Wazuh Cheatsheet¶
Wazuh ist eine umfassende Open-Source-Sicherheitsplattform, die einen einheitlichen XDR- und SIEM-Schutz für Endpunkte und Cloud-Workloads bietet. Sie kombiniert Intrusion Detection, Schwachstellenbewertung, Konfigurationsbewertung, Incident Response, regulatorische Compliance und Cloud-Sicherheitsüberwachung in einer einzigen Plattform.
## Installation und Einrichtung
### Server-Installation (Manager)
**Ubuntu/Debian-Installation:**
**CentOS/RHEL-Installation:**
### Agent-Installation
**Linux-Agent:**
**Windows-Agent:**
## Grundlegende Verwaltungsbefehle
### Manager-Operationen
**Service-Verwaltung:**
**Agent-Verwaltung:**
### Konfigurationsverwaltung
**Hauptkonfigurationsdatei:**
**Regeln und Decoder:**
## Protokollanalyse und Überwachung
### Echtzeit-Protokollüberwachung
**Aktive Protokolle anzeigen:**
**Protokollanalyse-Befehle:**
### Erstellung benutzerdefinierter Regeln
**Grundlegende Regelstruktur:**
**Erweiterte Regelbeispiele:**
## Schwachstellenbewertung
### Einrichtung der Schwachstellenerkennung
**Schwachstellenerkennung aktivieren:**
**Befehle zur Schwachstellensuche:**
## Dateiintegritätsüberwachung (FIM)
### FIM-Konfiguration
**Grundlegende FIM-Einrichtung:**
**Erweiterte FIM-Optionen:**
## Aktive Reaktion
### Konfiguration der aktiven Reaktion
**Grundlegende aktive Reaktion:**
**Benutzerdefiniertes Skript für aktive Reaktion:**
## API-Verwaltung
### Verwendung der Wazuh-API
**Authentifizierung:**
Would you like me to continue with the remaining sections or placeholders?```bash
# Get authentication token
curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true"
# Use token for API calls
TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
```**Häufige API-Endpunkte:**
```bash
# Get all agents
curl -k -X GET "https://localhost:55000/agents?pretty=true" -H "Authorization: Bearer $TOKEN"
# Get agent information
curl -k -X GET "https://localhost:55000/agents/001?pretty=true" -H "Authorization: Bearer $TOKEN"
# Get alerts
curl -k -X GET "https://localhost:55000/security/events?pretty=true" -H "Authorization: Bearer $TOKEN"
# Get rules
curl -k -X GET "https://localhost:55000/rules?pretty=true" -H "Authorization: Bearer $TOKEN"
```## Cluster-Konfiguration
```xml
wazuh
master-node
master
c98b62a9b6169ac5f67dae55ae4a9088
1516
0.0.0.0
NODE_IP
no
no
```### Multi-Node-Setup
```xml
wazuh
worker-node
worker
c98b62a9b6169ac5f67dae55ae4a9088
1516
0.0.0.0
MASTER_IP
no
no
```**Master-Node-Konfiguration:**
```xml
no
no
no
localhost
wazuh@localhost
admin@localhost
12
alerts.log
10m
0
```**Worker-Node-Konfiguration:**
```bash
# Optimize database performance
echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
sysctl -w vm.max_map_count=262144
# Adjust memory settings
echo 'wazuh soft nofile 65536' >> /etc/security/limits.conf
echo 'wazuh hard nofile 65536' >> /etc/security/limits.conf
```## Performance-Optimierung
```bash
# Check agent status
sudo /var/ossec/bin/agent_control -l
# Test connectivity
sudo /var/ossec/bin/agent_control -R 001
# Check agent logs
sudo tail -f /var/ossec/logs/ossec.log|grep "Agent"
```### Optimierungseinstellungen
```bash
# Monitor resource usage
top -p $(pgrep -d',' wazuh)
# Check disk usage
du -sh /var/ossec/logs/*
du -sh /var/ossec/queue/*
# Monitor network connections
netstat -tulpn|grep wazuh
```**Manager-Performance:**
```bash
# Check for errors
sudo grep -i error /var/ossec/logs/ossec.log
# Monitor queue status
sudo /var/ossec/bin/wazuh-logtest-legacy -v
# Check rule compilation
sudo /var/ossec/bin/ossec-makelists
```**Datenbank-Optimierung:**
```bash
# Configure Splunk forwarder
echo "monitor:///var/ossec/logs/alerts/alerts.json" >> /opt/splunkforwarder/etc/apps/search/local/inputs.conf
# Restart Splunk forwarder
sudo /opt/splunkforwarder/bin/splunk restart
```## Fehlerbehebung
```yaml
# Filebeat configuration
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/ossec/logs/alerts/alerts.json
json.keys_under_root: true
json.add_error_key: true
output.elasticsearch:
hosts: ["localhost:9200"]
index: "wazuh-alerts-%\\\\{+yyyy.MM.dd\\\\}"
```### Häufige Probleme
```bash
# Generate SSL certificates
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /var/ossec/etc/sslmanager.key \
-out /var/ossec/etc/sslmanager.cert
# Set proper permissions
sudo chmod 600 /var/ossec/etc/sslmanager.key
sudo chmod 644 /var/ossec/etc/sslmanager.cert
```**Agent-Verbindungsprobleme:**
```bash
# Create dedicated user
sudo useradd -r -s /bin/false wazuh-user
# Set file permissions
sudo chown -R wazuh:wazuh /var/ossec
sudo chmod -R 750 /var/ossec/etc
sudo chmod -R 640 /var/ossec/etc/*.conf
```**Performance-Probleme:**
```bash
