ossec.conf for windows agents

roles/wazuh/ansible-wazuh-agent/defaults/main.yml

@@ -31,6 +31,7 @@ wazuh_agent_config:
   active_response:
      ar_disabled: 'no'
      ca_store: '/var/ossec/etc/wpk_root.pem'
+     ca_store_win: 'wpk_root.pem'
      ca_verification: 'yes'
   log_format: 'plain'
   client_buffer:
@@ -44,6 +45,7 @@ wazuh_agent_config:
     alert_new_files: 'yes'
     remove_old_diff: 'yes'
     restart_audit: 'yes'
+    win_audit_interval: 300
     skip_nfs: 'yes'
     ignore:
       - /etc/mtab
@@ -61,6 +63,8 @@ wazuh_agent_config:
       - /etc/svc/volatile
       - /sys/kernel/security
       - /sys/kernel/debug
+    ignore_win:
+      - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
     no_diff:
       - /etc/ssl/private.key
     directories:
@@ -68,10 +72,142 @@ wazuh_agent_config:
         checks: 'check_all="yes"'
       - dirs: /bin,/sbin
         checks: 'check_all="yes"'
+    win_directories:
+      - dirs: '%WINDIR%\regedit.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\system.ini'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\win.ini'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\at.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\attrib.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\cacls.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\cmd.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\drivers\etc'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\eventcreate.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\ftp.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\lsass.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\net.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\net1.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\netsh.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\reg.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\regedt32.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\regsvr32.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\runas.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\sc.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\schtasks.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\sethc.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\subst.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\wbem\WMIC.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\SysNative\winrm.vbs'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\at.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\attrib.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\cacls.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\cmd.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\drivers\etc'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\eventcreate.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\ftp.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\net.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\net1.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\netsh.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\reg.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\regedit.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\regedt32.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\regsvr32.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\runas.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\sc.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\schtasks.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\sethc.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\subst.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\wbem\WMIC.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe'
+        checks: 'check_all="yes"'
+      - dirs: '%WINDIR%\System32\winrm.vbs'
+        checks: 'check_all="yes"'
+      - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
+        checks: 'check_all="yes" realtime="yes"'
     windows_registry:
       - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
-        arch: 'both'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
       - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
+        arch: "both"
+      - key: 'HKEY_LOCAL_MACHINE\Software\Policies'
+        arch: "both"
+      - key: 'HKEY_LOCAL_MACHINE\Security'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
+        arch: "both"
+      - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
+      - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
+      - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
+        arch: "both"
+      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
+        arch: "both"
+      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
+        arch: "both"
+      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
+        arch: "both"
+      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
+        arch: "both"
+      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+        arch: "both"
+      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
+        arch: "both"
+    windows_registry_ignore:
+      - key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
+      - key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
+      - key: '\Enum$'
+        type: "sregex"
   rootcheck:
     frequency: 43200
   openscap:
@@ -82,8 +218,11 @@ wazuh_agent_config:
   osquery:
     disable: 'yes'
     run_daemon: 'yes'
+    bin_path_win: 'C:\ProgramData\osquery\osqueryd'
     log_path: '/var/log/osquery/osqueryd.results.log'
+    log_path_win: 'C:\ProgramData\osquery\log\osqueryd.results.log'
     config_path: '/etc/osquery/osquery.conf'
+    config_path_win: 'C:\ProgramData\osquery\osquery.conf'
     ad_labels: 'yes'
   syscollector:
     disable: 'no'
@@ -102,7 +241,9 @@ wazuh_agent_config:
     interval: '1d'
     scan_on_start: 'yes'
     java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
+    java_path_win: '\\server\jre\bin\java.exe'
     ciscat_path: '/var/ossec/wodles/ciscat'
+    ciscat_path_win: 'C:\cis-cat'
     content:
       - type: 'xccdf'
         path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
@@ -136,7 +277,7 @@ wazuh_agent_config:
         location: '/var/log/maillog'
       - format: 'audit'
         location: '/var/log/audit/audit.log'
-    common:
+    linux:
       - format: 'syslog'
         location: '/var/ossec/logs/active-responses.log'
       - format: 'command'
@@ -149,3 +290,13 @@ wazuh_agent_config:
       - format: 'full_command'
         command: 'last -n 20'
         frequency: '360'
+    windows:
+      - format: 'eventlog' 
+        location: 'Application'
+      - format: 'eventchannel'
+        location: 'Security'
+        query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'  
+      - format: 'eventlog'
+        location: 'System'
+      - format: 'syslog'
+        location: 'active-response\active-responses.log'

roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2

@@ -43,13 +43,14 @@
 
   <active-response>
     <disabled>{{ wazuh_agent_config.active_response.ar|default('no') }}</disabled>
-    <ca_store>{{ wazuh_agent_config.active_response.ca_store }}</ca_store>
+    <ca_store>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %}</ca_store>
     <ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
   </active-response>
 
   {% if wazuh_agent_config.rootcheck is defined %}
   <rootcheck>
     <disabled>no</disabled>
+    {% if ansible_system == "Linux" %}
     <check_unixaudit>yes</check_unixaudit>
     <check_files>yes</check_files>
     <check_trojans>yes</check_trojans>
@@ -62,13 +63,6 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>
 
-    {% if ansible_os_family == "Windows" %}
-    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
-    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
-    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
-    {% endif %}
-
-    {% if ansible_system == "Linux" %}
     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
@@ -76,9 +70,15 @@
     {% if cis_distribution_filename is defined %}
     <system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
     {% endif %}
+    <skip_nfs>yes</skip_nfs>
+    {% endif %}
+
+    {% if ansible_os_family == "Windows" %}
+    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
+    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
+    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
     {% endif %}
 
-    <skip_nfs>yes</skip_nfs>
   </rootcheck>
   {% endif %}
 
@@ -86,43 +86,60 @@
   {% if wazuh_agent_config.syscheck is defined %}
   <syscheck>
     <disabled>no</disabled>
+<!--    #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
+    <!-- Frequency that syscheck is executed -- default every 20 hours -->
+    <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
     {% if ansible_system == "Linux" %}
 <!--    #<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
     <directories check_all="yes">/bin,/sbin,/boot</directories>
-    {% endif %}
 
     <auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
-<!--    #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
-    <!-- Frequency that syscheck is executed -- default every 20 hours -->
-    <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
     <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
+    {% endif %}
 
     <!-- Directories to check  (perform all possible verifications) -->
-    {% if wazuh_agent_config.syscheck.directories is defined %}
+    {% if wazuh_agent_config.syscheck.directories is defined and ansible_os_family == "Linux" %}
     {% for directory in wazuh_agent_config.syscheck.directories %}
     <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
     {% endfor %}
     {% endif %}
 
+    <!-- Directories to check  (perform all possible verifications) -->
+    {% if wazuh_agent_config.syscheck.win_directories is defined and ansible_os_family == "Windows" %}
+    {% for directory in wazuh_agent_config.syscheck.win_directories %}
+    <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
+    {% endfor %}
+    {% endif %}
+
     <!-- Files/directories to ignore -->
-    {% if wazuh_agent_config.syscheck.ignore is defined %}
+    {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %}
     {% for ignore in wazuh_agent_config.syscheck.ignore %}
     <ignore>{{ ignore }}</ignore>
     {% endfor %}
     {% endif %}
 
+    {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
+    {% for ignore in wazuh_agent_config.syscheck.ignore_win %}
+    <ignore type="sregex">{{ ignore }}</ignore>
+    {% endfor %}
+    {% endif %}
+
+    {% if ansible_system == "Linux" %}
     <!-- Files no diff -->
     {% for no_diff in wazuh_agent_config.syscheck.no_diff %}
     <nodiff>{{ no_diff }}</nodiff>
     {% endfor %}
 
     <skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
+    {% endif %}
     <!-- Remove not monitored files -->
     <remove_old_diff>{{ wazuh_agent_config.syscheck.remove_old_diff }}</remove_old_diff>
 
+    {% if ansible_system == "Linux"%}
     <!-- Allow the system to restart Auditd after installing the plugin -->
     <restart_audit>{{ wazuh_agent_config.syscheck.restart_audit }}</restart_audit>
+    {% endif %} 
 
