oxeo0/selfhosting-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/selfhosting-blogposts.git synced 2025-05-16 12:16:59 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
selfhosting-blogposts/wazuh/index.md

351 lines
16 KiB
Markdown
Raw Permalink Blame History

---
search:
exclude: true
---
# wazuh Setup
![](0.png)
In this tutorial we're going to setup wazuh, an open source EDR:
## **Initial Setup**
For the minimum requirements, please check wazuh's [system requirements](https://documentation.wazuh.com/current/installation-guide/requirements.html) page for that:
[ 10.0.0.101/16 ] [ /dev/pts/0 ] [~]
→ ssh wazuh
The authenticity of host '10.0.0.180 (10.0.0.180)' can't be established.
ECDSA key fingerprint is SHA256:4UFX+pjoqh93S+OLKQo8/rfDX/Rs2S6TGu9VgG7EGtQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.180' (ECDSA) to the list of known hosts.
Linux wazuh 5.4.143-1-pve #1 SMP PVE 5.4.143-1 (Tue, 28 Sep 2021 09:10:37 +0200) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@wazuh:~# apt update -y ; apt upgrade -y ; apt autoremove -y
root@wazuh:~# apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg -y
root@wazuh:~# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
root@wazuh:~# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
root@wazuh:~# apt-get update
root@wazuh:~# apt-get install wazuh-manager
root@wazuh:~# systemctl daemon-reload
root@wazuh:~# systemctl enable wazuh-manager --now
root@wazuh:~# systemctl status wazuh-manager
* wazuh-manager.service - Wazuh manager
Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-04-07 16:18:04 UTC; 12s ago
Process: 1879 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
Tasks: 127 (limit: 7372)
Memory: 196.9M
CGroup: /system.slice/wazuh-manager.service
|-1933 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
|-1972 /var/ossec/bin/wazuh-authd
|-1988 /var/ossec/bin/wazuh-db
|-2011 /var/ossec/bin/wazuh-execd
|-2026 /var/ossec/bin/wazuh-analysisd
|-2087 /var/ossec/bin/wazuh-syscheckd
|-2103 /var/ossec/bin/wazuh-remoted
|-2142 /var/ossec/bin/wazuh-logcollector
|-2186 /var/ossec/bin/wazuh-monitord
`-2237 /var/ossec/bin/wazuh-modulesd
Apr 07 16:17:56 wazuh env[1879]: Started wazuh-execd...
Apr 07 16:17:56 wazuh env[1879]: 2022/04/07 16:17:56 wazuh-analysisd: ERROR: Could not set resource limit for file descriptors to 458752: Operation not permitted (1)
Apr 07 16:17:57 wazuh env[1879]: Started wazuh-analysisd...
Apr 07 16:17:58 wazuh env[1879]: Started wazuh-syscheckd...
Apr 07 16:17:59 wazuh env[1879]: Started wazuh-remoted...
Apr 07 16:18:00 wazuh env[1879]: Started wazuh-logcollector...
Apr 07 16:18:01 wazuh env[1879]: Started wazuh-monitord...
Apr 07 16:18:02 wazuh env[1879]: Started wazuh-modulesd...
Apr 07 16:18:04 wazuh env[1879]: Completed.
Apr 07 16:18:04 wazuh systemd[1]: Started Wazuh manager.
Now that's done we setup elasticsearch:
root@wazuh:~# apt install elasticsearch-oss opendistroforelasticsearch
moot@wazuh:~# curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml
root@wazuh:~# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml
root@wazuh:~# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml
root@wazuh:~# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml
root@wazuh:~# rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
root@wazuh:~# curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
root@wazuh:~# curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml
root@wazuh:~# bash ~/wazuh-cert-tool.sh
04/07/2022 18:42:41 INFO: Configuration file found. Creating certificates...
04/07/2022 18:42:41 INFO: Creating the Elasticsearch certificates...
04/07/2022 18:42:42 INFO: Creating Wazuh server certificates...
04/07/2022 18:42:42 INFO: Creating Kibana certificate...
04/07/2022 18:42:42 INFO: Certificates creation finished. They can be found in ~/certs.
root@wazuh:~# mkdir /etc/elasticsearch/certs/
root@wazuh:~# mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
root@wazuh:~# mv ~/certs/admin* /etc/elasticsearch/certs/
root@wazuh:~# cp ~/certs/root-ca* /etc/elasticsearch/certs/
root@wazuh:~# mkdir -p /etc/elasticsearch/jvm.options.d
root@wazuh:~# echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
root@wazuh:~# chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
root@wazuh:~# chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options
root@wazuh:~# systemctl daemon-reload
root@wazuh:~# systemctl enable elasticsearch --now
Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service -> /usr/lib/systemd/system/elasticsearch.service.
