批量更新Wazuh主机配置文件和漏洞库
批量更新Wazuh主机配置文件和漏洞库
综述
相比较单机版本,群集化的Wazuh需要处理的第一个问题就是如何保证ossec.conf文件和漏洞库的统一配置、统一更新、统一下发。以下将使用简单的Ansible命令和Shell脚本实现前述功能。
建立共享
部署Nginx
# 在wazuh-master上安装Nginx
yum install -y nginx
mkdir -p /var/www/wazuh
chown -R nginx:nginx /var/www/wazuh下载更新
# 下载离线文件
cd /var/www/wazuh/
# 下载Ubuntu 20.04的漏洞种子
wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
# 下载RHEL 7 8的漏洞种子文件
wget https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
wget https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
# 下载微软CVE文件
wget https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
# 下载Redhat的安全数据Json文件
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/rh-generator.sh
chmod +x ./*.sh
mkdir redhat
./rh-generator.sh redhat/
# 下载NVD的安全数据库(CVE)
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/nvd-generator.sh
chmod +x ./*.sh
mkdir nvd
./nvd-generator.sh 2010 nvd/页面发布
# 配置nginx文件
vim /etc/nginx/nginx.conf
# 在server{}中修改增补如下配置
root /var/www/wazuh;
location / {
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
}
定时更新
在/opt/wazuh/目录下建立wazuhupdate.sh文件
#!/bin/bash
cd /var/www/wazuh/
rm -rf *.bz2
rm *.gz
# 下载Ubuntu 20.04的漏洞种子
wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
# 下载RHEL 6/7/8的漏洞种子
wget -N https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
# 下载微软漏洞文件
wget -N https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
#下载Redhat的安全数据Json文件
/bin/bash /var/www/wazuh/rh-generator.sh /var/www/wazuh/redhat
# 下载NVD的安全数据库(CVE)
/bin/bash /var/www/wazuh/nvd-generator.sh 2010 /var/www/wazuh/nvd
# 更新文件权限
chown -R nginx:nginx /var/www/wazuh
# 重启服务,更新数据库
systemctl restart wazuh-manager.service建立定时文件
#检查crond.service运行状态
systemctl status crond.service
crontab -e
# 每周一、四下午6点半执行脚本进行升级
30 18 * * 1,4 /bin/bash /opt/wazuh/wazuhupdate.sh
批量下发
- 安装配置Ansbile
yum install -y centos-release-ansible-29.noarch
yum install -y ansible
# 因主机默认设置不允许root使用ssh登录,需要切换到普通用户目录
cd ~
mkdir ansible
cd ansible
touch .inventory
cat > .inventory <<EOF
[master]
192.168.79.60
[worker]
192.168.79.61
192.168.79.62
EOF
ssh-keygen
ssh-copy-id sujx@192.168.79.60
ssh-copy-id sujx@192.168.79.61
ssh-copy-id sujx@192.168.79.62
ansible all -m ping
[sujx@WazuhNode0 ansible]$ ansible worker -m ping
192.168.79.62 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
192.168.79.61 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
} - 建立批量更新脚本
# 在每台Worker主机上建立相应脚本
mkdir /opt/wazuh
touch /opt/wazuh/cluster.sh
cat > /opt/wazuh/cluster.sh <<EOF
#!/bin/bash
cd ~
# 配置文件
wget http://192.168.79.60/conf/ossec.conf
# 自定义规则文件
# wget http://192.168.79.60/conf/0015-ossec_rules.xml
# 替换主机名
workername=$(hostname -s)
sed -i "s/vlnx000000/$workername/g" ~/ossec.conf
# 替换配置文件
rm -Rf /var/ossec/etc/ossec.conf
mv ~/ossec.conf /var/ossec/etc/
chown root:ossec /var/ossec/etc/ossec.conf
# 更新自定义文件
# rm -Rf /var/ossec/ruleset/rules/0015-ossec_rules.xml
# mv ~/0015-ossec_rules.xml /var/ossec/ruleset/rules/
# chown root:ossec /var/ossec/ruleset/rules/0015-ossec_rules.xml
# Reset The Service
systemctl restart wazuh-manager.service
EOF
chmod +x /opt/wazuh/cluster.sh - 建立worker配置文件
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<ignore_time>6h</ignore_time>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>yes</enabled>
<os url="http://192.168.79.60/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
<update_interval>1d</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<update_interval>1d</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>yes</enabled>
<os url="http://192.168.79.60/rhel-6-including-unpatched.oval.xml.bz2">6</os>
<os url="http://192.168.79.60/rhel-7-including-unpatched.oval.xml.bz2">7</os>
<os url="http://192.168.79.60/rhel-8-including-unpatched.oval.xml.bz2">8</os>
<url start="1" end="25">http://192.168.79.60/redhat/redhat-feed[-].json</url>
<update_interval>1d</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<url>http://192.168.79.60/msu-updates.json.gz</url>
<update_interval>1d</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<url start="2010" end="2021">http://192.168.79.60/nvd/nvd-feed[-].json.gz</url>
<update_interval>1d</update_interval>
</provider>
</vulnerability-detector>
<cluster>
<name>wazuh</name>
<node_name>vln000000</node_name>
<node_type>worker</node_type>
<key>d84691d111f86e70e8ed7eff80cde39e</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>192.168.79.60</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
……
略 - 使用Ansible触发更新
# 每个Worker上创建目录
ansible worker -a 'mkdir /opt/wazuh'
# 复制脚本到worker上
ansible worker -m copy -a "src=/opt/wazuh/cluster.sh dest=/opt/wazuh owner=root group=root mode=0744"
# 每个worker执行脚本
ansible worker -a '/bin/sh /opt/wazuh/cluster.sh'
All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.