Merge pull request #118 from wazuh/Issue_78-windows_ossec_conf

ossec.conf for windows agents
This commit is contained in:
Carlos Dominguez 2019-01-10 13:11:33 +01:00 committed by GitHub
commit 8852f16b21
2 changed files with 230 additions and 24 deletions


@ -31,6 +31,7 @@ wazuh_agent_config:
active_response:
ar_disabled: 'no'
ca_store: '/var/ossec/etc/wpk_root.pem'
ca_store_win: 'wpk_root.pem'
ca_verification: 'yes'
log_format: 'plain'
client_buffer:
@ -44,6 +45,7 @@ wazuh_agent_config:
alert_new_files: 'yes'
remove_old_diff: 'yes'
restart_audit: 'yes'
win_audit_interval: 300
skip_nfs: 'yes'
ignore:
- /etc/mtab
@ -61,6 +63,8 @@ wazuh_agent_config:
- /etc/svc/volatile
- /sys/kernel/security
- /sys/kernel/debug
ignore_win:
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
no_diff:
- /etc/ssl/private.key
directories:
@ -68,10 +72,142 @@ wazuh_agent_config:
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
win_directories:
- dirs: '%WINDIR%\regedit.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\system.ini'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\win.ini'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\at.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\attrib.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\cacls.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\cmd.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\drivers\etc'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\eventcreate.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\ftp.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\lsass.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\net.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\net1.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\netsh.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\reg.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\regedt32.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\regsvr32.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\runas.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\sc.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\schtasks.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\sethc.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\subst.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\wbem\WMIC.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\winrm.vbs'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\at.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\attrib.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\cacls.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\cmd.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\drivers\etc'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\eventcreate.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\ftp.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\net.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\net1.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\netsh.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\reg.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\regedit.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\regedt32.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\regsvr32.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\runas.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\sc.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\schtasks.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\sethc.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\subst.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\wbem\WMIC.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\winrm.vbs'
checks: 'check_all="yes"'
- dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
checks: 'check_all="yes" realtime="yes"'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
arch: 'both'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Security'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
arch: "both"
windows_registry_ignore:
- key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
- key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
- key: '\Enum$'
type: "sregex"
rootcheck:
frequency: 43200
openscap:
@ -82,8 +218,11 @@ wazuh_agent_config:
osquery:
disable: 'yes'
run_daemon: 'yes'
bin_path_win: 'C:\ProgramData\osquery\osqueryd'
log_path: '/var/log/osquery/osqueryd.results.log'
log_path_win: 'C:\ProgramData\osquery\log\osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
config_path_win: 'C:\ProgramData\osquery\osquery.conf'
ad_labels: 'yes'
syscollector:
disable: 'no'
@ -102,7 +241,9 @@ wazuh_agent_config:
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
java_path_win: '\\server\jre\bin\java.exe'
ciscat_path: '/var/ossec/wodles/ciscat'
ciscat_path_win: 'C:\cis-cat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
@ -136,7 +277,7 @@ wazuh_agent_config:
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
common:
linux:
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
- format: 'command'
@ -149,3 +290,13 @@ wazuh_agent_config:
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
windows:
- format: 'eventlog'
location: 'Application'
- format: 'eventchannel'
location: 'Security'
query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
- format: 'eventlog'
location: 'System'
- format: 'syslog'
location: 'active-response\active-responses.log'
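Review bot: The new `ignore_win` pattern (`.log$|.htm$|.jpg$|...`) uses unescaped dots, so under sregex `.log$` also matches any name ending in `xlog` rather than only the `.log` extension; if an extension match is the intent, `'\.log$|\.htm$|\.jpg$|\.png$|\.chm$|\.pnf$|\.evtx$'` is the tighter form. The `windows_registry` entries also mix quoting styles: `arch: 'both'` on the first entry, `arch: "both"` on the rest, while every other string in this file is single-quoted, so `arch: 'both'` throughout keeps the file consistent. Finally the `eventchannel` query is one very long line; a folded scalar (`query: >-` with the condition broken across lines) yields the same single-line value and keeps it readable in diffs.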


@ -43,13 +43,14 @@
<active-response>
<disabled>{{ wazuh_agent_config.active_response.ar|default('no') }}</disabled>
<ca_store>{{ wazuh_agent_config.active_response.ca_store }}</ca_store>
<ca_store>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %}</ca_store>
<ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
</active-response>
{% if wazuh_agent_config.rootcheck is defined %}
<rootcheck>
<disabled>no</disabled>
{% if ansible_system == "Linux" %}
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
@ -62,13 +63,6 @@
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>
{% if ansible_os_family == "Windows" %}
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
{% endif %}
{% if ansible_system == "Linux" %}
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
@ -76,9 +70,15 @@
{% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if ansible_os_family == "Windows" %}
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
{% endif %}
<skip_nfs>yes</skip_nfs>
</rootcheck>
{% endif %}
@ -86,43 +86,60 @@
{% if wazuh_agent_config.syscheck is defined %}
<syscheck>
<disabled>no</disabled>
<!-- #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
{% if ansible_system == "Linux" %}
<!-- #<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
{% endif %}
<auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
<!-- #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.directories is defined %}
{% if wazuh_agent_config.syscheck.directories is defined and ansible_os_family == "Linux" %}
{% for directory in wazuh_agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.win_directories is defined and ansible_os_family == "Windows" %}
{% for directory in wazuh_agent_config.syscheck.win_directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if wazuh_agent_config.syscheck.ignore is defined %}
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %}
{% for ignore in wazuh_agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
{% for ignore in wazuh_agent_config.syscheck.ignore_win %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if ansible_system == "Linux" %}
<!-- Files no diff -->
{% for no_diff in wazuh_agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %}
<!-- Remove not monitored files -->
<remove_old_diff>{{ wazuh_agent_config.syscheck.remove_old_diff }}</remove_old_diff>
{% if ansible_system == "Linux"%}
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>{{ wazuh_agent_config.syscheck.restart_audit }}</restart_audit>
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
@ -133,6 +150,21 @@
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %}
{% if registry_key.type is defined %}
<registry_ignore type="{{ registry_key.type }}">{{ registry_key.key }}</registry_ignore>
{% else %}
<registry_ignore>{{ registry_key.key }}</registry_ignore>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
<!-- Frequency for ACL checking (seconds) -->
<windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
{% endif %}
</syscheck>
{% endif %}
@ -189,7 +221,7 @@
</wodle>
{% endif %}
{% if ansible_system == "Linux" and wazuh_agent_config.cis_cat.disable == 'no' %}
{% if wazuh_agent_config.cis_cat.disable == 'no' %}
<wodle name="cis-cat">
<disabled>no</disabled>
<timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
@ -197,15 +229,19 @@
<scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start>
{% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %}
<java_path>/usr/bin</java_path>
{% elif ansible_os_family == "Windows" %}
<java_path>{{ wazuh_agent_config.cis_cat.java_path_win }}</java_path>
{% else %}
<java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
{% endif %}
<ciscat_path>{{ wazuh_agent_config.cis_cat.ciscat_path }}</ciscat_path>
<ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
{% if ansible_system == "Linux" %}
{% for benchmark in wazuh_agent_config.cis_cat.content %}
<content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
<profile>{{ benchmark.profile }}</profile>
</content>
{% endfor %}
{% endif %}
</wodle>
{% endif %}
@ -213,8 +249,11 @@
<wodle name="osquery">
<disabled>{{ wazuh_agent_config.osquery.disable }}</disabled>
<run_daemon>{{ wazuh_agent_config.osquery.run_daemon }}</run_daemon>
<log_path>{{ wazuh_agent_config.osquery.log_path }}</log_path>
<config_path>{{ wazuh_agent_config.osquery.config_path }}</config_path>
{% if ansible_os_family == "Windows" %}
<bin_path>{{ wazuh_agent_config.osquery.bin_path_win }}</bin_path>
{% endif %}
<log_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.log_path_win }}{% else %}{{ wazuh_agent_config.osquery.log_path }}{% endif %}</log_path>
<config_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.config_path_win }}{% else %}{{ wazuh_agent_config.osquery.config_path }}{% endif %}</config_path>
<add_labels>{{ wazuh_agent_config.osquery.ad_labels }}</add_labels>
</wodle>
@ -245,7 +284,8 @@
{% endif %}
<!-- Files to monitor (localfiles) -->
{% for localfile in wazuh_agent_config.localfiles.common %}
{% if ansible_system == "Linux" %}
{% for localfile in wazuh_agent_config.localfiles.linux %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
@ -256,6 +296,7 @@
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_agent_config.localfiles.debian %}
@ -284,4 +325,18 @@
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for localfile in wazuh_agent_config.localfiles.windows %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'eventchannel' %}
<location>{{ localfile.location }}</location>
<query>{{ localfile.query}}</query>
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
</ossec_config>
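Review bot: The guard on the Linux `directories` loop compares `ansible_os_family` to `"Linux"`, but `ansible_os_family` on Linux hosts is a distribution family (the same file tests it against `"Debian"`), so the Linux syscheck `<directories>` block will never be rendered; the test should be `{% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %}` as on the `ignore` guard a few lines below. The Windows ignore loop has the mirror problem: it tests `ansible_system == "Windows"` where every other Windows branch in this file uses `ansible_os_family == "Windows"`, and it checks `ignore is defined` while iterating `ignore_win`, so `{% if wazuh_agent_config.syscheck.ignore_win is defined and ansible_os_family == "Windows" %}` is what is meant. Both slips silently drop monitoring coverage rather than failing, so a render test per OS would catch them. Minor: `{{ localfile.query}}` in the Windows localfile loop is missing the closing space used everywhere else.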