Updating for Wazuh 3.1 compatibility

* Added support for Vuls command wodle. * Added support for CIS-CAT wodle.
2017-12-23 13:43:32 -05:00 · 2017-12-23 13:43:32 -05:00 · 8316ae54ce
commit 8316ae54ce
parent fb34566fbc
12 changed files with 275 additions and 30 deletions
--- a/ansible-role-kibana/tasks/main.yml
+++ b/ansible-role-kibana/tasks/main.yml
@ -46,7 +46,6 @@
    NODE_OPTIONS: "--max-old-space-size=3072"
  args:
    creates: /usr/share/kibana/plugins/wazuh/package.json
-  when: wazuh_app_verify.stdout == "0"
  notify: restart kibana
  tags: install

--- a/ansible-wazuh-agent/defaults/main.yml
+++ b/ansible-wazuh-agent/defaults/main.yml
@ -16,10 +16,10 @@ wazuh_notify_time: null
 wazuh_time_reconnect: null
 wazuh_winagent_config:
  install_dir: 'C:\wazuh-agent\'
-  version: '3.0.0'
+  version: '3.1.0'
  revision: '1'
  repo: https://packages.wazuh.com/3.x/windows/
-  md5: 896dcc5b786fda30db9649dd7a6043c0
+  md5: 484900d5006a50304bbf284917d7fa14
 wazuh_agent_config:
  log_format: 'plain'
  syscheck:
@ -59,6 +59,28 @@ wazuh_agent_config:
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
+  cis_cat:
+    disable: 'yes'
+    install_java: 'yes'
+    timeout: 1800
+    interval: '1d'
+    scan_on_start: 'yes'
+    java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
+    ciscat_path: '/var/ossec/wodles/ciscat'
+    content:
+      - type: 'xccdf'
+        path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
+        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
+  vuls:
+    disable: 'yes'
+    interval: '1d'
+    run_on_start: 'yes'
+    args:
+      - 'mincvss 5'
+      - 'antiquity-limit 20'
+      - 'updatenvd'
+      - 'nvd-year 2016'
+      - 'autoupdate'
  localfiles:
    - format: 'syslog'
      location: '/var/log/messages'
--- a/ansible-wazuh-agent/tasks/Debian.yml
+++ b/ansible-wazuh-agent/tasks/Debian.yml
@ -19,8 +19,38 @@
    cis_distribution_filename: cis_debian_linux_rcl.txt
  when: ansible_os_family == "Debian"

+- name: Debian/Ubuntu | Setting webupd8 repository
+  apt_repository:
+    repo: 'ppa:webupd8team/java'
+    codename: 'xenial'
+  when:
+    - wazuh_agent_config.cis_cat.disable == 'no'
+    - wazuh_agent_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: Debian/Ubuntu | Accept Oracle Java 8 license
+  debconf:
+    name: oracle-java8-installer
+    question: shared/accepted-oracle-license-v1-1
+    value: true
+    vtype: boolean
+  when:
+    - wazuh_agent_config.cis_cat.disable == 'no'
+    - wazuh_agent_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: Debian/Ubuntu | Oracle Java 8 installer
+  apt: name=oracle-java8-installer state=present update_cache=yes
+  when:
+    - wazuh_agent_config.cis_cat.disable == 'no'
+    - wazuh_agent_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
 - name: Debian/Ubuntu | Install OpenScap
-  package: name={{ item }} state=present
+  package: name={{ item }} state=present update_cache=yes
  when: wazuh_agent_config.openscap.disable == 'no'
  with_items:
    - libopenscap8
@ -31,15 +61,15 @@
 - name: Debian/Ubuntu | Get OpenScap installed version
  shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
  register: openscap_version
-  when: wazuh_agent_config.openscap.disable == 'no'
  changed_when: true
+  when: wazuh_agent_config.openscap.disable == 'no'
  tags:
    - config

 - name: Debian/Ubuntu | Check OpenScap version
  shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
  register: openscap_version_valid
-  when: wazuh_agent_config.openscap.disable == 'no'
  changed_when: true
+  when: wazuh_agent_config.openscap.disable == 'no'
  tags:
    - config
--- a/ansible-wazuh-agent/tasks/Linux.yml
+++ b/ansible-wazuh-agent/tasks/Linux.yml
@ -39,7 +39,7 @@
 - name: Linux | Register agent
  shell: >
    /var/ossec/bin/agent-auth
-    -m {{ wazuh_manager_ip }}
+    -m {{ wazuh_managers.0.address }}
    -p {{ wazuh_agent_authd.port }}
    {% if authd_pass is defined %}-P {{ authd_pass }}{% endif %}
    {% if wazuh_agent_authd.ssl_agent_ca is not none %}
@ -52,7 +52,7 @@
  when:
    - wazuh_agent_authd.enable == true
    - check_keys.stat.size == 0
-    - wazuh_manager_ip is not none
+    - wazuh_managers.0.address is not none
  tags:
    - config

