
Failed to integrate Wazuh with Yara

Stack Overflow user
Asked 2022-06-27 08:48:59
1 answer · 182 views · 0 followers · 0 votes

I configured agent.conf as follows:

```xml
<agent_config>
    <!-- File integrity monitoring -->
    <syscheck>
        <disabled>no</disabled>
        <!-- Frequency that syscheck is executed default every 12 hours -->
        <frequency>60</frequency>
        <scan_on_start>yes</scan_on_start>
        <!-- Directories to check  (perform all possible verifications) -->
        <directories>/etc,/usr/bin,/usr/sbin</directories>
        <directories>/bin,/sbin,/boot</directories>
        <directories check_all="yes" realtime="yes">/home</directories>
        <directories check_all="yes" realtime="yes">/root</directories>
        <alert_new_files>yes</alert_new_files>
        <!-- Files/directories to ignore -->
        <ignore>/etc/mtab</ignore>
        <ignore>/etc/hosts.deny</ignore>
        <ignore>/etc/mail/statistics</ignore>
        <ignore>/etc/random-seed</ignore>
        <ignore>/etc/random.seed</ignore>
        <ignore>/etc/adjtime</ignore>
        <ignore>/etc/httpd/logs</ignore>
        <ignore>/etc/utmpx</ignore>
        <ignore>/etc/wtmpx</ignore>
        <ignore>/etc/cups/certs</ignore>
        <ignore>/etc/dumpdates</ignore>
        <ignore>/etc/svc/volatile</ignore>
        <!-- File types to ignore -->
        <ignore type="sregex">.log$|.swp$</ignore>
        <!-- Check the file, but never compute the diff -->
        <nodiff>/etc/ssl/private.key</nodiff>
        <skip_nfs>yes</skip_nfs>
        <skip_dev>yes</skip_dev>
        <skip_proc>yes</skip_proc>
        <skip_sys>yes</skip_sys>
        <!-- Nice value for Syscheck process -->
        <process_priority>10</process_priority>
        <!-- Maximum output throughput -->
        <max_eps>100</max_eps>
        <!-- Database synchronization settings -->
        <synchronization>
            <enabled>yes</enabled>
            <interval>5m</interval>
            <max_interval>1h</max_interval>
            <max_eps>10</max_eps>
        </synchronization>
    </syscheck>
    <command>
        <name>yara</name>
        <executable>yara</executable>
        <extra-args>-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/index.yar</extra-args>
        <timeout_allowed>no</timeout_allowed>
    </command>
    <active-response>
        <command>yara</command>
        <location>local</location>
        <rules_id>550,554</rules_id>
    </active-response>
</agent_config>
```

Yara works if I run it manually from the command line. FIM does detect the newly downloaded malicious file, but the Wazuh response does not work. No log is found in active-response.log.

Below is the yara.sh script stored in the /var/ossec/active-response/bin folder:

```bash
#!/bin/bash
# Wazuh - Yara active response
# Copyright (C) 2015-2022, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
#------------------------- Gather parameters -------------------------#

# Static active response parameters
LOCAL=$(dirname "$0")

# Extra arguments: execd writes one JSON line to stdin. extra_args is the
# whitespace-split <extra-args> string, so [1] and [3] are the two values
# that follow the -yara_path and -yara_rules flags.
read -r INPUT_JSON
# "jq" is the JSON tool (the posted script had the typo "jg", which is not a command).
# "// empty" yields "" instead of the string "null" when the field is missing,
# so the mandatory-parameter check below actually triggers.
YARA_PATH=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[1] // empty')
YARA_RULES=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[3] // empty')
FILENAME=$(echo "$INPUT_JSON" | jq -r '.parameters.alert.syscheck.path')
COMMAND=$(echo "$INPUT_JSON" | jq -r '.command')

# Move to the active response folder
cd "$LOCAL" || exit 1
cd ../ || exit 1

# Set LOG_FILE path
PWD=$(pwd)
LOG_FILE="${PWD}/../logs/active-responses.log"

#----------------------- Analyze parameters -----------------------#

if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
then
  echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> "${LOG_FILE}"
  exit 1
fi

#------------------------ Analyze command -------------------------#
if [ "${COMMAND}" = "add" ]
then
  # Send control message to execd
  printf '{"version":1,"origin":{"name":"yara","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'

  # execd answers with "continue" or "abort"
  read -r RESPONSE
  COMMAND2=$(echo "$RESPONSE" | jq -r '.command')
  if [ "${COMMAND2}" != "continue" ]
  then
    echo "wazuh-yara: INFO - Yara active response aborted." >> "${LOG_FILE}"
    exit 1
  fi
fi

#------------------------- Main workflow --------------------------#

# Execute Yara scan on the specified filename
yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"

if [[ $yara_output != "" ]]
then
  # Iterate every detected rule and append it to the LOG_FILE
  while read -r line; do
    echo "wazuh-yara: INFO - Scan result: $line" >> "${LOG_FILE}"
  done <<< "$yara_output"
fi

# Successful run: exit 0 so execd does not record the response as failed
exit 0
```

Is there something I missed in the configuration?
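The script above only makes sense once you know what execd actually writes to its stdin. The following added example (it is not code from the question or from Wazuh) simulates both sides of that exchange in Python: execd's JSON line, the check_keys control message the script prints back, and execd's continue/abort reply. The alert path, the node name "node01" and the program path are constructed placeholders. It shows why the script reads extra_args[1] and extra_args[3], and what the script would run without executing any scan.

```python
import json
import shlex

# Constructed sample values (not from the question): the <extra-args> string from the
# <command> block, and the only alert fields the script reads. "node01" is a placeholder
# for the manager node name that execd puts in "origin".
EXTRA_ARGS = "-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/index.yar"
SAMPLE_ALERT = {"rule": {"id": "554"},
                "syscheck": {"path": "/home/user/Downloads/sample.bin"}}  # constructed
PROGRAM = "/var/ossec/active-response/bin/yara.sh"


def execd_message(command, extra_args, alert, program, node="node01"):
    """Side 1 (execd): the single JSON line written to the script's stdin.
    <extra-args> is split on whitespace, which is why yara.sh reads
    extra_args[1] and extra_args[3] (the values after the two flags)."""
    return json.dumps({
        "version": 1,
        "origin": {"name": node, "module": "wazuh-execd"},
        "command": command,
        "parameters": {"extra_args": shlex.split(extra_args),
                       "alert": alert, "program": program},
    })


def parse_script_input(line):
    """Side 2 (yara.sh): the same fields its jq one-liners extract."""
    msg = json.loads(line)
    args = msg["parameters"]["extra_args"]
    return {
        "yara_path": args[1] if len(args) > 1 else None,
        "yara_rules": args[3] if len(args) > 3 else None,
        "filename": msg["parameters"]["alert"]["syscheck"]["path"],
        "command": msg["command"],
    }


def check_keys_request():
    """Side 2: the control message yara.sh prints for an "add" command."""
    return json.dumps({"version": 1,
                       "origin": {"name": "yara", "module": "active-response"},
                       "command": "check_keys", "parameters": {"keys": []}})


def execd_reply(request_line, allow, node="node01"):
    """Side 1: execd answers check_keys with "continue" or "abort"."""
    if json.loads(request_line)["command"] != "check_keys":
        raise ValueError("unexpected control message")
    return json.dumps({"version": 1,
                       "origin": {"name": node, "module": "wazuh-execd"},
                       "command": "continue" if allow else "abort",
                       "parameters": {}})


def simulate(extra_args=EXTRA_ARGS, alert=SAMPLE_ALERT, allow=True):
    """Drive the exchange end to end and return what the script would do next:
    the yara argv it would run, or why it stopped. No scan is executed."""
    params = parse_script_input(execd_message("add", extra_args, alert, PROGRAM))
    if not params["yara_path"] or not params["yara_rules"]:
        return {"status": "error", "reason": "yara_path and yara_rules are mandatory"}
    if params["command"] == "add":
        reply = json.loads(execd_reply(check_keys_request(), allow))
        if reply["command"] != "continue":
            return {"status": "aborted"}
    return {"status": "scan",
            "argv": [params["yara_path"] + "/yara", "-w", "-r",
                     params["yara_rules"], params["filename"]]}


if __name__ == "__main__":
    print(json.dumps(simulate(), indent=2))
```

Feeding `execd_message(...)` to the real script on stdin (`echo '<json>' | ./yara.sh`) is also a quick way to test it outside Wazuh; if the script prints nothing and writes nothing to active-responses.log, the parsing step is the first place to look.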

1 Answer

Stack Overflow user

Answered 2022-06-29 07:27:00

The active-response and command configuration blocks cannot be in the agent.conf file, because both configurations are part of the manager, so they must be in the manager's ossec.conf. Besides this change, you also need to modify the executable name, because it must include the file extension (.sh).

```xml
<command>
    <name>yara</name>
    <executable>yara.sh</executable>
    <extra-args>-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/index.yar</extra-args>
    <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
    <command>yara</command>
    <location>local</location>
    <rules_id>550,554</rules_id>
</active-response>
```

Also, note that the yara.sh script must be present on every agent where the Yara integration is to run (in the agent's /var/ossec/active-response/bin folder).

Check that the file ownership and permissions are correct: 750 and root:wazuh respectively. jq also needs to be installed on all agents.

If the problem persists, check the manager's ossec.log file for error or warning logs. You can also enable debug mode for the daemon responsible for active response to see more logs in ossec.log. To do so, add the following line to the manager's /var/ossec/etc/local_internal_options.conf and restart the service:

```
execd.debug=2
```

0 votes
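The answer's checklist (manager-only blocks in agent.conf, executable without .sh, mode 750, root:wazuh, jq installed) is easy to turn into a small audit. The following added example, which is not code from the answer or from Wazuh, does that in Python: the pure functions work on configuration text and on facts passed in, and audit_agent gathers the live facts on a Linux agent. The shortened agent.conf embedded below is a constructed copy of the question's configuration; the default script path is the one the answer names.

```python
import grp
import os
import pwd
import shutil
import stat
import xml.etree.ElementTree as ET

# Blocks the answer says belong in the manager's ossec.conf, not in agent.conf.
MANAGER_ONLY_BLOCKS = ("command", "active-response")

# Constructed, shortened copy of the question's agent.conf (syscheck cut down).
AGENT_CONF_FROM_QUESTION = """<agent_config>
    <syscheck>
        <disabled>no</disabled>
        <directories check_all="yes" realtime="yes">/home</directories>
    </syscheck>
    <command>
        <name>yara</name>
        <executable>yara</executable>
        <extra-args>-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/index.yar</extra-args>
        <timeout_allowed>no</timeout_allowed>
    </command>
    <active-response>
        <command>yara</command>
        <location>local</location>
        <rules_id>550,554</rules_id>
    </active-response>
</agent_config>"""


def misplaced_blocks(agent_conf_xml):
    """Top-level blocks in agent.conf that the manager will not honour there."""
    root = ET.fromstring(agent_conf_xml)
    return [child.tag for child in root if child.tag in MANAGER_ONLY_BLOCKS]


def executables_without_extension(conf_xml):
    """<executable> values inside <command> blocks that carry no file extension.
    The <command>yara</command> reference inside <active-response> has no
    <executable> child, so it is skipped."""
    root = ET.fromstring(conf_xml)
    names = [cmd.findtext("executable", "") for cmd in root.iter("command")
             if cmd.find("executable") is not None]
    return [n for n in names if "." not in os.path.basename(n)]


def evaluate_script(mode, owner, group, jq_path, expected=(0o750, "root", "wazuh")):
    """Pure check of the facts the answer lists; returns a list of findings."""
    exp_mode, exp_owner, exp_group = expected
    findings = []
    if stat.S_IMODE(mode) != exp_mode:
        findings.append(f"mode is {stat.S_IMODE(mode):o}, expected {exp_mode:o}")
    if (owner, group) != (exp_owner, exp_group):
        findings.append(f"owner is {owner}:{group}, expected {exp_owner}:{exp_group}")
    if jq_path is None:
        findings.append("jq not found in PATH (the script needs it to parse stdin)")
    return findings


def audit_agent(script_path="/var/ossec/active-response/bin/yara.sh"):
    """Gather the live facts on this agent and evaluate them (Linux only)."""
    if not os.path.exists(script_path):
        return [f"{script_path} is missing on this agent"]
    st = os.stat(script_path)
    return evaluate_script(st.st_mode, pwd.getpwuid(st.st_uid).pw_name,
                           grp.getgrgid(st.st_gid).gr_name, shutil.which("jq"))


if __name__ == "__main__":
    print("misplaced in agent.conf:", misplaced_blocks(AGENT_CONF_FROM_QUESTION))
    print("executables lacking extension:",
          executables_without_extension(AGENT_CONF_FROM_QUESTION))
    print("script findings:", audit_agent())
```

Run on the question's configuration, misplaced_blocks reports both command and active-response, and executables_without_extension reports "yara"; run on an agent, audit_agent returns an empty list only when the script is present with mode 750, owner root:wazuh and jq on PATH.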
Page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/72769330
