wazhuはOSSのセキュリティ基盤。
各OSやクラウドプロバイダからのログを収集する。
収集先はElasticSearchとなり、各OSにエージェントをインストールする形になる。
簡易的なインストーラとStep-by-stepの手動インストール方式がある。
せっかくなので手動インストール方式で試しました。
構成
- ubuntu22.04
- wazhu version4.5
- Agent:WindowsServer2022
Indexer
https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html
sudo su -証明書の作成
curl -sO https://packages.wazuh.com/4.5/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.5/config.ymlconfigを修正する
All-In-Oneで構成するため全部同じIPにする
nodes:
# Wazuh indexer nodes
indexer:
- name: node-1
ip: 192.168.50.130
#- name: node-2
# ip: <indexer-node-ip>
#- name: node-3
# ip: <indexer-node-ip>
# Wazuh server nodes
# If there is more than one Wazuh server
# node, each one must have a node_type
server:
- name: wazuh-1
ip: 192.168.50.130
# node_type: master
#- name: wazuh-2
# ip: <wazuh-manager-ip>
# node_type: worker
#- name: wazuh-3
# ip: <wazuh-manager-ip>
# node_type: worker
# Wazuh dashboard nodes
dashboard:
- name: dashboard
ip: 192.168.50.130証明書の準備
bash ./wazuh-certs-tool.sh -Aインストール
apt-get install debconf adduser procps
apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
apt-get -y install wazuh-indexer/etc/wazuh-indexer/opensearch.ymlを編集
discovery.seed_hosts:
- "192.168.50.130"証明書のセットアップ
NODE_NAME=node-1
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certsサービス再起動
systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexerクラスタ初期化
Done with successと出ればOK
/usr/share/wazuh-indexer/bin/indexer-security-init.shクラスタテスト
curl -k -u admin:admin https://192.168.50.130:9200{
"name" : "node-1",
"cluster_name" : "wazuh-cluster",
"cluster_uuid" : "buIP34ygQf2O-tGy-dyc1Q",
"version" : {
"number" : "7.10.2",
"build_type" : "rpm",
"build_hash" : "7203a5af21a8a009aece1474446b437a3c674db6",
"build_date" : "2023-02-24T18:57:04.388618985Z",
"build_snapshot" : false,
"lucene_version" : "9.5.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}Server
https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html
apt-get install gnupg apt-transport-https
apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
apt-get -y install wazuh-managerサービス再起動
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl status wazuh-managerfilebeat(elasticsearch専用軽量ログ収集サービス)インストール
apt-get -y install filebeat
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.5/tpl/wazuh/filebeat/filebeat.yml/etc/filebeat/filebeat.ymlを編集
# hostsに最初に指定したipを指定する
# Wazuh - Filebeat configuration file
output.elasticsearch:
hosts: ["192.168.50.130:9200"]filebeatkeystoreを生成
filebeat keystore createパスワード生成admin:admin
echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --forceアラートテンプレートのダウンロード
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.5/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.jsonwazuhモジュールダウンロード
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module証明書セットアップ
NODE_NAME=node-1
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certsサーバー再起動
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeatテストコマンド
filebeat test output以下のようにOKと出ればOK
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.50.130
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2dashboard
インストール
apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later
apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
apt-get -y install wazuh-dashboard/etc/wazuh-dashboard/opensearch_dashboards.ymlを編集
opensearch.hosts: https://192.168.50.130:9200証明書セットアップ
NODE_NAME=node-1
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certsサービス再起動
systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard出力の中にadminパスワードがあるのでメモする
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuhroot@wazhu:/home/yuta# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh
14/10/2023 05:44:13 INFO: The password for user admin is Jc18LUZWgbTKWYK?uK59Miuyzc7.tf3V
14/10/2023 05:44:13 INFO: The password for user kibanaserver is WgK9PHCLKPQKnjWgb7KX39CYkqq9fzc?
14/10/2023 05:44:13 INFO: The password for user kibanaro is Ru*ApfF21qdd7kvAxXnsx+6eyy8wWdl*
14/10/2023 05:44:13 INFO: The password for user logstash is PgEdQGnbrz1QHDKt5*w1nulAXMDaIQXa
14/10/2023 05:44:13 INFO: The password for user readall is lu+sInkvqfAuelYoXi6AoN9ai8K*dg7S
14/10/2023 05:44:13 INFO: The password for user snapshotrestore is BAvDDgGD*IZsumLBNu*pkkuu919mR53c
14/10/2023 05:44:13 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
14/10/2023 05:44:14 INFO: The password for Wazuh API user wazuh is fMrrIhAeQB8P.WzlRwO.r37t0E3valM8
14/10/2023 05:44:15 INFO: The password for Wazuh API user wazuh-wui is 9zfqIWbf?BPaxexq7ROQ*ETa7CMSSn?Q 14/10/2023 05:44:15 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.
(reverse-i-search)`curl': ^Crl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpgダッシュボードへアクセス
admin/Jc18LUZWgbTKWYK?uK59Miuyzc7.tf3V
https://192.168.50.130Agentインストール
Agentページの手順に従いインストールする
インストールの状況
Discoverを見るとデータ収集ができている