# Configure firewall rules
sudo ufw allow from AGENT_NETWORK to any port 1514
sudo ufw allow from AGENT_NETWORK to any port 1515
sudo ufw allow from ADMIN_NETWORK to any port 55000
```**Log-Analyse:**
# Download and install Wazuh repository
curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-keyring/wazuh-keyring_4.7.0-1_all.deb
sudo dpkg -i ./wazuh-keyring_4.7.0-1_all.deb
# Update package information
sudo apt-get update
# Install Wazuh manager
sudo apt-get install wazuh-manager
# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
# Import GPG key
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# Add Wazuh repository
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1'|sudo tee /etc/yum.repos.d/wazuh.repo
# Install Wazuh manager
sudo yum install wazuh-manager
# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
# Download and install agent
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
sudo dpkg -i wazuh-agent_4.7.0-1_amd64.deb
# Configure manager IP
sudo sed -i "s/MANAGER_IP/YOUR_MANAGER_IP/" /var/ossec/etc/ossec.conf
# Enable and start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
# Download and install Windows agent
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"
# Start Wazuh agent service
NET START WazuhSvc
# Start/stop/restart Wazuh manager
sudo systemctl start wazuh-manager
sudo systemctl stop wazuh-manager
sudo systemctl restart wazuh-manager
# Check service status
sudo systemctl status wazuh-manager
# View service logs
sudo journalctl -u wazuh-manager -f
# List all agents
sudo /var/ossec/bin/manage_agents -l
# Add new agent
sudo /var/ossec/bin/manage_agents -a
# Remove agent
sudo /var/ossec/bin/manage_agents -r AGENT_ID
# Extract agent key
sudo /var/ossec/bin/manage_agents -e AGENT_ID
# Import agent key
sudo /var/ossec/bin/manage_agents -i
# Edit main configuration
sudo nano /var/ossec/etc/ossec.conf
# Validate configuration
sudo /var/ossec/bin/ossec-logtest
# Reload configuration
sudo systemctl reload wazuh-manager
# Custom rules location
/var/ossec/etc/rules/local_rules.xml
# Custom decoders location
/var/ossec/etc/decoders/local_decoder.xml
# Test rules and decoders
sudo /var/ossec/bin/ossec-logtest
# Monitor alerts in real-time
sudo tail -f /var/ossec/logs/alerts/alerts.log
# Monitor JSON alerts
sudo tail -f /var/ossec/logs/alerts/alerts.json
# Monitor specific agent logs
sudo tail -f /var/ossec/logs/ossec.log|grep "Agent ID"
# Search for specific patterns
sudo grep "pattern" /var/ossec/logs/alerts/alerts.log
# Count alerts by severity
sudo grep -c "Rule: " /var/ossec/logs/alerts/alerts.log
# Filter alerts by time range
sudo awk '/2024-01-01/,/2024-01-02/' /var/ossec/logs/alerts/alerts.log
<group name="custom_rules,">
<rule id="100001" level="5">
<if_sid>5716</if_sid>
<srcip>192.168.1.0/24</srcip>
<description>SSH connection from internal network</description>
<group>authentication_success,pci_dss_10.2.5,</group>
</rule>
</group>
<rule id="100002" level="10" frequency="5" timeframe="300">
<if_matched_sid>5716</if_matched_sid>
<description>Multiple SSH authentication failures</description>
<group>authentication_failures,pci_dss_11.4,</group>
</rule>
<rule id="100003" level="7">
<if_sid>550</if_sid>
<field name="file">/etc/passwd</field>
<description>Critical system file modified</description>
<group>syscheck,pci_dss_11.5,</group>
</rule>
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<provider name="canonical">
<enabled>yes</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
# Manual vulnerability scan
sudo /var/ossec/bin/wazuh-modulesd -f
# Check vulnerability database status
sudo /var/ossec/bin/wazuh-db .vulnerability sql "SELECT * FROM vuln_metadata;"
# View vulnerability alerts
sudo grep "vulnerability" /var/ossec/logs/alerts/alerts.log
<syscheck>
<disabled>no</disabled>
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<directories realtime="yes">/etc</directories>
</syscheck>
<directories check_all="yes" realtime="yes" report_changes="yes">/etc/passwd</directories>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<ignore type="sregex">^/proc</ignore>
<ignore type="sregex">\.log$|\.tmp$</ignore>
<active-response>
<disabled>no</disabled>
<command>firewall-drop</command>
<location>local</location>
<rules_id>5720</rules_id>
<timeout>600</timeout>
</active-response>
#!/bin/bash
# /var/ossec/active-response/bin/custom-response.sh
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5
case "$ACTION" in
add)
# Block IP address
iptables -I INPUT -s $IP -j DROP
echo "Blocked IP: $IP" >> /var/log/custom-response.log
;;
delete)
# Unblock IP address
iptables -D INPUT -s $IP -j DROP
echo "Unblocked IP: $IP" >> /var/log/custom-response.log
;;
esac