update ossec.conf in the agent formula

This commit is contained in:
Jose Luis 2017-04-03 15:19:35 -04:00
parent c983438b43
commit 3cc58b30ee
9 changed files with 137 additions and 11 deletions


@ -56,7 +56,7 @@
command: /bin/bash /usr/share/kibana/bin/kibana-plugin list command: /bin/bash /usr/share/kibana/bin/kibana-plugin list
register: kibanainstalled register: kibanainstalled
- name: Restart Kibana if Wazuh-APP is installed - name: Install Wazuh-APP (can take a while)
shell: /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.2.2.zip && service kibana restart shell: /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.2.2.zip && service kibana restart
when: kibanainstalled.stdout.find('wazuh') == -1 when: kibanainstalled.stdout.find('wazuh') == -1


@ -21,6 +21,11 @@
apt: update_cache=yes apt: update_cache=yes
when: wazuh_repo.changed when: wazuh_repo.changed
- name: Set Distribution CIS filename for debian
set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt
when: ansible_os_family == "Debian"
- name: Debian/Ubuntu | Install wazuh-agent - name: Debian/Ubuntu | Install wazuh-agent
apt: pkg={{ item }} apt: pkg={{ item }}
state=present state=present
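Review bot: `cis_distribution_filename` is only set here for Debian and, in the RedHat tasks of the next file section, for major versions 5, 6 and 7, yet the ossec.conf template in this commit renders `{{ cis_distribution_filename }}` unconditionally inside `<system_audit>`, so any other family or release fails the template with an undefined variable. Either give the variable a default in the role's defaults or guard that template line, e.g. wrap it in `{% if cis_distribution_filename is defined %}` / `{% endif %}`. The enclosing task list continues outside the hunk.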


@ -14,6 +14,22 @@
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes gpgcheck: yes
- name: Set Distribution CIS filename for RHEL5
set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "5"
- name: Set Distribution CIS filename for RHEL6
set_fact:
cis_distribution_filename: cis_rhel6_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6"
- name: Set Distribution CIS filename for RHEL7
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"
- name: RedHat | Install Wazuh Agent - name: RedHat | Install Wazuh Agent
yum: pkg={{ item }} yum: pkg={{ item }}
state=present state=present
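Review bot: The three RHEL `set_fact` tasks differ only in the major-version digit, which is already available as `ansible_distribution_major_version`; one task yields the same value with `cis_distribution_filename: "cis_rhel{{ ansible_distribution_major_version }}_linux_rcl.txt"` and `when: ansible_os_family == "RedHat" and ansible_distribution_major_version in ['5', '6', '7']`. Keep the explicit version list in the condition so an unlisted release does not produce a filename that the shared directory does not contain. The task list continues outside the hunk.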


@ -42,7 +42,7 @@
{% if ansible_distribution_major_version == '7' %} {% if ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml"> <content type="xccdf" path="ssg-rhel-7-ds.xml">
{% elif ansible_distribution_major_version == '6' %} {% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml"> <content type="xccdf" path="ssg-rhel-6-ds.xml">
{% endif %} {% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile> <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile> <profile>xccdf_org.ssgproject.content_profile_common</profile>
@ -50,4 +50,60 @@
</wodle> </wodle>
{% endif %} {% endif %}
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<syscheck>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ ossec_agent_config.frequency_check }}</frequency>
<scan_on_start>{{ ossec_agent_config.syscheck_scan_on_start }}</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
{% for directory in ossec_agent_config.directories %}
<directories check_all="{{ directory.check_all }}">{{ directory.dirs }}</directories>
{% endfor %}
<!-- Files/directories to ignore -->
{% for ignore_file in ossec_agent_config.ignore_files %}
<ignore>{{ ignore_file }}</ignore>
{% endfor %}
<!-- Files no diff -->
{% for no_diff in ossec_agent_config.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
</syscheck>
<!-- Files to monitor (localfiles) -->
{% for localfile in ossec_agent_config.localfiles %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
</ossec_config> </ossec_config>
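Review bot: The comment above the syscheck `<frequency>` still says "default every 20 hours" while the value is now `{{ ossec_agent_config.frequency_check }}` (the vars file in this commit sets 43200, i.e. 12 hours), so the comment is wrong as soon as anyone reads it; make it `<!-- Frequency that syscheck is executed, in seconds; set via ossec_agent_config.frequency_check -->`. The localfile branch `{% if localfile.format == 'command' or localfile.format == 'full_command' %}` reads more simply as `{% if localfile.format in ['command', 'full_command'] %}`. The values substituted into `<directories>`, `<ignore>`, `<nodiff>` and `<command>` are not XML-escaped, so a path or command containing `&` or `<` would yield an ossec.conf the agent cannot parse; if such values are plausible in the variables, apply `| e` to them.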


@ -1,2 +1,43 @@
--- ---
# vars file for ossec-agent # vars file for ossec-agent
ossec_agent_config:
frequency_check: 43200
syscheck_scan_on_start: 'yes'
ignore_files:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
no_diff:
- /etc/ssl/private.key
directories:
- check_all: 'yes'
dirs: /etc,/usr/bin,/usr/sbin
- check_all: 'yes'
dirs: /bin,/sbin
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'command'
command: 'df -P'
frequency: '360'
- format: 'full_command'
command: 'netstat -tln | grep -v 127.0.0.1 | sort'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
globals:
- '127.0.0.1'
- '192.168.2.1'
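Review bot: `globals` is defined with two addresses, but nothing in the ossec.conf template hunk of this commit consumes it; if it is meant to populate a `<global><white_list>` block the template is missing that loop, otherwise the key is dead configuration and should go. The header comment marks this as the role's vars file, and role `vars/` take precedence over inventory and group_vars, so site-specific entries such as `directories`, `localfiles` and the `192.168.2.1` address cannot be overridden per host; consider carrying `ossec_agent_config` in `defaults/main.yml` instead. Quoting `'yes'` for `syscheck_scan_on_start` and `check_all` is correct here, since the template needs the literal string rather than a boolean.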


@ -18,6 +18,14 @@
<group name="local,syslog,"> <group name="local,syslog,">
<rule id="5703" level="10" frequency="10" timeframe="360" overwrite="yes">
<if_matched_sid>5702</if_matched_sid>
<description>sshd: Possible breakin attempt </description>
<description>(high number of reverse lookup errors).</description>
<group>pci_dss_11.4,</group>
</rule>
<!-- Note that rule id 5711 is defined at the ssh_rules file <!-- Note that rule id 5711 is defined at the ssh_rules file
- as a ssh failed login. This is just an example - as a ssh failed login. This is just an example
- since ip 1.1.1.1 shouldn't be used anywhere. - since ip 1.1.1.1 shouldn't be used anywhere.
@ -34,7 +42,7 @@
<!-- This example will ignore ssh failed logins for the user name XYZABC. <!-- This example will ignore ssh failed logins for the user name XYZABC.
--> -->
<!-- <!--
<rule id="100020" level="0"> <rule id="100020" level="0" >
<if_sid>5711</if_sid> <if_sid>5711</if_sid>
<user>XYZABC</user> <user>XYZABC</user>
<description>Example of rule that will ignore sshd </description> <description>Example of rule that will ignore sshd </description>
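Review bot: The new `<rule id="5703" ... overwrite="yes">` appears to replace the stock sshd rule with `frequency="10"` but carries no comment saying why the threshold was changed, so the next reader cannot tell whether the original was too noisy or whether this deliberately requires more reverse-lookup failures before alerting; add a one-line `<!-- Overrides sshd rule 5703: raises the trigger frequency to 10 because ... -->` above it stating the reason. The second hunk only inserts a space before `>` in the commented-out example rule 100020, which is whitespace noise in the diff. The enclosing `<group>` element starts and ends outside the hunk.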


@ -1,6 +1,6 @@
ossec_server_config: ossec_server_config:
mail_to: mail_to:
- me@example.com - jose@wazuh.com
mail_smtp_server: localhost mail_smtp_server: localhost
mail_from: ossec@example.com mail_from: ossec@example.com
frequency_check: 43200 frequency_check: 43200
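Review bot: `mail_to` now carries a personal address, `jose@wazuh.com`, in what looks like the server role's shared configuration, so every deployment using the role will mail alerts there unless the value is overridden; keep a placeholder such as `- me@example.com` here and set the real recipient in the deploying inventory or group_vars. Whether this file is `vars/` or `defaults/` is not visible in the hunk, which affects how easily a consumer can override it.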


@ -1,3 +1,3 @@
- hosts: all:!wazuh-manager - hosts: all:!wazuh-manager
roles: roles:
- { role: ansible-wazuh-agent, ossec_server_ip: 192.168.33.170 } - { role: ansible-wazuh-agent, ossec_server_ip: 192.168.33.169 }
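Review bot: `ossec_server_ip: 192.168.33.169` is a lab address hard-coded into the playbook, as is `filebeat_output_logstash_hosts: '192.168.33.177:5000'` in the manager playbook in the next section, so every environment change lands as a commit; move both into inventory or group_vars and let the playbooks reference the variables. Once more than one role variable is passed, the inline `{ role: ..., ossec_server_ip: ... }` flow mapping also reads better in block form.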


@ -1,4 +1,4 @@
- hosts: wazuh-manager - hosts: wazuh-manager
roles: roles:
- role: ansible-wazuh-server - role: ansible-wazuh-server
- role: ansible-role-filebeat - { role: ansible-role-filebeat, filebeat_output_logstash_hosts: '192.168.33.177:5000' }