From 9bf7c0a21ebcc68cfe92a116ffc6a226a3a3ed29 Mon Sep 17 00:00:00 2001
From: Brian Zalewski <59970525+ProfessorManhattan@users.noreply.github.com>
Date: Sun, 5 May 2024 04:49:41 +0000
Subject: [PATCH] Updated Wazuh agent installation
---
 docs/getting-started/requirements.md | 12 ++++++-
 .../post-installx/executable_post-wazuh.sh | 33 ++++++++++++-------
 2 files changed, 32 insertions(+), 13 deletions(-)
diff --git a/docs/getting-started/requirements.md b/docs/getting-started/requirements.md
index 9be5c691..1979b7b5 100644
--- a/docs/getting-started/requirements.md
+++ b/docs/getting-started/requirements.md
@@ -34,7 +34,17 @@ sudo apt-get install -y bash curl
 ## macOS
-macOS has no special requirements.
+### macFUSE Kernel Extensions
+
+macFUSE requires kernel extensions which are not allowed by default. Before provisioning, enable kernel extensions by booting into the recovery environment. You can enable kernel extensions by:
+
+1. Shut down system
+2. Press and hold the Touch ID or power button to launch the Startup Security Utility
+3. In the Startup Security Utility, enable kernel extensions from the Security Policy button
+4. Reboot into the main environment
+5. Open the System Settings
+6. Click on Privacy & Security
+7. Enable relevant System Extensions by clicking on "Enable System Extensions..." (Note: If you enable kernel extensions before installing macFUSE, then the option to enable the extensions will not be available yet. You can either manually install macFUSE before running the provisioning process or revisit the settings page and enable them after the kickstart script installs macFUSE)
 ## Qubes
diff --git a/home/dot_local/bin/post-installx/executable_post-wazuh.sh b/home/dot_local/bin/post-installx/executable_post-wazuh.sh
index 9cf2616c..bc016d51 100644
--- a/home/dot_local/bin/post-installx/executable_post-wazuh.sh
+++ b/home/dot_local/bin/post-installx/executable_post-wazuh.sh
@@ -4,18 +4,27 @@ if [ -d /Applications ] && [ -d /System ]; then
 ### macOS
- if ! csrutil status | grep enabled > /dev/null; then
- cd /tmp
- logg info 'Downloading the macOS Wazuh agent pkg'
- curl -sSL https://packages.wazuh.com/4.x/macos/wazuh-agent-4.4.4-1.pkg > wazuh-agent.pkg
- sudo launchctl setenv WAZUH_MANAGER "$WAZUH_MANAGER"
- logg info 'Installing the Wazuh agent pkg'
- sudo installer -pkg wazuh-agent.pkg -target /
- sudo chmod 755 /Library/Ossec
- sudo chmod 755 /Library/Ossec/bin
- rm /tmp/wazuh-agent.pkg
- logg info 'Running sudo wazuh-control start'
- sudo wazuh-control start
+ cd /tmp
+ logg info 'Downloading the macOS Wazuh agent pkg'
+ if [[ $(uname -m) == 'arm64' ]]; then
+ PKG_URL="https://packages.wazuh.com/4.x/macos/wazuh-agent-4.7.4-1.arm64.pkg"
+ else
+ PKG_URL="https://packages.wazuh.com/4.x/macos/wazuh-agent-4.7.4-1.intel64.pkg"
+ fi
+ curl -sSL "$PKG_URL" > wazuh-agent.pkg
+ log info 'Setting Wazuh launch parameters in /tmp/wazuh_envs'
+ # https://documentation.wazuh.com/current/user-manual/agent/deployment-variables/deployment-variables-macos.html
+ echo "WAZUH_MANAGER='$WAZUH_MANAGER'" > /tmp/wazuh_envs
+ logg info 'Installing the Wazuh agent pkg'
+ sudo installer -pkg wazuh-agent.pkg -target /
+ sudo chmod 755 /Library/Ossec
+ sudo chmod 755 /Library/Ossec/bin
+ find "/Library/Ossec/bin" -mindepth 1 -maxdepth 1 -type f | while read BIN_FILE; do
+ sudo chmod +x "$BIN_FILE"
+ done
+ rm /tmp/wazuh-agent.pkg
+ logg info 'Running sudo wazuh-control start'
+ sudo wazuh-control start
 else
 logg warn "Skipping Wazuh Agent installation because System Integrity Protection is enabled. Disabling it requires booting into recovery and running csrutil disable, installing Wazuh Agent normally, and then re-enabling it again in recovery mode."
 fi
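Review bot: `log info 'Setting Wazuh launch parameters in /tmp/wazuh_envs'` calls `log` while every other line in the hunk calls `logg`; unless a `log` helper exists elsewhere in the file this line fails (and under `set -e` aborts the install), so it should read `logg info 'Setting Wazuh launch parameters in /tmp/wazuh_envs'`. Removing the `if ! csrutil status | grep enabled` line while keeping the `else`/`fi` context lines leaves the "Skipping Wazuh Agent installation because System Integrity Protection is enabled" branch attached to whichever `if` now encloses it (the hunk header suggests `if [ -d /Applications ] && [ -d /System ]`), so that SIP warning would be logged on non-macOS hosts and no longer describes the actual condition; either drop the branch or reword it to match. `echo "WAZUH_MANAGER='$WAZUH_MANAGER'" > /tmp/wazuh_envs` writes the value the root-run installer is expected to read to a fixed path in the shared, world-writable `/tmp`, so a pre-existing file or symlink there can redirect the write or feed the installer other content; `rm -f /tmp/wazuh_envs` before the `echo` and again after `sudo installer` finishes (or writing under a `mktemp -d` directory and moving it into place) narrows that window, and the download itself is still installed as root with no integrity step, so a `pkgutil --check-signature wazuh-agent.pkg` check (or a pinned checksum comparison) before `sudo installer` would reject a tampered or truncated package. The `find ... | while read BIN_FILE` loop should use `while IFS= read -r BIN_FILE` (or `find ... -exec chmod +x {} +`), and it is worth a comment stating why the installer-set permissions on /Library/Ossec need to be widened at all. The enclosing `if` starts before this hunk.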