I am trying to make a server hardening script for my work; part of it is to install wazuh-agent on the servers that will be connected to a SIEM manager.

The script has 2 parts: one where it adds the repo entry, which works fine.

The second part installs the Wazuh agent (code below). When I run the commands in the shell they work fine, but with the script I get the following error.

import os
import subprocess

wazuhrepofile = "/etc/yum.repos.d/wazuh.repo"
wazuh = "wazuh-agent"
wazuhmanager = 'WAZUHMANAGER="10.0.0.2"'

def install_wazuh(wazuh, wazuhmanager, wazuhrepofile):
    # This is the call that fails: `wazuhmgr` is never defined, and even
    # `wazuhmanager` is an env-style assignment, not a program to execute.
    subprocess.run([wazuhmgr ,'yum', 'install', '-y', wazuh], check=True)
    print("Wazuh Agent Installed")
    subprocess.run(['systemctl', 'daemon-reload'], check=True)
    print("Daemon Reloaded")
    subprocess.run(['systemctl', 'enable', wazuh], check=True)
    print("Wazuh Agent Enabled")
    subprocess.run(['systemctl', 'start', wazuh], check=True)
    print("Wazuh-Agent Service Started!")
    # The sed expression is passed as a plain argument (no shell), so it must not
    # carry its own double quotes; sed would otherwise treat them as part of the script.
    subprocess.run(['sed', '-i', 's/^enabled=1/enabled=0/', wazuhrepofile], check=True)


install_wazuh(wazuh, wazuhmgr, wazuhrepofile)

and the following is the error [run error]

hj-
  • In your first subprocess call there is an extra wazuhmgr variable that seems useless. It should start directly with 'yum' ... – Malo Jan 01 '22 at 18:03
  • Looks like you're trying to run a command with an env variable `WAZUHMANAGER="10.0.0.2"`. I think that `subprocess.run` expects a command as the first argument. Check this thread to find out how to run a command with a modified environment: https://stackoverflow.com/questions/2231227/python-subprocess-popen-with-a-modified-environment – Maciej Czarnecki Jan 01 '22 at 18:07
  • Thanks man, I'll check that out. I figured out an easy fix for now: instead of running a shell command, I used a file.replace(old, new) to correct the file. – hj- Jan 01 '22 at 19:15

1 Answer

hj. Thanks for choosing Wazuh.

As was stated, subprocess.run accepts a series of parameters, but it seems that the first one needs to be an actual command instead of a variable assignment.

What you are doing is passing the Manager IP to have the Agent auto-enroll to the Manager. Another possible way would be to install the Agent and then use the agent-auth tool located in the /var/ossec/bin/ folder. This command also allows the Agent to pass an Agent Name to the Manager, so it will show on the alerts and in the UI, for easier identification.

The command is: /var/ossec/bin/agent-auth -m MANAGER-IP -A AGENT-NAME

For more information on agent registration, visit here, and for info on the agent-auth tool, here.

In case you have any further questions, don't hesitate to ask. Cheers
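Putting the answer and the comments together, here is an added example (not the asker's code and not Wazuh's own tooling) of the corrected install routine: the manager address is validated and passed through `env=` rather than placed in argv, every call uses an argument list with no shell, the agent-auth enrolment step from the answer is included, and the sed call is replaced by the pure-Python edit the asker mentioned. The agent name "web-01" and the manager 10.0.0.2 are placeholders.

```python
import ipaddress
import os
import re
import subprocess
import sys

WAZUH_REPO = "/etc/yum.repos.d/wazuh.repo"  # repo file from the question
WAZUH_PKG = "wazuh-agent"
AGENT_AUTH = "/var/ossec/bin/agent-auth"    # enrolment tool named in the answer

def manager_env(manager_ip):
    """WAZUHMANAGER goes into env=, not into argv; reject anything that is not an IP."""
    ipaddress.ip_address(manager_ip)  # ValueError for a non-IP string
    env = dict(os.environ)
    env["WAZUHMANAGER"] = manager_ip
    return env

def run(argv, env=None):
    # argv is a list and shell=True is never used, so nothing re-parses the arguments.
    return subprocess.run(argv, env=env, check=True, capture_output=True, text=True)

def install_steps(manager_ip, agent_name):
    """The question's commands without the env assignment, plus agent-auth
    from the answer (agent_name is an assumed caller-supplied label)."""
    return [
        ["yum", "install", "-y", WAZUH_PKG],
        ["systemctl", "daemon-reload"],
        ["systemctl", "enable", WAZUH_PKG],
        ["systemctl", "start", WAZUH_PKG],
        [AGENT_AUTH, "-m", manager_ip, "-A", agent_name],
    ]

def disable_repo_text(text):
    """Python equivalent of sed 's/^enabled=1/enabled=0/' on the repo file."""
    return re.sub(r"^enabled=1", "enabled=0", text, flags=re.MULTILINE)

def child_sees_manager(env):
    """Show the variable reaches a child process; uses python itself so it runs without root."""
    code = "import os; print(os.environ.get('WAZUHMANAGER', ''), end='')"
    return run([sys.executable, "-c", code], env=env).stdout

if __name__ == "__main__":  # needs root; 10.0.0.2 and "web-01" are placeholders
    env = manager_env("10.0.0.2")
    for argv in install_steps("10.0.0.2", "web-01"):
        run(argv, env=env)
    with open(WAZUH_REPO) as f:
        repo = f.read()
    with open(WAZUH_REPO, "w") as f:
        f.write(disable_repo_text(repo))
```

Because every command is an argument list, a malformed manager address can only fail validation; it can never be interpreted by a shell.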