Wazuh Installation and Usage
Course material
I. Installing Wazuh
1. Install the required packages
yum install curl unzip wget libcap net-tools
2. Import the RPM repository GPG key
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
3. Add the repo file
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
4. Install Wazuh
yum install wazuh-manager
You can also install the RPM package offline directly. The default installation directory is /var/ossec.
5. Start Wazuh
systemctl start wazuh-manager
The first time the service starts it performs a full check of the current system, so startup takes relatively long. Because an SCA scan runs on every start, it can be turned off in the configuration file.
II. Wazuh architecture
1. Overall architecture
- Wazuh agent: Installed on endpoints such as laptops, desktops, servers, cloud instances or virtual machines, it provides prevention, detection and response capabilities. It supports Windows, Linux, MacOS, HP-UX, Solaris and AIX platforms.
- Wazuh server: It analyzes data received from the agents, processing it through decoders and rules, and using threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. The server is also used to manage the agents, configuring and upgrading them remotely when necessary.
- Elastic Stack: It indexes and stores alerts generated by the Wazuh server. Besides, the integration between Wazuh and Kibana provides a powerful user interface for data visualization and analysis. This interface is also used to manage Wazuh configuration and to monitor its status.
In addition to agent-based monitoring capabilities, the Wazuh platform can monitor agent-less devices such as firewalls, switches, routers, or network IDS, among others. For example, system log data can be collected via Syslog, and a device's configuration can be monitored through periodic probing of its data (e.g. via SSH or through an API).
2. Agent
- Log collector: This agent component can read flat log files and Windows events, collecting operating system and application log messages. It does support XPath filters for Windows events and recognizes multi-line formats (e.g. Linux Audit logs). It can also enrich JSON events with additional metadata.
- Command execution: Agents can run authorized commands periodically, collecting their output and reporting it back to the Wazuh server for further analysis. This module can be used to meet different purposes (e.g. monitoring hard disk space left, getting a list of last logged in users, etc.).
- File integrity monitoring (FIM): This module monitors the file system, reporting when files are created, deleted, or modified. It keeps track of file attributes, permissions, ownership, and content. When an event occurs, it captures who, what, and when details in real time. Additionally, this module builds and maintains a database with the state of the monitored files, allowing queries to be run remotely.
- Security configuration assessment (SCA): This component provides continuous configuration assessment, utilizing out-of-the-box checks based on the Center of Internet Security (CIS) benchmarks. Users can also create their own SCA checks to monitor and enforce their security policies.
- System inventory: This agent module periodically runs scans, collecting inventory data such as operating system version, network interfaces, running processes, installed applications, and a list of open ports. Scan results are stored in local SQLite databases that can be queried remotely.
- Malware detection: Using a non-signature based approach, this component is capable of detecting anomalies and possible presence of rootkits. Monitoring system calls, it looks for hidden processes, hidden files, and hidden ports.
- Active response: This module runs automatic actions when threats are detected. Among other things, it can block a network connection, stop a running process, or delete a malicious file. Custom responses can also be created by users when necessary (e.g. run a binary in a sandbox, capture a network connection traffic, scan a file with an antivirus, etc.).
- Containers security monitoring: This agent module is integrated with the Docker Engine API in order to monitor changes in a containerized environment. For example, it detects changes to container images, network configuration, or data volumes. Besides, it alerts on containers running in privileged mode and on users executing commands in a running container.
- Cloud security monitoring: This component monitors cloud providers such as Amazon AWS, Microsoft Azure, or Google GCP. It natively communicates with their APIs. It is capable of detecting changes to the cloud infrastructure (e.g. a new user is created, a security group is modified, a cloud instance is stopped, etc.), and collecting cloud services log data (e.g. AWS Cloudtrail, AWS Macie, AWS GuardDuty, Azure Active Directory, etc.).
3. Server
- Agents registration service: It is used to register new agents by provisioning and distributing pre-shared authentication keys that are unique to each agent. This process runs as a network service and supports authentication via TLS/SSL certificates or by providing a fixed password.
- Agents connection service: This is the service that receives data from the agents. It makes use of the pre-shared keys to validate each agent identity and to encrypt the communications between the agent and the Wazuh server. Additionally, this service is used to provide centralized configuration management, being able to push new agent settings remotely.
- Analysis engine: This is the process that performs the data analysis. It utilizes decoders to identify the type of information being processed (e.g. Windows events, SSHD logs, web server logs, etc.) and to extract relevant data elements from the log messages (e.g. source IP address, event ID, username, etc.). Next, by using rules, it identifies specific patterns in the decoded events which could trigger alerts and possibly even call for automated countermeasures (e.g. an IP ban on the firewall).
- Wazuh RESTful API: This service provides an interface to interact with the Wazuh infrastructure. It is used to manage agent and server configuration settings, to monitor the infrastructure status and overall health, to manage and edit Wazuh decoders and rules, and to query the state of the monitored endpoints. It is also used by the Wazuh web user interface, which is the Kibana app.
- Wazuh cluster daemon: This service is used to scale Wazuh servers horizontally, deploying them as a cluster. This kind of configuration, in combination with a network load balancer, provides high-availability and load balancing. The Wazuh cluster daemon is what Wazuh servers use to communicate with each other and to keep synchronized.
- Filebeat: It is used to ship events and alerts to Elasticsearch. It reads the output of the Wazuh analysis engine and ships events in real time. It also provides load balancing when connected to a multi-node Elasticsearch cluster.
III. Basic usage
1. Directory structure
The default installation directory is /var/ossec:
active-response: active response scripts
agentless: connects to other servers without an agent (over SSH)
bin: the core OSSEC executables
etc: configuration files
logs: log directory; also the main location of the alert data
queue: temporary processing queues
rules: detection rules
stats: statistics
tmp, var, etc.: internal directories that you need not care about for now
2. Viewing the logs
/var/ossec/logs/alerts/alerts.json # JSON-formatted alerts are not convenient to read directly; they are mainly meant for analysis and visualization
/var/ossec/logs/alerts/alerts.log # the .log alerts are better suited to reading directly than to analysis and visualization
3. A first try
(1) SSH login failure
Try logging in to the host running Wazuh over SSH with a wrong password to test whether Wazuh raises an alert. Watch the logs with tail -f alerts.log or tail -f alerts.json.
The log output shows that the failed SSH login triggered rule ID 5716 at level 5 (in Wazuh, the higher the level, the more severe the event).
** Alert 1639246820.548062: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Dec 12 02:20:20 centqiang->/var/log/secure
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.112.1
Src Port: 36164
User: root
Dec 12 02:20:19 centqiang sshd[2970]: Failed password for root from 192.168.112.1 port 36164 ssh2
{"timestamp":"2021-12-12T02:20:20.609+0800","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"centqiang"},"manager":{"name":"centqiang"},"id":"1639246820.548062","full_log":"Dec 12 02:20:19 centqiang sshd[2970]: Failed password for root from 192.168.112.1 port 36164 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 12 02:20:19","hostname":"centqiang"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.112.1","srcport":"36164","dstuser":"root"},"location":"/var/log/secure"}
(2) Consecutive SSH login failures
When SSH logins fail repeatedly, a new rule, ID 5720 at level 10, is triggered.
** Alert 1639248156.555552: - syslog,sshd,authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Dec 12 02:42:36 centqiang->/var/log/secure
Rule: 5720 (level 10) -> 'sshd: Multiple authentication failures.'
Src IP: 192.168.112.1
Src Port: 37523
User: root
Dec 12 02:42:35 centqiang sshd[10719]: Failed password for root from 192.168.112.1 port 37523 ssh2
Dec 12 02:42:34 centqiang sshd[10719]: Failed password for root from 192.168.112.1 port 37523 ssh2
Dec 12 02:42:30 centqiang sshd[10715]: Failed password for root from 192.168.112.1 port 37516 ssh2
Dec 12 02:42:27 centqiang sshd[10715]: Failed password for root from 192.168.112.1 port 37516 ssh2
Dec 12 02:42:27 centqiang sshd[10715]: Failed password for root from 192.168.112.1 port 37516 ssh2
Dec 12 02:42:24 centqiang sshd[10711]: Failed password for root from 192.168.112.1 port 37509 ssh2
Dec 12 02:42:24 centqiang sshd[10711]: Failed password for root from 192.168.112.1 port 37509 ssh2
Dec 12 02:42:21 centqiang sshd[10711]: Failed password for root from 192.168.112.1 port 37509 ssh2
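The escalation seen in (1) and (2), a burst of level-5 rule 5716 alerts from one source IP becoming a level-10 rule 5720 alert, reimplemented over alerts.json lines as an added example (this is not code from the original post or from Wazuh). The frequency of 8 and timeframe of 120 seconds are assumed here; check them against rule 5720 in the sshd rule file under /var/ossec/ruleset/rules. The sample lines are constructed from the 5716 alert shown above, using the eight timestamps of the 5720 alert.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Assumed rule parameters (check rule 5720 in the sshd rule file under
# /var/ossec/ruleset/rules): FREQUENCY matched 5716 alerts from the same
# srcip within TIMEFRAME seconds escalate to the level-10 rule 5720.
FREQUENCY = 8
TIMEFRAME = 120


def parse_alert(line):
    """Extract the fields the correlation needs from one alerts.json line."""
    a = json.loads(line)
    data = a.get("data", {})
    return {"ts": datetime.strptime(a["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "rule_id": a["rule"]["id"],
            "srcip": data.get("srcip"), "user": data.get("dstuser")}


def correlate(lines):
    """Simplified same_srcip + frequency + timeframe logic: return the 5720
    alerts that a stream of alerts.json lines would escalate into."""
    window = defaultdict(deque)  # srcip -> timestamps of recent 5716 hits
    fired = []
    for line in lines:
        ev = parse_alert(line)
        if ev["rule_id"] != "5716":
            continue  # only 5716 feeds if_matched_sid for rule 5720
        q = window[ev["srcip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > TIMEFRAME:
            q.popleft()  # discard hits that fell out of the timeframe
        if len(q) >= FREQUENCY:
            fired.append({"rule_id": "5720", "level": 10, "srcip": ev["srcip"],
                          "user": ev["user"], "count": len(q)})
            q.clear()  # start a fresh window after escalating
    return fired


# Constructed sample: eight 5716 alerts at the timestamps listed in the 5720
# alert above, in the alerts.json layout shown for 5716 (fields trimmed).
TEMPLATE = ('{"timestamp":"2021-12-12T02:42:%02d.000+0800",'
            '"rule":{"level":5,"id":"5716","description":"sshd: authentication failed."},'
            '"agent":{"id":"000","name":"centqiang"},'
            '"data":{"srcip":"192.168.112.1","srcport":"37523","dstuser":"root"}}')
SAMPLE = [TEMPLATE % s for s in (21, 24, 24, 27, 27, 30, 34, 35)]
```

Running correlate(SAMPLE) yields exactly one 5720 record for 192.168.112.1; drop one line, spread the failures across more than two minutes, or split them between two source IPs and nothing escalates.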
(3) Finding the rule file by rule ID
ls | xargs grep 5720 # run inside /var/ossec/ruleset/rules; this matches every line containing 5720, not only the rule definition itself
4. Getting to know the configuration file
/var/ossec/etc/ossec.conf
Take one of its configuration items as an example:
<!-- Log analysis -->
<localfile>
<log_format>command</log_format> each line of the command's output is handled as a separate entry
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format> the command's whole output is handled together as a single entry
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
This means the system's open ports are checked once every 6 minutes (360 seconds).
5. Getting to know the ruleset
(1) Decoders
Decoders identify the characteristics of a log to determine which kind of log it is and which rule it should match.
/var/ossec/ruleset/decoders
(2) Rules
/var/ossec/ruleset/rules
Linux also ships with its own audit log, /var/log/audit/audit.log.