Changes to syscheck options and centralized configuration

* Perform more checks before enabling agentlessd, authd and csyslog output.
* Add a rule and active-response action to restart agents after
successfully retrieving the agent.conf file from the Wazuh manager.
This commit is contained in:
Miguelangel Freitas 2017-08-23 10:32:04 -04:00
parent c50184edbd
commit 106c206087
8 changed files with 117 additions and 57 deletions


@ -7,9 +7,12 @@ wazuh_register_client: false
wazuh_notify_time: null wazuh_notify_time: null
wazuh_time_reconnect: null wazuh_time_reconnect: null
wazuh_agent_config: wazuh_agent_config:
log_format: 'plain'
syscheck: syscheck:
frequency: 43200 frequency: 43200
scan_on_start: 'yes' scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore: ignore:
- /etc/mtab - /etc/mtab
- /etc/mnttab - /etc/mnttab
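Review bot: The new keys `log_format`, `auto_ignore` and `alert_new_files` are rendered verbatim into ossec.conf by the agent template in this commit, yet nothing in the defaults says which values they accept, so a misspelling such as `'Yes'` only surfaces when the daemon rejects its configuration. A short comment above each, e.g. `# rendered as-is into <syscheck>; presumably only 'yes' or 'no' are valid`, would make the contract visible at the place the value is set. Keeping them as quoted strings, as done here, is the right call — an unquoted `no` would become a YAML boolean and render as `False`.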


@ -1,4 +1,5 @@
--- ---
- apt_repository: - name: Remove Wazuh repository (and clean up left-over metadata)
apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
state: absent state: absent


@ -25,6 +25,10 @@
{% endif %} {% endif %}
</client> </client>
<logging>
<log_format>{{ wazuh_agent_config.log_format }}</log_format>
</logging>
<rootcheck> <rootcheck>
<disabled>no</disabled> <disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit> <check_unixaudit>yes</check_unixaudit>
@ -51,6 +55,8 @@
</rootcheck> </rootcheck>
<syscheck> <syscheck>
<auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours --> <!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency> <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start> <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
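Review bot: `wazuh_agent_config.syscheck.auto_ignore` and `.alert_new_files` are referenced unconditionally, which makes them mandatory keys: an inventory that overrides `wazuh_agent_config` as a whole (Ansible replaces the dictionary rather than merging it unless hash_behaviour is set to merge) will fail to render this template with an undefined-attribute error. Guarding each reference with a default, e.g. `<auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore | default('no') }}</auto_ignore>`, keeps existing inventories working; the same applies to `<log_format>` in the previous hunk and to the matching new lines in the manager ossec.conf and shared agent.conf templates of this commit. As far as I recall `alert_new_files` is documented as a manager-side syscheck option, so it is worth confirming the agent daemon honours it before shipping it in the agent configuration. The enclosing `<syscheck>` element continues past the hunk.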


@ -5,6 +5,7 @@ wazuh_manager_config:
json_output: 'yes' json_output: 'yes'
alerts_log: 'yes' alerts_log: 'yes'
logall: 'no' logall: 'no'
log_format: 'plain'
connection: connection:
- type: 'secure' - type: 'secure'
port: '1514' port: '1514'
@ -52,6 +53,8 @@ wazuh_manager_config:
syscheck: syscheck:
frequency: 43200 frequency: 43200
scan_on_start: 'yes' scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore: ignore:
- /etc/mtab - /etc/mtab
- /etc/mnttab - /etc/mnttab
@ -124,6 +127,9 @@ wazuh_manager_config:
expect: 'srcip' expect: 'srcip'
timeout_allowed: 'yes' timeout_allowed: 'yes'
active_responses: active_responses:
- command: 'restart-ossec'
location: 'local'
rules_id: 710001
- command: 'host-deny' - command: 'host-deny'
location: 'local' location: 'local'
level: 6 level: 6
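Review bot: `rules_id: 710001` couples this defaults file to a rule defined in the local_rules.xml template of the same commit, but nothing here records that dependency; a comment such as `# 710001: "agent.conf was modified" rule in local_rules.xml.j2 — keep both in sync` would save the next maintainer a search. With `location: 'local'` the `restart-ossec` response runs on the agent that produced the syscheck event, which is the intent, but it presumes active response is not disabled in the agent configuration, something this page does not show. Separately, the `type_value: linux` → `Linux` change in the last hunk is not mentioned in the commit message; if the `os` attribute match is case-sensitive (I believe it is), a comment on that line naming the expected spelling would prevent a regression.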
@ -135,10 +141,12 @@ wazuh_manager_config:
wazuh_agent_configs: wazuh_agent_configs:
- type: os - type: os
type_value: linux type_value: Linux
syscheck: syscheck:
frequency: 43200 frequency: 43200
scan_on_start: 'yes' scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore: ignore:
- /etc/mtab - /etc/mtab
- /etc/mnttab - /etc/mnttab


@ -63,7 +63,7 @@
- name: Configure the shared-agent.conf - name: Configure the shared-agent.conf
template: src=var-ossec-etc-shared-agent.conf.j2 template: src=var-ossec-etc-shared-agent.conf.j2
dest=/var/ossec/etc/shared/agent.conf dest=/var/ossec/etc/shared/agent.conf
owner=root owner=ossec
group=ossec group=ossec
mode=0640 mode=0640
notify: restart wazuh-manager notify: restart wazuh-manager
@ -71,65 +71,80 @@
- init - init
- config - config
- name: Check if client-syslog is enabled - name: Retrieving Agentless Credentials
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-csyslogd is running' | xargs echo" include_vars: agentless_creeds.yml
register: csyslog_running tags:
changed_when: False - config
- name: Enable client-syslog
command: /var/ossec/bin/ossec-control enable client-syslog
when:
- csyslog_running.stdout == '0'
- wazuh_manager_config.syslog_outputs.server is not none
- name: Start client-syslog
command: /var/ossec/bin/ossec-control start client-syslog
when:
- csyslog_running.stdout == '0'
- wazuh_manager_config.syslog_outputs.server is not none
- name: Check if ossec-agentlessd is enabled
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-agentlessd is running' | xargs echo"
register: agentless_running
changed_when: False
- name: Enable ossec-agentlessd
command: /var/ossec/bin/ossec-control enable agentless
when: agentless_running.stdout == '0' and agentless_creeds is defined
- name: Start ossec-agentlessd
command: /var/ossec/bin/ossec-control start agentless
when: agentless_running.stdout == '0' and agentless_creeds is defined
- name: Check if ossec-authd is enabled
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-authd is running' | xargs echo"
register: authd_running
changed_when: False
- name: Enable ossec-authd
command: /var/ossec/bin/ossec-control enable auth
when:
- authd_running.stdout == '0'
- wazuh_manager_config.authd.enable == true
- name: Start ossec-authd
command: /var/ossec/bin/ossec-control start auth
when:
- authd_running.stdout == '0'
- wazuh_manager_config.authd.enable == true
- name: Retrieving authd Credentials - name: Retrieving authd Credentials
include_vars: authd_pass.yml include_vars: authd_pass.yml
tags: tags:
- config - config
- name: Retrieving Agentless Credentials - name: Retrieving Wazuh-api User Credentials
include_vars: agentless_creeds.yml include_vars: wazuh_api_creds.yml
tags: tags:
- config - config
- name: Retrieving Wazuh-api User Credentials - name: Check if syslog output is enabled
include_vars: wazuh_api_creds.yml set_fact: syslog_output=true
when: item.server is not none
with_items:
- "{{ wazuh_manager_config.syslog_outputs }}"
tags:
- config
- name: Check if client-syslog is enabled
shell: "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
changed_when: False
register: csyslog_enabled
tags:
- config
- name: Enable client-syslog
command: /var/ossec/bin/ossec-control enable client-syslog
notify: restart wazuh-manager
when:
- csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout
- syslog_output is defined and syslog_output == true
tags:
- config
- name: Check if ossec-agentlessd is enabled
shell: "grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
changed_when: False
register: agentlessd_enabled
tags:
- config
- name: Enable ossec-agentlessd
command: /var/ossec/bin/ossec-control enable agentless
notify: restart wazuh-manager
when:
- agentlessd_enabled.stdout == '0' or "skipped" in agentlessd_enabled.stdout
- agentless_creeds is defined
tags:
- config
- name: Check if ossec-authd is enabled
shell: "grep -c 'ossec-authd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
changed_when: False
register: authd_enabled
tags:
- config
- name: Enable ossec-authd
command: /var/ossec/bin/ossec-control enable auth
notify: restart wazuh-manager
when:
- authd_enabled.stdout == '0' or "skipped" in authd_enabled.stdout
- wazuh_manager_config.authd.enable == true
tags: tags:
- config - config
@ -164,7 +179,7 @@
notify: restart wazuh-manager notify: restart wazuh-manager
when: when:
- wazuh_manager_config.authd.use_password is defined - wazuh_manager_config.authd.use_password is defined
- wazuh_manager_config.authd.use_password == true - wazuh_manager_config.authd.use_password == 'yes'
tags: tags:
- config - config
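Review bot: `wazuh_manager_config.authd.use_password == 'yes'` now compares against a string while `authd.enable == true` earlier in this file (and in the manager template) still compares against a boolean, so two switches in the same dictionary follow different conventions. If the defaults or an inventory write `use_password: yes` unquoted, a YAML 1.1 parser turns it into boolean `True`, the comparison is false and this task is silently skipped — presumably leaving authd, when enabled, without the password it was meant to get. Either keep the boolean test (`- wazuh_manager_config.authd.use_password == true`) or accept both spellings with `- wazuh_manager_config.authd.use_password | bool`, and state in the defaults which form is expected. The task this condition belongs to starts before the hunk.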
@ -178,6 +193,8 @@
no_log: true no_log: true
notify: restart wazuh-api notify: restart wazuh-api
when: wazuh_api_user is defined when: wazuh_api_user is defined
tags:
- config
- name: Agentless Hosts & Passwd - name: Agentless Hosts & Passwd
template: template:
@ -188,10 +205,14 @@
mode: 0644 mode: 0644
no_log: true no_log: true
when: agentless_creeds is defined when: agentless_creeds is defined
tags:
- config
- name: Encode the secret - name: Encode the secret
shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp
when: agentless_creeds is defined when: agentless_creeds is defined
tags:
- config
- name: Ensure Wazuh Manager, wazuh api service is started and enabled - name: Ensure Wazuh Manager, wazuh api service is started and enabled
service: service:


@ -1,4 +1,4 @@
#jinja2: trim_blocks:False #jinja2: trim_blocks: False
<!-- <!--
Wazuh - Manager - Default configuration Wazuh - Manager - Default configuration
More info at: https://documentation.wazuh.com More info at: https://documentation.wazuh.com
@ -22,6 +22,10 @@
<email_from>{{ wazuh_manager_config.mail_from }}</email_from> <email_from>{{ wazuh_manager_config.mail_from }}</email_from>
</global> </global>
<logging>
<log_format>{{ wazuh_manager_config.log_format }}</log_format>
</logging>
{% if wazuh_manager_config.authd.enable == true %} {% if wazuh_manager_config.authd.enable == true %}
<auth> <auth>
<disabled>no</disabled> <disabled>no</disabled>
@ -95,11 +99,11 @@
</alerts> </alerts>
<remote> <remote>
{% for connection in wazuh_manager_config.connection %} {% for connection in wazuh_manager_config.connection %}
<connection>{{ connection.type }}</connection> <connection>{{ connection.type }}</connection>
<port>{{ connection.port }}</port> <port>{{ connection.port }}</port>
<protocol>{{ connection.protocol }}</protocol> <protocol>{{ connection.protocol }}</protocol>
{% endfor %} {% endfor %}
</remote> </remote>
<rootcheck> <rootcheck>
@ -128,6 +132,8 @@
</rootcheck> </rootcheck>
<syscheck> <syscheck>
<auto_ignore>{{ wazuh_manager_config.syscheck.auto_ignore }}</auto_ignore>
<alert_new_files>{{ wazuh_manager_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours --> <!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency> <frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start> <scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>


@ -1,7 +1,10 @@
#jinja2: trim_blocks: False
{% if wazuh_agent_configs is defined %} {% if wazuh_agent_configs is defined %}
{% for agent_config in wazuh_agent_configs %} {% for agent_config in wazuh_agent_configs %}
<agent_config {{ agent_config.type }}="{{ agent_config.type_value }}"> <agent_config {{ agent_config.type }}="{{ agent_config.type_value }}">
<syscheck> <syscheck>
<auto_ignore>{{ agent_config.syscheck.auto_ignore }}</auto_ignore>
<alert_new_files>{{ agent_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours --> <!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ agent_config.syscheck.frequency }}</frequency> <frequency>{{ agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ agent_config.syscheck.scan_on_start }}</scan_on_start> <scan_on_start>{{ agent_config.syscheck.scan_on_start }}</scan_on_start>


@ -1,5 +1,17 @@
<!-- Local rules --> <!-- Local rules -->
<!--
Used with active-response to restart an agent when agent.conf file
is successfully retrieved.
-->
<group name="local,ossec,">
<rule id="710001" level="1">
<if_group>syscheck</if_group>
<match>/var/ossec/etc/shared/agent.conf</match>
<description>agent.conf was modified</description>
</rule>
</group>
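Review bot: Rule id `710001` lies outside the range that OSSEC/Wazuh documentation reserves for user-defined rules (100000 upwards, as far as I recall), so it may one day collide with a rule shipped in the upstream ruleset; moving it into the local range and saying so in the comment block would avoid that. `<match>` is a substring test, so the rule also fires on any syscheck event whose path merely contains `/var/ossec/etc/shared/agent.conf` (a backup copy with a suffix, for instance), and every such event triggers the agent restart wired to this id in the manager defaults — a tighter `<match>` or a note in the comment about that scope would help. The rule is level 1; whether the manager's log_alert_level lets a level-1 alert reach active response is not visible on this page and worth confirming.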
<!-- Modify it at your will. --> <!-- Modify it at your will. -->
<!-- Example --> <!-- Example -->