From 2651bc53868dd533e1759bba0961372876271f68 Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 9 Mar 2020 14:57:12 +0100 Subject: [PATCH 01/15] Revert "Merge pull request #381 from wazuh/remove_windows_md5_check" This reverts commit 4cc3e077a01750a8386fd486dc7a72dd790a01c2, reversing changes made to 52a81af988a00abd60483f1ccacab34ddd2c9b76. --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 1 + roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index fbb278eb..c7014e2a 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -60,6 +60,7 @@ wazuh_winagent_config: auth_path: C:\Program Files\ossec-agent\agent-auth.exe # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe + md5: 87ce22038688efb44d95f9daff472056 wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.11.4-1.msi wazuh_winagent_package_name: wazuh-agent-3.11.4-1.msi wazuh_agent_config: diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml index 0b844d0a..dc9b8fe0 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml @@ -30,6 +30,15 @@ when: - not wazuh_package_downloaded.stat.exists +- name: Windows | Verify the Wazuh Agent installer + win_stat: + path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" + get_checksum: true + checksum_algorithm: md5 + register: wazuh_agent_status + failed_when: + - wazuh_agent_status.stat.checksum != wazuh_winagent_config.md5 + - name: Windows | Install Agent if not already installed win_package: path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" From 14e2a6bb4730e4e6068a4a474b8bcec5dee293bb Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 24 Mar 2020 16:46:01 +0100 Subject: [PATCH 02/15] Bump versions to 3.12.0_7.6.1 --- roles/elastic-stack/ansible-kibana/defaults/main.yml | 2 +- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 10 +++++----- roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index e930eae7..7223db60 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" elastic_stack_version: 7.6.1 -wazuh_version: 3.11.4 +wazuh_version: 3.12.0 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp elasticrepo: diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 05b0fe8b..b2808488 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.11.4-1 +wazuh_agent_version: 3.12.0-1 # Custom packages installation @@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: "https://s3-us-west-1.amazonaw wazuh_agent_sources_installation: enabled: false - branch: "v3.11.4" + branch: "v3.12.0" user_language: "y" user_no_stop: "y" user_install_type: "agent" @@ -63,9 +63,9 @@ wazuh_winagent_config: # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True - md5: 87ce22038688efb44d95f9daff472056 -wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.11.4-1.msi -wazuh_winagent_package_name: wazuh-agent-3.11.4-1.msi + md5: 91efaefae4e1977670eab0c768a22a93 +wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.0-1.msi +wazuh_winagent_package_name: wazuh-agent-3.12.0-1.msi wazuh_agent_config: repo: apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main' diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 8b4151de..a4ce627f 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_manager_version: 3.11.4-1 +wazuh_manager_version: 3.12.0-1 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: present @@ -15,7 +15,7 @@ wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws. # Sources installation wazuh_manager_sources_installation: enabled: false - branch: "v3.11.4" + branch: "v3.12.0" user_language: "en" user_no_stop: "y" user_install_type: "server" @@ -40,7 +40,7 @@ wazuh_manager_sources_installation: wazuh_api_sources_installation: enabled: false - branch: "v3.11.4" + branch: "v3.12.0" update: "y" remove: "y" directory: null From dfc7bbf4b36fd33e29beebb479076ac7ab15e6bf Mon Sep 17 00:00:00 2001 From: Zenidd Date: Tue, 24 Mar 2020 18:21:46 +0100 Subject: [PATCH 03/15] Updates to adapt ossec.conf templates to Wazuh v3.12 default ones --- .../ansible-wazuh-agent/defaults/main.yml | 136 +++++------------- .../var-ossec-etc-ossec-agent.conf.j2 | 28 +++- 2 files changed, 61 insertions(+), 103 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index b2808488..75c21d3c 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -87,8 +87,17 @@ wazuh_agent_config: scan_on_start: 'yes' auto_ignore: 'no' alert_new_files: 'yes' - win_audit_interval: 300 + win_audit_interval: 60 skip_nfs: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 ignore: - /etc/mtab - /etc/hosts.deny @@ -114,106 +123,39 @@ wazuh_agent_config: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin - checks: 'check_all="yes"' + checks: '' - dirs: /bin,/sbin,/boot - checks: 'check_all="yes"' + checks: '' win_directories: - - dirs: '%WINDIR%\regedit.