====== Installing the Wazuh security management platform (Docker) ======
* Installation environment
  * VM : 2 vCore / 4G RAM / 60G SSD
  * OS : Ubuntu 22.04 LTS
===== Installation steps =====
* Install Docker: [[tech/docker]]
* Set the kernel parameter required by the Wazuh indexer (OpenSearch) and make it persistent
<code bash>
sysctl -w vm.max_map_count=262144
echo "vm.max_map_count = 262144" >> /etc/sysctl.conf
</code>
* Install Wazuh v4.7.0 (single-node deployment)
<code bash>
git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.0
cd wazuh-docker/single-node/
# generate the indexer TLS certificates before the first start
docker compose -f generate-indexer-certs.yml run --rm generator
sudo ls -lt config/wazuh_indexer_ssl_certs/
docker compose up -d
</code>
* You can then log in at https://server-ip with admin / SecretPassword (the default credentials shipped with the compose files; change them before exposing the server)
===== Configuration =====
==== Server side ====
* Where other documentation says to edit /var/ossec/etc/ossec.conf, in this Docker deployment the file to edit is ~/wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf; restart the stack with docker compose afterwards
==== Agent side ====
=== Installing the agent ===
* Example Wazuh server IP: 10.20.2.38
== Ubuntu / Debian ==
<code bash>
# WAZUH_MANAGER is read by the package post-install script and written into ossec.conf
apt install lsb-release && wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb && WAZUH_MANAGER='10.20.2.38' dpkg -i ./wazuh-agent_4.7.0-1_amd64.deb
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl restart wazuh-agent
</code>
== Alpine ==
<code bash>
wget -O /etc/apk/keys/alpine-devel@wazuh.com-633d7457.rsa.pub https://packages.wazuh.com/key/alpine-devel%40wazuh.com-633d7457.rsa.pub
echo "https://packages.wazuh.com/4.x/alpine/v3.12/main" >> /etc/apk/repositories
apk update
apk add wazuh-agent
# the Alpine package leaves a MANAGER_IP placeholder in ossec.conf; replace it with the server address
export WAZUH_MANAGER="10.20.2.38" && sed -i "s|MANAGER_IP|$WAZUH_MANAGER|g" /var/ossec/etc/ossec.conf
/var/ossec/bin/wazuh-control start
# comment out the Wazuh repository again after installation
sed -i "s|^https://packages.wazuh.com|#https://packages.wazuh.com|g" /etc/apk/repositories
</code>
=== Modifying agent settings ===
* The Linux agent is installed under /var/ossec
* Edit the configuration file at /var/ossec/etc/ossec.conf
* After editing, restart the agent: systemctl restart wazuh-agent
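A small helper for the ossec.conf edit above, added here as an example (it is not from the Wazuh project or this page): it points the agent at the manager whether or not the MANAGER_IP placeholder is still present, and fails loudly instead of letting the sed substitution silently match nothing. The sample configuration and the manager addresses are constructed.

```shell
#!/bin/sh
# Added example, not Wazuh project code.
# Rewrite the manager <address> in an agent ossec.conf and verify the result.

# write_sample_conf FILE : constructed minimal ossec.conf with the stock placeholder
write_sample_conf() {
  cat > "$1" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
}

# get_manager_address FILE : print the first configured manager address
get_manager_address() {
  sed -n 's|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# set_manager_address FILE IP : replace the first <address> element regardless of
# its current value. Returns 1 if the file has no <address> element at all,
# 2 if the value did not end up as IP (so a silent no-op cannot slip through).
set_manager_address() {
  conf="$1"; ip="$2"
  grep -q '<address>' "$conf" || return 1
  sed "s|<address>[^<]*</address>|<address>${ip}</address>|" "$conf" > "$conf.tmp" \
    && mv "$conf.tmp" "$conf"
  get_manager_address "$conf" | grep -qxF "$ip" || return 2
}
```

After a successful run, restart the agent with systemctl restart wazuh-agent (or /var/ossec/bin/wazuh-control restart on Alpine) so the new address takes effect.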
=== Removing the agent ===
* ref - https://documentation.wazuh.com/current/installation-guide/uninstalling-wazuh/agent.html#uninstalling-linux-agent
== Ubuntu / Debian ==
<code bash>
apt remove --purge wazuh-agent
</code>
== Alpine ==
<code bash>
/var/ossec/bin/wazuh-control stop
apk del wazuh-agent
rm -rf /var/ossec
# remove the repository key and the repository entry added during installation
rm /etc/apk/keys/alpine-devel@wazuh.com-633d7457.rsa.pub
sed -i '/packages.wazuh.com/d' /etc/apk/repositories
</code>
===== References =====
* https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html
* https://www.youtube.com/watch?v=i68atPbB8uQ
* https://www.reddit.com/r/Wazuh/comments/16gtsv0/turning_on_vulnerability_scanning_in_a_docker/
* https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html
{{tag>資安管理}}