Using wazuh-agent to manage local firewalls (Linux and Windows)


bars5...@gmail.com

Nov 21, 2022, 6:10:48 AM
to Wazuh mailing list
Hi! In some cases it is necessary to manage local firewalls, for example for segmentation or just for centralized firewall management.
I figured out how to solve it:
1. Created a bash script with commands for ufw (Uncomplicated Firewall) containing the needed firewall configuration.
2. Created a group in wazuh-manager which contains the server(s) that must have the same firewall configuration.
3. Copied the script to the group's folder, so that the script goes to the agent. After that the script is moved to the active-response folder on the agent.
4. Created an active-response (command and active response) rule linked to the needed agents (contained in the group) and the script name.
5. Created a rule that fires when this script changes; at that moment the script runs and installs the needed firewall rules. This gives me the opportunity to change rules centrally: I change the script, copy it to the group folder and the process starts.
6. To detect whether the firewall changed, I monitor the output of the command "iptables -nL | gzip -n -9 | base64", and the active response fires when the base64 changes.

This PoC seems to work. I am testing it now. But I have a question: maybe you can tell me a simpler or another way to do this. For example, the agent restarts every time a new script is copied to the group's shared folder; maybe it is possible to use a different way of sending the script with the configuration?

And is Wazuh planning to develop a module for managing local firewalls (Linux and Windows)?

Jesus Linares

Nov 21, 2022, 8:03:45 AM
to Wazuh mailing list
Hello,

You did a great job with your PoC. It is a bit complicated because Wazuh is not designed as a configuration management tool like Puppet, Ansible, etc., and it is not in our nearby roadmap.

> the agent restarts every time a new script is copied to the group's shared folder; maybe it is possible to use a different way of sending the script with the configuration?
At this moment, this is the way to push configuration files to the agents. It is designed in this way because these files must be applied in the agent (instead of by other applications). But we are working on doing a "reload" instead of a "restart" to apply configurations.

If you want to simplify the process, you could remove the active response. Just run a command in the agent (with the wodle command) every X minutes. The command just runs your script. The script could check whether it should apply the configuration or not based on some logic. It is like setting up a remote "cronjob". But for detecting whether the firewall changes and applying the proper configuration as soon as possible (instead of waiting for the command interval) you must use active response (using the iptables command or file integrity monitoring as the trigger).

I hope it helps.

bars5...@gmail.com

Nov 22, 2022, 3:22:59 AM
to Wazuh mailing list
Thank you! Your advice to use a wodle helped me rebuild the management system.

As a result I rebuilt our system for managing firewalls:

1. In the bash script I added md5 hashing of the result of the command "ufw status" and of the script with rules.
2. These two md5 hashes I use to compute a resulting md5 hash for control (one md5 hash, used as the control, is the result of hashing the 2 hashes).
3. For control, after applying the firewall rules I recompute the hashes and create a file whose name is the md5 control hash (from step 2).
4. Via wodle the script runs every 1 minute and recomputes the control hash. If a file named as the recomputed control hash is found, all is good and the other path of the script does not run. If a file named as the control hash is not found, the script runs and deploys the firewall rules.

So, if somebody changes firewall rules manually or I add a script from the Wazuh manager, the rules will be set within about 3 minutes. And no additional checks are needed.

Maybe it will be useful :)
The same logic can be used for Windows too.

And my proposal is to add a module for managing local firewalls as an additional module of Wazuh to the roadmap.

On Monday, November 21, 2022 at 15:03:45 UTC+2, Jesus Linares wrote:
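The marker-file reconcile loop from steps 1 to 4 of the post above, written out as an added POSIX sh example (not the poster's own script) that a wodle command could invoke every minute. STATE_DIR and RULES_SCRIPT are assumed paths, fw_state wraps `ufw status` and is the only part that needs the real firewall, and md5sum from coreutils is assumed.

```shell
#!/bin/sh
# Added example, not the poster's script. Reconciles the local firewall against
# a rules script: a marker file named after a "control hash" records the state
# that was last applied; if the firewall or the rules script changes, the hash
# changes, the marker is missing, and the rules are redeployed.
# Usage (as the wodle command): sh fw-control.sh run

STATE_DIR="${STATE_DIR:-/var/lib/fw-control}"                            # assumed path
RULES_SCRIPT="${RULES_SCRIPT:-/var/ossec/active-response/bin/fw-rules.sh}"  # assumed path

# Current firewall state, as in the thread ("ufw status"); override in tests.
fw_state() { ufw status 2>/dev/null; }

md5_stdin() { md5sum | cut -d' ' -f1; }

# Step 2: control hash = md5 of (md5 of firewall state + md5 of rules script).
control_hash() {
    state_hash=$(fw_state | md5_stdin)
    rules_hash=$(md5_stdin < "$RULES_SCRIPT")
    printf '%s%s' "$state_hash" "$rules_hash" | md5_stdin
}

# Steps 3 and 4: if a marker named after the current control hash exists,
# nothing to do; otherwise deploy the rules, recompute the hash and write a
# fresh marker. Prints "unchanged" or "applied" so the caller can log it.
reconcile() {
    mkdir -p "$STATE_DIR"
    h=$(control_hash)
    if [ -f "$STATE_DIR/$h" ]; then
        echo unchanged
        return 0
    fi
    sh "$RULES_SCRIPT"                     # deploy the firewall rules
    rm -f "$STATE_DIR"/*                   # drop stale markers from earlier states
    : > "$STATE_DIR/$(control_hash)"       # marker for the state just applied
    echo applied
}

case "${1:-}" in
    run) reconcile ;;
esac
```

A manual `ufw` change alters the status output, so the next run sees no marker for the new hash and reapplies the script; editing the rules script has the same effect.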

Jesus Linares

Nov 24, 2022, 12:17:33 PM
to Wazuh mailing list
I'm glad that it is working.

The combination of commands and active response is very powerful, but it can add some complexity (points of failure) to your solution. Just try to keep it simple if you can afford the trade-offs.

> And my proposal is to add a module for managing local firewalls as an additional module of Wazuh to the roadmap.
Please feel free to open a new issue in our repository. Try to describe it and give context about your feature request.

Thanks!