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\system.ini' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\win.ini' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\at.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\attrib.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\cacls.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\cmd.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\drivers\etc' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\eventcreate.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\ftp.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\lsass.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\net.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\net1.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\netsh.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\reg.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\regedt32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\regsvr32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\runas.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\sc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\schtasks.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\sethc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\subst.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\wbem\WMIC.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\winrm.vbs' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\at.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\attrib.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\cacls.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\cmd.exe' - checks: 'check_all="yes"' + - dirs: '%WINDIR%' + checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"' + - dirs: '%WINDIR%\SysNative' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$| + net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$" + - dirs: '%WINDIR%\SysNative\drivers\etc%' + checks: 'recursion_level="0"' + - dirs: '%WINDIR%\SysNative\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\SysNative' + checks: 'recursion_level="0" restrict="winrm.vbs$"' + - dirs: '%WINDIR%\System32' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$| + netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$" - dirs: '%WINDIR%\System32\drivers\etc' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\eventcreate.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\ftp.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\net.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\net1.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\netsh.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\reg.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regedit.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regedt32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regsvr32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\runas.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\sc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\schtasks.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\sethc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\subst.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\wbem\WMIC.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\winrm.vbs' - checks: 'check_all="yes"' + checks: 'recursion_level="0"' + - dirs: '%WINDIR%\System32\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\System32' + checks: 'recursion_level="0" restrict="winrm.vbs$"' - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup' - checks: 'check_all="yes" realtime="yes"' + checks: 'realtime="yes"' + windows_registry: - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile' diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index 0c640cdc..28b6828a 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -61,7 +61,6 @@ yes {% endif %} {% if ansible_os_family == "Windows" %} - ./shared/win_audit_rcl.txt ./shared/win_applications_rcl.txt ./shared/win_malware_rcl.txt {% endif %} @@ -186,13 +185,13 @@ {% if wazuh_agent_config.sca.skip_nfs | length > 0 %} yes {% endif %} - {% if wazuh_agent_config.sca.day | length > 0 %} + {% if wazuh_agent_config.sca.day | length > 0 %} yes {% endif %} - {% if wazuh_agent_config.sca.wday | length > 0 %} + {% if wazuh_agent_config.sca.wday | length > 0 %} yes {% endif %} - {% if wazuh_agent_config.sca.time | length > 0 %} + {% if wazuh_agent_config.sca.time | length > 0 %} {% endif %} @@ -246,8 +245,11 @@ {% for no_diff in wazuh_agent_config.syscheck.no_diff %} {{ no_diff }} {% endfor %} - + {{ wazuh_agent_config.syscheck.skip_nfs }} + {{ wazuh_agent_config.syscheck.skip_dev }} + {{ wazuh_agent_config.syscheck.skip_proc }} + {{ wazuh_agent_config.syscheck.skip_sys }} {% endif %} {% if ansible_os_family == "Windows" %} @@ -274,6 +276,20 @@ {{ wazuh_agent_config.syscheck.win_audit_interval }} {% endif %} + + + {{ wazuh_agent_config.syscheck.process_priority }} + + + {{ wazuh_agent_config.syscheck.max_eps }} + + + + {{ wazuh_agent_config.syscheck.sync_enabled }} + {{ wazuh_agent_config.syscheck.interval }} + {{ wazuh_agent_config.syscheck.max_interval }} + {{ wazuh_agent_config.syscheck.max_eps }} + {% endif %} @@ -292,7 +308,7 @@ {% if ansible_system == "Linux" %} {% for localfile in wazuh_agent_config.localfiles.linux %} - + {{ localfile.format }} {% if localfile.format == 'command' or localfile.format == 'full_command' %} From 2cdc6fd7310990f74d4ae410b0cff152206e024a Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Tue, 24 Mar 2020 18:31:13 +0100 Subject: [PATCH 04/15] Updated elasticsearch template --- .../templates/wazuh-elastic7-template-alerts.json.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 index 06af6322..0b153fd4 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 @@ -531,6 +531,9 @@ "sha1_before": { "type": "keyword" }, + "hard_links": { + "type": "keyword" + }, "sha1_after": { "type": "keyword" }, From bee5986b0301bbdbd2b229389fac4dc88ab1ee23 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 24 Mar 2020 20:24:59 +0100 Subject: [PATCH 05/15] Bump branch when building from sources --- roles/elastic-stack/ansible-kibana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 7223db60..2ac2cde5 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -47,7 +47,7 @@ nodejs: # Build from sources build_from_sources: false -wazuh_plugin_branch: 3.11-7.6 +wazuh_plugin_branch: 3.12-7.6 #Nodejs NODE_OPTIONS node_options: --max-old-space-size=4096 From c872140f28e54abda5c7cf8f8dccc3537e3a3dbb Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 24 Mar 2020 20:25:38 +0100 Subject: [PATCH 06/15] Update path for wazuh.yml --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index efd16de5..2e39391f 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -161,10 +161,15 @@ validate_certs: no status_code: 200, 404 +- name: Create wazuh plugin config directory + file: + path: /usr/share/kibana/optimize/wazuh/config/ + state: directory + - name: Configure Wazuh Kibana Plugin template: src: wazuh.yml.j2 - dest: /usr/share/kibana/plugins/wazuh/wazuh.yml + dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml owner: kibana group: root mode: 0644 From 52f4907847affe4b4edde48838434b4ed480e386 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Tue, 24 Mar 2020 18:21:46 +0100 Subject: [PATCH 07/15] Updates to adapt ossec.conf templates to Wazuh v3.12 default ones --- .../ansible-wazuh-agent/defaults/main.yml | 136 +++++------------- .../var-ossec-etc-ossec-agent.conf.j2 | 28 +++- 2 files changed, 61 insertions(+), 103 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 05b0fe8b..2e5bf4f0 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -87,8 +87,17 @@ wazuh_agent_config: scan_on_start: 'yes' auto_ignore: 'no' alert_new_files: 'yes' - win_audit_interval: 300 + win_audit_interval: 60 skip_nfs: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 ignore: - /etc/mtab - /etc/hosts.deny @@ -114,106 +123,39 @@ wazuh_agent_config: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin - checks: 'check_all="yes"' + checks: '' - dirs: /bin,/sbin,/boot - checks: 'check_all="yes"' + checks: '' win_directories: - - dirs: '%WINDIR%\regedit.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\system.ini' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\win.ini' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\at.