Doc::Secure: Difference between revisions
m Protected "Doc::Secure" ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)) |
No edit summary |
||
(6 intermediate revisions by the same user not shown) | |||
Line 12: | Line 12: | ||
Installing the CS secure service is easy, and usually a set and forget operation. | Installing the CS secure service is easy, and usually a set and forget operation. | ||
=== | === RPM based Linux === | ||
Run the following commands, requires sudo access: | Run the following commands, requires sudo access: | ||
<pre> | <pre> | ||
curl -o wazuh-agent-4.9.2-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.9.2-1.x86_64.rpm | |||
sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' rpm -ihv wazuh-agent-4.9.2-1.x86_64.rpm | |||
curl -o wazuh-agent-4.9. | |||
sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' rpm -ihv wazuh-agent-4.9. | |||
sudo systemctl daemon-reload | sudo systemctl daemon-reload | ||
sudo systemctl enable --now wazuh-agent | sudo systemctl enable --now wazuh-agent | ||
</pre> | </pre> | ||
* '''Note:''' If you have specific wazuh group that you want to join, you can add <code>WAZUH_AGENT_GROUP='<groupname>'</code> | |||
=== Other DEB based Linux === | === Other DEB based Linux === | ||
Run the following commands, request sudo access: | Run the following commands, request sudo access: | ||
<pre> | <pre> | ||
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9. | wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.2-1_amd64.deb | ||
sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' dpkg -i ./wazuh-agent_4.9. | sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' dpkg -i ./wazuh-agent_4.9.2-1_amd64.deb | ||
sudo systemctl daemon-reload | sudo systemctl daemon-reload | ||
sudo systemctl enable --now wazuh-agent | sudo systemctl enable --now wazuh-agent | ||
</pre> | </pre> | ||
* '''Note:''' If you have specific wazuh group that you want to join, you can add <code>WAZUH_AGENT_GROUP='<groupname>'</code> | |||
=== Windows === | === Windows === | ||
Run the following powershell commands, run as administrator: | Run the following powershell commands, run as administrator: | ||
<pre> | <pre> | ||
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9. | Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD='secure' | ||
NET START WazuhSvc | NET START WazuhSvc | ||
</pre> | </pre> | ||
* '''Note:''' If you have specific wazuh group that you want to join, you can add <code>WAZUH_AGENT_GROUP='<groupname>'</code> | |||
=== Silicon based Mac === | === Silicon based Mac === | ||
Run the following in a terminal shell, requires administrator access: | Run the following in a terminal shell, requires administrator access: | ||
<pre> | <pre> | ||
curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9. | curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.2-1.arm64.pkg && echo "WAZUH_MANAGER='secure.cs.vt.edu' && WAZUH_REGISTRATION_PASSWORD='secure'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target / | ||
sudo /Library/Ossec/bin/wazuh-control start | sudo /Library/Ossec/bin/wazuh-control start | ||
</pre> | </pre> | ||
* '''Note:''' If you have specific wazuh group that you want to join, you can add <code>WAZUH_AGENT_GROUP='<groupname>'</code> | |||
=== Intel based Mac === | === Intel based Mac === | ||
Run the following in a terminal shell, requires administrator access: | Run the following in a terminal shell, requires administrator access: | ||
<pre> | <pre> | ||
curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9. | curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.2-1.intel64.pkg && echo "WAZUH_MANAGER='secure.cs.vt.edu' && WAZUH_REGISTRATION_PASSWORD='secure'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target / | ||
sudo /Library/Ossec/bin/wazuh-control start | sudo /Library/Ossec/bin/wazuh-control start | ||
</pre> | </pre> | ||
* '''Note:''' If you have specific wazuh group that you want to join, you can add <code>WAZUH_AGENT_GROUP='<groupname>'</code> | |||
=== Alerts === | |||
Alerts will be monitored by Techstaff. If you want to get emailed directly when alerts happen, [[Contact Techstaff]]. |
Latest revision as of 08:59, 11 November 2024
Introduction
The department offers a security and vulnerability monitoring service. It is primarily aimed at Linux based machines, but also supports Windows and Mac.
How it Works
The service is based on Wazuh (https://wazuh.com/). It runs a lightweight agent on the endpoint that automatically scans the machine for vulnerabilities, and reports any alerts to our central service. Here are some examples of the type of things wazuh scans for:
- Malware detection
- Known software vulnerabilties
- File Integrity - changes to known system files
- Logs for active threats
Install
Installing the CS secure service is easy, and usually a set and forget operation.
RPM based Linux
Run the following commands, requires sudo access:
curl -o wazuh-agent-4.9.2-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.9.2-1.x86_64.rpm sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' rpm -ihv wazuh-agent-4.9.2-1.x86_64.rpm sudo systemctl daemon-reload sudo systemctl enable --now wazuh-agent
- Note: If you have specific wazuh group that you want to join, you can add
WAZUH_AGENT_GROUP='<groupname>'
Other DEB based Linux
Run the following commands, request sudo access:
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.2-1_amd64.deb sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' dpkg -i ./wazuh-agent_4.9.2-1_amd64.deb sudo systemctl daemon-reload sudo systemctl enable --now wazuh-agent
- Note: If you have specific wazuh group that you want to join, you can add
WAZUH_AGENT_GROUP='<groupname>'
Windows
Run the following powershell commands, run as administrator:
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.2-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD='secure' NET START WazuhSvc
- Note: If you have specific wazuh group that you want to join, you can add
WAZUH_AGENT_GROUP='<groupname>'
Silicon based Mac
Run the following in a terminal shell, requires administrator access:
curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.2-1.arm64.pkg && echo "WAZUH_MANAGER='secure.cs.vt.edu' && WAZUH_REGISTRATION_PASSWORD='secure'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target / sudo /Library/Ossec/bin/wazuh-control start
- Note: If you have specific wazuh group that you want to join, you can add
WAZUH_AGENT_GROUP='<groupname>'
Intel based Mac
Run the following in a terminal shell, requires administrator access:
curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.2-1.intel64.pkg && echo "WAZUH_MANAGER='secure.cs.vt.edu' && WAZUH_REGISTRATION_PASSWORD='secure'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target / sudo /Library/Ossec/bin/wazuh-control start
- Note: If you have specific wazuh group that you want to join, you can add
WAZUH_AGENT_GROUP='<groupname>'
Alerts
Alerts will be monitored by Techstaff. If you want to get emailed directly when alerts happen, Contact Techstaff.