-
Notifications
You must be signed in to change notification settings - Fork 35
/
deploy-wazuh-amazon-linux-v1-docker-host
91 lines (77 loc) · 2.42 KB
/
deploy-wazuh-amazon-linux-v1-docker-host
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
#!/bin/bash
#
# Amazon Linux install and self-register of Wazuh GTIS SIEM agent
#
# Dynamic named parameters
environment=${environment:-}
app_name=${app_name:-}
waz_ver=${waz_ver:-3.12.3}
waz_mgr=${waz_mgr:-}
waz_reg_mgr=${waz_reg_mgr:-}
waz_pwd=${waz_pwd:-}
waz_grps=${waz_grps:-docker-aws-hosts}
while [ $# -gt 0 ]; do
if [[ $1 == *"--"* ]]; then
param="${1/--/}"
declare $param="$2"
# echo $1 $2 // Optional to see the parameter:value result
fi
shift
done
## End Dyamic named parameters
INSTANCE_ID=`curl -s http://169.254.169.254/latest/meta-data/instance-id`
LABEL_ENV=$environment
LABEL_APP=$app_name
WAZ_AGENT_NAME="$LABEL_APP-$LABEL_ENV-$INSTANCE_ID"
cd ~
# Dynamically generate a Wazuh config profile name for the major and minor version of a given Linux distro, like ubuntu14, ubuntu 14.04.
CFG_PROFILE=`. /etc/os-release; echo $ID\`echo $VERSION_ID | cut -d. -f1\`, $ID\`echo $VERSION_ID\``
# Wazuh Agent download/install/register
yum -y -q install wget
wget -q -O /tmp/wazuh-agent-$waz_ver-1.x86_64.rpm https://packages.wazuh.com/3.x/yum/wazuh-agent-$waz_ver-1.x86_64.rpm
yum -y install /tmp/wazuh-agent-$waz_ver-1.x86_64.rpm
rm -f /tmp/wazuh-agent-$waz_ver-1.x86_64.rpm
/var/ossec/bin/agent-auth -m $waz_reg_mgr -P "$waz_pwd" -G "$waz_grps" -A $WAZ_AGENT_NAME
#
# Dynamically generate ossec.conf
#
echo "
<ossec_config>
<client>
<server>
<address>$waz_mgr</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>$CFG_PROFILE</config-profile>
<notify_time>60</notify_time>
<time-reconnect>180</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
</client>
<active-response>
<disabled>yes</disabled>
</active-response>
<labels>
<label key=\"instance-id\">$INSTANCE_ID</label>
<label key=\"env\">$LABEL_ENV</label>
<label key=\"app\">$LABEL_APP</label>
</labels>
<logging>
<log_format>json</log_format>
</logging>
</ossec_config>
" > /var/ossec/etc/ossec.conf
#
# Generate local_internal_options.conf
#
echo "
logcollector.remote_commands=1
wazuh_command.remote_commands=1
sca.remote_commands=1
" > /var/ossec/etc/local_internal_options.conf
yum -y install python27-pip
/usr/bin/pip-2.7 install docker
echo -e '#!/bin/bash\nservice wazuh-agent stop; rm -rf /var/ossec/logs/*; service wazuh-agent start' > /etc/cron.daily/flush-logs;
service crond restart
service wazuh-agent restart