Difference between revisions of "Using Wazuh for SIEM and vulnerability assessment"
Latest revision as of 15:00, 22 March 2023
Install Wazuh

<pre>
curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
</pre>
Install Agents
- Log into portal
- Add agents
- In this environment the following commands are provided to install the agent (the agent is added to the default group and reports back to the Wazuh manager)

<pre>
curl -so wazuh-agent-4.3.10.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.10-1_amd64.deb && sudo WAZUH_MANAGER='192.168.11.132' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.3.10.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
</pre>
Edit the configuration
<pre>
# only if you need to change something on a client node (the defaults should be fine)
vi /var/ossec/etc/ossec.conf
service wazuh-agent restart
</pre>
Enable the vulnerability detection
On the Admin UI
- Management -> Configuration -> Edit Configuration
- Set vulnerability-detector to yes
<pre>
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>
  <!-- provider blocks go here -->
</vulnerability-detector>
</pre>
Enable the OS versions you want checked; each provider block sits inside the vulnerability-detector block, and a provider left at enabled=no is never scanned.

<pre>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
  <enabled>yes</enabled>
  <os>trusty</os>
  <os>xenial</os>
  <os>bionic</os>
  <os>focal</os>
  <os>jammy</os>
  <update_interval>1d</update_interval>
</provider>
</pre>
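A quick sanity check for the vulnerability-detector settings above, added here as an example and not part of the original page or of Wazuh itself: it parses a constructed ossec.conf fragment and flags the common misconfigurations (detector disabled, run_on_start off, full-scan interval shorter than the regular interval, or no provider enabled so nothing is ever scanned). The interval unit table and the "missing means no" defaults are assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the page's settings, wrapped in one <ossec_config> root.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1d</update_interval>
    </provider>
    <provider name="debian">
      <enabled>no</enabled>
    </provider>
  </vulnerability-detector>
</ossec_config>"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_interval(text):
    """Convert a Wazuh-style interval such as '5m' or '6h' to seconds."""
    text = text.strip()
    if text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)  # a bare number is taken as seconds

def audit_vuln_detector(conf_xml):
    """Return (findings, enabled providers) for the vulnerability-detector block."""
    vd = ET.fromstring(conf_xml).find("vulnerability-detector")
    findings = []
    # A missing block or a missing <enabled> is treated as disabled (assumption).
    if vd is None or (vd.findtext("enabled") or "no").strip() != "yes":
        return ["vulnerability-detector is not enabled"], {}
    if (vd.findtext("run_on_start") or "no").strip() != "yes":
        findings.append("run_on_start is not yes: first scan waits a full interval")
    interval = parse_interval(vd.findtext("interval") or "5m")
    full_scan = parse_interval(vd.findtext("min_full_scan_interval") or "6h")
    if full_scan < interval:
        findings.append("min_full_scan_interval is shorter than interval")
    providers = {}
    for prov in vd.findall("provider"):
        if (prov.findtext("enabled") or "no").strip() == "yes":
            providers[prov.get("name")] = [o.text.strip() for o in prov.findall("os")]
    if not providers:
        findings.append("detector enabled but no provider enabled: nothing is scanned")
    return findings, providers
```

A real /var/ossec/etc/ossec.conf may contain several top-level ossec_config blocks, so wrap the file contents in a single root element before handing them to the parser.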