diff --git a/CHANGELOG.md b/CHANGELOG.md index f2f333cc..879c1617 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,11 +53,11 @@ All notable changes to this project will be documented in this file. - Fixed Wazuh Agent registration using an Agent's name ([@jm404](https://github.com/jm404)) [PR#334](https://github.com/wazuh/wazuh-ansible/pull/334) -## [v3.10.2_7.3.2] +## [v3.11.0_7.3.2] ### Added -- Update to Wazuh v3.10.2 +- Update to Wazuh v3.11.0 ### Changed diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 4e32c838..b82f4ce2 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -7,6 +7,7 @@ kibana_server_host: "0.0.0.0" kibana_server_port: "5601" elastic_stack_version: 7.5.1 wazuh_version: 3.11.0 + wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp # API credentials diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index d21dea91..4926e19d 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -140,7 +140,7 @@ - name: Select correct API protocol set_fact: elastic_api_protocol: "{% if kibana_xpack_security %}https{% else %}http{% endif %}" - + - name: Attempting to delete legacy Wazuh index if exists uri: url: "{{ elastic_api_protocol }}://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/.wazuh" diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 6645a4b3..c46992c6 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -2,7 +2,7 @@ wazuh_agent_version: 3.11.0-1 wazuh_agent_sources_installation: - enabled: false + enabled: "false" branch: "v3.11.0" user_language: "y" user_no_stop: "y" 
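Review bot: The new `wazuh_app_url` default in roles/elastic-stack/ansible-kibana/defaults/main.yml (hunk @@ -7,6) has no companion integrity value, so whatever task installs the Kibana plugin from it presumably has nothing beyond the TLS connection to pin the downloaded artifact against; the installing task is not in this diff, so this is inferred. Consider adding a checksum default next to it (e.g. `wazuh_app_checksum: ""` as a placeholder to be filled per release) and a comment such as `# Base URL of the Wazuh Kibana plugin package; see the install task for how the version is appended` so the expected URL layout is documented where the value lives.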
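Review bot: `enabled: "false"` in the @@ -2,7 hunk of roles/wazuh/ansible-wazuh-agent/defaults/main.yml turns a boolean into a non-empty string, which is truthy in a plain Jinja2 `{% if %}`; whether the consuming `when:` treats it as false depends on the Ansible version and on whether it applies `| bool`, and that task is not in this diff. The manager role keeps `enable: true` as a real boolean (see the `authd` context in the manager defaults hunk @@ -97,6), so the two roles now disagree in type for the same kind of switch. Keeping `enabled: false` and converting at the point of use with `| bool` where a string is really needed is the safer form.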
@@ -26,7 +26,7 @@ wazuh_agent_sources_installation: wazuh_managers: - address: 127.0.0.1 port: 1514 - protocol: tcp + protocol: udp api_port: 55000 api_proto: 'http' api_user: null @@ -74,8 +74,6 @@ wazuh_agent_config: scan_on_start: 'yes' auto_ignore: 'no' alert_new_files: 'yes' - remove_old_diff: 'yes' - restart_audit: 'yes' win_audit_interval: 300 skip_nfs: 'yes' ignore: @@ -93,6 +91,10 @@ wazuh_agent_config: - /etc/svc/volatile - /sys/kernel/security - /sys/kernel/debug + - /dev/core + ignore_linux_type: + - '^/proc' + - '.log$|.swp$' ignore_win: - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' no_diff: @@ -248,11 +250,11 @@ wazuh_agent_config: osquery: disable: 'yes' run_daemon: 'yes' - bin_path_win: 'C:\ProgramData\osquery\osqueryd' + bin_path_win: 'C:\Program Files\osquery\osqueryd' log_path: '/var/log/osquery/osqueryd.results.log' - log_path_win: 'C:\ProgramData\osquery\log\osqueryd.results.log' + log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log' config_path: '/etc/osquery/osquery.conf' - config_path_win: 'C:\ProgramData\osquery\osquery.conf' + config_path_win: 'C:\Program Files\osquery\osquery.conf' add_labels: 'yes' syscollector: disable: 'no' @@ -274,18 +276,14 @@ wazuh_agent_config: time: '' cis_cat: disable: 'yes' - install_java: 'yes' + install_java: 'no' timeout: 1800 interval: '1d' scan_on_start: 'yes' - java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' + java_path: 'wodles/java' java_path_win: '\\server\jre\bin\java.exe' - ciscat_path: '/var/ossec/wodles/ciscat' + ciscat_path: 'wodles/ciscat' ciscat_path_win: 'C:\cis-cat' - content: - - type: 'xccdf' - path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml' - profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' vuls: disable: 'yes' interval: '1d' 
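Review bot: Switching the default agent-to-manager transport from `tcp` to `udp` in the @@ -26,7 hunk of roles/wazuh/ansible-wazuh-agent/defaults/main.yml is a behaviour change for every inventory that relies on the default, and the CHANGELOG hunk in this commit only records the version bump. The manager defaults make the matching switch at @@ -87,7 in roles/wazuh/ansible-wazuh-manager/defaults/main.yml, which keeps a fresh deployment consistent, but an inventory that overrides only one side will now have mismatched protocols and its agents will not connect. UDP also gives no delivery guarantee for forwarded events, which matters for a log-collection channel; if the change is intentional, a changelog line such as `- Default agent/manager connection protocol changed from tcp to udp` and a comment next to the key would make it visible.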
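Review bot: In the @@ -93,6 hunk the new `ignore_linux_type` pattern `'.log$|.swp$'` uses an unescaped `.`, which matches any character, so paths such as `/etc/catalog` or anything ending in `alog` or `bswp` are silently excluded from file-integrity monitoring; `'\.log$|\.swp$'` (single quotes keep the backslash literal) matches only the intended suffixes. The same pattern is added to the manager defaults at @@ -152,6 in roles/wazuh/ansible-wazuh-manager/defaults/main.yml. The template that renders this list only does so when `ansible_distribution == 'CentOS'` and the major version is `7` (hunk @@ -118,6 of the agent template and @@ -312,6 of the server template), so the key name `ignore_linux_type` overstates its scope; a comment such as `# Extra syscheck ignore patterns; currently rendered only on CentOS 7` next to the key would prevent surprises on other distributions.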
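Review bot: The @@ -274,18 hunk changes the agent's `java_path` to the relative `'wodles/java'` while the manager defaults keep the absolute `'/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'` (context in hunk @@ -181,10 of roles/wazuh/ansible-wazuh-manager/defaults/main.yml), so the two roles now disagree on where Java is expected. A relative path is presumably resolved against the Wazuh installation directory, but nothing on the page states that, and with `install_java: 'no'` the wodle has nothing to run unless that directory is populated by some other step. Either align both roles or add a comment such as `# Relative to the Wazuh installation directory; set install_java to 'yes' or point this at an existing JRE` to document the expectation.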
@@ -318,16 +316,16 @@ wazuh_agent_config: linux: - format: 'syslog' location: '/var/ossec/logs/active-responses.log' - - format: 'command' - command: df -P -x squashfs -x tmpfs -x devtmpfs - frequency: '360' - - format: 'full_command' - command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t - alias: 'netstat listening ports' - frequency: '360' - format: 'full_command' command: 'last -n 20' frequency: '360' + - format: 'command' + command: df -P + frequency: '360' + - format: 'full_command' + command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + alias: 'netstat listening ports' + frequency: '360' windows: - format: 'eventlog' location: 'Application' diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index 61c28012..6629da08 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -51,7 +51,6 @@ no {% if ansible_system == "Linux" %} - yes yes yes yes @@ -65,11 +64,6 @@ /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt - /var/ossec/etc/shared/system_audit_rcl.txt - /var/ossec/etc/shared/system_audit_ssh.txt - {% if cis_distribution_filename is defined %} - /var/ossec/etc/shared/{{ cis_distribution_filename }} - {% endif %} yes {% endif %} {% if ansible_os_family == "Windows" %} 
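Review bot: The @@ -318,16 hunk replaces the `ss -nutal | awk ...` collector with `netstat -tulpn | sed ...`; `netstat` comes from net-tools, which is no longer installed by default on current CentOS/RHEL and Debian/Ubuntu releases, whereas `ss` ships with iproute2 on every systemd host, so the new `full_command` will produce errors instead of a listening-ports inventory on a large share of agents. The same command is introduced in the manager defaults at @@ -233,15 in roles/wazuh/ansible-wazuh-manager/defaults/main.yml. The `df -P` change also drops the `-x squashfs -x tmpfs -x devtmpfs` exclusions, so snap and tmpfs mounts will now appear in every disk report. The long sed pipeline is a plain (unquoted) scalar containing both `'` and `\`; a block scalar (`command: >-` with the pipeline on the next line) would be the robust YAML form for it.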
@@ -118,6 +112,13 @@ {% endfor %} {% endif %} + + {% if wazuh_agent_config.syscheck.ignore_linux_type is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %} + {% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %} + {{ ignore }} + {% endfor %} + {% endif %} + {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %} {% for ignore in wazuh_agent_config.syscheck.ignore_win %} {{ ignore }} @@ -132,13 +133,6 @@ {{ wazuh_agent_config.syscheck.skip_nfs }} {% endif %} - - {{ wazuh_agent_config.syscheck.remove_old_diff }} - - {% if ansible_system == "Linux"%} - - {{ wazuh_agent_config.syscheck.restart_audit }} - {% endif %} {% if ansible_os_family == "Windows" %} {% for registry_key in wazuh_agent_config.syscheck.windows_registry %} @@ -234,13 +228,6 @@ {{ wazuh_agent_config.cis_cat.java_path }} {% endif %} {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %} - {% if ansible_system == "Linux" %} - {% for benchmark in wazuh_agent_config.cis_cat.content %} - - {{ benchmark.profile }} - - {% endfor %} - {% endif %} {% endif %} diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index bd039d68..d075b3cb 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -87,7 +87,7 @@ wazuh_manager_config: connection: - type: 'secure' port: '1514' - protocol: 'tcp' + protocol: 'udp' queue_size: 131072 authd: enable: true @@ -97,6 +97,8 @@ wazuh_manager_config: force_time: 0 purge: 'no' use_password: 'no' + limit_maxagents: 'yes' + ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' ssl_agent_ca: null ssl_verify_host: 'no' ssl_manager_cert: 'sslmanager.cert' 
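Review bot: The new `ciphers` string in the @@ -97,6 hunk of roles/wazuh/ansible-wazuh-manager/defaults/main.yml is emitted verbatim into authd's configuration by the server template hunk @@ -390,6 whenever it is not null, but nothing next to the key says so; a comment such as `# Set to null to omit the element and let authd use its built-in cipher list` would make the override path clear, as the neighbouring `ssl_agent_ca: null` already relies on that convention. `limit_maxagents: 'yes'` is likewise undocumented; a one-line comment naming which maximum it enforces (the page does not show where that limit is configured) would help operators reading the defaults.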
@@ -105,13 +107,14 @@ wazuh_manager_config: email_notification: 'no' mail_to: - 'admin@example.net' - mail_smtp_server: localhost - mail_from: wazuh-server@example.com + mail_smtp_server: smtp.example.wazuh.com + mail_from: ossecm@example.wazuh.com mail_maxperhour: 12 mail_queue_size: 131072 + email_log_source: 'alerts.log' extra_emails: - enable: false - mail_to: 'admin@example.net' + mail_to: 'recipient@example.wazuh.com' format: full level: 7 event_location: null @@ -152,6 +155,10 @@ wazuh_manager_config: - /etc/svc/volatile - /sys/kernel/security - /sys/kernel/debug + - /dev/core + ignore_linux_type: + - '^/proc' + - '.log$|.swp$' no_diff: - /etc/ssl/private.key directories: @@ -164,8 +171,6 @@ wazuh_manager_config: timeframe: 'timeframe="3600"' value: 'no' skip_nfs: 'yes' - remove_old_diff: 'yes' - restart_audit: 'yes' rootcheck: frequency: 43200 openscap: @@ -181,10 +186,6 @@ wazuh_manager_config: scan_on_start: 'yes' java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' ciscat_path: 'wodles/ciscat' - content: - - type: 'xccdf' - path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml' - profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' osquery: disable: 'yes' run_daemon: 'yes' 
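Review bot: The @@ -105,13 hunk adds `email_log_source` and keeps `mail_queue_size: 131072`, but the server template hunk @@ -18,7 in var-ossec-etc-ossec-server.conf.j2 replaces the line that rendered `mail_queue_size` with one rendering `email_log_source`, so `mail_queue_size` becomes a dead default that operators may set without effect; the template should add the new line rather than substitute it, or the key should be dropped here. The SMTP defaults also move from `localhost` to `smtp.example.wazuh.com` and `ossecm@example.wazuh.com`; these are inert while `email_notification: 'no'`, but a comment such as `# Placeholder values; override before enabling email_notification` would make that explicit.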
@@ -209,20 +210,36 @@ wazuh_manager_config: day: '' wday: '' time: '' - vul_detector: - disable: 'yes' + vulnerability_detector: + enabled: 'no' interval: '5m' ignore_time: '6h' run_on_start: 'yes' - ubuntu: - disable: 'yes' - update_interval: '1h' - redhat: - disable: 'yes' - update_interval: '1h' - debian: - disable: 'yes' - update_interval: '1h' + providers: + - enabled: 'no' + os: + - 'precise' + - 'trusty' + - 'xenial' + - 'bionic' + update_interval: '1h' + name: '"canonical"' + - enabled: 'no' + os: + - 'wheezy' + - 'stretch' + - 'jessie' + - 'buster' + update_interval: '1h' + name: '"debian"' + - enabled: 'no' + update_from_year: '2010' + update_interval: '1h' + name: '"redhat"' + - enabled: 'no' + update_from_year: '2010' + update_interval: '1h' + name: '"nvd"' vuls: disable: 'yes' interval: '1d' @@ -233,15 +250,15 @@ wazuh_manager_config: - 'updatenvd' - 'nvd-year 2016' - 'autoupdate' - log_level: 1 + log_level: 3 email_level: 12 localfiles: common: - format: 'command' - command: df -P -x squashfs -x tmpfs -x devtmpfs + command: df -P frequency: '360' - format: 'full_command' - command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t + command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d alias: 'netstat listening ports' frequency: '360' - format: 'full_command' 
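Review bot: In the @@ -209,20 hunk each provider `name` carries its own double quotes (`'"canonical"'`, `'"nvd"'`), which pushes XML attribute quoting into the data: an operator who writes the natural `name: 'nvd'` will presumably get an unquoted attribute and an invalid configuration, though the template line that consumes `name` is not visible in the rendered hunk. Quoting at the point of use in the template and keeping plain values here (`name: 'canonical'`) removes that trap. The rename from `vul_detector` to `vulnerability_detector` also silently invalidates existing overrides and is not in the CHANGELOG hunk; a comment listing the accepted provider names and noting that `os` applies to the canonical/debian entries while `update_from_year` applies to redhat/nvd would make the new structure self-describing.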
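Review bot: `log_level: 1` becomes `log_level: 3` in the @@ -233,15 hunk; if this key maps to the alerts log level, alerts of level 1 and 2 are no longer written, which narrows what downstream detection pipelines receive and is not mentioned in the CHANGELOG hunk. A comment such as `# Minimum alert level written to the alerts log` beside the key, plus a changelog entry, would document the choice for operators comparing old and new deployments.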
@@ -268,18 +285,15 @@ wazuh_manager_config: location: '/var/log/audit/audit.log' globals: - '127.0.0.1' - - '192.168.2.1' + - '^localhost.localdomain$' + - '127.0.0.53' commands: - name: 'disable-account' executable: 'disable-account.sh' expect: 'user' timeout_allowed: 'yes' - # - name: 'restart-ossec' - # executable: 'restart-ossec.sh' - # expect: '' - # timeout_allowed: 'no' - - name: 'win_restart-ossec' - executable: 'restart-ossec.cmd' + - name: 'restart-ossec' + executable: 'restart-ossec.sh' expect: '' timeout_allowed: 'no' - name: 'firewall-drop' @@ -298,6 +312,10 @@ wazuh_manager_config: executable: 'route-null.cmd' expect: 'srcip' timeout_allowed: 'yes' + - name: 'win_route-null-2012' + executable: 'route-null-2012.cmd' + expect: 'srcip' + timeout_allowed: 'yes' - name: 'netsh' executable: 'netsh.cmd' expect: 'srcip' @@ -327,7 +345,6 @@ wazuh_agent_configs: syscheck: frequency: 43200 scan_on_start: 'yes' - auto_ignore: 'no' alert_new_files: 'yes' ignore: - /etc/mtab diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml index fe78cdbb..10203cb9 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml @@ -61,6 +61,7 @@ state: directory # When downloading "v3.11.0" extracted folder name is 3.11.0. + # Explicitly creating the folder with proper naming and striping first level in .tar.gz file - name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index b4d27e14..99201c29 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 
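Review bot: The @@ -268,18 hunk removes the `win_restart-ossec` command (`restart-ossec.cmd`) while re-enabling `restart-ossec`, so any active-response entry that referenced `win_restart-ossec` for Windows agents will now name an undefined command; whether such a reference exists elsewhere in the role is not visible here. The new white-list entry `'^localhost.localdomain$'` has an unescaped `.`, so `'^localhost\.localdomain$'` is the precise form, and `127.0.0.53` deserves a comment (`# systemd-resolved stub resolver`) explaining why it is exempted from active responses.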
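Review bot: The new comment in the @@ -61,6 hunk of roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml reads `striping`; `# Explicitly creating the folder with proper naming and stripping the first level of the .tar.gz file` is the intended wording, and the neighbouring context comment's `properlyh` could be corrected in the same touch.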
+++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -18,7 +18,7 @@ {{ wazuh_manager_config.mail_smtp_server }} {{ wazuh_manager_config.mail_from }} {{ wazuh_manager_config.mail_maxperhour }} - {{ wazuh_manager_config.mail_queue_size }} + {{ wazuh_manager_config.email_log_source }} @@ -115,7 +115,6 @@ no - yes yes yes yes @@ -129,11 +128,6 @@ /var/ossec/etc/shared/default/rootkit_files.txt /var/ossec/etc/shared/default/rootkit_trojans.txt - /var/ossec/etc/shared/default/system_audit_rcl.txt - /var/ossec/etc/shared/default/system_audit_ssh.txt - {% if cis_distribution_filename is defined %} - /var/ossec/etc/shared/default/{{ cis_distribution_filename }} - {% endif %} yes @@ -212,11 +206,6 @@ {{ wazuh_manager_config.cis_cat.java_path }} {% endif %} {{ wazuh_manager_config.cis_cat.ciscat_path }} - {% for benchmark in wazuh_manager_config.cis_cat.content %} - - {{ benchmark.profile }} - - {% endfor %} 
@@ -265,24 +254,40 @@ {% endif %} - - {{ wazuh_manager_config.vul_detector.disable }} - {{ wazuh_manager_config.vul_detector.interval }} - {{ wazuh_manager_config.vul_detector.ignore_time }} - {{ wazuh_manager_config.vul_detector.run_on_start }} - - {{ wazuh_manager_config.vul_detector.ubuntu.disable }} - {{ wazuh_manager_config.vul_detector.ubuntu.update_interval }} - - - {{ wazuh_manager_config.vul_detector.redhat.disable }} - {{ wazuh_manager_config.vul_detector.redhat.update_interval }} - - - {{ wazuh_manager_config.vul_detector.debian.disable }} - {{ wazuh_manager_config.vul_detector.debian.update_interval }} - - + + {% if wazuh_manager_config.vulnerability_detector.enabled is defined %} + {{ wazuh_manager_config.vulnerability_detector.enabled }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.interval is defined %} + {{ wazuh_manager_config.vulnerability_detector.interval }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.ignore_time is defined %} + {{ wazuh_manager_config.vulnerability_detector.ignore_time }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.run_on_start is defined %} + {{ wazuh_manager_config.vulnerability_detector.run_on_start }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.providers is defined %} + {% for provider_ in wazuh_manager_config.vulnerability_detector.providers %} + + {% if provider_.enabled is defined %} + {{ provider_.enabled }} + {% endif %} + {% if provider_.os is defined %} + {% for os_ in provider_.os %} + {{ os_ }} + {% endfor %} + {% endif %} + {% if provider_.update_from_year is defined %} + {{ provider_.update_from_year }} + {% endif %} + {% if provider_.update_interval is defined %} + {{ provider_.update_interval }} + {% endif %} + + {% endfor %} + {% endif %} + 
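Review bot: The @@ -265,24 hunk reads `wazuh_manager_config.vulnerability_detector.enabled is defined` without first checking that `wazuh_manager_config.vulnerability_detector` itself exists, so an inventory that still carries the old `vul_detector` key removed in this commit fails at render time with an undefined-attribute error rather than a clear message; guarding the whole block with `{% if wazuh_manager_config.vulnerability_detector is defined %}` would give a clean skip. The provider `name` used for the element's attribute is not visible in the rendered hunk, so the quoting contract between this loop and the `'"canonical"'`-style values in the defaults cannot be confirmed here. As a point of style, the loop variables `provider_` and `os_` carry trailing underscores that nothing on the page requires; `provider` and `os_name` would read more naturally.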
@@ -293,7 +298,7 @@ {{ wazuh_manager_config.syscheck.frequency }} {{ wazuh_manager_config.syscheck.scan_on_start }} - + {% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %} {{wazuh_manager_config.syscheck.auto_ignore_frequency.value }} {% endif %} @@ -312,6 +317,14 @@ {% endfor %} {% endif %} + + {% if wazuh_manager_config.syscheck.ignore_linux_type is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %} + {% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %} + {{ ignore }} + {% endfor %} + {% endif %} + + {% for no_diff in wazuh_manager_config.syscheck.no_diff %} {{ no_diff }} @@ -319,16 +332,6 @@ {% if wazuh_manager_config.syscheck.skip_nfs is defined %} {{ wazuh_manager_config.syscheck.skip_nfs }} {% endif %} - - - {% if wazuh_manager_config.syscheck.remove_old_diff is defined %} - {{ wazuh_manager_config.syscheck.remove_old_diff }} - {% endif %} - - - {% if wazuh_manager_config.syscheck.restart_audit is defined %} - {{ wazuh_manager_config.syscheck.restart_audit }} - {% endif %} @@ -390,6 +393,12 @@ {% if wazuh_manager_config.authd.use_password is not none %} {{wazuh_manager_config.authd.use_password}} {% endif %} + {% if wazuh_manager_config.authd.limit_maxagents is not none %} + {{wazuh_manager_config.authd.limit_maxagents}} + {% endif %} + {% if wazuh_manager_config.authd.ciphers is not none %} + {{wazuh_manager_config.authd.ciphers}} + {% endif %} {% if wazuh_manager_config.authd.ssl_agent_ca is not none %} /var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}} {% endif %} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 index 4ae5a145..77e64fbf 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 
@@ -4,7 +4,9 @@ {% if agent_config.syscheck is defined %} + {% if agent_config.syscheck.auto_ignore is defined %} {{ agent_config.syscheck.auto_ignore }} + {% endif %} {{ agent_config.syscheck.alert_new_files }} {{ agent_config.syscheck.frequency }} diff --git a/wazuh-qa b/wazuh-qa new file mode 160000 index 00000000..2699bb7b --- /dev/null +++ b/wazuh-qa @@ -0,0 +1 @@ +Subproject commit 2699bb7ba8026daae2bb73f19ac50c2010b4677c
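Review bot: The new `wazuh-qa` gitlink pinned to commit 2699bb7b arrives without a `.gitmodules` change anywhere in this diff, so unless that file is updated in a separate commit the submodule has no recorded URL and `git submodule update --init` cannot fetch it. Pulling an external repository into a release-bump commit also widens what the roles depend on; a line in the CHANGELOG hunk stating why the QA repository is vendored as a submodule, and the `.gitmodules` entry with its `url`, would make the dependency reviewable.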