From 7619b44426a0d248bcebdae33d309e6886d72802 Mon Sep 17 00:00:00 2001
From: "Manuel J. Bernal"
Date: Wed, 12 Jun 2019 21:11:12 +0200
Subject: [PATCH] Added changes for ELK 7
---
playbooks/wazuh-elastic_stack-single.yml | 9 +-
.../ansible-elasticsearch/defaults/main.yml | 8 +-
.../ansible-elasticsearch/tasks/Debian.yml | 6 -
.../ansible-elasticsearch/tasks/RMDebian.yml | 2 +-
.../ansible-elasticsearch/tasks/RedHat.yml | 7 -
.../ansible-kibana/defaults/main.yml | 2 +-
.../ansible-kibana/tasks/RMDebian.yml | 2 +-
roles/wazuh/ansible-filebeat/tasks/Debian.yml | 2 +-
.../wazuh/ansible-filebeat/tasks/RMDebian.yml | 2 +-
roles/wazuh/ansible-filebeat/tasks/RedHat.yml | 2 +-
roles/wazuh/ansible-filebeat/tasks/config.yml | 10 +
.../templates/elasticsearch.yml.j2 | 1455 +++++++++++++++++
.../var-ossec-rules-local_rules.xml.j2 | 20 +-
13 files changed, 1482 insertions(+), 45 deletions(-)
create mode 100644 roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
diff --git a/playbooks/wazuh-elastic_stack-single.yml b/playbooks/wazuh-elastic_stack-single.yml
index 9d3d761a..ac5efaf1 100644
--- a/playbooks/wazuh-elastic_stack-single.yml
+++ b/playbooks/wazuh-elastic_stack-single.yml
@@ -1,7 +1,6 @@
 ---
-- hosts:
+- hosts:
 roles:
- - {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager}
- - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'}
- - { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-logstash, elasticsearch_network_host: 'localhost' }
- - { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' }
+ - {role: ../roles/wazuh/ansible-wazuh-manager}
+ - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '0.0.0.0', single_node: true}
+ - { role: ../roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' }
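Review bot: The elasticsearch role entry now sets `elasticsearch_network_host: '0.0.0.0'`, which binds the node's listeners on every interface, while the kibana entry on the next line still reaches Elasticsearch via `'localhost'`, so nothing in this playbook needs the wider bind. Nothing in this commit enables authentication or TLS on that endpoint, so on a host reachable from the network the 9200 API becomes exposed without access control. Unless a remote consumer is intended, keep `elasticsearch_network_host: 'localhost'` on the elasticsearch entry as well, or name the intended interface and note why it is needed. The `- hosts:` line is replaced by an identical-looking line, presumably a whitespace-only change.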
diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
index 3328165a..5d380b6b 100644
--- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
@@ -5,6 +5,8 @@ elasticsearch_http_port: 9200
 elasticsearch_network_host: 127.0.0.1
 elasticsearch_jvm_xms: null
 elastic_stack_version: 7.1.1
-elasticsearch_shards: 5
-elasticsearch_replicas: 1
-elasticsearch_install_java: true
+single_node: false
+elasticsearch_bootstrap_node: false
+elasticsearch_master_candidate: false
+elasticsearch_cluster_nodes:
+ - 127.0.0.1
\ No newline at end of file
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
index d5315805..844da315 100644
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
@@ -4,12 +4,6 @@
 name: ['apt-transport-https', 'ca-certificates']
 state: present
-- when: elasticsearch_install_java
- block:
- - name: Debian/Ubuntu | Install OpenJDK 1.8
- apt: name=openjdk-8-jre state=present cache_valid_time=3600
- tags: install
-
 - name: Debian/Ubuntu | Add Elasticsearch GPG key.
 apt_key:
 url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml
index 74c59c37..b11eec45 100644
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml
@@ -1,5 +1,5 @@
 ---
 - name: Debian/Ubuntu | Removing Elasticsearch repository
 apt_repository:
- repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+ repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main
 state: absent
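Review bot: The new defaults `single_node`, `elasticsearch_bootstrap_node`, `elasticsearch_master_candidate` and `elasticsearch_cluster_nodes` in ansible-elasticsearch/defaults/main.yml carry no comment on what each controls or how they combine, and their effect presumably lives in the role's elasticsearch.yml template, which is not part of this diff. Add a one-line comment above each stating the Elasticsearch setting it feeds, and if `single_node: true` makes the other three irrelevant, say so there. The last added line `+ - 127.0.0.1` is followed by `\ No newline at end of file`, so the file now ends without a trailing newline; the same regression appears in ansible-kibana/defaults/main.yml, whose only change is that dropped newline, and in the new elasticsearch.yml.j2 template.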
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml
index 64cc0820..54728b0c 100644
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml
@@ -1,10 +1,4 @@
 ---
-- when: elasticsearch_install_java
- block:
- - name: RedHat/CentOS/Fedora | Install OpenJDK 1.8
- yum: name=java-1.8.0-openjdk state=present
- register: oracle_java_task_rpm_installed
- tags: install
 - name: RedHat/CentOS/Fedora | Install Elastic repo
 yum_repository:
@@ -16,5 +10,4 @@
 - name: RedHat/CentOS/Fedora | Install Elasticsarch
 package: name=elasticsearch-{{ elastic_stack_version }} state=present
- when: not elasticsearch_install_java or oracle_java_task_rpm_installed is defined
 tags: install
diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml
index 921cd436..cf33aeff 100644
--- a/roles/elastic-stack/ansible-kibana/defaults/main.yml
+++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml
@@ -4,4 +4,4 @@ elasticsearch_network_host: "127.0.0.1"
 kibana_server_host: "0.0.0.0"
 kibana_server_port: "5601"
 elastic_stack_version: 7.1.1
-wazuh_version: 3.9.1
+wazuh_version: 3.9.1
\ No newline at end of file
diff --git a/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml b/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml
index 74c59c37..b11eec45 100644
--- a/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml
+++ b/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml
@@ -1,5 +1,5 @@
 ---
 - name: Debian/Ubuntu | Removing Elasticsearch repository
 apt_repository:
- repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+ repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main
 state: absent
diff --git a/roles/wazuh/ansible-filebeat/tasks/Debian.yml b/roles/wazuh/ansible-filebeat/tasks/Debian.yml
index 455034d6..95b31e0e 100644
--- a/roles/wazuh/ansible-filebeat/tasks/Debian.yml
+++ b/roles/wazuh/ansible-filebeat/tasks/Debian.yml
@@ -12,6 +12,6 @@
 - name: Debian/Ubuntu | Add Filebeat repository.
 apt_repository:
- repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
+ repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main'
 state: present
 update_cache: true
diff --git a/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml b/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml
index 580e6d86..f027d4f9 100644
--- a/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml
+++ b/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml
@@ -1,5 +1,5 @@
 ---
 - name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
 apt_repository:
- repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+ repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main
 state: absent
diff --git a/roles/wazuh/ansible-filebeat/tasks/RedHat.yml b/roles/wazuh/ansible-filebeat/tasks/RedHat.yml
index 80798897..e4ddd652 100644
--- a/roles/wazuh/ansible-filebeat/tasks/RedHat.yml
+++ b/roles/wazuh/ansible-filebeat/tasks/RedHat.yml
@@ -3,6 +3,6 @@
 yum_repository:
 name: elastic_repo
 description: Elastic repository for 6.x packages
- baseurl: https://artifacts.elastic.co/packages/6.x/yum
+ baseurl: https://artifacts.elastic.co/packages/7.x/yum
 gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
 gpgcheck: true
diff --git a/roles/wazuh/ansible-filebeat/tasks/config.yml b/roles/wazuh/ansible-filebeat/tasks/config.yml
index a21e32ac..ce63503d 100644
--- a/roles/wazuh/ansible-filebeat/tasks/config.yml
+++ b/roles/wazuh/ansible-filebeat/tasks/config.yml
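Review bot: In the ansible-filebeat/tasks/RedHat.yml hunk the `baseurl` moves to `packages/7.x/yum`, but the context line just above it still reads `description: Elastic repository for 6.x packages`, so the repo file written to the host will describe itself as 6.x while serving 7.x packages. Change it to `description: Elastic repository for 7.x packages` in the same commit. The `gpgkey` and `gpgcheck: true` context lines are kept, which is what keeps the repository switch safe; the Debian and RMDebian hunks on this line only change the version segment of the repo URL.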
@@ -9,6 +9,16 @@
 notify: restart filebeat
 tags: configure
+- name: Copy Elasticsearch template.
+ template:
+ src: elasticsearch.yml.j2
+ dest: "/etc/filebeat/wazuh-template.json"
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart filebeat
+ tags: configure
+
 - name: Ensure Filebeat SSL key pair directory exists.
 file:
 path: "{{ filebeat_ssl_dir }}"
diff --git a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
new file mode 100644
index 00000000..11ef6176
--- /dev/null
+++ b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
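Review bot: The new "Copy Elasticsearch template." task writes a JSON index template from a source named `elasticsearch.yml.j2`, which is neither YAML nor Elasticsearch configuration and, as far as the diff shows, contains no Jinja expression; naming the source after its destination, e.g. `src: wazuh-template.json.j2`, would stop readers expecting an elasticsearch.yml. Copying the file to `/etc/filebeat/wazuh-template.json` only has an effect if Filebeat is told to load it through `setup.template.json.enabled`, `setup.template.json.path` and `setup.template.json.name`; the role's filebeat.yml template is not in this diff, so if it does not already set those the template is installed but never applied. A one-line comment on the task naming where that wiring lives would save the next reader the search.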
@@ -0,0 +1,1455 @@ +{ + "order": 0, + "index_patterns": ["wazuh-alerts-3.x-*"], + "settings": { + "index.refresh_interval": "5s", + "index.number_of_shards": "3", + "index.number_of_replicas": "0", + "index.auto_expand_replicas": "0-1", + "index.mapping.total_fields.limit": 2000 + }, + "mappings": { + "dynamic_templates": [ + { + "string_as_keyword": { + "match_mapping_type": "string", + "mapping": { + "type": "keyword", + "doc_values": "true" + } + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "timestamp": { + "type": "date", + "format": "date_optional_time||epoch_millis" + }, + "@version": { + "type": "text" + }, + "agent": { + "properties": { + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "manager": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "cluster": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "AlertsFile": { + "type": "keyword", + "doc_values": "true" + }, + "full_log": { + "enabled": false, + "type": "object" + }, + "previous_log": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + "city_name": { + "type": "keyword", + "doc_values": "true" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword", + "doc_values": "true" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword", + "doc_values": "true" + }, + "region_name": { + "type": 
"keyword", + "doc_values": "true" + }, + "timezone": { + "type": "text" + } + } + }, + "host": { + "type": "keyword", + "doc_values": "true" + }, + "syscheck": { + "properties": { + "path": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_before": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_after": { + "type": "keyword", + "doc_values": "true" + }, + "uid_before": { + "type": "keyword", + "doc_values": "true" + }, + "uid_after": { + "type": "keyword", + "doc_values": "true" + }, + "gid_before": { + "type": "keyword", + "doc_values": "true" + }, + "gid_after": { + "type": "keyword", + "doc_values": "true" + }, + "perm_before": { + "type": "keyword", + "doc_values": "true" + }, + "perm_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_before": { + "type": "keyword", + "doc_values": "true" + }, + "gname_after": { + "type": "keyword", + "doc_values": "true" + }, + "gname_before": { + "type": "keyword", + "doc_values": "true" + }, + "inode_after": { + "type": "keyword", + "doc_values": "true" + }, + "inode_before": { + "type": "keyword", + "doc_values": "true" + }, + "mtime_after": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "mtime_before": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "uname_after": { + "type": "keyword", + "doc_values": "true" + }, + "uname_before": { + "type": "keyword", + "doc_values": "true" + }, + "size_before": { + "type": "long", + "doc_values": "true" + }, + "size_after": { + "type": "long", + "doc_values": "true" + }, + "diff": { + "type": "keyword", + "doc_values": "true" + }, + "event": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "location": { + "type": "keyword", + "doc_values": "true" + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "rule": { + "properties": { + "description": { + "type": "keyword", + 
"doc_values": "true" + }, + "groups": { + "type": "keyword", + "doc_values": "true" + }, + "level": { + "type": "long", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "cve": { + "type": "keyword", + "doc_values": "true" + }, + "info": { + "type": "keyword", + "doc_values": "true" + }, + "frequency": { + "type": "long", + "doc_values": "true" + }, + "firedtimes": { + "type": "long", + "doc_values": "true" + }, + "cis": { + "type": "keyword", + "doc_values": "true" + }, + "pci_dss": { + "type": "keyword", + "doc_values": "true" + }, + "gdpr": { + "type": "keyword", + "doc_values": "true" + }, + "gpg13": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "predecoder": { + "properties": { + "program_name": { + "type": "keyword", + "doc_values": "true" + }, + "timestamp": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "decoder": { + "properties": { + "parent": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "ftscomment": { + "type": "keyword", + "doc_values": "true" + }, + "fts": { + "type": "long", + "doc_values": "true" + }, + "accumulate": { + "type": "long", + "doc_values": "true" + } + } + }, + "data": { + "properties": { + "protocol": { + "type": "keyword", + "doc_values": "true" + }, + "action": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "dstip": { + "type": "keyword", + "doc_values": "true" + }, + "srcport": { + "type": "keyword", + "doc_values": "true" + }, + "dstport": { + "type": "keyword", + "doc_values": "true" + }, + "srcuser": { + "type": "keyword", + "doc_values": "true" + }, + "dstuser": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "status": { + "type": "keyword", + "doc_values": "true" + }, + "data": { + "type": "keyword", + "doc_values": "true" + }, + "system_name": { + "type": 
"keyword", + "doc_values": "true" + }, + "url": { + "type": "keyword", + "doc_values": "true" + }, + "oscap": { + "properties": { + "check.title": { + "type": "keyword", + "doc_values": "true" + }, + "check.id": { + "type": "keyword", + "doc_values": "true" + }, + "check.result": { + "type": "keyword", + "doc_values": "true" + }, + "check.severity": { + "type": "keyword", + "doc_values": "true" + }, + "check.description": { + "type": "text" + }, + "check.rationale": { + "type": "text" + }, + "check.references": { + "type": "text" + }, + "check.identifiers": { + "type": "text" + }, + "check.oval.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.content": { + "type": "keyword", + "doc_values": "true" + }, + "scan.benchmark.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.title": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.score": { + "type": "double", + "doc_values": "true" + }, + "scan.return_code": { + "type": "long", + "doc_values": "true" + } + } + }, + "audit": { + "properties": { + "type": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "syscall": { + "type": "keyword", + "doc_values": "true" + }, + "exit": { + "type": "keyword", + "doc_values": "true" + }, + "ppid": { + "type": "keyword", + "doc_values": "true" + }, + "pid": { + "type": "keyword", + "doc_values": "true" + }, + "auid": { + "type": "keyword", + "doc_values": "true" + }, + "uid": { + "type": "keyword", + "doc_values": "true" + }, + "gid": { + "type": "keyword", + "doc_values": "true" + }, + "euid": { + "type": "keyword", + "doc_values": "true" + }, + "suid": { + "type": "keyword", + "doc_values": "true" + }, + "fsuid": { + "type": "keyword", + "doc_values": "true" + }, + "egid": { + "type": "keyword", + "doc_values": "true" + }, + "sgid": { + 
"type": "keyword", + "doc_values": "true" + }, + "fsgid": { + "type": "keyword", + "doc_values": "true" + }, + "tty": { + "type": "keyword", + "doc_values": "true" + }, + "session": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "exe": { + "type": "keyword", + "doc_values": "true" + }, + "key": { + "type": "keyword", + "doc_values": "true" + }, + "cwd": { + "type": "keyword", + "doc_values": "true" + }, + "directory.name": { + "type": "keyword", + "doc_values": "true" + }, + "directory.inode": { + "type": "keyword", + "doc_values": "true" + }, + "directory.mode": { + "type": "keyword", + "doc_values": "true" + }, + "file.name": { + "type": "keyword", + "doc_values": "true" + }, + "file.inode": { + "type": "keyword", + "doc_values": "true" + }, + "file.mode": { + "type": "keyword", + "doc_values": "true" + }, + "acct": { + "type": "keyword", + "doc_values": "true" + }, + "dev": { + "type": "keyword", + "doc_values": "true" + }, + "enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "list": { + "type": "keyword", + "doc_values": "true" + }, + "old-auid": { + "type": "keyword", + "doc_values": "true" + }, + "old-ses": { + "type": "keyword", + "doc_values": "true" + }, + "old_enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "old_prom": { + "type": "keyword", + "doc_values": "true" + }, + "op": { + "type": "keyword", + "doc_values": "true" + }, + "prom": { + "type": "keyword", + "doc_values": "true" + }, + "res": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "subj": { + "type": "keyword", + "doc_values": "true" + }, + "success": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "aws": { + "properties": { + "bytes": { + "type": "long", + "doc_values": "true" + }, + "dstaddr": { + "type": "ip", + "doc_values": "true" + }, + "srcaddr": { + "type": "ip", + "doc_values": "true" + }, + "end": { + 
"type": "date", + "doc_values": "true" + }, + "start": { + "type": "date", + "doc_values": "true" + }, + "source_ip_address": { + "type": "ip", + "doc_values": "true" + }, + "resource.instanceDetails.networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip", + "doc_values": "true" + }, + "publicIp": { + "type": "ip", + "doc_values": "true" + } + } + }, + "service": { + "properties": { + "count": { + "type": "long", + "doc_values": "true" + }, + "action.networkConnectionAction.remoteIpDetails": { + "properties": { + "ipAddressV4": { + "type": "ip", + "doc_values": "true" + }, + "geoLocation": { + "type": "geo_point", + "doc_values": "true" + } + } + } + } + } + } + }, + "type": { + "type": "keyword", + "doc_values": "true" + }, + "netinfo": { + "properties": { + "iface": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + }, + "mac": { + "type": "keyword", + "doc_values": "true" + }, + "adapter": { + "type": "keyword", + "doc_values": "true" + }, + "type": { + "type": "keyword", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "mtu": { + "type": "long", + "doc_values": "true" + }, + "tx_bytes": { + "type": "long", + "doc_values": "true" + }, + "rx_bytes": { + "type": "long", + "doc_values": "true" + }, + "tx_errors": { + "type": "long", + "doc_values": "true" + }, + "rx_errors": { + "type": "long", + "doc_values": "true" + }, + "tx_dropped": { + "type": "long", + "doc_values": "true" + }, + "rx_dropped": { + "type": "long", + "doc_values": "true" + }, + "tx_packets": { + "type": "long", + "doc_values": "true" + }, + "rx_packets": { + "type": "long", + "doc_values": "true" + }, + "ipv4": { + "properties": { + "gateway": { + "type": "keyword", + "doc_values": "true" + }, + "dhcp": { + "type": "keyword", + "doc_values": "true" + }, + "address": { + "type": "keyword", + "doc_values": "true" + }, + "netmask": { + "type": "keyword", + "doc_values": "true" + }, + "broadcast": { + 
"type": "keyword", + "doc_values": "true" + }, + "metric": { + "type": "long", + "doc_values": "true" + } + } + }, + "ipv6": { + "properties": { + "gateway": { + "type": "keyword", + "doc_values": "true" + }, + "dhcp": { + "type": "keyword", + "doc_values": "true" + }, + "address": { + "type": "keyword", + "doc_values": "true" + }, + "netmask": { + "type": "keyword", + "doc_values": "true" + }, + "broadcast": { + "type": "keyword", + "doc_values": "true" + }, + "metric": { + "type": "long", + "doc_values": "true" + } + } + } + } + } + } + }, + "os": { + "properties": { + "hostname": { + "type": "keyword", + "doc_values": "true" + }, + "architecture": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "codename": { + "type": "keyword", + "doc_values": "true" + }, + "major": { + "type": "keyword", + "doc_values": "true" + }, + "minor": { + "type": "keyword", + "doc_values": "true" + }, + "build": { + "type": "keyword", + "doc_values": "true" + }, + "platform": { + "type": "keyword", + "doc_values": "true" + }, + "sysname": { + "type": "keyword", + "doc_values": "true" + }, + "release": { + "type": "keyword", + "doc_values": "true" + }, + "release_version": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "port": { + "properties": { + "protocol": { + "type": "keyword", + "doc_values": "true" + }, + "local_ip": { + "type": "ip", + "doc_values": "true" + }, + "local_port": { + "type": "long", + "doc_values": "true" + }, + "remote_ip": { + "type": "ip", + "doc_values": "true" + }, + "remote_port": { + "type": "long", + "doc_values": "true" + }, + "tx_queue": { + "type": "long", + "doc_values": "true" + }, + "rx_queue": { + "type": "long", + "doc_values": "true" + }, + "inode": { + "type": "long", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "pid": { + "type": "long", + "doc_values": 
"true" + }, + "process": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "hardware": { + "properties": { + "serial": { + "type": "keyword", + "doc_values": "true" + }, + "cpu_name": { + "type": "keyword", + "doc_values": "true" + }, + "cpu_cores": { + "type": "long", + "doc_values": "true" + }, + "cpu_mhz": { + "type": "double", + "doc_values": "true" + }, + "ram_total": { + "type": "long", + "doc_values": "true" + }, + "ram_free": { + "type": "long", + "doc_values": "true" + }, + "ram_usage": { + "type": "long", + "doc_values": "true" + } + } + }, + "program": { + "properties": { + "format": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "priority": { + "type": "keyword", + "doc_values": "true" + }, + "section": { + "type": "keyword", + "doc_values": "true" + }, + "size": { + "type": "long", + "doc_values": "true" + }, + "vendor": { + "type": "keyword", + "doc_values": "true" + }, + "install_time": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "architecture": { + "type": "keyword", + "doc_values": "true" + }, + "multiarch": { + "type": "keyword", + "doc_values": "true" + }, + "source": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + }, + "location": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "process": { + "properties": { + "pid": { + "type": "long", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "ppid": { + "type": "long", + "doc_values": "true" + }, + "utime": { + "type": "long", + "doc_values": "true" + }, + "stime": { + "type": "long", + "doc_values": "true" + }, + "cmd": { + "type": "keyword", + "doc_values": "true" + }, + "args": { + "type": "keyword", + "doc_values": "true" + }, + "euser": { + "type": "keyword", + 
"doc_values": "true" + }, + "ruser": { + "type": "keyword", + "doc_values": "true" + }, + "suser": { + "type": "keyword", + "doc_values": "true" + }, + "egroup": { + "type": "keyword", + "doc_values": "true" + }, + "sgroup": { + "type": "keyword", + "doc_values": "true" + }, + "fgroup": { + "type": "keyword", + "doc_values": "true" + }, + "rgroup": { + "type": "keyword", + "doc_values": "true" + }, + "priority": { + "type": "long", + "doc_values": "true" + }, + "nice": { + "type": "long", + "doc_values": "true" + }, + "size": { + "type": "long", + "doc_values": "true" + }, + "vm_size": { + "type": "long", + "doc_values": "true" + }, + "resident": { + "type": "long", + "doc_values": "true" + }, + "share": { + "type": "long", + "doc_values": "true" + }, + "start_time": { + "type": "long", + "doc_values": "true" + }, + "pgrp": { + "type": "long", + "doc_values": "true" + }, + "session": { + "type": "long", + "doc_values": "true" + }, + "nlwp": { + "type": "long", + "doc_values": "true" + }, + "tgid": { + "type": "long", + "doc_values": "true" + }, + "tty": { + "type": "long", + "doc_values": "true" + }, + "processor": { + "type": "long", + "doc_values": "true" + } + } + }, + "sca": { + "properties": { + "type": { + "type": "keyword", + "doc_values": "true" + }, + "scan_id": { + "type": "keyword", + "doc_values": "true" + }, + "policy": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "file": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + }, + "passed": { + "type": "integer", + "doc_values": "true" + }, + "failed": { + "type": "integer", + "doc_values": "true" + }, + "score": { + "type": "long", + "doc_values": "true" + }, + "check": { + "properties": { + "id": { + "type": "keyword", + "doc_values": "true" + }, + "title": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + 
}, + "rationale": { + "type": "keyword", + "doc_values": "true" + }, + "remediation": { + "type": "keyword", + "doc_values": "true" + }, + "compliance": { + "properties": { + "cis": { + "type": "keyword", + "doc_values": "true" + }, + "cis_csc": { + "type": "keyword", + "doc_values": "true" + }, + "pci_dss": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "references": { + "type": "keyword", + "doc_values": "true" + }, + "file": { + "type": "keyword", + "doc_values": "true" + }, + "directory": { + "type": "keyword", + "doc_values": "true" + }, + "registry": { + "type": "keyword", + "doc_values": "true" + }, + "process": { + "type": "keyword", + "doc_values": "true" + }, + "result": { + "type": "keyword", + "doc_values": "true" + }, + "previous_result": { + "type": "keyword", + "doc_values": "true" + } + } + } + } + }, + "win": { + "properties": { + "system": { + "properties": { + "providerName": { + "type": "keyword", + "doc_values": "true" + }, + "providerGuid": { + "type": "keyword", + "doc_values": "true" + }, + "eventSourceName": { + "type": "keyword", + "doc_values": "true" + }, + "securityUserID": { + "type": "keyword", + "doc_values": "true" + }, + "userID": { + "type": "keyword", + "doc_values": "true" + }, + "eventID": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "level": { + "type": "keyword", + "doc_values": "true" + }, + "task": { + "type": "keyword", + "doc_values": "true" + }, + "opcode": { + "type": "keyword", + "doc_values": "true" + }, + "keywords": { + "type": "keyword", + "doc_values": "true" + }, + "systemTime": { + "type": "keyword", + "doc_values": "true" + }, + "eventRecordID": { + "type": "keyword", + "doc_values": "true" + }, + "processID": { + "type": "keyword", + "doc_values": "true" + }, + "threadID": { + "type": "keyword", + "doc_values": "true" + }, + "channel": { + "type": "keyword", + "doc_values": "true" + }, + "computer": { + "type": "keyword", + 
"doc_values": "true" + }, + "severityValue": { + "type": "keyword", + "doc_values": "true" + }, + "message": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "eventdata": { + "properties": { + "subjectUserSid": { + "type": "keyword", + "doc_values": "true" + }, + "subjectUserName": { + "type": "keyword", + "doc_values": "true" + }, + "subjectDomainName": { + "type": "keyword", + "doc_values": "true" + }, + "subjectLogonId": { + "type": "keyword", + "doc_values": "true" + }, + "targetUserSid": { + "type": "keyword", + "doc_values": "true" + }, + "targetUserName": { + "type": "keyword", + "doc_values": "true" + }, + "targetDomainName": { + "type": "keyword", + "doc_values": "true" + }, + "targetLogonId": { + "type": "keyword", + "doc_values": "true" + }, + "logonType": { + "type": "keyword", + "doc_values": "true" + }, + "logonProcessName": { + "type": "keyword", + "doc_values": "true" + }, + "authenticationPackageName": { + "type": "keyword", + "doc_values": "true" + }, + "logonGuid": { + "type": "keyword", + "doc_values": "true" + }, + "keyLength": { + "type": "keyword", + "doc_values": "true" + }, + "impersonationLevel": { + "type": "keyword", + "doc_values": "true" + }, + "transactionId": { + "type": "keyword", + "doc_values": "true" + }, + "newState": { + "type": "keyword", + "doc_values": "true" + }, + "resourceManager": { + "type": "keyword", + "doc_values": "true" + }, + "processId": { + "type": "keyword", + "doc_values": "true" + }, + "processName": { + "type": "keyword", + "doc_values": "true" + }, + "data": { + "type": "keyword", + "doc_values": "true" + }, + "image": { + "type": "keyword", + "doc_values": "true" + }, + "binary": { + "type": "keyword", + "doc_values": "true" + }, + "parentImage": { + "type": "keyword", + "doc_values": "true" + }, + "categoryId": { + "type": "keyword", + "doc_values": "true" + }, + "subcategoryId": { + "type": "keyword", + "doc_values": "true" + }, + "subcategoryGuid": { + "type": "keyword", + "doc_values": 
"true" + }, + "auditPolicyChangesId": { + "type": "keyword", + "doc_values": "true" + }, + "category": { + "type": "keyword", + "doc_values": "true" + }, + "subcategory": { + "type": "keyword", + "doc_values": "true" + }, + "auditPolicyChanges": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "rmSessionEvent": { + "properties": { + "rmSessionId": { + "type": "keyword", + "doc_values": "true" + }, + "uTCStartTime": { + "type": "keyword", + "doc_values": "true" + } + } + } + } + } + } + }, + "program_name": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "type": { + "type": "text" + }, + "title": { + "type": "keyword", + "doc_values": "true" + } + } + } +} \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 index 5cbe7670..39eb6a94 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 @@ -1,6 +1,7 @@ + @@ -15,21 +16,4 @@ authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, - - - - - - syscheck - /var/ossec/etc/shared/agent.conf - Linux | agent.conf was modified - - - syscheck - C:\wazuh-agent/shared/agent.conf - Windows | agent.conf was modified - - + \ No newline at end of file