
# Wazuh Quick Reference

Wazuh is a comprehensive open-source security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. It combines intrusion detection, vulnerability assessment, configuration assessment, incident response, regulatory compliance, and cloud security monitoring in a single platform.

## Installation and Setup

### Server (Manager) Installation

**Ubuntu/Debian installation:**
```bash
# Download and install the Wazuh keyring package
curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-keyring/wazuh-keyring_4.7.0-1_all.deb
sudo dpkg -i ./wazuh-keyring_4.7.0-1_all.deb

# Add the Wazuh apt repository (signed with the key installed above)
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

# Update package information
sudo apt-get update

# Install Wazuh manager
sudo apt-get install wazuh-manager

# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
```

Or install a specific manager package directly:
```bash
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-manager/wazuh-manager_4.3.10-1_amd64.deb
sudo dpkg -i ./wazuh-manager_4.3.10-1_amd64.deb
```

**RHEL/CentOS (yum) installation:**
```bash
# Import GPG key
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

# Add Wazuh repository
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | sudo tee /etc/yum.repos.d/wazuh.repo

# Install Wazuh manager
sudo yum install wazuh-manager

# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
```

Or install a specific manager package directly:
```bash
sudo rpm -ivh https://packages.wazuh.com/4.x/yum/wazuh-manager-4.3.10-1.x86_64.rpm
```

### Agent Installation

**Linux agent:**
```bash
# Download and install agent
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
sudo dpkg -i wazuh-agent_4.7.0-1_amd64.deb

# Configure manager IP (replace YOUR_MANAGER_IP with the manager's address)
sudo sed -i "s/MANAGER_IP/YOUR_MANAGER_IP/" /var/ossec/etc/ossec.conf

# Enable and start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```

Or install the RPM agent package directly:
```bash
curl -sO https://packages.wazuh.com/4.x/linux/wazuh-agent-4.3.10.x86_64.rpm
sudo rpm -ivh wazuh-agent-4.3.10.x86_64.rpm
```

**Windows agent:**
```powershell
# Download and install Windows agent
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"

# Start Wazuh agent service
NET START WazuhSvc
```

Or install a specific version silently (set the manager address in ossec.conf afterwards):
```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /qn
```

## Basic Management Commands

### Manager Operations

**Service management:**
```bash
# Start/stop/restart Wazuh manager
sudo systemctl start wazuh-manager
sudo systemctl stop wazuh-manager
sudo systemctl restart wazuh-manager

# Check service status
sudo systemctl status wazuh-manager

# View service logs
sudo journalctl -u wazuh-manager -f
```

All four actions take the same form: `sudo systemctl <start|stop|restart|status> wazuh-manager`.

**Agent management:**
```bash
# List all agents
sudo /var/ossec/bin/manage_agents -l

# Add new agent
sudo /var/ossec/bin/manage_agents -a

# Remove agent
sudo /var/ossec/bin/manage_agents -r AGENT_ID

# Extract agent key
sudo /var/ossec/bin/manage_agents -e AGENT_ID

# Import agent key
sudo /var/ossec/bin/manage_agents -i
```

Using agent_control:
```bash
/var/ossec/bin/agent_control -l      # list agents
/var/ossec/bin/agent_control -r -a   # restart all agents
```

### Configuration Management

**Main configuration file:**
```bash
# Edit main configuration
sudo nano /var/ossec/etc/ossec.conf

# Check that the ruleset and decoders load cleanly
# (ossec-logtest is named wazuh-logtest-legacy in Wazuh 4.x)
sudo /var/ossec/bin/wazuh-logtest-legacy -t

# Apply configuration changes (the manager unit has no reload action)
sudo systemctl restart wazuh-manager
```

**Rules and decoders:**
```bash
# Custom rules location
/var/ossec/etc/rules/local_rules.xml

# Custom decoders location
/var/ossec/etc/decoders/local_decoder.xml

# Test rules and decoders interactively: paste a log line and see
# which decoder and rule match it
sudo /var/ossec/bin/wazuh-logtest
```

## Log Analysis and Monitoring

### Real-time Log Monitoring

**Viewing active logs:**
```bash
# Monitor alerts in real-time
sudo tail -f /var/ossec/logs/alerts/alerts.log

# Monitor JSON alerts
sudo tail -f /var/ossec/logs/alerts/alerts.json

# Monitor manager log lines that mention a specific agent
sudo tail -f /var/ossec/logs/ossec.log | grep "Agent ID"
```

Active response actions are logged separately:
```bash
tail -f /var/ossec/logs/active-responses.log
```

**Log analysis commands:**
```bash
# Search for specific patterns
sudo grep "pattern" /var/ossec/logs/alerts/alerts.log

# Count alerts by severity (rule level)
sudo grep -o "(level [0-9]*)" /var/ossec/logs/alerts/alerts.log | sort | uniq -c | sort -rn

# Filter alerts by time range (alerts.log timestamps look like "2024 Jan 01 00:00:00")
sudo awk '/2024 Jan 01/,/2024 Jan 02/' /var/ossec/logs/alerts/alerts.log
```

Check that the ruleset loads without errors:
```bash
sudo /var/ossec/bin/wazuh-logtest-legacy -t   # test configuration (ossec-logtest -t in older releases)
```
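The counting one-liners above, extended into a small script: an added example that is not part of the original page. It summarises an alerts.log by rule level and by source IP so a burst at one level, or a single noisy source, stands out; the four alerts it runs on are constructed sample data, and `count_by_level` / `count_by_srcip` are names chosen here.

```bash
#!/bin/sh
# Added example (not from the original page): summarise alerts.log by rule
# level and by source IP so a burst at one level, or one noisy source,
# stands out. Sample alerts below are constructed, not real data.

write_sample() {   # writes four constructed alerts in alerts.log format to $1
cat > "$1" <<'EOF'
** Alert 1704067200.1001: - syslog,sshd,authentication_failed,
2024 Jan 01 00:00:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 203.0.113.7
Jan  1 00:00:00 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 5555 ssh2

** Alert 1704067260.1002: - syslog,sshd,authentication_failed,
2024 Jan 01 00:01:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 198.51.100.4
Jan  1 00:01:00 web01 sshd[1240]: Failed password for admin from 198.51.100.4 port 5556 ssh2

** Alert 1704067320.1003: - syslog,sshd,authentication_failed,
2024 Jan 01 00:02:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5712 (level 10) -> 'sshd: brute force trying to get access to the system.'
Src IP: 203.0.113.7
Jan  1 00:02:00 web01 sshd[1250]: Failed password for admin from 203.0.113.7 port 5557 ssh2

** Alert 1704067380.1004: - ossec,syscheck,
2024 Jan 01 00:03:00 (db01) 10.0.0.9->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/passwd' checksum changed.
EOF
}

# Alerts per rule level, highest level first, as "level count"
count_by_level() {
    grep -o '(level [0-9]*)' "$1" | tr -dc '0-9\n' | sort -n | uniq -c \
        | awk '{ print $2, $1 }' | sort -rn
}

# Alerts per source IP, busiest first, as "ip count" (alerts without a
# "Src IP:" line, such as syscheck events, are skipped)
count_by_srcip() {
    sed -n 's/^Src IP: \([0-9a-fA-F.:]*\)$/\1/p' "$1" | sort | uniq -c \
        | awk '{ print $2, $1 }' | sort -k2 -rn
}

SAMPLE=$(mktemp)
write_sample "$SAMPLE"
count_by_level "$SAMPLE"    # point both functions at /var/ossec/logs/alerts/alerts.log on a manager
count_by_srcip "$SAMPLE"
```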

### Creating Custom Rules

**Basic rule structure:**
```xml
<group name="custom_rules,">
  <!-- 5715 is "sshd: authentication success" (5716 is the failure rule) -->
  <rule id="100001" level="5">
    <if_sid>5715</if_sid>
    <srcip>192.168.1.0/24</srcip>
    <description>SSH connection from internal network</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
</group>
```

Minimal template (custom rule IDs start at 100000):
```xml
<rule id="100100" level="5">
    <if_sid>PARENT_RULE_ID</if_sid>
    <description>Custom rule</description>
</rule>
```

**Advanced rule examples:**
```xml
<rule id="100002" level="10" frequency="5" timeframe="300">
  <if_matched_sid>5716</if_matched_sid>
  <description>Multiple SSH authentication failures</description>
  <group>authentication_failures,pci_dss_11.4,</group>
</rule>

<rule id="100003" level="7">
  <if_sid>550</if_sid>
  <field name="file">/etc/passwd</field>
  <description>Critical system file modified</description>
  <group>syscheck,pci_dss_11.5,</group>
</rule>
```

Matching on a parent group instead of a rule ID:
```xml
<rule id="100101" level="10">
    <if_group>authentication_success</if_group>
    <description>Suspicious login</description>
</rule>
```

## Vulnerability Assessment

### Vulnerability Detection Setup

**Enable vulnerability detection:**
```xml
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>

  <provider name="canonical">
    <enabled>yes</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
```

Minimal form:
```xml
<vulnerability-detector>
    <enabled>yes</enabled>
</vulnerability-detector>
```

**Vulnerability scan commands:**
```bash
# Run wazuh-modulesd in the foreground to watch a scan (debugging)
sudo /var/ossec/bin/wazuh-modulesd -f

# Check vulnerability database status
sudo /var/ossec/bin/wazuh-db .vulnerability sql "SELECT * FROM vuln_metadata;"

# View vulnerability alerts
sudo grep "vulnerability" /var/ossec/logs/alerts/alerts.log
```

With `<run_on_start>yes</run_on_start>`, restarting the manager also triggers a scan:
```bash
sudo systemctl restart wazuh-manager
```

## File Integrity Monitoring (FIM)

### FIM Configuration

**Basic FIM setup:**
```xml
<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>

  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin,/boot</directories>

  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>

  <directories realtime="yes">/etc</directories>
</syscheck>
```

Minimal form:
```xml
<syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
</syscheck>
```

**Advanced FIM options:**
```xml
<directories check_all="yes" realtime="yes" report_changes="yes">/etc/passwd</directories>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>

<ignore type="sregex">^/proc</ignore>
<ignore type="sregex">\.log$|\.tmp$</ignore>
```

Excluding a path and setting the scan interval (in seconds):
```xml
<syscheck>
    <ignore>/path/to/exclude</ignore>
    <frequency>43200</frequency>
</syscheck>
```

## Active Response

### Active Response Configuration

**Basic active response:**
```xml
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5720</rules_id>
  <timeout>600</timeout>
</active-response>
```

Minimal form:
```xml
<active-response>
    <command>firewall-drop</command>
    <location>local</location>
</active-response>
```

**Custom active response script:**
```bash
#!/bin/bash
# /var/ossec/active-response/bin/custom-response.sh
# Positional-argument interface used by Wazuh releases before 4.2;
# from 4.2 on, execd passes a JSON message on stdin instead.

ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

case "$ACTION" in
  add)
    # Block IP address
    iptables -I INPUT -s "$IP" -j DROP
    echo "Blocked IP: $IP" >> /var/log/custom-response.log
    ;;
  delete)
    # Unblock IP address
    iptables -D INPUT -s "$IP" -j DROP
    echo "Unblocked IP: $IP" >> /var/log/custom-response.log
    ;;
esac
```
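The script above uses the positional arguments of older releases. As an added example that is not from the page or from the Wazuh project, the following script handles the JSON-on-stdin protocol that Wazuh 4.x execd uses (request, check_keys handshake, continue/abort reply) and validates the source IP before it reaches iptables; the message shape follows the Wazuh documentation, and `DRY_RUN`, `AR_DEMO` and `AR_LOG` are switches assumed here for local testing.

```bash
#!/bin/sh
# Added example, not the page's script: a Wazuh 4.x style active response.
# From 4.2 on, execd hands the script ONE JSON line on stdin (the page's
# $1..$5 layout is the older positional form) and, for "add", expects a
# check_keys request back, answering "continue" or "abort". The srcip is
# validated before it is ever passed to iptables. Assumed for testing:
# DRY_RUN=1 logs instead of calling iptables; AR_DEMO=1 (default) replays
# a constructed exchange instead of reading stdin.
LOG=${AR_LOG:-/var/log/custom-response.log}
log() { printf '%s\n' "$1" >> "$LOG"; }

# Top-level keys arrive as version, origin, command, parameters; anchoring
# at the start avoids picking up a "command" field nested inside the alert.
ar_command() { printf '%s\n' "$1" | sed -n 's/^{"version":[0-9]*,"origin":{[^}]*},"command":"\([a-z_]*\)".*/\1/p'; }
ar_srcip()   { printf '%s\n' "$1" | sed -n 's/.*"srcip":"\([^"]*\)".*/\1/p'; }
# Accept only a dotted quad with octets 0-255; anything else is rejected.
valid_ipv4() {
    printf '%s' "$1" | awk -F. 'NF==4 { ok=1; for (i=1;i<=4;i++) if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i>255) ok=0 } END { exit (ok ? 0 : 1) }'
}
firewall() {   # $1 = -I (block) or -D (unblock), $2 = validated IP
    if [ "${DRY_RUN:-0}" = 1 ]; then log "DRY RUN: iptables $1 INPUT -s $2 -j DROP"
    else iptables "$1" INPUT -s "$2" -j DROP; fi
}
run_ar() {     # reads execd's request (and its check_keys reply) from stdin
    read -r line || return 1
    cmd=$(ar_command "$line"); ip=$(ar_srcip "$line")
    valid_ipv4 "$ip" || { log "rejected invalid srcip '$ip'"; return 1; }
    case "$cmd" in
      add)
        printf '{"version":1,"origin":{"name":"custom-response.sh","module":"active-response"},"command":"check_keys","parameters":{"keys":["%s"]}}\n' "$ip"
        read -r reply || return 1
        [ "$(ar_command "$reply")" = continue ] || { log "aborted by execd for $ip"; return 0; }
        firewall -I "$ip"; log "blocked $ip" ;;
      delete) firewall -D "$ip"; log "unblocked $ip" ;;
      *)      log "unknown command '$cmd'"; return 1 ;;
    esac
}

# Constructed exchange: execd's add request (alert body trimmed) and its reply
SAMPLE_ADD='{"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"rule":{"id":"5720","level":10},"data":{"srcip":"203.0.113.7"}},"program":"custom-response.sh"}}'
SAMPLE_CONTINUE='{"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"continue","parameters":{}}'

if [ "${AR_DEMO:-1}" = 1 ]; then   # set AR_DEMO=0 in the deployed copy
    DRY_RUN=1; LOG=$(mktemp)
    printf '%s\n%s\n' "$SAMPLE_ADD" "$SAMPLE_CONTINUE" | run_ar > /dev/null
    cat "$LOG"
else
    run_ar
fi
```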

## API Management

### Using the Wazuh API

**Authentication:**
```bash
# Get authentication token (wazuh:wazuh are the default credentials; change them after install)
# -k skips TLS certificate verification: acceptable for a self-signed lab certificate, not for production
curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true"

# Store the token for later API calls
TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
```

**Common API calls:**
```bash
# Get all agents
curl -k -X GET "https://localhost:55000/agents?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get agent information
curl -k -X GET "https://localhost:55000/agents/001?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get alerts
curl -k -X GET "https://localhost:55000/security/events?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get rules
curl -k -X GET "https://localhost:55000/rules?pretty=true" -H "Authorization: Bearer $TOKEN"
```

## Cluster Configuration

### Multi-node Setup

**Master node configuration:**
```xml
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>  <!-- example value; every node must share the same 32-character key -->
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>NODE_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```

**Worker node configuration:**
```xml
<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>MASTER_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```

## Performance Tuning

### Optimization Settings

**Manager performance:**
```xml
<global>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>wazuh@localhost</email_from>
  <email_to>admin@localhost</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
```

**Database optimization:**
```bash
# Optimize database performance
echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
sysctl -w vm.max_map_count=262144

# Adjust memory settings
echo 'wazuh soft nofile 65536' >> /etc/security/limits.conf
echo 'wazuh hard nofile 65536' >> /etc/security/limits.conf
```

## Troubleshooting

### Common Problems

**Agent connection problems:**
```bash
# Check agent status
sudo /var/ossec/bin/agent_control -l

# Restart agent 001 from the manager (confirms the manager can reach it)
sudo /var/ossec/bin/agent_control -R 001

# Check agent logs
sudo tail -f /var/ossec/logs/ossec.log | grep "Agent"
```

**Performance problems:**
```bash
# Monitor resource usage
top -p $(pgrep -d',' wazuh)

# Check disk usage
du -sh /var/ossec/logs/*
du -sh /var/ossec/queue/*

# Monitor network connections
netstat -tulpn | grep wazuh
```

**Log analysis:**
```bash
# Check for errors
sudo grep -i error /var/ossec/logs/ossec.log

# Verbose rule debugging with the legacy logtest
sudo /var/ossec/bin/wazuh-logtest-legacy -v

# Rebuild the CDB lists referenced by rules
sudo /var/ossec/bin/ossec-makelists
```

## Integration Examples

### SIEM Integration

**Splunk integration:**
```bash
# Configure Splunk forwarder
echo "monitor:///var/ossec/logs/alerts/alerts.json" >> /opt/splunkforwarder/etc/apps/search/local/inputs.conf

# Restart Splunk forwarder
sudo /opt/splunkforwarder/bin/splunk restart
```

**ELK Stack integration:**
```yaml
# Filebeat configuration
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/ossec/logs/alerts/alerts.json
  json.keys_under_root: true
  json.add_error_key: true

output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "wazuh-alerts-%{+yyyy.MM.dd}"
```

## Security Best Practices

### Hardening Guidelines

**SSL/TLS configuration:**
```bash
# Generate SSL certificates
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /var/ossec/etc/sslmanager.key \
  -out /var/ossec/etc/sslmanager.cert

# Set proper permissions
sudo chmod 600 /var/ossec/etc/sslmanager.key
sudo chmod 644 /var/ossec/etc/sslmanager.cert
```

**Access control:**
```bash
# Create dedicated user
sudo useradd -r -s /bin/false wazuh-user

# Set file permissions
sudo chown -R wazuh:wazuh /var/ossec
sudo chmod -R 750 /var/ossec/etc
sudo chmod -R 640 /var/ossec/etc/*.conf
```

**Network security:**
```bash
# Configure firewall rules
sudo ufw allow from AGENT_NETWORK to any port 1514
sudo ufw allow from AGENT_NETWORK to any port 1515
sudo ufw allow from ADMIN_NETWORK to any port 55000
```

This reference covers Wazuh installation, configuration, monitoring, and advanced features for effective security information and event management.