Updated Wazuh agent installation

Brian Zalewski 2024-05-05 04:49:41 +00:00
parent c3b6f6b084
commit 9bf7c0a21e
2 changed files with 32 additions and 13 deletions


@ -34,7 +34,17 @@ sudo apt-get install -y bash curl
## macOS
macOS has no special requirements.
### macFUSE Kernel Extensions
macFUSE requires kernel extensions which are not allowed by default. Before provisioning, enable kernel extensions by booting into the recovery environment. You can enable kernel extensions by:
1. Shut down system
2. Press and hold the Touch ID or power button to launch the Startup Security Utility
3. In the Startup Security Utility, enable kernel extensions from the Security Policy button
4. Reboot into the main environment
5. Open the System Settings
6. Click on Privacy & Security
7. Enable relevant System Extensions by clicking on "Enable System Extensions..." (Note: If you enable kernel extensions before installing macFUSE, then the option to enable the extensions will not be available yet. You can either manually install macFUSE before running the provisioning process or revisit the settings page and enable them after the kickstart script installs macFUSE)
## Qubes


@ -4,18 +4,27 @@
if [ -d /Applications ] && [ -d /System ]; then
### macOS
if ! csrutil status | grep enabled > /dev/null; then
cd /tmp
logg info 'Downloading the macOS Wazuh agent pkg'
curl -sSL https://packages.wazuh.com/4.x/macos/wazuh-agent-4.4.4-1.pkg > wazuh-agent.pkg
sudo launchctl setenv WAZUH_MANAGER "$WAZUH_MANAGER"
logg info 'Installing the Wazuh agent pkg'
sudo installer -pkg wazuh-agent.pkg -target /
sudo chmod 755 /Library/Ossec
sudo chmod 755 /Library/Ossec/bin
rm /tmp/wazuh-agent.pkg
logg info 'Running sudo wazuh-control start'
sudo wazuh-control start
cd /tmp
logg info 'Downloading the macOS Wazuh agent pkg'
if [[ $(uname -m) == 'arm64' ]]; then
PKG_URL="https://packages.wazuh.com/4.x/macos/wazuh-agent-4.7.4-1.arm64.pkg"
else
PKG_URL="https://packages.wazuh.com/4.x/macos/wazuh-agent-4.7.4-1.intel64.pkg"
fi
curl -sSL "$PKG_URL" > wazuh-agent.pkg
log info 'Setting Wazuh launch parameters in /tmp/wazuh_envs'
# https://documentation.wazuh.com/current/user-manual/agent/deployment-variables/deployment-variables-macos.html
echo "WAZUH_MANAGER='$WAZUH_MANAGER'" > /tmp/wazuh_envs
logg info 'Installing the Wazuh agent pkg'
sudo installer -pkg wazuh-agent.pkg -target /
sudo chmod 755 /Library/Ossec
sudo chmod 755 /Library/Ossec/bin
find "/Library/Ossec/bin" -mindepth 1 -maxdepth 1 -type f | while read BIN_FILE; do
sudo chmod +x "$BIN_FILE"
done
rm /tmp/wazuh-agent.pkg
logg info 'Running sudo wazuh-control start'
sudo wazuh-control start
else
logg warn "Skipping Wazuh Agent installation because System Integrity Protection is enabled. Disabling it requires booting into recovery and running csrutil disable, installing Wazuh Agent normally, and then re-enabling it again in recovery mode."
fi
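Review bot: The package saved by `curl -sSL "$PKG_URL" > wazuh-agent.pkg` is passed to `sudo installer` with no signature or checksum check, and it sits under a fixed name in world-writable /tmp until then, so whatever ends up at that path is installed as root. Without `-f`, curl also writes an HTTP error body to the file and still exits 0. I would download into a `mktemp -d` directory, use `curl -fsSL`, and gate the install on `pkgutil --check-signature` (ideally also comparing against a checksum pinned in this repo, since the signature check alone does not pin the signer). Separately, `log info 'Setting Wazuh launch parameters in /tmp/wazuh_envs'` looks like a typo for `logg info`; unless a `log` function is defined outside this hunk, that line will invoke the macOS `log` utility instead of the project logger. The enclosing script continues outside the hunk.

```shell
# … unchanged: PKG_URL selection by uname -m …
PKG_DIR="$(mktemp -d)"
curl -fsSL "$PKG_URL" -o "$PKG_DIR/wazuh-agent.pkg"
logg info 'Setting Wazuh launch parameters in /tmp/wazuh_envs'
# … unchanged: write of /tmp/wazuh_envs …
if pkgutil --check-signature "$PKG_DIR/wazuh-agent.pkg" > /dev/null; then
  logg info 'Installing the Wazuh agent pkg'
  sudo installer -pkg "$PKG_DIR/wazuh-agent.pkg" -target /
  # … unchanged: chmod steps and wazuh-control start …
else
  logg warn 'Skipping Wazuh agent installation because the pkg signature could not be verified'
fi
rm -rf "$PKG_DIR"
```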