Remote Command Execution - Central Configuration

Leon Scott

Aug 27, 2023, 3:55:12 AM
to Wazuh | Mailing List
Hello,

I know this is a stupid question, but it needs clarification in the documentation and in the configuration.

I want to enable remote commands via the Wazuh Server for Windows and Linux endpoints.

I need this to happen when I onboard a Linux endpoint and a Windows Endpoint.

This document refers:


However, before this feature can be used, the agents must be explicitly configured to accept remote commands. This can be done by setting the logcollector.remote_commands in the local_internal_options.conf file on each agent, as shown below:

How do I push this central configuration of local_internal_options.conf to the endpoints' related file from the manager? Do I need to add this file to the shared directory in the manager for each group I have created?

Please explain.

Sincerely
Leon

Leon Scott

Aug 27, 2023, 4:05:40 AM
to Wazuh | Mailing List

I will try to explain it a little better.

The Wazuh manager, which belongs to no group, executes all commands via the central configuration.

I have duplicated this configuration file in the default group, which we will call Linux systems. Commands via wodle or full-commands don't execute in this group.

However, I have another group called Windows which is configured differently, rather obvious really.

I want the manager (Linux) to alter the local_internal_options.conf file in the default group and the Windows group to enable remote commands. Altering the local_internal_options.conf file on the manager does not seem sufficient.

Everyone else seems to have figured this out but me, so what am I doing wrong?

So, what have I missed?

Sincerely
Leon.

Harshal Paliwal

Aug 27, 2023, 11:09:35 PM
to Wazuh | Mailing List
Hi Leon, thanks for using Wazuh!

As mentioned here, "Remote commands may be specified in the centralized configuration, however, they are disabled by default due to security reasons." So, when setting commands in a shared agent configuration, you must enable the remote commands in each agent.

The remote commands must be enabled from the agent side because by default the Wazuh manager does not have the capability to run arbitrary code unless it is explicitly enabled on the agent side.

You may look into using some orchestration tool for that, like Ansible. Here is a guide on how to deploy Wazuh using Ansible; it is not exactly your use case but may be useful as an overview.

Let me know if that was the problem you were having.
Regards!
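
Added example, not part of the thread and not Wazuh's own tooling: a shell helper that an orchestration job could run on each Linux agent to set `logcollector.remote_commands` in `local_internal_options.conf` without duplicating lines on repeated runs. The default path `/var/ossec/etc/local_internal_options.conf` and the second key `wazuh_command.remote_commands` (the matching switch for the command wodle) are assumptions that the thread does not state.

```shell
#!/bin/sh
# Added example: idempotent edit of a Wazuh agent's local_internal_options.conf.
# Assumption: default Linux install prefix /var/ossec (override via the env var).
WAZUH_LOCAL_OPTS="${WAZUH_LOCAL_OPTS:-/var/ossec/etc/local_internal_options.conf}"

# get_internal_option FILE KEY
# Prints the value of every uncommented "KEY=VALUE" line, one per line.
get_internal_option() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { name = $1; gsub(/[ \t]/, "", name) }
        name == k { v = $2; gsub(/[ \t]/, "", v); print v }' "$1"
}

# set_internal_option FILE KEY VALUE
# Prints "unchanged" when KEY appears exactly once with VALUE; otherwise
# removes every uncommented KEY line, appends KEY=VALUE, prints "changed".
set_internal_option() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if [ "$(get_internal_option "$file" "$key")" = "$value" ]; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -F= -v k="$key" '
        /^[ \t]*#/ { print; next }
        { name = $1; gsub(/[ \t]/, "", name) }
        name != k { print }' "$file" > "$tmp"
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    # Write back through cat so the original file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo changed
}

# When called with a file argument, enable both switches in that file.
# On an agent: sh this_script "$WAZUH_LOCAL_OPTS", then restart wazuh-agent
# only if either call printed "changed".
if [ "$#" -eq 1 ]; then
    set_internal_option "$1" logcollector.remote_commands 1
    set_internal_option "$1" wazuh_command.remote_commands 1
fi
```

Enabling these keys lets the manager's shared configuration run commands on the agent, so limit the change to the agent groups that need it.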