@ -61,10 +61,22 @@
  when:
    - wazuh_agent_authd.enable == true
    - check_keys.stat.size == 0
-    - wazuh_manager_ip is not none
+    - wazuh_managers.0.address is not none
  tags:
    - config

+- name: Linux | Vuls integration deploy (runs in background, can take a while)
+  command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }}
+  args:
+    creates: /var/ossec/wodles/vuls/config.toml
+  async: 3600
+  poll: 0
+  when:
+    - wazuh_agent_config.vuls.disable != 'yes'
+    - ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle'
+  tags:
+    - init
+
 - name: Linux | Installing agent configuration (ossec.conf)
  template: src=var-ossec-etc-ossec-agent.conf.j2
            dest=/var/ossec/etc/ossec.conf
--- a/ansible-wazuh-agent/tasks/RedHat.yml
+++ b/ansible-wazuh-agent/tasks/RedHat.yml
@ -19,6 +19,27 @@
  when:
    - ansible_distribution_major_version|int < 5

+- name: RedHat/CentOS/Fedora | download Oracle Java RPM
+  get_url:
+    url: http://download.oracle.com/otn-pub/java/jdk/8u151-b12/e758a0de34e24606bca991d704f6dcbf/jre-8u151-linux-x64.rpm
+    dest: /tmp/jdk-8-linux-x64.rpm
+    headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
+  register: oracle_java_task_rpm_download
+  when:
+    - wazuh_agent_config.cis_cat.disable == 'no'
+    - wazuh_agent_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
+  package: name=/tmp/jdk-8-linux-x64.rpm state=present
+  when:
+    - wazuh_agent_config.cis_cat.disable == 'no'
+    - wazuh_agent_config.cis_cat.install_java == 'yes'
+    - oracle_java_task_rpm_download is defined
+  tags:
+    - init
+
 - name: Set Distribution CIS filename for RHEL5
  set_fact:
    cis_distribution_filename: cis_rhel5_linux_rcl.txt
--- a/ansible-wazuh-agent/tasks/Windows.yml
+++ b/ansible-wazuh-agent/tasks/Windows.yml
@ -53,7 +53,7 @@
 - name: Windows | Register agent
  win_shell: >
    {{ wazuh_winagent_config.install_dir }}agent-auth.exe
-    -m {{ wazuh_manager_ip }}
+    -m {{ wazuh_managers.0.address }}
    -p {{ wazuh_agent_authd.port }}
    {% if authd_pass is defined %}-P {{ authd_pass }}{% endif %}
  args:
@ -63,7 +63,7 @@
  when:
    - wazuh_agent_authd.enable == true
    - check_windows_key.stat.exists == false
-    - wazuh_manager_ip is not none
+    - wazuh_managers.0.address is not none
  tags:
    - config

--- a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@ -117,7 +117,7 @@
    {% endif %}
  </syscheck>

-  {% if wazuh_agent_config.openscap.disable  == 'no' and ansible_system == "Linux"%}
+  {% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %}
  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
@ -127,13 +127,17 @@
    <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
-    {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %}
+    {% elif ansible_distribution == 'Debian' %}
+    {% if ansible_distribution_release == 'jessie' %}
    {% if openscap_version_valid.stdout == "0" %}
    <content type="xccdf" path="ssg-debian-8-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
+    <content type="oval" path="cve-debian-8-oval.xml"/>
+    {% endif %}
+    {% elif ansible_distribution_release == 'stretch' %}
+    <content type="oval" path="cve-debian-9-oval.xml"/>
    {% endif %}
-    <content type="oval" path="cve-debian-oval.xml"/>
    {% elif ansible_distribution == 'CentOS' %}
      {% if ansible_distribution_major_version == '7' %}
      <content type="xccdf" path="ssg-centos-7-ds.xml">
@ -166,6 +170,37 @@
  </wodle>
  {% endif %}

