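#!/bin/bash
# Install Wazuh worker instance using Cloudformation template
# Support for Amazon Linux
#
# Reads the parameters CloudFormation wrote to /tmp/wazuh_cf_settings (one
# "Key: value" per line), creates the SSH user, configures the Wazuh and
# Elastic yum repositories, installs wazuh-manager and joins it to the
# cluster as a worker node. Progress messages are appended to /tmp/log.
#
# NOTE(review): the XML written to ossec.conf below was reconstructed from
# the Wazuh 3.x configuration schema (the element text matched the values
# this script carried); compare it against the upstream template before use.

settings_file="/tmp/wazuh_cf_settings"
log_file="/tmp/log"

# Append a progress message to the log file.
log() {
  printf '%s\n' "$*" >> "${log_file}"
}

# Write a fatal error to stderr and the log file, then exit non-zero.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  log "ERROR: $*"
  exit 1
}

# Print the value of one "Key: value" line of the settings file.
# Arguments: $1 - key name, matched literally at the start of a line
# Outputs:   the second space-separated field of the matching line (empty
#            when the key is absent, as in the original pipelines)
cf_setting() {
  grep -- "^$1:" "${settings_file}" | cut -d' ' -f2
}

# Check if running as root (done first: everything below writes system files)
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root"
  exit 1
fi

touch "${log_file}"
log "Starting process."

[[ -r "${settings_file}" ]] || die "settings file ${settings_file} is missing"
# The settings file carries credentials (SSH password, AWS keys, cluster
# key); keep it readable by root only while it exists.
chmod 600 "${settings_file}"

ssh_username=$(cf_setting SshUsername)
ssh_password=$(cf_setting SshPassword)
# Elastic_Wazuh is "<elastic version>_<wazuh version>"
elastic_version=$(cf_setting Elastic_Wazuh | cut -d'_' -f1)
# Not used below (the Elastic repo is pinned to 6.x); kept for parity with
# the settings file.
wazuh_version=$(cf_setting Elastic_Wazuh | cut -d'_' -f2)
wazuh_server_port=$(cf_setting WazuhServerPort)
wazuh_cluster_key=$(cf_setting WazuhClusterKey)
wazuh_master_ip=$(cf_setting WazuhMasterIP)
elb_logstash=$(cf_setting ElbLogstashDNS)
VirusTotalKey=$(cf_setting VirusTotalKey)
AwsSecretKey=$(cf_setting AwsSecretKey)
AwsAccessKey=$(cf_setting AwsAccessKey)
SlackHook=$(cf_setting SlackHook)
EnvironmentType=$(cf_setting EnvironmentType)

# Creating SSH user
[[ -n "${ssh_username}" ]] || die "SshUsername is not set in ${settings_file}"
adduser "${ssh_username}"
# Passwordless sudo goes into a validated drop-in instead of being appended
# to /etc/sudoers, so a malformed line cannot lock sudo for the whole host.
# sudo skips drop-in names containing '.', hence the substitution.
# Assumes /etc/sudoers carries "#includedir /etc/sudoers.d" — TODO confirm on the AMI.
sudoers_file="/etc/sudoers.d/${ssh_username//./_}"
printf '%s ALL=(ALL) NOPASSWD:ALL\n' "${ssh_username}" > "${sudoers_file}"
chmod 0440 "${sudoers_file}"
visudo -cf "${sudoers_file}" || { rm -f -- "${sudoers_file}"; die "invalid sudoers entry for ${ssh_username}"; }
# Feed the password to chpasswd on stdin so it never appears on a command
# line (argv is visible to every local user through ps); this also uses the
# system's default password hash instead of the MD5 crypt of "openssl passwd -1".
printf '%s:%s\n' "${ssh_username}" "${ssh_password}" | chpasswd
sed -i 's|[#]*PasswordAuthentication no|PasswordAuthentication yes|g' /etc/ssh/sshd_config
service sshd restart
log "Created SSH user."

# Select the Wazuh package repository for this environment. The heredoc
# delimiters are quoted so "$releasever" stays literal for yum to expand.
if [[ "${EnvironmentType}" == 'staging' ]]; then
  # Adding Wazuh pre_release repository
  cat > /etc/yum.repos.d/wazuh_pre.repo <<'EOF'
[wazuh_pre_release]
gpgcheck=1
gpgkey=https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/pre-release/yum/
protect=1
EOF
elif [[ "${EnvironmentType}" == 'production' ]]; then
  cat > /etc/yum.repos.d/wazuh.repo <<'EOF'
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
elif [[ "${EnvironmentType}" == 'devel' ]]; then
  cat > /etc/yum.repos.d/wazuh_staging.repo <<'EOF'
[wazuh_staging]
gpgcheck=1
gpgkey=https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/staging/yum/
protect=1
EOF
else
  # Unknown environment: no Wazuh repo is configured, so the install below
  # will fail; record the fact as the original did.
  echo 'no repo' >> /tmp/stage
  log "no Wazuh repository configured for EnvironmentType '${EnvironmentType}'"
fi

# Configuring Elastic repository
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# Not used below: the repository is pinned to 6.x regardless of the
# Elastic_Wazuh setting.
elastic_major_version=$(printf '%s\n' "${elastic_version}" | cut -d'.' -f1)
cat > /etc/yum.repos.d/elastic.repo <<'EOF'
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

# Installing wazuh-manager; nothing below makes sense without it.
yum -y install wazuh-manager || die "wazuh-manager installation failed"
chkconfig --add wazuh-manager
manager_config="/var/ossec/etc/ossec.conf"
# Install dependencies
yum -y install openscap-scanner
log "Installed wazuh manager package"

# Change manager protocol to tcp, to be used by Amazon ELB
sed -i 's|udp</protocol>|tcp</protocol>|' "${manager_config}"
# Set manager ports for agents communication. The value is spliced into a
# sed expression and an XML element, so accept digits only.
[[ "${wazuh_server_port}" =~ ^[0-9]+$ ]] || die "WazuhServerPort must be numeric, got '${wazuh_server_port}'"
sed -i "s|1514</port>|${wazuh_server_port}</port>|" "${manager_config}"

# Installing Python Cryptography module for the cluster (version unpinned)
pip install cryptography
log "Installed cryptography with pip"

# Configuring cluster section: drop the packaged <cluster> block and append
# the worker definition pointing at the master node.
sed -i '/<cluster>/,/<\/cluster>/d' "${manager_config}"
cat >> "${manager_config}" <<EOF
<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>wazuh-worker</node_name>
    <node_type>worker</node_type>
    <key>${wazuh_cluster_key}</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>${wazuh_master_ip}</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>
EOF

# Restart for receiving cluster data
service wazuh-manager restart
# Wait for cluster information to be received (rules,lists...)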
sleep 60
# Disabling agent components and cleaning configuration file
# NOTE(review): every address pattern below starts with an empty regex (`//`),
# which sed rejects ("no previous regular expression") and then deletes
# nothing. The opening-tag pattern (e.g. the `<wodle name="...">` that pairs
# with each `<\/wodle>`) appears to have been lost when this file was
# extracted; restore it from the upstream template before running.
sed -i '//,/<\/wodle>/d' ${manager_config}
sed -i '//,/<\/wodle>/d' ${manager_config}
sed -i '//,/<\/ruleset>/d' ${manager_config}
sed -i '//,/<\/auth>/d' ${manager_config}
sed -i '//,/<\/wodle>/d' ${manager_config}
sed -i '//,/<\/wodle>/d' ${manager_config}
sed -i '//,/<\/localfile>/d' ${manager_config}
sed -i '//d' ${manager_config}
sed -i '//d' ${manager_config}
# Drop the blank lines left behind by the deletions above.
sed -i '/^$/d' ${manager_config}
# Add ruleset and lists
# NOTE(review): only the element text survived in the heredocs that follow
# (the XML tags of the ruleset, wodle, integration, localfile, command,
# active-response and vulnerability-detector sections are missing), so as
# written they append bare words to ossec.conf. Recover the markup from the
# upstream template; the values themselves are kept here unchanged.
cat >> ${manager_config} << EOF
ruleset/decoders ruleset/rules 0215-policy_rules.xml etc/lists/audit-keys etc/lists/amazon/aws-eventnames etc/lists/security-eventchannel etc/lists/blacklist-alienvault etc/decoders etc/rules
EOF
# OpenSCAP settings: the two xccdf profiles to evaluate.
cat >> ${manager_config} << EOF
no 1800 1d yes xccdf_org.ssgproject.content_profile_pci-dss xccdf_org.ssgproject.content_profile_common
EOF
# Add VirusTotal integration if key already set ("x" prefix = non-empty test)
if [ "x${VirusTotalKey}" != "x" ]; then
cat >> ${manager_config} << EOF
virustotal ${VirusTotalKey} 100200 json
EOF
fi
# Slack integration, only when a webhook was provided
if [ "x${SlackHook}" != "x" ]; then
cat >> ${manager_config} << EOF
slack ${SlackHook} 10 json
EOF
fi
# AWS integration if key already set. The secret key is written into
# ossec.conf in clear text; that file's permissions are what protects it.
# The "vpc" entry still carries XXXX placeholders and is not parameterised.
if [ "x${AwsAccessKey}" != "x" ]; then
cat >> ${manager_config} << EOF
no no 30m yes no wazuh-cloudtrail ${AwsAccessKey} ${AwsSecretKey} 2019-MAR-24 wazuh-aws-wodle guardduty ${AwsAccessKey} ${AwsSecretKey} 2019-MAR-24 wazuh-aws-wodle macie ${AwsAccessKey} ${AwsSecretKey} 2019-MAR-24 wazuh-aws-wodle vpc XXXX XXXX 2019-MAR-24 XXXX XXXX
EOF
fi
# NOTE(review): UID is a read-only bash variable, so this assignment fails
# with "UID: readonly variable" and `${UID}` below expands to bash's own
# value. Because the script already insisted on running as root, that is 0,
# so the last two audit rules duplicate the euid=0 ones. A differently named
# variable (e.g. run_uid=$(id -u)) would make the intent explicit.
UID=$(id -u `whoami`)
# Audit rules: log every execve by the listed effective uids under the
# "audit-wazuh-c" key, for both 32- and 64-bit syscall ABIs. The uids
# 1002/1003 are hard-coded rather than looked up on this host — confirm
# they match the intended accounts on the AMI.
cat >> /etc/audit/rules.d/audit.rules << EOF
-a exit,always -F euid=0 -F arch=b32 -S execve -k audit-wazuh-c
-a exit,always -F euid=0 -F arch=b64 -S execve -k audit-wazuh-c
-a exit,always -F euid=1003 -F arch=b32 -S execve -k audit-wazuh-c
-a exit,always -F euid=1003 -F arch=b64 -S execve -k audit-wazuh-c
-a exit,always -F euid=1002 -F arch=b32 -S execve -k audit-wazuh-c
-a exit,always -F euid=1002 -F arch=b64 -S execve -k audit-wazuh-c
-a exit,always -F euid=1003 -F arch=b32 -S execve -k audit-wazuh-c
-a exit,always -F euid=1003 -F arch=b64 -S execve -k audit-wazuh-c
-a exit,always -F euid=${UID} -F arch=b32 -S execve -k audit-wazuh-c
-a exit,always -F euid=${UID} -F arch=b64 -S execve -k audit-wazuh-c
EOF
# Flush the loaded rules and reload the whole file (the rules above were
# appended, so existing entries in the file are re-applied too).
auditctl -D
auditctl -R /etc/audit/rules.d/audit.rules
# NOTE(review): the rest of this script manages services with
# service/chkconfig; confirm that systemctl exists on the target AMI and
# that "audit" is the unit name there (the daemon is commonly "auditd").
systemctl restart audit
# Localfiles: periodic process listing, plus the firewall-drop command and
# its active response for rule 100100.
cat >> ${manager_config} << EOF
full_command process list ps -e -o pid,uname,command 30 firewall-drop firewall-drop.sh srcip yes firewall-drop local 100100 60
EOF
# Vuln detector
cat >> ${manager_config} << EOF
no 12m 6h yes no 1h no 2010 1h no 1h
EOF
echo "Cluster configuration" >> /tmp/log
# Restart wazuh-manager
service wazuh-manager restart
# Installing Filebeat
yum -y install filebeat
chkconfig --add filebeat
echo "Installed Filebeat" >> /tmp/log
# Configuring Filebeat
# NOTE(review): curl is run without -f/--fail, so an HTTP error page would be
# saved as filebeat.yml and the sed below would silently succeed on it.
curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.9/extensions/filebeat/filebeat.yml
# Point Filebeat at the Logstash load balancer from the settings file.
sed -i "s/YOUR_ELASTIC_SERVER_IP/${elb_logstash}/" /etc/filebeat/filebeat.yml
service filebeat start
echo "Started Filebeat" >> /tmp/log
echo "Done" >> /tmp/log