Fix rootkit files & trojans paths for manager

This commit is contained in:
Rshad Zhran 2020-01-09 18:05:41 +01:00
parent 8f8c32cf59
commit a35c7bceb1
2 changed files with 10 additions and 10 deletions


@ -95,7 +95,7 @@ wazuh_manager_config:
use_source_ip: 'yes'
force_insert: 'yes'
force_time: 0
purge: 'no'
purge: 'yes'
use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
@ -114,7 +114,7 @@ wazuh_manager_config:
email_log_source: 'alerts.log'
extra_emails:
- enable: false
mail_to: 'recipient@example.wazuh.com'
mail_to: 'admin@example.net'
format: full
level: 7
event_location: null
@ -174,7 +174,7 @@ wazuh_manager_config:
rootcheck:
frequency: 43200
openscap:
disable: 'no'
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
@ -263,6 +263,7 @@ wazuh_manager_config:
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
debian:
@ -295,7 +296,6 @@ wazuh_manager_config:
- name: 'restart-ossec'
executable: 'restart-ossec.sh'
expect: ''
timeout_allowed: 'no'
- name: 'firewall-drop'
executable: 'firewall-drop.sh'
expect: 'srcip'
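Review bot: The `frequency: '360'` line in the `-263,6 +263,7` hunk (which appears to be the added line, under the `last -n 20` full_command entry) quotes the interval as a string, while `rootcheck.frequency: 43200` and `force_time: 0` in the same file are bare integers; the template interpolates either as text, so the rendered value is the same, but one convention for numeric settings would help, e.g. `frequency: 360`. The `-95,7 +95,7` hunk flips `purge` in the auth block, and `openscap.disable` and `mail_to` also change, yet the commit title only mentions rootkit paths; a sentence in the description saying why those defaults move would make the change easier to audit. The surrounding auth defaults `use_password: 'no'` and `force_insert: 'yes'` are untouched here, but since this block is being edited a comment above them such as `# enrollment runs without a shared password by default; set use_password: 'yes' where agents are not trusted` would make that choice visible to operators.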


@ -126,8 +126,8 @@
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency>
<rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
@ -292,7 +292,6 @@
<!-- File integrity monitoring -->
<syscheck>
<disabled>{{ wazuh_manager_config.syscheck.disable }}</disabled>
<auto_ignore>{{ wazuh_manager_config.syscheck.auto_ignore }}</auto_ignore>
<alert_new_files>{{ wazuh_manager_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
@ -318,7 +317,7 @@
{% endif %}
<!-- File types to ignore -->
{% if wazuh_manager_config.syscheck.ignore_linux_type is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %}
{% if wazuh_manager_config.syscheck.ignore_linux_type is defined %}
{% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
@ -346,7 +345,9 @@
<name>{{ command.name }}</name>
<executable>{{ command.executable }}</executable>
<expect>{{ command.expect }}</expect>
{% if command.timeout_allowed is defined %}
<timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>
{% endif %}
</command>
{% endfor %}
@ -359,7 +360,6 @@
<rule_exclude>{{ rule }}</rule_exclude>
{% endfor %}
{% endif %}
{% if cdb_lists is defined %}
{% for list in cdb_lists %}
<list>etc/lists/{{ list.name }}</list>
{% endfor %}
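Review bot: In the `-318,7 +317,7` hunk, if `{% if wazuh_manager_config.syscheck.ignore_linux_type is defined %}` is the new side, the sregex ignore list that was previously emitted only for CentOS 7 is now rendered for every distribution, which quietly widens what syscheck ignores on other hosts; either the default `ignore_linux_type` entries should be checked against those platforms or the condition kept per-distribution. The new `<rootkit_files>` and `<rootkit_trojans>` values in the `-126,8 +126,8` hunk are hard-coded to `/var/ossec/etc/rootcheck/...` while the neighbouring `<frequency>` is templated from `wazuh_manager_config.rootcheck`; a comment in the file's existing style, `<!-- Rootcheck databases are read from etc/rootcheck on the manager -->`, would record where the path comes from. The `timeout_allowed` guard in the `-346,7 +345,9` hunk reads correctly, but the printed hunk shows eight lines against a new-side count of nine, so a context line may be missing from this view.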