Merge pull request #18 from wazuh/elastic6_wazuh3

Updating roles to new Elastic Stack and Wazuh versions.
José Luis Ruiz 2018-01-31 11:25:51 +01:00 committed by GitHub
commit 29f1f5ff59
GPG Key ID: 4AEE18F83AFDEB23
46 changed files with 1014 additions and 1211 deletions

.gitignore vendored

@ -1,7 +1,8 @@
*.retry *.retry
wazuh-manager.yml
wazuh-agent.yml wazuh-agent.yml
elk.yml wazuh-elastic_stack-distributed.yml
wazuh-elastic_stack-single.yml
wazuh-elastic.yml wazuh-elastic.yml
wazuh-kibana.yml wazuh-kibana.yml
wazuh-logstash.yml wazuh-logstash.yml
wazuh-manager.yml


@ -4,6 +4,6 @@ elasticsearch_node_name: node-1
elasticsearch_http_port: 9200 elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1 elasticsearch_network_host: 127.0.0.1
elasticsearch_jvm_xms: null elasticsearch_jvm_xms: null
elastic_stack_version: 5.6.4 elastic_stack_version: 6.1.2
elasticsearch_shards: 5 elasticsearch_shards: 5
elasticsearch_replicas: 1 elasticsearch_replicas: 1


@ -28,7 +28,7 @@
- name: Debian/Ubuntu | Install Elastic repo - name: Debian/Ubuntu | Install Elastic repo
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present state: present
filename: 'elastic_repo' filename: 'elastic_repo'


@ -15,8 +15,8 @@
- name: RedHat/CentOS/Fedora | Install Elastic repo - name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
description: Elastic repository for 5.x packages description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes gpgcheck: yes


@ -5,6 +5,49 @@
- import_tasks: Debian.yml - import_tasks: Debian.yml
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: Create elasticsearch.service.d folder.
file: path=/etc/systemd/system/elasticsearch.service.d/ state=directory
when:
- ansible_service_mgr == "systemd"
- name: Configure Elasticsearch System Resources.
template:
src: elasticsearch_systemd.conf.j2
dest: /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf
owner: root
group: elasticsearch
mode: 0660
notify: restart elasticsearch
tags: configure
when:
- ansible_service_mgr == "systemd"
- name: Debian/Ubuntu | Configure Elasticsearch System Resources.
template:
src: elasticsearch_nonsystemd.j2
dest: /etc/default/elasticsearch
owner: root
group: elasticsearch
mode: 0660
notify: restart elasticsearch
tags: configure
when:
- ansible_service_mgr != "systemd"
- ansible_os_family == "Debian"
- name: RedHat/CentOS/Fedora | Configure Elasticsearch System Resources.
template:
src: elasticsearch_nonsystemd.j2
dest: /etc/sysconfig/elasticsearch
owner: root
group: elasticsearch
mode: 0660
notify: restart elasticsearch
tags: configure
when:
- ansible_service_mgr != "systemd"
- ansible_os_family == "RedHat"
- name: Configure Elasticsearch. - name: Configure Elasticsearch.
template: template:
src: elasticsearch.yml.j2 src: elasticsearch.yml.j2
@ -25,6 +68,10 @@
notify: restart elasticsearch notify: restart elasticsearch
tags: configure tags: configure
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Ensure Elasticsearch started and enabled - name: Ensure Elasticsearch started and enabled
service: service:
name: elasticsearch name: elasticsearch
@ -37,31 +84,50 @@
- configure - configure
- init - init
- name: Check for Wazuh template - name: Check for Wazuh Alerts template
uri: uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
method: GET method: GET
status_code: 200, 404 status_code: 200, 404
register: wazuh_template_exits register: wazuh_alerts_template_exits
tags: init tags: init
- name: Installing Wazuh template - name: Installing Wazuh Alerts template
uri: uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
method: PUT method: PUT
status_code: 200 status_code: 200
body_format: json body_format: json
body: "{{ lookup('template','wazuh-elastic5-template.json.j2') }}" body: "{{ lookup('template','wazuh-elastic6-template-alerts.json.j2') }}"
when: wazuh_template_exits.status != 200 when: wazuh_alerts_template_exits.status != 200
tags: init tags: init
- name: Injecting sample alert - name: Injecting sample alert
uri: uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample" url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-3.x-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample"
method: PUT method: PUT
status_code: 200, 201 status_code: 200, 201
body_format: json body_format: json
body: "{{ lookup('template','alert_sample.json.j2') }}" body: "{{ lookup('template','alert_sample.json.j2') }}"
when: wazuh_alerts_template_exits.status != 200
tags: init
- name: Check for Wazuh Monitoring template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent"
method: GET
status_code: 200, 404
register: wazuh_monitoring_template_exits
tags: init
- name: Installing Wazuh Monitoring template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent"
method: PUT
status_code: 200
body_format: json
body: "{{ lookup('template','wazuh-elastic6-template-monitoring.json.j2') }}"
when: wazuh_monitoring_template_exits.status != 200
tags: init tags: init
- import_tasks: "RMRedHat.yml" - import_tasks: "RMRedHat.yml"
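Review bot: The new `Reload systemd` task in the second hunk runs `systemd: daemon_reload=yes` on every host and then hides the outcome with `ignore_errors: yes`, which also swallows a real daemon-reload failure on systemd hosts just before the service is started; the service.d directory task in the first hunk already uses the correct gate. Drop `ignore_errors` and condition the task the same way, `when: ansible_service_mgr == "systemd"`. The same task is copied into the Filebeat, Kibana and Logstash main.yml hunks further down this commit and needs the same change. In the first hunk the three template tasks pass `mode: 0660` as a bare scalar, which only works because of YAML 1.1 leading-zero octal handling; `mode: "0660"` is explicit and linter-clean, and the `file: path=... state=directory` / `systemd: daemon_reload=yes` key=value shorthand could be written as block YAML like the surrounding tasks.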


@ -1,11 +1,7 @@
{ {
"@timestamp": "2015-03-18T15:55:55.000Z", "@timestamp": "2015-03-18T15:55:55.000Z",
"AlertsFile": "sample", "AlertsFile": "sample",
"title": "sample",
"full_log": "sample", "full_log": "sample",
"id": "sample",
"srcuser": "sample",
"srcip": "sample",
"location": "sample", "location": "sample",
"GeoLocation": { "GeoLocation": {
"country_name": "sample", "country_name": "sample",
@ -14,34 +10,50 @@
"agent": { "agent": {
"name": "sample" "name": "sample"
}, },
"audit": { "data": {
"command": "sample", "title": "sample",
"type": "sample", "protocol": "sample",
"egid": "sample", "action": "sample",
"euid": "sample", "srcip": "sample",
"exe": "sample", "dstip": "sample",
"gid": "sample", "srcport": "sample",
"uid": "sample", "dstport": "sample",
"directory": { "srcuser": "sample",
"name": "sample" "dstuser": "sample",
}, "id": "sample",
"file": { "status": "sample",
"mode": "sample", "data": "sample",
"name": "sample" "system_name": "sample",
} "url": "sample",
}, "audit": {
"oscap": { "command": "sample",
"check": { "type": "sample",
"result": "sample", "egid": "sample",
"severity": "sample", "euid": "sample",
"title": "sample" "exe": "sample",
}, "gid": "sample",
"scan": { "uid": "sample",
"id": "sample", "directory": {
"content": "sample", "name": "sample"
"score": 1.55, },
"profile": { "file": {
"mode": "sample",
"name": "sample"
}
},
"oscap": {
"check": {
"result": "sample",
"severity": "sample",
"title": "sample" "title": "sample"
},
"scan": {
"id": "sample",
"content": "sample",
"score": 1.55,
"profile": {
"title": "sample"
}
} }
} }
}, },


@ -31,17 +31,17 @@ node.name: {{ elasticsearch_node_name }}
# #
# Path to directory where to store the data (separate multiple locations by comma): # Path to directory where to store the data (separate multiple locations by comma):
# #
#path.data: /path/to/data path.data: /var/lib/elasticsearch
# #
# Path to log files: # Path to log files:
# #
#path.logs: /path/to/logs path.logs: /var/log/elasticsearch
# #
# ----------------------------------- Memory ----------------------------------- # ----------------------------------- Memory -----------------------------------
# #
# Lock the memory on startup: # Lock the memory on startup:
# #
#bootstrap.memory_lock: true bootstrap.memory_lock: true
# #
# Make sure that the heap size is set to about half the memory available # Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this # on the system and that the owner of the process is allowed to use this
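Review bot: The hunk hard-codes `path.data: /var/lib/elasticsearch`, `path.logs: /var/log/elasticsearch` and `bootstrap.memory_lock: true` in the template while the neighbouring settings (`node.name`, the heap size) are driven from role variables; exposing them as defaults, e.g. `elasticsearch_path_data`/`elasticsearch_path_logs` with these values, would let an operator relocate the data volume without editing the role. `bootstrap.memory_lock: true` also depends on the memory-lock limits that this same commit adds in the systemd drop-in and the non-systemd defaults file, and I believe Elasticsearch refuses to start on a non-loopback bind when the lock cannot be obtained; a one-line comment above the setting naming that dependency (`# requires LimitMEMLOCK/MAX_LOCKED_MEMORY=unlimited, see elasticsearch_systemd.conf.j2`) would keep the two from drifting apart.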


@ -0,0 +1,52 @@
# {{ ansible_managed }}
################################
# Elasticsearch
################################
# Elasticsearch home directory
#ES_HOME=/usr/share/elasticsearch
# Elasticsearch Java path
#JAVA_HOME=
# Elasticsearch configuration directory
ES_PATH_CONF=/etc/elasticsearch
# Elasticsearch PID directory
#PID_DIR=/var/run/elasticsearch
# Additional Java OPTS
#ES_JAVA_OPTS=
# Configure restart on package upgrade (true, every other setting will lead to not restarting)
#RESTART_ON_UPGRADE=true
################################
# Elasticsearch service
################################
# SysV init.d
#
# The number of seconds to wait before checking if Elasticsearch started successfully as a daemon process
ES_STARTUP_SLEEP_TIME=5
################################
# System properties
################################
# Specifies the maximum file descriptor number that can be opened by this process
# When using Systemd, this setting is ignored and the LimitNOFILE defined in
# /usr/lib/systemd/system/elasticsearch.service takes precedence
#MAX_OPEN_FILES=65536
# The maximum number of bytes of memory that may be locked into RAM
# Set to "unlimited" if you use the 'bootstrap.memory_lock: true' option
# in elasticsearch.yml.
# When using systemd, LimitMEMLOCK must be set in a unit file such as
# /etc/systemd/system/elasticsearch.service.d/override.conf.
MAX_LOCKED_MEMORY=unlimited
# Maximum number of VMA (Virtual Memory Areas) a process can own
# When using Systemd, this setting is ignored and the 'vm.max_map_count'
# property is set at boot time in /usr/lib/sysctl.d/elasticsearch.conf
#MAX_MAP_COUNT=262144


@ -0,0 +1,3 @@
# {{ ansible_managed }}
[Service]
LimitMEMLOCK=infinity


@ -18,6 +18,9 @@
## ##
################################################################ ################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
# Xms represents the initial size of total heap space # Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space # Xmx represents the maximum size of total heap space
{% if elasticsearch_jvm_xms is not none %} {% if elasticsearch_jvm_xms is not none %}
@ -50,18 +53,15 @@
## optimizations ## optimizations
# disable calls to System#gc
-XX:+DisableExplicitGC
# pre-touch memory pages used by the JVM during initialization # pre-touch memory pages used by the JVM during initialization
-XX:+AlwaysPreTouch -XX:+AlwaysPreTouch
## basic ## basic
# force the server VM (remove on 32-bit client JVMs) # force the server VM
-server -server
# explicitly set the stack size (reduce to 320k on 32-bit client JVMs) # explicitly set the stack size
-Xss1m -Xss1m
# set to headless, just in case # set to headless, just in case
@ -73,8 +73,9 @@
# use our provided JNA always versus the system one # use our provided JNA always versus the system one
-Djna.nosys=true -Djna.nosys=true
# use old-style file permissions on JDK9 # turn off a JDK optimization that throws away stack traces for common
-Djdk.io.permissionsUseCanonicalPath=true # exceptions because stack traces are important for debugging
-XX:-OmitStackTraceInFastThrow
# flags to configure Netty # flags to configure Netty
-Dio.netty.noUnsafe=true -Dio.netty.noUnsafe=true
@ -84,7 +85,6 @@
# log4j 2 # log4j 2
-Dlog4j.shutdownHookEnabled=false -Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true -Dlog4j2.disable.jmx=true
-Dlog4j.skipJansi=true
## heap dumps ## heap dumps
@ -94,7 +94,7 @@
# specify an alternative path for heap dumps # specify an alternative path for heap dumps
# ensure the directory exists and has sufficient space # ensure the directory exists and has sufficient space
#-XX:HeapDumpPath=${heap.dump.path} -XX:HeapDumpPath=/var/lib/elasticsearch
## GC logging ## GC logging
@ -109,10 +109,9 @@
# ensure the directory exists # ensure the directory exists
#-Xloggc:${loggc} #-Xloggc:${loggc}
# Elasticsearch 5.0.0 will throw an exception on unquoted field names in JSON. # By default, the GC log file will not rotate.
# If documents were already indexed with unquoted fields in a previous version # By uncommenting the lines below, the GC log file
# of Elasticsearch, some operations may throw errors. # will be rotated every 128MB at most 32 times.
# #-XX:+UseGCLogFileRotation
# WARNING: This option will be removed in Elasticsearch 6.0.0 and is provided #-XX:NumberOfGCLogFiles=32
# only for migration purposes. #-XX:GCLogFileSize=128M
#-Delasticsearch.json.allow_unquoted_field_names=true
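Review bot: The first hunk inserts `# Xms represents the initial size of total heap space` and `# Xmx represents the maximum size of total heap space` directly above two context lines that already say exactly that, so the rendered jvm.options now carries the comment pair twice; drop the two added lines. The new `-XX:HeapDumpPath=/var/lib/elasticsearch` in the fourth hunk writes dumps into the data directory, and a heap dump contains whatever was in memory including indexed alert content, so a short comment above it noting that dumps inherit that directory's permissions and should be removed after analysis would help operators. The other hunks track the 6.x JVM defaults and raise nothing.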


@ -1,6 +1,6 @@
{ {
"order": 0, "order": 0,
"template": "wazuh*", "template": "wazuh-alerts-3.x-*",
"settings": { "settings": {
"index.refresh_interval": "5s", "index.refresh_interval": "5s",
"number_of_shards": {{ elasticsearch_shards }}, "number_of_shards": {{ elasticsearch_shards }},
@ -51,9 +51,13 @@
} }
} }
}, },
"dstuser": { "cluster": {
"type": "keyword", "properties": {
"doc_values": "true" "name": {
"type": "keyword",
"doc_values": "true"
}
}
}, },
"AlertsFile": { "AlertsFile": {
"type": "keyword", "type": "keyword",
@ -302,319 +306,308 @@
} }
} }
}, },
"srcip": { "data": {
"type": "keyword", "properties": {
"doc_values": "true" "protocol": {
}, "type": "keyword",
"protocol": { "doc_values": "true"
"type": "keyword", },
"doc_values": "true" "action": {
}, "type": "keyword",
"action": { "doc_values": "true"
"type": "keyword", },
"doc_values": "true" "srcip": {
}, "type": "keyword",
"dstip": { "doc_values": "true"
"type": "keyword", },
"doc_values": "true" "dstip": {
}, "type": "keyword",
"dstport": { "doc_values": "true"
"type": "keyword", },
"doc_values": "true" "srcport": {
}, "type": "keyword",
"srcuser": { "doc_values": "true"
"type": "keyword", },
"doc_values": "true" "dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
}, },
"program_name": { "program_name": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"command": { "command": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"url": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"type": { "type": {
"type": "text" "type": "text"
}, },
"title": { "title": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
} }
} }
} }
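Review bot: The new template still selects its indices with the `"template": "wazuh-alerts-3.x-*"` field in the first hunk, which Elasticsearch 6.0 deprecated in favour of `index_patterns`; since the whole commit moves to 6.1.2, write it as `"index_patterns": ["wazuh-alerts-3.x-*"],` so the PUT does not rely on a deprecated field. The new monitoring template in the next file section has the same `"template": "wazuh-monitoring*"` line and needs the same change. Whether the `agent` property block near the end of the last hunk is being added here or removed is not recoverable from the rendered page; if it survives in this alerts template it duplicates the mapping that the monitoring template now owns.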


@ -0,0 +1,34 @@
{
"order": 0,
"template": "wazuh-monitoring*",
"settings": {
"index.refresh_interval": "5s",
"number_of_shards": {{ elasticsearch_shards }},
"number_of_replicas": {{ elasticsearch_replicas }}
},
"mappings": {
"wazuh-agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
}


@ -12,6 +12,6 @@
- name: Debian/Ubuntu | Add Filebeat repository. - name: Debian/Ubuntu | Add Filebeat repository.
apt_repository: apt_repository:
repo: 'deb https://artifacts.elastic.co/packages/5.x/apt stable main' repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present state: present
update_cache: yes update_cache: yes


@ -2,7 +2,7 @@
- name: RedHat/CentOS/Fedora | Install Filebeats repo - name: RedHat/CentOS/Fedora | Install Filebeats repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
description: Elastic repository for 5.x packages description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes gpgcheck: yes


@ -13,6 +13,10 @@
- import_tasks: config.yml - import_tasks: config.yml
when: filebeat_create_config when: filebeat_create_config
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Ensure Filebeat is started and enabled at boot. - name: Ensure Filebeat is started and enabled at boot.
service: service:
name: filebeat name: filebeat


@ -3,4 +3,5 @@ elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1" elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0" kibana_server_host: "0.0.0.0"
kibana_server_port: "5601" kibana_server_port: "5601"
elastic_stack_version: 5.6.4 elastic_stack_version: 6.1.2
wazuh_version: 3.1.0


@ -12,7 +12,7 @@
- name: Debian/Ubuntu | Install Elastic repo - name: Debian/Ubuntu | Install Elastic repo
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present state: present
filename: 'elastic_repo' filename: 'elastic_repo'


@ -2,8 +2,8 @@
- name: RedHat/CentOS/Fedora | Install Elastic repo - name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
description: Elastic repository for 5.x packages description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes gpgcheck: yes


@ -9,6 +9,10 @@
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300 wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
tags: configure tags: configure
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Kibana configuration - name: Kibana configuration
template: template:
src: kibana.yml.j2 src: kibana.yml.j2
@ -26,16 +30,20 @@
register: wazuh_app_verify register: wazuh_app_verify
tags: install tags: install
- name: Upgrading Wazuh-APP - name: Removing old Wazuh-APP
shell: "{{ item }}" command: /usr/share/kibana/bin/kibana-plugin remove wazuh
when: wazuh_app_verify.stdout == "0"
tags: install
- name: Removing bundles
file: path=/usr/share/kibana/optimize/bundles state=absent
when: wazuh_app_verify.stdout == "0" when: wazuh_app_verify.stdout == "0"
with_items:
- /usr/share/kibana/bin/kibana-plugin remove wazuh
- rm -rf /usr/share/kibana/optimize/bundles
tags: install tags: install
- name: Install Wazuh-APP (can take a while) - name: Install Wazuh-APP (can take a while)
shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.1_{{ elastic_stack_version }}.zip" shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip"
environment:
NODE_OPTIONS: "--max-old-space-size=3072"
args: args:
creates: /usr/share/kibana/plugins/wazuh/package.json creates: /usr/share/kibana/plugins/wazuh/package.json
notify: restart kibana notify: restart kibana
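Review bot: The `Install Wazuh-APP` task in the second hunk still runs a single command with no shell features through `shell:`, while the removal step right above it was switched to `command:` in the same hunk; the install line should follow suit. The larger point is that the plugin archive is pulled straight from `https://packages.wazuh.com/...` and unpacked by `kibana-plugin` with no integrity check beyond TLS, so nothing in the play pins which artifact actually got installed; fetching the zip with `get_url` and a `checksum:` value and then installing from the local file makes the artifact verifiable and fails the play before a mismatched archive is unpacked. The `creates:` guard, the `NODE_OPTIONS` environment and the `notify` can stay as they are.

```yaml
- name: Download Wazuh-APP package
  get_url:
    url: "https://packages.wazuh.com/wazuhapp/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip"
    dest: "/tmp/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip"
    # wazuh_app_sha256 is a constructed variable name: set it per version in defaults/main.yml
    checksum: "sha256:{{ wazuh_app_sha256 }}"
  tags: install

- name: Install Wazuh-APP (can take a while)
  command: "/usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip"
  # … unchanged: environment, args/creates, notify, tags …
```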


@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1"
elasticsearch_http_port: "9200" elasticsearch_http_port: "9200"
elasticsearch_shards: 5 elasticsearch_shards: 5
elasticsearch_replicas: 1 elasticsearch_replicas: 1
elastic_stack_version: 5.6.4 elastic_stack_version: 6.1.2
logstash_ssl: false logstash_ssl: false
logstash_ssl_dir: /etc/pki/logstash logstash_ssl_dir: /etc/pki/logstash


@ -31,7 +31,7 @@
- name: Debian/Ubuntu | Install Elasticsearch repo - name: Debian/Ubuntu | Install Elasticsearch repo
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present state: present
filename: 'elastic_repo' filename: 'elastic_repo'


@ -15,8 +15,8 @@
- name: RedHat/CentOS/Fedora | Install Logstash repo - name: RedHat/CentOS/Fedora | Install Logstash repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
description: Elastic repository for 5.x packages description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes gpgcheck: yes


@ -1,12 +1,4 @@
--- ---
- name: Logstash template
template:
src: wazuh-elastic5-template.json.j2
dest: /etc/logstash/wazuh-elastic5-template.json
owner: root
group: root
tags: configure
- name: Ensure Logstash SSL key pair directory exists. - name: Ensure Logstash SSL key pair directory exists.
file: file:
path: "{{ logstash_ssl_dir }}" path: "{{ logstash_ssl_dir }}"


@ -8,6 +8,10 @@
- import_tasks: config.yml - import_tasks: config.yml
when: logstash_create_config when: logstash_create_config
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Ensure Logstash started and enabled - name: Ensure Logstash started and enabled
service: service:
name: logstash name: logstash


@ -25,10 +25,21 @@ input {
} }
} }
{% endif %} {% endif %}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter { filter {
geoip { geoip {
source => "srcip" source => "@src_ip"
target => "GeoLocation" target => "GeoLocation"
fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"] fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
} }
@ -37,17 +48,14 @@ filter {
target => "@timestamp" target => "@timestamp"
} }
mutate { mutate {
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"] remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
} }
} }
output { output {
#stdout { codec => rubydebug } #stdout { codec => rubydebug }
elasticsearch { elasticsearch {
hosts => ["{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"] hosts => ["{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"]
index => "wazuh-alerts-%{+YYYY.MM.dd}" index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
document_type => "wazuh" document_type => "wazuh"
template => "/etc/logstash/wazuh-elastic5-template.json"
template_name => "wazuh"
template_overwrite => true
} }
} }
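Review bot: In the new `filter` block of the first hunk the two `if` branches are independent, so an event carrying both `[data][srcip]` and `[data][aws][sourceIPAddress]` gets two `add_field` calls on `@src_ip`, and mutate's add_field on an existing field turns it into an array before `geoip` reads it; chaining the second branch as `} else if [data][aws][sourceIPAddress] {` keeps `@src_ip` a single value and makes the precedence explicit. The `remove_field` list in the second hunk also no longer contains `"fields"`, so Filebeat's `fields` object is now kept in the indexed event; if that is intentional a short comment on the line saying so would save the next reader a diff against history.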


@ -1,622 +0,0 @@
{
"order": 0,
"template": "wazuh*",
"settings": {
"index.refresh_interval": "5s",
"number_of_shards": {{ elasticsearch_shards }},
"number_of_replicas": {{ elasticsearch_replicas }}
},
"mappings": {
"wazuh": {
"dynamic_templates": [
{
"string_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"type": "keyword",
"doc_values": "true"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"@version": {
"type": "text"
},
"agent": {
"properties": {
"ip": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"manager": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"AlertsFile": {
"type": "keyword",
"doc_values": "true"
},
"full_log": {
"type": "text"
},
"previous_log": {
"type": "text"
},
"GeoLocation": {
"properties": {
"area_code": {
"type": "long"
},
"city_name": {
"type": "keyword",
"doc_values": "true"
},
"continent_code": {
"type": "text"
},
"coordinates": {
"type": "double"
},
"country_code2": {
"type": "text"
},
"country_code3": {
"type": "text"
},
"country_name": {
"type": "keyword",
"doc_values": "true"
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "keyword",
"doc_values": "true"
},
"latitude": {
"type": "double"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "double"
},
"postal_code": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword",
"doc_values": "true"
},
"region_name": {
"type": "keyword",
"doc_values": "true"
},
"timezone": {
"type": "text"
}
}
},
"host": {
"type": "keyword",
"doc_values": "true"
},
"syscheck": {
"properties": {
"path": {
"type": "keyword",
"doc_values": "true"
},
"sha1_before": {
"type": "keyword",
"doc_values": "true"
},
"sha1_after": {
"type": "keyword",
"doc_values": "true"
},
"uid_before": {
"type": "keyword",
"doc_values": "true"
},
"uid_after": {
"type": "keyword",
"doc_values": "true"
},
"gid_before": {
"type": "keyword",
"doc_values": "true"
},
"gid_after": {
"type": "keyword",
"doc_values": "true"
},
"perm_before": {
"type": "keyword",
"doc_values": "true"
},
"perm_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_before": {
"type": "keyword",
"doc_values": "true"
},
"gname_after": {
"type": "keyword",
"doc_values": "true"
},
"gname_before": {
"type": "keyword",
"doc_values": "true"
},
"inode_after": {
"type": "keyword",
"doc_values": "true"
},
"inode_before": {
"type": "keyword",
"doc_values": "true"
},
"mtime_after": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"mtime_before": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"uname_after": {
"type": "keyword",
"doc_values": "true"
},
"uname_before": {
"type": "keyword",
"doc_values": "true"
},
"size_before": {
"type": "long",
"doc_values": "true"
},
"size_after": {
"type": "long",
"doc_values": "true"
},
"diff": {
"type": "keyword",
"doc_values": "true"
},
"event": {
"type": "keyword",
"doc_values": "true"
}
}
},
"location": {
"type": "keyword",
"doc_values": "true"
},
"message": {
"type": "text"
},
"offset": {
"type": "keyword"
},
"rule": {
"properties": {
"description": {
"type": "keyword",
"doc_values": "true"
},
"groups": {
"type": "keyword",
"doc_values": "true"
},
"level": {
"type": "long",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"cve": {
"type": "keyword",
"doc_values": "true"
},
"info": {
"type": "keyword",
"doc_values": "true"
},
"frequency": {
"type": "long",
"doc_values": "true"
},
"firedtimes": {
"type": "long",
"doc_values": "true"
},
"cis": {
"type": "keyword",
"doc_values": "true"
},
"pci_dss": {
"type": "keyword",
"doc_values": "true"
}
}
},
"decoder": {
"properties": {
"parent": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
},
"ftscomment": {
"type": "keyword",
"doc_values": "true"
},
"fts": {
"type": "long",
"doc_values": "true"
},
"accumulate": {
"type": "long",
"doc_values": "true"
}
}
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"protocol": {
"type": "keyword",
"doc_values": "true"
},
"action": {
"type": "keyword",
"doc_values": "true"
},
"dstip": {
"type": "keyword",
"doc_values": "true"
},
"dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"program_name": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"type": {
"type": "text"
},
"title": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
}


@ -1,7 +1,10 @@
--- ---
wazuh_manager_ip: null wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
wazuh_profile: null wazuh_profile: null
wazuh_manager_proto: tcp wazuh_auto_restart: 'yes'
wazuh_agent_authd: wazuh_agent_authd:
enable: false enable: false
port: 1515 port: 1515
@ -13,10 +16,10 @@ wazuh_notify_time: null
wazuh_time_reconnect: null wazuh_time_reconnect: null
wazuh_winagent_config: wazuh_winagent_config:
install_dir: 'C:\wazuh-agent\' install_dir: 'C:\wazuh-agent\'
version: '2.1.1' version: '3.1.0'
revision: '1' revision: '1'
repo: https://packages.wazuh.com/windows/ repo: https://packages.wazuh.com/3.x/windows/
md5: fd9a3ce30cd6f9f553a1bc71e74a6c9f md5: 484900d5006a50304bbf284917d7fa14
wazuh_agent_config: wazuh_agent_config:
log_format: 'plain' log_format: 'plain'
syscheck: syscheck:
@ -56,6 +59,28 @@ wazuh_agent_config:
timeout: 1800 timeout: 1800
interval: '1d' interval: '1d'
scan_on_start: 'yes' scan_on_start: 'yes'
cis_cat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: '/var/ossec/wodles/ciscat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
vuls:
disable: 'yes'
interval: '1d'
run_on_start: 'yes'
args:
- 'mincvss 5'
- 'antiquity-limit 20'
- 'updatenvd'
- 'nvd-year 2016'
- 'autoupdate'
localfiles: localfiles:
- format: 'syslog' - format: 'syslog'
location: '/var/log/messages' location: '/var/log/messages'
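Review bot: Defaulting `wazuh_managers.0.address` to `127.0.0.1` removes the opt-in the old `wazuh_manager_ip: null` provided: the registration tasks in Linux.yml and Windows.yml skip only when `wazuh_managers.0.address is not none` is false, so with this default an agent whose inventory never set a manager will run `agent-auth` against itself. Defaulting the entry to `address: null` (and letting the ossec.conf template fall back to a placeholder for a null address, as the old `SERVER-IP` branch did) restores the previous behaviour. `md5:` for the Windows installer is a collision-weak digest; if the download task accepts a `checksum:` option, shipping `sha256:<DIGEST>` would be the stronger integrity check — that task is not in this section, so I cannot confirm what it supports. The `java_path` default is a Debian/Ubuntu OpenJDK path although the same defaults apply to RedHat hosts; a comment noting it is only consulted when `install_java` is not `'yes'` would make the scope clear.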


@ -10,7 +10,7 @@
- name: Debian/Ubuntu | Add Wazuh repositories - name: Debian/Ubuntu | Add Wazuh repositories
apt_repository: apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
state: present state: present
update_cache: yes update_cache: yes
@ -19,8 +19,38 @@
cis_distribution_filename: cis_debian_linux_rcl.txt cis_distribution_filename: cis_debian_linux_rcl.txt
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: Debian/Ubuntu | Setting webupd8 repository
apt_repository:
repo: 'ppa:webupd8team/java'
codename: 'xenial'
when:
- wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes'
tags:
- init
- name: Debian/Ubuntu | Accept Oracle Java 8 license
debconf:
name: oracle-java8-installer
question: shared/accepted-oracle-license-v1-1
value: true
vtype: boolean
when:
- wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes'
tags:
- init
- name: Debian/Ubuntu | Oracle Java 8 installer
apt: name=oracle-java8-installer state=present update_cache=yes
when:
- wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes'
tags:
- init
- name: Debian/Ubuntu | Install OpenScap - name: Debian/Ubuntu | Install OpenScap
package: name={{ item }} state=present package: name={{ item }} state=present update_cache=yes
when: wazuh_agent_config.openscap.disable == 'no' when: wazuh_agent_config.openscap.disable == 'no'
with_items: with_items:
- libopenscap8 - libopenscap8
@ -31,15 +61,15 @@
- name: Debian/Ubuntu | Get OpenScap installed version - name: Debian/Ubuntu | Get OpenScap installed version
shell: "dpkg-query --showformat='${Version}' --show libopenscap8" shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
register: openscap_version register: openscap_version
when: wazuh_agent_config.openscap.disable == 'no'
changed_when: true changed_when: true
when: wazuh_agent_config.openscap.disable == 'no'
tags: tags:
- config - config
- name: Debian/Ubuntu | Check OpenScap version - name: Debian/Ubuntu | Check OpenScap version
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
register: openscap_version_valid register: openscap_version_valid
when: wazuh_agent_config.openscap.disable == 'no'
changed_when: true changed_when: true
when: wazuh_agent_config.openscap.disable == 'no'
tags: tags:
- config - config
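Review bot: The three new Java tasks add a third-party PPA (`ppa:webupd8team/java`) with a hard-coded `codename: 'xenial'` and no distribution guard, so any Debian-family host with `cis_cat.disable == 'no'` and `install_java == 'yes'` gets xenial packages from an unofficial archive added to its trusted apt sources — and on Debian proper `apt_repository` cannot resolve a `ppa:` shortcut at all, so the task fails. At minimum gate all three with `- ansible_distribution == 'Ubuntu'`, and prefer `codename: "{{ ansible_distribution_release }}"` where the PPA publishes for that release. A comment above the first task stating that this pulls a vendor JRE from an unofficial source, and that `install_java: 'no'` with `java_path` is the alternative, would document the trust decision. The manager role's Debian.yml in this commit carries identical tasks and needs the same change.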


@ -39,7 +39,7 @@
- name: Linux | Register agent - name: Linux | Register agent
shell: > shell: >
/var/ossec/bin/agent-auth /var/ossec/bin/agent-auth
-m {{ wazuh_manager_ip }} -m {{ wazuh_managers.0.address }}
-p {{ wazuh_agent_authd.port }} -p {{ wazuh_agent_authd.port }}
{% if authd_pass is defined %}-P {{ authd_pass }}{% endif %} {% if authd_pass is defined %}-P {{ authd_pass }}{% endif %}
{% if wazuh_agent_authd.ssl_agent_ca is not none %} {% if wazuh_agent_authd.ssl_agent_ca is not none %}
@ -52,7 +52,7 @@
when: when:
- wazuh_agent_authd.enable == true - wazuh_agent_authd.enable == true
- check_keys.stat.size == 0 - check_keys.stat.size == 0
- wazuh_manager_ip is not none - wazuh_managers.0.address is not none
tags: tags:
- config - config
@ -61,10 +61,22 @@
when: when:
- wazuh_agent_authd.enable == true - wazuh_agent_authd.enable == true
- check_keys.stat.size == 0 - check_keys.stat.size == 0
- wazuh_manager_ip is not none - wazuh_managers.0.address is not none
tags: tags:
- config - config
- name: Linux | Vuls integration deploy (runs in background, can take a while)
command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }}
args:
creates: /var/ossec/wodles/vuls/config.toml
async: 3600
poll: 0
when:
- wazuh_agent_config.vuls.disable != 'yes'
- ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle'
tags:
- init
- name: Linux | Installing agent configuration (ossec.conf) - name: Linux | Installing agent configuration (ossec.conf)
template: src=var-ossec-etc-ossec-agent.conf.j2 template: src=var-ossec-etc-ossec-agent.conf.j2
dest=/var/ossec/etc/ossec.conf dest=/var/ossec/etc/ossec.conf
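Review bot: `ansible_distribution == 'Redhat'` in the new Vuls deploy task will never match — Ansible reports the distribution as `RedHat`, the spelling the other task files in this commit use — so RHEL agents silently skip the deploy. The task's guard also uses `vuls.disable != 'yes'` while the ossec.conf template only enables the wodle on `vuls.disable == 'no'`, so a value such as `'true'` deploys Vuls but never runs it; use `== 'no'` in both places. Since the task is fired with `async: 3600` / `poll: 0` and never polled, a one-line comment saying the script is expected to complete on its own and that `creates:` is what keeps the task idempotent would help the next reader.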


@ -1,30 +1,44 @@
--- ---
- name: CentOS | Install Wazuh repository - name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: CentOS-$releasever - Wazuh description: Wazuh repository
baseurl: https://packages.wazuh.com/yum/el/$releasever/$basearch baseurl: https://packages.wazuh.com/3.x/yum/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'CentOS' when:
- ansible_distribution_major_version|int > 5
- name: Fedora | Install Wazuh repository - name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: Fedora-$releasever - Wazuh description: Wazuh repository
baseurl: https://packages.wazuh.com/yum/fc/$releasever/$basearch baseurl: https://packages.wazuh.com/3.x/yum/5/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'Fedora' when:
- ansible_distribution_major_version|int < 5
- name: RedHat | Install Wazuh repository - name: RedHat/CentOS/Fedora | download Oracle Java RPM
yum_repository: get_url:
name: wazuh_repo url: http://download.oracle.com/otn-pub/java/jdk/8u151-b12/e758a0de34e24606bca991d704f6dcbf/jre-8u151-linux-x64.rpm
description: CentOS-$releasever - Wazuh dest: /tmp/jdk-8-linux-x64.rpm
baseurl: https://packages.wazuh.com/yum/rhel/$releasever/$basearch headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH register: oracle_java_task_rpm_download
gpgcheck: yes when:
when: ansible_distribution == 'RedHat' - wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes'
tags:
- init
- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
package: name=/tmp/jdk-8-linux-x64.rpm state=present
when:
- wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes'
- oracle_java_task_rpm_download is defined
tags:
- init
- name: Set Distribution CIS filename for RHEL5 - name: Set Distribution CIS filename for RHEL5
set_fact: set_fact:
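Review bot: The EL5 repo task's guard `ansible_distribution_major_version|int < 5` excludes version 5 itself, so RHEL/CentOS 5 agents get neither repository (the other task requires `> 5`); the manager's RedHat.yml in this commit uses `< 6` for the same task, which is what is intended here. The Oracle Java RPM is fetched over plain `http://` with no `checksum:` on `get_url` and then installed as a local file, so the repository `gpgcheck` does not apply and the host installs whatever the network returned; add `checksum: sha256:<DIGEST-PLACEHOLDER>` (fill in the published digest) and use `https://`. The `oracle_java_task_rpm_download is defined` condition on the install task adds no protection — a skipped task still registers its variable — so it is the two `cis_cat` conditions that actually gate it. The same download/install pair appears in the manager's RedHat.yml.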


@ -53,7 +53,7 @@
- name: Windows | Register agent - name: Windows | Register agent
win_shell: > win_shell: >
{{ wazuh_winagent_config.install_dir }}agent-auth.exe {{ wazuh_winagent_config.install_dir }}agent-auth.exe
-m {{ wazuh_manager_ip }} -m {{ wazuh_managers.0.address }}
-p {{ wazuh_agent_authd.port }} -p {{ wazuh_agent_authd.port }}
{% if authd_pass is defined %}-P {{ authd_pass }}{% endif %} {% if authd_pass is defined %}-P {{ authd_pass }}{% endif %}
args: args:
@ -63,7 +63,7 @@
when: when:
- wazuh_agent_authd.enable == true - wazuh_agent_authd.enable == true
- check_windows_key.stat.exists == false - check_windows_key.stat.exists == false
- wazuh_manager_ip is not none - wazuh_managers.0.address is not none
tags: tags:
- config - config


@ -7,22 +7,27 @@
<ossec_config> <ossec_config>
<client> <client>
{% if wazuh_manager_ip is not none %}
<server-ip>{{ wazuh_manager_ip }}</server-ip> {% for manager in wazuh_managers %}
{% else %} <server>
<server-ip>SERVER-IP</server-ip> <address>{{ manager.address }}</address>
{% endif %} {% if manager.port is defined %}
<port>{{ manager.port }}</port>
{% endif %}
{% if manager.protocol is defined %}
<protocol>{{ manager.protocol }}</protocol>
{% endif %}
</server>
{% endfor %}
{% if wazuh_profile is not none %} {% if wazuh_profile is not none %}
<config-profile>{{ wazuh_profile }}</config-profile> <config-profile>{{ wazuh_profile }}</config-profile>
{% endif %} {% endif %}
<protocol>{{ wazuh_manager_proto }}</protocol>
{% if wazuh_manager_port is defined %}
<port>{{ wazuh_manager_port }}</port>
{% endif %}
{% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %} {% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %}
<notify_time>{{ wazuh_notify_time }}</notify_time> <notify_time>{{ wazuh_notify_time }}</notify_time>
<time-reconnect>{{ wazuh_time_reconnect }}</time-reconnect> <time-reconnect>{{ wazuh_time_reconnect }}</time-reconnect>
{% endif %} {% endif %}
<auto_restart>{{ wazuh_auto_restart }}</auto_restart>
</client> </client>
<logging> <logging>
@ -112,7 +117,7 @@
{% endif %} {% endif %}
</syscheck> </syscheck>
{% if wazuh_agent_config.openscap.disable == 'no' and ansible_system == "Linux"%} {% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %}
<wodle name="open-scap"> <wodle name="open-scap">
<disabled>no</disabled> <disabled>no</disabled>
<timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout> <timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
@ -122,13 +127,17 @@
<content type="xccdf" path="ssg-ubuntu-1604-ds.xml"> <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile> <profile>xccdf_org.ssgproject.content_profile_common</profile>
</content> </content>
{% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %} {% elif ansible_distribution == 'Debian' %}
{% if ansible_distribution_release == 'jessie' %}
{% if openscap_version_valid.stdout == "0" %} {% if openscap_version_valid.stdout == "0" %}
<content type="xccdf" path="ssg-debian-8-ds.xml"> <content type="xccdf" path="ssg-debian-8-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile> <profile>xccdf_org.ssgproject.content_profile_common</profile>
</content> </content>
<content type="oval" path="cve-debian-8-oval.xml"/>
{% endif %}
{% elif ansible_distribution_release == 'stretch' %}
<content type="oval" path="cve-debian-9-oval.xml"/>
{% endif %} {% endif %}
<content type="oval" path="cve-debian-oval.xml"/>
{% elif ansible_distribution == 'CentOS' %} {% elif ansible_distribution == 'CentOS' %}
{% if ansible_distribution_major_version == '7' %} {% if ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml"> <content type="xccdf" path="ssg-centos-7-ds.xml">
@ -161,6 +170,37 @@
</wodle> </wodle>
{% endif %} {% endif %}
{% if ansible_system == "Linux" and wazuh_agent_config.cis_cat.disable == 'no' %}
<wodle name="cis-cat">
<disabled>no</disabled>
<timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
<interval>{{ wazuh_agent_config.cis_cat.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start>
{% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %}
<java_path>/usr/bin</java_path>
{% else %}
<java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
{% endif %}
<ciscat_path>{{ wazuh_agent_config.cis_cat.ciscat_path }}</ciscat_path>
{% for benchmark in wazuh_agent_config.cis_cat.content %}
<content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
<profile>{{ benchmark.profile }}</profile>
</content>
{% endfor %}
</wodle>
{% endif %}
{% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %}
<wodle name="command">
<disabled>no</disabled>
<tag>Wazuh-VULS</tag>
<command>/usr/bin/python /var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_agent_config.vuls.args %} --{{ arg }}{% endfor %}</command>
<interval>{{ wazuh_agent_config.vuls.interval }}</interval>
<ignore_output>yes</ignore_output>
<run_on_start>{{ wazuh_agent_config.vuls.run_on_start }}</run_on_start>
</wodle>
{% endif %}
<!-- Files to monitor (localfiles) --> <!-- Files to monitor (localfiles) -->
{% for localfile in wazuh_agent_config.localfiles %} {% for localfile in wazuh_agent_config.localfiles %}
<localfile> <localfile>
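Review bot: The inner `{% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %}` re-tests `ansible_system == "Linux"`, which the enclosing `{% if %}` two lines earlier already established; reducing it to `{% if wazuh_agent_config.cis_cat.install_java == 'yes' %}` removes the misleading hint that the two branches differ by OS. The hard-coded `<java_path>/usr/bin</java_path>` presumes the Oracle installers from the Debian and RedHat task files leave a `java` in `/usr/bin` (via alternatives, presumably); a comment stating that assumption above the line would spare a reader checking both task files. The `<ossec_config>` document opens above the first hunk and closes after the last, so the blocks here cannot be judged for well-formedness in isolation.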


@ -1,21 +0,0 @@
---
driver:
name: vagrant
provision_command: sed -i '/tsflags=nodocs/d' /etc/yum.conf
provisioner:
name: ansible_playbook
ansible_yum_repo: "http://mirror.logol.ru/epel/6/x86_64/epel-release-6-8.noarch.rpm"
hosts: localhost
require_chef_for_busser: false
require_ruby_for_busser: true
platforms:
- name: centos-7.2
- name: ubuntu-14.04
verifier:
ruby_bindir: '/usr/bin'
suites:
- name: default


@ -6,6 +6,20 @@ wazuh_manager_config:
alerts_log: 'yes' alerts_log: 'yes'
logall: 'no' logall: 'no'
log_format: 'plain' log_format: 'plain'
cluster:
disable: 'yes'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
interval: '2m'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- '172.17.0.2'
- '172.17.0.3'
- '172.17.0.4'
hidden: 'no'
connection: connection:
- type: 'secure' - type: 'secure'
port: '1514' port: '1514'
@ -79,9 +93,32 @@ wazuh_manager_config:
rootcheck: rootcheck:
frequency: 43200 frequency: 43200
openscap: openscap:
disable: 'no'
timeout: 1800 timeout: 1800
interval: '1d' interval: '1d'
scan_on_start: 'yes' scan_on_start: 'yes'
cis_cat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: '/var/ossec/wodles/ciscat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
vuls:
disable: 'yes'
interval: '1d'
run_on_start: 'yes'
args:
- 'mincvss 5'
- 'antiquity-limit 20'
- 'updatenvd'
- 'nvd-year 2016'
- 'autoupdate'
log_level: 1 log_level: 1
email_level: 12 email_level: 12
localfiles: localfiles:
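Review bot: `key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'` ships a fixed cluster shared secret as a role default, so every deployment that enables the cluster without overriding it authenticates its nodes with a key that is public in this repository, and `bind_addr: '0.0.0.0'` listens for it on every interface. Default it to `key: null` and have the manager tasks fail early when `cluster.disable != 'yes'` and the key is unset, e.g. an `assert:` on `wazuh_manager_config.cluster.key is not none`, with `# Set per deployment to a freshly generated random key; never reuse a value that has been committed` above the field. The node addresses `172.17.0.x` are Docker-bridge defaults and equally unlikely to fit a real cluster; a comment marking the whole `cluster:` block as an example to override would make that explicit.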


@ -1,85 +0,0 @@
---
dependency:
name: galaxy
driver:
name: docker
ansible:
group_vars:
ossec:
ossec_server_config:
mail_to:
- me@example.com
mail_smtp_server: localhost
mail_from: ossec@example.com
frequency_check: 72000
ignore_files:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
directories:
- check_all: 'yes'
dirs: /etc,/usr/bin,/usr/sbin
- check_all: 'yes'
dirs: /bin,/sbin
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
globals:
- '127.0.0.1'
- '192.168.2.1'
connection: 'secure'
log_level: 1
email_level: 7
commands:
- name: 'host-deny'
executable: 'host-deny.sh'
expect: 'srcip'
timeout_allowed: 'yes'
active_responses:
- command: 'host-deny'
location: 'local'
level: 6
timeout: 600
localfiles:
- format: 'syslog'
location: '/var/log/messages'
ossec_agent_configs:
- type: os
type_value: linux
frequency_check: 79200
ignore_files:
- /etc/mtab
- /etc/mnttab
localfiles:
- format: 'syslog'
location: '/var/log/messages'
directories:
- check_all: yes
dirs: /etc,/usr/bin,/usr/sbin
docker:
containers:
- name: ansible-ossec-server-centos
ansible_groups:
- ossec
image: milcom/centos7-systemd
image_version: latest
privileged: True
- name: ansible-ossec-server-debian
ansible_groups:
- ossec
image: maint/debian-systemd
image_version: latest
privileged: True
# - name: ansible-ossec-server-ubuntu
# ansible_groups:
# - ossec
# image: rastasheep/ubuntu-sshd
# image_version: 16.04
# privileged: True
verifier:
name: testinfra


@ -10,7 +10,7 @@
- name: Debian/Ubuntu | Add Wazuh repositories - name: Debian/Ubuntu | Add Wazuh repositories
apt_repository: apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
state: present state: present
update_cache: yes update_cache: yes
@ -27,8 +27,39 @@
set_fact: set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt cis_distribution_filename: cis_debian_linux_rcl.txt
- name: Debian/Ubuntu | Setting webupd8 repository
apt_repository:
repo: 'ppa:webupd8team/java'
codename: 'xenial'
when:
- wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes'
tags:
- init
- name: Debian/Ubuntu | Accept Oracle Java 8 license
debconf:
name: oracle-java8-installer
question: shared/accepted-oracle-license-v1-1
value: true
vtype: boolean
when:
- wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes'
tags:
- init
- name: Debian/Ubuntu | Oracle Java 8 installer
apt: name=oracle-java8-installer state=present update_cache=yes
when:
- wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes'
tags:
- init
- name: Debian/Ubuntu | Install OpenScap - name: Debian/Ubuntu | Install OpenScap
package: name={{ item }} state=present package: name={{ item }} state=present update_cache=yes
when: wazuh_manager_config.openscap.disable == 'no'
with_items: with_items:
- libopenscap8 - libopenscap8
- xsltproc - xsltproc
@ -37,6 +68,7 @@
- name: Debian/Ubuntu | Get OpenScap installed version - name: Debian/Ubuntu | Get OpenScap installed version
shell: "dpkg-query --showformat='${Version}' --show libopenscap8" shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
when: wazuh_manager_config.openscap.disable == 'no'
register: openscap_version register: openscap_version
changed_when: true changed_when: true
tags: tags:
@ -44,6 +76,7 @@
- name: Debian/Ubuntu | Check OpenScap version - name: Debian/Ubuntu | Check OpenScap version
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
when: wazuh_manager_config.openscap.disable == 'no'
register: openscap_version_valid register: openscap_version_valid
changed_when: true changed_when: true
tags: tags:


@ -6,7 +6,8 @@
baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ansible_distribution_major_version}}/x86_64 baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ansible_distribution_major_version}}/x86_64
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' when:
- ansible_distribution_major_version|int > 5
- name: Fedora | Install Nodejs repo - name: Fedora | Install Nodejs repo
yum_repository: yum_repository:
@ -17,49 +18,99 @@
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'Fedora' when: ansible_distribution == 'Fedora'
- name: CentOS | Install Wazuh repo - name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: CentOS-$releasever - Wazuh description: Wazuh repository
baseurl: https://packages.wazuh.com/yum/el/$releasever/$basearch baseurl: https://packages.wazuh.com/3.x/yum/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'CentOS' when:
- ansible_distribution_major_version|int > 5
- name: Fedora | Install Wazuh repo - name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: Fedora-$releasever - Wazuh description: Wazuh repository
baseurl: https://packages.wazuh.com/yum/fc/$releasever/$basearch baseurl: https://packages.wazuh.com/3.x/yum/5/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'Fedora' when:
- ansible_distribution_major_version|int < 6
- name: RedHat | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: CentOS-$releasever - Wazuh
baseurl: https://packages.wazuh.com/yum/rhel/$releasever/$basearch
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when: ansible_distribution == 'RedHat'
- name: RedHat/CentOS/Fedora | Install openscap - name: RedHat/CentOS/Fedora | Install openscap
package: name=openscap-scanner state=present package: name=openscap-scanner state=present
tags: tags:
- init - init
- name: CentOS 6 | Install Software Collections (SCL) Repository
package: name=centos-release-scl state=present
when:
- ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat 6 | Enabling Red Hat Software Collections (RHSCL)
command: yum-config-manager --enable {{ item }}
with_items:
- rhui-REGION-rhel-server-rhscl
- rhel-server-rhscl-6-rpms
when:
- ansible_distribution == 'RedHat' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install Python 2.7
package: name=python27 state=present
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install python-cryptography module
shell: pip2.7 install cryptography
environment:
PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}"
LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib"
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat/CentOS/Fedora | Install python-cryptography module
package: name=python-cryptography state=present
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' )
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat/CentOS/Fedora | download Oracle Java RPM
get_url:
url: http://download.oracle.com/otn-pub/java/jdk/8u151-b12/e758a0de34e24606bca991d704f6dcbf/jre-8u151-linux-x64.rpm
dest: /tmp/jdk-8-linux-x64.rpm
headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
register: oracle_java_task_rpm_download
when:
- wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes'
tags:
- init
- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
package: name=/tmp/jdk-8-linux-x64.rpm state=present
when:
- wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes'
- oracle_java_task_rpm_download is defined
tags:
- init
- name: Set Distribution CIS filename for RHEL5/CentOS-5 - name: Set Distribution CIS filename for RHEL5/CentOS-5
set_fact: set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt cis_distribution_filename: cis_rhel5_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "5" when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '5'
- name: Set Distribution CIS filename for RHEL6/CentOS-6 - name: Set Distribution CIS filename for RHEL6/CentOS-6
set_fact: set_fact:
cis_distribution_filename: cis_rhel6_linux_rcl.txt cis_distribution_filename: cis_rhel6_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6" when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '6'
- name: Set Distribution CIS filename for RHEL7/CentOS-7 - name: Set Distribution CIS filename for RHEL7/CentOS-7
set_fact: set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7" when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '7'
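Review bot: The nodesource repo task lost its `ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat'` guard and now runs on any RedHat-family host with `major_version > 5`, so Fedora (major version in the twenties) gets an EL `baseurl` of `…/el/{{ansible_distribution_major_version}}/x86_64` that does not exist, next to the Fedora repo the following task adds; keep the distribution check as a second `when:` item. The `RedHat/CentOS 5 | Install Wazuh repo` task (`< 6`) looks unreachable: main.yml in this commit imports RedHat.yml only when `ansible_distribution_major_version|int > 5`, yet main.yml still installs `wazuh-manager` on EL5 — either import RedHat.yml unconditionally and rely on the per-task guards, or drop the EL5 branch. `shell: pip2.7 install cryptography` installs an unpinned package from PyPI at deploy time with no hash check; pin it (`cryptography==<VERSION-PLACEHOLDER>`) and, if reproducible installs matter here, use a requirements file with `--require-hashes`. The Oracle Java download/install pair has the same `http://` / missing-`checksum:` issue as the agent's RedHat.yml.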


@ -1,6 +1,6 @@
--- ---
- import_tasks: "RedHat.yml" - import_tasks: "RedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5
- import_tasks: "Debian.yml" - import_tasks: "Debian.yml"
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
@ -11,6 +11,27 @@
- wazuh-manager - wazuh-manager
- wazuh-api - wazuh-api
- expect - expect
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
tags:
- init
- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3
replace:
path: /etc/init.d/wazuh-manager
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib'
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install wazuh-manager and expect (EL5)
package: pkg={{ item }} state=latest
with_items:
- wazuh-manager
- expect
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6
tags: tags:
- init - init
@ -89,7 +110,7 @@
- name: Configure the shared-agent.conf - name: Configure the shared-agent.conf
template: src=var-ossec-etc-shared-agent.conf.j2 template: src=var-ossec-etc-shared-agent.conf.j2
dest=/var/ossec/etc/shared/agent.conf dest=/var/ossec/etc/shared/default/agent.conf
owner=ossec owner=ossec
group=ossec group=ossec
mode=0640 mode=0640
@ -108,8 +129,10 @@
tags: tags:
- config - config
- name: Retrieving Wazuh-api User Credentials - name: Retrieving Wazuh-API User Credentials
include_vars: wazuh_api_creds.yml include_vars: wazuh_api_creds.yml
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
tags: tags:
- config - config
@ -189,6 +212,18 @@
- init - init
- config - config
- name: Linux | Vuls integration deploy (runs in background, can take a while)
command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }}
args:
creates: /var/ossec/wodles/vuls/config.toml
async: 3600
poll: 0
when:
- wazuh_manager_config.vuls.disable != 'yes'
- ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle'
tags:
- init
- name: Configure ossec.conf - name: Configure ossec.conf
template: src=var-ossec-etc-ossec-server.conf.j2 template: src=var-ossec-etc-ossec-server.conf.j2
dest=/var/ossec/etc/ossec.conf dest=/var/ossec/etc/ossec.conf
@ -215,7 +250,7 @@
tags: tags:
- config - config
- name: Wazuh-api User - name: Wazuh-API User
template: template:
src: api_user.j2 src: api_user.j2
dest: "/var/ossec/api/configuration/auth/user" dest: "/var/ossec/api/configuration/auth/user"
@ -224,7 +259,9 @@
mode: 0750 mode: 0750
no_log: true no_log: true
notify: restart wazuh-api notify: restart wazuh-api
when: wazuh_api_user is defined when:
- wazuh_api_user is defined
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
tags: tags:
- config - config
@ -263,7 +300,7 @@
tags: tags:
- config - config
- name: Ensure Wazuh Manager, wazuh api service is started and enabled - name: Ensure Wazuh Manager, wazuh API service is started and enabled
service: service:
name: "{{ item }}" name: "{{ item }}"
enabled: yes enabled: yes
@ -273,6 +310,20 @@
- wazuh-api - wazuh-api
tags: tags:
- config - config
environment:
LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib"
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
- name: Ensure Wazuh Manager is started and enabled (EL5)
service:
name: wazuh-manager
enabled: yes
state: started
tags:
- config
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6
- import_tasks: "RMRedHat.yml" - import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"
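Review bot: The `Retrieving Wazuh-API User Credentials` task loads `wazuh_api_creds.yml` without `no_log`, so the API user and password it reads come back in the task result and end up in verbose (`-v`) output and any logging callback, even though the later `Wazuh-API User` task in this same file is careful to set `no_log: true`; add `no_log: true` to the `include_vars` task as well. Separately, the new Vuls deploy task's condition compares `ansible_distribution` against `'Redhat'` while every other condition in this section spells it `'RedHat'`, so the integration would presumably never run on RHEL hosts; it should read `ansible_distribution == 'RedHat'`. That task is also fire-and-forget (`async: 3600`, `poll: 0`, nothing registered), so a failed `deploy_vuls.sh` is never surfaced — at least `register` the job so a later task can poll it with `async_status`.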


@ -22,6 +22,23 @@
<email_from>{{ wazuh_manager_config.mail_from }}</email_from> <email_from>{{ wazuh_manager_config.mail_from }}</email_from>
</global> </global>
<cluster>
<disabled>{{ wazuh_manager_config.cluster.disable }}</disabled>
<name>{{ wazuh_manager_config.cluster.name }}</name>
<node_name>{{ wazuh_manager_config.cluster.node_name }}</node_name>
<node_type>{{ wazuh_manager_config.cluster.node_type }}</node_type>
<key>{{ wazuh_manager_config.cluster.key }}</key>
<interval>{{ wazuh_manager_config.cluster.interval }}</interval>
<port>{{ wazuh_manager_config.cluster.port }}</port>
<bind_addr>{{ wazuh_manager_config.cluster.bind_addr }}</bind_addr>
<nodes>
{% for node in wazuh_manager_config.cluster.nodes %}
<node>{{ node }}</node>
{% endfor %}
</nodes>
<hidden>{{ wazuh_manager_config.cluster.hidden }}</hidden>
</cluster>
<logging> <logging>
<log_format>{{ wazuh_manager_config.log_format }}</log_format> <log_format>{{ wazuh_manager_config.log_format }}</log_format>
</logging> </logging>
@ -120,12 +137,12 @@
<!-- Frequency that rootcheck is executed - every 12 hours --> <!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency> <frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> <rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> <rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/default/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit> <system_audit>/var/ossec/etc/shared/default/system_audit_ssh.txt</system_audit>
{% if cis_distribution_filename is defined %} {% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit> <system_audit>/var/ossec/etc/shared/default/{{ cis_distribution_filename }}</system_audit>
{% endif %} {% endif %}
<skip_nfs>yes</skip_nfs> <skip_nfs>yes</skip_nfs>
@ -158,6 +175,7 @@
{% endfor %} {% endfor %}
</syscheck> </syscheck>
{% if ansible_system == "Linux" and wazuh_manager_config.openscap.disable == 'no' %}
<wodle name="open-scap"> <wodle name="open-scap">
<disabled>no</disabled> <disabled>no</disabled>
<timeout>{{ wazuh_manager_config.openscap.timeout }}</timeout> <timeout>{{ wazuh_manager_config.openscap.timeout }}</timeout>
@ -167,13 +185,17 @@
<content type="xccdf" path="ssg-ubuntu-1604-ds.xml"> <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile> <profile>xccdf_org.ssgproject.content_profile_common</profile>
</content> </content>
{% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %} {% elif ansible_distribution == 'Debian' %}
{% if ansible_distribution_release == 'jessie' %}
{% if openscap_version_valid.stdout == "0" %} {% if openscap_version_valid.stdout == "0" %}
<content type="xccdf" path="ssg-debian-8-ds.xml"> <content type="xccdf" path="ssg-debian-8-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile> <profile>xccdf_org.ssgproject.content_profile_common</profile>
</content> </content>
<content type="oval" path="cve-debian-8-oval.xml"/>
{% endif %}
{% elif ansible_distribution_release == 'stretch' %}
<content type="oval" path="cve-debian-9-oval.xml"/>
{% endif %} {% endif %}
<content type="oval" path="cve-debian-oval.xml"/>
{% elif ansible_distribution == 'CentOS' %} {% elif ansible_distribution == 'CentOS' %}
{% if ansible_distribution_major_version == '7' %} {% if ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml"> <content type="xccdf" path="ssg-centos-7-ds.xml">
@ -204,6 +226,38 @@
</content> </content>
{% endif %} {% endif %}
</wodle> </wodle>
{% endif %}
{% if wazuh_manager_config.cis_cat.disable == 'no' %}
<wodle name="cis-cat">
<disabled>no</disabled>
<timeout>{{ wazuh_manager_config.cis_cat.timeout }}</timeout>
<interval>{{ wazuh_manager_config.cis_cat.interval }}</interval>
<scan-on-start>{{ wazuh_manager_config.cis_cat.scan_on_start }}</scan-on-start>
{% if wazuh_manager_config.cis_cat.install_java == 'yes' %}
<java_path>/usr/bin</java_path>
{% else %}
<java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path>
{% endif %}
<ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path>
{% for benchmark in wazuh_manager_config.cis_cat.content %}
<content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
<profile>{{ benchmark.profile }}</profile>
</content>
{% endfor %}
</wodle>
{% endif %}
{% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %}
<wodle name="command">
<disabled>no</disabled>
<tag>Wazuh-VULS</tag>
<command>/usr/bin/python /var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_manager_config.vuls.args %} --{{ arg }}{% endfor %}</command>
<interval>{{ wazuh_manager_config.vuls.interval }}</interval>
<ignore_output>yes</ignore_output>
<run_on_start>{{ wazuh_manager_config.vuls.run_on_start }}</run_on_start>
</wodle>
{% endif %}
{% if agentless_creeds is defined %} {% if agentless_creeds is defined %}
{% for agentless in agentless_creeds %} {% for agentless in agentless_creeds %}
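Review bot: The new `<cluster>` block writes the cluster's shared secret `{{ wazuh_manager_config.cluster.key }}` into ossec.conf verbatim, and it is rendered even when `cluster.disable` is `yes`, so every manager built from this role gets whatever value is configured (presumably the role defaults) as its cluster key whether or not clustering is in use. Keep `wazuh_manager_config.cluster.key` out of committed defaults — Ansible Vault or a host/group var — and consider emitting the block only when clustering is enabled, e.g. wrap it in `{% if wazuh_manager_config.cluster.disable != 'yes' %} … {% endif %}`, the same gating pattern this template already applies to the cis-cat and Vuls wodles. The cluster `<node_name>`, `<key>` and `<nodes>` values also have no quoting or validation here, so a note in the defaults file describing the expected format of each would help operators avoid producing an ossec.conf the manager rejects.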


@ -69,7 +69,7 @@
<frequency>{{ agent_config.rootcheck.frequency }}</frequency> <frequency>{{ agent_config.rootcheck.frequency }}</frequency>
{% if agent_config.rootcheck.cis_distribution_filename is not none %} {% if agent_config.rootcheck.cis_distribution_filename is not none %}
<system_audit>/var/ossec/etc/shared/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit> <system_audit>/var/ossec/etc/shared/default/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit>
{% endif %} {% endif %}
<skip_nfs>yes</skip_nfs> <skip_nfs>yes</skip_nfs>
</rootcheck> </rootcheck>


@ -0,0 +1,7 @@
- hosts: wazuh-ELK-single
roles:
- { role: ansible-wazuh-manager }
- { role: ansible-role-elasticsearch, elasticsearch_network_host: 'localhost' }
- { role: ansible-role-logstash, elasticsearch_network_host: 'localhost' }
- { role: ansible-role-kibana, elasticsearch_network_host: 'localhost' }