Changes to syscheck options and centralized configuration

* Perform more checks before enable agentlessd, authd a csyslog output. * Add a rule and active-respose action to restart agents after successfully retrieve agent.conf file from the Wazuh manager.
2017-08-23 10:32:04 -04:00 · 2017-08-23 10:32:04 -04:00 · 106c206087
commit 106c206087
parent c50184edbd
8 changed files with 117 additions and 57 deletions
--- a/ansible-wazuh-agent/defaults/main.yml
+++ b/ansible-wazuh-agent/defaults/main.yml
@ -7,9 +7,12 @@ wazuh_register_client: false
 wazuh_notify_time: null
 wazuh_time_reconnect: null
 wazuh_agent_config:
  log_format: 'plain'
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
      - /etc/mtab
      - /etc/mnttab
--- a/ansible-wazuh-agent/tasks/RMDebian.yml
+++ b/ansible-wazuh-agent/tasks/RMDebian.yml
@ -1,4 +1,5 @@
 ---
- apt_repository:
+- name: Remove Wazuh repository (and clean up left-over metadata)
  apt_repository:
    repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
    state: absent
--- a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@ -25,6 +25,10 @@
    {% endif %}
  </client>
  <logging>
    <log_format>{{ wazuh_agent_config.log_format }}</log_format>
  </logging>
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
@ -51,6 +55,8 @@
  </rootcheck>
  <syscheck>
    <auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
    <alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files>
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
    <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
    <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
--- a/ansible-wazuh-manager/defaults/main.yml
+++ b/ansible-wazuh-manager/defaults/main.yml
@ -5,6 +5,7 @@ wazuh_manager_config:
  json_output: 'yes'
  alerts_log: 'yes'
  logall: 'no'
  log_format: 'plain'
  connection:
    - type: 'secure'
      port: '1514'
@ -52,6 +53,8 @@ wazuh_manager_config:
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
      - /etc/mtab
      - /etc/mnttab
@ -124,6 +127,9 @@ wazuh_manager_config:
      expect: 'srcip'
      timeout_allowed: 'yes'
  active_responses:
    - command: 'restart-ossec'
      location: 'local'
      rules_id: 710001
    - command: 'host-deny'
      location: 'local'
      level: 6
@ -135,10 +141,12 @@ wazuh_manager_config:
 wazuh_agent_configs:
  - type: os
-    type_value: linux
+    type_value: Linux
    syscheck:
      frequency: 43200
      scan_on_start: 'yes'
      auto_ignore: 'no'
      alert_new_files: 'yes'
      ignore:
      - /etc/mtab
      - /etc/mnttab
--- a/ansible-wazuh-manager/tasks/main.yml
+++ b/ansible-wazuh-manager/tasks/main.yml
@ -63,7 +63,7 @@
 - name: Configure the shared-agent.conf
  template: src=var-ossec-etc-shared-agent.conf.j2
            dest=/var/ossec/etc/shared/agent.conf
-            owner=root
+            owner=ossec
            group=ossec
            mode=0640
  notify: restart wazuh-manager
@ -71,65 +71,80 @@
    - init
    - config
- name: Check if client-syslog is enabled
+- name: Retrieving Agentless Credentials
-  shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-csyslogd is running' | xargs echo"
+  include_vars: agentless_creeds.yml
-  register: csyslog_running
+  tags:
-  changed_when: False
+    - config
 - name: Enable client-syslog
  command: /var/ossec/bin/ossec-control enable client-syslog
  when:
    - csyslog_running.stdout == '0'
    - wazuh_manager_config.syslog_outputs.server is not none
 - name: Start client-syslog
  command: /var/ossec/bin/ossec-control start client-syslog
  when:
    - csyslog_running.stdout == '0'
    - wazuh_manager_config.syslog_outputs.server is not none
 - name: Check if ossec-agentlessd is enabled
  shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-agentlessd is running' | xargs echo"
  register: agentless_running
  changed_when: False
 - name: Enable ossec-agentlessd
  command: /var/ossec/bin/ossec-control enable agentless
  when: agentless_running.stdout == '0' and agentless_creeds is defined
 - name: Start ossec-agentlessd
  command: /var/ossec/bin/ossec-control start agentless
  when: agentless_running.stdout == '0' and agentless_creeds is defined
 - name: Check if ossec-authd is enabled
  shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-authd is running' | xargs echo"
  register: authd_running
  changed_when: False
 - name: Enable ossec-authd
  command: /var/ossec/bin/ossec-control enable auth
  when:
    - authd_running.stdout == '0'
    - wazuh_manager_config.authd.enable == true
 - name: Start ossec-authd
  command: /var/ossec/bin/ossec-control start auth
  when:
    - authd_running.stdout == '0'