+  {% if ansible_system == "Linux" and wazuh_agent_config.cis_cat.disable == 'no' %}
+  <wodle name="cis-cat">
+    <disabled>no</disabled>
+    <timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
+    <interval>{{ wazuh_agent_config.cis_cat.interval }}</interval>
+    <scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start>
+    {% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %}
+    <java_path>/usr/bin</java_path>
+    {% else %}
+    <java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
+    {% endif %}
+    <ciscat_path>{{ wazuh_agent_config.cis_cat.ciscat_path }}</ciscat_path>
+    {% for benchmark in wazuh_agent_config.cis_cat.content %}
+    <content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
+      <profile>{{ benchmark.profile }}</profile>
+    </content>
+    {% endfor %}
+  </wodle>
+  {% endif %}
+
+  {% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %}
+  <wodle name="command">
+    <disabled>no</disabled>
+    <tag>Wazuh-VULS</tag>
+    <command>/usr/bin/python /var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_agent_config.vuls.args %} --{{ arg }}{% endfor %}</command>
+    <interval>{{ wazuh_agent_config.vuls.interval }}</interval>
+    <ignore_output>yes</ignore_output>
+    <run_on_start>{{ wazuh_agent_config.vuls.run_on_start }}</run_on_start>
+  </wodle>
+  {% endif %}
+
  <!-- Files to monitor (localfiles) -->
    {% for localfile in wazuh_agent_config.localfiles %}
    <localfile>
--- a/ansible-wazuh-manager/defaults/main.yml
+++ b/ansible-wazuh-manager/defaults/main.yml
@ -93,9 +93,32 @@ wazuh_manager_config:
  rootcheck:
    frequency: 43200
  openscap:
+    disable: 'no'
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
+  cis_cat:
+    disable: 'yes'
+    install_java: 'yes'
+    timeout: 1800
+    interval: '1d'
+    scan_on_start: 'yes'
+    java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
+    ciscat_path: '/var/ossec/wodles/ciscat'
+    content:
+      - type: 'xccdf'
+        path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
+        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
+  vuls:
+    disable: 'yes'
+    interval: '1d'
+    run_on_start: 'yes'
+    args:
+      - 'mincvss 5'
+      - 'antiquity-limit 20'
+      - 'updatenvd'
+      - 'nvd-year 2016'
+      - 'autoupdate'
  log_level: 1
  email_level: 12
  localfiles:
--- a/ansible-wazuh-manager/tasks/Debian.yml
+++ b/ansible-wazuh-manager/tasks/Debian.yml
@ -27,8 +27,39 @@
  set_fact:
    cis_distribution_filename: cis_debian_linux_rcl.txt

+- name: Debian/Ubuntu | Setting webupd8 repository
+  apt_repository:
+    repo: 'ppa:webupd8team/java'
+    codename: 'xenial'
+  when:
+    - wazuh_manager_config.cis_cat.disable == 'no'
+    - wazuh_manager_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: Debian/Ubuntu | Accept Oracle Java 8 license
+  debconf:
+    name: oracle-java8-installer
+    question: shared/accepted-oracle-license-v1-1
+    value: true
+    vtype: boolean
+  when:
+    - wazuh_manager_config.cis_cat.disable == 'no'
+    - wazuh_manager_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: Debian/Ubuntu | Oracle Java 8 installer
+  apt: name=oracle-java8-installer state=present update_cache=yes
+  when:
+    - wazuh_manager_config.cis_cat.disable == 'no'
+    - wazuh_manager_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
 - name: Debian/Ubuntu | Install OpenScap
-  package: name={{ item }} state=present
+  package: name={{ item }} state=present update_cache=yes
+  when: wazuh_manager_config.openscap.disable == 'no'
  with_items:
    - libopenscap8
    - xsltproc
@ -37,6 +68,7 @@

 - name: Debian/Ubuntu | Get OpenScap installed version
  shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
+  when: wazuh_manager_config.openscap.disable == 'no'
  register: openscap_version
  changed_when: true
  tags:
@ -44,6 +76,7 @@

 - name: Debian/Ubuntu | Check OpenScap version
  shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
+  when: wazuh_manager_config.openscap.disable == 'no'
  register: openscap_version_valid
  changed_when: true
  tags:
--- a/ansible-wazuh-manager/tasks/RedHat.yml
+++ b/ansible-wazuh-manager/tasks/RedHat.yml
@ -79,6 +79,27 @@
    - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' )
    - wazuh_manager_config.cluster.disable != 'yes'

