From 8316ae54ce7c9752be2cdd2a7743e51e91c06057 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Sat, 23 Dec 2017 13:43:32 -0500 Subject: [PATCH] Updating for Wazuh 3.1 compatibility * Added support for Vuls command wodle. * Added support for CIS-CAT wodle. --- ansible-role-kibana/tasks/main.yml | 1 - ansible-wazuh-agent/defaults/main.yml | 26 +++++++- ansible-wazuh-agent/tasks/Debian.yml | 36 +++++++++- ansible-wazuh-agent/tasks/Linux.yml | 18 ++++- ansible-wazuh-agent/tasks/RedHat.yml | 21 ++++++ ansible-wazuh-agent/tasks/Windows.yml | 4 +- .../var-ossec-etc-ossec-agent.conf.j2 | 65 ++++++++++++++----- ansible-wazuh-manager/defaults/main.yml | 23 +++++++ ansible-wazuh-manager/tasks/Debian.yml | 35 +++++++++- ansible-wazuh-manager/tasks/RedHat.yml | 21 ++++++ ansible-wazuh-manager/tasks/main.yml | 14 +++- .../var-ossec-etc-ossec-server.conf.j2 | 41 +++++++++++- 12 files changed, 275 insertions(+), 30 deletions(-) diff --git a/ansible-role-kibana/tasks/main.yml b/ansible-role-kibana/tasks/main.yml index 546dcd4d..c4128884 100644 --- a/ansible-role-kibana/tasks/main.yml +++ b/ansible-role-kibana/tasks/main.yml @@ -46,7 +46,6 @@ NODE_OPTIONS: "--max-old-space-size=3072" args: creates: /usr/share/kibana/plugins/wazuh/package.json - when: wazuh_app_verify.stdout == "0" notify: restart kibana tags: install diff --git a/ansible-wazuh-agent/defaults/main.yml b/ansible-wazuh-agent/defaults/main.yml index 5d65e581..1f250bf3 100644 --- a/ansible-wazuh-agent/defaults/main.yml +++ b/ansible-wazuh-agent/defaults/main.yml @@ -16,10 +16,10 @@ wazuh_notify_time: null wazuh_time_reconnect: null wazuh_winagent_config: install_dir: 'C:\wazuh-agent\' - version: '3.0.0' + version: '3.1.0' revision: '1' repo: https://packages.wazuh.com/3.x/windows/ - md5: 896dcc5b786fda30db9649dd7a6043c0 + md5: 484900d5006a50304bbf284917d7fa14 wazuh_agent_config: log_format: 'plain' syscheck: 
@@ -59,6 +59,28 @@ wazuh_agent_config: timeout: 1800 interval: '1d' scan_on_start: 'yes' + cis_cat: + disable: 'yes' + install_java: 'yes' + timeout: 1800 + interval: '1d' + scan_on_start: 'yes' + java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' + ciscat_path: '/var/ossec/wodles/ciscat' + content: + - type: 'xccdf' + path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml' + profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' + vuls: + disable: 'yes' + interval: '1d' + run_on_start: 'yes' + args: + - 'mincvss 5' + - 'antiquity-limit 20' + - 'updatenvd' + - 'nvd-year 2016' + - 'autoupdate' localfiles: - format: 'syslog' location: '/var/log/messages' diff --git a/ansible-wazuh-agent/tasks/Debian.yml b/ansible-wazuh-agent/tasks/Debian.yml index b59d02d1..db8008d7 100644 --- a/ansible-wazuh-agent/tasks/Debian.yml +++ b/ansible-wazuh-agent/tasks/Debian.yml 
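Review bot: The new `cis_cat.install_java: 'yes'` default is undocumented, yet it is the switch that makes the role add a third-party apt repository or fetch an Oracle RPM and install Oracle Java 8 on every host where `cis_cat.disable` is `'no'` (see tasks/Debian.yml and tasks/RedHat.yml in this patch). A comment above the key should say so, e.g. `# install_java: 'yes' installs Oracle Java 8 from the webupd8team PPA (Debian/Ubuntu) or download.oracle.com (RedHat); set to 'no' to use the JRE already present at java_path`. `java_path` is hard-coded to the Debian/Ubuntu amd64 OpenJDK 8 location, which is unlikely to exist on RedHat-family hosts when `install_java` is `'no'`; a comment naming that assumption would help operators. The same two blocks are duplicated in ansible-wazuh-manager/defaults/main.yml.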
@@ -19,8 +19,38 @@ cis_distribution_filename: cis_debian_linux_rcl.txt when: ansible_os_family == "Debian" +- name: Debian/Ubuntu | Setting webupd8 repository + apt_repository: + repo: 'ppa:webupd8team/java' + codename: 'xenial' + when: + - wazuh_agent_config.cis_cat.disable == 'no' + - wazuh_agent_config.cis_cat.install_java == 'yes' + tags: + - init + +- name: Debian/Ubuntu | Accept Oracle Java 8 license + debconf: + name: oracle-java8-installer + question: shared/accepted-oracle-license-v1-1 + value: true + vtype: boolean + when: + - wazuh_agent_config.cis_cat.disable == 'no' + - wazuh_agent_config.cis_cat.install_java == 'yes' + tags: + - init + +- name: Debian/Ubuntu | Oracle Java 8 installer + apt: name=oracle-java8-installer state=present update_cache=yes + when: + - wazuh_agent_config.cis_cat.disable == 'no' + - wazuh_agent_config.cis_cat.install_java == 'yes' + tags: + - init + - name: Debian/Ubuntu | Install OpenScap - package: name={{ item }} state=present + package: name={{ item }} state=present update_cache=yes when: wazuh_agent_config.openscap.disable == 'no' with_items: - libopenscap8 @@ -31,15 +61,15 @@ - name: Debian/Ubuntu | Get OpenScap installed version shell: "dpkg-query --showformat='${Version}' --show libopenscap8" register: openscap_version - when: wazuh_agent_config.openscap.disable == 'no' changed_when: true + when: wazuh_agent_config.openscap.disable == 'no' tags: - config - name: Debian/Ubuntu | Check OpenScap version shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" register: openscap_version_valid - when: wazuh_agent_config.openscap.disable == 'no' changed_when: true + when: wazuh_agent_config.openscap.disable == 'no' tags: - config diff --git a/ansible-wazuh-agent/tasks/Linux.yml b/ansible-wazuh-agent/tasks/Linux.yml index 877b6e60..85c77c8f 100644 --- a/ansible-wazuh-agent/tasks/Linux.yml +++ b/ansible-wazuh-agent/tasks/Linux.yml 
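Review bot: `codename: 'xenial'` is hard-coded in the new webupd8 apt_repository task, so any other Ubuntu release gets the xenial build of the PPA and Debian hosts (where a `ppa:` shortcut is Ubuntu-specific) are pointed at a repository that does not serve them; `codename: "{{ ansible_distribution_release }}"` together with a `- ansible_distribution == 'Ubuntu'` condition would match the host's actual release. The task also adds an unpinned third-party package source and the debconf task pre-accepts the Oracle licence on the operator's behalf, neither of which a reader of `cis_cat.install_java: 'yes'` would expect; a short comment on each task stating why is warranted. Minor style: the new `apt: name=oracle-java8-installer state=present update_cache=yes` uses key=value shorthand while the two tasks just above it use block YAML. The same three tasks are duplicated in ansible-wazuh-manager/tasks/Debian.yml.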
@@ -39,7 +39,7 @@ - name: Linux | Register agent shell: > /var/ossec/bin/agent-auth - -m {{ wazuh_manager_ip }} + -m {{ wazuh_managers.0.address }} -p {{ wazuh_agent_authd.port }} {% if authd_pass is defined %}-P {{ authd_pass }}{% endif %} {% if wazuh_agent_authd.ssl_agent_ca is not none %} @@ -52,7 +52,7 @@ when: - wazuh_agent_authd.enable == true - check_keys.stat.size == 0 - - wazuh_manager_ip is not none + - wazuh_managers.0.address is not none tags: - config @@ -61,10 +61,22 @@ when: - wazuh_agent_authd.enable == true - check_keys.stat.size == 0 - - wazuh_manager_ip is not none + - wazuh_managers.0.address is not none tags: - config +- name: Linux | Vuls integration deploy (runs in background, can take a while) + command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }} + args: + creates: /var/ossec/wodles/vuls/config.toml + async: 3600 + poll: 0 + when: + - wazuh_agent_config.vuls.disable != 'yes' + - ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle' + tags: + - init + - name: Linux | Installing agent configuration (ossec.conf) template: src=var-ossec-etc-ossec-agent.conf.j2 dest=/var/ossec/etc/ossec.conf diff --git a/ansible-wazuh-agent/tasks/RedHat.yml b/ansible-wazuh-agent/tasks/RedHat.yml index 4f030264..828676e0 100644 --- a/ansible-wazuh-agent/tasks/RedHat.yml +++ b/ansible-wazuh-agent/tasks/RedHat.yml 
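Review bot: The new Vuls deploy task's `when` compares `ansible_distribution` with `'Redhat'`, but the fact is spelled `'RedHat'` in every existing condition in this patch (manager tasks/RedHat.yml and tasks/main.yml), so the deploy is silently skipped on RHEL hosts; change it to `ansible_distribution == 'RedHat'`, or write the list once as `ansible_distribution in ['RedHat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle']`. The identical task with the identical typo is copied into ansible-wazuh-manager/tasks/main.yml. Because the command runs with `async: 3600` / `poll: 0` and its result is never collected, a failing deploy_vuls.sh goes unnoticed while the ossec.conf template later renders a vuls wodle that assumes the deploy succeeded; consider registering the job and checking it with `async_status` before the template task, or at least documenting the fire-and-forget behaviour in a comment on the task.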
@@ -19,6 +19,27 @@ when: - ansible_distribution_major_version|int < 5 +- name: RedHat/CentOS/Fedora | download Oracle Java RPM + get_url: + url: http://download.oracle.com/otn-pub/java/jdk/8u151-b12/e758a0de34e24606bca991d704f6dcbf/jre-8u151-linux-x64.rpm + dest: /tmp/jdk-8-linux-x64.rpm + headers: 'Cookie:oraclelicense=accept-securebackup-cookie' + register: oracle_java_task_rpm_download + when: + - wazuh_agent_config.cis_cat.disable == 'no' + - wazuh_agent_config.cis_cat.install_java == 'yes' + tags: + - init + +- name: RedHat/CentOS/Fedora | Install Oracle Java RPM + package: name=/tmp/jdk-8-linux-x64.rpm state=present + when: + - wazuh_agent_config.cis_cat.disable == 'no' + - wazuh_agent_config.cis_cat.install_java == 'yes' + - oracle_java_task_rpm_download is defined + tags: + - init + - name: Set Distribution CIS filename for RHEL5 set_fact: cis_distribution_filename: cis_rhel5_linux_rcl.txt diff --git a/ansible-wazuh-agent/tasks/Windows.yml b/ansible-wazuh-agent/tasks/Windows.yml index 4c15619f..25232291 100644 --- a/ansible-wazuh-agent/tasks/Windows.yml +++ b/ansible-wazuh-agent/tasks/Windows.yml @@ -53,7 +53,7 @@ - name: Windows | Register agent win_shell: > {{ wazuh_winagent_config.install_dir }}agent-auth.exe - -m {{ wazuh_manager_ip }} + -m {{ wazuh_managers.0.address }} -p {{ wazuh_agent_authd.port }} {% if authd_pass is defined %}-P {{ authd_pass }}{% endif %} args: @@ -63,7 +63,7 @@ when: - wazuh_agent_authd.enable == true - check_windows_key.stat.exists == false - - wazuh_manager_ip is not none + - wazuh_managers.0.address is not none tags: - config diff --git a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index cfdad49e..c6247c79 100644 --- a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -8,17 +8,17 @@ - {% for manager in wazuh_managers %} - -
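Review bot: The Oracle JRE in the new get_url task is fetched over plain `http://` with no `checksum:`, written to the world-writable `/tmp/jdk-8-linux-x64.rpm`, and then installed as root by the following task, so a modified artifact in transit or a file swapped in /tmp before the install step ends up installed system-wide. Use an `https://` URL, pin the artifact with `checksum: "sha256:<expected digest of jre-8u151-linux-x64.rpm>"` on get_url, and place the download in a root-owned directory rather than /tmp. The `oracle_java_task_rpm_download is defined` condition on the install task guards nothing, since a registered variable is defined even when its task was skipped; drop it or test `oracle_java_task_rpm_download is not skipped` instead. The same two tasks are duplicated in ansible-wazuh-manager/tasks/RedHat.yml.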
{{ manager.address }}
- {% if manager.port is defined %} - {{ manager.port }} - {% endif %} - {% if manager.protocol is defined %} - {{ manager.protocol }} - {% endif %} -
- {% endfor %} + {% for manager in wazuh_managers %} + +
{{ manager.address }}
+ {% if manager.port is defined %} + {{ manager.port }} + {% endif %} + {% if manager.protocol is defined %} + {{ manager.protocol }} + {% endif %} +
+ {% endfor %} {% if wazuh_profile is not none %} {{ wazuh_profile }} @@ -36,7 +36,7 @@ no - + no @@ -117,7 +117,7 @@ {% endif %} - {% if wazuh_agent_config.openscap.disable == 'no' and ansible_system == "Linux"%} + {% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %} no {{ wazuh_agent_config.openscap.timeout }} @@ -127,13 +127,17 @@ xccdf_org.ssgproject.content_profile_common - {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %} + {% elif ansible_distribution == 'Debian' %} + {% if ansible_distribution_release == 'jessie' %} {% if openscap_version_valid.stdout == "0" %} xccdf_org.ssgproject.content_profile_common + + {% endif %} + {% elif ansible_distribution_release == 'stretch' %} + {% endif %} - {% elif ansible_distribution == 'CentOS' %} {% if ansible_distribution_major_version == '7' %} @@ -166,6 +170,37 @@ {% endif %} + {% if ansible_system == "Linux" and wazuh_agent_config.cis_cat.disable == 'no' %} + + no + {{ wazuh_agent_config.cis_cat.timeout }} + {{ wazuh_agent_config.cis_cat.interval }} + {{ wazuh_agent_config.cis_cat.scan_on_start }} + {% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %} + /usr/bin + {% else %} + {{ wazuh_agent_config.cis_cat.java_path }} + {% endif %} + {{ wazuh_agent_config.cis_cat.ciscat_path }} + {% for benchmark in wazuh_agent_config.cis_cat.content %} + + {{ benchmark.profile }} + + {% endfor %} + + {% endif %} + + {% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %} + + no + Wazuh-VULS + /usr/bin/python /var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_agent_config.vuls.args %} --{{ arg }}{% endfor %} + {{ wazuh_agent_config.vuls.interval }} + yes + {{ wazuh_agent_config.vuls.run_on_start }} + + {% endif %} + {% for localfile in wazuh_agent_config.localfiles %} diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml index 2a14332d..dc20b7ca 100644 
--- a/ansible-wazuh-manager/defaults/main.yml +++ b/ansible-wazuh-manager/defaults/main.yml @@ -93,9 +93,32 @@ wazuh_manager_config: rootcheck: frequency: 43200 openscap: + disable: 'no' timeout: 1800 interval: '1d' scan_on_start: 'yes' + cis_cat: + disable: 'yes' + install_java: 'yes' + timeout: 1800 + interval: '1d' + scan_on_start: 'yes' + java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' + ciscat_path: '/var/ossec/wodles/ciscat' + content: + - type: 'xccdf' + path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml' + profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' + vuls: + disable: 'yes' + interval: '1d' + run_on_start: 'yes' + args: + - 'mincvss 5' + - 'antiquity-limit 20' + - 'updatenvd' + - 'nvd-year 2016' + - 'autoupdate' log_level: 1 email_level: 12 localfiles: diff --git a/ansible-wazuh-manager/tasks/Debian.yml b/ansible-wazuh-manager/tasks/Debian.yml index 30db4128..f6e517b6 100644 --- a/ansible-wazuh-manager/tasks/Debian.yml +++ b/ansible-wazuh-manager/tasks/Debian.yml 
@@ -27,8 +27,39 @@ set_fact: cis_distribution_filename: cis_debian_linux_rcl.txt +- name: Debian/Ubuntu | Setting webupd8 repository + apt_repository: + repo: 'ppa:webupd8team/java' + codename: 'xenial' + when: + - wazuh_manager_config.cis_cat.disable == 'no' + - wazuh_manager_config.cis_cat.install_java == 'yes' + tags: + - init + +- name: Debian/Ubuntu | Accept Oracle Java 8 license + debconf: + name: oracle-java8-installer + question: shared/accepted-oracle-license-v1-1 + value: true + vtype: boolean + when: + - wazuh_manager_config.cis_cat.disable == 'no' + - wazuh_manager_config.cis_cat.install_java == 'yes' + tags: + - init + +- name: Debian/Ubuntu | Oracle Java 8 installer + apt: name=oracle-java8-installer state=present update_cache=yes + when: + - wazuh_manager_config.cis_cat.disable == 'no' + - wazuh_manager_config.cis_cat.install_java == 'yes' + tags: + - init + - name: Debian/Ubuntu | Install OpenScap - package: name={{ item }} state=present + package: name={{ item }} state=present update_cache=yes + when: wazuh_manager_config.openscap.disable == 'no' with_items: - libopenscap8 - xsltproc @@ -37,6 +68,7 @@ - name: Debian/Ubuntu | Get OpenScap installed version shell: "dpkg-query --showformat='${Version}' --show libopenscap8" + when: wazuh_manager_config.openscap.disable == 'no' register: openscap_version changed_when: true tags: @@ -44,6 +76,7 @@ - name: Debian/Ubuntu | Check OpenScap version shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" + when: wazuh_manager_config.openscap.disable == 'no' register: openscap_version_valid changed_when: true tags: diff --git a/ansible-wazuh-manager/tasks/RedHat.yml b/ansible-wazuh-manager/tasks/RedHat.yml index 6ff3448f..1b6ed589 100644 --- a/ansible-wazuh-manager/tasks/RedHat.yml +++ b/ansible-wazuh-manager/tasks/RedHat.yml 
@@ -79,6 +79,27 @@ - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' ) - wazuh_manager_config.cluster.disable != 'yes' +- name: RedHat/CentOS/Fedora | download Oracle Java RPM + get_url: + url: http://download.oracle.com/otn-pub/java/jdk/8u151-b12/e758a0de34e24606bca991d704f6dcbf/jre-8u151-linux-x64.rpm + dest: /tmp/jdk-8-linux-x64.rpm + headers: 'Cookie:oraclelicense=accept-securebackup-cookie' + register: oracle_java_task_rpm_download + when: + - wazuh_manager_config.cis_cat.disable == 'no' + - wazuh_manager_config.cis_cat.install_java == 'yes' + tags: + - init + +- name: RedHat/CentOS/Fedora | Install Oracle Java RPM + package: name=/tmp/jdk-8-linux-x64.rpm state=present + when: + - wazuh_manager_config.cis_cat.disable == 'no' + - wazuh_manager_config.cis_cat.install_java == 'yes' + - oracle_java_task_rpm_download is defined + tags: + - init + - name: Set Distribution CIS filename for RHEL5/CentOS-5 set_fact: cis_distribution_filename: cis_rhel5_linux_rcl.txt diff --git a/ansible-wazuh-manager/tasks/main.yml b/ansible-wazuh-manager/tasks/main.yml index b82d00ea..6a621335 100644 --- a/ansible-wazuh-manager/tasks/main.yml +++ b/ansible-wazuh-manager/tasks/main.yml @@ -212,6 +212,18 @@ - init - config +- name: Linux | Vuls integration deploy (runs in background, can take a while) + command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }} + args: + creates: /var/ossec/wodles/vuls/config.toml + async: 3600 + poll: 0 + when: + - wazuh_manager_config.vuls.disable != 'yes' + - ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle' + tags: + - init + - name: Configure ossec.conf template: src=var-ossec-etc-ossec-server.conf.j2 dest=/var/ossec/etc/ossec.conf 
@@ -298,7 +310,7 @@ - wazuh-api tags: - config - environment: + environment: LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib" when: - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 52925583..6ce31f99 100644 --- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -175,6 +175,7 @@ {% endfor %} + {% if ansible_system == "Linux" and wazuh_manager_config.openscap.disable == 'no' %} no {{ wazuh_manager_config.openscap.timeout }} @@ -184,13 +185,17 @@ xccdf_org.ssgproject.content_profile_common - {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %} + {% elif ansible_distribution == 'Debian' %} + {% if ansible_distribution_release == 'jessie' %} {% if openscap_version_valid.stdout == "0" %} xccdf_org.ssgproject.content_profile_common + + {% endif %} + {% elif ansible_distribution_release == 'stretch' %} + {% endif %} - {% elif ansible_distribution == 'CentOS' %} {% if ansible_distribution_major_version == '7' %} 
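Review bot: The new `{% if ansible_system == "Linux" and wazuh_manager_config.openscap.disable == 'no' %}` guard reads a key that this patch only now adds to defaults/main.yml; with Ansible's default `hash_behaviour=replace`, an inventory that already overrides `wazuh_manager_config` as a whole has no `openscap.disable` (nor `cis_cat` or `vuls`), and rendering ossec.conf will fail on the undefined attribute. Either tolerate the missing key, e.g. `{% if ansible_system == "Linux" and wazuh_manager_config.openscap.disable | default('no') == 'no' %}`, or call out the new required keys in the commit message and README so operators update their overrides. The same applies to the cis_cat and vuls guards in both templates and to `wazuh_agent_config`. The matching `{% endif %}` for this guard lands in a separate hunk (@@ -221), which makes the pairing hard to review; a `{# openscap #}` comment on both lines would make it explicit.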
@@ -221,6 +226,38 @@ {% endif %} + {% endif %} + + {% if wazuh_manager_config.cis_cat.disable == 'no' %} + + no + {{ wazuh_manager_config.cis_cat.timeout }} + {{ wazuh_manager_config.cis_cat.interval }} + {{ wazuh_manager_config.cis_cat.scan_on_start }} + {% if wazuh_manager_config.cis_cat.install_java == 'yes' %} + /usr/bin + {% else %} + {{ wazuh_manager_config.cis_cat.java_path }} + {% endif %} + {{ wazuh_manager_config.cis_cat.ciscat_path }} + {% for benchmark in wazuh_manager_config.cis_cat.content %} + + {{ benchmark.profile }} + + {% endfor %} + + {% endif %} + + {% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %} + + no + Wazuh-VULS + /usr/bin/python /var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_manager_config.vuls.args %} --{{ arg }}{% endfor %} + {{ wazuh_manager_config.vuls.interval }} + yes + {{ wazuh_manager_config.vuls.run_on_start }} + + {% endif %} {% if agentless_creeds is defined %} {% for agentless in agentless_creeds %}