-
Notifications
You must be signed in to change notification settings - Fork 35
/
deploy-wazuh-amzn2-docker-host
109 lines (98 loc) · 3.59 KB
/
deploy-wazuh-amzn2-docker-host
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
#!/bin/bash
#
# Amazon Linux 2 install and self-register of Wazuh GTIS SIEM agent
#
# Dynamic named parameters
environment=${environment:-}
app_name=${app_name:-}
waz_ver=${waz_ver:-4.5.4}
waz_mgr=${waz_mgr:-}
waz_pwd=${waz_pwd:-}
waz_grps=${waz_grps:-docker-aws-hosts}
while [ $# -gt 0 ]; do
if [[ $1 == *"--"* ]]; then
param="${1/--/}"
declare $param="$2"
fi
shift
done
## End Dyamic named parameters
INSTANCE_ID=`curl -s http://169.254.169.254/latest/meta-data/instance-id`
LABEL_ENV=$environment
LABEL_APP=$app_name
WAZ_AGENT_NAME="$LABEL_APP-$LABEL_ENV-$INSTANCE_ID"
cd ~
# Dynamically generate a Wazuh config profile name for the major and minor version of a given Linux distro, like ubuntu14, ubuntu 14.04.
CFG_PROFILE="redhat,amzn,amzn2"
# Wazuh Agent download/install/register
curl -s https://packages.wazuh.com/4.x/yum/wazuh-agent-$waz_ver-1.x86_64.rpm > /tmp/wazuh-agent-$waz_ver-1.x86_64.rpm
yum -y install /tmp/wazuh-agent-$waz_ver-1.x86_64.rpm
rm -f /tmp/wazuh-agent-$waz_ver-1.x86_64.rpm
/var/ossec/bin/agent-auth -m $waz_mgr -P "$waz_pwd" -G "$waz_grps" -A $WAZ_AGENT_NAME
#
# Dynamically generate ossec.conf
#
echo "
<ossec_config>
<client>
<server>
<address>$waz_mgr</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>$CFG_PROFILE</config-profile>
<notify_time>30</notify_time>
<time-reconnect>120</time-reconnect>
<auto_restart>yes</auto_restart>
</client>
<active-response>
<disabled>yes</disabled>
</active-response>
<labels>
<label key=\"instance-id\">$INSTANCE_ID</label>
<label key=\"env\">$LABEL_ENV</label>
<label key=\"app\">$LABEL_APP</label>
</labels>
<logging>
<log_format>plain</log_format>
</logging>
<agent-upgrade>
<ca_verification>
<enabled>yes</enabled>
<ca_store>etc/wpk_root.pem</ca_store>
<ca_store>etc/bnc_wpk_root.pem</ca_store>
</ca_verification>
</agent-upgrade>
</ossec_config>
" > /var/ossec/etc/ossec.conf
# Supply BNC code signing cert
echo "-----BEGIN CERTIFICATE-----
MIIDNzCCAh+gAwIBAgIURDCxvmgAH12XqdEdQH/CKgy0+CIwDQYJKoZIhvcNAQEL
BQAwKzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAklOMQ8wDQYDVQQKDAZCTkMgQ0Ew
HhcNMjIxMDAzMjExNzU5WhcNMzIwOTMwMjExNzU5WjArMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCSU4xDzANBgNVBAoMBkJOQyBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBANpnhmd+2mUHCjzqvwHx6KeYSaQa2IFNXoQHlj70vMSBm7dH
GebtQSCF1W3XlRwCW6lK6MitSnPSx8D9ct8QvI7cWYvcjZ1OcY3Vv69rfM5akqi4
J1wlWn2HkLmoEdoMwNAQD9c+3XCS9KRC6VcIW7XH+029iTisPNP+X1vFeFCyjz68
SxpL7Ili5GrcDaCWD7Rw7fZjkyTIOrm80vAVGPuXMpSYbdFCwk12j0TQuVovg9bG
b0ykvZBuNrhzfw/KVoxNmsnagZ1gZgMyRJFaje2RmwQu719lu+qoVunzoMZnt/bj
WlLvPENSrYvjhO7+LEVE+uHPgZb5IhAM3GTXpQECAwEAAaNTMFEwHQYDVR0OBBYE
FPT8KA/lCLNFutMi+d3RVX8gCpBzMB8GA1UdIwQYMBaAFPT8KA/lCLNFutMi+d3R
VX8gCpBzMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEdHaQzB
4t6ICDqaoClIlukZPnPOBX3vIaXSTucdX5s0bX0wGNngG+FKM7Ka/jY51YyfCFOr
6J6v0GSIFmTeOX/G4zoy+daxd1sIkMq16urBHxWepanhKmM2UnIrVEqaD2Jjgt30
yuIVJyENaCrXhdH82HndaVEUR8aGnEVUmgPpg+9pRAh8sQUu7LCENI+HP+uaa29c
e1A3jj1X98UOy+58chxEHtyaZy06v3vz4UNWgJf/LGBMT7wO3c8TsTT5KmgHR460
zraxbhmzb4JAji0bZuYlldSjhizRCpJjroFjWHluDUa9Oqi5La52o+rpRVwT53bY
O7bM4haWNBQkxEU=
-----END CERTIFICATE-----
" > /var/ossec/etc/bnc_wpk_root.pem
chown root:wazuh /var/ossec/etc/bnc_wpk_root.pem
# Meet Wazuh docker listener prereqs
yum -y install python3-pip
/usr/bin/pip3 install docker
# Set up daily log flushing via cron
echo -e '#!/bin/bash\nsystemctl stop wazuh-agent; rm -rf /var/ossec/logs/*; systemctl start wazuh-agent' > /etc/cron.daily/flush-logs
chmod 744 /etc/cron.daily/flush-logs
systemctl restart crond
systemctl restart wazuh-agent