Deploy Wazuh Security Platform on Linux using Puppet

Posted on 42 views

Nowadays, due to increased cyber threats, there is a high need to perform real-time monitoring of systems. This helps one detect threats as soon as they occur and act accordingly.

The Wazuh Security Platform is a free and open-source platform that can be used to perform the real-time monitoring and analysis of systems. It provides lightweight OS-level-based security using multi-platform agents. It helps collect, aggregate, index, and analyze the security data which may contain system intrusions or abnormalities.

The Wazuh Security Platform can be used to protect workloads on public and private clouds as well as on-premise data centers. Its main functions revolve around:

  • Endpoint Security with Configuration Assessment, Extended Detection and Response, and File Integrity Monitoring
  • Security Operations that include; Malware Detection, Log Data Analysis, Audit, Compliance e.t.c
  • Cloud Security by offering posture management, Workload protection, and Container security
  • Threat Intelligence through Threat hunting, IT Hygiene, and Vulnerability Detection

The Wazuh solution consists of the following components:

  • Wazuh Server – It analyzes the data received from the agents. It processes this data through decoders and rules.
  • Wazuh dashboard – a web-based UI for visualizing the data analysis.
  • Wazuh indexer – this is a full-text search and analytics engine with high scalability. It is used to index and store alerts from the Wazuh server
  • Wazuh agents – installed on endpoints. These are desktops, laptops, servers, cloud instances, or virtual machines.

There are two deployments for the Wazuh Security Platform, i.e:

  • All-in-one deployment, where the Wazuh stack components are installed on a single server. This can be best explained using the diagram below

Deploy-Wazuh-Security-Platform-on-Linux-using-Puppet

  • Distributed deployment where components are installed on separate hosts. This installation method provides high availability and scalability of the Wazuh Security Platform.

Deploy-Wazuh-Security-Platform-on-Linux-using-Puppet-1

This guide provides steps on how to deploy the Wazuh Security Platform on Linux using Puppet.

Step 1 – Install and Configure Puppet on Linux

Puppet is an automation tool developed by Puppet Labs. It can be used to easily configure, manage and deploy the Wazuh Security Platform.

To be able to proceed, you need to have the Puppet server and agent installed and configured to communicate. The guides below can help you achieve this.

After the installation, verify if the Puppet server and Agent can communicate.

$ sudo /opt/puppetlabs/bin/puppet agent -t
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetnode.example.com
Info: Certificate Request fingerprint (SHA256): FC:ED:2C:5C:5E:45:E9:A3:41:96:84:0C:46:F7:40:D3:E2:BE:1E:B3:04:14:7E:5C:BA:75:64:90:DC:53:2A:DC
Info: Downloaded certificate for puppetnode.example.com from https://puppetmaster.example.com:8140/puppet-ca/v1
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetnode.example.com
Info: Applying configuration version '1653589224'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.03 seconds

Step 2 – Install the Wazuh Puppet module.

Proceed and install the Wazuh Puppet module that will be used for the deployment. The command below can be used to install the Wazuh Puppet module.

$ sudo /opt/puppetlabs/bin/puppet module install wazuh-wazuh
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ wazuh-wazuh (v4.3.1)
  ├── puppet-nodejs (v7.0.1)
  ├── puppet-selinux (v3.4.1)
  ├── puppetlabs-apt (v7.7.1)
  ├─┬ puppetlabs-concat (v6.4.0)
  │ └── puppetlabs-translate (v2.2.0)
  ├── puppetlabs-firewall (v2.8.1)
  ├─┬ puppetlabs-powershell (v4.1.0)
  │ └── puppetlabs-pwshlib (v0.10.1)
  └── puppetlabs-stdlib (v6.6.0)

Step 3 – Install the Wazuh stack via Puppet

The Wazuh stack consisting of the Wazuh manager, Wazuh indexer, Wazuh dashboard, and Filebeat can be deployed using the manifest created as shown.

sudo vim /etc/puppetlabs/code/environments/production/manifests/init.pp

The manifest will contain the below lines:

node "puppetnode.example.com" 
 class  'wazuh::manager':
 
 class  'wazuh::indexer':
 
 class  'wazuh::filebeat_oss':
 
 class  'wazuh::dashboard':
 

Replace puppetnode.example.com with the hostname/IP address of the Puppet agent that you want to act as the Wazuh server.

Run the manifest:

sudo /opt/puppetlabs/bin/puppet agent -t

Execution output:

Deploy-Wazuh-Security-Platform-on-Linux-using-Puppet-2-1024x569

On the Wazuh server, allow the below ports through the firewall.

sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --add-port=514/udp --permanent
sudo firewall-cmd --add-port=1514/udp --permanent
sudo firewall-cmd --add-port=1515/udp --permanent
sudo firewall-cmd --add-port=1514/tcp --permanent
sudo firewall-cmd --add-port=1515/tcp --permanent
sudo firewall-cmd --reload

Step 4 – Install the Wazuh agent via Puppet

To install the Wazuh agent, we need to create a manifest. Here, we will have the manifest as created with the command:

sudo vim /etc/puppetlabs/code/environments/production/manifests/wazuh-agent.pp

Add the below lines to the file:

node "puppetnode2.example.com" 
  class  "wazuh::agent":
    wazuh_register_endpoint => "",
    wazuh_reporting_endpoint => ""
  

Remember, puppetnode2.example.com is the IP address/domain name of the node on which you want to run the Wazuh agent service and MANAGER_IP is the IP address of the Wazuh server.

Run the manifest using the command:

sudo /opt/puppetlabs/bin/puppet agent -t

Sample Output:

Deploy-Wazuh-Security-Platform-on-Linux-using-Puppet-3

Step 5 – Access the Wazuh Dashboard

The Wazuh dashboard can now be accessed using the URL https://wazuh_server_IP.

Deploy-Wazuh-Security-Platform-on-Linux-using-Puppet-4

Log in using the username as admin and a preferred password. On successful login, you will see the below dashboard.

Deploy-Wazuh-Security-Platform-on-Linux-using-Puppet-5-1024x715

Click on the Wazuh agents to check the status.

Deploy-Wazuh-Security-Platform-on-Linux-using-Puppet-7-1024x499

Click on the agent to see dashboards.

Deploy-Wazuh-Security-Platform-on-Linux-using-Puppet-6-1068x746

Voila!

You have successfully deployed the Wazuh Security Platform on Linux using Puppet. Perform the real-time monitoring and analysis of systems using Wazuh. I hope this was helpful.

coffee

Gravatar Image
A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.