Updated ossec.conf template to support macOS

roles/wazuh/ansible-wazuh-agent/defaults/main.yml

@@ -40,6 +40,7 @@ authd_pass: ''
 wazuh_api_reachable_from_agent: yes
 wazuh_profile_centos: 'centos, centos7, centos7.6'
 wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
+wazuh_profile_macos: 'darwin, darwin21, darwin21.1'
 wazuh_auto_restart: 'yes'
 
 wazuh_notify_time: '10'
@@ -230,6 +231,11 @@ wazuh_agent_syscheck:
       checks: ''
     - dirs: /bin,/sbin,/boot
       checks: ''
+  macos_directories:
+    - dirs: /etc,/usr/bin,/usr/sbin
+      checks: ''
+    - dirs: /bin,/sbin
+      checks: ''
   win_directories:
     - dirs: '%WINDIR%'
       checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
@@ -332,6 +338,17 @@ wazuh_agent_localfiles:
       command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
       alias: 'netstat listening ports'
       frequency: '360'
+  macos:
+    - format: 'full_command'
+      command: netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u
+      alias: 'netstat listening ports'
+      frequency: '360'
+    - format: 'macos'
+      location: 'macos'
+      query:
+        type: 'trace,log,activity'
+        level: 'info'
+        value: (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")
   windows:
     - format: 'eventlog'
       location: 'Application'
@@ -355,6 +372,7 @@ wazuh_agent_active_response:
   ar_disabled: 'no'
   ca_store: "{{ wazuh_dir }}/etc/wpk_root.pem"
   ca_store_win: 'wpk_root.pem'
+  ca_store_macos: 'etc/wpk_root.pem'
   ca_verification: 'yes'
 
 ## Logging

roles/wazuh/ansible-wazuh-agent/handlers/main.yml

@@ -4,3 +4,6 @@
 
 - name: Windows | Restart Wazuh Agent
   win_service: name=WazuhSvc start_mode=auto state=restarted
+
+- name: macOS | Restart Wazuh Agent
+  command: /Library/Ossec/bin/wazuh-control restart

roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2

@@ -30,6 +30,9 @@
     <config-profile>{{ wazuh_profile_ubuntu }}</config-profile>
     {% endif %}
     {% endif %}
+    {% if ansible_system == "Darwin" %}
+    <config-profile>{{ wazuh_profile_macos }}</config-profile>
+    {% endif %}
     {% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %}
     <notify_time>{{ wazuh_notify_time }}</notify_time>
     <time-reconnect>{{ wazuh_time_reconnect }}</time-reconnect>
@@ -91,7 +94,7 @@
   {% if wazuh_agent_config.rootcheck is defined %}
   <rootcheck>
     <disabled>no</disabled>
-    {% if ansible_system == "Linux" %}
+    {% if ansible_system == "Linux" or ansible_system == "Darwin" %}
     <check_files>yes</check_files>
     <check_trojans>yes</check_trojans>
     <check_dev>yes</check_dev>
@@ -103,10 +106,14 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>
 
+    {% if ansible_system == "Darwin" %}
+    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
+    {% else %}
     <rootkit_files>{{ wazuh_dir }}/etc/shared/rootkit_files.txt</rootkit_files>
     <rootkit_trojans>{{ wazuh_dir }}/etc/shared/rootkit_trojans.txt</rootkit_trojans>
-    <skip_nfs>yes</skip_nfs>
     {% endif %}
+    <skip_nfs>yes</skip_nfs>
     {% if ansible_os_family == "Windows" %}
     <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
     <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
@@ -179,6 +186,7 @@
   </wodle>
   {% endif %}
 
+  {% if ansible_system != "Darwin" %}
   <wodle name="cis-cat">
     <disabled>{{ wazuh_agent_config.cis_cat.disable }}</disabled>
     <timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
@@ -193,6 +201,7 @@
     {% endif %}
     <ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
   </wodle>
+  {% endif %}
 
   <!-- Osquery integration -->
   <wodle name="osquery">
@@ -249,13 +258,18 @@
   <syscheck>
     <disabled>no</disabled>
     <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
-    {% if ansible_system == "Linux" %}
+    {% if ansible_system == "Linux" or ansible_system == "Darwin" %}
     <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
     <!-- Directories to check  (perform all possible verifications) -->
     {% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %}
     {% for directory in wazuh_agent_config.syscheck.directories %}
     <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
     {% endfor %}
+    {% elif ansible_system == "Darwin" %}
+    {% for directory in wazuh_agent_config.syscheck.macos_directories %}
+    <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
+    {% endfor %}
+    {% endif %}
     {% endif %}
     {% endif %}
 
@@ -267,7 +281,7 @@
     {% endif %}
 
     <!-- Files/directories to ignore -->
-    {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %}
+    {% if wazuh_agent_config.syscheck.ignore is defined and (ansible_system == "Linux" or ansible_system == "Darwin") %}    
     {% for ignore in wazuh_agent_config.syscheck.ignore %}
     <ignore>{{ ignore }}</ignore>
     {% endfor %}
@@ -286,7 +300,7 @@
     {% endfor %}
     {% endif %}
 
-    {% if ansible_system == "Linux" %}
+    {% if ansible_system == "Linux" or ansible_system == "Darwin" %}
     <!-- Files no diff -->
     {% for no_diff in wazuh_agent_config.syscheck.no_diff %}
     <nodiff>{{ no_diff }}</nodiff>
@@ -363,6 +377,27 @@
   {% endfor %}
   {% endif %}
 
+  {% if ansible_system == "Darwin" %}
+  {% for localfile in wazuh_agent_config.localfiles.macos %}
+
+  <localfile>
+    <log_format>{{ localfile.format }}</log_format>
+    {% if localfile.format == 'command' or localfile.format == 'full_command' %}
+    <command>{{ localfile.command }}</command>
+    <frequency>{{ localfile.frequency }}</frequency>
+    {% if localfile.alias is defined %}
+    <alias>{{ localfile.alias }}</alias>
+    {% endif %}
+  {% else %}
+    <location>{{ localfile.location }}</location>
+    {% if localfile.format == 'macos' %}
+    <query type="{{ localfile.query.type }}" level="{{ localfile.query.level }}">{{ localfile.query.value }}</query>
+    {% endif %}
+  {% endif %}
+  </localfile>
+  {% endfor %}
+  {% endif %}
+
   {% if ansible_os_family == "Debian" %}
   {% for localfile in wazuh_agent_config.localfiles.debian %}
 
@@ -439,7 +474,15 @@
 
   <active-response>
     <disabled>{{ wazuh_agent_config.active_response.ar_disabled|default('no') }}</disabled>
-    <ca_store>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %}</ca_store>
+    <ca_store>
+    {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}
+    {% else %}
+    {% if ansible_system == "Darwin" %}{{ wazuh_agent_config.active_response.ca_store_macos }}
+    {% else %}
+    {{ wazuh_agent_config.active_response.ca_store }}
+    {% endif %}
+    {% endif %}
+    </ca_store>
     <ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
   </active-response>