-
Notifications
You must be signed in to change notification settings - Fork 35
/
deploy-wazuh-linux-agent-suite
391 lines (358 loc) · 14.6 KB
/
deploy-wazuh-linux-agent-suite
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
#!/bin/bash
#
# deploy-wazuh-linux-agent-suite
# by Kevin Branch ([email protected])
#
# Deployment script for Wazuh agent and Wazuh-integrated Osquery on Ubuntu/Debian and CentOS/RedHat/Amazon Linux systems.
# After preserving the working Wazuh agent registration key if present, Wazuh/OSSEC agent and/or Osquery are completely purged and then reinstalled,
# with an option to skip Osquery.
# The Wazuh agent self registration process is included, but will be skipped if an existing working registration can be recycled.
# Agent name and group names must match exactly for registration to be recycled. This will keep the same agent id associated with the agent.
#
# Parameters:
#
# -WazuhMgr Required: IP or FQDN of the Wazuh manager for ongoing agent connections.
# -WazuhRegMgr IP or FQDN of the Wazuh manager for agent registration connection if other than above (defaults to WazuhMgr value if not specified)
# -WazuhRegPass Required: password for registration with Wazuh manager (put in quotes).
# -WazuhVer Full version of Wazuh agent to install, like "3.12.3".
# -WazuhAgentName Name under which to register this agent in place of locally detected Linux host name
# -WazuhGroups Comma separated list of Wazuh groups to member this agent. No spaces. Put whole list in quotes. Groups must already exist.
# Do not includes "linux", "ubuntu", or "centos" groups as these are autodetected and will dynamically be inserted as the first groups.
# Also, do not include "osquery" as this will automatically be included unless SkipOsquery is set to "1".
# -WazuhSrc Static download path to fetch Wazuh agent installer. Overrides WazuhVer value.
# -OsqueryVer Full version of Osquery to install.
# -OsquerySrc Static download path to fetch Osquery agent installer. Overrides OsqueryVer value.
# -SkipOsquery Set this flag to skip installing Osquery, which will also result in Osquery being removed if present. Osquery installed by default.
# -help Show command syntax
#
# Example minimal usage:
#
# ./deploy-wazuh-linux-agent-suite -WazuhMgr siem.company.com -WazuhRegPass "self-reg-pw" -WazuhVer 3.13.1 -OsqueryVer 4.3.0
#
# The above would (re)install the latest stable Wazuh agent and Osquery.
# It would also self-register with the specified Wazuh manager using the specified password, unless an existing working registration can be kept.
# The agent would be registered with agent groups "linux,ubuntu,osquery" or "linux,centos,osquery" depending on if this is an rpm or deb system.
#
# Uncomment this line to enable debug output, otherwise output will be less verbose.
#DBG=1
function show_usage() {
LBLU='\033[1;34m'
NC='\033[0m'
printf "\nCommand syntax:\n $0 \n -WazuhMgr ${LBLU}WAZUH_MANAGER${NC}\n [-WazuhRegMgr ${LBLU}WAZUH_REGISTRATION_MANAGER${NC}]\n -WazuhRegPass \"${LBLU}WAZUH_REGISTRATION_PASSWORD${NC}\"\n {-WazuhVer ${LBLU}WAZUH_VERSION${NC} | -WazuhSrc ${LBLU}WAZUH_AGENT_DOWNLOAD_URL${NC}}\n [-WazuhAgentName ${LBLU}WAZUH_AGENT_NAME_OVERRIDE${NC}]\n [-WazuhGroups {${LBLU}LIST_OF_EXTRA_GROUPS${NC} | \"\"}]\n {-OsqueryVer ${LBLU}OSQUERY_VERSION${NC} | -OsquerySrc ${LBLU}OSQUERY_DOWNLOAD_URL${NC} | -SkipOsquery}\n [-help]\n\n"
printf "Example:\n $0 -WazuhMgr ${LBLU}siem.company.org${NC} -WazuhRegPass ${LBLU}\"h58fg3FS###12\"${NC} -WazuhVer ${LBLU}3.13.1${NC} -OsqueryVer ${LBLU}3.4.0${NC} -WazuhGroups ${LBLU}finance,denver${NC}\n\n"
exit 2
}
function check_value() {
