diff --git a/playbooks/wazuh-agent.yml b/playbooks/wazuh-agent.yml index 8c7eaa69..806b07c0 100644 --- a/playbooks/wazuh-agent.yml +++ b/playbooks/wazuh-agent.yml @@ -1,7 +1,7 @@ --- - hosts: roles: - - /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-agent + - ../roles/wazuh/ansible-wazuh-agent vars: wazuh_managers: - address: @@ -11,6 +11,7 @@ api_proto: 'http' api_user: ansible wazuh_agent_authd: + registration_address: enable: true port: 1515 ssl_agent_ca: null diff --git a/playbooks/wazuh-elastic.yml b/playbooks/wazuh-elastic.yml index eda19931..6c372889 100644 --- a/playbooks/wazuh-elastic.yml +++ b/playbooks/wazuh-elastic.yml @@ -1,5 +1,5 @@ --- - hosts: roles: - - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch + - role: ../roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: '' diff --git a/playbooks/wazuh-elastic_stack-distributed.yml b/playbooks/wazuh-elastic_stack-distributed.yml index 16abfcf5..c0c14054 100644 --- a/playbooks/wazuh-elastic_stack-distributed.yml +++ b/playbooks/wazuh-elastic_stack-distributed.yml @@ -2,7 +2,7 @@ - hosts: roles: - - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch + - role: ../roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: elasticsearch_node_name: node-1 elasticsearch_bootstrap_node: true @@ -33,7 +33,7 @@ - hosts: roles: - - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch + - role: ../roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: elasticsearch_node_name: node-2 single_node: false @@ -46,7 +46,7 @@ - hosts: roles: - - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch + - role: ../roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: elasticsearch_node_name: node-3 single_node: false 
@@ -60,21 +60,21 @@ # - hosts: 172.16.0.162 # roles: -# - role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager +# - role: ../roles/wazuh/ansible-wazuh-manager -# - role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat +# - role: ../roles/wazuh/ansible-filebeat # filebeat_output_elasticsearch_hosts: 172.16.0.161:9200 # filebeat_xpack_security: true # filebeat_node_name: node-2 # node_certs_generator: false # elasticsearch_xpack_security_password: elastic_pass -# - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch +# - role: ../roles/elastic-stack/ansible-elasticsearch # elasticsearch_network_host: 172.16.0.162 # node_name: node-2 # elasticsearch_bootstrap_node: false # elasticsearch_master_candidate: true -# elasticsearch_discovery_nodes: +# elasticsearch_discovery_nodes: # - 172.16.0.161 # - 172.16.0.162 # elasticsearch_xpack_security: true @@ -83,7 +83,7 @@ # - hosts: 172.16.0.163 # roles: -# - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana +# - role: ../roles/elastic-stack/ansible-kibana # kibana_xpack_security: true # kibana_node_name: node-3 # elasticsearch_network_host: 172.16.0.161 diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index e9261956..47438f98 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -35,7 +35,7 @@ copy: src: "{{ master_certs_path }}/ca/{{ ca_key_name }}" dest: "{{ node_certs_source }}/{{ ca_key_name }}" - mode: '0664' + mode: 0440 when: - not generate_CA - node_certs_generator @@ -45,7 +45,7 @@ copy: src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}" dest: "{{ node_certs_source }}/{{ ca_cert_name }}" - mode: '0664' + mode: 0440 when: - not generate_CA - node_certs_generator 
@@ -100,7 +100,7 @@ file: path: "{{ master_certs_path }}" state: directory - mode: '0700' + mode: 0700 delegate_to: "127.0.0.1" when: - node_certs_generator @@ -109,7 +109,7 @@ file: path: "{{ master_certs_path }}/ca/" state: directory - mode: '0700' + mode: 0700 delegate_to: "127.0.0.1" when: - node_certs_generator @@ -149,6 +149,7 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + mode: 0440 with_items: - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" @@ -163,6 +164,7 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + mode: 0440 with_items: - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" @@ -176,7 +178,7 @@ - name: Ensuring folder permissions file: path: "{{ node_certs_destination }}/" - mode: '0774' + mode: 0774 state: directory recurse: yes when: diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 index 06af6322..0b153fd4 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 @@ -531,6 +531,9 @@ "sha1_before": { "type": "keyword" }, + "hard_links": { + "type": "keyword" + }, "sha1_after": { "type": "keyword" }, diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index cd25eec2..2ac2cde5 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml 
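Review bot: The `mode: 0440` that the hunks at -149 and -163 set on the copied node key and certificate is undone by the `Ensuring folder permissions` task: `file` with `recurse: yes` applies `mode: 0774` to every file under `{{ node_certs_destination }}/`, so the private key ends up group-writable and world-readable again whenever this task runs after the copies (its `when:` list continues past the hunk). The same pattern is in kibana tasks/main.yml (`mode: 0770`, `recurse: yes`) and filebeat tasks/main.yml (`mode: 0774`, `recurse: yes`). Either drop `recurse` and set only the directory mode, leaving the file modes the copy tasks chose, or use a symbolic mode such as `mode: 'u=rwX,g=rX,o='` so directories get search permission while files keep read-only bits.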
@@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" elastic_stack_version: 7.6.1 -wazuh_version: 3.11.4 +wazuh_version: 3.12.0 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp elasticrepo: @@ -43,8 +43,11 @@ nodejs: repo_dict: debian: "deb" redhat: "rpm" - repo_url_ext: "nodesource.com/setup_8.x" + repo_url_ext: "nodesource.com/setup_10.x" # Build from sources build_from_sources: false -wazuh_plugin_branch: 3.11-7.6 +wazuh_plugin_branch: 3.12-7.6 + +#Nodejs NODE_OPTIONS +node_options: --max-old-space-size=4096 diff --git a/roles/elastic-stack/ansible-kibana/tasks/build_wazuh_plugin.yml b/roles/elastic-stack/ansible-kibana/tasks/build_wazuh_plugin.yml index 37cfd7dc..b7ceb87f 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/build_wazuh_plugin.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/build_wazuh_plugin.yml @@ -14,7 +14,7 @@ get_url: url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}" dest: "/tmp/setup_nodejs_repo.sh" - mode: "0700" + mode: 0700 - name: Execute downloaded script to install Nodejs repo command: /tmp/setup_nodejs_repo.sh @@ -63,9 +63,7 @@ chdir: "/tmp/app/build" - name: Install Wazuh Plugin (can take a while) - shell: "/usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }}" - environment: - NODE_OPTIONS: "--max-old-space-size=3072" + shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }} args: executable: /bin/bash creates: /usr/share/kibana/plugins/wazuh/package.json diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index c0d663cc..2e39391f 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
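Review bot: Moving `NODE_OPTIONS` from the task's `environment:` keyword into the shell string means `node_options` is now expanded by bash, so a value set from inventory that contains quotes, `$` or `;` alters the command rather than the environment, which the old form never allowed. The `environment:` keyword the removed lines used already does what is wanted without a shell round-trip; keep `environment:` / `  NODE_OPTIONS: "{{ node_options }}"` on the task and leave the command string as it was. The same inline form is used twice in kibana tasks/main.yml (the plugin install at -117 and the new `--optimize` task at -135). In defaults/main.yml the new comment should read `# Nodejs NODE_OPTIONS` (space after `#`) and the value is safer quoted, `node_options: '--max-old-space-size=4096'`, since it starts with a dash.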
@@ -28,6 +28,7 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + mode: 0440 with_items: - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt" @@ -41,7 +42,7 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" - mode: '0664' + mode: 0440 with_items: - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt" @@ -65,7 +66,7 @@ - name: Ensuring certificates folder owner file: path: "{{ node_certs_destination }}/" - mode: '0770' + mode: 0770 recurse: yes when: - kibana_xpack_security @@ -78,7 +79,7 @@ dest: /etc/kibana/kibana.yml owner: root group: root - mode: '0664' + mode: 0644 notify: restart kibana tags: configure @@ -117,11 +118,10 @@ - build_from_sources is defined - build_from_sources - - name: Install Wazuh Plugin (can take a while) - shell: "/usr/share/kibana/bin/kibana-plugin install {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip" - environment: - NODE_OPTIONS: "--max-old-space-size=3072" + shell: >- + NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install + {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip args: executable: /bin/bash creates: /usr/share/kibana/plugins/wazuh/package.json @@ -135,6 +135,16 @@ when: - not build_from_sources +- name: Kibana optimization (can take a while) + shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana --optimize + args: + executable: /bin/bash + become: yes + become_user: kibana + changed_when: false + tags: + - skip_ansible_lint + - name: Wait for Elasticsearch port wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} 
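Review bot: `/etc/kibana/kibana.yml` is rendered `owner: root`, `group: root`, `mode: 0644`, which leaves it world-readable; when `kibana_xpack_security` is on the template presumably carries the Elasticsearch credentials Kibana uses (confirm against the template), so any local account can read them. Kibana runs as `kibana` (the `become_user` of the new `--optimize` task), so `group: kibana` with `mode: 0640` keeps the file readable by the service and nobody else. The switch from `'0664'` to `0644` only drops the group write bit and does not address the world read bit.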
@@ -151,10 +161,15 @@ validate_certs: no status_code: 200, 404 +- name: Create wazuh plugin config directory + file: + path: /usr/share/kibana/optimize/wazuh/config/ + state: directory + - name: Configure Wazuh Kibana Plugin template: src: wazuh.yml.j2 - dest: /usr/share/kibana/plugins/wazuh/wazuh.yml + dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml owner: kibana group: root mode: 0644 diff --git a/roles/wazuh/ansible-filebeat/tasks/config.yml b/roles/wazuh/ansible-filebeat/tasks/config.yml index ce63503d..d45b06e8 100644 --- a/roles/wazuh/ansible-filebeat/tasks/config.yml +++ b/roles/wazuh/ansible-filebeat/tasks/config.yml @@ -5,7 +5,7 @@ dest: "/etc/filebeat/filebeat.yml" owner: root group: root - mode: 0644 + mode: 0400 notify: restart filebeat tags: configure @@ -15,7 +15,7 @@ dest: "/etc/filebeat/wazuh-template.json" owner: root group: root - mode: 0644 + mode: 0400 notify: restart filebeat tags: configure @@ -30,7 +30,7 @@ copy: src: "{{ item }}" dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}" - mode: 0644 + mode: 0400 with_items: - "{{ filebeat_ssl_key_file }}" - "{{ filebeat_ssl_certificate_file }}" diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 07bc94ea..4948c252 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -30,6 +30,7 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + mode: 0440 with_items: - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" @@ -43,6 +44,7 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + mode: 0440 with_items: - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" 
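Review bot: The new `Create wazuh plugin config directory` task sets no `owner`, `group` or `mode`, so `/usr/share/kibana/optimize/wazuh/config/` takes the connecting user's identity and umask while the `wazuh.yml` placed inside it is `owner: kibana`, `group: root`; make the directory attributes explicit and consistent with the file, e.g. `owner: kibana`, `group: root`, `mode: 0750`. The rendered `wazuh.yml` is `mode: 0644`; if `wazuh.yml.j2` holds the Wazuh API user and password (likely for this plugin, confirm), `0640` is the safer value since only the `kibana` user needs to read it.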
@@ -55,7 +57,7 @@ - name: Ensuring folder & certs permissions file: path: "{{ node_certs_destination }}/" - mode: '0774' + mode: 0774 state: directory recurse: yes when: diff --git a/roles/wazuh/ansible-wazuh-agent/README.md b/roles/wazuh/ansible-wazuh-agent/README.md index 9709d9b3..e43ddb87 100644 --- a/roles/wazuh/ansible-wazuh-agent/README.md +++ b/roles/wazuh/ansible-wazuh-agent/README.md @@ -37,11 +37,12 @@ The following is an example of how this role can be used: api_proto: 'http' api_user: 'ansible' wazuh_agent_authd: + registration_address: 127.0.0.1 enable: true port: 1515 ssl_agent_ca: null ssl_auto_negotiate: 'no' - + License and copyright --------------------- diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index c7014e2a..953da95e 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.11.4-1 +wazuh_agent_version: 3.12.0-1 # Custom packages installation @@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: "https://s3-us-west-1.amazonaw wazuh_agent_sources_installation: enabled: false - branch: "v3.11.4" + branch: "v3.12.0" user_language: "y" user_no_stop: "y" user_install_type: "agent" @@ -43,9 +43,11 @@ wazuh_profile_centos: 'centos, centos7, centos7.6' wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04' wazuh_auto_restart: 'yes' wazuh_agent_authd: + registration_address: 127.0.0.1 enable: false port: 1515 agent_name: null + groups: [] ssl_agent_ca: null ssl_agent_cert: null ssl_agent_key: null 
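Review bot: The new default `registration_address: 127.0.0.1` changes behaviour for every existing inventory: the Linux and Windows registration tasks now run whenever the value `is not none` and pass it as `-m`, so agents that used to register against `wazuh_managers.0.address` will instead try their own loopback on port 1515 until the operator learns about the new key. A default of `registration_address: null` (which is what the bare `registration_address:` in playbooks/wazuh-agent.yml yields) or a fallback at the point of use such as `{{ wazuh_agent_authd.registration_address | default(wazuh_managers.0.address, true) }}` would preserve the old behaviour. The README example should then show a real manager address rather than `127.0.0.1`, and `groups: []` deserves a comment stating these are authd group names passed with `-G`.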
@@ -60,9 +62,10 @@ wazuh_winagent_config: auth_path: C:\Program Files\ossec-agent\agent-auth.exe # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe - md5: 87ce22038688efb44d95f9daff472056 -wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.11.4-1.msi -wazuh_winagent_package_name: wazuh-agent-3.11.4-1.msi + check_md5: True + md5: 91efaefae4e1977670eab0c768a22a93 +wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.0-1.msi +wazuh_winagent_package_name: wazuh-agent-3.12.0-1.msi wazuh_agent_config: repo: apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main' @@ -84,8 +87,17 @@ wazuh_agent_config: scan_on_start: 'yes' auto_ignore: 'no' alert_new_files: 'yes' - win_audit_interval: 300 + win_audit_interval: 60 skip_nfs: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 ignore: - /etc/mtab - /etc/hosts.deny @@ -99,11 +111,7 @@ wazuh_agent_config: - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - /sys/kernel/security - - /sys/kernel/debug - - /dev/core ignore_linux_type: - - '^/proc' - '.log$|.swp$' ignore_win: - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' 
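Review bot: `check_md5: True` should be written `true`: YAML 1.1 loaders still produce a boolean from the capitalised form, but it differs from the rest of the file and yamllint's `truthy` rule flags it. More substantively, the toggle now lets the Windows install skip the only verification of the downloaded MSI, and an MD5 compare catches corruption but is not an authenticity control, so the HTTPS download from `wazuh_winagent_config_url` becomes the only guarantee; a SHA-256 field compared with `checksum_algorithm: sha256` on the `win_stat` task would be the stronger check. That `win_stat` task is outside the hunk, so also confirm it computes MD5 rather than its default SHA-1, or the `failed_when` comparison never passes.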
@@ -111,106 +119,39 @@ wazuh_agent_config: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin - checks: 'check_all="yes"' + checks: '' - dirs: /bin,/sbin,/boot - checks: 'check_all="yes"' + checks: '' win_directories: - - dirs: '%WINDIR%\regedit.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\system.ini' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\win.ini' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\at.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\attrib.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\cacls.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\cmd.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\drivers\etc' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\eventcreate.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\ftp.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\lsass.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\net.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\net1.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\netsh.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\reg.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\regedt32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\regsvr32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\runas.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\sc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\schtasks.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\sethc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\subst.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\wbem\WMIC.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\winrm.vbs' - checks: 'check_all="yes"' - - dirs: 
'%WINDIR%\System32\at.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\attrib.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\cacls.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\cmd.exe' - checks: 'check_all="yes"' + - dirs: '%WINDIR%' + checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"' + - dirs: '%WINDIR%\SysNative' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$| + net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$" + - dirs: '%WINDIR%\SysNative\drivers\etc%' + checks: 'recursion_level="0"' + - dirs: '%WINDIR%\SysNative\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\SysNative' + checks: 'recursion_level="0" restrict="winrm.vbs$"' + - dirs: '%WINDIR%\System32' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$| + netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$" - dirs: '%WINDIR%\System32\drivers\etc' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\eventcreate.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\ftp.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\net.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\net1.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\netsh.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\reg.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regedit.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regedt32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regsvr32.exe' - checks: 'check_all="yes"' - - dirs: 
'%WINDIR%\System32\runas.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\sc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\schtasks.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\sethc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\subst.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\wbem\WMIC.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\winrm.vbs' - checks: 'check_all="yes"' + checks: 'recursion_level="0"' + - dirs: '%WINDIR%\System32\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\System32' + checks: 'recursion_level="0" restrict="winrm.vbs$"' - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup' - checks: 'check_all="yes" realtime="yes"' + checks: 'realtime="yes"' + windows_registry: - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile' diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index c1c701fc..9528aa33 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml @@ -68,7 +68,7 @@ {% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %} -A {{ wazuh_agent_authd.agent_name }} {% endif %} - -m {{ wazuh_managers.0.address }} + -m {{ wazuh_agent_authd.registration_address }} -p {{ wazuh_agent_authd.port }} {% if wazuh_agent_nat %} -I "any" {% endif %} {% if authd_pass is defined %} -P {{ authd_pass }} {% endif %} 
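Review bot: The `>-` folded scalars for the `%WINDIR%\SysNative` and `%WINDIR%\System32` `checks` values break the `restrict` regex: folding replaces each line break with a space, so the alternation reads `lsass.exe$| net.exe$` in the SysNative entry and `net1.exe$| netsh.exe$` in the System32 entry, and the name after the break can never match a real file name. Keep each `restrict` on one single-quoted line, or use a double-quoted scalar with a trailing `\` to escape the line break, rather than `>-`. Two smaller issues in the same hunk: `'%WINDIR%\SysNative\drivers\etc%'` carries a stray trailing `%` (compare the `System32\drivers\etc` entry below it), and the SysNative alternation anchors only some names with `$` (`regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe`) while the System32 one anchors all of them.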
@@ -82,19 +82,22 @@ -k "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}" {% endif %} {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %} + {% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %} + -G "{{ wazuh_agent_authd.groups | join(',') }}" + {% endif %} register: agent_auth_output notify: restart wazuh-agent vars: agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}" when: - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none - name: Linux | Verify agent registration shell: echo {{ agent_auth_output }} | grep "Valid key created" when: - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none when: wazuh_agent_authd.enable tags: @@ -109,7 +112,7 @@ - name: Linux | Create the agent key via rest-API uri: - url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/" + url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/" validate_certs: false method: POST body: '{"name":"{{ agent_name }}"}' 
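Review bot: The REST-API URL in `Create the agent key via rest-API` now takes its host from `wazuh_agent_authd.registration_address` while the protocol and port still come from `wazuh_managers.0`, so the request is pointed at the authd host rather than the manager entry the rest of the URL was built from; with the role's new default of `127.0.0.1` and the `delegate_to: localhost` on the follow-up API task, it would go to the control node's own loopback. Keep `{{ wazuh_managers.0.address }}` here and in the `when:` guards of the API tasks, reserving `registration_address` for the `agent-auth -m` path in the hunk at -68. In the hunk at -82, `shell: echo {{ agent_auth_output }} | grep "Valid key created"` still pushes the whole registered result, whose `cmd` carries `-P {{ authd_pass }}` when a password is set, through the shell and into the task log; `failed_when: "'Valid key created' not in agent_auth_output.stdout"` on the registration task avoids both the extra process and the exposure.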
@@ -126,13 +129,15 @@ agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ inventory_hostname }}{% endif %}" when: - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none become: false ignore_errors: true - name: Linux | Retieve new agent data via rest-API uri: - url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}" + url: >- + "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address + }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}" validate_certs: false method: GET return_content: true @@ -140,7 +145,7 @@ password: "{{ api_pass }}" when: - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none - newagent_api.json.error == 0 register: newagentdata_api delegate_to: localhost @@ -158,7 +163,7 @@ register: manage_agents_output when: - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none - newagent_api.changed notify: restart wazuh-agent diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml index dc9b8fe0..38b4e8ac 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml @@ -38,6 +38,9 @@ register: wazuh_agent_status failed_when: - wazuh_agent_status.stat.checksum != wazuh_winagent_config.md5 + when: + - wazuh_winagent_config.check_md5 + - name: Windows | Install Agent if not already installed win_package: 
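Review bot: The folded `url: >-` in `Retieve new agent data via rest-API` keeps the double quotes as literal characters, because quotes inside a block scalar are content, so the module receives a URL beginning with `"` and the request cannot succeed. Drop the quotes and keep the fold: `url: >-` / `  {{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address` / `  }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}`. The task name's typo (`Retieve`) is in the context lines and could be fixed in the same change.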
@@ -59,7 +62,7 @@ - name: Windows | Register agent win_shell: > {{ wazuh_agent_win_auth_path }} - -m {{ wazuh_managers.0.address }} + -m {{ wazuh_agent_authd.registration_address }} -p {{ wazuh_agent_authd.port }} {% if wazuh_agent_authd.agent_name is defined %}-A {{ wazuh_agent_authd.agent_name }} {% endif %} {% if authd_pass is defined %} -P {{ authd_pass }}{% endif %} @@ -68,7 +71,7 @@ when: - wazuh_agent_authd.enable - not check_windows_key.stat.exists or check_windows_key.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none tags: - config diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml b/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml index 69934631..73b3e6ce 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml @@ -76,7 +76,7 @@ dest: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/etc/preloaded-vars.conf" owner: root group: root - mode: '644' + mode: 0644 changed_when: false - name: Executing "install.sh" script to build and install the Wazuh Agent diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index 128ba142..ee71769e 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -61,7 +61,6 @@ yes {% endif %} {% if ansible_os_family == "Windows" %} - ./shared/win_audit_rcl.txt ./shared/win_applications_rcl.txt ./shared/win_malware_rcl.txt {% endif %} 
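Review bot: The Windows registration still passes `-A {{ wazuh_agent_authd.agent_name }}` whenever the key `is defined`, but the role default is `agent_name: null`, so the guard never skips and the rendered value is whatever Ansible prints for a null (presumably `None`, to be confirmed); Linux.yml at -68 guards the same flag with `is defined and wazuh_agent_authd.agent_name != None`. Apply the same condition here: `{% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %}-A {{ wazuh_agent_authd.agent_name }} {% endif %}`. The `win_shell: >` block starts inside the hunk but the task's remaining options continue past it.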
@@ -186,13 +185,13 @@ {% if wazuh_agent_config.sca.skip_nfs | length > 0 %} yes {% endif %} - {% if wazuh_agent_config.sca.day | length > 0 %} + {% if wazuh_agent_config.sca.day | length > 0 %} yes {% endif %} - {% if wazuh_agent_config.sca.wday | length > 0 %} + {% if wazuh_agent_config.sca.wday | length > 0 %} yes {% endif %} - {% if wazuh_agent_config.sca.time | length > 0 %} + {% if wazuh_agent_config.sca.time | length > 0 %} {% endif %} @@ -203,7 +202,6 @@ no - {{ wazuh_agent_config.syscheck.frequency }} {% if ansible_system == "Linux" %} {{ wazuh_agent_config.syscheck.scan_on_start }} @@ -247,8 +245,11 @@ {% for no_diff in wazuh_agent_config.syscheck.no_diff %} {{ no_diff }} {% endfor %} - + {{ wazuh_agent_config.syscheck.skip_nfs }} + {{ wazuh_agent_config.syscheck.skip_dev }} + {{ wazuh_agent_config.syscheck.skip_proc }} + {{ wazuh_agent_config.syscheck.skip_sys }} {% endif %} {% if ansible_os_family == "Windows" %} @@ -275,6 +276,20 @@ {{ wazuh_agent_config.syscheck.win_audit_interval }} {% endif %} + + + {{ wazuh_agent_config.syscheck.process_priority }} + + + {{ wazuh_agent_config.syscheck.max_eps }} + + + + {{ wazuh_agent_config.syscheck.sync_enabled }} + {{ wazuh_agent_config.syscheck.sync_interval }} + {{ wazuh_agent_config.syscheck.sync_max_interval }} + {{ wazuh_agent_config.syscheck.sync_max_eps }} + {% endif %} @@ -293,7 +308,7 @@ {% if ansible_system == "Linux" %} {% for localfile in wazuh_agent_config.localfiles.linux %} - + {{ localfile.format }} {% if localfile.format == 'command' or localfile.format == 'full_command' %} diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 0da6165c..db4f8841 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_manager_version: 3.11.4-1 +wazuh_manager_version: 3.12.0-1 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: present 
@@ -15,7 +15,7 @@ wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws. # Sources installation wazuh_manager_sources_installation: enabled: false - branch: "v3.11.4" + branch: "v3.12.0" user_language: "en" user_no_stop: "y" user_install_type: "server" @@ -40,7 +40,7 @@ wazuh_manager_sources_installation: wazuh_api_sources_installation: enabled: false - branch: "v3.11.4" + branch: "v3.12.0" update: "y" remove: "y" directory: null @@ -105,7 +105,7 @@ wazuh_manager_config: authd: enable: true port: 1515 - use_source_ip: 'yes' + use_source_ip: 'no' force_insert: 'yes' force_time: 0 purge: 'yes' @@ -166,24 +166,29 @@ wazuh_manager_config: - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - /sys/kernel/security - - /sys/kernel/debug - - /dev/core ignore_linux_type: - - '^/proc' - '.log$|.swp$' no_diff: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin - checks: 'check_all="yes"' + checks: '' - dirs: /bin,/sbin,/boot - checks: 'check_all="yes"' + checks: '' auto_ignore_frequency: frequency: 'frequency="10"' timeframe: 'timeframe="3600"' value: 'no' skip_nfs: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 rootcheck: frequency: 43200 openscap: @@ -409,3 +414,5 @@ nodejs: debian: "deb" redhat: "rpm" repo_url_ext: "nodesource.com/setup_10.x" + +agent_groups: [] # groups to create diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml index c83aaff1..e019d2f9 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml 
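Review bot: Flipping the authd default `use_source_ip` from `'yes'` to `'no'` changes the trust model of every new registration: with `'no'` the manager records the agent's address as `any`, so the key is no longer bound to the address it registered from and any host holding that key can connect, whereas the old default only broke registration for agents behind NAT, a case the agent-side `-I "any"` (`wazuh_agent_nat` in Linux.yml at -68) already covers. If the new default stays, record the trade-off next to the key, e.g. `use_source_ip: 'no'  # 'no' registers agents with IP "any" (needed behind NAT); 'yes' binds each key to the registering source IP`, and mention it in the role README, since a defaults bump loosening this will surprise operators who hardened the manager.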
@@ -60,7 +60,7 @@ path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}" state: directory - # When downloading "v3.11.0" extracted folder name is 3.11.0. + # When downloading "v3.11.0" extracted folder name is 3.11.0. # Explicitly creating the folder with proper naming and striping first level in .tar.gz file @@ -91,7 +91,7 @@ dest: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/etc/preloaded-vars.conf" owner: root group: root - mode: '644' + mode: 0644 - name: Executing "install.sh" script to build and install the Wazuh Manager shell: ./install.sh > /tmp/build_wazuh_manager_log.txt @@ -167,7 +167,7 @@ dest: "/tmp/wazuh-api/configuration/preloaded_vars.conf" owner: root group: root - mode: '644' + mode: 0644 - name: Execute Wazuh API installation script shell: ./install_api.sh > /tmp/build_wazuh_api_log.txt diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index 8ef1c2cb..eaabdb77 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml @@ -18,7 +18,7 @@ get_url: url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}" dest: /etc/nodejs.sh - mode: '0775' + mode: 0775 changed_when: false - name: Run NodeJS bash script @@ -351,6 +351,14 @@ tags: - config +- name: Create agent groups + command: "/var/ossec/bin/agent_groups -a -g {{ item }} -q" + with_items: + - "{{ agent_groups }}" + when: + - ( agent_groups is defined) and ( agent_groups|length > 0) + tags: molecule-idempotence-notest + - include_tasks: "RMRedHat.yml" when: - ansible_os_family == "RedHat" or ansible_os_family == "Amazon" diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 43853bec..998900b2 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 
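Review bot: The new `Create agent groups` task is never idempotent: `command` reports changed on every run and the `molecule-idempotence-notest` tag only hides that in CI. If a group lives under `/var/ossec/etc/shared/<group>/` on this release (confirm), `args:` / `  creates: "/var/ossec/etc/shared/{{ item }}"` lets re-runs skip existing groups; otherwise a `changed_when` on the command's output. The group name is interpolated bare, so a value containing whitespace becomes several arguments; `{{ item | quote }}` keeps each name as one argument. The `when:` expression `( agent_groups is defined) and ( agent_groups|length > 0)` can simply be `agent_groups | length > 0` now that defaults/main.yml defines `agent_groups: []`.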
+++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -245,13 +245,13 @@ {% if wazuh_manager_config.sca.skip_nfs | length > 0 %} yes {% endif %} - {% if wazuh_manager_config.sca.day | length > 0 %} + {% if wazuh_manager_config.sca.day | length > 0 %} yes {% endif %} - {% if wazuh_manager_config.sca.wday | length > 0 %} + {% if wazuh_manager_config.sca.wday | length > 0 %} yes {% endif %} - {% if wazuh_manager_config.sca.time | length > 0 %} + {% if wazuh_manager_config.sca.time | length > 0 %} {% endif %} @@ -295,7 +295,6 @@ {{ wazuh_manager_config.syscheck.disable }} {{ wazuh_manager_config.syscheck.alert_new_files }} - {{ wazuh_manager_config.syscheck.frequency }} {{ wazuh_manager_config.syscheck.scan_on_start }} @@ -333,6 +332,29 @@ {% if wazuh_manager_config.syscheck.skip_nfs is defined %} {{ wazuh_manager_config.syscheck.skip_nfs }} {% endif %} + {% if wazuh_manager_config.syscheck.skip_dev is defined %} + {{ wazuh_manager_config.syscheck.skip_dev }} + {% endif %} + {% if wazuh_manager_config.syscheck.skip_proc is defined %} + {{ wazuh_manager_config.syscheck.skip_proc }} + {% endif %} + {% if wazuh_manager_config.syscheck.skip_sys is defined %} + {{ wazuh_manager_config.syscheck.skip_sys }} + {% endif %} + + + {{ wazuh_manager_config.syscheck.process_priority }} + + + {{ wazuh_manager_config.syscheck.max_eps }} + + + + {{ wazuh_manager_config.syscheck.sync_enabled }} + {{ wazuh_manager_config.syscheck.sync_interval }} + {{ wazuh_manager_config.syscheck.sync_max_interval }} + {{ wazuh_manager_config.syscheck.sync_max_eps }} + @@ -471,7 +493,7 @@ {% endfor %} {% endif -%} -{% if ansible_os_family == "RedHat" %} +{% if ansible_os_family == "RedHat" %} {% for localfile in wazuh_manager_config.localfiles.centos %} 
@@ -579,7 +601,7 @@ {% endif %} {% if wazuh_manager_config.authd.ciphers is not none %} {{wazuh_manager_config.authd.ciphers}} - {% endif %} + {% endif %} {% if wazuh_manager_config.authd.ssl_agent_ca is not none %} /var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}} {% endif %} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 index 00fdcd01..f300f22a 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 @@ -8,7 +8,6 @@ {{ agent_config.syscheck.auto_ignore }} {% endif %} {{ agent_config.syscheck.alert_new_files }} - {{ agent_config.syscheck.frequency }} {{ agent_config.syscheck.scan_on_start }}