From af5b41ad29d5c7c222cea1c2a073511a55ed6984 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 3 Oct 2023 17:04:35 +0200 Subject: [PATCH 01/14] Initial variables created --- roles/wazuh/ansible-wazuh-agent/README.md | 2 ++ roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 5 +++++ roles/wazuh/vars/repo.yml | 5 +++++ roles/wazuh/vars/repo_pre-release.yml | 5 +++++ roles/wazuh/vars/repo_staging.yml | 5 +++++ 5 files changed, 22 insertions(+) diff --git a/roles/wazuh/ansible-wazuh-agent/README.md b/roles/wazuh/ansible-wazuh-agent/README.md index baf7e57e..10255e54 100644 --- a/roles/wazuh/ansible-wazuh-agent/README.md +++ b/roles/wazuh/ansible-wazuh-agent/README.md @@ -12,6 +12,8 @@ This role is compatible with: * Fedora * Debian * Ubuntu + * Windows + * macOS Role Variables diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 3c27e7c1..68ac7415 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -54,6 +54,11 @@ wazuh_winagent_config: auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_sha512: True +# macOS deployment +wazuh_macos_config: + download_dir: / + install_dir: /Library/Ossec/ + wazuh_dir: "/var/ossec" # This is deprecated, see: wazuh_agent_address diff --git a/roles/wazuh/vars/repo.yml b/roles/wazuh/vars/repo.yml index d038f024..1703c4c2 100644 --- a/roles/wazuh/vars/repo.yml +++ b/roles/wazuh/vars/repo.yml 
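Review bot: The new `wazuh_macos_config` mapping carries no integrity setting, although the Windows block directly above it has `check_sha512: True` and the Windows repo vars expose a `.sha512` URL; without a parallel key the macOS download later in this series has nothing to verify the `.pkg` against before `installer` runs it as root. `install_dir: /Library/Ossec/` keeps a trailing slash while the neighbouring `wazuh_dir: "/var/ossec"` does not, and the tasks added later join it as `{{ wazuh_macos_config.install_dir }}/etc/...`, which produces a doubled slash; `install_dir: "/Library/Ossec"` with the separator in the consumers would be consistent. The `download_dir: /` default is changed by a later commit of this series, so it is not raised here.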
@@ -7,6 +7,11 @@ wazuh_winagent_config_url: "https://packages.wazuh.com/4.x/windows/wazuh-agent-{ wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi" wazuh_winagent_sha512_url: "https://packages.wazuh.com/4.x/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512" +wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg" +wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg" +wazuh_macos_intel_package_url: "https://packages.wazuh.com/4.x/macos/{{ wazuh_macos_intel_package_name }}" +wazuh_macos_arm_package_url: "https://packages.wazuh.com/4.x/macos/{{ wazuh_macos_arm_package_name }}" + certs_gen_tool_version: 4.8 # Url of certificates generator tool diff --git a/roles/wazuh/vars/repo_pre-release.yml b/roles/wazuh/vars/repo_pre-release.yml index 3ad401c6..502aa584 100644 --- a/roles/wazuh/vars/repo_pre-release.yml +++ b/roles/wazuh/vars/repo_pre-release.yml @@ -7,6 +7,11 @@ wazuh_winagent_config_url: "https://packages-dev.wazuh.com/pre-release/windows/w wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi" wazuh_winagent_sha512_url: "https://packages-dev.wazuh.com/pre-release/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512" +wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg" +wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg" +wazuh_macos_intel_package_url: "https://packages-dev.wazuh.com/staging/pre-release/{{ wazuh_macos_intel_package_name }}" +wazuh_macos_arm_package_url: "https://packages-dev.wazuh.com/pre-release/macos/{{ wazuh_macos_arm_package_name }}" + certs_gen_tool_version: 4.8 # Url of certificates generator tool diff --git a/roles/wazuh/vars/repo_staging.yml b/roles/wazuh/vars/repo_staging.yml index 06343c88..7bd37414 100644 --- a/roles/wazuh/vars/repo_staging.yml +++ b/roles/wazuh/vars/repo_staging.yml 
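Review bot: None of the four new macOS variables provides a checksum, whereas the Windows agent gets `wazuh_winagent_sha512_url` on the line just above; without a macOS equivalent (e.g. `wazuh_macos_intel_sha512_url` / `wazuh_macos_arm_sha512_url`, or a digest per package) the download task has nothing to pass to `get_url`'s `checksum:`. The same gap exists in the pre-release and staging hunks that follow, so one pattern across the three files would be best.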
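Review bot: In `repo_pre-release.yml`, `wazuh_macos_intel_package_url` points at `https://packages-dev.wazuh.com/staging/pre-release/...` while the arm URL on the next line uses `https://packages-dev.wazuh.com/pre-release/macos/...`; the intel path matches neither its arm sibling nor the `pre-release/<component>/` layout of the Windows URL above, so it looks like a leftover from the staging file. The likely intended line is `wazuh_macos_intel_package_url: "https://packages-dev.wazuh.com/pre-release/macos/{{ wazuh_macos_intel_package_name }}"`.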
@@ -6,6 +6,11 @@ wazuh_repo: wazuh_winagent_config_url: "https://packages-dev.wazuh.com/staging/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi" wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi" +wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg" +wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg" +wazuh_macos_intel_package_url: "https://packages-dev.wazuh.com/staging/macos/{{ wazuh_macos_intel_package_name }}" +wazuh_macos_arm_package_url: "https://packages-dev.wazuh.com/staging/macos/{{ wazuh_macos_arm_package_name }}" + certs_gen_tool_version: 4.8 # Url of certificates generator tool From e1568d00ebcf7cab14c2aacd730df577ef6533ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 3 Oct 2023 17:05:22 +0200 Subject: [PATCH 02/14] Initial macOS tasks created --- .../wazuh/ansible-wazuh-agent/tasks/macOS.yml | 18 ++++++++++++++++++ roles/wazuh/ansible-wazuh-agent/tasks/main.yml | 3 +++ 2 files changed, 21 insertions(+) create mode 100644 roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml new file mode 100644 index 00000000..4021bfd7 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml 
@@ -0,0 +1,18 @@ +--- +- name: macOS | Check architecture + command: "/usr/bin/uname -m" + register: uname_result + +- name: macOS | Set architecture variable + set_fact: + macos_architecture: "{{ 'arm' if uname_result.stdout == 'arm64' else 'intel' }}" + +- name: macOS | Set package name and URL based on architecture + set_fact: + wazuh_macos_package_url: "{{ wazuh_macos_intel_package_url if macos_architecture == 'intel' else wazuh_macos_arm_package_url }}" + wazuh_macos_package_name: "{{ wazuh_macos_intel_package_name if macos_architecture == 'intel' else wazuh_macos_arm_package_name }}" + +- name: macOS | Check if Wazuh installer is already downloaded + stat: + path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}" + register: wazuh_package_downloaded \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml index d12446b1..26c27817 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml @@ -23,3 +23,6 @@ - include_tasks: "Linux.yml" when: ansible_system == "Linux" + +- include_tasks: "macOS.yml" + when: ansible_system == "Darwin" \ No newline at end of file From 4ef5c37970f775409faf66fc12e4e31c275e585d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 3 Oct 2023 17:16:38 +0200 Subject: [PATCH 03/14] Agent package is downloaded and deleted --- .../wazuh/ansible-wazuh-agent/defaults/main.yml | 2 +- roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml | 16 +++++++++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 68ac7415..9e9b627f 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml 
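Review bot: The first two tasks shell out to `/usr/bin/uname -m` to derive `macos_architecture`, but Ansible already gathers `ansible_architecture` (reported as `arm64` on Apple silicon), so the `command` task and its register could collapse into `macos_architecture: "{{ 'arm' if ansible_architecture == 'arm64' else 'intel' }}"`. If the command is kept it needs `changed_when: false`, otherwise every run reports a change for a read-only probe. The `stat` path concatenates `download_dir` and the package name with no separator, so it silently depends on the default keeping its trailing slash. The new file is also written without a trailing newline (`\ No newline at end of file`).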
@@ -56,7 +56,7 @@ wazuh_winagent_config: # macOS deployment wazuh_macos_config: - download_dir: / + download_dir: /tmp/ install_dir: /Library/Ossec/ wazuh_dir: "/var/ossec" diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml index 4021bfd7..e3cd51c4 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml @@ -15,4 +15,18 @@ - name: macOS | Check if Wazuh installer is already downloaded stat: path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}" - register: wazuh_package_downloaded \ No newline at end of file + register: wazuh_package_downloaded + +- name: macOS | Download Wazuh Agent package + get_url: + url: "{{ wazuh_macos_package_url }}" + dest: "{{ wazuh_macos_config.download_dir }}" + when: + - not wazuh_package_downloaded.stat.exists + +- name: macOS | Delete downloaded Wazuh agent installer file + file: + path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}" + state: absent + when: + - wazuh_package_downloaded.stat.exists \ No newline at end of file From 490bcfff25d190ec8a3def56c5bfd6e00f3fcf63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 10 Oct 2023 15:05:20 +0200 Subject: [PATCH 04/14] Updated ossec.conf template to support macOS --- .../ansible-wazuh-agent/defaults/main.yml | 18 ++++++ .../ansible-wazuh-agent/handlers/main.yml | 3 + .../var-ossec-etc-ossec-agent.conf.j2 | 55 +++++++++++++++++-- 3 files changed, 70 insertions(+), 6 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 9e9b627f..399e94ce 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml 
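Review bot: `macOS | Download Wazuh Agent package` fetches the `.pkg` with no `checksum:`, and the preceding `stat` skips the download whenever a file of that name already exists in `download_dir`, which this same commit moves to the world-writable `/tmp/`; whatever is sitting there under that name is what later gets installed as root, with nothing tying it to the published package. Dropping the `when:` and giving `get_url` a `checksum: "sha512:<macOS package digest or .sha512 URL — placeholder>"` lets the module both verify a fresh download and re-fetch an existing file whose digest does not match, closing both gaps at once; a root-owned per-run directory would be preferable to a shared `/tmp/`. The `dest:` is a directory, so the saved filename is taken from the URL — fine as long as it equals `wazuh_macos_package_name`, which the later `stat`/`file` tasks assume.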
@@ -40,6 +40,7 @@ authd_pass: '' wazuh_api_reachable_from_agent: yes wazuh_profile_centos: 'centos, centos7, centos7.6' wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04' +wazuh_profile_macos: 'darwin, darwin21, darwin21.1' wazuh_auto_restart: 'yes' wazuh_notify_time: '10' @@ -230,6 +231,11 @@ wazuh_agent_syscheck: checks: '' - dirs: /bin,/sbin,/boot checks: '' + macos_directories: + - dirs: /etc,/usr/bin,/usr/sbin + checks: '' + - dirs: /bin,/sbin + checks: '' win_directories: - dirs: '%WINDIR%' checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"' @@ -332,6 +338,17 @@ wazuh_agent_localfiles: command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d alias: 'netstat listening ports' frequency: '360' + macos: + - format: 'full_command' + command: netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u + alias: 'netstat listening ports' + frequency: '360' + - format: 'macos' + location: 'macos' + query: + type: 'trace,log,activity' + level: 'info' + value: (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd") windows: - format: 'eventlog' location: 'Application' @@ -355,6 +372,7 @@ wazuh_agent_active_response: ar_disabled: 'no' ca_store: "{{ wazuh_dir }}/etc/wpk_root.pem" ca_store_win: 'wpk_root.pem' + ca_store_macos: 'etc/wpk_root.pem' ca_verification: 'yes' ## Logging 
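Review bot: In the `wazuh_agent_localfiles` hunk the macOS entry declares `query.type` and `query.level` beside `query.value`, but the template hunk this same commit adds to `var-ossec-etc-ossec-agent.conf.j2` (`@@ -363`) renders only `{{ localfile.query.value }}`, so the two keys appear to be dead configuration; either render them as attributes of the query element or drop them. The new `full_command` value contains a raw `&&`, which goes into element text unescaped — worth confirming Wazuh's configuration parser accepts it there (strict XML would require `&amp;`). `ca_store_macos: 'etc/wpk_root.pem'` is a relative path where the other two `ca_store*` values are absolute or filename-only; a comment such as `# NOTE: relative path — confirm it is resolved against the macOS install dir` would save the next reader the guess.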
diff --git a/roles/wazuh/ansible-wazuh-agent/handlers/main.yml b/roles/wazuh/ansible-wazuh-agent/handlers/main.yml index 84f3ff45..f4770eb3 100644 --- a/roles/wazuh/ansible-wazuh-agent/handlers/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/handlers/main.yml @@ -4,3 +4,6 @@ - name: Windows | Restart Wazuh Agent win_service: name=WazuhSvc start_mode=auto state=restarted + +- name: macOS | Restart Wazuh Agent + command: /Library/Ossec/bin/wazuh-control restart \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index 8eef3d1d..dd40b21e 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -30,6 +30,9 @@ {{ wazuh_profile_ubuntu }} {% endif %} {% endif %} + {% if ansible_system == "Darwin" %} + {{ wazuh_profile_macos }} + {% endif %} {% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %} {{ wazuh_notify_time }} {{ wazuh_time_reconnect }} @@ -91,7 +94,7 @@ {% if wazuh_agent_config.rootcheck is defined %} no - {% if ansible_system == "Linux" %} + {% if ansible_system == "Linux" or ansible_system == "Darwin" %} yes yes yes @@ -103,10 +106,14 @@ {{ wazuh_agent_config.rootcheck.frequency }} + {% if ansible_system == "Darwin" %} + etc/shared/rootkit_files.txt + etc/shared/rootkit_trojans.txt + {% else %} {{ wazuh_dir }}/etc/shared/rootkit_files.txt {{ wazuh_dir }}/etc/shared/rootkit_trojans.txt - yes {% endif %} + yes {% if ansible_os_family == "Windows" %} ./shared/win_applications_rcl.txt ./shared/win_malware_rcl.txt @@ -179,6 +186,7 @@ {% endif %} + {% if ansible_system != "Darwin" %} {{ wazuh_agent_config.cis_cat.disable }} {{ wazuh_agent_config.cis_cat.timeout }} 
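Review bot: The new `macOS | Restart Wazuh Agent` handler hard-codes `/Library/Ossec/bin/wazuh-control restart` although this series introduces `wazuh_macos_config.install_dir` for exactly that location; `command: "{{ wazuh_macos_config.install_dir }}/bin/wazuh-control restart"` keeps the two in step (mind the trailing slash the default currently carries). The file also loses its trailing newline.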
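Review bot: In the `@@ -103` template hunk the added `{% if ansible_system == "Darwin" %} … {% else %}` brings no `{% endif %}` of its own; it is closed by the pre-existing `{% endif %}` after the `rootkit_trojans.txt` line, whose matching `{% if %}` lies outside this hunk, so that outer block now appears to stay open past the moved `yes` and the Windows `rcl` lists below it. The `@@ -249` syscheck hunk further down does the opposite — it adds a `{% endif %}` with no new `{% if %}` — so the template may still parse while the OS conditional spans far more than intended; rendering once for a Windows host and once for a Linux host would confirm. The likely fix is to add `{% endif %}` directly after `{{ wazuh_dir }}/etc/shared/rootkit_trojans.txt` in this hunk and drop the surplus `{% endif %}` in the syscheck hunk.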
@@ -193,6 +201,7 @@ {% endif %} {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %} + {% endif %} @@ -249,13 +258,18 @@ no {{ wazuh_agent_config.syscheck.frequency }} - {% if ansible_system == "Linux" %} + {% if ansible_system == "Linux" or ansible_system == "Darwin" %} {{ wazuh_agent_config.syscheck.scan_on_start }} {% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %} {% for directory in wazuh_agent_config.syscheck.directories %} {{ directory.dirs }} {% endfor %} + {% elif ansible_system == "Darwin" %} + {% for directory in wazuh_agent_config.syscheck.macos_directories %} + {{ directory.dirs }} + {% endfor %} + {% endif %} {% endif %} {% endif %} @@ -267,7 +281,7 @@ {% endif %} - {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %} + {% if wazuh_agent_config.syscheck.ignore is defined and (ansible_system == "Linux" or ansible_system == "Darwin") %} {% for ignore in wazuh_agent_config.syscheck.ignore %} {{ ignore }} {% endfor %} @@ -286,7 +300,7 @@ {% endfor %} {% endif %} - {% if ansible_system == "Linux" %} + {% if ansible_system == "Linux" or ansible_system == "Darwin" %} {% for no_diff in wazuh_agent_config.syscheck.no_diff %} {{ no_diff }} @@ -363,6 +377,27 @@ {% endfor %} {% endif %} + {% if ansible_system == "Darwin" %} + {% for localfile in wazuh_agent_config.localfiles.macos %} + + + {{ localfile.format }} + {% if localfile.format == 'command' or localfile.format == 'full_command' %} + {{ localfile.command }} + {{ localfile.frequency }} + {% if localfile.alias is defined %} + {{ localfile.alias }} + {% endif %} + {% else %} + {{ localfile.location }} + {% if localfile.format == 'macos' %} + {{ localfile.query.value }} + {% endif %} + {% endif %} + + {% endfor %} + {% endif %} + {% if ansible_os_family == "Debian" %} {% for localfile in wazuh_agent_config.localfiles.debian %} 
@@ -439,7 +474,15 @@ {{ wazuh_agent_config.active_response.ar_disabled|default('no') }} - {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %} + + {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }} + {% else %} + {% if ansible_system == "Darwin" %}{{ wazuh_agent_config.active_response.ca_store_macos }} + {% else %} + {{ wazuh_agent_config.active_response.ca_store }} + {% endif %} + {% endif %} + {{ wazuh_agent_config.active_response.ca_verification }} From eabc38dc84854f74f019a673c9dce07d9207a6b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 10 Oct 2023 15:08:04 +0200 Subject: [PATCH 05/14] Added authd enrollment alternative to macOS.yml --- .../wazuh/ansible-wazuh-agent/tasks/macOS.yml | 115 +++++++++++++++++- 1 file changed, 110 insertions(+), 5 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml index e3cd51c4..469dd2e6 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml 
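Review bot: The `ca_store` selection, previously a single line, is now spread over seven with a second `{% if %}` nested inside the `{% else %}`; because the enclosing element was on that one line, the new line breaks and indentation land inside the element's text unless the agent's parser trims it. Keeping it on one line and using `{% elif ansible_system == "Darwin" %}{{ wazuh_agent_config.active_response.ca_store_macos }}` in place of the nested block reads better and avoids the question.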
@@ -21,12 +21,117 @@ get_url: url: "{{ wazuh_macos_package_url }}" dest: "{{ wazuh_macos_config.download_dir }}" + register: download_result when: - not wazuh_package_downloaded.stat.exists + +- name: macOS | Check if Wazuh Agent is already installed + stat: + path: "{{ wazuh_macos_config.install_dir }}" + register: wazuh_installed + +- name: macOS | Install Agent if not already installed + command: "installer -pkg {{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }} -target /" + register: install_result + +- name: macOS | Check if client.keys exists + stat: + path: "{{ wazuh_macos_config.install_dir }}/etc/client.keys" + register: client_keys_file + tags: + - config + +- name: macOS | Agent registration via authd + block: + + - name: Copy CA root certificate to verify authd + copy: + src: "{{ wazuh_agent_authd.ssl_agent_ca }}" + dest: "{{ wazuh_macos_config.install_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" + mode: 0644 + when: + - wazuh_agent_authd.ssl_agent_ca is not none + + - name: Copy TLS/SSL certificate for agent verification + copy: + src: "{{ item }}" + dest: "{{ wazuh_macos_config.install_dir }}/etc/{{ item | basename }}" + mode: 0644 + with_items: + - "{{ wazuh_agent_authd.ssl_agent_cert }}" + - "{{ wazuh_agent_authd.ssl_agent_key }}" + when: + - wazuh_agent_authd.ssl_agent_cert is not none + - wazuh_agent_authd.ssl_agent_key is not none + - name: macOS | Register agent (via authd) + shell: > + {{ wazuh_macos_config.install_dir }}/bin/agent-auth + {% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %} + -A {{ wazuh_agent_authd.agent_name }} + {% endif %} + -m {{ wazuh_agent_authd.registration_address }} + -p {{ wazuh_agent_authd.port }} + {% if wazuh_agent_nat %} -I "any" {% endif %} + {% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %} + {% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %} + -v "{{ wazuh_macos_config.install_dir 
}}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" + {% endif %} + {% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %} + -x "{{ wazuh_macos_config.install_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}" + {% endif %} + {% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None %} + -k "{{ wazuh_macos_config.install_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}" + {% endif %} + {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %} + {% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %} + -G "{{ wazuh_agent_authd.groups | join(',') }}" + {% endif %} + register: agent_auth_output + notify: macOS | Restart Wazuh Agent + vars: + agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}" + when: + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 + - wazuh_agent_authd.registration_address is not none + + - name: macOS | Verify agent registration + shell: > + sh -c "echo '{{ agent_auth_output.stdout }} {{ agent_auth_output.stderr }}' | grep 'Valid key received'" + when: + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 + - wazuh_agent_authd.registration_address is not none + when: + - wazuh_agent_authd.enable | bool + - wazuh_agent_config.enrollment.enabled != 'yes' + tags: + - config + - authd + +- name: macOS | Installing agent configuration (ossec.conf) + template: + src: var-ossec-etc-ossec-agent.conf.j2 + dest: "{{ wazuh_macos_config.install_dir }}/etc/ossec.conf" + owner: root + group: wazuh + mode: 0644 + notify: macOS | Restart Wazuh Agent + tags: + - init + - config + +- name: macOS | Installing local_internal_options.conf + template: + src: var-ossec-etc-local-internal-options.conf.j2 + dest: "{{ wazuh_macos_config.install_dir }}/etc/local_internal_options.conf" + owner: root + group: wazuh + mode: 0640 
+ notify: macOS | Restart Wazuh Agent + tags: + - init + - config - name: macOS | Delete downloaded Wazuh agent installer file - file: - path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}" - state: absent - when: - - wazuh_package_downloaded.stat.exists \ No newline at end of file + file: + path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}" + state: absent \ No newline at end of file From 58ed9c241a93d88170671ac0e1d3a8dff81ac4fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 10 Oct 2023 17:59:05 +0200 Subject: [PATCH 06/14] Updated API enrollment variables --- playbooks/wazuh-agent.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/wazuh-agent.yml b/playbooks/wazuh-agent.yml index 22fcfa77..16ff48ae 100644 --- a/playbooks/wazuh-agent.yml +++ b/playbooks/wazuh-agent.yml @@ -10,7 +10,7 @@ port: 1514 protocol: tcp api_port: 55000 - api_proto: 'http' - api_user: ansible + api_proto: 'https' + api_user: wazuh max_retries: 5 retry_interval: 5 \ No newline at end of file From 61c40a1fec098899e7d097b20944352358a37b36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 10 Oct 2023 18:15:07 +0200 Subject: [PATCH 07/14] Added API enrollment alternative to macOS.yml --- .../wazuh/ansible-wazuh-agent/tasks/macOS.yml | 101 +++++++++++++++++- 1 file changed, 100 insertions(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml index 469dd2e6..49fe677d 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml 
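Review bot: `macOS | Install Agent if not already installed` runs `installer -pkg … -target /` unconditionally — the `wazuh_installed` stat registered immediately above it is never consulted, so the guard the task name promises is missing; add `when: not wazuh_installed.stat.exists`. `macOS | Register agent (via authd)` puts `authd_pass` on the command line (`-P {{ authd_pass }}`) with no `no_log`, so the password lands in play output, verbose logs and the `agent_auth_output` register; add `no_log: "{{ wazuh_agent_nolog_sensible | bool }}"` as the rest-API tasks later in this series do, and the verification task that echoes `agent_auth_output.stdout`/`stderr` through `sh -c` should either inherit it or test with `'Valid key received' in agent_auth_output.stdout` instead of passing the output through a shell. The `agent_name` defined under `vars:` is unused, since the command reads `wazuh_agent_authd.agent_name` directly. `mode: 0644` and `mode: 0640` are unquoted octals; Ansible recommends `mode: "0644"` so the value is not reinterpreted.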
@@ -107,6 +107,105 @@ - config - authd +- name: macOS | Agent registration via rest-API + block: + + - name: macOS | Establish target Wazuh Manager for registration task + set_fact: + target_manager: '{{ manager_primary | length | ternary(manager_primary, manager_fallback) | first }}' + vars: + manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}" + manager_fallback: "{{ wazuh_managers | list }}" + + - name: macOS | Obtain JWT Token + uri: + url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate' + method: POST + url_username: '{{ target_manager.api_user }}' + url_password: '{{ api_pass }}' + status_code: 200 + return_content: yes + force_basic_auth: yes + validate_certs: '{{ target_manager.validate_certs | default(false) }}' + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' + changed_when: api_jwt_result.json.error == 0 + register: api_jwt_result + become: no + tags: + - config + - api + + - name: macOS | Create the agent key via rest-API + uri: + url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents' + method: POST + body_format: json + body: + name: '{{ agent_name }}' + headers: + Authorization: 'Bearer {{ jwt_token }}' + status_code: 200 + return_content: yes + validate_certs: '{{ target_manager.validate_certs | default(false) }}' + become: no + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' + changed_when: api_agent_post.json.error == 0 + register: api_agent_post + vars: + agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}' + jwt_token: '{{ api_jwt_result.json.data.token }}' + tags: + - config + - api + + - name: macOS | Validate registered agent key matches manager record + uri: + url: '{{ 
target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key' + method: GET + headers: + Authorization: 'Bearer {{ jwt_token }}' + status_code: 200 + return_content: yes + validate_certs: '{{ target_manager.validate_certs | default(false) }}' + become: no + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' + register: api_agent_validation + vars: + agent_id: '{{ api_agent_post.json.data.id }}' + agent_key: '{{ api_agent_post.json.data.key }}' + jwt_token: '{{ api_jwt_result.json.data.token }}' + failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key + when: + - wazuh_agent_api_validate | bool + - api_agent_post.json.error == 0 + tags: + - config + - api + + - name: macOS | Import Key (via rest-API) + command: "{{ wazuh_macos_config.install_dir }}/bin/manage_agents" + environment: + OSSEC_ACTION: i + OSSEC_AGENT_NAME: '{{ agent_name }}' + OSSEC_AGENT_IP: '{{ wazuh_agent_address }}' + OSSEC_AGENT_ID: '{{ api_agent_post.json.data.id }}' + OSSEC_AGENT_KEY: '{{ api_agent_post.json.data.key }}' + OSSEC_ACTION_CONFIRMED: y + register: manage_agents_output + vars: + agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}' + notify: macOS | Restart Wazuh Agent + when: + - not ( wazuh_agent_authd.enable | bool ) + - wazuh_agent_config.enrollment.enabled != 'yes' + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 + tags: + - config + - api + - name: macOS | Installing agent configuration (ossec.conf) template: src: var-ossec-etc-ossec-agent.conf.j2 @@ -132,6 +231,6 @@ - config - name: macOS | Delete downloaded Wazuh agent installer file - file: + file: path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}" state: absent \ No newline at end of file From 07d4228fa496cd34eba400d12545c8a636e0540d Mon Sep 17 00:00:00 2001 
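Review bot: Every `uri` call in the rest-API block defaults `validate_certs` to `false` (`target_manager.validate_certs | default(false)`) while sending `api_user`/`api_pass` with `force_basic_auth` and then trusting the agent key the manager returns; an unset inventory value should fail closed, i.e. `default(true)`, with `false` reserved for an explicit opt-in. `macOS | Import Key (via rest-API)` passes the key in `OSSEC_AGENT_KEY` and registers the result but, unlike its siblings, has no `no_log`; add `no_log: '{{ wazuh_agent_nolog_sensible | bool }}'`. The validation task's `failed_when` indexes `affected_items[0]` directly, so an empty list would surface as a templating error rather than a clear failure message.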
From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 10 Oct 2023 19:06:42 +0200 Subject: [PATCH 08/14] Added auto enrollment alternative to macOS.yml --- .../wazuh/ansible-wazuh-agent/tasks/macOS.yml | 24 +++++++++++++++++++ .../var-ossec-etc-ossec-agent.conf.j2 | 4 +++- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml index 49fe677d..3988d126 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml @@ -206,6 +206,16 @@ - config - api +- name: macOS | Agent registration via auto-enrollment + debug: + msg: Agent registration will be performed through enrollment option in templated ossec.conf + when: wazuh_agent_config.enrollment.enabled == 'yes' + +- name: macOS | Ensure group "wazuh" exists + ansible.builtin.group: + name: wazuh + state: present + - name: macOS | Installing agent configuration (ossec.conf) template: src: var-ossec-etc-ossec-agent.conf.j2 @@ -230,6 +240,20 @@ - init - config +- name: Create auto-enrollment password file + template: + src: authd_pass.j2 + dest: "{{ wazuh_macos_config.install_dir }}/etc/authd.pass" + owner: wazuh + group: wazuh + mode: 0640 + when: + - wazuh_agent_config.enrollment.enabled == 'yes' + - wazuh_agent_config.enrollment.authorization_pass_path_macos | length > 0 + - authd_pass | length > 0 + tags: + - config + - name: macOS | Delete downloaded Wazuh agent installer file file: path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}" diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index dd40b21e..1ae07862 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 
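Review bot: `Create auto-enrollment password file` writes to a hard-coded `{{ wazuh_macos_config.install_dir }}/etc/authd.pass`, but its `when:` gates on `wazuh_agent_config.enrollment.authorization_pass_path_macos`, which is the path the templated `ossec.conf` (this commit's `@@ -67` template hunk) tells the agent to read; if that variable is set to anything other than its default, the file is written in one place and read from another. Using the variable for `dest:` (or deriving both from one value) keeps them in step. `mode: 0640` is an unquoted octal; prefer `mode: "0640"`.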
@@ -67,8 +67,10 @@ {% if wazuh_agent_config.enrollment.agent_key_path | length > 0 %} {{ wazuh_agent_config.enrollment.agent_key_path }} {% endif %} - {% if wazuh_agent_config.enrollment.authorization_pass_path | length > 0 %} + {% if wazuh_agent_config.enrollment.authorization_pass_path | length > 0 and ansible_system != "Darwin" %} {{ wazuh_agent_config.enrollment.authorization_pass_path }} + {% else %} + {{ wazuh_agent_config.enrollment.authorization_pass_path_macos }} {% endif %} {% if wazuh_agent_config.enrollment.auto_method | length > 0 %} {{ wazuh_agent_config.enrollment.auto_method }} From 640a8b87b6f167f7d747e277c2d0efd06d2d286b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Fri, 13 Oct 2023 10:25:38 +0200 Subject: [PATCH 09/14] Bump revision to 40701 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index c9470816..0c9bd04f 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ WAZUH-ANSIBLE_VERSION="v4.7.0" -REVISION="40700" +REVISION="40701" From 1432f9273f94b4158b0acdc4687117328d16a1b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Mon, 16 Oct 2023 15:13:41 +0200 Subject: [PATCH 10/14] Added password path in macOS --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 399e94ce..93a0dc32 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -106,6 +106,7 @@ wazuh_agent_enrollment: agent_certificate_path: '' agent_key_path: '' authorization_pass_path: "{{ wazuh_dir }}/etc/authd.pass" + authorization_pass_path_macos: "/etc/authd.pass" auto_method: 'no' delay_after_enrollment: 20 use_source_ip: 'no' From e28067bdaf2b6090f7546ffcdb23c640eaa3398c Mon Sep 17 00:00:00 2001 
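Review bot: The new `{% else %}` branch fires whenever the first condition is false, so a Linux or Windows agent with an empty `authorization_pass_path` — which previously rendered nothing — now receives `authorization_pass_path_macos`. Make the Darwin case explicit: `{% elif ansible_system == "Darwin" and wazuh_agent_config.enrollment.authorization_pass_path_macos | length > 0 %}`, leaving the original empty-path behaviour for the other systems.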
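Review bot: `authorization_pass_path_macos: "/etc/authd.pass"` reads as an absolute path into the system `/etc`, but the task added earlier in this series writes the file to `{{ wazuh_macos_config.install_dir }}/etc/authd.pass`; unless the agent resolves this value relative to its install dir, which the commit does not state, the two disagree. Either spell out the full `/Library/Ossec/etc/authd.pass` or add `# resolved by the agent relative to the macOS install dir — TODO confirm` above the key so the convention is recorded.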
From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 17 Oct 2023 10:10:55 +0200 Subject: [PATCH 11/14] Bump version to 4.5.4 --- CHANGELOG.md | 6 ++++++ README.md | 1 + VERSION | 4 ++-- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 4 ++-- roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 4 ++-- roles/wazuh/check-packages/defaults/main.yml | 2 +- roles/wazuh/wazuh-dashboard/defaults/main.yml | 4 ++-- roles/wazuh/wazuh-dashboard/vars/debian.yml | 2 +- roles/wazuh/wazuh-indexer/defaults/main.yml | 2 +- 9 files changed, 18 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 92cee4ab..17c09859 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,12 @@ # Change Log All notable changes to this project will be documented in this file. +## [v4.5.4] + +### Added + +- Update to [Wazuh v4.5.4](https://github.com/wazuh/wazuh/blob/v4.5.4/CHANGELOG.md#v454) + ## [v4.5.3] ### Added diff --git a/README.md b/README.md index 3c83481b..e01715c3 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ These playbooks install and configure Wazuh agent, manager and indexer and dashb | Wazuh version | Elastic | ODFE | |---------------|---------|--------| +| v4.5.4 | | | | v4.5.3 | | | | v4.5.2 | | | | v4.5.1 | | | diff --git a/VERSION b/VERSION index 82b3eba7..e20fd3d2 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-ANSIBLE_VERSION="v4.5.3" -REVISION="40508" +WAZUH-ANSIBLE_VERSION="v4.5.4" +REVISION="40509" diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 5b4582be..6c15d9f7 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,6 +1,6 @@ --- -wazuh_agent_version: 4.5.3 +wazuh_agent_version: 4.5.4 # Custom packages installation 
@@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: ""
 wazuh_agent_sources_installation:
 enabled: false
- branch: "v4.5.3"
+ branch: "v4.5.4"
 user_language: "y"
 user_no_stop: "y"
 user_install_type: "agent"
diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index 21913bb0..5facb1b6 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
-wazuh_manager_version: 4.5.3
+wazuh_manager_version: 4.5.4
 wazuh_manager_fqdn: "wazuh-server"
 wazuh_manager_package_state: present
@@ -13,7 +13,7 @@ wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazon
 # Sources installation
 wazuh_manager_sources_installation:
 enabled: false
- branch: "v4.5.3"
+ branch: "v4.5.4"
 user_language: "en"
 user_no_stop: "y"
 user_install_type: "server"
diff --git a/roles/wazuh/check-packages/defaults/main.yml b/roles/wazuh/check-packages/defaults/main.yml
index d8cf1dba..c00a819a 100644
--- a/roles/wazuh/check-packages/defaults/main.yml
+++ b/roles/wazuh/check-packages/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-wazuh_version: 4.5.3
+wazuh_version: 4.5.4
diff --git a/roles/wazuh/wazuh-dashboard/defaults/main.yml b/roles/wazuh/wazuh-dashboard/defaults/main.yml
index 6e2b925c..9b88f078 100644
--- a/roles/wazuh/wazuh-dashboard/defaults/main.yml
+++ b/roles/wazuh/wazuh-dashboard/defaults/main.yml
@@ -8,12 +8,12 @@ dashboard_node_name: node-1
 dashboard_server_host: "0.0.0.0"
 dashboard_server_port: "443"
 dashboard_server_name: "dashboard"
-wazuh_version: 4.5.3
+wazuh_version: 4.5.4
 indexer_cluster_nodes:
 - 127.0.0.1
 # The Wazuh dashboard package repository
-dashboard_version: "4.5.3"
+dashboard_version: "4.5.4"
 # API credentials
 wazuh_api_credentials:
diff --git a/roles/wazuh/wazuh-dashboard/vars/debian.yml b/roles/wazuh/wazuh-dashboard/vars/debian.yml
index c9a3f56d..2c2650cb 100644
--- a/roles/wazuh/wazuh-dashboard/vars/debian.yml
+++ b/roles/wazuh/wazuh-dashboard/vars/debian.yml
@@ -1,2 +1,2 @@
 ---
-dashboard_version: 4.5.3
+dashboard_version: 4.5.4
diff --git a/roles/wazuh/wazuh-indexer/defaults/main.yml b/roles/wazuh/wazuh-indexer/defaults/main.yml
index 61970cb7..a4602481 100644
--- a/roles/wazuh/wazuh-indexer/defaults/main.yml
+++ b/roles/wazuh/wazuh-indexer/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 # Cluster Settings
-indexer_version: 4.5.3
+indexer_version: 4.5.4
 single_node: false
 indexer_node_name: node-1
From b2d2f5cd29063d56672858077b2fe1b4d28191f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?=
Date: Tue, 17 Oct 2023 16:11:55 +0200
Subject: [PATCH 12/14] Removed agent verification in macOS deployment
---
 .../wazuh/ansible-wazuh-agent/tasks/macOS.yml | 29 -------------------
 1 file changed, 29 deletions(-)
diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml
index 3988d126..9c1f6ce7 100644
--- a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml
@@ -43,26 +43,6 @@
 - name: macOS | Agent registration via authd
 block:
-
- - name: Copy CA root certificate to verify authd
- copy:
- src: "{{ wazuh_agent_authd.ssl_agent_ca }}"
- dest: "{{ wazuh_macos_config.install_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
- mode: 0644
- when:
- - wazuh_agent_authd.ssl_agent_ca is not none
- - name: Copy TLS/SSL certificate for agent verification
- copy:
- src: "{{ item }}"
- dest: "{{ wazuh_macos_config.install_dir }}/etc/{{ item | basename }}"
- mode: 0644
- with_items:
- - "{{ wazuh_agent_authd.ssl_agent_cert }}"
- - "{{ wazuh_agent_authd.ssl_agent_key }}"
- when:
- - wazuh_agent_authd.ssl_agent_cert is not none
- - wazuh_agent_authd.ssl_agent_key is not none
 - name: macOS | Register agent (via authd)
 shell: >
 {{ wazuh_macos_config.install_dir }}/bin/agent-auth
@@ -73,15 +53,6 @@
 -p {{ wazuh_agent_authd.port }}
 {% if wazuh_agent_nat %} -I "any" {% endif %}
 {% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %}
- {% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %}
- -v "{{ wazuh_macos_config.install_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
- {% endif %}
- {% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %}
- -x "{{ wazuh_macos_config.install_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}"
- {% endif %}
- {% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None %}
- -k "{{ wazuh_macos_config.install_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}"
- {% endif %}
 {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %}
 {% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %}
 -G "{{ wazuh_agent_authd.groups | join(',') }}"
From 3b9e567acc012a8873bb6cdfc6d233e053fa45b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?=
Date: Thu, 19 Oct 2023 11:46:24 +0200
Subject: [PATCH 13/14] Bump revision to 40510
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index e20fd3d2..6cf27978 100644
--- a/VERSION
+++ b/VERSION
@@ -1,2 +1,2 @@
 WAZUH-ANSIBLE_VERSION="v4.5.4"
-REVISION="40509"
+REVISION="40510"
From 9bffdbe93c817154b9a393f9ac47a2149acdcc0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?=
Date: Mon, 23 Oct 2023 09:52:38 +0200
Subject: [PATCH 14/14] Added v4.5.4 to CHANGELOG.md
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b8980092..ec96d523 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,12 @@ All notable changes to this project will be documented in this file.
 - Update to [Wazuh v4.6.0](https://github.com/wazuh/wazuh/blob/v4.6.0/CHANGELOG.md#v460)
+## [v4.5.4]
+
+### Added
+
+- Update to [Wazuh v4.5.4](https://github.com/wazuh/wazuh/blob/v4.5.4/CHANGELOG.md#v454)
+
 ## [v4.5.3]
 ### Added