Updating for Wazuh 3.1 compatibility

* Added support for Vuls command wodle.
* Added support for CIS-CAT wodle.

ansible-role-kibana/tasks/main.yml

@@ -46,7 +46,6 @@
     NODE_OPTIONS: "--max-old-space-size=3072"
   args:
     creates: /usr/share/kibana/plugins/wazuh/package.json
-  when: wazuh_app_verify.stdout == "0"
   notify: restart kibana
   tags: install
 

ansible-wazuh-agent/defaults/main.yml

@@ -16,10 +16,10 @@ wazuh_notify_time: null
 wazuh_time_reconnect: null
 wazuh_winagent_config:
   install_dir: 'C:\wazuh-agent\'
-  version: '3.0.0'
+  version: '3.1.0'
   revision: '1'
   repo: https://packages.wazuh.com/3.x/windows/
-  md5: 896dcc5b786fda30db9649dd7a6043c0
+  md5: 484900d5006a50304bbf284917d7fa14
 wazuh_agent_config:
   log_format: 'plain'
   syscheck:
@@ -59,6 +59,28 @@ wazuh_agent_config:
     timeout: 1800
     interval: '1d'
     scan_on_start: 'yes'
+  cis_cat:
+    disable: 'yes'
+    install_java: 'yes'
+    timeout: 1800
+    interval: '1d'
+    scan_on_start: 'yes'
+    java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
+    ciscat_path: '/var/ossec/wodles/ciscat'
+    content:
+      - type: 'xccdf'
+        path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
+        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
+  vuls:
+    disable: 'yes'
+    interval: '1d'
+    run_on_start: 'yes'
+    args:
+      - 'mincvss 5'
+      - 'antiquity-limit 20'
+      - 'updatenvd'
+      - 'nvd-year 2016'
+      - 'autoupdate'
   localfiles:
     - format: 'syslog'
       location: '/var/log/messages'

ansible-wazuh-agent/tasks/Debian.yml

@@ -19,8 +19,38 @@
     cis_distribution_filename: cis_debian_linux_rcl.txt
   when: ansible_os_family == "Debian"
 
+- name: Debian/Ubuntu | Setting webupd8 repository
+  apt_repository:
+    repo: 'ppa:webupd8team/java'
+    codename: 'xenial'
+  when:
+    - wazuh_agent_config.cis_cat.disable == 'no'
+    - wazuh_agent_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: Debian/Ubuntu | Accept Oracle Java 8 license
+  debconf:
+    name: oracle-java8-installer
+    question: shared/accepted-oracle-license-v1-1
+    value: true
+    vtype: boolean
+  when:
+    - wazuh_agent_config.cis_cat.disable == 'no'
+    - wazuh_agent_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: Debian/Ubuntu | Oracle Java 8 installer
+  apt: name=oracle-java8-installer state=present update_cache=yes
+  when:
+    - wazuh_agent_config.cis_cat.disable == 'no'
+    - wazuh_agent_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
 - name: Debian/Ubuntu | Install OpenScap
-  package: name={{ item }} state=present
+  package: name={{ item }} state=present update_cache=yes
   when: wazuh_agent_config.openscap.disable == 'no'
   with_items:
     - libopenscap8
@@ -31,15 +61,15 @@
 - name: Debian/Ubuntu | Get OpenScap installed version
   shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
   register: openscap_version
-  when: wazuh_agent_config.openscap.disable == 'no'
   changed_when: true
+  when: wazuh_agent_config.openscap.disable == 'no'
   tags:
     - config
 
 - name: Debian/Ubuntu | Check OpenScap version
   shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
   register: openscap_version_valid
-  when: wazuh_agent_config.openscap.disable == 'no'
   changed_when: true
+  when: wazuh_agent_config.openscap.disable == 'no'
   tags:
     - config

ansible-wazuh-agent/tasks/Linux.yml

@@ -39,7 +39,7 @@
 - name: Linux | Register agent
   shell: >
     /var/ossec/bin/agent-auth
-    -m {{ wazuh_manager_ip }}
+    -m {{ wazuh_managers.0.address }}
     -p {{ wazuh_agent_authd.port }}
     {% if authd_pass is defined %}-P {{ authd_pass }}{% endif %}
     {% if wazuh_agent_authd.ssl_agent_ca is not none %}
@@ -52,7 +52,7 @@
   when:
     - wazuh_agent_authd.enable == true
     - check_keys.stat.size == 0
-    - wazuh_manager_ip is not none
+    - wazuh_managers.0.address is not none
   tags:
     - config
 
@@ -61,10 +61,22 @@
   when:
     - wazuh_agent_authd.enable == true
     - check_keys.stat.size == 0
-    - wazuh_manager_ip is not none
+    - wazuh_managers.0.address is not none
   tags:
     - config
 
