
Wazuh Deployment Procedure

Original
Author: 曲奇小点点
Published 2024-08-16 15:51:16
This article is part of the column: Basic Project Deployment

1. Install Docker and docker-compose

Install Docker:

```shell
# Add the Aliyun mirror of the Docker CE yum repository, then install docker-ce
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum -y install docker-ce
```

Install docker-compose:

```shell
# Download the docker-compose v2.12.2 binary for this OS and architecture, then make it executable
curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
```

Alternatively, use the JumpServer offline package: run its install script, then delete the JumpServer images and containers and keep only Docker and docker-compose.

2. Environment configuration

First, the official documentation recommends at least 6 GB of memory on the Docker host. Memory consumption of the Wazuh indexer varies with the deployment and workload, so allocate the recommended amount for the full stack to work properly. For a Docker install you also need an amd64 system with kernel 3.10 or later, and the Wazuh Docker deployment requires Docker Compose 1.29 or later.

The Wazuh indexer creates many memory-mapped areas, so the kernel must allow the process at least 262144 memory map areas. If max_map_count is not set on the host, the Wazuh indexer will not work properly. Configure it as follows:

```shell
# Disable SELinux for the current boot (temporary)
setenforce 0

# Raise vm.max_map_count now (takes effect immediately, but is lost on reboot)
sysctl -w vm.max_map_count=262144

# Persist the setting in /etc/sysctl.conf and reload it
echo "vm.max_map_count=262144" >> /etc/sysctl.conf && sysctl -p
```

Also install git and download the deployment project:

```shell
yum -y install git
cd /opt

# Requires access to github.com; otherwise download the project archive from GitHub manually
git clone https://github.com/wazuh/wazuh-docker.git -b v4.8.1
# Alternative: download the project zip from GitHub in a browser on Windows
```

Once the project has been downloaded, upload wazuh-docker-4.8.1.zip to the /opt directory.

3. Download the images Wazuh needs to the local host

Because of the restrictions on reaching Docker Hub from overseas, you need to pull the images listed in docker-compose.yml to the local host first. You can edit /etc/docker/daemon.json and add a registry mirror address (unstable).

Alternatively, use the docker_image_pusher project to push the images to an Aliyun registry first, then pull them from that Aliyun registry. The images needed are:

- wazuh/wazuh-certs-generator:0.0.2
- wazuh/wazuh-manager:4.8.1
- wazuh/wazuh-indexer:4.8.1
- wazuh/wazuh-dashboard:4.8.1

Method one: pull from an Aliyun container registry. Example commands (each line pulls the mirror copy, re-tags it with the name docker-compose.yml expects, and removes the mirror tag):

```shell
# wazuh/wazuh-certs-generator:0.0.2
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-certs-generator:0.0.2 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-certs-generator:0.0.2 wazuh/wazuh-certs-generator:0.0.2 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-certs-generator:0.0.2

# wazuh/wazuh-manager:4.8.1
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-manager:4.8.1 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-manager:4.8.1 wazuh/wazuh-manager:4.8.1 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-manager:4.8.1

# wazuh/wazuh-indexer:4.8.1
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-indexer:4.8.1 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-indexer:4.8.1 wazuh/wazuh-indexer:4.8.1 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-indexer:4.8.1

# wazuh/wazuh-dashboard:4.8.1
docker pull registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-dashboard:4.8.1 && docker tag registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-dashboard:4.8.1 wazuh/wazuh-dashboard:4.8.1 && docker rmi registry.cn-hangzhou.aliyuncs.com/theon-images/wazuh-dashboard:4.8.1
```

Method two: import from local image archives

```shell
cd /opt/images

# Load each saved image and tag it by image ID with the name docker-compose.yml expects.
# The IDs below are those of the archives used in this post; take yours from the output of docker load.
docker load -i wazuh-certs-generator.tar && docker tag 60d428874d3a wazuh/wazuh-certs-generator:0.0.2
docker load -i wazuh-dashboard.tar && docker tag e4390291c3da wazuh/wazuh-dashboard:4.8.1
docker load -i wazuh-indexer.tar && docker tag d811dc2ddc13 wazuh/wazuh-indexer:4.8.1
docker load -i wazuh-manager.tar && docker tag b6cd33858983 wazuh/wazuh-manager:4.8.1
```

4. Install Wazuh with docker-compose

Step 1) After the project has been downloaded, unpack it; the single-node directory of the project is all that is needed.

```shell
# Install unzip if it is missing
# yum -y install unzip

# If the zip was downloaded on Windows, upload wazuh-docker-4.8.1.zip to /opt first
cd /opt
unzip wazuh-docker-4.8.1.zip

# An all-in-one install only needs the single-node directory of the project
mv wazuh-docker-4.8.1/single-node/ wazuh
cd wazuh
```

Step 2) Change the login password of the Wazuh dashboard (the default username/password is admin/SecretPassword).

```shell
cd /opt/wazuh

## Generate the password hash
# Once the container starts, type the new password at the interactive prompt and press Enter
docker run --rm -ti wazuh/wazuh-indexer:4.8.1 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

# Copy the generated hash, open config/wazuh_indexer/internal_users.yml, find the block of the
# user whose password you are changing and replace its hash
vim config/wazuh_indexer/internal_users.yml
```

The replaced block looks like this (admin user):

```yaml
...
admin:
  hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"
...
```
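The manual edit above is easy to get wrong on a file with several user blocks. The script below, an added example that is not code from the original post or from the Wazuh project, replaces only the `hash:` line inside the named user's block and rejects anything that is not a bcrypt hash of the shape hash.sh prints; it assumes the layout of the indexer's internal_users.yml (unindented user names, indented keys), and SAMPLE_YML is a constructed excerpt whose kibanaserver hash is a placeholder.

```python
"""Replace a user's bcrypt hash in the Wazuh indexer's internal_users.yml.

Added example, not code from the original post or from the Wazuh project.
The file is edited line by line, so no YAML library is needed and every other
key and user block is left untouched. SAMPLE_YML is a constructed excerpt:
the admin hash is the one shown in the post, the kibanaserver hash is a
placeholder of the right shape.
"""
import re
import sys

# Shape of the hashes printed by hash.sh: $2y$<cost>$ + 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

SAMPLE_YML = """---
_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

kibanaserver:
  hash: "$2y$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
  reserved: true
  description: "Demo kibanaserver user"
"""


def update_user_hash(yml_text: str, user: str, new_hash: str) -> str:
    """Return yml_text with the hash: line inside `user`'s block replaced."""
    if not BCRYPT_RE.match(new_hash):
        # Refuse plaintext or truncated values: the indexer would lock the user out
        raise ValueError("not a bcrypt hash; generate one with hash.sh first")
    out, in_block, replaced = [], False, False
    for line in yml_text.splitlines(keepends=True):
        text = line.rstrip("\n")
        # An unindented "name:" line starts a new top-level block (a user or _meta)
        if text and not text[0].isspace() and not text.startswith("#"):
            in_block = text.split(":", 1)[0].strip() == user
        m = re.match(r"^(\s+)hash:", line)
        if in_block and m and not replaced:
            out.append(f'{m.group(1)}hash: "{new_hash}"\n')
            replaced = True
            continue
        out.append(line)
    if not replaced:
        raise KeyError(f"user {user!r} has no hash entry in this file")
    return "".join(out)


if __name__ == "__main__":
    # Usage: python update_hash.py config/wazuh_indexer/internal_users.yml admin '<hash from hash.sh>'
    path, user, new_hash = sys.argv[1:4]
    with open(path) as fh:
        updated = update_user_hash(fh.read(), user, new_hash)
    with open(path, "w") as fh:
        fh.write(updated)
```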

Step 3) Generate the certificates Wazuh needs for internal communication

```shell
cd /opt/wazuh

# The command below saves the certificates to the config/wazuh_indexer_ssl_certs directory
docker-compose -f generate-indexer-certs.yml run --rm generator

# If you use your own certificates, place them in config/wazuh_indexer_ssl_certs as follows:
## Wazuh indexer
# config/wazuh_indexer_ssl_certs/root-ca.pem
# config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem
# config/wazuh_indexer_ssl_certs/wazuh.indexer.pem
# config/wazuh_indexer_ssl_certs/admin.pem
# config/wazuh_indexer_ssl_certs/admin-key.pem
## Wazuh manager
# config/wazuh_indexer_ssl_certs/root-ca-manager.pem
# config/wazuh_indexer_ssl_certs/wazuh.manager.pem
# config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem
## Wazuh dashboard
# config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem
# config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem
# config/wazuh_indexer_ssl_certs/root-ca.pem
```

If the command above does not run properly, you can use your own certificates instead:

```shell
cd /opt
unzip wazuh_indexer_ssl_certs.zip
cp -ar /opt/wazuh_indexer_ssl_certs /opt/wazuh/config/wazuh_indexer_ssl_certs
# Permissions as used in the original post; note that this makes the private keys world-readable,
# so restrict them to the user the containers run as once the stack is up
chmod 777 /opt/wazuh/config/wazuh_indexer_ssl_certs/*
```

Step 4) Start the Wazuh platform with the docker-compose.yml file

```shell
cd /opt/wazuh

# By default the command looks for docker-compose.yml in the current directory
docker-compose up -d
```

5. Log in to the Wazuh manager platform

After the containers start, check the port mapped by the wazuh-wazuh.dashboard-1 container (443 by default), then open https://ip in a browser on a Windows host in the same network segment to log in to the management platform.

The username is admin.

The password is the one you set in step 2 of part 4.

After logging in, Wazuh runs a health check of the stack configuration; note that the check may show the situation in the figure below.

Fix: this happens because the Wazuh index template does not exist; create it manually.

v4.8.1 is your current Wazuh version; it differs for other versions.

```shell
# Fetch the template for this version and PUT it into the indexer
# (-k skips certificate verification because the indexer uses a self-signed certificate)
curl https://raw.githubusercontent.com/wazuh/wazuh/v4.8.1/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u kibanaserver:kibanaserver -k

# Offline mode: download wazuh-template.json first, upload it to /root/json
# (create the json directory if it does not exist), then load it from there
cat /root/json/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u kibanaserver:kibanaserver -k
```

Once the command returns the result shown in the figure above, run the stack check again and it passes.

When the check passes you see the Wazuh home page, shown in the figure below.

6. Operating the Wazuh management platform

Step 1) Create agent groups, one per operating system.

Add group

Step 2) Edit the detection policy of the Windows group, with the following content:

```xml
<agent_config>
  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
    <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

    <!-- 32-bit programs. -->
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
    <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>
    <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

    <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

    <!-- Frequency for ACL checking (seconds) -->
    <windows_audit_interval>60</windows_audit_interval>

    <!-- Nice value for Syscheck module -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <!-- CIS policies evaluation -->
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <java_path>\\server\jre\bin\java.exe</java_path>
    <ciscat_path>C:\cis-cat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
    <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\Program Files\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Log analysis -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Windows PowerShell</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-CodeIntegrity/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-TaskScheduler/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-PowerShell/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
```

Step 3) Edit the detection policy of the Linux group, with the following content:

```xml
<agent_config>
  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="open-scap">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="xccdf" path="ssg-debian-8-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="oval" path="cve-debian-oval.xml"/>
  </wodle>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <response_timeout>30</response_timeout>
      <queue_size>16384</queue_size>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
    <frequency>360</frequency>
  </localfile>

  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>24h</interval>
    <scan_on_start>yes</scan_on_start>
    <packages>yes</packages>
    <os>yes</os>
    <hotfixes>yes</hotfixes>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>
</agent_config>
```
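A group policy like the two above is pushed to every agent in the group, so it pays to check it before saving. The script below is an added example, not code from the original post or from the Wazuh project: it parses an agent.conf with the standard library, summarises what syscheck and localfile collect, and flags things a reviewer would question, including the fact that the Linux policy above reads /var/log/auth.log while the hosts in this post are CentOS 7, which log authentication to /var/log/secure. SAMPLE_CONF is a constructed, shortened Windows policy; the Linux checks are exercised with a second constructed snippet.

```python
"""Sanity-check a Wazuh group agent.conf before pushing it to agents.

Added example, not code from the original post or the Wazuh project. It parses
the policy with the standard library, summarises what it monitors and flags
settings a reviewer would question. SAMPLE_CONF is a constructed, shortened
Windows policy in the shape of the two group configs shown above.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONF = r"""<agent_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
    <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
  </syscheck>
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
"""


def audit(conf_xml: str) -> dict:
    """Return a summary of the policy; summary["findings"] lists the problems."""
    root = ET.fromstring(conf_xml)
    findings = []
    # Each <localfile> is either a file/event-channel location or a command
    sources = [(lf.findtext("log_format", "").strip(),
                (lf.findtext("location") or lf.findtext("command") or "").strip())
               for lf in root.findall("localfile")]
    locations = [loc for _, loc in sources]
    is_windows = any(fmt == "eventchannel" for fmt, _ in sources)

    sc = root.find("syscheck")
    dirs, keys = [], []
    if sc is None or sc.findtext("disabled", "no").strip() == "yes":
        findings.append("file integrity monitoring (syscheck) is disabled")
    else:
        dirs = sc.findall("directories")
        keys = [k.text.strip() for k in sc.findall("windows_registry") if k.text]
        if int(sc.findtext("frequency", "43200")) > 86400:
            findings.append("syscheck frequency is longer than 24h")
        if is_windows and not any(k.endswith(r"\CurrentVersion\Run") for k in keys):
            findings.append("autorun key HKLM\\...\\CurrentVersion\\Run is not monitored")

    if is_windows:
        if "Microsoft-Windows-Sysmon/Operational" not in locations:
            findings.append("Sysmon event channel is not collected")
    elif not {"/var/log/secure", "/var/log/auth.log"} & set(locations):
        findings.append("no authentication log (/var/log/secure or /var/log/auth.log) is collected")
    elif "/var/log/secure" not in locations:
        # The post's hosts are CentOS 7: RHEL-family systems write auth events to /var/log/secure
        findings.append("/var/log/auth.log is Debian-family; RHEL/CentOS hosts log to /var/log/secure")

    return {
        "platform": "windows" if is_windows else "linux",
        "directories": len(dirs),
        "realtime_dirs": sum(1 for d in dirs if d.get("realtime") == "yes"),
        "registry_keys": len(keys),
        "log_sources": locations,
        "findings": findings,
    }
```

Run it on a saved copy of the group's agent.conf and review `findings` before saving the policy in the dashboard.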

Step 4) After the changes, restart the wazuh-manager service:

```shell
cd /opt/wazuh
docker-compose restart wazuh.manager
```

Step 5) Advanced rules for the Wazuh server. Wazuh server allows custom detection rules; the SOCFortress team has open-sourced a corresponding rule set on GitHub that improves detection coverage. Project address: https://github.com/socfortress/Wazuh-Rules

Download the project archive Wazuh-Rules-main.zip, upload it to /root/rules and unpack it (create the rules directory if it does not exist).

```shell
cd /opt/wazuh
mkdir -p /var/tmp/rules/

# Collect every rule file from the unpacked project into one staging directory
cp /root/rules/Wazuh-Rules-main/*/*.xml /var/tmp/rules/

# Copy the staging directory into the manager container; its files land in /var/ossec/etc/rules
docker-compose cp /var/tmp/rules wazuh.manager:/var/ossec/etc
rm -f /var/tmp/rules/*
```

Change the ownership and permissions of the rule files:

```shell
docker-compose exec -it wazuh.manager /bin/bash -c "chown wazuh:wazuh -R /var/ossec/etc/rules"
docker-compose exec -it wazuh.manager /bin/bash -c "chmod 660 -R /var/ossec/etc/rules"
```
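Dropping a third-party rule set next to your own local_rules.xml is where duplicate rule IDs and accidental overwrites of built-in rules creep in, and a rule ID must be unique across every file the manager loads. The check below is an added example, not code from the original post, from Wazuh or from the SOCFortress project: run it over the staging directory before the docker-compose cp step. It uses regular expressions rather than an XML parser because Wazuh rule files are XML fragments with several top-level `<group>` elements; SAMPLE_FILES is a constructed stand-in for the unpacked files, and `check_dir` is the entry point for a real directory.

```python
"""Pre-deployment check for a directory of Wazuh rule files.

Added example, not code from the original post, the Wazuh project or the
SOCFortress Wazuh-Rules project. Rule IDs must be unique across every file
the manager loads, so duplicates introduced by dropping a third-party rule
set next to your own rules are worth catching before the copy into the
container. SAMPLE_FILES is a constructed stand-in for the unpacked files.
"""
import re
from collections import defaultdict
from pathlib import Path

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)   # commented-out rules must not count
RULE_RE = re.compile(r"<rule\b([^>]*)>")       # opening tag of each <rule ...>
ID_RE = re.compile(r'\bid="(\d+)"')
OVERWRITE_RE = re.compile(r'\boverwrite="yes"')
# Range the Wazuh documentation reserves for custom rules
CUSTOM_RANGE = range(100000, 120001)

SAMPLE_FILES = {
    "sysmon_rules.xml": """<group name="sysmon,">
  <rule id="100001" level="5"><description>constructed rule A</description></rule>
  <rule id="100002" level="7"><if_sid>100001</if_sid><description>constructed rule B</description></rule>
</group>""",
    "local_rules.xml": """<group name="local,">
  <rule id="100002" level="3"><description>constructed rule with a clashing id</description></rule>
  <rule id="5710" level="10" overwrite="yes"><description>tuned copy of a built-in rule</description></rule>
  <!-- <rule id="100003" level="1"> commented out, must not be counted -->
</group>""",
}


def check_rules(files: dict) -> dict:
    """files maps file name -> XML text. Returns counts, duplicates and overwrites."""
    seen = defaultdict(list)          # rule id -> files that define it
    overwrites, out_of_range = [], []
    for name, text in files.items():
        for attrs in RULE_RE.findall(COMMENT_RE.sub("", text)):
            m = ID_RE.search(attrs)
            if not m:
                continue
            rid = int(m.group(1))
            seen[rid].append(name)
            if OVERWRITE_RE.search(attrs):
                overwrites.append((rid, name))     # intentionally replaces a built-in rule
            elif rid not in CUSTOM_RANGE:
                out_of_range.append((rid, name))   # may collide with a shipped rule id
    return {
        "rules": sum(len(v) for v in seen.values()),
        "duplicates": {rid: v for rid, v in seen.items() if len(v) > 1},
        "overwrites": overwrites,
        "out_of_range": out_of_range,
    }


def check_dir(path: str) -> dict:
    """Run check_rules over every *.xml below path, e.g. /var/tmp/rules from the step above."""
    files = {str(p): p.read_text(errors="replace") for p in sorted(Path(path).rglob("*.xml"))}
    return check_rules(files)
```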

7. Agent installation

Installing on a Linux host

We install the agent on the CentOS 7 host that runs Wazuh. Choose linux RPM amd64 (it differs by operating system; Ubuntu/Debian use DEB amd64). Server address is the address of the server where Wazuh is installed. The group is the linux group; fill in the parameters as shown in the figure below.

After the parameters are filled in, part 4 of the wizard shows the command to run; downloading the agent requires internet access.

Online mode:

```shell
# Download the agent package and install it, registering against the manager and joining the Linux group
curl -o wazuh-agent-4.8.1-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.8.1-1.x86_64.rpm && sudo WAZUH_MANAGER='192.168.239.140' WAZUH_AGENT_GROUP='Linux' rpm -ihv wazuh-agent-4.8.1-1.x86_64.rpm
```

Offline mode: download wazuh-agent-4.8.1-1.x86_64.rpm first, then upload it to /root/rpm (create the rpm directory if it does not exist).

```shell
cd /root/rpm
sudo WAZUH_MANAGER='192.168.239.140' WAZUH_AGENT_GROUP='Linux' rpm -ihv wazuh-agent-4.8.1-1.x86_64.rpm

# Start the agent
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
```

Once the agent starts, its information appears in the Wazuh console, as shown in the figure below.

Appendix: removing the deployment

How to remove Wazuh when the project is no longer needed.

Step 1) Stop and remove the Docker containers; reference command:

```shell
cd /opt/wazuh
docker-compose down
```

Step 2) Delete the containers' local volumes. The configuration and files created earlier are stored persistently on the local host and can be inspected with the following commands.

Check Docker's disk usage:

```shell
docker system df
```

List Docker's local volumes:

```shell
docker volume ls
```

Delete Docker's local volumes. After this, all previous Wazuh platform configuration is wiped:

```shell
# Note: this removes every volume on the host, not only the Wazuh ones
docker volume ls | grep -v VOLUME | awk '{print $2}' | xargs docker volume rm
```

Other commands:

```shell
# docker builder prune   # clear the builder cache
```

Original statement: this article is published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.

If there is any infringement, please contact cloudcommunity@tencent.com for removal.
