cluster {
            hash $remote_addr consistent;
            server 192.168.79.61:1514;
            server 192.168.79.62:1514;
        }
        upstream master {
            server 192.168.79.60:1515;
        }
        server {
            listen 1514;
            proxy_pass cluster;
        }
        server {
            listen 1515;
            proxy_pass master;
        }
    }
    EOF
    
    # 重启Nginx
    systemctl restart nginx
    # 检查端口情况
    [root@lvsnode1 nginx]# netstat -tlnp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      1897/nginx: master  
    tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      1897/nginx: master  
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1897/nginx: master  
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1022/sshd           
    tcp6       0      0 :::80                   :::*                    LISTEN      1897/nginx: master  
    tcp6       0      0 :::22                   :::*                    LISTEN      1022/sshd   
    
    # 安装Keeplived
    yum install -y keepalived
    cd /etc/keepalived/
    cp -a keepalived.conf{,_$(date +%F)}
    
    # 进行配置
    cat > keepalived.conf<<EOF
    # Configuration File for keepalived
    #
    global_defs {
        router_id nginxnode1
        vrrp_mcast_group4 224.0.0.18
        lvs_timeouts tcp 900 tcpfin 30 udp 300
        lvs_sync_daemon ens160 route_lvs
        vrrp_skip_check_adv_addr
        #vrrp_strict
        vrrp_garp_interval 0
        vrrp_gna_interval 0
    }
    vrrp_instance route_lvs {
        state BACKUP
        priority 100
        virtual_router_id 18
        interface ens160
        track_interface {
            ens160
        }
        advert_int 3
        authentication {
            auth_type PASS
            auth_pass password
        }
        virtual_ipaddress {
            192.168.79.50/24 dev ens160 label ens160:0
        }
    }
    EOF
    
    systemctl enable keepalived.service --now
  3. 验证服务

    sujx@LEGION:~$ ping 192.168.79.50
    PING 192.168.79.50 (192.168.79.50) 56(84) bytes of data.
    64 bytes from 192.168.79.50: icmp_seq=1 ttl=64 time=0.330 ms
    64 bytes from 192.168.79.50: icmp_seq=2 ttl=64 time=0.306 ms
    
    --- 192.168.79.50 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 0.306/0.430/0.655/0.159 ms
    
    sujx@LEGION:~$ telnet 192.168.79.50 1515
    Trying 192.168.79.140...
    Connected to 192.168.79.140.
    Escape character is '^]'.
       
    sujx@LEGION:~$ telnet 192.168.79.50 1514
    Trying 192.168.79.140...
    Connected to 192.168.79.140.
    Escape character is '^]'.
    

访问面板

  1. 部署Elastic协调节点

    # 如果 Elasticsearch 集群有多个节点,分发 Kibana 节点之间请求的最简单的方法就是在 Kibana 机器上运行一个 Elasticsearch 协调(Coordinating only node) 的节点。Elasticsearch 协调节点本质上是智能负载均衡器,也是集群的一部分,如果有需要,这些节点会处理传入 HTTP 请求,重定向操作给集群中其它节点,收集并返回结果
    
    # 在Kibana节点上安装Elasticsearch
    # 安装前置软件
    yum install -y zip unzip curl
    # 导入源秘钥
    rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    # 增加官方源
    cat > /etc/yum.repos.d/elastic.repo << EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    
    # 安装软件
    yum makecache
    yum upgrade -y
    yum install -y elasticsearch-7.11.2
    
    #配置防火墙
    firewall-cmd --permanent --add-service=http
    firewall-cmd --permanent --add-service=elasticsearch
    firewall-cmd --reload
    
    # 修改配置
    # 其他ES节点也需要增加该主机NodeIP,并重启服务
    cat >> /etc/elasticsearch/elasticsearch.yml<<EOF
    node.name: kibananode0
    cluster.name: elastic
    node.master: false
    node.data: false
    node.ingest: false
    network.host: localhost
    http.port: 9200
    transport.host: 192.168.79.80
    transport.tcp.port: 9300
    
    discovery.seed_hosts:
            - 192.168.79.81
            - 192.168.79.82
            - 192.168.79.83
            - 192.168.79.80
    EOF
    
    # 查看群集信息,只允许本机Kibana访问
    [root@kibana wazuh]# curl http://localhost:9200/_cat/nodes?v
    ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role  master name
    192.168.79.81           18          96   0    0.04    0.06     0.02 cdhilmrstw -      elasticnode1
    192.168.79.80           12          97   3    0.01    0.08     0.07 lr         -      kibananode0
    192.168.79.82           23          96   0    0.04    0.09     0.04 cdhilmrstw *      elasticnode2
    192.168.79.83           23          87   0    0.09    0.11     0.05 cdhilmrstw -      elasticnode3
  2. 配置Kibana

    yum install -y kibana-7.11.2
    
    # 修改配置文件
    cp -a /etc/kibana/kibana.yml{,_$(date +%F)}
    
    cat >> /etc/kibana/kibana.yml << EOF
    server.port: 5601
    server.host: "localhost"
    server.name: "kibana"
    i18n.locale: "zh-CN"
    elasticsearch.hosts: ["http://localhost:9200"]
    kibana.index: ".kibana"
    kibana.defaultAppId: "home"
    server.defaultRoute : "/app/wazuh"
    EOF
    
