1. Wazuh overview
Wazuh is a free, open source, enterprise-class security monitoring solution for threat detection, integrity monitoring, incident response, and compliance.
Project address:
https://github.com/wazuh
Wazuh consists of an endpoint security agent deployed on the monitored systems and a management server that collects and analyzes the data the agents gather. In addition, Wazuh is fully integrated with the Elastic Stack, which provides a search engine and data visualization tools for browsing its security alerts.
Wazuh provides features including log data analysis, intrusion and malware detection, file integrity monitoring, configuration assessment, vulnerability detection, and regulatory compliance support.
2. Components and architecture of the Wazuh platform
The Wazuh platform consists of three main components: the Wazuh agent, the Wazuh server, and the Elastic Stack.
- Wazuh agent: installed on an endpoint such as a laptop, desktop, server, cloud instance, or virtual machine. It provides prevention, detection and response capabilities and supports Windows, Linux, macOS, HP-UX, Solaris and AIX.
- Wazuh server: analyzes the data received from the agents, processes it through decoders and rules, and uses threat intelligence to look for known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents and scales horizontally when set up as a cluster. The server is also used to manage the agents and to perform remote configuration and upgrades when necessary.
- Elastic Stack: indexes and stores the alerts generated by the Wazuh server. In addition, the integration between Wazuh and Kibana provides a powerful user interface for visualizing and analyzing the data. The interface can also be used to manage the Wazuh configuration and monitor its status.
The Wazuh architecture is shown in the following diagrams:
1. Overall architecture diagram
2. Component architecture of the agent
3. Server architecture
About the installation
You can follow the official manual to install step by step:
https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/all_in_one.html
The following components need to be installed separately:
- Wazuh manager
- Elasticsearch
- Filebeat
- Kibana
For convenience, I downloaded the Wazuh 4.1.5 OVA VM template image directly.
Download address:
https://packages.wazuh.com/4.x/vm/wazuh-4.1.5_1.13.2.ova
The following section describes deploying and trying out the Wazuh open source security platform.
1. Import the OVA VM
2. Log in to the VM as the root user and set the IP address
The default password of user root is wazuh
Changing the IP address is not covered in detail here.
Note: it is advisable to also change the server's time zone settings at this point.
3. Log in to the Wazuh web interface
The initial username and password are admin / admin.
The main interface (Kibana) looks as follows:
4. Deploy and register the Wazuh agent
Select the corresponding operating system version, set the IP address of the Wazuh server, and specify the agent group (I use the default group "default" here).
Then copy the generated command and run it on the client server (CentOS 7.9, 192.168.31.127):
sudo WAZUH_MANAGER='192.168.31.46' WAZUH_AGENT_GROUP='default' yum install https://packages.wazuh.com/4.x/yum/wazuh-agent-4.1.5-1.x86_64.rpm
Start the agent and enable it to start at boot:
systemctl start wazuh-agent
systemctl status wazuh-agent
systemctl enable wazuh-agent
5. Confirm that the agent is online
The agent is shown as online in the web interface.
You can also check the agents' connection status from the command line on the manager:
/var/ossec/bin/agent_control -l
6. Default modules on the home screen
Security events
SCA (CIS benchmark checks)
Integrity monitoring
On the Wazuh manager (server side), edit /var/ossec/etc/ossec.conf and change the <syscheck> section as shown below (the scan interval is reduced from the default 12 hours to 600 seconds so the test produces results quickly; the other syscheck settings stay as they are), then restart the manager:
vim /var/ossec/etc/ossec.conf
<syscheck>
  <disabled>no</disabled>
  <!-- Frequency that syscheck is executed default every 12 hours -->
  <frequency>600</frequency>
</syscheck>
systemctl restart wazuh-manager.service
On the Wazuh agent (client side), create a test file, for example a file named ll in /usr/bin/.
Force a syscheck scan:
/var/ossec/bin/ossec-syscheckd -f
The corresponding record then appears under Integrity Monitoring.
8. Vulnerability detection test
- Wazuh manager (server side): edit /var/ossec/etc/ossec.conf and enable vulnerability detection, i.e. set <enabled>yes</enabled> in the <vulnerability-detector> block and in the provider you need, such as the redhat provider.
- Wazuh agent (client side): edit /var/ossec/etc/ossec.conf and enable the syscollector module, which collects the system inventory (installed packages) that vulnerability detection matches against.
Because of network restrictions, the following warning is logged:
wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 7' database could not be fetched.
The RHEL 7 vulnerability feed cannot be downloaded. This can be solved with an offline update; see the following documentation page:
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/offline_update.html
I just downloaded it locally.
In the configuration file, point the Red Hat provider at the local feed file, then restart the manager:
<os path="/opt/rhel-7-patched-unpatched.oval.xml.bz2">7</os>
systemctl restart wazuh-manager.service
The vulnerability data is now visible.
9. VirusTotal integration: malware detection test
1) Register an account on the VirusTotal website to obtain an API key.
2) Wazuh manager (server side)
Add the following block at the bottom of the configuration file, then restart the manager:
vim /var/ossec/etc/ossec.conf
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>XXXXXX</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
systemctl restart wazuh-manager.service
3) Wazuh agent (client side)
Edit /var/ossec/etc/ossec.conf and add a directory to be monitored in real time under <syscheck>, for example /opt, then restart the agent:
vim /var/ossec/etc/ossec.conf
systemctl restart wazuh-agent
Then upload a malware sample to test detection, for example a cryptomining shell.sh script, to /opt/software.
4) Enable the VirusTotal module in the web interface.
The results can then be seen in the alerts:
VirusTotal API calls
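The three tests above (integrity monitoring, vulnerability detection and VirusTotal) all end up as JSON alerts in /var/ossec/logs/alerts/alerts.json on the manager. The following added example (not part of the original post or of Wazuh) shows how such alerts can be triaged offline; the alert lines are constructed, with placeholders for hash and CVE values, and use Wazuh's alert field layout (rule.groups, syscheck.*, data.vulnerability.*, data.virustotal.*).

```python
"""Triage Wazuh alerts.json lines from the FIM, vulnerability and VirusTotal
tests above.  Added example, not Wazuh's own code; the alerts are constructed
(hash/CVE values are placeholders) but the field names follow Wazuh's JSON
alert layout: rule.groups, syscheck.*, data.vulnerability.*, data.virustotal.*."""
import json

SAMPLE_ALERTS = [  # constructed sample alerts, one JSON object per line
    '{"rule":{"id":"554","level":5,"groups":["ossec","syscheck","syscheck_entry_added"]},'
    '"agent":{"name":"centos7"},"syscheck":{"path":"/usr/bin/ll","event":"added",'
    '"sha256_after":"<constructed-sha256>"}}',
    '{"rule":{"id":"23505","level":10,"groups":["vulnerability-detector"]},'
    '"agent":{"name":"centos7"},"data":{"vulnerability":{"cve":"CVE-0000-0001",'
    '"severity":"High","package":{"name":"example-pkg","version":"1.0-1.el7"}}}}',
    '{"rule":{"id":"87105","level":12,"groups":["virustotal"]},'
    '"agent":{"name":"centos7"},"data":{"virustotal":{"found":"1","malicious":"1",'
    '"positives":"43","total":"56","source":{"file":"/opt/software/shell.sh"}}}}',
]

def summarise(alert):
    """Map one alert to (kind, agent, detail); None for alerts we do not act on."""
    groups = alert.get("rule", {}).get("groups", [])
    agent = alert.get("agent", {}).get("name", "?")
    data = alert.get("data", {})
    if "syscheck" in groups:                       # file integrity monitoring
        sc = alert["syscheck"]
        return ("fim", agent,
                f'{sc["event"]} {sc["path"]} sha256={sc.get("sha256_after", "n/a")}')
    if "vulnerability-detector" in groups:         # syscollector inventory matched a CVE
        v, pkg = data["vulnerability"], data["vulnerability"]["package"]
        return ("vuln", agent, f'{v["cve"]} {v["severity"]} {pkg["name"]}-{pkg["version"]}')
    if "virustotal" in groups:                     # VirusTotal lookup of a new/changed file
        vt = data["virustotal"]
        if vt.get("malicious") != "1":             # clean or unknown hash: no action
            return None
        return ("malware", agent,
                f'{vt["source"]["file"]} {vt["positives"]}/{vt["total"]} engines')
    return None

def triage(lines):
    """Parse alerts.json lines and return the actionable summaries in order."""
    out = []
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue                               # skip blank or truncated lines
        item = summarise(alert)
        if item:
            out.append(item)
    return out
```

Run it against a copy of alerts.json (one JSON object per line) to get a compact list of file changes, vulnerable packages and files flagged by VirusTotal per agent.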
10. MITRE ATT&CK: SSH brute-force test
Use a Kali machine to run an SSH brute-force test against the agent host.
The brute-force logs and data appear on the MITRE ATT&CK page.
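As an added example (not from the original post or from Wazuh), the following script performs the kind of per-source, sliding-window counting that turns individual sshd "Failed password" lines into a brute-force alert like the one shown on the ATT&CK page; the log lines are constructed and the 8-failures-in-120-seconds threshold is an assumption.

```python
"""Sliding-window detector for sshd brute-force attempts, the kind of
correlation Wazuh performs for the ATT&CK test above.  Added example, not
Wazuh's own rule logic; the log lines are constructed and the threshold
(8 failures from one source within 120 s) is an assumption chosen here."""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

def parse_ts(stamp, year=2021):
    """syslog timestamps carry no year; assume one so lines can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(lines, threshold=8, window_s=120):
    """Return {src_ip: time the threshold was first reached}."""
    attempts = defaultdict(deque)       # ip -> timestamps of recent failures
    triggered = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                    # accepted logins and other lines are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = attempts[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                 # forget failures older than the window
        if len(q) >= threshold and ip not in triggered:
            triggered[ip] = ts
    return triggered

# Constructed sample log: nine failures from one host in 40 s, one stray failure
# from another host, and one successful key login that must not count.
SAMPLE_LOG = [
    f"Aug  1 10:00:{i:02d} centos7 sshd[{1000 + i}]: Failed password for invalid user "
    f"admin from 192.168.31.200 port {50000 + i} ssh2" for i in range(0, 45, 5)
] + [
    "Aug  1 10:00:30 centos7 sshd[1100]: Failed password for root from 192.168.31.50 port 5222 ssh2",
    "Aug  1 10:01:00 centos7 sshd[1101]: Accepted publickey for deploy from 192.168.31.10 port 5223 ssh2",
]

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute force from {ip}: threshold reached at {when:%H:%M:%S}")
```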
Conclusion:
Wazuh has many more features; refer to the official documentation for configuration and verification:
https://documentation.wazuh.com/current/index.html