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\attrib.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\cacls.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\cmd.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\drivers\etc' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\eventcreate.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\ftp.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\lsass.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\net.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\net1.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\netsh.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\reg.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\regedt32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\regsvr32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\runas.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\sc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\schtasks.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\sethc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\subst.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\wbem\WMIC.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\winrm.vbs' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\at.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\attrib.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\cacls.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\cmd.exe' - checks: 'check_all="yes"' + - dirs: '%WINDIR%' + checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"' + - dirs: '%WINDIR%\SysNative' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$| + net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$" + - dirs: '%WINDIR%\SysNative\drivers\etc%' + checks: 'recursion_level="0"' + - dirs: '%WINDIR%\SysNative\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\SysNative' + checks: 'recursion_level="0" restrict="winrm.vbs$"' + - dirs: '%WINDIR%\System32' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$| + netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$" - dirs: '%WINDIR%\System32\drivers\etc' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\eventcreate.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\ftp.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\net.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\net1.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\netsh.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\reg.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regedit.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regedt32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regsvr32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\runas.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\sc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\schtasks.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\sethc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\subst.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\wbem\WMIC.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\winrm.vbs' - checks: 'check_all="yes"' + checks: 'recursion_level="0"' + - dirs: '%WINDIR%\System32\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\System32' + checks: 'recursion_level="0" restrict="winrm.vbs$"' - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup' - checks: 'check_all="yes" realtime="yes"' + checks: 'realtime="yes"' + windows_registry: - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile' diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index 0c640cdc..28b6828a 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -61,7 +61,6 @@ yes {% endif %} {% if ansible_os_family == "Windows" %} - ./shared/win_audit_rcl.txt ./shared/win_applications_rcl.txt ./shared/win_malware_rcl.txt {% endif %} @@ -186,13 +185,13 @@ {% if wazuh_agent_config.sca.skip_nfs | length > 0 %} yes {% endif %} - {% if wazuh_agent_config.sca.day | length > 0 %} + {% if wazuh_agent_config.sca.day | length > 0 %} yes {% endif %} - {% if wazuh_agent_config.sca.wday | length > 0 %} + {% if wazuh_agent_config.sca.wday | length > 0 %} yes {% endif %} - {% if wazuh_agent_config.sca.time | length > 0 %} + {% if wazuh_agent_config.sca.time | length > 0 %} {% endif %} @@ -246,8 +245,11 @@ {% for no_diff in