afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

os_family localfiles

Browse Source
This commit is contained in:
root 2018-12-13 13:42:15 +00:00
parent 23aeeffff2
commit 852d5909eb
4 changed files with 176 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
roles/wazuh/ansible-wazuh-agent/defaults/main.yml
View File

@ -93,7 +93,7 @@ wazuh_agent_config:
ports_no: 'yes' ports_no: 'yes'
processes: 'yes' processes: 'yes'
cis_cat: cis_cat:
disable: 'no' disable: 'yes'
install_java: 'yes' install_java: 'yes'
timeout: 1800 timeout: 1800
interval: '1d' interval: '1d'
@ -103,7 +103,7 @@ wazuh_agent_config:
content: content:
- type: 'xccdf' - type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml' path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
vuls: vuls:
disable: 'yes' disable: 'yes'
interval: '1d' interval: '1d'
@ -115,23 +115,34 @@ wazuh_agent_config:
- 'nvd-year 2016' - 'nvd-year 2016'
- 'autoupdate' - 'autoupdate'
localfiles: localfiles:
- format: 'syslog' debian:
location: '/var/ossec/logs/active-responses.log' - format: 'syslog'
- format: 'syslog' location: '/var/log/auth.log'
location: '/var/log/auth.log' - format: 'syslog'
- format: 'syslog' location: '/var/log/syslog'
location: '/var/log/syslog' - format: 'syslog'
- format: 'syslog' location: '/var/log/dpkg.log'
location: '/var/log/dpkg.log' - format: 'syslog'
- format: 'syslog' location: '/var/log/kern.log'
location: '/var/log/kern.log' centos:
- format: 'command' - format: 'syslog'
command: 'df -P' location: '/var/log/messages'
frequency: '360' - format: 'syslog'
- format: 'full_command' location: '/var/log/secure'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - format: 'syslog'
alias: 'netstat listening ports' location: '/var/log/maillog'
frequency: '360' - format: 'audit'
- format: 'full_command' location: '/var/log/audit/audit.log'
command: 'last -n 20' common:
frequency: '360' - format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
- format: 'command'
command: 'df -P'
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'

33
roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
View File

@ -87,13 +87,13 @@
<syscheck> <syscheck>
<disabled>no</disabled> <disabled>no</disabled>
{% if ansible_system == "Linux" %} {% if ansible_system == "Linux" %}
#<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> <!-- #<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories> <directories check_all="yes">/bin,/sbin,/boot</directories>
{% endif %} {% endif %}
<auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore> <auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
#<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> <!-- #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
<!-- Frequency that syscheck is executed -- default every 20 hours --> <!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency> <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start> <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
@ -245,7 +245,7 @@
{% endif %} {% endif %}
<!-- Files to monitor (localfiles) --> <!-- Files to monitor (localfiles) -->
{% for localfile in wazuh_agent_config.localfiles %} {% for localfile in wazuh_agent_config.localfiles.common %}
<localfile> <localfile>
<log_format>{{ localfile.format }}</log_format> <log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %} {% if localfile.format == 'command' or localfile.format == 'full_command' %}
@ -257,4 +257,31 @@
</localfile> </localfile>
{% endfor %} {% endfor %}
{% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_agent_config.localfiles.debian %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_agent_config.localfiles.centos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
</ossec_config> </ossec_config>

58
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -181,26 +181,36 @@ wazuh_manager_config:
log_level: 1 log_level: 1
email_level: 12 email_level: 12
localfiles: localfiles:
- format: 'command' common:
command: 'df -P' - format: 'command'
frequency: '360' command: 'df -P'
- format: 'full_command' frequency: '360'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - format: 'full_command'
alias: 'netstat listening ports' command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
frequency: '360' alias: 'netstat listening ports'
- format: 'full_command' frequency: '360'
command: 'last -n 20' - format: 'full_command'
frequency: '360' command: 'last -n 20'
- format: 'syslog' - format: 'syslog'
location: '/var/ossec/logs/active-responses.log' location: '/var/ossec/logs/active-responses.log'
- format: 'syslog' debian:
location: '/var/log/auth.log' - format: 'syslog'
- format: 'syslog' location: '/var/log/auth.log'
location: '/var/log/syslog' - format: 'syslog'
- format: 'syslog' location: '/var/log/syslog'
location: '/var/log/dpkg.log' - format: 'syslog'
- format: 'syslog' location: '/var/log/dpkg.log'
location: '/var/log/kern.log' - format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
globals: globals:
- '127.0.0.1' - '127.0.0.1'
- '192.168.2.1' - '192.168.2.1'
@ -209,10 +219,10 @@ wazuh_manager_config:
executable: 'disable-account.sh' executable: 'disable-account.sh'
expect: 'user' expect: 'user'
timeout_allowed: 'yes' timeout_allowed: 'yes'
- name: 'restart-ossec' #- name: 'restart-ossec'
executable: 'restart-ossec.sh' # executable: 'restart-ossec.sh'
expect: '' # expect: ''
timeout_allowed: 'no' # timeout_allowed: 'no'
- name: 'win_restart-ossec' - name: 'win_restart-ossec'
executable: 'restart-ossec.cmd' executable: 'restart-ossec.cmd'
expect: '' expect: ''

81
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
View File

@ -398,7 +398,7 @@
{% endif %} {% endif %}
<!-- Active Response Config --> <!-- Active Response Config
{% for response in wazuh_manager_config.active_responses %} {% for response in wazuh_manager_config.active_responses %}
<active-response> <active-response>
<disabled>{% if response.disabled is defined %}{{ response.disabled }}{% else %}no{% endif %}</disabled> <disabled>{% if response.disabled is defined %}{{ response.disabled }}{% else %}no{% endif %}</disabled>
@ -412,9 +412,10 @@
{%if response.repeated_offenders is defined %}<repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %} {%if response.repeated_offenders is defined %}<repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %}
</active-response> </active-response>
{% endfor %} {% endfor %}
-->
<!-- Files to monitor (localfiles) --> <!-- Files to monitor (localfiles) -->
{% for localfile in wazuh_manager_config.localfiles %} {% for localfile in wazuh_manager_config.localfiles.common %}
<localfile> <localfile>
<log_format>{{ localfile.format }}</log_format> <log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %} {% if localfile.format == 'command' or localfile.format == 'full_command' %}
@ -450,6 +451,82 @@
</localfile> </localfile>
{% endfor %} {% endfor %}
{% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_manager_config.localfiles.debian %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
<frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
<only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
<query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for key, value in localfile.labels.iteritems() %}
<label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
<target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
<out_format>{{ localfile.out_format }}</out_format>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_manager_config.localfiles.centos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
<frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
<only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
<query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for key, value in localfile.labels.iteritems() %}
<label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
<target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
<out_format>{{ localfile.out_format }}</out_format>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if wazuh_manager_config.syslog_outputs is defined %} {% if wazuh_manager_config.syslog_outputs is defined %}
{% for syslog_output in wazuh_manager_config.syslog_outputs %} {% for syslog_output in wazuh_manager_config.syslog_outputs %}
{% if syslog_output.server is not none %} {% if syslog_output.server is not none %}