afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #481 from wazuh/feature-manager-unnest

Browse Source 
Feature manager configuration unnest
This commit is contained in:
Manuel J. Bernal 2020-11-09 17:46:33 +01:00 committed by GitHub
commit 54f5d84e35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 485 additions and 372 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

643
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -4,6 +4,12 @@ wazuh_manager_version: 4.0.0-1
wazuh_manager_fqdn: "wazuh-server" wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: present wazuh_manager_package_state: present
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_10.x"
# Custom packages installation # Custom packages installation
wazuh_custom_packages_installation_manager_enabled: false wazuh_custom_packages_installation_manager_enabled: false
wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/" wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
@ -35,85 +41,50 @@ wazuh_manager_sources_installation:
user_ca_store: null user_ca_store: null
threads: "2" threads: "2"
# wazuh_api_users: wazuh_manager_repo:
# - username: custom-user
# password: .S3cur3Pa55w0rd*- # Must comply with requirements (8+ length, uppercase, lowercase, specials chars)
wazuh_manager_config:
repo:
apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
yum: 'https://packages.wazuh.com/4.x/yum/' yum: 'https://packages.wazuh.com/4.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
json_output: 'yes'
alerts_log: 'yes'
logall: 'no' ##########################################
logall_json: 'no' ### Wazuh-OSSEC
log_format: 'plain' ##########################################
api:
bind_addr: 0.0.0.0 # groups to create
port: 55000 agent_groups: []
behind_proxy_server: no
https: yes ## Global
https_key: "api/configuration/ssl/server.key" wazuh_manager_json_output: 'yes'
https_cert: "api/configuration/ssl/server.crt" wazuh_manager_alerts_log: 'yes'
https_use_ca: False wazuh_manager_logall: 'no'
https_ca: "api/configuration/ssl/ca.crt" wazuh_manager_logall_json: 'no'
logging_level: "info"
logging_path: "logs/api.log" wazuh_manager_email_notification: 'no'
cors: no wazuh_manager_mailto:
cors_source_route: "*"
cors_expose_headers: "*"
cors_allow_headers: "*"
cors_allow_credentials: no
cache: yes
cache_time: 0.750
access_max_login_attempts: 5
access_block_time: 300
access_max_request_per_minute: 300
use_only_authd: no
drop_privileges: yes
experimental_features: no
cluster:
disable: 'yes'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- 'manager'
hidden: 'no'
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
authd:
enable: true
port: 1515
use_source_ip: 'no'
force_insert: 'yes'
force_time: 0
purge: 'yes'
use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert'
ssl_manager_key: 'sslmanager.key'
ssl_auto_negotiate: 'no'
email_notification: 'no'
mail_to:
- 'admin@example.net' - 'admin@example.net'
mail_smtp_server: smtp.example.wazuh.com
mail_from: ossecm@example.wazuh.com wazuh_manager_email_smtp_server: smtp.example.wazuh.com
mail_maxperhour: 12 wazuh_manager_email_from: ossecm@example.wazuh.com
mail_queue_size: 131072 wazuh_manager_email_maxperhour: 12
email_log_source: 'alerts.log' wazuh_manager_email_queue_size: 131072
extra_emails: wazuh_manager_email_log_source: 'alerts.log'
wazuh_manager_globals:
- '127.0.0.1'
- '^localhost.localdomain$'
- '127.0.0.53'
## Alerts
wazuh_manager_log_level: 3
wazuh_manager_email_level: 12
## Logging
wazuh_manager_log_format: 'plain'
## Email alerts
wazuh_manager_extra_emails:
- enable: false - enable: false
