🧩 Machine Centralization
For the automation you need to create a Linux virtual machine and install Puppet: https://github.com/puppetlabs/puppet
Structure
[!Note] This is an example; you can use your own directory layout.
/etc/puppetlabs/code/environments/production/modules/
└── wazuh_cti/
├── manifests/
│ └── init.pp # Your main Puppet script (class wazuh_cti)
├── files/
│ ├── yara.sh # YARA script for Linux (Active Response)
│ ├── yara.bat # YARA script for Windows
│ ├── rules/
│ │ └── wannacry_rule.yar # YARA rules, generated or hand-written
│ └── templates/
│ └── ossec.conf.erb # Wazuh agent configuration template
Puppet configuration
/etc/puppetlabs/code/environments/production/modules/
Manifest (manifests/init.pp)
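# Deploys the Wazuh agent and the YARA active-response files of this module.
#
# This class must live in manifests/init.pp of the wazuh_cti module so that
# `include wazuh_cti` resolves it. Every parameter has a default, so a plain
# `include wazuh_cti` keeps working exactly as the unparameterised version did.
#
# Parameters:
#   manager_ip  - Wazuh manager the agent enrols with and reports to.
#   deb_url     - URL of the wazuh-agent .deb installed on Debian-family hosts.
#   deb_file    - local file name the package is stored under in /root.
#   deb_sha256  - optional SHA-256 of the .deb. When set, Puppet verifies the
#                 download before dpkg runs; when left undef the package is
#                 installed WITHOUT integrity verification.
#
# Behaviour per OS family:
#   windows - only the YARA rule and yara.bat are deployed; the agent itself is
#             assumed to be installed already.
#   Debian  - the agent is downloaded, installed, configured, enrolled and
#             started (dpkg-based, so only Debian/Ubuntu-like hosts).
#   other   - the catalog fails instead of silently running dpkg on a host
#             that has none.
class wazuh_cti (
  String           $manager_ip = '192.168.100.12',
  String           $deb_url    = 'https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.11.2-1_amd64.deb',
  String           $deb_file   = 'wazuh-agent_4.11.2-1_amd64.deb',
  Optional[String] $deb_sha256 = undef,
) {
  $deb_path = "/root/${deb_file}"

  if $facts['os']['family'] == 'windows' {
    # YARA rules directory (Windows agent install tree).
    file { 'yara_rules_dir_win':
      path   => 'C:/Program Files (x86)/ossec-agent/ruleset/yara',
      ensure => directory,
    }

    # Deploy the .yar rule.
    file { 'wannacry_yar_win':
      path    => 'C:/Program Files (x86)/ossec-agent/ruleset/yara/wannacry_rule.yar',
      ensure  => file,
      source  => 'puppet:///modules/wazuh_cti/rules/wannacry_rule.yar',
      require => File['yara_rules_dir_win'],
    }

    # Deploy yara.bat (the Windows active-response script).
    file { 'yara_bat_script':
      path   => 'C:/Program Files (x86)/ossec-agent/active-response/yara.bat',
      ensure => file,
      source => 'puppet:///modules/wazuh_cti/yara.bat',
    }

  } elsif $facts['os']['family'] == 'Debian' {
    # Download the agent package with a file resource rather than `wget -O`:
    # a failed wget still leaves an empty/partial file, which an exec's
    # `creates` would then treat as a finished download. Only verify the
    # checksum when the caller supplied one (undef leaves both attributes unset).
    $deb_checksum = $deb_sha256 ? {
      undef   => undef,
      default => 'sha256',
    }
    file { $deb_path:
      ensure         => file,
      source         => $deb_url,
      owner          => 'root',
      group          => 'root',
      mode           => '0600',
      checksum       => $deb_checksum,
      checksum_value => $deb_sha256,
    }

    # Install the package, passing the manager IP to the .deb's postinst via
    # the exec `environment` attribute (the default posix provider does not
    # understand `VAR=value cmd`). The `unless` needs a pipe, hence the shell
    # provider; `dpkg-query ... Status` ignores removed-but-not-purged (rc)
    # entries that a bare `dpkg -l | grep` would mistake for "installed".
    exec { 'install_wazuh_agent':
      command     => "dpkg -i ${deb_path}",
      environment => ["WAZUH_MANAGER=${manager_ip}"],
      unless      => 'dpkg-query -W -f=\'${Status}\' wazuh-agent | grep -q "install ok installed"',
      provider    => shell,
      path        => ['/usr/bin', '/bin'],
      require     => File[$deb_path],
    }

    # Render ossec.conf from our template. template() resolves to
    # <module>/templates/ossec.conf.erb, NOT <module>/files/templates/.
    file { '/var/ossec/etc/ossec.conf':
      ensure  => file,
      content => template('wazuh_cti/ossec.conf.erb'),
      owner   => 'root',
      group   => 'wazuh',
      mode    => '0660',
      require => Exec['install_wazuh_agent'],
    }

    # Enrol with the manager. No `|| true`: a failed enrolment must surface in
    # the Puppet run instead of leaving an agent that never connects (the posix
    # provider would not have understood `||` anyway). `test -s` requires
    # client.keys to be present AND non-empty before enrolment is skipped.
    # NOTE(review): this enrols without an authd password (-P); confirm the
    # manager's enrollment settings are meant to allow that.
    exec { 'agent_auth':
      command   => "/var/ossec/bin/agent-auth -m ${manager_ip}",
      unless    => 'test -s /var/ossec/etc/client.keys',
      path      => ['/usr/bin', '/bin'],
      logoutput => true,
      require   => File['/var/ossec/etc/ossec.conf'],
    }

    # Enable + start via the service type: idempotent (no "changed" on every
    # run, unlike an exec of `systemctl start`) and restarts the agent whenever
    # ossec.conf is rewritten.
    service { 'wazuh-agent':
      ensure    => running,
      enable    => true,
      require   => Exec['agent_auth'],
      subscribe => File['/var/ossec/etc/ossec.conf'],
    }

    # YARA rules directory. Requires the install so that /var/ossec and the
    # `wazuh` group exist regardless of the global resource ordering setting.
    file { '/var/ossec/ruleset/yara':
      ensure  => directory,
      owner   => 'root',
      group   => 'wazuh',
      mode    => '0750',
      require => Exec['install_wazuh_agent'],
    }

    # Deploy the YARA rule. It is read by yara, never executed, so no exec bit.
    file { '/var/ossec/ruleset/yara/wannacry_rule.yar':
      ensure  => file,
      source  => 'puppet:///modules/wazuh_cti/rules/wannacry_rule.yar',
      owner   => 'root',
      group   => 'wazuh',
      mode    => '0640',
      require => File['/var/ossec/ruleset/yara'],
    }

    # Active-response script yara.sh; only root/wazuh need to run it.
    file { '/var/ossec/active-response/bin/yara.sh':
      ensure  => file,
      source  => 'puppet:///modules/wazuh_cti/yara.sh',
      owner   => 'root',
      group   => 'wazuh',
      mode    => '0750',
      require => Exec['install_wazuh_agent'],
    }

    # Working/quarantine directories used by yara.sh.
    # NOTE(review): these live under /tmp (subject to tmp cleaners, shared with
    # every local user) and are world-readable; verify which user yara.sh runs
    # as before tightening the mode or moving them under /var/ossec.
    file { '/tmp/yara':
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0755',
    }
    file { '/tmp/yara/malware':
      ensure  => directory,
      owner   => 'root',
      group   => 'root',
      mode    => '0755',
      require => File['/tmp/yara'],
    }

  } else {
    # The Linux branch is dpkg-specific; refuse other families explicitly.
    fail("wazuh_cti: unsupported OS family '${facts['os']['family']}' (expected windows or Debian)")
  }
}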