Posts


Wazuh Server Detecting unauthorized processes

Ubuntu endpoint
Take the following steps to configure command monitoring and query a list of all running processes on the Ubuntu endpoint. Add the following configuration block to the Wazuh agent file /var/ossec/etc/ossec.conf (for example with nano /var/ossec/etc/ossec.conf). This makes the agent periodically collect a list of running processes:

<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <alias>process list</alias>
    <command>ps -e -o pid,uname,command</command>
    <frequency>30</frequency>
  </localfile>
</ossec_config>

Restart the Wazuh agent to apply the changes:
$ sudo systemctl restart wazuh-agent

Install Netcat and the required dependencies:
$ sudo apt install ncat nmap -y

Wazuh server
Add the following rules to the /var/ossec/etc/rules/local_rules....

Remove agents using the CLI Wazuh Server

The /var/ossec/bin/manage_agents tool can also remove Wazuh agents using the command line interface (CLI). Run the following command on the Wazuh server:
sudo /var/ossec/bin/manage_agents

Alternatively, run the following command on the Wazuh server and specify the Wazuh agent ID with the -r option. Replace <WAZUH_AGENT_ID> with the agent ID of the Wazuh agent:
/var/ossec/bin/manage_agents -r <WAZUH_AGENT_ID>

Wazuh File integrity monitoring

Edit the Wazuh agent configuration file /var/ossec/etc/ossec.conf and add the directories to monitor:
<directories check_all="yes" report_changes="yes" realtime="yes">/root</directories>
<directories check_all="yes" report_changes="yes" realtime="yes">/code/config</directories>
<directories check_all="yes" report_changes="yes" realtime="yes">/usr/</directories>
<directories check_all="yes" report_changes="yes" realtime="yes">/home/ubuntu</directories>

Restart the Wazuh agent to apply the changes:
sudo systemctl restart wazuh-agent

Reference: https://documentation.wazuh.com/current/proof-of-concept-guide/poc-file-integrity-monitoring.html

Slack Integration Wazuh Server : Alerts in Critical, High, and Medium Slack Channels

1. Set up a Slack app: Go to the Slack API website (https://api.slack.com/apps) and log in to your workspace. Navigate to "Your Apps" and click on "Create New App." Enter a name for your app (e.g., "Wazuh Alerts") and select the workspace where you want to install the app. Create three channels named "Critical", "High" and "Medium". In the app settings, go to "Incoming Webhooks" and enable it. Click on "Add New Webhook to Workspace" to generate a webhook URL. Note down this URL for each of the three channels, as you'll need it later.

2. Edit the Wazuh configuration file: Edit /var/ossec/etc/ossec.conf on the Wazuh server and include a configuration block such as the following.
<integration>
<name>slack</name>
<hook_url>https://hooks.slack.c...

Step-by-step setup of Wazuh SIEM/FIM tools on Ubuntu Server

FIM -- File Integrity Monitoring
SIEM -- Security Information and Event Management

Server and client on the same network.
Hardware configuration: 4 CPUs and 8/16 GB RAM required.

1. sudo apt update

2. curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a --ignore-check
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard

timedatectl list-timezones
sudo timedatectl set-timezone Asia/Kolkata

User: admin
Password: nKRW5.IuBfTXOtcRDLQ1JRx?1Ef.17P?

3. With this, your Wazuh server is ready. Copy the provided credentials from the terminal, enter the server IP into your browser, and proceed to login. Navigate to htt...

How to install and configure OSSEC server and client

sudo timedatectl set-timezone Asia/Calcutta

1. sudo apt-get update && sudo apt-get upgrade -y
2. sudo apt-get install build-essential libevent-dev zlib1g-dev libssl-dev unzip wget -y
3. sudo apt-get install libpcre2-dev
4. sudo apt-get install libsystemd-dev
5. wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
6. tar -xvzf 3.7.0.tar.gz
7. cd ossec-hids-3.7.0
8. sudo ./install.sh
9. sudo /var/ossec/bin/ossec-control start

Configure OSSEC
nano /var/ossec/etc/ossec.conf
Update the following:
<global>
    <email_notification>yes</email_notification>
    <email_to>root@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@localhost</email_from>
</global>

<global>
    <emai...

Allow locked Remote Desktop Ubuntu

Remote Connection with Local login (Original Answer)
GNOME Shell Extension: Allow locked Remote Desktop

The solution below is for the problem with screen lock and the new GNOME Remote Desktop in Ubuntu 22.04 that allows the RDP (and legacy VNC) protocol for remote desktop sharing. If someone is physically near your computer they will see your activities on the connected monitor and thus be able to collect sensitive information. You will need a GNOME Shell extension to solve this problem.

First, install gnome-shell-extension-manager with this command:
sudo apt install gnome-shell-extension-manager

Then open the newly installed app called Extension in the GUI. Within this app, search for and install the Allow locked Remote Desktop GNOME Shell extension. Now you will be able to remotely connect to this computer even when the screen is locked. You will still need to be logged in locally first.