afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #335 from wazuh/feature-332-default-installation

Browse Source 
Changes to make `ossec.conf` equivalent to the default version
This commit is contained in:
Jose M. Garcia 2020-01-08 17:18:12 +01:00 committed by GitHub
commit 5c7590d632
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 133 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@ -53,11 +53,11 @@ All notable changes to this project will be documented in this file.
- Fixed Wazuh Agent registration using an Agent's name ([@jm404](https://github.com/jm404)) [PR#334](https://github.com/wazuh/wazuh-ansible/pull/334)
## [v3.10.2_7.3.2]
## [v3.11.0_7.3.2]
### Added
- Update to Wazuh v3.10.2
- Update to Wazuh v3.11.0
### Changed

1
roles/elastic-stack/ansible-kibana/defaults/main.yml
View File

@ -7,6 +7,7 @@ kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
elastic_stack_version: 7.5.1
wazuh_version: 3.11.0
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
# API credentials

40
roles/wazuh/ansible-wazuh-agent/defaults/main.yml
View File

@ -2,7 +2,7 @@
wazuh_agent_version: 3.11.0-1
wazuh_agent_sources_installation:
enabled: false
enabled: "false"
branch: "v3.11.0"
user_language: "y"
user_no_stop: "y"
@ -26,7 +26,7 @@ wazuh_agent_sources_installation:
wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
protocol: udp
api_port: 55000
api_proto: 'http'
api_user: null
@ -74,8 +74,6 @@ wazuh_agent_config:
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
remove_old_diff: 'yes'
restart_audit: 'yes'
win_audit_interval: 300
skip_nfs: 'yes'
ignore:
@ -93,6 +91,10 @@ wazuh_agent_config:
- /etc/svc/volatile
- /sys/kernel/security
- /sys/kernel/debug
- /dev/core
ignore_linux_type:
- '^/proc'
- '.log$|.swp$'
ignore_win:
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
no_diff:
@ -248,11 +250,11 @@ wazuh_agent_config:
osquery:
disable: 'yes'
run_daemon: 'yes'
bin_path_win: 'C:\ProgramData\osquery\osqueryd'
bin_path_win: 'C:\Program Files\osquery\osqueryd'
log_path: '/var/log/osquery/osqueryd.results.log'
log_path_win: 'C:\ProgramData\osquery\log\osqueryd.results.log'
log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
config_path_win: 'C:\ProgramData\osquery\osquery.conf'
config_path_win: 'C:\Program Files\osquery\osquery.conf'
add_labels: 'yes'
syscollector:
disable: 'no'
@ -274,18 +276,14 @@ wazuh_agent_config:
time: ''
cis_cat:
disable: 'yes'
install_java: 'yes'
install_java: 'no'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
java_path: 'wodles/java'
java_path_win: '\\server\jre\bin\java.exe'
ciscat_path: '/var/ossec/wodles/ciscat'
ciscat_path: 'wodles/ciscat'
ciscat_path_win: 'C:\cis-cat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
vuls:
disable: 'yes'
interval: '1d'
@ -318,16 +316,16 @@ wazuh_agent_config:
linux:
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
- format: 'command'
command: df -P -x squashfs -x tmpfs -x devtmpfs
frequency: '360'
- format: 'full_command'
command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
windows:
- format: 'eventlog'
location: 'Application'

27
roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
View File

@ -51,7 +51,6 @@
<rootcheck>
<disabled>no</disabled>
{% if ansible_system == "Linux" %}
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
@ -65,11 +64,6 @@
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
{% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if ansible_os_family == "Windows" %}
@ -118,6 +112,13 @@
{% endfor %}
{% endif %}
<!-- File types to ignore -->
{% if wazuh_agent_config.syscheck.ignore_linux_type is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %}
{% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
{% for ignore in wazuh_agent_config.syscheck.ignore_win %}
<ignore type="sregex">{{ ignore }}</ignore>
@ -132,13 +133,6 @@
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %}
<!-- Remove not monitored files -->
<remove_old_diff>{{ wazuh_agent_config.syscheck.remove_old_diff }}</remove_old_diff>
{% if ansible_system == "Linux"%}
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>{{ wazuh_agent_config.syscheck.restart_audit }}</restart_audit>
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
@ -234,13 +228,6 @@
<java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
{% endif %}
<ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
{% if ansible_system == "Linux" %}
{% for benchmark in wazuh_agent_config.cis_cat.content %}
<content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
<profile>{{ benchmark.profile }}</profile>
</content>
{% endfor %}
{% endif %}
</wodle>
{% endif %}