    - wazuh_manager_config.authd.enable == true
 - name: Retrieving authd Credentials
  include_vars: authd_pass.yml
  tags:
    - config
- name: Retrieving Agentless Credentials
+- name: Retrieving Wazuh-api User Credentials
-  include_vars: agentless_creeds.yml
+  include_vars: wazuh_api_creds.yml
  tags:
    - config
- name: Retrieving Wazuh-api User Credentials
+- name: Check if syslog output is enabled
-  include_vars: wazuh_api_creds.yml
+  set_fact: syslog_output=true
  when: item.server is not none
  with_items:
    - "{{ wazuh_manager_config.syslog_outputs }}"
  tags:
    - config
 - name: Check if client-syslog is enabled
  shell: "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo"
  args:
    removes: /var/ossec/bin/.process_list
  changed_when: False
  register: csyslog_enabled
  tags:
    - config
 - name: Enable client-syslog
  command: /var/ossec/bin/ossec-control enable client-syslog
  notify: restart wazuh-manager
  when:
    - csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout
    - syslog_output is defined and syslog_output == true
  tags:
    - config
 - name: Check if ossec-agentlessd is enabled
  shell: "grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo"
  args:
    removes: /var/ossec/bin/.process_list
  changed_when: False
  register: agentlessd_enabled
  tags:
    - config
 - name: Enable ossec-agentlessd
  command: /var/ossec/bin/ossec-control enable agentless
  notify: restart wazuh-manager
  when:
    - agentlessd_enabled.stdout == '0' or "skipped" in agentlessd_enabled.stdout
    - agentless_creeds is defined
  tags:
    - config
 - name: Check if ossec-authd is enabled
  shell: "grep -c 'ossec-authd' /var/ossec/bin/.process_list | xargs echo"
  args:
    removes: /var/ossec/bin/.process_list
  changed_when: False
  register: authd_enabled
  tags:
    - config
 - name: Enable ossec-authd
  command: /var/ossec/bin/ossec-control enable auth
  notify: restart wazuh-manager
  when:
    - authd_enabled.stdout == '0' or "skipped" in authd_enabled.stdout
    - wazuh_manager_config.authd.enable == true
  tags:
    - config
@ -164,7 +179,7 @@
  notify: restart wazuh-manager
  when:
    - wazuh_manager_config.authd.use_password is defined
-    - wazuh_manager_config.authd.use_password == true
+    - wazuh_manager_config.authd.use_password == 'yes'
  tags:
    - config
@ -178,6 +193,8 @@
  no_log: true
  notify: restart wazuh-api
  when: wazuh_api_user is defined
  tags:
    - config
 - name: Agentless Hosts & Passwd
  template:
@ -188,10 +205,14 @@
    mode: 0644
  no_log: true
  when: agentless_creeds is defined
  tags:
    - config
 - name: Encode the secret
  shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp
  when: agentless_creeds is defined
  tags:
    - config
 - name: Ensure Wazuh Manager, wazuh api service is started and enabled
  service:
--- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@ -22,6 +22,10 @@
    <email_from>{{ wazuh_manager_config.mail_from }}</email_from>
  </global>
  <logging>
    <log_format>{{ wazuh_manager_config.log_format }}</log_format>
  </logging>
 {% if wazuh_manager_config.authd.enable == true %}
  <auth>
    <disabled>no</disabled>
@ -128,6 +132,8 @@
  </rootcheck>
  <syscheck>
    <auto_ignore>{{ wazuh_manager_config.syscheck.auto_ignore }}</auto_ignore>
    <alert_new_files>{{ wazuh_manager_config.syscheck.alert_new_files }}</alert_new_files>
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
    <frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
    <scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>
--- a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
@ -1,7 +1,10 @@
 #jinja2: trim_blocks: False
 {% if wazuh_agent_configs is defined %}
 {% for agent_config in wazuh_agent_configs %}
 <agent_config {{ agent_config.type }}="{{ agent_config.type_value }}">
  <syscheck>
    <auto_ignore>{{ agent_config.syscheck.auto_ignore }}</auto_ignore>
    <alert_new_files>{{ agent_config.syscheck.alert_new_files }}</alert_new_files>
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
    <frequency>{{ agent_config.syscheck.frequency }}</frequency>
    <scan_on_start>{{ agent_config.syscheck.scan_on_start }}</scan_on_start>
--- a/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2
@ -1,5 +1,17 @@
 <!-- Local rules -->
 <!--
 Used with active-response to restart an agent when agent.conf file
 is successfully retrieved.
 -->
 <group name="local,ossec,">
  <rule id="710001" level="1">
    <if_group>syscheck</if_group>
    <match>/var/ossec/etc/shared/agent.conf</match>
    <description>agent.conf was modified</description>
  </rule>
 </group>
 <!-- Modify it at your will. -->
 <!-- Example -->