批量更新Wazuh主机配置文件和漏洞库

综述

相比较单机版本,群集化的Wazuh需要处理的第一个问题就是如何保证ossec.conf文件和漏洞库的统一配置、统一更新、统一下发。以下将使用简单的Ansible命令和Shell脚本实现前述功能。

2021.07 摄于天津北辰·天津西站

建立共享

  1. 部署Nginx

    1
    2
    3
    4
    # 在wazuh-master上安装Nginx
    yum install -y nginx
    mkdir -p /var/www/wazuh
    chown -R nginx:nginx /var/www/wazuh

  2. 下载更新

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    # 下载离线文件
    cd /var/www/wazuh/

    # 下载Ubuntu 20.04的漏洞种子
    wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2

    # 下载RHEL 7 8的漏洞种子文件
    wget https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
    wget https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
    wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2

    # 下载微软CVE文件
    wget https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz

    # 下载Redhat的安全数据Json文件
    wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/rh-generator.sh
    chmod +x ./*.sh
    mkdir redhat
    ./rh-generator.sh redhat/

    # 下载NVD的安全数据库(CVE)
    wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/nvd-generator.sh
    chmod +x ./*.sh
    mkdir nvd
     ./nvd-generator.sh 2010 nvd/

  3. 页面发布

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    # 配置nginx文件 
    vim /etc/nginx/nginx.conf
    # 在server{}中修改增补如下配置
            root         /var/www/wazuh;
        
            location / {
                    autoindex on;
                    autoindex_exact_size off;
                    autoindex_localtime on;
            }

定时更新

  1. 在/opt/wazuh/目录下建立wazuhupdate.sh文件

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    #!/bin/bash

    cd /var/www/wazuh/
    rm -rf *.bz2
    rm *.gz

    # 下载Ubuntu 20.04的漏洞种子
    wget -N https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2

    # 下载RHEL 6/7/8的漏洞种子
    wget -N https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
    wget -N https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
    wget -N https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2

    # 下载微软漏洞文件
    wget -N https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz

    #下载Redhat的安全数据Json文件
    /bin/bash /var/www/wazuh/rh-generator.sh /var/www/wazuh/redhat

    # 下载NVD的安全数据库(CVE)
    /bin/bash /var/www/wazuh/nvd-generator.sh 2010 /var/www/wazuh/nvd

    # 更新文件权限
    chown -R nginx:nginx /var/www/wazuh

    # 重启服务,更新数据库
    systemctl restart wazuh-manager.service

  2. 建立定时文件

    1
    2
    3
    4
    5
    #检查crond.service运行状态
    systemctl status crond.service 
    crontab -e
    # 每周一、四下午6点半执行脚本进行升级
    30 18 * * 1,4 /bin/bash /opt/wazuh/wazuhupdate.sh

批量下发

  1. 安装配置Ansbile
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    yum install -y centos-release-ansible-29.noarch 
    yum install -y ansible

    # 因主机默认设置不允许root使用ssh登录,需要切换到普通用户目录
    cd ~
    mkdir ansible
    cd ansible
    touch .inventory
    cat > .inventory <<EOF
    [master]
    192.168.79.60
    [worker]
    192.168.79.61
    192.168.79.62
    EOF

    ssh-keygen
    ssh-copy-id sujx@192.168.79.60
    ssh-copy-id sujx@192.168.79.61
    ssh-copy-id sujx@192.168.79.62

    ansible all -m ping
    [sujx@WazuhNode0 ansible]$ ansible worker -m ping
    192.168.79.62 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/libexec/platform-python"
        },
        "changed": false,
        "ping": "pong"
    }
    192.168.79.61 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/libexec/platform-python"
        },
        "changed": false,
        "ping": "pong"
    }
  2. 建立批量更新脚本
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    # 在每台Worker主机上建立相应脚本
    mkdir /opt/wazuh
    touch /opt/wazuh/cluster.sh
    cat > /opt/wazuh/cluster.sh <<EOF
    #!/bin/bash

    cd ~

    # 配置文件
    wget http://192.168.79.60/conf/ossec.conf
    # 自定义规则文件
    # wget http://192.168.79.60/conf/0015-ossec_rules.xml

    # 替换主机名
    workername=$(hostname -s)
    sed -i "s/vlnx000000/$workername/g" ~/ossec.conf

    # 替换配置文件
    rm -Rf /var/ossec/etc/ossec.conf
    mv ~/ossec.conf /var/ossec/etc/
    chown root:ossec /var/ossec/etc/ossec.conf

    # 更新自定义文件
    # rm -Rf /var/ossec/ruleset/rules/0015-ossec_rules.xml
    # mv ~/0015-ossec_rules.xml /var/ossec/ruleset/rules/
    # chown root:ossec /var/ossec/ruleset/rules/0015-ossec_rules.xml


    # Reset The Service
    systemctl restart wazuh-manager.service
    EOF

    chmod +x /opt/wazuh/cluster.sh
  3. 建立worker配置文件
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    <vulnerability-detector>
      <enabled>no</enabled>
      <interval>5m</interval>
      <ignore_time>6h</ignore_time>
      <run_on_start>yes</run_on_start>
       
      <!-- Ubuntu OS vulnerabilities -->
      <provider name="canonical">
        <enabled>yes</enabled>
        <os url="http://192.168.79.60/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
        <update_interval>1d</update_interval>
      </provider>
       
      <!-- Debian OS vulnerabilities -->
      <provider name="debian">
        <enabled>no</enabled>
        <os>stretch</os>
        <os>buster</os>
        <update_interval>1d</update_interval>
      </provider>
       
      <!-- RedHat OS vulnerabilities -->
      <provider name="redhat">
        <enabled>yes</enabled>
        <os url="http://192.168.79.60/rhel-6-including-unpatched.oval.xml.bz2">6</os>
        <os url="http://192.168.79.60/rhel-7-including-unpatched.oval.xml.bz2">7</os>
        <os url="http://192.168.79.60/rhel-8-including-unpatched.oval.xml.bz2">8</os>
        <url start="1" end="25">http://192.168.79.60/redhat/redhat-feed[-].json</url>
        <update_interval>1d</update_interval>
      </provider>
       
      <!-- Windows OS vulnerabilities -->
      <provider name="msu">
        <enabled>yes</enabled>
        <url>http://192.168.79.60/msu-updates.json.gz</url>
        <update_interval>1d</update_interval>
      </provider>
       
      <!-- Aggregate vulnerabilities -->
      <provider name="nvd">
        <enabled>yes</enabled>
        <url start="2010" end="2021">http://192.168.79.60/nvd/nvd-feed[-].json.gz</url>
        <update_interval>1d</update_interval>
      </provider>
    </vulnerability-detector>
       
    <cluster>
      <name>wazuh</name>
      <node_name>vln000000</node_name>
      <node_type>worker</node_type>
      <key>d84691d111f86e70e8ed7eff80cde39e</key>
      <port>1516</port>
      <bind_addr>0.0.0.0</bind_addr>
      <nodes>
          <node>192.168.79.60</node>
      </nodes>
      <hidden>no</hidden>
      <disabled>no</disabled>
    </cluster>
    ……

  4. 使用Ansible触发更新
    1
    2
    3
    4
    5
    6
    # 每个Worker上创建目录
    ansible worker -a 'mkdir /opt/wazuh'
    # 复制脚本到worker上
    ansible worker -m copy -a "src=/opt/wazuh/cluster.sh dest=/opt/wazuh owner=root group=root mode=0744"
    # 每个worker执行脚本
    ansible worker -a '/bin/sh /opt/wazuh/cluster.sh'