81
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -87,7 +87,7 @@ wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
protocol: 'udp'
queue_size: 131072
authd:
enable: true
@ -97,6 +97,8 @@ wazuh_manager_config:
force_time: 0
purge: 'no'
use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert'
@ -105,13 +107,14 @@ wazuh_manager_config:
email_notification: 'no'
mail_to:
- 'admin@example.net'
mail_smtp_server: localhost
mail_from: wazuh-server@example.com
mail_smtp_server: smtp.example.wazuh.com
mail_from: ossecm@example.wazuh.com
mail_maxperhour: 12
mail_queue_size: 131072
email_log_source: 'alerts.log'
extra_emails:
- enable: false
mail_to: 'admin@example.net'
mail_to: 'recipient@example.wazuh.com'
format: full
level: 7
event_location: null
@ -152,6 +155,10 @@ wazuh_manager_config:
- /etc/svc/volatile
- /sys/kernel/security
- /sys/kernel/debug
- /dev/core
ignore_linux_type:
- '^/proc'
- '.log$|.swp$'
no_diff:
- /etc/ssl/private.key
directories:
@ -164,8 +171,6 @@ wazuh_manager_config:
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
remove_old_diff: 'yes'
restart_audit: 'yes'
rootcheck:
frequency: 43200
openscap:
@ -181,10 +186,6 @@ wazuh_manager_config:
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
osquery:
disable: 'yes'
run_daemon: 'yes'
@ -209,20 +210,36 @@ wazuh_manager_config:
day: ''
wday: ''
time: ''
vul_detector:
disable: 'yes'
vulnerability_detector:
enabled: 'no'
interval: '5m'
ignore_time: '6h'
run_on_start: 'yes'
ubuntu:
disable: 'yes'
update_interval: '1h'
redhat:
disable: 'yes'
update_interval: '1h'
debian:
disable: 'yes'
update_interval: '1h'
providers:
- enabled: 'no'
os:
- 'precise'
- 'trusty'
- 'xenial'
- 'bionic'
update_interval: '1h'
name: '"canonical"'
- enabled: 'no'
os:
- 'wheezy'
- 'stretch'
- 'jessie'
- 'buster'
update_interval: '1h'
name: '"debian"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"redhat"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"nvd"'
vuls:
disable: 'yes'
interval: '1d'
@ -233,15 +250,15 @@ wazuh_manager_config:
- 'updatenvd'
- 'nvd-year 2016'
- 'autoupdate'
log_level: 1
log_level: 3
email_level: 12
localfiles:
common:
- format: 'command'
command: df -P -x squashfs -x tmpfs -x devtmpfs
command: df -P
frequency: '360'
- format: 'full_command'
command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
@ -268,18 +285,15 @@ wazuh_manager_config:
location: '/var/log/audit/audit.log'
globals:
- '127.0.0.1'
- '192.168.2.1'
- '^localhost.localdomain$'
- '127.0.0.53'
commands:
- name: 'disable-account'
executable: 'disable-account.sh'
expect: 'user'
timeout_allowed: 'yes'
# - name: 'restart-ossec'
# executable: 'restart-ossec.sh'
# expect: ''
# timeout_allowed: 'no'
- name: 'win_restart-ossec'
executable: 'restart-ossec.cmd'
- name: 'restart-ossec'
executable: 'restart-ossec.sh'
expect: ''
timeout_allowed: 'no'
- name: 'firewall-drop'
@ -298,6 +312,10 @@ wazuh_manager_config:
executable: 'route-null.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'win_route-null-2012'
executable: 'route-null-2012.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh'
executable: 'netsh.cmd'
expect: 'srcip'
@ -327,7 +345,6 @@ wazuh_agent_configs:
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab

1
roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml
View File

@ -61,6 +61,7 @@
state: directory
# When downloading "v3.11.0" extracted folder name is 3.11.0.
# Explicitly creating the folder with proper naming and striping first level in .tar.gz file
- name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip

