Date: Sun, 25 Sep 2022 05:45:00 GMT From: Jose Alonso Cardenas Marquez <acm@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 844dbce6673f - main - security/wazuh-server: New port: Components for analyze the data received from the agents Message-ID: <202209250545.28P5j0gO024074@gitrepo.freebsd.org>
The branch main has been updated by acm:

URL: https://cgit.FreeBSD.org/ports/commit/?id=844dbce6673fbedfaf26f2e26d201dcd63fd8134

commit 844dbce6673fbedfaf26f2e26d201dcd63fd8134
Author: Jose Alonso Cardenas Marquez <acm@FreeBSD.org>
AuthorDate: 2022-09-25 05:44:21 +0000
Commit: Jose Alonso Cardenas Marquez <acm@FreeBSD.org>
CommitDate: 2022-09-25 05:44:21 +0000

security/wazuh-server: New port: Components for analyze the data received from the agents

Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments.

Wazuh solution consists of an endpoint security agent, deployed to the monitored systems, and a management server, which collects and analyzes data gathered by the agents. Besides, Wazuh has been fully integrated with the Elastic Stack, providing a search engine and data visualization tool that allows users to navigate through their security alerts.
---
 security/Makefile | 1 +
 security/wazuh-server/Makefile | 63 +++++++++++++++++++++++++++++
 security/wazuh-server/distinfo | 9 +++++
 security/wazuh-server/files/pkg-message.in | 64 ++++++++++++++++++++++++++++++
 security/wazuh-server/pkg-descr | 9 +++++
 security/wazuh-server/pkg-plist | 10 +++++
 6 files changed, 156 insertions(+)
diff --git a/security/Makefile b/security/Makefile
index 077cac0c38a7..ae14e7767812 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -1279,6 +1279,7 @@
 SUBDIR += wazuh-agent
 SUBDIR += wazuh-indexer
 SUBDIR += wazuh-manager
+ SUBDIR += wazuh-server
 SUBDIR += webfwlog
 SUBDIR += weggli
 SUBDIR += whatweb
diff --git a/security/wazuh-server/Makefile b/security/wazuh-server/Makefile
new file mode 100644
index 000000000000..3ccb62b5878c
--- /dev/null
+++ b/security/wazuh-server/Makefile
@@ -0,0 +1,63 @@
+PORTNAME= wazuh
+PORTVERSION= 4.3.8
+CATEGORIES= security
+MASTER_SITES= LOCAL/acm/${PORTNAME}/:config_samples \
+ https://packages.wazuh.com/4.x/filebeat/:wazuh_module \
+ https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/:indexer_template
+PKGNAMESUFFIX= -server
+DIST_SUBDIR= ${PORTNAME}-${DISTVERSION}
+
+MAINTAINER= acm@FreeBSD.org
+COMMENT= Components for analyze the data received from the agents
+WWW= https://wazuh.com/
+
+LICENSE= GPLv2
+
+USES= dos2unix
+NO_BUILD= yes
+
+DOS2UNIX_FILES= ${WRKDIR}/wazuh-template.json
+
+DISTFILES+= filebeat.yml:config_samples \
+ logstash.conf:config_samples \
+ wazuh-filebeat-${WAZUH_MODULE_VER}.tar.gz:wazuh_module \
+ wazuh-template.json:indexer_template
+
+SUB_FILES= pkg-message
+
+ETCDIR= ${PREFIX}/etc/${PORTNAME}${PKGNAMESUFFIX}
+
+WAZUH_LOCALBASE= /var/ossec
+WAZUH_MODULE_VER= 0.2
+
+OPTIONS_DEFINE= FILEBEAT LOGSTASH WAZUH-MANAGER
+OPTIONS_DEFAULT= FILEBEAT LOGSTASH WAZUH-MANAGER
+OPTIONS_SUB= yes
+
+FILEBEAT_DESC= Install filebeat component
+LOGSTASH_DESC= Install logstash component
+WAZUH-MANAGER_DESC= Install wazuh manager component
+
+FILEBEAT_RUN_DEPENDS= filebeat:sysutils/beats7
+LOGSTASH_RUN_DEPENDS= ${LOCALBASE}/logstash/bin/logstash:sysutils/logstash8
+WAZUH-MANAGER_RUN_DEPENDS= ${WAZUH_LOCALBASE}/bin/wazuh-control:security/wazuh-manager
+
+do-extract:
+ @${MKDIR} ${WRKSRC}
+ @cd ${WRKDIR} && ${EXTRACT_CMD} ${EXTRACT_BEFORE_ARGS} ${_DISTDIR}/${PORTNAME}-filebeat-${WAZUH_MODULE_VER}.tar.gz ${EXTRACT_AFTER_ARGS}
+ ${CP} ${_DISTDIR}/filebeat.yml ${WRKDIR}
+ ${CP} ${_DISTDIR}/logstash.conf ${WRKDIR}
+ ${CP} ${_DISTDIR}/wazuh-template.json ${WRKDIR}
+
+do-install:
+ ${MKDIR} ${STAGEDIR}${ETCDIR}
+ ${INSTALL_DATA} ${WRKDIR}/filebeat.yml ${STAGEDIR}${PREFIX}/etc/${PORTNAME}${PKGNAMESUFFIX}/filebeat.yml
+ ${INSTALL_DATA} ${WRKDIR}/logstash.conf ${STAGEDIR}${PREFIX}/etc/${PORTNAME}${PKGNAMESUFFIX}/logstash.conf
+ ${INSTALL_DATA} ${WRKDIR}/wazuh-template.json ${STAGEDIR}${PREFIX}/etc/${PORTNAME}${PKGNAMESUFFIX}/wazuh-template.json
+
+
+do-install-FILEBEAT-on:
+ ${MKDIR} ${STAGEDIR}${PREFIX}/share/beats/filebeat/module/
+ @cd ${WRKDIR} && ${COPYTREE_SHARE} wazuh ${STAGEDIR}${PREFIX}/share/beats/filebeat/module/
+
+.include <bsd.port.mk>
diff --git a/security/wazuh-server/distinfo b/security/wazuh-server/distinfo
new file mode 100644
index 000000000000..6ae98dba8cde
--- /dev/null
+++ b/security/wazuh-server/distinfo
@@ -0,0 +1,9 @@
+TIMESTAMP = 1664010727
+SHA256 (wazuh-4.3.8/filebeat.yml) = bbcf6fe806a32b505b0848386d71684868be85965bfb91b117dff15c9de7c247
+SIZE (wazuh-4.3.8/filebeat.yml) = 1120
+SHA256 (wazuh-4.3.8/logstash.conf) = ca461deae2d37d435edcd64f026c03acc4cc8196a0d985b8a6f6bf93039d2ed7
+SIZE (wazuh-4.3.8/logstash.conf) = 1913
+SHA256 (wazuh-4.3.8/wazuh-filebeat-0.2.tar.gz) = 51af98bc607f9bd07f5a748184dfe4699527190537ac7470a97e30a2d1373b00
+SIZE (wazuh-4.3.8/wazuh-filebeat-0.2.tar.gz) = 1120
+SHA256 (wazuh-4.3.8/wazuh-template.json) = 1aaa36efdb86e75d3636556856c62f2490cf2597b2cc4ecfcf3985b2a715c73b
+SIZE (wazuh-4.3.8/wazuh-template.json) = 58530
diff --git a/security/wazuh-server/files/pkg-message.in b/security/wazuh-server/files/pkg-message.in
new file mode 100644
index 000000000000..ebb3cd769a4e
--- /dev/null
+++ b/security/wazuh-server/files/pkg-message.in
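Review bot: The `indexer_template` site on the `MASTER_SITES` line fetches `wazuh-template.json` from the moving `4.3` branch of the upstream repository, so the checksum recorded in distinfo stops matching the moment upstream edits that file on the branch, and a fetch failure then cannot be told apart from a tampered download; pinning the URL to the release tag, `https://raw.githubusercontent.com/wazuh/wazuh/v${PORTVERSION}/extensions/elasticsearch/7.x/:indexer_template`, ties distfile and checksum to one immutable revision (assuming the file exists at that tag). In `do-install` the three `${INSTALL_DATA}` lines spell out `${STAGEDIR}${PREFIX}/etc/${PORTNAME}${PKGNAMESUFFIX}` even though `ETCDIR` already holds exactly that path and the `${MKDIR}` line just above uses `${STAGEDIR}${ETCDIR}`; writing the destinations as `${STAGEDIR}${ETCDIR}/filebeat.yml` and so on keeps the install location defined once. The file installed here is `logstash.conf`, while step 4 of files/pkg-message.in in this same commit tells the user to copy `%%PREFIX%%/etc/wazuh-server/logstash.yml`, which is never installed, so one of the two names needs to change. `COMMENT` reads "Components for analyze the data received from the agents"; `COMMENT= Components to analyze the data received from the agents` is the grammatical form.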
@@ -0,0 +1,64 @@
+[
+{ type: install
+ message: <<EOM
+Wazuh server components were installed
+
+1) Wazuh server componenets are based on Wazuh manager and Filebeat projects.
+ This guide help you to adapt wazuh configuration for it works on FreeBSD
+ using apps are part of ports tree. We are using an alternative way to
+ configure wazuh server components on FreeBSD. It is necessary configure
+ logstash between filebeat and opensearch because FreeBSD does not include
+ versions lesser or equal to 7.16.x of Filebeat into ports tree.
+
+2) Do not forget take a look to wazuh-manager post install message to configure
+ the wazuh-server component.
+
+ # pkg info -D -x wazuh-manager | less
+
+3) Copy %%PREFIX%%/etc/wazuh-server/filebeat.yml to %%PREFIX%%/etc/beats/
+ directory
+
+4) Copy %%PREFIX%%/etc/wazuh-server/logstash.yml and %%PREFIX%%/etc/wazuh-server/wazuh-template.json
+ files to %%PREFIX%%/etc/logstash/ directory
+
+5) You can use my own version of wazuh certificates generator for generate
+ root, admin, indexer, server and dashboard certificates used by wazuh
+ components.
+
+ https://people.freebsd.org/~acm/ports/wazuh/wazuh-gen-certs.tar.gz
+
+6) Edit filebeat.yml and logstash.yml files and changes options accord to your
+ setup. For example host, ssl, filter, etc. Sample files can give you a good
+ guide about that.
+
+7) Install logstash-output-opensearch plugin
+
+ # cd %%PREFIX%%/logstash/bin
+ # sh -c "JAVA_HOME=%%PREFIX%%/openjdk11 ./logstash-plugin install logstash-output-opensearch"
+
+8) Check if logstash-output-opensearch plugin was installed
+
+ # sh -c "JAVA_HOME=%%PREFIX%%/openjdk11 ./logstash-plugin list | grep logstash-output-opensearch"
+
+9) Add Filebeat and Logstash to /etc/rc.conf
+
+ # sysrc filebeat_enable="YES"
+ # sysrc logstash_enable="YES"
+
+10) Start Filebeat and Logstash services
+
+ # service filebeat start
+ # service logstash start
+
+11) You can look more useful information at the following link:
+
+ https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html
+
+ Take on mind wazuh arquitecture on FreeBSD is configurated not similar like
+ you can read at wazuh guide. Some times you could decided configure logstash
+ on another host. If it is your case you must adapt some points in this guide.
+
+12) Enjoy it
+EOM
+}
+]
diff --git a/security/wazuh-server/pkg-descr b/security/wazuh-server/pkg-descr
new file mode 100644
index 000000000000..4486bd750b8c
--- /dev/null
+++ b/security/wazuh-server/pkg-descr
@@ -0,0 +1,9 @@
+Wazuh is a free and open source platform used for threat prevention, detection,
+and response. It is capable of protecting workloads across on-premises,
+virtualized, containerized, and cloud-based environments.
+
+Wazuh solution consists of an endpoint security agent, deployed to the
+monitored systems, and a management server, which collects and analyzes data
+gathered by the agents. Besides, Wazuh has been fully integrated with the
+Elastic Stack, providing a search engine and data visualization tool that
+allows users to navigate through their security alerts.
diff --git a/security/wazuh-server/pkg-plist b/security/wazuh-server/pkg-plist
new file mode 100644
index 000000000000..990f54e5a5a8
--- /dev/null
+++ b/security/wazuh-server/pkg-plist
@@ -0,0 +1,10 @@
+%%ETCDIR%%/filebeat.yml
+%%ETCDIR%%/logstash.conf
+%%ETCDIR%%/wazuh-template.json
+%%FILEBEAT%%share/beats/filebeat/module/wazuh/alerts/config/alerts.yml
+%%FILEBEAT%%share/beats/filebeat/module/wazuh/alerts/ingest/pipeline.json
+%%FILEBEAT%%share/beats/filebeat/module/wazuh/alerts/manifest.yml
+%%FILEBEAT%%share/beats/filebeat/module/wazuh/archives/config/archives.yml
+%%FILEBEAT%%share/beats/filebeat/module/wazuh/archives/ingest/pipeline.json
+%%FILEBEAT%%share/beats/filebeat/module/wazuh/archives/manifest.yml
+%%FILEBEAT%%share/beats/filebeat/module/wazuh/module.yml