+- name: RedHat/CentOS/Fedora | download Oracle Java RPM
+  get_url:
+    url: http://download.oracle.com/otn-pub/java/jdk/8u151-b12/e758a0de34e24606bca991d704f6dcbf/jre-8u151-linux-x64.rpm
+    dest: /tmp/jdk-8-linux-x64.rpm
+    headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
+  register: oracle_java_task_rpm_download
+  when:
+    - wazuh_manager_config.cis_cat.disable == 'no'
+    - wazuh_manager_config.cis_cat.install_java == 'yes'
+  tags:
+    - init
+
+- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
+  package: name=/tmp/jdk-8-linux-x64.rpm state=present
+  when:
+    - wazuh_manager_config.cis_cat.disable == 'no'
+    - wazuh_manager_config.cis_cat.install_java == 'yes'
+    - oracle_java_task_rpm_download is defined
+  tags:
+    - init
+
 - name: Set Distribution CIS filename for RHEL5/CentOS-5
  set_fact:
    cis_distribution_filename: cis_rhel5_linux_rcl.txt
--- a/ansible-wazuh-manager/tasks/main.yml
+++ b/ansible-wazuh-manager/tasks/main.yml
@ -212,6 +212,18 @@
    - init
    - config

+- name: Linux | Vuls integration deploy (runs in background, can take a while)
+  command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }}
+  args:
+    creates: /var/ossec/wodles/vuls/config.toml
+  async: 3600
+  poll: 0
+  when:
+    - wazuh_manager_config.vuls.disable != 'yes'
+    - ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle'
+  tags:
+    - init
+
 - name: Configure ossec.conf
  template: src=var-ossec-etc-ossec-server.conf.j2
            dest=/var/ossec/etc/ossec.conf
--- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@ -175,6 +175,7 @@
    {% endfor %}
  </syscheck>

+  {% if ansible_system == "Linux" and wazuh_manager_config.openscap.disable == 'no' %}
  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>{{ wazuh_manager_config.openscap.timeout }}</timeout>
@ -184,13 +185,17 @@
    <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
-    {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %}
+    {% elif ansible_distribution == 'Debian' %}
+    {% if ansible_distribution_release == 'jessie' %}
    {% if openscap_version_valid.stdout == "0" %}
    <content type="xccdf" path="ssg-debian-8-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
+    <content type="oval" path="cve-debian-8-oval.xml"/>
+    {% endif %}
+    {% elif ansible_distribution_release == 'stretch' %}
+    <content type="oval" path="cve-debian-9-oval.xml"/>
    {% endif %}
-    <content type="oval" path="cve-debian-oval.xml"/>
    {% elif ansible_distribution == 'CentOS' %}
      {% if ansible_distribution_major_version == '7' %}
      <content type="xccdf" path="ssg-centos-7-ds.xml">
@ -221,6 +226,38 @@
      </content>
    {% endif %}
  </wodle>
+  {% endif %}
+
+  {% if wazuh_manager_config.cis_cat.disable == 'no' %}
+  <wodle name="cis-cat">
+    <disabled>no</disabled>
+    <timeout>{{ wazuh_manager_config.cis_cat.timeout }}</timeout>
+    <interval>{{ wazuh_manager_config.cis_cat.interval }}</interval>
+    <scan-on-start>{{ wazuh_manager_config.cis_cat.scan_on_start }}</scan-on-start>
+    {% if wazuh_manager_config.cis_cat.install_java == 'yes' %}
+    <java_path>/usr/bin</java_path>
+    {% else %}
+    <java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path>
+    {% endif %}
+    <ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path>
+    {% for benchmark in wazuh_manager_config.cis_cat.content %}
+    <content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
+      <profile>{{ benchmark.profile }}</profile>
+    </content>
+    {% endfor %}
+  </wodle>
+  {% endif %}
+
+  {% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %}
+  <wodle name="command">
+    <disabled>no</disabled>
+    <tag>Wazuh-VULS</tag>
+    <command>/usr/bin/python /var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_manager_config.vuls.args %} --{{ arg }}{% endfor %}</command>
+    <interval>{{ wazuh_manager_config.vuls.interval }}</interval>
+    <ignore_output>yes</ignore_output>
+    <run_on_start>{{ wazuh_manager_config.vuls.run_on_start }}</run_on_start>
+  </wodle>
+  {% endif %}

 {% if agentless_creeds is defined %}
 {% for agentless in agentless_creeds %}