secubox-openwrt/package/secubox/secubox-app-wazuh/README.md
CyberMind-FR 6f777761e7 feat(wazuh): Add Wazuh security agent package
New package secubox-app-wazuh provides:
- Wazuh Agent installation and management for ARM64/OpenWrt
- File Integrity Monitoring (FIM) for /etc, /usr/sbin, /etc/config
- Log analysis: syslog, CrowdSec, firewall
- Rootcheck and Security Configuration Assessment
- CrowdSec integration for threat sync
- CLI: wazuhctl with install/configure/register/status commands

Wazuh provides SIEM/XDR capabilities complementing CrowdSec:
- Endpoint detection and response
- Compliance monitoring (PCI-DSS, GDPR, HIPAA)
- Vulnerability detection
- Active response automation

Requires external Wazuh Manager or future secubox-wazuh-manager LXC.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-14 13:28:00 +01:00


SecuBox Wazuh Agent

Wazuh security monitoring agent for SecuBox. Provides endpoint detection and response (EDR), file integrity monitoring (FIM), log analysis, and SIEM integration.

Features

  • Endpoint Detection: Real-time threat detection on OpenWrt
  • File Integrity Monitoring: Track changes to critical system files
  • Log Analysis: Monitor syslog, CrowdSec, firewall logs
  • Security Configuration Assessment: Compliance checking
  • CrowdSec Integration: Sync threat intelligence
  • Rootcheck: Detect rootkits and malware

Quick Start

# Install Wazuh agent
wazuhctl install

# Configure manager connection
wazuhctl configure 192.168.1.100

# Register with manager
wazuhctl register

# Start agent
wazuhctl start

# Check status
wazuhctl status

CLI Reference

Installation

| Command | Description |
|---|---|
| `wazuhctl install` | Download and install Wazuh agent |
| `wazuhctl uninstall` | Remove Wazuh agent |
| `wazuhctl upgrade` | Upgrade to latest version |

Configuration

| Command | Description |
|---|---|
| `wazuhctl configure <ip>` | Configure manager connection |
| `wazuhctl register` | Register agent with manager |
| `wazuhctl set-name <name>` | Set agent hostname |

Service Control

| Command | Description |
|---|---|
| `wazuhctl start` | Start Wazuh agent |
| `wazuhctl stop` | Stop Wazuh agent |
| `wazuhctl restart` | Restart agent |
| `wazuhctl status` | Show agent status |

Monitoring

| Command | Description |
|---|---|
| `wazuhctl info` | Show agent information |
| `wazuhctl logs [n]` | Show last n log lines |
| `wazuhctl alerts [n]` | Show recent alerts |

Integration

| Command | Description |
|---|---|
| `wazuhctl crowdsec-sync` | Sync CrowdSec alerts |
| `wazuhctl configure-fim` | Configure FIM directories |
| `wazuhctl configure-sca` | Enable SCA checks |

UCI Configuration

config wazuh 'main'
    option enabled '1'
    option manager_ip '192.168.1.100'
    option manager_port '1514'
    option agent_name 'secubox'
    option protocol 'tcp'

config monitoring 'monitoring'
    option syslog '1'
    option crowdsec_alerts '1'
    option file_integrity '1'
    option rootcheck '1'

config fim 'fim'
    list directories '/etc'
    list directories '/usr/sbin'
    list directories '/etc/config'
    option realtime '1'
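
The UCI options above describe the agent, but what the Wazuh agent actually reads is `ossec.conf`. The following POSIX shell script is an added example written for this page, not code from the secubox-app-wazuh package; it shows how the `wazuh 'main'`, `monitoring` and `fim` sections map onto the real `ossec.conf` elements (`<client><server>`, `<rootcheck>`, `<syscheck><directories>`). The UCI text is embedded as a constructed sample so the script runs without the `uci` binary or a router; `uci_lookup` is a small stand-in for `uci get`, and the validation of the manager address, port and protocol is the editor's suggestion rather than something the package is known to do. Values containing spaces are not handled, which is enough for the options shown on this page.

```shell
#!/bin/sh
# Added example: render SecuBox-style UCI options into an ossec.conf fragment.

# Constructed sample of /etc/config/wazuh (values taken from the README above).
sample_uci() {
cat <<'EOF'
config wazuh 'main'
    option enabled '1'
    option manager_ip '192.168.1.100'
    option manager_port '1514'
    option agent_name 'secubox'
    option protocol 'tcp'

config monitoring 'monitoring'
    option rootcheck '1'

config fim 'fim'
    list directories '/etc'
    list directories '/usr/sbin'
    list directories '/etc/config'
    option realtime '1'
EOF
}

# uci_lookup FILE KIND SECTION KEY
# Prints each value of `option KEY` / `list KEY` found inside `config KIND 'SECTION'`,
# one per line. Hypothetical stand-in for `uci get`, so the example runs offline.
uci_lookup() {
    awk -v kind="$2" -v sec="$3" -v key="$4" '
        { gsub(/'\''/, "") }                                    # strip single quotes
        $1 == "config" { insec = ($2 == kind && $3 == sec); next }
        insec && ($1 == "option" || $1 == "list") && $2 == key { print $3 }
    ' "$1"
}

# Escape the five XML special characters so a path can never break the document.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g; s/'\''/\&apos;/g'
}

# render_ossec_conf FILE -> ossec.conf fragment on stdout; non-zero on bad input.
render_ossec_conf() {
    f="$1"
    ip=$(uci_lookup "$f" wazuh main manager_ip)
    port=$(uci_lookup "$f" wazuh main manager_port)
    proto=$(uci_lookup "$f" wazuh main protocol)
    rootcheck=$(uci_lookup "$f" monitoring monitoring rootcheck)
    realtime=$(uci_lookup "$f" fim fim realtime)

    # Refuse to emit config the agent would reject (or silently misroute).
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || { echo "bad manager_ip: $ip" >&2; return 1; }
    echo "$port" | grep -Eq '^[0-9]+$' && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
        || { echo "bad manager_port: $port" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac

    if [ "$realtime" = "1" ]; then rt=yes; else rt=no; fi
    if [ "$rootcheck" = "1" ]; then rc_disabled=no; else rc_disabled=yes; fi

    printf '<ossec_config>\n  <client>\n    <server>\n'
    printf '      <address>%s</address>\n      <port>%s</port>\n      <protocol>%s</protocol>\n' \
        "$ip" "$port" "$proto"
    printf '    </server>\n  </client>\n'
    printf '  <rootcheck>\n    <disabled>%s</disabled>\n  </rootcheck>\n' "$rc_disabled"
    printf '  <syscheck>\n'
    # One <directories> element per UCI list entry; check_all enables every FIM attribute.
    uci_lookup "$f" fim fim directories | while IFS= read -r d; do
        printf '    <directories check_all="yes" realtime="%s">%s</directories>\n' \
            "$rt" "$(xml_escape "$d")"
    done
    printf '  </syscheck>\n</ossec_config>\n'
}

# Stand-alone demo: write the constructed sample to a temp file and render it.
main() {
    tmp=$(mktemp)
    sample_uci > "$tmp"
    render_ossec_conf "$tmp"
    rm -f "$tmp"
}
main
```

On a real SecuBox the file argument would be `/etc/config/wazuh` and the output would be spliced into the agent's `ossec.conf`; the point of the validation step is that a malformed `manager_ip` or an unknown protocol fails loudly here instead of leaving the agent registered against nothing.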

Monitored Paths

Default File Integrity Monitoring:

  • /etc - System configuration
  • /etc/config - UCI configuration
  • /etc/init.d - Init scripts
  • /usr/sbin - System binaries

CrowdSec Integration

Wazuh monitors CrowdSec logs for:

  • Ban decisions
  • Alert events
  • Threat patterns

Sync manually: wazuhctl crowdsec-sync

Requirements

  • Wazuh Manager (external server or SecuBox LXC)
  • Network connectivity to manager on port 1514 (TCP/UDP)
  • ~35MB RAM for agent

Architecture

SecuBox (Agent)          Wazuh Manager
+---------------+        +------------------+
| wazuhctl      |        | Wazuh Server     |
| ossec.conf    |------->| OpenSearch       |
| FIM/Rootcheck |        | Dashboard        |
+---------------+        +------------------+

References