Deny every incoming connection and install the wazuh agent?

Hey,

I have a TrueNAS Scale NAS, and I’m integrating it into my ZTN.
For that I would need multiple things.
The first one would be to set up a properly functioning wazuh agent on it, which seems to be nearly impossible according to my research.
The second and most important thing is to deny EVERY incoming connection. I don’t care if it comes from the Gateway or if it is SSH, HTTPS (443, 80), SMB or even a ping. Everything that comes in should get denied.

A ZT-Connector will be deployed in an LXC or Docker container, which then connects via a VPN tunnel to the ZT-Console.
A user would then connect via the ZT-Client to the Console and see the TrueNAS instance, and through a STUN system and NAT traversal they build up a P2P connection EVEN if all ports are blocked.

This system works.

So my questions are: how can I deny everything, and how can I properly install a wazuh agent?

There was a feature request to add the wazuh agent to truenas, but it was closed because it did not get enough interest. You should be able to install it as a docker container though.


You should be able to install it as a docker container though.

I’m talking about the wazuh agent, not the server component.

Wazuh is a SIEM and XDR. It collects security-relevant information about a system and reports it back to the server, and if something happens, the wazuh server can act on the system through the wazuh agent to counter attacks.

A Wazuh agent inside a docker container is like installing an AV inside a VM to protect your host OS.

I find it a complete fucking joke that you can’t install your own packages and software on TrueNAS …

Well, truenas is designed as an appliance OS. If you don’t like that approach, it’s probably not the right fit for your use case.
If you’re ok with going into unsupported territory, you can enable developer mode and remove the restriction. That way you can install packages on truenas.
But if you encounter problems, you’re on your own. And changes and additional packages will get removed during system updates.

Well, truenas is designed as an appliance OS. If you don’t like that approach

Appliance doesn’t mean restrictions.

it’s probably not the right fit for your use case.

The problem is that TrueNAS is the only NAS system that works properly.
OMV or even UnRaid are just a complete joke.

The only other thing I could do is spin up AlmaLinux and build my own NAS OS on that.

If you’re ok with going into unsupported territory, you can enable developer mode and remove the restriction. That way you can install packages on truenas.

And updates or TrueNAS itself just remove or break the package.

Do you know how I can modify the Firewall rules?

Truenas has no firewall. There’s nothing to modify.


Wait … no firewall. So this means it will just accept any incoming connection … even DNS.
(I just tested)

Well, this means that the truenas is open to a whole fucking chunk of different vulnerabilities and attacks.

Actually, in this instance, it does. Perhaps “Appliance doesn’t automatically mean restrictions” would be better wording.

TrueNAS software is more like firmware than an OS distro. Lots of people think / want a NAS that is an application on top of an OS distro. This is not TrueNAS (as it currently exists).

Yes. TrueNAS was not designed to be Internet facing. Enterprise Data Center users either have firewall boxes or firewall switches, or don’t need such on their internal networks.

I’ve worked in Data Centers that literally had every router be a firewall. Only same sub-net, (and segment of sub-net), could talk to any port on another server.


Actually, in this instance, it does. Perhaps “Appliance doesn’t automatically mean restrictions” would be better wording.

Okay, I go with you on that.

But then I would also go the route and say TrueNAS is software that you MUST use with hardware from truenas.
Otherwise it is a headache if you look into things that are more a combination of hardware and software, like Secure Boot.

I’ve worked in Data Centers that literally had every router be a firewall. Only same sub-net, (and segment of sub-net), could talk to any port on another server.

This might be true if you are looking back in time, but nowadays we try to accomplish a Zero Trust Infrastructure, which at its core means that every connection must be authenticated.

Perhaps have a read of the following:


Thanks, however I currently do not use TrueNAS as a NAS system, but rather plan to use it.

Right now there is no production data on the TrueNAS system and I can just switch to any other OS without needing to migrate the data.

A large part of the monitoring done by the Wazuh Agent is through system logs, so you can still get decent coverage by forwarding syslog from TrueNAS to your Wazuh server. Especially if you have time to set up some custom decoders / rules (which is true for the full agent as well).

Edit: There’s of course some additional risk in customizing your configuration / it may not meet compliance requirements / etc.

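For the syslog-forwarding approach suggested above, the Wazuh manager needs a remote syslog listener enabled in its ossec.conf. The block below is an added example, not taken from the thread or from the TrueNAS/Wazuh projects; the subnet and manager address are constructed placeholders, and TrueNAS itself would be pointed at the manager's IP and port via its own remote syslog setting.

```xml
<!-- Added example: manager-side /var/ossec/etc/ossec.conf fragment -->
<ossec_config>
  <!-- Normal agent enrollment/traffic stays on the default secure listener -->
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>

  <!-- Dedicated syslog listener for agentless hosts such as TrueNAS -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <!-- TCP avoids silently dropped events under load; use udp only if
         the sender cannot speak TCP -->
    <protocol>tcp</protocol>
    <!-- Restrict accepted senders to the NAS subnet (constructed value);
         without this the listener refuses everything -->
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>
</ossec_config>
```

Events from hosts in allowed-ips are then decoded and matched against the manager's rules without any agent on the sender, which covers log-based detection but, as noted in the thread, not file integrity monitoring or active response.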

A large part of the monitoring done by the Wazuh Agent is through system logs, so you can still get decent coverage by forwarding syslog from TrueNAS to your Wazuh server. Especially if you have time to set up some custom decoders / rules (which is true for the full agent as well).

While this is true, some of the checks are not covered by syslog AFAIK, nor is active response, which is also not that easy.
For example, the FIM checks wouldn’t work.

This might be a solution for logs and analytics of some basic SIEM functions, however it doesn’t cover the full scope.

Don’t get me wrong, it is better than nothing and I will try your solution if it isn’t possible at all to install a wazuh agent.