Wazuh manager role improvements

This commit is contained in:
Pedro Sanchez 2017-07-25 20:54:14 -07:00 committed by GitHub
commit 731e902c46
4 changed files with 150 additions and 94 deletions


@ -2,36 +2,47 @@
wazuh_manager_fqdn: "wazuh-server" wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_config: wazuh_manager_config:
json_output: 'yes'
alerts_log: 'yes'
logall: 'no'
enable_authd: false
email_notification: no email_notification: no
mail_to: mail_to:
- admin@example.net - admin@example.net
mail_smtp_server: localhost mail_smtp_server: localhost
mail_from: wazuh-server@example.com mail_from: wazuh-server@example.com
frequency_check: 43200 syscheck:
syscheck_scan_on_start: 'yes' frequency: 43200
scan_on_start: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
rootcheck:
frequency: 43200
openscap:
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
log_level: 1 log_level: 1
email_level: 12 email_level: 12
ignore_files:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
no_diff:
- /etc/ssl/private.key
directories:
- check_all: 'yes'
dirs: /etc,/usr/bin,/usr/sbin
- check_all: 'yes'
dirs: /bin,/sbin
localfiles: localfiles:
- format: 'syslog' - format: 'syslog'
location: '/var/log/messages' location: '/var/log/messages'
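Review bot: The new `enable_authd: false` is the only bare boolean in `wazuh_manager_config`; every other switch added here (`json_output`, `alerts_log`, `logall`, `scan_on_start`) is a quoted `'yes'`/`'no'` that the ossec.conf template copies verbatim and that tasks/main.yml compares as a string, so a user who drops the quotes gets `False` written into the XML instead of `no`. The `checks: 'check_all="yes"'` entries under `syscheck.directories` are likewise pasted unescaped into the `<directories ...>` start tag, so the value is raw attribute text rather than a validated option. I would record both contracts in a comment above `json_output`: `# yes/no switches must stay quoted: they are written verbatim into ossec.conf and compared as strings in tasks/main.yml` and `# syscheck.directories[].checks is raw XML attribute text inserted as-is into <directories ...>`. The unchanged `email_notification: no` stays unquoted and only works because the template's `| lower == "yes"` test treats a boolean as not-yes.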


@ -26,3 +26,25 @@
- name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu - name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu
set_fact: set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt cis_distribution_filename: cis_debian_linux_rcl.txt
- name: Debian/Ubuntu | Install OpenScap
package: name={{ item }} state=present
with_items:
- libopenscap8
- xsltproc
tags:
- init
- name: Debian/Ubuntu | Get OpenScap installed version
shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
register: openscap_version
changed_when: true
tags:
- config
- name: Debian/Ubuntu | Check OpenScap version
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
register: openscap_version_valid
changed_when: true
tags:
- config
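Review bot: Both new query tasks (`Get OpenScap installed version` and `Check OpenScap version`) are read-only but declare `changed_when: true`, so every run reports two changes and any handler they notify fires on each play; both should be `changed_when: false`. Because the second task appends `; echo $?`, it always exits 0 and the real result lives only in `openscap_version_valid.stdout`, which deserves a one-line comment such as `# stdout is "0" when libopenscap8 >= 1.2; consumed by the ossec.conf template` so the magic string is traceable. Both tasks are tagged only `config`, so a run limited to `--tags init` leaves `openscap_version_valid` undefined for the template that later reads `openscap_version_valid.stdout`; worth confirming whether the template task also runs under `init`.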


@ -89,6 +89,15 @@
- name: Retrieving Wazuh-api User Credentials - name: Retrieving Wazuh-api User Credentials
include_vars: wazuh_api_creds.yml include_vars: wazuh_api_creds.yml
- name: Checking alert log output settings
fail: msg="Please enable json_output or alerts_log options."
when:
- wazuh_manager_config.json_output == 'no'
- wazuh_manager_config.alerts_log == 'no'
tags:
- init
- config
- name: Configure ossec.conf - name: Configure ossec.conf
template: src=var-ossec-etc-ossec-server.conf.j2 template: src=var-ossec-etc-ossec-server.conf.j2
dest=/var/ossec/etc/ossec.conf dest=/var/ossec/etc/ossec.conf
@ -106,7 +115,10 @@
owner=root owner=root
group=root group=root
mode=0755 mode=0755
when: ansible_service_mgr == "upstart" and ansible_os_family != "CoreOS" when:
- ansible_service_mgr == "upstart"
- ansible_os_family != "CoreOS"
- wazuh_manager_config.enable_authd == true
tags: tags:
- init - init
- config - config
@ -115,11 +127,20 @@
template: template:
src: ossec-authd.service src: ossec-authd.service
dest: /lib/systemd/system/ossec-authd.service dest: /lib/systemd/system/ossec-authd.service
when: ansible_service_mgr == "systemd" and ansible_os_family != "CoreOS" when:
- ansible_service_mgr == "systemd"
- ansible_os_family != "CoreOS"
- wazuh_manager_config.enable_authd == true
tags: tags:
- init - init
- config - config
- name: Ensure ossec-authd service is started and enabled
service: name=ossec-authd enabled=yes state=started
when: wazuh_manager_config.enable_authd == true
tags:
- config
- name: Wazuh-api User - name: Wazuh-api User
template: template:
src: api_user.j2 src: api_user.j2
@ -145,7 +166,7 @@
shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp
when: agentless_creeds is defined when: agentless_creeds is defined
- name: Ensure Wazuh Manager, wazuh api and ossec-authd service is started and enabled - name: Ensure Wazuh Manager, wazuh api service is started and enabled
service: service:
name: "{{ item }}" name: "{{ item }}"
enabled: yes enabled: yes
@ -153,7 +174,8 @@
with_items: with_items:
- wazuh-manager - wazuh-manager
- wazuh-api - wazuh-api
- ossec-authd tags:
- config
- include: "RMRedHat.yml" - include: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"
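Review bot: The new `Checking alert log output settings` guard in the first hunk only matches the quoted string `'no'`; an unquoted `json_output: no` in an override file parses as boolean `False`, `False == 'no'` is false, the task does not fail, and the template then renders `<jsonout_output>False</jsonout_output>`, which is not a value ossec.conf accepts. Normalising through `string` makes the check catch both spellings: `- wazuh_manager_config.json_output | string | lower in ['no', 'false']` and `- wazuh_manager_config.alerts_log | string | lower in ['no', 'false']`. The `enable_authd == true` comparisons in the two unit-file tasks and the new `ossec-authd` service task are fine as written because that default is a real boolean, but mixing quoted yes/no and bare booleans in the same dict is what makes the first guard fragile.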


@ -6,8 +6,9 @@
<ossec_config> <ossec_config>
<global> <global>
<jsonout_output>yes</jsonout_output> <jsonout_output>{{ wazuh_manager_config.json_output }}</jsonout_output>
<alerts_log>yes</alerts_log> <alerts_log>{{ wazuh_manager_config.alerts_log }}</alerts_log>
<logall>{{ wazuh_manager_config.logall }}</logall>
{% if wazuh_manager_config.email_notification | lower == "yes" %} {% if wazuh_manager_config.email_notification | lower == "yes" %}
<email_notification>yes</email_notification> <email_notification>yes</email_notification>
{% else %} {% else %}
@ -47,6 +48,23 @@
{% endif %} {% endif %}
</email_alerts> </email_alerts>
{% endfor %} {% endfor %}
{% endif %}
{% if wazuh_manager_config.reports is defined %}
{% for report in wazuh_manager_config.reports %}
<reports>
<category>{{ report.category }}</category>
<title>{{ report.title }}</title>
<email_to>{{ report.email_to }}</email_to>
{% if report.location is defined %}<location>{{ report.location }}</location>{% endif %}
{% if report.group is defined %}<group>{{ report.group }}</group>{% endif %}
{% if report.rule is defined %}<rule>{{ report.rule }}</rule>{% endif %}
{% if report.level is defined %}<level>{{ report.level }}</level>{% endif %}
{% if report.srcip is defined %}<srcip>{{ report.srcip }}</srcip>{% endif %}
{% if report.user is defined %}<user>{{ report.user }}</user>{% endif %}
{% if report.showlogs is defined %}<showlogs>{{ report.showlogs }}</showlogs>{% endif %}
</reports>
{% endfor %}
{% endif %} {% endif %}
<alerts> <alerts>
@ -74,7 +92,7 @@
<check_if>yes</check_if> <check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours --> <!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency> <frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
@ -89,92 +107,75 @@
<syscheck> <syscheck>
<!-- Frequency that syscheck is executed -- default every 20 hours --> <!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_manager_config.frequency_check }}</frequency> <frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_manager_config.syscheck_scan_on_start }}</scan_on_start> <scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Directories to check (perform all possible verifications) --> <!-- Directories to check (perform all possible verifications) -->
{% for directory in wazuh_manager_config.directories %} {% if wazuh_manager_config.syscheck.directories is defined %}
<directories check_all="{{ directory.check_all }}">{{ directory.dirs }}</directories> {% for directory in wazuh_manager_config.syscheck.directories %}
{% endfor %} <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore --> <!-- Files/directories to ignore -->
{% for ignore_file in wazuh_manager_config.ignore_files %} {% if wazuh_manager_config.syscheck.ignore is defined %}
<ignore>{{ ignore_file }}</ignore> {% for ignore in wazuh_manager_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %} {% endfor %}
{% endif %}
<!-- Files no diff --> <!-- Files no diff -->
{% for no_diff in wazuh_manager_config.no_diff %} {% for no_diff in wazuh_manager_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff> <nodiff>{{ no_diff }}</nodiff>
{% endfor %} {% endfor %}
</syscheck> </syscheck>
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
<wodle name="open-scap"> <wodle name="open-scap">
<disabled>no</disabled> <disabled>no</disabled>
<timeout>1800</timeout> <timeout>{{ wazuh_manager_config.openscap.timeout }}</timeout>
<interval>1d</interval> <interval>{{ wazuh_manager_config.openscap.interval }}</interval>
<scan-on-start>yes</scan-on-start> <scan-on-start>{{ wazuh_manager_config.openscap.scan_on_start }}</scan-on-start>
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
<content type="xccdf" path="ssg-ubuntu-1604-ds.xml"> <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile> <profile>xccdf_org.ssgproject.content_profile_common</profile>
</content> </content>
</wodle> {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %}
{% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %} {% if openscap_version_valid.stdout == "0" %}
<wodle name="open-scap">
<disabled>no</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<content type="xccdf" path="ssg-debian-8-ds.xml"> <content type="xccdf" path="ssg-debian-8-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile> <profile>xccdf_org.ssgproject.content_profile_common</profile>
</content> </content>
</wodle>
{% elif ansible_distribution == 'CentOS' %}
<wodle name="open-scap">
<disabled>no</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
{% if ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml">
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-centos-6-ds.xml">
{% endif %} {% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile> <content type="oval" path="cve-debian-oval.xml"/>
<profile>xccdf_org.ssgproject.content_profile_common</profile> {% elif ansible_distribution == 'CentOS' %}
</content> {% if ansible_distribution_major_version == '7' %}
</wodle> <content type="xccdf" path="ssg-centos-7-ds.xml">
{% elif ansible_distribution == 'RedHat' %} {% elif ansible_distribution_major_version == '6' %}
<wodle name="open-scap"> <content type="xccdf" path="ssg-centos-6-ds.xml">
<disabled>no</disabled> {% endif %}
<timeout>1800</timeout> <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<interval>1d</interval> <profile>xccdf_org.ssgproject.content_profile_common</profile>
<scan-on-start>yes</scan-on-start> </content>
{% elif ansible_distribution == 'RedHat' %}
{% if ansible_distribution_major_version == '7' %} {% if ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml"> <content type="xccdf" path="ssg-rhel-7-ds.xml">
{% elif ansible_distribution_major_version == '6' %} {% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml"> <content type="xccdf" path="ssg-rhel-6-ds.xml">
{% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% if ansible_distribution_major_version == '7' %}
<content type="oval" path="cve-redhat-7-ds.xml"/>
{% elif ansible_distribution_major_version == '6' %}
<content type="oval" path="cve-redhat-6-ds.xml"/>
{% endif %}
{% elif ansible_distribution == 'Fedora' %}
<content type="xccdf" path="ssg-fedora-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %} {% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
</wodle> </wodle>
{% elif ansible_distribution == 'Fedora' %}
<wodle name="open-scap">
<disabled>no</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<content type="xccdf" path="ssg-fedora-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
</wodle>
{% endif %}
{% if agentless_creeds is defined %} {% if agentless_creeds is defined %}
{% for agentless in agentless_creeds %} {% for agentless in agentless_creeds %}