+- name: Linux | Vuls integration deploy (runs in background, can take a while)
+  command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }}
+  args:
+    creates: /var/ossec/wodles/vuls/config.toml
+  async: 3600
+  poll: 0
+  when:
+    - wazuh_agent_config.vuls.disable != 'yes'
+    - ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle'
+  tags:
+    - init
+
 - name: Linux | Installing agent configuration (ossec.conf)
   template: src=var-ossec-etc-ossec-agent.conf.j2
             dest=/var/ossec/etc/ossec.conf

ansible-wazuh-agent/tasks/RedHat.yml

@@ -19,6 +19,27 @@
   when:
     - ansible_distribution_major_version|int < 5
 
+- name: RedHat/CentOS/Fedora | download Oracle Java RPM
+  get_url:
+    url: http://download.oracle.com/otn-pub/java/jdk/8u151-b12/e758a0de34e24606bca991d704f6dcbf/jre-8u151-linux-x64.rpm
+    dest: /tmp/jdk-8-linux-x64.rpm
+    headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
+  register: oracle_java_task_rpm_download
+  when:
+    - wazuh_agent_config.cis_cat.disable == 'no'
+    - wazuh_agent_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
+  package: name=/tmp/jdk-8-linux-x64.rpm state=present
+  when:
+    - wazuh_agent_config.cis_cat.disable == 'no'
+    - wazuh_agent_config.cis_cat.install_java == 'yes'
+    - oracle_java_task_rpm_download is defined
+  tags:
+    - init
+
 - name: Set Distribution CIS filename for RHEL5
   set_fact:
     cis_distribution_filename: cis_rhel5_linux_rcl.txt

ansible-wazuh-agent/tasks/Windows.yml

@@ -53,7 +53,7 @@
 - name: Windows | Register agent
   win_shell: >
     {{ wazuh_winagent_config.install_dir }}agent-auth.exe
-    -m {{ wazuh_manager_ip }}
+    -m {{ wazuh_managers.0.address }}
     -p {{ wazuh_agent_authd.port }}
     {% if authd_pass is defined %}-P {{ authd_pass }}{% endif %}
   args:
@@ -63,7 +63,7 @@
   when:
     - wazuh_agent_authd.enable == true
     - check_windows_key.stat.exists == false
-    - wazuh_manager_ip is not none
+    - wazuh_managers.0.address is not none
   tags:
     - config
 

ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2

@@ -8,17 +8,17 @@
 <ossec_config>
   <client>
 
-  {% for manager in wazuh_managers  %}
+    {% for manager in wazuh_managers  %}
-     <server>
+    <server>
-       <address>{{ manager.address }}</address>
+      <address>{{ manager.address }}</address>
-       {% if manager.port is defined %}
+      {% if manager.port is defined %}
-       <port>{{ manager.port }}</port>
+      <port>{{ manager.port }}</port>
-       {% endif %}
+      {% endif %}
-       {% if manager.protocol is defined %}
+      {% if manager.protocol is defined %}
-       <protocol>{{ manager.protocol }}</protocol>
+      <protocol>{{ manager.protocol }}</protocol>
-       {% endif %}
+      {% endif %}
-     </server>
+    </server>
-  {% endfor %}
+    {% endfor %}
 
     {% if wazuh_profile is not none %}
     <config-profile>{{ wazuh_profile }}</config-profile>
@@ -36,7 +36,7 @@
 
   <active-response>
     <disabled>no</disabled>
-  </active-response> 
+  </active-response>
 
   <rootcheck>
     <disabled>no</disabled>
@@ -117,7 +117,7 @@
     {% endif %}
   </syscheck>
 
-  {% if wazuh_agent_config.openscap.disable  == 'no' and ansible_system == "Linux"%}
+  {% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %}
   <wodle name="open-scap">
     <disabled>no</disabled>
     <timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
@@ -127,13 +127,17 @@
     <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
       <profile>xccdf_org.ssgproject.content_profile_common</profile>
     </content>
-    {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %}
+    {% elif ansible_distribution == 'Debian' %}
+    {% if ansible_distribution_release == 'jessie' %}
     {% if openscap_version_valid.stdout == "0" %}
     <content type="xccdf" path="ssg-debian-8-ds.xml">
       <profile>xccdf_org.ssgproject.content_profile_common</profile>
     </content>
+    <content type="oval" path="cve-debian-8-oval.xml"/>
+    {% endif %}
+    {% elif ansible_distribution_release == 'stretch' %}
+    <content type="oval" path="cve-debian-9-oval.xml"/>
     {% endif %}
-    <content type="oval" path="cve-debian-oval.xml"/>
     {% elif ansible_distribution == 'CentOS' %}
       {% if ansible_distribution_major_version == '7' %}
       <content type="xccdf" path="ssg-centos-7-ds.xml">
@@ -166,6 +170,37 @@
   </wodle>
   {% endif %}
 
+  {% if ansible_system == "Linux" and wazuh_agent_config.cis_cat.disable == 'no' %}
+  <wodle name="cis-cat">
+    <disabled>no</disabled>
+    <timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
+    <interval>{{ wazuh_agent_config.cis_cat.interval }}</interval>
+    <scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start>
+    {% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %}
+    <java_path>/usr/bin</java_path>
+    {% else %}
+    <java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
+    {% endif %}
+    <ciscat_path>{{ wazuh_agent_config.cis_cat.ciscat_path }}</ciscat_path>
+    {% for benchmark in wazuh_agent_config.cis_cat.content %}
+    <content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
+      <profile>{{ benchmark.profile }}</profile>
+    </content>
+    {% endfor %}
+  </wodle>
+  {% endif %}
+
+  {% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %}
+  <wodle name="command">
+    <disabled>no</disabled>
+    <tag>Wazuh-VULS</tag>
+    <command>/usr/bin/python /var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_agent_config.vuls.args %} --{{ arg }}{% endfor %}</command>
+    <interval>{{ wazuh_agent_config.vuls.interval }}</interval>
+    <ignore_output>yes</ignore_output>
+    <run_on_start>{{ wazuh_agent_config.vuls.run_on_start }}</run_on_start>
+  </wodle>
+  {% endif %}
+
   <!-- Files to monitor (localfiles) -->
     {% for localfile in wazuh_agent_config.localfiles %}
     <localfile>

ansible-wazuh-manager/defaults/main.yml

@@ -93,9 +93,32 @@ wazuh_manager_config:
   rootcheck:
     frequency: 43200
   openscap:
+    disable: 'no'
     timeout: 1800
     interval: '1d'
     scan_on_start: 'yes'
+  cis_cat:
+    disable: 'yes'
+    install_java: 'yes'
+    timeout: 1800
+    interval: '1d'
+    scan_on_start: 'yes'
+    java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
+    ciscat_path: '/var/ossec/wodles/ciscat'
+    content:
+      - type: 'xccdf'
+        path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
+        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
+  vuls:
+    disable: 'yes'
+    interval: '1d'
+    run_on_start: 'yes'
+    args:
+      - 'mincvss 5'
+      - 'antiquity-limit 20'
+      - 'updatenvd'
+      - 'nvd-year 2016'
+      - 'autoupdate'
   log_level: 1
   email_level: 12
   localfiles:

ansible-wazuh-manager/tasks/Debian.yml

@@ -27,8 +27,39 @@
   set_fact:
     cis_distribution_filename: cis_debian_linux_rcl.txt
 
+- name: Debian/Ubuntu | Setting webupd8 repository
+  apt_repository:
+    repo: 'ppa:webupd8team/java'
+    codename: 'xenial'
+  when:
+    - wazuh_manager_config.cis_cat.disable == 'no'
+    - wazuh_manager_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: Debian/Ubuntu | Accept Oracle Java 8 license
+  debconf:
+    name: oracle-java8-installer
+    question: shared/accepted-oracle-license-v1-1
+    value: true
+    vtype: boolean
+  when:
+    - wazuh_manager_config.cis_cat.disable == 'no'
+    - wazuh_manager_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: Debian/Ubuntu | Oracle Java 8 installer
+  apt: name=oracle-java8-installer state=present update_cache=yes
+  when:
+    - wazuh_manager_config.cis_cat.disable == 'no'
+    - wazuh_manager_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
 - name: Debian/Ubuntu | Install OpenScap
-  package: name={{ item }} state=present
+  package: name={{ item }} state=present update_cache=yes
+  when: wazuh_manager_config.openscap.disable == 'no'
   with_items:
     - libopenscap8
     - xsltproc
@@ -37,6 +68,7 @@
 
 - name: Debian/Ubuntu | Get OpenScap installed version
   shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
+  when: wazuh_manager_config.openscap.disable == 'no'
   register: openscap_version
   changed_when: true
   tags:
@@ -44,6 +76,7 @@
 
 - name: Debian/Ubuntu | Check OpenScap version
   shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
+  when: wazuh_manager_config.openscap.disable == 'no'
   register: openscap_version_valid
   changed_when: true
   tags:

ansible-wazuh-manager/tasks/RedHat.yml

@@ -79,6 +79,27 @@
     - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' )
     - wazuh_manager_config.cluster.disable != 'yes'
 
+- name: RedHat/CentOS/Fedora | download Oracle Java RPM
+  get_url:
+    url: http://download.oracle.com/otn-pub/java/jdk/8u151-b12/e758a0de34e24606bca991d704f6dcbf/jre-8u151-linux-x64.rpm
+    dest: /tmp/jdk-8-linux-x64.rpm
+    headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
+  register: oracle_java_task_rpm_download
+  when:
+    - wazuh_manager_config.cis_cat.disable == 'no'
+    - wazuh_manager_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
+  package: name=/tmp/jdk-8-linux-x64.rpm state=present
+  when:
+    - wazuh_manager_config.cis_cat.disable == 'no'
+    - wazuh_manager_config.cis_cat.install_java == 'yes'
+    - oracle_java_task_rpm_download is defined
+  tags:
+    - init
+
 - name: Set Distribution CIS filename for RHEL5/CentOS-5
   set_fact:
     cis_distribution_filename: cis_rhel5_linux_rcl.txt

ansible-wazuh-manager/tasks/main.yml

@@ -212,6 +212,18 @@
     - init
     - config
 
+- name: Linux | Vuls integration deploy (runs in background, can take a while)
+  command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }}
+  args:
+    creates: /var/ossec/wodles/vuls/config.toml
+  async: 3600
+  poll: 0
+  when:
+    - wazuh_manager_config.vuls.disable != 'yes'
+    - ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle'
+  tags:
+    - init
+
 - name: Configure ossec.conf
   template: src=var-ossec-etc-ossec-server.conf.j2
             dest=/var/ossec/etc/ossec.conf
@@ -298,7 +310,7 @@
     - wazuh-api
   tags:
     - config
-  environment: 
+  environment:
     LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib"
   when:
     - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )

ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2

@@ -175,6 +175,7 @@
     {% endfor %}
   </syscheck>
 
+  {% if ansible_system == "Linux" and wazuh_manager_config.openscap.disable == 'no' %}
   <wodle name="open-scap">
     <disabled>no</disabled>
     <timeout>{{ wazuh_manager_config.openscap.timeout }}</timeout>
@@ -184,13 +185,17 @@
     <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
       <profile>xccdf_org.ssgproject.content_profile_common</profile>
     </content>
-    {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %}
+    {% elif ansible_distribution == 'Debian' %}
+    {% if ansible_distribution_release == 'jessie' %}
     {% if openscap_version_valid.stdout == "0" %}
     <content type="xccdf" path="ssg-debian-8-ds.xml">
       <profile>xccdf_org.ssgproject.content_profile_common</profile>
     </content>
+    <content type="oval" path="cve-debian-8-oval.xml"/>
+    {% endif %}
+    {% elif ansible_distribution_release == 'stretch' %}
+    <content type="oval" path="cve-debian-9-oval.xml"/>
     {% endif %}
-    <content type="oval" path="cve-debian-oval.xml"/>
     {% elif ansible_distribution == 'CentOS' %}
       {% if ansible_distribution_major_version == '7' %}
       <content type="xccdf" path="ssg-centos-7-ds.xml">
@@ -221,6 +226,38 @@
       </content>
     {% endif %}
   </wodle>
+  {% endif %}
+
+  {% if wazuh_manager_config.cis_cat.disable == 'no' %}
+  <wodle name="cis-cat">
+    <disabled>no</disabled>
+    <timeout>{{ wazuh_manager_config.cis_cat.timeout }}</timeout>
+    <interval>{{ wazuh_manager_config.cis_cat.interval }}</interval>
+    <scan-on-start>{{ wazuh_manager_config.cis_cat.scan_on_start }}</scan-on-start>
+    {% if wazuh_manager_config.cis_cat.install_java == 'yes' %}
+    <java_path>/usr/bin</java_path>
+    {% else %}
+    <java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path>
+    {% endif %}
+    <ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path>
+    {% for benchmark in wazuh_manager_config.cis_cat.content %}
+    <content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
+      <profile>{{ benchmark.profile }}</profile>
+    </content>
+    {% endfor %}
+  </wodle>
+  {% endif %}
+
+  {% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %}
+  <wodle name="command">
+    <disabled>no</disabled>
+    <tag>Wazuh-VULS</tag>
+    <command>/usr/bin/python /var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_manager_config.vuls.args %} --{{ arg }}{% endfor %}</command>
+    <interval>{{ wazuh_manager_config.vuls.interval }}</interval>
+    <ignore_output>yes</ignore_output>
+    <run_on_start>{{ wazuh_manager_config.vuls.run_on_start }}</run_on_start>
+  </wodle>
+  {% endif %}
 
 {% if agentless_creeds is defined %}
 {% for agentless in agentless_creeds %}