
    Topics

    • IRJ

      Testing Suricata with Wazuh in a VM test environment - Installation

      IT Discussion suricata wazuh wazuh-manager nids hids elk
      1
      3 Votes
      1 Posts
      3k Views
      No one has replied
    • IRJ

      Wazuh - Configuring Custom Rules Based on Hostname

      IT Discussion wazuh siem
      2
      3 Votes
      2 Posts
      1k Views
      IRJ

      It sucks that you can't create rules by group yet. The devs have submitted a feature request for it on my behalf so hopefully soon 🙂

    • IRJ

      Wazuh - Configuring Groups for Centralized Management

      IT Discussion wazuh
      1
      3 Votes
      1 Posts
      746 Views
      No one has replied
    • IRJ

      Wazuh Manager Install - Ubuntu

      IT Discussion wazuh ubuntu linux wazuh-manager
      3
      3 Votes
      3 Posts
      3k Views
      IRJ

      @wirestyle22 said in Wazuh Manager Install - Ubuntu:

      A few things:

      The manager label is wrong. It says manger instead of manager.

      @IRJ said in Wazuh Manager Install - Ubuntu:

      Install Filebeat

      There are two entries for "Install Filebeat"

      I tried to install Filebeat going command by command and it can't find it.

      Thanks I fixed the guide.

      What you need to do is this:

      #***********************************************************
      #Install GPG keys and add repository
      #***********************************************************
      curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
      echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list

      #***********************************************************
      # APT Update
      #***********************************************************
      sudo apt update

      #***********************************************************
      #Install Filebeat
      #***********************************************************
      sudo apt install -y filebeat=6.7.1

      #***********************************************************
      #Download Filebeat config file to forward logs
      #***********************************************************
      sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/filebeat/filebeat.yml

      #***********************************************************
      #Edit Filebeat config file to point to Elastic Server IP (In this lab environment I am using 127.0.0.1)
      #***********************************************************
      sed -i 's/YOUR_ELASTIC_SERVER_IP/192.168.122.181/' /etc/filebeat/filebeat.yml

      #***********************************************************
      #Start Filebeat service and configure it to automatically start at boot
      #***********************************************************
      sudo systemctl daemon-reload
      sudo systemctl enable filebeat.service
      sudo systemctl start filebeat.service

      Make sure to change 192.168.122.181 to your IP, or localhost if you are using a single server for Wazuh and ELK.

    • IRJ

      Wazuh Agent Install - CentOS

      IT Discussion wazuh centos linux
      4
      4 Votes
      4 Posts
      1k Views
      travisdh1

      @JaredBusch said in Wazuh Agent Install - CentOS:

      Why are you disabling agent updates?

      Wazuh doesn't understand how to maintain their own repository, so when OSSIM updates their stuff, it breaks Wazuh. It's silly, easily fixable, and I don't have the time to maintain the thing myself.

    • IRJ

      Wazuh Agent Install - Ubuntu

      IT Discussion wazuh linux ubuntu
      1
      2 Votes
      1 Posts
      1k Views
      No one has replied
    • IRJ

      How to configure SSH Keys for Nessus

      IT Discussion nessus ssh keys
      12
      5 Votes
      12 Posts
      2k Views
      JaredBusch

      @DustinB3403 said in How to configure SSH Keys for Nessus:

      Isn't this step redundant?

      sudo mkdir /home/scan_user/.ssh
      sudo chown -R scan_user:scan_user /home/scan_user

      As ssh-keygen will create these directories and set the ownership?

      It certainly does on Fedora.

    • IRJ

      Cannot SSH using public key

      IT Discussion ssh keys ssh
      33
      0 Votes
      33 Posts
      3k Views
      DustinB3403

      @IRJ said in Cannot SSH using public key:

      RSA key working on Nessus, too. Thanks @DustinB3403 for calming me down

      You're welcome.

    • IRJ

      Can someone help explain this alias part to me?

      IT Discussion sudoers least permission
      7
      0 Votes
      7 Posts
      274 Views
      travisdh1

      @IRJ said in Can someone help explain this alias part to me?:

      @travisdh1 said in Can someone help explain this alias part to me?:

      @IRJ said in Can someone help explain this alias part to me?:

      This is actually a decent explanation of what I am trying to do:

      https://community.spiceworks.com/topic/108735-scanning-linux-devices-with-non-root-user

      That original one, while technically correct, seems purposely made more difficult to me.

      Ugh, that 🌶 thread, don't name your custom script the same thing as the program being run, FFS.

      This is where I have to ask, what exactly are you trying to accomplish? Just grab system information with dmidecode, or something different?

      https://www.tenable.com/blog/configuring-least-privilege-ssh-scans-with-nessus

      All right, not the greatest tutorial/how-to ever. You should only need a single user to accomplish this, so the whole group and alias conversation is pointless.

