From ff978fb89c24969449dac86183782b131b77d32c Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Sun, 20 Aug 2017 21:05:03 -0400 Subject: [PATCH 01/23] Set elasticsearch_jvm_xms to null * Intended to calculate the optimal amount of memory for JVM automatically. --- ansible-role-elasticsearch/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible-role-elasticsearch/defaults/main.yml b/ansible-role-elasticsearch/defaults/main.yml index 93feb04f..e7e38bd0 100644 --- a/ansible-role-elasticsearch/defaults/main.yml +++ b/ansible-role-elasticsearch/defaults/main.yml @@ -3,5 +3,5 @@ elasticsearch_cluster_name: wazuh elasticsearch_node_name: node-1 elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 -elasticsearch_jvm_xms: 2000 +elasticsearch_jvm_xms: null elastic_stack_version: 5.5.0 From 2ba65efae7d3e0428fc65cd1c0183e55f854b41d Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Sun, 20 Aug 2017 21:06:02 -0400 Subject: [PATCH 02/23] Check if elasticsearch_jvm_xms is not null. --- ansible-role-elasticsearch/templates/jvm.options.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible-role-elasticsearch/templates/jvm.options.j2 b/ansible-role-elasticsearch/templates/jvm.options.j2 index 10829b90..576b9cc3 100644 --- a/ansible-role-elasticsearch/templates/jvm.options.j2 +++ b/ansible-role-elasticsearch/templates/jvm.options.j2 @@ -20,7 +20,7 @@ # Xms represents the initial size of total heap space # Xmx represents the maximum size of total heap space -{% if elasticsearch_jvm_xms is defined %} +{% if elasticsearch_jvm_xms is not none %} {% if elasticsearch_jvm_xms < 32000 %} -Xms{{ elasticsearch_jvm_xms }}m -Xmx{{ elasticsearch_jvm_xms }}m From fe2f1d94eb67bfc14f12d90f6e02816c89a84aa7 Mon Sep 17 00:00:00 2001 
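Review bot: The new `elasticsearch_jvm_xms: null` default is not self-explanatory, and the commit message's claim that heap is now calculated automatically is not something this hunk does: with null the jvm.options template simply emits no -Xms/-Xmx, so sizing is left to whatever the JVM picks on its own. Add a comment above the key stating the contract, e.g. `# Heap size in MB used for both -Xms and -Xmx; null omits both flags and leaves sizing to the JVM`. If a computed value was intended, that calculation (for instance from ansible_memtotal_mb) still has to be added somewhere; this hunk alone only removes the fixed 2000 MB.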
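Review bot: `{% if elasticsearch_jvm_xms is not none %}` no longer tolerates a variable that is missing entirely, which the replaced `is defined` test did: as far as I can tell the `none` test passes for an undefined value and the `< 32000` comparison on the next line then aborts the render, so applying this template without the role defaults (or with the key removed) fails. Use both tests, `{% if elasticsearch_jvm_xms is defined and elasticsearch_jvm_xms is not none %}`. The enclosing `{% if %}` block continues outside the hunk, so the inner branch and its else are not visible here.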
From: Miguelangel Freitas Date: Sun, 20 Aug 2017 21:15:44 -0400 Subject: [PATCH 03/23] Set shards and replicas for wazuh template. --- ansible-role-logstash/defaults/main.yml | 2 ++ ansible-role-logstash/templates/01-wazuh.conf.j2 | 1 + .../templates/wazuh-elastic5-template.json.j2 | 4 ++-- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ansible-role-logstash/defaults/main.yml b/ansible-role-logstash/defaults/main.yml index 0eba9a32..6b7a41e6 100644 --- a/ansible-role-logstash/defaults/main.yml +++ b/ansible-role-logstash/defaults/main.yml @@ -4,6 +4,8 @@ logstash_input_beats: false elasticsearch_network_host: "127.0.0.1" elasticsearch_http_port: "9200" +elasticsearch_shards: 5 +elasticsearch_replicas: 1 elastic_stack_version: 5.5.0 logstash_ssl: false diff --git a/ansible-role-logstash/templates/01-wazuh.conf.j2 b/ansible-role-logstash/templates/01-wazuh.conf.j2 index bbfdb32a..58c19101 100644 --- a/ansible-role-logstash/templates/01-wazuh.conf.j2 +++ b/ansible-role-logstash/templates/01-wazuh.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: trim_blocks:False # {{ ansible_managed }} # Wazuh - Logstash configuration file diff --git a/ansible-role-logstash/templates/wazuh-elastic5-template.json.j2 b/ansible-role-logstash/templates/wazuh-elastic5-template.json.j2 index f3611d4a..10107191 100644 --- a/ansible-role-logstash/templates/wazuh-elastic5-template.json.j2 +++ b/ansible-role-logstash/templates/wazuh-elastic5-template.json.j2 @@ -3,8 +3,8 @@ "template": "wazuh*", "settings": { "index.refresh_interval": "5s", - "number_of_shards" : 1, - "number_of_replicas" : 0 + "number_of_shards": {{ elasticsearch_shards }}, + "number_of_replicas": {{ elasticsearch_replicas }} }, "mappings": { "wazuh": { From 0f388781ba659db80694d0005c1ebe8e0602fac9 Mon Sep 17 00:00:00 2001 
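Review bot: `elasticsearch_replicas: 1` is a default that cannot be satisfied on a single-node deployment, which is what the surrounding defaults (`elasticsearch_network_host: "127.0.0.1"`) suggest: the wazuh-* indices created from the template would stay yellow with unassigned replica shards. Either default to 0 or document the trade-off next to the key, e.g. `# replicas per primary shard; set to 0 on a single-node cluster, 1 cannot be allocated there`. The third hunk substitutes both values unquoted into JSON, so a comment that they must remain integers is worth adding at the same place.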
From: Miguelangel Freitas Date: Sun, 20 Aug 2017 21:21:29 -0400 Subject: [PATCH 04/23] Add variables for visibility (wazuh-agent role). --- ansible-wazuh-agent/defaults/main.yml | 4 +++- .../templates/var-ossec-etc-ossec-agent.conf.j2 | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ansible-wazuh-agent/defaults/main.yml b/ansible-wazuh-agent/defaults/main.yml index 22682137..860367e8 100644 --- a/ansible-wazuh-agent/defaults/main.yml +++ b/ansible-wazuh-agent/defaults/main.yml @@ -1,8 +1,10 @@ --- wazuh_manager_ip: 127.0.0.1 +wazuh_profile: null wazuh_manager_proto: udp -wazuh_authd_port: 1515 wazuh_register_client: false +wazuh_notify_time: null +wazuh_time_reconnect: null wazuh_agent_config: syscheck: frequency: 43200 diff --git a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index 35c83fbb..984ca817 100644 --- a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -8,14 +8,14 @@ {{ wazuh_manager_ip }} - {% if wazuh_profile is defined %} + {% if wazuh_profile is not none %} {{ wazuh_profile }} {% endif %} {{ wazuh_manager_proto }} {% if wazuh_manager_port is defined %} {{ wazuh_manager_port }} {% endif %} - {% if wazuh_notify_time is defined and wazuh_time_reconnect is defined %} + {% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %} {{ wazuh_notify_time }} {{ wazuh_time_reconnect }} {% endif %} From 9fec1d16bdd906d42ea72d36c2e5c27e67c94d24 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Sun, 20 Aug 2017 21:45:32 -0400 Subject: [PATCH 05/23] Check for wazuh-manager when file input is used in Logstash. --- ansible-role-logstash/tasks/Debian.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible-role-logstash/tasks/Debian.yml b/ansible-role-logstash/tasks/Debian.yml index 8ed0440d..3bb7976a 100644 
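Review bot: The defaults hunk deletes `wazuh_authd_port: 1515` while the role's Register agent task still passes `-p {{ wazuh_authd_port }}` to agent-auth (visible as a removed context line in the tasks/main.yml hunk of patch 11 in this series), so between this commit and the one that re-adds the key any run with `wazuh_register_client: true` aborts on an undefined variable. Keep the key here and squash the re-addition into this change. The new null defaults would also benefit from a one-line comment each, e.g. `# null: omit the profile element from ossec.conf`, since null is now the signal the template tests for.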
--- a/ansible-role-logstash/tasks/Debian.yml +++ b/ansible-role-logstash/tasks/Debian.yml @@ -42,6 +42,7 @@ - name: Debian/Ubuntu | Checking if wazuh-manager is installed command: dpkg -l wazuh-manager register: wazuh_manager_check_deb + when: logstash_input_beats == false args: warn: no From c1dc137adc7535a406b6537bf9d2a17c81ab1f12 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Mon, 21 Aug 2017 11:00:25 -0400 Subject: [PATCH 06/23] Adding null variables for visibility (wazuh-manager) --- ansible-wazuh-manager/defaults/main.yml | 70 ++++++++++++++++++++----- 1 file changed, 57 insertions(+), 13 deletions(-) diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml index 5faf962a..afc155a9 100644 --- a/ansible-wazuh-manager/defaults/main.yml +++ b/ansible-wazuh-manager/defaults/main.yml @@ -5,13 +5,50 @@ wazuh_manager_config: json_output: 'yes' alerts_log: 'yes' logall: 'no' + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' authd: enable: false - email_notification: no + port: 1515 + use_source_ip: 'no' + force_insert: 'no' + force_time: 0 + purge: 'no' + use_password: 'no' + ssl_agent_ca: null + ssl_verify_host: 'no' + ssl_manager_cert: null + ssl_manager_key: null + ssl_auto_negotiate: 'no' + email_notification: 'no' mail_to: - - admin@example.net + - 'admin@example.net' mail_smtp_server: localhost mail_from: wazuh-server@example.com + extra_emails: + - enable: false + mail_to: 'admin@example.net' + format: full + level: 7 + event_location: null + group: null + do_not_delay: false + do_not_group: false + rule_id: null + reports: + - enable: false + category: 'syscheck' + title: 'Daily report: File changes' + email_to: 'admin@example.net' + location: null + group: null + rule: null + level: null + srcip: null + user: null + showlogs: null syscheck: frequency: 43200 scan_on_start: 'yes' 
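Review bot: Gating the dpkg check with `when: logstash_input_beats == false` means that when the task is skipped `wazuh_manager_check_deb` is registered as a skipped result with no `rc` or `stdout`, so any later task that reads those fields must now be guarded the same way or it fails on an undefined attribute; that consumer is outside this hunk, so please check it. Style-wise `when: not logstash_input_beats` is the usual Ansible form. The RedHat.yml hunk in patch 12 of this series makes the same change to `wazuh_manager_check_rpm` and has the same consequence.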
@@ -61,10 +98,6 @@ wazuh_manager_config: globals: - '127.0.0.1' - '192.168.2.1' - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' commands: - name: 'disable-account' executable: 'disable-account.sh' @@ -95,22 +128,33 @@ wazuh_manager_config: location: 'local' level: 6 timeout: 600 + syslog_outputs: + - server: null + port: null + format: null wazuh_agent_configs: - type: os type_value: linux - frequency_check: 79200 - ignore_files: + syscheck: + frequency: 43200 + scan_on_start: 'yes' + ignore: - /etc/mtab - /etc/mnttab - /etc/hosts.deny - /etc/mail/statistics - /etc/svc/volatile - directories: - - check_all: yes - dirs: /etc,/usr/bin,/usr/sbin - - check_all: yes - dirs: /bin,/sbin + no_diff: + - /etc/ssl/private.key + directories: + - dirs: /etc,/usr/bin,/usr/sbin + checks: 'check_all="yes"' + - dirs: /bin,/sbin + checks: 'check_all="yes"' + rootcheck: + frequency: 43200 + cis_distribution_filename: null localfiles: - format: 'syslog' location: '/var/log/messages' From 83e3d5ac6468494fecfded517269014777bdd907 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Mon, 21 Aug 2017 11:00:53 -0400 Subject: [PATCH 07/23] Validating null variables --- ansible-wazuh-manager/tasks/main.yml | 12 ++-- .../var-ossec-etc-ossec-server.conf.j2 | 56 ++++++++++--------- 2 files changed, 39 insertions(+), 29 deletions(-) diff --git a/ansible-wazuh-manager/tasks/main.yml b/ansible-wazuh-manager/tasks/main.yml index b6a094d8..9a2a2c14 100644 --- a/ansible-wazuh-manager/tasks/main.yml +++ b/ansible-wazuh-manager/tasks/main.yml @@ -21,7 +21,7 @@ chdir: /var/ossec/etc/ tags: - config - when: wazuh_manager_config.authd.ssl_agent_ca is not defined + when: not wazuh_manager_config.authd.ssl_agent_ca is not none - name: Copy CA, SSL key and cert for authd copy: 
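Review bot: The new `authd` block defaults to `use_password: 'no'`, `ssl_agent_ca: null` and `ssl_verify_host: 'no'`, i.e. once `enable` is flipped to true any host that can reach the authd port can register an agent without authentication; that may be a fine lab default but it should be spelled out where the operator will see it. Add a comment above `enable: false`, e.g. `# With use_password 'no' and no ssl_agent_ca, authd accepts unauthenticated registrations; set one of them before enabling`. Separately, `syslog_outputs` is a list whose single default item has `server: null`, so the consuming tasks have to iterate or index it; the `wazuh_manager_config.syslog_outputs.server` path used in the next patch does not address a list.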
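Review bot: `when: not wazuh_manager_config.authd.ssl_agent_ca is not none` relies on Jinja parsing the double negative as `not (x is not none)`; it works, but it reads like a typo and the mirror condition on the copy task in the next hunk uses the plain form. Write it as `when: wazuh_manager_config.authd.ssl_agent_ca is none`. The task this condition belongs to starts outside the hunk.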
@@ -34,7 +34,7 @@ - "{{ wazuh_manager_config.authd.ssl_manager_key }}" tags: - config - when: wazuh_manager_config.authd.ssl_agent_ca is defined + when: wazuh_manager_config.authd.ssl_agent_ca is not none - name: Installing the local_rules.xml (default local_rules.xml) template: src=var-ossec-rules-local_rules.xml.j2 @@ -78,11 +78,15 @@ - name: Enable client-syslog command: /var/ossec/bin/ossec-control enable client-syslog - when: csyslog_running.stdout == '0' and wazuh_manager_config.syslog_outputs is defined + when: + - csyslog_running.stdout == '0' + - wazuh_manager_config.syslog_outputs.server is not none - name: Start client-syslog command: /var/ossec/bin/ossec-control start client-syslog - when: csyslog_running.stdout == '0' and wazuh_manager_config.syslog_outputs is defined + when: + - csyslog_running.stdout == '0' + - wazuh_manager_config.syslog_outputs.server is not none - name: Check if ossec-agentlessd is enabled shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-agentlessd is running' | xargs echo" diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 5040d338..df9aeade 100644 --- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 
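Review bot: `wazuh_manager_config.syslog_outputs.server is not none` looks up a string key on a list: in the defaults added in patch 06 `syslog_outputs` is a sequence of mappings, so as far as I can tell both the Enable and Start client-syslog tasks now fail with a "list object has no attribute" error rather than skipping. Test the items instead, e.g. `- wazuh_manager_config.syslog_outputs | rejectattr('server', 'none') | list | length > 0`, or index the first entry explicitly with `syslog_outputs[0].server` if only one output is supported. The same expression appears in both tasks of this hunk and needs the same change in each.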
@@ -25,63 +25,67 @@ {% if wazuh_manager_config.authd.enable == true %} no - {% if wazuh_manager_config.authd.port is defined %}{{wazuh_manager_config.authd.port}}{% else %}1515{% endif %} - {% if wazuh_manager_config.authd.use_source_ip is defined %}{{wazuh_manager_config.authd.use_source_ip}}{% endif %} - {% if wazuh_manager_config.authd.force_insert is defined %}{{wazuh_manager_config.authd.force_insert}}{% endif %} - {% if wazuh_manager_config.authd.force_time is defined %}{{wazuh_manager_config.authd.force_time}}{% endif %} - {% if wazuh_manager_config.authd.purge is defined %}{{wazuh_manager_config.authd.purge}}{% endif %} - {% if wazuh_manager_config.authd.use_password is defined %}{{wazuh_manager_config.authd.use_password}}{% endif %} - {% if wazuh_manager_config.authd.ssl_agent_ca is defined %}/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}{% endif %} - {% if wazuh_manager_config.authd.ssl_verify_host is defined %}{{wazuh_manager_config.authd.ssl_verify_host}}{% endif %} - {% if wazuh_manager_config.authd.ssl_manager_cert is defined %}/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}{% endif %} - {% if wazuh_manager_config.authd.ssl_manager_key is defined %}/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}{% endif %} - {% if wazuh_manager_config.authd.ssl_auto_negotiate is defined %}{{wazuh_manager_config.authd.ssl_auto_negotiate}}{% endif %} + {% if wazuh_manager_config.authd.port is not none %}{{wazuh_manager_config.authd.port}}{% else %}1515{% endif %} + {% if wazuh_manager_config.authd.use_source_ip is not none %}{{wazuh_manager_config.authd.use_source_ip}}{% endif %} + {% if wazuh_manager_config.authd.force_insert is not none %}{{wazuh_manager_config.authd.force_insert}}{% endif %} + {% if wazuh_manager_config.authd.force_time is not none %}{{wazuh_manager_config.authd.force_time}}{% endif %} + {% if wazuh_manager_config.authd.purge is not none %}{{wazuh_manager_config.authd.purge}}{% 
endif %} + {% if wazuh_manager_config.authd.use_password is not none %}{{wazuh_manager_config.authd.use_password}}{% endif %} + {% if wazuh_manager_config.authd.ssl_agent_ca is not none %}/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}{% endif %} + {% if wazuh_manager_config.authd.ssl_verify_host is not none %}{{wazuh_manager_config.authd.ssl_verify_host}}{% endif %} + {% if wazuh_manager_config.authd.ssl_manager_cert is not none %}/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}{% endif %} + {% if wazuh_manager_config.authd.ssl_manager_key is not none %}/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}{% endif %} + {% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}{{wazuh_manager_config.authd.ssl_auto_negotiate}}{% endif %} {% endif %} {% if wazuh_manager_config.extra_emails is defined %} {% for mail in wazuh_manager_config.extra_emails %} +{% if mail.enable == true %} {{ mail.mail_to }} - {% if mail.format is defined %} + {% if mail.format is not none %} {{ mail.format }} {% endif %} - {% if mail.level is defined %} + {% if mail.level is not none %} {{ mail.level }} {% endif %} - {% if mail.event_location is defined %} + {% if mail.event_location is not none %} {{ mail.event_location }} {% endif %} - {% if mail.group is defined %} + {% if mail.group is not none %} {{ mail.group }} {% endif %} - {% if mail.do_not_delay is defined and mail.do_not_delay == true %} + {% if mail.do_not_delay is not none and mail.do_not_delay == true %} {% endif %} - {% if mail.do_not_group is defined and mail.do_not_group == true %} + {% if mail.do_not_group is not none and mail.do_not_group == true %} {% endif %} - {% if mail.rule_id is defined %} + {% if mail.rule_id is not none %} {{ mail.rule_id }} {% endif %} +{% endif %} {% endfor %} {% endif %} {% if wazuh_manager_config.reports is defined %} {% for report in wazuh_manager_config.reports %} +{% if report.enable == true %} {{ report.category }} 
{{ report.title }} {{ report.email_to }} - {% if report.location is defined %}{{ report.location }}{% endif %} - {% if report.group is defined %}{{ report.group }}{% endif %} - {% if report.rule is defined %}{{ report.rule }}{% endif %} - {% if report.level is defined %}{{ report.level }}{% endif %} - {% if report.srcip is defined %}{{ report.srcip }}{% endif %} - {% if report.user is defined %}{{ report.user }}{% endif %} - {% if report.showlogs is defined %}{{ report.showlogs }}{% endif %} + {% if report.location is not none %}{{ report.location }}{% endif %} + {% if report.group is not none %}{{ report.group }}{% endif %} + {% if report.rule is not none %}{{ report.rule }}{% endif %} + {% if report.level is not none %}{{ report.level }}{% endif %} + {% if report.srcip is not none %}{{ report.srcip }}{% endif %} + {% if report.user is not none %}{{ report.user }}{% endif %} + {% if report.showlogs is not none %}{{ report.showlogs }}{% endif %} +{% endif %} {% endfor %} {% endif %} @@ -263,11 +267,13 @@ {% if wazuh_manager_config.syslog_outputs is defined %} {% for syslog_output in wazuh_manager_config.syslog_outputs %} +{% if syslog_output.server is not none %} {{ syslog_output.server }} {{ syslog_output.port }} {{ syslog_output.format }} +{% endif %} {% endfor %} {% endif %} From dadd726b67e30bc9a4a92639edc09161d5f68934 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Mon, 21 Aug 2017 11:01:24 -0400 Subject: [PATCH 08/23] Modifying the agents.conf template. --- .../var-ossec-etc-shared-agent.conf.j2 | 86 ++++++++++++------- 1 file changed, 55 insertions(+), 31 deletions(-) diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 index 7f7e75d8..7cc02748 100644 --- a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 
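Review bot: `{% if mail.do_not_delay is not none and mail.do_not_delay == true %}` (and the `do_not_group` twin) carries a redundant first half: a null value already fails `== true`, so `{% if mail.do_not_delay == true %}` is equivalent and shorter. The hunk also mixes conventions, keeping `{% if wazuh_manager_config.extra_emails is defined %}` and `reports is defined` on the outer loops while every inner field now uses `is not none`; since both lists now have defaults, the outer guards could follow the same null convention or be dropped. The hunk starts inside the authd block, whose opening lines are outside the view.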
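Review bot: Inside the new `{% if syslog_output.server is not none %}` guard, `{{ syslog_output.port }}` and `{{ syslog_output.format }}` are still emitted unconditionally, and the defaults from patch 06 set both to null, so an operator who fills in only `server` gets the literal text `None` written into the manager configuration. Guard each field the same way, `{% if syslog_output.port is not none %}{{ syslog_output.port }}{% endif %}`, or give port and format non-null defaults.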
@@ -1,44 +1,68 @@ -{% for item in wazuh_agent_configs %} - +{% if wazuh_agent_configs is defined %} +{% for agent_config in wazuh_agent_configs %} + - -{% for directory in item.directories %} - {{ directory.dirs }} -{% endfor %} - - {{ item.frequency_check }} - {% for ignore_file in item.ignore_files %} - {{ ignore_file }} + + {{ agent_config.syscheck.frequency }} + {{ agent_config.syscheck.scan_on_start }} + + + {% if agent_config.syscheck.directories is defined %} + {% for directory in agent_config.syscheck.directories %} + {{ directory.dirs }} {% endfor %} + {% endif %} + + + {% if agent_config.syscheck.ignore is defined %} + {% for ignore in agent_config.syscheck.ignore %} + {{ ignore }} + {% endfor %} + {% endif %} + + + {% if agent_config.syscheck.no_diff is defined %} + {% for no_diff in agent_config.syscheck.no_diff %} + {{ no_diff }} + {% endfor %} + {% endif %} - -{% for localfile in item.localfiles %} - - {{ localfile.format }} - {% if localfile.command is defined %} - {{ localfile.command }} - {% else %} - {{ localfile.location }} - {% endif %} - -{% endfor %} + {% for localfile in agent_config.localfiles %} + + {{ localfile.format }} + {% if localfile.format == 'command' or localfile.format == 'full_command' %} + {{ localfile.command }} + {{ localfile.frequency }} + {% else %} + {{ localfile.location }} + {% endif %} + + {% endfor %} + no + yes + yes + yes + yes + yes + yes + yes + yes + + + {{ agent_config.rootcheck.frequency }} + /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/system_audit_rcl.txt - {% if item.cis_distribution_filename is defined %} - /var/ossec/etc/shared/{{ item.cis_distribution_filename }} - {% else %} - {# none specified so install all #} - /var/ossec/etc/shared/cis_debian_linux_rcl.txt - /var/ossec/etc/shared/cis_rhel_linux_rcl.txt - /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt - /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt - /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt 
+ /var/ossec/etc/shared/system_audit_ssh.txt + {% if agent_config.rootcheck.cis_distribution_filename is not none %} + /var/ossec/etc/shared/{{ agent_config.rootcheck.cis_distribution_filename }} {% endif %} + yes - {% endfor %} +{% endif %} From 20feac0e6c158037ac47a3131e377b06baf87638 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Mon, 21 Aug 2017 11:41:57 -0400 Subject: [PATCH 09/23] Install Wazuh APP 2.1 --- ansible-role-kibana/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible-role-kibana/tasks/main.yml b/ansible-role-kibana/tasks/main.yml index 83d465f7..d68ebda2 100644 --- a/ansible-role-kibana/tasks/main.yml +++ b/ansible-role-kibana/tasks/main.yml @@ -35,7 +35,7 @@ tags: install - name: Install Wazuh-APP (can take a while) - shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_{{ elastic_stack_version }}.zip" + shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.0_{{ elastic_stack_version }}.zip" args: creates: /usr/share/kibana/plugins/wazuh/package.json notify: restart kibana From f072a35f26c9153e454f5592c274f230d7ca4ed2 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Mon, 21 Aug 2017 12:02:38 -0400 Subject: [PATCH 10/23] Updated Elastic Stack to v5.5.2 --- ansible-role-elasticsearch/defaults/main.yml | 2 +- ansible-role-kibana/defaults/main.yml | 2 +- ansible-role-logstash/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible-role-elasticsearch/defaults/main.yml b/ansible-role-elasticsearch/defaults/main.yml index e7e38bd0..c4d59a7b 100644 --- a/ansible-role-elasticsearch/defaults/main.yml +++ b/ansible-role-elasticsearch/defaults/main.yml @@ -4,4 +4,4 @@ elasticsearch_node_name: node-1 elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 elasticsearch_jvm_xms: null -elastic_stack_version: 5.5.0 +elastic_stack_version: 5.5.2 
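Review bot: The rewritten rootcheck section drops the fallback that previously shipped every cis_*_rcl.txt when `cis_distribution_filename` was unset; with the new default of null (patch 06) no CIS benchmark file is configured for agents at all, a behaviour change the commit message does not mention. If that is intended, state it in the defaults next to the key; otherwise restore the else branch. The template also now dereferences `agent_config.rootcheck.frequency` and `agent_config.syscheck.scan_on_start` without any guard, so an inventory still using the old flat schema (`frequency_check`, `ignore_files`, top-level `directories`) fails to render instead of being told its keys are obsolete; a comment at the top of the file naming the expected keys, or an assert task on the schema, would make the migration explicit. `{{ localfile.frequency }}` is likewise emitted for every command/full_command localfile whether or not the entry defines it.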
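Review bot: Bumping the plugin URL to 2.1.0 does not upgrade hosts that already ran the role, because `creates: /usr/share/kibana/plugins/wazuh/package.json` is unchanged and is still satisfied by an existing 2.0 install. Either key the guard on the installed version (for example a stat or regex check of that package.json against the wanted version, registered and used in `when`) or document that the task is install-only. Pulling the version into a variable such as `wazuh_app_version: "2.1.0"` would also avoid hard-coding it inside the shell line.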
diff --git a/ansible-role-kibana/defaults/main.yml b/ansible-role-kibana/defaults/main.yml index 339df35f..b68a998a 100644 --- a/ansible-role-kibana/defaults/main.yml +++ b/ansible-role-kibana/defaults/main.yml @@ -3,4 +3,4 @@ elasticsearch_http_port: "9200" elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" -elastic_stack_version: 5.5.0 +elastic_stack_version: 5.5.2 diff --git a/ansible-role-logstash/defaults/main.yml b/ansible-role-logstash/defaults/main.yml index 6b7a41e6..a4563477 100644 --- a/ansible-role-logstash/defaults/main.yml +++ b/ansible-role-logstash/defaults/main.yml @@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1" elasticsearch_http_port: "9200" elasticsearch_shards: 5 elasticsearch_replicas: 1 -elastic_stack_version: 5.5.0 +elastic_stack_version: 5.5.2 logstash_ssl: false logstash_ssl_dir: /etc/pki/logstash From 7dce48315b98815cafcd538793682b557f29332f Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Mon, 21 Aug 2017 17:32:25 -0400 Subject: [PATCH 11/23] Use the authd service only when the agent is not registered. --- ansible-wazuh-agent/defaults/main.yml | 5 +++-- ansible-wazuh-agent/tasks/main.yml | 21 +++++++++++++------ .../var-ossec-etc-ossec-agent.conf.j2 | 4 ++++ 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/ansible-wazuh-agent/defaults/main.yml b/ansible-wazuh-agent/defaults/main.yml index 860367e8..680864e8 100644 --- a/ansible-wazuh-agent/defaults/main.yml +++ b/ansible-wazuh-agent/defaults/main.yml @@ -1,7 +1,8 @@ --- -wazuh_manager_ip: 127.0.0.1 +wazuh_manager_ip: null +wazuh_authd_port: 1515 wazuh_profile: null -wazuh_manager_proto: udp +wazuh_manager_proto: tcp wazuh_register_client: false wazuh_notify_time: null wazuh_time_reconnect: null diff --git a/ansible-wazuh-agent/tasks/main.yml b/ansible-wazuh-agent/tasks/main.yml index 9f332b81..c9af9802 100644 --- a/ansible-wazuh-agent/tasks/main.yml +++ b/ansible-wazuh-agent/tasks/main.yml 
@@ -10,20 +10,29 @@ tags: - init -- name: "Register agent" - shell: /var/ossec/bin/agent-auth -m {{ wazuh_manager_ip }} -p {{ wazuh_authd_port }} - register: agent_auth_output - when: wazuh_register_client == true +- name: Check if client.keys exists + stat: path=/var/ossec/etc/client.keys + register: check_keys tags: - config -- name: "Verify agent registration" +- name: Register agent + shell: /var/ossec/bin/agent-auth -m {{ wazuh_manager_ip }} -p {{ wazuh_authd_port }} + register: agent_auth_output + when: + - wazuh_register_client == true + - check_keys.stat.size == 0 + - wazuh_manager_ip is not none + tags: + - config + +- name: Verify agent registration shell: echo {{ agent_auth_output }} | grep "Valid key created" when: wazuh_register_client == true tags: - config -- name: "Installing agent configuration (ossec.conf)" +- name: Installing agent configuration (ossec.conf) template: src=var-ossec-etc-ossec-agent.conf.j2 dest=/var/ossec/etc/ossec.conf owner=root diff --git a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index 984ca817..f79f5e42 100644 --- a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -7,7 +7,11 @@ + {% if wazuh_manager_ip is not none %} {{ wazuh_manager_ip }} + {% else %} + SERVER-IP + {% endif %} {% if wazuh_profile is not none %} {{ wazuh_profile }} {% endif %} From d6f865a296f4d0c43153e8baa7c7a9819450ba36 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Mon, 21 Aug 2017 18:04:15 -0400 Subject: [PATCH 12/23] Check if wazuh-manager is installed on file input. --- ansible-role-logstash/tasks/RedHat.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible-role-logstash/tasks/RedHat.yml b/ansible-role-logstash/tasks/RedHat.yml index 51df05da..eff66dc5 100644 --- a/ansible-role-logstash/tasks/RedHat.yml +++ b/ansible-role-logstash/tasks/RedHat.yml 
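Review bot: `check_keys.stat.size == 0` raises an undefined-attribute error when client.keys does not exist, because the stat module returns only `exists: false` for a missing path and no `size`; on a fresh host, which as far as I can tell is the case this task exists for, Register agent therefore fails instead of running. Use `- not check_keys.stat.exists or check_keys.stat.size == 0`. The same condition is copied onto Verify agent registration in patch 13 and needs the same fix; that task also still pipes `{{ agent_auth_output }}` (the whole registered dict) through `echo | grep`, which a `failed_when: "'Valid key created' not in agent_auth_output.stdout"` on the Register task would replace without a shell.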
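Review bot: The new `{% else %}` branch writes the placeholder string `SERVER-IP` into ossec.conf whenever `wazuh_manager_ip` is null, which this series makes the role default, so a play that forgets to set it produces an agent that installs cleanly and then cannot reach any manager. Failing early is kinder: keep the template strict and add a check before it, `- assert: { that: wazuh_manager_ip is not none, msg: "wazuh_manager_ip must be set" }`. If the placeholder is meant as a hint for hand-editing, a comment in the template saying so would stop a reader from treating it as a bug.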
@@ -28,6 +28,7 @@ - name: RedHat/CentOS/Fedora | Checking if wazuh-manager is installed command: rpm -q wazuh-manager register: wazuh_manager_check_rpm + when: logstash_input_beats == false args: warn: no From 90dacea946436c1b320bc0f18b646dd76a40ef34 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Mon, 21 Aug 2017 19:09:17 -0400 Subject: [PATCH 13/23] Verify agent registration when is need it. --- ansible-wazuh-agent/tasks/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ansible-wazuh-agent/tasks/main.yml b/ansible-wazuh-agent/tasks/main.yml index c9af9802..bba005aa 100644 --- a/ansible-wazuh-agent/tasks/main.yml +++ b/ansible-wazuh-agent/tasks/main.yml @@ -28,7 +28,10 @@ - name: Verify agent registration shell: echo {{ agent_auth_output }} | grep "Valid key created" - when: wazuh_register_client == true + when: + - wazuh_register_client == true + - check_keys.stat.size == 0 + - wazuh_manager_ip is not none tags: - config From 66ca4e3fd062586f0c4f0cc4d98924d2f5025e0a Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Mon, 21 Aug 2017 23:31:39 -0400 Subject: [PATCH 14/23] Inject Wazuh template and sample alert. --- ansible-role-elasticsearch/defaults/main.yml | 2 + ansible-role-elasticsearch/tasks/main.yml | 24 + .../templates/alert_sample.json.j2 | 72 ++ .../templates/wazuh-elastic5-template.json.j2 | 622 ++++++++++++++++++ 4 files changed, 720 insertions(+) create mode 100644 ansible-role-elasticsearch/templates/alert_sample.json.j2 create mode 100644 ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 diff --git a/ansible-role-elasticsearch/defaults/main.yml b/ansible-role-elasticsearch/defaults/main.yml index c4d59a7b..c8063a38 100644 --- a/ansible-role-elasticsearch/defaults/main.yml +++ b/ansible-role-elasticsearch/defaults/main.yml 
@@ -5,3 +5,5 @@ elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 elasticsearch_jvm_xms: null elastic_stack_version: 5.5.2 +elasticsearch_shards: 5 +elasticsearch_replicas: 1 diff --git a/ansible-role-elasticsearch/tasks/main.yml b/ansible-role-elasticsearch/tasks/main.yml index 59c02bbb..262806e8 100644 --- a/ansible-role-elasticsearch/tasks/main.yml +++ b/ansible-role-elasticsearch/tasks/main.yml @@ -31,6 +31,30 @@ enabled: yes state: started +- name: Make sure Elasticsearch is running before proceeding + wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300 + tags: + - configure + - init + +- name: Installing Wazuh template + uri: + url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" + method: PUT + status_code: 200 + body_format: json + body: "{{ lookup('template','wazuh-elastic5-template.json.j2') }}" + tags: init + +- name: Injecting sample alert + uri: + url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample" + method: PUT + status_code: 201 + body_format: json + body: "{{ lookup('template','alert_sample.json.j2') }}" + tags: init + - include: "RMRedHat.yml" when: ansible_os_family == "RedHat" diff --git a/ansible-role-elasticsearch/templates/alert_sample.json.j2 b/ansible-role-elasticsearch/templates/alert_sample.json.j2 new file mode 100644 index 00000000..68cf86d7 --- /dev/null +++ b/ansible-role-elasticsearch/templates/alert_sample.json.j2 
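Review bot: `elasticsearch_shards` and `elasticsearch_replicas` are now declared with identical defaults in both the elasticsearch and the logstash role, and a wazuh-elastic5-template.json.j2 that consumes them exists in both roles too, so the same index template can be pushed twice with diverging values once one copy is edited. Pick one owner for the template (this role, since it now installs it through the API) and drop the duplicate from the logstash role, or note in both defaults files that the values must stay aligned.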
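Review bot: The Injecting sample alert task expects `status_code: 201`, but a PUT to an explicit document id returns 201 only on first creation and 200 when the document already exists, so every run after the first fails the play. Accept both, `status_code: [200, 201]`, or make the write create-only with `?op_type=create` on the URL and `status_code: [201, 409]`. Both uri calls use plain http://, which is acceptable for the 127.0.0.1 default but worth a comment if remote hosts are allowed.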
@@ -0,0 +1,72 @@ +{ + "@timestamp": "2015-03-18T15:55:55.000Z", + "AlertsFile": "sample", + "title": "sample", + "full_log": "sample", + "id": "sample", + "srcuser": "sample", + "srcip": "sample", + "location": "sample", + "GeoLocation": { + "country_name": "sample", + "location": [0.0,0.0] + }, + "agent": { + "name": "sample" + }, + "audit": { + "command": "sample", + "type": "sample", + "egid": "sample", + "euid": "sample", + "exe": "sample", + "gid": "sample", + "uid": "sample", + "directory": { + "name": "sample" + }, + "file": { + "mode": "sample", + "name": "sample" + } + }, + "oscap": { + "check": { + "result": "sample", + "severity": "sample", + "title": "sample" + }, + "scan": { + "id": "sample", + "content": "sample", + "score": 1.55, + "profile": { + "title": "sample" + } + } + }, + "rule": { + "cis": ["sample"], + "description": "sample", + "groups": ["sample"], + "id": "sample", + "level": 0, + "pci_dss": ["sample"] + }, + "syscheck": { + "gname_after": "sample", + "gname_before": "sample", + "guid_after": "sample", + "guid_before": "sample", + "md5_after": "sample", + "md5_before": "sample", + "path": "sample", + "perm_after": "sample", + "perm_before": "sample", + "uid_after": "sample", + "uid_before": "sample", + "uname_after": "sample", + "uname_before": "sample", + "event": "sample" + } +} diff --git a/ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 b/ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 new file mode 100644 index 00000000..10107191 --- /dev/null +++ b/ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 
@@ -0,0 +1,622 @@ +{ + "order": 0, + "template": "wazuh*", + "settings": { + "index.refresh_interval": "5s", + "number_of_shards": {{ elasticsearch_shards }}, + "number_of_replicas": {{ elasticsearch_replicas }} + }, + "mappings": { + "wazuh": { + "dynamic_templates": [ + { + "string_as_keyword": { + "match_mapping_type": "string", + "mapping": { + "type": "keyword", + "doc_values": "true" + } + } + } + ], + "properties": { + "@timestamp": { + "type": "date", + "format": "dateOptionalTime" + }, + "@version": { + "type": "text" + }, + "agent": { + "properties": { + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "manager": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "dstuser": { + "type": "keyword", + "doc_values": "true" + }, + "AlertsFile": { + "type": "keyword", + "doc_values": "true" + }, + "full_log": { + "type": "text" + }, + "previous_log": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + "city_name": { + "type": "keyword", + "doc_values": "true" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword", + "doc_values": "true" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword", + "doc_values": "true" + }, + "region_name": { + "type": "keyword", + "doc_values": "true" + }, + "timezone": { + "type": "text" + } + } + }, + "host": { + "type": "keyword", + "doc_values": "true" + }, + "syscheck": { + "properties": { 
+ "path": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_before": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_after": { + "type": "keyword", + "doc_values": "true" + }, + "uid_before": { + "type": "keyword", + "doc_values": "true" + }, + "uid_after": { + "type": "keyword", + "doc_values": "true" + }, + "gid_before": { + "type": "keyword", + "doc_values": "true" + }, + "gid_after": { + "type": "keyword", + "doc_values": "true" + }, + "perm_before": { + "type": "keyword", + "doc_values": "true" + }, + "perm_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_before": { + "type": "keyword", + "doc_values": "true" + }, + "gname_after": { + "type": "keyword", + "doc_values": "true" + }, + "gname_before": { + "type": "keyword", + "doc_values": "true" + }, + "inode_after": { + "type": "keyword", + "doc_values": "true" + }, + "inode_before": { + "type": "keyword", + "doc_values": "true" + }, + "mtime_after": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "mtime_before": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "uname_after": { + "type": "keyword", + "doc_values": "true" + }, + "uname_before": { + "type": "keyword", + "doc_values": "true" + }, + "size_before": { + "type": "long", + "doc_values": "true" + }, + "size_after": { + "type": "long", + "doc_values": "true" + }, + "diff": { + "type": "keyword", + "doc_values": "true" + }, + "event": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "location": { + "type": "keyword", + "doc_values": "true" + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "rule": { + "properties": { + "description": { + "type": "keyword", + "doc_values": "true" + }, + "groups": { + "type": "keyword", + "doc_values": "true" + }, + "level": { + "type": "long", + "doc_values": "true" + }, + "id": { + "type": "keyword", + 
"doc_values": "true" + }, + "cve": { + "type": "keyword", + "doc_values": "true" + }, + "info": { + "type": "keyword", + "doc_values": "true" + }, + "frequency": { + "type": "long", + "doc_values": "true" + }, + "firedtimes": { + "type": "long", + "doc_values": "true" + }, + "cis": { + "type": "keyword", + "doc_values": "true" + }, + "pci_dss": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "decoder": { + "properties": { + "parent": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "ftscomment": { + "type": "keyword", + "doc_values": "true" + }, + "fts": { + "type": "long", + "doc_values": "true" + }, + "accumulate": { + "type": "long", + "doc_values": "true" + } + } + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "protocol": { + "type": "keyword", + "doc_values": "true" + }, + "action": { + "type": "keyword", + "doc_values": "true" + }, + "dstip": { + "type": "keyword", + "doc_values": "true" + }, + "dstport": { + "type": "keyword", + "doc_values": "true" + }, + "srcuser": { + "type": "keyword", + "doc_values": "true" + }, + "program_name": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "status": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "url": { + "type": "keyword", + "doc_values": "true" + }, + "data": { + "type": "keyword", + "doc_values": "true" + }, + "system_name": { + "type": "keyword", + "doc_values": "true" + }, + "type": { + "type": "text" + }, + "title": { + "type": "keyword", + "doc_values": "true" + }, + "oscap": { + "properties": { + "check.title": { + "type": "keyword", + "doc_values": "true" + }, + "check.id": { + "type": "keyword", + "doc_values": "true" + }, + "check.result": { + "type": "keyword", + "doc_values": "true" + }, + "check.severity": { + "type": "keyword", + "doc_values": "true" + }, + 
"check.description": { + "type": "text" + }, + "check.rationale": { + "type": "text" + }, + "check.references": { + "type": "text" + }, + "check.identifiers": { + "type": "text" + }, + "check.oval.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.content": { + "type": "keyword", + "doc_values": "true" + }, + "scan.benchmark.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.title": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.score": { + "type": "double", + "doc_values": "true" + }, + "scan.return_code": { + "type": "long", + "doc_values": "true" + } + } + }, + "audit": { + "properties": { + "type": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "syscall": { + "type": "keyword", + "doc_values": "true" + }, + "exit": { + "type": "keyword", + "doc_values": "true" + }, + "ppid": { + "type": "keyword", + "doc_values": "true" + }, + "pid": { + "type": "keyword", + "doc_values": "true" + }, + "auid": { + "type": "keyword", + "doc_values": "true" + }, + "uid": { + "type": "keyword", + "doc_values": "true" + }, + "gid": { + "type": "keyword", + "doc_values": "true" + }, + "euid": { + "type": "keyword", + "doc_values": "true" + }, + "suid": { + "type": "keyword", + "doc_values": "true" + }, + "fsuid": { + "type": "keyword", + "doc_values": "true" + }, + "egid": { + "type": "keyword", + "doc_values": "true" + }, + "sgid": { + "type": "keyword", + "doc_values": "true" + }, + "fsgid": { + "type": "keyword", + "doc_values": "true" + }, + "tty": { + "type": "keyword", + "doc_values": "true" + }, + "session": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "exe": { + "type": "keyword", + "doc_values": "true" + }, + "key": { + "type": "keyword", + "doc_values": "true" 
+ }, + "cwd": { + "type": "keyword", + "doc_values": "true" + }, + "directory.name": { + "type": "keyword", + "doc_values": "true" + }, + "directory.inode": { + "type": "keyword", + "doc_values": "true" + }, + "directory.mode": { + "type": "keyword", + "doc_values": "true" + }, + "file.name": { + "type": "keyword", + "doc_values": "true" + }, + "file.inode": { + "type": "keyword", + "doc_values": "true" + }, + "file.mode": { + "type": "keyword", + "doc_values": "true" + }, + "acct": { + "type": "keyword", + "doc_values": "true" + }, + "dev": { + "type": "keyword", + "doc_values": "true" + }, + "enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "list": { + "type": "keyword", + "doc_values": "true" + }, + "old-auid": { + "type": "keyword", + "doc_values": "true" + }, + "old-ses": { + "type": "keyword", + "doc_values": "true" + }, + "old_enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "old_prom": { + "type": "keyword", + "doc_values": "true" + }, + "op": { + "type": "keyword", + "doc_values": "true" + }, + "prom": { + "type": "keyword", + "doc_values": "true" + }, + "res": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "subj": { + "type": "keyword", + "doc_values": "true" + }, + "success": { + "type": "keyword", + "doc_values": "true" + } + } + } + } + }, + "agent": { + "properties": { + "@timestamp": { + "type": "date", + "format": "dateOptionalTime" + }, + "status": { + "type": "keyword" + }, + "ip": { + "type": "keyword" + }, + "host": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "id": { + "type": "keyword" + } + } + } + } +} From cfbbf49855989bf5aae0098c05d2057f63385560 Mon Sep 17 00:00:00 2001 
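Review bot: This 622-line template is the same blob (`index 00000000..10107191`) that `ansible-role-logstash/templates/wazuh-elastic5-template.json.j2` already reached earlier in this series, so the mapping now has to be kept in sync by hand across two roles. Keep a single copy — whichever role owns the `_template/wazuh` PUT should be the only one shipping it — and remove or reference it from the other. Within the template, `"doc_values": "true"` is a string everywhere while `"order": 0` and `"level"`'s `"long"` type are real JSON values; Elasticsearch 5 coerces the string, but `"doc_values": true` (or omitting it, since keyword fields enable doc values by default) avoids relying on coercion. The `{{ elasticsearch_shards }}` / `{{ elasticsearch_replicas }}` substitutions render unquoted, so a non-numeric inventory value yields invalid JSON; `{{ elasticsearch_shards | int }}` at least guarantees a numeric literal.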
From: Miguelangel Freitas Date: Tue, 22 Aug 2017 15:54:48 -0400 Subject: [PATCH 15/23] Ensure latest Wazuh version is installed. --- ansible-wazuh-agent/tasks/main.yml | 2 +- ansible-wazuh-manager/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible-wazuh-agent/tasks/main.yml b/ansible-wazuh-agent/tasks/main.yml index bba005aa..2b8868b6 100644 --- a/ansible-wazuh-agent/tasks/main.yml +++ b/ansible-wazuh-agent/tasks/main.yml @@ -6,7 +6,7 @@ when: ansible_os_family == "Debian" - name: Install wazuh-agent - package: name=wazuh-agent state=present + package: name=wazuh-agent state=latest tags: - init diff --git a/ansible-wazuh-manager/tasks/main.yml b/ansible-wazuh-manager/tasks/main.yml index 9a2a2c14..f15f419e 100644 --- a/ansible-wazuh-manager/tasks/main.yml +++ b/ansible-wazuh-manager/tasks/main.yml @@ -6,7 +6,7 @@ when: ansible_os_family == "Debian" - name: Install wazuh-manager, wazuh-api and expect - package: pkg={{ item }} state=present + package: pkg={{ item }} state=latest with_items: - wazuh-manager - wazuh-api From 6fde2836c7507d3b43d8c56db51ee209a5b43f5a Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Tue, 22 Aug 2017 18:21:16 -0400 Subject: [PATCH 16/23] Check if the Wazuh template exits --- ansible-role-elasticsearch/tasks/main.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ansible-role-elasticsearch/tasks/main.yml b/ansible-role-elasticsearch/tasks/main.yml index 262806e8..7e8df66d 100644 --- a/ansible-role-elasticsearch/tasks/main.yml +++ b/ansible-role-elasticsearch/tasks/main.yml @@ -37,6 +37,14 @@ - configure - init +- name: Check for Wazuh template + uri: + url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" + method: GET + status_code: 200, 404 + register: wazuh_template_exits + tags: init + - name: Installing Wazuh template uri: url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" 
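Review bot: `package: name=wazuh-agent state=latest` (and `pkg={{ item }} state=latest` in `ansible-wazuh-manager/tasks/main.yml`) turns every play run into an unpinned upgrade from the Wazuh repository, so agents and manager drift to whatever the repo serves that day and the task reports changed on each upgrade. The Windows role added later in this series pins `version: '2.1.0'`; the Linux tasks could pin the same way through a version variable and keep `state=present`, reserving `state=latest` for an explicit upgrade tag. If unpinned `latest` is intended, a comment on both tasks saying so would stop it being "fixed" back to `present`.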
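Review bot: `status_code: 200, 404` is a single YAML scalar `"200, 404"` that only works because the `uri` module's list coercion splits on commas; write it as the list the module documents, `status_code: [200, 404]`. The registered name `wazuh_template_exits` reads as a typo for `wazuh_template_exists` and is referenced again in the next hunk, so renaming both now is cheap. A 200 from this GET only proves that some template named `wazuh` exists, not that it matches the shipped one; `return_content: yes` would let the install task compare bodies.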
@@ -44,13 +52,14 @@ status_code: 200 body_format: json body: "{{ lookup('template','wazuh-elastic5-template.json.j2') }}" + when: wazuh_template_exits.status != 200 tags: init - name: Injecting sample alert uri: url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample" method: PUT - status_code: 201 + status_code: 200, 201 body_format: json body: "{{ lookup('template','alert_sample.json.j2') }}" tags: init From c50184edbd3fb4c6d2016985d162ca8ca04908ce Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Tue, 22 Aug 2017 18:44:38 -0400 Subject: [PATCH 17/23] Add granular Active Response settings --- .../templates/var-ossec-etc-ossec-server.conf.j2 | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index df9aeade..8f814164 100644 --- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -245,10 +245,15 @@ {% for response in wazuh_manager_config.active_responses %} + no {{ response.command }} - {{ response.location }} - {{ response.level }} - {{ response.timeout }} + {%if response.location is defined %}{{ response.location }}{% endif %} + {%if response.agent_id is defined %}{{ response.agent_id }}{% endif %} + {%if response.level is defined %}{{ response.level }}{% endif %} + {%if response.rules_group is defined %}{{ response.rules_group }}{% endif %} + {%if response.rules_id is defined %}{{ response.rules_id }}{% endif %} + {%if response.timeout is defined %}{{ response.timeout }}{% endif %} + {%if response.repeated_offenders is defined %}{{ response.repeated_offenders }}{% endif %} {% endfor %} From 106c20608706a9596fc9e3889e9c502025226b81 Mon Sep 17 00:00:00 2001 
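Review bot: `when: wazuh_template_exits.status != 200` installs the template only when it is absent, so after the first run any change to `elasticsearch_shards`, `elasticsearch_replicas` or the template file itself is silently never applied to the cluster. `PUT _template/wazuh` is idempotent on the Elasticsearch side, so the safer shape is to always PUT and derive changed-ness from the earlier GET — drop the `when:` and add `changed_when: wazuh_template_exits.status != 200`, or compare the fetched body with the rendered template for a precise answer. Accepting `200, 201` on the sample-alert PUT is right since a re-run overwrites the `sample` document, but the list form `[200, 201]` is clearer here too.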
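Review bot: The active-response block now renders `{{ response.location }}` only when `response.location is defined`, whereas it was unconditional before; every entry in `wazuh_manager_config.active_responses` sets `location`, and I believe OSSEC treats it as mandatory, so an entry without it would produce a block the manager rejects at start-up — confirm, since the XML tags are stripped in this view. Keep `location` unconditional (or fail the template when it is missing) and make only the genuinely optional `agent_id`/`level`/`rules_group`/`rules_id`/`timeout`/`repeated_offenders` conditional. The new tags are written `{%if` while the rest of the templates use `{% if`; keep the spaced form.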
From: Miguelangel Freitas Date: Wed, 23 Aug 2017 10:32:04 -0400 Subject: [PATCH 18/23] Changes to syscheck options and centralized configuration * Perform more checks before enable agentlessd, authd a csyslog output. * Add a rule and active-respose action to restart agents after successfully retrieve agent.conf file from the Wazuh manager. --- ansible-wazuh-agent/defaults/main.yml | 3 + ansible-wazuh-agent/tasks/RMDebian.yml | 3 +- .../var-ossec-etc-ossec-agent.conf.j2 | 6 + ansible-wazuh-manager/defaults/main.yml | 10 +- ansible-wazuh-manager/tasks/main.yml | 125 ++++++++++-------- .../var-ossec-etc-ossec-server.conf.j2 | 12 +- .../var-ossec-etc-shared-agent.conf.j2 | 3 + .../var-ossec-rules-local_rules.xml.j2 | 12 ++ 8 files changed, 117 insertions(+), 57 deletions(-) diff --git a/ansible-wazuh-agent/defaults/main.yml b/ansible-wazuh-agent/defaults/main.yml index 680864e8..b49e02ff 100644 --- a/ansible-wazuh-agent/defaults/main.yml +++ b/ansible-wazuh-agent/defaults/main.yml @@ -7,9 +7,12 @@ wazuh_register_client: false wazuh_notify_time: null wazuh_time_reconnect: null wazuh_agent_config: + log_format: 'plain' syscheck: frequency: 43200 scan_on_start: 'yes' + auto_ignore: 'no' + alert_new_files: 'yes' ignore: - /etc/mtab - /etc/mnttab diff --git a/ansible-wazuh-agent/tasks/RMDebian.yml b/ansible-wazuh-agent/tasks/RMDebian.yml index 81befd12..a392c44d 100644 --- a/ansible-wazuh-agent/tasks/RMDebian.yml +++ b/ansible-wazuh-agent/tasks/RMDebian.yml @@ -1,4 +1,5 @@ --- -- apt_repository: +- name: Remove Wazuh repository (and clean up left-over metadata) + apt_repository: repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main state: absent diff --git a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index f79f5e42..dd07aa6b 100644 --- a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 
+++ b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -25,6 +25,10 @@ {% endif %} + + {{ wazuh_agent_config.log_format }} + + no yes @@ -51,6 +55,8 @@ + {{ wazuh_agent_config.syscheck.auto_ignore }} + {{ wazuh_agent_config.syscheck.alert_new_files }} {{ wazuh_agent_config.syscheck.frequency }} {{ wazuh_agent_config.syscheck.scan_on_start }} diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml index afc155a9..37eb0e04 100644 --- a/ansible-wazuh-manager/defaults/main.yml +++ b/ansible-wazuh-manager/defaults/main.yml @@ -5,6 +5,7 @@ wazuh_manager_config: json_output: 'yes' alerts_log: 'yes' logall: 'no' + log_format: 'plain' connection: - type: 'secure' port: '1514' @@ -52,6 +53,8 @@ wazuh_manager_config: syscheck: frequency: 43200 scan_on_start: 'yes' + auto_ignore: 'no' + alert_new_files: 'yes' ignore: - /etc/mtab - /etc/mnttab @@ -124,6 +127,9 @@ wazuh_manager_config: expect: 'srcip' timeout_allowed: 'yes' active_responses: + - command: 'restart-ossec' + location: 'local' + rules_id: 710001 - command: 'host-deny' location: 'local' level: 6 @@ -135,10 +141,12 @@ wazuh_manager_config: wazuh_agent_configs: - type: os - type_value: linux + type_value: Linux syscheck: frequency: 43200 scan_on_start: 'yes' + auto_ignore: 'no' + alert_new_files: 'yes' ignore: - /etc/mtab - /etc/mnttab diff --git a/ansible-wazuh-manager/tasks/main.yml b/ansible-wazuh-manager/tasks/main.yml index f15f419e..974fdb6a 100644 --- a/ansible-wazuh-manager/tasks/main.yml +++ b/ansible-wazuh-manager/tasks/main.yml @@ -63,7 +63,7 @@ - name: Configure the shared-agent.conf template: src=var-ossec-etc-shared-agent.conf.j2 dest=/var/ossec/etc/shared/agent.conf - owner=root + owner=ossec group=ossec mode=0640 notify: restart wazuh-manager 
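Review bot: `owner=ossec` with `mode=0640` makes `/var/ossec/etc/shared/agent.conf` writable by the service account, and the commit message does not say why `owner=root` (which still gave group `ossec` read access) was insufficient; this file is pushed to every agent, and a later hunk in this patch adds a rule that restarts agents whenever it changes, so who may write it matters. Add a comment on the task stating the reason — presumably a manager component needs to rewrite the file, confirm — or keep `owner=root` if group read is all that is required. The same task still passes its arguments as one `key=value` string, while the `Agentless Hosts & Passwd` task further down uses the block form (`template:` with `mode: 0644`); one style per file would be easier to read.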
@@ -71,65 +71,80 @@ - init - config -- name: Check if client-syslog is enabled - shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-csyslogd is running' | xargs echo" - register: csyslog_running - changed_when: False - -- name: Enable client-syslog - command: /var/ossec/bin/ossec-control enable client-syslog - when: - - csyslog_running.stdout == '0' - - wazuh_manager_config.syslog_outputs.server is not none - -- name: Start client-syslog - command: /var/ossec/bin/ossec-control start client-syslog - when: - - csyslog_running.stdout == '0' - - wazuh_manager_config.syslog_outputs.server is not none - -- name: Check if ossec-agentlessd is enabled - shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-agentlessd is running' | xargs echo" - register: agentless_running - changed_when: False - -- name: Enable ossec-agentlessd - command: /var/ossec/bin/ossec-control enable agentless - when: agentless_running.stdout == '0' and agentless_creeds is defined - -- name: Start ossec-agentlessd - command: /var/ossec/bin/ossec-control start agentless - when: agentless_running.stdout == '0' and agentless_creeds is defined - -- name: Check if ossec-authd is enabled - shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-authd is running' | xargs echo" - register: authd_running - changed_when: False - -- name: Enable ossec-authd - command: /var/ossec/bin/ossec-control enable auth - when: - - authd_running.stdout == '0' - - wazuh_manager_config.authd.enable == true - -- name: Start ossec-authd - command: /var/ossec/bin/ossec-control start auth - when: - - authd_running.stdout == '0' - - wazuh_manager_config.authd.enable == true +- name: Retrieving Agentless Credentials + include_vars: agentless_creeds.yml + tags: + - config - name: Retrieving authd Credentials include_vars: authd_pass.yml tags: - config -- name: Retrieving Agentless Credentials - include_vars: agentless_creeds.yml +- name: Retrieving Wazuh-api User Credentials + include_vars: wazuh_api_creds.yml 
tags: - config -- name: Retrieving Wazuh-api User Credentials - include_vars: wazuh_api_creds.yml +- name: Check if syslog output is enabled + set_fact: syslog_output=true + when: item.server is not none + with_items: + - "{{ wazuh_manager_config.syslog_outputs }}" + tags: + - config + +- name: Check if client-syslog is enabled + shell: "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo" + args: + removes: /var/ossec/bin/.process_list + changed_when: False + register: csyslog_enabled + tags: + - config + +- name: Enable client-syslog + command: /var/ossec/bin/ossec-control enable client-syslog + notify: restart wazuh-manager + when: + - csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout + - syslog_output is defined and syslog_output == true + tags: + - config + +- name: Check if ossec-agentlessd is enabled + shell: "grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo" + args: + removes: /var/ossec/bin/.process_list + changed_when: False + register: agentlessd_enabled + tags: + - config + +- name: Enable ossec-agentlessd + command: /var/ossec/bin/ossec-control enable agentless + notify: restart wazuh-manager + when: + - agentlessd_enabled.stdout == '0' or "skipped" in agentlessd_enabled.stdout + - agentless_creeds is defined + tags: + - config + +- name: Check if ossec-authd is enabled + shell: "grep -c 'ossec-authd' /var/ossec/bin/.process_list | xargs echo" + args: + removes: /var/ossec/bin/.process_list + changed_when: False + register: authd_enabled + tags: + - config + +- name: Enable ossec-authd + command: /var/ossec/bin/ossec-control enable auth + notify: restart wazuh-manager + when: + - authd_enabled.stdout == '0' or "skipped" in authd_enabled.stdout + - wazuh_manager_config.authd.enable == true tags: - config 
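Review bot: The three enable checks (`Check if client-syslog is enabled` and its agentlessd/authd twins) pair `args: removes: /var/ossec/bin/.process_list` with `when: ... or "skipped" in csyslog_enabled.stdout`, which depends on the command module writing its literal "skipped, since … does not exist" text into `stdout`; that message is an implementation detail rather than a documented contract, and an Ansible version that reports a real skip may leave `stdout` undefined and turn the condition into an error. Drop `removes:` and handle the missing file in the shell instead, e.g. `shell: "[ -f /var/ossec/bin/.process_list ] && grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo || echo 0"`, so the condition shrinks to `csyslog_enabled.stdout == '0'`. A comment that `| xargs echo` exists only to mask `grep -c`'s exit status 1 on zero matches would stop someone simplifying it away. `changed_when: False` should be the canonical YAML boolean `false`, matching `wazuh_register_client: false` elsewhere in the roles.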
@@ -164,7 +179,7 @@ notify: restart wazuh-manager when: - wazuh_manager_config.authd.use_password is defined - - wazuh_manager_config.authd.use_password == true + - wazuh_manager_config.authd.use_password == 'yes' tags: - config @@ -178,6 +193,8 @@ no_log: true notify: restart wazuh-api when: wazuh_api_user is defined + tags: + - config - name: Agentless Hosts & Passwd template: @@ -188,10 +205,14 @@ mode: 0644 no_log: true when: agentless_creeds is defined + tags: + - config - name: Encode the secret shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp when: agentless_creeds is defined + tags: + - config - name: Ensure Wazuh Manager, wazuh api service is started and enabled service: diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 8f814164..62eaa282 100644 --- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -1,4 +1,4 @@ -#jinja2: trim_blocks:False +#jinja2: trim_blocks: False {{ wazuh_manager_config.syscheck.frequency }} {{ wazuh_manager_config.syscheck.scan_on_start }} diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 index 7cc02748..a45a95d8 100644 --- a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 @@ -1,7 +1,10 @@ +#jinja2: trim_blocks: False {% if wazuh_agent_configs is defined %} {% for agent_config in wazuh_agent_configs %} + {{ agent_config.syscheck.auto_ignore }} + {{ agent_config.syscheck.alert_new_files }} {{ agent_config.syscheck.frequency }} {{ agent_config.syscheck.scan_on_start }} 
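Review bot: `- wazuh_manager_config.authd.use_password == 'yes'` matches only the quoted string, so an operator who writes `use_password: yes` (a YAML boolean, the natural spelling) silently fails the comparison and the guarded task — presumably the one that writes the authd password, it starts outside the hunk — is skipped, leaving authd enrolment without the shared password. Compare through the bool filter instead, `- wazuh_manager_config.authd.use_password | bool`, which accepts `'yes'`, `true` and `'true'` alike. If the string form is kept on purpose, say so in a comment next to the default in `defaults/main.yml`.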
diff --git a/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 b/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 index 76001f2e..db0b000a 100644 --- a/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 @@ -1,5 +1,17 @@ + + + + syscheck + /var/ossec/etc/shared/agent.conf + agent.conf was modified + + + From 3ec7f354f4f1e6e570c53219b9a0b71fbd627206 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Wed, 23 Aug 2017 15:37:41 -0400 Subject: [PATCH 19/23] Adding windows support. --- ansible-wazuh-agent/defaults/main.yml | 5 ++ ansible-wazuh-agent/handlers/main.yml | 3 ++ ansible-wazuh-agent/tasks/Linux.yml | 59 ++++++++++++++++++++++ ansible-wazuh-agent/tasks/Windows.yml | 70 +++++++++++++++++++++++++++ ansible-wazuh-agent/tasks/main.yml | 61 ++--------------------- 5 files changed, 141 insertions(+), 57 deletions(-) create mode 100644 ansible-wazuh-agent/tasks/Linux.yml create mode 100644 ansible-wazuh-agent/tasks/Windows.yml diff --git a/ansible-wazuh-agent/defaults/main.yml b/ansible-wazuh-agent/defaults/main.yml index b49e02ff..62716bab 100644 --- a/ansible-wazuh-agent/defaults/main.yml +++ b/ansible-wazuh-agent/defaults/main.yml @@ -6,6 +6,11 @@ wazuh_manager_proto: tcp wazuh_register_client: false wazuh_notify_time: null wazuh_time_reconnect: null +wazuh_winagent_config: + install_dir: 'C:\wazuh-agent\' + version: '2.1.0' + url: https://packages.wazuh.com/windows/wazuh-winagent-v2.1.0-1.exe + md5: 715fbd55f670c2cecc607f2cbd0b2310 wazuh_agent_config: log_format: 'plain' syscheck: diff --git a/ansible-wazuh-agent/handlers/main.yml b/ansible-wazuh-agent/handlers/main.yml index f778a145..bb84954e 100644 --- a/ansible-wazuh-agent/handlers/main.yml +++ b/ansible-wazuh-agent/handlers/main.yml 
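Review bot: `md5: 715fbd55f670c2cecc607f2cbd0b2310` pins the Windows installer with MD5, and `tasks/Windows.yml` in this same patch verifies it with `checksum_algorithm: md5`; MD5 is collision-broken, so this catches a truncated download but is not a meaningful integrity check for an executable fetched from the network. Publish and pin a SHA-256 instead (`win_stat` accepts `checksum_algorithm: sha256`), and quote the digest, since a digest that happens to be all decimal digits would be parsed as an integer. A comment stating that `version` and the digest must change together would help, as nothing else ties them.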
@@ -1,3 +1,6 @@
 ---
 - name: restart wazuh-agent
   service: name=wazuh-agent state=restarted enabled=yes
+
+- name: restart wazuh-agent windows
+  win_service: name=OssecSvc start_mode=auto state=restarted
diff --git a/ansible-wazuh-agent/tasks/Linux.yml b/ansible-wazuh-agent/tasks/Linux.yml
new file mode 100644
index 00000000..74db22d3
--- /dev/null
+++ b/ansible-wazuh-agent/tasks/Linux.yml
@@ -0,0 +1,59 @@
+---
+- include: "RedHat.yml"
+  when: ansible_os_family == "RedHat"
+
+- include: "Debian.yml"
+  when: ansible_os_family == "Debian"
+
+- name: Linux | Install wazuh-agent
+  package: name=wazuh-agent state=latest
+  tags:
+    - init
+
+- name: Linux | Check if client.keys exists
+  stat: path=/var/ossec/etc/client.keys
+  register: check_keys
+  tags:
+    - config
+
+- name: Linux | Register agent
+  shell: /var/ossec/bin/agent-auth -m {{ wazuh_manager_ip }} -p {{ wazuh_authd_port }}
+  register: agent_auth_output
+  when:
+    - wazuh_register_client == true
+    - check_keys.stat.size == 0
+    - wazuh_manager_ip is not none
+  tags:
+    - config
+
+- name: Linux | Verify agent registration
+  shell: echo {{ agent_auth_output }} | grep "Valid key created"
+  when:
+    - wazuh_register_client == true
+    - check_keys.stat.size == 0
+    - wazuh_manager_ip is not none
+  tags:
+    - config
+
+- name: Linux | Installing agent configuration (ossec.conf)
+  template: src=var-ossec-etc-ossec-agent.conf.j2
+            dest=/var/ossec/etc/ossec.conf
+            owner=root
+            group=ossec
+            mode=0644
+  notify: restart wazuh-agent
+  tags:
+    - init
+    - config
+
+- name: Linux | Ensure Wazuh Agent service is started and enabled
+  service:
+    name: wazuh-agent
+    enabled: yes
+    state: started
+
+- include: "RMRedHat.yml"
+  when: ansible_os_family == "RedHat"
+
+- include: "RMDebian.yml"
+  when: ansible_os_family == "Debian"
diff --git a/ansible-wazuh-agent/tasks/Windows.yml b/ansible-wazuh-agent/tasks/Windows.yml
new file mode 100644
index 00000000..abad7728
--- /dev/null
+++ b/ansible-wazuh-agent/tasks/Windows.yml
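Review bot: `Linux | Verify agent registration` pipes the whole registered result through the shell — `shell: echo {{ agent_auth_output }} | grep "Valid key created"` expands a dict with quotes and braces, unquoted, into `sh -c`, which breaks as soon as the output contains a shell metacharacter. Assert on the field from the register task instead, `failed_when: "'Valid key created' not in agent_auth_output.stdout"` on `Linux | Register agent`, and delete the extra task. `check_keys.stat.size == 0` also raises an undefined-variable error when `client.keys` is absent, because `stat` returns no `size` for a missing file; `not check_keys.stat.exists or check_keys.stat.size == 0` covers both cases.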
@@ -0,0 +1,70 @@ +--- +- name: Windows | Get current installed version + win_shell: "{{ wazuh_winagent_config.install_dir }}ossec-agent.exe -h" + args: + removes: "{{ wazuh_winagent_config.install_dir }}ossec-agent.exe" + register: agent_version + failed_when: False + changed_when: False + +- name: Windows | Check Wazuh agent version installed + set_fact: correct_version=true + when: + - agent_version.stdout is defined + - wazuh_winagent_config.version in agent_version.stdout + +- name: Windows | Downloading windows Wazuh agent installer + win_get_url: + dest: C:\wazuh-agent-installer.exe + url: "{{ wazuh_winagent_config.url }}" + when: + - correct_version is not defined + +- name: Windows | Verify the downloaded Wazuh agent installer + win_stat: + path: C:\wazuh-agent-installer.exe + get_checksum: yes + checksum_algorithm: md5 + register: installer_md5 + when: + - correct_version is not defined + failed_when: + - installer_md5.stat.checksum != wazuh_winagent_config.md5 + +- name: Windows | Install Wazuh agent + win_shell: C:\wazuh-agent-installer.exe /S /D={{ wazuh_winagent_config.install_dir }} + when: + - correct_version is not defined + +- name: Windows | Check if client.keys exists + win_stat: path="{{ wazuh_winagent_config.install_dir }}client.keys" + register: check_windows_key + notify: restart wazuh-agent windows + tags: + - config + +- name: Windows | Register agent + win_shell: "{{ wazuh_winagent_config.install_dir }}agent-auth.exe -m {{ wazuh_manager_ip }} -p {{ wazuh_authd_port }}" + args: + chdir: "{{ wazuh_winagent_config.install_dir }}" + register: agent_auth_output + notify: restart wazuh-agent windows + when: + - wazuh_register_client == true + - check_windows_key.stat.exists == false + - wazuh_manager_ip is not none + tags: + - config + +- name: Windows | Installing agent configuration (ossec.conf) + win_template: + src: var-ossec-etc-ossec-agent.conf.j2 + dest: "{{ wazuh_winagent_config.install_dir }}ossec.conf" + notify: restart wazuh-agent 
windows + tags: + - config + +- name: Windows | Delete downloaded Wazuh agent installer file + win_file: + path: C:\wazuh-agent-installer.exe + state: absent diff --git a/ansible-wazuh-agent/tasks/main.yml b/ansible-wazuh-agent/tasks/main.yml index 2b8868b6..ade60835 100644 --- a/ansible-wazuh-agent/tasks/main.yml +++ b/ansible-wazuh-agent/tasks/main.yml @@ -1,59 +1,6 @@ --- -- include: "RedHat.yml" - when: ansible_os_family == "RedHat" +- include: "Windows.yml" + when: ansible_os_family == "Windows" -- include: "Debian.yml" - when: ansible_os_family == "Debian" - -- name: Install wazuh-agent - package: name=wazuh-agent state=latest - tags: - - init - -- name: Check if client.keys exists - stat: path=/var/ossec/etc/client.keys - register: check_keys - tags: - - config - -- name: Register agent - shell: /var/ossec/bin/agent-auth -m {{ wazuh_manager_ip }} -p {{ wazuh_authd_port }} - register: agent_auth_output - when: - - wazuh_register_client == true - - check_keys.stat.size == 0 - - wazuh_manager_ip is not none - tags: - - config - -- name: Verify agent registration - shell: echo {{ agent_auth_output }} | grep "Valid key created" - when: - - wazuh_register_client == true - - check_keys.stat.size == 0 - - wazuh_manager_ip is not none - tags: - - config - -- name: Installing agent configuration (ossec.conf) - template: src=var-ossec-etc-ossec-agent.conf.j2 - dest=/var/ossec/etc/ossec.conf - owner=root - group=ossec - mode=0644 - notify: restart wazuh-agent - tags: - - init - - config - -- name: Ensure Wazuh Agent service is started and enabled - service: - name: wazuh-agent - enabled: yes - state: started - -- include: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - -- include: "RMDebian.yml" - when: ansible_os_family == "Debian" +- include: "Linux.yml" + when: ansible_system == "Linux" From cab4302c4e7b7ce14f21270b19aa9a1e15aeee00 Mon Sep 17 00:00:00 2001 
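Review bot: `notify: restart wazuh-agent windows` on `Windows | Check if client.keys exists` is dead — `win_stat` never reports `changed`, so that handler can only fire from `Register agent` and `Installing agent configuration`; drop the line from the stat task. The version probe `wazuh_winagent_config.version in agent_version.stdout` is a substring test, so `'2.1.0'` also matches a `12.1.0` banner; anchoring it (e.g. on `'v' ~ wazuh_winagent_config.version`, if the banner prints that prefix — confirm) is cheap. The integrity check uses MD5 (see the note on `defaults/main.yml`); newer Ansible lets `win_get_url` take a `checksum` argument so the download itself fails on mismatch rather than a separate `win_stat` step.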
From: Miguelangel Freitas Date: Tue, 29 Aug 2017 12:54:04 -0500 Subject: [PATCH 20/23] Using version and revision fields on Windows agent role. --- ansible-wazuh-agent/defaults/main.yml | 3 ++- ansible-wazuh-agent/tasks/Windows.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ansible-wazuh-agent/defaults/main.yml b/ansible-wazuh-agent/defaults/main.yml index 62716bab..79bd3c55 100644 --- a/ansible-wazuh-agent/defaults/main.yml +++ b/ansible-wazuh-agent/defaults/main.yml @@ -9,7 +9,8 @@ wazuh_time_reconnect: null wazuh_winagent_config: install_dir: 'C:\wazuh-agent\' version: '2.1.0' - url: https://packages.wazuh.com/windows/wazuh-winagent-v2.1.0-1.exe + revision: '1' + repo: https://packages.wazuh.com/windows/ md5: 715fbd55f670c2cecc607f2cbd0b2310 wazuh_agent_config: log_format: 'plain' diff --git a/ansible-wazuh-agent/tasks/Windows.yml b/ansible-wazuh-agent/tasks/Windows.yml index abad7728..cf825b8a 100644 --- a/ansible-wazuh-agent/tasks/Windows.yml +++ b/ansible-wazuh-agent/tasks/Windows.yml @@ -16,7 +16,7 @@ - name: Windows | Downloading windows Wazuh agent installer win_get_url: dest: C:\wazuh-agent-installer.exe - url: "{{ wazuh_winagent_config.url }}" + url: "{{ wazuh_winagent_config.repo }}wazuh-winagent-v{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.exe" when: - correct_version is not defined From fe07c66d24ec3a2f40d33964b79389d82a77a55b Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Tue, 29 Aug 2017 20:56:42 -0500 Subject: [PATCH 21/23] Add Windows registry keys to syscheck * Changing agent restart rules id. * Restart Windows agents after receiving agent.conf --- ansible-wazuh-agent/defaults/main.yml | 4 +++ .../var-ossec-etc-ossec-agent.conf.j2 | 35 +++++++++++++++++-- ansible-wazuh-manager/defaults/main.yml | 25 ++++++++++++- .../var-ossec-etc-shared-agent.conf.j2 | 16 ++++++--- .../var-ossec-rules-local_rules.xml.j2 | 29 ++++++++------- 5 files changed, 90 insertions(+), 19 deletions(-) 
diff --git a/ansible-wazuh-agent/defaults/main.yml b/ansible-wazuh-agent/defaults/main.yml index 79bd3c55..153f1633 100644 --- a/ansible-wazuh-agent/defaults/main.yml +++ b/ansible-wazuh-agent/defaults/main.yml @@ -40,6 +40,10 @@ wazuh_agent_config: checks: 'check_all="yes"' - dirs: /bin,/sbin checks: 'check_all="yes"' + windows_registry: + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' + arch: 'both' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' rootcheck: frequency: 43200 openscap: diff --git a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index dd07aa6b..d50fd470 100644 --- a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -1,4 +1,4 @@ -#jinja2: lstrip_blocks: True +#jinja2: trim_blocks: False {{ wazuh_agent_config.rootcheck.frequency }} + {% if ansible_os_family == "Windows" %} + ./shared/win_audit_rcl.txt + ./shared/win_applications_rcl.txt + ./shared/win_malware_rcl.txt + {% endif %} + + {% if ansible_system == "Linux" %} /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/system_audit_rcl.txt @@ -50,11 +61,21 @@ {% if cis_distribution_filename is defined %} /var/ossec/etc/shared/{{ cis_distribution_filename }} {% endif %} + {% endif %} yes + no + {% if ansible_os_family == "Windows" %} + C:\wazuh-agent + {% endif %} + + {% if ansible_system == "Linux" %} + /var/ossec/etc/shared + {% endif %} + {{ wazuh_agent_config.syscheck.auto_ignore }} {{ wazuh_agent_config.syscheck.alert_new_files }} 
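Review bot: The Windows branch hard-codes `C:\wazuh-agent` where the Linux branch uses `/var/ossec/etc/shared`, while every other Windows path in this patch comes from `wazuh_winagent_config.install_dir`; changing `install_dir` therefore leaves this entry pointing at a directory that does not exist. Render it from the same variable, `{{ wazuh_winagent_config.install_dir }}shared` (the default `'C:\wazuh-agent\'` already ends with a separator). The XML tags are stripped in this view, so the element the value lands in could not be confirmed, and the text following `@@ -1,4 +1,4 @@` is far longer than four lines, so this chunk appears to carry a merged hunk that may not apply as captured.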
@@ -79,9 +100,19 @@ {% for no_diff in wazuh_agent_config.syscheck.no_diff %} {{ no_diff }} {% endfor %} + + {% if ansible_os_family == "Windows" %} + {% for registry_key in wazuh_agent_config.syscheck.windows_registry %} + {% if registry_key.arch is defined %} + {{ registry_key.key }} + {% else %} + {{ registry_key.key }} + {% endif %} + {% endfor %} + {% endif %} - {% if wazuh_agent_config.openscap.disable == 'no' %} + {% if wazuh_agent_config.openscap.disable == 'no' and ansible_system == "Linux"%} no {{ wazuh_agent_config.openscap.timeout }} diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml index 37eb0e04..28fbee8c 100644 --- a/ansible-wazuh-manager/defaults/main.yml +++ b/ansible-wazuh-manager/defaults/main.yml @@ -110,6 +110,10 @@ wazuh_manager_config: executable: 'restart-ossec.sh' expect: '' timeout_allowed: 'no' + - name: 'win_restart-ossec' + executable: 'restart-ossec.cmd' + expect: '' + timeout_allowed: 'no' - name: 'firewall-drop' executable: 'firewall-drop.sh' expect: 'srcip' @@ -129,7 +133,10 @@ wazuh_manager_config: active_responses: - command: 'restart-ossec' location: 'local' - rules_id: 710001 + rules_id: '100002' + - command: 'win_restart-ossec' + location: 'local' + rules_id: '100003' - command: 'host-deny' location: 'local' level: 6 @@ -176,3 +183,19 @@ wazuh_agent_configs: location: '/var/log/httpd/access_log' - format: 'apache' location: '/var/ossec/logs/active-responses.log' + - type: os + type_value: Windows + syscheck: + frequency: 43200 + scan_on_start: 'yes' + auto_ignore: 'no' + alert_new_files: 'yes' + windows_registry: + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' + arch: 'both' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' + localfiles: + - format: 'Security' + location: 'eventchannel' + - format: 'System' + location: 'eventlog' 
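Review bot: `{% if wazuh_agent_config.openscap.disable == 'no' and ansible_system == "Linux"%}` is missing the space before `%}`; Jinja accepts it, but it breaks the spacing every other tag in this template uses — write `... and ansible_system == "Linux" %}`. In the new registry loop both branches of `{% if registry_key.arch is defined %}` render `{{ registry_key.key }}` and differ only in the surrounding element, which looks like duplicated code at first glance; a comment such as `{# arch is optional: emit the attribute only when the key defines it #}` makes the duplication intentional.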
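Review bot: `rules_id` changes type from the integer `710001` to the quoted string `'100002'`, and the new `win_restart-ossec` entry uses `'100003'`; whatever renders these into the active-response block must accept both forms, or every existing entry should be converted to strings in the same commit. The ids also have to match the two syscheck rules added to `var-ossec-rules-local_rules.xml.j2` in this patch (their id attributes are not visible here), so a comment on each entry such as `# must match the rule id in templates/var-ossec-rules-local_rules.xml.j2` would keep them from drifting apart.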
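Review bot: The two Windows `localfiles` entries look inverted: `format: 'Security'` / `location: 'eventchannel'` and `format: 'System'` / `location: 'eventlog'`. By the convention of the existing entries in this hunk (`format: 'apache'`, `location: '/var/log/httpd/access_log'`), `format` is the log format and `location` the source, so these should read `- format: 'eventchannel'` / `location: 'Security'` and `- format: 'eventlog'` / `location: 'System'`. As written the Windows agent would be told to read a source named `eventchannel` with a log format `Security`, and the Security event log would never be collected.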
diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 index a45a95d8..9d52c8e2 100644 --- a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 @@ -29,6 +29,16 @@ {{ no_diff }} {% endfor %} {% endif %} + + {% if agent_config.syscheck.windows_registry is defined %} + {% for registry_key in agent_config.syscheck.windows_registry %} + {% if registry_key.arch is defined %} + {{ registry_key.key }} + {% else %} + {{ registry_key.key }} + {% endif %} + {% endfor %} + {% endif %} {% for localfile in agent_config.localfiles %} @@ -43,6 +53,7 @@ {% endfor %} + {% if agent_config.rootcheck is defined %} no yes @@ -57,15 +68,12 @@ {{ agent_config.rootcheck.frequency }} - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt - /var/ossec/etc/shared/system_audit_rcl.txt - /var/ossec/etc/shared/system_audit_ssh.txt {% if agent_config.rootcheck.cis_distribution_filename is not none %} /var/ossec/etc/shared/{{ agent_config.rootcheck.cis_distribution_filename }} {% endif %} yes + {% endif %} {% endfor %} {% endif %} diff --git a/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 b/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 index db0b000a..5cbe7670 100644 --- a/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 @@ -1,17 +1,5 @@ - - - - syscheck - /var/ossec/etc/shared/agent.conf - agent.conf was modified - - - @@ -28,3 +16,20 @@ is successfully retrieved. + + + + + syscheck + /var/ossec/etc/shared/agent.conf + Linux | agent.conf was modified + + + syscheck + C:\wazuh-agent/shared/agent.conf + Windows | agent.conf was modified + + From ff6ea6230a038dfc6a794eeaedf072d00d434e9d Mon Sep 17 00:00:00 2001 
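Review bot: Dropping the four `rootkit_files.txt`/`rootkit_trojans.txt`/`system_audit_rcl.txt`/`system_audit_ssh.txt` entries from the manager-pushed agent.conf leaves only the CIS file in the shared rootcheck block; the same files are rendered into each agent's local ossec.conf by the agent template in this patch, so this appears deliberate, but the commit message does not say so and agents not provisioned by the agent role lose those checks. Record the intent with a comment above the remaining entry, e.g. `{# rootkit and system_audit files are configured in each agent's own ossec.conf; only the CIS file is distributed from the manager #}`. The new `{% if agent_config.rootcheck is defined %}` guard is what lets the Windows profile added in defaults omit rootcheck entirely; the existing `cis_distribution_filename is not none` test on the next lines still assumes the key exists whenever `rootcheck` does, so a profile that defines `rootcheck` without that key fails to render.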
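Review bot: `C:\wazuh-agent/shared/agent.conf` mixes Windows and POSIX separators and hardcodes the install directory; if the syscheck alert from the agent reports the path with backslashes (`C:\wazuh-agent\shared\agent.conf`), the Windows rule never matches and the `win_restart-ossec` response added in defaults never fires. Confirm the exact form the Windows agent reports and write the path in that form, with a comment such as `<!-- path must match the syscheck alert verbatim -->` if the match is literal. The install directory is now hardcoded in three places across this patch (here, the agent template, and the agent role's `wazuh_winagent_config.install_dir`), which is the kind of duplication that breaks silently on a non-default install.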
From: Miguelangel Freitas Date: Wed, 30 Aug 2017 15:30:04 -0500 Subject: [PATCH 22/23] Add support to generate CDB lists --- ansible-wazuh-manager/handlers/main.yml | 3 +++ ansible-wazuh-manager/tasks/main.yml | 22 +++++++++++++++++++ ansible-wazuh-manager/templates/cdb_lists.j2 | 1 + .../var-ossec-etc-ossec-server.conf.j2 | 6 ++++- ansible-wazuh-manager/vars/cdb_lists.yml | 9 ++++++++ 5 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 ansible-wazuh-manager/templates/cdb_lists.j2 create mode 100644 ansible-wazuh-manager/vars/cdb_lists.yml diff --git a/ansible-wazuh-manager/handlers/main.yml b/ansible-wazuh-manager/handlers/main.yml index 2d799c45..924ee738 100644 --- a/ansible-wazuh-manager/handlers/main.yml +++ b/ansible-wazuh-manager/handlers/main.yml @@ -1,4 +1,7 @@ --- +- name: rebuild cdb_lists + shell: /var/ossec/bin/ossec-makelists + - name: restart wazuh-manager service: name=wazuh-manager state=restarted diff --git a/ansible-wazuh-manager/tasks/main.yml b/ansible-wazuh-manager/tasks/main.yml index 974fdb6a..43dc9e3e 100644 --- a/ansible-wazuh-manager/tasks/main.yml +++ b/ansible-wazuh-manager/tasks/main.yml @@ -86,6 +86,11 @@ tags: - config +- name: Retrieving CDB lists + include_vars: cdb_lists.yml + tags: + - config + - name: Check if syslog output is enabled set_fact: syslog_output=true when: item.server is not none @@ -214,6 +219,23 @@ tags: - config +- name: CDB Lists + template: + src: cdb_lists.j2 + dest: "/var/ossec/etc/lists/{{ item.name }}" + owner: root + group: ossec + mode: 0640 + no_log: true + notify: + - rebuild cdb_lists + - restart wazuh-manager + with_items: + - "{{ cdb_lists }}" + when: cdb_lists is defined + tags: + - config + - name: Ensure Wazuh Manager, wazuh api service is started and enabled service: name: "{{ item }}" diff --git a/ansible-wazuh-manager/templates/cdb_lists.j2 b/ansible-wazuh-manager/templates/cdb_lists.j2 new file mode 100644 index 00000000..37774b9c --- /dev/null 
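Review bot: `shell: /var/ossec/bin/ossec-makelists` invokes a shell for a fixed command with no pipes, redirects or variables; `command: /var/ossec/bin/ossec-makelists` does the same work without one and is the form ansible-lint expects. Placing `rebuild cdb_lists` before `restart wazuh-manager` is the right order, since handlers run in definition order and the lists must be compiled before the restart; a comment `# must stay above the restart handler: handlers run in file order` prevents a later reordering from breaking that.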
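Review bot: `mode: 0640` is an unquoted octal literal; YAML 1.1 loaders turn it into the integer 416, which Ansible happens to interpret correctly here, but the same value without its leading zero silently becomes a different permission — quote it as `mode: '0640'` (the `mode: 0644` in the agent tasks of patch 23 has the same issue). `dest: "/var/ossec/etc/lists/{{ item.name }}"` interpolates the list name into the path unchanged; today the names come from the role's own `vars/cdb_lists.yml`, so this is not reachable by untrusted input, but `{{ item.name | basename }}` would keep a `/` or `..` in a user-supplied name from writing outside the lists directory once the variable becomes overridable. `no_log: true` hides list contents from the log and also hides template errors, which is a fair trade only if lists are expected to carry sensitive data; say so in a comment.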
+++ b/ansible-wazuh-manager/templates/cdb_lists.j2 @@ -0,0 +1 @@ +{{ item.content }} diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 62eaa282..98d13b2a 100644 --- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -241,7 +241,11 @@ ruleset/decoders ruleset/rules 0215-policy_rules.xml - etc/lists/audit-keys + {% if cdb_lists is defined %} + {% for list in cdb_lists %} + etc/lists/{{ list.name }} + {% endfor %} + {% endif %} etc/decoders diff --git a/ansible-wazuh-manager/vars/cdb_lists.yml b/ansible-wazuh-manager/vars/cdb_lists.yml new file mode 100644 index 00000000..4dd651c5 --- /dev/null +++ b/ansible-wazuh-manager/vars/cdb_lists.yml @@ -0,0 +1,9 @@ +--- +cdb_lists: + - name: 'audit-keys' + content: | + audit-wazuh-w:write + audit-wazuh-r:read + audit-wazuh-a:attribute + audit-wazuh-x:execute + audit-wazuh-c:command From b141dd4113bd04f2e2dfb48c252dc8d14648d23c Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Tue, 5 Sep 2017 12:43:39 -0500 Subject: [PATCH 23/23] More options on client registration --- ansible-wazuh-agent/defaults/main.yml | 9 +++++-- ansible-wazuh-agent/tasks/Linux.yml | 36 ++++++++++++++++++++++--- ansible-wazuh-agent/tasks/Windows.yml | 13 +++++++-- ansible-wazuh-agent/vars/authd_pass.yml | 2 ++ 4 files changed, 53 insertions(+), 7 deletions(-) create mode 100644 ansible-wazuh-agent/vars/authd_pass.yml diff --git a/ansible-wazuh-agent/defaults/main.yml b/ansible-wazuh-agent/defaults/main.yml index 153f1633..def57641 100644 --- a/ansible-wazuh-agent/defaults/main.yml +++ b/ansible-wazuh-agent/defaults/main.yml 
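Review bot: The static `etc/lists/audit-keys` entry is replaced by the loop, so the ruleset now references exactly what `cdb_lists` names; a list removed from the variable stops being referenced but its file under `etc/lists/` stays on the host, because the task in this patch only creates files and never prunes them. A comment above the loop such as `{# one entry per list written by the "CDB Lists" task from vars/cdb_lists.yml #}` ties the two halves together for the next reader.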
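Review bot: Placing `cdb_lists` under `vars/` and loading it with `include_vars` gives it a precedence above inventory, group_vars and play vars, so a user cannot supply their own lists without editing the role; `defaults/main.yml` is the conventional home for a value meant to be overridden. If the intent is that `audit-keys` is always shipped and users only add to it, state that in a comment at the top of the file, since nothing in the role currently merges user lists with this one.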
@@ -1,9 +1,14 @@ --- wazuh_manager_ip: null -wazuh_authd_port: 1515 wazuh_profile: null wazuh_manager_proto: tcp -wazuh_register_client: false +wazuh_agent_authd: + enable: false + port: 1515 + ssl_agent_ca: null + ssl_agent_cert: null + ssl_agent_key: null + ssl_auto_negotiate: 'no' wazuh_notify_time: null wazuh_time_reconnect: null wazuh_winagent_config: diff --git a/ansible-wazuh-agent/tasks/Linux.yml b/ansible-wazuh-agent/tasks/Linux.yml index 74db22d3..2ebfe29c 100644 --- a/ansible-wazuh-agent/tasks/Linux.yml +++ b/ansible-wazuh-agent/tasks/Linux.yml @@ -10,6 +10,26 @@ tags: - init +- name: Retrieving authd Credentials + include_vars: authd_pass.yml + tags: + - config + +- name: Copy CA, SSL key and cert for authd + copy: + src: "{{ item }}" + dest: "/var/ossec/etc/{{ item | basename }}" + mode: 0644 + with_items: + - "{{ wazuh_agent_authd.ssl_agent_ca }}" + - "{{ wazuh_agent_authd.ssl_agent_cert }}" + - "{{ wazuh_agent_authd.ssl_agent_key }}" + tags: + - config + when: + - wazuh_agent_authd.ssl_agent_ca is not none + - wazuh_agent_authd.enable == true + - name: Linux | Check if client.keys exists stat: path=/var/ossec/etc/client.keys register: check_keys 
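Review bot: `wazuh_authd_port` and `wazuh_register_client` are removed without any compatibility shim, so inventories that still set them are silently ignored and registration silently stays off via `enable: false`; at minimum a comment in defaults, e.g. `# replaces wazuh_register_client / wazuh_authd_port`, should name the new keys. Inside `wazuh_agent_authd`, `enable: false` is a boolean while `ssl_auto_negotiate: 'no'` is a string compared with `== 'yes'` in the Linux task; use one convention, e.g. `ssl_auto_negotiate: false` with `{% if wazuh_agent_authd.ssl_auto_negotiate %}-a{% endif %}`.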
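Review bot: The copy task installs `ssl_agent_key` — the agent's private key — with `mode: 0644`, i.e. world-readable on the agent host; the CA and certificate may be public, the key must not be. The task also copies all three items whenever `ssl_agent_ca` is set, so leaving `ssl_agent_cert`/`ssl_agent_key` at `null` (the CA alone is sufficient for `-v` verification in the register task) makes `copy` fail on a null `src`. Loop over the three with a per-item mode and skip null entries, as below; the `when:` is evaluated per item.
```yaml
- name: Copy CA, SSL key and cert for authd
  copy:
    src: "{{ wazuh_agent_authd[item.key] }}"
    dest: "/var/ossec/etc/{{ wazuh_agent_authd[item.key] | basename }}"
    owner: root
    group: ossec
    mode: "{{ item.mode }}"
  with_items:
    - { key: ssl_agent_ca, mode: '0644' }
    - { key: ssl_agent_cert, mode: '0644' }
    - { key: ssl_agent_key, mode: '0640' }   # private key: never world-readable
  when:
    - wazuh_agent_authd.enable == true
    - wazuh_agent_authd[item.key] is not none
  tags:
    - config
```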
@@ -17,10 +37,20 @@ - config - name: Linux | Register agent - shell: /var/ossec/bin/agent-auth -m {{ wazuh_manager_ip }} -p {{ wazuh_authd_port }} + shell: > + /var/ossec/bin/agent-auth + -m {{ wazuh_manager_ip }} + -p {{ wazuh_agent_authd.port }} + {% if authd_pass is defined %}-P {{ authd_pass }}{% endif %} + {% if wazuh_agent_authd.ssl_agent_ca is not none %} + -v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" + -x "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}" + -k "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}" + {% endif %} + {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %}-a{% endif %} register: agent_auth_output when: - - wazuh_register_client == true + - wazuh_agent_authd.enable == true - check_keys.stat.size == 0 - wazuh_manager_ip is not none tags: @@ -29,7 +59,7 @@ - name: Linux | Verify agent registration shell: echo {{ agent_auth_output }} | grep "Valid key created" when: - - wazuh_register_client == true + - wazuh_agent_authd.enable == true - check_keys.stat.size == 0 - wazuh_manager_ip is not none tags: diff --git a/ansible-wazuh-agent/tasks/Windows.yml b/ansible-wazuh-agent/tasks/Windows.yml index cf825b8a..0de57d7b 100644 --- a/ansible-wazuh-agent/tasks/Windows.yml +++ b/ansible-wazuh-agent/tasks/Windows.yml 
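Review bot: `-P {{ authd_pass }}` places the registration password unquoted on a shell command line: it is visible in the process list on the host while agent-auth runs, is stored in `agent_auth_output.cmd`, and is printed by Ansible in verbose runs because the task has no `no_log`. Add `no_log: true` to the task and quote the value, `-P "{{ authd_pass }}"`, so a password containing spaces or shell metacharacters is passed intact rather than interpreted; the Windows task in this patch has the same problem. If the agent-auth build in use reads `/var/ossec/etc/authd.pass` when `-P` is absent, writing the password there with a `no_log` copy task keeps it off the command line entirely. For consistency, `-m`/`-p` values are unquoted while `-v`/`-x`/`-k` are quoted; quote them the same way.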
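Review bot: The condition change is fine, but the context line `shell: echo {{ agent_auth_output }} | grep "Valid key created"` now echoes the whole registered result — including `cmd`, which after this patch carries `-P <password>` — through a shell and into the task output. Replace the shell round-trip with a plain check, e.g. `assert: that: "'Valid key created' in agent_auth_output.stdout"`, or drop this task and put `failed_when: "'Valid key created' not in agent_auth_output.stdout"` on the register task itself.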
@@ -43,14 +43,23 @@ tags: - config +- name: Retrieving authd Credentials + include_vars: authd_pass.yml + tags: + - config + - name: Windows | Register agent - win_shell: "{{ wazuh_winagent_config.install_dir }}agent-auth.exe -m {{ wazuh_manager_ip }} -p {{ wazuh_authd_port }}" + win_shell: > + {{ wazuh_winagent_config.install_dir }}agent-auth.exe + -m {{ wazuh_manager_ip }} + -p {{ wazuh_agent_authd.port }} + {% if authd_pass is defined %}-P {{ authd_pass }}{% endif %} args: chdir: "{{ wazuh_winagent_config.install_dir }}" register: agent_auth_output notify: restart wazuh-agent windows when: - - wazuh_register_client == true + - wazuh_agent_authd.enable == true - check_windows_key.stat.exists == false - wazuh_manager_ip is not none tags: diff --git a/ansible-wazuh-agent/vars/authd_pass.yml b/ansible-wazuh-agent/vars/authd_pass.yml new file mode 100644 index 00000000..df5e2bbf --- /dev/null +++ b/ansible-wazuh-agent/vars/authd_pass.yml @@ -0,0 +1,2 @@ +--- +#authd_pass: 'foobar'
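Review bot: Same password exposure as the Linux task: `-P {{ authd_pass }}` is interpolated unquoted into `win_shell`, stored in `agent_auth_output`, and logged without `no_log: true`; add `no_log: true` and quote the value. Unlike Linux, this task renders no `-v`/`-x`/`-k` options, so `wazuh_agent_authd.ssl_agent_ca`/`ssl_agent_cert`/`ssl_agent_key` are silently ignored on Windows hosts — either render them here too (with a matching `win_copy` of the files) or document in defaults that manager verification is Linux-only, e.g. `# ssl_* options are applied on Linux agents only`.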
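Review bot: A commented-out `#authd_pass: 'foobar'` in the role's `vars/` directory invites users to uncomment it and commit the registration password with the role; if they do, `include_vars` also gives it a precedence above inventory, so it cannot then be overridden per host. Prefer documenting that `authd_pass` is supplied from inventory or an ansible-vault file, and keep this file, if it is needed at all, as `---` plus a comment saying exactly that, e.g. `# authd_pass is read from inventory or vault; do not store it in this file`.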