Wazuh is a security platform that combines XDR and SIEM for monitoring and protecting endpoints and cloud workloads [Link]. An agent is available for virtually every platform: Linux, Windows, macOS, Solaris, HP-UX, and AIX.

Bare minimum requirements (start small and expand as needed):

  • 2 vCPU
  • 4 GB of RAM
  • 50 GB of Storage

Even though the minimum requirements I recommend are half of those in the official documentation, I manage to monitor over 50 endpoints with them at 2.5% average CPU utilisation and 65 to 85% RAM. The key to my use case is that I monitor Linux endpoints with no users playing around: only stand-alone servers running their automatic workloads. This keeps the number of events to a minimum.


INSTALLATION

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

It may take some time, but when the installation completes it prints the generated password for the admin account:

INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.3
INFO: Verbose logging redirected to /var/log/wazuh-install.log
INFO: Wazuh web interface port will be 443.
INFO: --- Dependencies ----
INFO: Installing apt-transport-https.
INFO: Wazuh repository added.
INFO: --- Configuration files ---
INFO: Generating configuration files.
INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
INFO: --- Wazuh indexer ---
INFO: Starting Wazuh indexer installation.
INFO: Wazuh indexer installation finished.
INFO: Wazuh indexer post-install configuration finished.
INFO: Starting service wazuh-indexer.
INFO: wazuh-indexer service started.
INFO: Initializing Wazuh indexer cluster security settings.
INFO: Wazuh indexer cluster initialized.
INFO: --- Wazuh server ---
INFO: Starting the Wazuh manager installation.
INFO: Wazuh manager installation finished.
INFO: Starting service wazuh-manager.
INFO: wazuh-manager service started.
INFO: Starting Filebeat installation.
INFO: Filebeat installation finished.
INFO: Filebeat post-install configuration finished.
INFO: Starting service filebeat.
INFO: filebeat service started.
INFO: --- Wazuh dashboard ---
INFO: Starting Wazuh dashboard installation.
INFO: Wazuh dashboard installation finished.
INFO: Wazuh dashboard post-install configuration finished.
INFO: Starting service wazuh-dashboard.
INFO: wazuh-dashboard service started.
INFO: Initializing Wazuh dashboard web application.
INFO: Wazuh dashboard web application initialized.
INFO: --- Summary ---
INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
24/03/2024 14:23:29 INFO: Installation finished.

Navigate to the URL using the newly created credentials.


SETTING UP AGENTS

After logging in to the Dashboard, click on Add Agent.

Select the platform and architecture of the endpoint to be monitored, provide the server address (ideally a local DNS name that points to the server, in case its IP changes), and the group (in my case I left the default).

Note that the dashboard does nothing more than compose a command line that can be copied and executed on the host.

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.3-1_amd64.deb && sudo WAZUH_MANAGER='192.168.1.10' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent_4.7.3-1_amd64.deb

Unfortunately, after installing the agent it is neither started nor enabled on boot automatically, so run the following command too.

sudo systemctl daemon-reload && sudo systemctl enable wazuh-agent && sudo systemctl start wazuh-agent

It may take a few seconds for the agent to change to Active Agents.
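"Active" from systemctl only says the process is running; whether it actually reached the manager is in the agent's own log. The check below is an added example, not part of the original post or of Wazuh itself. It assumes the Wazuh 4.x agent log at /var/ossec/logs/ossec.log and the wording wazuh-agentd uses there ("Connected to the server ([IP]:PORT/PROTO)" on success, "Unable to connect" on failure); the sample log lines, IP and timestamps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): after the install and
# `systemctl start wazuh-agent` steps, read the agent's own log to confirm
# it reached the manager. Assumption: Wazuh 4.x wording in
# /var/ossec/logs/ossec.log.

WAZUH_AGENT_LOG="${WAZUH_AGENT_LOG:-/var/ossec/logs/ossec.log}"

# agent_connection_state LOGFILE
# Prints "connected <ip>:<port>/<proto>" when the latest wazuh-agentd
# connection message is a success, "disconnected" when it is a failure,
# and "unknown" when the log holds neither.
agent_connection_state() {
    last=$(grep -E 'wazuh-agentd: (INFO|ERROR): .*(Connected to the server|Unable to connect)' "$1" 2>/dev/null | tail -n 1)
    case "$last" in
        *"Connected to the server"*)
            # pull "[ip]:port/proto" out of the parentheses and drop the brackets
            addr=$(printf '%s\n' "$last" | sed -n 's/.*Connected to the server (\[\([^]]*\)\]:\([^)]*\)).*/\1:\2/p')
            printf 'connected %s\n' "$addr" ;;
        *"Unable to connect"*) printf 'disconnected\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# write_sample_agent_log FILE
# Constructed sample of what ossec.log looks like while the agent retries
# and then succeeds; the IP and timestamps are made up for this example.
write_sample_agent_log() {
    cat > "$1" <<'EOF'
2024/03/24 14:30:01 wazuh-agentd: INFO: Started (pid: 1234).
2024/03/24 14:30:02 wazuh-agentd: ERROR: (1216): Unable to connect to '192.168.1.10': 'Connection refused'.
2024/03/24 14:30:12 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.10]:1514/tcp).
EOF
}

if [ -r "$WAZUH_AGENT_LOG" ]; then
    # On a real agent: inspect the real log.
    agent_connection_state "$WAZUH_AGENT_LOG"
else
    # Anywhere else: demonstrate on the constructed sample.
    tmp=$(mktemp)
    write_sample_agent_log "$tmp"
    agent_connection_state "$tmp"   # prints: connected 192.168.1.10:1514/tcp
    rm -f "$tmp"
fi
```

Run it on the endpoint as root (the log is not world-readable). The manager-side counterpart is listing registered agents with /var/ossec/bin/agent_control -l on the server, which should show the new host as Active once the log reports the connection.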

All good, now!


MONITORING END-POINTS

By clicking any Agent (endpoint), events will start to populate. Note that right after an agent joins, a series of checks runs (not too resource intensive).

Then new events are created as they happen on the server.

A summary of the current status of the agent: it classifies each issue/event with its respective TTP (Tactic, Technique, and Procedure) from the MITRE ATT&CK framework and correlates it to the compliance regulations.

See example:

Note: it will flag a lot of false positives, and it takes a thorough understanding of the system and its applications to tell normal operation from what needs investigation. For example, user/admin logins will be recorded as events. System patches will cause a massive number of events. And so on…
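The way to deal with that noise in Wazuh is a local rule on the manager rather than ignoring the event. The fragment below is an added example, not from the original post or the Wazuh project; it goes in /var/ossec/etc/rules/local_rules.xml. It assumes Wazuh's built-in rule 5715 ("sshd: authentication success") as the parent, and 10.0.0.0/8 is a placeholder for your own management network.

```xml
<!-- Added example (not from the original post or Wazuh): tune the login events
     the text mentions. Child rules of 5715 win when they match, so the
     parent's generic alert is replaced by one that carries the context.
     10.0.0.0/8 is a placeholder for your management network. -->
<group name="local,syslog,sshd,">

  <!-- Expected admin logins from the management network: keep them at a low
       level so they stay recorded without standing out in the dashboard. -->
  <rule id="100100" level="3">
    <if_sid>5715</if_sid>
    <srcip>10.0.0.0/8</srcip>
    <description>sshd: successful login from the management network (expected)</description>
  </rule>

  <!-- A successful login from anywhere else is the one worth investigating,
       so raise it above the parent's level. -->
  <rule id="100101" level="10">
    <if_sid>5715</if_sid>
    <srcip>!10.0.0.0/8</srcip>
    <description>sshd: successful login from outside the management network</description>
  </rule>

</group>
```

Custom rule IDs must be 100000 or higher, and the manager has to be restarted (systemctl restart wazuh-manager) for the file to be read. Before restarting, feed a real sshd "Accepted" line from one of your endpoints to /var/ossec/bin/wazuh-logtest and confirm it lands on 100100 or 100101 rather than 5715.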

Vulnerability Detector and Security Configuration Assessment (SCA) come disabled by default. Enable them!

Feel free to enable all the individual vulnerability repositories. In the example above, I enabled Canonical (Ubuntu).
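The same two switches can be set in ossec.conf instead of from the dashboard, which is handy when you roll out many servers from a template. The fragments below are an added example, not from the original post; they follow the Wazuh 4.7 configuration syntax, and the Ubuntu release codenames and intervals are assumptions to adapt to your fleet.

```xml
<!-- Added example (not from the original post). Both fragments sit inside
     <ossec_config> in /var/ossec/etc/ossec.conf. -->

<!-- 1) On the MANAGER: vulnerability detection with the Canonical feed, as in
        the text. Add one <provider> per distribution you run; the <os>
        entries are the Ubuntu codenames your agents actually use. -->
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>

  <provider name="canonical">
    <enabled>yes</enabled>
    <os>focal</os>
    <os>jammy</os>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>

<!-- 2) On each AGENT: Security Configuration Assessment. The built-in CIS
        policy for the agent's OS is picked up automatically; skip_nfs keeps
        the scanner off network mounts. -->
<sca>
  <enabled>yes</enabled>
  <scan_on_start>yes</scan_on_start>
  <interval>12h</interval>
  <skip_nfs>yes</skip_nfs>
</sca>
```

Restart wazuh-manager after the first fragment and wazuh-agent after the second. The first full vulnerability scan downloads the whole feed and walks every package on every agent, so expect a short CPU spike on the manager before it settles back to the low utilisation mentioned at the top.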

This is where the real work starts!


BONUS

For MS Windows endpoints, check out BLUESPAWN [Link]. It is another open-source EDR.