#!/bin/bash
#
# Linux osquery + Wazuh Agent Installation Script
# Supports both RPM-based (RHEL/CentOS/Fedora) and DEB-based (Ubuntu/Debian) distributions
# Uses direct package installation: dpkg for .deb packages, rpm -ivh for .rpm packages
# Downloads packages from official Wazuh and osquery repositories
# Author: Security Engineering Team
# Version: 1.0
#
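set -euo pipefail
# Default values. Nothing below reassigns them, so they are readonly.
readonly DEFAULT_WAZUH_VERSION="4.12.0"
readonly DEFAULT_OSQUERY_VERSION="5.17.0"
readonly DEFAULT_WAZUH_MANAGER="127.0.0.1"
readonly DEFAULT_WAZUH_REGISTRATION_SERVER=""
readonly DEFAULT_WAZUH_AGENT_GROUP="default"
readonly DEFAULT_WAZUH_AGENT_NAME=""
readonly DEFAULT_API_KEY=""
readonly DEFAULT_CUSTOM_REPO_URL=""
readonly DEFAULT_LOG_LEVEL="INFO"
readonly DEFAULT_SKIP_SSL_VERIFY="false"
readonly DEFAULT_OSQUERY_CONFIG_REFRESH="300"
readonly DEFAULT_WAZUH_PORT="1514"
# Global variables
readonly SCRIPT_NAME="${0##*/}"
readonly LOG_PREFIX="[EDR-INSTALLER]"
# Scratch directory for downloaded packages and generated config files.
# mktemp -d gives an unpredictable name with mode 0700, unlike a fixed
# /tmp/<name>-$$ path that another local user could pre-create or symlink
# before root writes into it and later rm -rf's it.
TEMP_DIR="$(mktemp -d "${TMPDIR:-/tmp}/osquery-wazuh-install.XXXXXX")" || {
  printf '%s ERROR: unable to create a temporary directory\n' "[EDR-INSTALLER]" >&2
  exit 1
}
readonly TEMP_DIR
# Set by detect_system
DISTRO=""
PACKAGE_MANAGER=""
ARCH=""
DISTRO_VERSION="" # Initialize to prevent unbound variable error
# Color codes for output
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # No Color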
#######################################
# Print the command-line help text.
# Globals:   SCRIPT_NAME and the DEFAULT_* values (read, interpolated into the text)
# Arguments: none
# Outputs:   usage text on stdout
# Note:      --api-key is taken from the command line, so the key is visible
#            in process listings and shell history while the script runs.
#######################################
usage() {
cat << EOF
Usage: $SCRIPT_NAME [OPTIONS]
REQUIRED OPTIONS:
--wazuh-manager MANAGER Wazuh manager server address
OPTIONAL OPTIONS:
--wazuh-version VERSION Wazuh agent version (default: $DEFAULT_WAZUH_VERSION)
--osquery-version VERSION osquery version (default: $DEFAULT_OSQUERY_VERSION)
--wazuh-registration-server SVR Wazuh registration server (default: same as manager)
--wazuh-agent-group GROUP Wazuh agent group (default: $DEFAULT_WAZUH_AGENT_GROUP)
--wazuh-agent-name NAME Wazuh agent name (default: hostname)
--wazuh-port PORT Wazuh manager port (default: $DEFAULT_WAZUH_PORT)
--api-key KEY API key for custom repositories
--custom-repo-url URL Custom repository base URL
--log-level LEVEL Log level: DEBUG|INFO|WARN|ERROR (default: $DEFAULT_LOG_LEVEL)
--skip-ssl-verify Skip SSL certificate verification
--osquery-config-refresh SEC osquery config refresh interval (default: $DEFAULT_OSQUERY_CONFIG_REFRESH)
--dry-run Show what would be done without executing
--help Show this help message
SUPPORTED ARCHITECTURES:
DEB packages: amd64, arm64, i386, armhf, ppc64el
RPM packages: x86_64, aarch64, i386, armv7hl, ppc64le
SUPPORTED DISTRIBUTIONS:
Ubuntu (12+), Debian (7+), Raspbian OS
RHEL (5+), CentOS (5+), Fedora (22+), Oracle Linux (5+)
Amazon Linux (1+), OpenSUSE (42+), SUSE (11+)
NOTE: All packages are downloaded to temporary directory and removed after installation.
EXAMPLES:
# Basic installation (auto-detects architecture and distribution)
$SCRIPT_NAME --wazuh-manager 192.168.1.100
# Custom installation with specific versions
$SCRIPT_NAME --wazuh-manager wazuh.company.com \\
--wazuh-version 4.12.0 \\
--osquery-version 5.17.0 \\
--wazuh-agent-group production \\
--wazuh-agent-name web-server-01
# Installation with custom repository
$SCRIPT_NAME --wazuh-manager wazuh.company.com \\
--custom-repo-url https://repo.company.com \\
--api-key YOUR_API_KEY \\
--skip-ssl-verify
# Dry run to test without installing
$SCRIPT_NAME --wazuh-manager test.company.com \\
--dry-run \\
--log-level DEBUG
EOF
}
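#######################################
# Write one timestamped, colour-coded log line.
# Globals:   LOG_PREFIX, RED, GREEN, YELLOW, BLUE, NC (read)
#            LOG_LEVEL (read; DEBUG lines are printed only when it is DEBUG)
# Arguments: $1 - level: ERROR | WARN | INFO | DEBUG
#            $2 - message text
# Outputs:   ERROR and WARN lines on stderr, INFO and DEBUG lines on stdout
# Returns:   0
#######################################
log_message() {
  local level="$1"
  local message="${2:-}"
  local timestamp
  timestamp=$(date '+%Y-%m-%d %H:%M:%S')
  # %b expands the colour escape sequences; the message goes through %s so
  # backslashes in it (paths, URLs, sed scripts) are printed verbatim instead
  # of being interpreted the way `echo -e` did.
  case "$level" in
    ERROR)
      printf '%b%s [%s] ERROR: %s%b\n' "${RED:-}" "${LOG_PREFIX:-}" "$timestamp" "$message" "${NC:-}" >&2
      ;;
    WARN)
      printf '%b%s [%s] WARN: %s%b\n' "${YELLOW:-}" "${LOG_PREFIX:-}" "$timestamp" "$message" "${NC:-}" >&2
      ;;
    INFO)
      printf '%b%s [%s] INFO: %s%b\n' "${GREEN:-}" "${LOG_PREFIX:-}" "$timestamp" "$message" "${NC:-}"
      ;;
    DEBUG)
      if [[ "${LOG_LEVEL:-INFO}" == "DEBUG" ]]; then
        printf '%b%s [%s] DEBUG: %s%b\n' "${BLUE:-}" "${LOG_PREFIX:-}" "$timestamp" "$message" "${NC:-}"
      fi
      ;;
    *)
      # Unknown level: report it rather than dropping the message silently.
      printf '%s [%s] %s: %s\n' "${LOG_PREFIX:-}" "$timestamp" "$level" "$message" >&2
      ;;
  esac
  return 0
}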
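#######################################
# Log an error, remove the temporary directory and terminate the script.
# Arguments: $1 - error message
#            $2 - exit status (optional, default 1)
# Outputs:   the message via log_message ERROR (stderr)
# Returns:   never; exits with $2 (or 1)
#######################################
error_exit() {
  local message="${1:-unknown error}"
  local status="${2:-1}"
  log_message "ERROR" "$message"
  # cleanup also runs from the EXIT trap; it checks for the directory first,
  # so calling it here as well is harmless.
  cleanup
  exit "$status"
}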
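#######################################
# Remove the temporary download directory, if it exists.
# Globals:   TEMP_DIR (read)
# Outputs:   a DEBUG log line when something was removed
# Returns:   0
#######################################
cleanup() {
  # -d guards an unset/empty TEMP_DIR; ${TEMP_DIR:?} additionally aborts the
  # rm instead of expanding to "" should that guard ever be bypassed.
  if [[ -d "${TEMP_DIR:-}" ]]; then
    rm -rf -- "${TEMP_DIR:?}"
    log_message "DEBUG" "Cleaned up temporary directory and any remaining packages: $TEMP_DIR"
  fi
  return 0
}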
# Trap for cleanup: remove TEMP_DIR on every exit path, including the exit
# performed by error_exit (cleanup tests for the directory first, so running
# it twice is harmless).
trap cleanup EXIT
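#######################################
# Parse command-line options into the global configuration variables.
# Globals:   WAZUH_MANAGER, WAZUH_VERSION, OSQUERY_VERSION,
#            WAZUH_REGISTRATION_SERVER, WAZUH_AGENT_GROUP, WAZUH_AGENT_NAME,
#            WAZUH_PORT, API_KEY, CUSTOM_REPO_URL, LOG_LEVEL, SKIP_SSL_VERIFY,
#            OSQUERY_CONFIG_REFRESH, DRY_RUN (written)
# Arguments: the script's "$@"
# Returns:   0; exits via usage (--help) or error_exit (bad option)
# Note:      --api-key is read from argv, so the key is visible in process
#            listings and shell history while the script runs.
#######################################
parse_arguments() {
  while [[ $# -gt 0 ]]; do
    # Options that take a value must have one: with set -u an absent $2 is an
    # "unbound variable" abort, and a failed `shift 2` would loop forever.
    case "$1" in
      --wazuh-manager|--wazuh-version|--osquery-version|--wazuh-registration-server|--wazuh-agent-group|--wazuh-agent-name|--wazuh-port|--api-key|--custom-repo-url|--log-level|--osquery-config-refresh)
        if [[ $# -lt 2 ]]; then
          error_exit "Option $1 requires a value"
        fi
        ;;
    esac
    case "$1" in
      --wazuh-manager) WAZUH_MANAGER="$2"; shift 2 ;;
      --wazuh-version) WAZUH_VERSION="$2"; shift 2 ;;
      --osquery-version) OSQUERY_VERSION="$2"; shift 2 ;;
      --wazuh-registration-server) WAZUH_REGISTRATION_SERVER="$2"; shift 2 ;;
      --wazuh-agent-group) WAZUH_AGENT_GROUP="$2"; shift 2 ;;
      --wazuh-agent-name) WAZUH_AGENT_NAME="$2"; shift 2 ;;
      --wazuh-port) WAZUH_PORT="$2"; shift 2 ;;
      --api-key) API_KEY="$2"; shift 2 ;;
      --custom-repo-url) CUSTOM_REPO_URL="$2"; shift 2 ;;
      --log-level) LOG_LEVEL="$2"; shift 2 ;;
      --skip-ssl-verify) SKIP_SSL_VERIFY="true"; shift ;;
      --osquery-config-refresh) OSQUERY_CONFIG_REFRESH="$2"; shift 2 ;;
      --dry-run) DRY_RUN="true"; shift ;;
      -h|--help)
        usage
        exit 0
        ;;
      *)
        error_exit "Unknown parameter: $1"
        ;;
    esac
  done
}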
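#######################################
# Apply defaults and validate the configuration collected by parse_arguments.
# Globals:   WAZUH_MANAGER (read); WAZUH_VERSION, OSQUERY_VERSION,
#            WAZUH_REGISTRATION_SERVER, WAZUH_AGENT_GROUP, WAZUH_AGENT_NAME,
#            WAZUH_PORT, API_KEY, CUSTOM_REPO_URL, LOG_LEVEL, SKIP_SSL_VERIFY,
#            OSQUERY_CONFIG_REFRESH, DRY_RUN (written); DEFAULT_* (read)
# Returns:   0; exits via error_exit on an invalid value
#######################################
validate_parameters() {
  if [[ -z "${WAZUH_MANAGER:-}" ]]; then
    error_exit "Wazuh manager is required. Use --wazuh-manager parameter."
  fi
  # Set defaults for optional parameters
  WAZUH_VERSION="${WAZUH_VERSION:-$DEFAULT_WAZUH_VERSION}"
  OSQUERY_VERSION="${OSQUERY_VERSION:-$DEFAULT_OSQUERY_VERSION}"
  WAZUH_REGISTRATION_SERVER="${WAZUH_REGISTRATION_SERVER:-$WAZUH_MANAGER}"
  WAZUH_AGENT_GROUP="${WAZUH_AGENT_GROUP:-$DEFAULT_WAZUH_AGENT_GROUP}"
  WAZUH_AGENT_NAME="${WAZUH_AGENT_NAME:-$(hostname)}"
  WAZUH_PORT="${WAZUH_PORT:-$DEFAULT_WAZUH_PORT}"
  API_KEY="${API_KEY:-$DEFAULT_API_KEY}"
  CUSTOM_REPO_URL="${CUSTOM_REPO_URL:-$DEFAULT_CUSTOM_REPO_URL}"
  LOG_LEVEL="${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}"
  SKIP_SSL_VERIFY="${SKIP_SSL_VERIFY:-$DEFAULT_SKIP_SSL_VERIFY}"
  OSQUERY_CONFIG_REFRESH="${OSQUERY_CONFIG_REFRESH:-$DEFAULT_OSQUERY_CONFIG_REFRESH}"
  DRY_RUN="${DRY_RUN:-false}"
  # Validate log level
  case "$LOG_LEVEL" in
    DEBUG|INFO|WARN|ERROR) ;;
    *) error_exit "Invalid log level: $LOG_LEVEL. Use DEBUG, INFO, WARN, or ERROR." ;;
  esac
  # Validate version formats
  local semver='^[0-9]+\.[0-9]+\.[0-9]+$'
  if ! [[ "$WAZUH_VERSION" =~ $semver ]]; then
    error_exit "Invalid EDR version format: $WAZUH_VERSION"
  fi
  if ! [[ "$OSQUERY_VERSION" =~ $semver ]]; then
    error_exit "Invalid UBA version format: $OSQUERY_VERSION"
  fi
  # Validate port. 10# forces decimal so a value such as "08" is not read as octal.
  if ! [[ "$WAZUH_PORT" =~ ^[0-9]+$ ]] || (( 10#$WAZUH_PORT < 1 || 10#$WAZUH_PORT > 65535 )); then
    error_exit "Invalid EDR port: $WAZUH_PORT"
  fi
  # The refresh interval is written verbatim into the osquery flags file.
  if ! [[ "$OSQUERY_CONFIG_REFRESH" =~ ^[0-9]+$ ]]; then
    error_exit "Invalid osquery config refresh interval: $OSQUERY_CONFIG_REFRESH"
  fi
  # Manager, registration server, group and agent name are later interpolated
  # into eval'd command strings and sed scripts. Restrict them to hostname /
  # IP / identifier characters so a quote, slash or ampersand cannot change
  # what those commands do.
  local ident='^[A-Za-z0-9._:,-]+$'
  local var
  for var in WAZUH_MANAGER WAZUH_REGISTRATION_SERVER WAZUH_AGENT_GROUP WAZUH_AGENT_NAME; do
    if ! [[ "${!var}" =~ $ident ]]; then
      error_exit "Invalid characters in $var: ${!var}"
    fi
  done
  # A custom repository URL ends up inside a curl command: http(s) only, and
  # no whitespace or quotes.
  local url_re="^https?://[^[:space:]'\"]+\$"
  if [[ -n "$CUSTOM_REPO_URL" ]] && ! [[ "$CUSTOM_REPO_URL" =~ $url_re ]]; then
    error_exit "Invalid custom repository URL: $CUSTOM_REPO_URL"
  fi
}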
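#######################################
# Read one KEY=value entry from an os-release style file without sourcing it.
# Arguments: $1 - key (e.g. ID, VERSION_ID)
#            $2 - path to the file
# Outputs:   the value with surrounding single or double quotes removed,
#            or nothing when the key is absent
# Returns:   0
#######################################
_os_release_value() {
  local key="$1" file="$2" line
  line=$(grep -m1 -- "^${key}=" "$file" 2>/dev/null) || return 0
  line="${line#*=}"
  case "$line" in
    \"*\") line=${line#\"}; line=${line%\"} ;;
    \'*\') line=${line#\'}; line=${line%\'} ;;
  esac
  printf '%s' "$line"
}

#######################################
# Map a kernel architecture to the Debian package architecture names.
# Globals:   OSQUERY_ARCH, WAZUH_ARCH (written)
# Arguments: $1 - value of uname -m
# Returns:   0; exits via error_exit on an unsupported architecture
#######################################
_map_deb_arch() {
  case "$1" in
    x86_64)       OSQUERY_ARCH="amd64";   WAZUH_ARCH="amd64" ;;
    aarch64)      OSQUERY_ARCH="arm64";   WAZUH_ARCH="arm64" ;;
    i386|i686)    OSQUERY_ARCH="i386";    WAZUH_ARCH="i386" ;;
    armv7l|armhf) OSQUERY_ARCH="armhf";   WAZUH_ARCH="armhf" ;;
    ppc64le)      OSQUERY_ARCH="ppc64el"; WAZUH_ARCH="ppc64el" ;;
    *) error_exit "Unsupported architecture for DEB packages: $1" ;;
  esac
}

#######################################
# Map a kernel architecture to the RPM package architecture names.
# Globals:   OSQUERY_ARCH, WAZUH_ARCH (written)
# Arguments: $1 - value of uname -m
#            $2 - "amzn" for Amazon Linux (x86_64/aarch64/ppc64le only),
#                 anything else for the general RPM table
# Returns:   0; exits via error_exit on an unsupported architecture
#######################################
_map_rpm_arch() {
  local arch="$1" family="${2:-rpm}"
  local label="RPM packages"
  if [[ "$family" == "amzn" ]]; then
    label="Amazon Linux"
  fi
  case "$arch" in
    x86_64)  OSQUERY_ARCH="x86_64";  WAZUH_ARCH="x86_64" ;;
    aarch64) OSQUERY_ARCH="aarch64"; WAZUH_ARCH="aarch64" ;;
    ppc64le) OSQUERY_ARCH="ppc64le"; WAZUH_ARCH="ppc64le" ;;
    i386|i686)
      if [[ "$family" == "amzn" ]]; then
        error_exit "Unsupported architecture for $label: $arch"
      fi
      OSQUERY_ARCH="i386"; WAZUH_ARCH="i386"
      ;;
    armv7l)
      if [[ "$family" == "amzn" ]]; then
        error_exit "Unsupported architecture for $label: $arch"
      fi
      OSQUERY_ARCH="armv7hl"; WAZUH_ARCH="armv7hl"
      ;;
    *) error_exit "Unsupported architecture for $label: $arch" ;;
  esac
}

#######################################
# Detect the Linux distribution family and package architectures.
# Globals:   DISTRO ("deb"|"rpm"), PACKAGE_MANAGER, DISTRO_VERSION ("el5" for
#            CentOS 5 / Oracle Linux 5 / SUSE 11, else ""), OSQUERY_ARCH,
#            WAZUH_ARCH (written)
# Arguments: $1 - os-release file to read (optional, default /etc/os-release)
# Outputs:   INFO log lines describing the detected system
# Returns:   0; exits via error_exit when the file is missing or the
#            distribution / architecture is unsupported
#######################################
detect_system() {
  local os_release="${1:-/etc/os-release}"
  local base_arch
  base_arch=$(uname -m)
  # Reset so an earlier value can never leak into the package URL
  DISTRO_VERSION=""
  if [[ ! -f "$os_release" ]]; then
    error_exit "Cannot detect Linux distribution"
  fi
  # The file is parsed rather than sourced: `. /etc/os-release` would execute
  # any shell code in it as root and could overwrite this script's variables.
  local distro_id version_id
  distro_id=$(_os_release_value ID "$os_release")
  # VERSION_ID is optional in os-release (rolling releases omit it), so it
  # may legitimately be empty here.
  version_id=$(_os_release_value VERSION_ID "$os_release")
  case "$distro_id" in
    ubuntu|debian|raspbian)
      DISTRO="deb"
      PACKAGE_MANAGER="apt"
      _map_deb_arch "$base_arch"
      ;;
    rhel|centos|fedora|rocky|almalinux|ol|opensuse*|sles)
      DISTRO="rpm"
      PACKAGE_MANAGER="yum"
      if command -v dnf >/dev/null 2>&1; then
        PACKAGE_MANAGER="dnf"
      fi
      # Older releases need the separately built el5-style Wazuh package
      if [[ ( "$distro_id" == "centos" || "$distro_id" == "ol" ) && "$version_id" == "5" ]] ||
         [[ "$distro_id" == "sles" && "$version_id" == "11" ]]; then
        DISTRO_VERSION="el5"
      fi
      _map_rpm_arch "$base_arch" rpm
      ;;
    amzn)
      DISTRO="rpm"
      PACKAGE_MANAGER="yum"
      if command -v dnf >/dev/null 2>&1; then
        PACKAGE_MANAGER="dnf"
      fi
      _map_rpm_arch "$base_arch" amzn
      ;;
    *)
      error_exit "Unsupported distribution: $distro_id"
      ;;
  esac
  log_message "INFO" "Detected system: $distro_id ($DISTRO) - Base arch: $base_arch"
  log_message "INFO" "Package architectures - osquery: $OSQUERY_ARCH, Wazuh: $WAZUH_ARCH"
  if [[ -n "$DISTRO_VERSION" ]]; then
    log_message "INFO" "Special distribution version detected: $DISTRO_VERSION"
  fi
}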
#######################################
# Abort unless running as root; package installs and /etc writes need it.
# Globals:   EUID (read)
# Returns:   0 when root; otherwise exits via error_exit
#######################################
check_root() {
  (( EUID == 0 )) || error_exit "This script must be run as root"
}
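#######################################
# Run a command, or only log it when DRY_RUN is "true".
# Globals:   DRY_RUN (read)
# Arguments: either ONE string, which is run through eval (the form used by
#            the rest of this script), or SEVERAL words, which are run
#            directly as argv without eval.
# Outputs:   a DRY-RUN (INFO) or Executing (DEBUG) log line, then the
#            command's own output
# Returns:   the command's exit status; 0 in dry-run mode
#######################################
execute_command() {
  local rendered
  if [[ $# -eq 1 ]]; then
    rendered="$1"
  else
    # %q renders the argv as a re-runnable, unambiguous command for the log
    rendered=$(printf '%q ' "$@")
    rendered="${rendered% }"
  fi
  if [[ "${DRY_RUN:-false}" == "true" ]]; then
    log_message "INFO" "[DRY-RUN] Would execute: $rendered"
    return 0
  fi
  log_message "DEBUG" "Executing: $rendered"
  if [[ $# -eq 1 ]]; then
    # The string form needs eval for the redirections and env prefixes callers
    # embed; every value interpolated into it must already be shell-quoted.
    eval "$1"
  else
    "$@"
  fi
}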
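#######################################
# Download a URL to a file, retrying transient failures.
# Globals:   SKIP_SSL_VERIFY, API_KEY (read)
# Arguments: $1 - URL
#            $2 - output path
#            $3 - expected SHA-256 hex digest (optional). The callers in this
#                 script do not pass one yet, so the packages are protected by
#                 TLS alone unless --skip-ssl-verify was given.
# Outputs:   log lines; the downloaded file at $2
# Returns:   0 on success; exits via error_exit after max_retries failed
#            attempts, or immediately on a checksum mismatch
#######################################
download_file() {
  local url="$1"
  local output="$2"
  local expected_sha256="${3:-}"
  local max_retries=3
  local retry_delay=5
  # An argv array replaces the eval'd command string, so a quote or space in
  # the URL, the output path or the API key cannot alter the command.
  # --fail turns an HTTP error into a failed transfer instead of saving the
  # error page as the "package".
  local -a curl_opts=(-L --fail --connect-timeout 30 --max-time 300)
  if [[ "${SKIP_SSL_VERIFY:-false}" == "true" ]]; then
    # Certificate validation off: the download can be tampered with on-path,
    # and nothing downstream verifies a package signature.
    curl_opts+=(-k)
  fi
  if [[ -n "${API_KEY:-}" ]]; then
    # The header, and so the key, is visible in the process list while curl runs.
    curl_opts+=(-H "X-API-KEY: $API_KEY")
  fi
  local attempt
  for (( attempt = 1; attempt <= max_retries; attempt++ )); do
    log_message "DEBUG" "Download attempt $attempt: $url"
    if curl "${curl_opts[@]}" -o "$output" "$url" && [[ -s "$output" ]]; then
      if [[ -n "$expected_sha256" ]]; then
        local actual expected
        actual=$(sha256sum -- "$output" | cut -d' ' -f1 | tr 'A-Z' 'a-z')
        expected=$(printf '%s' "$expected_sha256" | tr 'A-Z' 'a-z')
        if [[ "$actual" != "$expected" ]]; then
          # A wrong digest is not transient; do not retry and do not leave the file behind.
          rm -f -- "$output"
          error_exit "Checksum mismatch for $url (expected $expected, got $actual)"
        fi
      fi
      log_message "DEBUG" "Download successful: $output"
      return 0
    fi
    # Drop a partial or empty file so the next attempt starts clean
    rm -f -- "$output"
    if (( attempt < max_retries )); then
      log_message "WARN" "Download failed, retrying in ${retry_delay}s..."
      sleep "$retry_delay"
    fi
  done
  error_exit "Failed to download $url after $max_retries attempts"
}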
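#######################################
# Write the baseline osquery configuration into TEMP_DIR/osquery.conf.
# Globals:   TEMP_DIR (read)
# Returns:   0
#######################################
_write_osquery_config() {
  cat > "$TEMP_DIR/osquery.conf" << 'EOF'
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": "false",
"log_result_events": "true",
"schedule_splay_percent": "10",
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": "3600",
"database_path": "/var/osquery/osquery.db",
"verbose": "false",
"worker_threads": "2",
"enable_monitor": "true",
"disable_events": "false",
"disable_audit": "false",
"audit_allow_config": "true",
"host_identifier": "hostname",
"enable_syslog": "true",
"audit_allow_sockets": "true",
"schedule_default_interval": "3600"
},
"schedule": {
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
"interval": 3600
},
"high_load_average": {
"query": "SELECT period, average, '1/5/15 minutes' AS interval FROM load_average WHERE period IN ('1m', '5m', '15m');",
"interval": 900,
"snapshot": true
},
"low_free_memory": {
"query": "SELECT memory_total, memory_free, (CAST(memory_free AS real) / memory_total) * 100 AS memory_free_perc FROM memory_info;",
"interval": 1800
}
},
"packs": {}
}
EOF
}

#######################################
# Write the osqueryd flags file into TEMP_DIR/osquery.flags.
# Globals:   TEMP_DIR, OSQUERY_CONFIG_REFRESH (read)
# Returns:   0
#######################################
_write_osquery_flags() {
  # Flags take precedence over the same options in osquery.conf (note the
  # pidfile name differs between the two files; the flags value wins).
  cat > "$TEMP_DIR/osquery.flags" << EOF
--config_path=/etc/osquery/osquery.conf
--logger_path=/var/log/osquery
--pidfile=/var/osquery/osqueryd.pidfile
--database_path=/var/osquery/osquery.db
--config_refresh=${OSQUERY_CONFIG_REFRESH}
--disable_logging=false
--utc
EOF
}

#######################################
# Download, install and configure osquery for the detected distribution.
# Globals:   DISTRO, OSQUERY_VERSION, OSQUERY_ARCH, CUSTOM_REPO_URL, TEMP_DIR,
#            OSQUERY_CONFIG_REFRESH, DRY_RUN (read)
# Outputs:   log lines; installs /etc/osquery/osquery.conf and osquery.flags
# Returns:   0; exits via error_exit on download or RPM installation failure
#######################################
install_osquery() {
  log_message "INFO" "Installing UBA version $OSQUERY_VERSION"
  # The official repository is laid out as https://pkg.osquery.io/<deb|rpm>/<file>;
  # a custom repository serves the same file names directly under its base URL.
  local osquery_pkg
  if [[ "$DISTRO" == "deb" ]]; then
    osquery_pkg="osquery_${OSQUERY_VERSION}-1.linux_${OSQUERY_ARCH}.deb"
  else
    osquery_pkg="osquery-${OSQUERY_VERSION}-1.linux.${OSQUERY_ARCH}.rpm"
  fi
  local repo_base="${CUSTOM_REPO_URL:-https://pkg.osquery.io/$DISTRO}"
  local osquery_url="$repo_base/$osquery_pkg"
  local osquery_file="$TEMP_DIR/$osquery_pkg"
  log_message "INFO" "Downloading UBA from: $osquery_url"
  download_file "$osquery_url" "$osquery_file"
  log_message "INFO" "UBA package downloaded to: $osquery_file"
  # Install with the low-level package tools. No signing key is imported by
  # this script, so dpkg performs no signature check and rpm can at most
  # warn; the package is trusted on the strength of the download alone.
  if [[ "$DISTRO" == "deb" ]]; then
    log_message "INFO" "Installing UBA DEB package using dpkg"
    execute_command "dpkg -i '$osquery_file'"
    # dpkg -i leaves the package unconfigured when dependencies are missing
    if [[ "$DRY_RUN" != "true" ]] && ! dpkg -l osquery >/dev/null 2>&1; then
      log_message "WARN" "Fixing osquery dependencies"
      execute_command "apt-get update"
      execute_command "apt-get install -f -y"
    fi
  else
    log_message "INFO" "Installing UBA RPM package using rpm -ivh"
    execute_command "rpm -ivh '$osquery_file'"
    if [[ "$DRY_RUN" != "true" ]] && ! rpm -q osquery >/dev/null 2>&1; then
      error_exit "osquery RPM installation failed"
    fi
  fi
  # Remove package file after successful installation
  if [[ "$DRY_RUN" != "true" ]]; then
    rm -f -- "$osquery_file"
    log_message "DEBUG" "Removed osquery package file: $osquery_file"
  fi
  # Create osquery directories
  execute_command "mkdir -p /etc/osquery /var/log/osquery /etc/osquery/packs"
  execute_command "chown -R root:root /etc/osquery /var/log/osquery"
  execute_command "chmod 755 /etc/osquery /var/log/osquery"
  # Generate the config files in TEMP_DIR, then install them with the final
  # owner and 0640 mode in one step instead of cp followed by chmod.
  _write_osquery_config
  execute_command "install -m 640 -o root -g root '$TEMP_DIR/osquery.conf' /etc/osquery/osquery.conf"
  _write_osquery_flags
  execute_command "install -m 640 -o root -g root '$TEMP_DIR/osquery.flags' /etc/osquery/osquery.flags"
  # Enable and start osquery service
  execute_command "systemctl enable osqueryd"
  execute_command "systemctl start osqueryd"
  log_message "INFO" "UBA installation completed"
}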
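#######################################
# Download and install the Wazuh agent for the detected distribution.
# Globals:   DISTRO, DISTRO_VERSION, WAZUH_VERSION, WAZUH_ARCH,
#            CUSTOM_REPO_URL, TEMP_DIR, DRY_RUN, WAZUH_MANAGER,
#            WAZUH_REGISTRATION_SERVER, WAZUH_AGENT_GROUP, WAZUH_AGENT_NAME (read)
# Outputs:   log lines; exports the WAZUH_* deployment variables
# Returns:   0; exits via error_exit on download or RPM installation failure
#######################################
install_wazuh() {
  log_message "INFO" "Installing EDR agent version $WAZUH_VERSION"
  # The official paths are pinned to the 4.x repository; a WAZUH_VERSION from
  # another major series has to come from --custom-repo-url.
  local wazuh_pkg repo_base
  if [[ "$DISTRO" == "deb" ]]; then
    wazuh_pkg="wazuh-agent_${WAZUH_VERSION}-1_${WAZUH_ARCH}.deb"
    repo_base="${CUSTOM_REPO_URL:-https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent}"
  else
    if [[ -n "$DISTRO_VERSION" ]]; then
      # el5-style build for CentOS 5, Oracle Linux 5 and SUSE 11 (see detect_system)
      wazuh_pkg="wazuh-agent-${WAZUH_VERSION}-1.${DISTRO_VERSION}.${WAZUH_ARCH}.rpm"
    else
      wazuh_pkg="wazuh-agent-${WAZUH_VERSION}-1.${WAZUH_ARCH}.rpm"
    fi
    repo_base="${CUSTOM_REPO_URL:-https://packages.wazuh.com/4.x/yum}"
  fi
  local wazuh_url="$repo_base/$wazuh_pkg"
  local wazuh_file="$TEMP_DIR/$wazuh_pkg"
  log_message "INFO" "Downloading EDR agent from: $wazuh_url"
  download_file "$wazuh_url" "$wazuh_file"
  log_message "INFO" "EDR agent package downloaded to: $wazuh_file"
  # Deployment variables read by the Wazuh package scripts during installation
  export WAZUH_MANAGER="$WAZUH_MANAGER"
  export WAZUH_REGISTRATION_SERVER="$WAZUH_REGISTRATION_SERVER"
  export WAZUH_AGENT_GROUP="$WAZUH_AGENT_GROUP"
  export WAZUH_AGENT_NAME="$WAZUH_AGENT_NAME"
  # The same values are prefixed onto the eval'd install command. %q quotes
  # them for the shell, so a quote or space in an agent name cannot break out
  # of the command string.
  local env_prefix quoted_file
  env_prefix=$(printf 'WAZUH_MANAGER=%q WAZUH_REGISTRATION_SERVER=%q WAZUH_AGENT_GROUP=%q WAZUH_AGENT_NAME=%q' \
    "$WAZUH_MANAGER" "$WAZUH_REGISTRATION_SERVER" "$WAZUH_AGENT_GROUP" "$WAZUH_AGENT_NAME")
  quoted_file=$(printf '%q' "$wazuh_file")
  # No signing key is imported by this script, so dpkg performs no signature
  # check and rpm can at most warn.
  if [[ "$DISTRO" == "deb" ]]; then
    log_message "INFO" "Installing EDR agent DEB package using dpkg"
    execute_command "$env_prefix dpkg -i $quoted_file"
    if [[ "$DRY_RUN" != "true" ]] && ! dpkg -l wazuh-agent >/dev/null 2>&1; then
      log_message "WARN" "Fixing Wazuh agent dependencies"
      execute_command "apt-get update"
      execute_command "apt-get install -f -y"
    fi
  else
    log_message "INFO" "Installing EDR agent RPM package using rpm -ivh"
    execute_command "$env_prefix rpm -ivh $quoted_file"
    if [[ "$DRY_RUN" != "true" ]] && ! rpm -q wazuh-agent >/dev/null 2>&1; then
      error_exit "EDR agent RPM installation failed"
    fi
  fi
  # Remove package file after successful installation
  if [[ "$DRY_RUN" != "true" ]]; then
    rm -f -- "$wazuh_file"
    log_message "DEBUG" "Removed EDR agent package file: $wazuh_file"
  fi
  log_message "INFO" "EDR agent installation completed"
}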
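#######################################
# Escape a value for use in the replacement part of a sed s/// command.
# Arguments: $1 - value
# Outputs:   the value with \ / and & backslash-escaped
# Returns:   0
#######################################
_sed_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/\//\\\//g' -e 's/&/\\\&/g'
}

#######################################
# Wire the osquery wodle into the Wazuh agent configuration.
# Globals:   TEMP_DIR, WAZUH_MANAGER, WAZUH_PORT, DRY_RUN (read)
# Arguments: $1 - path to ossec.conf (default /var/ossec/etc/ossec.conf)
#            $2 - path to local_internal_options.conf
#                 (default /var/ossec/etc/local_internal_options.conf)
# Outputs:   log lines; modifies both files through execute_command
# Returns:   0; exits via error_exit when ossec.conf is missing (not in dry-run)
#            or when the manager address/port contain a single quote
#######################################
configure_wazuh_osquery() {
  local ossec_conf="${1:-/var/ossec/etc/ossec.conf}"
  local internal_options="${2:-/var/ossec/etc/local_internal_options.conf}"
  log_message "INFO" "Configuring EDR + UBA integration"
  if [[ ! -f "$ossec_conf" ]]; then
    if [[ "${DRY_RUN:-false}" == "true" ]]; then
      # A dry run on a host without the agent should not abort here
      log_message "WARN" "[DRY-RUN] $ossec_conf not found; skipping integration configuration"
      return 0
    fi
    error_exit "Wazuh configuration file not found: $ossec_conf"
  fi
  # Both values are spliced into a single-quoted sed script below; a quote
  # would terminate that script early.
  if [[ "$WAZUH_MANAGER$WAZUH_PORT" == *"'"* ]]; then
    error_exit "Manager address and port must not contain single quotes"
  fi
  # Backup original configuration
  execute_command "cp '$ossec_conf' '${ossec_conf}.backup.$(date +%Y%m%d_%H%M%S)'"
  # The wodle is appended as its own <ossec_config> block. Wazuh merges all
  # top-level blocks in ossec.conf, which avoids the previous sed 'e cat'
  # approach that ran once per </ossec_config> line (duplicating the wodle)
  # and, due to a quoting slip, was never given the file name at all.
  cat > "$TEMP_DIR/osquery_wodle.xml" << EOF
<ossec_config>
<wodle name="osquery">
<disabled>no</disabled>
<run_daemon>no</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
</ossec_config>
EOF
  # Add osquery wodle to ossec.conf if not already present
  if ! grep -q '<wodle name="osquery">' "$ossec_conf"; then
    execute_command "cat '$TEMP_DIR/osquery_wodle.xml' >> '$ossec_conf'"
  else
    log_message "WARN" "UBA wodle already configured in ossec.conf"
    # Update existing osquery wodle to ensure correct configuration
    execute_command "sed -i '/<wodle name=\"osquery\">/,/<\/wodle>/{s/<disabled>yes<\/disabled>/<disabled>no<\/disabled>/g; s/<run_daemon>yes<\/run_daemon>/<run_daemon>no<\/run_daemon>/g;}' '$ossec_conf'"
  fi
  # Point the agent at the manager. In the agent's ossec.conf the values live
  # in <address> and <port> inside <client><server>, one tag per line, so the
  # earlier single-line '<server>.*</server>' pattern never matched. Limiting
  # the substitution to the <server> block keeps a <port> elsewhere in the
  # file untouched.
  local mgr_sed port_sed
  mgr_sed=$(_sed_escape "$WAZUH_MANAGER")
  port_sed=$(_sed_escape "$WAZUH_PORT")
  execute_command "sed -i '/<server>/,/<\/server>/{s/<address>.*<\/address>/<address>${mgr_sed}<\/address>/; s/<port>.*<\/port>/<port>${port_sed}<\/port>/;}' '$ossec_conf'"
  # Remote command execution from the manager (command wodle, logcollector
  # commands, SCA). This lets the manager run commands on this host, so a
  # compromised or misconfigured manager becomes a risk to every agent;
  # the entries are appended only once.
  if [[ ! -f "$internal_options" ]] || ! grep -q "wazuh_command.remote_commands=1" "$internal_options"; then
    execute_command "echo 'wazuh_command.remote_commands=1' >> '$internal_options'"
    execute_command "echo 'logcollector.remote_commands=1' >> '$internal_options'"
    execute_command "echo 'sca.remote_commands=1' >> '$internal_options'"
  fi
  log_message "INFO" "EDR + UBA integration configured"
}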
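#######################################
# Check whether a package is installed with the distribution's package tool.
# Globals:   DISTRO (read)
# Arguments: $1 - package name
# Returns:   0 when dpkg -l / rpm -q knows the package, non-zero otherwise
#######################################
_package_installed() {
  if [[ "$DISTRO" == "deb" ]]; then
    dpkg -l "$1" >/dev/null 2>&1
  else
    rpm -q "$1" >/dev/null 2>&1
  fi
}

#######################################
# Wait until a systemd unit reports active.
# Arguments: $1 - unit name
#            $2 - timeout in seconds (optional, default 30)
# Returns:   0 once the unit is active, 1 if the timeout expires
#######################################
_wait_active() {
  local unit="$1" timeout="${2:-30}" waited=0
  until systemctl is-active --quiet "$unit"; do
    if (( waited >= timeout )); then
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

#######################################
# Enable and (re)start osqueryd and wazuh-agent, then verify they are running.
# Globals:   DRY_RUN, DISTRO (read)
# Outputs:   log lines
# Returns:   0; exits via error_exit when a package is missing or a service
#            does not come up
#######################################
start_services() {
  log_message "INFO" "Starting and enabling services"
  # Verify packages are installed before starting services
  if [[ "$DRY_RUN" != "true" ]]; then
    if ! _package_installed osquery; then
      error_exit "uba package not properly installed"
    fi
    if ! _package_installed wazuh-agent; then
      error_exit "edr-agent package not properly installed"
    fi
    log_message "INFO" "Package installation verification successful"
  fi
  # Start and enable osquery
  execute_command "systemctl daemon-reload"
  execute_command "systemctl enable osqueryd"
  execute_command "systemctl restart osqueryd"
  # Start and enable Wazuh agent
  execute_command "systemctl enable wazuh-agent"
  execute_command "systemctl restart wazuh-agent"
  # Verify services are running. Polling replaces the fixed 5 s sleep, which
  # also ran (uselessly) in dry-run mode.
  if [[ "$DRY_RUN" != "true" ]]; then
    if _wait_active osqueryd; then
      log_message "INFO" "uba service is running"
    else
      error_exit "uba service failed to start"
    fi
    if _wait_active wazuh-agent; then
      log_message "INFO" "EDR agent service is running"
    else
      error_exit "EDR agent service failed to start"
    fi
  fi
}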
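#######################################
# Report the installed version of a package.
# Globals:   DISTRO (read)
# Arguments: $1 - package name
# Outputs:   "<version>-<release>" for RPM, the dpkg version column for DEB,
#            or "Not installed"
# Returns:   0
#######################################
_installed_version() {
  local pkg="$1" ver=""
  if [[ "$DISTRO" == "deb" ]]; then
    if ! ver=$(dpkg -l "$pkg" 2>/dev/null | awk '/^ii/ {print $3; exit}'); then
      ver=""
    fi
  else
    # rpm -q prints "package X is not installed" on stdout, so the exit
    # status, not the output, decides.
    if ! ver=$(rpm -q "$pkg" --queryformat '%{VERSION}-%{RELEASE}' 2>/dev/null); then
      ver=""
    fi
  fi
  if [[ -z "$ver" ]]; then
    ver="Not installed"
  fi
  printf '%s' "$ver"
}

#######################################
# Log a summary of what was installed and configured.
# Globals:   DISTRO, DISTRO_VERSION, OSQUERY_ARCH, WAZUH_ARCH, OSQUERY_VERSION,
#            WAZUH_VERSION, WAZUH_MANAGER, WAZUH_PORT, WAZUH_AGENT_NAME,
#            WAZUH_AGENT_GROUP, DRY_RUN (read)
# Outputs:   INFO log lines; package and service state is queried only
#            outside dry-run mode
# Returns:   0
#######################################
display_summary() {
  log_message "INFO" "Installation Summary:"
  log_message "INFO" "===================="
  log_message "INFO" "Distribution: $DISTRO (uba: $OSQUERY_ARCH, EDR: $WAZUH_ARCH)"
  if [[ -n "$DISTRO_VERSION" ]]; then
    log_message "INFO" "Distribution version: $DISTRO_VERSION"
  fi
  log_message "INFO" "UBA version: $OSQUERY_VERSION"
  log_message "INFO" "EDR agent version: $WAZUH_VERSION"
  log_message "INFO" "XDR manager: $WAZUH_MANAGER:$WAZUH_PORT"
  log_message "INFO" "EDR agent name: $WAZUH_AGENT_NAME"
  log_message "INFO" "EDR agent group: $WAZUH_AGENT_GROUP"
  if [[ "$DRY_RUN" == "true" ]]; then
    return 0
  fi
  log_message "INFO" ""
  log_message "INFO" "Installed Package Versions:"
  log_message "INFO" "uba: $(_installed_version osquery)"
  log_message "INFO" "edr-agent: $(_installed_version wazuh-agent)"
  log_message "INFO" ""
  log_message "INFO" "Service Status:"
  log_message "INFO" "uba: $(systemctl is-active osqueryd)"
  log_message "INFO" "EDR agent: $(systemctl is-active wazuh-agent)"
  log_message "INFO" ""
  log_message "INFO" "Configuration files:"
  log_message "INFO" "- uba config: /etc/osquery/osquery.conf"
  log_message "INFO" "- uba flags: /etc/osquery/osquery.flags"
  log_message "INFO" "- EDR config: /var/ossec/etc/ossec.conf"
  log_message "INFO" "- uba logs: /var/log/osquery/"
  log_message "INFO" "- EDR logs: /var/ossec/logs/"
}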
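#######################################
# Entry point: parse options, detect the platform, then install and wire up
# osquery and the Wazuh agent.
# Globals:   TEMP_DIR, DISTRO, OSQUERY_ARCH (read)
# Arguments: the script's "$@"
# Returns:   0 on success; exits via error_exit otherwise
#######################################
main() {
  log_message "INFO" "Starting uba and EDR installation"
  parse_arguments "$@"
  validate_parameters
  check_root
  detect_system
  # Architectures detect_system maps but the public repositories may not
  # carry; warn rather than abort so a custom repository can still serve them.
  local known_archs pkg_label
  if [[ "$DISTRO" == "deb" ]]; then
    known_archs="|amd64|arm64|i386|armhf|"
    pkg_label="DEB"
  else
    known_archs="|x86_64|aarch64|i386|"
    pkg_label="RPM"
  fi
  if [[ "$known_archs" != *"|$OSQUERY_ARCH|"* ]]; then
    log_message "WARN" "uba may not support $OSQUERY_ARCH architecture for $pkg_label packages"
  fi
  # Create temporary directory for package downloads. It is restricted to
  # root because whatever lands here is installed and executed as root.
  mkdir -p "$TEMP_DIR"
  chmod 700 "$TEMP_DIR"
  log_message "INFO" "Created temporary directory for package downloads: $TEMP_DIR"
  # Install components
  install_osquery
  install_wazuh
  configure_wazuh_osquery
  start_services
  display_summary
  log_message "INFO" "Installation completed successfully!"
  log_message "INFO" "All temporary packages have been removed from $TEMP_DIR"
}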
# Execute main function with all arguments. Nothing below this line: the EXIT
# trap registered above removes TEMP_DIR however main returns.
main "$@"