From 0d09a5afc2098eed0ba2ea4bcf9db4c568131372 Mon Sep 17 00:00:00 2001 From: Jose Luis Date: Wed, 5 Apr 2017 16:09:00 -0400 Subject: [PATCH] udpate code with agentless configuration --- ansible-wazuh-server/README.md | 12 +++-- ansible-wazuh-server/tasks/main.yml | 50 +++++++++++++++++-- ansible-wazuh-server/templates/agentless.j2 | 3 ++ ansible-wazuh-server/templates/api_user.j2 | 3 ++ .../var-ossec-etc-ossec-server.conf.j2 | 14 ++++++ .../var-ossec-etc-shared-agent.conf.j2 | 44 ++++++++++++++++ ansible-wazuh-server/vars/agentless.yml | 11 ++++ ansible-wazuh-server/vars/api-user.yml | 8 --- ansible-wazuh-server/vars/api_user.yml | 11 ++++ ansible-wazuh-server/vars/main.yml | 44 ++++++++++++++++ passwd | 1 - user.yml | 6 --- 12 files changed, 185 insertions(+), 22 deletions(-) create mode 100644 ansible-wazuh-server/templates/agentless.j2 create mode 100644 ansible-wazuh-server/templates/api_user.j2 create mode 100644 ansible-wazuh-server/templates/var-ossec-etc-shared-agent.conf.j2 create mode 100644 ansible-wazuh-server/vars/agentless.yml delete mode 100644 ansible-wazuh-server/vars/api-user.yml create mode 100644 ansible-wazuh-server/vars/api_user.yml delete mode 100644 passwd delete mode 100644 user.yml diff --git a/ansible-wazuh-server/README.md b/ansible-wazuh-server/README.md index b70b7c53..1747af9b 100644 --- a/ansible-wazuh-server/README.md +++ b/ansible-wazuh-server/README.md @@ -10,7 +10,6 @@ This role will work on: * Red Hat * Debian -So, you'll need one of those operating systems.. :-) Role Variables -------------- @@ -19,13 +18,20 @@ This role has some variables which you can or need to override. ``` ossec_server_config: [] ossec_agent_configs: [] +api_user: [] ``` +Vault variables +---------------- +### vars/api_user.yml +``` --- -user: "jose:$apr1$XSwG938n$tDxKvaCBx5C/kdU2xXP3K." - +user: + - "wazuh:$apr1$XSwG938n$tDxKvaCBx5C/kdU2xXP3K." + - "wazuh2:$apr1$XSwG938n$tDxKvaCBx5C/kdU2xXP3K." +``` ###Example setup 
diff --git a/ansible-wazuh-server/tasks/main.yml b/ansible-wazuh-server/tasks/main.yml
index 799198c9..2f1ea46d 100644
--- a/ansible-wazuh-server/tasks/main.yml
+++ b/ansible-wazuh-server/tasks/main.yml
@@ -41,6 +41,17 @@
 - config
 - rules
+- name: Configure the shared-agent.conf
+ template: src=var-ossec-etc-shared-agent.conf.j2
+ dest=/var/ossec/etc/shared/agent.conf
+ owner=ossec
+ group=ossec
+ mode=0640
+ notify: restart wazuh-manager
+ tags:
+ - init
+ - config
+
 - name: Check if client-syslog is enabled
 shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-csyslogd is running' | xargs echo"
 register: csyslog_running
@@ -54,6 +65,19 @@
 command: /var/ossec/bin/ossec-control start client-syslog
 when: csyslog_running.stdout == '0' and ossec_server_config.syslog_outputs is defined
+- name: Check if ossec-agentlessd is enabled
+ shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-agentlessd is running' | xargs echo"
+ register: agentless_running
+ changed_when: False
+
+- name: Enable client-syslog if not running and ossec_server_config.syslog_outputs is given
+ command: /var/ossec/bin/ossec-control enable agentless
+ when: agentless_running.stdout == '0' and ossec_server_config.agentless is defined
+
+- name: Start client-syslog if not running and ossec_server_config.syslog_outputs is given
+ command: /var/ossec/bin/ossec-control start agentless
+ when: agentless_running.stdout == '0' and ossec_server_config.agentless is defined
+
 - name: Set ossec deploy facts for Debian
 set_fact:
 ossec_server_config_filename: ossec.conf
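Review bot: The new "Configure the shared-agent.conf" task passes its `template:` arguments in the key=value free-form style (`template: src=... dest=... mode=0640`), whereas the other template tasks this commit adds to the same file (Wazuh-api User, Agentless Credentials) use the native YAML mapping form; Ansible recommends the mapping form, and mixing both in one tasks file hurts readability and linting. Rewriting the arguments as a mapping is behaviour-neutral and lets the mode be given as a quoted string so no YAML octal ambiguity can arise.
```yaml
- name: Configure the shared-agent.conf
  template:
    src: var-ossec-etc-shared-agent.conf.j2
    dest: /var/ossec/etc/shared/agent.conf
    owner: ossec
    group: ossec
    mode: "0640"
  # … unchanged: notify / tags …
```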
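Review bot: The two tasks added after the ossec-agentlessd status check are still named `Enable client-syslog if not running and ossec_server_config.syslog_outputs is given` and `Start client-syslog ...`, but their commands run `ossec-control enable agentless` / `start agentless` and their `when:` tests `ossec_server_config.agentless`; the names look copied from the client-syslog block above and will mislead anyone reading play output or a failed-task report. Rename them to `- name: Enable agentless if not running and ossec_server_config.agentless is given` and `- name: Start agentless if not running and ossec_server_config.agentless is given`. `changed_when: False` should also use the lowercase `false` that the rest of this file uses for booleans (`no_log: true`).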
@@ -91,13 +115,17 @@
 - init
 - config
-- name: Import secret variable file
- include_vars: "api-user.yml"
+- name: Import api_user secret variable file
+ include_vars: "api_user.yml"
+ no_log: true
+
+- name: Import agentless secret variable file
+ include_vars: "agentless.yml"
 no_log: true
 - name: Wazuh-api User
- copy:
- content: "{{user}}"
+ template:
+ src: api_user.j2
 dest: "/var/ossec/api/configuration/auth/user"
 owner: root
 group: root
@@ -105,6 +133,20 @@
 no_log: true
 notify: restart wazuh-api
+- name: Agentless Credentials
+ template:
+ src: agentless.j2
+ dest: "/var/ossec/agentless/.passlist2"
+ owner: root
+ group: root
+ mode: 0644
+ no_log: true
+ when: agentless_passlist is defined
+
+- name: Encode the secret
+ shell: /usr/bin/base64 /var/ossec/agentless/.passlist2 > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist2
+ when: agentless_passlist is defined
+
 - name: Ensure Wazuh Manager, wazuh api and ossec-authd service is started and enabled
 service:
 name: "{{ item }}"
diff --git a/ansible-wazuh-server/templates/agentless.j2 b/ansible-wazuh-server/templates/agentless.j2
new file mode 100644
index 00000000..64081b96
--- /dev/null
+++ b/ansible-wazuh-server/templates/agentless.j2
@@ -0,0 +1,3 @@
+{% for agentless in agentless_passlist %}
+{{ agentless.host }}|{{ agentless.passwd }}
+{% endfor %}
diff --git a/ansible-wazuh-server/templates/api_user.j2 b/ansible-wazuh-server/templates/api_user.j2
new file mode 100644
index 00000000..5a7dffcb
--- /dev/null
+++ b/ansible-wazuh-server/templates/api_user.j2
@@ -0,0 +1,3 @@
+{% for user in api_user %}
+{{ user }}
+{% endfor %}
diff --git a/ansible-wazuh-server/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-server/templates/var-ossec-etc-ossec-server.conf.j2
index 59ee7862..dd45dd32 100644
--- a/ansible-wazuh-server/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/ansible-wazuh-server/templates/var-ossec-etc-ossec-server.conf.j2
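Review bot: In the "Agentless Credentials" task `.passlist2` is rendered from `agentless.j2` with `mode: 0644`, so the plaintext `host|password` pairs are world-readable on the manager until the next task deletes the file, and they stay that way if the play stops between the two tasks; the encoded `.passlist` is then created by shell redirection, so its permissions come from the running umask rather than from the task. Set `mode: 0600` on the template task and write the encoded file under a restrictive umask, e.g. `shell: umask 077 && /usr/bin/base64 /var/ossec/agentless/.passlist2 > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist2`. The "Encode the secret" task also has no `changed_when`, so it reports changed on every run even though nothing differs. An alternative that removes the temporary plaintext file entirely is a single `copy` task whose `content` is the `agentless.j2` output passed through the `b64encode` filter, provided ossec-agentlessd accepts unwrapped base64 (the CLI wraps at 76 columns by default) — worth confirming before switching.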
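Review bot: `api_user.j2` iterates `{% for user in api_user %}`, while the README section this commit adds for `vars/api_user.yml` still documents the vault variable as a `user:` list; the vault file is encrypted so it cannot be checked here, but one of the two is wrong, and an undefined `api_user` would fail the Wazuh-api User task rather than produce a usable auth file. Align the README example with the template, e.g. `api_user:` followed by the two `- "wazuh:..."` entries. The README also does not mention `agentless_passlist`, which `agentless.j2` in the previous hunk requires as a list of mappings with `host` and `passwd` keys; a one-line example under the new "Vault variables" heading would make the `vars/agentless.yml` file usable without reading the template.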
@@ -147,6 +147,20 @@ {% endif %} +{% if ossec_server_config.agentless is defined %} +{% for agentless in ossec_server_config.agentless %} + + {{ agentless.type }} + {{ agentless.frequency }} + {{ agentless.host }} + {{ agentless.state }} + {% if agentless.arguments is defined %} + {{ agentless.arguments }} + {% endif %} + + +{% endfor %} +{% endif %} {% for white_list in ossec_server_config.globals %} diff --git a/ansible-wazuh-server/templates/var-ossec-etc-shared-agent.conf.j2 b/ansible-wazuh-server/templates/var-ossec-etc-shared-agent.conf.j2 new file mode 100644 index 00000000..607631c9 --- /dev/null +++ b/ansible-wazuh-server/templates/var-ossec-etc-shared-agent.conf.j2 @@ -0,0 +1,44 @@ +{% for item in ossec_agent_configs %} + + + +{% for directory in item.directories %} + {{ directory.dirs }} +{% endfor %} + + {{ item.frequency_check }} + {% for ignore_file in item.ignore_files %} + {{ ignore_file }} + {% endfor %} + + + +{% for localfile in item.localfiles %} + + {{ localfile.format }} + {% if localfile.command is defined %} + {{ localfile.command }} + {% else %} + {{ localfile.location }} + {% endif %} + +{% endfor %} + + + /var/ossec/etc/shared/rootkit_files.txt + /var/ossec/etc/shared/rootkit_trojans.txt + /var/ossec/etc/shared/system_audit_rcl.txt + {% if item.cis_distribution_filename is defined %} + /var/ossec/etc/shared/{{ item.cis_distribution_filename }} + {% else %} + {# none specified so install all #} + /var/ossec/etc/shared/cis_debian_linux_rcl.txt + /var/ossec/etc/shared/cis_rhel_linux_rcl.txt + /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt + /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt + /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt + {% endif %} + + + +{% endfor %} diff --git a/ansible-wazuh-server/vars/agentless.yml b/ansible-wazuh-server/vars/agentless.yml new file mode 100644 index 00000000..48547f0e --- /dev/null +++ b/ansible-wazuh-server/vars/agentless.yml 
@@ -0,0 +1,11 @@ +$ANSIBLE_VAULT;1.1;AES256 +65316634333362393962623133616234373639323463366332336331373337313066393962333231 +3931646633633136653736666533346562353435336333360a306161343039363533623766393264 +30323539616462636238393861386463366434636333323361623035393038663263633964353335 +3432363337386631630a313835643062363666356464663130353533386234383430356633303037 +61653338636435626464353031333865646165663635303030396131366565303439353039303831 +37636462383933306138663130353966666162356435323862376635333635303931333765663335 +38336634396236336239636330626638303865373565653262616563613336353838303931316464 +37666634633131343537396565376265633064353835656639303962643735376564623935356466 +66623837356137326635613132383834663436366635396234333965393338383565393938393331 +3062373862333862323138373637653531373262346139323732 diff --git a/ansible-wazuh-server/vars/api-user.yml b/ansible-wazuh-server/vars/api-user.yml deleted file mode 100644 index 402d6226..00000000 --- a/ansible-wazuh-server/vars/api-user.yml +++ /dev/null @@ -1,8 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -36386266366539623939353066643064616263636338323237666633366233373764333432373330 -3463386532373033623136363164386638663066656535620a343863326564396361663265363831 -33333665666364363661366337663761653732323166653564396466346464656238616564636434 -3535626161313834360a636664353431373563383964626463663335643430316235313638663930 -66386530343630613531663434386339366233306663376639333235376365366436663831376161 -64336436303035333234636361303439313237393436373538333862373839366265666438353061 -373032306536613230343261303761663664 diff --git a/ansible-wazuh-server/vars/api_user.yml b/ansible-wazuh-server/vars/api_user.yml new file mode 100644 index 00000000..69a973c8 --- /dev/null +++ b/ansible-wazuh-server/vars/api_user.yml 
@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+30626565633363656662393332653964653565376238633538323230333934613934323231343262
+6130313831653766333463653765643336313864373934620a646139336334346165346163633262
+36333031313434623439663839323036323533623235653536376534636137636334396233636236
+6238653531316136620a633361333130313335393333313861316233623037306131653733623661
+37363163346361366631623530323166373861623366633633396164326331376664666665646236
+64333738326538303063653266623930613130383637663864336664646361663935343231383965
+34303734333031373161376435373538613262373037386430333933383639323965356336383563
+34666431343136376132633632393938653965613236396333626430643538353533313131353338
+37373138396435623230306262303934396164303238346563363230663032316334613262336235
+3235313265333561366130393966643632333735623761643261
diff --git a/ansible-wazuh-server/vars/main.yml b/ansible-wazuh-server/vars/main.yml
index de8f74b5..ab842e29 100644
--- a/ansible-wazuh-server/vars/main.yml
+++ b/ansible-wazuh-server/vars/main.yml
@@ -26,6 +26,21 @@ ossec_server_config:
 dirs: /etc,/usr/bin,/usr/sbin
 - check_all: 'yes'
 dirs: /bin,/sbin
+ agentless:
+ - type: ssh_integrity_check_linux
+ frequency: 36000
+ host: root@example.net
+ state: periodic
+ arguments: '/bin /etc/ /sbin'
+ - type: ssh_integrity_check_linux
+ frequency: 36000
+ host: root@example.net
+ state: periodic
+ arguments: '/bin /etc/ /sbin'
+ - type: ssh_integrity_check_linux
+ frequency: 36000
+ host: root@example.net
+ state: periodic
 localfiles:
 - format: 'syslog'
 location: '/var/log/messages'
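Review bot: The `agentless:` block added under `ossec_server_config` in `vars/main.yml` makes the `ossec_server_config.agentless is defined` guard on the new tasks in `tasks/main.yml` always true, so every run of the role enables and starts ossec-agentlessd and ships three `ssh_integrity_check_linux` entries pointing at the placeholder `root@example.net`. Because a role's `vars/` take precedence over inventory, `host_vars` and `group_vars`, a consumer cannot turn this off without extra-vars or a full override of `ossec_server_config`. Keep the example out of `vars/main.yml` (move it to `defaults/main.yml`, or document it in the README as an optional key), and drop the duplicated entries — two of the three are byte-identical, so the same check would be scheduled twice against the same host. The same precedence concern applies to `ossec_agent_configs` in the next hunk of this file.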
@@ -79,3 +94,32 @@ ossec_server_config:
 location: 'local'
 level: 6
 timeout: 600
+
+ossec_agent_configs:
+ - type: os
+ type_value: linux
+ frequency_check: 79200
+ ignore_files:
+ - /etc/mtab
+ - /etc/mnttab
+ - /etc/hosts.deny
+ - /etc/mail/statistics
+ - /etc/svc/volatile
+ directories:
+ - check_all: yes
+ dirs: /etc,/usr/bin,/usr/sbin
+ - check_all: yes
+ dirs: /bin,/sbin
+ localfiles:
+ - format: 'syslog'
+ location: '/var/log/messages'
+ - format: 'syslog'
+ location: '/var/log/secure'
+ - format: 'syslog'
+ location: '/var/log/maillog'
+ - format: 'apache'
+ location: '/var/log/httpd/error_log'
+ - format: 'apache'
+ location: '/var/log/httpd/access_log'
+ - format: 'apache'
+ location: '/var/ossec/logs/active-responses.log'
diff --git a/passwd b/passwd
deleted file mode 100644
index 9daeafb9..00000000
--- a/passwd
+++ /dev/null
@@ -1 +0,0 @@
-test
diff --git a/user.yml b/user.yml
deleted file mode 100644
index 88f26781..00000000
--- a/user.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-66616434393463353338336137323935333863353166656135643764626431396331383331353339
-3637383166363739306238306465303232623239376263630a613838376432373733633838616632
-35636137636665663039336436363962356533353033386239336362343965656361393738316536
-3838303338383764610a376232313734643737623330396335383062653136656136633934336135
-3336
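Review bot: `check_all: yes` in the new `ossec_agent_configs.directories` entries is an unquoted YAML 1.1 boolean, so Ansible receives `True` rather than the string `yes`, whereas the existing `ossec_server_config` entries in this same file write `check_all: 'yes'`. If `var-ossec-etc-shared-agent.conf.j2` renders this attribute (its visible lines only use `directory.dirs`, so it may currently be ignored), the agent would see `check_all="True"`, which is not a value OSSEC understands. Quote both occurrences as `- check_all: 'yes'` to match the server config and keep the value a string regardless of which template consumes it.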