Changes to syscheck options and centralized configuration

* Perform more checks before enabling agentlessd, authd and csyslog output.
* Add a rule and active-response action to restart agents after
successfully retrieving the agent.conf file from the Wazuh manager.
This commit is contained in:
Miguelangel Freitas 2017-08-23 10:32:04 -04:00
parent c50184edbd
commit 106c206087
8 changed files with 117 additions and 57 deletions


@ -7,9 +7,12 @@ wazuh_register_client: false
wazuh_notify_time: null
wazuh_time_reconnect: null
wazuh_agent_config:
log_format: 'plain'
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
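Review bot: The new `scan_on_start`, `auto_ignore` and `alert_new_files` defaults are correctly quoted, but nothing records why, and a consumer who overrides them with a bare `yes`/`no` gets a YAML boolean that the agent ossec.conf template renders as `True`/`False`, which the syscheck option parser is unlikely to accept as a yes/no value; the same applies to the manager defaults and to the shared agent.conf template in this commit. A one-line comment above `syscheck:` would prevent that, e.g. `# yes/no values must stay quoted: a bare yes/no is loaded as a boolean and rendered as True/False by the templates`. Quoting at the source is the right place, since coercing in the templates would still not produce the `yes`/`no` spelling the configuration expects.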


@ -1,4 +1,5 @@
---
- apt_repository:
- name: Remove Wazuh repository (and clean up left-over metadata)
apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
state: absent


@ -25,6 +25,10 @@
{% endif %}
</client>
<logging>
<log_format>{{ wazuh_agent_config.log_format }}</log_format>
</logging>
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
@ -51,6 +55,8 @@
</rootcheck>
<syscheck>
<auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>


@ -5,6 +5,7 @@ wazuh_manager_config:
json_output: 'yes'
alerts_log: 'yes'
logall: 'no'
log_format: 'plain'
connection:
- type: 'secure'
port: '1514'
@ -52,6 +53,8 @@ wazuh_manager_config:
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
@ -124,6 +127,9 @@ wazuh_manager_config:
expect: 'srcip'
timeout_allowed: 'yes'
active_responses:
- command: 'restart-ossec'
location: 'local'
rules_id: 710001
- command: 'host-deny'
location: 'local'
level: 6
@ -135,10 +141,12 @@ wazuh_manager_config:
wazuh_agent_configs:
- type: os
type_value: linux
type_value: Linux
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab


@ -63,7 +63,7 @@
- name: Configure the shared-agent.conf
template: src=var-ossec-etc-shared-agent.conf.j2
dest=/var/ossec/etc/shared/agent.conf
owner=root
owner=ossec
group=ossec
mode=0640
notify: restart wazuh-manager
@ -71,65 +71,80 @@
- init
- config
- name: Check if client-syslog is enabled
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-csyslogd is running' | xargs echo"
register: csyslog_running
changed_when: False
- name: Enable client-syslog
command: /var/ossec/bin/ossec-control enable client-syslog
when:
- csyslog_running.stdout == '0'
- wazuh_manager_config.syslog_outputs.server is not none
- name: Start client-syslog
command: /var/ossec/bin/ossec-control start client-syslog
when:
- csyslog_running.stdout == '0'
- wazuh_manager_config.syslog_outputs.server is not none
- name: Check if ossec-agentlessd is enabled
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-agentlessd is running' | xargs echo"
register: agentless_running
changed_when: False
- name: Enable ossec-agentlessd
command: /var/ossec/bin/ossec-control enable agentless
when: agentless_running.stdout == '0' and agentless_creeds is defined
- name: Start ossec-agentlessd
command: /var/ossec/bin/ossec-control start agentless
when: agentless_running.stdout == '0' and agentless_creeds is defined
- name: Check if ossec-authd is enabled
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-authd is running' | xargs echo"
register: authd_running
changed_when: False
- name: Enable ossec-authd
command: /var/ossec/bin/ossec-control enable auth
when:
- authd_running.stdout == '0'
- wazuh_manager_config.authd.enable == true
- name: Start ossec-authd
command: /var/ossec/bin/ossec-control start auth
when:
- authd_running.stdout == '0'
- wazuh_manager_config.authd.enable == true
- name: Retrieving Agentless Credentials
include_vars: agentless_creeds.yml
tags:
- config
- name: Retrieving authd Credentials
include_vars: authd_pass.yml
tags:
- config
- name: Retrieving Agentless Credentials
include_vars: agentless_creeds.yml
- name: Retrieving Wazuh-api User Credentials
include_vars: wazuh_api_creds.yml
tags:
- config
- name: Retrieving Wazuh-api User Credentials
include_vars: wazuh_api_creds.yml
- name: Check if syslog output is enabled
set_fact: syslog_output=true
when: item.server is not none
with_items:
- "{{ wazuh_manager_config.syslog_outputs }}"
tags:
- config
- name: Check if client-syslog is enabled
shell: "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
changed_when: False
register: csyslog_enabled
tags:
- config
- name: Enable client-syslog
command: /var/ossec/bin/ossec-control enable client-syslog
notify: restart wazuh-manager
when:
- csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout
- syslog_output is defined and syslog_output == true
tags:
- config
- name: Check if ossec-agentlessd is enabled
shell: "grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
changed_when: False
register: agentlessd_enabled
tags:
- config
- name: Enable ossec-agentlessd
command: /var/ossec/bin/ossec-control enable agentless
notify: restart wazuh-manager
when:
- agentlessd_enabled.stdout == '0' or "skipped" in agentlessd_enabled.stdout
- agentless_creeds is defined
tags:
- config
- name: Check if ossec-authd is enabled
shell: "grep -c 'ossec-authd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
changed_when: False
register: authd_enabled
tags:
- config
- name: Enable ossec-authd
command: /var/ossec/bin/ossec-control enable auth
notify: restart wazuh-manager
when:
- authd_enabled.stdout == '0' or "skipped" in authd_enabled.stdout
- wazuh_manager_config.authd.enable == true
tags:
- config
@ -164,7 +179,7 @@
notify: restart wazuh-manager
when:
- wazuh_manager_config.authd.use_password is defined
- wazuh_manager_config.authd.use_password == true
- wazuh_manager_config.authd.use_password == 'yes'
tags:
- config
@ -178,6 +193,8 @@
no_log: true
notify: restart wazuh-api
when: wazuh_api_user is defined
tags:
- config
- name: Agentless Hosts & Passwd
template:
@ -188,10 +205,14 @@
mode: 0644
no_log: true
when: agentless_creeds is defined
tags:
- config
- name: Encode the secret
shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp
when: agentless_creeds is defined
tags:
- config
- name: Ensure Wazuh Manager, wazuh api service is started and enabled
service:
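Review bot: The `when` clauses at L188, L204 and L220 depend on the text `skipped` appearing in `.stdout` of a check task that `args: removes:` skipped; that text is an informational message the command module happens to put in `stdout` when the `removes` path is absent, not a documented result field, and on Ansible versions that instead return a skipped result with no `stdout` key the `== '0'` comparison hits an undefined attribute and the play errors rather than enabling the service. A check that does not rely on module internals is to drop the `removes` argument and let grep handle the missing file, e.g. `shell: "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list 2>/dev/null | xargs echo"` with `- csyslog_enabled.stdout in ['', '0']`, applied likewise to the agentlessd and authd checks. Separately, the first hunk changes `/var/ossec/etc/shared/agent.conf` from `owner=root` to `owner=ossec` with `mode=0640` unchanged: this file is pushed to every agent and, with this commit, a change to it restarts the agents, so write access should stay with root unless a manager daemon running as `ossec` genuinely has to write it — group `ossec` read access was already granted by the mode, so the ownership change does not appear to be needed for readers.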


@ -1,4 +1,4 @@
#jinja2: trim_blocks:False
#jinja2: trim_blocks: False
<!--
Wazuh - Manager - Default configuration
More info at: https://documentation.wazuh.com
@ -22,6 +22,10 @@
<email_from>{{ wazuh_manager_config.mail_from }}</email_from>
</global>
<logging>
<log_format>{{ wazuh_manager_config.log_format }}</log_format>
</logging>
{% if wazuh_manager_config.authd.enable == true %}
<auth>
<disabled>no</disabled>
@ -95,11 +99,11 @@
</alerts>
<remote>
{% for connection in wazuh_manager_config.connection %}
{% for connection in wazuh_manager_config.connection %}
<connection>{{ connection.type }}</connection>
<port>{{ connection.port }}</port>
<protocol>{{ connection.protocol }}</protocol>
{% endfor %}
{% endfor %}
</remote>
<rootcheck>
@ -128,6 +132,8 @@
</rootcheck>
<syscheck>
<auto_ignore>{{ wazuh_manager_config.syscheck.auto_ignore }}</auto_ignore>
<alert_new_files>{{ wazuh_manager_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>


@ -1,7 +1,10 @@
#jinja2: trim_blocks: False
{% if wazuh_agent_configs is defined %}
{% for agent_config in wazuh_agent_configs %}
<agent_config {{ agent_config.type }}="{{ agent_config.type_value }}">
<syscheck>
<auto_ignore>{{ agent_config.syscheck.auto_ignore }}</auto_ignore>
<alert_new_files>{{ agent_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ agent_config.syscheck.scan_on_start }}</scan_on_start>


@ -1,5 +1,17 @@
<!-- Local rules -->
<!--
Used with active-response to restart an agent when agent.conf file
is successfully retrieved.
-->
<group name="local,ossec,">
<rule id="710001" level="1">
<if_group>syscheck</if_group>
<match>/var/ossec/etc/shared/agent.conf</match>
<description>agent.conf was modified</description>
</rule>
</group>
<!-- Modify it at your will. -->
<!-- Example -->
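Review bot: Rule 710001 matches the substring `/var/ossec/etc/shared/agent.conf` in any event of the `syscheck` group, so it fires when the file is added, changed or deleted, and through the `restart-ossec` active response bound to `rules_id: 710001` in the manager defaults it restarts the agent in each of those cases, not only after a successful retrieval as the commit description says. If modification is the intent, restrict the parent with `<if_sid>` to the stock syscheck "integrity checksum changed" rule (550 in the OSSEC ruleset; confirm against the shipped rules) instead of `<if_group>syscheck</if_group>`, and keep in mind that `<match>` is a substring test, so any longer path containing this one would trigger the restart too. With `level="1"` the triggering alert may fall below the manager's `log_alert_level` and never reach alerts.log, which makes unexpected restarts hard to trace; a comment such as `<!-- level 1 may be below log_alert_level: raise it if agent restarts need to be auditable -->` would record that trade-off.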