From 23543f787c262afe8fc879677e0cb90c5bda6244 Mon Sep 17 00:00:00 2001 From: manuasir Date: Mon, 26 Oct 2020 23:49:18 +0100 Subject: [PATCH 1/4] Adapting to v4.0 --- demo/README.md | 2 +- demo/wazuh_template.yml | 4 +- production/elastic/wazuh_cf_kibana.sh | 2 +- production/wazuh/cluster/wazuh_cf_master.sh | 45 ++------------------- production/wazuh/cluster/wazuh_cf_worker.sh | 12 ++---- 5 files changed, 11 insertions(+), 54 deletions(-) diff --git a/demo/README.md b/demo/README.md index 1f08851..51a2a23 100644 --- a/demo/README.md +++ b/demo/README.md @@ -90,7 +90,7 @@ A parent domain (e.g. mycompany.com) and subdomain (e.g. wazuh) can be specified An example of the installation of a new agent, on a Windows system (automatically registered and configured) using an MSI package would be: - wazuh-agent-3.13.2-1.msi /q ADDRESS=“wazuh.mycompany.com” AUTHD_SERVER=“registration.wazuh.mycompany.com” PASSWORD=“mypassword” AGENT_NAME=“myhostname” PROTOCOL=“TCP” + wazuh-agent-4.0.0-1.msi /q ADDRESS=“wazuh.mycompany.com” AUTHD_SERVER=“registration.wazuh.mycompany.com” PASSWORD=“mypassword” AGENT_NAME=“myhostname” PROTOCOL=“TCP” An example of the registration of a new agent on a Linux system would be: diff --git a/demo/wazuh_template.yml b/demo/wazuh_template.yml index 4810198..7e19257 100644 --- a/demo/wazuh_template.yml +++ b/demo/wazuh_template.yml @@ -255,12 +255,12 @@ Parameters: - 7.9.1_3.13.2 - 7.9.2_3.13.2 ConstraintDescription: Format is ElasticVersion_WazuhVersion - Default: 7.9.2_3.13.2 + Default: 7.9.2_4.0.0 Description: Elastic and Wazuh versions to be installed Type: String Winagentversion: - Default: 3.13.2 + Default: 4.0.0 Description: Wazuh Windows agent version to be installed Type: String diff --git a/production/elastic/wazuh_cf_kibana.sh b/production/elastic/wazuh_cf_kibana.sh index 5a4ecdf..e6e03de 100644 --- a/production/elastic/wazuh_cf_kibana.sh +++ b/production/elastic/wazuh_cf_kibana.sh 
@@ -323,7 +323,7 @@ default_index="/tmp/default_index.json" cat > ${default_index} << EOF { "changes": { - "defaultIndex": "wazuh-alerts-3.x-*" + "defaultIndex": "wazuh-alerts-4.x-*" } } EOF diff --git a/production/wazuh/cluster/wazuh_cf_master.sh b/production/wazuh/cluster/wazuh_cf_master.sh index d9361b3..ce52a98 100644 --- a/production/wazuh/cluster/wazuh_cf_master.sh +++ b/production/wazuh/cluster/wazuh_cf_master.sh @@ -19,7 +19,6 @@ elb_elastic=$(cat /tmp/wazuh_cf_settings | grep '^ElbElasticDNS:' | cut -d' ' -f eth0_ip=$(/sbin/ifconfig eth0 | grep 'inet' | head -1 | sed -e 's/^[[:space:]]*//' | cut -d' ' -f2) InstallType=$(cat /tmp/wazuh_cf_settings | grep '^InstallType:' | cut -d' ' -f2) branch=$(cat /tmp/wazuh_cf_settings | grep '^Branch:' | cut -d' ' -f2) -api_branch=$(cat /tmp/wazuh_cf_settings | grep '^ApiBranch:' | cut -d' ' -f2) wazuh_major=`echo $wazuh_version | cut -d'.' -f1` wazuh_minor=`echo $wazuh_version | cut -d'.' -f2` wazuh_patch=`echo $wazuh_version | cut -d'.' -f3` @@ -53,7 +52,7 @@ gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=Wazuh repository -baseurl=https://packages.wazuh.com/3.x/yum/ +baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF elif [[ ${InstallType} == 'sources' ]] 
@@ -103,28 +102,12 @@ type=rpm-md EOF curl --silent --location https://rpm.nodesource.com/setup_8.x | bash - -# Installing NodeJS -yum -y install nodejs -echo "Installed NodeJS." >> /tmp/deploy.log if [[ ${InstallType} != 'sources' ]] then - # Installing wazuh-manager - yum -y install wazuh-manager-$wazuh_version + yum -y install wazuh-manager-$wazuh_version-1 chkconfig --add wazuh-manager - # Installing wazuh-api - yum -y install wazuh-api-$wazuh_version - chkconfig --add wazuh-api - echo "Installed Wazuh API." >> /tmp/deploy.log -else - API_BRANCH=$api_branch - npm config set user 0 - curl -LO https://github.com/wazuh/wazuh-api/archive/$API_BRANCH.zip - unzip $API_BRANCH.zip - rm -f $API_BRANCH.zip - cd wazuh-api-$API_BRANCH - ./install_api.sh fi manager_config="/var/ossec/etc/ossec.conf" @@ -133,10 +116,6 @@ local_rules="/var/ossec/etc/rules/local_rules.xml" echo "Installed wazuh manager package" >> /tmp/deploy.log - -# Change manager protocol to tcp, to be used by Amazon ELB -sed -i "s/udp<\/protocol>/tcp<\/protocol>/" ${manager_config} - # Set manager port for agent communications sed -i "s/1514<\/port>/${wazuh_server_port}<\/port>/" ${manager_config} @@ -168,9 +147,6 @@ EOF echo "${wazuh_registration_password}" > /var/ossec/etc/authd.pass echo "Set registration password." >> /tmp/deploy.log -# Installing Python Cryptography module for the cluster -pip install cryptography - # Configuring cluster section sed -i '//,/<\/cluster>/d' ${manager_config} @@ -193,7 +169,6 @@ cat >> ${manager_config} << EOF EOF # Disabling agent components and cleaning configuration file -sed -i '//,/<\/wodle>/d' ${manager_config} sed -i '//,/<\/wodle>/d' ${manager_config} sed -i '//,/<\/ruleset>/d' ${manager_config} sed -i '//,/<\/wodle>/d' ${manager_config} 
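Review bot: The context line `curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -` at the top of the hunk outlives its only consumer: the hunk deletes `yum -y install nodejs` and the wazuh-api sources install, so the script still pipes a remote script into a root shell for a runtime it no longer installs. Remove that line together with the NodeJS block. Separately, `wazuh-manager-$wazuh_version-1` hard-codes the package release number, so a `-2` rebuild of the same version would make the install fail; either derive the release from a setting or keep only the version and quote it, `yum -y install "wazuh-manager-${wazuh_version}"`. The same `-1` suffix is introduced in wazuh_cf_worker.sh in the @@ -88 hunk.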
@@ -208,27 +183,13 @@ systemctl restart wazuh-manager systemctl enable wazuh-manager echo "Restarted Wazuh manager." >> /tmp/deploy.log -# Configuring Wazuh API user and password -cd /var/ossec/api/configuration/auth -node htpasswd -b -c user ${wazuh_api_user} ${wazuh_api_password} - -# Enable Wazuh API SSL and configure listening port -api_ssl_dir="/var/ossec/api/configuration/ssl" -openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout ${api_ssl_dir}/server.key -out ${api_ssl_dir}/server.crt -sed -i "s/config.https = \"no\";/config.https = \"yes\";/" /var/ossec/api/configuration/config.js -sed -i "s/config.port = \"55000\";/config.port = \"${wazuh_api_port}\";/" /var/ossec/api/configuration/config.js -echo "Setting port and SSL to Wazuh API." >> /tmp/deploy.log - -# Restart wazuh-api -systemctl restart wazuh-api -echo "Restarted Wazuh API." >> /tmp/deploy.log # Installing Filebeat yum -y install filebeat-${elastic_version} echo "Installed Filebeat" >> /tmp/log # Install Filebeat module -curl -s "https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz" | tar -xvz -C /usr/share/filebeat/module +curl -s "https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz" | tar -xvz -C /usr/share/filebeat/module # Get Filebeat configuration file curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/${TAG}/extensions/filebeat/7.x/filebeat.yml diff --git a/production/wazuh/cluster/wazuh_cf_worker.sh b/production/wazuh/cluster/wazuh_cf_worker.sh index 4cff8e2..c85a853 100644 --- a/production/wazuh/cluster/wazuh_cf_worker.sh +++ b/production/wazuh/cluster/wazuh_cf_worker.sh @@ -38,7 +38,7 @@ gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=Wazuh repository -baseurl=https://packages.wazuh.com/3.x/yum/ +baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF elif [[ ${InstallType} == 'sources' ]] 
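Review bot: The updated module download `curl -s "https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz" | tar -xvz -C /usr/share/filebeat/module` still runs with `-s` and without `-f`, so an HTTP error or a moved 4.x path produces an empty stream, tar exits quietly and the script carries on with no module installed; the same line is changed in wazuh_cf_worker.sh in the @@ -150 hunk. Use `curl -sSf` so a failed download is surfaced, and ideally verify the archive before extracting it as root, e.g. `curl -sSfo /tmp/wazuh-filebeat.tar.gz "https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz" && sha256sum -c <<<"<expected-sha256>  /tmp/wazuh-filebeat.tar.gz"` (placeholder digest). Deleting the API user/SSL block also leaves `wazuh_api_user`, `wazuh_api_password` and `wazuh_api_port` unused in this file if they are still read from /tmp/wazuh_cf_settings earlier, which is outside the hunk.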
@@ -88,18 +88,14 @@ type=rpm-md EOF # Installing wazuh-manager -yum -y install wazuh-manager-$wazuh_version +yum -y install wazuh-manager-$wazuh_version-1 systemctl enable wazuh-manager chkconfig --add wazuh-manager manager_config="/var/ossec/etc/ossec.conf" -# Install dependencies -yum -y install openscap-scanner +# Install dependencies echo "Installed wazuh manager package" >> /tmp/log -# Change manager protocol to tcp, to be used by Amazon ELB -sed -i "s/udp<\/protocol>/tcp<\/protocol>/" ${manager_config} - # Set manager ports for agents communication sed -i "s/1514<\/port>/${wazuh_server_port}<\/port>/" ${manager_config} @@ -150,7 +146,7 @@ elastic_minor_version=$(echo ${elastic_version} | cut -d'.' -f2) elastic_patch_version=$(echo ${elastic_version} | cut -d'.' -f3) # Install Filebeat module -curl -s "https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz" | tar -xvz -C /usr/share/filebeat/module +curl -s "https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz" | tar -xvz -C /usr/share/filebeat/module # Get Filebeat configuration file curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/${TAG}/extensions/filebeat/7.x/filebeat.yml From 3925e17e813690a07a964433d3e2fbf56aae6a5f Mon Sep 17 00:00:00 2001 From: manuasir Date: Tue, 27 Oct 2020 18:51:32 +0100 Subject: [PATCH 2/4] Adapt to v4.x --- production/elastic/wazuh_cf_kibana.sh | 2 +- production/wazuh/cluster/wazuh_cf_master.sh | 14 ++++++++++++++ production/wazuh/cluster/wazuh_cf_worker.sh | 1 + production/wazuh_template.yml | 16 +++++++++------- 4 files changed, 25 insertions(+), 8 deletions(-) diff --git a/production/elastic/wazuh_cf_kibana.sh b/production/elastic/wazuh_cf_kibana.sh index e6e03de..adf2698 100644 --- a/production/elastic/wazuh_cf_kibana.sh +++ b/production/elastic/wazuh_cf_kibana.sh 
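Review bot: The `# Install dependencies` comment after the `manager_config=` line survives the hunk with nothing under it, because the hunk deletes `yum -y install openscap-scanner` and re-adds the comment (apparently differing only in trailing whitespace). Drop the comment or say what it refers to; a stray heading directly above `echo "Installed wazuh manager package"` suggests to the next reader that a dependency step went missing. `wazuh-manager-$wazuh_version-1` also hard-codes the release number and is unquoted; `yum -y install "wazuh-manager-${wazuh_version}"` matches what the master script should do as well.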
@@ -232,7 +232,7 @@ echo "Setcap executed" >> /tmp/deploy.log get_plugin_url(){ if [[ ${InstallType} == 'packages' ]] then - plugin_url="https://packages.wazuh.com/wazuhapp/wazuhapp-${wazuh_major}.${wazuh_minor}.${wazuh_patch}_${elastic_major_version}.${elastic_minor_version}.${elastic_patch_version}.zip" + plugin_url="https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${wazuh_major}.${wazuh_minor}.${wazuh_patch}_${elastic_major_version}.${elastic_minor_version}.${elastic_patch_version}.zip" elif [[ ${InstallType} == 'sources' ]] then BRANCH="$wazuh_major.$wazuh_minor-$elastic_major_version.$elastic_minor_version" diff --git a/production/wazuh/cluster/wazuh_cf_master.sh b/production/wazuh/cluster/wazuh_cf_master.sh index ce52a98..078f23f 100644 --- a/production/wazuh/cluster/wazuh_cf_master.sh +++ b/production/wazuh/cluster/wazuh_cf_master.sh @@ -55,6 +55,7 @@ name=Wazuh repository baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF +yum install wazuh-manager -y elif [[ ${InstallType} == 'sources' ]] then @@ -183,6 +184,19 @@ systemctl restart wazuh-manager systemctl enable wazuh-manager echo "Restarted Wazuh manager." >> /tmp/deploy.log +# API configuration +# ensure the API is running +systemctl restart wazuh-api + +# get token + +TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true") + +# Change default password +curl -k -X PUT "https://localhost:55000/security/users/1" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"password":$ssh_password}' + +# get new token +TOKEN=$(curl -u wazuh:$ssh_password -k -X GET "https://localhost:55000/security/user/authenticate?raw=true") # Installing Filebeat yum -y install filebeat-${elastic_version} diff --git a/production/wazuh/cluster/wazuh_cf_worker.sh b/production/wazuh/cluster/wazuh_cf_worker.sh index c85a853..e57bdc4 100644 --- a/production/wazuh/cluster/wazuh_cf_worker.sh +++ b/production/wazuh/cluster/wazuh_cf_worker.sh 
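Review bot: The added `yum install wazuh-manager -y` directly after the repo heredoc installs whatever the newest package in the 4.x repository is, while the later pinned install in this file (`yum -y install wazuh-manager-$wazuh_version-1`, from the @@ -103 hunk of the first patch) expects the version the template selected; once a newer release is already present, the pinned install is a no-op or fails, and the deployed version silently diverges from the template. Either drop this line or pin it the same way: `yum -y install "wazuh-manager-${wazuh_version}-1"`. The identical unpinned line is added to wazuh_cf_worker.sh in the @@ -41 hunk. The surrounding if/elif on `InstallType` continues outside the hunk.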
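Review bot: The password change in the new API block cannot work as written: `-d '{"password":$ssh_password}'` is single-quoted, so the literal text `$ssh_password` is sent and, being unquoted, is not valid JSON either, the PUT is rejected, the second `curl -u wazuh:$ssh_password` fails in turn, and because none of the three curl calls checks its exit status provisioning continues with an empty `TOKEN` and the default `wazuh:wazuh` credentials still valid. `systemctl restart wazuh-api` targets a unit this series stopped installing in the first patch; if the 4.x API runs inside wazuh-manager, as removing the wazuh-api package suggests, the line should go. Reusing `ssh_password` as the API credential ties two unrelated secrets together, and passing it with `-u` exposes it in the process list for the duration of the call; a dedicated API password fed to curl through `-K -` on stdin would avoid both. The rewrite below fails hard when the default password cannot be replaced and keeps `-k` only on the assumption that the local API certificate is self-signed.
```shell
# API configuration: in 4.x the API is served by wazuh-manager, so no wazuh-api unit is restarted
# … unchanged: systemctl restart/enable wazuh-manager above …
api_url="https://localhost:55000"   # -k below: local, presumably self-signed certificate

TOKEN=$(curl -sSf -k -u wazuh:wazuh -X GET "${api_url}/security/user/authenticate?raw=true") \
  || { echo "Wazuh API authentication with default credentials failed" >> /tmp/deploy.log; exit 1; }

# Build the body outside single quotes so the variable expands, as a quoted JSON string
# (assumes ssh_password contains no JSON metacharacters; use jq if that cannot be guaranteed)
payload=$(printf '{"password":"%s"}' "${ssh_password}")
curl -sSf -k -X PUT "${api_url}/security/users/1" \
  -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" -d "${payload}" \
  || { echo "Replacing the default Wazuh API password failed" >> /tmp/deploy.log; exit 1; }

TOKEN=$(curl -sSf -k -u "wazuh:${ssh_password}" -X GET "${api_url}/security/user/authenticate?raw=true") \
  || { echo "Wazuh API authentication with the new password failed" >> /tmp/deploy.log; exit 1; }
```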
@@ -41,6 +41,7 @@ name=Wazuh repository baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF +yum install wazuh-manager -y elif [[ ${InstallType} == 'sources' ]] then diff --git a/production/wazuh_template.yml b/production/wazuh_template.yml index b2e7d6d..bac36b7 100644 --- a/production/wazuh_template.yml +++ b/production/wazuh_template.yml @@ -171,8 +171,10 @@ Parameters: - 7.8.0_3.13.1 - 7.9.1_3.13.2 - 7.9.2_3.13.2 + - 7.9.2_4.0.0 + ConstraintDescription: Format is ElasticVersion_WazuhVersion - Default: 7.9.2_3.13.2 + Default: 7.9.2_4.0.0 Description: Elastic and Wazuh versions to be installed Type: String WazuhInstanceType: @@ -533,7 +535,7 @@ Resources: group: root /tmp/wazuh_cf_bootstrap_elastic.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/elastic/wazuh_cf_bootstrap_elastic.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/elastic/wazuh_cf_bootstrap_elastic.sh mode: '000700' owner: root group: root @@ -612,7 +614,7 @@ Resources: group: root /tmp/wazuh_cf_elastic.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/elastic/wazuh_cf_elastic.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/elastic/wazuh_cf_elastic.sh mode: '000700' owner: root group: root @@ -691,7 +693,7 @@ Resources: group: root /tmp/wazuh_cf_elastic.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/elastic/wazuh_cf_elastic.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/elastic/wazuh_cf_elastic.sh mode: '000700' owner: root group: root 
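Review bot: The AllowedValues list keeps `7.9.1_3.13.2` and `7.9.2_3.13.2` next to the new `7.9.2_4.0.0` entry, while the provisioning scripts in this series now configure only the 4.x yum repository and 4.x plugin and filebeat URLs, so selecting a 3.13 value yields a stack that fails during bootstrap instead of a validation error at stack creation. Remove the 3.x entries unless the scripts are made to branch on the major version. The added empty line between `- 7.9.2_4.0.0` and `ConstraintDescription` also appears out of step with the surrounding list formatting.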
@@ -992,7 +994,7 @@ Resources: group: root /tmp/wazuh_cf_kibana.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/elastic/wazuh_cf_kibana.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/elastic/wazuh_cf_kibana.sh mode: '000700' owner: root group: root @@ -1075,7 +1077,7 @@ Resources: group: root /tmp/wazuh_cf_master.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/wazuh/cluster/wazuh_cf_master.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/wazuh/cluster/wazuh_cf_master.sh mode: '000700' owner: root group: root @@ -1158,7 +1160,7 @@ Resources: group: root /tmp/wazuh_cf_worker.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/wazuh/cluster/wazuh_cf_worker.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/wazuh/cluster/wazuh_cf_worker.sh mode: '000700' owner: root group: root From 06b669131ef74c7ce1e050e3a2c92f8fcc4ad3b9 Mon Sep 17 00:00:00 2001 From: manuasir Date: Tue, 27 Oct 2020 19:47:16 +0100 Subject: [PATCH 3/4] Fix app url --- production/elastic/wazuh_cf_kibana.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/production/elastic/wazuh_cf_kibana.sh b/production/elastic/wazuh_cf_kibana.sh index adf2698..1af19af 100644 --- a/production/elastic/wazuh_cf_kibana.sh +++ b/production/elastic/wazuh_cf_kibana.sh 
@@ -232,7 +232,7 @@ echo "Setcap executed" >> /tmp/deploy.log get_plugin_url(){ if [[ ${InstallType} == 'packages' ]] then - plugin_url="https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${wazuh_major}.${wazuh_minor}.${wazuh_patch}_${elastic_major_version}.${elastic_minor_version}.${elastic_patch_version}.zip" + plugin_url="https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${wazuh_major}.${wazuh_minor}.${wazuh_patch}_${elastic_major_version}.${elastic_minor_version}.${elastic_patch_version}-1.zip" elif [[ ${InstallType} == 'sources' ]] then BRANCH="$wazuh_major.$wazuh_minor-$elastic_major_version.$elastic_minor_version" From c3bad1aed3cc0164694b72afd77a7c2c09583b2a Mon Sep 17 00:00:00 2001 From: manuasir Date: Tue, 27 Oct 2020 22:38:21 +0100 Subject: [PATCH 4/4] Adding master as provisioning branch --- production/wazuh_template.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/production/wazuh_template.yml b/production/wazuh_template.yml index bac36b7..036eb58 100644 --- a/production/wazuh_template.yml +++ b/production/wazuh_template.yml @@ -535,7 +535,7 @@ Resources: group: root /tmp/wazuh_cf_bootstrap_elastic.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/elastic/wazuh_cf_bootstrap_elastic.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/elastic/wazuh_cf_bootstrap_elastic.sh mode: '000700' owner: root group: root @@ -614,7 +614,7 @@ Resources: group: root /tmp/wazuh_cf_elastic.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/elastic/wazuh_cf_elastic.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/elastic/wazuh_cf_elastic.sh mode: '000700' owner: root group: root 
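Review bot: Pointing the bootstrap `source:` URLs back at `master` (here and in the matching hunks for the other five scripts in this patch) means every stack created from this template fetches whatever those scripts contain at deploy time, without a checksum, and runs them as root with mode 000700, so the template's pinned default `7.9.2_4.0.0` does not actually pin the provisioning logic. Prefer a release tag or commit in the URL, e.g. `https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/<release-tag>/production/elastic/wazuh_cf_bootstrap_elastic.sh`, or, since the template already uses `!Sub`, a template parameter holding the ref so it can be set explicitly per deployment.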
@@ -693,7 +693,7 @@ Resources: group: root /tmp/wazuh_cf_elastic.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/elastic/wazuh_cf_elastic.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/elastic/wazuh_cf_elastic.sh mode: '000700' owner: root group: root @@ -994,7 +994,7 @@ Resources: group: root /tmp/wazuh_cf_kibana.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/elastic/wazuh_cf_kibana.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/elastic/wazuh_cf_kibana.sh mode: '000700' owner: root group: root @@ -1077,7 +1077,7 @@ Resources: group: root /tmp/wazuh_cf_master.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/wazuh/cluster/wazuh_cf_master.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/wazuh/cluster/wazuh_cf_master.sh mode: '000700' owner: root group: root @@ -1160,7 +1160,7 @@ Resources: group: root /tmp/wazuh_cf_worker.sh: source: !Sub >- - https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/feature-adapt-4.0/production/wazuh/cluster/wazuh_cf_worker.sh + https://raw.githubusercontent.com/wazuh/wazuh-cloudformation/master/production/wazuh/cluster/wazuh_cf_worker.sh mode: '000700' owner: root group: root