afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Wazuh agent - Improvements

Browse Source
This commit is contained in:
Pedro Sanchez 2017-08-02 07:58:52 -07:00 committed by GitHub
commit 5e3055a730
4 changed files with 134 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
ansible-wazuh-agent/defaults/main.yml
View File

@ -1,31 +1,40 @@
---
wazuh_manager_ip: 127.0.0.1
wazuh_manager_proto: udp
wazuh_authd_port: 1515
wazuh_register_client: true
wazuh_register_client: false
wazuh_agent_config:
frequency_check: 43200
syscheck_scan_on_start: 'yes'
ignore_files:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
no_diff:
- /etc/ssl/private.key
directories:
- check_all: 'yes'
dirs: /etc,/usr/bin,/usr/sbin
- check_all: 'yes'
dirs: /bin,/sbin
syscheck:
frequency: 43200
scan_on_start: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
rootcheck:
frequency: 43200
openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
localfiles:
- format: 'syslog'
location: '/var/log/messages'

30
ansible-wazuh-agent/tasks/Debian.yml
View File

@ -3,9 +3,10 @@
apt: name="{{ item }}" state=present update_cache=yes
with_items:
- apt-transport-https
- ca-certificates
- name: Debian/Ubuntu | Installing repository key
shell: curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH
- name: Debian/Ubuntu | Add Wazuh repositories
apt_repository:
@ -13,7 +14,32 @@
state: present
update_cache: yes
- name: Set Distribution CIS filename for debian
- name: Debian/Ubuntu | Set Distribution CIS filename for debian
set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt
when: ansible_os_family == "Debian"
- name: Debian/Ubuntu | Install OpenScap
package: name={{ item }} state=present
when: wazuh_agent_config.openscap.disable == 'no'
with_items:
- libopenscap8
- xsltproc
tags:
- init
- name: Debian/Ubuntu | Get OpenScap installed version
shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
register: openscap_version
when: wazuh_agent_config.openscap.disable == 'no'
changed_when: true
tags:
- config
- name: Debian/Ubuntu | Check OpenScap version
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
register: openscap_version_valid
when: wazuh_agent_config.openscap.disable == 'no'
changed_when: true
tags:
- config

1
ansible-wazuh-agent/tasks/RedHat.yml
View File

@ -43,5 +43,6 @@
- name: RedHat/CentOS/RedHat | Install openscap
package: name=openscap-scanner state=present
when: wazuh_agent_config.openscap.disable == 'no'
tags:
- init

138
ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
View File

@ -11,7 +11,14 @@
{% if wazuh_profile is defined %}
<config-profile>{{ wazuh_profile }}</config-profile>
{% endif %}
<protocol>udp</protocol>
<protocol>{{ wazuh_manager_proto }}</protocol>
{% if wazuh_manager_port is defined %}
<port>{{ wazuh_manager_port }}</port>
{% endif %}
{% if wazuh_notify_time is defined and wazuh_time_reconnect is defined %}
<notify_time>{{ wazuh_notify_time }}</notify_time>
<time-reconnect>{{ wazuh_time_reconnect }}</time-reconnect>
{% endif %}
</client>
<rootcheck>
@ -25,8 +32,8 @@
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Rootcheck scan frequency -->
<frequency>43200</frequency>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
@ -40,26 +47,79 @@
</rootcheck>
<syscheck>
<!-- Syscgeck scan frequency -->
<frequency>{{ wazuh_agent_config.frequency_check }}</frequency>
<scan_on_start>{{ wazuh_agent_config.syscheck_scan_on_start }}</scan_on_start>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Directories to monitor -->
{% for directory in wazuh_agent_config.directories %}
<directories check_all="{{ directory.check_all }}">{{ directory.dirs }}</directories>
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.directories is defined %}
{% for directory in wazuh_agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% for ignore_file in wazuh_agent_config.ignore_files %}
<ignore>{{ ignore_file }}</ignore>
{% if wazuh_agent_config.syscheck.ignore is defined %}
{% for ignore in wazuh_agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- Files no diff -->
{% for no_diff in wazuh_agent_config.no_diff %}
{% for no_diff in wazuh_agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
</syscheck>
{% if wazuh_agent_config.openscap.disable == 'no' %}
<wodle name="open-scap">
<disabled>no</disabled>
<timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
<interval>{{ wazuh_agent_config.openscap.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.openscap.scan_on_start }}</scan-on-start>
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
<content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %}
{% if openscap_version_valid.stdout == "0" %}
<content type="xccdf" path="ssg-debian-8-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
<content type="oval" path="cve-debian-oval.xml"/>
{% elif ansible_distribution == 'CentOS' %}
{% if ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml">
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-centos-6-ds.xml">
{% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution == 'RedHat' %}
{% if ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml">
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-rhel-6-ds.xml">
{% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% if ansible_distribution_major_version == '7' %}
<content type="oval" path="cve-redhat-7-ds.xml"/>
{% elif ansible_distribution_major_version == '6' %}
<content type="oval" path="cve-redhat-6-ds.xml"/>
{% endif %}
{% elif ansible_distribution == 'Fedora' %}
<content type="xccdf" path="ssg-fedora-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
</wodle>
{% endif %}
<!-- Files to monitor (localfiles) -->
{% for localfile in wazuh_agent_config.localfiles %}
<localfile>
@ -73,58 +133,4 @@
</localfile>
{% endfor %}
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
<wodle name="open-scap">
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
</wodle>
{% elif ansible_distribution == 'CentOS' %}
<wodle name="open-scap">
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
{% if ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml">
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-centos-6-ds.xml">
{% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
</wodle>
{% elif ansible_distribution == 'RedHat' %}
<wodle name="open-scap">
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
{% if ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml">
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-rhel-6-ds.xml">
{% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
</wodle>
{% elif ansible_distribution == 'Fedora' %}
<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<content type="xccdf" path="ssg-fedora-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
</wodle>
{% endif %}
</ossec_config>