macos-agent.md

File metadata and controls

161 lines (88 loc) · 5.09 KB

macOS Enrollment Guide

This guide walks you through enrolling a macOS system with the Wazuh Manager. By following these steps, you will install and configure the necessary components, ensuring secure communication between the Wazuh Agent and the Wazuh Manager.

Prerequisites

  • Administrator Privileges: Ensure you have sudo access.

  • Homebrew: Have Homebrew installed.

  • Dependencies: Have curl, jq and gsed installed. You can install them with this command (the gnu-sed formula provides the gsed binary):

    brew install curl jq gnu-sed
    
  • Internet Connectivity: Verify that the system is connected to the internet.

Step-by-step process

Step 1: Download and Run the Setup Script

Download the setup script from the repository and run it to configure the Wazuh agent with the necessary parameters for secure communication with the Wazuh Manager.

curl -SL --progress-bar https://raw.githubusercontent.com/ADORSYS-GIS/wazuh-agent/main/scripts/setup-agent.sh | WAZUH_MANAGER=manager.wazuh.adorsys.team bash

Components Installed by the Script:

1. Wazuh Agent: Monitors your endpoint and sends data to the Wazuh Manager. The agent is installed and configured to connect to the specified manager (WAZUH_MANAGER).

2. OAuth2 Authentication Client: Adds certificate-based OAuth2 authentication for secure communications.

3. Wazuh Agent Status: Provides real-time health and connection status of the agent.

4. Yara: Enables advanced file-based malware detection by integrating Yara rules into Wazuh.

5. Snort: Adds network intrusion detection capabilities to monitor suspicious traffic.

Step 2: Enroll Agent to Manager

1. Generate the Enrollment URL

Run the following command to start the enrollment process:

sudo /Library/Ossec/bin/wazuh-cert-oauth2-client o-auth2

This command will generate a URL. Copy the link and paste it into your web browser.

2. Authentication via browser

  • i. Login: You will be taken to a login page. Log in with your Active Directory account (Adorsys GIS or adorsys GmbH & CO KG); Keycloak then generates an authentication token.

  • ii. Two-Factor Authentication: For first-time logins, authentication via an authenticator is required.

  • iii. Token generation: After a successful authentication, a token will be generated. Copy the token and return to the command line.

3. Complete the Enrollment

Return to the command line, paste the token, and follow the prompts to complete the enrollment process.

4. Reboot your Device

Reboot your device to apply the changes.

Step 3: Validate Agent Installation

After completing the agent enrollment, verify that the agent is properly connected and functioning:

1. Check the Agent Status:

Look for the Wazuh icon in the system tray to confirm that the agent is running and connected.

2. Validate Other Tools Installation

  • YARA

    yara -v
    sudo ls -l /Library/Ossec/ruleset/yara/rules

  • Snort

    snort -V

3. Check the Wazuh Manager Dashboard:

Ping an admin for confirmation that the agent appears in the Wazuh Manager dashboard.

Troubleshooting

  • If the enrollment URL fails to generate, check internet connectivity and script permissions.

  • For errors during authentication, ensure Active Directory credentials are correct and two-factor authentication is set up.

  • If the Wazuh Agent Status app does not show the agent as Active and Connected, examine the agent log:

    sudo tail -f /Library/Ossec/logs/ossec.log
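The log can be long, so the following bash helper (an added example, not part of the ADORSYS-GIS repository) reports the agent's most recent connection state and last error from ossec.log. The wazuh-agentd message texts it matches and the sample log lines are assumptions modelled on the agent's log format, not copied from a real installation.

```shell
#!/usr/bin/env bash
# Added example: summarise wazuh-agentd connection state from ossec.log.
# Run against the real log with: agent_state /Library/Ossec/logs/ossec.log
set -eu

# agent_state LOGFILE -> prints "connected", "disconnected" or "unknown",
# based on the most recent connect/disconnect line written by wazuh-agentd.
# The matched message fragments are assumptions about wazuh-agentd output.
agent_state() {
  local logfile="$1" state="unknown" line
  if [ ! -r "$logfile" ]; then
    echo "unknown"
    return 1
  fi
  while IFS= read -r line; do
    case "$line" in
      *"wazuh-agentd"*"Connected to the server"*) state="connected" ;;
      *"wazuh-agentd"*"Unable to connect"*|*"wazuh-agentd"*"Lost connection"*)
        state="disconnected" ;;
    esac
  done < "$logfile"
  echo "$state"
}

# last_agent_error LOGFILE -> prints the most recent ERROR line from
# wazuh-agentd, or nothing if the daemon logged no error.
last_agent_error() {
  grep 'wazuh-agentd' "$1" | grep ' ERROR: ' | tail -n 1 || true
}

# Constructed sample log (format modelled on ossec.log) written to a temp
# file so the helpers can be exercised without a real agent install.
sample_log="$(mktemp)"
cat > "$sample_log" <<'EOF'
2024/01/10 09:00:01 wazuh-agentd: INFO: Started (pid: 412).
2024/01/10 09:00:02 wazuh-agentd: ERROR: (1216): Unable to connect to 'manager.wazuh.adorsys.team': 'Connection refused'.
2024/01/10 09:00:12 wazuh-agentd: INFO: (4102): Connected to the server (manager.wazuh.adorsys.team:1514/tcp).
EOF

echo "state: $(agent_state "$sample_log")"          # state: connected
echo "last error: $(last_agent_error "$sample_log")"
```

A "disconnected" result after a reboot usually means the manager hostname is unreachable from the machine; "unknown" means the log could not be read or holds no connection lines yet.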

Uninstall Agent

1. Uninstall on User's Machine:

  • Use this command to uninstall:

    curl -SL --progress-bar https://raw.githubusercontent.com/ADORSYS-GIS/wazuh-agent/main/scripts/uninstall-agent.sh | bash

  • Reboot the user's machine.

2. Remove Agent from Wazuh Manager:

Shell into the master manager node and run this command to remove the agent from the Wazuh Manager's database:

/var/ossec/bin/manage_agents -r <AGENT_ID>

Additional Resources