AniNIX/Kapisi
3
0
Fork 0
Code Issues 27 Pull Requests Projects 1 Releases Wiki Activity

Consider replacing RKhunter with Wazuh #19

New Issue
Open
opened 2022-05-23 09:38:33 -05:00 by DarkFeather · 1 comment
DarkFeather commented 2022-05-23 09:38:33 -05:00
Owner
Copy Link

Relevant links:

Relevant links: * https://community.graylog.org/t/how-to-create-input-to-receive-wazuh-hids-logs/18715 * https://documentation.wazuh.com/current/index.html
DarkFeather added the
On-hold
RFC
 labels 2022-05-23 09:38:45 -05:00
DarkFeather added this to the Kanban project 2022-08-04 00:40:39 -05:00
DarkFeather commented 2025-10-09 10:52:41 -05:00
Author
Owner
Copy Link

Wazuh could replace a number of tools that we are aggregating inside AniNIX/Sharingan:

  • lynis
  • arch-audit
  • graylog+elasticsearch+mongodb
  • rkhunter
  • AIDE

However, the agent is heavy, wanting gigs of storage, two cores, and a gig of memory. This is a tradeoff, at the moment -- the syslog aggregation would be the same, but we are using daily inspections with our host tool stack to reduce persistent resource utilization. This makes our current stack more cost-effective. We can revisit this as resources become cheaper.

Deployment details: https://documentation.wazuh.com/current/deployment-options/docker/index.html

Example deployment on Arch:
https://wix-doc.com/blog/2024-05-01-secure-your-arch-linux-with-wazuh/

Note, agent-based security tools tend to require privileged access for the agents, which makes remote access to the dashboard a major issue. In our deployment, agents file data via syslog to the aggregator which prevents compromise of the aggregator from infecting servers. Examples of why this is bad:

Wazuh could replace a number of tools that we are aggregating inside AniNIX/Sharingan: * lynis * arch-audit * graylog+elasticsearch+mongodb * rkhunter * AIDE However, the agent is heavy, wanting gigs of storage, two cores, and a gig of memory. This is a tradeoff, at the moment -- the syslog aggregation would be the same, but we are using daily inspections with our host tool stack to reduce persistent resource utilization. This makes our current stack more cost-effective. We can revisit this as resources become cheaper. Deployment details: https://documentation.wazuh.com/current/deployment-options/docker/index.html Example deployment on Arch: https://wix-doc.com/blog/2024-05-01-secure-your-arch-linux-with-wazuh/ Note, agent-based security tools tend to require privileged access for the agents, which makes remote access to the dashboard a major issue. In our deployment, agents file data via syslog to the aggregator which prevents compromise of the aggregator from infecting servers. Examples of why this is bad: * https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh * https://cybersecuritynews.com/crowdstrike-falcon-windows-sensor-vulnerability * https://www.techtarget.com/whatis/feature/Explaining-the-largest-IT-outage-in-history-and-whats-next
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Blocked
There are functional or technical reasons this can't be implemented yet
Duplicate
Another issue or PR already describes this issue
On-hold
Evaluated but not enough resources to complete now
Peer-review
Being reviewed for quality prior to merge
RFC
More information and feedback is needed
Wontfix
Not a bug -- way it works
Blocked
There are functional or technical reasons this can't be implemented yet
Duplicate
Another issue or PR already describes this issue
In-progress
Being worked.
On-hold
Evaluated but not enough resources to complete now
Peer-review
Being reviewed for quality prior to merge
RFC
More information and feedback is needed
Wontfix
Not a bug -- way it works
No Label
On-hold
RFC
Milestone
No items
No Milestone
Projects
Clear projects
No project Kanban
Assignees
Clear assignees
DarkFeather jml project2501
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: AniNIX/Kapisi#19
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?