Wazuh Agent on GCP


s...@oblong.com

Apr 4, 2019, 4:12:51 PM
to Wazuh mailing list
Hi,
I have been trying to use Wazuh as a part of security monitoring initiative. Thanks for a really good tool!

Environment: Kubernetes at Google Cloud Platform

Setting up Wazuh with ELK has been easy and really helpful with the Wazuh-Kubernetes repo, thanks a lot for this.

For Wazuh Agent,
  1. Agent as DaemonSet: 
    Wazuh-Agent deployment through a DaemonSet is still under research and not recommended, based on some helpful links below. Please let me know if this has changed. Even when I mount all the file systems into the Wazuh container (running as a side container through a DaemonSet on all the nodes), some of the agent functionality, like executing commands, would not be host-machine scope but rather per-container scope (reduced agent functionality, with only logs). Is there a good way to accomplish this now with full agent capability?
    Helpers:
    https://github.com/coveo/wazuh-kubernetes/issues/3
    https://github.com/wazuh/wazuh-kubernetes/blob/master/instructions.m
  2. Agent on a host machine (Google COS, i.e. Google Container-Optimized OS):
    When I try to install this on the nodes (host machines), GCP uses Container-Optimized OS (minimal Linux) for Kubernetes deployments by default. This is good, as it reduces the attack surface. Could the wazuh-agent be installed on this type of OS with full capability? I did not investigate COS further, but a number of commands/provisions seem missing.
Please help me with any ideas with respect to this configuration for full agent capability.

Thanks,
Sri

Jesus Linares

Apr 11, 2019, 7:13:48 AM
to Wazuh mailing list
Hi Sri,

I'm glad you are enjoying Wazuh!

Regarding your question, a Wazuh agent must be installed on the host server, not inside your application's container. For example, if you run Nginx in a container, it is not a good idea to add the Wazuh agent to the same container. Instead, you will have to install the agent on the host and grant it enough permissions to read logs (or whatever you need) from the Nginx container.

That said, there are several ways to install the agent on the host (your Kubernetes worker node):
  • Using traditional packages (rpm, deb, etc.): It looks like Google COS is based on Chromium OS, and we haven't tested the agent on that kind of OS (https://documentation.wazuh.com/current/installation-guide/compatibility_matrix/index.html#agent). Please let us know if it works or you get errors.
  • Using a container for the Wazuh agent (it can be orchestrated using a DaemonSet): I have to test it, but I think it could be the best solution, since the container can run a Wazuh-supported OS and it runs on every node. You will need to check whether that container has access to read logs from the other ones (volume access).
We are researching how to fit Wazuh in the container world, so any feedback is welcome.


Regards,
Jesus Linares.
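The second option above (agent container scheduled by a DaemonSet, with volume access to the node's logs) sketched as a manifest. This is an added example written for this page; it is not code from the thread, from the wazuh-kubernetes repo, or from the Wazuh project. Assumptions, marked in comments: the `wazuh` namespace and manager Service name, the agent image name (you build it on a Wazuh-supported distribution), the Docker json-file log layout under /var/lib/docker/containers, and the /var/log/containers symlink layout the kubelet uses. Mounting /var/log and the container log directory read-only covers the "logs only" case Sri described; `hostPID: true` is the one extra setting that lets process-level checks see the node's processes rather than only the agent container's, and it widens the container's privilege, so drop it if log collection is all you need.

```yaml
# Added example: Wazuh agent as a DaemonSet reading node and container logs.
# Not from the thread or the wazuh-kubernetes repo; assumptions are marked.
apiVersion: v1
kind: ConfigMap
metadata:
  name: wazuh-agent-config
  namespace: wazuh            # assumption: namespace used for the Wazuh stack
data:
  ossec.conf: |
    <ossec_config>
      <client>
        <server>
          <!-- assumption: manager Service name inside the cluster -->
          <address>wazuh-manager.wazuh.svc.cluster.local</address>
          <port>1514</port>
          <protocol>tcp</protocol>
        </server>
      </client>
      <!-- node syslog, read from the host mount below -->
      <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/messages</location>
      </localfile>
      <!-- per-container logs; the kubelet symlinks these into /var/log/pods
           and (with the Docker runtime) on to /var/lib/docker/containers,
           so both host paths are mounted, read-only, in the pod spec -->
      <localfile>
        <log_format>json</log_format>
        <location>/var/log/containers/*.log</location>
      </localfile>
    </ossec_config>
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wazuh-agent
  namespace: wazuh
spec:
  selector:
    matchLabels:
      app: wazuh-agent
  template:
    metadata:
      labels:
        app: wazuh-agent
    spec:
      # Share the node's PID namespace so the agent sees host processes in
      # /proc, not only its own. This is extra privilege: remove it if you
      # only need log collection.
      hostPID: true
      containers:
        - name: wazuh-agent
          image: wazuh-agent:local   # assumption: your own image on a supported distro
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: host-var-log
              mountPath: /var/log
              readOnly: true
            - name: docker-containers
              mountPath: /var/lib/docker/containers
              readOnly: true
            - name: ossec-conf
              mountPath: /var/ossec/etc/ossec.conf
              subPath: ossec.conf
      volumes:
        - name: host-var-log
          hostPath:
            path: /var/log
        - name: docker-containers
          hostPath:
            path: /var/lib/docker/containers
        - name: ossec-conf
          configMap:
            name: wazuh-agent-config
```

Apply with `kubectl apply -f` and check that every node shows one pod with `kubectl -n wazuh get pods -o wide`. The hostPath mounts are the part to review on a hardened node: read-only mounts of /var/log and the container log directory are enough for the log collection the thread discusses, whereas anything beyond that (host root filesystem for file integrity monitoring, or a privileged container for full command execution) should be added deliberately and tracked as an exception in your pod security policy.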