      Just follow the rest of that tutorial, adding only the needed programs to the sudoers file.

      nessus_user ALL=NOPASSWD: /usr/bin/program1, /usr/bin/program2
    • IRJ

      HIDS for Docker Host

      IT Discussion wazuh docker hids intrustion dectection
      1
      1 Votes
      1 Posts
      495 Views
      No one has replied
    • IRJ

      Conatainers (Docker) vs VMs - When and Why?

      IT Discussion docker containers virtualization vms
      19
      1 Votes
      19 Posts
      2k Views
      scottalanmiller

      @JaredBusch said in Conatainers (Docker) vs VMs - When and Why?:

      @Obsolesce said in Conatainers (Docker) vs VMs - When and Why?:

      Are there many use cases in the SMB outside of Dev?

      Not even in dev really for the SMB. Just use a single VM to do the work. SMB rarely needs to scale.

      Other than as you stated, the solution is presented that way. Like UNMS.

      Even enterprise rarely needs to scale that way. It's more for hosting companies than anything.

    • IRJ

      How to configure a OneDrive file for use with wget

      IT Discussion onedrive wget automation download
      2
      2 Votes
      2 Posts
      7k Views
      IRJ

      Added extra step of renaming file and deleting long garbage file name.

    • IRJ

      How to configure automatic updates on Ubuntu 18.04 LTS

      IT Discussion ubuntu 18.04 automatic updates postfix unattended-upgrades
      23
      5 Votes
      23 Posts
      4k Views
      Danp

      @IRJ said in How to configure automatic updates on Ubuntu 18.04 LTS:

      Scripted a bit for anyone interested

      FWIW, this line didn't work for me --

      sed -i '/Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"/a\\ "${distro_id}:${distro_codename}-updates"; ' /etc/apt/apt.conf.d/50unattended-upgrades

      I believe this is due to the line being inserted outside the Unattended-Upgrade::Allowed-Origins grouping.

    • IRJ

      Cannot boot to LUKS encrypted drive on Ubuntu - freezes after unlocking drive

      Solved IT Discussion selinux ubuntu freezes on boot luks recovery mode
      5
      1 Votes
      5 Posts
      745 Views
      IRJ

      @black3dynamite said in Cannot boot to LUKS encrypted drive on Ubuntu - freezes after unlocking drive:

      @travisdh1 Is it possible that AppArmor is installed by default on all Ubuntu installations? Having AppArmor and SELinux both active can cause problems.

      I'd love to hear a bit more about AppArmor. I am not familiar with it at all. This should be a new thread.

    • IRJ

      NGINX Reverse Proxy Help - Error code: SSL_ERROR_RX_RECORD_TOO_LONG

      IT Discussion kibana nginx ssl reverse proxy
      4
      1 Votes
      4 Posts
      3k Views
      IRJ

      @black3dynamite said in NGINX Reverse Proxy Help - Error code: SSL_ERROR_RX_RECORD_TOO_LONG:

      In the server block, add ssl_protocols TLSv1.2; and reload nginx

      No joy. Incognito mode did not work either.

    • IRJ

      KVM/QEMU DNS

      Solved IT Discussion kvm qemu dns
      8
      0 Votes
      8 Posts
      1k Views
      IRJ

      @dyasny said in KVM/QEMU DNS:

      libvirt has dnsmasq built in, to serve DHCP. It can also be configured to serve DNS to the libvirt NAT network, and the host.

      This is an example of a working configuration: https://fabianlee.org/2018/10/22/kvm-using-dnsmasq-for-libvirt-dns-resolution/

      Pretty cool. Thanks.

    • IRJ

      Dual boot issues with fedora and windows

      IT Discussion
      4
      1 Votes
      4 Posts
      153 Views
      scottalanmiller

      My guess is that no, it could not work if the full drive is encrypted. Once you boot into Windows, the drive would be inaccessible as there would be no Linux to decrypt it.

    • IRJ

      Packetfence Open Source NAC

      IT Discussion packetfence nac network access control
      5
      2 Votes
      5 Posts
      530 Views
      dbeato

      I have not used it, only provided some guidance in SW for that.

    • IRJ

      WordPress website migration

      IT Discussion wordpress migration lets encrypt
      20
      0 Votes
      20 Posts
      1k Views
      wirestyle22

      @IRJ This would be a heck of a guide if you ever get the time to do it

    • IRJ

      Gnome 3.32

      IT Discussion gnome gnome 3.32
      2
      1 Votes
      2 Posts
      286 Views
      IRJ

      In case anyone else is interested...

      https://copr.fedorainfracloud.org/coprs/paulcarroty/Gnome_3.32/