mail_to: 'recipient@example.wazuh.com' mail_to: 'recipient@example.wazuh.com'
format: full format: full
@ -123,7 +94,17 @@ wazuh_manager_config:
do_not_delay: false do_not_delay: false
do_not_group: false do_not_group: false
rule_id: null rule_id: null
reports:
## Remote
wazuh_manager_connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
## Reports
wazuh_manager_reports:
- enable: false - enable: false
category: 'syscheck' category: 'syscheck'
title: 'Daily report: File changes' title: 'Daily report: File changes'
@ -135,7 +116,100 @@ wazuh_manager_config:
srcip: null srcip: null
user: null user: null
showlogs: null showlogs: null
syscheck:
## Woodles
wazuh_manager_rootcheck:
frequency: 43200
wazuh_manager_openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
wazuh_manager_ciscat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
wazuh_manager_osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
wazuh_manager_syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
wazuh_manager_monitor_aws:
disabled: 'yes'
interval: '10m'
run_on_start: 'yes'
skip_on_error: 'yes'
s3:
- name: null
bucket_type: null
path: null
only_logs_after: null
access_key: null
secret_key: null
## SCA
wazuh_manager_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
## Vulnerability Detector
wazuh_manager_vulnerability_detector:
enabled: 'no'
interval: '5m'
ignore_time: '6h'
run_on_start: 'yes'
providers:
- enabled: 'no'
os:
- 'trusty'
- 'xenial'
- 'bionic'
update_interval: '1h'
name: '"canonical"'
- enabled: 'no'
os:
- 'wheezy'
- 'stretch'
- 'jessie'
- 'buster'
update_interval: '1h'
name: '"debian"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"redhat"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"nvd"'
## Syscheck
wazuh_manager_syscheck:
disable: 'no' disable: 'no'
frequency: 43200 frequency: 43200
scan_on_start: 'yes' scan_on_start: 'yes'
@ -176,113 +250,9 @@ wazuh_manager_config:
sync_interval: '5m' sync_interval: '5m'
sync_max_interval: '1h' sync_max_interval: '1h'
sync_max_eps: 10 sync_max_eps: 10
rootcheck:
frequency: 43200 ## Command
openscap: wazuh_manager_commands:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
cis_cat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
vulnerability_detector:
enabled: 'no'
interval: '5m'
ignore_time: '6h'
run_on_start: 'yes'
providers:
- enabled: 'no'
os:
- 'trusty'
- 'xenial'
- 'bionic'
update_interval: '1h'
name: '"canonical"'
- enabled: 'no'
os:
- 'wheezy'
- 'stretch'
- 'jessie'
- 'buster'
update_interval: '1h'
name: '"debian"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"redhat"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"nvd"'
log_level: 3
email_level: 12
localfiles:
common:
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
globals:
- '127.0.0.1'
- '^localhost.localdomain$'
- '127.0.0.53'
commands:
- name: 'disable-account' - name: 'disable-account'
executable: 'disable-account.sh' executable: 'disable-account.sh'
expect: 'user' expect: 'user'
@ -318,98 +288,233 @@ wazuh_manager_config:
executable: 'netsh-win-2016.cmd' executable: 'netsh-win-2016.cmd'
expect: 'srcip' expect: 'srcip'
timeout_allowed: 'yes' timeout_allowed: 'yes'
ruleset:
## Localfile
wazuh_manager_localfiles:
common:
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
## Syslog outputs
wazuh_manager_syslog_outputs:
- server: null
port: null
format: null
## Integrations
wazuh_manager_integrations:
# slack
- name: null
hook_url: '<hook_url>'
alert_level: 10
alert_format: 'json'
rule_id: null
# pagerduty
- name: null
api_key: '<api_key>'
alert_level: 12
## Labels
wazuh_manager_labels:
enable: false
list:
- key: Env
