Difference between revisions of "Wazuh"
Revision as of 21:53, 25 April 2023
Wazuh is the SIEM we use to check that all of our computers meet the baseline for system health and to monitor security events. The Wazuh server lives on Valhalla in an Ubuntu virtual machine called Gustavo, named after the manager of Los Pollos Hermanos in the television series Breaking Bad. An agent is deployed on each device; it collects the logs, file-integrity data and configuration checks needed to report on any issue on that system and sends them to the manager, which correlates everything into one place. The manager feeds the Elastic Stack, which visualises the data so that everything going on in 24Pintech's systems can be monitored without much hassle.
Configuring Wazuh Agents
Installation Process
Wazuh Agent Windows Configuration
If you need it, the Wazuh agent installer for each platform can be downloaded from https://documentation.wazuh.com/current/installation-guide (an agent must not be newer than the manager it registers with, so check the manager version first).
- Get Wazuh running on a computer that already has the agent installed
- Open Command Prompt as administrator
- Run the command below (10.21.25.12 is the manager; the -P value is the agent registration password held on the manager)
"C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m 10.21.25.12 -P password
- If the command succeeds you are done. If it fails, remove the agent's existing entry on the manager (see "Wazuh Agent Manager") and run it again; a stale entry for the same name or IP on the manager is a common cause of a failed registration.
- Get Wazuh running on a 24pintech computer that does not have it installed
- In File Explorer navigate to Cisco Curriculum on Midgard (Q:)
- Copy the Deployed Applications folder and paste it into C:
- Rename the folder to DeployedApplications
- Run Windows PowerShell as administrator
- Enter:
cd c:\DeployedApplications
- Enter the command below (it installs silently, points the agent at the manager and registers it in one step):
.\wazuh-agent-4.2.5-1.msi /q WAZUH_MANAGER="10.21.25.12" WAZUH_REGISTRATION_SERVER="10.21.25.12" WAZUH_REGISTRATION_PASSWORD="password"
Wazuh Agent Mac Configuration
- Log in to the computer with the 24pintech account. You may also open this wiki page on that computer to copy and paste commands.
- Open a terminal window and install the Wazuh agent with this command (launchctl setenv makes the manager address visible to the installer, which writes it into the agent's ossec.conf):
curl -so wazuh-agent-4.3.9.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.3.9-1.pkg && sudo launchctl setenv WAZUH_MANAGER '10.21.25.12' && sudo installer -pkg ./wazuh-agent-4.3.9.pkg -target /
- If prompted, use the 24pintech account password to finish the installation.
- Run this command to start Wazuh:
sudo /Library/Ossec/bin/wazuh-control start
- Refresh the Agents page on the manager and verify that the new agent is listed as Active.
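The same macOS steps as a script, added here as an example; it is not part of the original wiki page or of Wazuh's own tooling. It assumes the manager is 10.21.25.12, the log location the pkg uses by default (/Library/Ossec/logs/ossec.log), and that the agent log reports a successful connection with the text "Connected to the server"; the error patterns are assumptions taken from typical agent log lines. What it adds over the page is the check at the end: the installer exiting cleanly only proves the package was installed, not that the agent enrolled and connected.

```shell
#!/usr/bin/env bash
# Added example (not from the 24Pintech wiki or the Wazuh project): enrol a
# macOS agent with the manager and verify it actually connected, instead of
# trusting the install command's exit code alone.
# Assumptions: manager at 10.21.25.12; agent log at /Library/Ossec/logs/ossec.log;
# log wording "Connected to the server" on success (error patterns are assumed).
set -eo pipefail

MANAGER="${WAZUH_MANAGER:-10.21.25.12}"
VERSION="4.3.9"
PKG="wazuh-agent-${VERSION}-1.pkg"
OSSEC_DIR="/Library/Ossec"

# Return 0 if the log shows the agent connected to the manager, 1 if it shows
# an enrolment/connection error, 2 if neither has been logged yet.
agent_log_state() {
    local log="$1"
    if grep -q 'Connected to the server' "$log"; then
        return 0
    fi
    if grep -Eq 'Unable to connect|Unable to authenticate' "$log"; then
        return 1
    fi
    return 2
}

install_agent() {
    curl -fsSo "$PKG" "https://packages.wazuh.com/4.x/macos/${PKG}"
    # The pkg's post-install step reads WAZUH_MANAGER from launchd's environment.
    sudo launchctl setenv WAZUH_MANAGER "$MANAGER"
    sudo installer -pkg "./$PKG" -target /
    sudo "$OSSEC_DIR/bin/wazuh-control" start
    # Give agentd up to 30 seconds to enrol and connect, then inspect the log.
    local i
    for i in 1 2 3 4 5 6; do
        sleep 5
        if agent_log_state "$OSSEC_DIR/logs/ossec.log"; then
            echo "agent connected to $MANAGER"
            return 0
        fi
    done
    echo "agent did not connect; last log lines:" >&2
    tail -n 20 "$OSSEC_DIR/logs/ossec.log" >&2
    return 1
}

# Only perform the install when asked to, so the functions can be sourced
# and checked without touching the machine.
if [ "${1:-}" = "--install" ]; then
    install_agent
fi
```

Run it as `sudo bash enrol-mac-agent.sh --install` on the Mac; a non-zero exit with the log tail means the agent is installed but the manager side (reachability of port 1515/1514, registration password, duplicate name) still needs fixing.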
Wazuh Agent Manager
Running this command opens the menu to add, remove and edit agents (see picture on the right)
/var/ossec/bin/manage_agents
- Add an agent (A)
By entering "A" you add an agent to the list. You need the name of the computer you want to add and its IP address (or any if the address may change); the manager then generates the agent's key.
- Extract key for an agent (E)
By entering "E" you get the key of an existing agent by entering its ID number. This is rarely needed, because the agent can obtain its key itself by running one command locally (see "Wazuh Agent Windows Configuration").
- List already added agents (L)
By entering "L" you view a list of every agent with its ID number. The Wazuh manager page shows this in more detail, but this command is often convenient when you need to check for one agent.
- Remove an agent (R)
By entering "R" you remove an agent from the manager by entering its ID number. Use this to remove agents we no longer need, or to remove a faulty agent so that it can be registered again cleanly.
- Quit (Q)
By entering "Q", or alternatively "Quagmire", you close the menu and return to the normal terminal prompt.
Monitoring Wazuh
How to Monitor
The manager page shows a lot of information about everything connected. The tabs you will mainly use are Security Events, Integrity Monitoring, Agents and Manager, since those cover the problems we troubleshoot and fix. Look first for failures reported on any server or workstation, then check that the agents are connected to the manager as expected, then review the vulnerabilities the manager has detected in our systems and note what kind each one is. Processes being started on the systems also need to be watched for anything unusual.
What to look for
Modules
Security information management
- Security Events
- Alerts - This is the main place to look at current events across all agents, as far back as you need to go: login failures, malware detections and anything of that nature. The key is to filter by alert level; Wazuh rule levels run from 0 to 15 and each step up is a more serious alert that needs looking at. Anything above 7 is typically unwanted unless another technician is performing a task that is known to cause those alerts. Follow the steps in the policy whenever an alert should be escalated to the higher-ups for proper handling.
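The same triage by level, done from the manager's shell instead of the dashboard, as an added example (not from the wiki page or from Wazuh). It reads the manager's alerts.json (/var/ossec/logs/alerts/alerts.json, the standard location) and needs only awk, grep and sort, so it works on the VM without jq. The assumptions it relies on, and that the comments spell out, are the key order in an alerts.json line: the rule object (with its level, description and id) comes before the agent object, so the first "level", "id" and "name" on a line belong to the rule, the rule and the agent respectively.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from Wazuh): triage alerts.json by rule
# level from the shell. Only grep/awk/sort are used so it runs on the manager
# without jq. ALERTS defaults to the manager's alert log.
set -e

ALERTS="${ALERTS:-/var/ossec/logs/alerts/alerts.json}"

# Print every alert whose rule level is >= $1, one JSON line each.
# Assumption: each alerts.json line carries "rule":{"level":N,...} before any
# other "level" key, so the first match is the rule level.
alerts_at_or_above() {
    local min="$1" file="${2:-$ALERTS}"
    awk -v min="$min" '
        match($0, /"level":[0-9]+/) {
            lvl = substr($0, RSTART + 8, RLENGTH - 8) + 0   # skip the 8 chars of "level":
            if (lvl >= min) print
        }' "$file"
}

# Count alerts at or above a level (what you would page someone for).
count_at_or_above() {
    alerts_at_or_above "$1" "${2:-}" | wc -l | tr -d ' '
}

# One line per alert: "<level> <agent> <rule id> <description>", highest first.
# Assumption: the rule object precedes the agent object on the line, so the
# first "id" is the rule id and the first "name" is the agent name.
summarize() {
    local min="$1" file="${2:-}"
    alerts_at_or_above "$min" "$file" | awk '
        function field(key,   m) {              # first "key":"value" on the line
            if (match($0, "\"" key "\":\"[^\"]*\"")) {
                m = substr($0, RSTART, RLENGTH)
                sub(/^"[^"]*":"/, "", m)
                sub(/"$/, "", m)
                return m
            }
            return "-"
        }
        {
            match($0, /"level":[0-9]+/)
            lvl = substr($0, RSTART + 8, RLENGTH - 8)
            print lvl, field("name"), field("id"), field("description")
        }' | sort -k1,1nr
}
```

Typical use on Gustavo is `summarize 7` to see what is above the threshold the policy cares about, and `count_at_or_above 12` as a quick "is anything on fire" check; the description text is printed verbatim from the rule, so a rule that embeds a quote in its description would be cut short by the simple field extractor.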
Auditing and Policy Monitoring
- Security Configuration Assessments
- This is the most important place to look, as it shows any faults detected in each system's security configuration. Check one of each device type (all servers must be checked), then research any failed check that matters. A major security issue is dealt with either by informing a higher-up and getting the all clear to fix it, or directly if you are already in charge of the security of the systems.
Management
Administration
- This will probably be the least used section of the SIEM, but if several technicians ever share it, this is where their accounts are managed: restrictions are set according to how much each technician is trusted, so that every user has the correct access on the server and nothing is used against policy. This is also where rules are configured for the nodes and clusters, mainly controlling what is shown for the virtual machine.
Status and Reports
- This is where you will be able to generate a status report of the SIEM as well as seeing the status of each manager/cluster. By generating a report you will be given a detailed pdf of everything that has been logged for when you set it and you will be able to go over it and see anything that sticks out instead of having to check each individual module on the SIEM. You will also view the cluster health by seeing if one of the nodes has gone down and needs to be repaired to get it in working order once more.
Agent
- Any and all issues that are had within the agent monitoring page can be checked for in the troubleshooting section of the SIEM: Configuration wiki page.
Active
- Here you will be looking for any and all agents connected to the SIEM. You will look here for any newly added agents that are supposed to be there as well as if they have properly connected.
Disconnected
- Look here to see whether any important agents, such as the servers, are disconnected because the machine is off or because the agent has been inactive for a long time; such agents may need to be reset, which can be done in several ways.
Never connected
- Use this to find agents that were set up incorrectly through human error or an oversight during configuration. Most setup issues can be fixed by checking previous troubleshooting; if the cause is unknown, consult the Wazuh documentation or a manager.
Reporting
Reports from the manager can be set up to be e-mailed to us. To do this the ossec.conf file is edited to enable e-mail notification and define the reports: you choose who receives them, the maximum number of e-mails per hour and the minimum alert level that triggers one. The file holds the sending address, the SMTP server and the recipient addresses; the usual purpose is to be told about the higher-level alerts that need fixing immediately.
This is the command needed to access the ossec.conf file on the virtual machine.
sudo nano /var/ossec/etc/ossec.conf
Warning: Editing ossec.conf on either of the nodes, or the configuration on the server web page, can leave the server malfunctioning. Make sure you know exactly what you are doing and have a backup (or a VM snapshot) ready before changing anything.
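A configuration fragment for the e-mail reporting described above, added as an example; it is not the page's own ossec.conf and the SMTP host and addresses are placeholders to replace with 24Pintech's. It shows the split a practitioner usually wants: immediate e-mails only for the highest levels, with the level 7 and above traffic and file-integrity changes collected into daily reports instead of flooding the inbox. Wazuh accepts several `<ossec_config>` blocks in one file, so this can be appended to /var/ossec/etc/ossec.conf rather than merged by hand.

```xml
<ossec_config>
  <!-- Added example, not the page's own ossec.conf. SMTP host, sender and
       recipient addresses are placeholders. -->
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>wazuh@example.com</email_from>
    <email_to>soc@example.com</email_to>
    <!-- Cap on individual alert e-mails per hour so a noisy rule cannot
         drown the mailbox (12 is the Wazuh default). -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <!-- Keep writing everything at level 3 and above to alerts.json
         for the dashboard ... -->
    <log_alert_level>3</log_alert_level>
    <!-- ... but only e-mail immediately for level 12 and above. -->
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Daily digest of everything at level 7 or above, the threshold the
       monitoring section treats as unwanted. -->
  <reports>
    <level>7</level>
    <title>Daily report: alerts level 7 and above</title>
    <email_to>soc@example.com</email_to>
  </reports>

  <!-- Daily digest of file-integrity changes (the Integrity Monitoring tab). -->
  <reports>
    <category>syscheck</category>
    <title>Daily report: file changes</title>
    <email_to>soc@example.com</email_to>
  </reports>
</ossec_config>
```

Before restarting the manager, `sudo /var/ossec/bin/wazuh-analysisd -t` checks that the file still parses; a malformed ossec.conf is the usual way the restart warned about on this page ends with a manager that will not come back up.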
Creating a new Wazuh Server
We may need to build a new Wazuh server, for example because the existing one has broken in a way we cannot fix, or because it has accumulated problems over time and needs rebuilding to get rid of them. Creating a new server sounds hard but is simple: make a new VM running Ubuntu Linux and run a handful of commands that do not require much Linux knowledge. The agents that were connected to the previous server will reconnect to the new one only if it is reachable at the same address (10.21.25.12) and the agent keys from the old server (/var/ossec/etc/client.keys) are restored onto it; otherwise every agent must be registered again with agent-auth (see "Wazuh Agent Windows Configuration").
Step 1: Create a new server
Create the new VM in ESXi as follows:
- Give it 4-8 CPU cores
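Before the old VM is thrown away, the state the agents depend on has to be copied off it; the functions below do that and are added here as an example (not from the wiki page or from Wazuh). They also cover the "Wazuh Agent Manager" section's list operation offline, by reading client.keys directly, which is useful when the old manager no longer starts. OSSEC_DIR is a variable only so the functions can be exercised against a scratch directory; on a real manager it is /var/ossec. The list of files to carry over is my choice of what usually matters (agent keys, manager config, registration password, shared agent groups, local rules and decoders), not a list from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from Wazuh): save the manager state that
# agents depend on before a rebuild, and restore it on the new VM.
# Agents reconnect without re-enrolment only if the new manager keeps the old
# address (10.21.25.12 here) and /var/ossec/etc/client.keys, which holds every
# agent's id, name, ip and key.
set -e

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Files and directories to carry over, relative to OSSEC_DIR. Missing entries
# are skipped so the backup still works on a manager without local rules.
STATE_PATHS="etc/client.keys etc/ossec.conf etc/authd.pass etc/shared etc/rules/local_rules.xml etc/decoders/local_decoders.xml"

backup_manager_state() {        # backup_manager_state /path/to/wazuh-state.tar
    local out="$1" present="" p
    for p in $STATE_PATHS; do
        if [ -e "$OSSEC_DIR/$p" ]; then
            present="$present $p"
        fi
    done
    if [ -z "$present" ]; then
        echo "nothing to back up under $OSSEC_DIR" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # word splitting of $present is intended
    tar -C "$OSSEC_DIR" -cf "$out" $present
}

restore_manager_state() {       # restore_manager_state /path/to/wazuh-state.tar
    local in="$1"
    tar -C "$OSSEC_DIR" -xf "$in"
    # client.keys is a secret: anyone holding a key can impersonate that agent,
    # so keep the file unreadable to other users.
    chmod 640 "$OSSEC_DIR/etc/client.keys"
}

# Parse client.keys ("<id> <name> <ip> <key>") and print "<id> <name> <ip>"
# without the keys, so the inventory can be compared with the manager page
# (manage_agents -l shows the same on a running manager). Only lines with
# a numeric id and all four fields are treated as active entries.
list_agents_from_keys() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ { print $1, $2, $3 }' "$OSSEC_DIR/etc/client.keys"
}
```

On the old VM run `sudo bash wazuh-state.sh` sourced into a root shell and call `backup_manager_state /root/wazuh-state.tar`; after installing the manager on the new VM, stop it, call `restore_manager_state`, then start it and confirm with `list_agents_from_keys` that every agent you expect is present. The tarball contains the keys and the registration password, so copy it over scp and delete it once the new manager is up.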
Wazuh Commands:
Agent Config (Agent Side)
net stop wazuh
- Stops Wazuh
net start wazuh
- Starts Wazuh
Restart-Service -Name wazuh
- Restarts the agent service from PowerShell
systemctl restart wazuh-manager
- Restarts the Wazuh manager (this has sometimes left Wazuh broken beyond repair, so take a VM snapshot before running it)
"C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m 10.21.25.12 -P password
- Obtains a new key and activates an agent
Agent Config (Server Side)
/var/ossec/bin/manage_agents
- Opens agent manager. More info on the manager under "Wazuh Agent Manager"
Server Config - Nano
systemctl start/status/stop/restart wazuh-manager
- Controls the manager service
/usr/share/kibana/data/wazuh/config/wazuh.yml
- Wazuh Kibana plugin settings (which Wazuh API host the dashboard talks to)
/var/ossec/etc/shared/dbms/agent.conf
- Shared configuration pushed to every agent in the "dbms" agent group
/var/ossec/etc/ossec.conf
- Main manager configuration (e-mail reports, agent connections, rules and decoders)
/etc/filebeat/filebeat.yml
- Filebeat configuration that ships alerts to Elasticsearch
/etc/kibana/kibana.yml
- Kibana configuration
/var/ossec/bin/wazuh-control -j info
- Prints the installed Wazuh version and revision as JSON
/var/ossec/logs/active-responses.log
- Log of active responses (automatic actions such as blocking an IP) run on this host