afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

udpate code with agentless configuration

Browse Source
This commit is contained in:
Jose Luis 2017-04-05 16:09:00 -04:00
parent f2aaa49465
commit 0d09a5afc2
12 changed files with 185 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ansible-wazuh-server/README.md
View File

@ -10,7 +10,6 @@ This role will work on:
* Red Hat * Red Hat
* Debian * Debian
So, you'll need one of those operating systems.. :-)
Role Variables Role Variables
-------------- --------------
@ -19,13 +18,20 @@ This role has some variables which you can or need to override.
``` ```
ossec_server_config: [] ossec_server_config: []
ossec_agent_configs: [] ossec_agent_configs: []
api_user: []
``` ```
Vault variables
----------------
### vars/api_user.yml
```
--- ---
user: "jose:$apr1$XSwG938n$tDxKvaCBx5C/kdU2xXP3K." user:
- "wazuh:$apr1$XSwG938n$tDxKvaCBx5C/kdU2xXP3K."
- "wazuh2:$apr1$XSwG938n$tDxKvaCBx5C/kdU2xXP3K."
```
###Example setup ###Example setup

50
ansible-wazuh-server/tasks/main.yml
View File

@ -41,6 +41,17 @@
- config - config
- rules - rules
- name: Configure the shared-agent.conf
template: src=var-ossec-etc-shared-agent.conf.j2
dest=/var/ossec/etc/shared/agent.conf
owner=ossec
group=ossec
mode=0640
notify: restart wazuh-manager
tags:
- init
- config
- name: Check if client-syslog is enabled - name: Check if client-syslog is enabled
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-csyslogd is running' | xargs echo" shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-csyslogd is running' | xargs echo"
register: csyslog_running register: csyslog_running
@ -54,6 +65,19 @@
command: /var/ossec/bin/ossec-control start client-syslog command: /var/ossec/bin/ossec-control start client-syslog
when: csyslog_running.stdout == '0' and ossec_server_config.syslog_outputs is defined when: csyslog_running.stdout == '0' and ossec_server_config.syslog_outputs is defined
- name: Check if ossec-agentlessd is enabled
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-agentlessd is running' | xargs echo"
register: agentless_running
changed_when: False
- name: Enable client-syslog if not running and ossec_server_config.syslog_outputs is given
command: /var/ossec/bin/ossec-control enable agentless
when: agentless_running.stdout == '0' and ossec_server_config.agentless is defined
- name: Start client-syslog if not running and ossec_server_config.syslog_outputs is given
command: /var/ossec/bin/ossec-control start agentless
when: agentless_running.stdout == '0' and ossec_server_config.agentless is defined
- name: Set ossec deploy facts for Debian - name: Set ossec deploy facts for Debian
set_fact: set_fact:
ossec_server_config_filename: ossec.conf ossec_server_config_filename: ossec.conf
@ -91,13 +115,17 @@
- init - init
- config - config
- name: Import secret variable file - name: Import api_user secret variable file
include_vars: "api-user.yml" include_vars: "api_user.yml"
no_log: true
- name: Import agentless secret variable file
include_vars: "agentless.yml"
no_log: true no_log: true
- name: Wazuh-api User - name: Wazuh-api User
copy: template:
content: "{{user}}" src: api_user.j2
dest: "/var/ossec/api/configuration/auth/user" dest: "/var/ossec/api/configuration/auth/user"
owner: root owner: root
group: root group: root
@ -105,6 +133,20 @@
no_log: true no_log: true
notify: restart wazuh-api notify: restart wazuh-api
- name: Agentless Credentials
template:
src: agentless.j2
dest: "/var/ossec/agentless/.passlist2"
owner: root
group: root
mode: 0644
no_log: true
when: agentless_passlist is defined
- name: Encode the secret
shell: /usr/bin/base64 /var/ossec/agentless/.passlist2 > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist2
when: agentless_passlist is defined
- name: Ensure Wazuh Manager, wazuh api and ossec-authd service is started and enabled - name: Ensure Wazuh Manager, wazuh api and ossec-authd service is started and enabled
service: service:
name: "{{ item }}" name: "{{ item }}"

3
ansible-wazuh-server/templates/agentless.j2 Normal file
View File

@ -0,0 +1,3 @@
{% for agentless in agentless_passlist %}
{{ agentless.host }}|{{ agentless.passwd }}
{% endfor %}

3
ansible-wazuh-server/templates/api_user.j2 Normal file
View File

@ -0,0 +1,3 @@
{% for user in api_user %}
{{ user }}
{% endfor %}

14
ansible-wazuh-server/templates/var-ossec-etc-ossec-server.conf.j2
View File

@ -147,6 +147,20 @@
</wodle> </wodle>
{% endif %} {% endif %}
{% if ossec_server_config.agentless is defined %}
{% for agentless in ossec_server_config.agentless %}
<agentless>
<type>{{ agentless.type }}</type>
<frequency>{{ agentless.frequency }}</frequency>
<host>{{ agentless.host }}</host>
<state>{{ agentless.state }}</state>
{% if agentless.arguments is defined %}
<arguments>{{ agentless.arguments }}</arguments>
{% endif %}
</agentless>
{% endfor %}
{% endif %}
<global> <global>
{% for white_list in ossec_server_config.globals %} {% for white_list in ossec_server_config.globals %}

