# Wazuh Cheat Sheet
Wazuh is a comprehensive open-source security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. It combines intrusion detection, vulnerability assessment, configuration assessment, incident response, regulatory compliance and cloud security monitoring in a single platform.
## Installation and Configuration
### Server (Manager) Installation
**Ubuntu/Debian installation:**
```bash
# Download and install the Wazuh repository keyring
curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-keyring/wazuh-keyring_4.7.0-1_all.deb
sudo dpkg -i ./wazuh-keyring_4.7.0-1_all.deb
# Add the Wazuh apt repository (signed with the key installed above)
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list
# Update package information
sudo apt-get update
# Install Wazuh manager
sudo apt-get install wazuh-manager
# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
```
**CentOS/RHEL installation:**
```bash
# Import GPG key
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# Add Wazuh repository
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | sudo tee /etc/yum.repos.d/wazuh.repo
# Install Wazuh manager
sudo yum install wazuh-manager
# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
```
### Agent Installation
**Linux agent:**
```bash
# Download and install agent
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
sudo dpkg -i wazuh-agent_4.7.0-1_amd64.deb
# Configure manager IP (replaces the MANAGER_IP placeholder in the default ossec.conf)
sudo sed -i "s/MANAGER_IP/YOUR_MANAGER_IP/" /var/ossec/etc/ossec.conf
# Enable and start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```
**Windows agent:**
```powershell
# Download and install Windows agent
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"
# Start Wazuh agent service
NET START WazuhSvc
```
## Core Management Commands
### Manager Operations
**Service management:**
```bash
# Start/stop/restart Wazuh manager
sudo systemctl start wazuh-manager
sudo systemctl stop wazuh-manager
sudo systemctl restart wazuh-manager
# Check service status
sudo systemctl status wazuh-manager
# View service logs
sudo journalctl -u wazuh-manager -f
```
**Agent management:**
```bash
# List all agents
sudo /var/ossec/bin/manage_agents -l
# Add new agent (interactive)
sudo /var/ossec/bin/manage_agents -a
# Remove agent
sudo /var/ossec/bin/manage_agents -r AGENT_ID
# Extract agent key
sudo /var/ossec/bin/manage_agents -e AGENT_ID
# Import agent key (run on the agent)
sudo /var/ossec/bin/manage_agents -i
```
### Configuration Management
**Main configuration file:**
```bash
# Edit main configuration
sudo nano /var/ossec/etc/ossec.conf
# Test decoding and rule matching interactively (named ossec-logtest in pre-4.x releases)
sudo /var/ossec/bin/wazuh-logtest
# Apply configuration changes (the service unit has no reload action; restart the manager)
sudo systemctl restart wazuh-manager
```
**Rules and decoders:**
```bash
# Custom rules location
/var/ossec/etc/rules/local_rules.xml
# Custom decoders location
/var/ossec/etc/decoders/local_decoder.xml
# Test rules and decoders against sample log lines
sudo /var/ossec/bin/wazuh-logtest
```
## Log Analysis and Monitoring
### Real-time Log Monitoring
**Watch live logs:**
```bash
# Monitor alerts in real-time
sudo tail -f /var/ossec/logs/alerts/alerts.log
# Monitor JSON alerts
sudo tail -f /var/ossec/logs/alerts/alerts.json
# Monitor manager log lines about a specific agent
sudo tail -f /var/ossec/logs/ossec.log | grep "Agent ID"
```
**Log analysis commands:**
```bash
# Search for specific patterns
sudo grep "pattern" /var/ossec/logs/alerts/alerts.log
# Count alerts per rule level (alerts.log lines read "Rule: 5716 (level 5) -> '...'")
sudo grep -oE "\(level [0-9]+\)" /var/ossec/logs/alerts/alerts.log | sort | uniq -c
# Filter alerts by time range: alerts.json carries ISO timestamps, and the awk range
# prints from the first line matching the start date to the first line matching the end date
sudo awk '/2024-01-01/,/2024-01-02/' /var/ossec/logs/alerts/alerts.json
```
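The grep and awk one-liners above work on the text log; the JSON alert stream is easier to aggregate programmatically. The Python script below is an added example, not part of the original cheat sheet: it parses alerts.json lines, skips damaged lines (a truncated write should not abort a report), counts alerts by severity band and by agent, lists the top source IPs and filters by time range. The sample alert lines are constructed for the example, and the severity band thresholds are a choice made here, not a Wazuh constant.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample in the one-JSON-object-per-line shape of
# /var/ossec/logs/alerts/alerts.json; agents, IPs and times are made up.
SAMPLE_ALERTS = """\
{"timestamp":"2024-01-01T10:00:01.000+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.5"}}
{"timestamp":"2024-01-01T10:00:07.000+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.5"}}
{"timestamp":"2024-01-01T10:03:00.000+0000","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.5"}}
{"timestamp":"2024-01-02T08:15:00.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed."},"agent":{"id":"002","name":"db01"},"syscheck":{"path":"/etc/passwd"}}
{"timestamp":"2024-01-02T09:00:00.000+0000","rule":{"level":12,"id":"100010","description":"custom: suspicious binary"},"agent":{"id":"002","name":"db01"},"data":{"srcip":"198.51.100.9"}}
not-json line (truncated write) that a robust reader must skip
"""

# Severity bands used by this example (an assumption, not a Wazuh constant).
BANDS = (("low", 0, 6), ("medium", 7, 11), ("high", 12, 14), ("critical", 15, 99))


def parse_alerts(text):
    """Return the alerts that parse as JSON objects with a rule; skip damaged lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "rule" in obj:
            alerts.append(obj)
    return alerts


def severity(level):
    """Map a numeric rule level (0-16) onto one of the bands above."""
    for name, lo, hi in BANDS:
        if lo <= level <= hi:
            return name
    return "unknown"


def count_by_severity(alerts):
    return Counter(severity(int(a["rule"].get("level", 0))) for a in alerts)


def count_by_agent(alerts):
    # Alerts raised by the manager itself carry no agent name.
    return Counter(a.get("agent", {}).get("name", "manager") for a in alerts)


def top_source_ips(alerts, n=5):
    ips = Counter(a["data"]["srcip"] for a in alerts
                  if isinstance(a.get("data"), dict) and "srcip" in a["data"])
    return ips.most_common(n)


def parse_ts(ts):
    # alerts.json timestamps look like 2024-01-01T10:00:01.000+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def alerts_between(alerts, start, end):
    """Alerts with start <= timestamp < end (both ISO strings with UTC offset)."""
    s, e = parse_ts(start), parse_ts(end)
    return [a for a in alerts if s <= parse_ts(a["timestamp"]) < e]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("by severity:", dict(count_by_severity(alerts)))
    print("by agent:", dict(count_by_agent(alerts)))
    print("top sources:", top_source_ips(alerts))
    day1 = alerts_between(alerts, "2024-01-01T00:00:00.000+0000",
                          "2024-01-02T00:00:00.000+0000")
    print("alerts on 2024-01-01:", len(day1))
```

To run it against a real manager, replace `SAMPLE_ALERTS` with the contents of `/var/ossec/logs/alerts/alerts.json` (read as root); the functions take the parsed list, so the same code serves a cron report or an ad-hoc investigation.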
### Creating Custom Rules
**Basic rule structure:**
```xml
<group name="custom_rules,">
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>192.168.1.0/24</srcip>
    <description>SSH connection from internal network</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
</group>
```
**Advanced rule examples:**
```xml
<group name="custom_rules,">
  <rule id="100002" level="10" frequency="5" timeframe="300">
    <if_matched_sid>5716</if_matched_sid>
    <description>Multiple SSH authentication failures</description>
    <group>authentication_failures,pci_dss_11.4,</group>
  </rule>
  <rule id="100003" level="7">
    <if_sid>550</if_sid>
    <field name="file">/etc/passwd</field>
    <description>Critical system file modified</description>
    <group>syscheck,pci_dss_11.5,</group>
  </rule>
</group>
```
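A quick consistency check before restarting the manager catches the mistakes most often made in local_rules.xml. The Python linter below is an added example, not Wazuh tooling: it checks that rule IDs fall in the 100000-120000 range Wazuh reserves for custom rules, that IDs are unique, that every rule has a level in 0-16 and a description, and that group lists end with a trailing comma as the rules above do. The sample rules file it runs against is constructed and seeds three defects on purpose.

```python
import xml.etree.ElementTree as ET

CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 120000  # range Wazuh reserves for user rules

# Constructed local_rules.xml content with three deliberate defects:
# a duplicate ID, a group list without the trailing comma, and an ID
# that collides with the stock ruleset range.
SAMPLE_LOCAL_RULES = """\
<group name="custom_rules,">
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>192.168.1.0/24</srcip>
    <description>SSH connection from internal network</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
  <rule id="100001" level="7">
    <if_sid>550</if_sid>
    <field name="file">/etc/passwd</field>
    <description>Critical system file modified</description>
    <group>syscheck,pci_dss_11.5</group>
  </rule>
  <rule id="5717" level="3">
    <if_sid>5716</if_sid>
    <description>Overrides a stock rule ID</description>
  </rule>
</group>
"""


def parse_rules(text):
    """A Wazuh rules file may hold several <group> roots, so wrap it first."""
    root = ET.fromstring("<wazuh_rules>" + text + "</wazuh_rules>")
    rules = []
    for grp in root.findall("group"):
        for rule in grp.findall("rule"):
            rules.append((grp.get("name", ""), rule))
    return rules


def lint_rules(text):
    """Return a list of (rule_id, message) findings; an empty list means clean."""
    findings = []
    seen = set()
    for group_name, rule in parse_rules(text):
        rid = rule.get("id", "")
        if not rid.isdigit():
            findings.append((rid, "rule id is not numeric"))
            continue
        if not CUSTOM_ID_MIN <= int(rid) <= CUSTOM_ID_MAX:
            findings.append((rid, f"id outside custom range {CUSTOM_ID_MIN}-{CUSTOM_ID_MAX}"))
        if rid in seen:
            findings.append((rid, "duplicate rule id"))
        seen.add(rid)
        level = rule.get("level")
        if level is None or not level.isdigit() or not 0 <= int(level) <= 16:
            findings.append((rid, "level missing or outside 0-16"))
        if rule.find("description") is None:
            findings.append((rid, "missing <description>"))
        # Both the enclosing <group name="..."> and any <group> child use
        # comma-separated lists; the ruleset convention keeps a trailing comma.
        for g in [group_name] + [x.text or "" for x in rule.findall("group")]:
            if g and not g.endswith(","):
                findings.append((rid, f"group list '{g}' lacks trailing comma"))
    return findings


if __name__ == "__main__":
    for rid, msg in lint_rules(SAMPLE_LOCAL_RULES):
        print(f"rule {rid}: {msg}")
```

Run it over `/var/ossec/etc/rules/local_rules.xml` before `systemctl restart wazuh-manager`; an ID clash with the stock ruleset or a duplicate custom ID is otherwise only reported in ossec.log after the restart.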
## Vulnerability Assessment
### Vulnerability Detection Configuration
**Enable vulnerability detection:**
```xml
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
```
**Vulnerability scan commands:**
```bash
# Manual vulnerability scan
sudo /var/ossec/bin/wazuh-modulesd -f
# Check vulnerability database status
sudo /var/ossec/bin/wazuh-db .vulnerability sql "SELECT * FROM vuln_metadata;"
# View vulnerability alerts
sudo grep "vulnerability" /var/ossec/logs/alerts/alerts.log
```
## File Integrity Monitoring (FIM)
### FIM Configuration
**Basic FIM configuration:**
```xml
<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>
  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin,/boot</directories>
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  <directories realtime="yes">/etc</directories>
</syscheck>
```
**Advanced FIM options:**
```xml
<directories check_all="yes" realtime="yes" report_changes="yes">/etc/passwd</directories>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<ignore type="sregex">^/proc</ignore>
<ignore type="sregex">\.log$|\.tmp$</ignore>
```
## Active Response
### Active Response Configuration
**Basic active response:**
```xml
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5720</rules_id>
  <timeout>600</timeout>
</active-response>
```
**Custom active response script:**
```bash
#!/bin/bash
# /var/ossec/active-response/bin/custom-response.sh
# Legacy positional-argument interface (Wazuh < 4.2): action user ip alertid ruleid
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5
case "$ACTION" in
  add)
    # Block IP address
    iptables -I INPUT -s "$IP" -j DROP
    echo "Blocked IP: $IP" >> /var/log/custom-response.log
    ;;
  delete)
    # Unblock IP address (called by execd when <timeout> expires)
    iptables -D INPUT -s "$IP" -j DROP
    echo "Unblocked IP: $IP" >> /var/log/custom-response.log
    ;;
esac
```
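The bash script above uses the positional-argument interface of older releases. Since Wazuh 4.2, execd sends the request to the script as a single JSON line on stdin; for an `add` action the script must answer with a `check_keys` message on stdout and wait for execd's `continue` or `abort` reply before acting, which is how the manager tracks timeouts and avoids blocking the same address twice. The Python script below is an added example implementing that exchange, not Wazuh's own code or the page's: the file name custom-response.py is assumed, the log file is the one the bash script uses, the exchange is made injectable (send/receive/block/unblock callables) so it can be exercised without iptables, and the source IP is validated as an address before it reaches iptables, which the unquoted `$IP` in the bash version does not do.

```python
#!/usr/bin/env python3
"""Active-response script for the Wazuh 4.x JSON interface (version 1).

Added example; custom-response.py is an assumed file name under
/var/ossec/active-response/bin/. Sample messages in comments are constructed.
"""
import ipaddress
import json
import subprocess
import sys
from datetime import datetime

LOG_FILE = "/var/log/custom-response.log"   # same log file as the bash script
SCRIPT_NAME = "custom-response.py"          # assumed name, reported back to execd


def source_ip(request):
    """Extract and validate the alert's source IP; None if absent or not an address."""
    ip = request.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip")
    if not ip:
        return None
    try:
        return str(ipaddress.ip_address(ip))   # rejects anything that is not an IP
    except ValueError:
        return None


def check_keys_message(keys):
    """Message the script sends so execd can decide whether the key is already handled."""
    return {"version": 1,
            "origin": {"name": SCRIPT_NAME, "module": "active-response"},
            "command": "check_keys",
            "parameters": {"keys": keys}}


def handle(request_line, send, receive, block, unblock):
    """Process one execd request. send/receive talk to execd; block/unblock act.

    Returns a short status string so callers (and tests) can verify the flow.
    Request shape (constructed): {"version":1,"origin":{...},"command":"add",
      "parameters":{"extra_args":[],"alert":{...},"program":"..."}}
    """
    request = json.loads(request_line)
    ip = source_ip(request)
    if ip is None:
        return "ignored"
    command = request.get("command")
    if command == "add":
        send(json.dumps(check_keys_message([ip])))
        reply = json.loads(receive())
        if reply.get("command") != "continue":
            return "aborted"            # execd: key already active, do nothing
        block(ip)
        return "blocked"
    if command == "delete":             # sent by execd when <timeout> expires
        unblock(ip)
        return "unblocked"
    return "ignored"


def log(msg):
    with open(LOG_FILE, "a") as fh:
        fh.write(f"{datetime.now().isoformat()} {msg}\n")


def iptables(ip, flag):
    # Argument list rather than a shell string: the IP can never become extra options.
    subprocess.run(["iptables", flag, "INPUT", "-s", ip, "-j", "DROP"], check=True)
    log(("Blocked" if flag == "-I" else "Unblocked") + f" IP: {ip}")


def main():
    def send(text):
        sys.stdout.write(text + "\n")
        sys.stdout.flush()
    handle(sys.stdin.readline(), send, sys.stdin.readline,
           block=lambda ip: iptables(ip, "-I"),
           unblock=lambda ip: iptables(ip, "-D"))


if __name__ == "__main__":
    main()
```

To wire it in, reference the script from a `<command>` block in ossec.conf (with `<timeout_allowed>yes</timeout_allowed>` so the `delete` call is issued) and point an `<active-response>` block at that command, as in the configuration above.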
## API Management
### Using the Wazuh API
**Authentication:**
```bash
# Get an authentication token (-k accepts the default self-signed certificate)
curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true"
# Store the token for subsequent API calls
TOKEN=$(curl -s -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
```

```bash
# Get all agents
curl -k -X GET "https://localhost:55000/agents?pretty=true" -H "Authorization: Bearer $TOKEN"
# Get agent information
curl -k -X GET "https://localhost:55000/agents/001?pretty=true" -H "Authorization: Bearer $TOKEN"
# Get alerts
curl -k -X GET "https://localhost:55000/security/events?pretty=true" -H "Authorization: Bearer $TOKEN"
# Get rules
curl -k -X GET "https://localhost:55000/rules?pretty=true" -H "Authorization: Bearer $TOKEN"
```

## Cluster Configuration
### Multi-node Configuration
**Master node configuration:**
```xml
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>NODE_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```
**Worker node configuration:**
```xml
<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>MASTER_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```

## Performance Tuning
### Optimization Settings
**Manager performance:**
```xml
<global>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>wazuh@localhost</email_from>
  <email_to>admin@localhost</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
```
**Database optimization:**
```bash
# Raise the mmap limit required by the Wazuh indexer (OpenSearch)
echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
sysctl -w vm.max_map_count=262144
# Raise open-file limits for the wazuh user
echo 'wazuh soft nofile 65536' >> /etc/security/limits.conf
echo 'wazuh hard nofile 65536' >> /etc/security/limits.conf
```

## Troubleshooting
### Common Problems
**Agent connection problems:**
```bash
# Check agent status
sudo /var/ossec/bin/agent_control -l
# Restart agent 001 from the manager
sudo /var/ossec/bin/agent_control -R 001
# Check agent-related manager log lines
sudo tail -f /var/ossec/logs/ossec.log | grep "Agent"
```
**Performance problems:**
```bash
# Monitor resource usage
top -p $(pgrep -d',' wazuh)
# Check disk usage
du -sh /var/ossec/logs/*
du -sh /var/ossec/queue/*
# Monitor network connections
netstat -tulpn | grep wazuh
```
**Log analysis:**
```bash
# Check for errors
sudo grep -i error /var/ossec/logs/ossec.log
# Test rules and decoders with the legacy tester (verbose)
sudo /var/ossec/bin/wazuh-logtest-legacy -v
# Compile CDB lists
sudo /var/ossec/bin/wazuh-makelists
```

## Integration Examples
### SIEM Integration
**Splunk integration:**
```bash
# Configure Splunk forwarder (inputs.conf stanzas are bracketed)
echo "[monitor:///var/ossec/logs/alerts/alerts.json]" >> /opt/splunkforwarder/etc/apps/search/local/inputs.conf
# Restart Splunk forwarder
sudo /opt/splunkforwarder/bin/splunk restart
```
**ELK Stack integration:**
```yaml
# Filebeat configuration
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/ossec/logs/alerts/alerts.json
    json.keys_under_root: true
    json.add_error_key: true
output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "wazuh-alerts-%{+yyyy.MM.dd}"
```

## Security Best Practices
### Hardening Guidelines
**SSL/TLS configuration:**
```bash
# Generate SSL certificates (sslmanager.* is used by the agent enrollment service)
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /var/ossec/etc/sslmanager.key \
  -out /var/ossec/etc/sslmanager.cert
# Set proper permissions
sudo chmod 600 /var/ossec/etc/sslmanager.key
sudo chmod 644 /var/ossec/etc/sslmanager.cert
```
**Access control:**
```bash
# Create dedicated user
sudo useradd -r -s /bin/false wazuh-user
# Set file permissions
sudo chown -R wazuh:wazuh /var/ossec
sudo chmod -R 750 /var/ossec/etc
sudo chmod -R 640 /var/ossec/etc/*.conf
```
**Network security:**
```bash
# Configure firewall rules (1514: agent events, 1515: enrollment, 55000: API)
sudo ufw allow from AGENT_NETWORK to any port 1514
sudo ufw allow from AGENT_NETWORK to any port 1515
sudo ufw allow from ADMIN_NETWORK to any port 55000
```

This Wazuh guide covers installation, configuration, monitoring and advanced features for effective security information and event management.