Then we run elasticsearch securityadmin to load the new certificates information and start the cluster:
root@wazuh:~# export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
Open Distro Security Admin v7
Will connect to localhost:9300
... done
Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US
Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.1.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update '_doc/config' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
SUCC: Configuration for 'audit' created or updated
Done with success
And then we check that the installation is successful:
root@wazuh:~# curl -XGET https://localhost:9200 -u admin:admin -k
{
"name" : "node-1",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "ZDjVBV2HSXKHuJLKlGaGiQ",
"version" : {
"number" : "7.10.2",
"build_flavor" : "oss",
"build_type" : "deb",
"build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
"build_date" : "2021-01-13T00:42:12.435326Z",
"build_snapshot" : false,
"lucene_version" : "8.7.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
Then we install filebeat:
root@wazuh:~# apt-get install filebeat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
filebeat
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 22.1 MB of archives.
After this operation, 73.6 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 filebeat amd64 7.10.2 [22.1 MB]
Fetched 22.1 MB in 8s (2905 kB/s)
Selecting previously unselected package filebeat.
(Reading database ... 42497 files and directories currently installed.)
Preparing to unpack .../filebeat_7.10.2_amd64.deb ...
Unpacking filebeat (7.10.2) ...
Setting up filebeat (7.10.2) ...
Processing triggers for systemd (241-7~deb10u8) ...
root@wazuh:~# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml
root@wazuh:~#
root@wazuh:~# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
root@wazuh:~# chmod go+r /etc/filebeat/wazuh-template.json
root@wazuh:~# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
wazuh/
wazuh/module.yml
wazuh/archives/
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/archives/manifest.yml
wazuh/alerts/
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
wazuh/alerts/manifest.yml
wazuh/_meta/
wazuh/_meta/config.yml
wazuh/_meta/fields.yml
wazuh/_meta/docs.asciidoc
root@wazuh:~# mkdir /etc/filebeat/certs
root@wazuh:~# cp ~/certs/root-ca.pem /etc/filebeat/certs/
root@wazuh:~# mv ~/certs/filebeat* /etc/filebeat/certs/
root@wazuh:~# systemctl daemon-reload
root@wazuh:~# systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service -> /lib/systemd/system/filebeat.service.
root@wazuh:~# systemctl start filebeat
Then we test filebeat:
root@wazuh:~# filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
Then we install kibana:
root@wazuh:~# apt-get install opendistroforelasticsearch-kibana
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
opendistroforelasticsearch-kibana
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 234 MB of archives.
After this operation, 692 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 opendistroforelasticsearch-kibana amd64 1.13.2 [234 MB]
Fetched 234 MB in 42s (5540 kB/s)
Selecting previously unselected package opendistroforelasticsearch-kibana.
(Reading database ... 42816 files and directories currently installed.)
Preparing to unpack .../opendistroforelasticsearch-kibana_1.13.2_amd64.deb ...
Unpacking opendistroforelasticsearch-kibana (1.13.2) ...
Setting up opendistroforelasticsearch-kibana (1.13.2) ...
chown: cannot access '/usr/share/kibana/optimize': No such file or directory
no optimize folder
Processing triggers for systemd (241-7~deb10u8) ...
root@wazuh:~# curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml
root@wazuh:~# mkdir /usr/share/kibana/data
root@wazuh:~# chown -R kibana:kibana /usr/share/kibana/data
root@wazuh:~# cd /usr/share/kibana
root@wazuh:/usr/share/kibana# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.6_7.10.2-1.zip
Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.6_7.10.2-1.zip
Transferring 33013640 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete
root@wazuh:/usr/share/kibana# mkdir /etc/kibana/certs
root@wazuh:/usr/share/kibana# cp ~/certs/root-ca.pem /etc/kibana/certs/
root@wazuh:/usr/share/kibana# mv ~/certs/kibana* /etc/kibana/certs/
root@wazuh:/usr/share/kibana# chown kibana:kibana /etc/kibana/certs/*
root@wazuh:/usr/share/kibana# setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
root@wazuh:/usr/share/kibana# systemctl daemon-reload
root@wazuh:/usr/share/kibana# systemctl enable kibana --now
Synchronizing state of kibana.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable kibana
Created symlink /etc/systemd/system/multi-user.target.wants/kibana.service -> /etc/systemd/system/kibana.service.
And from there we simply access the wazuh web interface at https://ip/ :
![](1.png)
change the admin password here:
![](2.png)
Now that's done we're going to install the wazuh agent where we need it, for this tutorial i'll install it on my local nextcloud server:
[ 10.0.0.10/16 ] [ /dev/pts/18 ] [Github/blog/servers]
→ ssh home
Last login: Thu Apr 7 18:09:18 2022 from 10.0.0.10
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[ 10.0.0.101/16 ] [ /dev/pts/2 ] [~]
→ curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
OK
[ 10.0.0.101/16 ] [ /dev/pts/2 ] [~]
→ echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb https://packages.wazuh.com/4.x/apt/ stable main
[ 10.0.0.101/16 ] [ /dev/pts/2 ] [~]
→ apt-get update
[ 10.0.0.101/16 ] [ /dev/pts/2 ] [~]
→ WAZUH_MANAGER="10.0.0.180" apt-get install wazuh-agent
[ 10.0.0.101/16 ] [ /dev/pts/2 ] [~]
→ systemctl daemon-reload
[ 10.0.0.101/16 ] [ /dev/pts/2 ] [~]
→ systemctl enable --now wazuh-agent
![](3.png)
Reference in a new issue View git blame Copy permalink