    # 创建数据目录
    mkdir /usr/share/kibana/data
    chown -R kibana:kibana /usr/share/kibana
    
    # 离线安装插件
    wget https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.11.2-1.zip
    cp ./wazuh_kibana-4.1.5_7.11.2-1.zip /tmp
    cd /usr/share/kibana
    sudo -u kibana /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuh_kibana-4.1.5_7.11.2-1.zip
    
    # 配置服务
    systemctl daemon-reload
    systemctl enable kibana
    systemctl start kibana
    
    # 禁用软件源,避免非控升级组件
    sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
    
    # 配置反向代理
    yum install -y nginx
    systemctl enable --now nginx
    vim /etc/ngix/nginx.conf
    # 在server{}中添加配置项
    ​```
            proxy_redirect           off;
            proxy_set_header         X-Real-IP $remote_addr;
            proxy_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header         Host $http_host;
    
            location / {
                    proxy_pass http://localhost:5601/;
            }```
    nginx -s reload
    
    # 登录kibana之后选择wazuh插件
    # 返回控制台修改插件配置文件
    sed -i "s/localhost/192.168.79.60/g" /usr/share/kibana/data/wazuh/config/wazuh.yml

    客户端验证

  3. 部署Wazuh-Agent

    # CentOS主机
    sudo WAZUH_MANAGER='192.168.79.50' WAZUH_AGENT_GROUP='default' yum install https://packages.wazuh.com/4.x/yum/wazuh-agent-4.1.5-1.x86_64.rpm -y
    
    # Ubuntu主机
    curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.1.5-1_amd64.deb && sudo WAZUH_MANAGER='192.168.79.60' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent.deb
    
    # 启动服务
    systemctl daemon-reload
    systemctl enable wazuh-agent
    systemctl start wazuh-agent
    
    # Windows主机
    Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.1.5-1.msi -OutFile wazuh-agent.msi; ./wazuh-agent.msi /q WAZUH_MANAGER='192.168.79.50' WAZUH_REGISTRATION_SERVER='192.168.79.50' WAZUH_AGENT_GROUP='default' 
    start-service wazuh
  4. 验证客户端所在管理节点

更新数据


相比较单机版本,群集化的Wazuh需要处理的第一个问题就是如何保证ossec.conf文件和漏洞库的统一配置、统一更新、统一下发。以下将使用简单的Ansible命令和Shell脚本实现前述功能。

建立共享

  1. 部署Nginx

    # 在wazuh-master上安装Nginx
    yum install -y nginx
    mkdir -p /var/www/wazuh
    chown -R nginx:nginx /var/www/wazuh
  2. 下载更新

    # 下载离线文件
    cd /var/www/wazuh/
    
    # 下载Ubuntu 20.04的漏洞种子
    wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
    
    # 下载RHEL 7 8的漏洞种子文件
    wget https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
    wget https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
    wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
    
    # 下载微软CVE文件
    wget https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
    
    # 下载Redhat的安全数据Json文件
    wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/rh-generator.sh
    chmod +x ./*.sh
    mkdir redhat
    ./rh-generator.sh redhat/
    
    # 下载NVD的安全数据库(CVE)
    wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/nvd-generator.sh
    chmod +x ./*.sh
    mkdir nvd
     ./nvd-generator.sh 2010 nvd/
  3. 页面发布

    # 配置nginx文件 
    vim /etc/nginx/nginx.conf
    # 在server{}中修改增补如下配置
            root         /var/www/wazuh;
        
            location / {
                    autoindex on;
                    autoindex_exact_size off;
                    autoindex_localtime on;
            }

    定时更新

  4. 在/opt/wazuh/目录下建立wazuhupdate.sh文件

    #!/bin/bash
    cd /var/www/wazuh/
    
    # 下载Ubuntu 20.04的漏洞种子
    wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
    
    # 下载RHEL 6/7/8的漏洞种子
    wget -N https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
    wget -N https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
    wget -N https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
    
    # 下载微软漏洞文件
    wget -N https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
    
    #下载Redhat的安全数据Json文件
    /bin/bash /var/www/wazuh/rh-generator.sh /var/www/wazuh/redhat
    
    # 下载NVD的安全数据库(CVE)
    /bin/bash /var/www/wazuh/nvd-generator.sh 2010 /var/www/wazuh/nvd
    
    # 更新文件权限
    chown -R nginx:nginx /var/www/wazuh
    
    # 重启服务,更新数据库
    systemctl restart wazuh-manager.service
  5. 建立定时文件

    #检查crond.service运行状态
    systemctl status crond.service 
    crontab -e
    # 每周一、四下午6点半执行脚本进行升级
    30 18 * * 1,4 /bin/bash /opt/wazuh/wazuhupdate.sh