value: Production
## Ruleset
wazuh_manager_ruleset:
rules_path: 'custom_ruleset/rules/' rules_path: 'custom_ruleset/rules/'
decoders_path: 'custom_ruleset/decoders/' decoders_path: 'custom_ruleset/decoders/'
cdb_lists: cdb_lists:
- 'audit-keys' - 'audit-keys'
- 'security-eventchannel' - 'security-eventchannel'
- 'amazon/aws-eventnames' - 'amazon/aws-eventnames'
rule_exclude:
wazuh_manager_rule_exclude:
- '0215-policy_rules.xml' - '0215-policy_rules.xml'
syslog_outputs:
- server: null ## Auth
port: null wazuh_manager_authd:
format: null enable: true
integrations: port: 1515
#slack use_source_ip: 'no'
- name: null force_insert: 'yes'
hook_url: '<hook_url>' force_time: 0
alert_level: 10 purge: 'yes'
alert_format: 'json' use_password: 'no'
rule_id: null limit_maxagents: 'yes'
#pagerduty ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
- name: null ssl_agent_ca: null
api_key: '<api_key>' ssl_verify_host: 'no'
alert_level: 12 ssl_manager_cert: 'sslmanager.cert'
monitor_aws: ssl_manager_key: 'sslmanager.key'
disabled: 'yes' ssl_auto_negotiate: 'no'
interval: '10m'
run_on_start: 'yes' ## Cluster
skip_on_error: 'yes' wazuh_manager_cluster:
s3: disable: 'yes'
- name: null name: 'wazuh'
bucket_type: null node_name: 'manager_01'
path: null node_type: 'master'
only_logs_after: null key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
access_key: null port: '1516'
secret_key: null bind_addr: '0.0.0.0'
labels: nodes:
enable: false - 'manager'
list: hidden: 'no'
- key: Env
value: Production ## Wazuh API setup
wazuh_manager_api:
bind_addr: 0.0.0.0
port: 55000
behind_proxy_server: no
https: yes
https_key: "api/configuration/ssl/server.key"
https_cert: "api/configuration/ssl/server.crt"
https_use_ca: False
https_ca: "api/configuration/ssl/ca.crt"
logging_level: "info"
logging_path: "logs/api.log"
cors: no
cors_source_route: "*"
cors_expose_headers: "*"
cors_allow_headers: "*"
cors_allow_credentials: no
cache: yes
cache_time: 0.750
access_max_login_attempts: 5
access_block_time: 300
access_max_request_per_minute: 300
use_only_authd: no
drop_privileges: yes
experimental_features: no
# wazuh_api_users:
# - username: custom-user
# password: .S3cur3Pa55w0rd*- # Must comply with requirements (8+ length, uppercase, lowercase, specials chars)
# NOTE: As wazuh_manager_config is built dynamically per playbooks and ansible.cfg provided in the repo,
# we should also cover the case for partial settings in inventory variables overlayed on top of role's
# defaults with merge hash_behaviour. If you do a full replace instead of the hash_behaviour, set this to false.
#
# Please do notice this behaviour is deprecated in 2.13 and role will move away from it in future versions:
# https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour
#
wazuh_manager_config_overlay: true
## Other/Wrappers
wazuh_manager_config_defaults:
repo: '{{ wazuh_manager_repo }}'
json_output: '{{ wazuh_manager_json_output }}'
alerts_log: '{{ wazuh_manager_alerts_log }}'
logall: '{{ wazuh_manager_logall }}'
logall_json: '{{ wazuh_manager_logall_json }}'
log_format: '{{ wazuh_manager_log_format }}'
api: '{{ wazuh_manager_api }}'
cluster: '{{ wazuh_manager_cluster }}'
connection: '{{ wazuh_manager_connection }}'
authd: '{{ wazuh_manager_authd }}'
email_notification: '{{ wazuh_manager_email_notification }}'
mail_to: '{{ wazuh_manager_mailto }}'
mail_smtp_server: '{{ wazuh_manager_email_smtp_server }}'
mail_from: '{{ wazuh_manager_email_from }}'
mail_maxperhour: '{{ wazuh_manager_email_maxperhour }}'
mail_queue_size: '{{ wazuh_manager_email_queue_size }}'
email_log_source: '{{ wazuh_manager_email_log_source }}'
