1. Install Docker and docker-compose
Install Docker
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum -y install docker-ce
Install docker-compose
curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
Alternatively:
Use the JumpServer offline package: run its install script, then delete the JumpServer images and containers, keeping only Docker and docker-compose.
2. Environment configuration
First, the official documentation recommends at least 6 GB of memory for the Docker host. The Wazuh indexer's memory consumption varies with the deployment and workload, so allocate the recommended memory for the full stack to work properly. For a Docker installation the host must be an amd64 system with kernel version 3.10 or later, and the Wazuh Docker deployment requires Docker Compose 1.29 or later.
The Wazuh indexer creates many memory-mapped areas, so the kernel must allow a process at least 262144 memory map areas. If max_map_count is not set on the host, the Wazuh indexer will not work properly. Configure it as follows:
# Disable SELinux (takes effect immediately, not persisted across reboots)
setenforce 0
# Raise vm.max_map_count on the running kernel (takes effect immediately)
sysctl -w vm.max_map_count=262144
# Persist the setting so it survives a reboot
echo "vm.max_map_count=262144" >> /etc/sysctl.conf && sysctl -p
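A preflight script for the host requirements above, added here as an example and not taken from the Wazuh project; it assumes a Linux host with /proc and either the `docker compose` plugin or a `docker-compose` binary on PATH.

```shell
#!/bin/sh
# Added example: check the Wazuh Docker host requirements listed above.
# Assumes a Linux host with /proc and a Compose binary on PATH.

# Returns 0 when dotted version $1 >= $2 (compares the first three numeric fields).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(echo "$1" | cut -d. -f"$i"); y=$(echo "$2" | cut -d. -f"$i")
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}        # drop suffixes such as "0-1160"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Each check prints 1 (ok) or 0 (not ok) for the value it is given.
mem_ok()       { [ "$1" -ge $((6 * 1024 * 1024)) ] && echo 1 || echo 0; }  # kB, 6 GB advised
map_count_ok() { [ "$1" -ge 262144 ] && echo 1 || echo 0; }               # vm.max_map_count
kernel_ok()    { version_ge "${1%%-*}" 3.10 && echo 1 || echo 0; }       # "3.10.0-1160.el7..." -> 3.10.0
compose_ok()   { version_ge "${1#v}" 1.29 && echo 1 || echo 0; }         # "v2.12.2" -> 2.12.2
arch_ok()      { [ "$1" = x86_64 ] && echo 1 || echo 0; }                 # amd64 only

# Gather live values and report every failing requirement; exit status 1 if any fails.
preflight() {
    rc=0
    mem=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    maps=$(cat /proc/sys/vm/max_map_count)
    kern=$(uname -r)
    arch=$(uname -m)
    comp=$(docker compose version --short 2>/dev/null \
        || docker-compose version --short 2>/dev/null || echo 0)
    [ "$(mem_ok "$mem")" = 1 ]        || { echo "WARN: MemTotal ${mem} kB is below the advised 6 GB"; rc=1; }
    [ "$(map_count_ok "$maps")" = 1 ] || { echo "FAIL: vm.max_map_count=$maps, need 262144"; rc=1; }
    [ "$(kernel_ok "$kern")" = 1 ]    || { echo "FAIL: kernel $kern is older than 3.10"; rc=1; }
    [ "$(arch_ok "$arch")" = 1 ]      || { echo "FAIL: architecture $arch is not amd64"; rc=1; }
    [ "$(compose_ok "$comp")" = 1 ]   || { echo "FAIL: Compose $comp is older than 1.29"; rc=1; }
    [ "$rc" -eq 0 ] && echo "host meets the Wazuh Docker requirements"
    return "$rc"
}

# Run the live checks only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight; fi
```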
Also install git and download the deployment project:
yum -y install git
cd /opt
# Requires access to GitHub; otherwise download the project archive from GitHub manually
git clone https://github.com/wazuh/wazuh-docker.git -b v4.8.1
# Recommended: download the project zip archive from GitHub with a browser on a Windows machine
Once the project is downloaded, upload wazuh-docker-4.8.1.zip to the /opt directory.
3. Download the images Wazuh needs to the local host
Because pulls from Docker Hub are restricted, you first need to download the images referenced in docker-compose.yml to the local host. You can edit /etc/docker/daemon.json and add a registry mirror address (unstable),
or use the docker_image_pusher project to push the images to an Alibaba Cloud registry first and then pull them from there. The required images are:
wazuh/wazuh-certs-generator:0.0.2
wazuh/wazuh-manager:4.8.1
wazuh/wazuh-indexer:4.8.1
wazuh/wazuh-dashboard:4.8.1
Method one: pull from the Alibaba Cloud container registry. Example commands:
# wazuh/wazuh-certs-generator:0.0.2
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-certs-generator:0.0.2 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-certs-generator:0.0.2 wazuh/wazuh-certs-generator:0.0.2 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-certs-generator:0.0.2
# wazuh/wazuh-manager:4.8.1 (tag it under the manager name, not the indexer name)
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-manager:4.8.1 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-manager:4.8.1 wazuh/wazuh-manager:4.8.1 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-manager:4.8.1
# wazuh/wazuh-indexer:4.8.1
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-indexer:4.8.1 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-indexer:4.8.1 wazuh/wazuh-indexer:4.8.1 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-indexer:4.8.1
# wazuh/wazuh-dashboard:4.8.1
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-dashboard:4.8.1 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-dashboard:4.8.1 wazuh/wazuh-dashboard:4.8.1 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-dashboard:4.8.1
Method two: import from local archives
cd /opt/images
# The image IDs below are the ones docker load reported for these archives ("Loaded image ID: sha256:..."); use the IDs printed for your own archives
docker load -i wazuh-certs-generator.tar && docker tag 60d428874d3a wazuh/wazuh-certs-generator:0.0.2
docker load -i wazuh-dashboard.tar && docker tag e4390291c3da wazuh/wazuh-dashboard:4.8.1
docker load -i wazuh-indexer.tar && docker tag d811dc2ddc13 wazuh/wazuh-indexer:4.8.1
docker load -i wazuh-manager.tar && docker tag b6cd33858983 wazuh/wazuh-manager:4.8.1
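The following script covers both methods above (mirror pull and tar import) and adds a verification pass that would have caught a mis-tagged image. It is an added example, not the page's or the Wazuh project's own code; the mirror prefix is the one used on this page and is assumed to be replaced with your own registry.

```shell
#!/bin/sh
# Added example (not from the Wazuh project): fetch the four images above either
# through the Alibaba Cloud mirror or from local tar archives, tag them under the
# names docker-compose.yml expects, and verify nothing was mis-tagged.
# The mirror prefix is the one used on this page; change it to your own registry.

WAZUH_IMAGES="wazuh/wazuh-certs-generator:0.0.2 wazuh/wazuh-manager:4.8.1 wazuh/wazuh-indexer:4.8.1 wazuh/wazuh-dashboard:4.8.1"
MIRROR_PREFIX="registry.cn-hangzhou.aliyuncs.com/theon-images"

# Derive the mirror reference from the upstream one, so name and tag can never drift apart.
mirror_ref() { echo "${MIRROR_PREFIX}/${1#wazuh/}"; }

# Method one: pull from the mirror, retag under the upstream name, drop the mirror tag.
mirror_pull() {
    src=$(mirror_ref "$1")
    docker pull "$src" && docker tag "$src" "$1" && docker rmi "$src"
}

# Extract the image ID that `docker load` reports for an archive saved without a repo tag.
parse_loaded_id() { sed -n 's/^Loaded image ID: sha256:\([0-9a-f]*\).*/\1/p'; }

# Method two: load a tar archive and tag the reported ID under the upstream name.
load_tar() {  # $1 = archive path, $2 = upstream reference
    id=$(docker load -i "$1" | parse_loaded_id)
    [ -n "$id" ] || { echo "no image ID reported for $1 (archive already carries a tag?)"; return 1; }
    docker tag "$id" "$2"
}

# Report any expected tag that is still missing locally; returns 1 if one is missing.
verify_images() {
    missing=0
    for img in $WAZUH_IMAGES; do
        docker image inspect "$img" >/dev/null 2>&1 || { echo "missing: $img"; missing=1; }
    done
    return "$missing"
}

# Usage (mirror route): for img in $WAZUH_IMAGES; do mirror_pull "$img"; done && verify_images
# Usage (tar route):    load_tar /opt/images/wazuh-manager.tar wazuh/wazuh-manager:4.8.1 && verify_images
```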
4. Install Wazuh with docker-compose
(Step 1) After the project is downloaded, unzip it; only the single-node project directory is needed.
# Install unzip if it is missing
# yum -y install unzip
# If the zip was downloaded on Windows, upload wazuh-docker-4.8.1.zip to /opt first
cd /opt
unzip wazuh-docker-4.8.1.zip
# An all-in-one install only needs the single-node directory of the project
mv wazuh-docker-4.8.1/single-node/ wazuh
cd wazuh
(Step 2) Change the Wazuh dashboard login password (the default username/password is admin/SecretPassword).
cd /opt/wazuh
## Generate the password hash
# After the container starts, type the new password at the interactive prompt and press Enter
docker run --rm -ti wazuh/wazuh-indexer:4.8.1 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
# Copy the generated hash, open config/wazuh_indexer/internal_users.yml and replace the hash in the block of the user whose password you are changing
vim config/wazuh_indexer/internal_users.yml
# The block to edit looks like this:
# admin user
...
admin:
  hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"
...
(Step 3) Generate the certificates Wazuh needs for internal communication.
cd /opt/wazuh
# The command below saves the certificates to the config/wazuh_indexer_ssl_certs directory
docker-compose -f generate-indexer-certs.yml run --rm generator
# If you use your own certificates, place them in config/wazuh_indexer_ssl_certs as follows:
## Wazuh indexer
# config/wazuh_indexer_ssl_certs/root-ca.pem
# config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem
# config/wazuh_indexer_ssl_certs/wazuh.indexer.pem
# config/wazuh_indexer_ssl_certs/admin.pem
# config/wazuh_indexer_ssl_certs/admin-key.pem
## Wazuh manager
# config/wazuh_indexer_ssl_certs/root-ca-manager.pem
# config/wazuh_indexer_ssl_certs/wazuh.manager.pem
# config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem
## Wazuh dashboard
# config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem
# config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem
# config/wazuh_indexer_ssl_certs/root-ca.pem
If the command above cannot run, you can use your own certificates with the following commands:
cd /opt
unzip wazuh_indexer_ssl_certs.zip
cp -ar /opt/wazuh_indexer_ssl_certs /opt/wazuh/config/wazuh_indexer_ssl_certs
chmod 777 /opt/wazuh/config/wazuh_indexer_ssl_certs/*
(Step 4) Start the Wazuh platform with the docker-compose.yml file.
cd /opt/wazuh
# The command below uses the docker-compose.yml in the current directory by default
docker-compose up -d
5. Log in to the Wazuh manager platform
After the containers start, check the port mapped by the wazuh-wazuh.dashboard-1 container (443 by default), then open https://ip in a browser on a Windows host in the same subnet to log in to the manager platform.
The username is admin
The password is the one you set in Step 2 of section 4
After login, Wazuh checks the configuration of the stack; note that the check may show the situation in the figure below.
Fix: this happens because the index does not exist yet; create it manually.
v4.8.1 is your current Wazuh version; it differs between versions.
curl https://raw.githubusercontent.com/wazuh/wazuh/v4.8.1/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u kibanaserver:kibanaserver -k
# Offline mode: download wazuh-template.json first, then upload it to /root/json (create the json directory if it does not exist)
cat /root/json/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u kibanaserver:kibanaserver -k
Once the command output matches the figure above, check the stack configuration again and it passes.
When the check passes you can see the Wazuh home page, as shown in the figure below.
6. Operating the Wazuh management platform
(Step 1) Create agent groups by operating system.
Add groups
(Step 2) Edit the detection policy of the Windows group
Its content is:
<agent_config>
<client_buffer>
<!-- Agent buffer options -->
<disabled>no</disabled>
<queue_size>5000</queue_size>
<events_per_second>500</events_per_second>
</client_buffer>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<!-- Default files to be monitored. -->
<directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
<directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
<directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
<directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
<directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
<directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>
<!-- 32-bit programs. -->
<directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
<directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
<directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
<directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
<directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>
<directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
<ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>
<!-- Frequency for ACL checking (seconds) -->
<windows_audit_interval>60</windows_audit_interval>
<!-- Nice value for Syscheck module -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<!-- CIS policies evaluation -->
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>\\server\jre\bin\java.exe</java_path>
<ciscat_path>C:\cis-cat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<bin_path>C:\Program Files\osquery\osqueryd</bin_path>
<log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
<config_path>C:\Program Files\osquery\osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- Active response -->
<active-response>
<disabled>no</disabled>
<ca_store>wpk_root.pem</ca_store>
<ca_verification>yes</ca_verification>
</active-response>
<!-- Log analysis -->
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>Windows PowerShell</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>Microsoft-Windows-CodeIntegrity/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>Microsoft-Windows-TaskScheduler/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>Microsoft-Windows-PowerShell/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
</agent_config>
(Step 3) Edit the detection policy of the Linux group
Its content is:
<agent_config>
<client_buffer>
<!-- Agent buffer options -->
<disabled>no</disabled>
<queue_size>5000</queue_size>
<events_per_second>500</events_per_second>
</client_buffer>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<content type="xccdf" path="ssg-debian-8-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
<content type="oval" path="cve-debian-oval.xml"/>
</wodle>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<response_timeout>30</response_timeout>
<queue_size>16384</queue_size>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Log analysis -->
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 5</command>
<frequency>360</frequency>
</localfile>
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<wodle name="syscollector">
<disabled>no</disabled>
<interval>24h</interval>
<scan_on_start>yes</scan_on_start>
<packages>yes</packages>
<os>yes</os>
<hotfixes>yes</hotfixes>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
</agent_config>
(Step 4) After the changes, restart the wazuh-manager service with the following commands:
cd /opt/wazuh
docker-compose restart wazuh.manager
(Step 5) Advanced Wazuh server rules. The Wazuh server allows custom detection rules; the SOCFortress Team has open-sourced a matching rule set on GitHub that improves detection coverage. Project address: https://github.com/socfortress/Wazuh-Rules
Download the project archive Wazuh-Rules-main.zip, upload it to /root/rules and unzip it (create the rules directory if it does not exist).
cd /opt/wazuh
mkdir -p /var/tmp/rules/
cp /root/rules/Wazuh-Rules-main/*/*.xml /var/tmp/rules/
docker-compose cp /var/tmp/rules wazuh.manager:/var/ossec/etc
rm -f /var/tmp/rules/*
Change the ownership and permissions of the rule files
docker-compose exec -it wazuh.manager /bin/bash -c "chown wazuh:wazuh -R /var/ossec/etc/rules"
docker-compose exec -it wazuh.manager /bin/bash -c "chmod 660 -R /var/ossec/etc/rules"
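A staging script for the rule import above, added here as an example (it is not part of the SOCFortress project or of Wazuh): it checks the unpacked rule files for duplicate rule IDs, which make the manager reject the whole set, and for IDs outside the custom range 100000-120000 that Wazuh reserves for user rules, before copying them into the container. The directory path and the `docker-compose` service name follow this page.

```shell
#!/bin/sh
# Added example (not from the SOCFortress project or Wazuh): sanity-check a
# directory of custom rule files before copying them into the manager. Wazuh
# reserves rule IDs 100000-120000 for custom rules, and a rule ID defined twice
# makes the manager reject the rule set, so both problems are reported here first.

# Print every rule ID found in the *.xml files of directory $1, one per line.
rule_ids() { sed -n 's/.*<rule[^>]* id="\([0-9][0-9]*\)".*/\1/p' "$1"/*.xml; }

# IDs that occur more than once across all files (empty output means none).
duplicate_rule_ids() { rule_ids "$1" | sort | uniq -d; }

# IDs outside the custom range 100000-120000 (empty output means none). Such IDs
# are only legitimate when the rule overrides a built-in one with overwrite="yes".
out_of_range_ids() {
    rule_ids "$1" | awk '$1 < 100000 || $1 > 120000' | sort -u
}

# Stage the rules the way the page does, but refuse to ship a set with duplicate IDs.
stage_rules() {  # $1 = unpacked archive, e.g. /root/rules/Wazuh-Rules-main
    tmp=/var/tmp/rules
    mkdir -p "$tmp" && cp "$1"/*/*.xml "$tmp"/
    dups=$(duplicate_rule_ids "$tmp")
    if [ -n "$dups" ]; then
        echo "duplicate rule IDs, not deploying:"; echo "$dups"; return 1
    fi
    bad=$(out_of_range_ids "$tmp")
    [ -z "$bad" ] || { echo "WARN: IDs outside 100000-120000 (check they are overwrites):"; echo "$bad"; }
    docker-compose cp "$tmp" wazuh.manager:/var/ossec/etc \
        && docker-compose exec -T wazuh.manager chown -R wazuh:wazuh /var/ossec/etc/rules
    rm -f "$tmp"/*
}

# Usage: cd /opt/wazuh && stage_rules /root/rules/Wazuh-Rules-main && docker-compose restart wazuh.manager
```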
7. Agent installation
Linux host installation
We install the agent on the CentOS 7 host that runs Wazuh, choosing Linux RPM amd64 (this differs per operating system; Ubuntu/Debian use DEB amd64). The Server address is the address of the server where Wazuh is installed, and the group is the Linux group. The parameters are configured as shown in the figure below.
Once the parameters are filled in, step 4 of the deployment wizard shows the command to run; downloading the agent requires internet access.
Online mode
curl -o wazuh-agent-4.8.1-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.8.1-1.x86_64.rpm && sudo WAZUH_MANAGER='192.168.239.140' WAZUH_AGENT_GROUP='Linux' rpm -ihv wazuh-agent-4.8.1-1.x86_64.rpm
Offline mode: download wazuh-agent-4.8.1-1.x86_64.rpm first and upload it to /root/rpm (create the rpm directory if it does not exist).
cd /root/rpm
sudo WAZUH_MANAGER='192.168.239.140' WAZUH_AGENT_GROUP='Linux' rpm -ihv wazuh-agent-4.8.1-1.x86_64.rpm
# Start the agent
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
Once the agent starts you will see its information in the Wazuh console, as shown in the figure below.
Supplement
Supplement: removing the project
How to remove the Wazuh project when it is no longer needed
(Step 1) Stop and remove the Docker containers; reference command:
cd /opt/wazuh
docker-compose down
(Step 2) Delete the containers' local storage volumes. Our earlier configuration, files and so on are persisted locally; they can be inspected with the following commands.
Check Docker disk usage
docker system df
List Docker's local volumes
docker volume ls
Delete Docker's local volumes. After this, all previous Wazuh platform configuration is wiped; note that the command removes every volume on the host, not only those belonging to Wazuh.
docker volume ls | grep -v VOLUME | awk '{print $2}' | xargs docker volume rm
Other commands
# docker builder prune   # clear the builder cache