if [[ "$1" == "" || "$1" == "-"* ]]; then
show_usage
fi
}
# Named parameter optional default values
WazuhMgr=
WazuhRegMgr=
WazuhRegPass=
WazuhVer=
WazuhSrc=
WazuhAgentName=
WazuhGroups="#NOGROUP#"
OsqueryVer=
OsquerySrc=
SkipOsquery=0
while [ "$1" != "" ]; do
case $1 in
-WazuhMgr ) shift
check_value $1
WazuhMgr=$1
;;
-WazuhRegMgr ) shift
check_value $1
WazuhRegMgr=$1
;;
-WazuhRegPass ) shift
check_value $1
WazuhRegPass=$1
;;
-WazuhVer ) shift
check_value $1
WazuhVer="$1"
;;
-WazuhSrc ) shift
check_value $1
WazuhSrc="$1"
;;
-WazuhAgentName ) shift
check_value $1
WazuhAgentName="$1"
;;
-WazuhGroups ) if [[ "$2" == "" ]]; then
shift
WazuhGroups=""
elif [[ "$2" == "-"* ]]; then
WazuhGroups=""
else
shift
WazuhGroups="$1"
fi
;;
-OsqueryVer ) shift
check_value $1
OsqueryVer="$1"
;;
-OsquerySrc ) shift
check_value $1
OsquerySrc="$1"
;;
-SkipOsquery ) # no shift
SkipOsquery=1
;;
-help ) show_usage
;;
* ) show_usage
esac
shift
done
if [ "$WazuhGroups" == "#NOGROUP#" ]; then
GROUPS_SKIPPED=1
WazuhGroups=""
else
GROUPS_SKIPPED=0
fi
if [ -f /etc/nsm/securityonion.conf ]; then
echo -e "\n*** This deploy script cannot be used on a system where Security Onion is installed."
show_usage
exit 2
fi
if [[ `grep server /etc/ossec-init.conf` ]]; then
echo -e "\n*** This deploy script cannot be used on a system where Wazuh manager is already installed."
show_usage
exit 2
fi
if [ "$WazuhMgr" == "" ]; then
echo -e "\n*** WazuhMgr variable must be used to specify the FQDN or IP of the Wazuh manager to which the agent shall retain a connection."
show_usage
exit 2
fi
if [ "$WazuhRegPass" == "" ]; then
echo -e "\n*** WazuhRegPass variable must be used to specify the password to use for agent registration."
show_usage
exit 2
fi
if [ "$WazuhVer" == "" -a "$WazuhSrc" == "" ]; then
echo -e "\n*** Must use '-WazuhVer' or '-WazuhSrc' to specify which Wazuh agent to (re)install (and possibly download first)."
show_usage
exit 2
fi
if [ "$WazuhVer" != "" -a "$WazuhSrc" != "" ]; then
echo -e "\n*** Must use either '-WazuhVer' or '-WazuhSrc' (not both) to specify which Wazuh agent to (re)install (and possibly download first)."
show_usage
exit 2
fi
if [ "$WazuhRegMgr" == "" ]; then
WazuhRegMgr="$WazuhMgr"
fi
# Split Linux into two basic categories: deb and rpm, and work up the full set of Wazuh agent groups including dynamically set prefix plus custom extras.
# Among other things, this affects the automatically assigned starting set of agent group names to include "ubuntu" or "centos".
# This needs to be refined, but reflects the Linux flavors I actually work with.
WazuhGroupsPrefix="linux,linux-local,"
if [[ -f /etc/os-release && `grep -i debian /etc/os-release` ]]; then
LinuxFamily="deb"
WazuhGroupsPrefix="${WazuhGroupsPrefix}ubuntu,"
else
LinuxFamily="rpm"
WazuhGroupsPrefix="${WazuhGroupsPrefix}centos,"
fi
if [ $SkipOsquery == 0 ]; then
WazuhGroupsPrefix="${WazuhGroupsPrefix}osquery,osquery-local,"
fi
WazuhGroupsPrefix="${WazuhGroupsPrefix}org,"
WazuhGroups="${WazuhGroupsPrefix}$WazuhGroups"
# If there were no additional groups, strip off the trailing comma in the list.
WazuhGroups=`echo $WazuhGroups | sed 's/,$//'`
if [ "$WazuhSrc" == "" ]; then
if [ "$LinuxFamily" == "deb" ]; then
WazuhSrc="https://packages.wazuh.com/3.x/apt/pool/main/w/wazuh-agent/wazuh-agent_$WazuhVer-1_amd64.deb"
else
WazuhSrc="https://packages.wazuh.com/3.x/yum/wazuh-agent-$WazuhVer-1.x86_64.rpm"
fi
fi
if [ "$OsqueryVer" == "" -a $SkipOsquery == 0 -a "$OsquerySrc" == "" ]; then
echo -e "\n*** Must use '-OsqueryVer' or '-OsquerySrc' or '-SkipOsquery' to indicate if/how to handle Osquery (re)installation/removal."
