株式会社ヴァンデミックシステム

Blog


Wazuh is an open-source security platform. It collects logs from operating systems and from cloud providers. Events are stored in the Wazuh indexer, which is built on OpenSearch rather than Elasticsearch (OpenSearch forked from Elasticsearch 7.10.2, which is why the cluster test below reports version 7.10.2 with an OpenSearch tagline), and an agent is installed on each monitored host. Wazuh offers both a quick assisted installer and a step-by-step manual installation. Since I was setting it up anyway, I went with the manual installation.

Setup

  • Ubuntu 22.04
  • Wazuh 4.5
  • Agent: Windows Server 2022

Indexer

https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html

sudo su -

Creating the certificates

curl -sO https://packages.wazuh.com/4.5/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.5/config.yml

Edit config.yml

This is an all-in-one deployment, so every node gets the same IP.

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: 192.168.50.130
    #- name: node-2
    #  ip: <indexer-node-ip>
    #- name: node-3
    #  ip: <indexer-node-ip>

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: 192.168.50.130
    #  node_type: master
    #- name: wazuh-2
    #  ip: <wazuh-manager-ip>
    #  node_type: worker
    #- name: wazuh-3
    #  ip: <wazuh-manager-ip>
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: 192.168.50.130

Generate the certificates

bash ./wazuh-certs-tool.sh -A

The tool writes the certificates into ./wazuh-certificates/. Every later step extracts from wazuh-certificates.tar, so pack that directory into the archive before moving on (tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . followed by rm -rf ./wazuh-certificates); otherwise the tar -xf commands below fail because the archive does not exist.

Installation

apt-get install debconf adduser procps

apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

apt-get -y install wazuh-indexer

Edit /etc/wazuh-indexer/opensearch.yml

Only discovery.seed_hosts needs changing here: the packaged default already uses node-1 for node.name, cluster.initial_master_nodes and plugins.security.nodes_dn, which matches the indexer name in config.yml. If you chose a different node name, change those keys as well, since the security plugin only accepts node certificates whose DN is listed in nodes_dn.

discovery.seed_hosts:
  - "192.168.50.130"

Certificate setup

NODE_NAME=node-1

mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Start the service

systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer

Initialize the cluster

/usr/share/wazuh-indexer/bin/indexer-security-init.sh

If the output ends with Done with success, the security configuration has been loaded into the cluster.

Cluster test

The -k flag skips certificate verification, which is acceptable for this first check against a fresh node; with the root CA at hand, --cacert /etc/wazuh-indexer/certs/root-ca.pem verifies the chain instead. admin:admin is still the default password at this point and is changed later.

curl -k -u admin:admin https://192.168.50.130:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "buIP34ygQf2O-tGy-dyc1Q",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "7203a5af21a8a009aece1474446b437a3c674db6",
    "build_date" : "2023-02-24T18:57:04.388618985Z",
    "build_snapshot" : false,
    "lucene_version" : "9.5.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Server

https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html


apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

apt-get -y install wazuh-manager

Start the service

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl status wazuh-manager

Install Filebeat (the lightweight log shipper from the Elastic stack; here it forwards the Wazuh alerts to the indexer)

apt-get -y install filebeat
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.5/tpl/wazuh/filebeat/filebeat.yml

Edit /etc/filebeat/filebeat.yml

# hosts must point at the indexer IP configured above
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["192.168.50.130:9200"]

Create the Filebeat keystore

filebeat keystore create

Store the indexer credentials (still the default admin:admin at this stage; the keystore must be updated once the passwords are changed)

echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force

Download the alerts template

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.5/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh module for Filebeat

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module

Certificate setup

Use the Wazuh server node name from config.yml (wazuh-1 here), not the indexer's node-1. Extracting node-1.pem only works by accident on this all-in-one host because every certificate carries the same IP, and the server would be presenting the indexer's certificate.

NODE_NAME=wazuh-1

mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

Start Filebeat

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

Test command

filebeat test output

If every line reports OK as below, Filebeat can reach the indexer over TLS with a verified certificate chain

parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.50.130
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Dashboard

Installation

apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later

apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

apt-get -y install wazuh-dashboard

Edit /etc/wazuh-dashboard/opensearch_dashboards.yml

opensearch.hosts: https://192.168.50.130:9200

Certificate setup

Use the dashboard node name from config.yml (dashboard here).

NODE_NAME=dashboard

mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
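The Indexer, Filebeat and Dashboard sections above each run the same extract, rename, chmod and chown sequence by hand, differing only in node name, destination, file prefix and owner. The script below is an added example, not code from the post or from Wazuh, that folds the sequence into one function and adds the check a practitioner wants: it refuses to run when the archive does not contain the requested node's certificate pair, which is exactly the mistake of reusing node-1 for every role. The demo builds a constructed tarball with dummy PEM text in a temp directory; the paths, the dummy contents, the has_mode helper and the function names are assumptions for the demo, and the owner is the current user so it runs without root.

```sh
#!/bin/sh
# Added example (not from the Wazuh docs or the post): one function for the
# certificate step that the Indexer, Filebeat and Dashboard sections repeat.
#   install_certs TARBALL NODE_NAME DEST_DIR PREFIX OWNER [EXTRA_MEMBER...]
# Archive members must carry a leading "./", as they do when the output of
# wazuh-certs-tool.sh is packed with "tar -cf ... -C ./wazuh-certificates/ .".
set -u

install_certs() {
    tarball=$1 node=$2 dest=$3 prefix=$4 owner=$5
    shift 5
    # Fail before touching the destination if this node's pair is not in the
    # archive. Extracting the wrong node's pem (node-1 for every role) only
    # "works" on an all-in-one host because every cert shares the same IP SAN.
    tar -tf "$tarball" "./$node.pem" "./$node-key.pem" ./root-ca.pem >/dev/null || return 1
    mkdir -p "$dest"
    tar -xf "$tarball" -C "$dest" "./$node.pem" "./$node-key.pem" ./root-ca.pem "$@"
    # Rename to the fixed names the component's config expects
    # (indexer.pem, filebeat.pem, dashboard.pem); -n never overwrites.
    mv -n "$dest/$node.pem" "$dest/$prefix.pem"
    mv -n "$dest/$node-key.pem" "$dest/$prefix-key.pem"
    # Directory and key material readable by the service account only.
    chmod 500 "$dest"
    chmod 400 "$dest"/*
    chown -R "$owner" "$dest"
}

# has_mode PATH OCTAL: true when PATH has exactly the given permission bits
# (portable: avoids the GNU-only "stat -c %a").
has_mode() {
    [ -n "$(find "$(dirname "$1")" -name "$(basename "$1")" -perm "$2" -prune)" ]
}

# Constructed demo: a tarball shaped like wazuh-certificates.tar, holding dummy
# PEM text, installed for the three node names used in config.yml above.
# Owner is the current user so the demo runs without root; on a real host pass
# wazuh-indexer:wazuh-indexer, root:root and wazuh-dashboard:wazuh-dashboard.
demo() {
    work=$(mktemp -d)
    mkdir "$work/src"
    for n in root-ca admin node-1 wazuh-1 dashboard; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "dummy $n" '-----END CERTIFICATE-----' > "$work/src/$n.pem"
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' "dummy $n" '-----END PRIVATE KEY-----' > "$work/src/$n-key.pem"
    done
    tar -cf "$work/wazuh-certificates.tar" -C "$work/src" .
    me=$(id -un)
    install_certs "$work/wazuh-certificates.tar" node-1    "$work/etc/wazuh-indexer/certs"   indexer   "$me" ./admin.pem ./admin-key.pem
    install_certs "$work/wazuh-certificates.tar" wazuh-1   "$work/etc/filebeat/certs"        filebeat  "$me"
    install_certs "$work/wazuh-certificates.tar" dashboard "$work/etc/wazuh-dashboard/certs" dashboard "$me"
    echo "$work"
}

# Stand-alone run: "sh install_certs.sh demo" prints the temp root that now
# holds the three populated certs directories.
case "${1:-}" in demo) demo ;; esac
```

On a real host the three calls become `install_certs ./wazuh-certificates.tar node-1 /etc/wazuh-indexer/certs indexer wazuh-indexer:wazuh-indexer ./admin.pem ./admin-key.pem`, `... wazuh-1 /etc/filebeat/certs filebeat root:root` and `... dashboard /etc/wazuh-dashboard/certs dashboard wazuh-dashboard:wazuh-dashboard`; the node names are the ones declared in config.yml, and a typo there now fails loudly instead of silently installing another node's certificate.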

Start the service

systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard

Change the default passwords

wazuh-passwords-tool.sh regenerates the password of every indexer user and Wazuh API user and prints the new values. --admin-user and --admin-password are the current Wazuh API admin credentials (still the default wazuh/wazuh at this point) that the tool authenticates with to change the API users. Note the admin password in the output; it is the dashboard login.

/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh

14/10/2023 05:44:13 INFO: The password for user admin is Jc18LUZWgbTKWYK?uK59Miuyzc7.tf3V
14/10/2023 05:44:13 INFO: The password for user kibanaserver is WgK9PHCLKPQKnjWgb7KX39CYkqq9fzc?
14/10/2023 05:44:13 INFO: The password for user kibanaro is Ru*ApfF21qdd7kvAxXnsx+6eyy8wWdl*
14/10/2023 05:44:13 INFO: The password for user logstash is PgEdQGnbrz1QHDKt5*w1nulAXMDaIQXa
14/10/2023 05:44:13 INFO: The password for user readall is lu+sInkvqfAuelYoXi6AoN9ai8K*dg7S
14/10/2023 05:44:13 INFO: The password for user snapshotrestore is BAvDDgGD*IZsumLBNu*pkkuu919mR53c
14/10/2023 05:44:13 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
14/10/2023 05:44:14 INFO: The password for Wazuh API user wazuh is fMrrIhAeQB8P.WzlRwO.r37t0E3valM8
14/10/2023 05:44:15 INFO: The password for Wazuh API user wazuh-wui is 9zfqIWbf?BPaxexq7ROQ*ETa7CMSSn?Q
14/10/2023 05:44:15 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.

Two things follow from the WARNING and the last INFO line. Filebeat authenticates to the indexer with the admin credentials stored in its keystore earlier (admin:admin), so run filebeat test output again; if it no longer reaches the indexer, store the new admin password with filebeat keystore add password --stdin --force and restart filebeat. The dashboard's wazuh-wui password was updated by the tool, but wazuh-dashboard has to be restarted (systemctl restart wazuh-dashboard) before the change takes effect.
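The tool prints one line per account and warns that Filebeat and the dashboard must follow the new passwords. The script below is an added example, not part of the post or of Wazuh, that parses that output so the admin password can be pushed into the Filebeat keystore without retyping a 32-character string. The sample output is constructed with placeholder passwords (the function names tool_password and update_filebeat_password and the sample itself are assumptions), and it includes a line fused with the next entry, as in the captured output above, to show that the parser still picks the right value.

```sh
#!/bin/sh
# Added example (not part of the post or of Wazuh): read one account's new
# password out of wazuh-passwords-tool.sh output instead of copying it by hand.
#   tool_password USER  < output.txt     -> prints the password, exit 1 if absent
# Handles both line shapes the tool prints:
#   ... INFO: The password for user admin is <pw>
#   ... INFO: The password for Wazuh API user wazuh is <pw>
# and a line fused with the following log entry (as in the captured output
# above): the password never contains spaces, so the match stops at the first
# blank after it rather than taking the last field of the line.
tool_password() {
    awk -v u="$1" '
        BEGIN { re = "for (Wazuh API )?user " u " is [^ ]+" }
        match($0, re) {
            s = substr($0, RSTART, RLENGTH)
            sub(/.* is /, "", s)
            print s
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }'
}

# update_filebeat_password OUTPUT_FILE: Filebeat authenticates to the indexer
# with the admin account stored in its keystore, so after the tool changes that
# password the keystore must follow, then Filebeat is restarted and re-tested.
# Run as root on the Wazuh server node (hypothetical helper, not a Wazuh tool;
# the filebeat and systemctl commands are the ones used in the post).
update_filebeat_password() {
    pw=$(tool_password admin < "$1") || { echo "no admin password in $1" >&2; return 1; }
    printf '%s\n' "$pw" | filebeat keystore add password --stdin --force
    systemctl restart filebeat
    filebeat test output
}

# Constructed sample in the tool's format, with placeholder passwords (not the
# real ones printed above) and one fused line like the captured output had.
SAMPLE='14/10/2023 05:44:13 INFO: The password for user admin is Adm1n.Pl4ceh0lder*Value?Xy
14/10/2023 05:44:13 INFO: The password for user kibanaserver is K1bana+Pl4ceh0lder*Value
14/10/2023 05:44:13 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
14/10/2023 05:44:14 INFO: The password for Wazuh API user wazuh is Ap1.Pl4ceh0lder?Value          14/10/2023 05:44:15 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.'

# Stand-alone run: "sh tool_password.sh demo" prints the admin password (the
# dashboard login and the Filebeat keystore value) and the wazuh API password.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE" | tool_password admin
    printf '%s\n' "$SAMPLE" | tool_password wazuh
fi
```

In practice you would tee the tool's output to a root-only file (umask 077) and run `update_filebeat_password that-file`; the file holds every new credential, so delete it once the keystore and the dashboard restart are done.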

Access the dashboard

admin/Jc18LUZWgbTKWYK?uK59Miuyzc7.tf3V

https://192.168.50.130

Agent installation

Follow the steps shown on the dashboard's Agents page to install the agent (Windows Server 2022 here).

Installation status

Discover shows that data is being collected.
