Aller au contenu

Feuille de chaleur Wazuh

Copier tous les commandes Wazuh Générer Wazuh PDF Guide
Wazuh est une plate-forme de sécurité ouverte qui offre une protection unifiée XDR et SIEM pour les terminaux et les charges de travail en nuage. Il combine la détection des intrusions, l'évaluation de la vulnérabilité, l'évaluation de la configuration, l'intervention en cas d'incident, la conformité à la réglementation et la surveillance de la sécurité du cloud dans une seule plateforme. ## Installation et configuration ### Installation du serveur (gestionnaire) **Ubuntu/Installation Debian :** 
# Download and install Wazuh repository
curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-keyring/wazuh-keyring_4.7.0-1_all.deb
sudo dpkg -i ./wazuh-keyring_4.7.0-1_all.deb

# Update package information
sudo apt-get update

# Install Wazuh manager
sudo apt-get install wazuh-manager

# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
**CentOS/RHEL Installation :** 
# Import GPG key
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

# Add Wazuh repository
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1'|sudo tee /etc/yum.repos.d/wazuh.repo

# Install Wazuh manager
sudo yum install wazuh-manager

# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
```_

### Installation de l'agent

** Agent Linux :**
```bash
# Download and install agent
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
sudo dpkg -i wazuh-agent_4.7.0-1_amd64.deb