show_usage
exit 2
fi
if [ "$OsqueryVer" != "" -a "$OsquerySrc" != "" ]; then
echo -e "\n*** Cannot specify both '-OsqueryVer' and '-OsquerySrc'."
show_usage
exit 2
fi
if [ "$OsquerySrc" == "" ]; then
if [ "$LinuxFamily" == "deb" ]; then
OsquerySrc="https://pkg.osquery.io/deb/osquery_${OsqueryVer}_1.linux.amd64.deb"
else
OsquerySrc="https://pkg.osquery.io/rpm/osquery-${OsqueryVer}-1.linux.x86_64.rpm"
fi
fi
# If no custom agent name specified, use the internal Linux hostname.
if [ "$WazuhAgentName" == "" ]; then
WazuhAgentName=`hostname`
fi
cd ~
# Take note if agent is already connected to a Wazuh manager and collect relevant data
ALREADY_CONNECTED=0
if [[ `cat /var/ossec/var/run/ossec-agentd.state 2> /dev/null | grep "'connected'"` ]]; then
ALREADY_CONNECTED=1
OLDNAME=`cut -d" " -f2 /var/ossec/etc/client.keys 2> /dev/null`
CURR_GROUPS=`echo \`grep "<\!-- Source file: " /var/ossec/etc/shared/merged.mg | cut -d" " -f4 | cut -d/ -f1 \` | sed 's/ /,/g'`
rm -f /tmp/client.keys 2> /dev/null
cp -p /var/ossec/etc/client.keys /tmp/
fi
if [ $DBG ]; then
echo -e "\nWazuhMgr: $WazuhMgr"
echo "WazuhRegMgr: $WazuhRegMgr"
echo "WazuhRegPass: $WazuhRegPass"
echo "WazuhVer: $WazuhVer"
echo "WazuhAgentName: $WazuhAgentName"
echo "WazuhSrc: $WazuhSrc"
echo "OsqueryVer: $OsqueryVer"
echo "OsquerySrc: $OsquerySrc"
echo "SkipOsquery: $SkipOsquery"
echo "ALREADY_CONNECTED: $ALREADY_CONNECTED"
echo "OLDNAME: $OLDNAME"
echo "WazuhGroups: $WazuhGroups"
echo "CURR_GROUPS: $CURR_GROUPS"
echo -e "GROUPS_SKIPPED: $GROUPS_SKIPPED\n"
fi
# Shut down and clean out any previous Wazuh or OSSEC agent
systemctl stop wazuh-agent 2> /dev/null
systemctl stop ossec-hids-agent 2> /dev/null
systemctl stop ossec-agent 2> /dev/null
service wazuh-agent stop 2> /dev/null
service ossec-hids-agent stop 2> /dev/null
service stop ossec-agent stop 2> /dev/null
yum -y erase wazuh-agent 2> /dev/null
yum -y erase ossec-hids-agent 2> /dev/null
yum -y erase ossec-agent 2> /dev/null
apt-get -y purge wazuh-agent 2> /dev/null
apt-get -y purge ossec-hids-agent 2> /dev/null
apt-get -y purge ossec-agent 2> /dev/null
kill -kill `ps auxw | grep "/var/ossec/bin" | grep -v grep | awk '{print $2}'` 2> /dev/null
rm -rf /var/ossec /etc/ossec-init.conf 2> /dev/null
# Dynamically generate a Wazuh config profile name for the major and minor version of a given Linux distro, like ubuntu14, ubuntu 14.04.
