
# Wazuh Cheatsheet

Wazuh is a comprehensive open-source security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. It combines intrusion detection, vulnerability assessment, configuration assessment, incident response, regulatory compliance and cloud security monitoring in a single platform.

## Installation and Setup

### Server Installation (Manager)

**Ubuntu/Debian installation:**

```bash
# Download and install the Wazuh repository keyring
curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-keyring/wazuh-keyring_4.7.0-1_all.deb
sudo dpkg -i ./wazuh-keyring_4.7.0-1_all.deb

# Register the repository (the keyring alone does not add an apt source)
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
  | sudo tee /etc/apt/sources.list.d/wazuh.list

# Update package information
sudo apt-get update

# Install Wazuh manager
sudo apt-get install wazuh-manager

# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
```

**CentOS/RHEL installation:**

```bash
# Import GPG key
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

# Add Wazuh repository
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' \
  | sudo tee /etc/yum.repos.d/wazuh.repo

# Install Wazuh manager
sudo yum install wazuh-manager

# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
```

### Agent Installation

**Linux agent:**

```bash
# Download and install the agent package
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
sudo dpkg -i wazuh-agent_4.7.0-1_amd64.deb

# Point the agent at the manager (the shipped ossec.conf carries the MANAGER_IP placeholder)
sudo sed -i "s/MANAGER_IP/YOUR_MANAGER_IP/" /var/ossec/etc/ossec.conf

# Enable and start the agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```

**Windows agent:**

```powershell
# Download and install the Windows agent
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"

# Start the Wazuh agent service
NET START WazuhSvc
```

## Core Management Commands

### Manager Operations

**Service management:**

```bash
# Start/stop/restart Wazuh manager
sudo systemctl start wazuh-manager
sudo systemctl stop wazuh-manager
sudo systemctl restart wazuh-manager

# Check service status
sudo systemctl status wazuh-manager

# View service logs
sudo journalctl -u wazuh-manager -f
```

**Agent management:**

```bash
# List all agents
sudo /var/ossec/bin/manage_agents -l

# Add a new agent (interactive)
sudo /var/ossec/bin/manage_agents -a

# Remove an agent
sudo /var/ossec/bin/manage_agents -r AGENT_ID

# Extract an agent key (to paste into the agent)
sudo /var/ossec/bin/manage_agents -e AGENT_ID

# Import an agent key (run on the agent)
sudo /var/ossec/bin/manage_agents -i
```

### Configuration Management

**Main configuration file:**

```bash
# Edit the main configuration
sudo nano /var/ossec/etc/ossec.conf

# Validate rules and decoders (wazuh-logtest reports XML/rule errors on start)
sudo /var/ossec/bin/wazuh-logtest

# Apply configuration changes (the manager service has no reload; restart it)
sudo systemctl restart wazuh-manager
```

**Rules and decoders:**

```bash
# Custom rules
sudo nano /var/ossec/etc/rules/local_rules.xml

# Custom decoders
sudo nano /var/ossec/etc/decoders/local_decoder.xml

# Test rules and decoders interactively against sample log lines
sudo /var/ossec/bin/wazuh-logtest
```

## Log Analysis and Monitoring

### Real-Time Log Monitoring

**Follow live logs:**

```bash
# Monitor alerts in real time
sudo tail -f /var/ossec/logs/alerts/alerts.log

# Monitor JSON alerts
sudo tail -f /var/ossec/logs/alerts/alerts.json

# Monitor manager log messages about agents
sudo tail -f /var/ossec/logs/ossec.log | grep "Agent ID"
```

**Log analysis commands:**

```bash
# Search for a specific pattern
sudo grep "pattern" /var/ossec/logs/alerts/alerts.log

# Count alerts (alerts.log carries exactly one "Rule: " line per alert)
sudo grep -c "Rule: " /var/ossec/logs/alerts/alerts.log

# Print alerts from the first 2024-01-01 entry up to the first 2024-01-02 entry
# (alerts.json carries ISO timestamps; alerts.log uses "2024 Jan 01" dates)
sudo awk '/"timestamp":"2024-01-01/,/"timestamp":"2024-01-02/' /var/ossec/logs/alerts/alerts.json
```
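As an added example that is not part of the original cheatsheet, the following POSIX shell functions extend the grep/awk one-liners above: they summarise an alerts.log stream by rule level, count alerts at or above a chosen level, and rank source IPs. The alert text is a constructed sample in the alerts.log format; pipe a real file into the functions instead.

```shell
#!/bin/sh
# Summarise Wazuh alerts.log by rule level and source IP (POSIX sh + awk).
# Constructed sample: three alerts in the layout alerts.log uses
# ("** Alert ..." header, location line, "Rule: ID (level N) -> '...'", "Src IP: ...").
SAMPLE_ALERTS=$(cat <<'EOF'
** Alert 1704067200.1: - syslog,sshd,authentication_failed,
2024 Jan 01 10:00:00 (web01) 192.168.1.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 203.0.113.5
** Alert 1704067260.2: mail - syslog,sshd,authentication_failures,
2024 Jan 01 10:01:00 (web01) 192.168.1.10->/var/log/auth.log
Rule: 5720 (level 10) -> 'sshd: Multiple authentication failures.'
Src IP: 203.0.113.5
** Alert 1704067320.3: - ossec,syscheck,
2024 Jan 01 10:02:00 (db01) 192.168.1.20->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
EOF
)

# Read alerts on stdin; print "LEVEL COUNT" lines, highest level first.
alerts_by_level() {
  awk '/^Rule: [0-9]+ \(level [0-9]+\)/ { lvl = $4; sub(/\)$/, "", lvl); c[lvl]++ }
       END { for (l in c) print l, c[l] }' | sort -rn
}

# Read alerts on stdin; print how many alerts have level >= $1.
count_alerts_min_level() {
  awk -v m="$1" '/^Rule: [0-9]+ \(level [0-9]+\)/ {
                   lvl = $4; sub(/\)$/, "", lvl); if (lvl + 0 >= m + 0) n++
                 }
                 END { print n + 0 }'
}

# Read alerts on stdin; print "COUNT IP" lines for the Src IP field, busiest first.
top_src_ips() {
  awk '/^Src IP: / { c[$3]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Stand-alone demo on the constructed sample. With a real file:
#   sudo cat /var/ossec/logs/alerts/alerts.log | alerts_by_level
printf '%s\n' "$SAMPLE_ALERTS" | alerts_by_level
printf '%s\n' "$SAMPLE_ALERTS" | top_src_ips
```

Because alerts.log writes one `Rule:` line per alert, these counts match `grep -c "Rule: "`; the functions only add the level and source breakdown that the one-liners lack.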
### Creating Custom Rules

**Basic rule structure:**

```xml
<!-- /var/ossec/etc/rules/local_rules.xml -->
<!-- Element names follow the Wazuh rule schema; the rule id and level are placeholders.
     User rule ids must fall in the 100000-120000 range. -->
<group name="local,sshd,">
  <rule id="100100" level="3">
    <if_sid>5716</if_sid>
    <srcip>192.168.1.0/24</srcip>
    <description>SSH connection from internal network</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
</group>
```

**Advanced rule examples:**

```xml
<group name="local,">
  <!-- Correlate repeated SSH failures from one source address;
       the frequency and timeframe values are placeholders -->
  <rule id="100101" level="10" frequency="5" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_srcip />
    <description>Multiple SSH authentication failures</description>
    <group>authentication_failures,pci_dss_11.4,</group>
  </rule>

  <!-- Escalate the generic FIM change alert (rule 550) for a critical file -->
  <rule id="100102" level="12">
    <if_sid>550</if_sid>
    <field name="file">/etc/passwd</field>
    <description>Critical system file modified</description>
    <group>syscheck,pci_dss_11.5,</group>
  </rule>
</group>
```

## Vulnerability Assessment

### Vulnerability Detection Setup

**Vulnerability detector configuration:**

```xml
<!-- ossec.conf, Wazuh 4.7 schema (replaced by <vulnerability-detection> in 4.8) -->
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>

  <!-- Ubuntu feed -->
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
```

**Vulnerability scanning commands:**

```bash
# Run the modules daemon in the foreground (debugging; a scan starts when run_on_start is yes)
sudo /var/ossec/bin/wazuh-modulesd -f

# Inspect the local CVE feed database (4.x path)
sudo sqlite3 /var/ossec/queue/vulnerabilities/cve.db ".tables"

# View vulnerability alerts
sudo grep "vulnerability" /var/ossec/logs/alerts/alerts.log
```

## File Integrity Monitoring (FIM)

### FIM Configuration

**Basic FIM setup:**

```xml
<syscheck>
  <disabled>no</disabled>
  <!-- Scheduled scan every 12 hours, plus a scan at start-up -->
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>

  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin,/boot</directories>

  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>

  <!-- Real-time monitoring of /etc (attribute assumed; the original element was lost in extraction) -->
  <directories realtime="yes">/etc</directories>
</syscheck>
```

**Advanced FIM options:**

```xml
<syscheck>
  <!-- Report the content diff for a single sensitive file -->
  <directories check_all="yes" report_changes="yes">/etc/passwd</directories>

  <!-- Windows registry monitoring -->
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>

  <!-- Regex-based exclusions -->
  <ignore type="sregex">^/proc</ignore>
  <ignore type="sregex">\.log$|\.tmp$</ignore>
</syscheck>
```

## Active Response

### Active Response Configuration

**Basic active response:**

```xml
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>local</location>
  <!-- Trigger on "sshd: Multiple authentication failures" and unblock after 10 minutes -->
  <rules_id>5720</rules_id>
  <timeout>600</timeout>
</active-response>
```

**Custom active response script:**

```bash
#!/bin/bash
# /var/ossec/active-response/bin/custom-response.sh
# Legacy positional interface: ACTION USER IP ALERTID RULEID.
# Wazuh 4.x agents pass the alert as JSON on stdin instead; keep the
# structure below if you migrate, but read the fields from stdin.
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

case "$ACTION" in
  add)
    # Block the source address
    iptables -I INPUT -s "$IP" -j DROP
    echo "Blocked IP: $IP (alert $ALERTID, rule $RULEID)" >> /var/log/custom-response.log
    ;;
  delete)
    # Unblock the source address when the timeout expires
    iptables -D INPUT -s "$IP" -j DROP
    echo "Unblocked IP: $IP (alert $ALERTID, rule $RULEID)" >> /var/log/custom-response.log
    ;;
esac
```

## API Management

### Wazuh API Usage

**Authentication:**

```bash
# Get an authentication token (default credentials shown; change them after installation)
curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true"

# Store the token for subsequent API calls
TOKEN=$(curl -s -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
```

**Common API endpoints:**

```bash
# Get all agents
curl -k -X GET "https://localhost:55000/agents?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get information about agent 001
curl -k -X GET "https://localhost:55000/agents/001?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get security events (alert documents themselves are stored in the Wazuh indexer, not served by this API)
curl -k -X GET "https://localhost:55000/security/events?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get rules
curl -k -X GET "https://localhost:55000/rules?pretty=true" -H "Authorization: Bearer $TOKEN"
```

## Cluster Configuration

### Multi-Node Setup

**Master node configuration:**

```xml
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <!-- 32-character shared key; replace with your own (e.g. openssl rand -hex 16) -->
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>NODE_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```

**Worker node configuration:**

```xml
<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <!-- Must match the master's key -->
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>MASTER_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```

## Performance Tuning

### Optimisation Settings

**Manager performance:**

```xml
<global>
  <!-- Do not archive every received event (archives.log / archives.json) -->
  <logall>no</logall>
  <logall_json>no</logall_json>

  <!-- E-mail alerting off; settings kept for when it is enabled -->
  <email_notification>no</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>wazuh@localhost</email_from>
  <email_to>admin@localhost</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>

  <!-- Agent disconnection handling -->
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
```

**Database optimisation:**

```bash
# Kernel setting required by the Wazuh indexer (OpenSearch) host
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf
sudo sysctl -w vm.max_map_count=262144

# Raise the open-file limit for the service account
echo 'wazuh soft nofile 65536' | sudo tee -a /etc/security/limits.conf
echo 'wazuh hard nofile 65536' | sudo tee -a /etc/security/limits.conf
```

## Troubleshooting

### Common Issues

**Connectivity problems:**

```bash
# List agents with their connection status
sudo /var/ossec/bin/agent_control -l

# Restart agent 001 remotely (confirms the manager-to-agent channel works)
sudo /var/ossec/bin/agent_control -R 001

# Check manager log messages about agents
sudo tail -f /var/ossec/logs/ossec.log | grep "Agent"
```

**Performance issues:**

```bash
# Monitor resource usage of the Wazuh processes
top -p $(pgrep -d',' wazuh)

# Check disk usage
du -sh /var/ossec/logs/*
du -sh /var/ossec/queue/*

# Monitor network listeners and connections
netstat -tulpn | grep wazuh
```

**Log analysis:**

```bash
# Check for errors
sudo grep -i error /var/ossec/logs/ossec.log

# Check that all manager daemons are running
sudo /var/ossec/bin/wazuh-control status

# Check rule and decoder loading (errors are reported on start)
sudo /var/ossec/bin/wazuh-logtest
```

## Integration Examples

### SIEM Integration

**Splunk integration:**

```bash
# Configure the Splunk forwarder to monitor JSON alerts
echo "monitor:///var/ossec/logs/alerts/alerts.json" >> /opt/splunkforwarder/etc/apps/search/local/inputs.conf

# Restart the Splunk forwarder
sudo /opt/splunkforwarder/bin/splunk restart
```

**ELK stack integration:**

```yaml
# Filebeat configuration
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/ossec/logs/alerts/alerts.json
    json.keys_under_root: true
    json.add_error_key: true

output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "wazuh-alerts-%{+yyyy.MM.dd}"
```

## Security Best Practices

### Hardening Guidelines

**SSL/TLS configuration:**

```bash
# Generate the manager certificate used for agent enrollment
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /var/ossec/etc/sslmanager.key \
  -out /var/ossec/etc/sslmanager.cert

# Set proper permissions
sudo chmod 600 /var/ossec/etc/sslmanager.key
sudo chmod 644 /var/ossec/etc/sslmanager.cert
```

**Access control:**

```bash
# Create a dedicated, non-interactive user
sudo useradd -r -s /bin/false wazuh-user

# Set file permissions
sudo chown -R wazuh:wazuh /var/ossec
sudo chmod -R 750 /var/ossec/etc
sudo chmod -R 640 /var/ossec/etc/*.conf
```

**Network security:**

```bash
# Configure firewall rules
sudo ufw allow from AGENT_NETWORK to any port 1514   # agent communication
sudo ufw allow from AGENT_NETWORK to any port 1515   # agent enrollment
sudo ufw allow from ADMIN_NETWORK to any port 55000  # Wazuh API
```

This comprehensive Wazuh cheatsheet covers installation, configuration, monitoring and advanced features for effective security information and event management.