Doc::Secure: Difference between revisions

From Computer Science Wiki
Carnold (talk | contribs)
Created page with "== Introduction == The department offers a security and vulnerability monitoring service. It is primarily aimed at Linux based machines, but also supports Windows and Mac. == How it Works == The service is based on Wazuh (https://wazuh.com/). It runs a lightweight agent on the endpoint that automatically scans the machine for vulnerabilities, and reports any alerts to our central service. Here are some examples of the type of things wazuh scans for: * Malware detectio..."
 
Carnold (talk | contribs)
No edit summary
 
(10 intermediate revisions by the same user not shown)
Line 12: Line 12:
Installing the CS secure service is easy, and usually a set and forget operation.
Installing the CS secure service is easy, and usually a set and forget operation.


=== Redhat, Rocky, or CentOS based Linux ===
=== RPM based Linux ===
Run the following commands, requires sudo access:
Run the following commands, requires sudo access:
<pre>
<pre>
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
curl -o wazuh-agent-4.9.2-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.9.2-1.x86_64.rpm
sudo cat > /etc/yum.repos.d/wazuh.repo << EOF
sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' rpm -ihv wazuh-agent-4.9.2-1.x86_64.rpm
[wazuh]
sudo systemctl daemon-reload
gpgcheck=1
sudo systemctl enable --now wazuh-agent
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
</pre>
enabled=1
* '''Note:''' If you have specific wazuh group that you want to join, you can add <code>WAZUH_AGENT_GROUP='<groupname>'</code>
name=EL-\$releasever - Wazuh
 
baseurl=https://packages.wazuh.com/4.x/yum/
=== Other DEB based Linux ===
protect=1
Run the following commands, request sudo access:
EOF
<pre>
sudo WAZUH_MANAGER='wazuh.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' yum install wazuh-agent
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.2-1_amd64.deb
sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' dpkg -i ./wazuh-agent_4.9.2-1_amd64.deb
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent
</pre>
</pre>
* '''Note:''' If you have specific wazuh group that you want to join, you can add <code>WAZUH_AGENT_GROUP='<groupname>'</code>


== Ubuntu or Debian based Linux ===
=== Windows ===
Run the following commands, requires sudo access:
Run the following powershell commands, run as administrator:
<pre>
<pre>
sudo curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD='secure'  
sudo echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
NET START WazuhSvc
sudo apt update
sudo WAZUH_MANAGER='wazuh.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' apt install wazuh-agent
</pre>
</pre>
* '''Note:''' If you have specific wazuh group that you want to join, you can add <code>WAZUH_AGENT_GROUP='<groupname>'</code>


=== Other RPM based Linux ===
=== Silicon based Mac ===
Run the following commands, requires sudo access:
Run the following in a terminal shell, requires administrator access:
<pre>
<pre>
curl -o wazuh-agent-4.9.0-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.9.0-1.x86_64.rpm
curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.2-1.arm64.pkg && echo "WAZUH_MANAGER='secure.cs.vt.edu' && WAZUH_REGISTRATION_PASSWORD='secure'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
sudo WAZUH_MANAGER='wazuh.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' rpm -ihv wazuh-agent-4.9.0-1.x86_64.rpm
sudo /Library/Ossec/bin/wazuh-control start
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent
</pre>
</pre>
* '''Note:''' If you have specific wazuh group that you want to join, you can add <code>WAZUH_AGENT_GROUP='<groupname>'</code>


=== Other DEB based Linux ===
=== Intel based Mac ===
Run the following commands, request sudo access:
Run the following in a terminal shell, requires administrator access:
<pre>
<pre>
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.0-1_amd64.deb
curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.2-1.intel64.pkg && echo "WAZUH_MANAGER='secure.cs.vt.edu' && WAZUH_REGISTRATION_PASSWORD='secure'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
sudo WAZUH_MANAGER='wazuh.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' dpkg -i ./wazuh-agent_4.9.0-1_amd64.deb
sudo /Library/Ossec/bin/wazuh-control start
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent
</pre>
</pre>
* '''Note:''' If you have specific wazuh group that you want to join, you can add <code>WAZUH_AGENT_GROUP='<groupname>'</code>
=== Alerts ===
Alerts will be monitored by Techstaff.  If you want to get emailed directly when alerts happen, [[Contact Techstaff]].
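Review bot: the new RPM and DEB instructions (from `=== RPM based Linux ===` onward) download the package directly and install it with `rpm -ihv` / `dpkg -i`, dropping the `sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH` step and the `[signed-by=/usr/share/keyrings/wazuh.gpg]` repository configuration that the previous revision had, so the package manager no longer verifies the package signature before install; consider keeping the key import ahead of the `rpm -ihv` line (so `rpm` checks the signature, or run `rpm -K` on the downloaded file) and the signed apt source for the DEB case. Two smaller points: "Run the following commands, request sudo access:" in the DEB section should read "requires sudo access", and the enrollment password `secure` is shown in plain text in every install command on a public wiki page, so it is worth replacing with a placeholder and handing out out of band.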

Latest revision as of 08:59, 11 November 2024

Introduction

The department offers a security and vulnerability monitoring service. It is primarily aimed at Linux based machines, but also supports Windows and Mac.

How it Works

The service is based on Wazuh (https://wazuh.com/). It runs a lightweight agent on the endpoint that automatically scans the machine for vulnerabilities and reports any alerts to our central service. Here are some examples of the kinds of things Wazuh scans for:

  • Malware detection
  • Known software vulnerabilities
  • File Integrity - changes to known system files
  • Logs for active threats

Install

Installing the CS secure service is easy, and usually a set and forget operation.

RPM based Linux

Run the following commands, requires sudo access:

curl -o wazuh-agent-4.9.2-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.9.2-1.x86_64.rpm
sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' rpm -ihv wazuh-agent-4.9.2-1.x86_64.rpm
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent
  • Note: If there is a specific Wazuh group you want the agent to join, add WAZUH_AGENT_GROUP='<groupname>' alongside the other settings in the install command.

Other DEB based Linux

Run the following commands, requires sudo access:

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.2-1_amd64.deb
sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' dpkg -i ./wazuh-agent_4.9.2-1_amd64.deb
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent
  • Note: If there is a specific Wazuh group you want the agent to join, add WAZUH_AGENT_GROUP='<groupname>' alongside the other settings in the install command.

Windows

Run the following PowerShell commands as Administrator:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD='secure' 
NET START WazuhSvc
  • Note: If there is a specific Wazuh group you want the agent to join, add WAZUH_AGENT_GROUP='<groupname>' alongside the other settings in the install command.

Silicon based Mac

Run the following in a terminal shell, requires administrator access:

curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.2-1.arm64.pkg && echo "WAZUH_MANAGER='secure.cs.vt.edu' && WAZUH_REGISTRATION_PASSWORD='secure'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
sudo /Library/Ossec/bin/wazuh-control start
  • Note: If there is a specific Wazuh group you want the agent to join, add WAZUH_AGENT_GROUP='<groupname>' alongside the other settings in the install command.

Intel based Mac

Run the following in a terminal shell, requires administrator access:

curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.2-1.intel64.pkg && echo "WAZUH_MANAGER='secure.cs.vt.edu' && WAZUH_REGISTRATION_PASSWORD='secure'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
sudo /Library/Ossec/bin/wazuh-control start
  • Note: If there is a specific Wazuh group you want the agent to join, add WAZUH_AGENT_GROUP='<groupname>' alongside the other settings in the install command.
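A post-install check, added here as an example and not part of this wiki page or of Wazuh's own tooling: it confirms that the agent's ossec.conf points at the department manager named in the commands above and that the agent state file reports a live connection. The file locations and the key='value' state-file format are Wazuh defaults; the two sample inputs are constructed, and the manager hostname and sample values are taken from this page.

```python
import re
import xml.etree.ElementTree as ET

# Manager hostname used in the install commands above. On a Linux host, read
# /var/ossec/etc/ossec.conf and /var/ossec/var/run/wazuh-agentd.state (macOS: /Library/Ossec).
EXPECTED_MANAGER = "secure.cs.vt.edu"

# Constructed sample inputs so the check can be exercised without an agent installed.
SAMPLE_CONF = """<ossec_config>
  <client>
    <server>
      <address>secure.cs.vt.edu</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>"""
SAMPLE_STATE = """# State file for wazuh-agentd (constructed sample)
status='connected'
last_keepalive='2024-11-11 08:59:00'
"""

def manager_addresses(conf_xml: str) -> list:
    """Return every manager <address> configured under <client><server>."""
    # A real ossec.conf may hold several top-level <ossec_config> blocks, which is
    # not well-formed XML on its own, so wrap the text in a synthetic root first.
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    nodes = root.findall("./ossec_config/client/server/address")
    return [n.text.strip() for n in nodes if n.text]

def parse_state(state_text: str) -> dict:
    """Parse the key='value' lines of wazuh-agentd.state; '#' lines are comments."""
    state = {}
    for line in state_text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*'([^']*)'\s*$", line)
        if m:
            state[m.group(1)] = m.group(2)
    return state

def check_agent(conf_xml: str, state_text: str, expected: str = EXPECTED_MANAGER) -> list:
    """Return a list of problems; an empty list means the agent is configured and connected."""
    problems = []
    addrs = manager_addresses(conf_xml)
    if expected not in addrs:
        problems.append(f"manager address {addrs or 'unset'} does not include {expected}")
    status = parse_state(state_text).get("status", "unknown")
    if status != "connected":
        problems.append(f"agent status is {status!r}, not 'connected'")
    return problems
```

On a real host, call check_agent() with the contents of the two files named in the comment; an empty list means the agent is talking to secure.cs.vt.edu.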

Alerts

Alerts will be monitored by Techstaff. If you want to get emailed directly when alerts happen, Contact Techstaff.