wazuh_agent_config.syscheck.no_diff %} {{ no_diff }} {% endfor %} - + {{ wazuh_agent_config.syscheck.skip_nfs }} + {{ wazuh_agent_config.syscheck.skip_dev }} + {{ wazuh_agent_config.syscheck.skip_proc }} + {{ wazuh_agent_config.syscheck.skip_sys }} {% endif %} {% if ansible_os_family == "Windows" %} @@ -274,6 +276,20 @@ {{ wazuh_agent_config.syscheck.win_audit_interval }} {% endif %} + + + {{ wazuh_agent_config.syscheck.process_priority }} + + + {{ wazuh_agent_config.syscheck.max_eps }} + + + + {{ wazuh_agent_config.syscheck.sync_enabled }} + {{ wazuh_agent_config.syscheck.interval }} + {{ wazuh_agent_config.syscheck.max_interval }} + {{ wazuh_agent_config.syscheck.max_eps }} + {% endif %} @@ -292,7 +308,7 @@ {% if ansible_system == "Linux" %} {% for localfile in wazuh_agent_config.localfiles.linux %} - + {{ localfile.format }} {% if localfile.format == 'command' or localfile.format == 'full_command' %} From f625f0b310fe3a15d11a970535121d8de3426f34 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Wed, 25 Mar 2020 12:49:49 +0100 Subject: [PATCH 08/15] Updating manager configuration templates and vars --- .../ansible-wazuh-agent/defaults/main.yml | 4 --- .../ansible-wazuh-manager/defaults/main.yml | 19 +++++++---- .../var-ossec-etc-ossec-server.conf.j2 | 33 ++++++++++++++++--- 3 files changed, 40 insertions(+), 16 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 2e5bf4f0..7df27cc9 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -111,11 +111,7 @@ wazuh_agent_config: - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - /sys/kernel/security - - /sys/kernel/debug - - /dev/core ignore_linux_type: - - '^/proc' - '.log$|.swp$' ignore_win: - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 8b4151de..ffd2925c 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -105,7 +105,7 @@ wazuh_manager_config: authd: enable: true port: 1515 - use_source_ip: 'yes' + use_source_ip: 'no' force_insert: 'yes' force_time: 0 purge: 'yes' @@ -166,24 +166,29 @@ wazuh_manager_config: - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - /sys/kernel/security - - /sys/kernel/debug - - /dev/core ignore_linux_type: - - '^/proc' - '.log$|.swp$' no_diff: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin - checks: 'check_all="yes"' + checks: '' - dirs: /bin,/sbin,/boot - checks: 'check_all="yes"' + checks: '' auto_ignore_frequency: frequency: 'frequency="10"' timeframe: 'timeframe="3600"' value: 'no' skip_nfs: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 rootcheck: frequency: 43200 openscap: diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index d4340c9b..1a6b59c7 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -245,13 +245,13 @@ {% if wazuh_manager_config.sca.skip_nfs | length > 0 %} yes {% endif %} - {% if wazuh_manager_config.sca.day | length > 0 %} + {% if wazuh_manager_config.sca.day | length > 0 %} yes {% endif %} - {% if wazuh_manager_config.sca.wday | length > 0 %} + {% if wazuh_manager_config.sca.wday | length > 0 %} yes {% endif %} - {% if wazuh_manager_config.sca.time | length > 0 %} + {% if wazuh_manager_config.sca.time | length > 0 %} {% endif %} @@ -332,6 +332,29 @@ {% if wazuh_manager_config.syscheck.skip_nfs is defined %} {{ wazuh_manager_config.syscheck.skip_nfs }} {% endif %} + {% if wazuh_manager_config.syscheck.skip_dev is defined %} + {{ wazuh_manager_config.syscheck.skip_dev }} + {% endif %} + {% if wazuh_manager_config.syscheck.skip_proc is defined %} + {{ wazuh_manager_config.syscheck.skip_proc }} + {% endif %} + {% if wazuh_manager_config.syscheck.skip_sys is defined %} + {{ wazuh_manager_config.syscheck.skip_sys }} + {% endif %} + + + {{ wazuh_agent_config.syscheck.process_priority }} + + + {{ wazuh_agent_config.syscheck.max_eps }} + + + + {{ wazuh_agent_config.syscheck.sync_enabled }} + {{ wazuh_agent_config.syscheck.interval }} + {{ wazuh_agent_config.syscheck.max_interval }} + {{ wazuh_agent_config.syscheck.max_eps }} + @@ -470,7 +493,7 @@ {% endfor %} {% endif -%} -{% if ansible_os_family == "RedHat" %} +{% if ansible_os_family == "RedHat" %} {% for localfile in wazuh_manager_config.localfiles.centos %} @@ -578,7 +601,7 @@ {% endif %} {% if wazuh_manager_config.authd.ciphers is not none %} {{wazuh_manager_config.authd.ciphers}} - {% endif %} + {% endif %} {% if wazuh_manager_config.authd.ssl_agent_ca is not none %} /var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}} {% endif %} From 245f4e7d6badda72c716bceada8198df2500f701 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Wed, 25 Mar 2020 15:33:55 +0100 Subject: [PATCH 09/15] jinja template fixes --- .../templates/var-ossec-etc-ossec-agent.conf.j2 | 6 +++--- .../templates/var-ossec-etc-ossec-server.conf.j2 | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index 28b6828a..ee71769e 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -286,9 +286,9 @@ {{ wazuh_agent_config.syscheck.sync_enabled }} - {{ wazuh_agent_config.syscheck.interval }} - {{ wazuh_agent_config.syscheck.max_interval }} - {{ wazuh_agent_config.syscheck.max_eps }} + {{ wazuh_agent_config.syscheck.sync_interval }} + {{ wazuh_agent_config.syscheck.sync_max_interval }} + {{ wazuh_agent_config.syscheck.sync_max_eps }} {% endif %} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 1a6b59c7..88620e7d 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -351,9 +351,9 @@ {{ wazuh_agent_config.syscheck.sync_enabled }} - {{ wazuh_agent_config.syscheck.interval }} - {{ wazuh_agent_config.syscheck.max_interval }} - {{ wazuh_agent_config.syscheck.max_eps }} + {{ wazuh_agent_config.syscheck.sync_interval }} + {{ wazuh_agent_config.syscheck.sync_max_interval }} + {{ wazuh_agent_config.syscheck.sync_max_eps }} From 0019c7fdf28b83d57d6994567b7dc1803b211af2 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Wed, 25 Mar 2020 12:49:49 +0100 Subject: [PATCH 10/15] Updating manager configuration templates and vars --- .../ansible-wazuh-agent/defaults/main.yml | 4 --- .../ansible-wazuh-manager/defaults/main.yml | 19 +++++++---- .../var-ossec-etc-ossec-server.conf.j2 | 33 ++++++++++++++++--- 3 files changed, 40 insertions(+), 16 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 75c21d3c..953da95e 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -111,11 +111,7 @@ wazuh_agent_config: - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - /sys/kernel/security - - /sys/kernel/debug - - /dev/core ignore_linux_type: - - '^/proc' - '.log$|.swp$' ignore_win: - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index a4ce627f..db4f8841 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -105,7 +105,7 @@ wazuh_manager_config: authd: enable: true port: 1515 - use_source_ip: 'yes' + use_source_ip: 'no' force_insert: 'yes' force_time: 0 purge: 'yes' @@ -166,24 +166,29 @@ wazuh_manager_config: - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - /sys/kernel/security - - /sys/kernel/debug - - /dev/core ignore_linux_type: - - '^/proc' - '.log$|.swp$' no_diff: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin - checks: 'check_all="yes"' + checks: '' - dirs: /bin,/sbin,/boot - checks: 'check_all="yes"' + checks: '' auto_ignore_frequency: frequency: 'frequency="10"' timeframe: 'timeframe="3600"' value: 'no' skip_nfs: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 rootcheck: frequency: 43200 openscap: diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index d4340c9b..1a6b59c7 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -245,13 +245,13 @@ {% if wazuh_manager_config.sca.skip_nfs | length > 0 %} yes {% endif %} - {% if wazuh_manager_config.sca.day | length > 0 %} + {% if wazuh_manager_config.sca.day | length > 0 %} yes {% endif %} - {% if wazuh_manager_config.sca.wday | length > 0 %} + {% if wazuh_manager_config.sca.wday | length > 0 %} yes {% endif %} - {% if wazuh_manager_config.sca.time | length > 0 %} + {% if wazuh_manager_config.sca.time | length > 0 %} {% endif %} @@ -332,6 +332,29 @@ {% if wazuh_manager_config.syscheck.skip_nfs is defined %} {{ wazuh_manager_config.syscheck.skip_nfs }} {% endif %} + {% if wazuh_manager_config.syscheck.skip_dev is defined %} + {{ wazuh_manager_config.syscheck.skip_dev }} + {% endif %} + {% if wazuh_manager_config.syscheck.skip_proc is defined %} + {{ wazuh_manager_config.syscheck.skip_proc }} + {% endif %} + {% if wazuh_manager_config.syscheck.skip_sys is defined %} + {{ wazuh_manager_config.syscheck.skip_sys }} + {% endif %} + + + {{ wazuh_agent_config.syscheck.process_priority }} + + + {{ wazuh_agent_config.syscheck.max_eps }} + + + + {{ wazuh_agent_config.syscheck.sync_enabled }} + {{ wazuh_agent_config.syscheck.interval }} + {{ wazuh_agent_config.syscheck.max_interval }} + {{ wazuh_agent_config.syscheck.max_eps }} + @@ -470,7 +493,7 @@ {% endfor %} {% endif -%} -{% if ansible_os_family == "RedHat" %} +{% if ansible_os_family == "RedHat" %} {% for localfile in wazuh_manager_config.localfiles.centos %} @@ -578,7 +601,7 @@ {% endif %} {% if wazuh_manager_config.authd.ciphers is not none %} {{wazuh_manager_config.authd.ciphers}} - {% endif %} + {% endif %} {% if wazuh_manager_config.authd.ssl_agent_ca is not none %} /var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}} {% endif %} From 6b57e195b868dc74183c020abe614c55118a7007 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Wed, 25 Mar 2020 15:33:55 +0100 Subject: [PATCH 11/15] jinja template fixes --- .../templates/var-ossec-etc-ossec-agent.conf.j2 | 6 +++--- .../templates/var-ossec-etc-ossec-server.conf.j2 | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index 28b6828a..ee71769e 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -286,9 +286,9 @@ {{ wazuh_agent_config.syscheck.sync_enabled }} - {{ wazuh_agent_config.syscheck.interval }} - {{ wazuh_agent_config.syscheck.max_interval }} - {{ wazuh_agent_config.syscheck.max_eps }} + {{ wazuh_agent_config.syscheck.sync_interval }} + {{ wazuh_agent_config.syscheck.sync_max_interval }} + {{ wazuh_agent_config.syscheck.sync_max_eps }} {% endif %} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 1a6b59c7..88620e7d 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -351,9 +351,9 @@ {{ wazuh_agent_config.syscheck.sync_enabled }} - {{ wazuh_agent_config.syscheck.interval }} - {{ wazuh_agent_config.syscheck.max_interval }} - {{ wazuh_agent_config.syscheck.max_eps }} + {{ wazuh_agent_config.syscheck.sync_interval }} + {{ wazuh_agent_config.syscheck.sync_max_interval }} + {{ wazuh_agent_config.syscheck.sync_max_eps }} From 1d6988768f5da3f8fa5bad0c047188e5f8726dab Mon Sep 17 00:00:00 2001 From: Zenidd Date: Wed, 25 Mar 2020 16:23:46 +0100 Subject: [PATCH 12/15] Minor jinja template fixes --- .../templates/var-ossec-etc-ossec-server.conf.j2 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 88620e7d..998900b2 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -343,17 +343,17 @@ {% endif %} - {{ wazuh_agent_config.syscheck.process_priority }} + {{ wazuh_manager_config.syscheck.process_priority }} - {{ wazuh_agent_config.syscheck.max_eps }} + {{ wazuh_manager_config.syscheck.max_eps }} - {{ wazuh_agent_config.syscheck.sync_enabled }} - {{ wazuh_agent_config.syscheck.sync_interval }} - {{ wazuh_agent_config.syscheck.sync_max_interval }} - {{ wazuh_agent_config.syscheck.sync_max_eps }} + {{ wazuh_manager_config.syscheck.sync_enabled }} + {{ wazuh_manager_config.syscheck.sync_interval }} + {{ wazuh_manager_config.syscheck.sync_max_interval }} + {{ wazuh_manager_config.syscheck.sync_max_eps }} From ec9a4b61c7e8f5d94a69dd00b710a3274c3e6dec Mon Sep 17 00:00:00 2001 From: Zenidd Date: Wed, 25 Mar 2020 17:57:38 +0100 Subject: [PATCH 13/15] v3.12 changelog --- CHANGELOG.md | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 213cb432..60673b65 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,25 @@ # Change Log All notable changes to this project will be documented in this file. +## [v3.12.0_7.6.1] + +### Added + +- Update to Wazuh v3.12.0 +- Added registration address variable to wazuh-agent playbook ([@Zenidd](https://github.com/Zenidd)) [PR#392](https://github.com/wazuh/wazuh-ansible/pull/392) + +### Changed + +- Bump NodeJS version to 10.x ([@manuasir](https://github.com/manuasir)) [PR#386](https://github.com/wazuh/wazuh-ansible/pull/386) +- Add flag to enable/disable Windows MD5 check ([@jm404](https://github.com/jm404)) [PR#383](https://github.com/wazuh/wazuh-ansible/pull/383) +- Rule paths are now relative to playbooks. ([@Zenidd ](https://github.com/Zenidd)) [PR#393](https://github.com/wazuh/wazuh-ansible/pull/393) + +### Fixed + +- Removed bad formed XML comments. ([@manuasir](https://github.com/manuasir)) [PR#391](https://github.com/wazuh/wazuh-ansible/pull/391) +- NodeJS node_options variable and Kibana plugin optimization fix. ([@Zenidd](https://github.com/Zenidd)) [PR#385](https://github.com/wazuh/wazuh-ansible/pull/385) +- Restrictive permissions for certificate files. ([@Zenidd](https://github.com/Zenidd)) [PR#382](https://github.com/wazuh/wazuh-ansible/pull/382) + ## [v3.11.4_7.6.1] ### Added @@ -70,7 +89,7 @@ All notable changes to this project will be