wazuh / wazuh-packages

Wazuh - Tools for packages creation
https://wazuh.com
GNU General Public License v2.0
99 stars 90 forks

Added support for Vulnerability detection in WIA #2777

Closed c-bordon closed 6 months ago

c-bordon commented 6 months ago
Related issue
close https://github.com/wazuh/wazuh/issues/21413

Description

A function is added to modify ossec.conf, adding the parameters needed for the Vulnerability detection configuration.

Logs example

AIO: https://github.com/wazuh/wazuh/issues/21413#issuecomment-1894268410
Distributed (3 nodes for Wazuh indexer): https://github.com/wazuh/wazuh/issues/21413#issuecomment-1894408237
Distributed (1 node for Wazuh indexer): https://github.com/wazuh/wazuh/issues/21413#issuecomment-1894081252
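
To make concrete what the description above says the assistant now does, here is an added example in shell. It is not the wazuh-install.sh function from this PR; the function names, the argument order and the constructed sample ossec.conf are assumptions. It appends the same `<vulnerability-detection>` and `<indexer>` blocks that appear in the test logs below, parameterised on what differs between the AIO and distributed runs: the indexer URL, the admin credentials and the certificate file names under /etc/filebeat/certs. It refuses to add a second `<indexer>` block and rejects passwords containing `&` or `<`, which would need entity escaping to give valid XML.

```shell
#!/bin/sh
# Added example, not the wazuh-install.sh function from this PR: append the
# <vulnerability-detection> and <indexer> blocks shown in the PR's test logs
# to an ossec.conf.  Function names and argument order are assumptions.
#
# Usage: vd_configure <ossec.conf> <indexer-url> <user> <password> <node-name>
#   node-name is the certificate file prefix under /etc/filebeat/certs
#   (wazuh-server in the AIO run, server-1 in the distributed run).
vd_configure() {
    conf="$1"; host="$2"; user="$3"; pass="$4"; node="$5"
    certdir="/etc/filebeat/certs"

    # The password is written as XML text, so characters that would need
    # entity escaping are rejected instead of producing an invalid file.
    case "$pass" in
        *'&'*|*'<'*) echo "vd_configure: password must not contain & or <" >&2; return 1 ;;
    esac
    # Refuse to produce a second <indexer> block (assumption: one per file).
    if grep -q '<indexer>' "$conf"; then
        echo "vd_configure: $conf already contains an <indexer> block" >&2
        return 1
    fi
    grep -q '</ossec_config>' "$conf" || {
        echo "vd_configure: $conf has no closing </ossec_config>" >&2; return 1; }

    block=$(cat <<EOF
  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>${host}</host>
    </hosts>
    <username>${user}</username>
    <password>${pass}</password>
    <ssl>
      <certificate_authorities>
        <ca>${certdir}/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>${certdir}/${node}.pem</certificate>
      <key>${certdir}/${node}-key.pem</key>
    </ssl>
  </indexer>
EOF
)
    # Insert the block before the last </ossec_config>.  The text reaches awk
    # through the environment rather than -v so backslashes survive, and the
    # result is copied over the original with cat so ossec.conf keeps its
    # owner and mode instead of inheriting the temp file's.
    tmp="${conf}.tmp.$$"
    VD_BLOCK="$block" awk '
        /<\/ossec_config>/ { last = NR }
        { line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == last) print ENVIRON["VD_BLOCK"] "\n"
                print line[i]
            }
        }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed demo: a minimal ossec.conf in a temp dir, configured with the
# AIO values from the log in the next comment.  Prints the resulting path.
vd_demo() {
    d=$(mktemp -d)
    printf '%s\n' '<ossec_config>' '  <global>' \
        '    <jsonout_output>yes</jsonout_output>' '  </global>' \
        '</ossec_config>' > "$d/ossec.conf"
    vd_configure "$d/ossec.conf" "https://localhost:9200" admin \
        'PzMB2UaCw5ikB84?5qqCCET8figPc16E' wazuh-server || return 1
    echo "$d/ossec.conf"
}

if [ "${VD_RUN_DEMO:-0}" = 1 ]; then cat "$(vd_demo)"; fi
```

Run it with `VD_RUN_DEMO=1 sh vd_configure.sh` to print the configured sample; the inserted block matches the AIO ossec.conf excerpt in the next comment. Writing to a temp file and then copying its contents over ossec.conf means a failed awk run never leaves a half-written configuration behind.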

c-bordon commented 6 months ago

Password tool change testing

[vagrant@amazonlinux-2 ~]$ sudo bash wazuh-install.sh -a
17/01/2024 13:59:13 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
17/01/2024 13:59:13 INFO: Verbose logging redirected to /var/log/wazuh-install.log
17/01/2024 13:59:16 INFO: Verifying that your system meets the recommended minimum hardware requirements.
17/01/2024 13:59:16 INFO: Wazuh web interface port will be 443.
17/01/2024 13:59:17 INFO: Wazuh development repository added.
17/01/2024 13:59:17 INFO: --- Configuration files ---
17/01/2024 13:59:17 INFO: Generating configuration files.
17/01/2024 13:59:18 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
17/01/2024 13:59:18 INFO: --- Wazuh indexer ---
17/01/2024 13:59:18 INFO: Starting Wazuh indexer installation.
17/01/2024 14:01:19 INFO: Wazuh indexer installation finished.
17/01/2024 14:01:20 INFO: Wazuh indexer post-install configuration finished.
17/01/2024 14:01:20 INFO: Starting service wazuh-indexer.
17/01/2024 14:01:30 INFO: wazuh-indexer service started.
17/01/2024 14:01:30 INFO: Initializing Wazuh indexer cluster security settings.
17/01/2024 14:01:42 INFO: The Wazuh indexer cluster ISM initialized.
17/01/2024 14:01:42 INFO: Wazuh indexer cluster initialized.
17/01/2024 14:01:42 INFO: --- Wazuh server ---
17/01/2024 14:01:42 INFO: Starting the Wazuh manager installation.
17/01/2024 14:03:09 INFO: Wazuh manager installation finished.
17/01/2024 14:03:09 INFO: Wazuh manager vulnerability detection configuration finished.
17/01/2024 14:03:09 INFO: Starting service wazuh-manager.
17/01/2024 14:03:21 INFO: wazuh-manager service started.
17/01/2024 14:03:21 INFO: Starting Filebeat installation.
17/01/2024 14:03:33 INFO: Filebeat installation finished.
17/01/2024 14:03:35 INFO: Filebeat post-install configuration finished.
17/01/2024 14:03:35 INFO: Starting service filebeat.
17/01/2024 14:03:35 INFO: filebeat service started.
17/01/2024 14:03:35 INFO: --- Wazuh dashboard ---
17/01/2024 14:03:35 INFO: Starting Wazuh dashboard installation.
17/01/2024 14:04:43 INFO: Wazuh dashboard installation finished.
17/01/2024 14:04:43 INFO: Wazuh dashboard post-install configuration finished.
17/01/2024 14:04:43 INFO: Starting service wazuh-dashboard.
17/01/2024 14:04:43 INFO: wazuh-dashboard service started.
17/01/2024 14:04:44 INFO: Updating the internal users.
17/01/2024 14:04:48 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
17/01/2024 14:05:24 INFO: Initializing Wazuh dashboard web application.
17/01/2024 14:05:25 INFO: Wazuh dashboard web application initialized.
17/01/2024 14:05:25 INFO: --- Summary ---
17/01/2024 14:05:25 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: PzMB2UaCw5ikB84?5qqCCET8figPc16E
17/01/2024 14:05:25 INFO: Installation finished.

ossec.conf

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://localhost:9200</host>
    </hosts>
    <username>admin</username>
    <password>PzMB2UaCw5ikB84?5qqCCET8figPc16E</password>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
    </ssl>
  </indexer>

Screenshots: Screenshot_20240117_094617, Screenshot_20240117_094632 (images not reproduced)

Password changed

[vagrant@amazonlinux-2 ~]$ sudo bash wazuh-passwords-tool.sh -u admin -p TestingPassword1?
17/01/2024 14:06:31 INFO: Updating the internal users.
17/01/2024 14:06:33 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
17/01/2024 14:06:33 INFO: Generating password hash
17/01/2024 14:06:53 WARNING: Password changed. Remember to update the password in the Wazuh dashboard Wazuh server, and Filebeat nodes if necessary, and restart the services.

ossec.conf

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://localhost:9200</host>
    </hosts>
    <username>admin</username>
    <password>TestingPassword1?</password>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
    </ssl>
  </indexer>

c-bordon commented 6 months ago

Distributed test password tool

environment:
Wazuh indexer node: Amazon Linux 2
Wazuh manager: Ubuntu Jammy
Wazuh worker: Ubuntu Focal
Wazuh dashboard: Centos 7

Wazuh indexer:

[vagrant@amazonlinux-2 ~]$ sudo bash wazuh-install.sh -wi indexer-1
17/01/2024 14:42:14 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
17/01/2024 14:42:14 INFO: Verbose logging redirected to /var/log/wazuh-install.log
17/01/2024 14:42:16 INFO: Verifying that your system meets the recommended minimum hardware requirements.
17/01/2024 14:42:18 INFO: Wazuh development repository added.
17/01/2024 14:42:18 INFO: --- Wazuh indexer ---
17/01/2024 14:42:18 INFO: Starting Wazuh indexer installation.
17/01/2024 14:44:31 INFO: Wazuh indexer installation finished.
17/01/2024 14:44:31 INFO: Wazuh indexer post-install configuration finished.
17/01/2024 14:44:31 INFO: Starting service wazuh-indexer.
17/01/2024 14:44:42 INFO: wazuh-indexer service started.
17/01/2024 14:44:42 INFO: Initializing Wazuh indexer cluster security settings.
17/01/2024 14:44:43 INFO: Wazuh indexer cluster initialized.
17/01/2024 14:44:43 INFO: Installation finished.
[vagrant@amazonlinux-2 ~]$ sudo bash wazuh-install.sh --start-cluster
17/01/2024 14:45:01 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
17/01/2024 14:45:01 INFO: Verbose logging redirected to /var/log/wazuh-install.log
17/01/2024 14:45:03 INFO: Verifying that your system meets the recommended minimum hardware requirements.
17/01/2024 14:45:06 INFO: Wazuh indexer cluster security configuration initialized.
17/01/2024 14:45:07 INFO: The Wazuh indexer cluster ISM initialized.
17/01/2024 14:45:08 INFO: Updating the internal users.
17/01/2024 14:45:09 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
17/01/2024 14:45:15 INFO: Wazuh indexer cluster started.

Wazuh manager:

vagrant@ubuntu22:~$ sudo bash wazuh-install.sh -ws server-1
17/01/2024 14:45:37 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
17/01/2024 14:45:37 INFO: Verbose logging redirected to /var/log/wazuh-install.log
17/01/2024 14:45:59 INFO: Verifying that your system meets the recommended minimum hardware requirements.
17/01/2024 14:46:02 INFO: --- Dependencies ----
17/01/2024 14:46:02 INFO: Installing apt-transport-https.
17/01/2024 14:46:12 INFO: Wazuh development repository added.
17/01/2024 14:46:13 INFO: --- Wazuh server ---
17/01/2024 14:46:13 INFO: Starting the Wazuh manager installation.
17/01/2024 14:48:06 INFO: Wazuh manager installation finished.
17/01/2024 14:48:06 INFO: Wazuh manager vulnerability detection configuration finished.
17/01/2024 14:48:06 INFO: Starting service wazuh-manager.
17/01/2024 14:48:23 INFO: wazuh-manager service started.
17/01/2024 14:48:23 INFO: Starting Filebeat installation.
17/01/2024 14:48:35 INFO: Filebeat installation finished.
17/01/2024 14:48:37 INFO: Filebeat post-install configuration finished.
17/01/2024 14:48:59 INFO: Starting service filebeat.
17/01/2024 14:48:59 INFO: filebeat service started.
17/01/2024 14:48:59 INFO: Installation finished.

ossec.conf

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://192.168.56.244:9200</host>
    </hosts>
    <username>admin</username>
    <password>a9a9iU4?MBIl1qaxR8jB?xFV.bfjEDyV</password>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/server-1.pem</certificate>
      <key>/etc/filebeat/certs/server-1-key.pem</key>
    </ssl>
  </indexer>

Wazuh worker:

vagrant@ubuntu20:~$ sudo bash wazuh-install.sh -ws server-2
17/01/2024 14:54:22 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
17/01/2024 14:54:22 INFO: Verbose logging redirected to /var/log/wazuh-install.log
17/01/2024 14:54:39 INFO: Verifying that your system meets the recommended minimum hardware requirements.
17/01/2024 14:54:42 INFO: --- Dependencies ----
17/01/2024 14:54:42 INFO: Installing apt-transport-https.
17/01/2024 14:54:52 INFO: Wazuh development repository added.
17/01/2024 14:54:52 INFO: --- Wazuh server ---
17/01/2024 14:54:52 INFO: Starting the Wazuh manager installation.
17/01/2024 14:56:42 INFO: Wazuh manager installation finished.
17/01/2024 14:56:42 INFO: Wazuh manager vulnerability detection configuration finished.
17/01/2024 14:56:42 INFO: Starting service wazuh-manager.
17/01/2024 14:57:02 INFO: wazuh-manager service started.
17/01/2024 14:57:02 INFO: Starting Filebeat installation.
17/01/2024 14:57:14 INFO: Filebeat installation finished.
17/01/2024 14:57:16 INFO: Filebeat post-install configuration finished.
17/01/2024 14:57:34 INFO: Starting service filebeat.
17/01/2024 14:57:35 INFO: filebeat service started.
17/01/2024 14:57:35 INFO: Installation finished.

ossec.conf

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://192.168.56.244:9200</host>
    </hosts>
    <username>admin</username>
    <password>a9a9iU4?MBIl1qaxR8jB?xFV.bfjEDyV</password>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/server-1.pem</certificate>
      <key>/etc/filebeat/certs/server-1-key.pem</key>
    </ssl>
  </indexer>

Wazuh dashboard:

[vagrant@centos-7 ~]$ sudo bash wazuh-install.sh -wd dashboard-1
17/01/2024 14:58:05 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
17/01/2024 14:58:05 INFO: Verbose logging redirected to /var/log/wazuh-install.log
17/01/2024 14:58:12 INFO: --- Dependencies ---
17/01/2024 14:58:12 INFO: Installing lsof.
17/01/2024 14:58:25 INFO: Verifying that your system meets the recommended minimum hardware requirements.
17/01/2024 14:58:25 INFO: Wazuh web interface port will be 443.
17/01/2024 14:58:28 INFO: Wazuh development repository added.
17/01/2024 14:58:28 INFO: --- Wazuh dashboard ----
17/01/2024 14:58:28 INFO: Starting Wazuh dashboard installation.
17/01/2024 15:00:01 INFO: Wazuh dashboard installation finished.
17/01/2024 15:00:01 INFO: Wazuh dashboard post-install configuration finished.
17/01/2024 15:00:01 INFO: Starting service wazuh-dashboard.
17/01/2024 15:00:01 INFO: wazuh-dashboard service started.
17/01/2024 15:00:14 INFO: Initializing Wazuh dashboard web application.
17/01/2024 15:00:15 INFO: Wazuh dashboard web application initialized.
17/01/2024 15:00:15 INFO: --- Summary ---
17/01/2024 15:00:15 INFO: You can access the web interface https://192.168.56.249:443
    User: admin
    Password: a9a9iU4?MBIl1qaxR8jB?xFV.bfjEDyV
17/01/2024 15:00:15 INFO: --- Dependencies ---
17/01/2024 15:00:15 INFO: Removing lsof.
17/01/2024 15:00:15 INFO: Installation finished.

--- User admin password updated

Wazuh indexer:

[vagrant@amazonlinux-2 ~]$ sudo bash wazuh-passwords-tool.sh -u admin -p TestingPassword1?
17/01/2024 15:02:31 INFO: Updating the internal users.
17/01/2024 15:02:33 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
17/01/2024 15:02:33 INFO: Generating password hash
17/01/2024 15:02:36 WARNING: Password changed. Remember to update the password in the Wazuh dashboard Wazuh server, and Filebeat nodes if necessary, and restart the services.

Wazuh manager:

vagrant@ubuntu22:~$ echo TestingPassword1? | sudo filebeat keystore add password --stdin --force
Successfully updated the keystore
vagrant@ubuntu22:~$ sudo systemctl restart filebeat
vagrant@ubuntu22:~$ sudo sed -i 's/<password>.*<\/password>/<password>TestingPassword1?<\/password>/g' /var/ossec/etc/ossec.conf
vagrant@ubuntu22:~$ sudo systemctl restart wazuh-manager

ossec.conf

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://192.168.56.244:9200</host>
    </hosts>
    <username>admin</username>
    <password>TestingPassword1?</password>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/server-1.pem</certificate>
      <key>/etc/filebeat/certs/server-1-key.pem</key>
    </ssl>
  </indexer>

Wazuh worker:

vagrant@ubuntu20:~$ echo TestingPassword1? | sudo filebeat keystore add password --stdin --force
Successfully updated the keystore
vagrant@ubuntu20:~$ sudo systemctl restart filebeat
vagrant@ubuntu20:~$ sudo sed -i 's/<password>.*<\/password>/<password>TestingPassword1?<\/password>/g' /var/ossec/etc/ossec.conf
vagrant@ubuntu20:~$ sudo systemctl restart wazuh-manager

ossec.conf

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://192.168.56.244:9200</host>
    </hosts>
    <username>admin</username>
    <password>TestingPassword1?</password>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/server-1.pem</certificate>
      <key>/etc/filebeat/certs/server-1-key.pem</key>
    </ssl>
  </indexer>
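
The rotation above updates ossec.conf with `sed 's/<password>.*<\/password>/.../g'`, which rewrites every `<password>` element in the file, not only the one under `<indexer>`, and breaks if the new password contains `/` or `&`. As an added example (not code from this PR or from Wazuh; the function names and the constructed sample file are assumptions), the following shell function replaces only the `<indexer>` password and fails when it finds none or more than one. The constructed sample carries a `<database_output>` section with its own `<password>` to show that it is left alone. The other steps shown above (`wazuh-passwords-tool.sh` on the indexer node, `filebeat keystore add password --stdin --force`, and the service restarts) still apply and are not repeated here.

```shell
#!/bin/sh
# Added example, not code from this PR: rotate the Wazuh indexer credential
# held in the <indexer> block of ossec.conf, and only there.  The sed in the
# comment above rewrites every <password> element in the file; this version
# edits the one inside <indexer> and fails if it finds none or several.
# Names are assumptions.  The other rotation steps from the comment
# (wazuh-passwords-tool.sh, filebeat keystore add, service restarts) are
# unchanged and not repeated here.
#
# Usage: vd_set_indexer_password <ossec.conf> <new-password>
vd_set_indexer_password() {
    conf="$1"; newpass="$2"
    case "$newpass" in
        *'&'*|*'<'*) echo "vd_set_indexer_password: password must not contain & or <" >&2; return 1 ;;
    esac
    tmp="${conf}.tmp.$$"
    rc=0
    # The value is read from the environment, so neither sed nor awk
    # replacement escaping applies to it; the line is rebuilt, not substituted.
    VD_NEWPASS="$newpass" awk '
        /<indexer>/   { inside = 1 }
        /<\/indexer>/ { inside = 0 }
        inside && /<password>.*<\/password>/ {
            indent = $0; sub(/<password>.*$/, "", indent)   # keep leading spaces
            print indent "<password>" ENVIRON["VD_NEWPASS"] "</password>"
            changed++
            next
        }
        { print }
        END { exit (changed == 1) ? 0 : 2 }
    ' "$conf" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        cat "$tmp" > "$conf" || rc=$?     # keeps owner and mode of ossec.conf
    else
        echo "vd_set_indexer_password: expected exactly one <password> inside <indexer> in $conf" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed demo: an ossec.conf with the distributed-run <indexer> block plus
# an unrelated <database_output> section that also uses <password>.  Prints the
# path of the rotated file.
vd_rotate_demo() {
    d=$(mktemp -d)
    cat > "$d/ossec.conf" <<'EOF'
<ossec_config>
  <database_output>
    <hostname>192.0.2.10</hostname>
    <username>wazuh</username>
    <password>db-secret-unchanged</password>
    <database>wazuh</database>
    <type>mysql</type>
  </database_output>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://192.168.56.244:9200</host>
    </hosts>
    <username>admin</username>
    <password>a9a9iU4?MBIl1qaxR8jB?xFV.bfjEDyV</password>
  </indexer>
</ossec_config>
EOF
    vd_set_indexer_password "$d/ossec.conf" 'TestingPassword1?' || return 1
    echo "$d/ossec.conf"
}

if [ "${VD_RUN_DEMO:-0}" = 1 ]; then cat "$(vd_rotate_demo)"; fi
```

Run `VD_RUN_DEMO=1 sh vd_rotate.sh` to see the result: the `<indexer>` password becomes `TestingPassword1?` while the `<database_output>` password is untouched. Quoting the new password on the command line also avoids the shell treating `?` as a glob, which the unquoted `echo TestingPassword1?` above relies on no matching file name being present for.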