Wazuh 치트시트
Wazuh는 엔드포인트 및 클라우드 워크로드를 위한 통합된 XDR 및 SIEM 보호를 제공하는 포괄적인 오픈 소스 보안 플랫폼입니다. 단일 플랫폼에서 침입 탐지, 취약성 평가, 구성 평가, 인시던트 대응, 규정 준수 및 클라우드 보안 모니터링을 결합합니다.
설치 및 설정
서버 설치 (관리자)
Ubuntu/Debian 설치:
# Download and install Wazuh repository
curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-keyring/wazuh-keyring_4.7.0-1_all.deb
sudo dpkg -i ./wazuh-keyring_4.7.0-1_all.deb
# Update package information
sudo apt-get update
# Install Wazuh manager
sudo apt-get install wazuh-manager
# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-managerCentOS/RHEL 설치:
# Import GPG key
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# Add Wazuh repository
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1'|sudo tee /etc/yum.repos.d/wazuh.repo
# Install Wazuh manager
sudo yum install wazuh-manager
# Enable and start Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager에이전트 설치
Linux 에이전트:
# Download and install agent
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
sudo dpkg -i wazuh-agent_4.7.0-1_amd64.deb
# Configure manager IP
sudo sed -i "s/MANAGER_IP/YOUR_MANAGER_IP/" /var/ossec/etc/ossec.conf
# Enable and start agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agentWindows 에이전트:
# Download and install Windows agent
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi -OutFile wazuh-agent.msi
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="YOUR_MANAGER_IP"
# Start Wazuh agent service
NET START WazuhSvc핵심 관리 명령
관리자 작업
서비스 관리:
# Start/stop/restart Wazuh manager
sudo systemctl start wazuh-manager
sudo systemctl stop wazuh-manager
sudo systemctl restart wazuh-manager
# Check service status
sudo systemctl status wazuh-manager
# View service logs
sudo journalctl -u wazuh-manager -f에이전트 관리:
# List all agents
sudo /var/ossec/bin/manage_agents -l
# Add new agent
sudo /var/ossec/bin/manage_agents -a
# Remove agent
sudo /var/ossec/bin/manage_agents -r AGENT_ID
# Extract agent key
sudo /var/ossec/bin/manage_agents -e AGENT_ID
# Import agent key
sudo /var/ossec/bin/manage_agents -i구성 관리
주 구성 파일:
# Edit main configuration
sudo nano /var/ossec/etc/ossec.conf
# Validate configuration
sudo /var/ossec/bin/ossec-logtest
# Reload configuration
sudo systemctl reload wazuh-manager규칙 및 디코더:
# Custom rules location
/var/ossec/etc/rules/local_rules.xml
# Custom decoders location
/var/ossec/etc/decoders/local_decoder.xml
# Test rules and decoders
sudo /var/ossec/bin/ossec-logtest로그 분석 및 모니터링
실시간 로그 모니터링
활성 로그 보기:
# Monitor alerts in real-time
sudo tail -f /var/ossec/logs/alerts/alerts.log
# Monitor JSON alerts
sudo tail -f /var/ossec/logs/alerts/alerts.json
# Monitor specific agent logs
sudo tail -f /var/ossec/logs/ossec.log|grep "Agent ID"로그 분석 명령:
# Search for specific patterns
sudo grep "pattern" /var/ossec/logs/alerts/alerts.log
# Count alerts by severity
sudo grep -c "Rule: " /var/ossec/logs/alerts/alerts.log
# Filter alerts by time range
sudo awk '/2024-01-01/,/2024-01-02/' /var/ossec/logs/alerts/alerts.log사용자 정의 규칙 생성
기본 규칙 구조:
<group name="custom_rules,">
<rule id="100001" level="5">
<if_sid>5716</if_sid>
<srcip>192.168.1.0/24</srcip>
<description>SSH connection from internal network</description>
<group>authentication_success,pci_dss_10.2.5,</group>
</rule>
</group>고급 규칙 예시:
<rule id="100002" level="10" frequency="5" timeframe="300">
<if_matched_sid>5716</if_matched_sid>
<description>Multiple SSH authentication failures</description>
<group>authentication_failures,pci_dss_11.4,</group>
</rule>
<rule id="100003" level="7">
<if_sid>550</if_sid>
<field name="file">/etc/passwd</field>
<description>Critical system file modified</description>
<group>syscheck,pci_dss_11.5,</group>
</rule>취약성 평가
취약성 탐지 설정
취약성 탐지 활성화:
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<provider name="canonical">
<enabled>yes</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>취약성 스캔 명령:
# Manual vulnerability scan
sudo /var/ossec/bin/wazuh-modulesd -f
# Check vulnerability database status
sudo /var/ossec/bin/wazuh-db .vulnerability sql "SELECT * FROM vuln_metadata;"
# View vulnerability alerts
sudo grep "vulnerability" /var/ossec/logs/alerts/alerts.log파일 무결성 모니터링 (FIM)
FIM 구성
기본 FIM 설정:
<syscheck>
<disabled>no</disabled>
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<directories realtime="yes">/etc</directories>
</syscheck>고급 FIM 옵션:
<directories check_all="yes" realtime="yes" report_changes="yes">/etc/passwd</directories>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<ignore type="sregex">^/proc</ignore>
<ignore type="sregex">\.log$|\.tmp$</ignore>액티브 대응