documented in this file. - Added support for environments with low disk space ([@xr09](https://github.com/xr09)) [PR#281](https://github.com/wazuh/wazuh-ansible/pull/281) - Add parameters to configure an Elasticsearch coordinating node ([@jm404](https://github.com/jm404)) [PR#292](https://github.com/wazuh/wazuh-ansible/pull/292) - + ### Changed @@ -121,7 +140,7 @@ All notable changes to this project will be documented in this file. ### Added -- Update to Wazuh v3.10.0 +- Update to Wazuh v3.10.0 ### Changed @@ -143,14 +162,14 @@ All notable changes to this project will be documented in this file. ## [v3.9.5_7.2.1] -### Added +### Added - Update to Wazuh v3.9.5 - Update to Elastic Stack to v7.2.1 ## [v3.9.4_7.2.0] -### Added +### Added - Support for registring agents behind NAT [@jheikki100](https://github.com/jheikki100) [#208](https://github.com/wazuh/wazuh-ansible/pull/208) @@ -164,7 +183,7 @@ All notable changes to this project will be documented in this file. ## [v3.9.3_7.2.0] -### Added +### Added - Update to Wazuh v3.9.3 ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#)) - Added Versioning Control for Wazuh stack's components installation, so now it's possible to specify which package to install for wazuh-manager, wazuh-agent, Filebeat, Elasticsearch and Kibana. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#)) - Fixes for Molecule testing issues. Issues such as Ansible-Lint and None-Idempotent tasks. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#)) @@ -174,7 +193,7 @@ All notable changes to this project will be documented in this file. ## [v3.9.2_7.1.1] -### Added +### Added - Update to Wazuh v3.9.2 - Support for Elastic 7 @@ -182,13 +201,13 @@ All notable changes to this project will be documented in this file. ## [v3.9.2_6.8.0] -### Added +### Added - Update to Wazuh v3.9.2 ## [v3.9.1] -### Added +### Added - Update to Wazuh v3.9.1 - Support for ELK v6.8.0 @@ -216,7 +235,7 @@ All notable changes to this project will be documented in this file. ## [v3.8.2] -### Changed +### Changed - Update to Wazuh version v3.8.2. ([#150](https://github.com/wazuh/wazuh-ansible/pull/150)) @@ -316,4 +335,3 @@ Roles: - ansible-filebeat: This role is prepared to install filebeat on the host that runs it. - ansible-wazuh-manager: With this role we will install Wazuh manager and Wazuh API on the host that runs it. - ansible-wazuh-agent: Using this role we will install Wazuh agent on the host that runs it and is able to register it. - From 02d945bed402b9d0a7ebfe69130841d29013a2b8 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Wed, 25 Mar 2020 18:07:29 +0100 Subject: [PATCH 14/15] Empty custom agent packages url --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 953da95e..8041962f 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -5,8 +5,8 @@ wazuh_agent_version: 3.12.0-1 # Custom packages installation wazuh_custom_packages_installation_agent_enabled: false -wazuh_custom_packages_installation_agent_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/deb/var/wazuh-agent_3.12.0-0.3319fimreworksqlite_amd64.deb" -wazuh_custom_packages_installation_agent_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/rpm/var/wazuh-agent-3.12.0-0.3319fimreworksqlite.x86_64.rpm" +wazuh_custom_packages_installation_agent_deb_url: "" +wazuh_custom_packages_installation_agent_rpm_url: "" # Sources installation From f518635a11142d673ad18ac5f44071615f6a68b7 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Wed, 25 Mar 2020 18:20:30 +0100 Subject: [PATCH 15/15] Changelog minor fix --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 60673b65..520661ef 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,8 @@ All notable changes to this project will be documented in this file. - Bump NodeJS version to 10.x ([@manuasir](https://github.com/manuasir)) [PR#386](https://github.com/wazuh/wazuh-ansible/pull/386) - Add flag to enable/disable Windows MD5 check ([@jm404](https://github.com/jm404)) [PR#383](https://github.com/wazuh/wazuh-ansible/pull/383) - Rule paths are now relative to playbooks. ([@Zenidd ](https://github.com/Zenidd)) [PR#393](https://github.com/wazuh/wazuh-ansible/pull/393) +- Add the option to create agent groups and add an agent to 1 or more group. ([@rshad](https://github.com/rshad)) [PR#361](https://github.com/wazuh/wazuh-ansible/pull/361) + ### Fixed