44
ansible-wazuh-server/templates/var-ossec-etc-shared-agent.conf.j2 Normal file
View File

@ -0,0 +1,44 @@
{% for item in ossec_agent_configs %}
<agent_config {{ item.type }}="{{ item.type_value }}">
<syscheck>
<!-- Directories to check (perform all possible verifications) -->
{% for directory in item.directories %}
<directories check_all="{{ directory.check_all }}">{{ directory.dirs }}</directories>
{% endfor %}
<!-- files we don't watch/ignore -->
<frequency>{{ item.frequency_check }}</frequency>
{% for ignore_file in item.ignore_files %}
<ignore>{{ ignore_file }}</ignore>
{% endfor %}
</syscheck>
<!-- Files to monitor (localfiles) -->
{% for localfile in item.localfiles %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.command is defined %}
<command>{{ localfile.command }}</command>
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
{% if item.cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/{{ item.cis_distribution_filename }}</system_audit>
{% else %}
{# none specified so install all #}
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
{% endif %}
</rootcheck>
</agent_config>
{% endfor %}

11
ansible-wazuh-server/vars/agentless.yml Normal file
View File

@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
65316634333362393962623133616234373639323463366332336331373337313066393962333231
3931646633633136653736666533346562353435336333360a306161343039363533623766393264
30323539616462636238393861386463366434636333323361623035393038663263633964353335
3432363337386631630a313835643062363666356464663130353533386234383430356633303037
61653338636435626464353031333865646165663635303030396131366565303439353039303831
37636462383933306138663130353966666162356435323862376635333635303931333765663335
38336634396236336239636330626638303865373565653262616563613336353838303931316464
37666634633131343537396565376265633064353835656639303962643735376564623935356466
66623837356137326635613132383834663436366635396234333965393338383565393938393331
3062373862333862323138373637653531373262346139323732

8
ansible-wazuh-server/vars/api-user.yml
View File

@ -1,8 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
36386266366539623939353066643064616263636338323237666633366233373764333432373330
3463386532373033623136363164386638663066656535620a343863326564396361663265363831
33333665666364363661366337663761653732323166653564396466346464656238616564636434
3535626161313834360a636664353431373563383964626463663335643430316235313638663930
66386530343630613531663434386339366233306663376639333235376365366436663831376161
64336436303035333234636361303439313237393436373538333862373839366265666438353061
373032306536613230343261303761663664

11
ansible-wazuh-server/vars/api_user.yml Normal file
View File

@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
30626565633363656662393332653964653565376238633538323230333934613934323231343262
6130313831653766333463653765643336313864373934620a646139336334346165346163633262
36333031313434623439663839323036323533623235653536376534636137636334396233636236
6238653531316136620a633361333130313335393333313861316233623037306131653733623661
37363163346361366631623530323166373861623366633633396164326331376664666665646236
64333738326538303063653266623930613130383637663864336664646361663935343231383965
34303734333031373161376435373538613262373037386430333933383639323965356336383563
34666431343136376132633632393938653965613236396333626430643538353533313131353338
37373138396435623230306262303934396164303238346563363230663032316334613262336235
3235313265333561366130393966643632333735623761643261

44
ansible-wazuh-server/vars/main.yml
View File

@ -26,6 +26,21 @@ ossec_server_config:
dirs: /etc,/usr/bin,/usr/sbin dirs: /etc,/usr/bin,/usr/sbin
- check_all: 'yes' - check_all: 'yes'
dirs: /bin,/sbin dirs: /bin,/sbin
agentless:
- type: ssh_integrity_check_linux
frequency: 36000
host: root@example.net
state: periodic
arguments: '/bin /etc/ /sbin'
- type: ssh_integrity_check_linux
frequency: 36000
host: root@example.net
state: periodic
arguments: '/bin /etc/ /sbin'
- type: ssh_integrity_check_linux
frequency: 36000
host: root@example.net
state: periodic
localfiles: localfiles:
- format: 'syslog' - format: 'syslog'
location: '/var/log/messages' location: '/var/log/messages'
@ -79,3 +94,32 @@ ossec_server_config:
location: 'local' location: 'local'
level: 6 level: 6
timeout: 600 timeout: 600
ossec_agent_configs:
- type: os
type_value: linux
frequency_check: 79200
ignore_files:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/svc/volatile
directories:
- check_all: yes
dirs: /etc,/usr/bin,/usr/sbin
- check_all: yes
dirs: /bin,/sbin
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'apache'
location: '/var/log/httpd/error_log'
- format: 'apache'
location: '/var/log/httpd/access_log'
- format: 'apache'
location: '/var/ossec/logs/active-responses.log'

1
passwd
View File

@ -1 +0,0 @@
test

6
user.yml
View File

@ -1,6 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
66616434393463353338336137323935333863353166656135643764626431396331383331353339
3637383166363739306238306465303232623239376263630a613838376432373733633838616632
35636137636665663039336436363962356533353033386239336362343965656361393738316536
3838303338383764610a376232313734643737623330396335383062653136656136633934336135
3336