Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
Step 1: Basic Installation
My primary recommendation for installing and configuring Wazuh is to read the official documentation; it includes all the steps required for deployment, whether the ‘all in one’ deployment or a ‘distributed’ deployment for larger environments: see https://documentation.wazuh.com/current/installation-guide/open-distro/index.html
My regular methodology is to use the unattended installation, which generates randomized passwords for the entire installation. For version 4.2 (taking the link from the website):
# curl -so ~/unattended-installation.sh https://packages.wazuh.com/resources/4.2/open-distro/unattended-installation/unattended-installation.sh && bash ~/unattended-installation.sh
Step 2: Moving Mount Points
The second step is to create additional mount points….
Step 3: Retention/Index Management
Wazuh helps you comply with the security standards in which logs are required to be maintained for several months so that they can be provided on the spot in case of an audit.
Being able to quickly access all this information requires storing it on hard disks. Since storage space has a cost and a limit, you may have to delete old data to ensure you can maintain the retention period that you need.
Follow the Wazuh procedure on index management to define appropriate retention periods for the collected data, using either the OpenDistro ILM or the OpenDistro ISM procedure depending on your deployment type: https://wazuh.com/blog/wazuh-index-management/
Step 4: Delete Old Alerts
I have a cron job running that cleans up all alerts older than 7 days, since they take a lot of space on the file system. Create a new (executable) job:
/etc/cron.daily/wazuh-cleanup-alert-logs
#!/bin/sh
find /var/ossec/logs/alerts/ -type f -mtime +7 -delete
Step 6: Enable Vulnerability Scanning
Make sure that syscollector is enabled in each of the defined Wazuh groups by adding the following for *UX (Unix-like) systems:
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <os>yes</os>
  <packages>yes</packages>
</wodle>
For Windows systems, also add the hotfixes option so that installed updates are collected:
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <os>yes</os>
  <packages>yes</packages>
  <hotfixes>yes</hotfixes>
</wodle>
On the Wazuh manager, enable the vulnerability detector and the provider for each OS in use. See the official documentation for further reference:
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>

  <!-- Ubuntu OS vulnerabilities -->
  <provider name="canonical">
    <enabled>no</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <update_interval>1d</update_interval>
  </provider>

  <!-- Debian OS vulnerabilities -->
  <provider name="debian">
    <enabled>yes</enabled>
    <os>stretch</os>
    <os>buster</os>
    <update_interval>1d</update_interval>
  </provider>

  <!-- RedHat OS vulnerabilities -->
  <provider name="redhat">
    <enabled>no</enabled>
    <os>5</os>
    <os>6</os>
    <os>7</os>
    <os>8</os>
    <update_interval>1d</update_interval>
  </provider>

  <!-- Windows OS vulnerabilities -->
  <provider name="msu">
    <enabled>yes</enabled>
    <update_interval>1d</update_interval>
  </provider>

  <!-- Aggregate vulnerabilities -->
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2010</update_from_year>
    <update_interval>1d</update_interval>
  </provider>
</vulnerability-detector>
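The detector only has something to match if each agent group actually sends a package inventory (and, for Windows, hotfixes), and only if the matching provider is enabled on the manager. The following cross-check is example code written for this post, not part of Wazuh: it parses constructed samples of the manager block and the per-group syscollector blocks and reports the gaps; the group-to-provider mapping is an assumption of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the manager's <vulnerability-detector> block (layout as on the page).
VULN_DETECTOR = """<vulnerability-detector>
  <enabled>yes</enabled>
  <provider name="canonical"><enabled>no</enabled><os>focal</os></provider>
  <provider name="debian"><enabled>yes</enabled><os>buster</os></provider>
  <provider name="msu"><enabled>yes</enabled></provider>
</vulnerability-detector>"""

# Constructed sample syscollector blocks, one per Wazuh agent group (as in agent.conf).
GROUP_CONF = {
    "debian": '<wodle name="syscollector"><disabled>no</disabled><packages>yes</packages></wodle>',
    "windows": '<wodle name="syscollector"><disabled>no</disabled><packages>yes</packages></wodle>',
    "ubuntu": '<wodle name="syscollector"><disabled>yes</disabled><packages>yes</packages></wodle>',
}
# Assumption: which feed each group relies on (hypothetical mapping, not a Wazuh setting).
GROUP_PROVIDER = {"debian": "debian", "windows": "msu", "ubuntu": "canonical"}

def _val(elem, tag, default="no"):
    # Missing tags fall back to the conservative default.
    return (elem.findtext(tag) or default).strip()

def enabled_providers(vuln_xml):
    # Empty set if the detector itself is switched off; otherwise the enabled provider names.
    root = ET.fromstring(vuln_xml)
    if _val(root, "enabled") != "yes":
        return set()
    return {p.get("name") for p in root.findall("provider") if _val(p, "enabled") == "yes"}

def check_group(group, wodle_xml, providers):
    # Findings for one group; an empty list means its inventory feeds the detector.
    findings = []
    w = ET.fromstring(wodle_xml)
    prov = GROUP_PROVIDER[group]
    if _val(w, "disabled") != "no":
        findings.append("syscollector disabled: no inventory is sent")
    if _val(w, "packages") != "yes":
        findings.append("package inventory off: nothing for the detector to match")
    if prov == "msu" and _val(w, "hotfixes") != "yes":
        findings.append("hotfixes off: installed updates unknown, msu results overstate exposure")
    if prov not in providers:
        findings.append(f"provider '{prov}' is not enabled on the manager")
    return findings

def audit(vuln_xml=VULN_DETECTOR, groups=GROUP_CONF):
    providers = enabled_providers(vuln_xml)
    return {g: check_group(g, xml, providers) for g, xml in groups.items()}

if __name__ == "__main__":
    for group, findings in audit().items():
        print(group, "OK" if not findings else "; ".join(findings))
```

With the constructed samples, the debian group passes, the windows group is flagged for missing hotfixes, and the ubuntu group is flagged twice (syscollector disabled, canonical provider off).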
Step 7: Wazuh Agent – Linux
Make sure the Wazuh package repository is defined on the client by creating /etc/apt/sources.list.d/wazuh.list with:
deb https://packages.wazuh.com/4.x/apt/ stable main
Update the apt listings, then execute the following command to deploy the agent into a specific Wazuh group (debian) and register it with the Wazuh server:
# WAZUH_MANAGER='192.168.0.110' WAZUH_AGENT_GROUP='debian' apt install wazuh-agent
Step 8: Wazuh Agent – Windows
Under Windows it is possible to use PowerShell's Invoke-WebRequest to perform an automatic deployment (the downloaded MSI is installed with msiexec, which accepts the WAZUH_* properties; a leading # would comment the line out in PowerShell):
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.5-1.msi -OutFile wazuh-agent-4.2.5.msi; msiexec.exe /i wazuh-agent-4.2.5.msi /q WAZUH_MANAGER='192.168.0.110' WAZUH_REGISTRATION_SERVER='192.168.0.110' WAZUH_AGENT_GROUP='windows'