From a263a27e0c42f2c29724abaea597114b40024bbe Mon Sep 17 00:00:00 2001
From: Miguelangel Freitas
Date: Fri, 18 Aug 2017 15:58:57 -0400
Subject: [PATCH] Updating the manager role with Wazuh 2.1
* ossec-authd now could be configured from ossec.conf.
* Switching from generating the SSL certs and using a CA.
* Adding authd password template (intended to be used with vault).
---
ansible-wazuh-manager/README.md | 68 ++++++++----
ansible-wazuh-manager/defaults/main.yml | 3 +-
ansible-wazuh-manager/tasks/main.yml | 81 +++++++++-----
ansible-wazuh-manager/templates/authd_pass.j2 | 1 +
.../templates/ossec-authd-init.service | 104 ------------------
.../templates/ossec-authd.service | 8 --
.../var-ossec-etc-ossec-server.conf.j2 | 18 +++
ansible-wazuh-manager/vars/authd_pass.yml | 2 +
8 files changed, 119 insertions(+), 166 deletions(-)
create mode 100644 ansible-wazuh-manager/templates/authd_pass.j2
delete mode 100644 ansible-wazuh-manager/templates/ossec-authd-init.service
delete mode 100644 ansible-wazuh-manager/templates/ossec-authd.service
create mode 100644 ansible-wazuh-manager/vars/authd_pass.yml
diff --git a/ansible-wazuh-manager/README.md b/ansible-wazuh-manager/README.md
index 250933e2..125287b6 100644
--- a/ansible-wazuh-manager/README.md
+++ b/ansible-wazuh-manager/README.md
@@ -38,7 +38,8 @@ This file has the agenless credentials. arguments: '/bin /etc/ /sbin' passwd: qwerty ``` -### vars/wazuh_api_creds + +### vars/wazuh_api_creds.yml This file has user and password created in httpasswd format. ``` ---
@@ -46,6 +47,13 @@ wazuh_api_user: - "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/" ``` +### vars/authd_pass.yml +This file has the password to be used for the authd daemon. +``` +--- +authd_pass: foobar +``` + Default config -------------- 
@@ -55,36 +63,48 @@ Default config wazuh_manager_fqdn: "wazuh-server" wazuh_manager_config: + json_output: 'yes' + alerts_log: 'yes' + logall: 'no' + authd: + enable: false email_notification: no mail_to: - admin@example.net mail_smtp_server: localhost mail_from: wazuh-server@example.com - frequency_check: 43200 - syscheck_scan_on_start: 'yes' + syscheck: + frequency: 43200 + scan_on_start: 'yes' + ignore: + - /etc/mtab + - /etc/mnttab + - /etc/hosts.deny + - /etc/mail/statistics + - /etc/random-seed + - /etc/random.seed + - /etc/adjtime + - /etc/httpd/logs + - /etc/utmpx + - /etc/wtmpx + - /etc/cups/certs + - /etc/dumpdates + - /etc/svc/volatile + no_diff: + - /etc/ssl/private.key + directories: + - dirs: /etc,/usr/bin,/usr/sbin + checks: 'check_all="yes"' + - dirs: /bin,/sbin + checks: 'check_all="yes"' + rootcheck: + frequency: 43200 + openscap: + timeout: 1800 + interval: '1d' + scan_on_start: 'yes' log_level: 1 email_level: 12 - ignore_files: - - /etc/mtab - - /etc/mnttab - - /etc/hosts.deny - - /etc/mail/statistics - - /etc/random-seed - - /etc/random.seed - - /etc/adjtime - - /etc/httpd/logs - - /etc/utmpx - - /etc/wtmpx - - /etc/cups/certs - - /etc/dumpdates - - /etc/svc/volatile - no_diff: - - /etc/ssl/private.key - directories: - - check_all: 'yes' - dirs: /etc,/usr/bin,/usr/sbin - - check_all: 'yes' - dirs: /bin,/sbin localfiles: - format: 'syslog' location: '/var/log/messages'
diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml
index c5d2e9dc..5faf962a 100644
--- a/ansible-wazuh-manager/defaults/main.yml
+++ b/ansible-wazuh-manager/defaults/main.yml
@@ -5,7 +5,8 @@ wazuh_manager_config: json_output: 'yes' alerts_log: 'yes' logall: 'no' - enable_authd: false + authd: + enable: false email_notification: no mail_to: - admin@example.net
diff --git a/ansible-wazuh-manager/tasks/main.yml b/ansible-wazuh-manager/tasks/main.yml
index bff50411..b6a094d8 100644
--- a/ansible-wazuh-manager/tasks/main.yml 
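Review bot: The new `authd:` mapping in defaults/main.yml declares only `enable`, but tasks/main.yml in this same commit also reads `authd.ssl_agent_ca`, `authd.ssl_manager_cert`, `authd.ssl_manager_key` and `authd.use_password`, so a user of the role has nowhere to discover those keys except the task file. I would list them under `authd:` as commented-out entries, e.g. `# use_password: false` and `# ssl_agent_ca: <path-on-controller>  # with ssl_manager_cert/ssl_manager_key: copied instead of generating a self-signed cert`, so the defaults file documents the full contract of the mapping.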
+++ b/ansible-wazuh-manager/tasks/main.yml
@@ -14,13 +14,27 @@ tags: - init -- name: Generate SSL files +- name: Generate SSL files for authd command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{wazuh_manager_fqdn}}/" args: creates: sslmanager.cert chdir: /var/ossec/etc/ tags: - config + when: wazuh_manager_config.authd.ssl_agent_ca is not defined + +- name: Copy CA, SSL key and cert for authd + copy: + src: "{{ item }}" + dest: "/var/ossec/etc/{{ item | basename }}" + mode: 0644 + with_items: + - "{{ wazuh_manager_config.authd.ssl_agent_ca }}" + - "{{ wazuh_manager_config.authd.ssl_manager_cert }}" + - "{{ wazuh_manager_config.authd.ssl_manager_key }}" + tags: + - config + when: wazuh_manager_config.authd.ssl_agent_ca is defined - name: Installing the local_rules.xml (default local_rules.xml) template: src=var-ossec-rules-local_rules.xml.j2 
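Review bot: The `Copy CA, SSL key and cert for authd` task installs the private key (`ssl_manager_key`) with `mode: 0644`, which leaves it world-readable on the manager, while the `authd.pass` task added later in this same file uses owner/group ossec with 0640; the key needs the same restrictive treatment, which means a per-item mode rather than one mode for all three files. The `when:` guard only checks `ssl_agent_ca is defined`, so a vars file that sets the CA but omits the cert or key path fails with an undefined-variable error instead of skipping or explaining, and unlike the password task this one has no `notify: restart wazuh-manager`, so a replaced certificate is not picked up until something else restarts the manager. A version with per-item modes, all three keys guarded and the notify is below; whether ossec-authd runs as ossec or root is not visible here, so confirm the ownership against the daemon's user. Unrelated to this change, the unchanged openssl context line uses `-newkey rsa:1825`, which looks like a typo for a standard size such as 2048.
```yaml
- name: Copy CA, SSL key and cert for authd
  copy:
    src: "{{ item.src }}"
    dest: "/var/ossec/etc/{{ item.src | basename }}"
    owner: ossec
    group: ossec
    mode: "{{ item.mode }}"
  with_items:
    - { src: "{{ wazuh_manager_config.authd.ssl_agent_ca }}", mode: "0644" }
    - { src: "{{ wazuh_manager_config.authd.ssl_manager_cert }}", mode: "0644" }
    - { src: "{{ wazuh_manager_config.authd.ssl_manager_key }}", mode: "0640" }
  notify: restart wazuh-manager
  tags:
    - config
  when:
    - wazuh_manager_config.authd.ssl_agent_ca is defined
    - wazuh_manager_config.authd.ssl_manager_cert is defined
    - wazuh_manager_config.authd.ssl_manager_key is defined
```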
@@ -79,15 +93,41 @@ command: /var/ossec/bin/ossec-control enable agentless when: agentless_running.stdout == '0' and agentless_creeds is defined -- name: Start client-syslog +- name: Start ossec-agentlessd command: /var/ossec/bin/ossec-control start agentless when: agentless_running.stdout == '0' and agentless_creeds is defined +- name: Check if ossec-authd is enabled + shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-authd is running' | xargs echo" + register: authd_running + changed_when: False + +- name: Enable ossec-authd + command: /var/ossec/bin/ossec-control enable auth + when: + - authd_running.stdout == '0' + - wazuh_manager_config.authd.enable == true + +- name: Start ossec-authd + command: /var/ossec/bin/ossec-control start auth + when: + - authd_running.stdout == '0' + - wazuh_manager_config.authd.enable == true + +- name: Retrieving authd Credentials + include_vars: authd_pass.yml + tags: + - config + - name: Retrieving Agentless Credentials include_vars: agentless_creeds.yml + tags: + - config - name: Retrieving Wazuh-api User Credentials include_vars: wazuh_api_creds.yml + tags: + - config - name: Checking alert log output settings fail: msg="Please enable json_output or alerts_log options." 
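Review bot: `Retrieving authd Credentials` loads `authd_pass.yml` through `include_vars` without `no_log`; include_vars returns the loaded variables in its task result, so the authd password is printed in verbose runs and stored by any callback that records results, even when the vars file itself is vault-encrypted. Add `no_log: true` to that task. The `Check if ossec-authd is enabled` task actually greps for `ossec-authd is running`, so its name is misleading and an authd that is enabled but stopped re-runs `enable auth` and reports changed on every play; `Check if ossec-authd is running` would match what it does. There is also no counterpart for `authd.enable == false`: an authd enabled by an earlier run is never disabled, which may be intended but deserves a comment on the `Enable ossec-authd` task.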
@@ -109,35 +149,18 @@ - init - config -- name: Write ossec-authd init file - template: src=ossec-authd-init.service - dest=/etc/init.d/ossec-authd - owner=root - group=root - mode=0755 - when: - - ansible_service_mgr == "upstart" - - ansible_os_family != "CoreOS" - - wazuh_manager_config.enable_authd == true - tags: - - init - - config - -- name: Write ossec-authd systemd file +- name: Ossec-authd password template: - src: ossec-authd.service - dest: /lib/systemd/system/ossec-authd.service + src: authd_pass.j2 + dest: "/var/ossec/etc/authd.pass" + owner: ossec + group: ossec + mode: 0640 + no_log: true + notify: restart wazuh-manager when: - - ansible_service_mgr == "systemd" - - ansible_os_family != "CoreOS" - - wazuh_manager_config.enable_authd == true - tags: - - init - - config - -- name: Ensure ossec-authd service is started and enabled - service: name=ossec-authd enabled=yes state=started - when: wazuh_manager_config.enable_authd == true + - wazuh_manager_config.authd.use_password is defined + - wazuh_manager_config.authd.use_password == true tags: - config
diff --git a/ansible-wazuh-manager/templates/authd_pass.j2 b/ansible-wazuh-manager/templates/authd_pass.j2
new file mode 100644
index 00000000..27c97708
--- /dev/null
+++ b/ansible-wazuh-manager/templates/authd_pass.j2
@@ -0,0 +1 @@
+{{ authd_pass }}
diff --git a/ansible-wazuh-manager/templates/ossec-authd-init.service b/ansible-wazuh-manager/templates/ossec-authd-init.service
deleted file mode 100644
index 5feeb506..00000000
--- a/ansible-wazuh-manager/templates/ossec-authd-init.service
+++ /dev/null 
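Review bot: The `Ossec-authd password` task only writes `/var/ossec/etc/authd.pass` when `authd.use_password` is true; once a host has been configured that way, setting `use_password` to false or removing it leaves the old password file in place with nothing to remove it, so the role cannot reliably turn password authentication back off (whether the file alone enables it depends on the ossec.conf template, which is cut off in this chunk). A `file: state=absent` task for the opposite condition keeps the host in step with the vars; one is sketched below. The `no_log: true`, ossec ownership and 0640 mode on the new task are the right shape for the secret, and the same treatment is what the SSL key copy earlier in this file is missing.
```yaml
- name: Remove ossec-authd password when password auth is not in use
  file:
    path: /var/ossec/etc/authd.pass
    state: absent
  notify: restart wazuh-manager
  when: >-
    wazuh_manager_config.authd.use_password is not defined or
    wazuh_manager_config.authd.use_password != true
  tags:
    - config
```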
@@ -1,104 +0,0 @@ -#!/bin/sh -# -# ossec-authd Start the OSSEC-HIDS Authentication Daemon -# -# chkconfig: 2345 99 01 -# description: Provides key signing for OSSEC Clients -# processname: ossec-authd -# config: /var/ossec/etc/ossec.conf -# pidfile: /var/run/ossec-authd.pid -### BEGIN INIT INFO -# Provides: ossec-authd -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Authentication Daemon for OSSEC-HIDS. -# Description: Provides key signing for OSSEC Clients -### END INIT INFO - -# Author: Brad Lhotsky -NAME=ossec-authd -HOME=/var/ossec -DAEMON=/var/ossec/bin/ossec-authd -DAEMON_ARGS="-p 1515 2>&1 >> /var/ossec/logs/ossec-authd.log &" -PIDDIR=/var/ossec/var/run -SCRIPTNAME=/etc/init.d/ossec-authd - -if [ ! -e $HOME/etc/sslmanager.key ] - then - echo "Creating ossec-authd key and cert" - openssl genrsa -out $HOME/etc/sslmanager.key 4096 - openssl req -new -x509 -key $HOME/etc/sslmanager.key\ - -out $HOME/etc/sslmanager.cert -days 3650\ - -subj /CN=fqdn/ -fi - -. /etc/rc.d/init.d/functions - -getpid() { - for filename in $PIDDIR/${NAME}*.pid; do - pidfile=$(basename $filename) - pid=$(echo $pidfile |cut -d\- -f 3 |cut -d\. -f 1) - kill -0 $pid &> /dev/null - RETVAL=$? - if [ $RETVAL -eq 0 ]; then - PIDFILE=$filename - PID=$pid - else - rm -f $filename - fi; - done; -} - -start() { - echo -n $"Starting $NAME: " - daemon $DAEMON $DAEMON_ARGS - retval=$? - if [ $retval -eq 0 ]; then - echo_success - echo - else - echo_failure - echo - fi - return $retval -} - -stop() { - echo -n $"Stopping $NAME: " - getpid - killproc -p $PIDFILE $NAME - retval=$? - echo - return $retval -} - -restart() { - stop - start -} - -case "$1" in - start) - start - ;; - stop) - stop - ;; - status) - getpid - if [ -z $PIDFILE ]; then - status $NAME - else - status -p $PIDFILE $NAME - fi; - ;; - restart) - restart - ;; - *) - echo "Usage: $0 {start|stop|status}" - exit 2 - ;; -esac - -exit $? 
diff --git a/ansible-wazuh-manager/templates/ossec-authd.service b/ansible-wazuh-manager/templates/ossec-authd.service
deleted file mode 100644
index ba488148..00000000
--- a/ansible-wazuh-manager/templates/ossec-authd.service
+++ /dev/null
@@ -1,8 +0,0 @@ -[Unit] -Description=Wazuh authd - -[Service] -EnvironmentFile=/etc/ossec-init.conf -Environment=DIRECTORY=/var/ossec - -ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-authd -p 1515
diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index 6a421309..5040d338 100644
--- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@@ -1,3 +1,4 @@
+#jinja2: trim_blocks:False