Doc::Secure: Difference between revisions

From Computer Science Wiki
Jump to navigation Jump to search
Carnold (talk | contribs)
No edit summary
Carnold (talk | contribs)
m Protected "Doc::Secure" ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite))
(No difference)

Revision as of 09:11, 17 October 2024

Introduction

The department offers a security and vulnerability monitoring service. It is primarily aimed at Linux based machines, but also supports Windows and Mac.

How it Works

The service is based on Wazuh (https://wazuh.com/). It runs a lightweight agent on the endpoint that automatically scans the machine for vulnerabilities, and reports any alerts to our central service. Here are some examples of the type of things wazuh scans for:

  • Malware detection
  • Known software vulnerabilties
  • File Integrity - changes to known system files
  • Logs for active threats

Install

Installing the CS secure service is easy, and usually a set and forget operation.

Redhat, Rocky, or CentOS based Linux

Run the following commands, requires sudo access:

sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
sudo cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' yum install wazuh-agent

Ubuntu or Debian based Linux

Run the following commands, requires sudo access:

sudo curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
sudo echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
sudo apt update
sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' apt install wazuh-agent

Other RPM based Linux

Run the following commands, requires sudo access:

curl -o wazuh-agent-4.9.0-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.9.0-1.x86_64.rpm
sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' rpm -ihv wazuh-agent-4.9.0-1.x86_64.rpm
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent

Other DEB based Linux

Run the following commands, request sudo access:

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.0-1_amd64.deb
sudo WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD=$'secure' dpkg -i ./wazuh-agent_4.9.0-1_amd64.deb
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent

Windows

Run the following powershell commands, run as administrator:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='secure.cs.vt.edu' WAZUH_REGISTRATION_PASSWORD='secure'
NET START WazuhSvc

Silicon based Mac

Run the following in a terminal shell, requires administrator access:

curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.0-1.arm64.pkg && echo "WAZUH_MANAGER='secure.cs.vt.edu' && WAZUH_REGISTRATION_PASSWORD='secure'\n" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
sudo /Library/Ossec/bin/wazuh-control start

Intel based Mac

Run the following in a terminal shell, requires administrator access:

curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.0-1.intel64.pkg && echo "WAZUH_MANAGER='secure.cs.vt.edu' && WAZUH_REGISTRATION_PASSWORD='secure'\n" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
sudo /Library/Ossec/bin/wazuh-control start