# No plain distro name like "ubuntu" alone is included because we use agent groups at that level, not config profiles.
CFG_PROFILE=`. /etc/os-release; echo $ID\`echo $VERSION_ID | cut -d. -f1\`, $ID\`echo $VERSION_ID\``
#
# Branch between Ubuntu and CentOS for Wazuh agent installation steps
#
if [ "$LinuxFamily" == "deb" ]; then
# Wazuh Agent remove/download/install
rm -f /tmp/wazuh-agent_$WazuhVer-1_amd64.deb 2> /dev/null
wget -O /tmp/wazuh-agent_$WazuhVer-1_amd64.deb $WazuhSrc
dpkg -i /tmp/wazuh-agent_$WazuhVer-1_amd64.deb
rm -f /tmp/wazuh-agent_$WazuhVer-1_amd64.deb
else
# Wazuh Agent remove/download/install
rm -f /tmp/wazuh-agent-$WazuhVer-1.x86_64.rpm 2> /dev/null
wget -O /tmp/wazuh-agent-$WazuhVer-1.x86_64.rpm $WazuhSrc
yum -y install /tmp/wazuh-agent-$WazuhVer-1.x86_64.rpm
rm -f /tmp/wazuh-agent-$WazuhVer-1.x86_64.rpm
fi
#
# If we can safely skip self registration and just restore the backed up client.keys file, then do so. Otherwise, self-register.
# This should keep us from burning through so many agent ID numbers.
# Furthermore, when re-registering, if -WazuhGroups was not specified and an existing set of group memberships is detected and the agent is presently connected,
# then preserve those groups during the re-registration instead of rebuilding a standard group list.
#
SKIP_REG=0
if [ "$ALREADY_CONNECTED" == "yes" ]; then
echo "Agent is presently connected..."
echo "Current registered agent name is $OLDNAME and new target name is: $WazuhAgentName"
if [ "$WazuhAgentName" == "$OLDNAME" ]; then
echo "Old and new agent registration names match."
if [ "$CURR_GROUPS" == "$WazuhGroups" ]; then
echo -e "Old and new agent group memberships match.\nWill skip self-registration and just restore client.keys backup instead..."
SKIP_REG=1
else
echo "Current groups: $CURR_GROUPS and target groups: $WazuhGroups do not match."
fi
fi
fi
if [ $SKIP_REG == 0 ]; then
if [ $GROUPS_SKIPPED == 1 -a "$CURR_GROUPS" != "" -a $ALREADY_CONNECTED == 1 ]; then
/var/ossec/bin/agent-auth -m "$WazuhRegMgr" -P "$WazuhRegPass" -G "$CURR_GROUPS" -A "$WazuhAgentName"
else
/var/ossec/bin/agent-auth -m "$WazuhRegMgr" -P "$WazuhRegPass" -G "$WazuhGroups" -A "$WazuhAgentName"
fi
else
cp -p /tmp/client.keys /var/ossec/etc/
fi
#
# Remove Osquery if present. If not set to be skipped, then next download and install it.
#
if [ "$LinuxFamily" == "deb" ]; then
dpkg --purge osquery 2> /dev/null
rm -rf /var/osquery /var/log/osquery /usr/share/osquery
rm -f osquery.deb 2> /dev/null
if [ $SkipOsquery == 0 ]; then
wget -O osquery.deb $OsquerySrc
dpkg -i osquery.deb
rm -f osquery.deb 2> /dev/null
fi
else
yum -y erase osquery 2> /dev/null
rm -rf /var/osquery /var/log/osquery /usr/share/osquery
rm -f osquery.rpm 2> /dev/null
if [ $SkipOsquery == 0 ]; then
wget -O osquery.rpm $OsquerySrc
yum -y install osquery.rpm
rm -f osquery.rpm 2> /dev/null
fi
fi
#
# Dynamically generate ossec.conf
#
echo "
<ossec_config>
<client>
<server>
<address>$WazuhMgr</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>$CFG_PROFILE</config-profile>
<notify_time>30</notify_time>
<time-reconnect>180</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
</client>
<logging>
<log_format>plain, json</log_format>
</logging>
</ossec_config>
" > /var/ossec/etc/ossec.conf
#
# Dynamically generate local_internal_options.conf
#
echo "
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1
# Wazuh Command Module - If it should accept remote commands from the manager
wazuh_command.remote_commands=1
# Enable it to accept execute commands from SCA policies pushed from the manager in the shared configuration
# Local policies ignore this option
sca.remote_commands=1
" > /var/ossec/etc/local_internal_options.conf
# Restart the Wazuh agent (and Osquery subagent)
if [[ `which systemctl 2> /dev/null` ]]; then
systemctl restart wazuh-agent
else
service wazuh-agent restart
fi
echo "Waiting 15 seconds before checking connection status to manager..."
sleep 15
if [[ `cat /var/ossec/logs/ossec.log | grep "Connected to the server "` ]]; then
echo "Agent has successfully reported into the manager."
exit 0
else
echo "Something appears to have gone wrong. Agent is not connected to the manager."
exit 1
fi