1. Wazuh profile

Wazuh is a free, open source, enterprise-class security monitoring platform for threat detection, integrity monitoring, incident response, and compliance.

Project address:

https://github.com/wazuh

Wazuh consists of an endpoint security agent deployed to a monitored system and an administration server that collects and analyzes the data collected by the agent. In addition, Wazuh is fully integrated with Elastic Stack, providing a search engine and data visualization tools that allow users to browse its security alerts.

Wazuh provides features including log data analysis, intrusion and malware detection, file integrity monitoring, configuration evaluation, vulnerability detection, and regulatory compliance support.

2. Components and architecture of the Wazuh Platform

The Wazuh platform consists of three main components: the Wazuh agent, the Wazuh server, and the Elastic Stack.

  • Wazuh agent: installed on an endpoint such as a laptop, desktop, server, cloud instance, or virtual machine. It provides prevention, detection, and response capabilities and supports Windows, Linux, macOS, HP-UX, Solaris, and AIX.
  • Wazuh server: analyzes the data received from agents, processes it through decoders and rules, and uses threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents and scales horizontally when deployed as a cluster. The server is also used to manage agents and to push remote configuration and upgrades when necessary.
  • Elastic Stack: indexes and stores the alerts generated by the Wazuh server. The integration between Wazuh and Kibana provides a powerful user interface for visualizing and analyzing the data; the interface can also be used to manage Wazuh configuration and monitor its status.

The Wazuh architecture is shown in the diagrams below:

1. Overall architecture diagram

2. Component architecture of the Agent

3. Server architecture

About the installation

You can follow the official manual to install it step by step:

https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/all_in_one.html

You need to install the following components separately:

  • Wazuh manager
  • Elasticsearch
  • Filebeat
  • Kibana

Here, for convenience, I directly download the Wazuh 4.1.5 OVA VM template image.

Download address:

https://packages.wazuh.com/4.x/vm/wazuh-4.1.5_1.13.2.ova

The following section walks through deploying and trying out the Wazuh open source security platform.

1. Import an OVA VM

2. Log in to the VM as the root user and set the IP address

The default password of user root is wazuh

Changing the IP address is not detailed here.

Note: you are advised to adjust the server's time zone settings at the same time.

3. Log in to the Wazuh Web interface

The initial credentials are admin / admin.

The main interface (Kibana) looks as follows.

4. Deploy and register the Wazuh Agent

Select the corresponding operating system version, set the IP address of the Wazuh Server, and specify the Agent group (I use the default group default here).

Then copy the generated command and run it on the client server (CentOS 7.9, 192.168.31.127):

sudo WAZUH_MANAGER='192.168.31.46' WAZUH_AGENT_GROUP='default' yum install https://packages.wazuh.com/4.x/yum/wazuh-agent-4.1.5-1.x86_64.rpm

Start the Agent and enable it to start automatically on boot:

systemctl start wazuh-agent
systemctl status wazuh-agent
systemctl enable wazuh-agent

5. Confirm that the Agent is online

The Agent shows as active on the Web interface.

You can also check the Agent's connection status from the command line on the manager:

/var/ossec/bin/agent_control -l

6. Default functions on the home screen

Security events

SCA (CIS baseline check)

Integrity monitoring

Wazuh-manager server

Edit /var/ossec/etc/ossec.conf and change the syscheck block to the following, then restart the manager:

vim /var/ossec/etc/ossec.conf
<syscheck>
  <disabled>no</disabled>
  <!-- Frequency that syscheck is executed, default every 12 hours -->
  <frequency>600</frequency>
</syscheck>
systemctl restart wazuh-manager.service

On the Wazuh-agent client, create a test file, for example a file named LL in /usr/bin/.

Force a syscheck scan:

/var/ossec/bin/ossec-syscheckd -f

The corresponding record then appears under Integrity Monitoring.

8. Vulnerabilities: vulnerability detection function test

  • Wazuh-manager server
Edit /var/ossec/etc/ossec.conf and enable vulnerability detection; for example, set the Red Hat provider's enabled option to yes.

  • Wazuh-agent client
Edit /var/ossec/etc/ossec.conf and enable the syscollector module so that the agent collects its system inventory (installed packages).

Because of network restrictions, the following warning is logged:

wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 7' database could not be fetched.

The manager cannot download the RHEL 7 vulnerability feed.

This can be solved with an offline update; see the following documentation:

https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/offline_update.html

I’m just downloading it locally

In the configuration file, point the Red Hat provider at the local feed file, then restart the manager:

<os path="/opt/rhel-7-including-unpatched.oval.xml.bz2">7</os>
systemctl restart wazuh-manager.service

The vulnerability data is now visible.

9. VirusTotal integration: virus detection function test

1) Register an account on the VirusTotal website to obtain an API key

2) Wazuh-manager server

Add the following block at the bottom of the configuration file, then restart the manager:

vim /var/ossec/etc/ossec.conf
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>XXXXXX</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
systemctl restart wazuh-manager.service

3) Wazuh-agent client

Edit /var/ossec/etc/ossec.conf and add a directory to be monitored in real time, for example /opt, then restart the agent with systemctl restart wazuh-agent.
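As an added check (not from this post or the Wazuh project), the script below parses the ossec.conf fragments this post edits (syscheck with a real-time directory, the vulnerability-detector with the offline Red Hat feed, and the VirusTotal integration) and reports settings that are still missing or left at the placeholder. It assumes the Wazuh 4.x element names used in this post and that a VirusTotal API key is 64 hex characters; the sample config is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the fragments this post adds to ossec.conf, in one file.
# A real ossec.conf holds several top-level <ossec_config> blocks (the post
# appends a new one for VirusTotal), so it is not a single well-formed XML
# document; the checker wraps it in a synthetic root before parsing.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>600</frequency>
    <directories realtime="yes">/opt</directories>
  </syscheck>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <provider name="redhat">
      <enabled>yes</enabled>
      <os path="/opt/rhel-7-including-unpatched.oval.xml.bz2">7</os>
    </provider>
  </vulnerability-detector>
</ossec_config>
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>XXXXXX</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
"""


def check_ossec_conf(text):
    """Return findings for the settings used in this post; [] means all good."""
    root = ET.fromstring("<root>" + text + "</root>")
    findings = []
    sc = root.find(".//syscheck")
    if sc is None or sc.findtext("disabled", "").strip() != "no":
        findings.append("syscheck: not enabled")
    elif not any(d.get("realtime") == "yes" for d in sc.findall("directories")):
        findings.append("syscheck: no realtime directory, VirusTotal sees no new files")
    vd = root.find(".//vulnerability-detector")
    if vd is None or vd.findtext("enabled", "").strip() != "yes":
        findings.append("vulnerability-detector: not enabled")
    for it in root.findall(".//integration"):
        if it.findtext("name", "").strip() == "virustotal":
            key = it.findtext("api_key", "").strip()
            # Assumption: VirusTotal API keys are 64 hex characters.
            if not re.fullmatch(r"[0-9a-fA-F]{64}", key):
                findings.append("virustotal: api_key is still a placeholder")
    return findings
```

Run it against the real file with `check_ossec_conf(open("/var/ossec/etc/ossec.conf").read())` on the manager and again on the agent, since each side holds a different subset of these blocks.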

Then upload a malware sample as a test.

For example, upload the cryptominer script shell.sh to /opt/software.

4) Enable VirusTotal on the Web interface

The resulting detection can then be seen.

API calls

10. MITRE ATT&CK: SSH brute-force test

Use a Kali machine to simulate an SSH brute-force attack.

The Brute Force logs and data can then be seen on the ATT&CK page.
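To show what the ATT&CK page is reacting to, here is an added example (not Wazuh's code) of the same counting logic run over constructed sshd log lines: it mirrors the shape of Wazuh's stock sshd rule 5712, assumed here to be 8 failed passwords from one source within 120 seconds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds assumed from Wazuh's default sshd rule 5712: 8 matches of the
# per-line "Failed password" rule (5716) from one source within 120 seconds.
FREQUENCY = 8
TIMEFRAME = 120

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(text, year=2021):
    # syslog timestamps carry no year; pin one so the window arithmetic works
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(lines):
    """Return [(src_ip, timestamp)] for each time a source crosses the threshold."""
    window = defaultdict(deque)  # src_ip -> timestamps of its recent failures
    alerts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > TIMEFRAME:  # drop expired entries
            q.popleft()
        if len(q) >= FREQUENCY:
            alerts.append((ip, ts))
            q.clear()  # one alert per burst; start counting a fresh window
    return alerts


# Constructed sample: 8 failures from one source in 28 s, plus one stray failure
SAMPLE_AUTH_LOG = [
    f"Jun 10 14:02:{s:02d} centos7 sshd[{2100 + i}]: Failed password for root "
    f"from 192.0.2.10 port {40000 + i} ssh2"
    for i, s in enumerate(range(1, 30, 4))
] + ["Jun 10 14:05:00 centos7 sshd[2200]: Failed password for invalid user admin "
     "from 198.51.100.7 port 41000 ssh2"]
```

Feeding the agent host's /var/log/secure through detect_ssh_bruteforce() shows which bursts should line up with the rule 5712 alerts Wazuh maps to the Brute Force technique.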

Conclusion:

Wazuh has many more functions; refer to the official documentation for configuration and verification:

https://documentation.wazuh.com/current/index.html