安裝 Wazuh 資安管理平台(Docker)
- 安裝環境
- VM : 2vCore / 4G RAM / 60G SSD
- OS : Ubuntu 22.04LTS
安裝方式
- 安裝 Docker : Docker 語法與操作整理
- 設定相關系統參數
sysctl -w vm.max_map_count=262144 echo "vm.max_map_count = 262144" >> /etc/sysctl.conf
- 安裝 Wazuh v4.7.0
git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.0 cd wazuh-docker/single-node/ docker compose -f generate-indexer-certs.yml run --rm generator sudo ls -lt config/wazuh_indexer_ssl_certs/ docker compose up -d
- 可以開啟 https://server-ip (admin / SecretPassword) 登入
設定啟用
Server 端
- 其他文件提到修改 /var/ossec/etc/ossec.conf 需要修改 ~/wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf 然後重啟 docker compse
Agent 端
安裝 Agent 方式
- Exp. Wazuh Server IP : 10.20.2.38
Ubuntu / Debian
apt install lsb-release && wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb && WAZUH_MANAGER='10.20.2.38' dpkg -i ./wazuh-agent_4.7.0-1_amd64.deb systemctl daemon-reload systemctl enable wazuh-agent systemctl restart wazuh-agent
Alpine
wget -O /etc/apk/keys/[email protected] https://packages.wazuh.com/key/alpine-devel%40wazuh.com-633d7457.rsa.pub echo "https://packages.wazuh.com/4.x/alpine/v3.12/main" >> /etc/apk/repositories apk update apk add wazuh-agent export WAZUH_MANAGER="10.20.2.38" && sed -i "s|MANAGER_IP|$WAZUH_MANAGER|g" /var/ossec/etc/ossec.conf /var/ossec/bin/wazuh-control start sed -i "s|^https://packages.wazuh.com|#https://packages.wazuh.com|g" /etc/apk/repositories
修改 Agent 端設定
- Linux Agent 主要安裝路徑 /var/ossec
- 修改 ossec.conf 檔 → /var/ossec/etc/ossec.conf
- 修改後重啟 Agent
systemctl restart wazuh-agent
移除 Agent 方式
Ubuntu / Debian
apt remove --purge wazuh-agent