액티브 대응 구성
기본 액티브 대응:
<active-response>
<disabled>no</disabled>
<command>firewall-drop</command>
<location>local</location>
<rules_id>5720</rules_id>
<timeout>600</timeout>
</active-response>사용자 정의 액티브 대응 스크립트:
#!/bin/bash
# /var/ossec/active-response/bin/custom-response.sh
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5
case "$ACTION" in
add)
# Block IP address
iptables -I INPUT -s $IP -j DROP
echo "Blocked IP: $IP" >> /var/log/custom-response.log
;;
delete)
# Unblock IP address
iptables -D INPUT -s $IP -j DROP
echo "Unblocked IP: $IP" >> /var/log/custom-response.log
;;
esacAPI 관리
Wazuh API 사용
인증:
Would you like me to continue with the remaining sections or translations?```bash
Get authentication token
curl -u wazuh:wazuh -k -X GET “https://localhost:55000/security/user/authenticate?raw=true”
Use token for API calls
TOKEN=$(curl -u wazuh:wazuh -k -X GET “https://localhost:55000/security/user/authenticate?raw=true”)
```bash
# Get all agents
curl -k -X GET "https://localhost:55000/agents?pretty=true" -H "Authorization: Bearer $TOKEN"
# Get agent information
curl -k -X GET "https://localhost:55000/agents/001?pretty=true" -H "Authorization: Bearer $TOKEN"
# Get alerts
curl -k -X GET "https://localhost:55000/security/events?pretty=true" -H "Authorization: Bearer $TOKEN"
# Get rules
curl -k -X GET "https://localhost:55000/rules?pretty=true" -H "Authorization: Bearer $TOKEN"
```## 클러스터 구성
### 다중 노드 설정
**마스터 노드 구성:**
```xml
<cluster>
<name>wazuh</name>
<node_name>master-node</node_name>
<node_type>master</node_type>
<key>c98b62a9b6169ac5f67dae55ae4a9088</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>NODE_IP</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
```**워커 노드 구성:**
```xml
<cluster>
<name>wazuh</name>
<node_name>worker-node</node_name>
<node_type>worker</node_type>
<key>c98b62a9b6169ac5f67dae55ae4a9088</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>MASTER_IP</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
```## 성능 튜닝
### 최적화 설정
**관리자 성능:**
```xml
<global>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>localhost</smtp_server>
<email_from>wazuh@localhost</email_from>
<email_to>admin@localhost</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
```**데이터베이스 최적화:**
```bash
# Optimize database performance
echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
sysctl -w vm.max_map_count=262144
# Adjust memory settings
echo 'wazuh soft nofile 65536' >> /etc/security/limits.conf
echo 'wazuh hard nofile 65536' >> /etc/security/limits.conf
```## 문제 해결
### 일반적인 문제
**에이전트 연결 문제:**
```bash
# Check agent status
sudo /var/ossec/bin/agent_control -l
# Test connectivity
sudo /var/ossec/bin/agent_control -R 001
# Check agent logs
sudo tail -f /var/ossec/logs/ossec.log|grep "Agent"
```**성능 문제:**
```bash
# Monitor resource usage
top -p $(pgrep -d',' wazuh)
# Check disk usage
du -sh /var/ossec/logs/*
du -sh /var/ossec/queue/*
# Monitor network connections
netstat -tulpn|grep wazuh
```**로그 분석:**
```bash
# Check for errors
sudo grep -i error /var/ossec/logs/ossec.log
# Monitor queue status
sudo /var/ossec/bin/wazuh-logtest-legacy -v
# Check rule compilation
sudo /var/ossec/bin/ossec-makelists
```## 통합 예시
### SIEM 통합
**Splunk 통합:**
```bash
# Configure Splunk forwarder
echo "monitor:///var/ossec/logs/alerts/alerts.json" >> /opt/splunkforwarder/etc/apps/search/local/inputs.conf
# Restart Splunk forwarder
sudo /opt/splunkforwarder/bin/splunk restart
```**ELK 스택 통합:**
```yaml
# Filebeat configuration
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/ossec/logs/alerts/alerts.json
json.keys_under_root: true
json.add_error_key: true
output.elasticsearch:
hosts: ["localhost:9200"]
index: "wazuh-alerts-%\\\\{+yyyy.MM.dd\\\\}"
```## 보안 모범 사례
### 강화 지침
**SSL/TLS 구성:**
```bash
# Generate SSL certificates
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /var/ossec/etc/sslmanager.key \
-out /var/ossec/etc/sslmanager.cert
# Set proper permissions
sudo chmod 600 /var/ossec/etc/sslmanager.key
sudo chmod 644 /var/ossec/etc/sslmanager.cert
```**접근 제어:**
```bash
# Create dedicated user
sudo useradd -r -s /bin/false wazuh-user
# Set file permissions
sudo chown -R wazuh:wazuh /var/ossec
sudo chmod -R 750 /var/ossec/etc
sudo chmod -R 640 /var/ossec/etc/*.conf
```**네트워크 보안:**
```bash
# Configure firewall rules
sudo ufw allow from AGENT_NETWORK to any port 1514
sudo ufw allow from AGENT_NETWORK to any port 1515
sudo ufw allow from ADMIN_NETWORK to any port 55000
```</div>
이 포괄적인 Wazuh 치트시트는 효과적인 보안 정보 및 이벤트 관리를 위한 설치, 구성, 모니터링 및 고급 기능을 다룹니다.