extra_emails: '{{ wazuh_manager_extra_emails }}'
reports: '{{ wazuh_manager_reports}}'
syscheck: '{{ wazuh_manager_syscheck }}'
rootcheck: '{{ wazuh_manager_rootcheck }}'
openscap: '{{ wazuh_manager_openscap }}'
cis_cat: '{{ wazuh_manager_ciscat }}'
osquery: '{{ wazuh_manager_osquery }}'
syscollector: '{{ wazuh_manager_syscollector }}'
sca: '{{ wazuh_manager_sca }}'
vulnerability_detector: '{{ wazuh_manager_vulnerability_detector }}'
log_level: '{{ wazuh_manager_log_level }}'
email_level: '{{ wazuh_manager_email_level }}'
localfiles: '{{ wazuh_manager_localfiles }}'
globals: '{{ wazuh_manager_globals }}'
commands: '{{ wazuh_manager_commands }}'
ruleset: '{{ wazuh_manager_ruleset }}'
rule_exclude: '{{ wazuh_manager_rule_exclude }}'
syslog_outputs: '{{ wazuh_manager_syslog_outputs }}'
integrations: '{{ wazuh_manager_integrations }}'
monitor_aws: '{{ wazuh_manager_monitor_aws }}'
labels: '{{ wazuh_manager_labels }}'
# shared-agent.conf
# shared_agent_config: # shared_agent_config:
# - type: os # - type: os
# type_value: Linux # type_value: Linux
# syscheck: # syscheck:
# frequency: 43200 # frequency: 43200
# scan_on_start: 'yes' # scan_on_start: 'yes'
# ignore: # ignore:
# - /etc/mtab # - /etc/mtab
# - /etc/mnttab # - /etc/mnttab
# - /etc/hosts.deny # - /etc/hosts.deny
# - /etc/mail/statistics # - /etc/mail/statistics
# - /etc/svc/volatile # - /etc/svc/volatile
# no_diff: # no_diff:
# - /etc/ssl/private.key # - /etc/ssl/private.key
# rootcheck: # rootcheck:
# frequency: 43200 # frequency: 43200
# cis_distribution_filename: null # cis_distribution_filename: null
# localfiles: # localfiles:
# - format: 'syslog' # - format: 'syslog'
# location: '/var/log/messages' # location: '/var/log/messages'
# - format: 'syslog' # - format: 'syslog'
# location: '/var/log/secure' # location: '/var/log/secure'
# - format: 'syslog' # - format: 'syslog'
# location: '/var/log/maillog' # location: '/var/log/maillog'
# - format: 'apache' # - format: 'apache'
# location: '/var/log/httpd/error_log' # location: '/var/log/httpd/error_log'
# - format: 'apache' # - format: 'apache'
# location: '/var/log/httpd/access_log' # location: '/var/log/httpd/access_log'
# - format: 'apache' # - format: 'apache'
# location: '/var/ossec/logs/active-responses.log' # location: '/var/ossec/logs/active-responses.log'
# - type: os # - type: os
# type_value: Windows # type_value: Windows
# syscheck: # syscheck:
# frequency: 43200 # frequency: 43200
# scan_on_start: 'yes' # scan_on_start: 'yes'
# auto_ignore: 'no' # auto_ignore: 'no'
# windows_registry: # windows_registry:
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' # - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
# arch: 'both' # arch: 'both'
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' # - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
# localfiles: # localfiles:
# - location: 'Security' # - location: 'Security'
# format: 'eventchannel' # format: 'eventchannel'
# - location: 'System' # - location: 'System'
# format: 'eventlog' # format: 'eventlog'
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_10.x"
agent_groups: [] # groups to create

8
roles/wazuh/ansible-wazuh-manager/tasks/main.yml
View File

@ -1,4 +1,12 @@
--- ---
- name: Overlay wazuh_manager_config on top of defaults
set_fact:
wazuh_manager_config: '{{ wazuh_manager_config_defaults | combine(config_layer, recursive=True) }}'
vars:
config_layer: '{{ wazuh_manager_config | default({}) }}'
when: wazuh_manager_config_overlay | bool
- name: "Install dependencies" - name: "Install dependencies"
package: package:
name: name: