os_family localfiles

2018-12-13 13:42:15 +00:00 · 2018-12-13 13:42:15 +00:00 · 852d5909eb
commit 852d5909eb
parent 23aeeffff2
4 changed files with 176 additions and 51 deletions
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@ -93,7 +93,7 @@ wazuh_agent_config:
    ports_no: 'yes'
    processes: 'yes'
  cis_cat:
-    disable: 'no'
+    disable: 'yes'
    install_java: 'yes'
    timeout: 1800
    interval: '1d'
@ -103,7 +103,7 @@ wazuh_agent_config:
    content:
      - type: 'xccdf'
        path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
-        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'  
+        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' 
  vuls:
    disable: 'yes'
    interval: '1d'
@ -115,23 +115,34 @@ wazuh_agent_config:
      - 'nvd-year 2016'
      - 'autoupdate'
  localfiles:
-    - format: 'syslog'
-      location: '/var/ossec/logs/active-responses.log'
-    - format: 'syslog'
-      location: '/var/log/auth.log'
-    - format: 'syslog'
-      location: '/var/log/syslog'
-    - format: 'syslog'
-      location: '/var/log/dpkg.log'
-    - format: 'syslog'
-      location: '/var/log/kern.log'
-    - format: 'command'
-      command: 'df -P'
-      frequency: '360'
-    - format: 'full_command'
-      command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
-      alias: 'netstat listening ports'      
-      frequency: '360'
-    - format: 'full_command'
-      command: 'last -n 20'
-      frequency: '360'
+    debian:
+      - format: 'syslog'
+        location: '/var/log/auth.log'
+      - format: 'syslog'
+        location: '/var/log/syslog'
+      - format: 'syslog'
+        location: '/var/log/dpkg.log'
+      - format: 'syslog'
+        location: '/var/log/kern.log'
+    centos:
+      - format: 'syslog'
+        location: '/var/log/messages'
+      - format: 'syslog'
+        location: '/var/log/secure'
+      - format: 'syslog' 
+        location: '/var/log/maillog'
+      - format: 'audit'
+        location: '/var/log/audit/audit.log'
+    common:
+      - format: 'syslog'
+        location: '/var/ossec/logs/active-responses.log'
+      - format: 'command'
+        command: 'df -P'
+        frequency: '360'
+      - format: 'full_command'
+        command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d         
+        alias: 'netstat listening ports'      
+        frequency: '360'
+      - format: 'full_command'
+        command: 'last -n 20'
+        frequency: '360'
--- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@ -87,13 +87,13 @@
  <syscheck>
    <disabled>no</disabled>
    {% if ansible_system == "Linux" %}
-    #<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories>
+<!--    #<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    {% endif %}

    <auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
-    #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files>
+<!--    #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
    <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
    <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
@ -245,7 +245,7 @@
  {% endif %}

  <!-- Files to monitor (localfiles) -->
-    {% for localfile in wazuh_agent_config.localfiles %}
+    {% for localfile in wazuh_agent_config.localfiles.common %}
    <localfile>
        <log_format>{{ localfile.format }}</log_format>
    {% if localfile.format == 'command' or localfile.format == 'full_command' %}
@ -257,4 +257,31 @@
    </localfile>
  {% endfor %}

+    {% if ansible_os_family == "Debian" %}
+    {% for localfile in wazuh_agent_config.localfiles.debian %}
+    <localfile>
+        <log_format>{{ localfile.format }}</log_format>
+    {% if localfile.format == 'command' or localfile.format == 'full_command' %}
+        <command>{{ localfile.command }}</command>
+        <frequency>{{ localfile.frequency }}</frequency>
+    {% else %}
+        <location>{{ localfile.location }}</location>
+    {% endif %}
+    </localfile>
+  {% endfor %}
+  {% endif %}
+
+    {% if ansible_os_family == "RedHat" %}
+    {% for localfile in wazuh_agent_config.localfiles.centos %}
+    <localfile>
+        <log_format>{{ localfile.format }}</log_format>
+    {% if localfile.format == 'command' or localfile.format == 'full_command' %}
+        <command>{{ localfile.command }}</command>
+        <frequency>{{ localfile.frequency }}</frequency>
+    {% else %}
+        <location>{{ localfile.location }}</location>
+    {% endif %}
+    </localfile>
+  {% endfor %}
+  {% endif %}
 </ossec_config>
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@ -181,26 +181,36 @@ wazuh_manager_config:
  log_level: 1
  email_level: 12
  localfiles:
-    - format: 'command'
-      command: 'df -P'
-      frequency: '360'
-    - format: 'full_command'
-      command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
-      alias: 'netstat listening ports'
-      frequency: '360'
-    - format: 'full_command'
-      command: 'last -n 20'
-      frequency: '360'
-    - format: 'syslog'
-      location: '/var/ossec/logs/active-responses.log'
-    - format: 'syslog'
-      location: '/var/log/auth.log'
-    - format: 'syslog'
-      location: '/var/log/syslog'
-    - format: 'syslog'
-      location: '/var/log/dpkg.log'
-    - format: 'syslog'
-      location: '/var/log/kern.log'
+    common:
+       - format: 'command'
+         command: 'df -P'
+         frequency: '360'
+       - format: 'full_command'
+         command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
+         alias: 'netstat listening ports'
+         frequency: '360'
+       - format: 'full_command'
+         command: 'last -n 20'
+       - format: 'syslog'
+         location: '/var/ossec/logs/active-responses.log'
+    debian:
+       - format: 'syslog'
+         location: '/var/log/auth.log'
+       - format: 'syslog'
+         location: '/var/log/syslog'
+       - format: 'syslog'
+         location: '/var/log/dpkg.log'
+       - format: 'syslog'
+         location: '/var/log/kern.log'
+    centos:
+       - format: 'syslog'
+         location: '/var/log/messages'
+       - format: 'syslog'
+         location: '/var/log/secure'
+       - format: 'syslog'
+         location: '/var/log/maillog'
+       - format: 'audit'
+         location: '/var/log/audit/audit.log'
  globals:
    - '127.0.0.1'
    - '192.168.2.1'
@ -209,10 +219,10 @@ wazuh_manager_config:
      executable: 'disable-account.sh'
      expect: 'user'
      timeout_allowed: 'yes'
-    - name: 'restart-ossec'
-      executable: 'restart-ossec.sh'
-      expect: ''
-      timeout_allowed: 'no'
+    #- name: 'restart-ossec'
+    #  executable: 'restart-ossec.sh'
+    #  expect: ''
+    #  timeout_allowed: 'no'
    - name: 'win_restart-ossec'
      executable: 'restart-ossec.cmd'
      expect: ''
--- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@ -398,7 +398,7 @@
 {% endif %}


-  <!-- Active Response Config -->
+  <!-- Active Response Config 
 {% for response in wazuh_manager_config.active_responses %}
  <active-response>
    <disabled>{% if response.disabled is defined %}{{ response.disabled }}{% else %}no{% endif %}</disabled>
@ -412,9 +412,10 @@
    {%if response.repeated_offenders is defined %}<repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %}
  </active-response>
 {% endfor %}
+-->

  <!-- Files to monitor (localfiles) -->
-{% for localfile in wazuh_manager_config.localfiles %}
+{% for localfile in wazuh_manager_config.localfiles.common %}
  <localfile>
     <log_format>{{ localfile.format }}</log_format>
     {% if localfile.format == 'command' or localfile.format == 'full_command' %}
@ -450,6 +451,82 @@
  </localfile>
 {% endfor %}

+{% if ansible_os_family == "Debian" %}
+{% for localfile in wazuh_manager_config.localfiles.debian %}
+  <localfile>
+     <log_format>{{ localfile.format }}</log_format>
+     {% if localfile.format == 'command' or localfile.format == 'full_command' %}
+     <command>{{ localfile.command }}</command>
+     {% if localfile.alias is defined %}
+     <alias>{{ localfile.alias }}</alias>
+     {% endif %}
+     {% if localfile.frequency is defined %}
+     <frequency>{{ localfile.frequency }}</frequency>
+     {% endif %}
+     {% else %}
+     <location>{{ localfile.location }}</location>
+     {% if localfile.format == 'eventchannel' %}
+     {% if localfile.only_future_events is defined %}
+     <only-future-events>{{ localfile.only_future_events }}</only_future_events>
+     {% endif %}
+     {% if localfile.query is defined %}
+     <query>{{ localfile.query }}</query>
+     {% endif %}
+     {% endif %}
+     {% endif %}
+     {% if localfile.format == 'json' and localfile.labels is defined %}
+     {% for key, value in localfile.labels.iteritems() %}
+     <label key="{{ key }}">{{ value }}</label>
+     {% endfor %}
+     {% endif %}
+     {% if localfile.target is defined %}
+     <target>{{ localfile.target }}</target>
+     {% endif %}
+     {% if localfile.out_format is defined %}
+     <out_format>{{ localfile.out_format }}</out_format>
+     {% endif %}
+  </localfile>
+{% endfor %}
+{% endif %}
+
+{% if ansible_os_family == "RedHat" %}  
+{% for localfile in wazuh_manager_config.localfiles.centos %}
+  <localfile>
+     <log_format>{{ localfile.format }}</log_format>
+     {% if localfile.format == 'command' or localfile.format == 'full_command' %}
+     <command>{{ localfile.command }}</command>
+     {% if localfile.alias is defined %}
+     <alias>{{ localfile.alias }}</alias>
+     {% endif %}
+     {% if localfile.frequency is defined %}
+     <frequency>{{ localfile.frequency }}</frequency>
+     {% endif %}
+     {% else %}
+     <location>{{ localfile.location }}</location>
+     {% if localfile.format == 'eventchannel' %}
+     {% if localfile.only_future_events is defined %}
+     <only-future-events>{{ localfile.only_future_events }}</only_future_events>
+     {% endif %}
+     {% if localfile.query is defined %}
+     <query>{{ localfile.query }}</query>
+     {% endif %}
+     {% endif %}
+     {% endif %}
+     {% if localfile.format == 'json' and localfile.labels is defined %}
+     {% for key, value in localfile.labels.iteritems() %}
+     <label key="{{ key }}">{{ value }}</label>
+     {% endfor %}
+     {% endif %}
+     {% if localfile.target is defined %}
+     <target>{{ localfile.target }}</target>
+     {% endif %}
+     {% if localfile.out_format is defined %}
+     <out_format>{{ localfile.out_format }}</out_format>
+     {% endif %}
+  </localfile>
+{% endfor %}
+{% endif %}
+
 {% if wazuh_manager_config.syslog_outputs is defined %}
 {% for syslog_output in wazuh_manager_config.syslog_outputs %}
 {% if syslog_output.server is not none  %}