     {% if ansible_os_family == "Windows" %}
     {% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
@@ -133,6 +150,21 @@
     {% endif %}
     {% endfor %}
     {% endif %}
+
+    {% if ansible_os_family == "Windows" %}
+    {% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %}
+    {% if registry_key.type is defined %}
+    <registry_ignore type="{{ registry_key.type }}">{{ registry_key.key }}</registry_ignore>
+    {% else %}
+    <registry_ignore>{{ registry_key.key }}</registry_ignore>
+    {% endif %}
+    {% endfor %}
+    {% endif %}
+
+    {% if ansible_os_family == "Windows" %}
+    <!-- Frequency for ACL checking (seconds) -->
+    <windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
+    {% endif %}
   </syscheck>
   {% endif %}
 
@@ -189,7 +221,7 @@
   </wodle>
   {% endif %}
 
-  {% if ansible_system == "Linux" and wazuh_agent_config.cis_cat.disable == 'no' %}
+  {% if wazuh_agent_config.cis_cat.disable == 'no' %}
   <wodle name="cis-cat">
     <disabled>no</disabled>
     <timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
@@ -197,15 +229,19 @@
     <scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start>
     {% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %}
     <java_path>/usr/bin</java_path>
+    {% elif ansible_os_family == "Windows" %}
+    <java_path>{{ wazuh_agent_config.cis_cat.java_path_win }}</java_path>
     {% else %}
     <java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
     {% endif %}
-    <ciscat_path>{{ wazuh_agent_config.cis_cat.ciscat_path }}</ciscat_path>
+    <ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
+    {% if ansible_system == "Linux" %}
     {% for benchmark in wazuh_agent_config.cis_cat.content %}
     <content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
       <profile>{{ benchmark.profile }}</profile>
     </content>
     {% endfor %}
+    {% endif %}
   </wodle>
   {% endif %}
 
@@ -213,8 +249,11 @@
   <wodle name="osquery">
     <disabled>{{ wazuh_agent_config.osquery.disable }}</disabled>
     <run_daemon>{{ wazuh_agent_config.osquery.run_daemon }}</run_daemon>
-    <log_path>{{ wazuh_agent_config.osquery.log_path }}</log_path>
+    {% if ansible_os_family == "Windows" %}
-    <config_path>{{ wazuh_agent_config.osquery.config_path }}</config_path>
+    <bin_path>{{ wazuh_agent_config.osquery.bin_path_win }}</bin_path>
+    {% endif %}
+    <log_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.log_path_win }}{% else %}{{ wazuh_agent_config.osquery.log_path }}{% endif %}</log_path>
+    <config_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.config_path_win }}{% else %}{{ wazuh_agent_config.osquery.config_path }}{% endif %}</config_path>
     <add_labels>{{ wazuh_agent_config.osquery.ad_labels }}</add_labels>
   </wodle>
 
@@ -245,7 +284,8 @@
   {% endif %}
 
   <!-- Files to monitor (localfiles) -->
-    {% for localfile in wazuh_agent_config.localfiles.common %}
+    {% if ansible_system == "Linux" %}
+    {% for localfile in wazuh_agent_config.localfiles.linux %}
     <localfile>
         <log_format>{{ localfile.format }}</log_format>
     {% if localfile.format == 'command' or localfile.format == 'full_command' %}
@@ -256,6 +296,7 @@
     {% endif %}
     </localfile>
   {% endfor %}
+  {% endif %}
 
     {% if ansible_os_family == "Debian" %}
     {% for localfile in wazuh_agent_config.localfiles.debian %}
@@ -284,4 +325,18 @@
     </localfile>
   {% endfor %}
   {% endif %}
+
+   {% if ansible_os_family == "Windows" %}
+   {% for localfile in wazuh_agent_config.localfiles.windows %}
+    <localfile>
+        <log_format>{{ localfile.format }}</log_format>
+    {% if localfile.format == 'eventchannel' %}
+        <location>{{ localfile.location }}</location>
+        <query>{{ localfile.query}}</query>
+    {% else %}
+        <location>{{ localfile.location }}</location>
+    {% endif %}
+    </localfile>
+  {% endfor %}
+  {% endif %}
 </ossec_config>