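#!/bin/bash
# Install Wazuh master instance using Cloudformation template
# Support for Amazon Linux
#
# Reads its parameters from /tmp/wazuh_cf_settings (one "Key: value" per line),
# creates the SSH user, configures the Wazuh and Elastic yum repositories, then
# installs and configures wazuh-manager, wazuh-api, Filebeat and the Splunk
# universal forwarder. Progress messages are appended to /tmp/log.
#
# NOTE(review): the XML element tags inside the ossec.conf / local_rules.xml
# heredocs below are missing from this copy of the script (only the text nodes
# survived) - restore them from the upstream source before running it. Where a
# sed range address lost its opening tag it is reconstructed from the closing
# tag when that is unambiguous; the remaining ones are marked TODO_RESTORE.

log_file='/tmp/log'
settings_file='/tmp/wazuh_cf_settings'

echo "Starting process." > "${log_file}"

# Check if running as root
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root"
  exit 1
fi

# The settings file carries credentials and API keys; stop here rather than
# provisioning with empty values when it is missing.
if [[ ! -r "${settings_file}" ]]; then
  echo "Settings file ${settings_file} is missing or unreadable." >> "${log_file}"
  exit 1
fi

#######################################
# Read one "Key: value" setting from the CloudFormation settings file.
# Globals:   settings_file (read)
# Arguments: $1 - setting name (the text before the colon)
# Outputs:   the value (second space-separated field) on stdout; empty if absent
#######################################
cf_setting() {
  grep -- "^${1}:" "${settings_file}" | cut -d' ' -f2
}

ssh_username=$(cf_setting SshUsername)
ssh_password=$(cf_setting SshPassword)
# Elastic_Wazuh holds both versions in one field as "<elastic>_<wazuh>".
elastic_version=$(cf_setting Elastic_Wazuh | cut -d'_' -f1)
wazuh_version=$(cf_setting Elastic_Wazuh | cut -d'_' -f2)
wazuh_server_port=$(cf_setting WazuhServerPort)
wazuh_registration_port=$(cf_setting WazuhRegistrationPort)
wazuh_api_user=$(cf_setting WazuhApiAdminUsername)
wazuh_api_password=$(cf_setting WazuhApiAdminPassword)
wazuh_api_port=$(cf_setting WazuhApiPort)
wazuh_cluster_key=$(cf_setting WazuhClusterKey)
elb_logstash=$(cf_setting ElbLogstashDNS)
# Primary IPv4 address of eth0 (referenced in the cluster section below).
# ip(8) -o output has a fixed field layout, unlike ifconfig's, whose "inet"
# line differs between net-tools versions.
eth0_ip=$(ip -4 -o addr show dev eth0 | awk '{print $4}' | cut -d'/' -f1 | head -n1)
# The Splunk credentials are read from the Kibana* keys of the settings file.
splunk_username=$(cf_setting KibanaUsername)
splunk_password=$(cf_setting KibanaPassword)
splunk_ip=$(cf_setting SplunkIP)
WindowsPublicIp=$(cf_setting WindowsPublicIp)
VirusTotalKey=$(cf_setting VirusTotalKey)
AwsSecretKey=$(cf_setting AwsSecretKey)
AwsAccessKey=$(cf_setting AwsAccessKey)
SlackHook=$(cf_setting SlackHook)
EnvironmentType=$(cf_setting EnvironmentType)
echo "Added env vars." >> "${log_file}"

# Creating SSH user
adduser "${ssh_username}"
# chpasswd reads the credentials from stdin, so the password is not exposed on
# a command line / in the process list, and it hashes with the system default.
printf '%s:%s\n' "${ssh_username}" "${ssh_password}" | chpasswd
# Passwordless sudo through a validated drop-in instead of appending to
# /etc/sudoers (a malformed line there would break sudo for every user).
sudoers_dropin='/etc/sudoers.d/90-wazuh-cf-ssh-user'
printf '%s ALL=(ALL)NOPASSWD:ALL\n' "${ssh_username}" > "${sudoers_dropin}"
chmod 0440 "${sudoers_dropin}"
if ! visudo -cf "${sudoers_dropin}" >/dev/null 2>&1; then
  echo "Invalid sudoers entry for ${ssh_username}; removed." >> "${log_file}"
  rm -f -- "${sudoers_dropin}"
fi
# Password logins are needed for the user created above; this exposes sshd to
# password guessing, so keep the security group restricted.
sed -i 's|[#]*PasswordAuthentication no|PasswordAuthentication yes|g' /etc/ssh/sshd_config
service sshd restart
echo "Created SSH user." >> "${log_file}"

# Select the Wazuh package repository for this environment.
# $releasever inside the repo files is expanded by yum, not by this script.
case "${EnvironmentType}" in
  staging)
    # Adding Wazuh pre_release repository
    cat > /etc/yum.repos.d/wazuh_pre.repo <<'EOF'
[wazuh_pre_release]
gpgcheck=1
gpgkey=https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/pre-release/yum/
protect=1
EOF
    ;;
  production)
    cat > /etc/yum.repos.d/wazuh.repo <<'EOF'
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
    ;;
  devel)
    cat > /etc/yum.repos.d/wazuh_staging.repo <<'EOF'
[wazuh_staging]
gpgcheck=1
gpgkey=https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/staging/yum/
protect=1
EOF
    ;;
  *)
    echo 'no repo' >> /tmp/stage
    ;;
esac

# Configuring Elastic repository
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
cat > /etc/yum.repos.d/elastic.repo <<'EOF'
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

# Installing wazuh-manager
yum -y install wazuh-manager
chkconfig --add wazuh-manager
manager_config='/var/ossec/etc/ossec.conf'
local_rules='/var/ossec/etc/rules/local_rules.xml'
# Enable registration service (only for master node)
echo "Installed wazuh manager package" >> "${log_file}"

### Use case 1: IP reputation
# NOTE(review): both files are fetched without pinning or checksum and the
# Python helper is then executed as root; consider vendoring them.
lists_dir='/var/ossec/etc/lists'
wget https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset -O "${lists_dir}/alienvault_reputation.ipset"
wget https://wazuh.com/resources/iplist-to-cdblist.py -O "${lists_dir}/iplist-to-cdblist.py"
# Add Windows public IP to the list (skipped when the setting is empty so no
# blank entry ends up in the CDB list)
if [[ -n "${WindowsPublicIp}" ]]; then
  printf '%s\n' "${WindowsPublicIp}" >> "${lists_dir}/alienvault_reputation.ipset"
fi
python "${lists_dir}/iplist-to-cdblist.py" "${lists_dir}/alienvault_reputation.ipset" "${lists_dir}/blacklist-alienvault"
# Delete ipset and python script
rm -f -- "${lists_dir}/alienvault_reputation.ipset" "${lists_dir}/iplist-to-cdblist.py"
/var/ossec/bin/ossec-makelists
echo "Updated CDB list ,added Windows agent IP." >> "${log_file}"

# Change manager protocol to tcp, to be used by Amazon ELB
sed -i "s/udp<\/protocol>/tcp<\/protocol>/" "${manager_config}"
# Set manager port for agent communications
sed -i "s/1514<\/port>/${wazuh_server_port}<\/port>/" "${manager_config}"

# Configuring registration service
sed -i '/<auth>/,/<\/auth>/d' "${manager_config}"
cat >> "${manager_config}" << EOF
no ${wazuh_registration_port} no yes 0 yes yes yes HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH no /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key no
EOF
# Setting password for agents registration
# NOTE(review): nothing visible in this copy writes a registration password;
# the log line is kept, appended (">>") like every other progress message.
echo "Set registration password." >> "${log_file}"

# Installing Python Cryptography module for the cluster
pip install cryptography

# Configuring cluster section
sed -i '/<cluster>/,/<\/cluster>/d' "${manager_config}"
cat >> "${manager_config}" << EOF
wazuh wazuh-master master ${wazuh_cluster_key} 1516 0.0.0.0 ${eth0_ip} no no
EOF

# Disabling agent components and cleaning configuration file
# TODO_RESTORE: the opening patterns of the four wodle ranges and of the two
# single-line deletions were lost together with the XML tags; as written,
# sed rejects the empty "//" address and leaves the file untouched.
sed -i '//,/<\/wodle>/d' "${manager_config}"
sed -i '//,/<\/wodle>/d' "${manager_config}"
sed -i '/<ruleset>/,/<\/ruleset>/d' "${manager_config}"
sed -i '//,/<\/wodle>/d' "${manager_config}"
sed -i '//,/<\/wodle>/d' "${manager_config}"
sed -i '/<localfile>/,/<\/localfile>/d' "${manager_config}"
sed -i '//d' "${manager_config}"
sed -i '//d' "${manager_config}"
sed -i '/^$/d' "${manager_config}"

# Add ruleset and lists
cat >> "${manager_config}" << EOF
ruleset/decoders ruleset/rules 0215-policy_rules.xml etc/lists/audit-keys etc/lists/amazon/aws-eventnames etc/lists/security-eventchannel etc/lists/blacklist-alienvault etc/decoders etc/rules
EOF

# Use case: Open-SCAP configuration
# Install dependencies
yum -y install openscap-scanner
# Configure wodles
cat >> "${manager_config}" << EOF
no 1800 1d yes xccdf_org.ssgproject.content_profile_pci-dss xccdf_org.ssgproject.content_profile_common
EOF

# Add VirusTotal integration if key already set
if [[ -n "${VirusTotalKey}" ]]; then
  cat >> "${manager_config}" << EOF
virustotal ${VirusTotalKey} 100200 json
EOF
fi

cat >> "${local_rules}" << EOF
550,553,554 ^/tmp File modified or created in /tmp directory. 530 ^ossec: output: 'process list' List of running processes. process_monitor, 100050 nc -l Netcat listening for incoming connections. process_monitor, web|attack|attacks etc/lists/blacklist-alienvault IP address found in AlienVault reputation database.
EOF

# Slack integration
if [[ -n "${SlackHook}" ]]; then
  cat >> "${manager_config}" << EOF
slack ${SlackHook} 10 json
EOF
fi

# AWS integration if key already set
# NOTE(review): the long-lived access/secret key pair is persisted in
# ossec.conf; an instance role avoids storing it on disk at all.
if [[ -n "${AwsAccessKey}" ]]; then
  cat >> "${manager_config}" << EOF
no no 30m yes no wazuh-cloudtrail ${AwsAccessKey} ${AwsSecretKey} 2019-MAR-24 wazuh-aws-wodle guardduty ${AwsAccessKey} ${AwsSecretKey} 2019-MAR-24 wazuh-aws-wodle macie ${AwsAccessKey} ${AwsSecretKey} 2019-MAR-24 wazuh-aws-wodle vpc ${AwsAccessKey} ${AwsSecretKey} 2019-MAR-24 ${AwsAccessKey} ${AwsSecretKey}
EOF
fi

# Audit rules: execve auditing for a set of effective uids.
# UID is a read-only bash variable, so the original "UID=$(id -u ...)"
# assignment failed; use a plain variable instead. Under the root check above
# this is 0. The euids 1002/1003 are hard-coded - confirm they match the
# users on this host. auditctl rejects a rule that already exists, so each
# euid is emitted only once.
current_uid=$(id -u)
declare -A audit_seen=()
for audit_euid in 0 1003 1002 "${current_uid}"; do
  [[ -n "${audit_seen[${audit_euid}]:-}" ]] && continue
  audit_seen["${audit_euid}"]=1
  printf -- '-a exit,always -F euid=%s -F arch=b32 -S execve -k audit-wazuh-c\n' "${audit_euid}"
  printf -- '-a exit,always -F euid=%s -F arch=b64 -S execve -k audit-wazuh-c\n' "${audit_euid}"
done >> /etc/audit/rules.d/audit.rules
auditctl -D
auditctl -R /etc/audit/rules.d/audit.rules
# NOTE(review): the rules are already loaded by auditctl -R above; the unit
# name "audit" may not match this platform's audit service (commonly auditd)
# - confirm.
systemctl restart audit

# Localfiles
cat >> "${manager_config}" << EOF
full_command process list ps -e -o pid,uname,command 30 firewall-drop firewall-drop.sh srcip yes firewall-drop local 100100 60
EOF

# Vuln detector
cat >> "${manager_config}" << EOF
no 12m 6h yes no 1h no 2010 1h no 1h
EOF

# Restart wazuh-manager
service wazuh-manager restart
echo "Restarted Wazuh manager." >> "${log_file}"

# Installing NodeJS
# NOTE(review): this runs a remote, unpinned script as root; vendoring it or
# checking a known digest first removes the supply-chain exposure.
curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
yum -y install nodejs
echo "Installed NODEJS." >> "${log_file}"

# Installing wazuh-api
yum -y install wazuh-api
chkconfig --add wazuh-api
echo "Installed Wazuh API." >> "${log_file}"

# Configuring Wazuh API user and password
# Run in a subshell so the working directory of the rest of the script is
# unchanged (previously every later relative path, e.g. the Splunk RPM
# download, landed inside the API auth directory).
# NOTE(review): htpasswd -b takes the password on the command line, where it
# is visible in the process list while the command runs.
(
  cd /var/ossec/api/configuration/auth || exit 1
  node htpasswd -b -c user "${wazuh_api_user}" "${wazuh_api_password}"
) || echo "Failed to configure the Wazuh API user." >> "${log_file}"

# Enable Wazuh API SSL and configure listening port
api_ssl_dir='/var/ossec/api/configuration/ssl'
# NOTE(review): server.key is written with the default umask; tighten its mode
# once the account the API runs as is confirmed.
openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout "${api_ssl_dir}/server.key" -out "${api_ssl_dir}/server.crt"
sed -i "s/config.https = \"no\";/config.https = \"yes\";/" /var/ossec/api/configuration/config.js
sed -i "s/config.port = \"55000\";/config.port = \"${wazuh_api_port}\";/" /var/ossec/api/configuration/config.js
echo "Setting port and SSL to Wazuh API." >> "${log_file}"

# Restart wazuh-api
service wazuh-api restart
echo "Restarted Wazuh API." >> "${log_file}"

# Installing Filebeat
yum -y install "filebeat-${elastic_version}"
chkconfig --add filebeat
echo "Installed Filebeat." >> "${log_file}"

# Configuring Filebeat (-f keeps a failed download from leaving an HTML error
# page in place of the config)
if curl -sf -o /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.9/extensions/filebeat/filebeat.yml; then
  sed -i "s|YOUR_ELASTIC_SERVER_IP|${elb_logstash}|" /etc/filebeat/filebeat.yml
else
  echo "Failed to download filebeat.yml; Filebeat left unconfigured." >> "${log_file}"
fi
service filebeat restart
echo "Restarted Filebeat." >> "${log_file}"

# Disable repositories
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo

# Setting up Splunk Forwarder
yum -y install wget
# download splunkforwarder into a private temporary directory
splunk_rpm='splunkforwarder-7.2.3-06d57c595b80-linux-2.6-x86_64.rpm'
splunk_tmp=$(mktemp -d)
echo 'Downloading Splunk Forwarder...'
if wget -O "${splunk_tmp}/${splunk_rpm}" 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.3&product=universalforwarder&filename=splunkforwarder-7.2.3-06d57c595b80-linux-2.6-x86_64.rpm&wget=true' &> /dev/null; then
  # install splunkforwarder
  echo 'Installing Splunk Forwarder...'
  yum -y -q install "${splunk_tmp}/${splunk_rpm}" &> /dev/null
else
  echo "Splunk forwarder download failed." >> "${log_file}"
fi
rm -rf -- "${splunk_tmp:?}"
echo "Setting up Splunk forwarder..."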
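# props.conf
# Splunk forwarder configuration files are fetched from the wazuh 3.9 branch
# (-f keeps a failed download from leaving an HTML error page in place).
splunk_local='/opt/splunkforwarder/etc/system/local'
curl -sf -o "${splunk_local}/props.conf" https://raw.githubusercontent.com/wazuh/wazuh/3.9/extensions/splunk/props.conf \
  || echo "Failed to download Splunk props.conf." >> /tmp/log
# inputs.conf
curl -sf -o "${splunk_local}/inputs.conf" https://raw.githubusercontent.com/wazuh/wazuh/3.9/extensions/splunk/inputs.conf \
  || echo "Failed to download Splunk inputs.conf." >> /tmp/log
# set hostname
sed -i "s:MANAGER_HOSTNAME:$(hostname):g" "${splunk_local}/inputs.conf"
# create credential file: seed the forwarder's admin account before its first
# start. The seed has to live under the forwarder install (/opt/splunkforwarder,
# not /opt/splunk), and the heredoc delimiter is unquoted so the credentials
# are expanded rather than written literally.
cat > "${splunk_local}/user-seed.conf" << EOF
[user_info]
USERNAME = ${splunk_username}
PASSWORD = ${splunk_password}
EOF
chmod 600 "${splunk_local}/user-seed.conf"
echo "Starting Splunk..."
# accept license
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt &> /dev/null \
  || echo "Splunk forwarder start failed." >> /tmp/log
# forward to index, authenticating with the seeded admin account.
# NOTE(review): -auth puts the password on the command line, visible in the
# process list while the call runs.
/opt/splunkforwarder/bin/splunk add forward-server "${splunk_ip}:9997" -auth "${splunk_username}:${splunk_password}" &> /dev/null \
  || echo "Splunk add forward-server failed." >> /tmp/log
# restart service
/opt/splunkforwarder/bin/splunk restart &> /dev/null
echo "Done with Splunk." >> /tmp/log

# Creating groups
for agent_group in apache redhat windows mysql; do
  /var/ossec/bin/agent_groups -a -g "${agent_group}" -q
done

# Give time to the instances dependencies to be properly installed
sleep 360

# NOTE(review): the XML element tags inside the agent.conf heredocs below are
# missing from this copy of the script (only the text nodes survived);
# restore them from the upstream source before running it. The sed ranges
# are reconstructed from their closing </agent_config> tag.

# Write RHEL7 shared config
redhat_conf='/var/ossec/etc/shared/redhat/agent.conf'
sed -i '/<agent_config>/,/<\/agent_config>/d' "${redhat_conf}"
cat >> "${redhat_conf}" << EOF
10m 5 yes no no 43200 yes /usr/bin,/usr/sbin /bin,/sbin,/boot /etc/cron* /home,/root /tmp /etc/mtab /etc/hosts.deny /etc/mail/statistics /etc/random-seed /etc/random.seed /etc/adjtime /etc/httpd/logs /etc/utmpx /etc/wtmpx /etc/cups/certs /etc/dumpdates /etc/svc/volatile .log$|.tmp$|.swp$|.viminfo$ /etc/ssl/private.key yes no yes yes yes no no yes no no 60 /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt yes no 1800 1d yes xccdf_org.ssgproject.content_profile_pci-dss xccdf_org.ssgproject.content_profile_common no 1h yes yes yes yes yes yes yes no yes /usr/bin /var/log/osquery/osqueryd.results.log /etc/osquery/osquery.conf no command df -P 360 full_command netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d netstat listening ports 360 full_command last -n 20 360 apache /var/log/httpd/error_log* apache /var/log/httpd/access_log* audit /var/log/audit/audit.log syslog /var/ossec/logs/active-responses.log syslog /var/log/messages syslog /var/log/secure syslog /var/log/maillog syslog /var/log/suricata/eve.json full_command process list ps -e -o pid,uname,command 30
EOF

# Write Windows shared config
windows_conf='/var/ossec/etc/shared/windows/agent.conf'
sed -i '/<agent_config>/,/<\/agent_config>/d' "${windows_conf}"
cat >> "${windows_conf}" << EOF
no 1h
yes yes yes yes no yes C:\ProgramData\osquery\osqueryd C:\ProgramData\osquery\log\osqueryd.results.log C:\ProgramData\osquery\osquery.conf no C:\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log iis yes C:\Santiago
EOF

# Write apache shared config
apache_conf='/var/ossec/etc/shared/apache/agent.conf'
sed -i '/<agent_config>/,/<\/agent_config>/d' "${apache_conf}"
cat >> "${apache_conf}" << EOF
no 43200 yes /etc/httpd .log$|.tmp$|.swp$|.viminfo$
EOF

# Write mysql shared config
mysql_conf='/var/ossec/etc/shared/mysql/agent.conf'
sed -i '/<agent_config>/,/<\/agent_config>/d' "${mysql_conf}"
cat >> "${mysql_conf}" << EOF
/var/lib/mysql
EOF

# Attach agents to groups
# The id is parsed as before (second ':'-field, first ','-field) from the
# first agent whose line matches RHEL, with surrounding whitespace stripped so
# it can be passed quoted. Several matching agents would previously have
# produced a multi-line id; only the first one is used now.
rhel_id=$(/var/ossec/bin/manage_agents -l | grep RHEL | head -n1 | cut -d':' -f2 | cut -d',' -f1 | tr -d '[:space:]')
#windows_id = /var/ossec/bin/manage_agents -l | grep Windows | cut -d':' -f2 | cut -d ',' -f1
if [[ -n "${rhel_id}" ]]; then
  for agent_group in redhat mysql apache; do
    /var/ossec/bin/agent_groups -a -g "${agent_group}" -i "${rhel_id}" -q
  done
else
  echo "No RHEL agent registered; group assignment skipped." >> /tmp/log
fi
#/var/ossec/bin/agent_groups -a -g windows -i ${windows_id} -q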