Wazuh Cheatsheet
Wazuh is an open-source security platform that provides unified XDR and SIEM capabilities for endpoints and cloud workloads. It combines intrusion detection, vulnerability assessment, configuration assessment, incident response, regulatory compliance, and cloud security monitoring in a single platform. A deployment has three central components: the Wazuh server (manager), the Wazuh indexer and the Wazuh dashboard. This sheet targets the 4.7 packages and covers the manager and the agents.
Installation and Setup
Server Installation (Manager)
Ubuntu/Debian Installation:
bash
# Import the Wazuh GPG key and add the apt repository (the documented 4.x repository setup)
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
# Update package information
sudo apt-get update
# Install Wazuh manager (pin a version, e.g. wazuh-manager=4.7.0-1, for reproducible installs)
sudo apt-get install wazuh-manager
# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
CentOS/RHEL Installation:
bash
# Import GPG key
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# Add Wazuh repository
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | sudo tee /etc/yum.repos.d/wazuh.repo
# Install Wazuh manager
sudo yum install wazuh-manager
# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
Agent Installation
Linux Agent:
bash
# Download the agent package and point it at the manager at install time (WAZUH_MANAGER is read by the package scripts)
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
sudo WAZUH_MANAGER="YOUR_MANAGER_IP" dpkg -i wazuh-agent_4.7.0-1_amd64.deb
# Alternatively, replace the MANAGER_IP placeholder in <client><server><address> after installing
sudo sed -i "s/MANAGER_IP/YOUR_MANAGER_IP/" /var/ossec/etc/ossec.conf
# Enable and start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Windows Agent:
powershell
# Download and install Windows agent
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"
# Start Wazuh agent service
NET START WazuhSvc
Core Management Commands
Manager Operations
Service Management:
bash
# Start/stop/restart Wazuh manager
sudo systemctl start wazuh-manager
sudo systemctl stop wazuh-manager
sudo systemctl restart wazuh-manager
# Check service status
sudo systemctl status wazuh-manager
# View service logs
sudo journalctl -u wazuh-manager -f
Agent Management:
bash
# List all agents with their IDs, names and IPs
sudo /var/ossec/bin/manage_agents -l
# Add a new agent (run without arguments for the interactive menu)
sudo /var/ossec/bin/manage_agents -a AGENT_IP -n AGENT_NAME
# Remove agent
sudo /var/ossec/bin/manage_agents -r AGENT_ID
# Extract the agent's key so it can be pasted on the agent
sudo /var/ossec/bin/manage_agents -e AGENT_ID
# Import that key (run on the agent, then restart wazuh-agent)
sudo /var/ossec/bin/manage_agents -i "BASE64_KEY_FROM_MANAGER"
# Preferred over copying keys by hand: enrol through wazuh-authd on TCP/1515 (run on the agent)
sudo /var/ossec/bin/agent-auth -m MANAGER_IP -A AGENT_NAME
Configuration Management
Main Configuration File:
bash
# Edit main configuration
sudo nano /var/ossec/etc/ossec.conf
# Validate the analysisd configuration, rules and decoders before restarting (exit status is non-zero on error)
sudo /var/ossec/bin/wazuh-analysisd -t
# Apply changes: the service has no reload action, a restart is required
sudo systemctl restart wazuh-manager
Rules and Decoders:
bash
# Custom rules location (IDs 100000-120000 are reserved for custom rules)
/var/ossec/etc/rules/local_rules.xml
# Custom decoders location
/var/ossec/etc/decoders/local_decoder.xml
# Test rules and decoders interactively: paste a raw log line and see which decoder and rule match (ossec-logtest was renamed in 4.x)
sudo /var/ossec/bin/wazuh-logtest
Log Analysis and Monitoring
Real-time Log Monitoring
View Active Logs:
bash
# Monitor alerts in real-time
sudo tail -f /var/ossec/logs/alerts/alerts.log
# Monitor JSON alerts (one alert per line; this is what the indexer and integrations consume)
sudo tail -f /var/ossec/logs/alerts/alerts.json
# Follow alerts from one agent (alerts carry the agent id; ossec.log holds the manager's own messages, not agent events)
sudo tail -f /var/ossec/logs/alerts/alerts.json | grep '"agent":{"id":"001"'
Log Analysis Commands:
bash
# Search for specific patterns
sudo grep "pattern" /var/ossec/logs/alerts/alerts.log
# Count alerts by level (every alert carries "Rule: <id> (level <n>)"; a bare grep -c "Rule: " only gives the total)
sudo grep -oE '\(level [0-9]+\)' /var/ossec/logs/alerts/alerts.log | sort | uniq -c | sort -rn
# Filter alerts by time range (alerts.log dates are "2024 Jan 01 10:00:01"; alerts.json timestamps are ISO 8601 and compare as strings)
sudo jq -c 'select(.timestamp >= "2024-01-01T00:00:00" and .timestamp < "2024-01-02T00:00:00")' /var/ossec/logs/alerts/alerts.json
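The greps above get coarse quickly. The following is an added example, not one of the page's commands and not Wazuh project code, that does the same triage over alerts.json in Python: count by level, rank rules, slice a time window and attribute sshd failures to source IPs. The sample lines are constructed to mirror the alerts.json layout (the field names are the ones Wazuh writes), and the parser skips the partial last line that a live file usually ends with.

```python
"""Triage of /var/ossec/logs/alerts/alerts.json, where each line is one alert.

Added example, not Wazuh project code. SAMPLE_ALERTS is constructed to mirror
the alerts.json layout; the field names (timestamp, rule.id, rule.level,
rule.description, agent.id, data.srcip) are the ones Wazuh writes.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample: three SSH failures, one SSH success, one FIM change and a
# truncated line (alerts.json is usually read while analysisd is still appending).
SAMPLE_ALERTS = "\n".join([
    '{"timestamp":"2024-01-01T10:00:01.000+0000","rule":{"id":"5716","level":5,"description":"sshd: authentication failed."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.5"}}',
    '{"timestamp":"2024-01-01T10:00:05.000+0000","rule":{"id":"5716","level":5,"description":"sshd: authentication failed."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.5"}}',
    '{"timestamp":"2024-01-01T10:00:09.000+0000","rule":{"id":"5716","level":5,"description":"sshd: authentication failed."},"agent":{"id":"002","name":"db01"},"data":{"srcip":"198.51.100.7"}}',
    '{"timestamp":"2024-01-01T10:01:00.000+0000","rule":{"id":"5715","level":3,"description":"sshd: authentication success."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"192.0.2.10"}}',
    '{"timestamp":"2024-01-01T11:30:00.000+0000","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"002","name":"db01"},"syscheck":{"path":"/etc/passwd","event":"modified"}}',
    '{"timestamp":"2024-01-01T11:31',
])


def parse_alerts(text):
    """Return alert dicts, skipping lines that are not complete JSON objects."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial last line or rotation artefact
    return alerts


def parse_ts(ts):
    """alerts.json timestamps look like 2024-01-01T10:00:01.000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def count_by_level(alerts):
    return Counter(a["rule"]["level"] for a in alerts)


def top_rules(alerts, n=5):
    """Most frequent (rule id, description, count) triples, highest count first."""
    c = Counter((a["rule"]["id"], a["rule"]["description"]) for a in alerts)
    return [(rid, desc, hits) for (rid, desc), hits in c.most_common(n)]


def in_window(alerts, start, end):
    """Alerts with start <= timestamp < end, both given in the alerts.json format."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [a for a in alerts if lo <= parse_ts(a["timestamp"]) < hi]


def failures_by_srcip(alerts, rule_id="5716"):
    """Source IPs behind a given rule, e.g. who is hammering sshd."""
    return Counter(a["data"]["srcip"] for a in alerts
                   if a["rule"]["id"] == rule_id and "srcip" in a.get("data", {}))


def agent_alerts(alerts, agent_id):
    return [a for a in alerts if a.get("agent", {}).get("id") == agent_id]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("by level:", dict(count_by_level(alerts)))
    print("top rules:", top_rules(alerts, 3))
    print("sshd failures by source:", dict(failures_by_srcip(alerts)))
```

Point it at the real file with `parse_alerts(open("/var/ossec/logs/alerts/alerts.json").read())`; for large files, iterate line by line instead of reading everything.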
Custom Rules Creation
Basic Rule Structure:
xml
<!-- Custom rules live in local_rules.xml inside a <group>; IDs 100000-120000 are reserved for them -->
<group name="custom_rules,">
  <rule id="100001" level="5">
    <!-- 5715 is "sshd: authentication success."; 5716 is the failure rule -->
    <if_sid>5715</if_sid>
    <srcip>192.168.1.0/24</srcip>
    <description>SSH login from internal network</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
</group>
Advanced Rule Examples:
xml
<group name="custom_rules,">
  <!-- Failed login attempts: 5 failures from the same source within 300 s.
       Without <same_source_ip /> five failures from five unrelated hosts would also fire.
       Built-in rule 5720 already correlates 5716 (frequency 8 in 120 s); this one fires earlier. -->
  <rule id="100002" level="10" frequency="5" timeframe="300">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSH authentication failures from $(srcip)</description>
    <group>authentication_failures,pci_dss_11.4,</group>
  </rule>
  <!-- File integrity monitoring: 550 is "Integrity checksum changed."; <field> is a regex, so anchor it
       or /etc/passwd- (the backup file) matches too -->
  <rule id="100003" level="7">
    <if_sid>550</if_sid>
    <field name="file">^/etc/passwd$</field>
    <description>Critical system file modified</description>
    <group>syscheck,pci_dss_11.5,</group>
  </rule>
</group>
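An added example, not analysisd's own code, of what the `frequency`, `timeframe` and `same_source_ip` attributes above mean in practice. The correlator reproduces the documented semantics over constructed sshd failure events, and the three event streams show why rule 100002 needs `<same_source_ip />` to mean "one attacker" rather than "five unrelated typos across the fleet". The threshold is modelled as exactly `frequency` matches; confirm the precise count for your manager with wazuh-logtest.

```python
"""How a composite rule's <frequency>, <timeframe> and <same_source_ip/> combine,
modelled over constructed decoded sshd events.

Added example that reproduces the documented semantics; it is not analysisd's
own code. Events are (timestamp_seconds, matched_rule_id, srcip) tuples that a
parent rule such as 5716 would have produced.
"""
from collections import defaultdict, deque


def composite_rule_hits(events, parent_sid, frequency, timeframe, same_source_ip=False):
    """Return (timestamp, key) for each firing of a rule declared as

        <rule id="100002" level="10" frequency="F" timeframe="T">
          <if_matched_sid>parent_sid</if_matched_sid>
          <same_source_ip />   (optional)

    A sliding window of parent-rule matches is kept per source IP when
    same_source_ip is set, otherwise one window for all sources. The rule fires
    when `frequency` matches fall inside `timeframe` seconds; the window is then
    cleared so one burst yields one alert rather than one per extra failure.
    """
    windows = defaultdict(deque)
    hits = []
    for ts, sid, srcip in sorted(events):
        if sid != parent_sid:
            continue  # only events matched by the parent rule are correlated
        key = srcip if same_source_ip else "*"
        window = windows[key]
        window.append(ts)
        while window and ts - window[0] > timeframe:
            window.popleft()  # drop matches older than the timeframe
        if len(window) >= frequency:
            hits.append((ts, key))
            window.clear()
    return hits


# Constructed event streams
ONE_SOURCE_BURST = [(t, "5716", "203.0.113.5") for t in (0, 10, 20, 30, 40)]
FIVE_SOURCES = [(t, "5716", f"198.51.100.{i}") for i, t in enumerate((0, 10, 20, 30, 40), start=1)]
SLOW_DRIP = [(t, "5716", "203.0.113.5") for t in (0, 200, 400, 600, 800)]
MIXED = ONE_SOURCE_BURST + [(15, "5715", "203.0.113.5")]  # a success in the middle is ignored


if __name__ == "__main__":
    for name, ev in [("one source", ONE_SOURCE_BURST), ("five sources", FIVE_SOURCES), ("slow drip", SLOW_DRIP)]:
        print(name, "same_source_ip:", composite_rule_hits(ev, "5716", 5, 300, True),
              "global:", composite_rule_hits(ev, "5716", 5, 300, False))
```

The slow drip never fires because the window holds at most two failures 200 s apart; an attacker who knows the timeframe can stay under it, which is why level-5 single failures are still worth keeping in the indexer.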
Vulnerability Assessment
Vulnerability Detection Setup
Enable Vulnerability Detection:
xml
<!-- 4.7 syntax; in 4.8+ this block was replaced by <vulnerability-detection> and the feeds move to the indexer -->
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<!-- Enable one provider per OS family you actually run; trusty and xenial are end-of-life.
     The default ossec.conf also enables the nvd provider, which supplies CVSS scores. -->
<provider name="canonical">
<enabled>yes</enabled>
<os>bionic</os>
<os>focal</os>
<os>jammy</os>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
Vulnerability Scanning Commands:
bash
# There is no one-shot scan command: wazuh-modulesd runs the detector every <interval>, and with
# <run_on_start>yes a restart of the manager triggers a run (wazuh-modulesd -f only runs the daemon in the foreground)
sudo systemctl restart wazuh-manager
# Query the CVEs detected on an agent through the API (TOKEN from the API section)
curl -k -X GET "https://localhost:55000/vulnerability/001?pretty=true" -H "Authorization: Bearer $TOKEN"
# Or read the per-agent database directly: last scan times and the detected CVEs
sudo sqlite3 /var/ossec/queue/db/001.db "SELECT * FROM vuln_metadata;"
sudo sqlite3 /var/ossec/queue/db/001.db "SELECT cve, name, version, severity FROM vuln_cves;"
# View vulnerability alerts (they belong to the vulnerability-detector rule group)
sudo grep '"vulnerability-detector"' /var/ossec/logs/alerts/alerts.json
File Integrity Monitoring (FIM)
FIM Configuration
Basic FIM Setup:
xml
<syscheck>
<disabled>no</disabled>
<!-- Scheduled scan every 12 hours, plus one at startup -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Directories to monitor: /etc in real time, the rest on the scheduled scan (list a path once; a second plain <directories>/etc entry would shadow the realtime one) -->
<directories realtime="yes">/etc</directories>
<directories>/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
</syscheck>
Advanced FIM Options:
xml
<!-- Monitor with specific attributes -->
<directories check_all="yes" realtime="yes" report_changes="yes">/etc/passwd</directories>
<!-- Windows registry monitoring -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<!-- Ignore files by pattern -->
<ignore type="sregex">^/proc</ignore>
<ignore type="sregex">\.log$|\.tmp$</ignore>
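An added example, not Wazuh's syscheck, showing in miniature what the attributes above do: `check_all` as hash, size and mode per file, `ignore type="sregex"` as a regular expression over the path, and `report_changes` as a stored copy that yields a diff. `demo()` builds a throwaway tree under a temporary directory, so every path and file in it is constructed.

```python
"""A miniature of what syscheck's check_all / report_changes / ignore do:
hash, size and mode per file, ignore patterns applied as regexes (what
type="sregex" does), and a unified diff for modified text files.

Added example, not Wazuh's syscheck. demo() builds a throwaway tree under a
temporary directory, so everything here is constructed.
"""
import difflib
import hashlib
import os
import re
import stat
import tempfile


def scan(root, ignore_patterns=()):
    """Baseline every regular file under root, keeping the text so a later
    compare() can report the actual change (report_changes="yes")."""
    ignores = [re.compile(p) for p in ignore_patterns]
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if any(rx.search(path) for rx in ignores):
                continue
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            baseline[path] = {"sha256": hashlib.sha256(data).hexdigest(),
                              "size": st.st_size,
                              "mode": stat.S_IMODE(st.st_mode),
                              "text": data.decode("utf-8", "replace")}
    return baseline


def compare(before, after):
    """Return {path: (event, changed_attributes, diff)}, the same three facts a
    FIM alert carries in syscheck.event, syscheck.changed_attributes and syscheck.diff."""
    events = {}
    for path in after.keys() - before.keys():
        events[path] = ("added", [], "")
    for path in before.keys() - after.keys():
        events[path] = ("deleted", [], "")
    for path in before.keys() & after.keys():
        changed = [k for k in ("sha256", "size", "mode") if before[path][k] != after[path][k]]
        if not changed:
            continue
        diff = ""
        if "sha256" in changed:
            diff = "\n".join(difflib.unified_diff(
                before[path]["text"].splitlines(), after[path]["text"].splitlines(),
                "before", "after", lineterm=""))
        events[path] = ("modified", changed, diff)
    return events


def _write(path, text, mode=0o644):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Baseline a fake /etc, tamper with it, and return the events keyed by relative path."""
    ignore = [r"/mtab$", r"\.log$"]  # same intent as the <ignore type="sregex"> entries
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/bash\n")
        _write(os.path.join(etc, "sudoers"), "root ALL=(ALL) ALL\n")
        _write(os.path.join(etc, "mtab"), "proc /proc proc rw 0 0\n")
        before = scan(root, ignore)
        # Tampering: account appended, sudoers permissions changed, new file dropped in,
        # and churn in files the ignore list should suppress.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("eve:x:1001:1001::/home/eve:/bin/bash\n")
        os.chmod(os.path.join(etc, "sudoers"), 0o600)
        _write(os.path.join(etc, "new.conf"), "x=1\n")
        _write(os.path.join(etc, "mtab"), "proc /proc proc rw 0 0\ntmpfs /tmp tmpfs rw 0 0\n")
        _write(os.path.join(etc, "app.log"), "noise\n")
        after = scan(root, ignore)
        return {os.path.relpath(p, root): ev for p, ev in compare(before, after).items()}


if __name__ == "__main__":
    for path, (event, changed, diff) in sorted(demo().items()):
        print(path, event, changed)
        if diff:
            print(diff)
```

Real syscheck also records owner, group, inode and mtime and can attribute the change to a process and user with `whodata="yes"`, which is what you want on /etc/sudoers; the hash-and-mode comparison above is the minimum it always does.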
Active Response
Active Response Configuration
Basic Active Response:
xml
<active-response>
<disabled>no</disabled>
<command>firewall-drop</command>
<location>local</location>
<rules_id>5720</rules_id>
<timeout>600</timeout>
</active-response>
Custom Active Response Script (Wazuh 4.2+ passes the alert as JSON on stdin; the old argv interface shown in older guides no longer works):
bash
#!/bin/bash
# /var/ossec/active-response/bin/custom-response.sh
# Register it in ossec.conf with
#   <command><name>custom-response</name><executable>custom-response.sh</executable><timeout_allowed>yes</timeout_allowed></command>
# and reference <command>custom-response</command> from an <active-response> block.
# wazuh-execd runs the script as root and writes one JSON line to stdin; jq must be installed on the agent.
LOG=/var/ossec/logs/active-responses.log
read -r INPUT
ACTION=$(printf '%s' "$INPUT" | jq -r '.command')
IP=$(printf '%s' "$INPUT" | jq -r '.parameters.alert.data.srcip // empty')
RULEID=$(printf '%s' "$INPUT" | jq -r '.parameters.alert.rule.id')
# Never hand an unvalidated alert field to iptables: accept only IPv4/IPv6 characters
[[ "$IP" =~ ^[0-9a-fA-F.:]+$ ]] || { echo "$(date) no usable srcip for rule $RULEID" >> "$LOG"; exit 1; }
case "$ACTION" in
add)
  # Stateful handshake: report the key we act on and wait for execd to answer "continue" or "abort"
  printf '{"version":1,"origin":{"name":"custom-response.sh","module":"active-response"},"command":"check_keys","parameters":{"keys":["%s"]}}\n' "$IP"
  read -r ANSWER
  [ "$(printf '%s' "$ANSWER" | jq -r '.command')" = "continue" ] || exit 0
  # Block IP address
  iptables -I INPUT -s "$IP" -j DROP
  echo "$(date) Blocked IP: $IP (rule $RULEID)" >> "$LOG"
  ;;
delete)
  # execd re-sends the same alert with command "delete" once <timeout> expires
  iptables -D INPUT -s "$IP" -j DROP
  echo "$(date) Unblocked IP: $IP (rule $RULEID)" >> "$LOG"
  ;;
esac
API Management
Wazuh API Usage
Authentication:
bash
# Obtain a JWT (POST; the default wazuh/wazuh credentials must be changed, and -k is only acceptable until the API certificate is trusted)
curl -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true"
# Store the token for later calls (it expires after 900 s by default)
TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
Common API Endpoints:
bash
# Get all agents (paginate with offset/limit; data.total_affected_items gives the total)
curl -k -X GET "https://localhost:55000/agents?pretty=true&limit=500&offset=0" -H "Authorization: Bearer $TOKEN"
# Get agent information
curl -k -X GET "https://localhost:55000/agents/001?pretty=true" -H "Authorization: Bearer $TOKEN"
# Manager and daemon status (alerts are not served by this API; query the indexer's wazuh-alerts-* indices instead)
curl -k -X GET "https://localhost:55000/manager/status?pretty=true" -H "Authorization: Bearer $TOKEN"
# Get rules
curl -k -X GET "https://localhost:55000/rules?pretty=true" -H "Authorization: Bearer $TOKEN"
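The same flow in Python, as an added example that is not Wazuh's own client: HTTP Basic login to get the JWT, bearer-token calls, and walking `/agents` with `offset`/`limit` until `total_affected_items` is reached. The `transport(method, url, headers)` callable is an assumed seam so the logic runs offline against `fake_transport`, a constructed stand-in for a manager with three agents; pass `urllib_transport` for a real manager. The response envelope (`data.affected_items`, `data.total_affected_items`, `error`) is the one the 4.x API returns.

```python
"""Token authentication and offset/limit pagination against the Wazuh API.

Added example, not Wazuh's own client. transport(method, url, headers) is an
assumed seam returning (status, body); fake_transport is a constructed manager
with three agents so the code runs offline, urllib_transport talks to a real one.
"""
import base64
import json
import ssl
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen


def urllib_transport(method, url, headers, insecure=False):
    """Real HTTPS transport; insecure=True mirrors curl -k (only until the API cert is trusted)."""
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()
    try:
        with urlopen(Request(url, method=method, headers=headers), context=ctx) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:  # 4xx/5xx still carry a JSON body worth reading
        return err.code, err.read().decode()


class WazuhAPI:
    def __init__(self, base_url, transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def login(self, user, password):
        """POST /security/user/authenticate with HTTP Basic; keeps the JWT (900 s lifetime by default)."""
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, body = self.transport("POST", f"{self.base_url}/security/user/authenticate",
                                      {"Authorization": f"Basic {cred}"})
        if status != 200:
            raise RuntimeError(f"authentication failed: HTTP {status}")
        self.token = json.loads(body)["data"]["token"]
        return self.token

    def get(self, path, **params):
        """GET with the bearer token and unwrap the {data, message, error} envelope."""
        url = f"{self.base_url}{path}" + (f"?{urlencode(params)}" if params else "")
        status, body = self.transport("GET", url, {"Authorization": f"Bearer {self.token}"})
        if status == 401:
            raise PermissionError("token missing, expired or revoked; call login() again")
        envelope = json.loads(body)
        if status != 200 or envelope.get("error", 0) != 0:
            raise RuntimeError(envelope.get("message") or envelope.get("title") or f"HTTP {status}")
        return envelope["data"]

    def list_agents(self, page_size=500, **filters):
        """Walk /agents with offset/limit until total_affected_items items have been fetched."""
        items, offset = [], 0
        while True:
            data = self.get("/agents", offset=offset, limit=page_size, **filters)
            page = data["affected_items"]
            items.extend(page)
            offset += len(page)
            if not page or offset >= data["total_affected_items"]:
                return items


# Constructed stand-in for a manager with three agents, so page_size=2 needs two requests.
FAKE_AGENTS = [{"id": "000", "name": "manager", "status": "active"},
               {"id": "001", "name": "web01", "status": "active"},
               {"id": "002", "name": "db01", "status": "disconnected"}]
FAKE_TOKEN = "constructed.jwt.token"


def fake_transport(method, url, headers):
    """Answers like the 4.x API would, offline. Records every call in fake_transport.calls."""
    fake_transport.calls.append((method, url))
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if u.path == "/security/user/authenticate":
        good = "Basic " + base64.b64encode(b"wazuh:wazuh").decode()
        if method != "POST" or headers.get("Authorization") != good:
            return 401, json.dumps({"title": "Unauthorized"})
        return 200, json.dumps({"data": {"token": FAKE_TOKEN}, "error": 0})
    if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
        return 401, json.dumps({"title": "Unauthorized"})
    if u.path == "/agents":
        off, lim = int(q.get("offset", 0)), int(q.get("limit", 500))
        page = FAKE_AGENTS[off:off + lim]
        return 200, json.dumps({"data": {"affected_items": page, "total_affected_items": len(FAKE_AGENTS),
                                         "total_failed_items": 0, "failed_items": []},
                                "message": "All selected agents information was returned", "error": 0})
    return 404, json.dumps({"title": "Not Found"})


fake_transport.calls = []

if __name__ == "__main__":
    api = WazuhAPI("https://localhost:55000", fake_transport)
    api.login("wazuh", "wazuh")
    print([a["id"] for a in api.list_agents(page_size=2)])
```

Against a real manager: `WazuhAPI("https://MANAGER:55000", urllib_transport)`; catching `PermissionError` and re-running `login()` is how a long-running integration survives the 900 s token lifetime.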
Cluster Configuration
Multi-node Setup
Master Node Configuration:
xml
<cluster>
<name>wazuh</name>
<node_name>master-node</node_name>
<node_type>master</node_type>
<!-- 32-character shared secret, identical on every node; generate with: openssl rand -hex 16 -->
<key>c98b62a9b6169ac5f67dae55ae4a9088</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<!-- <nodes> always lists the master's address, on the master itself as well -->
<nodes>
<node>MASTER_IP</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
Worker Node Configuration:
xml
<cluster>
<name>wazuh</name>
<node_name>worker-node</node_name>
<node_type>worker</node_type>
<!-- same key as the master -->
<key>c98b62a9b6169ac5f67dae55ae4a9088</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>MASTER_IP</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
Performance Tuning
Optimization Settings
Manager Performance:
xml
<global>
<!-- Do not archive every received event; alerts.log/alerts.json are enough unless you need archives for forensics -->
<logall>no</logall>
<logall_json>no</logall_json>
<!-- E-mail alerting off; when it is on, cap the volume with email_maxperhour -->
<email_notification>no</email_notification>
<smtp_server>localhost</smtp_server>
<email_from>wazuh@localhost</email_from>
<email_to>admin@localhost</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<!-- Time without keepalives before an agent is marked disconnected, and the delay before alerting on it -->
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
Database Optimization:
bash
# vm.max_map_count is a bootstrap requirement of the Wazuh indexer (OpenSearch), not of the manager; set it on indexer nodes
echo 'vm.max_map_count=262144' | sudo tee /etc/sysctl.d/99-wazuh-indexer.conf
sudo sysctl -w vm.max_map_count=262144
# Open-file limits for systemd services come from the unit, not from /etc/security/limits.conf
sudo systemctl edit wazuh-indexer   # add: [Service]  LimitNOFILE=65536
sudo systemctl daemon-reload && sudo systemctl restart wazuh-indexer
Troubleshooting
Common Issues
Agent Connection Problems:
bash
# List agents with their connection status as the manager sees it
sudo /var/ossec/bin/agent_control -l
# Show one agent's details (last keepalive, version, OS)
sudo /var/ossec/bin/agent_control -i 001
# Restart a remote agent (-R restarts; it is not a connectivity test)
sudo /var/ossec/bin/agent_control -R 001
# On the agent: confirm it can reach the manager on 1514, then read its own log
nc -zv MANAGER_IP 1514
sudo grep -iE "connected to the server|error" /var/ossec/logs/ossec.log
Performance Issues:
bash
# Monitor resource usage of the manager daemons
top -p $(pgrep -d',' wazuh)
# Check disk usage of logs and queues
sudo du -sh /var/ossec/logs/* /var/ossec/queue/*
# Check listening ports (1514 agents, 1515 enrollment, 1516 cluster, 55000 API)
sudo ss -tulpn | grep -E ':(1514|1515|1516|55000)\b'
Log Analysis:
bash
# Check for errors
sudo grep -i error /var/ossec/logs/ossec.log
# Daemon status, then the counters analysisd and remoted expose (events received, alerts written, queue usage)
sudo /var/ossec/bin/wazuh-control status
sudo cat /var/ossec/var/run/wazuh-analysisd.state
sudo cat /var/ossec/var/run/wazuh-remoted.state
# Check rules and decoders for syntax errors; recompile CDB lists after editing them (ossec-makelists was renamed)
sudo /var/ossec/bin/wazuh-analysisd -t
sudo /var/ossec/bin/wazuh-makelists
Integration Examples
SIEM Integration
Splunk Integration:
bash
# Add a monitor stanza for the JSON alerts (inputs.conf needs the [monitor://...] header; a bare path is ignored)
sudo tee -a /opt/splunkforwarder/etc/apps/search/local/inputs.conf <<'EOF'
[monitor:///var/ossec/logs/alerts/alerts.json]
sourcetype = wazuh
EOF
# The forwarder runs as its own user: it needs read access to /var/ossec/logs/alerts (e.g. membership in the wazuh group)
# Restart Splunk forwarder
sudo /opt/splunkforwarder/bin/splunk restart
ELK Stack Integration:
yaml
# Filebeat configuration
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/ossec/logs/alerts/alerts.json
json.keys_under_root: true
json.add_error_key: true
output.elasticsearch:
hosts: ["localhost:9200"]
index: "wazuh-alerts-%{+yyyy.MM.dd}"
Security Best Practices
Hardening Guidelines
SSL/TLS Configuration:
bash
# This key pair is what wazuh-authd presents to agents enrolling on TCP/1515; the package ships a self-signed one.
# Regenerate it, or better, have it signed by your own CA so agents can verify it via <server_ca_path> in their <enrollment> block
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /var/ossec/etc/sslmanager.key \
-out /var/ossec/etc/sslmanager.cert
# Set proper permissions
sudo chmod 600 /var/ossec/etc/sslmanager.key
sudo chmod 644 /var/ossec/etc/sslmanager.cert
# Encryption alone does not stop rogue enrollments: set <use_password>yes</use_password> in <auth> with the
# password in /var/ossec/etc/authd.pass (root:wazuh, mode 640), or require agent certificates with <ssl_agent_ca>
Access Control:
bash
# The packages already create the wazuh user and group and set ownership and mode file by file;
# a recursive chown/chmod of /var/ossec breaks the manager (many binaries and config files must stay root-owned)
# Verify instead of rewriting: sensitive files are root:wazuh and not world-readable
ls -l /var/ossec/etc/ossec.conf /var/ossec/etc/client.keys
# If permissions have been altered, reinstalling the package restores them
sudo apt-get install --reinstall wazuh-manager
# Change the default API users (wazuh, wazuh-wui) via the API's /security/users endpoints or the dashboard before exposing port 55000
Network Security:
bash
# Agents need 1514 (events, TCP by default in 4.x) and 1515 (enrollment); cluster nodes talk on 1516; the API listens on 55000
sudo ufw allow from AGENT_NETWORK to any port 1514 proto tcp
sudo ufw allow from AGENT_NETWORK to any port 1515 proto tcp
sudo ufw allow from CLUSTER_NETWORK to any port 1516 proto tcp
sudo ufw allow from ADMIN_NETWORK to any port 55000 proto tcp
This cheatsheet covers Wazuh 4.7 installation, configuration, monitoring, and advanced features for security information and event management; check the release notes before moving to 4.8 or later, where the vulnerability detector configuration changed.