How to install Wazuh HIDS with Docker on CentOS 7

In this article we show how to install Wazuh HIDS with Docker on CentOS 7. Wazuh is a free, open-source, enterprise-ready fork of the OSSEC HIDS that goes one step further: it gathers and visualizes a wide range of host security information. It is built as a stack of Wazuh, Elasticsearch and Kibana.

Here is our environment:

OS: CentOS 7 Linux on VMware
Firewall: firewalld
Selinux: Enforcing
Server IP address: 192.168.175.128
Client IP Address: 192.168.175.129

There are 3 ways to install the Wazuh stack:

  • Distribution Packages
  • Docker container
  • Kubernetes

Here we install the Wazuh stack using Docker containers; in the next article we will install it using distribution packages and Kubernetes.

1- Install docker

Docker requires a 64-bit operating system running kernel version 3.10 or higher, so first we check both; the output of uname -r shows the kernel version and the machine architecture:

 uname -r

and the output is:

3.10.0-229.el7.x86_64
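The two prerequisites can be checked in a script rather than by eye. The following is an added example, not code from the original article or from Docker: it parses a uname -r string such as the one above, compares the major.minor version against 3.10, and checks that the machine type is one of the 64-bit architectures. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): check the two Docker
# prerequisites, a 64-bit machine and a kernel of 3.10 or newer, before
# running the get.docker.com installer.

# kernel_at_least VERSION MINIMUM -> returns 0 if VERSION >= MINIMUM,
# comparing only major.minor. VERSION is the output of `uname -r`,
# e.g. 3.10.0-229.el7.x86_64; MINIMUM is e.g. 3.10.
kernel_at_least() {
    ver=${1%%-*}          # strip the "-229.el7.x86_64" release suffix
    maj=${ver%%.*}        # 3
    rest=${ver#*.}        # 10.0
    min=${rest%%.*}       # 10
    want_maj=${2%%.*}
    want_min=${2#*.}
    if [ "$maj" -gt "$want_maj" ]; then return 0; fi
    if [ "$maj" -eq "$want_maj" ] && [ "$min" -ge "$want_min" ]; then return 0; fi
    return 1
}

# is_64bit ARCH -> returns 0 for the 64-bit machine types (uname -m) Docker supports
is_64bit() {
    case "$1" in
        x86_64|aarch64|ppc64le|s390x) return 0 ;;
        *) return 1 ;;
    esac
}

# check_docker_prereqs [KERNEL] [ARCH]: defaults to the running system.
# Prints each failed requirement on stderr and returns 1 if any failed.
check_docker_prereqs() {
    kernel=${1:-$(uname -r)}
    arch=${2:-$(uname -m)}
    ok=0
    if ! kernel_at_least "$kernel" 3.10; then
        echo "kernel $kernel is older than 3.10" >&2
        ok=1
    fi
    if ! is_64bit "$arch"; then
        echo "architecture $arch is not 64-bit" >&2
        ok=1
    fi
    return $ok
}

# Run against the host this script executes on:
check_docker_prereqs && echo "Docker prerequisites satisfied"
```

Run it before the curl | sh step; a non-zero exit means the installer will not produce a working daemon on this host.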

Now we run the following command to install the latest Docker version:

 curl -sSL https://get.docker.com/ | sh

Then we start and enable docker service:

 systemctl start docker
 systemctl enable docker

1.1- Install Docker compose

Docker Compose is a utility that deploys multi-container applications described in Compose files, so we must install it:

 curl -L "https://github.com/docker/compose/releases/download/1.28.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

Then we make it executable:

 chmod +x /usr/local/bin/docker-compose

Now we check that Docker Compose runs correctly by printing its version:

 docker-compose --version

and the output is:

docker-compose version 1.28.3

2- Install the Wazuh server

Before installing the Wazuh server, we should consider these points:

  • System memory: because we install the whole Wazuh stack on a single host, the system should have at least 6 GB of memory for the best performance.
  • Maximum map count: vm.max_map_count is the maximum number of memory map areas a process may have. Memory map areas are created as a side effect of calling malloc, directly by mmap, mprotect and madvise, and also when loading shared libraries.

Now we increase the maximum map count and make it permanent by issuing these commands:

 echo "vm.max_map_count=262144" >> /etc/sysctl.conf
 sysctl -p
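Appending to /etc/sysctl.conf with >> works once, but if the installation steps are re-run the file accumulates duplicate vm.max_map_count lines and only the last one takes effect. The following added example (not code from the original article or from Wazuh) sets a sysctl key idempotently: it replaces an existing line for the key or appends one if absent, and provides two read-back helpers to verify the result. The function names are this example's own; the file path and value are the ones the article uses.

```shell
#!/bin/sh
# Added example (not from the original article): set a sysctl key in a
# configuration file without appending a duplicate line on every re-run.

# sysctl_key_re KEY -> KEY with its dots escaped for use in an ERE
sysctl_key_re() {
    printf '%s\n' "$1" | sed 's/\./\\./g'
}

# set_sysctl_value FILE KEY VALUE
#   Replaces an existing "KEY = VALUE" / "KEY=VALUE" line in FILE, or appends
#   "KEY=VALUE" if the key is absent. FILE is created if it does not exist.
set_sysctl_value() {
    file=$1 key=$2 value=$3
    re=$(sysctl_key_re "$key")
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*$re[[:space:]]*=" "$file"; then
        # sed -i is GNU sed syntax, which is what CentOS 7 ships
        sed -i -E "s|^[[:space:]]*$re[[:space:]]*=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_value FILE KEY -> prints the configured value (last definition wins,
# as it does for sysctl -p), or nothing if the key is not set
get_sysctl_value() {
    re=$(sysctl_key_re "$2")
    sed -nE "s|^[[:space:]]*$re[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1" | tail -n 1
}

# count_sysctl_lines FILE KEY -> how many lines define KEY (should be exactly 1)
count_sysctl_lines() {
    re=$(sysctl_key_re "$2")
    grep -Ec "^[[:space:]]*$re[[:space:]]*=" "$1" || true
}

# Apply the requirement from the article, then load it into the running kernel:
#   set_sysctl_value /etc/sysctl.conf vm.max_map_count 262144 && sysctl -p
```

Because the value is written exactly once, running the installer again leaves /etc/sysctl.conf unchanged, which also makes a later configuration audit of the host simpler.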

2.1- Clone the Wazuh repository

The Wazuh Docker repository is hosted on GitHub, so first we install git and then clone the repository:

 yum install git
 git clone https://github.com/wazuh/wazuh-docker.git -b v4.1.2 --depth=1

This downloads the Wazuh Docker files into a directory called wazuh-docker under the current path.

2.2- Configure SELinux

To prevent SELinux from breaking Wazuh's operation, we must set the proper security context on the wazuh-docker directory:

 chcon -R system_u:object_r:admin_home_t:s0 wazuh-docker/

2.3- Replace demo certificates

This Docker deployment contains 3 nodes. The following command generates the certificates for each node:

 docker-compose -f ~/wazuh-docker/generate-opendistro-certs.yml run --rm generator

2.4- Setup SSL certificates for Kibana

There is a bash script that does this for us automatically:

 bash ./wazuh-docker/production_cluster/kibana_ssl/generate-self-signed-cert.sh

2.5- Setup SSL on the Nginx load balancer

There is another bash script that generates the Nginx certificate:

 bash ./wazuh-docker/production_cluster/nginx/ssl/generate-self-signed-cert.sh

2.6- Start Wazuh

Now we start the Wazuh stack by bringing up its Docker containers with the following command:

 docker-compose -f wazuh-docker/production-cluster.yml up -d

After some time, the stack will be listening on the following ports:

 1514/TCP   Wazuh
 1515/TCP   Wazuh
 514/UDP    Wazuh
 55000/TCP  Wazuh API
 9200/TCP   Elasticsearch HTTP
 443/TCP    Kibana HTTPS
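To confirm that the stack has actually come up, the following added example (not part of the original article or of the wazuh-docker project) parses the output format of ss -tuln and reports which of the ports listed above are not yet listening. The sample in SAMPLE_SS is constructed for the demonstration and deliberately lacks port 9200; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article or the wazuh-docker project:
# report which of the expected Wazuh stack ports are not listening, using the
# column layout of `ss -tuln` (Netid State Recv-Q Send-Q Local:Port Peer:Port).

# listening_ports: reads `ss -tuln` output on stdin and prints one
# "proto/port" pair per line (e.g. tcp/1514), sorted and de-duplicated.
# The port is taken after the last ':' so IPv4 (0.0.0.0:1514) and
# IPv6 ([::]:443) local addresses are both handled.
listening_ports() {
    awk 'NR > 1 && ($1 == "tcp" || $1 == "udp") {
            n = split($5, a, ":"); print $1 "/" a[n]
         }' | sort -u
}

# missing_ports PROTO/PORT...: reads `ss -tuln` output on stdin, prints each
# expected pair that is not listening, and returns 1 if any are missing.
missing_ports() {
    have=$(listening_ports)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# The ports the article says the stack listens on once it is up.
WAZUH_PORTS="tcp/1514 tcp/1515 udp/514 tcp/55000 tcp/9200 tcp/443"

# Constructed sample of `ss -tuln` output for the demonstration; Elasticsearch
# (9200) has deliberately not come up yet.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:1514      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:1515      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:55000     0.0.0.0:*
tcp   LISTEN 0      128    [::]:443          [::]:*'

# check_sample: run the check against the constructed sample. On the real
# manager host use:   ss -tuln | missing_ports $WAZUH_PORTS
# ($WAZUH_PORTS is left unquoted on purpose so it splits into arguments.)
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | missing_ports $WAZUH_PORTS
}

check_sample || echo "some Wazuh ports are not listening yet" >&2
```

Remember that our environment runs firewalld, and the article opens no ports in it: an agent on 192.168.175.129 can only reach 1514/TCP and 1515/TCP on the manager if the firewall zone on the manager permits them, so check the firewalld configuration as well as the listening sockets when an agent fails to connect.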

3- Install the Wazuh agent

To gather information about hosts, the Wazuh agent must be installed on each host. The agent is available for the following operating systems:

AIX
HP-UX
Linux
macOS
Solaris
Windows

Here we install the agent on Linux. Installation is as easy as issuing the following command:

 sudo WAZUH_MANAGER='192.168.175.128' yum install https://packages.wazuh.com/4.x/yum/wazuh-agent-4.1.2-1.x86_64.rpm

Remember to replace 192.168.175.128 with the IP address of your own Wazuh server.