91
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
View File

@ -18,7 +18,7 @@
<smtp_server>{{ wazuh_manager_config.mail_smtp_server }}</smtp_server>
<email_from>{{ wazuh_manager_config.mail_from }}</email_from>
<email_maxperhour>{{ wazuh_manager_config.mail_maxperhour }}</email_maxperhour>
<queue_size>{{ wazuh_manager_config.mail_queue_size }}</queue_size>
<email_log_source>{{ wazuh_manager_config.email_log_source }}</email_log_source>
</global>
<alerts>
@ -115,7 +115,6 @@
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
@ -129,11 +128,6 @@
<rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/default/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/default/system_audit_ssh.txt</system_audit>
{% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/default/{{ cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs>
</rootcheck>
@ -212,11 +206,6 @@
<java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path>
{% endif %}
<ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path>
{% for benchmark in wazuh_manager_config.cis_cat.content %}
<content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
<profile>{{ benchmark.profile }}</profile>
</content>
{% endfor %}
</wodle>
<!-- Osquery integration -->
@ -265,24 +254,40 @@
{% endif %}
</sca>
<wodle name="vulnerability-detector">
<disabled>{{ wazuh_manager_config.vul_detector.disable }}</disabled>
<interval>{{ wazuh_manager_config.vul_detector.interval }}</interval>
<ignore_time>{{ wazuh_manager_config.vul_detector.ignore_time }}</ignore_time>
<run_on_start>{{ wazuh_manager_config.vul_detector.run_on_start }}</run_on_start>
<feed name="ubuntu-18">
<disabled>{{ wazuh_manager_config.vul_detector.ubuntu.disable }}</disabled>
<update_interval>{{ wazuh_manager_config.vul_detector.ubuntu.update_interval }}</update_interval>
</feed>
<feed name="redhat">
<disabled>{{ wazuh_manager_config.vul_detector.redhat.disable }}</disabled>
<update_interval>{{ wazuh_manager_config.vul_detector.redhat.update_interval }}</update_interval>
</feed>
<feed name="debian-9">
<disabled>{{ wazuh_manager_config.vul_detector.debian.disable }}</disabled>
<update_interval>{{ wazuh_manager_config.vul_detector.debian.update_interval }}</update_interval>
</feed>
</wodle>
<vulnerability-detector>
{% if wazuh_manager_config.vulnerability_detector.enabled is defined %}
<enabled>{{ wazuh_manager_config.vulnerability_detector.enabled }}</enabled>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.interval is defined %}
<interval>{{ wazuh_manager_config.vulnerability_detector.interval }}</interval>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.ignore_time is defined %}
<ignore_time>{{ wazuh_manager_config.vulnerability_detector.ignore_time }}</ignore_time>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.run_on_start is defined %}
<run_on_start>{{ wazuh_manager_config.vulnerability_detector.run_on_start }}</run_on_start>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.providers is defined %}
{% for provider_ in wazuh_manager_config.vulnerability_detector.providers %}
<provider name={{ provider_.name }}>
{% if provider_.enabled is defined %}
<enabled>{{ provider_.enabled }}</enabled>
{% endif %}
{% if provider_.os is defined %}
{% for os_ in provider_.os %}
<os>{{ os_ }}</os>
{% endfor %}
{% endif %}
{% if provider_.update_from_year is defined %}
<update_from_year>{{ provider_.update_from_year }}</update_from_year>
{% endif %}
{% if provider_.update_interval is defined %}
<update_interval>{{ provider_.update_interval }}</update_interval>
{% endif %}
</provider>
{% endfor %}
{% endif %}
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
@ -293,7 +298,7 @@
<frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Don't ignore files that change more than 'frequency' times -->
<!-- Do not ignore files that change more than 'frequency' times -->
{% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %}
<auto_ignore {{ wazuh_manager_config.syscheck.auto_ignore_frequency.frequency }} {{ wazuh_manager_config.syscheck.auto_ignore_frequency.timeframe }}>{{wazuh_manager_config.syscheck.auto_ignore_frequency.value }}</auto_ignore>
{% endif %}
@ -312,6 +317,14 @@
{% endfor %}
{% endif %}
<!-- File types to ignore -->
{% if wazuh_manager_config.syscheck.ignore_linux_type is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %}
{% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- Files no diff -->
{% for no_diff in wazuh_manager_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
@ -319,16 +332,6 @@
{% if wazuh_manager_config.syscheck.skip_nfs is defined %}
<skip_nfs>{{ wazuh_manager_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %}
<!-- Remove not monitored files -->
{% if wazuh_manager_config.syscheck.remove_old_diff is defined %}
<remove_old_diff>{{ wazuh_manager_config.syscheck.remove_old_diff }}</remove_old_diff>
{% endif %}
<!-- Allow the system to restart Auditd after installing the plugin -->
{% if wazuh_manager_config.syscheck.restart_audit is defined %}
<restart_audit>{{ wazuh_manager_config.syscheck.restart_audit }}</restart_audit>
{% endif %}
</syscheck>
<global>
@ -390,6 +393,12 @@
{% if wazuh_manager_config.authd.use_password is not none %}
<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>
{% endif %}
{% if wazuh_manager_config.authd.limit_maxagents is not none %}
<limit_maxagents>{{wazuh_manager_config.authd.limit_maxagents}}</limit_maxagents>
{% endif %}
{% if wazuh_manager_config.authd.ciphers is not none %}
<ciphers>{{wazuh_manager_config.authd.ciphers}}</ciphers>
{% endif %}
{% if wazuh_manager_config.authd.ssl_agent_ca is not none %}
<ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>
{% endif %}

2
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
View File

@ -4,7 +4,9 @@
<agent_config {{ agent_config.type }}="{{ agent_config.type_value }}">
{% if agent_config.syscheck is defined %}
<syscheck>
{% if agent_config.syscheck.auto_ignore is defined %}
<auto_ignore>{{ agent_config.syscheck.auto_ignore }}</auto_ignore>
{% endif %}
<alert_new_files>{{ agent_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ agent_config.syscheck.frequency }}</frequency>

1
wazuh-qa Submodule

@ -0,0 +1 @@
Subproject commit 2699bb7ba8026daae2bb73f19ac50c2010b4677c