Wazuh deployment walkthrough

2024-08-16 15:51:16

1. Install docker and docker-compose

Install docker

wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum -y install docker-ce

Install docker-compose

curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

Or

Use the JumpServer offline package: run its install script, then delete the jumpserver images and containers and keep only docker and docker-compose.

2. Environment configuration

First, Wazuh officially recommends that the Docker host have at least 6 GB of memory. The Wazuh indexer's memory consumption varies with the deployment and workload, so allocate the recommended memory for the full stack to work correctly. For a Docker install the host must be an amd64 system with kernel version 3.10 or later, and the Wazuh Docker deployment requires Docker Compose 1.29 or later.

The Wazuh indexer creates many memory-mapped areas, so the kernel must allow the process at least 262144 memory map areas. If max_map_count is not set on the host, the Wazuh indexer will not work correctly. Configure it as follows:

# Disable SELinux for the current boot (takes effect immediately, not persistent)
setenforce 0
# Apply the map count at runtime
sysctl -w vm.max_map_count=262144
# Persist it across reboots
echo "vm.max_map_count=262144" >> /etc/sysctl.conf && sysctl -p

Also install git and download the deployment project:

yum -y install git
cd /opt
# Requires access to github; otherwise download the project zip from github manually
git clone https://github.com/wazuh/wazuh-docker.git -b v4.8.1   # alternatively download the github project zip with a browser on Windows

Once the project is downloaded, upload wazuh-docker-4.8.1.zip to the /opt directory.

3. Download the images Wazuh needs to the local host

Because of the restrictions on reaching Docker Hub from overseas, you need to pull the images referenced in docker-compose.yml to the local host first. You can edit /etc/docker/daemon.json and add a registry mirror address (unstable).

Alternatively, use the docker_image_pusher project to push the images to an Alibaba Cloud registry first and then pull them from that registry. The required images are:

wazuh/wazuh-certs-generator:0.0.2
wazuh/wazuh-manager:4.8.1
wazuh/wazuh-indexer:4.8.1
wazuh/wazuh-dashboard:4.8.1

Method one: pull from an Alibaba Cloud container registry; example commands

# wazuh/wazuh-certs-generator:0.0.2
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-certs-generator:0.0.2 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-certs-generator:0.0.2 wazuh/wazuh-certs-generator:0.0.2 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-certs-generator:0.0.2

# wazuh/wazuh-manager:4.8.1 (tag it as wazuh-manager; tagging it as wazuh-indexer leaves the manager image missing)
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-manager:4.8.1 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-manager:4.8.1 wazuh/wazuh-manager:4.8.1 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-manager:4.8.1

# wazuh/wazuh-indexer:4.8.1
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-indexer:4.8.1 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-indexer:4.8.1 wazuh/wazuh-indexer:4.8.1 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-indexer:4.8.1

# wazuh/wazuh-dashboard:4.8.1
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-dashboard:4.8.1 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-dashboard:4.8.1 wazuh/wazuh-dashboard:4.8.1 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-dashboard:4.8.1

Method two: load from local image archives

cd /opt/images
docker load -i wazuh-certs-generator.tar && docker tag 60d428874d3a wazuh/wazuh-certs-generator:0.0.2
docker load -i wazuh-dashboard.tar && docker tag e4390291c3da wazuh/wazuh-dashboard:4.8.1
docker load -i wazuh-indexer.tar && docker tag d811dc2ddc13 wazuh/wazuh-indexer:4.8.1
docker load -i wazuh-manager.tar && docker tag b6cd33858983 wazuh/wazuh-manager:4.8.1
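Whichever method you use, a wrong `docker tag` (for example tagging the manager archive as wazuh-indexer) only shows up when `docker-compose up` fails to find an image. The following pre-flight check is an added example, not code from this post or from the Wazuh project: it extracts the `image:` references from the compose files and compares them with the local image list. The compose snippets and the `docker image ls` output are constructed samples; on a real host feed it the actual files and the output of `docker image ls --format '{{.Repository}}:{{.Tag}}'`.

```python
import re

# Constructed sample of the image references in the single-node docker-compose.yml
COMPOSE_YML = """services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.8.1
  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.8.1
  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.8.1
"""
# Constructed sample of generate-indexer-certs.yml
CERTS_YML = """services:
  generator:
    image: wazuh/wazuh-certs-generator:0.0.2
"""
# Constructed output of: docker image ls --format '{{.Repository}}:{{.Tag}}'
# The manager was pulled from the mirror but never re-tagged under wazuh/.
LOCAL_IMAGES = """wazuh/wazuh-certs-generator:0.0.2
wazuh/wazuh-indexer:4.8.1
wazuh/wazuh-dashboard:4.8.1
registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-manager:4.8.1
"""

# Matches "image: repo/name:tag" lines, with or without quotes
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


def compose_images(*compose_texts):
    """Every image reference in the given compose files, in order, without duplicates."""
    seen = []
    for text in compose_texts:
        for ref in IMAGE_RE.findall(text):
            if ref not in seen:
                seen.append(ref)
    return seen


def local_images(listing):
    """Set of repo:tag strings present on the host."""
    return {line.strip() for line in listing.splitlines() if line.strip()}


def missing_images(compose_texts, listing):
    """Images the compose files need that are absent under that exact repo:tag."""
    have = local_images(listing)
    return [ref for ref in compose_images(*compose_texts) if ref not in have]


def suggest_retag(ref, listing):
    """If the same name:tag exists under a mirror path, return the docker tag command that fixes it."""
    name = ref.rsplit("/", 1)[-1]  # e.g. wazuh-manager:4.8.1
    for have in sorted(local_images(listing)):
        if have != ref and have.endswith("/" + name):
            return f"docker tag {have} {ref}"
    return None


if __name__ == "__main__":
    for ref in missing_images([COMPOSE_YML, CERTS_YML], LOCAL_IMAGES):
        print(f"missing: {ref}", suggest_retag(ref, LOCAL_IMAGES) or "")
```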

4. Install Wazuh with docker-compose

Step 1) After downloading the project, unzip it; the single-node project directory is all you need.

# Install unzip if it is missing
# yum -y install unzip
# If the zip was downloaded on Windows, upload wazuh-docker-4.8.1.zip to /opt first
cd /opt
unzip wazuh-docker-4.8.1.zip
# The all-in-one install only needs the single-node directory of the project
mv wazuh-docker-4.8.1/single-node/ wazuh
cd wazuh

Step 2) Change the Wazuh dashboard login password (the default username/password is admin/SecretPassword)

cd /opt/wazuh
## Generate the password hash
# After the container starts, type the new password at the interactive prompt and press Enter
docker run --rm -ti wazuh/wazuh-indexer:4.8.1 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
# Copy the generated hash, open config/wazuh_indexer/internal_users.yml, find the block of the user whose password you are changing and replace its hash
vim config/wazuh_indexer/internal_users.yml
# The block to replace looks like this:
# admin user
...
admin:
  hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"
...

Step 3) Generate the certificates Wazuh needs for its internal communication

cd /opt/wazuh
# The command below saves the certificates to the config/wazuh_indexer_ssl_certs directory.
docker-compose -f generate-indexer-certs.yml run --rm generator

# If you use your own certificates, place them in config/wazuh_indexer_ssl_certs as follows
## Wazuh indexer
# config/wazuh_indexer_ssl_certs/root-ca.pem
# config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem
# config/wazuh_indexer_ssl_certs/wazuh.indexer.pem
# config/wazuh_indexer_ssl_certs/admin.pem
# config/wazuh_indexer_ssl_certs/admin-key.pem
## Wazuh manager
# config/wazuh_indexer_ssl_certs/root-ca-manager.pem
# config/wazuh_indexer_ssl_certs/wazuh.manager.pem
# config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem
## Wazuh dashboard
# config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem
# config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem
# config/wazuh_indexer_ssl_certs/root-ca.pem



If the command above cannot run, you can use your own certificates with the following commands:

cd /opt
unzip wazuh_indexer_ssl_certs.zip
cp -ar /opt/wazuh_indexer_ssl_certs /opt/wazuh/config/wazuh_indexer_ssl_certs
# Note: 777 also makes the private keys readable by every local user on the host
chmod 777 /opt/wazuh/config/wazuh_indexer_ssl_certs/*

Step 4) Start the Wazuh platform from the docker-compose.yml file

cd /opt/wazuh
# The command below looks for docker-compose.yml in the current directory by default
docker-compose up -d

5. Log in to the Wazuh manager platform

After the containers start, check the port mapped by the wazuh-wazuh.dashboard-1 container (443 by default), then open https://ip in a browser on a Windows host in the same network segment to log in to the manager platform.

The username is admin

The password is the one you set in step 2 of section 4

After logging in, Wazuh checks the architecture configuration; note that the check may show the situation in the figure below.

Fix: this happens because the index template does not exist yet; create it manually.

v4.8.1 is your current Wazuh version; it differs for other versions.

curl https://raw.githubusercontent.com/wazuh/wazuh/v4.8.1/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u kibanaserver:kibanaserver -k

# Offline mode: download wazuh-template.json first, then upload it to /root/json (create the json directory if it does not exist)
cat /root/json/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u kibanaserver:kibanaserver -k

Once the result looks like the figure above, check the architecture configuration again and it passes.

When the check passes, you see the Wazuh home page, as in the figure below.

6. Operating the Wazuh management platform

Step 1) Create groups by operating system

Add a group

Step 2) Edit the detection policy of the Windows group

The content is:

<agent_config>
  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>
    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
    <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

    <!-- 32-bit programs. -->
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
    <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>
    <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

    <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

    <!-- Frequency for ACL checking (seconds) -->
    <windows_audit_interval>60</windows_audit_interval>

    <!-- Nice value for Syscheck module -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <!-- CIS policies evaluation -->
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <java_path>\\server\jre\bin\java.exe</java_path>
    <ciscat_path>C:\cis-cat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
    <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\Program Files\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Log analysis -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Windows PowerShell</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-CodeIntegrity/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-TaskScheduler/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-PowerShell/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>

Step 3) Edit the detection policy of the Linux group

The content is:

<agent_config>
  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="open-scap">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="xccdf" path="ssg-debian-8-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="oval" path="cve-debian-oval.xml"/>
  </wodle>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>
    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <response_timeout>30</response_timeout>
      <queue_size>16384</queue_size>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
    <frequency>360</frequency>
  </localfile>

  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>24h</interval>
    <scan_on_start>yes</scan_on_start>
    <packages>yes</packages>
    <os>yes</os>
    <hotfixes>yes</hotfixes>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>
</agent_config>
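A group policy is saved through the dashboard as agent.conf, and a tag left unclosed while editing the Windows or Linux policy above breaks every agent in the group. The check below is an added example, not code from this post or from Wazuh: it parses an agent.conf with Python's standard library, rejects anything that is not well-formed XML with an <agent_config> root, and summarises what the policy actually enables (FIM directories, realtime entries, registry keys, modules, event channels). The embedded policy is a constructed, trimmed-down mix of the two policies above, not either file in full.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed-down agent.conf mixing elements of the
# Windows and Linux group policies above (not either file in full).
SAMPLE_AGENT_CONF = """<agent_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
    <directories realtime="yes">%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup</directories>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</windows_registry>
  </syscheck>
  <wodle name="syscollector"><disabled>no</disabled><interval>1h</interval></wodle>
  <wodle name="osquery"><disabled>yes</disabled><run_daemon>yes</run_daemon></wodle>
  <localfile><location>Microsoft-Windows-Sysmon/Operational</location><log_format>eventchannel</log_format></localfile>
  <localfile><location>/var/log/auth.log</location><log_format>syslog</log_format></localfile>
</agent_config>
"""


def parse_agent_conf(text):
    """Parse an agent.conf; raise ValueError unless it is well-formed XML rooted at <agent_config>."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"agent.conf is not well-formed XML: {exc}") from exc
    if root.tag != "agent_config":
        raise ValueError(f"expected <agent_config> as the root element, got <{root.tag}>")
    return root


def summarize(root):
    """Describe what the policy actually turns on, as a plain dict."""
    syscheck = root.find("syscheck")
    fim_enabled = syscheck is not None and syscheck.findtext("disabled", "no").strip() == "no"
    dirs = [] if syscheck is None else syscheck.findall("directories")
    return {
        "fim_enabled": fim_enabled,
        "directories": [d.text for d in dirs],
        "realtime_dirs": [d.text for d in dirs if d.get("realtime") == "yes"],
        "registry_keys": [] if syscheck is None else [r.text for r in syscheck.findall("windows_registry")],
        # wodle name -> enabled (a missing <disabled> element means enabled)
        "modules": {w.get("name"): w.findtext("disabled", "no").strip() == "no" for w in root.findall("wodle")},
        "event_channels": [lf.findtext("location") for lf in root.findall("localfile")
                           if lf.findtext("log_format") == "eventchannel"],
    }


def lint(root):
    """Findings worth a look before the policy is pushed to a group."""
    findings = []
    info = summarize(root)
    if not info["fim_enabled"]:
        findings.append("syscheck is disabled: no file integrity monitoring")
    elif not info["directories"]:
        findings.append("syscheck is enabled but lists no <directories>")
    for lf in root.findall("localfile"):
        if lf.find("location") is None or lf.find("log_format") is None:
            findings.append("<localfile> without <location> or <log_format>")
    for name, enabled in info["modules"].items():
        if not enabled:
            findings.append(f"wodle '{name}' is disabled")
    return findings
```

Run it against the real file with `parse_agent_conf(open("agent.conf").read())` before saving the group configuration.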

Step 4) After the changes, restart the wazuh-manager service with:

cd /opt/wazuh
docker-compose restart wazuh.manager

Step 5) Advanced rules for the Wazuh server. The Wazuh server allows custom detection rules; the SOCFortress team open-sources a matching rule set on GitHub that improves detection. Project address: https://github.com/socfortress/Wazuh-Rules

Download the project file Wazuh-Rules-main.zip, upload it to /root/rules and unzip it (create the rules directory if it does not exist).

cd /opt/wazuh
mkdir -p /var/tmp/rules/
cp /root/rules/Wazuh-Rules-main/*/*.xml /var/tmp/rules/
docker-compose cp /var/tmp/rules wazuh.manager:/var/ossec/etc
rm -f /var/tmp/rules/*

Change the owner and permissions of the rule files

docker-compose exec -it wazuh.manager /bin/bash -c "chown wazuh:wazuh -R /var/ossec/etc/rules"
docker-compose exec -it wazuh.manager /bin/bash -c "chmod 660 -R /var/ossec/etc/rules"

7. Agent installation

Linux host installation

We install the agent on the CentOS 7 host that runs Wazuh, choosing Linux RPM amd64 (this differs by operating system; ubuntu/debian use DEB amd64). The Server address is the address of the server where Wazuh is installed, and the group is the linux group; the parameters are as shown below.

After filling in the parameters, part 4 of the wizard shows the command to run; downloading the agent requires internet access.

Online mode

curl -o wazuh-agent-4.8.1-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.8.1-1.x86_64.rpm && sudo WAZUH_MANAGER='192.168.239.140' WAZUH_AGENT_GROUP='Linux' rpm -ihv wazuh-agent-4.8.1-1.x86_64.rpm

Offline mode: download wazuh-agent-4.8.1-1.x86_64.rpm first, then upload it to /root/rpm (create the rpm directory if it does not exist).

cd /root/rpm
sudo WAZUH_MANAGER='192.168.239.140' WAZUH_AGENT_GROUP='Linux' rpm -ihv wazuh-agent-4.8.1-1.x86_64.rpm
# Start the agent
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent

Once the agent starts, you will see the agent's information in the Wazuh console, as shown below.

Appendix: removing the deployment

How to remove the Wazuh deployment when it is no longer needed

Step 1) Stop and remove the docker containers; reference command

cd /opt/wazuh
docker-compose down

Step 2) Remove the containers' local volumes. The configuration and files created so far are stored persistently on the local host and can be inspected with the following commands.

Check Docker's disk usage

docker system df

List Docker's local volumes

docker volume ls

Remove Docker's local volumes; afterwards all of the previous Wazuh platform configuration is gone. Note that this command removes every volume on the host, not only Wazuh's.

docker volume ls | grep -v VOLUME | awk '{print $2}' | xargs docker volume rm

Other commands

# docker builder prune   # clear the builder cache
