Difference between revisions of "Wazuh"

From 24PinTech Wiki
Revision as of 15:18, 16 September 2022

Configuring Wazuh

What is a SIEM

A Security Information and Event Manager (SIEM) is software that collects, manages, and monitors data from systems. It is typically used in large IT environments so that hundreds of devices can be monitored in one place. Incidents happening within the environment can be spotted by the SIEM and handled by us more quickly, or even before we would otherwise know they were there. While its purpose is not to fix security issues, it helps to spot anything we would be unable to detect on our own, improving overall system health within 24PinTech's environment.

Things that the SIEM will look for

  • Events and log data
  • Policies
  • File integrity
  • Vulnerabilities
  • Intrusions
  • Malware

Wazuh

Wazuh is the SIEM software currently implemented in 24PinTech's systems to make sure that everything is up to standard in terms of system health. It consists of two main parts: the agents and the manager (also called the server). The agents are deployed onto each device and collect the information needed to make a full report on any issues that may be occurring on that system. The data is then sent to the manager, which processes it and organizes it into one source. The manager also uses the Elastic Stack to visualize all of the data it holds, so that everything going on in 24PinTech's systems can be looked at in one place.

Installation Process

Wazuh Manager

The manager can be installed either as an all-in-one or as a distributed deployment. The deployment in use is all-in-one, which has all of the components of Wazuh installed on the server, Sleipnir, running Ubuntu. Each component is installed by a script run in the terminal to make the process efficient. Once the script has finished installing all of the packages, the manager can be accessed on the web by typing the IP address of the system the manager was installed on into the address bar (https://<manager ip>). You will then be taken to the manager login page; type in the user name and password, and all of the information on the systems added can be viewed.

Wazuh Agent

The agent is installed on each individual system using the package found on the Wazuh website (for the OS version needed). To register the agent, run the registration command on either the system the manager was installed on or on the agent system to configure the necessary information for that system. When registering from the manager, you can change the name and ID that the system will be seen as. Once it is configured, check the manager to see that the agent has connected correctly.

(Note that all of these commands will only run as an administrator, via sudo, or as root.)

On the manager system (Linux OS Only)

To set up an agent from the manager system, the agent application must be installed on the device first. Then, using the command below, the system being added can be given the ID and display name that the manager will show for it. Establishing the connection between the manager and the agent this way allows more customization of the device being added, but it takes longer to set up than the other registration methods.

/var/ossec/bin/manage_agents -a <agent_IP> -n <agent_name>

On the agent system

Windows Configuration

There are two ways the agent can be installed on a Windows device. The first is through the command prompt, where you run the command below to request an authorization key from the manager, filling in the IP address of the manager, to connect the agent to the manager. The other way is through Group Policy and Orca, which allows multiple systems to be set up at one time. One issue that may come up during installation is that the agent connects but is not recognized; this can happen if the Group Policy setup is not done correctly or if the command is not entered correctly.

"C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m <manager_IP>

Mac Configuration

When installing on a Mac, once the package is installed, configure it for whichever drive it will be on and make sure to keep the package after the installation of the agent is complete. When that is finished, check the Library folder to see if the Ossec folder for the agent is there, to ensure it has been installed properly. Then open Terminal and run the command below to register the agent with the manager. After that, run the command to start the agent and it will automatically relay its data to the manager. If starting the agent fails, or the agent is shown as "never connected" on the manager page, make sure that the manager IP is set correctly in the ossec.conf file, and if the manager IP is correct, check the protocol as well.

  • Install the package if not installed already.
  • Download the contents of the package
    1. Once installed, open the package from recently installed.
    2. Look in the app finder, go to Downloads and open the package.
    3. Accept all the fields for the installation and let it complete.
  • Open up Terminal
    1. Go to app finder > Applications > the Utilities folder > Terminal to access it.
  • Run the command to register the agent
    1. Use "sudo /Library/Ossec/bin/agent-auth -m 10.21.25.12". (Make sure to run it as root or administrator, otherwise the command will not work.)
    2. To set the password needed for registration, type in the following command: echo "password" | sudo tee /Library/Ossec/etc/authd.pass (a plain sudo echo "password" > file does not work, because the redirect runs without root rights).
    3. Use "sudo /Library/Ossec/bin/wazuh-control start" to start the agent.
  • Ensure that it is properly connected to the manager
    1. Access the manager online (that will be done by me).
    2. Ensure that it is being detected properly and that its information is being received.
    3. Make sure that the Mac is active and not under the "never connected" tab.


What to do if the agent cannot connect to the manager

  • Access the ossec config file
    1. Access the terminal using the instructions from step 3 of the setup.
    2. Use the command "sudo nano /Library/Ossec/etc/ossec.conf". If you are not familiar with nano, go here
  • Configure the manager IP address in the config file
    1. Once in the config file, navigate down to the manager IP line using the arrow keys.
    2. Change the "MANAGER_IP" address to "10.21.25.12" if it is not already.
    3. Make sure that it is using "TCP" for the protocol.
    4. Save any changes made to the file by pressing CTRL X and then pressing Enter twice.
  • Restart the agent
    1. Make sure that the file was saved.
    2. Using the terminal again, run the command "sudo /Library/Ossec/bin/ossec-control restart".
    3. Make sure the agent is registered.
  • Check the manager to see if the connection was established
    1. Access the manager to make sure that the agent is connected to the manager properly (not in the never connected tab).
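A way to check the agent's config file for the two mistakes the steps above cover (wrong manager IP, wrong protocol) before restarting, as an added example that is not code from this wiki or from the Wazuh project. It reads the <client><server> block of an agent-side ossec.conf; the config text inside is constructed, and the expected values (10.21.25.12, TCP) are the ones this page gives.

```python
"""Check an agent-side ossec.conf for the manager address and protocol.

Added example; it is not code from the 24PinTech wiki or the Wazuh project.
It reads the <client><server> block that the Mac troubleshooting steps edit
by hand and reports every mismatch against the values the wiki expects
(manager 10.21.25.12 over TCP). The config text below is constructed.
"""
import xml.etree.ElementTree as ET

EXPECTED_MANAGER = "10.21.25.12"   # manager IP given on the wiki page
EXPECTED_PROTOCOL = "tcp"          # the wiki says the agent must use TCP


def check_manager_config(conf_text, expected_ip=EXPECTED_MANAGER,
                         expected_protocol=EXPECTED_PROTOCOL):
    """Return a list of findings; an empty list means the block is correct."""
    # A real ossec.conf may hold several top-level <ossec_config> elements,
    # which is not well-formed XML on its own, so wrap it in one root first.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    servers = root.findall(".//client/server")
    if not servers:
        return ["no <client><server> block: the agent has no manager configured"]
    findings = []
    for idx, server in enumerate(servers, start=1):
        address = (server.findtext("address") or "").strip()
        protocol = server.findtext("protocol")
        if address != expected_ip:
            findings.append(f"server {idx}: address is '{address}', expected {expected_ip}")
        if protocol is None:
            findings.append(f"server {idx}: no <protocol> set, add <protocol>{expected_protocol}</protocol>")
        elif protocol.strip().lower() != expected_protocol:
            findings.append(f"server {idx}: protocol is '{protocol.strip()}', expected {expected_protocol}")
    return findings


# Constructed sample: a typo in the manager address and the wrong protocol,
# the two mistakes the troubleshooting steps tell you to look for.
BAD_CONF = """<ossec_config>
  <client>
    <server>
      <address>10.21.25.21</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
  </client>
</ossec_config>"""

GOOD_CONF = BAD_CONF.replace("10.21.25.21", "10.21.25.12").replace("udp", "tcp")

if __name__ == "__main__":
    for finding in check_manager_config(BAD_CONF):
        print("FIX:", finding)
    print("findings for corrected config:", check_manager_config(GOOD_CONF))
```

Run it against the real file with sudo cat /Library/Ossec/etc/ossec.conf piped into the script, or paste the file contents in place of the constructed sample.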

Linux Configuration

/var/ossec/bin/agent-auth -m <manager_IP>

Here is the link to the Wazuh site with specific information on registering agents on various OSes. If you are doing this on OS X or Linux you will need to use a file editor like Vim or nano to open the file and make changes.

More information on the installation can be found on the Wazuh site.

Troubleshooting

Quite a few issues can occur when adding, updating, or restarting the SIEM that can cause it to malfunction. One of the main things to look at is the config file for each component.

Manager is no longer tracking information:

The server has used up all of its space holding the events and alerts, so it is best to delete the oldest events, or, if absolutely necessary, expand the node (not recommended).

Agent is listed as "never connected" or not showing up:

The agent has not been configured properly: it has located the server but not connected. To fix this on Windows, re-run the command "C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m <manager_IP> and make sure that the correct IP has been entered. On Mac, open the config file, enter the correct IP on the manager IP line, and then restart the agent. More on this can be found above in the Mac Configuration section and in the document attached to it.

Cannot connect to server web based page:

Monitoring Wazuh

How to Monitor

There is a lot of information on the manager page, with details on everything connected. Most of what we need to look at for troubleshooting and coming up with solutions is on the Security Events, Integrity Monitoring, Agents, and Manager tabs. The main thing to look for is any failure seen on one of the servers or workstations. You will also want to look at the agents connected to see whether their connection to the manager is in order. Another thing is vulnerabilities detected by the manager within our systems; note what kind of vulnerability each one is. The processes being created on the systems also need to be monitored for any issues.

What to look for

Modules
Security information management
  • Security Events
    • Alerts - This is the main place to look at the current events on all of the systems, as far back as you need to. Login failures, malware, and anything of that nature across all agents will be viewed here. The key to going through all of this is the alert level, which goes from 1 to 12, with each higher level being a more serious alert that needs to be looked at. Anything above 7 will typically be unwanted, unless another technician is performing a task that is causing those alerts. Take the proper steps as listed in the policy whenever an alert is worth taking to the higher ups for proper handling.
Auditing and Policy Monitoring
  • Security Configuration Assessments
    • This is the most important place to look, as you will need to monitor for any faults detected in each system's security. Check one of each device type (all servers need to be checked), and then, as a tech, research the issue if it is important. If there is a major security issue, deal with it either by informing a higher up and getting the all clear to fix it, or directly if you are already in charge of fixing the security of the systems.
Management
Administration
  • This will probably be the least used section of the SIEM, but if multiple technicians ever take it on, this is where all accounts are managed. Depending on the trust placed in each technician, restrictions can be set to ensure that every user has the correct access on the server and that nothing is used against policy. This is also where rules are configured for the nodes and clusters, mainly for what will be shown on the virtual machine.
Status and Reports
  • This is where you can generate a status report of the SIEM and see the status of each manager/cluster. Generating a report gives you a detailed PDF of everything logged for the period you set, which you can go over to spot anything that sticks out, instead of having to check each individual module on the SIEM. You can also view the cluster health here and see whether one of the nodes has gone down and needs to be repaired to get it working again.
Agent
  • Any issues with the agent monitoring page can be checked for in the troubleshooting section of the SIEM: Configuration wiki page.
Active
  • Here you will find all of the agents connected to the SIEM. Look here for any newly added agents that are supposed to be there and to see whether they have connected properly.
Disconnected
  • Look here to see whether any important agents, such as the servers, are disconnected because they were turned off or have been inactive for a while; they may need to be reset, which can be done in several ways.
Never connected
  • This is used to check for any agents that were connected improperly due to human error or an oversight during configuration. Most setup issues with an agent can be fixed by going through the troubleshooting above; if the issue is unknown, consult either the Wazuh documentation or a manager.

Proper Procedure

Whoever is tasked with monitoring the SIEM at any given time needs to know the procedure for doing so. Below is a list of what should be done when checking over our systems. Anything not on this list is only checked as needed, or when something has been changed on the server that needs to be checked for on the web page.

  1. Check all tabs for disconnected or never connected agents (Daily)
    • If there are any that have been disconnected or have never connected, follow the process above for this section to solve the problem.
  2. Click on Agents and look at the alerts (Daily)
    • Check that alerts are still being tracked; if not, follow the steps in the troubleshooting section of the SIEM: Configuration page.
    • Sort by level from highest to lowest so that higher priority alerts come first, and look for any that are notable. If one is a clear issue, report it.
  3. Go into the Security Configuration Assessment for security vulnerabilities (Once weekly, or when any big changes are made during imaging)
    • Check one Windows, one Mac, and all of the servers for any fails detected by the SIEM.
    • Take a screenshot of each, then send it to whoever is in charge of creating images so that they can review previous issues.
  4. Check the Status and Reports section (End of week)
    • Look at the health of the cluster/nodes.
    • Check the logs and statistics section for any irregular spikes or gaps in the information (unless they are due to the server being shut off).
    • Generate a final report and compare it with previous reports for any discrepancies between the two.
  5. Check both of the node VMs to get updates installed for the managers (Monthly, or after a new version comes out)
    • Install when the prompt comes up, or go into the terminal and run sudo apt-get update (followed by sudo apt-get upgrade to install the updates), which updates the Ubuntu software and the SIEM as well.
    • Reconfigure the different config files as needed. It is best to take a screenshot of these files before updating, to avoid any disconnect between the server and the agents.
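The alert triage described under Security Events (levels 1 to 12, anything above 7 unwanted) and in step 2 of the procedure (sort by level, highest first), as an added example that is not code from this wiki or from the Wazuh project. It works on the newline-delimited JSON the manager writes to alerts.json; the alert lines inside are constructed, and the agent names, rule ids and descriptions are illustrative.

```python
"""Triage Wazuh alerts.json lines by rule level.

Added example; it is not code from the 24PinTech wiki or the Wazuh project.
It reads newline-delimited JSON alerts in the shape the manager writes to
/var/ossec/logs/alerts/alerts.json, keeps those above the wiki's threshold
(anything above level 7 is unwanted) and sorts them from highest to lowest
level, as the daily procedure asks. The alert lines are constructed, keep
only the fields used here, and the rule ids are illustrative.
"""
import json

THRESHOLD = 8   # "anything above 7", per the wiki


def triage_alerts(lines, threshold=THRESHOLD):
    """Return (flagged, skipped): flagged alerts sorted by level descending,
    and the number of lines that could not be parsed."""
    flagged, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
            level = int(alert["rule"]["level"])
        except (ValueError, KeyError, TypeError):
            skipped += 1          # a malformed line must not stop the sweep
            continue
        if level >= threshold:
            flagged.append({
                "level": level,
                "agent": alert.get("agent", {}).get("name", "?"),
                "rule_id": alert["rule"].get("id", "?"),
                "description": alert["rule"].get("description", ""),
                "timestamp": alert.get("timestamp", ""),
            })
    flagged.sort(key=lambda a: a["level"], reverse=True)
    return flagged, skipped


# Constructed sample lines: one per agent event plus a malformed line.
SAMPLE_ALERTS = [
    '{"timestamp":"2022-09-16T10:01:00Z","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"003","name":"ws-01"}}',
    '{"timestamp":"2022-09-16T10:02:00Z","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user"},"agent":{"id":"000","name":"sleipnir"}}',
    '{"timestamp":"2022-09-16T10:03:00Z","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system."},"agent":{"id":"000","name":"sleipnir"}}',
    '{"timestamp":"2022-09-16T10:04:00Z","rule":{"level":7,"id":"550","description":"Integrity checksum changed."},"agent":{"id":"004","name":"mac-01"}}',
    '{"timestamp":"2022-09-16T10:05:00Z","rule":{"level":8,"id":"100002","description":"Custom rule: new local admin added"},"agent":{"id":"003","name":"ws-01"}}',
    'this line is not JSON and stands in for a truncated write',
]

if __name__ == "__main__":
    flagged, skipped = triage_alerts(SAMPLE_ALERTS)
    for a in flagged:
        print(f"level {a['level']:>2}  {a['agent']:<9} rule {a['rule_id']:<6} {a['description']}")
    print(f"{skipped} line(s) skipped as unparseable")
```

The level 7 integrity alert is deliberately left out at the default threshold, matching the wiki's "above 7" rule; pass threshold=7 to include it.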

If any issues do occur, report them first so that they can be dealt with appropriately. Do not attempt to make corrections if you are unable to fix the issue, as you may make it worse and will be held responsible.

Reporting

Config for email
Config for reports

Reports from the manager can be set up to email the information directly to us. To do this, the ossec.conf file needs to be edited to set up automatic reports. There you can choose who will receive them, the frequency of the emails, and the level of alert that triggers an email. In the file there is a section to enter the sending email and the recipient email; the main reason for receiving these emails will most likely be the higher level alerts that need fixing immediately.

This is the command to open the ossec.conf file on the virtual machine.

sudo nano /var/ossec/etc/ossec.conf

Do not under any circumstance, unless told otherwise by a higher up, configure anything within the ossec.conf file on either of the nodes or anything on the server web page, as it will lead to the server malfunctioning or not performing at its best. Any and all changes made need to be reported to and approved by whoever the manager is at the time or by the Founder and CEO, Mr. Chamberlain.

Wazuh Commands:

Agent Config (Agent Side)

net stop wazuh

net start wazuh

Restart-Service -Name wazuh

Agent Config (Server Side)

/var/ossec/bin/manage_agents -a <agent_IP> -n <agent_name>

/var/ossec/bin/manage_agents -l | grep <agent_name>

/var/ossec/bin/manage_agents -e <agent_id>

Server Config - Nano

systemctl start/status/stop/restart wazuh-manager

/usr/share/kibana/data/wazuh/config/wazuh.yml

/var/ossec/etc/shared/dbms/agent.conf

/var/ossec/etc/ossec.conf

/etc/filebeat/filebeat.yml

/etc/kibana/kibana.yml

/var/ossec/bin/wazuh-control -j info

/var/ossec/logs/active-responses.log