    批量下发

  6. 安装配置Ansbile

    yum install -y centos-release-ansible-29.noarch 
    yum install -y ansible
    
    # 因主机默认设置不允许root使用ssh登录,需要切换到普通用户目录
    cd ~
    mkdir ansible
    cd ansible
    touch .inventory
    cat > .inventory <<EOF
    [master]
    192.168.79.60
    [worker]
    192.168.79.61
    192.168.79.62
    EOF
    
    ssh-keygen
    ssh-copy-id sujx@192.168.79.60
    ssh-copy-id sujx@192.168.79.61
    ssh-copy-id sujx@192.168.79.62
    
    ansible all -m ping
    [sujx@WazuhNode0 ansible]$ ansible worker -m ping
    192.168.79.62 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/libexec/platform-python"
        },
        "changed": false,
        "ping": "pong"
    }
    192.168.79.61 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/libexec/platform-python"
        },
        "changed": false,
        "ping": "pong"
    }
  7. 建立批量更新脚本

    # 在每台Worker主机上建立相应脚本
    mkdir /opt/wazuh
    touch /opt/wazuh/cluster.sh
    cat > /opt/wazuh/cluster.sh <<EOF
    #!/bin/bash
    
    cd ~
    
    # 配置文件
    wget http://192.168.79.60/conf/ossec.conf
    # 自定义规则文件
    # wget http://192.168.79.60/conf/0015-ossec_rules.xml
    
    # 替换主机名
    workername=$(hostname -s)
    sed -i "s/vlnx000000/$workername/g" ~/ossec.conf
    
    # 替换配置文件
    rm -Rf /var/ossec/etc/ossec.conf
    mv ~/ossec.conf /var/ossec/etc/
    chown root:ossec /var/ossec/etc/ossec.conf
    
    # 更新自定义文件
    # rm -Rf /var/ossec/ruleset/rules/0015-ossec_rules.xml
    # mv ~/0015-ossec_rules.xml /var/ossec/ruleset/rules/
    # chown root:ossec /var/ossec/ruleset/rules/0015-ossec_rules.xml
    
    
    # Reset The Service
    systemctl restart wazuh-manager.service
    EOF
    
    chmod +x /opt/wazuh/cluster.sh
  8. 建立worker配置文件

    <vulnerability-detector>
      <enabled>no</enabled>
      <interval>5m</interval>
      <ignore_time>6h</ignore_time>
      <run_on_start>yes</run_on_start>
       
      <!-- Ubuntu OS vulnerabilities -->
      <provider name="canonical">
        <enabled>yes</enabled>
        <os url="http://192.168.79.60/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
        <update_interval>1d</update_interval>
      </provider>
       
      <!-- Debian OS vulnerabilities -->
      <provider name="debian">
        <enabled>no</enabled>
        <os>stretch</os>
        <os>buster</os>
        <update_interval>1d</update_interval>
      </provider>
       
      <!-- RedHat OS vulnerabilities -->
      <provider name="redhat">
        <enabled>yes</enabled>
        <os url="http://192.168.79.60/rhel-6-including-unpatched.oval.xml.bz2">6</os>
        <os url="http://192.168.79.60/rhel-7-including-unpatched.oval.xml.bz2">7</os>
        <os url="http://192.168.79.60/rhel-8-including-unpatched.oval.xml.bz2">8</os>
        <url start="1" end="25">http://192.168.79.60/redhat/redhat-feed[-].json</url>
        <update_interval>1d</update_interval>
      </provider>
       
      <!-- Windows OS vulnerabilities -->
      <provider name="msu">
        <enabled>yes</enabled>
        <url>http://192.168.79.60/msu-updates.json.gz</url>
        <update_interval>1d</update_interval>
      </provider>
       
      <!-- Aggregate vulnerabilities -->
      <provider name="nvd">
        <enabled>yes</enabled>
        <url start="2010" end="2021">http://192.168.79.60/nvd/nvd-feed[-].json.gz</url>
        <update_interval>1d</update_interval>
      </provider>
    </vulnerability-detector>
       
    <cluster>
      <name>wazuh</name>
      <node_name>vln000000</node_name>
      <node_type>worker</node_type>
      <key>d84691d111f86e70e8ed7eff80cde39e</key>
      <port>1516</port>
      <bind_addr>0.0.0.0</bind_addr>
      <nodes>
          <node>192.168.79.60</node>
      </nodes>
      <hidden>no</hidden>
      <disabled>no</disabled>
    </cluster>
    ……
    略  
  9. 使用Ansible触发更新

    # 每个Worker上创建目录
    ansible worker -a 'mkdir /opt/wazuh'
    # 复制脚本到worker上
    ansible worker -m copy -a "src=/opt/wazuh/cluster.sh dest=/opt/wazuh owner=root group=root mode=0744"
    # 每个worker执行脚本
    ansible worker -a '/bin/sh /opt/wazuh/cluster.sh'