migrate to git.charlotte.sh

2025-04-19 23:42:08 -04:00 · 2025-04-19 23:42:08 -04:00 · fbd588721e
commit fbd588721e
412 changed files with 13750 additions and 0 deletions
--- a/net-sec-controls-sec350/osquery_project/04_wazuh_integration.md
+++ b/net-sec-controls-sec350/osquery_project/04_wazuh_integration.md
@ -0,0 +1,107 @@
+|[HOME](README.md)|[RESEARCH](01_research.md)|[INSTALLATION](02_install_rocky.md)|[CLIENT APP](03_client_app.md)|[INTEGRATION](04_wazuh_integration.md)|[DEMONSTRATION](05_demonstration.md)|[CONCLUSION](06_conclusion.md)|
+|-|-|-|-|-|-|-|
+
+# Wazuh Integration
+
+## Requirements
+- Wazuh manager installed and configured on the wazuh server
+- Wazuh agent installed and connected on WEB01
+- osquery already installed on WEB01 ([installation guide](02_install_rocky.md))
+- root privileges
+
+## Configure osquery on web01
+### on WEB01
+- create osquery configuration file. if already created with defaults, edit it
+```json
+> sudo nano /etc/osquery/osquery.conf
+{
+  "options": {
+    "logger_path": "/var/log/osquery",
+    "disable_logging": "false",
+    "schedule_splay_percent": "10",
+    "utc": "true"
+  },
+  "schedule": {
+    "system_info": {
+      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
+      "interval": 300
+    },
+    "processes": {
+      "query": "SELECT pid, name, path, cmdline FROM processes;",
+      "interval": 300
+    },
+    "logged_in_users": {
+      "query": "SELECT user, host, time FROM logged_in_users;",
+      "interval": 300
+    },
+    "firewall_status": {
+      "query": "SELECT * FROM shell WHERE command = 'firewall-cmd --state';",
+      "interval": 300
+    }
+  },
+...
+```
+
+- create log directories with correct permissions for storing osquery results
+```bash
+sudo mkdir -p /var/log/osquery
+sudo chown -R root:root /var/log/osquery
+sudo chmod -R 755 /var/log/osquery
+```
+
+- restart osqueryd
+```bash
+sudo systemctl restart osqueryd
+sudo systemctl status osqueryd
+```
+
+## Configure WEB01 -> Wazuh integration
+### On WEB01
+- configure Wazuh agent to monitor osquery logs
+```xml
+> sudo nano /var/ossec/etc/ossec.conf
+
+# Add these blocks inside the <ossec_config> section
+# make sure this wodle is NOT disabled, as this service is disabled by default
+
+<wodle name="osquery">
+  <disabled>no</disabled>
+  <run_daemon>yes</run_daemon>
+  <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+  <config_path>/etc/osquery/osquery.conf</config_path>
+  <add_labels>yes</add_labels>
+</wodle>
+
+
+<localfile>
+  <log_format>json</log_format>
+  <location>/var/log/osquery/osqueryd.results.log</location>
+</localfile>
+```
+
+- restart wazuh agent
+```bash
+sudo systemctl restart wazuh-agent
+sudo systemctl status wazuh-agent
+```
+
+## Validation
+### on WEB01
+- Run a manual query to generate an immediate log entry
+```
+sudo osqueryi --json "SELECT * FROM processes LIMIT 5;" > /var/log/osquery/osqueryd.results.log
+```
+- Check if Wazuh detected it
+```
+sudo tail -f /var/ossec/logs/ossec.log
+```
+### on Wazuh Server
+- Go to Modules Menu -> Security Events -> Events
+- In left panel, add rule.groups: osquery
+![image](../../assets/54a8264b-ffac-4f98-be7d-5d1abce24233.png)
+
+
+___
+|[<<<<](03_client_app.md)|[>>>>](05_demonstration.md)|
+|-|-|
+