Fully-fledged Wazuh (OSSEC HIDS + Elastic stack) installation with Linux and Windows Wazuh agents and osquery, deployed with Ansible on top of either Vagrant (local lab) or Terraform (cloud).
## Local lab with Vagrant

- Install Vagrant
- Run `vagrant up`
## Cloud deployment with Terraform

Careful: no firewall is set up. The servers Terraform creates listen on a public IP by default, with NO KIBANA OR ELASTIC AUTHENTICATION.

- Set your `terraform.tfvars`
- Install the Terraform plugin (provider) for your cloud provider
- Run `terraform apply`
- Install the Ansible Terraform dynamic inventory binary from adammck/terraform-inventory
- Set this variable to work around a plugin issue (see adammck/terraform-inventory#144): `export TF_STATE=./`
- Run the Ansible playbooks
## Known issues

- On Windows hosts, `Get-Service OssecSvc` shows the Wazuh agent service stopped after the playbook has run.
- osquery on Windows is still buggy (see the TODO list).
On macOS Catalina, if running Ansible over WinRM fails with:

```text
objc[11628]: +[NSNumber initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
ERROR! A worker was found in a dead state
```

set this variable before running the playbook: `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES` (see ansible/ansible#32499).
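As an added example (not part of this repository), the wrapper script below strings the Terraform steps together with the `TF_STATE` workaround, the Catalina fork fix and a post-playbook restart of `OssecSvc` on the Windows agents. It assumes the playbook entry point is `site.yml`, that the Windows agents are in an inventory group called `windows` (both overridable through `PLAYBOOK` and `WIN_GROUP`), that `terraform-inventory` is on `PATH`, and that the `ansible.windows` collection is installed (it ships with the `ansible` package).

```shell
#!/usr/bin/env bash
# deploy.sh: drive the Terraform + Ansible path of this repo end to end.
# Assumptions (not from the README): the playbook is called site.yml and the
# Windows agents sit in an inventory group named "windows"; override with
# PLAYBOOK=... and WIN_GROUP=... in the environment.
set -eu

PLAYBOOK="${PLAYBOOK:-site.yml}"
WIN_GROUP="${WIN_GROUP:-windows}"

# Exit non-zero and list every missing binary, so a half-installed toolchain
# fails before `terraform apply` has created publicly exposed servers.
require_tools() {
  missing=""
  for t in "$@"; do
    command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
  done
  if [ -n "$missing" ]; then
    echo "missing tools:$missing" >&2
    return 1
  fi
}

# Print the environment assignment that works around the macOS Catalina
# fork() crash (ansible/ansible#32499); print nothing on other platforms.
fork_safety_env() {
  case "$1" in
    Darwin) echo "OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES" ;;
    *) ;;
  esac
}

deploy() {
  require_tools terraform ansible-playbook ansible terraform-inventory
  [ -f terraform.tfvars ] || { echo "create terraform.tfvars first" >&2; return 1; }

  terraform init
  # Interactive approval; remember the servers come up with no firewall and
  # no Kibana/Elastic authentication.
  terraform apply

  # terraform-inventory reads the state through TF_STATE; "./" is the
  # workaround for adammck/terraform-inventory#144.
  export TF_STATE=./
  inv="$(command -v terraform-inventory)"

  fork_env="$(fork_safety_env "$(uname -s)")"
  [ -z "$fork_env" ] || export "$fork_env"

  # The executable inventory binary is passed straight to -i.
  ansible-playbook -i "$inv" "$PLAYBOOK"

  # The Wazuh agent service (OssecSvc) is left stopped on Windows hosts after
  # the playbook; start it and make sure it comes back after a reboot.
  ansible "$WIN_GROUP" -i "$inv" -m ansible.windows.win_service \
    -a "name=OssecSvc state=started start_mode=auto"
}

# Only run the deployment when executed directly as deploy.sh, so the
# functions can be sourced or tested without touching any cloud account.
case "${0##*/}" in
  deploy.sh) deploy "$@" ;;
esac
```

Save it as `deploy.sh` next to `terraform.tfvars` and run `./deploy.sh`; `terraform apply` still prompts for approval, and the final ad-hoc `win_service` call is the same fix you would otherwise apply by hand after seeing `Get-Service OssecSvc` report a stopped service.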
## References

- https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/index.html#vulnerability-detection
- https://documentation.wazuh.com/current/user-manual/capabilities/osquery.html
- https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html
## TODO

- Troubleshoot Windows osquery bugs
- Add PowerShell command execution logging and alerting
- Set up X-Pack authentication and HTTPS/TLS certificates everywhere
- Active response
- Add monitoring of Node module security output as a recurring task (`npm audit`)
- Integrate other tools/Sysinternals into the Ansible playbooks: https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer
- Add a script that suspends all processes and dumps RAM and disk (Sysinternals) as an active response
- VirusTotal API / Malice / Cuckoo integration
- Suricata integration
- Multi-cluster / load-balanced Ansible playbook
- K8s/Helm?
- WAF / CI/CD for application security?
- More robust osquery configuration for Linux? https://github.com/palantir/osquery-configuration