# Configure manager IP
sudo sed -i "s/MANAGER_IP/YOUR_MANAGER_IP/" /var/ossec/etc/ossec.conf

# Enable and start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```_

**Agent Windows:**
```powershell
# Download and install Windows agent
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"

# Start Wazuh agent service
NET START WazuhSvc
## Commandements de gestion de base ### Gestionnaire des opérations **Gestion des services : ** 
# Start/stop/restart Wazuh manager
sudo systemctl start wazuh-manager
sudo systemctl stop wazuh-manager
sudo systemctl restart wazuh-manager

# Check service status
sudo systemctl status wazuh-manager

# View service logs
sudo journalctl -u wazuh-manager -f
**Gestion de l'agent : ** 
# List all agents
sudo /var/ossec/bin/manage_agents -l

# Add new agent
sudo /var/ossec/bin/manage_agents -a

# Remove agent
sudo /var/ossec/bin/manage_agents -r AGENT_ID

# Extract agent key
sudo /var/ossec/bin/manage_agents -e AGENT_ID

# Import agent key
sudo /var/ossec/bin/manage_agents -i
### Gestion de la configuration ** Configuration principale Dossier :** 
# Edit main configuration
sudo nano /var/ossec/etc/ossec.conf

# Validate configuration
sudo /var/ossec/bin/ossec-logtest

# Reload configuration
sudo systemctl reload wazuh-manager
**Règles et décors:** 
# Custom rules location
/var/ossec/etc/rules/local_rules.xml

# Custom decoders location
/var/ossec/etc/decoders/local_decoder.xml

# Test rules and decoders
sudo /var/ossec/bin/ossec-logtest
## Analyse et suivi des registres ### Surveillance des journaux en temps réel **Voir les journaux actifs :** 
# Monitor alerts in real-time
sudo tail -f /var/ossec/logs/alerts/alerts.log

# Monitor JSON alerts
sudo tail -f /var/ossec/logs/alerts/alerts.json

# Monitor specific agent logs
sudo tail -f /var/ossec/logs/ossec.log|grep "Agent ID"
**Commandes d'analyse de journal :** 
# Search for specific patterns
sudo grep "pattern" /var/ossec/logs/alerts/alerts.log

# Count alerts by severity
sudo grep -c "Rule: " /var/ossec/logs/alerts/alerts.log

# Filter alerts by time range
sudo awk '/2024-01-01/,/2024-01-02/' /var/ossec/logs/alerts/alerts.log
### Création de règles personnalisées ** Structure des règles de base :** 
<group name="custom_rules,">
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>192.168.1.0/24</srcip>
    <description>SSH connection from internal network</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
</group>
**Exemples de règles avancés :** 
<rule id="100002" level="10" frequency="5" timeframe="300">
  <if_matched_sid>5716</if_matched_sid>
  <description>Multiple SSH authentication failures</description>
  <group>authentication_failures,pci_dss_11.4,</group>
</rule>

<rule id="100003" level="7">
  <if_sid>550</if_sid>
  <field name="file">/etc/passwd</field>
  <description>Critical system file modified</description>
  <group>syscheck,pci_dss_11.5,</group>
</rule>
## Évaluation de la vulnérabilité ### Configuration de la détection de vulnérabilité ** Vulnérabilité activée Détection:** 
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>

  <provider name="canonical">
    <enabled>yes</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
** Commandes de numérisation de vulnérabilité :** 
# Manual vulnerability scan
sudo /var/ossec/bin/wazuh-modulesd -f

# Check vulnerability database status
sudo /var/ossec/bin/wazuh-db .vulnerability sql "SELECT * FROM vuln_metadata;"

# View vulnerability alerts
sudo grep "vulnerability" /var/ossec/logs/alerts/alerts.log
## Surveillance de l'intégrité des dossiers (IMF) ### FIM Configuration **Basic FIM Configuration:** 
<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>

  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin,/boot</directories>

  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>

  <directories realtime="yes">/etc</directories>
</syscheck>
**Advanced FIM Options** 
<directories check_all="yes" realtime="yes" report_changes="yes">/etc/passwd</directories>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>

<ignore type="sregex">^/proc</ignore>
<ignore type="sregex">\.log$|\.tmp$</ignore>
## Réponse active ### Configuration de la réponse active **Réponse active de base :** 
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5720</rules_id>
  <timeout>600</timeout>
</active-response>
**Script de réponse active personnalisée:** 
#!/bin/bash
# /var/ossec/active-response/bin/custom-response.sh

ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

case "$ACTION" in
  add)
    # Block IP address
    iptables -I INPUT -s $IP -j DROP
    echo "Blocked IP: $IP" >> /var/log/custom-response.log
    ;;
  delete)
    # Unblock IP address
    iptables -D INPUT -s $IP -j DROP
    echo "Unblocked IP: $IP" >> /var/log/custom-response.log
    ;;
esac
## Gestion de l'API ### API Wazuh Utilisation **Authentification:** 
# Get authentication token
curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true"

# Use token for API calls
TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
**Points de fin d'API communs:** 
# Get all agents
curl -k -X GET "https://localhost:55000/agents?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get agent information
curl -k -X GET "https://localhost:55000/agents/001?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get alerts
curl -k -X GET "https://localhost:55000/security/events?pretty=true" -H "Authorization: Bearer $TOKEN"

# Get rules
curl -k -X GET "https://localhost:55000/rules?pretty=true" -H "Authorization: Bearer $TOKEN"
## Configuration du groupe ### Configuration multinoeud ** Configuration du nœud maître :** 
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>NODE_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
** Configuration du nœud de travail:** 
<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>MASTER_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
## Analyse des performances ### Paramètres d'optimisation **Gestionnaire Rendement :** 
<global>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>wazuh@localhost</email_from>
  <email_to>admin@localhost</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
** Optimisation de la base de données :** 
# Optimize database performance
echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
sysctl -w vm.max_map_count=262144

# Adjust memory settings
echo 'wazuh soft nofile 65536' >> /etc/security/limits.conf
echo 'wazuh hard nofile 65536' >> /etc/security/limits.conf
## Dépannage ### Questions communes ** Problèmes de connexion avec l'agent :** 
# Check agent status
sudo /var/ossec/bin/agent_control -l

# Test connectivity
sudo /var/ossec/bin/agent_control -R 001

# Check agent logs
sudo tail -f /var/ossec/logs/ossec.log|grep "Agent"
**Questions relatives au rendement :** 
# Monitor resource usage
top -p $(pgrep -d',' wazuh)

# Check disk usage
du -sh /var/ossec/logs/*
du -sh /var/ossec/queue/*

# Monitor network connections
netstat -tulpn|grep wazuh
**Analyse du journal :** 
# Check for errors
sudo grep -i error /var/ossec/logs/ossec.log

# Monitor queue status
sudo /var/ossec/bin/wazuh-logtest-legacy -v

# Check rule compilation
sudo /var/ossec/bin/ossec-makelists
## Exemples d'intégration ### SIEM Intégration **Intégration des morceaux:** 
# Configure Splunk forwarder
echo "monitor:///var/ossec/logs/alerts/alerts.json" >> /opt/splunkforwarder/etc/apps/search/local/inputs.conf

# Restart Splunk forwarder
sudo /opt/splunkforwarder/bin/splunk restart
** Intégration des piles d'ELK :** 
# Filebeat configuration
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/ossec/logs/alerts/alerts.json
  json.keys_under_root: true
  json.add_error_key: true

output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "wazuh-alerts-%\\\\{+yyyy.MM.dd\\\\}"
## Pratiques exemplaires en matière de sécurité ### Lignes directrices pour le durcissement **SSL/TLS Configuration** 
# Generate SSL certificates
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /var/ossec/etc/sslmanager.key \
  -out /var/ossec/etc/sslmanager.cert

# Set proper permissions
sudo chmod 600 /var/ossec/etc/sslmanager.key
sudo chmod 644 /var/ossec/etc/sslmanager.cert
** Contrôle d'accès :** 
# Create dedicated user
sudo useradd -r -s /bin/false wazuh-user

# Set file permissions
sudo chown -R wazuh:wazuh /var/ossec
sudo chmod -R 750 /var/ossec/etc
sudo chmod -R 640 /var/ossec/etc/*.conf
**Sécurité du réseau:** 
# Configure firewall rules
sudo ufw allow from AGENT_NETWORK to any port 1514
sudo ufw allow from AGENT_NETWORK to any port 1515
sudo ufw allow from ADMIN_NETWORK to any port 55000

Cette Wazuh trichehep couvre l'installation, la configuration, la surveillance et les fonctionnalités avancées pour une gestion efficace des informations de sécurité et des événements.